
Moving to az do live subscription #24

Merged
merged 18 commits into from Aug 6, 2019
Merged
2 changes: 1 addition & 1 deletion .gitignore
Expand Up @@ -7,4 +7,4 @@

# .tfvars files
*.tfvars
*.tfvars.*
tfplan
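Review bot: Whichever of `*.tfvars` and `*.tfvars.*` is the new line, the resulting pattern has to keep the decrypted `secrets.auto.tfvars` that `make decrypt` writes out of the repository, and `*.tfvars.*` does not match that name (it matches `secrets.auto.tfvars.enc`, which this PR commits), whereas `*.tfvars` does. The rendering does not show which line is the addition, so please confirm the file ends up ignoring the plaintext and not the `.enc`; `*.tfvars` followed by an explicit `!*.tfvars.enc` would make the intent unambiguous to the next reader.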
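--- /dev/null
+++ b/Makefile
@@ -0,0 +1,42 @@
+DECRYPT= ./secret -d
+ENCRYPT= ./secret
+PLAN= tfplan
+PLAINTEXT= secrets.auto.tfvars
+ENCRYPTED= ${PLAINTEXT}.enc
+TF= terraform
+
+all: login apply clean
+
+clean:
+@rm -f ${PLAINTEXT} ${PLAN}
+
+plan: ${PLAN}
+
+${ENCRYPTED}: encrypt
+${PLAINTEXT}: decrypt
+
+${PLAN}: ${PLAINTEXT}
+@-echo "Validating ..."
+@${TF} validate
+@-echo "Creating ${PLAN} ..."
+@${TF} plan -out=${PLAN} -input=false
+
+login:
+@-echo "Azure Login ..."
+@az login --service-principal -u ${ARM_CLIENT_ID} -p ${ARM_CLIENT_SECRET} --tenant ${ARM_TENANT_ID}
+
+decrypt:
+@-echo "Decrypting ${ENCRYPTED} > ${PLAINTEXT} ..."
+@${DECRYPT} ${ENCRYPTED} > ${PLAINTEXT}
+
+encrypt:
+@-echo "Encrypting ${PLAINTEXT} > ${ENCRYPTED} ..."
+${ENCRYPT} ${PLAINTEXT} > ${ENCRYPTED}
+
+init:
+@-echo "Initialising ..."
+@${TF} init -input=false
+
+apply: ${PLAN}
+@-echo "Applying ${PLAN} ..."
+@${TF} apply -input=false -auto-approve tfplan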
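Review bot: `all: login apply clean` leaves the decrypted `secrets.auto.tfvars` on disk whenever `apply` (or the `plan` step it depends on) fails, because `clean` is an ordinary prerequisite that only runs after `apply` has succeeded; removing the plaintext unconditionally at the end of the `apply` and `${PLAN}` recipes, or keeping the decrypted content in a pipe rather than a file, would bound how long the secrets sit unencrypted in the checkout. The `login` recipe passes the service-principal secret as `-p ${ARM_CLIENT_SECRET}` in argv, which is visible in the process table to every local user for the duration of the call even though the line is `@`-silenced; where the pipeline's AzureCLI task has already authenticated, `login` can be dropped from `all`, and for interactive use an authentication path that keeps the secret out of argv should be preferred. Separately, `apply` hardcodes `tfplan` instead of `${PLAN}` (`@${TF} apply -input=false -auto-approve ${PLAN}`), and none of `all clean plan login decrypt encrypt init apply` are declared `.PHONY`, so a stray file named `plan` or `clean` in the checkout silently disables that target.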
66 changes: 41 additions & 25 deletions README.md
Expand Up @@ -36,51 +36,67 @@ Any terraform variables can be defined as an environmental, but will need the p

you will also notice in the pipeline.yml that the plan step is being passed some `env:` values, these are secret values that are not available by default so need to be opted in.

## initialise terraform
## secrets.auto.tfvars.enc

Some secrets are encrypted and stored in the source code. the secret used is the access key found in the terraform vault for this project. these are decrypted and encypted using the `./secret` script.

## initialise terraform using make

- Install make, for windows, this is easily done with chocolatey `choco install make`
- Remember that make runs best from bash.

- You will also need the access key stored as an environmental add a line to your .bash_profile to `export ARM_ACCESS_KEY="<fromVault>"`

**N.B.** If you do not have access to make, you will still be able to run the standard `terraform` commmand.

```shell
teraform init
make init
```

## test what it might do

```shell
terraform plan
make plan
```

## Apply changes

```shell
terraform apply
make apply
```

You have to provide `-auto-approve` to get it not to ask you "are you sure?"

## What is missing

you will need a local `terraform.tfvars` file to map the required variable against.
you will need some extra variable if you are running local `.tfvars`.

```shell
BRANCH = "master"
PREFIX = "agents"
TAGS = {
ENVIRONMENT = "DEV"
SERVICE = "AzDO"
SERVICE_OWNER = "Bob Martin"
RESPONSIBLE_TEAM = "Digital"
}
```

an example of the vars needed are listed below:

**NOTE** this terraform is not used to build the VNET, as there are other systems pinning to that. So these are referenced as known data objects. To run this you will need to create a separate RG for you VNET and internal and then provide those details at the run time of this process.

the secrets that are decrypted are for the following variables:

```shell
PREFIX = "agent-prefix"
VNET_NAME = "existing-vnetname"
INTERNAL_NETWORK_NAME = "existing-internalname"
VNET_RG = "existing-vnetrg"
AZURE_CLIENT_ID = "AZURE_CLIENT_ID"
AZURE_SUBSCRIPTION_ID = "AZURE_SUBSCRIPTION_ID"
AZURE_CLIENT_SECRET = "AZURE_CLIENT_SECRET"
AZURE_TENANT_ID = "AZURE_TENANT_ID"
AZURE_REGION = "<Region>"
VSTS_TOKEN = "xyz"
VSTS_POOL_PREFIX = "PoolNamePrefix"
VSTS_ACCOUNT = "VSTS_ACCOUNT"
ADMIN_USERNAME = "account"
ADMIN_PASSWORD = "Password"
ADMIN_SSHKEYPATH = "/home/azureagent/.ssh/authorized_keys"
ADMIN_SSHKEYDATA = "ssh-rsa xxxxadasdasdasd"
SERVERNAMES = ["VM01", "VM02", "VM03", "VM04"]
BRANCH = "master"
ADMIN_PASSWORD = "<PASSWORD>"
ADMIN_SSHKEYDATA = "<SSHRSA>"
VNET_NAME = "<VNETNAME>"
INTERNAL_NETWORK_NAME = "<SUBNETNAME>"
VNET_RG = "<RG>"
AZURE_REGION = "<REGION>"
VSTS_POOL_PREFIX = "TEST"
VSTS_ACCOUNT = "<VSTSAccount>"
VSTS_TOKEN = "<PATTOKEN>"
ADMIN_USERNAME = "agentagents"
ADMIN_SSHKEYPATH = "/home/agentagents/.ssh/authorized_keys"
SERVERNAMES = ["VM01", "VM02", "VM03", "VM04", "VM05", "VM06"]
```
11 changes: 3 additions & 8 deletions azure-pipelines.yml
Expand Up @@ -10,20 +10,15 @@ pr: none

pool:
vmImage: 'ubuntu-latest'

container: ant59/terraform-azure-make:latest
steps:
- bash: terraform -v
displayName: 'terraform version'
- task: AzureCLI@1
inputs:
azureSubscription: 'TPE General Dev'
azureSubscription: 'AzDo Live'
scriptLocation: 'scriptPath'
scriptPath: 'tfplan.sh'
arguments: |
tpe-keyvault
terraform-ukhogov
env:
TF_VAR_ADMIN_PASSWORD: $(TF_VAR_ADMIN_PASSWORD)
TF_VAR_ADMIN_SSHKEYDATA: $(TF_VAR_ADMIN_SSHKEYDATA)
TF_VAR_BRANCH: $(Build.SourceBranchName)
displayName: 'plan and apply'
displayName: 'initialise, plan and apply'
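Review bot: If the `env:` block mapping `TF_VAR_ADMIN_PASSWORD`, `TF_VAR_ADMIN_SSHKEYDATA` and `TF_VAR_BRANCH` is on the removed side (the rendering does not show which of the duplicated lines are old and new), `tfplan.sh` now has to obtain the decryption key that `./secret` reads from `ARM_ACCESS_KEY` by some other route: Azure Pipelines does not expose secret variables to scripts as environment variables unless they are mapped explicitly in an `env:` block, and the `AzureCLI@1` inputs shown here map nothing. Please confirm that `tfplan.sh` (outside this diff) either receives `ARM_ACCESS_KEY` via `env:` or fetches it from the key vault named in `arguments:`. If the script still invokes `make login`, the same applies to `ARM_CLIENT_ID`, `ARM_CLIENT_SECRET` and `ARM_TENANT_ID`; the task's `addSpnToEnvironment` input is the usual way to hand the service connection's credentials to the script without a second secret store.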
2 changes: 1 addition & 1 deletion modules/azdo_ubuntuagent/main.tf
Expand Up @@ -19,7 +19,7 @@ resource "azurerm_virtual_machine" "VM" {
location = "${var.AZURERM_RESOURCE_GROUP_MAIN_LOCATION}"
resource_group_name = "${var.AZURERM_RESOURCE_GROUP_MAIN_NAME}"
network_interface_ids = ["${azurerm_network_interface.VM.id}"]
vm_size = "Standard_F8s_v2"
vm_size = "Standard_F8s"
delete_os_disk_on_termination = true
delete_data_disks_on_termination = true

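--- /dev/null
+++ b/modules/azdo_ubuntuagent/outputs.tf
@@ -0,0 +1,3 @@
+output "vmName" {
+value = azurerm_virtual_machine.VM.name
+}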
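Review bot: The new `vmName` output in `modules/azdo_ubuntuagent/outputs.tf` carries no `description`, and the same applies to the identical output added in `modules/azdo_ws2019agent/outputs.tf`; callers of these modules see only the attribute name. Suggested line inside each `output` block: `description = "Name of the agent virtual machine created by this module"`. The unquoted `value = azurerm_virtual_machine.VM.name` is Terraform 0.12 expression syntax, while `modules/azdo_ubuntuagent/main.tf` in this same PR still uses `"${...}"` interpolation and `type = "string"`; that is accepted on 0.12, but the mixed styles are worth a check against the Terraform version the container image actually runs.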
4 changes: 2 additions & 2 deletions modules/azdo_ws2019agent/main.tf
@@ -1,8 +1,8 @@
data "azurerm_shared_image_version" "existing" {
name = "0.153.3"
name = "0.154.3"
gallery_name = "UKHOSharedImageGallery"
image_name = "azure-pipelines-image-vs2019-ws2019"
resource_group_name = "UKHOSharedImageGalleryRG"
resource_group_name = "AzDOLive-SharedImageGallery"
}

resource "azurerm_network_interface" "WSVM" {
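--- /dev/null
+++ b/modules/azdo_ws2019agent/outputs.tf
@@ -0,0 +1,3 @@
+output "vmName" {
+value = azurerm_virtual_machine.WSVM.name
+}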
2 changes: 0 additions & 2 deletions modules/azdo_ws2019agent/variables.tf
Expand Up @@ -51,11 +51,9 @@ variable "AZURERM_SUBNET_ID" {
variable "AZURERM_NETWORK_SECURITY_GROUP_MAIN_ID" {
type = "string"
}

variable "BRANCH" {
type = "string"
}

variable "VSTS_AGENT_COUNT" {
type = number
description = "The number of Azure DevOps agents to install on the VM"
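--- /dev/null
+++ b/secret
@@ -0,0 +1,59 @@
+#! /bin/bash
+
+PROG=$(basename $0)
+
+printerr() {
+echo "$@" 1>&2
+}
+
+usage() {
+printerr "Usage: $PROG [-d] [-k <key>] file"
+printerr " $PROG -h"
+[ -n "$1" ] && exit 1
+}
+
+help() {
+usage
+printerr " -d decrypt. Default is to encrypt"
+printerr " -h help"
+printerr " -k <key> Key. Default \$ARM_ACCESS_KEY"
+exit 0
+}
+
+fail() { printerr "$@"; exit 1; }
+
+while getopts ":df:hk:" o; do
+case "${o}" in
+d)
+DECRYPT=1
+;;
+h)
+help
+;;
+k)
+K=$OPTARG
+;;
+*)
+usage 1
+;;
+esac
+done
+shift $((OPTIND-1))
+
+[ "$#" != "1" ] && usage && exit 0
+
+KEY=${K:-$ARM_ACCESS_KEY}
+FILE=$1
+
+[ -z "$KEY" ] && fail "Key not specified"
+[ ! -f "$FILE" ] && fail "$FILE: no such file"
+
+OPENSSL="openssl enc -aes-256-cbc -md md5 -k $KEY"
+
+if [ -n "$DECRYPT" ]
+then
+base64 -d $FILE | $OPENSSL -d
+else
+$OPENSSL -in $FILE | base64
+fi
+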
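Review bot: `OPENSSL="openssl enc -aes-256-cbc -md md5 -k $KEY"` hands the key to `openssl` as a command-line argument, so it is readable in the process list by any local user while `openssl` runs, and `-k` with `-md md5` derives the key through a single MD5 pass (EVP_BytesToKey) rather than a slow KDF; `openssl enc` accepts `-pass env:ARM_ACCESS_KEY` (after `export ARM_ACCESS_KEY`, or an exported `KEY`) and `-pbkdf2` on OpenSSL 1.1.1 and later, which addresses both, though every existing `.enc` file would have to be re-encrypted once the KDF changes. CBC gives no integrity, so a corrupted or modified blob decrypts to garbage without any error; git history offers some protection for committed blobs, but nothing checks it at decrypt time. `[ "$#" != "1" ] && usage && exit 0` returns success on a usage error, which matters because the Makefile runs `./secret -d file > secrets.auto.tfvars` and would treat an empty output file as a successful decrypt — it should `exit 1`. `$FILE` is unquoted in `base64 -d $FILE` and `-in $FILE`, and `getopts ":df:hk:"` declares an `-f <arg>` option that no `case` branch handles.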
18 changes: 18 additions & 0 deletions secrets.auto.tfvars.enc
@@ -0,0 +1,18 @@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53 changes: 53 additions & 0 deletions startup/main.tf
@@ -0,0 +1,53 @@
terraform {
backend "azurerm" {
resource_group_name = "AzDoLive-rg"
storage_account_name = "azdolivestorageaccount"
container_name = "azdolivecontainer"
key = "subscription.tfstate"
}
}

data "azurerm_client_config" "current" {}

data "azurerm_subscription" "current" {

}

data "azurerm_resource_group" "main" {
name = "${var.PROJECT_IDENTITY}-rg"
}

module "keyvault4tf" {
source = "github.com/ukho/terraform-modules/TerraformKeyVaultSecrets"
ResourceGroupName = "${data.azurerm_resource_group.main.name}"
SubscriptionId = "${var.SUBSCRIPTION_ID}"
SubscriptionName = "${var.PROJECT_IDENTITY}"
AdminAccessObjectId = "${var.AdminAccessObjectId}"
TenantId = "${var.TENANT_ID}"
ClientId = "${var.CLIENT_ID}"
ClientSecret = "${var.CLIENT_SECRET}"
AccessKey = "${var.ACCESS_KEY}"
PipelineSp = "${var.PIPELINE_SP}"
Location = "${data.azurerm_resource_group.main.location}"
tags = "${var.TAGS}"
}

module "staticVNet" {
source = "github.com/UKHO/terraform-modules/vnet"
rg = "${data.azurerm_resource_group.main.name}"
loc = "${data.azurerm_resource_group.main.location}"
tags = "${var.TAGS}"
name = "${var.PROJECT_IDENTITY}-network"
addressspace = ["10.1.0.0/16"]
dnsservers = []
subnet_names = ["${var.PROJECT_IDENTITY}-internal"]
subnet_prefixes = ["10.1.0.0/24"]
}

module "nsgAssignment" {
source = "github.com/UKHO/terraform-modules/networksecuritygroup"
rg = "${data.azurerm_resource_group.main.name}"
loc = "${data.azurerm_resource_group.main.location}"
nsg_name = "${var.PROJECT_IDENTITY}-nsg"
vnet_subnet_id = "${module.staticVNet.vnet_subnet_id}"
}
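Review bot: The three `module` sources (`github.com/ukho/terraform-modules/TerraformKeyVaultSecrets`, `.../vnet`, `.../networksecuritygroup`) carry no `?ref=`, so `terraform init` fetches whatever the upstream default branch holds at that moment and a change there alters the key vault and network definition of this subscription with no change in this repository; pin each to a tag or commit, e.g. `source = "github.com/UKHO/terraform-modules/vnet?ref=<tag-or-sha>"`. `data "azurerm_client_config" "current"` and `data "azurerm_subscription" "current"` are declared but unused in this file, while `var.CLIENT_ID`, `var.TENANT_ID` and `var.SUBSCRIPTION_ID` are fed from the encrypted tfvars; `data.azurerm_client_config.current` exposes `client_id`, `tenant_id` and `subscription_id`, which would keep those values tied to the identity actually running the plan — assuming that identity is the one the key vault module should record. `ClientSecret` and `AccessKey` passed into `keyvault4tf` will be persisted in the remote state under `azdolivestorageaccount`, so read access to that storage account needs the same restriction as the vault itself, and the state key should be noted in the README alongside the `.enc` files.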
13 changes: 13 additions & 0 deletions startup/terraform.tfvars.enc
@@ -0,0 +1,13 @@
U2FsdGVkX1/GGY4zUIZLJea4q/9/bi9PNPKYJmcgYD5bVPBFmI3Y4lENF3sMkjw7E23twvUuRbQQ
6JIPLjJ2yZJxBO5YrjD/+uTKwSPhXlEJ65YThIMt5287cU/jcuPN19UeQBId8MBBq/kp+Bn8DbWe
IjyxGISCa/XnqEBGg6Gmeg/LN0sfXAfsE6GsHbpY5isH6MQt24TqQ3JJN/G7Iem2eBpXaYtrHb6o
f85ehMO1xkJZMIL+hqcb5ICClIBFC/8Tuzbo0BVBvPKER03Z+H+RjmrPOZ3qbpLzyiwspSyP4LJf
IFaBIuXrn5JWmakiVHLRbdPG8ueNL6s/JzpzmC6zzNR2LpaHUfLKdReZIgCbmuhgI48CEG/IdAkV
qo4sSZ3r6HeHHUrjgihlzJGKy/mQNqqtXwRiGXwQ59ZmjnbAwfw/9WFrwkKXYP7ZZD4iEF2aLbIm
YkmYIdPnhBEEefEWREonulf3lMN7AG0wE/9pcDVXhJ5HPyGIhyUisjGjkot0DI8M0gFF/Da40Wbx
OTS/5m2QOoaY16Yr7yPNWzV8dFbUzs1QV+XKc3wSPavYj6WF5wZH6pj0bgT6yj9mTSWy09MV+kmw
+u2V5JwfQ/lQTB82qGIZyXziNHhzX+UzdYPX11hmE5E4PBkF9SUcuRhKxfbHmbyzCGPQmSglo4HI
3EsgeRARIY2+W+pMAmFYvv8eI7cMDblvOw1jsMtvO3Bh4jZH1En0OQQiXhwJ3y5rT5mzFuwmzv2i
nB0kri1/dgViupIAJBWykJEukdTqKBjJl6AjQ/BGcZMAYMsSQWd3TVkmZ97o1c0fzN18abTUj+0r
gOjWnDxVD4UkNpyIWsb+KzfFzM257n4vN6TKxFY9CcRcH9TyAPL8FvPJx8RPArT+1GX7Z6HCGfBS
mrg75SbcRQTMQBnIL587c3fy+EyETRKlcym0HH1sIQX9Lrga