diff --git a/terraform/clusters/dev/radixtfexample/.terraform.lock.hcl b/terraform/clusters/dev/radixtfexample/.terraform.lock.hcl
deleted file mode 100644
index 158bcb130..000000000
--- a/terraform/clusters/dev/radixtfexample/.terraform.lock.hcl
+++ /dev/null
@@ -1,79 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.34.0" - constraints = ">= 3.0.0, ~> 3.34.0" - hashes = [ - "h1:7W2o3Hr5R6ZfD7J2ECOW4KHuIAY++GBg6aCKEtVSlo0=", - "zh:04a3860959a9626469714a9986561ff04697fb6fe268cac6481ee570c3c20519", - "zh:3191647b011cd094c7db1f5709f46e0df7190ab8dad1896e15e763384273931c", - "zh:4428e5503fa614dec1ca3ea33d9479835a1c048a03cdec364ad8ad3340a3e137", - "zh:576df51dfba37c40983552f98077125c2eb12eb4e105bb805e935c75c73a7181", - "zh:5c1f4939a1e9ae96a977058c5056018f6b37220f1d0408531c89ea3295735f81", - "zh:644ebea720c22b3f665f9e087ad57122ce5727631b3d437a425fb97a44515a01", - "zh:87250563eed16db793ae9c309200f074f3b42acb4a44fdef4b26b9f7e988931e", - "zh:b8fff7fb51234eb13a8f3a0107ef6fc8033e28c3b4a1087fc837dfc7706d3274", - "zh:e21ecae5989348e9cbf07295f355a05dcae4758019d81c517f55b45e83a3e0e7", - "zh:ece35f508eda2edf5d4867a6e5ad2e24904278813cfce70e19063d310e66d790", - "zh:f421c6068713237fffce12f504fd5888b668352a22cb1075845fd612954ac3ec", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/external" { - version = "2.2.3" - hashes = [ - "h1:uvOYRWcVIqOZSl8YjjaB18yZFz1AWIt2CnK7O45rckg=", - "zh:184ecd339d764de845db0e5b8a9c87893dcd0c9d822167f73658f89d80ec31c9", - "zh:2661eaca31d17d6bbb18a8f673bbfe3fe1b9b7326e60d0ceb302017003274e3c", - "zh:2c0a180f6d1fc2ba6e03f7dfc5f73b617e45408681f75bca75aa82f3796df0e4", - "zh:4b92ae44c6baef4c4952c47be00541055cb5280dd3bc8031dba5a1b2ee982387", - "zh:5641694d5daf3893d7ea90be03b6fa575211a08814ffe70998d5adb8b59cdc0a", - "zh:5bd55a2be8a1c20d732ac9c604b839e1cadc8c49006315dffa4d709b6874df32", - "zh:6e0ef5d11e1597202424b7d69b9da7b881494c9b13a3d4026fc47012dc651c79", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:9e19f89fa25004d3b926a8d15ea630b4bde62f1fa4ed5e11a3d27aabddb77353", - 
"zh:b763efdd69fd097616b4a4c89cf333b4cee9699ac6432d73d2756f8335d1213f", - "zh:e3b561efdee510b2b445f76a52a902c52bee8e13095e7f4bed7c80f10f8d294a", - "zh:fe660bb8781ee043a093b9a20e53069974475dcaa5791a1f45fd03c61a26478a", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.1" - hashes = [ - "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", - "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", - "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", - "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", - "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", - "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", - "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", - "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", - "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", - "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", - "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.4.3" - hashes = [ - "h1:xZGZf18JjMS06pFa4NErzANI98qi59SEcBsOcS2P2yQ=", - "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", - "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", - "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3", - "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5", - "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda", - "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6", - 
"zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1",
- "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d",
- "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8",
- "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93",
- ]
-}
diff --git a/terraform/infrastructure/s940/prod/acr/.env.template b/terraform/infrastructure/s940/prod/acr/.env.template
deleted file mode 100644
index dde8f75fa..000000000
--- a/terraform/infrastructure/s940/prod/acr/.env.template
+++ /dev/null
@@ -1,21 +0,0 @@
-## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly
-
-resource_group_name="s940-tfstate"
-storage_account_name ="s940radixinfra"
-container_name="infrastructure"
-use_azuread_auth=true
-
-# tfstate name
-key="acr/terraform.tfstate" # dev.radixtfexample.terraform.tfstate
-
-# Configure the Microsoft Azure Provider
-
-# service principal client_id
-client_id="043e5510-738f-4c30-8b9d-ee32578c7fe8" # OP-Terraform-Github Action
-
-# service principal client_secret
-client_secret="" # OP-Terraform-Github Action secret
-
-subscription_id="ded7ca41-37c8-4085-862f-b11d21ab341a" # S940-Omnia-Radix-Production
-tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
-
diff --git a/terraform/infrastructure/s940/prod/acr/.terraform.lock.hcl b/terraform/infrastructure/s940/prod/acr/.terraform.lock.hcl
deleted file mode 100644
index 5a125a903..000000000
--- a/terraform/infrastructure/s940/prod/acr/.terraform.lock.hcl
+++ /dev/null
@@ -1,59 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/azure/azapi" { - version = "1.9.0" - hashes = [ - "h1:zaLH2Owmj61RX2G1Cy6VDy8Ttfzx+lDsSCyiu5cXkm4=", - "zh:349569471fbf387feaaf8b88da1690669e201147c342f905e5eb03df42b3cf87", - "zh:54346d5fb78cbad3eb7cfd96e1dd7ce4f78666cabaaccfec6ee9437476330018", - "zh:64b799da915ea3a9a58ac7a926c6a31c59fd0d911687804d8e815eda88c5580b", - "zh:9336ed9e112555e0fda8af6be9ba21478e30117d79ba662233311d9560d2b7c6", - "zh:a8aace9897b28ea0b2dbd7a3be3df033e158af40412c9c7670be0956f216ed7e", - "zh:ab23df7de700d9e785009a4ca9ceb38ae1ab894a13f5788847f15d018556f415", - "zh:b4f13f0b13560a67d427c71c85246f8920f98987120341830071df4535842053", - "zh:e58377bf36d8a14d28178a002657865ee17446182dac03525fd43435e41a1b5c", - "zh:ea5db4acc6413fd0fe6b35981e58cdc9850f5f3118031cc3d2581de511aee6aa", - "zh:f0b32c06c6bd4e4af2c02a62be07b947766aeeb09289a03f21aba16c2fd3c60f", - "zh:f1518e766a90c257d7eb36d360dafaf311593a4a9352ff8db0bcfe0ed8cf45ae", - "zh:fa89e84cff0776b5b61ff27049b1d8ed52040bd58c81c4628890d644a6fb2989", - ] -} - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.78.0" - hashes = [ - "h1:DWJ+qB1AY68Is827deEJH4pV7BL4PhDmaaWLlYkhqLM=", - "zh:09a965d5a35ddf418c0cc0eda507f79ba65ce679faa1ffc636c965c22cd2da88", - "zh:144523f78596df2843ccf9c4dfa53670c71c66ef1edb96853b4d06b8d2973e26", - "zh:1b2bbd1b2a7a8715f1bc828a174fc8f6810831cfebf3bffef141638b59aa4589", - "zh:223b5f2c07a71ee5d7f4e5cf9b814b276bb27be5f771f886cfd236db4ae67475", - "zh:26cd02f9496b8b9e9465eff24e9c29b0c99076fc3958ceaa84a1a0d6f02984eb", - "zh:6bec0065ba87ea80b151b6398b1ba2295eb967993f15322f25f1c74defc56c6d", - "zh:8aaa89e3403630c73a5280b57aa6e7c993686247b141ec9801365e1bb1677439", - "zh:8d8dd6a9a2baee8e9fea3b1e181d0a17d6a71e64d9692265770a72bfee012a15", - "zh:97ba1582da8ac1b65c9e01b43d1b5ba842c3b8a97d5dee9e033e018d13dbdeda", - 
"zh:b05930cfe84c06a764f611d3a93035ab779766aeefa22c41616e948b99659da8", - "zh:da5e5752dff248356afb0c861df680e3345fdc3a52dfc92a7f150f4a780128c7", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.1" - hashes = [ - "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", - "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", - "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", - "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", - "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", - "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", - "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", - "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", - "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", - "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", - "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", - ] -} diff --git a/terraform/infrastructure/s940/prod/acr/README.md b/terraform/infrastructure/s940/prod/acr/README.md deleted file mode 100644 index d43354cd2..000000000 --- a/terraform/infrastructure/s940/prod/acr/README.md +++ /dev/null 
@@ -1,44 +0,0 @@
-# ACR Buildah Cache Setup
-
-**IMPORTANT**: This script will recreate passwords to he container registry,
-it might take a few seconds before the secrets are available in the cluster,
-and it might cause some downime for Buildah.
-
-The generated password is uploaded to a Azure Key Vault, and inserted into the cluster.
-The AKS Bootstraping/Migration script will *also* copy the secret from the key vault to the cluster.
-
-Changes here must be reflected in the relevant scripts.
-
-## How to use (locally)
-
-1. cluster name will be the same as folder name
-2. Copy `.env.template`, rename it to `.env`, and populate accordingly
-
-Run below commands to Initialize terraform in current directory
-
-```sh
-# Initialize terraform
-# This will connect terraform backend to Azure
-terraform init -backend-config=.env
-```
-
-Run below commands to plan
-
-```sh
-# Will plan main.tf
-terraform plan --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
-
-Run below commands to deploy
-
-```sh
-# Will deploy main.tf
-terraform apply --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
-
-Run below commands to destroy
-
-```sh
-# Will destroy main.tf
-terraform destroy --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
diff --git a/terraform/infrastructure/s940/prod/acr/acr.tf b/terraform/infrastructure/s940/prod/acr/acr.tf
deleted file mode 100644
index 562fc80d9..000000000
--- a/terraform/infrastructure/s940/prod/acr/acr.tf
+++ /dev/null
@@ -1,73 +0,0 @@
-resource "azurerm_container_registry" "app" {
- for_each = var.K8S_ENVIROMENTS
-
- name = "radix${each.key}app"
- location = var.resource_groups[each.value.resourceGroup].location # Create ACR in same location as k8s
- sku = "Premium"
- resource_group_name = var.AZ_RESOURCE_GROUP_COMMON
- zone_redundancy_enabled = false
- admin_enabled = false
- anonymous_pull_enabled = false
-
- public_network_access_enabled = true
-
- network_rule_set {
- default_action = "Deny"
- ip_rule = [
- {
- action = "Allow"
- ip_range = var.EQUINOR_WIFI_IP_CIDR
- }
- ]
- }
-
- georeplications {
- location = var.resource_groups[each.value.resourceGroup].location == "northeurope" ? "westeurope" : "northeurope"
- zone_redundancy_enabled = false
- }
-}
-
-resource "azurerm_private_endpoint" "acr_app" {
- for_each = var.K8S_ENVIROMENTS
-
- name = "pe-radix-acr-app-${each.key}"
- resource_group_name = var.AZ_RESOURCE_GROUP_COMMON
- location = var.resource_groups[each.value.resourceGroup].location # Create ACR in same location as k8s
- subnet_id = var.private_link[each.key].linkname
-
- private_service_connection {
- name = "Private_Service_Connection"
- private_connection_resource_id = azurerm_container_registry.app[each.key].id
- is_manual_connection = false
- subresource_names = ["registry"]
- }
-}
-
-
-locals {
- acrDnsRecords = flatten([
- for key, value in var.K8S_ENVIROMENTS :
- [
- for ip in azurerm_private_endpoint.acr_app[key].custom_dns_configs :
- {
- ips : ip.ip_addresses,
- fqdn : ip.fqdn,
- subdomain : replace(ip.fqdn, ".azurecr.io", ""),
- env : key
- }
- ]
- ])
-}
-
-resource "azurerm_private_dns_a_record" "dns_record" {
- # Adds a unique key to each value to use it in for_each
- for_each = { for value in local.acrDnsRecords : join("-", [value.env, value.subdomain]) => value }
-
- name = each.value.subdomain
- zone_name = azurerm_private_dns_zone.zone[each.value.env].name
- resource_group_name = join("", ["cluster-vnet-hub-", each.value.env])
- ttl = 300
- records = each.value.ips
-
- depends_on = [azurerm_private_endpoint.acr_app]
-}
diff --git a/terraform/infrastructure/s940/prod/acr/clusters.tf b/terraform/infrastructure/s940/prod/acr/clusters.tf
deleted file mode 100644
index 33c55685a..000000000
--- a/terraform/infrastructure/s940/prod/acr/clusters.tf
+++ /dev/null
@@ -1,38 +0,0 @@
-data "azapi_resource_list" "clusters" {
- for_each = toset(var.aks_cluster_resource_groups)
-
- type = "Microsoft.ContainerService/managedClusters@2023-09-01"
- parent_id = "/subscriptions/${var.AZ_SUBSCRIPTION_ID}/resourcegroups/${var.resource_groups[each.value].name}"
- response_export_values = ["*"]
-}
-
-locals {
- k8s_resources = flatten([
- for key, resource in data.azapi_resource_list.clusters : [
- for cluster in jsondecode(resource.output).value :
- {
- id : cluster.id,
- name : cluster.name,
- rgName : key,
- location : cluster.location
- }
- ]
- ])
-}
-
-data "azurerm_kubernetes_cluster" "k8s" {
- for_each = { for cluster in local.k8s_resources : cluster.name => cluster }
-
- name = each.value.name
- resource_group_name = each.value.rgName
-}
-
-locals {
- clusterEnvironment = {
- for cluster in data.azurerm_kubernetes_cluster.k8s : cluster.name =>
- startswith(lower(cluster.name), "weekly-") ? "dev" :
- startswith(lower(cluster.name), "playground-") ? "playground" :
- startswith(lower(cluster.name), "eu-") ? "prod" :
- startswith(lower(cluster.name), "c2-") ? "c2" : "unknown"
- }
-}
diff --git a/terraform/infrastructure/s940/prod/acr/dns.tf b/terraform/infrastructure/s940/prod/acr/dns.tf
deleted file mode 100644
index 458904660..000000000
--- a/terraform/infrastructure/s940/prod/acr/dns.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-resource "azurerm_private_dns_zone" "zone" {
- for_each = var.K8S_ENVIROMENTS
-
- name = "privatelink.azurecr.io"
- resource_group_name = var.virtual_networks[each.key].rg_name
-}
-
-
-# Link DNS Zone to Cluster
-
-data "azurerm_virtual_network" "vnet" {
- for_each = data.azurerm_kubernetes_cluster.k8s
-
- name = "vnet-${each.value.name}"
- resource_group_name = data.azurerm_kubernetes_cluster.k8s[each.key].resource_group_name
-}
-
-resource "azurerm_private_dns_zone_virtual_network_link" "link" {
- for_each = data.azurerm_virtual_network.vnet
-
- name = "${each.key}-link" # Cluster Name
- private_dns_zone_name = "privatelink.azurecr.io"
- resource_group_name = var.virtual_networks[local.clusterEnvironment[each.key]].rg_name
- virtual_network_id = each.value.id
-
- depends_on = [azurerm_container_registry.app]
-}
diff --git a/terraform/infrastructure/s940/prod/acr/main.tf b/terraform/infrastructure/s940/prod/acr/main.tf
deleted file mode 100644
index 0899c5715..000000000
--- a/terraform/infrastructure/s940/prod/acr/main.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-terraform {
- required_providers {
- azapi = {
- source = "Azure/azapi"
- }
- }
- backend "azurerm" {
-
- }
-}
-
-provider "azapi" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-}
-
-provider "azurerm" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-
- features {}
-}
diff --git a/terraform/infrastructure/s940/prod/acr/pull-image-secret.tf b/terraform/infrastructure/s940/prod/acr/pull-image-secret.tf
deleted file mode 100644
index 5a2729590..000000000
--- a/terraform/infrastructure/s940/prod/acr/pull-image-secret.tf
+++ /dev/null
@@ -1,85 +0,0 @@
-resource "azurerm_container_registry_token" "app_acr" {
- for_each = var.K8S_ENVIROMENTS
-
- name = "radix-app-registry-secret-${each.key}"
- resource_group_name = var.AZ_RESOURCE_GROUP_COMMON
- scope_map_id = "${azurerm_container_registry.app[each.key].id}/scopeMaps/_repositories_admin"
- container_registry_name = azurerm_container_registry.app[each.key].name
-
- depends_on = [azurerm_container_registry.app]
-}
-
-resource "azurerm_container_registry_token_password" "password" {
- for_each = var.K8S_ENVIROMENTS
-
- container_registry_token_id = azurerm_container_registry_token.app_acr[each.key].id
- password1 {
- expiry = var.ACR_TOKEN_EXPIRES_AT
- }
-
- lifecycle {
- ignore_changes = [password2]
- }
-}
-
-data "azurerm_key_vault" "vault" {
- for_each = var.K8S_ENVIROMENTS
-
- name = var.key_vault_by_k8s_environment[each.key].name
- resource_group_name = var.key_vault_by_k8s_environment[each.key].rg_name
-}
-
-resource "azurerm_key_vault_secret" "secret" {
- for_each = var.K8S_ENVIROMENTS
-
- key_vault_id = data.azurerm_key_vault.vault[each.key].id
- name = "radix-app-registry-secret-${each.key}"
- value = azurerm_container_registry_token_password.password[each.key].password1[0].value
- expiration_date = formatdate("YYYY-MM-DD'T'HH:mm:ssZ", var.ACR_TOKEN_EXPIRES_AT)
- tags = {
- "rotate-strategy" = "Manually recreate password1 in ACR, then copy secret to cluster"
- "source-token" = "radix-app-registry-secret-${each.key}"
- "source-acr" = azurerm_container_registry.app[each.key].name
- }
-}
-
-locals {
- auth = {
- for k, v in data.azurerm_kubernetes_cluster.k8s : k => {
- server = azurerm_container_registry.app[local.clusterEnvironment[k]].login_server
- user = "radix-app-registry-secret-${local.clusterEnvironment[k]}",
- pass = azurerm_container_registry_token_password.password[local.clusterEnvironment[k]].password1[0].value
- }
- }
-
- nodeCount = { for k, v in data.azurerm_kubernetes_cluster.k8s : k => sum(v.agent_pool_profile[*].count) }
-
-
config = { for k, v in data.azurerm_kubernetes_cluster.k8s : k => base64encode(v.kube_config_raw) } - - secret = { - for k, v in data.azurerm_kubernetes_cluster.k8s : k => base64encode(<<-EOF - apiVersion: v1 - data: - username: ${base64encode(local.auth[k].user)} - password: ${base64encode(local.auth[k].pass)} - kind: Secret - metadata: - name: radix-app-registry - namespace: default - type: Opaque - EOF - ) - } -} - -resource "null_resource" "create_token" { - triggers = { always_run = var.ACR_TOKEN_EXPIRES_AT } - - # Dont try to exec on clusters that are off, it will fail - for_each = { for k, v in data.azurerm_kubernetes_cluster.k8s : k => v if local.nodeCount[k] > 0 } - - provisioner "local-exec" { - interpreter = ["/bin/bash", "-c"] - command = "kubectl --kubeconfig <(echo ${local.config[each.key]} | base64 --decode) apply -f <(echo ${local.secret[each.key]} | base64 --decode)" - } -} diff --git a/terraform/infrastructure/s940/prod/acr/variables.tf b/terraform/infrastructure/s940/prod/acr/variables.tf deleted file mode 100644 index a079071de..000000000 --- a/terraform/infrastructure/s940/prod/acr/variables.tf +++ /dev/null 
@@ -1,71 +0,0 @@
-variable "AZ_RESOURCE_GROUP_COMMON" {
- description = "Resource group name for common"
- type = string
-}
-
-variable "AZ_LOCATION" {
- description = "Azure resource location"
- type = string
-}
-
-variable "AZ_SUBSCRIPTION_ID" {
- type = string
-}
-
-variable "private_link" {
- description = "Subnet connection."
- type = map(object({
- linkname = string
- }))
- default = null
-}
-variable "virtual_networks" {
- type = map(object({
- rg_name = string
- }))
- default = {
- "dev" = {
- rg_name = "cluster-vnet-hub-dev"
- }
- "playground" = {
- rg_name = "cluster-vnet-hub-playground"
- }
- }
-}
-
-variable "aks_cluster_resource_groups" {
- type = list(string)
-}
-variable "resource_groups" {
- type = map(object({
- name = string # Mandatory
- location = optional(string, "northeurope") # Optional
- }))
- default = {}
-}
-
-variable "K8S_ENVIROMENTS" {
- description = "A map of cluster enviroments and their resource group"
- type = map(object({
- name = string
- resourceGroup = string
- }))
-}
-
-variable "key_vault_by_k8s_environment" {
- description = "Name of Keyvault."
- type = map(object({
- name = string
- rg_name = string
- }))
- default = {}
-}
-
-variable "ACR_TOKEN_EXPIRES_AT" {
- type = string
-}
-
-variable "EQUINOR_WIFI_IP_CIDR" {
- description = "Range of IP addresses to allow firewall connections."
- type = string
-}
diff --git a/terraform/infrastructure/s940/prod/keyvaults/.env.template b/terraform/infrastructure/s940/prod/keyvaults/.env.template
deleted file mode 100644
index 34ac783ee..000000000
--- a/terraform/infrastructure/s940/prod/keyvaults/.env.template
+++ /dev/null
@@ -1,20 +0,0 @@
-## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly
-
-resource_group_name="s940-tfstate"
-storage_account_name ="s940radixinfra"
-container_name="infrastructure"
-use_azuread_auth=true
-
-# tfstate name
-key="keyvaults/terraform.tfstate"
-
-# Configure the Microsoft Azure Provider
-
-# service principal client_id
-client_id="043e5510-738f-4c30-8b9d-ee32578c7fe8" # OP-Terraform-Github Action
-
-# service principal client_secret
-client_secret="" # OP-Terraform-Github Action secret
-
-subscription_id="ded7ca41-37c8-4085-862f-b11d21ab341a" # S940-Omnia-Radix-Production
-tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
diff --git a/terraform/infrastructure/s940/prod/keyvaults/README.md b/terraform/infrastructure/s940/prod/keyvaults/README.md
deleted file mode 100644
index c52132dcf..000000000
--- a/terraform/infrastructure/s940/prod/keyvaults/README.md
+++ /dev/null
@@ -1,26 +0,0 @@
-## How to use (locally)
-
-1. cluster name will be the same as folder name
-2. Copy `.env.template`, rename it to `.env`, and populate accordingly
-
-Run below commands to Initialize terraform in current directory
-
-```sh
-# Initialize terraform
-# This will connect terraform backend to Azure
-terraform init -backend-config=.env
-```
-
-Run below commands to deploy
-
-```sh
-# Will deploy main.tf
-terraform apply --var-file=../../../../radix-zone/radix_zone_prod.tfvars
-```
-
-Run below commands to destroy
-
-```sh
-# Will destroy main.tf
-terraform destroy --var-file=../../../../radix-zone/radix_zone_prod.tfvars
-```
diff --git a/terraform/infrastructure/s940/prod/keyvaults/main.tf b/terraform/infrastructure/s940/prod/keyvaults/main.tf
deleted file mode 100644
index d8f9b0810..000000000
--- a/terraform/infrastructure/s940/prod/keyvaults/main.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-terraform {
- backend "azurerm" {}
-}
-
-provider "azurerm" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-
- features {}
-}
-
-data "azuread_service_principal" "SP_GITHUB_ACTION_CLUSTER" {
- display_name = var.APP_GITHUB_ACTION_CLUSTER_NAME
-}
-
-data "azurerm_key_vault" "KV_RADIX_VAULT" {
- name = var.KV_RADIX_VAULT
- resource_group_name = var.AZ_RESOURCE_GROUP_COMMON
-}
-
-resource "azurerm_key_vault_access_policy" "AP_KV_SP_GITHUB_ACTION_CLUSTER" {
- key_vault_id = data.azurerm_key_vault.KV_RADIX_VAULT.id
- object_id = data.azuread_service_principal.SP_GITHUB_ACTION_CLUSTER.object_id
- tenant_id = var.AZ_TENANT_ID
-
- secret_permissions = ["Get", "List", "Set"]
-}
diff --git a/terraform/infrastructure/s940/prod/keyvaults/variables.tf b/terraform/infrastructure/s940/prod/keyvaults/variables.tf
deleted file mode 100644
index ddb8b68d1..000000000
--- a/terraform/infrastructure/s940/prod/keyvaults/variables.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-variable "AZ_TENANT_ID" {
- description = "Tenant ID"
- type = string
-}
-
-variable "AZ_SUBSCRIPTION_ID" {
- description = "Azure subscription id"
- type = string
-}
-
-variable "AZ_RESOURCE_GROUP_COMMON" {
- description = "Resource group name for common"
- type = string
-}
-
-variable "APP_GITHUB_ACTION_CLUSTER_NAME" {
- description = "App registration name"
- type = string
-}
-
-variable "KV_RADIX_VAULT" {
- description = "Radix keyvault"
- type = string
-}
diff --git a/terraform/infrastructure/s940/prod/logicapps/.env.template b/terraform/infrastructure/s940/prod/logicapps/.env.template
deleted file mode 100644
index 9b946d8b4..000000000
--- a/terraform/infrastructure/s940/prod/logicapps/.env.template
+++ /dev/null
@@ -1,20 +0,0 @@
-## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly
-
-resource_group_name="s940-tfstate"
-storage_account_name ="s940radixinfra"
-container_name="infrastructure"
-use_azuread_auth=true
-
-# tfstate name
-key="logicapps/terraform.tfstate"
-
-# Configure the Microsoft Azure Provider
-
-# service principal client_id
-client_id="043e5510-738f-4c30-8b9d-ee32578c7fe8" # OP-Terraform-Github Action
-
-# service principal client_secret
-client_secret="" # OP-Terraform-Github Action secret
-
-subscription_id="ded7ca41-37c8-4085-862f-b11d21ab341a" # S940-Omnia-Radix-Production
-tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
diff --git a/terraform/infrastructure/s940/prod/logicapps/.terraform.lock.hcl b/terraform/infrastructure/s940/prod/logicapps/.terraform.lock.hcl
deleted file mode 100644
index 16a1f0dd2..000000000
--- a/terraform/infrastructure/s940/prod/logicapps/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.77.0" - hashes = [ - "h1:Ie29CiuuS6LeQLO0Cdf0k54oMgZd9rkuwOKjVAa4mfw=", - "zh:071c82025cda506af90302b3e89f61e086ad9e3b97b8c55382d5aed6f207cf10", - "zh:10464b6a85343fdcc5f8d3d60304c3e0bfcfff014b3067f6ead61d0c59fe8371", - "zh:5fd48cbeb13ead9158051e563e5354acbc94668fa3d5306c20d476e746e62991", - "zh:64b47c2150e1f0a8473c8f79d35be72786777772ab1a7e79d8039de4bc10e8c9", - "zh:6958e7d22e6efda97dde6e50d033c4a0f48da3c7e597482bf14774cf8d1f612e", - "zh:aad939983c1f28a27c01be636a8079e5f973f9bb640348cf264b35bf6a956bb8", - "zh:bb211cbcfb643a7d041afc597e1c8a10749e1d3a0141c16e5c643614b16895c8", - "zh:db30a46d335cc1c1e2dd0707c40c6b6b3c8dd72f8905e3177998e1b212d0ace0", - "zh:e04f4d086e546cc7ab565bde64e93ed6716c3764579918ecf9077e539b99dd4c", - "zh:ea92d15b18a17a31e9f7568efe3bbd07b77906f4585aec98e6d03942788efad8", - "zh:f03164fadd13e4991dde22ab31c09731a00aee6ad723c61d0d2835abc79a1a8c", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/terraform/infrastructure/s940/prod/logicapps/README.md b/terraform/infrastructure/s940/prod/logicapps/README.md deleted file mode 100644 index 27fb54060..000000000 --- a/terraform/infrastructure/s940/prod/logicapps/README.md +++ /dev/null 
@@ -1,22 +0,0 @@
-## How to use (locally)
-
-1. cluster name will be the same as folder name
-2. Copy `.env.template`, rename it to `.env`, and populate accordingly
-
-Run below commands to Initialize terraform in current directory
-```sh
-# Initialize terraform
-# This will connect terraform backend to Azure
-terraform init -backend-config=.env
-```
-
-Run below commands to deploy
-```sh
-# Will deploy main.tf
-terraform apply --var-file=../../../../radix-zone/radix_zone_prod.tfvars
-```
-Run below commands to destroy
-```sh
-# Will destroy main.tf
-terraform destroy --var-file=../../../../radix-zone/radix_zone_prod.tfvars
-```
\ No newline at end of file
diff --git a/terraform/infrastructure/s940/prod/logicapps/main.tf b/terraform/infrastructure/s940/prod/logicapps/main.tf
deleted file mode 100644
index 1e23ec15e..000000000
--- a/terraform/infrastructure/s940/prod/logicapps/main.tf
+++ /dev/null
@@ -1,205 +0,0 @@
-terraform {
- backend "azurerm" {}
-}
-
-provider "azurerm" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-
- features {}
-}
-
-data "azurerm_managed_api" "azureblob" {
- name = "azureblob"
- location = var.AZ_LOCATION
-}
-
-data "azurerm_managed_api" "azuremonitorlogs" {
- name = "azuremonitorlogs"
- location = var.AZ_LOCATION
-}
-
-data "azurerm_user_assigned_identity" "managed_identity" {
- for_each = var.managed_identity
- name = each.value["name"]
- resource_group_name = each.value["rg_name"]
-}
-
-resource "azurerm_logic_app_workflow" "logic_app_workflow" {
- for_each = var.logic_app_workflow
- name = each.value["name"]
- location = each.value["location"]
- resource_group_name = each.value["rg_name"]
- enabled = true
- identity {
- identity_ids = [
- data.azurerm_user_assigned_identity.managed_identity[each.value["managed_identity_name"]].id
- ]
- type = "UserAssigned"
- }
-
- parameters = {
- "$connections" = jsonencode(
- {
- azureblob = {
- connectionId = "/subscriptions/${var.AZ_SUBSCRIPTION_ID}/resourceGroups/${each.value["rg_name"]}/providers/Microsoft.Web/connections/${data.azurerm_managed_api.azureblob.name}"
- connectionName = data.azurerm_managed_api.azureblob.name
- connectionProperties = {
- authentication = {
- identity = data.azurerm_user_assigned_identity.managed_identity[each.value["managed_identity_name"]].id
- type = "ManagedServiceIdentity"
- }
- }
- id = data.azurerm_managed_api.azureblob.id
- }
- azuremonitorlogs = {
- connectionId = "/subscriptions/${var.AZ_SUBSCRIPTION_ID}/resourceGroups/${each.value["rg_name"]}/providers/Microsoft.Web/connections/${data.azurerm_managed_api.azuremonitorlogs.name}"
- connectionName = data.azurerm_managed_api.azuremonitorlogs.name
- connectionProperties = {
- authentication = {
- identity = data.azurerm_user_assigned_identity.managed_identity[each.value["managed_identity_name"]].id
- type = "ManagedServiceIdentity"
- }
- }
- id = data.azurerm_managed_api.azuremonitorlogs.id
- }
- }
- )
-
} - workflow_parameters = { - "$connections" = jsonencode( - { - defaultValue = {} - type = "Object" - } - ) - } -} - -resource "azurerm_logic_app_trigger_recurrence" "recurrence" { - for_each = var.logic_app_workflow - name = "Recurrence" - logic_app_id = azurerm_logic_app_workflow.logic_app_workflow[each.key].id - frequency = "Hour" - interval = 1 - depends_on = [data.azurerm_user_assigned_identity.managed_identity] -} - -resource "azurerm_logic_app_action_custom" "query" { - for_each = var.logic_app_workflow - name = "Run_query_and_list_results" - logic_app_id = azurerm_logic_app_workflow.logic_app_workflow[each.key].id - depends_on = [azurerm_logic_app_trigger_recurrence.recurrence] - - body = jsonencode( - { - inputs = { - body = "let dt = now();\nlet year = datetime_part('year', dt);\nlet month = datetime_part('month', dt);\nlet day = datetime_part('day', dt);\nlet hour = datetime_part('hour', dt);\nlet startTime = make_datetime(year,month,day,hour,0)-1h;\nlet endTime = startTime + 1h - 1tick;\nAzureDiagnostics\n| where ingestion_time() between(startTime .. 
