Terraform common resources (#1153)

* First commit

* First commit

* Terraform

* Major updates

* Major updates

* Github action

* Github action

* updates

* remove env

* remove env

* some sttatic values

* some more static values

* some more static values

* dev and playground

* dev and playground

* firewall rules

* firewall rules

* echo message

* echo message

* echo message

* echo message

* echo message

* revert

* Move script

* Move script

* Move script

* Variables

* Variables

* Add s940

* Add s940

---------

Co-authored-by: Automatic Update <[email protected]>

.github/workflows/check_terraform.yaml

@@ -0,0 +1,161 @@
+name: Check Terraform infrastructure
+on:
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      subscription:
+        description: 'Subscription'
+        type: choice
+        required: true
+        options:
+          - 's940'
+          - 's941'
+        default: 's941'
+
+      terraformapply:
+        description: 'Terraform apply'
+        type: boolean
+        required: true
+        default: false
+
+
+    # secrets:
+    #   AZURE_CLIENT_ID:
+    #     description: The client ID of the Azure AD service principal to use for authenticating to Azure.
+    #     required: true
+
+    #   AZURE_SUBSCRIPTION_ID:
+    #     description: The ID of the Azure subscription to create the resources in.
+    #     required: true
+
+    #   AZURE_TENANT_ID:
+    #     description: The ID of the Azure tenant to create the resources in.
+    #     required: true
+
+
+jobs:
+  terrform-s941:
+    name: Check infrastructure consistency
+    runs-on: ubuntu-latest
+    environment: s941
+    strategy:
+      matrix:
+        ENVIROMENT: [dev, playground]
+    env:
+      # ENVIROMENT: dev #variable passed to scipt
+      SUBSCRIPTION: s941 #variable passed to scipt
+      terraform_version: ~1.3.0
+      ARM_USE_OIDC: true
+      ARM_USE_AZUREAD: true
+      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      storage_account_name: ${{ inputs.subscription }}radixinfra
+
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3 #Clone Repo
+
+
+      - name: 'Az login'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Get GitHub Public IP
+        id: github_public_ip
+        uses: haythem/[email protected]
+
+      - name: Add GitHub IP to StorageAccount
+        run: |
+          az storage account network-rule add \
+            --resource-group "${{ env.SUBSCRIPTION}}-tfstate" \
+            --account-name "${{ env.SUBSCRIPTION}}radixinfra" \
+            --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
+
+      - name: Lets sleep for 30 seconds for FW rule to complete
+        run: sleep 30s
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: ${{ env.terraform_version }}
+
+      - name: Check terrorm in ${{ matrix.ENVIROMENT}}
+        working-directory: terraform/subscriptions/scripts
+        run: ENVIROMENT=${{ matrix.ENVIROMENT}} ./terraform.sh
+
+      - name: Revoke GitHub IP on StorageAccount
+        run: |
+          az storage account network-rule remove \
+            --resource-group "${{ env.SUBSCRIPTION}}-tfstate" \
+            --account-name "${{ env.SUBSCRIPTION}}radixinfra" \
+            --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
+
+  terrform-s940:
+    name: Check infrastructure consistency
+    runs-on: ubuntu-latest
+    environment: s940
+    strategy:
+      matrix:
+        ENVIROMENT: [prod, c2]
+    env:
+      # ENVIROMENT: dev #variable passed to scipt
+      SUBSCRIPTION: s940 #variable passed to scipt
+      terraform_version: ~1.3.0
+      ARM_USE_OIDC: true
+      ARM_USE_AZUREAD: true
+      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      storage_account_name: ${{ inputs.subscription }}radixinfra
+
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3 #Clone Repo
+
+
+      - name: 'Az login'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Get GitHub Public IP
+        id: github_public_ip
+        uses: haythem/[email protected]
+
+      - name: Add GitHub IP to StorageAccount
+        run: |
+          az storage account network-rule add \
+            --resource-group "${{ env.SUBSCRIPTION}}-tfstate" \
+            --account-name "${{ env.SUBSCRIPTION}}radixinfra" \
+            --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
+
+      - name: Lets sleep for 30 seconds for FW rule to complete
+        run: sleep 30s
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: ${{ env.terraform_version }}
+
+      - name: Check terrorm in ${{ matrix.ENVIROMENT}}
+        working-directory: terraform/subscriptions/scripts
+        run: ENVIROMENT=${{ matrix.ENVIROMENT}} ./terraform.sh
+
+      - name: Revoke GitHub IP on StorageAccount
+        run: |
+          az storage account network-rule remove \
+            --resource-group "${{ env.SUBSCRIPTION}}-tfstate" \
+            --account-name "${{ env.SUBSCRIPTION}}radixinfra" \
+            --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null

