Azure · arnaudlh · Jun 23, 2021 · Apr 27, 2021 · May 3, 2021 · May 3, 2021
diff --git a/.gitignore b/.gitignore
@@ -10,4 +10,5 @@
 **/*.log
 **/backend.azurerm.tf
 public
-aztfmod
+aztfmod
+*output.json
diff --git a/caf_launchpad/landingzone.tf b/caf_launchpad/landingzone.tf
@@ -1,15 +1,10 @@
 module "launchpad" {
-  source  = "aztfmod/caf/azurerm"
-  version = "~>5.3.2"
+  # source  = "aztfmod/caf/azurerm"
+  # version = "~>5.3.2"
 
-  # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=master"
+  source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=mtms"
+  # source = "../../aztfmod"
 
-  # azuread                               = var.azuread
-  azuread_api_permissions               = var.azuread_api_permissions
-  azuread_apps                          = var.azuread_apps
-  azuread_groups                        = var.azuread_groups
-  azuread_roles                         = var.azuread_roles
-  azuread_users                         = var.azuread_users
   current_landingzone_key               = var.landingzone.key
   custom_role_definitions               = var.custom_role_definitions
   enable                                = var.enable
@@ -22,6 +17,7 @@ module "launchpad" {
   logged_aad_app_objectId               = var.logged_aad_app_objectId
   logged_user_objectId                  = var.logged_user_objectId
   managed_identities                    = var.managed_identities
+  remote_objects                        = local.remote
   resource_groups                       = var.resource_groups
   role_mapping                          = var.role_mapping
   storage_accounts                      = var.storage_accounts
@@ -30,6 +26,18 @@ module "launchpad" {
   tenant_id                             = var.tenant_id
   user_type                             = var.user_type
 
+  azuread = {
+    azuread_api_permissions             = var.azuread_api_permissions
+    azuread_applications                = var.azuread_applications
+    azuread_apps                        = var.azuread_apps
+    azuread_credential_policies         = var.azuread_credential_policies
+    azuread_groups                      = var.azuread_groups
+    azuread_roles                       = var.azuread_roles
+    azuread_service_principal_passwords = var.azuread_service_principal_passwords
+    azuread_service_principals          = var.azuread_service_principals
+    azuread_users                       = var.azuread_users
+  }
+
   diagnostics = {
     diagnostics_definition          = try(var.diagnostics.diagnostics_definition, var.diagnostics_definition)
     diagnostics_destinations        = try(var.diagnostics.diagnostics_destinations, var.diagnostics_destinations)

diff --git a/caf_launchpad/local.remote.tf b/caf_launchpad/local.remote.tf
@@ -0,0 +1,7 @@
+locals {
+  remote = {
+    azuread_service_principals = {
+      for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].azuread_service_principals, {}))
+    }
+  }
+}
diff --git a/caf_launchpad/locals.remote_tfstates.tf b/caf_launchpad/locals.remote_tfstates.tf
@@ -0,0 +1,36 @@
+locals {
+  landingzone = {
+    current = {
+      storage_account_name = var.tfstate_storage_account_name
+      container_name       = var.tfstate_container_name
+      resource_group_name  = var.tfstate_resource_group_name
+    }
+  }
+}
+
+data "terraform_remote_state" "remote" {
+  for_each = try(var.landingzone.tfstates, {})
+
+  backend = var.landingzone.backend_type
+  config = local.remote_state[try(each.value.backend_type, var.landingzone.backend_type, "azurerm")][each.key]
+}
+
+locals {
+
+  remote_state = {
+
+    azurerm = {
+      for key, value in try(var.landingzone.tfstates, {}) : key => {
+        container_name       = value.workspace
+        key                  = value.tfstate
+        resource_group_name  = value.resource_group_name
+        storage_account_name = value.storage_account_name
+        subscription_id      = value.subscription_id
+        tenant_id            = value.tenant_id
+        sas_token            = try(value.sas_token, null) != null ? var.sas_token : null
+      }
+    }
+
+  }
+
+}
diff --git a/caf_launchpad/variables.tf b/caf_launchpad/variables.tf
@@ -16,6 +16,10 @@ variable "tenant_id" {}
 variable "landingzone" {
   description = "The landing zone name is used to reference the tfstate in configuration files. Therefore while set it is recommended not to change"
 }
+variable "sas_token" {
+  description = "SAS Token to access the remote state in another Azure AD tenant."
+  default     = null
+}
 
 variable "passthrough" {
   default = false
@@ -100,6 +104,15 @@ variable "azuread_users" {
 variable "azuread_roles" {
   default = {}
 }
+variable "azuread_credential_policies" {
+  default = {}
+}
+variable "azuread_service_principals" {
+  default = {}
+}
+variable "azuread_service_principal_passwords" {
+  default = {}
+}
 variable "managed_identities" {
   default = {}
 }
@@ -152,6 +165,10 @@ variable "azuread_api_permissions" {
   default = {}
 }
 