endTime)\n| project\n TenantId,\n TimeGenerated,\n ResourceId,\n Category,\n ResourceGroup,\n SubscriptionId,\n ResourceProvider,\n Resource,\n ResourceType,\n OperationName,\n SourceSystem,\n stream_s,\n pod_s,\n collectedBy_s,\n log_s,\n containerID_s,\n Type,\n _ResourceId",
- host = {
- connection = {
- name = "@parameters('$connections')['azuremonitorlogs']['connectionId']"
- }
- },
- method = "post",
- path = "/queryData",
- queries = {
- resourcegroups = each.value["rg_name"],
- resourcename = each.value["loganalytics"],
- resourcetype = "Log Analytics Workspace",
- subscriptions = var.AZ_SUBSCRIPTION_ID,
- timerange = "Last hour"
- }
- },
- runAfter = {},
- type = "ApiConnection"
- }
- )
-}
-
-resource "azurerm_logic_app_action_custom" "parse_json" {
- for_each = var.logic_app_workflow
- name = "Parse_JSON"
- logic_app_id = azurerm_logic_app_workflow.logic_app_workflow[each.key].id
- depends_on = [azurerm_logic_app_action_custom.query]
-
- body = jsonencode(
- {
-
- inputs = {
- content = "@body('Run_query_and_list_results')",
- schema = {}
- },
- runAfter = {
- "Run_query_and_list_results" = [
- "Succeeded"
- ]
- },
- type = "ParseJson"
- }
- )
-}
-
-resource "azurerm_logic_app_action_custom" "compose" {
- for_each = var.logic_app_workflow
- name = "Compose"
- logic_app_id = azurerm_logic_app_workflow.logic_app_workflow[each.key].id
- depends_on = [azurerm_logic_app_action_custom.parse_json]
-
- body = jsonencode(
- {
-
- inputs = {
- content = "@body('Parse_JSON')",
- schema = {}
- },
- runAfter = {
- "Parse_JSON" = [
- "Succeeded"
- ]
- },
- type = "ParseJson"
- }
- )
-}
-
-resource "azurerm_logic_app_action_custom" "create_blob" {
- for_each = var.logic_app_workflow
- name = "Create_blob_(V2)"
- logic_app_id = azurerm_logic_app_workflow.logic_app_workflow[each.key].id
- depends_on = [azurerm_logic_app_action_custom.compose]
-
- body = jsonencode(
- {
-
- inputs = {
- body = "@outputs('Compose')",
- headers = {
- ReadFileMetadataFromServer = true
- },
- host = {
- connection = {
- name = "@parameters('$connections')['azureblob']['connectionId']"
- }
- },
- method = "post",
- path = "/v2/datasets/@{encodeURIComponent(encodeURIComponent('${each.value["storageaccount"]}'))}/files",
- queries = {
- folderPath = "/archive-log-analytics-${each.value["folder"]}/@{formatDateTime(utcNow(), 'yyyy')}/@{formatDateTime(utcNow(), 'MM')}/@{formatDateTime(utcNow(), 'dd')}",
- name = "@{subtractFromTime(formatDateTime(utcNow(),'yyyy-MM-ddTHH:00:00'), 1,'Hour')}",
- queryParametersSingleEncoded = true
- }
- },
- runAfter = {
- "Compose" = [
- "Succeeded"
- ]
- },
- runtimeConfiguration = {
- contentTransfer = {
- transferMode = "Chunked"
- }
- },
- type = "ApiConnection"
- }
- )
-}
-
diff --git a/terraform/infrastructure/s940/prod/logicapps/variables.tf b/terraform/infrastructure/s940/prod/logicapps/variables.tf
deleted file mode 100644
index 3f1d50545..000000000
--- a/terraform/infrastructure/s940/prod/logicapps/variables.tf
+++ /dev/null
@@ -1,32 +0,0 @@
-variable "AZ_LOCATION" {
- description = "The location to create the resources in."
- type = string
-}
-
-variable "AZ_SUBSCRIPTION_ID" {
- description = "Azure subscription id"
- type = string
-}
-
-variable "logic_app_workflow" {
- description = "Logic App Workflows"
- type = map(object({
- name = string
- location = optional(string, "northeurope")
- rg_name = string
- managed_identity_name = string
- loganalytics = string
- storageaccount = string
- folder = string
- }))
- default = {}
-}
-
-variable "managed_identity" {
- description = "Managed Identity"
- type = map(object({
- name = string
- rg_name = string
- }))
- default = {}
-}
diff --git a/terraform/infrastructure/s940/prod/managedidentity/.env.template b/terraform/infrastructure/s940/prod/managedidentity/.env.template
deleted file mode 100644
index 6df9dffe4..000000000
--- a/terraform/infrastructure/s940/prod/managedidentity/.env.template
+++ /dev/null
@@ -1,20 +0,0 @@ -## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly - -resource_group_name="s940-tfstate" -storage_account_name ="s940radixinfra" -container_name="infrastructure" -use_azuread_auth=true - -# tfstate name -key="managedidentity/terraform.tfstate" - -# Configure the Microsoft Azure Provider - -# service principal client_id -client_id="043e5510-738f-4c30-8b9d-ee32578c7fe8" # OP-Terraform-Github Action - -# service principal client_secret -client_secret="" # OP-Terraform-Github Action secret - -subscription_id="ded7ca41-37c8-4085-862f-b11d21ab341a" # S940-Omnia-Radix-Production -tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0" diff --git a/terraform/infrastructure/s940/prod/managedidentity/.terraform.lock.hcl b/terraform/infrastructure/s940/prod/managedidentity/.terraform.lock.hcl deleted file mode 100644 index ef22515b5..000000000 --- a/terraform/infrastructure/s940/prod/managedidentity/.terraform.lock.hcl +++ /dev/null 
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.75.0" - hashes = [ - "h1:jdCddD1ADiQQB/rjC2aB7fFzOMZswHRPcVVC6YmL5K0=", - "zh:0d881d7b499367400ced6e315e32a1948d823309c5677a16056367001a8785ce", - "zh:384acba136f1b347cac7831bb4e0396a370f6664e1c1242fce42a6fc55b9db8a", - "zh:409a01af5d873e4ac7e62cfd8c9a27638a719394ccf6a8de89ac4a1049275c20", - "zh:547eab553ea24cc9079fd80093c1611d036df089385bb4a38c5db21f6126e75e", - "zh:714a1fc3d1485deec10f4a49be556997f8ea0cc717db78fa0613f5bee728fcd7", - "zh:90d197c03a3bad2a8cfa7fc2396dc1601bf08be9368d399d58ec51654201c6fb", - "zh:9587b44249147b0e9d7619568cf46de126ec947ca5c56a1d740d8142b89919c2", - "zh:9d910ae66496833d4f85a4fe6b24649f74a1624f1502f63e9ff8201f29c0c1d1", - "zh:9f355767fc7f5ab769a60b46e42f9498f33ee95c3833b7d95c7f7c69fe101564", - "zh:d11d91da699d8c62f873cdea72bc26ab40cde4f18bc88ab6583ea836fee26ecd", - "zh:e0f9d50274f54acc2c5e300537d96a5aa03be650cfb66249a14ed45375014c77", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/terraform/infrastructure/s940/prod/managedidentity/README.md b/terraform/infrastructure/s940/prod/managedidentity/README.md deleted file mode 100644 index 27fb54060..000000000 --- a/terraform/infrastructure/s940/prod/managedidentity/README.md +++ /dev/null 
@@ -1,22 +0,0 @@ -## How to use (locally) - -1. cluster name will be the same as folder name -2. Copy `.env.template`, rename it to `.env`, and populate accordingly - -Run below commands to Initialize terraform in current directory -```sh -# Initialize terraform -# This will connect terraform backend to Azure -terraform init -backend-config=.env -``` - -Run below commands to deploy -```sh -# Will deploy main.tf -terraform apply --var-file=../../../../radix-zone/radix_zone_prod.tfvars -``` -Run below commands to destroy -```sh -# Will destroy main.tf -terraform destroy --var-file=../../../../radix-zone/radix_zone_prod.tfvars -``` \ No newline at end of file diff --git a/terraform/infrastructure/s940/prod/managedidentity/main.tf b/terraform/infrastructure/s940/prod/managedidentity/main.tf deleted file mode 100644 index 03c3a7071..000000000 --- a/terraform/infrastructure/s940/prod/managedidentity/main.tf +++ /dev/null 
@@ -1,72 +0,0 @@ -terraform { - backend "azurerm" {} -} - -provider "azurerm" { - subscription_id = var.AZ_SUBSCRIPTION_ID - - features {} -} - -locals { - storageaccount_role_assignment = merge([ - for storageaccount_key, storageaccount_value in data.azurerm_storage_account.storageaccounts : { - for mi_key, mi_value in var.managed_identity : - "${storageaccount_key}-${mi_key}" => { - managedidentity = mi_value.name - storageaccount = storageaccount_value.name - id = storageaccount_value.id - } - } - ]...) - - loganalytics_role_assignment = merge([ - for loganalytics_key, loganalytics_value in data.azurerm_log_analytics_workspace.loganalytics : { - for mi_key, mi_value in var.managed_identity : - "${loganalytics_key}-${mi_key}" => { - managedidentity = mi_value.name - storageaccount = loganalytics_value.name - id = loganalytics_value.id - } - } - ]...) -} - -data "azurerm_log_analytics_workspace" "loganalytics" { - for_each = { - for key in compact([for key, value in var.loganalytics : value.managed_identity ? key : ""]) : key => - var.loganalytics[key] - } - name = each.value["name"] - resource_group_name = each.value["rg_name"] -} - -data "azurerm_storage_account" "storageaccounts" { - for_each = { - for key in compact([for key, value in var.storage_accounts : value.managed_identity ? 
key : ""]) : key => - var.storage_accounts[key] - } - name = each.value["name"] - resource_group_name = each.value["rg_name"] -} - -resource "azurerm_user_assigned_identity" "managed_identity" { - for_each = var.managed_identity - name = each.value["name"] - location = each.value["location"] - resource_group_name = each.value["rg_name"] -} - -resource "azurerm_role_assignment" "assign_identity_storage_blob_data_contributor" { - for_each = local.storageaccount_role_assignment - scope = each.value["id"] - role_definition_name = "Storage Blob Data Contributor" - principal_id = azurerm_user_assigned_identity.managed_identity[each.value["managedidentity"]].principal_id -} - -resource "azurerm_role_assignment" "assign_identity_log_analytics_reader" { - for_each = local.loganalytics_role_assignment - scope = each.value["id"] - role_definition_name = "Log Analytics Reader" - principal_id = azurerm_user_assigned_identity.managed_identity[each.value["managedidentity"]].principal_id -} diff --git a/terraform/infrastructure/s940/prod/managedidentity/variables.tf b/terraform/infrastructure/s940/prod/managedidentity/variables.tf deleted file mode 100644 index 3faedf08e..000000000 --- a/terraform/infrastructure/s940/prod/managedidentity/variables.tf +++ /dev/null @@ -1,31 +0,0 @@ -variable "AZ_SUBSCRIPTION_ID" { - description = "Azure subscription id" - type = string -} - -variable "managed_identity" { - type = map(object({ - name = string - location = optional(string, "northeurope") - rg_name = string - })) - default = {} -} - -variable "storage_accounts" { - type = map(object({ - name = string - rg_name = string - managed_identity = optional(bool, false) - })) - default = {} -} - -variable "loganalytics" { - type = map(object({ - name = string - rg_name = string - managed_identity = optional(bool, false) - })) - default = {} -} 
diff --git a/terraform/infrastructure/s940/prod/mysql/.env.template b/terraform/infrastructure/s940/prod/mysql/.env.template deleted file mode 100644 index c8193ce44..000000000 --- a/terraform/infrastructure/s940/prod/mysql/.env.template +++ /dev/null @@ -1,20 +0,0 @@ -## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly - -resource_group_name="s940-tfstate" -storage_account_name ="s940radixinfra" -container_name="infrastructure" -use_azuread_auth=true - -# tfstate name -key="mysql/terraform.tfstate" - -# Configure the Microsoft Azure Provider - -# service principal client_id -client_id="043e5510-738f-4c30-8b9d-ee32578c7fe8" # OP-Terraform-Github Action - -# service principal client_secret -client_secret="" # OP-Terraform-Github Action secret - -subscription_id="ded7ca41-37c8-4085-862f-b11d21ab341a" # S940-Omnia-Radix-Production -tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0" diff --git a/terraform/infrastructure/s940/prod/mysql/.terraform.lock.hcl b/terraform/infrastructure/s940/prod/mysql/.terraform.lock.hcl deleted file mode 100644 index c28463d5e..000000000 --- a/terraform/infrastructure/s940/prod/mysql/.terraform.lock.hcl +++ /dev/null 
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.44.1" - hashes = [ - "h1:EkFaulKIAb3nb7svbpM18Tf7rl+ajVCXnXvP//Yvw2M=", - "zh:0a1761b5aeec47d5019114976de5eb9832dea1d57d632ca6fa464b99b782d1c1", - "zh:0e9c96fa7ed6d55a3f3a646ff346298c8b7728331bb3a74875f78ecb7d245c16", - "zh:1aa953a692c7b5b10219343f0238f4624ac988e247721b6ec6b1bed2b81f7ceb", - "zh:237258af1a1ce8a0aed8f6cdb03c69ea83ff4f3a46d5bd1466cd503f0b5aded8", - "zh:542067eeeb3b4e286e92d646e0f40426e204ed268973343e585aa521f075f8dc", - "zh:8326d52460252fd335ae97d0fabd9f5d90061a4fbeb273618f4067be3eb4e75a", - "zh:97a2b802bf6e204476131ddb7a91e832568ee8da3b0515ed23361c9f72ca9706", - "zh:9ae5a52ec85e0ad218e2ce9d33859f17afbb2fb2a690bf60d5f48fc7680e7fb0", - "zh:b17e77aff310e232f541334ba1858b5125ea0e527a5d6824de017192d8d8a3a2", - "zh:c469ba6681535c07c58dad6c1b59b056912300a7c91137ddc0103ef16b1d5697", - "zh:cea6026ef8fb5512d14c1ba6fdf36b90a09de536d4e4afad96b926af39114f74", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/terraform/infrastructure/s940/prod/mysql/README.md b/terraform/infrastructure/s940/prod/mysql/README.md deleted file mode 100644 index 27fb54060..000000000 --- a/terraform/infrastructure/s940/prod/mysql/README.md +++ /dev/null 
@@ -1,22 +0,0 @@ -## How to use (locally) - -1. cluster name will be the same as folder name -2. Copy `.env.template`, rename it to `.env`, and populate accordingly - -Run below commands to Initialize terraform in current directory -```sh -# Initialize terraform -# This will connect terraform backend to Azure -terraform init -backend-config=.env -``` - -Run below commands to deploy -```sh -# Will deploy main.tf -terraform apply --var-file=../../../../radix-zone/radix_zone_prod.tfvars -``` -Run below commands to destroy -```sh -# Will destroy main.tf -terraform destroy --var-file=../../../../radix-zone/radix_zone_prod.tfvars -``` \ No newline at end of file diff --git a/terraform/infrastructure/s940/prod/mysql/main.tf b/terraform/infrastructure/s940/prod/mysql/main.tf deleted file mode 100644 index 9104b655b..000000000 --- a/terraform/infrastructure/s940/prod/mysql/main.tf +++ /dev/null 
@@ -1,84 +0,0 @@ -terraform { - backend "azurerm" {} -} - -provider "azurerm" { - subscription_id = var.AZ_SUBSCRIPTION_ID - - features {} -} - -locals { - mysql_flexible_server_firewall_rules = merge([ - for server_key, server_value in var.mysql_flexible_server : { - for rule_key, rule_value in var.firewall_rules : - "${server_key}-${rule_key}" => { - start_ip_address = rule_value.start_ip_address - end_ip_address = rule_value.end_ip_address - server_name = server_value.name - resource_group_name = server_value.rg_name - } - } - ]...) - - mysql_server_firewall_rules = merge([ - for server_key, server_value in var.mysql_server : { - for rule_key, rule_value in var.firewall_rules : - "${server_key}-${rule_key}" => { - start_ip_address = rule_value.start_ip_address - end_ip_address = rule_value.end_ip_address - server_name = server_value.name - resource_group_name = server_value.rg_name - } - } - ]...) - - all_sql_servers = merge( - (var.mysql_flexible_server), - (var.mysql_server), - ) -} - -####################################################################################### -### Keyvault & Secrets -### - -data "azurerm_key_vault" "keyvault" { - for_each = var.key_vault - name = each.value["name"] - resource_group_name = each.value["rg_name"] -} - -data "azurerm_key_vault_secret" "keyvault_secret" { - for_each = local.all_sql_servers - name = each.value["secret"] - key_vault_id = data.azurerm_key_vault.keyvault[each.value["vault"]].id - depends_on = [data.azurerm_key_vault.keyvault] -} - -####################################################################################### -### MYSQL Flexible Server -### - -resource "azurerm_mysql_flexible_server" "mysql_flexible_server" { - for_each = var.mysql_flexible_server - name = each.value["name"] - administrator_password = data.azurerm_key_vault_secret.keyvault_secret[each.value["name"]].value - resource_group_name = each.value["rg_name"] - location = each.value["location"] - administrator_login = 
each.value["administrator_login"] - backup_retention_days = each.value["backup_retention_days"] - sku_name = each.value["sku_name"] - version = each.value["version"] - zone = each.value["zone"] -} - -resource "azurerm_mysql_flexible_server_firewall_rule" "main" { - for_each = local.mysql_flexible_server_firewall_rules - name = each.key - start_ip_address = each.value["start_ip_address"] - end_ip_address = each.value["end_ip_address"] - server_name = each.value["server_name"] - resource_group_name = each.value["resource_group_name"] - depends_on = [azurerm_mysql_flexible_server.mysql_flexible_server] -} diff --git a/terraform/infrastructure/s940/prod/mysql/variables.tf b/terraform/infrastructure/s940/prod/mysql/variables.tf deleted file mode 100644 index 769cf100f..000000000 --- a/terraform/infrastructure/s940/prod/mysql/variables.tf +++ /dev/null 
@@ -1,56 +0,0 @@ -variable "AZ_SUBSCRIPTION_ID" { - description = "Azure subscription id" - type = string -} - -variable "mysql_flexible_server" { - type = map(object({ - name = string - rg_name = optional(string, "monitoring") - location = optional(string, "northeurope") - administrator_login = optional(string, "radixadmin") - backup_retention_days = optional(number, 35) - sku_name = optional(string, "B_Standard_B2ms") - version = optional(string, "5.7") - zone = optional(number, 2) - secret = string - vault = optional(string, "kv-radix-monitoring-prod") # Vault that keeps the secret - })) - default = {} -} - -variable "mysql_server" { - description = "Legacy Mysql servers" - type = map(object({ - name = string - rg_name = optional(string, "monitoring") - location = optional(string, "northeurope") - administrator_login = optional(string, "radixadmin") - sku_name = optional(string, "B_Gen5_1") - version = optional(string, "5.7") - ssl_minimal_tls_version_enforced = optional(string, "TLSEnforcementDisabled") - storage_mb = optional(number, 102400) - tags = optional(map(string), {}) - secret = string - vault = optional(string, "kv-radix-monitoring-prod") # Vault that keeps the secret - })) - default = {} -} - -variable "firewall_rules" { - description = "Range of IP addresses to allow firewall connections." - type = map(object({ - start_ip_address = string - end_ip_address = string - })) - default = null -} - -variable "key_vault" { - description = "Name of Keyvault." - type = map(object({ - name = string - rg_name = string - })) - default = {} -} diff --git a/terraform/infrastructure/s940/prod/networkmanager/.env.template b/terraform/infrastructure/s940/prod/networkmanager/.env.template deleted file mode 100644 index 1d21e9f76..000000000 --- a/terraform/infrastructure/s940/prod/networkmanager/.env.template +++ /dev/null 
@@ -1,20 +0,0 @@ -## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly - -resource_group_name="s940-tfstate" -storage_account_name ="s940radixinfra" -container_name="infrastructure" -use_azuread_auth=true - -# tfstate name -key="networkmanager/terraform.tfstate" - -# Configure the Microsoft Azure Provider - -# service principal client_id -client_id="043e5510-738f-4c30-8b9d-ee32578c7fe8" # OP-Terraform-Github Action - -# service principal client_secret -client_secret="" # OP-Terraform-Github Action secret - -subscription_id="ded7ca41-37c8-4085-862f-b11d21ab341a" # S940-Omnia-Radix-Production -tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0" \ No newline at end of file diff --git a/terraform/infrastructure/s940/prod/networkmanager/.terraform.lock.hcl b/terraform/infrastructure/s940/prod/networkmanager/.terraform.lock.hcl deleted file mode 100644 index 84f8b44ef..000000000 --- a/terraform/infrastructure/s940/prod/networkmanager/.terraform.lock.hcl +++ /dev/null 
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.56.0" - hashes = [ - "h1:qoV9BwWKSQ2znS9w9o8XTfUKSawX3tZlKRy36AkyNwg=", - "zh:0c35cf5c57edc337cc8a63399b605f1ec3316841869098f6b5b1f40f76f03d04", - "zh:230b82b9ef64983505920a66e655f8ca807fccf6e0e2ccbdb5ede301871270b2", - "zh:3d1ef558437be0853dc183c9926e6da6d85089dc653ac53bc1c54262b00287e5", - "zh:5f240a33ba87b1a30790cebae50a1234ed864953c8324d3e7a03aca3cfbec9e7", - "zh:67954796a1f22b28172817f613f071981f46b4cf162d549794e96ac3dbf16303", - "zh:6e8422b39f4dba9d9e294bd8c6772e6b89707b814a022898b83b7d5d4eaba914", - "zh:8b595ad75123b88b67b2b32a9c3e942da34c13e051a7858b5f4549429aa81142", - "zh:bffb8df9cf7f6336510f2d7a497c89d9e2c35c113a09915b6422a7fd332dca33", - "zh:d172642393754112c8d2c15e500b37b62b29917b376e93c0a519046d30603201", - "zh:eac016f21218fae0ff4f3121b944316dc367fc180e875a402edbaae298c8108a", - "zh:eee76e35fe8786045f565e0ca20bb8c8b0cf46c14b7f7d84f0a1d45cde3257e5", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/terraform/infrastructure/s940/prod/networkmanager/README.md b/terraform/infrastructure/s940/prod/networkmanager/README.md deleted file mode 100644 index c52132dcf..000000000 --- a/terraform/infrastructure/s940/prod/networkmanager/README.md +++ /dev/null 
@@ -1,26 +0,0 @@ -## How to use (locally) - -1. cluster name will be the same as folder name -2. Copy `.env.template`, rename it to `.env`, and populate accordingly - -Run below commands to Initialize terraform in current directory - -```sh -# Initialize terraform -# This will connect terraform backend to Azure -terraform init -backend-config=.env -``` - -Run below commands to deploy - -```sh -# Will deploy main.tf -terraform apply --var-file=../../../../radix-zone/radix_zone_prod.tfvars -``` - -Run below commands to destroy - -```sh -# Will destroy main.tf -terraform destroy --var-file=../../../../radix-zone/radix_zone_prod.tfvars -``` diff --git a/terraform/infrastructure/s940/prod/networkmanager/main.tf b/terraform/infrastructure/s940/prod/networkmanager/main.tf deleted file mode 100644 index b9e352ff9..000000000 --- a/terraform/infrastructure/s940/prod/networkmanager/main.tf +++ /dev/null 
@@ -1,58 +0,0 @@ -terraform { - backend "azurerm" {} -} - -provider "azurerm" { - subscription_id = var.AZ_SUBSCRIPTION_ID - - features {} -} - -data "azurerm_resource_group" "rg_group" { - name = "clusters" -} - -data "azurerm_subscription" "current" {} - -resource "azurerm_network_manager" "networkmanager" { - name = "${var.AZ_SUBSCRIPTION_SHORTNAME}-ANVM" - location = data.azurerm_resource_group.rg_group.location - resource_group_name = data.azurerm_resource_group.rg_group.name - scope_accesses = ["Connectivity"] - description = "${var.AZ_SUBSCRIPTION_SHORTNAME}-Azure Network Mananger - northeurope" - - scope { - subscription_ids = [data.azurerm_subscription.current.id] - } -} - -resource "azurerm_network_manager_network_group" "group" { - for_each = var.K8S_ENVIROMENTS - name = each.key - network_manager_id = azurerm_network_manager.networkmanager.id - description = "Network Group for ${each.key} virtual networks" -} - -data "azurerm_virtual_network" "vnet-hub" { - for_each = var.K8S_ENVIROMENTS - name = "vnet-hub" - resource_group_name = lookup(var.vnet_rg_names, "${each.key}", "") -} - -resource "azurerm_network_manager_connectivity_configuration" "config" { - for_each = var.K8S_ENVIROMENTS - name = "Hub-and-Spoke-${each.key}" - description = "Hub-and-Spoke config" - network_manager_id = azurerm_network_manager.networkmanager.id - connectivity_topology = "HubAndSpoke" - - applies_to_group { - group_connectivity = "None" - network_group_id = azurerm_network_manager_network_group.group[each.key].id - } - - hub { - resource_id = data.azurerm_virtual_network.vnet-hub[each.key].id - resource_type = "Microsoft.Network/virtualNetworks" - } -} diff --git a/terraform/infrastructure/s940/prod/networkmanager/variables.tf b/terraform/infrastructure/s940/prod/networkmanager/variables.tf deleted file mode 100644 index b4e4c696b..000000000 --- a/terraform/infrastructure/s940/prod/networkmanager/variables.tf +++ /dev/null 
