ci: Add integration test GHA

.github/integration_test.yml

@@ -0,0 +1,67 @@
+name: Integration Tests
+
+on:
+  schedule:
+    - cron: '00 08 * * 2'
+
+  workflow_dispatch:
+    inputs:
+      environment:
+        required: true
+        type: choice
+        description: Select the Environment
+        options:
+          - dev
+          - uat
+        default: uat
+      canary:
+        description: 'run the tests on canary version'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  id-token: write
+  contents: read
+  deployments: write
+
+
+jobs:
+  integration_test:
+    name: Test
+    runs-on: ubuntu-latest
+    environment: ${{(github.event.inputs == null && 'uat') || inputs.environment }}
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707
+
+      - name: Run Integration Tests
+        shell: bash
+        run: |
+          export CANARY=${{ inputs.canary }}
+          export REPORTING_BATCH_QUEUE=${{ vars.REPORTING_BATCH_QUEUE }}
+          export FLOW_SA_CONNECTION_STRING="${{ secrets.FLOW_SA_CONNECTION_STRING }}"
+
+          cd ./integration-test
+          chmod +x ./run_integration_test.sh
+          ./run_integration_test.sh ${{( github.event.inputs == null && 'uat') || inputs.environment }} ${{ secrets.API_SUBSCRIPTION_KEY }}
+
+  notify:
+    needs: [ integration_test ]
+    runs-on: ubuntu-latest
+    name: Notify
+    if: always()
+    steps:
+      - name: Report Status
+        if: always()
+        uses: ravsamhq/notify-slack-action@v2
+        with:
+          status: ${{ needs.integration_test.result }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          notify_when: 'failure,skipped'
+          notification_title: '{workflow} has {status_message}'
+          message_format: '{emoji} <{workflow_url}|{workflow}> {status_message} in <{repo_url}|{repo}>'
+          footer: 'Linked to Repo <{repo_url}|{repo}>'
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

.gitignore

@@ -38,3 +38,13 @@ hs_err_pid*
 local.settings.json
 bin/
 obj/
+
+
+# Project files
+/target/
+**/node_modules
+
+# Terraform
+**/.terraform/
+/.identity/.terraform.lock.hcl
+*.lock

.identity/00_data.tf

@@ -0,0 +1,48 @@
+data "azurerm_resource_group" "dashboards" {
+  name = "dashboards"
+}
+
+data "azurerm_kubernetes_cluster" "aks" {
+  name                = local.aks_cluster.name
+  resource_group_name = local.aks_cluster.resource_group_name
+}
+
+data "github_organization_teams" "all" {
+  root_teams_only = true
+  summary_only    = true
+}
+
+data "azurerm_key_vault" "key_vault" {
+  name                = "pagopa-${var.env_short}-kv"
+  resource_group_name = "pagopa-${var.env_short}-sec-rg"
+}
+
+data "azurerm_key_vault" "domain_key_vault" {
+  name                = "pagopa-${var.env_short}-${local.domain}-kv"
+  resource_group_name = "pagopa-${var.env_short}-${local.domain}-sec-rg"
+}
+
+data "azurerm_key_vault_secret" "key_vault_sonar" {
+  name         = "sonar-token"
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "key_vault_bot_token" {
+  name         = "bot-token-github"
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "key_vault_cucumber_token" {
+  name         = "cucumber-token"
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "key_vault_integration_test_subkey" {
+  name         = "integration-test-subkey"
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "flow_sa_connection_string" {
+  name         = "flows-sa-${var.env_short}-connection-string"
+  key_vault_id = data.azurerm_key_vault.domain_key_vault.id
+}