+variable "azuread_applications" {
+  default = {}
+}
+
 variable "environment" {
   type        = string
   description = "This variable is set by the rover during the deployment based on the -env or -environment flags. Default to sandpit"

diff --git a/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml b/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml
@@ -1,3 +1,5 @@
+# https://github.com/Azure/aad-pod-identity/blob/b3ee1d07209f26c47a96abf3ba20749932763de6/website/content/en/docs/Concepts/azureidentity.md
+
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentity
 metadata:
@@ -13,4 +15,5 @@ metadata:
     name: podmi-gitlab-runner-binding
 spec:
     azureIdentity: podmi-caf-rover-platform-level0
-    selector: podmi-caf-rover-platform-level0
+    selector: podmi-caf-rover-platform-level0
+
diff --git a/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf b/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
@@ -1,3 +1,5 @@
+# https://github.com/Azure/aad-pod-identity/blob/b3ee1d07209f26c47a96abf3ba20749932763de6/website/content/en/docs/Concepts/azureidentity.md
+
 resource "kubernetes_namespace" "ns" {
   metadata {
     name = var.aad_pod_identity.namespace

diff --git a/caf_solution/add-ons/aad-pod-identity/variables.tf b/caf_solution/add-ons/aad-pod-identity/variables.tf
@@ -4,7 +4,7 @@ variable "lower_container_name" {}
 variable "lower_resource_group_name" {}
 
 variable "tfstate_subscription_id" {
-  description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
+  description = "This value is populated by the rover. subscription id hosting the remote tfstates"
 }
 variable "tfstate_storage_account_name" {}
 variable "tfstate_container_name" {}

diff --git a/caf_solution/add-ons/aks-secure-baseline/aks-pod-identity-assignment.tf b/caf_solution/add-ons/aks-secure-baseline/aks-pod-identity-assignment.tf
@@ -56,3 +56,13 @@ locals {
     ) : format("%s-%s", msi.key, msi.msi_key) => msi
   }
 }
+
+resource "azurerm_key_vault_access_policy" "keyvault_policy" {
+  # provider = azurerm.launchpad
+  for_each = var.keyvaults
+
+  key_vault_id = local.remote.keyvaults[each.value.lz_key][each.value.key].id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = local.remote.aks_clusters[var.aks_clusters[var.aks_cluster_key].lz_key][var.aks_clusters[var.aks_cluster_key].key].kubelet_identity[0].object_id
+  secret_permissions = each.value.secret_permissions
+}
diff --git a/caf_solution/add-ons/aks-secure-baseline/local.remote_tfstates.tf b/caf_solution/add-ons/aks-secure-baseline/local.remote_tfstates.tf
@@ -43,6 +43,9 @@ locals {
     aks_clusters = {
       for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].aks_clusters, {}))
     }
+    keyvaults = {
+      for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].keyvaults, {}))
+    }
     managed_identities = {
       for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].managed_identities, {}))
     }

diff --git a/caf_solution/add-ons/aks-secure-baseline/providers.tf b/caf_solution/add-ons/aks-secure-baseline/providers.tf
@@ -4,6 +4,13 @@ provider "azurerm" {
   }
 }
 
+provider "azurerm" {
+  alias = "launchpad"
+  subscription_id = var.tfstate_subscription_id
+  features {
+  }
+}
+
 provider "kubernetes" {
   host                   = local.k8sconfigs[var.aks_cluster_key].host
   username               = local.k8sconfigs[var.aks_cluster_key].username
@@ -31,6 +38,8 @@ locals {
   }
 }
 
+data "azurerm_client_config" "current" {}
+
 # Get kubeconfig from AKS clusters
 data "azurerm_kubernetes_cluster" "kubeconfig" {
   for_each = var.aks_clusters

diff --git a/caf_solution/add-ons/aks-secure-baseline/variables.tf b/caf_solution/add-ons/aks-secure-baseline/variables.tf
@@ -33,4 +33,7 @@ variable "managed_identities" {
   description = "Map of the user managed identities."
 }
 
-variable "aad_pod_identity" {}
+variable "aad_pod_identity" {}
+variable "keyvaults" {
+  default = {}
+}
diff --git a/caf_solution/add-ons/aks_applications/app/main.tf b/caf_solution/add-ons/aks_applications/app/main.tf
@@ -1,7 +1,13 @@
-provider "kubernetes" {
-  alias = "k8s"
-}
-
-provider "helm" {
-  alias = "helm"
-}
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+    }
+    kustomization = {
+      source = "kbst/kustomization"
+    }
+  }
+}
diff --git a/caf_solution/add-ons/aks_applications/app/module.tf b/caf_solution/add-ons/aks_applications/app/module.tf
@@ -6,7 +6,6 @@ resource "kubernetes_namespace" "namespaces" {
     name        = each.value.name
   }
 