@@ -1,25 +0,0 @@ -variable "AZ_SUBSCRIPTION_ID" { - description = "Azure subscription id" - type = string -} - -variable "AZ_SUBSCRIPTION_SHORTNAME" { - description = "Subscription shortname" - type = string -} - -variable "K8S_ENVIROMENTS" { - description = "A map of cluster enviroments and their resource group" - type = map(object({ - name = string - resourceGroup = string - })) -} - -variable "vnet_rg_names" { - type = map(any) - default = { - prod = "cluster-vnet-hub-prod" - c2 = "cluster-vnet-hub-c2" - } -} diff --git a/terraform/infrastructure/s940/prod/policy/.env.template b/terraform/infrastructure/s940/prod/policy/.env.template deleted file mode 100644 index abad901d5..000000000 --- a/terraform/infrastructure/s940/prod/policy/.env.template +++ /dev/null @@ -1,20 +0,0 @@ -## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly - -resource_group_name="s940-tfstate" -storage_account_name ="s940radixinfra" -container_name="infrastructure" -use_azuread_auth=true - -# tfstate name -key="policy/terraform.tfstate" - -# Configure the Microsoft Azure Provider - -# service principal client_id -client_id="043e5510-738f-4c30-8b9d-ee32578c7fe8" # OP-Terraform-Github Action - -# service principal client_secret -client_secret="" # OP-Terraform-Github Action secret - -subscription_id="ded7ca41-37c8-4085-862f-b11d21ab341a" # S940-Omnia-Radix-Production -tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0" diff --git a/terraform/infrastructure/s940/prod/policy/.terraform.lock.hcl b/terraform/infrastructure/s940/prod/policy/.terraform.lock.hcl deleted file mode 100644 index 14b771cf1..000000000 --- a/terraform/infrastructure/s940/prod/policy/.terraform.lock.hcl +++ /dev/null 
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.55.0" - hashes = [ - "h1:kLdMnCROSED38jnl6KDt3k0G19xFRfYvxH592RM2ACo=", - "zh:0987ee8a114142a25f84301ead4ce06eb21f9a67071d9d8710b3adbd52e565a8", - "zh:2e8e8eb14e3ec07ee8abff881e462ed09734b17a0df3189801843a8eeffb0967", - "zh:559b404de5995e32728219ea5c87022839f01ce6213acb4a6a10852683379c09", - "zh:70ed0f6a18d22b6e637974f1342ba7395da03dd309735666570292641a621950", - "zh:8a03321aae7ad208d32933ab16a823f8899236680a1e56c49593dd7d45ee8bd3", - "zh:957a856739fc40e3b1bccb3b16e76b4f3dd77b7481fa236c212590213be0dd55", - "zh:a54ee15ab415a252f1b6e955fda4059882a93ca9fb7af45048d26acc95e3f92c", - "zh:c1f72e3aa0e899451cf84455e943e9c14edef92171f62c0e79135c8f2fd5bec3", - "zh:d32a697f35a1470cd58d8ae13ed622e1c4c635bbc712aa643e7974ea9801c4cb", - "zh:ddb5bd812217b0a911a80841d9fb68bc31af8a597b4091ec68d5c44caaa1613b", - "zh:e590d1205840e9824e7d24a57041f330b175b3e2d1795a654943013d48a2fcbc", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/terraform/infrastructure/s940/prod/policy/README.md b/terraform/infrastructure/s940/prod/policy/README.md deleted file mode 100644 index c52132dcf..000000000 --- a/terraform/infrastructure/s940/prod/policy/README.md +++ /dev/null 
@@ -1,26 +0,0 @@ -## How to use (locally) - -1. cluster name will be the same as folder name -2. Copy `.env.template`, rename it to `.env`, and populate accordingly - -Run below commands to Initialize terraform in current directory - -```sh -# Initialize terraform -# This will connect terraform backend to Azure -terraform init -backend-config=.env -``` - -Run below commands to deploy - -```sh -# Will deploy main.tf -terraform apply --var-file=../../../../radix-zone/radix_zone_prod.tfvars -``` - -Run below commands to destroy - -```sh -# Will destroy main.tf -terraform destroy --var-file=../../../../radix-zone/radix_zone_prod.tfvars -``` diff --git a/terraform/infrastructure/s940/prod/policy/main.tf b/terraform/infrastructure/s940/prod/policy/main.tf deleted file mode 100644 index e57b5e45d..000000000 --- a/terraform/infrastructure/s940/prod/policy/main.tf +++ /dev/null 
@@ -1,59 +0,0 @@ -terraform { - backend "azurerm" {} -} - -provider "azurerm" { - subscription_id = var.AZ_SUBSCRIPTION_ID - - features {} -} - -resource "azurerm_policy_definition" "policy" { - for_each = var.K8S_ENVIROMENTS - name = "Kubernetes-vnets-in-${each.key}" - policy_type = "Custom" - mode = "Microsoft.Network.Data" - display_name = "Kubernetes vnets in ${each.key}" - - metadata = < { - name = sa_value.name - resource_group_name = sa_value.rg_name - location = sa_value.location - subnet_id = privlink_value.linkname - private_endpoint = sa_value.private_endpoint - } - } - ]...) - privatelink_dns_record = merge([ - for sa_key, sa_value in var.storage_accounts : { - for virtual_networks_key, virtual_networks_value in var.virtual_networks : - "${sa_key}-${virtual_networks_key}" => { - name = sa_value.name - resource_group_name = virtual_networks_value.rg_name - private_endpoint = sa_value.private_endpoint - } - } - ]...) -} - -data "azurerm_key_vault" "keyvault_env" { - name = var.KV_RADIX_VAULT - resource_group_name = var.AZ_RESOURCE_GROUP_COMMON -} - -data "azurerm_subnet" "virtual_subnets" { - for_each = { - for key, value in var.resource_groups : key => value if length(regexall("cluster-vnet-hub", key)) > 0 - } - name = "private-links" - virtual_network_name = "vnet-hub" - resource_group_name = each.value["name"] -} - -data "azurerm_private_dns_zone" "dns-zone" { - for_each = { - for key, value in var.resource_groups : key => value if length(regexall("cluster-vnet-hub", key)) > 0 - } - name = "privatelink.blob.core.windows.net" - resource_group_name = each.value["name"] -} - -####################################################################################### -### Storage Accounts -### - -data "azurerm_storage_account" "storageaccounts" { - for_each = { - for key in compact([for key, value in var.storage_accounts : value.create_with_rbac ? 
key : ""]) : key => - var.storage_accounts[key] - } - name = each.value["name"] - resource_group_name = each.value["rg_name"] -} - -resource "azurerm_storage_account" "storageaccounts" { - for_each = { - for key, value in var.storage_accounts : key => var.storage_accounts[key] if !value["create_with_rbac"] - } - name = each.value["name"] - resource_group_name = each.value["rg_name"] - location = each.value["location"] - account_kind = each.value["kind"] - account_replication_type = each.value["repl"] - account_tier = each.value["tier"] - allow_nested_items_to_be_public = each.value["allow_nested_items_to_be_public"] - cross_tenant_replication_enabled = each.value["cross_tenant_replication_enabled"] - shared_access_key_enabled = each.value["shared_access_key_enabled"] - tags = each.value["tags"] - - dynamic "blob_properties" { - for_each = each.value["kind"] == "BlobStorage" || each.value["kind"] == "Storage" ? [1] : [0] - - content { - change_feed_enabled = each.value["change_feed_enabled"] - versioning_enabled = each.value["versioning_enabled"] - change_feed_retention_in_days = each.value["change_feed_days"] - - dynamic "container_delete_retention_policy" { - for_each = each.value["container_delete_retention_policy"] == true ? [30] : [] - - content { - days = container_delete_retention_policy.value - } - } - - dynamic "delete_retention_policy" { - for_each = each.value["delete_retention_policy"] == true ? [35] : [] - - content { - days = delete_retention_policy.value - } - } - - dynamic "restore_policy" { - for_each = each.value["backup_center"] == true ? 
[30] : [] - - content { - days = restore_policy.value - } - } - } - } -} - -####################################################################################### -### Private endpoint -### - -resource "azurerm_private_endpoint" "northeurope" { - for_each = { - for key in compact([ - for key, value in local.storageaccount_private_subnet : - value.location == var.AZ_LOCATION && endswith(key, "prod") && value.private_endpoint ? key : ""]) : key => - local.storageaccount_private_subnet[key] - } - name = each.key - resource_group_name = each.value["resource_group_name"] - location = each.value["location"] - subnet_id = each.value["subnet_id"] - depends_on = [azurerm_storage_account.storageaccounts] - - private_service_connection { - name = "Private_Service_Connection" - private_connection_resource_id = azurerm_storage_account.storageaccounts[each.value["name"]].id - is_manual_connection = false - subresource_names = ["blob"] - } -} -resource "azurerm_private_endpoint" "westeurope" { - for_each = { - for key in compact([ - for key, value in local.storageaccount_private_subnet : - value.location == "westeurope" && endswith(key, "c2") && value.private_endpoint ? key : ""]) : key => - local.storageaccount_private_subnet[key] - } - name = each.key - resource_group_name = each.value["resource_group_name"] - location = each.value["location"] - subnet_id = each.value["subnet_id"] - depends_on = [azurerm_storage_account.storageaccounts] - - private_service_connection { - name = "Private_Service_Connection" - private_connection_resource_id = azurerm_storage_account.storageaccounts[each.value["name"]].id - is_manual_connection = false - subresource_names = ["blob"] - } -} - -## DNS -resource "azurerm_private_dns_a_record" "dns_a_northeurope" { - for_each = { - for key in compact([ - for key, value in local.privatelink_dns_record : - endswith(key, "prod") && endswith(value.name, "prod") && value.private_endpoint ? 
key : ""]) : key => - local.privatelink_dns_record[key] - } - name = each.value["name"] - zone_name = "privatelink.blob.core.windows.net" - resource_group_name = each.value["resource_group_name"] - ttl = 10 - records = [azurerm_private_endpoint.northeurope[each.key].private_service_connection.0.private_ip_address] - depends_on = [azurerm_private_endpoint.northeurope] -} - -resource "azurerm_private_dns_a_record" "dns_a_westeurope" { - for_each = { - for key in compact([ - for key, value in local.privatelink_dns_record : - endswith(key, "c2") && endswith(value.name, "c2") && value.private_endpoint ? key : ""]) : key => - local.privatelink_dns_record[key] - } - name = each.value["name"] - zone_name = "privatelink.blob.core.windows.net" - resource_group_name = each.value["resource_group_name"] - ttl = 10 - records = [azurerm_private_endpoint.westeurope[each.key].private_service_connection.0.private_ip_address] - depends_on = [azurerm_private_endpoint.westeurope] -} - -####################################################################################### -### Role assignment -### - -resource "azurerm_role_assignment" "northeurope" { - for_each = { - for key in compact([ - for key, value in var.storage_accounts : - value.backup_center && value.location == var.AZ_LOCATION && value.kind == "StorageV2" ? key : ""]) : key => - var.storage_accounts[key] - } - scope = var.storage_accounts[each.key].create_with_rbac ? data.azurerm_storage_account.storageaccounts[each.key].id : azurerm_storage_account.storageaccounts[each.key].id - role_definition_name = "Storage Account Backup Contributor" - principal_id = azurerm_data_protection_backup_vault.northeurope.identity[0].principal_id - depends_on = [azurerm_storage_account.storageaccounts] -} - -resource "azurerm_role_assignment" "westeurope" { - for_each = { - for key in compact([ - for key, value in var.storage_accounts : - value.backup_center && value.location == "westeurope" && value.kind == "StorageV2" ? 
key : ""]) : key => - var.storage_accounts[key] - } - scope = var.storage_accounts[each.key].create_with_rbac ? data.azurerm_storage_account.storageaccounts[each.key].id : azurerm_storage_account.storageaccounts[each.key].id - role_definition_name = "Storage Account Backup Contributor" - principal_id = azurerm_data_protection_backup_vault.westeurope.identity[0].principal_id - depends_on = [azurerm_storage_account.storageaccounts] -} - -####################################################################################### -### Blob Protection -### - -resource "azurerm_data_protection_backup_instance_blob_storage" "northeurope" { - for_each = { - for key in compact([ - for key, value in var.storage_accounts : - value.backup_center && value.location == var.AZ_LOCATION && value.kind == "StorageV2" ? key : ""]) : key => - var.storage_accounts[key] - } - name = each.value.name - vault_id = azurerm_data_protection_backup_vault.northeurope.id - location = each.value.location - storage_account_id = var.storage_accounts[each.key].create_with_rbac ? data.azurerm_storage_account.storageaccounts[each.key].id : azurerm_storage_account.storageaccounts[each.key].id - backup_policy_id = azurerm_data_protection_backup_policy_blob_storage.northeurope.id - depends_on = [azurerm_role_assignment.northeurope] -} - -resource "azurerm_data_protection_backup_instance_blob_storage" "westeurope" { - for_each = { - for key in compact([ - for key, value in var.storage_accounts : - value.backup_center && value.location == "westeurope" && value.kind == "StorageV2" ? key : ""]) : key => - var.storage_accounts[key] - } - name = each.value.name - vault_id = azurerm_data_protection_backup_vault.westeurope.id - location = each.value.location - storage_account_id = var.storage_accounts[each.key].create_with_rbac ? 
data.azurerm_storage_account.storageaccounts[each.key].id : azurerm_storage_account.storageaccounts[each.key].id
- backup_policy_id = azurerm_data_protection_backup_policy_blob_storage.westeurope.id
- depends_on = [azurerm_role_assignment.westeurope]
-}
-
-#######################################################################################
-### Management Policy
-###
-
-resource "azurerm_storage_management_policy" "sapolicy" {
- for_each = {
- for key in compact([for key, value in var.storage_accounts : value.life_cycle ? key : ""]) : key =>
- var.storage_accounts[key]
- }
- storage_account_id = var.storage_accounts[each.key].create_with_rbac ? data.azurerm_storage_account.storageaccounts[each.key].id : azurerm_storage_account.storageaccounts[each.key].id
- depends_on = [azurerm_storage_account.storageaccounts]
-
- rule {
- name = "lifecycle-${var.RADIX_ZONE}"
- enabled = true
-
- filters {
- blob_types = ["blockBlob"]
- }
-
- actions {
- dynamic "version" {
- for_each = each.value["life_cycle_version"] != 0 ? [60] : []
- content {
- delete_after_days_since_creation = each.value["life_cycle_version"]
- }
- }
-
- dynamic "base_blob" {
- for_each = each.value["life_cycle_blob"] != 0 ?
[90] : []
- content {
- delete_after_days_since_modification_greater_than = each.value["life_cycle_blob"]
- tier_to_cool_after_days_since_modification_greater_than = each.value["life_cycle_blob_cool"]
- }
- }
- }
- }
-}
-
-#######################################################################################
-### Protection Vault
-###
-
-resource "azurerm_data_protection_backup_vault" "northeurope" {
- name = "${var.AZ_SUBSCRIPTION_SHORTNAME}-backupvault-${var.AZ_LOCATION}"
- resource_group_name = "backups"
- location = var.AZ_LOCATION
- datastore_type = "VaultStore"
- redundancy = "LocallyRedundant"
-
- identity {
- type = "SystemAssigned"
- }
-}
-
-resource "azurerm_data_protection_backup_vault" "westeurope" {
- name = "${var.AZ_SUBSCRIPTION_SHORTNAME}-backupvault-westeurope"
- resource_group_name = "backups"
- location = "westeurope"
- datastore_type = "VaultStore"
- redundancy = "LocallyRedundant"
-
- identity {
- type = "SystemAssigned"
- }
-}
-
-#######################################################################################
-### Protection Backup Policy
-###
-
-resource "azurerm_data_protection_backup_policy_blob_storage" "northeurope" {
- name = "${var.AZ_SUBSCRIPTION_SHORTNAME}-backuppolicy-${var.AZ_LOCATION}"
- vault_id = azurerm_data_protection_backup_vault.northeurope.id
- retention_duration = "P30D"
-}
-
-resource "azurerm_data_protection_backup_policy_blob_storage" "westeurope" {
- name = "${var.AZ_SUBSCRIPTION_SHORTNAME}-backuppolicy-westeurope"
- vault_id = azurerm_data_protection_backup_vault.westeurope.id
- retention_duration = "P30D"
-}
diff --git a/terraform/infrastructure/s940/prod/storageaccounts/sync.sh b/terraform/infrastructure/s940/prod/storageaccounts/sync.sh
deleted file mode 100755
index d927861fd..000000000
--- a/terraform/infrastructure/s940/prod/storageaccounts/sync.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-
-# ACTION={checkin | checkout} ./sync.sh
-
-if [[ -z "$ACTION" ]]; then
- echo "ERROR: Please provide ACTION" >&2
- exit 1
-fi
-
-hash azcopy 2>/dev/null || {
- echo "ERROR: azcopy not found in PATH. Exiting..." >&2
- exit 1
-}
-
-if [[ ${ACTION} == "checkin" ]]; then
- # Exit if source cluster does not exist
- echo ""
- echo "Downloading terraform.state file..."
- azcopy copy 'https://s940radixinfra.blob.core.windows.net/tfstate/storageaccounts/terraform.tfstate' terraform.tfstate
- echo ""
-elif [[ ${ACTION} == "checkout" ]]; then
- echo ""
- echo "Uploading terraform.state file..."
- azcopy copy terraform.tfstate 'https://s940radixinfra.blob.core.windows.net/tfstate/storageaccounts/terraform.tfstate'
- echo ""
-fi
diff --git a/terraform/infrastructure/s940/prod/storageaccounts/variables.tf b/terraform/infrastructure/s940/prod/storageaccounts/variables.tf
deleted file mode 100644
index 98d0d8457..000000000
--- a/terraform/infrastructure/s940/prod/storageaccounts/variables.tf
+++ /dev/null
@@ -1,82 +0,0 @@
-variable "AZ_SUBSCRIPTION_ID" {
- description = "Azure subscription id"
- type = string
-}
-
-variable "AZ_LOCATION" {
- description = "The location to create the resources in."
- type = string
-}
-
-variable "AZ_RESOURCE_GROUP_COMMON" {
- description = "Resource group name for common"
- type = string
-}
-
-variable "RADIX_ZONE" {
- description = "Radix zone"
- type = string
-}
-
-variable "AZ_SUBSCRIPTION_SHORTNAME" {
- description = "Subscription shortname"
- type = string
-}
-
-variable "storage_accounts" {
- type = map(object({
- name = string # Mandatory
- rg_name = string # Mandatory
- location = optional(string, "northeurope") # Optional
- kind = optional(string, "StorageV2") # Optional
- repl = optional(string, "LRS") # Optional
- tier = optional(string, "Standard") # Optional
- backup_center = optional(bool, false) # Optional
- life_cycle = optional(bool, true)
- firewall = optional(bool, true)
- container_delete_retention_policy = optional(bool, true)
- tags = optional(map(string), {})
- allow_nested_items_to_be_public = optional(bool, false) #GUI: Configuration Allow Blob public access
- shared_access_key_enabled = optional(bool, true)
- cross_tenant_replication_enabled = optional(bool, true)
- delete_retention_policy = optional(bool, true)
- versioning_enabled = optional(bool, true)
- change_feed_enabled = optional(bool, true)
- change_feed_days = optional(number, 35)
- life_cycle_version = optional(number, 60)
- life_cycle_blob = optional(number, 90)
- life_cycle_blob_cool = optional(number, 30)
- create_with_rbac = optional(bool, false)
- private_endpoint = optional(bool, false)
- }))
- default = {}
-}
-
-variable "resource_groups" {
- type = map(object({
- name = string # Mandatory
- location = optional(string, "northeurope") # Optional
- }))
- default = {}
-}
-
-variable "virtual_networks" {
- type = map(object({
- name = optional(string, "vnet-hub")
- rg_name = string
- }))
- default = {}
-}
-
-variable "private_link" {
-
description = "Subnet connection."
- type = map(object({
- linkname = string
- }))
- default = null
-}
-
-variable "KV_RADIX_VAULT" {
- description = "Radix keyvault"
- type = string
-}
diff --git a/terraform/infrastructure/s941/dev/acr/.env.template b/terraform/infrastructure/s941/dev/acr/.env.template
deleted file mode 100644
index a5098a0e4..000000000
--- a/terraform/infrastructure/s941/dev/acr/.env.template
+++ /dev/null
@@ -1,20 +0,0 @@
-## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly
-
-resource_group_name="s941-tfstate"
-storage_account_name ="s941radixinfra"
-container_name="infrastructure"
-use_azuread_auth=true
-
-# tfstate name
-key="acr/terraform.tfstate" # dev.radixtfexample.terraform.tfstate
-
-# Configure the Microsoft Azure Provider
-
-# service principal client_id
-client_id="f1e6bc52-9aa4-4ca7-a9ac-b7a19d8f0f86" # ar-radix-platform-github-dev-cluster-maintenance
-
-# service principal client_secret
-client_secret="" # ar-radix-platform-github-dev-cluster-maintenance secret
-
-subscription_id="16ede44b-1f74-40a5-b428-46cca9a5741b" # S941-Omnia-Radix-Development
-tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
diff --git a/terraform/infrastructure/s941/dev/acr/.terraform.lock.hcl b/terraform/infrastructure/s941/dev/acr/.terraform.lock.hcl
deleted file mode 100644
index 2b8567e88..000000000
--- a/terraform/infrastructure/s941/dev/acr/.terraform.lock.hcl
+++ /dev/null
@@ -1,60 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/azure/azapi" { - version = "1.13.1" - hashes = [ - "h1:xDZG4lbtQJeyJa3Gzo8qecYxyw+AIXYcdDRlkaSLNz8=", - "zh:1f2aceddd67ceeb82a75c2f15dc01e54781e9aed5968507dbc29590c165b2e2b", - "zh:397f0bfbac899d48e23cecf38d362c27562150aa20b19157b5bd370b8e6801ee", - "zh:652263b7d00623684e29ef7b8ff285a17c5bd7cc8ba7d22967c66d0b3a3c568a", - "zh:652c53320a41434942877515780296a1509be03f32d54e60178f39200f960a67", - "zh:666426faf686401e54ec09fe06e9d7c06a6455ec398764f70558440c73aeb7f9", - "zh:6aa91ae8ba78f2494f99b4c99e66d15ed0b14d735cd1f77adc12ff9dfa075807", - "zh:a529e5a13c37d1805c469227f08cdbe7527d04dd64d18709d26627c6a0b588b1", - "zh:a589c049205e8e5bf94a13d56b28f400d908ad27e13e16df64408ee82eb8a0ff", - "zh:a9a50defdee230f315f74be6c77ff104fe2610a1b3ad6b87326f555e80d13b18", - "zh:ba49ef70d96e13795e2dbffd6cb2ff976dfe84e0373a5971ebe3b4c9c9b7af60", - "zh:d3ed50efe5f8c80d3d7d464ab9a13ccf82440d871c9ce3032ce476845364c6b9", - "zh:e3eb48ee8c36ee4f81850d8a21fc59b81886c729d7c3b7adece4a25f355bed2f", - ] -} - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.100.0" - constraints = "<= 3.100.0" - hashes = [ - "h1:/3X1KgoKBqJo0xe3XDUD0fxfqUK+0Fn8SghwvwY+BIA=", - "zh:20c3259fd94ab41c6c3425fb428d8bd279addb755c8ea1fe0b3e1c3bea4363cb", - "zh:4c4a8d5dbd8a9d7b60934b0ffed442fe50ab1b0559b9693399e3f66eca53d045", - "zh:7c21f569b839e40d4976beb6143adaccc5688d1a754dde054cb6f19ca33576b2", - "zh:88042b599de9ff8ec200e26636e06682e024a28331c4c48db8589d6a03279a8a", - "zh:95c20834eee3b46a85e338988bf14a9a70f74f9cae45ec934cf157dedaa40f28", - "zh:beeed81f4483dec0b64bf1aaf611c5030ad6e4c88c4bd75f956835653a1a29c0", - "zh:d76fa7371648b5bdc17115b5e42fa616fe4c6d2998f727a0956c0bddc4842365", - "zh:d89fcaa83a1ff7c9f29c49b31c60c29d8a84486e11d34573d767a5cd208da7d8", - "zh:ddbe18aee99fb7e2c93343f7f8a95837461a047ca660553c88c873761205ed76", - 
"zh:e6e70c7635bb4472810bfd0a31949640e72c535e6e8707454ea7e86dcb5fcd89", - "zh:f0575689ce28e220bc8daa4d2fefbfd90afde01a14343c61dfd6489960e22ff4", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.2" - hashes = [ - "h1:zT1ZbegaAYHwQa+QwIFugArWikRJI9dqohj8xb0GY88=", - "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", - "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", - "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", - "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606", - "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546", - "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539", - "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422", - "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae", - "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1", - "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", - ] -} diff --git a/terraform/infrastructure/s941/dev/acr/README.md b/terraform/infrastructure/s941/dev/acr/README.md deleted file mode 100644 index d43354cd2..000000000 --- a/terraform/infrastructure/s941/dev/acr/README.md +++ /dev/null 
@@ -1,44 +0,0 @@
-# ACR Buildah Cache Setup
-
-**IMPORTANT**: This script will recreate passwords to he container registry,
-it might take a few seconds before the secrets are available in the cluster,
-and it might cause some downime for Buildah.