.identity/02_application_action.tf

@@ -0,0 +1,84 @@
+#module "github_runner_app" {
+#  source = "git::https://github.com/pagopa/github-actions-tf-modules.git//app-github-runner-creator?ref=main"
+#
+#  app_name = local.app_name
+#
+#  subscription_id = data.azurerm_subscription.current.id
+#
+#  github_org              = local.github.org
+#  github_repository       = local.github.repository
+#  github_environment_name = var.env
+#
+#  container_app_github_runner_env_rg = local.container_app_environment.resource_group
+#}
+#
+#resource "null_resource" "github_runner_app_permissions_to_namespace" {
+#  triggers = {
+#    aks_id               = data.azurerm_kubernetes_cluster.aks.id
+#    service_principal_id = module.github_runner_app.client_id
+#    namespace            = local.domain
+#    version              = "v2"
+#  }
+#
+#  provisioner "local-exec" {
+#    command = <<EOT
+#      az role assignment create --role "Azure Kubernetes Service RBAC Admin" \
+#      --assignee ${self.triggers.service_principal_id} \
+#      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
+#
+#      az role assignment list --role "Azure Kubernetes Service RBAC Admin"  \
+#      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
+#    EOT
+#  }
+#
+#  provisioner "local-exec" {
+#    when    = destroy
+#    command = <<EOT
+#      az role assignment delete --role "Azure Kubernetes Service RBAC Admin" \
+#      --assignee ${self.triggers.service_principal_id} \
+#      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
+#    EOT
+#  }
+#}
+#
+#resource "azurerm_role_assignment" "environment_terraform_resource_group_dashboards" {
+#  scope                = data.azurerm_resource_group.dashboards.id
+#  role_definition_name = "Contributor"
+#  principal_id         = module.github_runner_app.object_id
+#}
+#
+#resource "azurerm_role_assignment" "environment_key_vault" {
+#  scope                = data.azurerm_key_vault.key_vault.id
+#  role_definition_name = "Reader"
+#  principal_id         = module.github_runner_app.object_id
+#}
+#
+#resource "azurerm_role_assignment" "environment_key_vault_domain" {
+#  scope                = data.azurerm_key_vault.domain_key_vault.id
+#  role_definition_name = "Reader"
+#  principal_id         = module.github_runner_app.object_id
+#}
+#
+#resource "azurerm_key_vault_access_policy" "ad_kv_group_policy" {
+#  key_vault_id = data.azurerm_key_vault.key_vault.id
+#
+#  tenant_id = data.azurerm_client_config.current.tenant_id
+#  object_id = module.github_runner_app.object_id
+#
+#  key_permissions         = []
+#  secret_permissions      = ["Get", "List"]
+#  storage_permissions     = []
+#  certificate_permissions = []
+#}
+#
+#resource "azurerm_key_vault_access_policy" "ad_domain_kv_group_policy" {
+#  key_vault_id = data.azurerm_key_vault.domain_key_vault.id
+#
+#  tenant_id = data.azurerm_client_config.current.tenant_id
+#  object_id = module.github_runner_app.object_id
+#
+#  key_permissions         = []
+#  secret_permissions      = ["Get", "List"]
+#  storage_permissions     = []
+#  certificate_permissions = []
+#}