.github/workflows/scripts/terraform.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+red=$'\e[1;31m'
+grn=$'\e[1;32m'
+yel=$'\e[1;33m'
+normal=$(tput sgr0)
+
+# Set the directory you want to search
+directory="../../../terraform/subscriptions/s941/dev"
+
+for dir in "$directory"/*; do
+    if [ ! -d "$dir" ]; then continue; fi
+
+    printf "%s► Execute %s%s\n" "${grn}" "$dir" "${normal}"
+    terraform -chdir="$dir" init &>/dev/null || echo "Error during terraform init in $dir"
+    terraform -chdir="$dir" plan -no-color -out=plan.out &>/dev/null || echo "Error during terraform plan in $dir"
+
+    if [ ! -f "$dir/plan.out" ]; then
+        echo "plan.out was not created in $dir"
+        continue
+    fi
+
+    cd "$dir" || exit
+    plan=$(terraform show -no-color "plan.out")
+    cd - >/dev/null || exit
+
+    create=$(echo "$plan" | grep "will be created" | sed 's|# |+|g' | sed 's/^ *//g')
+    destroy=$(echo "$plan" | grep "will be destroyed" | sed 's|# |-|g' | sed 's/^ *//g')
+    update=$(echo "$plan" | grep "will be updated in-place" | sed 's|# |~|g' | sed 's/^ *//g')
+    replace=$(echo "$plan" | grep "must be replaced" | sed 's|# |-/+|g' | sed 's/^ *//g')
+
+    if [ -n "$create" ]; then echo -e "The following resources will be created:\n ${grn}${create}${normal}\n"; fi
+    if [ -n "$destroy" ]; then echo -e "The following resources will be destroyed:\n ${red}${destroy}${normal}\n"; fi
+    if [ -n "$update" ]; then echo -e "The following resources will be updated:\n ${yel}${update}${normal}\n"; fi
+    if [ -n "$replace" ]; then echo -e "The following resources will be replaced:\n ${red}${replace}${normal}\n"; fi
+    if [ -z "$create$destroy$update$replace" ]; then echo -e "No changes. Your infrastructure matches the configuration.\n"; fi
+    rm "$dir/plan.out"
+done

terraform/radix-zone/radix_zone_prod.tfvars

@@ -418,7 +418,7 @@ virtual_networks = {
 ### Service principal
 ###
 
-APP_GITHUB_ACTION_CLUSTER_NAME     = "OP-Terraform-Github Action"
+APP_GITHUB_ACTION_CLUSTER_NAME = "OP-Terraform-Github Action"
 
