From 46aa62e6a5a0fd35e209234b8369e3041ed18e41 Mon Sep 17 00:00:00 2001 From: Richard Hagen Date: Thu, 19 Dec 2024 11:47:53 +0100 Subject: [PATCH] Remove unused scripts and fixes outdated scripts (#1558) * Remove unused scripts * Fix check_terraform.yaml * fix typo * fix typo * use vars instead of secrets * fix more typos * print errors from terraform * use oidc and azuread * move terraform env variables to terraform step * fix clean cache registry * fix vars * Add contributor to app cache to gitrunner * fix contributor in playground * fix contributor in prod * replace ' with " * update lock-resources to use new gitrunner * cleanup start/stop clusters --- .github/workflows/aksplan.yaml | 16 +- .github/workflows/azureAuditlog.yml | 246 ------------------ .github/workflows/check_terraform.yaml | 162 +++--------- .github/workflows/clean-cache-registry.yml | 76 ++---- .github/workflows/lock-resources.yml | 68 ++--- .github/workflows/sqlLogStorageAccounts.yml | 235 ----------------- .github/workflows/startclusters.yml | 7 +- .github/workflows/stopclusters.yml | 5 +- .github/workflows/storageaccounts.yml | 144 ---------- .github/workflows/terraform.yml | 238 ----------------- .../subscriptions/s940/c2/common/main.tf | 4 + .../subscriptions/s940/prod/common/main.tf | 4 + .../subscriptions/s941/dev/common/main.tf | 4 + .../s941/playground/common/main.tf | 24 +- terraform/subscriptions/scripts/terraform.sh | 20 +- 15 files changed, 159 insertions(+), 1094 deletions(-) delete mode 100644 .github/workflows/azureAuditlog.yml delete mode 100644 .github/workflows/sqlLogStorageAccounts.yml delete mode 100644 .github/workflows/storageaccounts.yml delete mode 100644 .github/workflows/terraform.yml diff --git a/.github/workflows/aksplan.yaml b/.github/workflows/aksplan.yaml index 13d17ac55..13c7ae6e1 100644 --- a/.github/workflows/aksplan.yaml +++ b/.github/workflows/aksplan.yaml 
@@ -2,7 +2,7 @@ name: AKS Plan on: pull_request: paths: - - terraform/subscriptions/** + - terraform/subscriptions/** workflow_dispatch: jobs: terraform-plan: @@ -33,12 +33,14 @@ jobs: uses: actions/checkout@v4 #Clone Repo with: fetch-depth: '2' + - name: Extract data id: data run: | FILENAME=terraform/subscriptions/${{matrix.target.subscription}}/${{matrix.target.name}}/config.yaml echo "FILENAME=${FILENAME}" >> $GITHUB_OUTPUT echo "Checking file: ${FILENAME}" + - name: Check if files changed id: changes run: | @@ -48,6 +50,7 @@ jobs: else echo "changed=true" >> $GITHUB_OUTPUT fi + - name: 'Az login' if: steps.changes.outputs.changed == 'true' uses: azure/login@v2 @@ -55,10 +58,12 @@ jobs: client-id: ${{ env.ARM_CLIENT_ID }} tenant-id: ${{ env.ARM_TENANT_ID }} subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }} + - name: Get GitHub Public IP id: github_public_ip if: steps.changes.outputs.changed == 'true' run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT + - name: Add GitHub IP to StorageAccount if: steps.changes.outputs.changed == 'true' run: | @@ -66,20 +71,25 @@ jobs: --resource-group "${{ matrix.target.subscription }}-tfstate" \ --account-name "${{ matrix.target.subscription }}radixinfra" \ --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null + - name: Add GitHub IP to KeyVault if: steps.changes.outputs.changed == 'true' run: | az keyvault network-rule add --name "radix-keyv-${{ matrix.target.name }}" \ --resource-group "common-${{ matrix.target.name }}" \ --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null + - name: Lets sleep for 30 seconds for FW rule to complete if: steps.changes.outputs.changed == 'true' run: sleep 30s + - name: Setup Terraform if: steps.changes.outputs.changed == 'true' + id: update_firewall uses: hashicorp/setup-terraform@v3 with: terraform_version: 'latest' + - name: Terraform Init & Plan if: steps.changes.outputs.changed == 'true' id: init 
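Review bot: `id: update_firewall` is placed on the `Setup Terraform` step, not on the `Add GitHub IP to KeyVault` step whose rule the later revoke step is meant to undo, so the revoke condition tracks whether hashicorp/setup-terraform succeeded rather than whether the Key Vault network rule was added. If the Key Vault rule is added and setup-terraform then fails, the runner's public IP (GitHub-hosted egress addresses are shared with other tenants) stays allow-listed on `radix-keyv-<env>`. Move the id onto the network-rule step: `- name: Add GitHub IP to KeyVault` / `id: update_firewall`, and give the storage-account add step its own id if it is to be tracked separately. The job definition continues past this hunk.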
@@ -89,6 +99,7 @@ jobs: run: | terraform -chdir="./terraform/subscriptions/${{ matrix.target.subscription }}/${{ matrix.target.name }}/pre-clusters" init terraform -chdir="./terraform/subscriptions/${{ matrix.target.subscription }}/${{ matrix.target.name }}/pre-clusters" plan + - name: Revoke GitHub IP on StorageAccount if: steps.changes.outputs.changed == 'true' run: | @@ -96,8 +107,9 @@ jobs: --resource-group "${{ matrix.target.subscription }}-tfstate" \ --account-name "${{ matrix.target.subscription }}radixinfra" \ --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null + - name: Revoke GitHub IP on KeyVault - if: steps.changes.outputs.changed == 'true' + if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed run: | az keyvault network-rule remove --name "radix-keyv-${{ matrix.target.name }}" \ --resource-group "common-${{ matrix.target.name }}" \ diff --git a/.github/workflows/azureAuditlog.yml b/.github/workflows/azureAuditlog.yml deleted file mode 100644 index 009ecc791..000000000 --- a/.github/workflows/azureAuditlog.yml +++ /dev/null 
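Review bot: The Key Vault revoke step now runs after a failure thanks to `!cancelled()`, but the `Revoke GitHub IP on StorageAccount` step just above keeps `if: steps.changes.outputs.changed == 'true'`, which is skipped whenever `Terraform Init & Plan` fails, leaving the runner IP allow-listed on the `<subscription>radixinfra` state account. Apply the same pattern there: `if: ${{ steps.changes.outputs.changed == 'true' && !cancelled() }}`, preferably keyed on an `id` set on the storage-account add step as lock-resources.yml does. The Key Vault revoke condition also drops the `changed == 'true'` guard; this still works because a skipped `update_firewall` has outcome `skipped`, but that coupling deserves a one-line comment so the next edit does not break it.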
@@ -1,246 +0,0 @@ -name: AzureAuditLogs - -on: [workflow_dispatch] -# on: -# push: -# branches: -# - master -# paths: -# - '.github/workflows/azureAuditlog.yml' -# - 'arm-templates/azureAuditLogStorageAccount.json' - -# pull_request: -# branches: -# - master -# paths: -# - '.github/workflows/azureAuditlog.yml' -# - 'arm-templates/azureAuditLogStorageAccount.json' - -env: - # Prod - prodSubscriptionId: 'ded7ca41-37c8-4085-862f-b11d21ab341a' - - # Dev - devSubscriptionId: '16ede44b-1f74-40a5-b428-46cca9a5741b' - - # Shared - settingName: azureauditlog - auditLogStorageName: radixazauditlogs - -jobs: -############## DEV STAGE ############## - - dev: - runs-on: ubuntu-latest - env: - envName: dev - devRgName: rg-radix-shared-dev - steps: - - # Checks-out your repository under $GITHUB_WORKSPACE - - uses: actions/checkout@v4 - - # Set dynamic variables for the job - - name: Set job variables - shell: pwsh - run: | - - # Set timestamp variable for jobs - $currentTime = (get-date).ToString("dd-MM-yyyyThhMMZ") - echo "timestamp=$currentTime" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - - # Install powershell modules - - name: Install powershell modules - shell: pwsh - run: | - - Install-Module az.resources -force - Install-Module az.storage -force - - # Azure login for powershell - - name: Azure login - shell: pwsh - run: | - $azureAplicationId = "${{ secrets.DEV_AZURE_CREDENTIALS_CLIENT_ID }}" - $azureTenantId = "${{ secrets.AZURE_TENANT_ID }}" - $azurePassword = ConvertTo-SecureString "${{ secrets.DEV_AZURE_CREDENTIALS_CLIENT_SECRET }}" -AsPlainText -Force - $psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword) - Add-azAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal - - - # Set subsctiption to develop and verify - - name: Set Azure subscription - shell: pwsh - run: | - - Set-AzContext -SubscriptionId "${{ env.devSubscriptionId }}" - - $subscription = (Get-AzContext) - if 
($subscription.Subscription.Id -eq "${{ env.devSubscriptionId }}") { - Write-Output "Using subscription $($subscription.subscription.Name)" - exit 0 - - } - else { - Write-Output "Subscription does not match. Terminating script" - exit 1 - } - - # Create storage account for Azure audit logs - - name: Storage Account for Azure Subscription Audit logs - shell: pwsh - run: | - - # Set task variables - $rg = "${{ env.devRgName }}" - $templateFile = "$env:GITHUB_WORKSPACE/arm-templates/azureAuditLogStorageAccount.json" - $storeAccountName = "${{ env.auditLogStorageName }}${{ env.envName }}" - - # Deploy Storage Account for Audit logs - New-AzResourceGroupDeployment ` - -Name "sql-log-${{ env.timestamp }}" ` - -ResourceGroupName $rg ` - -TemplateFile $templateFile ` - -storageAccountName $storeAccountName ` - -accountType Standard_LRS ` - -kind StorageV2 ` - -accessTier cool - - - # Enable auditlog for dev subsciption - - name: Enable auditlog for dev subsciption - shell: pwsh - run: | - - # Set variables - $rg = "${{ env.devRgName }}" - $templateFile = "$env:GITHUB_WORKSPACE/arm-templates/auditlogs.json" - $storeAccountName = "${{ env.auditLogStorageName }}${{ env.envName }}" - $storageAccountId = (Get-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $storeAccountName).Id - - # Deploy the ARM template - New-AzDeployment ` - -Name "auditlog-${{ env.timestamp }}" ` - -Location "norwayeast" ` - -TemplateFile $templateFile ` - -settingName ${{ env.settingName }} ` - -storageAccountId "$storageAccountId" - - # Azure logout - - name: logout - shell: pwsh - run: | - Logout-azAccount | Out-Null - - -############## PROD STAGE ############## - - prod: - needs: dev - if: github.ref == 'refs/heads/master' - runs-on: ubuntu-latest - env: - envName: prod - prodRgName: rg-radix-shared-prod - steps: - - # Checks-out your repository under $GITHUB_WORKSPACE - - uses: actions/checkout@v4 - - # Set dynamic variables for the job - - name: Set job variables - shell: pwsh - run: | 
- - # Set timestamp variable for jobs - $currentTime = (get-date).ToString("dd-MM-yyyyThhMMZ") - Write-Output "::set-env name=timestamp::$currentTime" - - # Install powershell modules - - name: Install powershell modules - shell: pwsh - run: | - - Install-Module az.resources -force - Install-Module az.storage -force - - # Azure login for powershell - - name: Azure login - shell: pwsh - run: | - $azureAplicationId = "${{ secrets.PROD_AZURE_CREDENTIALS_CLIENT_ID }}" - $azureTenantId = "${{ secrets.AZURE_TENANT_ID }}" - $azurePassword = ConvertTo-SecureString "${{ secrets.PROD_AZURE_CREDENTIALS_CLIENT_SECRET }}" -AsPlainText -Force - $psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword) - Add-azAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal - - # Set subsctiption to develop and verify - - name: Set Azure subscription - shell: pwsh - run: | - - Set-AzContext -SubscriptionId "${{ env.prodSubscriptionId }}" - - $subscription = (Get-AzContext) - if ($subscription.Subscription.Id -eq "${{ env.prodSubscriptionId }}") { - Write-Output "Using subscription $($subscription.subscription.Name)" - exit 0 - - } - else { - Write-Output "Subscription does not match. 
Terminating script" - exit 1 - } - - - # Create storage account for Azure audit logs - - name: Storage Account for Azure Subscription Audit logs - shell: pwsh - run: | - - # Set task variables - $rg = "${{ env.prodRgName }}" - $templateFile = "$env:GITHUB_WORKSPACE/arm-templates/azureAuditLogStorageAccount.json" - $storeAccountName = "${{ env.auditLogStorageName }}${{ env.envName }}" - - # Deploy Storage Account for Audit logs - New-AzResourceGroupDeployment ` - -Name "sql-log-${{ env.timestamp }}" ` - -ResourceGroupName $rg ` - -TemplateFile $templateFile ` - -storageAccountName $storeAccountName ` - -accountType Standard_LRS ` - -kind StorageV2 ` - -accessTier cool - - - # Enable auditlog for prod subsciption - - name: Enable auditlog for prod subsciption - shell: pwsh - run: | - - Set-AzContext -SubscriptionId "${{ env.prodSubscriptionId }}" - - $subscription = (Get-AzContext) - if ($subscription.Subscription.Id -eq "${{ env.prodSubscriptionId }}") { - Write-Output "Using subscription $($subscription.subscription.Name)" - exit 0 - - } - else { - Write-Output "Subscription does not match. Terminating script" - exit 1 - } - - - # Create storage account and SQL logs - - name: Storage Account for SQL logs - shell: pwsh - run: | - - - # Azure logout - - name: logout - shell: pwsh - run: | - Logout-azAccount | Out-Null \ No newline at end of file diff --git a/.github/workflows/check_terraform.yaml b/.github/workflows/check_terraform.yaml index 2af538532..51df96e3f 100644 --- a/.github/workflows/check_terraform.yaml +++ b/.github/workflows/check_terraform.yaml 
@@ -1,81 +1,56 @@ name: Check Terraform infrastructure on: pull_request: - workflow_dispatch: - inputs: - subscription: - description: 'Subscription' - type: choice - required: true - options: - - 's940' - - 's941' - default: 's941' - - terraformapply: - description: 'Terraform apply' - type: boolean - required: true - default: false + paths: + - terraform/subscriptions/** - - # secrets: - # AZURE_CLIENT_ID: - # description: The client ID of the Azure AD service principal to use for authenticating to Azure. - # required: true - - # AZURE_SUBSCRIPTION_ID: - # description: The ID of the Azure subscription to create the resources in. - # required: true - - # AZURE_TENANT_ID: - # description: The ID of the Azure tenant to create the resources in. - # required: true - +permissions: + id-token: write + contents: read jobs: - terrform-s941: + terrform: name: Check infrastructure consistency runs-on: ubuntu-latest - environment: s941 strategy: + fail-fast: false matrix: - ENVIROMENT: [dev, playground] - env: - # ENVIROMENT: dev #variable passed to scipt - SUBSCRIPTION: s941 #variable passed to scipt - terraform_version: ~1.3.0 - ARM_USE_OIDC: true - ARM_USE_AZUREAD: true - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - storage_account_name: ${{ inputs.subscription }}radixinfra + target: + - name: "dev" + folderName: "dev" + subscription: "s941" + - name: "playground" + folderName: "playground" + subscription: "s941" + - name: "platform" + folderName: "prod" + subscription: "s940" + - name: "c2" + folderName: "c2" + subscription: "s940" + environment: ${{matrix.target.name }} - permissions: - id-token: write - contents: read steps: - name: Checkout uses: actions/checkout@v4 #Clone Repo - - name: 'Az login' uses: azure/login@v2 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ 
secrets.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} - name: Get GitHub Public IP id: github_public_ip run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT - name: Add GitHub IP to StorageAccount + id: update_firewall run: | az storage account network-rule add \ - --resource-group "${{ env.SUBSCRIPTION}}-tfstate" \ - --account-name "${{ env.SUBSCRIPTION}}radixinfra" \ + --resource-group "${{ matrix.target.subscription }}-tfstate" \ + --account-name "${{ matrix.target.subscription }}radixinfra" \ --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null - name: Lets sleep for 30 seconds for FW rule to complete 
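Review bot: The trigger changes from a manual `workflow_dispatch` to `pull_request`, while the matrix now includes the `platform` and `c2` production targets and the job requests `id-token: write`, so every pull request touching `terraform/subscriptions/**` (which includes `scripts/terraform.sh`, modified in this same patch) runs the PR's own copy of that script with the production federated identity. Fork PRs do not receive the OIDC token, but any branch in this repository does, so the safeguard depends entirely on the `platform`/`c2` environments having required reviewers or deployment-branch rules, which cannot be verified from the diff. If those environments are not protected, keep the production targets on a manual or default-branch trigger, or restrict `pull_request` with `branches:`. Minor: the job id is still spelled `terrform`.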
@@ -84,78 +59,25 @@ jobs: - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: - terraform_version: ${{ env.terraform_version }} + terraform_version: 'latest' - - name: Check terrorm in ${{ matrix.ENVIROMENT}} + - name: Check Terraform in ${{ matrix.target.name}} working-directory: terraform/subscriptions/scripts - run: ENVIROMENT=${{ matrix.ENVIROMENT}} ./terraform.sh - - - name: Revoke GitHub IP on StorageAccount - run: | - az storage account network-rule remove \ - --resource-group "${{ env.SUBSCRIPTION}}-tfstate" \ - --account-name "${{ env.SUBSCRIPTION}}radixinfra" \ - --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null + shell: bash + env: + ARM_USE_OIDC: true + ARM_USE_AZUREAD: true + ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} + ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} + SUBSCRIPTION: ${{ matrix.target.subscription}} + ENVIRONMENT: ${{matrix.target.folderName}} + run: ./terraform.sh - terrform-s940: - name: Check infrastructure consistency - runs-on: ubuntu-latest - environment: s940 - strategy: - matrix: - ENVIROMENT: [prod, c2] - env: - # ENVIROMENT: dev #variable passed to scipt - SUBSCRIPTION: s940 #variable passed to scipt - terraform_version: ~1.3.0 - ARM_USE_OIDC: true - ARM_USE_AZUREAD: true - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - storage_account_name: ${{ inputs.subscription }}radixinfra - - permissions: - id-token: write - contents: read - steps: - - name: Checkout - uses: actions/checkout@v4 #Clone Repo - - - - name: 'Az login' - uses: azure/login@v2 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: Get GitHub Public IP - id: github_public_ip - run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT - - - name: Add GitHub 
IP to StorageAccount - run: | - az storage account network-rule add \ - --resource-group "${{ env.SUBSCRIPTION}}-tfstate" \ - --account-name "${{ env.SUBSCRIPTION}}radixinfra" \ - --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null - - - name: Lets sleep for 30 seconds for FW rule to complete - run: sleep 30s - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: ${{ env.terraform_version }} - - - name: Check terrorm in ${{ matrix.ENVIROMENT}} - working-directory: terraform/subscriptions/scripts - run: ENVIROMENT=${{ matrix.ENVIROMENT}} ./terraform.sh - - name: Revoke GitHub IP on StorageAccount + if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed run: | az storage account network-rule remove \ - --resource-group "${{ env.SUBSCRIPTION}}-tfstate" \ - --account-name "${{ env.SUBSCRIPTION}}radixinfra" \ + --resource-group "${{ matrix.target.subscription }}-tfstate" \ + --account-name "${{ matrix.target.subscription }}radixinfra" \ --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null diff --git a/.github/workflows/clean-cache-registry.yml b/.github/workflows/clean-cache-registry.yml index 9c392548a..cf6d7fafd 100644 --- a/.github/workflows/clean-cache-registry.yml +++ b/.github/workflows/clean-cache-registry.yml @@ -1,3 +1,5 @@ +name: Clean old cache in App registries + on: workflow_dispatch: schedule: @@ -8,12 +10,21 @@ permissions: contents: read jobs: - purge-prod: + purge: runs-on: ubuntu-latest - environment: s940 strategy: + fail-fast: false matrix: - registry: [radixc2app, radixprodapp] + target: + - name: "dev" + registry: "radixdevapp" + - name: "playground" + registry: "radixplaygroundapp" + - name: "platform" + registry: "radixprodapp" + - name: "c2" + registry: "radixc2app" + environment: ${{matrix.target.name }} steps: - uses: actions/checkout@v4 
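Review bot: `terraform_version: 'latest'` replaces the pinned `~1.3.0`, so a job whose purpose is to detect drift in production state now runs whatever Terraform release is current that day, and a new minor release can change state-format or provider-lock expectations and produce diffs that are tooling noise rather than infrastructure drift. Pin it, e.g. `terraform_version: '~1.3.0'` (or the version the state was last written with), or derive it from a `required_version` constraint; the same unpinned value appears in aksplan.yaml. Moving the `ARM_*` settings into the step-level `env:` is an improvement, since they are no longer exposed to the checkout and login steps.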
@@ -33,63 +44,22 @@ jobs: - name: 'Az CLI login' uses: azure/login@v2 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: Add GitHub IP to ACR - run: az acr network-rule add --name ${{ matrix.registry }} --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} --query provisioningState - - - name: Create ACR Token - run: echo "token=$(az acr login --name=${{ matrix.registry }} --expose-token | jq -r '.accessToken')" >> $GITHUB_OUTPUT - id: token - - - name: Purge old cache - run: ./bin/acr purge --registry=${{ matrix.registry }}.azurecr.io --password=${{steps.token.outputs.token}} --username= --filter='*/cache:.*' --ago=7d --untagged - - - name: Revoke GitHub IP on ACR - run: az acr network-rule remove --name ${{ matrix.registry }} --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} --query provisioningState - - - purge-dev: - runs-on: ubuntu-latest - environment: s941 - strategy: - matrix: - registry: [radixdevapp, radixplaygroundapp] - - steps: - - uses: actions/checkout@v4 - with: - repository: Azure/acr-cli - ref: v0.8 + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} - - uses: actions/setup-go@v5 - - - name: Compile ACR binary - run: make binaries - - - name: Get GitHub Public IP - id: github_public_ip - run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT - - - name: 'Az CLI login' - uses: azure/login@v2 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Add GitHub IP to ACR - run: az acr network-rule add --name ${{ matrix.registry }} --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} --query provisioningState + id: update_firewall + run: az acr network-rule add --name ${{ matrix.target.registry }} --ip-address ${{ 
steps.github_public_ip.outputs.ipv4 }} --query provisioningState - name: Create ACR Token - run: echo "token=$(az acr login --name=${{ matrix.registry }} --expose-token | jq -r '.accessToken')" >> $GITHUB_OUTPUT + run: echo "token=$(az acr login --name=${{ matrix.target.registry }} --expose-token | jq -r '.accessToken')" >> $GITHUB_OUTPUT id: token - name: Purge old cache - run: ./bin/acr purge --registry=${{ matrix.registry }}.azurecr.io --password=${{steps.token.outputs.token}} --username= --filter='*/cache:.*' --ago=7d --untagged + run: ./bin/acr purge --registry=${{ matrix.target.registry }}.azurecr.io --password=${{steps.token.outputs.token}} --username= --filter='*/cache:.*' --ago=7d --untagged - name: Revoke GitHub IP on ACR - run: az acr network-rule remove --name ${{ matrix.registry }} --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} --query provisioningState - + if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed + run: az acr network-rule remove --name ${{ matrix.target.registry }} --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} --query provisioningState diff --git a/.github/workflows/lock-resources.yml b/.github/workflows/lock-resources.yml index 5eadad03c..bb570f05a 100644 --- a/.github/workflows/lock-resources.yml +++ b/.github/workflows/lock-resources.yml 
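Review bot: The ACR access token is written to `$GITHUB_OUTPUT` and then interpolated into the command line as `--password=${{steps.token.outputs.token}}`; step outputs are not masked and the expanded `run:` command is echoed into the job log, so a registry bearer credential lands in plaintext in the workflow log (readable by anyone with read access to the repository) and in the runner's process list. Mask the value when it is captured and pass it through the environment rather than the argument list. The `--username=` argument and purge filter are unchanged below.

```yaml
      - name: Create ACR Token
        id: token
        run: |
          token=$(az acr login --name=${{ matrix.target.registry }} --expose-token | jq -r '.accessToken')
          echo "::add-mask::$token"
          echo "token=$token" >> "$GITHUB_OUTPUT"

      - name: Purge old cache
        env:
          ACR_TOKEN: ${{ steps.token.outputs.token }}
        run: ./bin/acr purge --registry=${{ matrix.target.registry }}.azurecr.io --password="$ACR_TOKEN" --username= --filter='*/cache:.*' --ago=7d --untagged
```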
@@ -3,57 +3,57 @@ on: schedule: - cron: '0 18 * * *' workflow_dispatch: + pull_request: + permissions: id-token: write contents: read + jobs: - lock-clusters-prod: + lock-clusters: runs-on: ubuntu-latest - environment: lock-operations-prod + strategy: + fail-fast: false + matrix: + target: + - name: "platform" + zoneFile: "radix_zone_prod.env" + subscription: "s940" + - name: "c2" + zoneFile: "radix_zone_c2.env" + subscription: "s940" + environment: ${{matrix.target.name }} env: PROD_ENV: "radix_zone_prod.env" C2_ENV: "radix_zone_c2.env" + steps: - uses: actions/checkout@v4 - with: - sparse-checkout: | - scripts/aks - scripts/radix-zone - .github - - name: 'Az CLI login' + + - name: 'Az login' uses: azure/login@v2 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Get GitHub Public IP id: github_public_ip run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT + - name: Add GitHub IP to KeyVault in Prod - id: update_prod_firewall - run: | - az keyvault network-rule add --name "radix-keyv-platform" \ - --resource-group "common-platform" \ - --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null - - name: Add GitHub IP to KeyVault in C2 - id: update_c2_firewall - run: | - az keyvault network-rule add --name "radix-keyv-c2" \ - --resource-group "common-c2" \ - --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null - - name: lock-resources-prod - run: RADIX_ZONE_ENV=./scripts/radix-zone/radix_zone_prod.env .github/workflows/scripts/check_resource_lock.sh - - name: lock-resources-c2 - run: RADIX_ZONE_ENV=./scripts/radix-zone/radix_zone_c2.env .github/workflows/scripts/check_resource_lock.sh - - name: Revoke GitHub IP on KeyVault in Prod - if: ${{ steps.update_prod_firewall.outcome == 'success' 
&& !cancelled()}} # Always run this step even if previous step failed + id: update_firewall run: | - az keyvault network-rule remove --name "radix-keyv-platform" \ - --resource-group "common-platform" \ + az keyvault network-rule add --name "radix-keyv-${{matrix.target.name}}" \ + --resource-group "common-${{matrix.target.name}}" \ --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null - - name: Revoke GitHub IP on KeyVault in C2 - if: ${{ steps.update_c2_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed + + - name: lock-resources + run: RADIX_ZONE_ENV=./scripts/radix-zone/${{matrix.target.zoneFile}} .github/workflows/scripts/check_resource_lock.sh + + - name: Revoke GitHub IP on KeyVault + if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed run: | - az keyvault network-rule remove --name "radix-keyv-c2" \ - --resource-group "common-c2" \ + az keyvault network-rule remove --name "radix-keyv-${{matrix.target.name}}" \ + --resource-group "common-${{matrix.target.name}}" \ --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null diff --git a/.github/workflows/sqlLogStorageAccounts.yml b/.github/workflows/sqlLogStorageAccounts.yml deleted file mode 100644 index 66cf637a7..000000000 --- a/.github/workflows/sqlLogStorageAccounts.yml +++ /dev/null 
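Review bot: A `pull_request:` trigger is added to this nightly job with no `paths:` filter, so every pull request to the repository now runs `check_resource_lock.sh` against the `platform` and `c2` production zones, opening and closing the Key Vault firewall each time, under the production OIDC identity; this looks like residue from testing the matrix rewrite. Remove the trigger, or if PR validation is really wanted, restrict it with `paths:` to the files this workflow uses and rely on environment protection for the two production environments. Also `PROD_ENV` and `C2_ENV` under `env:` are no longer referenced now that the zone file comes from `matrix.target.zoneFile`, so they can be dropped.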
@@ -1,235 +0,0 @@ -name: AzureSqlLogStorageAccounts - -on: [workflow_dispatch] - -# on: -# push: -# branches: -# - master -# paths: -# - '.github/workflows/sqlLogStorageAccounts.yml' -# pull_request: -# branches: -# - master -# paths: -# - '.github/workflows/sqlLogStorageAccounts.yml' - -env: - # Prod - prodRgName: rg-radix-shared-prod - prodSubscriptionId: 'ded7ca41-37c8-4085-862f-b11d21ab341a' - - # Dev - devRgName: rg-radix-shared-dev - devSubscriptionId: '16ede44b-1f74-40a5-b428-46cca9a5741b' - - # Shared - sqlLogStorageName: radixsqllogs #Also suffix with environment - auditLogStorageName: radixauditlogs - -jobs: -############## DEV STAGE ############## - - dev: - runs-on: ubuntu-latest - env: - envName: dev - steps: - - # Checks-out your repository under $GITHUB_WORKSPACE - - uses: actions/checkout@v4 - - # Set dynamic variables for the job - - name: Set job variables - shell: pwsh - run: | - - # Set timestamp variable for jobs - $currentTime = (get-date).ToString("dd-MM-yyyyThhMMZ") - echo "timestamp=$currentTime" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - - # Install powershell modules - - name: Install powershell modules - shell: pwsh - run: | - - Install-Module az.resources -force - Install-Module az.storage -force - - # Azure login for powershell - - name: Azure login - shell: pwsh - run: | - $azureAplicationId = "${{ secrets.DEV_AZURE_CREDENTIALS_CLIENT_ID }}" - $azureTenantId = "${{ secrets.AZURE_TENANT_ID }}" - $azurePassword = ConvertTo-SecureString "${{ secrets.DEV_AZURE_CREDENTIALS_CLIENT_SECRET }}" -AsPlainText -Force - $psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword) - Add-azAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal - - - # Set subsctiption to develop and verify - - name: Set Azure subscription - shell: pwsh - run: | - - Set-AzContext -SubscriptionId "${{ env.devSubscriptionId }}" - - $subscription = (Get-AzContext) - if 
($subscription.Subscription.Id -eq "${{ env.devSubscriptionId }}") { - Write-Output "Using subscription $($subscription.subscription.Name)" - exit 0 - - } - else { - Write-Output "Subscription does not match. Terminating script" - exit 1 - } - - - # Create storage account for SQL logs - - name: Storage Account for SQL logs - shell: pwsh - run: | - - # Set task variables - $rg = "${{ env.devRgName }}" - $templateFile = "$env:GITHUB_WORKSPACE/arm-templates/storageAccount.json" - $storeAccountName = "${{ env.sqlLogStorageName }}${{ env.envName }}" - - # Deploy shared Storage Account for SQL Logging in dev - New-AzResourceGroupDeployment ` - -Name "sql-log-${{ env.timestamp }}" ` - -ResourceGroupName $rg ` - -TemplateFile $templateFile ` - -storageAccountName $storeAccountName ` - -accountType Standard_LRS ` - -kind StorageV2 ` - -accessTier hot - - # Set soft delete protection on Storage Account - $storageAcoount = Get-AzStorageAccount | where-object{$_.StorageAccountName -match "$storeAccountName"} - $storageAcoount | Enable-AzStorageDeleteRetentionPolicy -RetentionDays 30 - - # Azure logout - - name: logout - shell: pwsh - run: | - Logout-azAccount | Out-Null - - -############## PROD STAGE ############## - - prod: - needs: dev - if: github.ref == 'refs/heads/master' - runs-on: ubuntu-latest - env: - envName: prod - steps: - - # Checks-out your repository under $GITHUB_WORKSPACE - - uses: actions/checkout@v4 - - # Set dynamic variables for the job - - name: Set job variables - shell: pwsh - run: | - - # Set timestamp variable for jobs - $currentTime = (get-date).ToString("dd-MM-yyyyThhMMZ") - Write-Output "::set-env name=timestamp::$currentTime" - - # Install powershell modules - - name: Install powershell modules - shell: pwsh - run: | - - Install-Module az.resources -force - Install-Module az.storage -force - - # Azure login for powershell - - name: Azure login - shell: pwsh - run: | - $azureAplicationId = "${{ secrets.PROD_AZURE_CREDENTIALS_CLIENT_ID }}" - 
$azureTenantId = "${{ secrets.AZURE_TENANT_ID }}" - $azurePassword = ConvertTo-SecureString "${{ secrets.PROD_AZURE_CREDENTIALS_CLIENT_SECRET }}" -AsPlainText -Force - $psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword) - Add-azAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal - - - # Set subsctiption to prouction and verify - - name: Set Azure subscription - shell: pwsh - run: | - - Set-AzContext -SubscriptionId "${{ env.prodSubscriptionId }}" - - $subscription = (Get-AzContext) - if ($subscription.Subscription.Id -eq "${{ env.prodSubscriptionId }}") { - Write-Output "Using subscription $($subscription.subscription.Name)" - exit 0 - - } - else { - Write-Output "Subscription does not match. Terminating script" - exit 1 - } - - - # Create storage account for SQL logs - - name: Storage Account for SQL logs - shell: pwsh - run: | - - # Set task variables - $rg = "${{ env.prodRgName }}" - $templateFile = "$env:GITHUB_WORKSPACE/arm-templates/storageAccount.json" - $storeAccountName = "${{ env.sqlLogStorageName }}${{ env.envName }}" - - # Deploy shared Storage Account for SQL Logging in prod - New-AzResourceGroupDeployment ` - -Name "sql-log-${{ env.timestamp }}" ` - -ResourceGroupName $rg ` - -TemplateFile $templateFile ` - -storageAccountName $storeAccountName ` - -accountType Standard_LRS ` - -kind StorageV2 ` - -accessTier hot - - # Set soft delete protection on Storage Account - $storageAcoount = Get-AzStorageAccount | where-object{$_.StorageAccountName -match "$storeAccountName"} - $storageAcoount | Enable-AzStorageDeleteRetentionPolicy -RetentionDays 30 - - - # Create storage account for Azure audit logs - - name: Storage Account for Audit logs - shell: pwsh - run: | - - # Set task variables - $rg = "${{ env.prodRgName }}" - $templateFile = "$env:GITHUB_WORKSPACE/arm-templates/storageAccount.json" - $storeAccountName = "${{ env.auditLogStorageName }}${{ env.envName }}"" - - # Deploy Storage 
Account for Audit logs - New-AzResourceGroupDeployment ` - -Name "sql-log-${{ env.timestamp }}" ` - -ResourceGroupName $rg ` - -TemplateFile $templateFile ` - -storageAccountName $storeAccountName ` - -accountType Standard_LRS ` - -kind StorageV2 ` - -accessTier cool - - # Set soft delete protection on Storage Account - $storageAcoount = Get-AzStorageAccount | where-object{$_.StorageAccountName -match "$storeAccountName"} - $storageAcoount | Enable-AzStorageDeleteRetentionPolicy -RetentionDays 30 - - - - # Azure logout - - name: logout - shell: pwsh - run: | - Logout-azAccount | Out-Null \ No newline at end of file diff --git a/.github/workflows/startclusters.yml b/.github/workflows/startclusters.yml index aebc110ae..33c1b363c 100644 --- a/.github/workflows/startclusters.yml +++ b/.github/workflows/startclusters.yml @@ -16,6 +16,7 @@ jobs: ENVIROMENT: dev steps: - uses: actions/checkout@v4 #Clone Repo + - name: 'Az CLI login' uses: azure/login@v2 with: @@ -26,8 +27,9 @@ jobs: - name: Get GitHub Public IP id: github_public_ip run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT - + - name: Add GitHub IP to KeyVault + id: update_firewall run: | az keyvault network-rule add --name "radix-keyv-${{ env.ENVIROMENT}}" \ --resource-group "${{ env.KV_GROUP}}" \ @@ -38,8 +40,9 @@ jobs: - name: Start clusters run: RADIX_ZONE_ENV=./scripts/radix-zone/radix_zone_dev.env TASK=start .github/workflows/scripts/dailytasks.sh - + - name: Revoke GitHub IP on KeyVault + if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed run: | az keyvault network-rule remove --name "radix-keyv-${{ env.ENVIROMENT}}" \ --resource-group "${{ env.KV_GROUP}}" \ diff --git a/.github/workflows/stopclusters.yml b/.github/workflows/stopclusters.yml index 363ed79c4..10a371826 100644 --- a/.github/workflows/stopclusters.yml +++ b/.github/workflows/stopclusters.yml 
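Review bot: The value produced by `Get GitHub Public IP` is the raw body of an unauthenticated third-party response (`curl 'https://ifconfig.me/ip'` with no `-f`, no timeout and no validation), and it is then template-expanded into the `run:` shell of the new `update_firewall` step and of the revoke step, so an error page or unexpected body is spliced into the `az keyvault network-rule add` command line as shell text rather than handled as data. Validate the shape before exporting it, e.g. `ip=$(curl -fsS --max-time 10 https://ifconfig.me/ip) && [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || exit 1` followed by `echo "ipv4=$ip" >> "$GITHUB_OUTPUT"`, and hand it to `az` through an `env:` variable instead of `${{ }}` interpolation. The same pattern is repeated in every workflow touched by this patch, so a shared composite action would keep the fix in one place.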
@@ -18,6 +18,7 @@ jobs:
 ENVIROMENT: dev
 steps:
 - uses: actions/checkout@v4 #Clone Repo
+
 - name: 'Az CLI login'
 uses: azure/login@v2
 with:
@@ -28,8 +29,9 @@ jobs:
 - name: Get GitHub Public IP
 id: github_public_ip
 run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
-
+
 - name: Add GitHub IP to KeyVault
+ id: update_firewall
 run: |
 az keyvault network-rule add --name "radix-keyv-${{ env.ENVIROMENT}}" \
 --resource-group "${{ env.KV_GROUP}}" \
@@ -42,6 +44,7 @@ jobs: run: RADIX_ZONE_ENV=./scripts/radix-zone/radix_zone_dev.env TASK=stop .github/workflows/scripts/dailytasks.sh - name: Revoke GitHub IP on KeyVault + if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed run: | az keyvault network-rule remove --name "radix-keyv-${{ env.ENVIROMENT}}" \ --resource-group "${{ env.KV_GROUP}}" \
diff --git a/.github/workflows/storageaccounts.yml b/.github/workflows/storageaccounts.yml
deleted file mode 100644
index 842072624..000000000
--- a/.github/workflows/storageaccounts.yml
+++ /dev/null
@@ -1,144 +0,0 @@ -name: Storage Accounts -on: - workflow_dispatch: - inputs: - subscription: - description: 'Subscription' - type: choice - required: true - options: - - 's940' - - 's941' - default: 's941' - - terraformapply: - description: 'Terraform apply' - type: boolean - required: true - default: false - - secrets: - AZURE_CLIENT_ID: - description: The client ID of the Azure AD service principal to use for authenticating to Azure. - required: true - - AZURE_SUBSCRIPTION_ID: - description: The ID of the Azure subscription to create the resources in. - required: true - - AZURE_TENANT_ID: - description: The ID of the Azure tenant to create the resources in. - required: true - -env: - container_name: infrastructure - -jobs: - GetEnvironment: - name: GetEnvironments - runs-on: ubuntu-latest - - outputs: - radix_environment: ${{ steps.set-matrix.outputs.radix_environment }} - - steps: - - uses: actions/checkout@v4 - - id: set-matrix - name: Get radix environment - run: echo "radix_environment=$(ls ./terraform/${{ env.container_name }}/${{ inputs.subscription }} | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT - - StorageAccounts: - needs: GetEnvironment - name: StorageAccounts - runs-on: ubuntu-latest - environment: ${{ inputs.subscription }} - strategy: - matrix: - radix_environment: ${{ fromJson(needs.GetEnvironment.outputs.radix_environment) }} - - # Set permissions required to login to Azure using OIDC. - permissions: - id-token: write - contents: read - - defaults: - run: - shell: bash - working-directory: ./terraform/${{ env.container_name }}/${{ inputs.subscription }}/${{ matrix.radix_environment }}/${{ env.path }} - - # Configure OIDC authentication to Azure using environment variables. - # Required by the AzureRM backend and provider. 
- env: - terraform_version: ~1.3.0 - ARM_USE_OIDC: true - ARM_USE_AZUREAD: true - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - resource_group_name: ${{ inputs.subscription }}-tfstate - storage_account_name: ${{ inputs.subscription }}radixinfra - path: storageaccounts - key: terraform.tfstate - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: 'Az login' - uses: azure/login@v2 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: Get GitHub Public IP - id: github_public_ip - run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT - - - name: Add GitHub IP to StorageAccount - run: | - az storage account network-rule add \ - --resource-group "${{ env.resource_group_name }}" \ - --account-name "${{ env.storage_account_name }}" \ - --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null - - - name: Lets sleep for 30 seconds for FW rule to complete - run: sleep 30s - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: ${{ env.terraform_version }} - - - name: Terraform Init - run: | - terraform init \ - -backend-config='container_name=${{ env.container_name }}' \ - -backend-config='key=${{ env.path }}/${{ env.key }}' \ - -backend-config='resource_group_name=${{ env.resource_group_name }}' \ - -backend-config='storage_account_name=${{ env.storage_account_name }}' - - - name: Terraform Validate - run: terraform validate - - - name: Terraform Plan - if: inputs.terraformapply == false - run: | - terraform plan \ - --var-file=../../../../radix-zone/radix_zone_${{ matrix.radix_environment }}.tfvars \ - -lock=false - - - name: Terraform Apply - if: (inputs.terraformapply && github.ref == 'refs/heads/master') - run: | - terraform apply \ - 
--var-file=../../../../radix-zone/radix_zone_${{ matrix.radix_environment }}.tfvars \ - -auto-approve \ - -lock=false - - - name: Revoke GitHub IP on StorageAccount - run: | - az storage account network-rule remove \ - --resource-group "${{ env.resource_group_name }}" \ - --account-name "${{ env.storage_account_name }}" \ - --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml deleted file mode 100644 index 49607138f..000000000 --- a/.github/workflows/terraform.yml +++ /dev/null 
@@ -1,238 +0,0 @@ -# Install Terraform, configure OpenID Connect (OIDC) authentication to Azure, create a Terraform plan, and apply the plan on push to branch 'master'. - -on: - workflow_call: - inputs: - cluster_name: - description: Name of the cluster - type: string - required: true - - environment: - description: The environment that the job references. - type: string - required: true - - radix_environment: - description: The radix_environment that the job references. - type: string - required: true - - subscription: - description: The subscription to deploy in - type: string - required: true - - terraform_version: - description: The version of Terraform to install. - type: string - required: false - default: latest - - working_directory: - description: The working directory to run the Terraform commands in. - type: string - required: false - default: '.' - - secrets: - AZURE_CLIENT_ID: - description: The client ID of the Azure AD service principal to use for authenticating to Azure. - required: true - - AZURE_SUBSCRIPTION_ID: - description: The ID of the Azure subscription to create the resources in. - required: true - - AZURE_TENANT_ID: - description: The ID of the Azure tenant to create the resources in. - required: true - -jobs: - Terraform: - name: Terraform - runs-on: ubuntu-latest - environment: ${{ inputs.environment }} - - # Queue jobs that target the same Terraform configuration. - concurrency: - group: terraform @ ${{ inputs.working_directory }} - cancel-in-progress: false - - # Set permissions required to login to Azure using OIDC. - permissions: - id-token: write - contents: read - - defaults: - run: - shell: bash - working-directory: ${{ inputs.working_directory }} - - # Configure OIDC authentication to Azure using environment variables. - # Required by the AzureRM backend and provider. - env: - root_src: '../../../../../..' 
- ARM_USE_OIDC: true - ARM_USE_AZUREAD: true - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - container_name: clusters - key: ${{ inputs.radix_environment }}.${{ inputs.cluster_name }}.terraform.tfstate - resource_group_name: ${{ inputs.subscription }}-tfstate - storage_account_name: ${{ inputs.subscription }}radixinfra - - outputs: - tf-fmt: ${{ steps.fmt.outcome }} - tf-init: ${{ steps.init.outcome }} - tf-validate: ${{ steps.validate.outcome }} - tf-plan: ${{ steps.plan.outcome }} - plan: ${{ steps.get_content.outputs.plan }} - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Az CLI login - uses: azure/login@v2 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - - - name: Get GitHub Public IP - id: github_public_ip - run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT - - - name: Add GitHub IP to StorageAccount - run: | - az storage account network-rule add \ - --resource-group "${{ env.resource_group_name }}" \ - --account-name "${{ env.storage_account_name }}" \ - --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null - - - name: Lets sleep for 30 seconds for FW rule to complete - run: sleep 30s - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: ${{ inputs.terraform_version }} - terraform_wrapper: false - - - name: Terraform Format - id: fmt - run: terraform fmt -check - - - name: Terraform Init - id: init - run: | - terraform init \ - -backend-config='container_name=${{ env.container_name }}' \ - -backend-config='key=${{ env.key }}' \ - -backend-config='resource_group_name=${{ env.resource_group_name }}' \ - -backend-config='storage_account_name=${{ env.storage_account_name }}' - - - name: Terraform Validate - id: validate - run: terraform validate -no-color - - - 
name: Terraform Plan - id: plan - if: github.event_name == 'pull_request' - run: | - terraform plan \ - --var-file=${{ env.root_src }}/terraform/radix-zone/radix_zone_dev.tfvars \ - -no-color \ - -out tf.plan - continue-on-error: true - - - name: Terraform Show - id: show - if: github.event_name == 'pull_request' - run: terraform show -no-color tf.plan 2>&1 > /tmp/plan.txt - - - name: Get content - id: get_content - if: github.event_name == 'pull_request' - run: | - plan=$(cat /tmp/plan.txt) - - create="" - createOut="" - destroy="" - destroyOut="" - update="" - updateOut="" - changesOut="" - - while read -r line; do - if [[ "$line" == *"will be created"* ]]; then - create+="${line//"# "/"+ "}
" - elif [[ "$line" == *"will be destroyed"* ]]; then - destroy+="${line//"# "/"- "}
" - elif [[ "$line" == *"will be updated in-place"* ]]; then - update+="${line//"# "/"~ "}
" - fi - done < <(echo "${plan}") - - numberOfChanges=$((${#create} + ${#destroy} + ${#update})) - - if [ ${#create} -gt 0 ]; then - createOut+="The following resources will be created
${create}" - fi - - if [ ${#destroy} -gt 0 ]; then - destroyOut+="The following resources will be destroyed
${destroy}" - fi - - if [ ${#update} -gt 0 ]; then - updateOut+="The following resources will be updated
${update}" - fi - - if [ ${numberOfChanges} -eq 0 ]; then - changesOut+="No changes. Your infrastructure matches the configuration.
" - fi - - out="$createOut $destroyOut $updateOut $changesOut" - - echo "plan=$(echo ${out})" >> $GITHUB_OUTPUT - - - name: Terraform Apply - if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'schedule' - run: terraform apply --var-file=../../../../../radix-zone/radix_zone_${{ inputs.radix_environment }}.tfvars -auto-approve - - - name: Revoke GitHub IP on StorageAccount - run: | - az storage account network-rule remove \ - --resource-group "${{ env.resource_group_name }}" \ - --account-name "${{ env.storage_account_name }}" \ - --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null - - Create_comment: - if: github.event_name == 'pull_request' - needs: [Terraform] - name: Create comment - runs-on: ubuntu-latest - steps: - - name: Create comment - uses: actions/github-script@v7 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - github.rest.issues.createComment({ - owner: context.repo.owner, - issue_number: github.event.pull_request.number, - repo: context.repo.repo, - body: | - #### Directory: ${{ inputs.working_directory }} - #### Terraform Format and Style šŸ–Œ ${{ needs.Terraform.outputs.tf-fmt }} - #### Terraform Initialization āš™ļø ${{ needs.Terraform.outputs.tf-init }} - #### Terraform Validation šŸ¤– ${{ needs.Terraform.outputs.tf-validate }} - #### Terraform Plan šŸ“– ${{ needs.Terraform.outputs.tf-plan }} - -
Show Plan - ${{ needs.Terraform.outputs.plan }} -
- })
diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf
index b50ba073f..2b7af2efe 100644
--- a/terraform/subscriptions/s940/c2/common/main.tf
+++ b/terraform/subscriptions/s940/c2/common/main.tf
@@ -208,6 +208,10 @@ module "radix_id_gitrunner" {
 role = "Contributor"
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
 }
+ app_registry_contributor = {
+ role = "Contributor"
+ scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/common/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}app"
+ }
 }
 federated_credentials = {
 radix-id-gitrunner = {
diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf
index 9607b4e3f..6849d4d31 100644
--- a/terraform/subscriptions/s940/prod/common/main.tf
+++ b/terraform/subscriptions/s940/prod/common/main.tf
@@ -205,6 +205,10 @@ module "radix_id_gitrunner" {
 role = "Contributor"
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
 }
+ app_registry_contributor = {
+ role = "Contributor"
+ scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/common/providers/Microsoft.ContainerRegistry/registries/radixprodapp" # TODO: Replace resource name when fixed
+ }
 }
 federated_credentials = {
 radix-id-gitrunner = {
diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf
index 900ebd051..ae7723cd8 100644
--- a/terraform/subscriptions/s941/dev/common/main.tf
+++ b/terraform/subscriptions/s941/dev/common/main.tf
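Review bot: `app_registry_contributor` gives the gitrunner identity the `Contributor` role on the entire container registry, which is management-plane control over the registry resource itself (network rules, policies, tokens, deletion of the registry) rather than only image and tag operations; if the cache clean-up only needs to remove manifests, the built-in data-plane role `AcrDelete` (plus whatever read permission the listing step needs) is the narrower assignment and should be preferred unless a management-plane operation is actually required. The prod hunk in this same file section hard-codes `radixprodapp` behind a TODO while c2, dev (next hunk) and playground derive `radix${module.config.environment}app`, so the four environments will silently diverge until that TODO is resolved; a comment stating why prod differs, e.g. `# prod registry name does not follow the radix<env>app pattern yet`, would stop the next reader from "fixing" it. The same block is added in all four main.tf hunks. The enclosing `module "radix_id_gitrunner"` block starts and ends outside the hunk.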
@@ -205,6 +205,10 @@ module "radix_id_gitrunner" {
 role = "Contributor"
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
 }
+ app_registry_contributor = {
+ role = "Contributor"
+ scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/common/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}app"
+ }
 }
 federated_credentials = {
 radix-id-gitrunner = {
diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf
index 55bde652c..a52f4f99a 100644
--- a/terraform/subscriptions/s941/playground/common/main.tf
+++ b/terraform/subscriptions/s941/playground/common/main.tf
@@ -105,52 +105,52 @@ module "radix-id-acr-workflows" { name = "radix-cluster-cleanup-release" issuer = "https://token.actions.githubusercontent.com" subject = "repo:equinor/radix-cluster-cleanup:ref:refs/heads/release" - }, + } radix-cicd-canary-release = { name = "radix-cicd-canary-release" issuer = "https://token.actions.githubusercontent.com" subject = "repo:equinor/radix-cicd-canary:ref:refs/heads/release" - }, + } radix-vulnerability-scanner-release = { name = "radix-vulnerability-scanner-release" issuer = "https://token.actions.githubusercontent.com" subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release" - }, + } radix-image-builder-release = { name = "radix-image-builder-release" issuer = "https://token.actions.githubusercontent.com" subject = "repo:equinor/radix-image-builder:ref:refs/heads/release" - }, + } radix-tekton-release = { name = "radix-tekton-release" issuer = "https://token.actions.githubusercontent.com" subject = "repo:equinor/radix-tekton:ref:refs/heads/release" - }, + } radix-operator-master = { name = "radix-operator-master" issuer = "https://token.actions.githubusercontent.com" subject = "repo:equinor/radix-operator:ref:refs/heads/master" - }, + } radix-operator-release = { name = "radix-operator-release" issuer = "https://token.actions.githubusercontent.com" subject = "repo:equinor/radix-operator:ref:refs/heads/release" - }, + } radix-velero-plugin-release = { name = "radix-velero-plugin-release" issuer = "https://token.actions.githubusercontent.com" subject = "repo:equinor/radix-velero-plugin:ref:refs/heads/release" - }, + } radix-job-scheduler-release = { name = "radix-job-scheduler-release" issuer = "https://token.actions.githubusercontent.com" subject = "repo:equinor/radix-job-scheduler:ref:refs/heads/release" - }, + } radix-buildkit-builder-release = { name = "radix-buildkit-builder-release" issuer = "https://token.actions.githubusercontent.com" subject = 
"repo:equinor/radix-buildkit-builder:ref:refs/heads/release" - }, + } } } @@ -196,6 +196,10 @@ module "radix_id_gitrunner" { role = "Contributor" scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}" } + app_registry_contributor = { + role = "Contributor" + scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/common/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}app" + } } federated_credentials = { radix-id-gitrunner = { diff --git a/terraform/subscriptions/scripts/terraform.sh b/terraform/subscriptions/scripts/terraform.sh index a10666646..59f01e8d1 100755 --- a/terraform/subscriptions/scripts/terraform.sh +++ b/terraform/subscriptions/scripts/terraform.sh @@ -4,8 +4,8 @@ grn=$'\e[1;32m' yel=$'\e[1;33m' normal=$(tput sgr0) -if [[ -z "$ENVIROMENT" ]]; then - echo "ERROR: Please provide ENVIROMENT" >&2 +if [[ -z "$ENVIRONMENT" ]]; then + echo "ERROR: Please provide ENVIRONMENT" >&2 exit 1 fi @@ -14,19 +14,21 @@ if [[ -z "$SUBSCRIPTION" ]]; then exit 1 fi - - # Set the directory you want to search -# directory="../${SUBSCRIPTION}/${ENVIROMENT}" +# directory="../${SUBSCRIPTION}/${ENVIRONMENT}" # directory="../s940/dev/" -directory="../${SUBSCRIPTION}/${ENVIROMENT}" +directory="../${SUBSCRIPTION}/${ENVIRONMENT}" for dir in "$directory"/*; do if [ ! -d "$dir" ]; then continue; fi + echo "" printf "%sā–ŗ Execute %s%s\n" "${grn}" "$dir" "${normal}" - terraform -chdir="$dir" init &>/dev/null || echo "Error during terraform init in $dir" - terraform -chdir="$dir" plan -no-color -out=plan.out &>/dev/null || echo "Error during terraform plan in $dir" + terraform -chdir="$dir" init + terraform -chdir="$dir" plan -no-color -out=plan.out + + # Add some vertical space incase the previus steps failed + echo "" if [ ! -f "$dir/plan.out" ]; then echo "plan.out was not created in $dir" 
@@ -48,4 +50,4 @@ for dir in "$directory"/*; do
 if [ -n "$replace" ]; then echo -e "The following resources will be replaced:\n ${red}${replace}${normal}\n"; fi
 if [ -z "$create$destroy$update$replace" ]; then echo -e "No changes. Your infrastructure matches the configuration.\n"; fi
 rm "$dir/plan.out"
-done
\ No newline at end of file
+done