.identity/03_github_environment.tf

@@ -0,0 +1,80 @@
+resource "github_repository_environment" "github_repository_environment" {
+  environment = var.env
+  repository  = local.github.repository
+  # filter teams reviewers from github_organization_teams
+  # if reviewers_teams is null no reviewers will be configured for environment
+  dynamic "reviewers" {
+    for_each = (var.github_repository_environment.reviewers_teams == null || var.env_short != "p" ? [] : [1])
+    content {
+      teams = matchkeys(
+        data.github_organization_teams.all.teams.*.id,
+        data.github_organization_teams.all.teams.*.name,
+        var.github_repository_environment.reviewers_teams
+      )
+    }
+  }
+  deployment_branch_policy {
+    protected_branches     = var.github_repository_environment.protected_branches
+    custom_branch_policies = var.github_repository_environment.custom_branch_policies
+  }
+}
+
+locals {
+  env_secrets = {
+     #"CLIENT_ID" : module.github_runner_app.application_id,
+    "TENANT_ID" : data.azurerm_client_config.current.tenant_id,
+    "SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
+    "API_SUBSCRIPTION_KEY" : data.azurerm_key_vault_secret.key_vault_integration_test_subkey.value,
+    "FLOW_SA_CONNECTION_STRING": data.azurerm_key_vault_secret.flow_sa_connection_string.value
+  }
+  env_variables = {
+    "CONTAINER_APP_ENVIRONMENT_NAME" : local.container_app_environment.name,
+    "CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME" : local.container_app_environment.resource_group,
+    "CLUSTER_NAME" : local.aks_cluster.name,
+    "CLUSTER_RESOURCE_GROUP" : local.aks_cluster.resource_group_name,
+    "NAMESPACE" : local.domain,
+    "REPORTING_BATCH_QUEUE": "pagopa${var.env_short}flowsaqueueorg"
+  }
+  repo_secrets = {
+    "SONAR_TOKEN" : data.azurerm_key_vault_secret.key_vault_sonar.value,
+    "BOT_TOKEN_GITHUB" : data.azurerm_key_vault_secret.key_vault_bot_token.value,
+    "CUCUMBER_PUBLISH_TOKEN" : data.azurerm_key_vault_secret.key_vault_cucumber_token.value,
+  }
+}
+
+###############
+# ENV Secrets #
+###############
+
+resource "github_actions_environment_secret" "github_environment_runner_secrets" {
+  for_each        = local.env_secrets
+  repository      = local.github.repository
+  environment     = var.env
+  secret_name     = each.key
+  plaintext_value = each.value
+}
+
+#################
+# ENV Variables #
+#################
+
+
+resource "github_actions_environment_variable" "github_environment_runner_variables" {
+  for_each      = local.env_variables
+  repository    = local.github.repository
+  environment   = var.env
+  variable_name = each.key
+  value         = each.value
+}
+
+#############################
+# Secrets of the Repository #
+#############################
+
+
+resource "github_actions_secret" "repo_secrets" {
+  for_each        = local.repo_secrets
+  repository      = local.github.repository
+  secret_name     = each.key
+  plaintext_value = each.value
+}

.identity/99_main.tf

@@ -0,0 +1,32 @@
+terraform {
+  required_version = ">=1.3.0"
+
+  required_providers {
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.30.0"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.45.0"
+    }
+    github = {
+      source  = "integrations/github"
+      version = "5.18.3"
+    }
+  }
+
+  backend "azurerm" {}
+}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "github" {
+  owner = "pagopa"
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}

.identity/99_variables.tf

@@ -0,0 +1,56 @@
+locals {
+  github = {
+    org        = "pagopa"
+    repository = "pagopa-gpd-reporting-analysis"
+  }
+
+  prefix         = "pagopa"
+  domain         = "gps"
+  location_short = "weu"
+  product        = "${var.prefix}-${var.env_short}"
+
+  app_name = "github-${local.github.org}-${local.github.repository}-${var.prefix}-${local.domain}-${var.env}-aks"
+
+  aks_cluster = {
+    name                = "${local.product}-${local.location_short}-${var.env}-aks"
+    resource_group_name = "${local.product}-${local.location_short}-${var.env}-aks-rg"
+  }
+
+  container_app_environment = {
+    name           = "${local.prefix}-${var.env_short}-${local.location_short}-github-runner-cae",
+    resource_group = "${local.prefix}-${var.env_short}-${local.location_short}-github-runner-rg",
+  }
+}
+
+variable "env" {
+  type = string
+}
+
+variable "env_short" {
+  type = string
+}
+
+variable "prefix" {
+  type    = string
+  default = "pagopa"
+  validation {
+    condition = (
+      length(var.prefix) <= 6
+    )
+    error_message = "Max length is 6 chars."
+  }
+}
+
+variable "github_repository_environment" {
+  type = object({
+    protected_branches     = bool
+    custom_branch_policies = bool
+    reviewers_teams        = list(string)
+  })
+  description = "GitHub Continuous Integration roles"
+  default = {
+    protected_branches     = false
+    custom_branch_policies = true
+    reviewers_teams        = ["pagopa-team-core"]
+  }
+}

.identity/env/dev/backend.ini

@@ -0,0 +1 @@
+subscription=DEV-pagoPA

.identity/env/dev/backend.tfvars

@@ -0,0 +1,4 @@
+resource_group_name  = "io-infra-rg"
+storage_account_name = "pagopainfraterraformdev"
+container_name       = "azurermstate"
+key                  = "pagopa-reporting-analysis.tfstate"