 #######################################################################################
 ### Github

terraform/subscriptions/s940/c2/common/input.tf

@@ -0,0 +1,19 @@
+locals {
+  external_outputs = {
+    global = data.terraform_remote_state.global.outputs
+    # virtualnetwork = data.terraform_remote_state.virtualnetwork.outputs
+  }
+
+  backend = {
+    resource_group_name  = "s940-tfstate"
+    storage_account_name = "s940radixinfra"
+    container_name       = "infrastructure"
+  }
+
+}
+data "terraform_remote_state" "global" {
+  backend = "azurerm"
+  config = merge(
+    local.backend,
+  { key = "prod/globals/terraform.tfstate" })
+}

terraform/subscriptions/s940/c2/common/main.tf

@@ -0,0 +1,6 @@
+module "resourcegroups" {
+  for_each = toset(var.resource_groups)
+  source   = "../../../modules/resourcegroups"
+  name     = "${local.external_outputs.global.data.aad_radix_group}-${each.value}"
+  location = local.outputs.location
+}

terraform/subscriptions/s940/c2/common/variables.tf

@@ -0,0 +1,4 @@
+variable "resource_groups" {
+  type    = list(string)
+  default = ["c2"]
+}

terraform/subscriptions/s940/globals/input.tf

@@ -0,0 +1,8 @@
+locals {
+  flattened_resource_groups = {
+    for key, value in var.resource_groups : key => {
+      name     = key
+      location = value.location
+    }
+  }
+}

terraform/subscriptions/s940/globals/main.tf

@@ -0,0 +1,6 @@
+# module "resourcegroups" {
+#   for_each = local.flattened_resource_groups
+#   source   = "../../modules/resourcegroups"
+#   name     = each.value.name
+#   location = each.value.location
+# }

terraform/subscriptions/s940/globals/variables.tf

@@ -0,0 +1,8 @@
+variable "resource_groups" {
+  description = "Shared resourcegroups across enviroments."
+  type = map(object({
+    location = optional(string, "northeurope")
+  }))
+  default = {
+  }
+}

terraform/subscriptions/s940/prod/common/input.tf

@@ -0,0 +1,19 @@
+locals {
+  external_outputs = {
+    global = data.terraform_remote_state.global.outputs
+    # virtualnetwork = data.terraform_remote_state.virtualnetwork.outputs
+  }
+
+  backend = {
+    resource_group_name  = "s940-tfstate"
+    storage_account_name = "s940radixinfra"
+    container_name       = "infrastructure"
+  }
+
+}
+data "terraform_remote_state" "global" {
+  backend = "azurerm"
+  config = merge(
+    local.backend,
+  { key = "prod/globals/terraform.tfstate" })
+}

terraform/subscriptions/s940/prod/common/main.tf

@@ -0,0 +1,6 @@
+module "resourcegroups" {
+  for_each = toset(var.resource_groups)
+  source   = "../../../modules/resourcegroups"
+  name     = "${local.external_outputs.global.data.aad_radix_group}-${each.value}"
+  location = local.outputs.location
+}

terraform/subscriptions/s940/prod/common/variables.tf

@@ -0,0 +1,4 @@
+variable "resource_groups" {
+  type    = list(string)
+  default = ["production"]
+}

terraform/subscriptions/s941/dev/common/main.tf

@@ -2,47 +2,47 @@
 module "resourcegroups" {
   for_each = toset(var.resource_groups)
   source   = "../../../modules/resourcegroups"
-  name     = "${local.external_outputs.global.data.subscription_shortname}-${each.value}"
+  name     = "${local.external_outputs.global.data.aad_radix_group}-${each.value}"
   location = local.outputs.location
 }
 
-module "loganalytics" {
-  source                        = "../../../modules/log-analytics"
-  workspace_name                = "${local.external_outputs.global.data.subscription_shortname}-diagnostics-${local.outputs.enviroment_L}"
-  resource_group_name           = "${local.external_outputs.global.data.subscription_shortname}-${local.outputs.enviroment_L}"
-  location                      = local.outputs.location
-  retention_in_days             = 30
-  local_authentication_disabled = false
-}
+# module "loganalytics" {
+#   source                        = "../../../modules/log-analytics"
+#   workspace_name                = "${local.external_outputs.global.data.subscription_shortname}-diagnostics-${local.outputs.enviroment_L}"
+#   resource_group_name           = "${local.external_outputs.global.data.subscription_shortname}-${local.outputs.enviroment_L}"
+#   location                      = local.outputs.location
+#   retention_in_days             = 30
+#   local_authentication_disabled = false
+# }
 