-
-The generated password is uploaded to a Azure Key Vault, and inserted into the cluster.
-The AKS Bootstraping/Migration script will *also* copy the secret from the key vault to the cluster.
-
-Changes here must be reflected in the relevant scripts.
-
-## How to use (locally)
-
-1. cluster name will be the same as folder name
-2. Copy `.env.template`, rename it to `.env`, and populate accordingly
-
-Run below commands to Initialize terraform in current directory
-
-```sh
-# Initialize terraform
-# This will connect terraform backend to Azure
-terraform init -backend-config=.env
-```
-
-Run below commands to plan
-
-```sh
-# Will plan main.tf
-terraform plan --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
-
-Run below commands to deploy
-
-```sh
-# Will deploy main.tf
-terraform apply --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
-
-Run below commands to destroy
-
-```sh
-# Will destroy main.tf
-terraform destroy --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
diff --git a/terraform/infrastructure/s941/dev/acr/acr.tf b/terraform/infrastructure/s941/dev/acr/acr.tf
deleted file mode 100644
index 989232a23..000000000
--- a/terraform/infrastructure/s941/dev/acr/acr.tf
+++ /dev/null
@@ -1,73 +0,0 @@
-resource "azurerm_container_registry" "app" {
- for_each = var.K8S_ENVIROMENTS
-
- name = "radix${each.key}app${var.ACR_SUFFIX}"
- location = var.resource_groups[each.value.resourceGroup].location # Create ACR in same location as k8s
- sku = "Premium"
- resource_group_name = var.AZ_RESOURCE_GROUP_COMMON
- zone_redundancy_enabled = false
- admin_enabled = false
- anonymous_pull_enabled = false
-
- public_network_access_enabled = true
-
- network_rule_set {
- default_action = "Deny"
- ip_rule = [
- {
- action = "Allow"
- ip_range = var.EQUINOR_WIFI_IP_CIDR
- }
- ]
- }
-
- georeplications {
- location = var.resource_groups[each.value.resourceGroup].location == "northeurope" ? "westeurope" : "northeurope"
- zone_redundancy_enabled = false
- }
-}
-
-resource "azurerm_private_endpoint" "acr_app" {
- for_each = var.K8S_ENVIROMENTS
-
- name = "pe-radix-acr-app-${each.key}"
- resource_group_name = var.AZ_RESOURCE_GROUP_COMMON
- location = var.resource_groups[each.value.resourceGroup].location # Create ACR in same location as k8s
- subnet_id = var.private_link[each.key].linkname
-
- private_service_connection {
- name = "Private_Service_Connection"
- private_connection_resource_id = azurerm_container_registry.app[each.key].id
- is_manual_connection = false
- subresource_names = ["registry"]
- }
-}
-
-
-locals {
- acrDnsRecords = flatten([
- for key, value in var.K8S_ENVIROMENTS :
- [
- for ip in azurerm_private_endpoint.acr_app[key].custom_dns_configs :
- {
- ips : ip.ip_addresses,
- fqdn : ip.fqdn,
- subdomain : replace(ip.fqdn, ".azurecr.io", ""),
- env : key
- }
- ]
- ])
-}
-
-resource "azurerm_private_dns_a_record" "dns_record" {
- # Adds a unique key to each value to use it in for_each
- for_each = { for value in local.acrDnsRecords : join("-", [value.env, value.subdomain]) => value }
-
- name = each.value.subdomain
- zone_name = azurerm_private_dns_zone.zone[each.value.env].name
- resource_group_name = join("", ["cluster-vnet-hub-", each.value.env])
-
ttl = 300
- records = each.value.ips
-
- depends_on = [azurerm_private_endpoint.acr_app]
-}
diff --git a/terraform/infrastructure/s941/dev/acr/clusters.tf b/terraform/infrastructure/s941/dev/acr/clusters.tf
deleted file mode 100644
index 33c55685a..000000000
--- a/terraform/infrastructure/s941/dev/acr/clusters.tf
+++ /dev/null
@@ -1,38 +0,0 @@
-data "azapi_resource_list" "clusters" {
- for_each = toset(var.aks_cluster_resource_groups)
-
- type = "Microsoft.ContainerService/managedClusters@2023-09-01"
- parent_id = "/subscriptions/${var.AZ_SUBSCRIPTION_ID}/resourcegroups/${var.resource_groups[each.value].name}"
- response_export_values = ["*"]
-}
-
-locals {
- k8s_resources = flatten([
- for key, resource in data.azapi_resource_list.clusters : [
- for cluster in jsondecode(resource.output).value :
- {
- id : cluster.id,
- name : cluster.name,
- rgName : key,
- location : cluster.location
- }
- ]
- ])
-}
-
-data "azurerm_kubernetes_cluster" "k8s" {
- for_each = { for cluster in local.k8s_resources : cluster.name => cluster }
-
- name = each.value.name
- resource_group_name = each.value.rgName
-}
-
-locals {
- clusterEnvironment = {
- for cluster in data.azurerm_kubernetes_cluster.k8s : cluster.name =>
- startswith(lower(cluster.name), "weekly-") ? "dev" :
- startswith(lower(cluster.name), "playground-") ? "playground" :
- startswith(lower(cluster.name), "eu-") ? "prod" :
- startswith(lower(cluster.name), "c2-") ? "c2" : "unknown"
- }
-}
diff --git a/terraform/infrastructure/s941/dev/acr/dns.tf b/terraform/infrastructure/s941/dev/acr/dns.tf
deleted file mode 100644
index 458904660..000000000
--- a/terraform/infrastructure/s941/dev/acr/dns.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-resource "azurerm_private_dns_zone" "zone" {
- for_each = var.K8S_ENVIROMENTS
-
- name = "privatelink.azurecr.io"
- resource_group_name = var.virtual_networks[each.key].rg_name
-}
-
-
-# Link DNS Zone to Cluster
-
-data "azurerm_virtual_network" "vnet" {
- for_each = data.azurerm_kubernetes_cluster.k8s
-
- name = "vnet-${each.value.name}"
- resource_group_name = data.azurerm_kubernetes_cluster.k8s[each.key].resource_group_name
-}
-
-resource "azurerm_private_dns_zone_virtual_network_link" "link" {
- for_each = data.azurerm_virtual_network.vnet
-
- name = "${each.key}-link" # Cluster Name
- private_dns_zone_name = "privatelink.azurecr.io"
- resource_group_name = var.virtual_networks[local.clusterEnvironment[each.key]].rg_name
- virtual_network_id = each.value.id
-
- depends_on = [azurerm_container_registry.app]
-}
diff --git a/terraform/infrastructure/s941/dev/acr/main.tf b/terraform/infrastructure/s941/dev/acr/main.tf
deleted file mode 100644
index 0899c5715..000000000
--- a/terraform/infrastructure/s941/dev/acr/main.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-terraform {
- required_providers {
- azapi = {
- source = "Azure/azapi"
- }
- }
- backend "azurerm" {
-
- }
-}
-
-provider "azapi" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-}
-
-provider "azurerm" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-
- features {}
-}
diff --git a/terraform/infrastructure/s941/dev/acr/pull-image-secret.tf b/terraform/infrastructure/s941/dev/acr/pull-image-secret.tf
deleted file mode 100644
index 5a2729590..000000000
--- a/terraform/infrastructure/s941/dev/acr/pull-image-secret.tf
+++ /dev/null
@@ -1,85 +0,0 @@
-resource "azurerm_container_registry_token" "app_acr" {
- for_each = var.K8S_ENVIROMENTS
-
- name = "radix-app-registry-secret-${each.key}"
- resource_group_name = var.AZ_RESOURCE_GROUP_COMMON
- scope_map_id = "${azurerm_container_registry.app[each.key].id}/scopeMaps/_repositories_admin"
- container_registry_name = azurerm_container_registry.app[each.key].name
-
- depends_on = [azurerm_container_registry.app]
-}
-
-resource "azurerm_container_registry_token_password" "password" {
- for_each = var.K8S_ENVIROMENTS
-
- container_registry_token_id = azurerm_container_registry_token.app_acr[each.key].id
- password1 {
- expiry = var.ACR_TOKEN_EXPIRES_AT
- }
-
- lifecycle {
- ignore_changes = [password2]
- }
-}
-
-data "azurerm_key_vault" "vault" {
- for_each = var.K8S_ENVIROMENTS
-
- name = var.key_vault_by_k8s_environment[each.key].name
- resource_group_name = var.key_vault_by_k8s_environment[each.key].rg_name
-}
-
-resource "azurerm_key_vault_secret" "secret" {
- for_each = var.K8S_ENVIROMENTS
-
- key_vault_id = data.azurerm_key_vault.vault[each.key].id
- name = "radix-app-registry-secret-${each.key}"
- value = azurerm_container_registry_token_password.password[each.key].password1[0].value
- expiration_date = formatdate("YYYY-MM-DD'T'HH:mm:ssZ", var.ACR_TOKEN_EXPIRES_AT)
- tags = {
- "rotate-strategy" = "Manually recreate password1 in ACR, then copy secret to cluster"
- "source-token" = "radix-app-registry-secret-${each.key}"
- "source-acr" = azurerm_container_registry.app[each.key].name
- }
-}
-
-locals {
- auth = {
- for k, v in data.azurerm_kubernetes_cluster.k8s : k => {
- server = azurerm_container_registry.app[local.clusterEnvironment[k]].login_server
- user = "radix-app-registry-secret-${local.clusterEnvironment[k]}",
- pass = azurerm_container_registry_token_password.password[local.clusterEnvironment[k]].password1[0].value
- }
- }
-
- nodeCount = { for k, v in data.azurerm_kubernetes_cluster.k8s : k => sum(v.agent_pool_profile[*].count) }
-
-
config = { for k, v in data.azurerm_kubernetes_cluster.k8s : k => base64encode(v.kube_config_raw) }
-
- secret = {
- for k, v in data.azurerm_kubernetes_cluster.k8s : k => base64encode(<<-EOF
- apiVersion: v1
- data:
- username: ${base64encode(local.auth[k].user)}
- password: ${base64encode(local.auth[k].pass)}
- kind: Secret
- metadata:
- name: radix-app-registry
- namespace: default
- type: Opaque
- EOF
- )
- }
-}
-
-resource "null_resource" "create_token" {
- triggers = { always_run = var.ACR_TOKEN_EXPIRES_AT }
-
- # Dont try to exec on clusters that are off, it will fail
- for_each = { for k, v in data.azurerm_kubernetes_cluster.k8s : k => v if local.nodeCount[k] > 0 }
-
- provisioner "local-exec" {
- interpreter = ["/bin/bash", "-c"]
- command = "kubectl --kubeconfig <(echo ${local.config[each.key]} | base64 --decode) apply -f <(echo ${local.secret[each.key]} | base64 --decode)"
- }
-}
diff --git a/terraform/infrastructure/s941/dev/acr/variables.tf b/terraform/infrastructure/s941/dev/acr/variables.tf
deleted file mode 100644
index f119809a1..000000000
--- a/terraform/infrastructure/s941/dev/acr/variables.tf
+++ /dev/null
@@ -1,76 +0,0 @@
-variable "AZ_RESOURCE_GROUP_COMMON" {
- description = "Resource group name for common"
- type = string
-}
-
-variable "AZ_LOCATION" {
- description = "Azure resource location"
- type = string
-}
-
-variable "ACR_SUFFIX" {
- description = "Suffix added to ACR Name"
- type = string
-}
-
-variable "AZ_SUBSCRIPTION_ID" {
- type = string
-}
-
-variable "private_link" {
- description = "Subnet connection."
- type = map(object({
- linkname = string
- }))
- default = null
-}
-variable "virtual_networks" {
- type = map(object({
- rg_name = string
- }))
- default = {
- "dev" = {
- rg_name = "cluster-vnet-hub-dev"
- }
- "playground" = {
- rg_name = "cluster-vnet-hub-playground"
- }
- }
-}
-
-variable "aks_cluster_resource_groups" {
- type = list(string)
-}
-variable "resource_groups" {
- type = map(object({
- name = string # Mandatory
- location = optional(string, "northeurope") # Optional
- }))
- default = {}
-}
-
-variable "K8S_ENVIROMENTS" {
- description = "A map of cluster enviroments and their resource group"
- type = map(object({
- name = string
- resourceGroup = string
- }))
-}
-
-variable "key_vault_by_k8s_environment" {
- description = "Name of Keyvault."
- type = map(object({
- name = string
- rg_name = string
- }))
- default = {}
-}
-
-variable "ACR_TOKEN_EXPIRES_AT" {
- type = string
-}
-
-variable "EQUINOR_WIFI_IP_CIDR" {
- description = "Range of IP addresses to allow firewall connections."
- type = string
-}
diff --git a/terraform/infrastructure/s941/dev/keyvaults/.env.template b/terraform/infrastructure/s941/dev/keyvaults/.env.template
deleted file mode 100644
index b92892e85..000000000
--- a/terraform/infrastructure/s941/dev/keyvaults/.env.template
+++ /dev/null
@@ -1,20 +0,0 @@
-## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly
-
-resource_group_name="s941-tfstate"
-storage_account_name ="s941radixinfra"
-container_name="infrastructure"
-use_azuread_auth=true
-
-# tfstate name
-key="keyvaults/terraform.tfstate" # dev.radixtfexample.terraform.tfstate
-
-# Configure the Microsoft Azure Provider
-
-# service principal client_id
-client_id="f1e6bc52-9aa4-4ca7-a9ac-b7a19d8f0f86" # ar-radix-platform-github-dev-cluster-maintenance
-
-# service principal client_secret
-client_secret="" # ar-radix-platform-github-dev-cluster-maintenance secret
-
-subscription_id="16ede44b-1f74-40a5-b428-46cca9a5741b" # S941-Omnia-Radix-Development
-tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
diff --git a/terraform/infrastructure/s941/dev/keyvaults/.terraform.lock.hcl b/terraform/infrastructure/s941/dev/keyvaults/.terraform.lock.hcl
deleted file mode 100644
index 0e4ccafde..000000000
--- a/terraform/infrastructure/s941/dev/keyvaults/.terraform.lock.hcl
+++ /dev/null
@@ -1,40 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azuread" { - version = "2.47.0" - hashes = [ - "h1:KB9BNRNStbdsfdRmVXUwXtN77qgX5VjBy2UALcqp218=", - "zh:1372d81eb24ef3b4b00ea350fe87219f22da51691b8e42ce91d662f6c2a8af5e", - "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:1e654a74d171d6ff8f9f6f67e3ff1421d4c5e56a18607703626bf12cd23ba001", - "zh:35227fad617a0509c64ab5759a8b703b10d244877f1aa5416bfbcc100c96996f", - "zh:357f553f0d78d46a96c7b2ed06d25ee0fc60fc5be19812ccb5d969fa47d62e17", - "zh:58faa2940065137e3e87d02eba59ab5cd7137d7a18caf225e660d1788f274569", - "zh:7308eda0339620fa24f47cedd22221fc2c02cab9d5be1710c09a783aea84eb3a", - "zh:863eabf7f908a8263e28d8aa2ad1381affd6bb5c67755216781f674ef214100e", - "zh:8b95b595a7c14ed7b56194d03cdec253527e7a146c1c58961be09e6b5c50baee", - "zh:afbca6b4fac9a0a488bc22ff9e51a8f14e986137d25275068fd932f379a51d57", - "zh:c6aadec4c81a44c3ffc22c2d90ffc6706bf5a9a903a395d896477516f4be6cbb", - "zh:e54a59de7d4ef0f3a18f91fed0b54a2bce18257ae2ee1df8a88226e1023c5811", - ] -} - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.85.0" - hashes = [ - "h1:UW2HuNrkVexKwNYbkI1Xr/B3ip/cCgizIjfKN+ulpPs=", - "zh:1ae6c0d82b5801641a17094b84f2ec1dcac699c1c4e40669a267511061414a34", - "zh:259e9386a43aabecb1205b0ceea2d205223637c09b66d806a89fed04f3343253", - "zh:4d940f9c14fece4f1d9219ac9d104202e5561bddc5024e5ac97f3f93eea20110", - "zh:530bca70b950e835f63c796c694106d701e5de0e2cf096fa35f08afd5c254594", - "zh:69e6b7f44ffbe0383b6485bb9db26781eb7869503889303e202967900a6b35ed", - "zh:8528e7d054254daae06eeb2bf343d566d3908a024fdfb5e515fbdbe0669c15eb", - "zh:98d66edfa89ed9a431ca37be384e5dfe7fa20bdc732c6e7d30f3f922ca3b29dc", - "zh:b8d37cedeffeb6bd37d4ec79fc2da19ed6b57d1ac08d835395dfa4fb3cfdf447", - "zh:bbc94e89cd6c0d59c2e5ed0bce852cac8435b6dc2e979691ee84af4c8b2c9bb8", - 
"zh:ceb4c624e8bb56bbcfe53e3c4ed4b4d27c3a5b62e5f4890b32c98b60b83c7827", - "zh:f08c5bf19eb25f668633964c6bfa823aa0ead785824082533c4a6cff3959e3d0", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -}
diff --git a/terraform/infrastructure/s941/dev/keyvaults/README.md b/terraform/infrastructure/s941/dev/keyvaults/README.md
deleted file mode 100644
index c8b8320c1..000000000
--- a/terraform/infrastructure/s941/dev/keyvaults/README.md
+++ /dev/null
@@ -1,26 +0,0 @@
-## How to use (locally)
-
-1. cluster name will be the same as folder name
-2. Copy `.env.template`, rename it to `.env`, and populate accordingly
-
-Run below commands to Initialize terraform in current directory
-
-```sh
-# Initialize terraform
-# This will connect terraform backend to Azure
-terraform init -backend-config=.env
-```
-
-Run below commands to deploy
-
-```sh
-# Will deploy main.tf
-terraform apply --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
-
-Run below commands to destroy
-
-```sh
-# Will destroy main.tf
-terraform destroy --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
diff --git a/terraform/infrastructure/s941/dev/keyvaults/main.tf b/terraform/infrastructure/s941/dev/keyvaults/main.tf
deleted file mode 100644
index d8f9b0810..000000000
--- a/terraform/infrastructure/s941/dev/keyvaults/main.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-terraform {
- backend "azurerm" {}
-}
-
-provider "azurerm" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-
- features {}
-}
-
-data "azuread_service_principal" "SP_GITHUB_ACTION_CLUSTER" {
- display_name = var.APP_GITHUB_ACTION_CLUSTER_NAME
-}
-
-data "azurerm_key_vault" "KV_RADIX_VAULT" {
- name = var.KV_RADIX_VAULT
- resource_group_name = var.AZ_RESOURCE_GROUP_COMMON
-}
-
-resource "azurerm_key_vault_access_policy" "AP_KV_SP_GITHUB_ACTION_CLUSTER" {
- key_vault_id = data.azurerm_key_vault.KV_RADIX_VAULT.id
- object_id = data.azuread_service_principal.SP_GITHUB_ACTION_CLUSTER.object_id
- tenant_id = var.AZ_TENANT_ID
-
- secret_permissions = ["Get", "List", "Set"]
-}
diff --git a/terraform/infrastructure/s941/dev/keyvaults/variables.tf b/terraform/infrastructure/s941/dev/keyvaults/variables.tf
deleted file mode 100644
index ddb8b68d1..000000000
--- a/terraform/infrastructure/s941/dev/keyvaults/variables.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-variable "AZ_TENANT_ID" {
- description = "Tenant ID"
- type = string
-}
-
-variable "AZ_SUBSCRIPTION_ID" {
- description = "Azure subscription id"
- type = string
-}
-
-variable "AZ_RESOURCE_GROUP_COMMON" {
- description = "Resource group name for common"
- type = string
-}
-
-variable "APP_GITHUB_ACTION_CLUSTER_NAME" {
- description = "App registration name"
- type = string
-}
-
-variable "KV_RADIX_VAULT" {
- description = "Radix keyvault"
- type = string
-}
diff --git a/terraform/infrastructure/s941/dev/logicapps/.env.template b/terraform/infrastructure/s941/dev/logicapps/.env.template
deleted file mode 100644
index 1c396c0a8..000000000
--- a/terraform/infrastructure/s941/dev/logicapps/.env.template
+++ /dev/null
@@ -1,20 +0,0 @@
-## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly
-
-resource_group_name="s941-tfstate"
-storage_account_name ="s941radixinfra"
-container_name="infrastructure"
-use_azuread_auth=true
-
-# tfstate name
-key="logicapps/terraform.tfstate"
-
-# Configure the Microsoft Azure Provider
-
-# service principal client_id
-client_id="f1e6bc52-9aa4-4ca7-a9ac-b7a19d8f0f86" # ar-radix-platform-github-dev-cluster-maintenance
-
-# service principal client_secret
-client_secret="" # ar-radix-platform-github-dev-cluster-maintenance secret
-
-subscription_id="16ede44b-1f74-40a5-b428-46cca9a5741b" # S941-Omnia-Radix-Development
-tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
\ No newline at end of file
diff --git a/terraform/infrastructure/s941/dev/logicapps/.terraform.lock.hcl b/terraform/infrastructure/s941/dev/logicapps/.terraform.lock.hcl
deleted file mode 100644
index b0b952e4a..000000000
--- a/terraform/infrastructure/s941/dev/logicapps/.terraform.lock.hcl
+++ /dev/null
@@ -1,38 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.79.0" - hashes = [ - "h1:7Bf5Bagy9v33QKJKlFN2++WjE/E5UIElfpC/7sqUMV8=", - "zh:0cd62eff55944be5bee31b376b410f07232227490b902af8f4785021edeb707f", - "zh:168128566331d18b89565205ed78a6a64c3f55a2555956f7e4c15773de56905c", - "zh:63068b268ae4080fe3e33f75c174e83ed2355b5812ec62a29e5f7c7e71399ab9", - "zh:6e88c32eafc7c01d9564bca18f2e47a7f54f2fec1b64700f3f7a6f927757a034", - "zh:8f1f40fc00bc22eb5ea4fa6a4b4815d2a44a2a7ba086cadf2a37366f8fa65c88", - "zh:96e6309019a0367bb77bec52cd0bcbd049ac943e7a28ed0b7635b8e9ed5776d3", - "zh:ba4840eb4da0df74adfe9bf59ff7e63d4a38c1ae0028c93c06285d766fc06f0f", - "zh:dd49b4cc241251077dbdbae5137f03f1d66873408b0b43d3ff5f98fa254ffca4", - "zh:e0a99adb8b1c1b951e2b19c677fb4c1ba78350b829f0ff73aa141ec1bc1ecd8b", - "zh:ee523758d5b17fd04fa869b7f6ad92f1b321eaaa9e1508609dcca1577dee3c44", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:fbc79c9a3cc63e6f3f154cdca23b8ccb6de86495c0b9ae605bea50072c514032", - ] -} - -provider "registry.terraform.io/hashicorp/template" { - version = "2.2.0" - hashes = [ - "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", - "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", - "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", - "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", - "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", - "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", - "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", - "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", - "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", - "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", - 
"zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", - ] -}
diff --git a/terraform/infrastructure/s941/dev/logicapps/README.md b/terraform/infrastructure/s941/dev/logicapps/README.md
deleted file mode 100644
index ca459b73b..000000000
--- a/terraform/infrastructure/s941/dev/logicapps/README.md
+++ /dev/null
@@ -1,26 +0,0 @@
-## How to use (locally)
-
-1. cluster name will be the same as folder name
-2. Copy `.env.template`, rename it to `.env`, and populate accordingly
-
-Run below commands to Initialize terraform in current directory
-
-```sh
-# Initialize terraform
-# This will connect terraform backend to Azure
-terraform init -backend-config=.env
-```
-
-Run below commands to deploy
-
-```sh
-# Will deploy main.tf
-terraform apply --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
-
-Run below commands to destroy
-
-```sh
-# Will destroy main.tf
-terraform destroy --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
\ No newline at end of file
diff --git a/terraform/infrastructure/s941/dev/logicapps/main.tf b/terraform/infrastructure/s941/dev/logicapps/main.tf
deleted file mode 100644
index d2f3048fe..000000000
--- a/terraform/infrastructure/s941/dev/logicapps/main.tf
+++ /dev/null
@@ -1,206 +0,0 @@
-terraform {
- backend "azurerm" {}
-}
-
-provider "azurerm" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-
- features {}
-}
-
-data "azurerm_managed_api" "azureblob" {
- name = "azureblob"
- location = var.AZ_LOCATION
-}
-
-data "azurerm_managed_api" "azuremonitorlogs" {
- name = "azuremonitorlogs"
- location = var.AZ_LOCATION
-}
-
-data "azurerm_user_assigned_identity" "managed_identity" {
- for_each = var.managed_identity
- name = each.value["name"]
- resource_group_name = each.value["rg_name"]
-}
-
-
-resource "azurerm_logic_app_workflow" "logic_app_workflow" {
- for_each = var.logic_app_workflow
- name = each.value["name"]
- location = each.value["location"]
- resource_group_name = each.value["rg_name"]
- enabled = true
- identity {
- identity_ids = [
- data.azurerm_user_assigned_identity.managed_identity[each.value["managed_identity_name"]].id
- ]
- type = "UserAssigned"
- }
-
- parameters = {
- "$connections" = jsonencode(
- {
- azureblob = {
- connectionId = "/subscriptions/${var.AZ_SUBSCRIPTION_ID}/resourceGroups/${each.value["rg_name"]}/providers/Microsoft.Web/connections/${data.azurerm_managed_api.azureblob.name}"
- connectionName = data.azurerm_managed_api.azureblob.name
- connectionProperties = {
- authentication = {
- identity = data.azurerm_user_assigned_identity.managed_identity[each.value["managed_identity_name"]].id
- type = "ManagedServiceIdentity"
- }
- }
- id = data.azurerm_managed_api.azureblob.id
- }
- azuremonitorlogs = {
- connectionId = "/subscriptions/${var.AZ_SUBSCRIPTION_ID}/resourceGroups/${each.value["rg_name"]}/providers/Microsoft.Web/connections/${data.azurerm_managed_api.azuremonitorlogs.name}"
- connectionName = data.azurerm_managed_api.azuremonitorlogs.name
- connectionProperties = {
- authentication = {
- identity = data.azurerm_user_assigned_identity.managed_identity[each.value["managed_identity_name"]].id
- type = "ManagedServiceIdentity"
- }
- }
- id = data.azurerm_managed_api.azuremonitorlogs.id
- }
- }
- )
- }
- workflow_parameters = {
- "$connections" = jsonencode(
- {
- defaultValue = {}
- type = "Object"
- }
- )
- }
-}
-
-
-resource "azurerm_logic_app_trigger_recurrence" "recurrence" {
- for_each = var.logic_app_workflow
- name = "Recurrence"
- logic_app_id = azurerm_logic_app_workflow.logic_app_workflow[each.key].id
- frequency = "Hour"
- interval = 1
- depends_on = [data.azurerm_user_assigned_identity.managed_identity]
-}
-
-resource "azurerm_logic_app_action_custom" "query" {
- for_each = var.logic_app_workflow
- name = "Run_query_and_list_results"
- logic_app_id = azurerm_logic_app_workflow.logic_app_workflow[each.key].id
- depends_on = [azurerm_logic_app_trigger_recurrence.recurrence]
-
- body = jsonencode(
- {
- inputs = {
- body = "let dt = now();\nlet year = datetime_part('year', dt);\nlet month = datetime_part('month', dt);\nlet day = datetime_part('day', dt);\nlet hour = datetime_part('hour', dt);\nlet startTime = make_datetime(year,month,day,hour,0)-1h;\nlet endTime = startTime + 1h - 1tick;\nAzureDiagnostics\n| where ingestion_time() between(startTime .. 
