.github/workflows/landingzones-tf100.yml

#
# Copyright (c) Microsoft Corporation
# Licensed under the MIT License.
#

name: landingzones-tf100

on:
  workflow_dispatch:
  pull_request:
    paths-ignore:
      - 'documentation/**'
      - '_pictures/**'
      - 'README.md'
      - 'CHANGELOG.md'
  schedule:
    - cron:  '0 3 * * *'

env:
  TF_CLI_ARGS: '-no-color'
  TF_CLI_ARGS_destroy: '-refresh=false'
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
  ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
  TF_REGISTRY_DISCOVERY_RETRY: 5
  TF_REGISTRY_CLIENT_TIMEOUT: 15
  ROVER_RUNNER: true

jobs:
  foundations100:
    name: foundations-100
    runs-on: ubuntu-latest

    strategy:
      fail-fast: true
      max-parallel: 1
      matrix:
          random_length: ['5']

    container:
      image: aztfmod/rover:1.6.6-2401.0402
      options: --user 0

    steps:
      - uses: actions/checkout@v3

      - name: Login azure
        run: |
          az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
          az account set -s  ${{ env.ARM_SUBSCRIPTION_ID }}

          echo "local user: $(whoami)"

      - name: Github Actions permissions workaround
        run: |
          git config --global --add safe.directory ${GITHUB_WORKSPACE}

      - name: launchpad
        run: |
          /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_launchpad -a apply \
            -var-folder ${GITHUB_WORKSPACE}/caf_launchpad/scenario/100 \
            -level level0 \
            -launchpad \
            -parallelism=30 \
            --environment ${{ github.run_id }} \
            '-var random_length=${{ matrix.random_length }}' \
            '-var prefix=g${{ github.run_id }}' \
            '-var tags={testing_job_id="${{ github.run_id }}"}'

      - name: foundations
        run: |
          sleep 180
          /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution -a apply \
            -var-folder ${GITHUB_WORKSPACE}/caf_solution/scenario/foundations/100-passthrough \
            -tfstate caf_foundations.tfstate \
            -level level1 \
            -parallelism=30 \
            --environment ${{ github.run_id }} \
            '-var tags={testing_job_id="${{ github.run_id }}"}'

  networking100:
    name: networking-100
    runs-on: ubuntu-latest

    needs: foundations100

    strategy:
      fail-fast: false
      matrix:
          config_files: [
            "caf_solution/scenario/networking/100-single-region-hub",
            "caf_solution/scenario/networking/101-multi-region-hub",
            "caf_solution/scenario/networking/105-hub-and-spoke",
            "caf_solution/scenario/networking/106-hub-virtual-wan-firewall"
          ]

    container:
      image: aztfmod/rover:1.6.6-2401.0402
      options: --user 0

    steps:
      - uses: actions/checkout@v3

      - name: Login azure
        run: |
          az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
          az account set -s  ${{ env.ARM_SUBSCRIPTION_ID }}

      - name: Github Actions permissions workaround
        run: |
          git config --global --add safe.directory ${GITHUB_WORKSPACE}

      - name: deploy example
        run: |
          /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a apply \
            -tfstate $(basename ${{ matrix.config_files }}).tfstate \
            -level level2 \
            -parallelism=30 \
            -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \
            --environment ${{ github.run_id }}

      - name: destroy example
        run: |
          /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a destroy \
            -tfstate $(basename ${{ matrix.config_files }}).tfstate \
            -level level2 \
            -parallelism=30 \
            -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \
            --environment ${{ github.run_id }} \
            -refresh=false

  foundations200:
    name: foundations-200
    runs-on: ubuntu-latest
    needs: networking100
    if: always()

    strategy:
      fail-fast: true
      max-parallel: 1
      matrix:
          random_length: ['5']

    container:
      image: aztfmod/rover:1.6.6-2401.0402
      options: --user 0

    steps:
      - uses: actions/checkout@v3

      - name: Login azure
        run: |
          az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
          az account set -s  ${{ env.ARM_SUBSCRIPTION_ID }}

          echo "local user: $(whoami)"

      - name: Github Actions permissions workaround
        run: |
          git config --global --add safe.directory ${GITHUB_WORKSPACE}

      - name: launchpad-200-upgrade
        run: |
          /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_launchpad -a apply \
            -var-folder ${GITHUB_WORKSPACE}/caf_launchpad/scenario/200 \
            -level level0 \
            -launchpad \
            -parallelism=30 \
            --environment ${{ github.run_id }} \
            '-var random_length=${{ matrix.random_length }}' \
            '-var prefix=g${{ github.run_id }}' \
            '-var tags={testing_job_id="${{ github.run_id }}"}'

