Feature/buildingblocks standard vnet conf edit #87
@@ -9,7 +9,7 @@ terraform { | |
|
||
azuread = { | ||
source = "hashicorp/azuread" | ||
version = "~> 2.41.0" | ||
version = "~> 2.45.0" | ||
} | ||
} | ||
} |
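Review bot: The constraint bump to "~> 2.45.0" matches the README requirements table and the new versions.tf in this PR, so the three declarations stay consistent. No .terraform.lock.hcl change is part of the diff, though; if the module commits a lock file it must be refreshed in the same change (terraform init -upgrade), otherwise init will reject the still-locked 2.41.x selection against the new constraint.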
@@ -0,0 +1,59 @@ | ||
--- | ||
name: Buildingblocks-azure-standard-vnet-config | ||
summary: | | ||
Prepares the infrastructure to create a new building block definition for "Azure Virtual Network". | ||
--- | ||
|
||
# Buildingblocks azure virtual network configuration | ||
|
||
This module, will creates a new **Service Principal** and a **Storage Account's Container** which then will be leveraged for generating Terraform's Backend and Provider values. | ||
|
||
## How to use | ||
- Take the "generated-backend.tf" and "generated-provider.tf" inside of "outputs" folder and drop them as encrypted inputs in your buildingblock definition. | ||
<!-- BEGIN_TF_DOCS --> | ||
## Requirements | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 | | ||
| <a name="requirement_azapi"></a> [azapi](#requirement\_azapi) | ~>1.10.0 | | ||
| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 2.45.0 | | ||
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.79.0 | | ||
|
||
## Modules | ||
|
||
No modules. | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|------|------| | ||
| [azapi_resource.container](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/resource) | resource | | ||
| [azuread_application.building_blocks](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource | | ||
| [azuread_application_password.building_blocks_application_pw](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password) | resource | | ||
| [azuread_service_principal.building_blocks_spn](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource | | ||
| [azurerm_role_assignment.building_blocks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | ||
| [local_file.backend](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | | ||
| [local_file.provider](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | | ||
| [time_rotating.building_blocks_secret_rotation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource | | ||
| [azurerm_role_definition.builtin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source | | ||
| [azurerm_storage_account.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source | | ||
| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | | ||
| [azurerm_subscription.sta_subscription](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| <a name="input_backend_tf_config_path"></a> [backend\_tf\_config\_path](#input\_backend\_tf\_config\_path) | n/a | `string` | n/a | yes | | ||
| <a name="input_deployment_scope"></a> [deployment\_scope](#input\_deployment\_scope) | The scope where this service principal have access on. Usually in the format of '/providers/Microsoft.Management/managementGroups/0000-0000-0000' | `string` | n/a | yes | | ||
| <a name="input_provider_tf_config_path"></a> [provider\_tf\_config\_path](#input\_provider\_tf\_config\_path) | n/a | `string` | n/a | yes | | ||
| <a name="input_storage_account_resource_id"></a> [storage\_account\_resource\_id](#input\_storage\_account\_resource\_id) | This is the ID of the storage account resource and it retrievable via panel. It is in the format of '/subscription/<sub\_id>/resourcegroups/<rg\_name>/... | `string` | n/a | yes | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| <a name="output_backend_tf"></a> [backend\_tf](#output\_backend\_tf) | Generates a config.tf that can be dropped into meshStack's BuildingBlock Definition as an encrypted file input to configure this building block. | | ||
| <a name="output_provider_tf"></a> [provider\_tf](#output\_provider\_tf) | Generates a config.tf that can be dropped into meshStack's BuildingBlockDefinition as an encrypted file input to configure this building block. | | ||
<!-- END_TF_DOCS --> |
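Review bot: The two new path inputs, backend_tf_config_path and provider_tf_config_path, appear as "n/a" in the Inputs table; give them a description in the variable declarations (what file is written there, and that the directory must already exist) so terraform-docs regenerates useful rows. In the hand-written part of the same file, "This module, will creates a new Service Principal" should read "This module creates a new Service Principal". Since the resource list includes azuread_application_password and the provider file is written to disk by local_file.provider, the How to use section should also say whether the generated files contain the service principal secret and, if so, that the outputs folder must be excluded from version control; today it only says to upload them as encrypted inputs.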
@@ -3,6 +3,10 @@ variable "storage_account_resource_id" { | |
description = "This is the ID of the storage account resource and it retrievable via panel. It is in the format of '/subscription/<sub_id>/resourcegroups/<rg_name>/..." | ||
} | ||
|
||
variable "backend_tf_config_path" { | ||
type = string | ||
} | ||
|
||
locals { | ||
sta_resource_id = split("/", "${var.storage_account_resource_id}") | ||
sta_subscription_id = local.sta_resource_id[2] | ||
|
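Review bot: variable "backend_tf_config_path" is added with only a type; add a description (this is what produces the "n/a" row in the README) and consider a validation block rejecting an empty string before local_file tries to write to it. Two small things in the context lines are worth fixing while this file is touched: the storage_account_resource_id description reads "it retrievable via panel", and its example prefix '/subscription/<sub_id>/resourcegroups/' does not match the real shape of an Azure resource ID ('/subscriptions/<sub_id>/resourceGroups/'), which matters because the locals below take element 2 of split("/") as the subscription id and only work when the ID has that exact layout. The "${var.storage_account_resource_id}" wrapping in the split call is an interpolation-only expression and can be plain var.storage_account_resource_id.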
@@ -14,35 +18,65 @@ data "azurerm_subscription" "sta_subscription" { | |
subscription_id = local.sta_subscription_id | ||
} | ||
|
||
data "azurerm_storage_account" "tfstates" { | ||
name = local.sta_name | ||
resource_group_name = local.sta_rg_name | ||
} | ||
|
||
// There is still an issue when creating a container in a storage account with disabled 'Access Key' in azurerm provider (v3.77). | ||
// We will use 'azapi' instead, until it get fixed in the newer version of Azurerm. | ||
# resource "azurerm_storage_container" "tfstates" { | ||
# name = "tfstates-standard-vnet" | ||
# storage_account_name = data.azurerm_storage_account.tfstates.name | ||
# container_access_type = "blob" | ||
# } | ||
|
||
resource "azapi_resource" "container" { | ||
type = "Microsoft.Storage/storageAccounts/blobServices/containers@2022-09-01" | ||
name = "tfstates-standard-vnet" | ||
parent_id = "${data.azurerm_storage_account.tfstates.id}/blobServices/default" | ||
body = jsonencode({ | ||
properties = { | ||
defaultEncryptionScope = "$account-encryption-key" | ||
Q: Which encryption scope does What's the advantage of a dedicated scope over using the scope created for the storage account?
This is the default one that the other containers have. In general you can change the encryption key on the blob level if, e.g., different teams use the same storage account. Can be Microsoft-managed or customer-managed keys.
If it's the default one, can we leave it out of the definition or does it have to be here?
It has to be there; azapi is a bit different, needs more manual intervention.
||
denyEncryptionScopeOverride = true | ||
immutableStorageWithVersioning = { | ||
enabled = false | ||
} | ||
metadata = {} | ||
publicAccess = "None" | ||
} | ||
}) | ||
} | ||
output "backend_tf" { | ||
sensitive = true | ||
description = "Generates a config.tf that can be dropped into meshStack's BuildingBlockDefinition as an encrypted file input to configure this building block." | ||
description = "Generates a config.tf that can be dropped into meshStack's BuildingBlock Definition as an encrypted file input to configure this building block." | ||
value = <<EOF | ||
terraform { | ||
backend "azurerm" { | ||
tenant_id = "${data.azurerm_subscription.sta_subscription.tenant_id}" | ||
subscription_id = "${local.sta_subscription_id}" | ||
resource_group_name = "${local.sta_rg_name}" | ||
storage_account_name = "${local.sta_name}" | ||
container_name = "tfstates" | ||
container_name = "${azapi_resource.container.name}" | ||
key = "building-block-standard-vnet" | ||
} | ||
} | ||
EOF | ||
} | ||
|
||
resource "local_file" "backend" { | ||
filename = "./outputs/generated-backend.tf" | ||
filename = var.backend_tf_config_path | ||
content = <<-EOT | ||
terraform { | ||
backend "azurerm" { | ||
tenant_id = "${data.azurerm_subscription.sta_subscription.tenant_id}" | ||
subscription_id = "${local.sta_subscription_id}" | ||
resource_group_name = "${local.sta_rg_name}" | ||
storage_account_name = "${local.sta_name}" | ||
container_name = "tfstates" | ||
container_name = "${azapi_resource.container.name}" | ||
key = "building-block-standard-vnet" | ||
} | ||
} | ||
EOT | ||
} | ||
|
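Review bot: The commented-out azurerm_storage_container block should be deleted rather than kept: the two // lines above it already record why azapi is used (azurerm v3.77 cannot create a container in an account with access keys disabled), and the dead block is the only place carrying container_access_type = "blob", which would expose the state container to anonymous read if someone revived it. The azapi definition's publicAccess = "None" is the right setting for a container holding Terraform state and should stay. Switching container_name to "${azapi_resource.container.name}" in both the output and local_file fixes the earlier mismatch between the hard-coded "tfstates" and the created "tfstates-standard-vnet", but the backend block is now duplicated verbatim between output "backend_tf" and resource "local_file" "backend"; define it once in a local and reference it from both so they cannot drift again. On the encryption-scope question in the thread: "$account-encryption-key" is the account's default scope, and denyEncryptionScopeOverride = true pins every blob to it and blocks per-blob overrides, which is the behaviour you want for state files.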
@@ -0,0 +1,42 @@ | ||
include "platform" { | ||
path = find_in_parent_folders("platform.hcl") | ||
expose = true | ||
} | ||
|
||
dependency "bootstrap" { | ||
config_path = "${path_relative_from_include()}/bootstrap" | ||
} | ||
|
||
terraform { | ||
source = "${get_repo_root()}//kit/azure/buildingblocks/standard-vnet-configuration" | ||
} | ||
generate "provider" { | ||
path = "provider.tf" | ||
if_exists = "overwrite" | ||
contents = <<EOF | ||
provider "azurerm" { | ||
features {} | ||
skip_provider_registration = true | ||
tenant_id = "${include.platform.locals.platform.azure.aadTenantId}" | ||
subscription_id = "${include.platform.locals.platform.azure.subscriptionId}" | ||
client_id = "${dependency.bootstrap.outputs.client_id}" | ||
client_secret = "${dependency.bootstrap.outputs.client_secret}" | ||
} | ||
provider "azapi" { | ||
tenant_id = "${include.platform.locals.platform.azure.aadTenantId}" | ||
subscription_id = "${include.platform.locals.platform.azure.subscriptionId}" | ||
client_id = "${dependency.bootstrap.outputs.client_id}" | ||
client_secret = "${dependency.bootstrap.outputs.client_secret}" | ||
} | ||
EOF | ||
} | ||
|
||
inputs = { | ||
# todo: set input variables | ||
storage_account_resource_id = dependency.bootstrap.outputs.module_storage_account_resource_id | ||
|
||
#"The scope where this service principal have access on. Usually in the format of '/providers/Microsoft.Management/managementGroups/0000-0000-0000'" | ||
deployment_scope = "/providers/Microsoft.Management/managementGroups/XXXXXXXX" | ||
backend_tf_config_path = "${get_repo_root()}//kit/azure/buildingblocks/standard-vnet-configuration/outputs/generated-backend.tf" | ||
provider_tf_config_path = "${get_repo_root()}//kit/azure/buildingblocks/standard-vnet-configuration/outputs/generated-provider.tf" | ||
} |
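Review bot: The inputs block still carries "# todo: set input variables" and a placeholder deployment_scope of "/providers/Microsoft.Management/managementGroups/XXXXXXXX"; either source the management group from the platform include, as the tenant and subscription ids above are, or mark this file as a template, otherwise a plan runs against a non-existent scope and the role assignment fails. The generate "provider" block writes client_secret from dependency.bootstrap.outputs into provider.tf as plain text in the working directory; that is normal terragrunt behaviour, but confirm provider.tf and the outputs/ directory are gitignored. Lastly, backend_tf_config_path and provider_tf_config_path reuse the "${get_repo_root()}//kit/..." form: the double slash is the terragrunt module-root separator and is meaningful in terraform.source, but in a plain file path it is just a stray slash, so use a single slash there.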
@@ -0,0 +1,17 @@ | ||
terraform { | ||
required_version = ">= 1.0" | ||
required_providers { | ||
azurerm = { | ||
source = "hashicorp/azurerm" | ||
version = ">= 3.79.0" | ||
} | ||
azuread = { | ||
source = "hashicorp/azuread" | ||
version = "~> 2.45.0" | ||
} | ||
azapi = { | ||
source = "Azure/azapi" | ||
version = "~>1.10.0" | ||
} | ||
} | ||
} |
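Review bot: The azapi constraint "~>1.10.0" omits the space the other two constraints use ("~> 2.45.0", ">= 3.79.0"); Terraform accepts both, but terraform fmt and terraform-docs render them differently, as the README row already shows. Also, local_file and time_rotating appear in the README resource list but are not declared in required_providers; Terraform resolves them implicitly from the hashicorp namespace, but declaring and pinning them here keeps the lock file deterministic.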
Can you add a comment on why it's commented out, or remove it?
We are creating the container using another provider here.
Agreed, please remove it (or add a comment why it's there but commented out, but if there is another provider, removing it seems better to me).