endTime)\n| project\n TenantId,\n TimeGenerated,\n ResourceId,\n Category,\n ResourceGroup,\n SubscriptionId,\n ResourceProvider,\n Resource,\n ResourceType,\n OperationName,\n SourceSystem,\n stream_s,\n pod_s,\n collectedBy_s,\n log_s,\n containerID_s,\n Type,\n _ResourceId",
- host = {
- connection = {
- name = "@parameters('$connections')['azuremonitorlogs']['connectionId']"
- }
- },
- method = "post",
- path = "/queryData",
- queries = {
- resourcegroups = each.value["rg_name"],
- resourcename = each.value["loganalytics"],
- resourcetype = "Log Analytics Workspace",
- subscriptions = var.AZ_SUBSCRIPTION_ID,
- timerange = "Last hour"
- }
- },
- runAfter = {},
- type = "ApiConnection"
- }
- )
-}
-
-resource "azurerm_logic_app_action_custom" "parse_json" {
- for_each = var.logic_app_workflow
- name = "Parse_JSON"
- logic_app_id = azurerm_logic_app_workflow.logic_app_workflow[each.key].id
- depends_on = [azurerm_logic_app_action_custom.query]
-
- body = jsonencode(
- {
-
- inputs = {
- content = "@body('Run_query_and_list_results')",
- schema = {}
- },
- runAfter = {
- "Run_query_and_list_results" = [
- "Succeeded"
- ]
- },
- type = "ParseJson"
- }
- )
-}
-
-resource "azurerm_logic_app_action_custom" "compose" {
- for_each = var.logic_app_workflow
- name = "Compose"
- logic_app_id = azurerm_logic_app_workflow.logic_app_workflow[each.key].id
- depends_on = [azurerm_logic_app_action_custom.parse_json]
-
- body = jsonencode(
- {
-
- inputs = {
- content = "@body('Parse_JSON')",
- schema = {}
- },
- runAfter = {
- "Parse_JSON" = [
- "Succeeded"
- ]
- },
- type = "ParseJson"
- }
- )
-}
-
-resource "azurerm_logic_app_action_custom" "create_blob" {
- for_each = var.logic_app_workflow
- name = "Create_blob_(V2)"
- logic_app_id = azurerm_logic_app_workflow.logic_app_workflow[each.key].id
- depends_on = [azurerm_logic_app_action_custom.compose]
-
- body = jsonencode(
- {
-
- inputs = {
- body = "@outputs('Compose')",
- headers = {
- ReadFileMetadataFromServer = true
- },
- 
host = {
- connection = {
- name = "@parameters('$connections')['azureblob']['connectionId']"
- }
- },
- method = "post",
- path = "/v2/datasets/@{encodeURIComponent(encodeURIComponent('${each.value["storageaccount"]}'))}/files",
- queries = {
- folderPath = "/archive-log-analytics-${each.value["folder"]}/@{formatDateTime(utcNow(), 'yyyy')}/@{formatDateTime(utcNow(), 'MM')}/@{formatDateTime(utcNow(), 'dd')}",
- name = "@{subtractFromTime(formatDateTime(utcNow(),'yyyy-MM-ddTHH:00:00'), 1,'Hour')}",
- queryParametersSingleEncoded = true
- }
- },
- runAfter = {
- "Compose" = [
- "Succeeded"
- ]
- },
- runtimeConfiguration = {
- contentTransfer = {
- transferMode = "Chunked"
- }
- },
- type = "ApiConnection"
- }
- )
-}
diff --git a/terraform/infrastructure/s941/dev/logicapps/variables.tf b/terraform/infrastructure/s941/dev/logicapps/variables.tf
deleted file mode 100644
index 3f1d50545..000000000
--- a/terraform/infrastructure/s941/dev/logicapps/variables.tf
+++ /dev/null
@@ -1,32 +0,0 @@
-variable "AZ_LOCATION" {
- description = "The location to create the resources in."
- type = string
-}
-
-variable "AZ_SUBSCRIPTION_ID" {
- description = "Azure subscription id"
- type = string
-}
-
-variable "logic_app_workflow" {
- description = "Logic App Workflows"
- type = map(object({
- name = string
- location = optional(string, "northeurope")
- rg_name = string
- managed_identity_name = string
- loganalytics = string
- storageaccount = string
- folder = string
- }))
- default = {}
-}
-
-variable "managed_identity" {
- description = "Managed Identity"
- type = map(object({
- name = string
- rg_name = string
- }))
- default = {}
-}
diff --git a/terraform/infrastructure/s941/dev/managedidentity/.env.template b/terraform/infrastructure/s941/dev/managedidentity/.env.template
deleted file mode 100644
index 3c6a6a07b..000000000
--- a/terraform/infrastructure/s941/dev/managedidentity/.env.template
+++ /dev/null
@@ -1,20 +0,0 @@
-## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly
-
-resource_group_name="s941-tfstate"
-storage_account_name ="s941radixinfra"
-container_name="infrastructure"
-use_azuread_auth=true
-
-# tfstate name
-key="managedidentity/terraform.tfstate" # dev.radixtfexample.terraform.tfstate
-
-# Configure the Microsoft Azure Provider
-
-# service principal client_id
-client_id="f1e6bc52-9aa4-4ca7-a9ac-b7a19d8f0f86" # ar-radix-platform-github-dev-cluster-maintenance
-
-# service principal client_secret
-client_secret="" # ar-radix-platform-github-dev-cluster-maintenance secret
-
-subscription_id="16ede44b-1f74-40a5-b428-46cca9a5741b" # S941-Omnia-Radix-Development
-tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
\ No newline at end of file
diff --git a/terraform/infrastructure/s941/dev/managedidentity/.terraform.lock.hcl b/terraform/infrastructure/s941/dev/managedidentity/.terraform.lock.hcl
deleted file mode 100644
index ef22515b5..000000000
--- a/terraform/infrastructure/s941/dev/managedidentity/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.75.0" - hashes = [ - "h1:jdCddD1ADiQQB/rjC2aB7fFzOMZswHRPcVVC6YmL5K0=", - "zh:0d881d7b499367400ced6e315e32a1948d823309c5677a16056367001a8785ce", - "zh:384acba136f1b347cac7831bb4e0396a370f6664e1c1242fce42a6fc55b9db8a", - "zh:409a01af5d873e4ac7e62cfd8c9a27638a719394ccf6a8de89ac4a1049275c20", - "zh:547eab553ea24cc9079fd80093c1611d036df089385bb4a38c5db21f6126e75e", - "zh:714a1fc3d1485deec10f4a49be556997f8ea0cc717db78fa0613f5bee728fcd7", - "zh:90d197c03a3bad2a8cfa7fc2396dc1601bf08be9368d399d58ec51654201c6fb", - "zh:9587b44249147b0e9d7619568cf46de126ec947ca5c56a1d740d8142b89919c2", - "zh:9d910ae66496833d4f85a4fe6b24649f74a1624f1502f63e9ff8201f29c0c1d1", - "zh:9f355767fc7f5ab769a60b46e42f9498f33ee95c3833b7d95c7f7c69fe101564", - "zh:d11d91da699d8c62f873cdea72bc26ab40cde4f18bc88ab6583ea836fee26ecd", - "zh:e0f9d50274f54acc2c5e300537d96a5aa03be650cfb66249a14ed45375014c77", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/terraform/infrastructure/s941/dev/managedidentity/README.md b/terraform/infrastructure/s941/dev/managedidentity/README.md deleted file mode 100644 index 592931785..000000000 --- a/terraform/infrastructure/s941/dev/managedidentity/README.md +++ /dev/null 
@@ -1,22 +0,0 @@
-## How to use (locally)
-
-1. cluster name will be the same as folder name
-2. Copy `.env.template`, rename it to `.env`, and populate accordingly
-
-Run below commands to Initialize terraform in current directory
-```sh
-# Initialize terraform
-# This will connect terraform backend to Azure
-terraform init -backend-config=.env
-```
-
-Run below commands to deploy
-```sh
-# Will deploy main.tf
-terraform apply --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
-Run below commands to destroy
-```sh
-# Will destroy main.tf
-terraform destroy --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
diff --git a/terraform/infrastructure/s941/dev/managedidentity/main.tf b/terraform/infrastructure/s941/dev/managedidentity/main.tf
deleted file mode 100644
index 03c3a7071..000000000
--- a/terraform/infrastructure/s941/dev/managedidentity/main.tf
+++ /dev/null
@@ -1,72 +0,0 @@
-terraform {
- backend "azurerm" {}
-}
-
-provider "azurerm" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-
- features {}
-}
-
-locals {
- storageaccount_role_assignment = merge([
- for storageaccount_key, storageaccount_value in data.azurerm_storage_account.storageaccounts : {
- for mi_key, mi_value in var.managed_identity :
- "${storageaccount_key}-${mi_key}" => {
- managedidentity = mi_value.name
- storageaccount = storageaccount_value.name
- id = storageaccount_value.id
- }
- }
- ]...)
-
- loganalytics_role_assignment = merge([
- for loganalytics_key, loganalytics_value in data.azurerm_log_analytics_workspace.loganalytics : {
- for mi_key, mi_value in var.managed_identity :
- "${loganalytics_key}-${mi_key}" => {
- managedidentity = mi_value.name
- storageaccount = loganalytics_value.name
- id = loganalytics_value.id
- }
- }
- ]...)
-}
-
-data "azurerm_log_analytics_workspace" "loganalytics" {
- for_each = {
- for key in compact([for key, value in var.loganalytics : value.managed_identity ? key : ""]) : key =>
- var.loganalytics[key]
- }
- name = each.value["name"]
- resource_group_name = each.value["rg_name"]
-}
-
-data "azurerm_storage_account" "storageaccounts" {
- for_each = {
- for key in compact([for key, value in var.storage_accounts : value.managed_identity ? 
key : ""]) : key =>
- var.storage_accounts[key]
- }
- name = each.value["name"]
- resource_group_name = each.value["rg_name"]
-}
-
-resource "azurerm_user_assigned_identity" "managed_identity" {
- for_each = var.managed_identity
- name = each.value["name"]
- location = each.value["location"]
- resource_group_name = each.value["rg_name"]
-}
-
-resource "azurerm_role_assignment" "assign_identity_storage_blob_data_contributor" {
- for_each = local.storageaccount_role_assignment
- scope = each.value["id"]
- role_definition_name = "Storage Blob Data Contributor"
- principal_id = azurerm_user_assigned_identity.managed_identity[each.value["managedidentity"]].principal_id
-}
-
-resource "azurerm_role_assignment" "assign_identity_log_analytics_reader" {
- for_each = local.loganalytics_role_assignment
- scope = each.value["id"]
- role_definition_name = "Log Analytics Reader"
- principal_id = azurerm_user_assigned_identity.managed_identity[each.value["managedidentity"]].principal_id
-}
diff --git a/terraform/infrastructure/s941/dev/managedidentity/variables.tf b/terraform/infrastructure/s941/dev/managedidentity/variables.tf
deleted file mode 100644
index 3faedf08e..000000000
--- a/terraform/infrastructure/s941/dev/managedidentity/variables.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-variable "AZ_SUBSCRIPTION_ID" {
- description = "Azure subscription id"
- type = string
-}
-
-variable "managed_identity" {
- type = map(object({
- name = string
- location = optional(string, "northeurope")
- rg_name = string
- }))
- default = {}
-}
-
-variable "storage_accounts" {
- type = map(object({
- name = string
- rg_name = string
- managed_identity = optional(bool, false)
- }))
- default = {}
-}
-
-variable "loganalytics" {
- type = map(object({
- name = string
- rg_name = string
- managed_identity = optional(bool, false)
- }))
- default = {}
-}
diff --git a/terraform/infrastructure/s941/dev/mysql/.env.template b/terraform/infrastructure/s941/dev/mysql/.env.template
deleted file mode 100644
index cd7aabece..000000000
--- a/terraform/infrastructure/s941/dev/mysql/.env.template
+++ /dev/null
@@ -1,20 +0,0 @@
-## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly
-
-resource_group_name="s941-tfstate"
-storage_account_name ="s941radixinfra"
-container_name="infrastructure"
-use_azuread_auth=true
-
-# tfstate name
-key="mysql/terraform.tfstate"
-
-# Configure the Microsoft Azure Provider
-
-# service principal client_id
-client_id="f1e6bc52-9aa4-4ca7-a9ac-b7a19d8f0f86" # ar-radix-platform-github-dev-cluster-maintenance
-
-# service principal client_secret
-client_secret="" # ar-radix-platform-github-dev-cluster-maintenance secret
-
-subscription_id="16ede44b-1f74-40a5-b428-46cca9a5741b" # S941-Omnia-Radix-Development
-tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
\ No newline at end of file
diff --git a/terraform/infrastructure/s941/dev/mysql/.terraform.lock.hcl b/terraform/infrastructure/s941/dev/mysql/.terraform.lock.hcl
deleted file mode 100644
index e65ca9070..000000000
--- a/terraform/infrastructure/s941/dev/mysql/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.43.0" - hashes = [ - "h1:L22zvfaO7m696KBqtCaID1xEPhAKq1UUwR4EP66GLGo=", - "zh:1a6d3553a8b9c85193d8334e8678aae305d14ec1d69b0d45799c322145d41475", - "zh:1cb9ecd6531060c8f52d4f70863754ef18d3c297dee2aa173ce6dbd6f3c62621", - "zh:21effe14cf1f5bace7aa172198ee2aa6ffc78324e4648af9b8df8b29995fa711", - "zh:29e53d13567d1497388c4264fea7548a45a3d1065129a475f0c8708eb0b9fa4d", - "zh:6c9036ed1371220709fab11ecd790953bb066bc8113707d3f4b9334d07fddf11", - "zh:7f26877a5216fb92e2a1594da7eb61058a984e7f8b305c45745ad181c0357b71", - "zh:a080ea3a591b353dd3432d5f1a7fe717dc733a02429b50ff38ef0fba92bd93e2", - "zh:b880602640876fbccf7d2d6dbbf6a076bf42126e07990975a29995c1a899563b", - "zh:c46125c6fcf67f69b8d33f29e5362ae78fc305787be77076c10f36561c2076d2", - "zh:f08642f55085ac03bfad32917abd42b75f2dffb7b9d8e7c310cc230f9a15e756", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f85af4d3af54ebad40ea6cf4dfd5cb1f7b0666cf4793711a1bff719f059177f7", - ] -} diff --git a/terraform/infrastructure/s941/dev/mysql/README.md b/terraform/infrastructure/s941/dev/mysql/README.md deleted file mode 100644 index f37bc2179..000000000 --- a/terraform/infrastructure/s941/dev/mysql/README.md +++ /dev/null 
@@ -1,39 +0,0 @@
-## How to use (locally)
-
-1. cluster name will be the same as folder name
-2. Copy `.env.template`, rename it to `.env`, and populate accordingly
-
-Run below commands to Initialize terraform in current directory
-```sh
-# Initialize terraform
-# This will connect terraform backend to Azure
-terraform init -backend-config=.env
-```
-
-Run below commands to deploy
-```sh
-# Will deploy main.tf
-terraform apply --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
-Run below commands to destroy
-```sh
-# Will destroy main.tf
-terraform destroy --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
-Variants of query:
- # }
- # dynamic "identity" {
- # for_each = var.identity != null ? [var.identity] : []
-
- # content {
- # type = identity.value["type"]
- # identity_ids = identity.value["identity_ids"]
- # }
- # }
- # dynamic "identity" {
- # for_each = each.value["identity"] != null ? [each.value["identity"]] : []
- # content {
- # type = identity.value["type"]
- # }
-
-
diff --git a/terraform/infrastructure/s941/dev/mysql/main.tf b/terraform/infrastructure/s941/dev/mysql/main.tf
deleted file mode 100644
index bb43e4758..000000000
--- a/terraform/infrastructure/s941/dev/mysql/main.tf
+++ /dev/null
@@ -1,84 +0,0 @@
-terraform {
- backend "azurerm" {}
-}
-
-provider "azurerm" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-
- features {}
-}
-
-locals {
- mysql_flexible_server_firewall_rules = merge([
- for server_key, server_value in var.mysql_flexible_server : {
- for rule_key, rule_value in var.firewall_rules :
- "${server_key}-${rule_key}" => {
- start_ip_address = rule_value.start_ip_address
- end_ip_address = rule_value.end_ip_address
- server_name = server_value.name
- resource_group_name = server_value.rg_name
- }
- }
- ]...)
-
- mysql_server_firewall_rules = merge([
- for server_key, server_value in var.mysql_server : {
- for rule_key, rule_value in var.firewall_rules :
- "${server_key}-${rule_key}" => {
- start_ip_address = rule_value.start_ip_address
- end_ip_address = rule_value.end_ip_address
- server_name = server_value.name
- resource_group_name = server_value.rg_name
- }
- }
- ]...)
-
- all_sql_servers = merge(
- (var.mysql_flexible_server),
- (var.mysql_server),
- )
-}
-
-#######################################################################################
-### Keyvault & Secrets
-###
-
-data "azurerm_key_vault" "keyvault" {
- for_each = var.key_vault
- name = each.value["name"]
- resource_group_name = each.value["rg_name"]
-}
-
-data "azurerm_key_vault_secret" "keyvault_secret" {
- depends_on = [data.azurerm_key_vault.keyvault]
- for_each = local.all_sql_servers
- name = each.value["secret"]
- key_vault_id = data.azurerm_key_vault.keyvault[each.value["vault"]].id
-}
-
-#######################################################################################
-### MYSQL Flexible Server
-###
-
-resource "azurerm_mysql_flexible_server" "mysql_flexible_server" {
- for_each = var.mysql_flexible_server
- name = each.value["name"]
- administrator_password = data.azurerm_key_vault_secret.keyvault_secret[each.value["name"]].value
- resource_group_name = each.value["rg_name"]
- location = each.value["location"]
- administrator_login = 
each.value["administrator_login"] - backup_retention_days = each.value["backup_retention_days"] - sku_name = each.value["sku_name"] - version = each.value["version"] - zone = each.value["zone"] -} - -resource "azurerm_mysql_flexible_server_firewall_rule" "main" { - for_each = local.mysql_flexible_server_firewall_rules - name = each.key - start_ip_address = each.value["start_ip_address"] - end_ip_address = each.value["end_ip_address"] - server_name = each.value["server_name"] - resource_group_name = each.value["resource_group_name"] - depends_on = [azurerm_mysql_flexible_server.mysql_flexible_server] -} diff --git a/terraform/infrastructure/s941/dev/mysql/variables.tf b/terraform/infrastructure/s941/dev/mysql/variables.tf deleted file mode 100644 index 3e08329df..000000000 --- a/terraform/infrastructure/s941/dev/mysql/variables.tf +++ /dev/null 
@@ -1,56 +0,0 @@
-variable "AZ_SUBSCRIPTION_ID" {
- description = "Azure subscription id"
- type = string
-}
-
-variable "mysql_flexible_server" {
- type = map(object({
- name = string
- rg_name = optional(string, "monitoring")
- location = optional(string, "northeurope")
- administrator_login = optional(string, "radixadmin")
- backup_retention_days = optional(number, 7)
- sku_name = optional(string, "B_Standard_B1ms")
- version = optional(string, "5.7")
- zone = optional(number, 2)
- secret = string
- vault = optional(string, "kv-radix-monitoring-dev") # Vault that keeps the secret
- }))
- default = {}
-}
-
-variable "mysql_server" {
- description = "Legacy Mysql servers"
- type = map(object({
- name = string
- rg_name = optional(string, "monitoring")
- location = optional(string, "northeurope")
- administrator_login = optional(string, "radixadmin")
- sku_name = optional(string, "B_Gen5_1")
- version = optional(string, "5.7")
- ssl_minimal_tls_version_enforced = optional(string, "TLSEnforcementDisabled")
- storage_mb = optional(number, 102400)
- tags = optional(map(string), {})
- secret = string
- vault = optional(string, "kv-radix-monitoring-dev") # Vault that keeps the secret
- }))
- default = {}
-}
-
-variable "firewall_rules" {
- description = "Range of IP addresses to allow firewall connections."
- type = map(object({
- start_ip_address = string
- end_ip_address = string
- }))
- default = null
-}
-
-variable "key_vault" {
- description = "Name of Keyvault."
- type = map(object({
- name = string
- rg_name = string
- }))
- default = {}
-}
diff --git a/terraform/infrastructure/s941/dev/mytest/.terraform.lock.hcl b/terraform/infrastructure/s941/dev/mytest/.terraform.lock.hcl
deleted file mode 100644
index e3ec90d16..000000000
--- a/terraform/infrastructure/s941/dev/mytest/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.82.0" - hashes = [ - "h1:NUSEjQHU/KLAFoUdoeNcyRnZNx784mMES1Su4qmfvxM=", - "zh:2042c5485476b0b9dbcebfc01d95e1cec50b37b2c443ffd9824a4fc6a7b293bd", - "zh:3fc6753c039bac1866b90f5faf5f72edc7470cb64c1e84f830e71931dfced865", - "zh:4760c4595a5e8a07c5eef08304877909f88252c1536432e443211ae668456459", - "zh:4886aadcafcd88d036c3e36019ca3b0b39a6b7cfbd34f88fe8a544ca337af14f", - "zh:631602a5e38cb3ee8f8a2a2257e669f41ff05766a774eb19933d54ae1832c100", - "zh:6c03c113c729614598cb197415a3dd7b7d0fcb0aec9055b0491f02274e244582", - "zh:95390bd4037f695329a38ff1a736e4f03c134097d19201f89c5e6c08a11becb9", - "zh:ac1a1dd5559c53f72f89320f0cd9aeb8fc84ad1351b6578f99efc07c16486a2a", - "zh:b96d4ca8a05a1903accd5c1b16109444d05868198a4698e31c17ef7ab95c4541", - "zh:ccc5895c0579e4f5b0dc2d358579d417c21281104591f1877525d87f31079f96", - "zh:e0c496ab8f07ea381bbed86eefde47480b9b156bb022b2215c94cb01779c7076", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/terraform/infrastructure/s941/dev/networkmanager/.env.template b/terraform/infrastructure/s941/dev/networkmanager/.env.template deleted file mode 100644 index 7fecb10d1..000000000 --- a/terraform/infrastructure/s941/dev/networkmanager/.env.template +++ /dev/null 
@@ -1,20 +0,0 @@
-## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly
-
-resource_group_name="s941-tfstate"
-storage_account_name ="s941radixinfra"
-container_name="infrastructure"
-use_azuread_auth=true
-
-# tfstate name
-key="networkmanager/terraform.tfstate" # dev.radixtfexample.terraform.tfstate
-
-# Configure the Microsoft Azure Provider
-
-# service principal client_id
-client_id="f1e6bc52-9aa4-4ca7-a9ac-b7a19d8f0f86" # ar-radix-platform-github-dev-cluster-maintenance
-
-# service principal client_secret
-client_secret="" # ar-radix-platform-github-dev-cluster-maintenance secret
-
-subscription_id="16ede44b-1f74-40a5-b428-46cca9a5741b" # S941-Omnia-Radix-Development
-tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
diff --git a/terraform/infrastructure/s941/dev/networkmanager/.terraform.lock.hcl b/terraform/infrastructure/s941/dev/networkmanager/.terraform.lock.hcl
deleted file mode 100644
index 79c2f7dc2..000000000
--- a/terraform/infrastructure/s941/dev/networkmanager/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.78.0" - hashes = [ - "h1:DWJ+qB1AY68Is827deEJH4pV7BL4PhDmaaWLlYkhqLM=", - "zh:09a965d5a35ddf418c0cc0eda507f79ba65ce679faa1ffc636c965c22cd2da88", - "zh:144523f78596df2843ccf9c4dfa53670c71c66ef1edb96853b4d06b8d2973e26", - "zh:1b2bbd1b2a7a8715f1bc828a174fc8f6810831cfebf3bffef141638b59aa4589", - "zh:223b5f2c07a71ee5d7f4e5cf9b814b276bb27be5f771f886cfd236db4ae67475", - "zh:26cd02f9496b8b9e9465eff24e9c29b0c99076fc3958ceaa84a1a0d6f02984eb", - "zh:6bec0065ba87ea80b151b6398b1ba2295eb967993f15322f25f1c74defc56c6d", - "zh:8aaa89e3403630c73a5280b57aa6e7c993686247b141ec9801365e1bb1677439", - "zh:8d8dd6a9a2baee8e9fea3b1e181d0a17d6a71e64d9692265770a72bfee012a15", - "zh:97ba1582da8ac1b65c9e01b43d1b5ba842c3b8a97d5dee9e033e018d13dbdeda", - "zh:b05930cfe84c06a764f611d3a93035ab779766aeefa22c41616e948b99659da8", - "zh:da5e5752dff248356afb0c861df680e3345fdc3a52dfc92a7f150f4a780128c7", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/terraform/infrastructure/s941/dev/networkmanager/README.md b/terraform/infrastructure/s941/dev/networkmanager/README.md deleted file mode 100644 index c8b8320c1..000000000 --- a/terraform/infrastructure/s941/dev/networkmanager/README.md +++ /dev/null 
@@ -1,26 +0,0 @@
-## How to use (locally)
-
-1. cluster name will be the same as folder name
-2. Copy `.env.template`, rename it to `.env`, and populate accordingly
-
-Run below commands to Initialize terraform in current directory
-
-```sh
-# Initialize terraform
-# This will connect terraform backend to Azure
-terraform init -backend-config=.env
-```
-
-Run below commands to deploy
-
-```sh
-# Will deploy main.tf
-terraform apply --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
-
-Run below commands to destroy
-
-```sh
-# Will destroy main.tf
-terraform destroy --var-file=../../../../radix-zone/radix_zone_dev.tfvars
-```
diff --git a/terraform/infrastructure/s941/dev/networkmanager/main.tf b/terraform/infrastructure/s941/dev/networkmanager/main.tf
deleted file mode 100644
index f011671ed..000000000
--- a/terraform/infrastructure/s941/dev/networkmanager/main.tf
+++ /dev/null
@@ -1,128 +0,0 @@ -terraform { - backend "azurerm" {} -} - -provider "azurerm" { - subscription_id = var.AZ_SUBSCRIPTION_ID - - features {} -} - -data "azurerm_resource_group" "rg_group" { - name = "clusters" -} - -data "azurerm_subscription" "current" { - subscription_id = var.AZ_SUBSCRIPTION_ID -} - -resource "azurerm_network_manager" "networkmanager" { - name = "${var.AZ_SUBSCRIPTION_SHORTNAME}-ANVM" - location = data.azurerm_resource_group.rg_group.location - resource_group_name = data.azurerm_resource_group.rg_group.name - scope_accesses = ["Connectivity"] - description = "${var.AZ_SUBSCRIPTION_SHORTNAME}-Azure Network Mananger - northeurope" - - scope { - subscription_ids = [data.azurerm_subscription.current.id] - } -} - -resource "azurerm_network_manager_network_group" "group" { - for_each = var.K8S_ENVIROMENTS - name = each.key - network_manager_id = azurerm_network_manager.networkmanager.id - description = "Network Group for ${each.key} virtual networks" -} - -data "azurerm_virtual_network" "vnet-hub" { - for_each = var.K8S_ENVIROMENTS - name = "vnet-hub" - resource_group_name = lookup(var.vnet_rg_names, "${each.key}", "") -} - -resource "azurerm_network_manager_connectivity_configuration" "config" { - for_each = var.K8S_ENVIROMENTS - name = "Hub-and-Spoke-${each.key}" - description = "Hub-and-Spoke config" - network_manager_id = azurerm_network_manager.networkmanager.id - connectivity_topology = "HubAndSpoke" - - applies_to_group { - group_connectivity = "None" - network_group_id = azurerm_network_manager_network_group.group[each.key].id - } - - hub { - resource_id = data.azurerm_virtual_network.vnet-hub[each.key].id - resource_type = "Microsoft.Network/virtualNetworks" - } -} - -resource "azurerm_policy_definition" "policy" { - depends_on = [azurerm_network_manager.networkmanager] - for_each = var.K8S_ENVIROMENTS - name = "Kubernetes-vnets-in-${each.key}" - policy_type = "Custom" - mode = "Microsoft.Network.Data" - display_name = "Kubernetes vnets in 
${each.key}" - - metadata = < { - name = sa_value.name - resource_group_name = sa_value.rg_name - location = sa_value.location - subnet_id = privlink_value.linkname - private_endpoint = sa_value.private_endpoint - } - } - ]...) - privatelink_dns_record = merge([ - for sa_key, sa_value in var.storage_accounts : { - for virtual_networks_key, virtual_networks_value in var.virtual_networks : - "${sa_key}-${virtual_networks_key}" => { - name = sa_value.name - resource_group_name = virtual_networks_value.rg_name - private_endpoint = sa_value.private_endpoint - } - } - ]...) -} - -data "azurerm_key_vault" "keyvault_env" { - name = var.KV_RADIX_VAULT - resource_group_name = var.AZ_RESOURCE_GROUP_COMMON -} - -data "azurerm_subnet" "virtual_subnets" { - for_each = { - for key, value in var.resource_groups : key => value if length(regexall("cluster-vnet-hub", key)) > 0 - } - name = "private-links" - virtual_network_name = "vnet-hub" - resource_group_name = each.value["name"] -} - -data "azurerm_private_dns_zone" "dns-zone" { - for_each = { - for key, value in var.resource_groups : key => value if length(regexall("cluster-vnet-hub", key)) > 0 - } - name = "privatelink.blob.core.windows.net" - resource_group_name = each.value["name"] -} - -####################################################################################### -### Storage Accounts -### - -data "azurerm_storage_account" "storageaccounts" { - for_each = { - for key in compact([for key, value in var.storage_accounts : value.create_with_rbac ? 