      - name: foundations-200-upgrade
        run: |
          /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution -a apply \
            -var-folder ${GITHUB_WORKSPACE}/caf_solution/scenario/foundations/gitops \
            -tfstate caf_foundations.tfstate \
            -level level1 \
            -parallelism=30 \
            --environment ${{ github.run_id }} \
             '-var tags={testing_job_id="${{ github.run_id }}"}'

  networking200:
    name: networking-200
    runs-on: ubuntu-latest

    needs: foundations200

    strategy:
      fail-fast: false
      matrix:
          config_files: [
            "caf_solution/scenario/networking/200-single-region-hub",
            "caf_solution/scenario/networking/201-multi-region-hub",
            "caf_solution/scenario/networking/210-aks-private"
          ]

    container:
      image: aztfmod/rover:1.6.6-2401.0402
      options: --user 0

    steps:
      - uses: actions/checkout@v3

      - name: Login azure
        run: |
          az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
          az account set -s  ${{ env.ARM_SUBSCRIPTION_ID }}

      - name: Github Actions permissions workaround
        run: |
          git config --global --add safe.directory ${GITHUB_WORKSPACE}

      - name: deploy example
        run: |
          /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a apply \
            -tfstate $(basename ${{ matrix.config_files }}).tfstate \
            -level level2 \
            -parallelism=30 \
            -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \
            --environment ${{ github.run_id }}

      - name: destroy example
        run: |
          /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a destroy \
            -tfstate $(basename ${{ matrix.config_files }}).tfstate \
            -level level2 \
            -parallelism=30 \
            -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \
            --environment ${{ github.run_id }} \
            -refresh=false

  foundations_destroy:
    name: foundations_destroy
    runs-on: ubuntu-latest
    if: always()
    needs: networking200

    strategy:
      fail-fast: false
      matrix:
        random_length: ['5']

    container:
      image: aztfmod/rover:1.6.6-2401.0402
      options: --user 0

    steps:
      - uses: actions/checkout@v3

      - name: Login azure
        run: |
          az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
          az account set -s  ${{ env.ARM_SUBSCRIPTION_ID }}

          echo "local user: $(whoami)"

      - name: Github Actions permissions workaround
        run: |
          git config --global --add safe.directory ${GITHUB_WORKSPACE}

      - name: foundations
        run: |
          /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution -a destroy \
            -var-folder ${GITHUB_WORKSPACE}/caf_solution/scenario/foundations/gitops \
            -tfstate caf_foundations.tfstate \
            -level level1 \
            -parallelism=30 \
            --environment ${{ github.run_id }} \
            '-var tags={testing_job_id="${{ github.run_id }}"}'

      - name: Remove launchpad
        run: |
          /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_launchpad -a destroy \
            -var-folder ${GITHUB_WORKSPACE}/caf_launchpad/scenario/200 \
            -level level0 \
            -launchpad \
            -parallelism=30 \
            --environment ${{ github.run_id }} \
            '-var random_length=${{ matrix.random_length }}' \
            '-var prefix=g${{ github.run_id }}' \
            '-var tags={testing_job_id="${{ github.run_id }}"}'


      - name: Complete purge
        if: ${{ always() }}
        run: |
          for i in `az monitor diagnostic-settings subscription list -o tsv --query "value[?contains(name, '${{ github.run_id }}' )].name"`; do echo "purging subscription diagnostic-settings: $i" && $(az monitor diagnostic-settings subscription delete --name $i --yes); done
          for i in `az monitor log-profiles list -o tsv --query '[].name'`; do az monitor log-profiles delete --name $i; done
          for i in `az ad group list --query "[?contains(displayName, '${{ github.run_id }}')].objectId" -o tsv`; do echo "purging Azure AD group: $i" && $(az ad group delete --verbose --group $i || true); done
          for i in `az ad app list --query "[?contains(displayName, '${{ github.run_id }}')].appId" -o tsv`; do echo "purging Azure AD app: $i" && $(az ad app delete --verbose --id $i || true); done
          for i in `az keyvault list-deleted --query "[?tags.caf_environment=='${{ github.run_id }}'].name" -o tsv`; do az keyvault purge --name $i; done
          for i in `az group list --query "[?tags.caf_environment=='${{ github.run_id }}'].name" -o tsv`; do echo "purging resource group: $i" && $(az group delete -n $i -y --no-wait || true); done
          for i in `az role assignment list --query "[?contains(roleDefinitionName, '${{ github.run_id }}')].roleDefinitionName" -o tsv`; do echo "purging role assignment: $i" && $(az role assignment delete --role $i || true); done
          for i in `az role definition list --query "[?contains(roleName, '${{ github.run_id }}')].roleName" -o tsv`; do echo "purging custom role definition: $i" && $(az role definition delete --name $i || true); done