-module "backupvault" {
-  source                = "../../../modules/backupvaults"
-  name                  = "${local.external_outputs.global.data.subscription_shortname}-backupvault-${local.outputs.enviroment_L}"
-  resource_group_name   = "${local.external_outputs.global.data.subscription_shortname}-${local.outputs.enviroment_L}"
-  location              = local.outputs.location
-  policyblobstoragename = "${local.external_outputs.global.data.subscription_shortname}-backuppolicy-blob-${local.outputs.enviroment_L}"
-  depends_on            = [module.resourcegroups]
-}
+# module "backupvault" {
+#   source                = "../../../modules/backupvaults"
+#   name                  = "${local.external_outputs.global.data.subscription_shortname}-backupvault-${local.outputs.enviroment_L}"
+#   resource_group_name   = "${local.external_outputs.global.data.subscription_shortname}-${local.outputs.enviroment_L}"
+#   location              = local.outputs.location
+#   policyblobstoragename = "${local.external_outputs.global.data.subscription_shortname}-backuppolicy-blob-${local.outputs.enviroment_L}"
+#   depends_on            = [module.resourcegroups]
+# }
 
-module "storageaccount" {
-  source                   = "../../../modules/storageaccount"
-  for_each                 = var.storageaccounts
-  name                     = "${local.external_outputs.global.data.subscription_shortname}${each.key}${local.outputs.enviroment_S}"
-  tier                     = each.value.account_tier
-  account_replication_type = each.value.account_replication_type
-  resource_group_name      = each.value.resource_group_name
-  location                 = each.value.location
-  environment              = local.outputs.enviroment_L
-  kind                     = each.value.kind
-  change_feed_enabled      = each.value.change_feed_enabled
-  versioning_enabled       = each.value.versioning_enabled
-  roleassignment           = each.value.roleassignment
-  principal_id             = module.backupvault.data.backupvault.identity[0].principal_id
-  vault_id                 = module.backupvault.data.backupvault.id
-  policyblobstorage_id     = module.backupvault.data.policyblobstorage.id
-  subnet_id                = local.external_outputs.virtualnetwork.data.vnet_subnet.id
-  vnethub_resource_group   = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name
-  priv_endpoint            = each.value.private_endpoint
-  firewall                 = each.value.firewall
-}
+# module "storageaccount" {
+#   source                   = "../../../modules/storageaccount"
+#   for_each                 = var.storageaccounts
+#   name                     = "${local.external_outputs.global.data.subscription_shortname}${each.key}${local.outputs.enviroment_S}"
+#   tier                     = each.value.account_tier
+#   account_replication_type = each.value.account_replication_type
+#   resource_group_name      = each.value.resource_group_name
+#   location                 = each.value.location
+#   environment              = local.outputs.enviroment_L
+#   kind                     = each.value.kind
+#   change_feed_enabled      = each.value.change_feed_enabled
+#   versioning_enabled       = each.value.versioning_enabled
+#   roleassignment           = each.value.roleassignment
+#   principal_id             = module.backupvault.data.backupvault.identity[0].principal_id
+#   vault_id                 = module.backupvault.data.backupvault.id
+#   policyblobstorage_id     = module.backupvault.data.policyblobstorage.id
+#   subnet_id                = local.external_outputs.virtualnetwork.data.vnet_subnet.id
+#   vnethub_resource_group   = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name
+#   priv_endpoint            = each.value.private_endpoint
+#   firewall                 = each.value.firewall
+# }
 

terraform/subscriptions/s941/globals/variables.tf

@@ -5,7 +5,6 @@ variable "resource_groups" {
   }))
   default = {
     backups            = {},
-    clusters           = {},
     common             = {},
     cost-allocation    = {},
     Logs-Dev           = {},