key : ""]) : key =>
- var.storage_accounts[key]
- }
- name = each.value["name"]
- resource_group_name = each.value["rg_name"]
-}
-
-resource "azurerm_storage_account" "storageaccounts" {
- for_each = {
- for key, value in var.storage_accounts : key => var.storage_accounts[key] if !value["create_with_rbac"]
- }
- name = each.value["name"]
- resource_group_name = each.value["rg_name"]
- location = each.value["location"]
- account_kind = each.value["kind"]
- account_replication_type = each.value["repl"]
- account_tier = each.value["tier"]
- allow_nested_items_to_be_public = each.value["allow_nested_items_to_be_public"]
- cross_tenant_replication_enabled = each.value["cross_tenant_replication_enabled"]
- shared_access_key_enabled = each.value["shared_access_key_enabled"]
- tags = each.value["tags"]
-
- dynamic "blob_properties" {
- for_each = each.value["kind"] == "BlobStorage" || each.value["kind"] == "Storage" ? [1] : [0]
-
- content {
- change_feed_enabled = each.value["change_feed_enabled"]
- versioning_enabled = each.value["versioning_enabled"]
- change_feed_retention_in_days = each.value["change_feed_days"]
-
- dynamic "container_delete_retention_policy" {
- for_each = each.value["container_delete_retention_policy"] == true ? [30] : []
-
- content {
- days = container_delete_retention_policy.value
- }
- }
-
- dynamic "delete_retention_policy" {
- for_each = each.value["delete_retention_policy"] == true ? [35] : []
-
- content {
- days = delete_retention_policy.value
- }
- }
-
- dynamic "restore_policy" {
- for_each = each.value["backup_center"] == true ? [30] : []
-
- content {
- days = restore_policy.value
- }
- }
- }
- }
-}
-
-#######################################################################################
-### Private endpoint
-###
-
-resource "azurerm_private_endpoint" "northeurope" {
- for_each = {
- for key in compact([
- for key, value in local.storageaccount_private_subnet :
- value.location == var.AZ_LOCATION && value.private_endpoint ? key : ""]) : key =>
- local.storageaccount_private_subnet[key]
- }
- name = each.key
- resource_group_name = each.value["resource_group_name"]
- location = each.value["location"]
- subnet_id = each.value["subnet_id"]
- depends_on = [azurerm_storage_account.storageaccounts]
-
- private_service_connection {
- name = "Private_Service_Connection"
- private_connection_resource_id = azurerm_storage_account.storageaccounts[each.value["name"]].id
- is_manual_connection = false
- subresource_names = ["blob"]
- }
-
-}
-
-## DNS
-resource "azurerm_private_dns_a_record" "dns_a_northeurope" {
- for_each = {
- for key in compact([for key, value in local.privatelink_dns_record : value.private_endpoint ? key : ""]) : key =>
- local.privatelink_dns_record[key]
- }
- name = each.value["name"]
- zone_name = "privatelink.blob.core.windows.net"
- resource_group_name = each.value["resource_group_name"]
- ttl = 10
- records = [azurerm_private_endpoint.northeurope[each.key].private_service_connection.0.private_ip_address]
- depends_on = [azurerm_private_endpoint.northeurope]
-}
-
-#######################################################################################
-### Role assignment
-###
-
-resource "azurerm_role_assignment" "northeurope" {
- for_each = {
- for key in compact([
- for key, value in var.storage_accounts :
- value.backup_center && value.location == var.AZ_LOCATION && value.kind == "StorageV2" ? key : ""]) : key =>
- var.storage_accounts[key]
- }
- scope = var.storage_accounts[each.key].create_with_rbac ? data.azurerm_storage_account.storageaccounts[each.key].id : azurerm_storage_account.storageaccounts[each.key].id
- role_definition_name = "Storage Account Backup Contributor"
- principal_id = azurerm_data_protection_backup_vault.northeurope.identity[0].principal_id
- depends_on = [azurerm_storage_account.storageaccounts]
-}
-
-#######################################################################################
-### Blob Protection
-###
-
-resource "azurerm_data_protection_backup_instance_blob_storage" "northeurope" {
- for_each = {
- for key in compact([
- for key, value in var.storage_accounts :
- value.backup_center && value.location == var.AZ_LOCATION && value.kind == "StorageV2" ? key : ""]) : key =>
- var.storage_accounts[key]
- }
- name = each.value.name
- vault_id = azurerm_data_protection_backup_vault.northeurope.id
- location = each.value.location
- storage_account_id = var.storage_accounts[each.key].create_with_rbac ? data.azurerm_storage_account.storageaccounts[each.key].id : azurerm_storage_account.storageaccounts[each.key].id
- backup_policy_id = azurerm_data_protection_backup_policy_blob_storage.northeurope.id
- depends_on = [azurerm_role_assignment.northeurope]
-}
-
-#######################################################################################
-### Management Policy
-###
-
-resource "azurerm_storage_management_policy" "sapolicy" {
- for_each = {
- for key in compact([for key, value in var.storage_accounts : value.life_cycle ? key : ""]) : key =>
- var.storage_accounts[key]
- }
- storage_account_id = var.storage_accounts[each.key].create_with_rbac ? data.azurerm_storage_account.storageaccounts[each.key].id : azurerm_storage_account.storageaccounts[each.key].id
- depends_on = [azurerm_storage_account.storageaccounts]
-
- rule {
- name = "lifecycle-${var.RADIX_ZONE}"
- enabled = true
-
- filters {
- blob_types = ["blockBlob"]
- }
-
- actions {
- dynamic "version" {
- for_each = each.value["life_cycle_version"] != 0 ? [60] : []
- content {
- delete_after_days_since_creation = each.value["life_cycle_version"]
- }
- }
-
- dynamic "base_blob" {
- for_each = each.value["life_cycle_blob"] != 0 ? [180] : []
- content {
- delete_after_days_since_modification_greater_than = each.value["life_cycle_blob"]
- tier_to_cool_after_days_since_modification_greater_than = each.value["life_cycle_blob_cool"]
- }
- }
- }
- }
-}
-
-#######################################################################################
-### Protection Vault
-###
-
-resource "azurerm_data_protection_backup_vault" "northeurope" {
- name = "${var.AZ_SUBSCRIPTION_SHORTNAME}-backupvault-${var.AZ_LOCATION}"
- resource_group_name = "backups"
- location = var.AZ_LOCATION
- datastore_type = "VaultStore"
- redundancy = "LocallyRedundant"
-
- identity {
- type = "SystemAssigned"
- }
-}
-
-#######################################################################################
-### Protection Backup Policy
-###
-
-resource "azurerm_data_protection_backup_policy_blob_storage" "northeurope" {
- name = "${var.AZ_SUBSCRIPTION_SHORTNAME}-backuppolicy-${var.AZ_LOCATION}"
- vault_id = azurerm_data_protection_backup_vault.northeurope.id
- retention_duration = "P30D"
-}
diff --git a/terraform/infrastructure/s941/dev/storageaccounts/sync.sh b/terraform/infrastructure/s941/dev/storageaccounts/sync.sh
deleted file mode 100755
index 6564b8d96..000000000
--- a/terraform/infrastructure/s941/dev/storageaccounts/sync.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-
-# ACTION={checkin | checkout} ./sync.sh
-
-if [[ -z "$ACTION" ]]; then
- echo "ERROR: Please provide ACTION" >&2
- exit 1
-fi
-
-hash azcopy 2>/dev/null || {
- echo "ERROR: azcopy not found in PATH. Exiting..." >&2
- exit 1
-}
-
-if [[ ${ACTION} == "checkin" ]]; then
- # Exit if source cluster does not exist
- echo ""
- echo "Downloading terraform.state file..."
- azcopy copy 'https://s941radixinfra.blob.core.windows.net/tfstate/storageaccounts/terraform.tfstate' terraform.tfstate
- echo ""
-elif [[ ${ACTION} == "checkout" ]]; then
- echo ""
- echo "Uploading terraform.state file..."
- azcopy copy terraform.tfstate 'https://s941radixinfra.blob.core.windows.net/infrastructure/storageaccounts/terraform.tfstate'
- echo ""
-fi
diff --git a/terraform/infrastructure/s941/dev/storageaccounts/variables.tf b/terraform/infrastructure/s941/dev/storageaccounts/variables.tf
deleted file mode 100644
index 7feff8ff9..000000000
--- a/terraform/infrastructure/s941/dev/storageaccounts/variables.tf
+++ /dev/null
@@ -1,82 +0,0 @@
-variable "AZ_SUBSCRIPTION_ID" {
- description = "Azure subscription id"
- type = string
-}
-
-variable "AZ_LOCATION" {
- description = "The location to create the resources in."
- type = string
-}
-
-variable "AZ_RESOURCE_GROUP_COMMON" {
- description = "Resource group name for common"
- type = string
-}
-
-variable "RADIX_ZONE" {
- description = "Radix zone"
- type = string
-}
-
-variable "AZ_SUBSCRIPTION_SHORTNAME" {
- description = "Subscription shortname"
- type = string
-}
-
-variable "storage_accounts" {
- type = map(object({
- name = string # Mandatory
- rg_name = string # Mandatory
- location = optional(string, "northeurope") # Optional
- kind = optional(string, "StorageV2") # Optional
- repl = optional(string, "LRS") # Optional
- tier = optional(string, "Standard") # Optional
- backup_center = optional(bool, false) # Optional
- life_cycle = optional(bool, true)
- firewall = optional(bool, true)
- container_delete_retention_policy = optional(bool, true)
- tags = optional(map(string), {})
- allow_nested_items_to_be_public = optional(bool, false) #GUI: Configuration Allow Blob public access
- shared_access_key_enabled = optional(bool, true)
- cross_tenant_replication_enabled = optional(bool, true)
- delete_retention_policy = optional(bool, true)
- versioning_enabled = optional(bool, true)
- change_feed_enabled = optional(bool, true)
- change_feed_days = optional(number, 35)
- life_cycle_version = optional(number, 60)
- life_cycle_blob = optional(number, 180)
- life_cycle_blob_cool = optional(number, 90)
- create_with_rbac = optional(bool, false)
- private_endpoint = optional(bool, false)
- }))
- default = {}
-}
-
-variable "resource_groups" {
- type = map(object({
- name = string # Mandatory
- location = optional(string, "northeurope") # Optional
- }))
- default = {}
-}
-
-variable "virtual_networks" {
- type = map(object({
- name = optional(string, "vnet-hub")
- rg_name = string
- }))
- default = {}
-}
-
-variable "private_link" {
- description = "Subnet connection."
- type = map(object({
- linkname = string
- }))
- default = null
-}
-
-variable "KV_RADIX_VAULT" {
- description = "Radix keyvault"
- type = string
-}
diff --git a/terraform/infrastructure/s941/dev/test/.env.template b/terraform/infrastructure/s941/dev/test/.env.template
deleted file mode 100644
index d4034d952..000000000
--- a/terraform/infrastructure/s941/dev/test/.env.template
+++ /dev/null
@@ -1,20 +0,0 @@
-## For local development: copy this file, rename it to `backend_config.env`, and populate accordingly
-
-resource_group_name="s941-tfstate"
-storage_account_name ="s941radixinfra"
-container_name="infrastructure"
-use_azuread_auth=true
-
-# tfstate name
-key="test/terraform.tfstate" # dev.radixtfexample.terraform.tfstate
-
-# Configure the Microsoft Azure Provider
-
-# service principal client_id
-client_id="f1e6bc52-9aa4-4ca7-a9ac-b7a19d8f0f86" # ar-radix-platform-github-dev-cluster-maintenance
-
-# service principal client_secret
-client_secret="" # ar-radix-platform-github-dev-cluster-maintenance secret
-
-subscription_id="16ede44b-1f74-40a5-b428-46cca9a5741b" # S941-Omnia-Radix-Development
-tenant_id="3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
diff --git a/terraform/infrastructure/s941/dev/test/README.md b/terraform/infrastructure/s941/dev/test/README.md
deleted file mode 100644
index 4bf3bf3cd..000000000
--- a/terraform/infrastructure/s941/dev/test/README.md
+++ /dev/null
@@ -1,35 +0,0 @@ -# TEST Folder to test random terraform stuff - -## How to use (locally) - -1. cluster name will be the same as folder name -2. Copy `.env.template`, rename it to `.env`, and populate accordingly - -Run below commands to Initialize terraform in current directory - -```sh -# Initialize terraform -# This will connect terraform backend to Azure -terraform init -backend-config=.env -``` - -Run below commands to plan - -```sh -# Will plan main.tf -terraform plan --var-file=../../../../radix-zone/radix_zone_dev.tfvars -``` - -Run below commands to deploy - -```sh -# Will deploy main.tf -terraform apply --var-file=../../../../radix-zone/radix_zone_dev.tfvars -``` - -Run below commands to destroy - -```sh -# Will destroy main.tf -terraform destroy --var-file=../../../../radix-zone/radix_zone_dev.tfvars -``` diff --git a/terraform/infrastructure/s941/dev/test/aks.tf b/terraform/infrastructure/s941/dev/test/aks.tf deleted file mode 100644 index 5e53ffeb2..000000000 --- a/terraform/infrastructure/s941/dev/test/aks.tf +++ /dev/null 
@@ -1,44 +0,0 @@
-data "azapi_resource_list" "clusters" {
- for_each = toset(var.aks_cluster_resource_groups)
-
- type = "Microsoft.ContainerService/managedClusters@2023-09-01"
- parent_id = "/subscriptions/${var.AZ_SUBSCRIPTION_ID}/resourcegroups/${var.resource_groups[each.value].name}"
- response_export_values = ["*"]
-}
-
-locals {
- k8s_resources = flatten([
- for key, resource in data.azapi_resource_list.clusters : [
- for cluster in jsondecode(resource.output).value :
- {
- id : cluster.id,
- name : cluster.name,
- rgName : key,
- location : cluster.location
- }
- ]
- ])
-}
-
-
-data "azurerm_kubernetes_cluster" "k8s" {
- for_each = { for cluster in local.k8s_resources : cluster.name => cluster }
-
- name = each.value.name
- resource_group_name = each.value.rgName
-}
-output "clusters" {
- value = [for c in data.azurerm_kubernetes_cluster.k8s : c.name]
-}
-
-#
-#locals {
-# clusterEnvironment = {
-# for cluster in data.azurerm_kubernetes_cluster.k8s : cluster.name =>
-# startswith( lower(cluster.name), "weekly-" ) ? "dev" :
-# startswith(lower( cluster.name), "playground-") ? "playground" :
-# startswith(lower( cluster.name), "eu-") ? "prod" :
-# startswith(lower( cluster.name), "c2-") ? "c2" : "unknown"
-# }
-#}
-#
diff --git a/terraform/infrastructure/s941/dev/test/main.tf b/terraform/infrastructure/s941/dev/test/main.tf
deleted file mode 100644
index c8cb015ca..000000000
--- a/terraform/infrastructure/s941/dev/test/main.tf
+++ /dev/null
@@ -1,35 +0,0 @@
-terraform {
- required_providers {
- azapi = {
- source = "Azure/azapi"
- }
- }
- backend "azurerm" {}
-}
-
-
-provider "azapi" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-}
-
-provider "azurerm" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-
- features {}
-}
-
-
-variable "AZ_SUBSCRIPTION_ID" {
- type = string
-}
-
-variable "aks_cluster_resource_groups" {
- type = list(string)
-}
-variable "resource_groups" {
- type = map(object({
- name = string # Mandatory
- location = optional(string, "northeurope") # Optional
- }))
- default = {}
-}
diff --git a/terraform/oidc/rbac/README.md b/terraform/oidc/rbac/README.md
deleted file mode 100644
index 1f0011004..000000000
--- a/terraform/oidc/rbac/README.md
+++ /dev/null
@@ -1,78 +0,0 @@ -## How to use (locally) - -Run below commands to Initialize terraform in current directory - -```sh -# Initialize terraform -terraform init -``` - -Run below commands to deploy - -```sh -terraform apply --var-file=../../radix-zone/radix_zone_dev.tfvars -``` - -Run below commands to destroy - -```sh -terraform destroy --var-file=../../radix-zone/radix_zone_dev.tfvars -``` - - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3.0 | -| [azuread](#requirement\_azuread) | ~> 2.15.0 | -| [azurerm](#requirement\_azurerm) | >= 3.39.0 | - -## Providers - -| Name | Version | -|------|---------| -| [azuread](#provider\_azuread) | 2.15.0 | -| [azurerm](#provider\_azurerm) | 3.43.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [azuread_application.APP_GITHUB_ACTION_CLUSTER](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource | -| [azuread_application_federated_identity_credential.APP_GITHUB_DEV_CLUSTER_FED](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource | -| [azuread_service_principal.SP_GITHUB_ACTION_CLUSTER](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource | -| [azurerm_role_assignment.RA_CONTRIBUTOR_ROLE](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.RA_STORAGE_BLOB_DATA_OWNER](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.RA_USER_ACCESS_ADMINISTRATOR](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| 
[azurerm_storage_account.SA_INFRASTRUCTURE](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource | -| [azurerm_storage_container.SA_INFRASTRUCTURE_CONTAINER_CLUSTERS](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | -| [azurerm_storage_container.SA_INFRASTRUCTURE_CONTAINER_INFRASTRUCTURE](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | -| [azuread_group.radix_group](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | -| [azurerm_client_config.CLIENT_CONFIG](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | -| [azurerm_subscription.AZ_SUBSCRIPTION](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [AAD\_RADIX\_GROUP](#input\_AAD\_RADIX\_GROUP) | Radix group name | `string` | n/a | yes | -| [APP\_GITHUB\_ACTION\_CLUSTER\_NAME](#input\_APP\_GITHUB\_ACTION\_CLUSTER\_NAME) | Application name | `string` | n/a | yes | -| [AZ\_SUBSCRIPTION\_ID](#input\_AZ\_SUBSCRIPTION\_ID) | Azure subscription id | `string` | n/a | yes | -| [GH\_ENVIRONMENT](#input\_GH\_ENVIRONMENT) | Github environment | `string` | n/a | yes | -| [GH\_ORGANIZATION](#input\_GH\_ORGANIZATION) | Github organization | `string` | n/a | yes | -| [GH\_REPOSITORY](#input\_GH\_REPOSITORY) | Github repository | `string` | n/a | yes | -| [storage\_accounts](#input\_storage\_accounts) | n/a |
map(object({
name = string # Mandatory
rg_name = string # Mandatory
location = optional(string, "northeurope") # Optional
kind = optional(string, "StorageV2") # Optional
repl = optional(string, "LRS") # Optional
tier = optional(string, "Standard") # Optional
backup_center = optional(bool, false) # Optional
life_cycle = optional(bool, true)
firewall = optional(bool, true)
container_delete_retention_policy = optional(bool, true)
tags = optional(map(string), {})
allow_nested_items_to_be_public = optional(bool, false) #GUI: Configuration Allow Blob public access
shared_access_key_enabled = optional(bool, true)
cross_tenant_replication_enabled = optional(bool, true)
delete_retention_policy = optional(bool, true)
versioning_enabled = optional(bool, true)
change_feed_enabled = optional(bool, true)
change_feed_days = optional(number, 35)
create_with_rbac = optional(bool, false)
}))
| `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [GITHUB\_DEV\_CLUSTER\_FED](#output\_GITHUB\_DEV\_CLUSTER\_FED) | n/a | - - diff --git a/terraform/oidc/rbac/main.tf b/terraform/oidc/rbac/main.tf deleted file mode 100644 index a05e19386..000000000 --- a/terraform/oidc/rbac/main.tf +++ /dev/null 
@@ -1,140 +0,0 @@
-terraform {}
-
-provider "azurerm" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-
- features {}
-}
-
-provider "azuread" {}
-
-data "azurerm_client_config" "CLIENT_CONFIG" {}
-
-data "azurerm_subscription" "AZ_SUBSCRIPTION" {
- subscription_id = var.AZ_SUBSCRIPTION_ID
-}
-
-data "azuread_group" "radix_group" {
- display_name = var.AAD_RADIX_GROUP
-}
-
-resource "azuread_application" "APP_GITHUB_ACTION_CLUSTER" {
- display_name = var.APP_GITHUB_ACTION_CLUSTER_NAME
- owners = data.azuread_group.radix_group.members
- sign_in_audience = "AzureADandPersonalMicrosoftAccount"
-
- api {
- known_client_applications = []
- mapped_claims_enabled = false
- requested_access_token_version = 2
- }
-}
-
-resource "azuread_service_principal" "SP_GITHUB_ACTION_CLUSTER" {
- application_id = azuread_application.APP_GITHUB_ACTION_CLUSTER.application_id
- app_role_assignment_required = false
- owners = azuread_application.APP_GITHUB_ACTION_CLUSTER.owners
-}
-
-resource "azurerm_role_assignment" "RA_CONTRIBUTOR_ROLE" {
- scope = data.azurerm_subscription.AZ_SUBSCRIPTION.id
- role_definition_name = "Contributor"
- principal_id = azuread_service_principal.SP_GITHUB_ACTION_CLUSTER.object_id
-}
-
-resource "azurerm_role_assignment" "RA_STORAGE_BLOB_DATA_OWNER" {
- for_each = {
- for key, value in var.storage_accounts : key => var.storage_accounts[key] if value["create_with_rbac"]
- }
- scope = azurerm_storage_account.SA_INFRASTRUCTURE[each.key].id
- role_definition_name = "Storage Blob Data Owner"
- principal_id = azuread_service_principal.SP_GITHUB_ACTION_CLUSTER.object_id
-}
-
-resource "azurerm_role_assignment" "RA_USER_ACCESS_ADMINISTRATOR" {
- for_each = {
- for key, value in var.storage_accounts : key => var.storage_accounts[key] if value["create_with_rbac"]
- }
- scope = azurerm_storage_account.SA_INFRASTRUCTURE[each.key].id
- role_definition_name = "User Access Administrator"
- principal_id = azuread_service_principal.SP_GITHUB_ACTION_CLUSTER.object_id
-}
-
-resource "azuread_application_federated_identity_credential" "APP_GITHUB_DEV_CLUSTER_FED" {
- application_object_id = azuread_application.APP_GITHUB_ACTION_CLUSTER.object_id
- display_name = "${var.GH_REPOSITORY}-${var.GH_ENVIRONMENT}"
- description = "Allow Github to authenticate"
- audiences = ["api://AzureADTokenExchange"]
- issuer = "https://token.actions.githubusercontent.com"
- subject = "repo:${var.GH_ORGANIZATION}/${var.GH_REPOSITORY}:environment:${var.GH_ENVIRONMENT}"
-
- timeouts {}
-}
-
-resource "azurerm_storage_account" "SA_INFRASTRUCTURE" {
- for_each = {
- for key, value in var.storage_accounts : key => var.storage_accounts[key] if value["create_with_rbac"]
- }
- name = each.value["name"]
- resource_group_name = each.value["rg_name"]
- location = each.value["location"]
- account_kind = each.value["kind"]
- account_replication_type = each.value["repl"]
- account_tier = each.value["tier"]
- allow_nested_items_to_be_public = each.value["allow_nested_items_to_be_public"]
- cross_tenant_replication_enabled = each.value["cross_tenant_replication_enabled"]
- shared_access_key_enabled = each.value["shared_access_key_enabled"]
- tags = each.value["tags"]
-
- dynamic "blob_properties" {
- for_each = each.value["kind"] == "BlobStorage" || each.value["kind"] == "Storage" ? [1] : [0]
-
- content {
- change_feed_enabled = each.value["change_feed_enabled"]
- versioning_enabled = each.value["versioning_enabled"]
- change_feed_retention_in_days = each.value["change_feed_days"]
-
- dynamic "container_delete_retention_policy" {
- for_each = each.value["container_delete_retention_policy"] == true ? [30] : []
-
- content {
- days = container_delete_retention_policy.value
- }
- }
-
- dynamic "delete_retention_policy" {
- for_each = each.value["delete_retention_policy"] == true ? [35] : []
-
- content {
- days = delete_retention_policy.value
- }
- }
-
- dynamic "restore_policy" {
- for_each = each.value["backup_center"] == true ? [30] : []
-
- content {
- days = restore_policy.value
- }
- }
- }
- }
-}
-
-resource "azurerm_storage_container" "SA_INFRASTRUCTURE_CONTAINER_CLUSTERS" {
- depends_on = [azurerm_storage_account.SA_INFRASTRUCTURE]
- for_each = {
- for key, value in var.storage_accounts : key => var.storage_accounts[key] if value["create_with_rbac"]
- }
- storage_account_name = each.value["name"]
- name = "clusters"
-}
-
-resource "azurerm_storage_container" "SA_INFRASTRUCTURE_CONTAINER_INFRASTRUCTURE" {
- depends_on = [azurerm_storage_account.SA_INFRASTRUCTURE]
- for_each = {
- for key, value in var.storage_accounts : key => var.storage_accounts[key] if value["create_with_rbac"]
