feat(terraform): simplify for single plan and deploy, #22
- key-vault: use RBAC authorization, which has since reached GA.
- Service connections are now set directly from Terraform instead of indirectly via Key Vault, because:
  - Terraform released the 'sensitive=true' feature for outputs.
  - Key Vault RBAC propagation can take up to 10 minutes, which breaks Terraform runs.
Showing
14 changed files
with
246 additions
and
299 deletions.
@@ -1,39 +1,33 @@ | ||
# 1 - get Service Principal secret from Key Vault | ||
|
||
data "azurerm_key_vault" "workspace" { | ||
name = var.key_vault_name | ||
resource_group_name = var.resource_group_name | ||
} | ||
|
||
data "azurerm_key_vault_secret" "sp_secret" { | ||
name = local.sp_secret_name | ||
key_vault_id = data.azurerm_key_vault.workspace.id | ||
# -------------------- | ||
# Azure DevOps Project | ||
# -------------------- | ||
# Determine project name based on resource group name: | ||
# - fruits-dev-*-rg => project-fruits | ||
# - veggies-prod-*-rg => project-veggies | ||
# - infra-shared-*-rg => central-it | ||
|
||
locals { | ||
project_name = split("-", var.resource_group_name)[0] == "infra" ? "central-it" : "project-${split("-", var.resource_group_name)[0]}" | ||
} | ||
|
||
# 2 - get reference to ADO Project | ||
|
||
data "azuredevops_project" "team" { | ||
name = local.project_name | ||
} | ||
|
||
# 3 -get Subscription Info | ||
|
||
data "azurerm_subscription" "current" { | ||
} | ||
|
||
data "azurerm_client_config" "current" { | ||
} | ||
|
||
# 4 - finally create Service Connection in ADO project | ||
# ------------------ | ||
# Service Connection | ||
# ------------------ | ||
data "azurerm_subscription" "current" {} | ||
data "azurerm_client_config" "current" {} | ||
|
||
resource "azuredevops_serviceendpoint_azurerm" "workspace_endpoint" { | ||
project_id = data.azuredevops_project.team.id | ||
service_endpoint_name = local.connection_name | ||
credentials { | ||
serviceprincipalid = var.service_principal_id | ||
serviceprincipalkey = data.azurerm_key_vault_secret.sp_secret.value | ||
} | ||
service_endpoint_name = "${var.resource_group_name}-connection" | ||
project_id = data.azuredevops_project.team.id | ||
azurerm_spn_tenantid = data.azurerm_client_config.current.tenant_id | ||
azurerm_subscription_id = data.azurerm_client_config.current.subscription_id | ||
azurerm_subscription_name = data.azurerm_subscription.current.display_name | ||
credentials { | ||
serviceprincipalid = var.service_principal_id | ||
serviceprincipalkey = var.service_principal_secret | ||
} | ||
} |
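Review bot: `serviceprincipalkey = var.service_principal_secret` in the `workspace_endpoint` credentials block writes the secret into Terraform state (and into any saved plan file) in plaintext; `sensitive = true` on the variable only redacts it from CLI output. This is presumably no worse than the removed `azurerm_key_vault_secret` data source, whose `.value` also landed in state, but the module now takes the secret at its boundary and nothing documents that the state backend is the thing to protect. I would add above the `credentials` block: `# The SP secret is stored in plaintext in state regardless of sensitive=true;` / `# the state backend must be encrypted and access-restricted.` The `locals.project_name` expression also maps any resource group name without the documented prefix to `project-<prefix>`, so a short comment saying that the `azuredevops_project` lookup is where a non-conventional name fails would save the next reader a debugging round.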
@@ -1,3 +1,7 @@ | ||
output "service_connection" { | ||
value = azuredevops_serviceendpoint_azurerm.workspace_endpoint | ||
} | ||
output "connection_name" { | ||
value = azuredevops_serviceendpoint_azurerm.workspace_endpoint.service_endpoint_name | ||
} | ||
|
||
output "scope" { | ||
value = azuredevops_serviceendpoint_azurerm.workspace_endpoint.resource_group | ||
} |
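Review bot: `output "scope"` reads `workspace_endpoint.resource_group`, but the `azuredevops_serviceendpoint_azurerm` resource in this commit's main.tf hunk never sets `resource_group`, so as far as I can tell this output will be null (the attribute is an optional argument for resource-group-scoped connections, not something the provider computes). Either set `resource_group = var.resource_group_name` on the resource, if a connection scoped to the workspace resource group is what is intended, or drop the output rather than export an empty value. Both outputs would also benefit from a `description`, e.g. `description = "Name of the Azure DevOps service connection for this workspace"` on `connection_name`.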
@@ -1,26 +1,15 @@ | ||
variable "service_principal_id" { | ||
variable "resource_group_name" { | ||
type = string | ||
description = "ID of Service Principal scoped to workspace/environment. The display name of this service principal uses `fruits-dev-XXXX-rg-sp` format, where `X` is a random character." | ||
description = "Name of resource group of this workspace the service principal is scoped to." | ||
} | ||
|
||
variable "key_vault_name" { | ||
variable "service_principal_id" { | ||
type = string | ||
description = "Name of Key Vault of this workspace, e.g. `fruits-dev-XXXX-kv`, where `X` is a random character." | ||
description = "Client ID for Service Principal" | ||
} | ||
|
||
variable "resource_group_name" { | ||
variable "service_principal_secret" { | ||
type = string | ||
description = "Name of resource group of this workspace, e.g. `fruits-dev-XXXX-rg`, where `X` is a random character." | ||
description = "Client Secret for Service Principal" | ||
sensitive = true | ||
} | ||
|
||
locals { | ||
sp_secret_name = "workspace-sp-secret" | ||
connection_name = "${var.resource_group_name}-connection" | ||
project_name = split("-", var.resource_group_name)[0] == "infra" ? "central-it" : "project-${split("-", var.resource_group_name)[0]}" | ||
} | ||
|
||
# Note: ADO project names are determined based on Resource Group name patterns: | ||
# | ||
# - fruits-dev-u6t7-rg | ||
# - veggies-prod-u6t7-rg | ||
# - infra-shared-u6t7-rg (breaks convetion) |
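Review bot: `variable "resource_group_name"` is now the only input from which main.tf derives the ADO project name (`split("-", var.resource_group_name)[0]`), yet its new description drops the `fruits-dev-XXXX-rg` naming convention the old descriptions documented, and nothing validates the value. A name without the expected prefix silently becomes `project-<prefix>` and only fails later, in the `azuredevops_project` data source lookup, with an unrelated-looking error. I would restore the convention in the description and add a `validation` block so the module rejects bad input at plan time, as below. For `service_principal_secret`, the description could also say where the value is expected to come from now that the Key Vault lookup is gone (presumably a pipeline variable — confirm).
```terraform
variable "resource_group_name" {
  type        = string
  description = "Name of resource group of this workspace, e.g. `fruits-dev-XXXX-rg`; the first `-` separated segment selects the ADO project."
  validation {
    condition     = length(split("-", var.resource_group_name)) >= 2
    error_message = "resource_group_name must follow the <team>-<env>-<id>-rg convention."
  }
}
// … unchanged: service_principal_id and service_principal_secret variables …
```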
This file was deleted.
This file was deleted.
This file was deleted.