-  provider = kubernetes.k8s
 }
 
 # https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release
@@ -22,6 +21,7 @@ resource "helm_release" "charts" {
   timeout          = try(each.value.timeout, 900)
   skip_crds        = try(each.value.skip_crds, false)
   create_namespace = try(each.value.create_namespace, false)
+  values           = try(each.value.values, null)
 
   dynamic "set" {
     for_each = try(each.value.sets, {})
@@ -39,9 +39,8 @@ resource "helm_release" "charts" {
     }
   }
 
-  provider = helm.helm
 
-  depends_on = [kubernetes_namespace.namespaces]
+  # depends_on = [kubernetes_namespace.namespaces]
   #   values = [
   #     "${file("values.yaml")}"
   #   ]

diff --git a/caf_solution/add-ons/aks_applications/app/variables.tf b/caf_solution/add-ons/aks_applications/app/variables.tf
@@ -1,5 +1,11 @@
-variable "cluster" {}
+variable "namespaces" {
+  default = {}
+}
 
-variable "namespaces" {}
+variable "helm_charts" {
+  default = {}
+}
 
-variable "helm_charts" {}
+variable "kuztomization_settings" {
+  default = {}
+}
diff --git a/caf_solution/add-ons/aks_applications/applications.tf b/caf_solution/add-ons/aks_applications/applications.tf
@@ -1,27 +1,5 @@
-module "app1" {
+module "app" {
   source   = "./app"
-  for_each = try(local.clusters[var.cluster_re1_key], null) != null ? { (var.cluster_re1_key) = local.clusters[var.cluster_re1_key] } : {}
-
-  cluster     = each.value
   namespaces  = var.namespaces
   helm_charts = var.helm_charts
-
-  providers = {
-    kubernetes.k8s = kubernetes.k8s1
-    helm.helm      = helm.helm1
-  }
 }
-
-module "app2" {
-  source   = "./app"
-  for_each = try(local.clusters[var.cluster_re2_key], null) != null ? { (var.cluster_re2_key) = local.clusters[var.cluster_re2_key] } : {}
-
-  cluster     = each.value
-  namespaces  = var.namespaces
-  helm_charts = var.helm_charts
-
-  providers = {
-    kubernetes.k8s = kubernetes.k8s2
-    helm.helm      = helm.helm2
-  }
-}
diff --git a/caf_solution/add-ons/aks_applications/kustomization.tf b/caf_solution/add-ons/aks_applications/kustomization.tf
@@ -0,0 +1,31 @@
+module "kustomization" {
+  source   = "./kustomize"
+  for_each   = try(data.kustomization_overlay.manifest, {})
+
+  settings    = each.value
+
+}
+
+data "kustomization_overlay" "manifest" {
+  for_each = var.kustomization_overlays
+
+  resources = each.value.resources
+
+  namespace = each.value.namespace
+
+  dynamic "patches"{
+    for_each = try(each.value.patches, {})
+    content {
+      patch = patches.value.patch
+      target = patches.value.target
+    }
+  }
+  kustomize_options = {
+    load_restrictor = "none"
+  }
+}
+
+output "manifests" {
+  value = data.kustomization_overlay.manifest
+}
+
diff --git a/caf_solution/add-ons/aks_applications/kustomize/kustomization_build.tf b/caf_solution/add-ons/aks_applications/kustomize/kustomization_build.tf
@@ -0,0 +1,16 @@
+resource "kustomization_resource" "p0" {
+  for_each = var.settings.ids_prio[0]
+  manifest = var.settings.manifests[each.value]
+}
+
+resource "kustomization_resource" "p1" {
+  depends_on = [kustomization_resource.p0]
+  for_each   = var.settings.ids_prio[1]
+  manifest   = var.settings.manifests[each.value]
+}
+
+resource "kustomization_resource" "p2" {
+  depends_on = [kustomization_resource.p1]
+  for_each   = var.settings.ids_prio[2]
+  manifest   = var.settings.manifests[each.value]
+}
diff --git a/caf_solution/add-ons/aks_applications/kustomize/main.tf b/caf_solution/add-ons/aks_applications/kustomize/main.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    kustomization = {
+      source = "kbst/kustomization"
+    }
+  }
+}
diff --git a/caf_solution/add-ons/aks_applications/kustomize/variables.tf b/caf_solution/add-ons/aks_applications/kustomize/variables.tf
@@ -0,0 +1,2 @@
+variable "settings" {
+}