- }
- storage_account_name = each.value["name"]
- name = "infrastructure"
-}
diff --git a/terraform/oidc/rbac/outputs.tf b/terraform/oidc/rbac/outputs.tf
deleted file mode 100644
index d7936bc4f..000000000
--- a/terraform/oidc/rbac/outputs.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-output "GITHUB_DEV_CLUSTER_FED" {
- value = {
- "environments" = {
- "environment" = var.GH_ENVIRONMENT,
- "secrets" = {
- "AZURE_CLIENT_ID" = data.azurerm_client_config.CLIENT_CONFIG.client_id,
- "AZURE_SUBSCRIPTION_ID" = data.azurerm_subscription.AZ_SUBSCRIPTION.id,
- "AZURE_TENANT_ID" = data.azurerm_client_config.CLIENT_CONFIG.tenant_id,
- }
- }
- }
-}
diff --git a/terraform/oidc/rbac/variables.tf b/terraform/oidc/rbac/variables.tf
deleted file mode 100644
index 173b69175..000000000
--- a/terraform/oidc/rbac/variables.tf
+++ /dev/null
@@ -1,53 +0,0 @@
-variable "AAD_RADIX_GROUP" {
- description = "Radix group name"
- type = string
-}
-
-variable "APP_GITHUB_ACTION_CLUSTER_NAME" {
- description = "Application name"
- type = string
-}
-
-variable "AZ_SUBSCRIPTION_ID" {
- description = "Azure subscription id"
- type = string
-}
-variable "GH_ORGANIZATION" {
- description = "Github organization"
- type = string
-}
-
-variable "GH_REPOSITORY" {
- description = "Github repository"
- type = string
-}
-
-variable "GH_ENVIRONMENT" {
- description = "Github environment"
- type = string
-}
-
-variable "storage_accounts" {
- type = map(object({
- name = string # Mandatory
- rg_name = string # Mandatory
- location = optional(string, "northeurope") # Optional
- kind = optional(string, "StorageV2") # Optional
- repl = optional(string, "LRS") # Optional
- tier = optional(string, "Standard") # Optional
- backup_center = optional(bool, false) # Optional
- life_cycle = optional(bool, true)
- firewall = optional(bool, true)
- container_delete_retention_policy = optional(bool, true)
- tags = optional(map(string), {})
- allow_nested_items_to_be_public = optional(bool, false) #GUI: Configuration Allow Blob public access
- shared_access_key_enabled = optional(bool, true)
- cross_tenant_replication_enabled = optional(bool, true)
- delete_retention_policy = optional(bool, true)
- versioning_enabled = optional(bool, true)
- change_feed_enabled = optional(bool, true)
- change_feed_days = optional(number, 35)
- create_with_rbac = optional(bool, false)
- }))
- default = {}
-}
diff --git a/terraform/oidc/rbac/versions.tf b/terraform/oidc/rbac/versions.tf
deleted file mode 100644
index 900b95b06..000000000
--- a/terraform/oidc/rbac/versions.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-terraform {
- required_version = ">= 1.3.0"
-
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = ">= 3.39.0"
- }
- azuread = {
- source = "hashicorp/azuread"
- version = "~> 2.15.0"
- }
- }
-}
diff --git a/terraform/radix-zone/radix_zone_dev.tfvars b/terraform/radix-zone/radix_zone_dev.tfvars deleted file mode 100644 index 156ae7458..000000000 --- a/terraform/radix-zone/radix_zone_dev.tfvars +++ /dev/null 
@@ -1,369 +0,0 @@
-#######################################################################################
-### Zone and cluster settings
-###
-
-AZ_LOCATION = "northeurope"
-RADIX_ZONE = "dev"
-K8S_ENVIROMENTS = {
- "dev" = { "name" = "dev", "resourceGroup" = "clusters" },
- "playground" = { "name" = "playground", "resourceGroup" = "clusters" }
-}
-
-#######################################################################################
-### Resource groups
-###
-
-AZ_RESOURCE_GROUP_COMMON = "common"
-
-#######################################################################################
-### Shared environment, az region and az subscription
-###
-
-AZ_SUBSCRIPTION_ID = "16ede44b-1f74-40a5-b428-46cca9a5741b"
-AZ_TENANT_ID = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
-AZ_SUBSCRIPTION_SHORTNAME = "s941"
-
-#######################################################################################
-### AAD
-###
-
-AAD_RADIX_GROUP = "radix"
-
-#######################################################################################
-### Managed Identities
-###
-
-managed_identity = {
- "id-radix-logicapp-operator-dev" = {
- name = "id-radix-logicapp-operator-dev"
- rg_name = "Logs-Dev"
- }
-}
-
-#######################################################################################
-### Log Analytics
-###
-
-loganalytics = {
- "s941-northeurope-diagnostics" = {
- name = "s941-northeurope-diagnostics"
- rg_name = "Logs-dev"
- managed_identity = true
- }
-}
-
-#######################################################################################
-### Logic Apps
-###
-
-logic_app_workflow = {
- "archive-s941-northeurope-diagnostics" = {
- name = "archive-s941-northeurope-diagnostics"
- rg_name = "Logs-Dev"
- managed_identity_name = "id-radix-logicapp-operator-dev"
- loganalytics = "s941-northeurope-diagnostics"
- storageaccount = "radixflowlogsplayground"
- folder = "playground"
- }
-}
-
-
-#######################################################################################
-### Resouce Groups
-###
-
-resource_groups = {
- "backups" = {
- name = "backups"
- }
- "clusters" = {
- name = "clusters"
- }
- "cluster-vnet-hub-dev" = {
- name = "cluster-vnet-hub-dev"
- }
- "cluster-vnet-hub-playground" = {
- name = "cluster-vnet-hub-playground"
- }
- "common" = {
- name = "common"
- }
- "cost-allocation" = {
- name = "cost-allocation"
- }
- "dashboards" = {
- name = "dashboards"
- }
- "monitoring" = {
- name = "monitoring"
- }
- "S941-log" = {
- name = "S941-log"
- location = "westeurope"
- }
- "s941-tfstate" = {
- name = "s941-tfstate"
- }
- "Logs-Dev" = {
- name = "Logs-Dev"
- }
- "vulnerability-scan" = {
- name = "vulnerability-scan"
- }
-}
-
-aks_cluster_resource_groups = ["clusters"]
-
-#######################################################################################
-### Storage Accounts
-###
-
-storage_accounts = {
- "radixflowlogsdev" = {
- name = "radixflowlogsdev"
- rg_name = "Logs-Dev"
- backup_center = true
- }
- "radixflowlogsplayground" = {
- name = "radixflowlogsplayground"
- rg_name = "Logs-Dev"
- backup_center = true
- managed_identity = true
- life_cycle = true
- life_cycle_version = 3
- life_cycle_blob = 90
- life_cycle_blob_cool = 7
- }
- "s941radixinfra" = {
- name = "s941radixinfra"
- rg_name = "s941-tfstate"
- backup_center = true
- life_cycle = false
- repl = "RAGRS"
- allow_nested_items_to_be_public = false
- create_with_rbac = true
- firewall = false
- }
- "s941radixvelerodev" = {
- name = "s941radixvelerodev"
- rg_name = "backups"
- backup_center = true
- repl = "GRS"
- allow_nested_items_to_be_public = false
- firewall = true
- private_endpoint = true
-
- }
- "s941sqllogsdev" = {
- name = "s941sqllogsdev"
- rg_name = "common"
- backup_center = true
- }
- "s941sqllogsplayground" = {
- name = "s941sqllogsplayground"
- rg_name = "common"
- backup_center = true
- }
-}
-
-#######################################################################################
-### SQL Server
-###
-
-sql_server = {
- "sql-radix-cost-allocation-dev" = {
- name = "sql-radix-cost-allocation-dev"
- rg_name = "cost-allocation"
- db_admin = "radix-cost-allocation-db-admin"
- minimum_tls_version = "Disabled"
- vault = "radix-vault-dev"
- env = "dev"
- tags = {
- "displayName" = "SqlServer"
- }
- }
- "sql-radix-cost-allocation-playground" = {
- name = "sql-radix-cost-allocation-playground"
- rg_name = "cost-allocation"
- db_admin = "radix-cost-allocation-db-admin-playground"
- vault = "radix-vault-dev"
- env = "playground"
- tags = {
- "displayName" = "SqlServer"
- }
- }
- "sql-radix-vulnerability-scan-dev" = {
- name = "sql-radix-vulnerability-scan-dev"
- rg_name = "vulnerability-scan"
- db_admin = "radix-vulnerability-scan-db-admin"
- identity = true
- vault = "radix-vault-dev"
- env = "dev"
- }
- "sql-radix-vulnerability-scan-playground" = {
- name = "sql-radix-vulnerability-scan-playground"
- rg_name = "vulnerability-scan"
- db_admin = "radix-vulnerability-scan-db-admin-playground"
- identity = false
- vault = "radix-vault-dev"
- env = "playground"
- }
-}
-
-#######################################################################################
-### SQL Database
-###
-
-sql_database = {
- "sql-radix-cost-allocation-dev" = {
- name = "sqldb-radix-cost-allocation"
- server = "sql-radix-cost-allocation-dev"
- tags = {
- "displayName" = "Database"
- }
- }
- "sql-radix-cost-allocation-playground" = {
- name = "sqldb-radix-cost-allocation"
- server = "sql-radix-cost-allocation-playground"
- tags = {
- "displayName" = "Database"
- }
- }
- "sql-radix-vulnerability-scan-dev" = {
- name = "radix-vulnerability-scan"
- server = "sql-radix-vulnerability-scan-dev"
- }
- "sql-radix-vulnerability-scan-playground" = {
- name = "radix-vulnerability-scan"
- server = "sql-radix-vulnerability-scan-playground"
- }
-}
-
-#######################################################################################
-### MYSQL Flexible Server
-###
-
-mysql_flexible_server = {
- "s941-radix-grafana-dev" = {
- name = "s941-radix-grafana-dev"
- secret = "s941-radix-grafana-dev-mysql-admin-pwd"
- }
- "s941-radix-grafana-playground" = {
- name = "s941-radix-grafana-playground"
- secret = "s941-radix-grafana-playground-mysql-admin-pwd"
- }
-}
-
-#######################################################################################
-### MYSQL Server
-###
-
-mysql_server = {
- "mysql-radix-grafana-dev" = {
- name = "mysql-radix-grafana-dev"
- fw_rule = true
- secret = "mysql-grafana-dev-admin-password"
- }
-}
-
-#######################################################################################
-### Key Vault
-###
-
-key_vault = {
- "kv-radix-monitoring-dev" = {
- name = "kv-radix-monitoring-dev"
- rg_name = "monitoring"
- }
- "radix-vault-dev" = {
- name = "radix-vault-dev"
- rg_name = "common"
- }
-}
-
-key_vault_by_k8s_environment = {
- "dev" = {
- name = "radix-vault-dev"
- rg_name = "common"
- }
- "playground" = {
- name = "radix-vault-dev"
- rg_name = "common"
- }
- "monitoring" = {
- name = "kv-radix-monitoring-dev"
- rg_name = "monitoring"
- }
-}
-
-firewall_rules = {
- "equinor-wifi" = {
- start_ip_address = "143.97.110.1"
- end_ip_address = "143.97.110.1"
- }
- "equinor_north_europe" = {
- start_ip_address = "40.85.141.13"
- end_ip_address = "40.85.141.13"
- }
- "ext-mon-dev" = {
- start_ip_address = "20.54.47.154"
- end_ip_address = "20.54.47.154"
- }
- "runnerIp" = {
- start_ip_address = "20.36.193.46"
- end_ip_address = "20.36.193.46"
- }
- "weekly-42-b" = {
- start_ip_address = "20.67.128.243"
- end_ip_address = "20.67.128.243"
- }
- "Enable-Azure-services" = {
- start_ip_address = "0.0.0.0"
- end_ip_address = "0.0.0.0"
- }
-}
-
-EQUINOR_WIFI_IP_CIDR = "143.97.110.1/32"
-
-KV_RADIX_VAULT = "radix-vault-dev"
-
-private_link = {
- "dev" = {
- linkname = "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/cluster-vnet-hub-dev/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/private-links"
- }
- "playground" = {
- linkname = "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/cluster-vnet-hub-playground/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/private-links"
- }
-}
-
-#######################################################################################
-### Virtual network
-###
-
-virtual_networks = {
- "dev" = {
- rg_name = "cluster-vnet-hub-dev"
- }
- "playground" = {
- rg_name = "cluster-vnet-hub-playground"
- }
-}
-
-#######################################################################################
-### Service principal
-###
-
-APP_GITHUB_ACTION_CLUSTER_NAME = "ar-radix-platform-github-dev-cluster-maintenance"
-
-#######################################################################################
-### Github
-###
-
-GH_ORGANIZATION = "equinor"
-GH_REPOSITORY = "radix-platform"
-GH_ENVIRONMENT = "operations"
-
-# Update this and run terraform in acr to rotate secrets.
-# Remember to restart Operator afterwards to get refreshed tokens
-ACR_TOKEN_EXPIRES_AT = "2024-11-01T12:00:00+00:00"
-ACR_SUFFIX = "dev"
diff --git a/terraform/radix-zone/radix_zone_dr.tfvars b/terraform/radix-zone/radix_zone_dr.tfvars
deleted file mode 100644
index 08d79e98d..000000000
--- a/terraform/radix-zone/radix_zone_dr.tfvars
+++ /dev/null
@@ -1,415 +0,0 @@
-#######################################################################################
-### AKS
-###
-
-AKS_KUBERNETES_VERSION = "1.26.6"
-AKS_NODE_POOL_VM_SIZE = "Standard_B4ms"
-AKS_SYSTEM_NODE_MAX_COUNT = "2"
-AKS_SYSTEM_NODE_MIN_COUNT = "1"
-AKS_SYSTEM_NODE_POOL_NAME = "systempool"
-AKS_USER_NODE_MAX_COUNT = "5"
-AKS_USER_NODE_MIN_COUNT = "2"
-AKS_USER_NODE_POOL_NAME = "userpool"
-TAGS_AA = { "autostartupschedule " = "true", "migrationStrategy" = "aa" }
-TAGS_AT = { "autostartupschedule " = "false", "migrationStrategy" = "at" }
-
-aks_cluster_resource_groups = ["clusters"]
-#######################################################################################
-### Zone and cluster settings
-###
-
-AZ_LOCATION = "northeurope"
-CLUSTER_TYPE = "development"
-RADIX_ZONE = "dev"
-RADIX_ENVIRONMENT = "dev"
-RADIX_WEB_CONSOLE_ENVIRONMENTS = ["qa", "prod"]
-K8S_ENVIROMENTS = {
- "dev" = { "name" = "dev", "resourceGroup" = "clusters" },
-}
-# K8S_ENVIROMENTS = ["dev", "playground"]
-
-#######################################################################################
-### Resource groups
-###
-
-AZ_RESOURCE_GROUP_CLUSTERS = "clusters"
-AZ_RESOURCE_GROUP_COMMON = "common"
-
-#######################################################################################
-### Shared environment, az region and az subscription
-###
-
-AZ_SUBSCRIPTION_ID = "939950ec-da7e-4349-8b8d-77d9c278af04"
-AZ_TENANT_ID = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
-AZ_SUBSCRIPTION_SHORTNAME = "s612"
-
-#######################################################################################
-### AAD
-###
-
-AAD_RADIX_GROUP = "radix"
-
-#######################################################################################
-### System users
-###
-
-MI_AKSKUBELET = [{
- client_id = "117df4c6-ff5b-4921-9c40-5bea2e1c52d8"
- id = "/subscriptions/939950ec-da7e-4349-8b8d-77d9c278af04/resourceGroups/common/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-radix-akskubelet-development-northeurope"
- object_id = "89541870-e10a-403c-8d4c-d80e92dd5eb7"
-}]
-
-MI_AKS = [{
- client_id = "1ff97b0f-f824-47d9-a98f-a045b6a759bc"
- id = "/subscriptions/939950ec-da7e-4349-8b8d-77d9c278af04/resourceGroups/common/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-radix-aks-development-northeurope",
- object_id = "7112e202-51f7-4fd2-b6a1-b944f14f0be3"
-}]
-
-AZ_PRIVATE_DNS_ZONES = [
- "privatelink.database.windows.net",
- "privatelink.blob.core.windows.net",
- "privatelink.table.core.windows.net",
- "privatelink.queue.core.windows.net",
- "privatelink.file.core.windows.net",
- "privatelink.web.core.windows.net",
- "privatelink.dfs.core.windows.net",
- "privatelink.documents.azure.com",
- "privatelink.mongo.cosmos.azure.com",
- "privatelink.cassandra.cosmos.azure.com",
- "privatelink.gremlin.cosmos.azure.com",
- "privatelink.table.cosmos.azure.com",
- "privatelink.postgres.database.azure.com",
- "privatelink.mysql.database.azure.com",
- "privatelink.mariadb.database.azure.com",
- "privatelink.vaultcore.azure.net",
- "private.radix.equinor.com"
-]
-
-#To do
-#Alphabetical order
-#######################################################################################
-### Managed Identities
-###
-
-managed_identity = {
- "id-radix-logicapp-operator-dev" = {
- name = "id-radix-logicapp-operator-dev"
- rg_name = "Logs-Dev"
- }
-}
-
-#######################################################################################
-### Log Analytics
-###
-
-loganalytics = {
- "s612-northeurope-diagnostics" = {
- name = "s612-northeurope-diagnostics"
- rg_name = "Logs-dev"
- managed_identity = true
- }
-}
-
-#######################################################################################
-### Logic Apps
-###
-
-logic_app_workflow = {
- "archive-s612-northeurope-diagnostics" = {
- name = "archive-s612-northeurope-diagnostics"
- rg_name = "Logs-Dev"
- managed_identity_name = "id-radix-logicapp-operator-dev"
- loganalytics = "s612-northeurope-diagnostics"
- storageaccount = "radixflowlogsplayground"
- folder = "playground"
- }
-}
-
-
-#######################################################################################
-### Resouce Groups
-###
-
-resource_groups = {
- "backups" = {
- name = "backups"
- }
- "clusters" = {
- name = "clusters"
- }
- "cluster-vnet-hub-dev" = {
- name = "cluster-vnet-hub-dev"
- }
- # "cluster-vnet-hub-playground" = {
- # name = "cluster-vnet-hub-playground"
- # }
- "common" = {
- name = "common"
- }
- "cost-allocation" = {
- name = "cost-allocation"
- }
- "dashboards" = {
- name = "dashboards"
- }
- "monitoring" = {
- name = "monitoring"
- }
- "s612-log" = {
- name = "s612-log"
- location = "westeurope"
- }
- "s612-tfstate" = {
- name = "s612-tfstate"
- }
- "Logs-Dev" = {
- name = "Logs-Dev"
- }
- "vulnerability-scan" = {
- name = "vulnerability-scan"
- }
-}
-
-#######################################################################################
-### Storage Accounts
-###
-
-storage_accounts = {
- "radixflowlogsdevdr" = {
- name = "radixflowlogsdevdr"
- rg_name = "Logs-Dev"
- backup_center = true
- }
- # "radixflowlogsplayground" = {
- # name = "radixflowlogsplayground"
- # rg_name = "Logs-Dev"
- # backup_center = true
- # managed_identity = true
- # }
- "s612radixinfra" = {
- name = "s612radixinfra"
- rg_name = "s612-tfstate"
- backup_center = true
- repl = "RAGRS"
- allow_nested_items_to_be_public = false
- create_with_rbac = true
- firewall = false
- }
- "s612radixvelerodev" = {
- name = "s612radixvelerodev"
- rg_name = "backups"
- backup_center = true
- repl = "GRS"
- allow_nested_items_to_be_public = false
- firewall = true
- private_endpoint = true
-
- }
- "s612sqllogsdev" = {
- name = "s612sqllogsdev"
- rg_name = "common"
- backup_center = true
- }
- # "s612sqllogsplayground" = {
- # name = "s612sqllogsplayground"
- # rg_name = "common"
- # backup_center = true
- # }
-}
-
-#######################################################################################
-### SQL Server
-###
-
-sql_server = {
- "sql-radix-cost-allocation-dev-dr" = {
- name = "sql-radix-cost-allocation-dev-dr"
- rg_name = "cost-allocation"
- db_admin = "radix-cost-allocation-db-admin"
- minimum_tls_version = "Disabled"
- vault = "radix-vault-dev-dr2"
- env = "dev"
- tags = {
- "displayName" = "SqlServer"
- }
- }
- # "sql-radix-cost-allocation-playground" = {
- # name = "sql-radix-cost-allocation-playground"
- # rg_name = "cost-allocation"
- # db_admin = "radix-cost-allocation-db-admin-playground"
- # minimum_tls_version = "Disabled"
- # vault = "radix-vault-dev-dr2"
- # tags = {
- # "displayName" = "SqlServer"
- # }
- # }
- "sql-radix-vulnerability-scan-dev-dr" = {
- name = "sql-radix-vulnerability-scan-dev-dr"
- rg_name = "vulnerability-scan"
- db_admin = "radix-vulnerability-scan-db-admin"
- identity = false
- vault = "radix-vault-dev-dr2"
- env = "dev"
- }
- # "sql-radix-vulnerability-scan-playground" = {
- # name = "sql-radix-vulnerability-scan-playground"
- # rg_name = "vulnerability-scan"
- # db_admin = "radix-vulnerability-scan-db-admin-playground"
- # identity = false
- # vault = "radix-vault-dev-dr2"
- # }
-}
-
-#######################################################################################
-### SQL Database
-###
-
-sql_database = {
- "sql-radix-cost-allocation-dev-dr" = {
- name = "sqldb-radix-cost-allocation"
- server = "sql-radix-cost-allocation-dev-dr"
- tags = {
- "displayName" = "Database"
- }
- }
- # "sql-radix-cost-allocation-playground" = {
- # name = "sqldb-radix-cost-allocation"
- # server = "sql-radix-cost-allocation-playground"
- # tags = {
- # "displayName" = "Database"
- # }
- # }
- "sql-radix-vulnerability-scan-dev-dr" = {
- name = "radix-vulnerability-scan"
- server = "sql-radix-vulnerability-scan-dev-dr"
- }
- # "sql-radix-vulnerability-scan-playground" = {
- # name = "radix-vulnerability-scan"
- # server = "sql-radix-vulnerability-scan-playground"
- # }
-}
-
-#######################################################################################
-### MYSQL Flexible Server
-###
-
-mysql_flexible_server = {
- "s612-radix-grafana-dev" = {
- name = "s612-radix-grafana-dev"
- secret = "s612-radix-grafana-dev-mysql-admin-pwd"
- }
- # "s612-radix-grafana-playground" = {
- # name = "s612-radix-grafana-playground"
- # secret = "s612-radix-grafana-playground-mysql-admin-pwd"
- # }
-}
-
-#######################################################################################
-### MYSQL Server
-###
-
-mysql_server = {
- "mysql-radix-grafana-dev" = {
- name = "mysql-radix-grafana-dev"
- fw_rule = true
- secret = "mysql-grafana-dev-admin-password"
- }
-}
-
-#######################################################################################
-### Key Vault
-###
-
-key_vault = {
- "radix-monitoring-dev-dr" = {
- name = "radix-monitoring-dev-dr"
- rg_name = "monitoring"
- }
- "radix-vault-dev-dr2" = {
- name = "radix-vault-dev-dr2"
- rg_name = "common"
- }
-}
-
-key_vault_by_k8s_environment = {
- "dev" = {
- name = "radix-vault-dev-dr2"
- rg_name = "common"
- }
- "monitoring" = {
- name = "radix-monitoring-dev-dr"
- rg_name = "monitoring"
- }
-}
-
-firewall_rules = {
- "equinor-wifi" = {
- start_ip_address = "143.97.110.1"
- end_ip_address = "143.97.110.1"
- }
- "equinor_north_europe" = {
- start_ip_address = "40.85.141.13"
- end_ip_address = "40.85.141.13"
- }
- "ext-mon-dev" = {
- start_ip_address = "20.54.47.154"
- end_ip_address = "20.54.47.154"
- }
- "runnerIp" = {
- start_ip_address = "20.36.193.46"
- end_ip_address = "20.36.193.46"
- }
- "weekly-42-b" = {
- start_ip_address = "20.67.128.243"
- end_ip_address = "20.67.128.243"
- }
- "Enable-Azure-services" = {
- start_ip_address = "0.0.0.0"
- end_ip_address = "0.0.0.0"
- }
-}
-
-EQUINOR_WIFI_IP_CIDR = "143.97.110.1/32"
-
-KV_RADIX_VAULT = "radix-vault-dev-dr2"
-
-private_link = {
- "dev" = {
- linkname = "/subscriptions/939950ec-da7e-4349-8b8d-77d9c278af04/resourceGroups/cluster-vnet-hub-dev/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/private-links"
- }
- # "playground" = {
- # linkname = "/subscriptions/939950ec-da7e-4349-8b8d-77d9c278af04/resourceGroups/cluster-vnet-hub-playground/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/private-links"
- # }
-}
-
-#######################################################################################
-### Virtual network
-###
-
-virtual_networks = {
- "dev" = {
- rg_name = "cluster-vnet-hub-dev"
- }
- # "playground" = {
- # rg_name = "cluster-vnet-hub-playground"
- # }
-}
-
-#######################################################################################
-### Service principal
-###
-
-APP_GITHUB_ACTION_CLUSTER_NAME = "ar-radix-platform-github-dev-cluster-maintenance-dr"
-
-#######################################################################################
-### Github
-###
-
-GH_ORGANIZATION = "equinor"
-GH_REPOSITORY = "radix-platform"
-GH_ENVIRONMENT = "operations-dr"
-
-# Update this and run terraform in acr to rotate secrets.
-# Remember to restart Operator afterwards to get refreshed tokens
-ACR_TOKEN_EXPIRES_AT = "2024-11-01T12:00:00+00:00"
-ACR_SUFFIX = "DR"
\ No newline at end of file
diff --git a/terraform/radix-zone/radix_zone_prod.tfvars b/terraform/radix-zone/radix_zone_prod.tfvars
deleted file mode 100644
index cbb829043..000000000
--- a/terraform/radix-zone/radix_zone_prod.tfvars
+++ /dev/null
@@ -1,433 +0,0 @@
-#######################################################################################
-### Zone and cluster settings
-###
-
-AZ_LOCATION = "northeurope"
-RADIX_ZONE = "prod"
-
-K8S_ENVIROMENTS = {
- "prod" = { "name" = "prod", "resourceGroup" = "clusters" },
- "c2" = { "name" = "c2", "resourceGroup" = "clusters-westeurope" }
-}
-#######################################################################################
-### Resource groups
-###
-
-AZ_RESOURCE_GROUP_COMMON = "common"
-
-#######################################################################################
-### Shared environment, az region and az subscription
-###
-
-AZ_SUBSCRIPTION_ID = "ded7ca41-37c8-4085-862f-b11d21ab341a"
-AZ_TENANT_ID = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
-AZ_SUBSCRIPTION_SHORTNAME = "s940"
-
-#######################################################################################
-### AAD
-###
-
-AAD_RADIX_GROUP = "radix"
-
-#######################################################################################
-### Managed Identities
-###
-
-managed_identity = {
- "id-radix-logicapp-operator-prod" = {
- name = "id-radix-logicapp-operator-prod"
- rg_name = "Logs"
- }
- "id-radix-logicapp-operator-c2" = {
- name = "id-radix-logicapp-operator-c2"
- location = "westeurope"
- rg_name = "logs-westeurope"
- }
-}
-
-#######################################################################################
-### Log Analytics
-###
-
-loganalytics = {
- "s940-northeurope-diagnostics" = {
- name = "s940-northeurope-diagnostics"
- rg_name = "Logs"
- managed_identity = true
- }
- "s940-westeurope-diagnostics" = {
- name = "s940-westeurope-diagnostics"
- rg_name = "logs-westeurope"
- managed_identity = true
- }
-}
-
-
-#######################################################################################
-### Logic Apps
-###
-
-logic_app_workflow = {
- "archive-s940-northeurope-diagnostics" = {
- name = "archive-s940-northeurope-diagnostics"
- rg_name = "Logs"
- managed_identity_name = "id-radix-logicapp-operator-prod"
- loganalytics = "s940-northeurope-diagnostics"
- storageaccount = "radixflowlogsprod"
- folder = "prod"
- }
- "archive-s940-westeurope-diagnostics" = {
- name = "archive-s940-westeurope-diagnostics"
- location = "westeurope"
- rg_name = "logs-westeurope"
- managed_identity_name = "id-radix-logicapp-operator-c2"
- loganalytics = "s940-westeurope-diagnostics"
- storageaccount = "radixflowlogsc2prod"
- folder = "c2"
- }
-}
-
-
-#######################################################################################
-### Resouce Groups
-###
-
-resource_groups = {
- "backups" = {
- name = "backups"
- }
- "clusters" = {
- name = "clusters"
- }
- "cluster-vnet-hub-c2" = {
- name = "cluster-vnet-hub-c2"
- location = "westeurope"
- }
- "cluster-vnet-hub-prod" = {
- name = "cluster-vnet-hub-prod"
- }
- "common" = {
- name = "common"
- }
- "cost-allocation" = {
- name = "cost-allocation"
- }
- "dashboards" = {
- name = "dashboards"
- location = "westeurope"
- }
- "monitoring" = {
- name = "monitoring"
- }
- "s940-tfstate" = {
- name = "s940-tfstate"
- }
- "vulnerability-scan" = {
- name = "vulnerability-scan"
- }
- "clusters-westeurope" = {
- name = "clusters-westeurope"
- location = "westeurope"
- }
- "common-westeurope" = {
- name = "common-westeurope"
- location = "westeurope"
- }
- "cost-allocation-westeurope" = {
- name = "cost-allocation-westeurope"
- location = "westeurope"
- }
- "Logs" = {
- name = "Logs"
- location = "westeurope"
- }
- "logs-westeurope" = {
- name = "logs-westeurope"
- location = "westeurope"
- }
- "monitoring-westeurope" = {
- name = "monitoring-westeurope"
- location = "westeurope"
- }
- "rg-protection-we" = {
- name = "rg-protection-we"
- location = "westeurope"
- }
- "S940-log" = {
- name = "S940-log"
- location = "westeurope"
- }
- "vulnerability-scan-westeurope" = {
- name = "vulnerability-scan-westeurope"
- location = "westeurope"
- }
-}
-
-aks_cluster_resource_groups = ["clusters-westeurope", "clusters"]
-
-#######################################################################################
-### Storage Accounts
-###
-
-storage_accounts = {
- "radixflowlogsc2prod" = {
- name = "radixflowlogsc2prod"
- rg_name = "logs-westeurope"
- location = "westeurope"
- backup_center = true
- life_cycle = false
- managed_identity = true
- life_cycle = true
- life_cycle_version = 3
- life_cycle_blob = 90
- life_cycle_blob_cool = 7
- }
- "radixflowlogsprod" = {
- name = "radixflowlogsprod"
- rg_name = "Logs"
- backup_center = true
- life_cycle = false
- managed_identity = true
- life_cycle = true
- life_cycle_version = 3
- life_cycle_blob = 90
- life_cycle_blob_cool = 7
- }
- "s940radixinfra" = {
- name = "s940radixinfra"
- rg_name = "s940-tfstate"
- repl = "RAGRS"
- life_cycle = true
- backup_center = true
- firewall = false
- create_with_rbac = true
- life_cycle_blob = 0
- }
- "s940radixveleroc2" = {
- name = "s940radixveleroc2"
- rg_name = "backups"
- location = "westeurope"
- repl = "GRS"
- backup_center = true
- private_endpoint = true
- }
- "s940radixveleroprod" = {
- name = "s940radixveleroprod"
- rg_name = "backups"
- repl = "GRS"
- backup_center = true
- private_endpoint = true
- }
- "s940sqllogsc2prod" = {
- name = "s940sqllogsc2prod"
- rg_name = "common-westeurope"
- location = "westeurope"
- backup_center = true
- life_cycle = false
- }
- "s940sqllogsprod" = {
- name = "s940sqllogsprod"
- rg_name = "common"
- backup_center = true
- life_cycle = false
- }
-}
-
-#######################################################################################
-### SQL Server
-###
-
-sql_server = {
- "sql-radix-cost-allocation-c2-prod" = {
- name = "sql-radix-cost-allocation-c2-prod"
- rg_name = "cost-allocation-westeurope"
- location = "westeurope"
- db_admin = "radix-cost-allocation-db-admin"
- vault = "radix-vault-c2-prod"
- env = "c2"
- tags = {
- "displayName" = "SqlServer"
- }
- identity = false
- }
- "sql-radix-cost-allocation-prod" = {
- name = "sql-radix-cost-allocation-prod"
- rg_name = "cost-allocation"
- db_admin = "radix-cost-allocation-db-admin"
- vault = "radix-vault-prod"
- env = "prod"
- sku_name = "S3"
- tags = {
- "displayName" = "SqlServer"
- }
- }
- "sql-radix-vulnerability-scan-c2-prod" = {
- name = "sql-radix-vulnerability-scan-c2-prod"
- rg_name = "vulnerability-scan-westeurope"
- location = "westeurope"
- db_admin = "radix-vulnerability-scan-db-admin"
- identity = false
- vault = "radix-vault-c2-prod"
- env = "c2"
- }
- "sql-radix-vulnerability-scan-prod" = {
- name = "sql-radix-vulnerability-scan-prod"
- rg_name = "vulnerability-scan"
- db_admin = "radix-vulnerability-scan-db-admin"
- vault = "radix-vault-prod"
- env = "prod"
- sku_name = "S3"
- }
-}
-
-#######################################################################################
-### SQL Database
-###
-
-sql_database = {
- "sql-radix-cost-allocation-c2-prod" = {
- name = "sqldb-radix-cost-allocation"
- server = "sql-radix-cost-allocation-c2-prod"
- tags = {
- "displayName" = "Database"
- }
- }
- "sql-radix-cost-allocation-prod" = {
- name = "sqldb-radix-cost-allocation"
- server = "sql-radix-cost-allocation-prod"
- sku_name = "S3"
- tags = {
- "displayName" = "Database"
- }
- }
- "sql-radix-vulnerability-scan-c2" = {
- name = "radix-vulnerability-scan"
- server = "sql-radix-vulnerability-scan-c2"
- }
- "sql-radix-vulnerability-scan-prod" = {
- name = "radix-vulnerability-scan"
- server = "sql-radix-vulnerability-scan-prod"
- sku_name = "S3"
- }
-}
-
-#######################################################################################
-### MYSQL Flexible Server
-###
-
-mysql_flexible_server = {
- "s940-radix-grafana-c2-prod" = {
- name = "s940-radix-grafana-c2-prod"
- location = "westeurope"
- secret = "s940-radix-grafana-c2-prod-mysql-admin-pwd"
- }
- "s940-radix-grafana-extmon-prod" = {
- name = "s940-radix-grafana-extmon-prod"
- secret = "s940-radix-grafana-extmon-prod-mysql-admin-pwd"
- }
- "s940-radix-grafana-platform-prod" = {
- name = "s940-radix-grafana-platform-prod"
- secret = "s940-radix-grafana-platform-prod-mysql-admin-pwd"
- }
-}
-
-#######################################################################################
-### Key Vault
-###
-
-key_vault = {
- "kv-radix-monitoring-prod" = {
- name = "kv-radix-monitoring-prod"
- rg_name = "monitoring"
- }
- "radix-vault-c2-prod" = {
- name = "radix-vault-c2-prod"
- rg_name = "common-westeurope"
- }
- "radix-vault-prod" = {
- name = "radix-vault-prod"
- rg_name = "common"
- }
-}
-
-key_vault_by_k8s_environment = {
- "prod" = {
- name = "radix-vault-prod"
- rg_name = "common"
- }
- "c2" = {
- name = "radix-vault-c2-prod"
- rg_name = "common-westeurope"
- }
- "monitoring" = {
- name = "kv-radix-monitoring-prod"
- rg_name = "monitoring"
- }
-}
-
-firewall_rules = {
- "equinor-wifi" = {
- start_ip_address = "143.97.110.1"
- end_ip_address = "143.97.110.1"
- }
- "bouvet-trondheim" = {
- start_ip_address = "85.19.71.228"
- end_ip_address = "85.19.71.228"
- }
- "equinor_vpn" = {
- start_ip_address = "143.97.2.35"
- end_ip_address = "143.97.2.35"
- }
- "equinor_wifi" = {
- start_ip_address = "143.97.2.129"
- end_ip_address = "143.97.2.129"
- }
- "Enable-Azure-services" = {
- start_ip_address = "0.0.0.0"
- end_ip_address = "0.0.0.0"
- }
-}
-
-EQUINOR_WIFI_IP_CIDR = "143.97.110.1/32"
-
-KV_RADIX_VAULT = "radix-vault-prod"
-
-private_link = {
- "c2" = {
- linkname = "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/cluster-vnet-hub-c2/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/private-links"
- }
- "prod" = {
- linkname = "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/cluster-vnet-hub-prod/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/private-links"
- }
-}
-
-#######################################################################################
-### Virtual network
-###
-
-virtual_networks = {
- "c2" = {
- rg_name = "cluster-vnet-hub-c2"
- }
- "prod" = {
- rg_name = "cluster-vnet-hub-prod"
- }
-}
-
-#######################################################################################
-### Service principal
-###
-
-APP_GITHUB_ACTION_CLUSTER_NAME = "OP-Terraform-Github Action"
-
-#######################################################################################
-### Github
-###
-
-GH_ORGANIZATION = "equinor"
-GH_REPOSITORY = "radix-platform"
-GH_ENVIRONMENT = "operations"
-
-# Update this and run terraform in acr to rotate secrets.
-# Remember to restart Operator afterwards to get refreshed tokens
-ACR_TOKEN_EXPIRES_AT = "2024-11-01T12:00:00+00:00"
diff --git a/terraform/rbac/s940/.terraform.lock.hcl b/terraform/rbac/s940/.terraform.lock.hcl
deleted file mode 100644
index 3c5632cdd..000000000
--- a/terraform/rbac/s940/.terraform.lock.hcl
+++ /dev/null
@@ -1,40 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azuread" { - version = "2.33.0" - hashes = [ - "h1:Z28tjly5UfKOE+HL/oALxCPhmCuBwUgZ4uaYt68VR3M=", - "zh:0602d03d7d7e38819f78dc377e64f365427496edf1065bfbb113e3921ab1c34e", - "zh:08843838f4fe146084592472648d4ea7191931eabe042a96c3b3c6eaf8ddfb43", - "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:26a0d8a186e3b47ea0b7217a8e420b03fda59b7a680bb3ea52cf7d3e6d965ef3", - "zh:352a1cacaacd39e796de15a52d192ab0e6eb98dd36b5fbf8ebddd37e6dafa4ac", - "zh:3702ad4c534e67e2e07b060bfe5e6edc244c59c911906c8b15b96e7fecb0ff2c", - "zh:93b5248d26bdd44845b2ab051a2168c7edad788ae9836f62ea5fb632fd59d7ea", - "zh:a7b880155f4a67b52a5bfe78de33dc55254ef80006234f00e36aaf6533b1de4a", - "zh:a7cf0829364127c9bca26ec01ea3d66988b43987b2d26a3290487d1fc0da50eb", - "zh:b1f82b0d30af733b36a2f849799e0b1ed6a72888fa32a438c829c4e5cff88e20", - "zh:b6c2b23770852de8f56b549579c2f5a82afd84a9ca0616d53a25d48488f7aaf0", - "zh:d87dfbdfe8ab9d3a2e33f210333d40f211ea7d33bfa671063e6807c6ddd85a52", - ] -} - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.40.0" - hashes = [ - "h1:/Jbhw/zNAsDYDoASaG6w+0KZyay9BkUVOpR8b7m0CsA=", - "zh:00fa6dc05bf2643c6a3c741edb7d88263698086835a8a613f1d7bd76d1b918fd", - "zh:0da9b788e773272a7aa9d59bd9e3d5842edd4acc8c3895bea469e66dc14205a0", - "zh:25a8c39d1f042fc7c83ba9dd745c3569ea9e577fadb57563a575fb115ac2b9f1", - "zh:4423666dbeae8bc22c6e8898ffbb88745681dc27668ca9104b665dd7f3d7292c", - "zh:78c07308e7407b558d15737a98fb5eaf15529d297fc3798de6a7d61e0466e2e3", - "zh:894aca7e6f4f331ee8eb51957a180dc03d399d2b1727e0d7842e9b3f022a8c6a", - "zh:bb0e620c2161b4c4892a6f50b1c4c69ed70f66bb5e92543a03d79d0e4b1d9441", - "zh:c7d8e6a791159ca63b30908c9efe72ab65f60d64b30f0c1eb5a64972f4994844", - "zh:d04c11bfd346c1ac34d16bbdca70b23b006e822f6beb236b85375e8343888eb4", - 
"zh:f4edea9660327c7c70a823d786fd1b1c1b186c8759770447f63da72f23e1a73c", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f986e268949cf445ff53a66af48a87c6f6dba5964e8a5b1dc0ea02afabdd71f7", - ] -} diff --git a/terraform/rbac/s941/.terraform.lock.hcl b/terraform/rbac/s941/.terraform.lock.hcl deleted file mode 100644 index 3324df931..000000000 --- a/terraform/rbac/s941/.terraform.lock.hcl +++ /dev/null 
@@ -1,40 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azuread" { - version = "2.32.0" - hashes = [ - "h1:K3uwNf+SJV7Ie1bhYQJ44ERM5CK48GZtwgrSrWLBO5o=", - "zh:1142c8f1e4a51467997ecbd218661b7bc365e2a46cd1c0cf2a17045d0943f73b", - "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:6733af76a0e8473d62d11fb855aa5d823ad9eee75ea0cc508b63cf0782f2b30b", - "zh:777f13db12b2820112f05e5728ad69901b2e8de9a63bfae081370c92dbc4e70b", - "zh:7c357e89acb549341dc276430ed7caf6c5f90abf282b55a90d2ed05f63f358e2", - "zh:7cc5ef7b97f9e632728b04c0f12d7f4b5c3ed123664b775d1857589ba079ebac", - "zh:9405827a7fb475629e99feefd4a11d25fee4a3e730d724d1e0090fb80cc4d85d", - "zh:a4ed113615fdc25ccb5349300f36f8eca0c490232c6dab6a45447642f8d4fea1", - "zh:e61c96da855b06eafab100941d70a65c5971d479a8812bf2d3998f6300e26095", - "zh:ea51577835d845ff4536ed1c3208d0ff54017d847d719a3e7b485ff7b7f7ba11", - "zh:ed8de8b088c6abb3bf4a47f37dd34e60c321d9f96f1b787f8ac2e9a3c8eb1e28", - "zh:fcc37e75e1a782379378a51e7a8fb5f103c1016cb5a4b186eb9c7e5f77f07008", - ] -} - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.39.1" - hashes = [ - "h1:RoF6P0vyKApcYvDRQM6ZO52IGgGLZ9RlVopI/hErWuQ=", - "zh:0429544b1a1385ab396e4c7b23c74184f071fdd069c2a779f3523b692677fe9e", - "zh:19a9857cbaa40613550667f30d8dd59ad88302f36aef3f04d784ac98681dfa15", - "zh:505b830c31f9a78b087a07ba72d68696e27845164befabf2d57641c3ae007434", - "zh:52942f003c1244c6f39d954618b01a02fac5f6cf104588bd7d7081a375b569d1", - "zh:536ee1dab964f1358c6c42addb04e008a0d27022c88ae1972d7ed973546f9011", - "zh:5aab6c071a7637f492b0d3500f743ea1fc01a2c8df0c8f583150b787a2d98f6e", - "zh:69a645d631bcd31cb196ca96f46280d8af1ce6cc285b7e41c86c1bc868fd9cf6", - "zh:70f05f9d71b73def03967cc24d437808ae8a3e46e17c466ea2b4559a55f0f45c", - "zh:ace40e00fce5fb2e49b6ec747690c65eafa48e5b929d89b60f26b1dc8d835748", - 
"zh:cf88e8e00851d8948a67790e4ecf70d1b0e1f8863e3ba8450428b75c111c521f", - "zh:de9b4db5e5425fe1284faa9373ad7b4f0c169ee720144053b2f4a22f1310947a", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/terraform/secrets-operator/.terraform.lock.hcl b/terraform/secrets-operator/.terraform.lock.hcl deleted file mode 100644 index 1d472ae67..000000000 --- a/terraform/secrets-operator/.terraform.lock.hcl +++ /dev/null @@ -1,22 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.69.0" - constraints = "<= 3.69.0" - hashes = [ - "h1:Y9P5uiObriBw8Ky39QPu/+I3P9om2M07xBfrhge06c0=", - "zh:00de2580c92828edf5ac02c1287dd247f647ceaa34f8a1e5bf0e2962a99240e4", - "zh:074412944b7d0f5aaf65c0d30c8c82dfb35f0f987a6c94ddfc0e0d9989ea35c2", - "zh:09e1a23ef5331191cee641a71a525c77418e16f666a1c9c82baf01d44d5db66c", - "zh:1c2172a661130d17d982bb6e9228e338bec92763a8cb86bba799357c85238003", - "zh:2f9c7a3a2c269dd3b62dec4a94495694f0ed29b3d7a16bcc6baf8ded9af734d1", - "zh:3d75d487e03ea2f711ffc760aab29aa5a67a19948a4430e61da658edcd2ecb86", - "zh:6e9c98be1768f2b53d43178638832b336e405e65bfa9feb3ec6b7b9444ebd4ea", - "zh:7bbdbb7448147a380077fbf8a356ab9a0e279043a6e7e4beef8cdbebd6243d30", - "zh:ad22c8472f5ec4133860a690ce0b0091a2a834523a0d05e57006b5d86cf0b78e", - "zh:dffe3bce5564841bec9039005aedb464048dad55942e01756d08362b7e81999a", - "zh:e63928a70be9a7afe26b9276b5f1825157670596dec974923759c98fd7e68208", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/terraform/subscriptions/s940/extmon/monitor/.terraform.lock.hcl b/terraform/subscriptions/s940/extmon/monitor/.terraform.lock.hcl index d349bd76a..bd738933a 100644 --- a/terraform/subscriptions/s940/extmon/monitor/.terraform.lock.hcl +++ b/terraform/subscriptions/s940/extmon/monitor/.terraform.lock.hcl 
@@ -21,21 +21,21 @@ provider "registry.terraform.io/hashicorp/azuread" { } provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.100.0" - constraints = "<= 3.100.0" + version = "4.2.0" + constraints = ">= 3.110.0" hashes = [ - "h1:/3X1KgoKBqJo0xe3XDUD0fxfqUK+0Fn8SghwvwY+BIA=", - "zh:20c3259fd94ab41c6c3425fb428d8bd279addb755c8ea1fe0b3e1c3bea4363cb", - "zh:4c4a8d5dbd8a9d7b60934b0ffed442fe50ab1b0559b9693399e3f66eca53d045", - "zh:7c21f569b839e40d4976beb6143adaccc5688d1a754dde054cb6f19ca33576b2", - "zh:88042b599de9ff8ec200e26636e06682e024a28331c4c48db8589d6a03279a8a", - "zh:95c20834eee3b46a85e338988bf14a9a70f74f9cae45ec934cf157dedaa40f28", - "zh:beeed81f4483dec0b64bf1aaf611c5030ad6e4c88c4bd75f956835653a1a29c0", - "zh:d76fa7371648b5bdc17115b5e42fa616fe4c6d2998f727a0956c0bddc4842365", - "zh:d89fcaa83a1ff7c9f29c49b31c60c29d8a84486e11d34573d767a5cd208da7d8", - "zh:ddbe18aee99fb7e2c93343f7f8a95837461a047ca660553c88c873761205ed76", - "zh:e6e70c7635bb4472810bfd0a31949640e72c535e6e8707454ea7e86dcb5fcd89", - "zh:f0575689ce28e220bc8daa4d2fefbfd90afde01a14343c61dfd6489960e22ff4", + "h1:pWbLnqrd3olgCCMj06w4PG6R096QY3Coctb2XdcPsrg=", + "zh:44d84b8a5f2bc6a71a32d85b706200d4dbb2b6a2a9babb25193a852fbbdb9e23", + "zh:57633b586c7b73b169d047a25dd2aa8931ba86bfea22f8e54228b849525708d6", + "zh:58f4e6a80cbc3ad5c92b9c6352f8b1fce6fa0b8a3231e1317bc9b3efba605355", + "zh:a2e2cc82b0d018abe8a9535dcbc173f55b36354fe9778941bdd71c975999fb52", + "zh:a7040aac14e384137f263f1d31a6183556a5acedcc19679647f0deda3c42ba1b", + "zh:c476526f7d54766b627758134a9340984888bacd41954dd11239cbe9b592fc46", + "zh:d001651de98256162c6dc351f4a22d446b6a77d65c487a59bd987d6783a93e71", + "zh:d7bffe913c2fb2a2b7abcf7d747c707a03182a2dc0dbd60a7b5da7a8c7705c3d", + "zh:e2b04f060c72050e7b53582edaaae10d1ed41d07a07babc933c04e9f600a4542", + "zh:eed6694ca700dae58f4a1aa12e02c58d2bfb0a2f09be72f43608bb1ffe709b6b", + "zh:f29200bafe66af9700dc3eb23aa2430a68d5e3dfdd3fc41ad7ceab743c10e164", 
"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } diff --git a/terraform/subscriptions/s940/globals/.terraform.lock.hcl b/terraform/subscriptions/s940/globals/.terraform.lock.hcl deleted file mode 100644 index 070f102fe..000000000 --- a/terraform/subscriptions/s940/globals/.terraform.lock.hcl +++ /dev/null 
@@ -1,41 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azuread" { - version = "2.48.0" - hashes = [ - "h1:0bqCK3mnamo16MVyEiyYayNAwRMCOentHqw/rPmx7/0=", - "zh:0ec4f1ca1825f038001173c40f4b6edbdbc71d018d782b45c22d5e272ca0ec16", - "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:22154cd497009b5b1cb6b87131b3f31521b3de392ade1ac64dade3f29b03f8d0", - "zh:2723fe574d7a89242bd642b896ff7006d36f8a5d5a7c3876c7e1e2ada567d599", - "zh:2858abe3209fa0035419a4b2f8f155878fb6ecbc64f72c6f726dad583b1c8217", - "zh:3ba51d3e3ba6f12e8e12b043d7bc5f4415fc1ac08b81306ad546fe1ca2a3aa32", - "zh:49a39fb3713ba1a58fcb7b040bc4430ab4edb5116e8d7d33b73361f07febaead", - "zh:6a043d62a9cbfb805040e33e700cdcbfb5f199a74ae3867fc10c6810741ab222", - "zh:906c0961425d5854b22c9fed4d319248a7c88f0037547ea8472998720487ae25", - "zh:a1d246d8e0362afe397f0aedf0e68cf7d920fbae1adb88841f63dc98c06e5888", - "zh:c7df4d912c970600d9cba97a60c84b1a4ad1031feb723021c6984d99b320fd5c", - "zh:e8fbec893b4feb4410185126f2421ef0bdbbb102d1370ed72bb65b99d8869b98", - ] -} - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.69.0" - constraints = "<= 3.69.0" - hashes = [ - "h1:Y9P5uiObriBw8Ky39QPu/+I3P9om2M07xBfrhge06c0=", - "zh:00de2580c92828edf5ac02c1287dd247f647ceaa34f8a1e5bf0e2962a99240e4", - "zh:074412944b7d0f5aaf65c0d30c8c82dfb35f0f987a6c94ddfc0e0d9989ea35c2", - "zh:09e1a23ef5331191cee641a71a525c77418e16f666a1c9c82baf01d44d5db66c", - "zh:1c2172a661130d17d982bb6e9228e338bec92763a8cb86bba799357c85238003", - "zh:2f9c7a3a2c269dd3b62dec4a94495694f0ed29b3d7a16bcc6baf8ded9af734d1", - "zh:3d75d487e03ea2f711ffc760aab29aa5a67a19948a4430e61da658edcd2ecb86", - "zh:6e9c98be1768f2b53d43178638832b336e405e65bfa9feb3ec6b7b9444ebd4ea", - "zh:7bbdbb7448147a380077fbf8a356ab9a0e279043a6e7e4beef8cdbebd6243d30", - "zh:ad22c8472f5ec4133860a690ce0b0091a2a834523a0d05e57006b5d86cf0b78e", - 
"zh:dffe3bce5564841bec9039005aedb464048dad55942e01756d08362b7e81999a", - "zh:e63928a70be9a7afe26b9276b5f1825157670596dec974923759c98fd7e68208", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/terraform/subscriptions/s940/globals/common/main.tf b/terraform/subscriptions/s940/globals/common/main.tf index 4f8e4a47c..dc23d8d23 100644 --- a/terraform/subscriptions/s940/globals/common/main.tf +++ b/terraform/subscriptions/s940/globals/common/main.tf @@ -37,4 +37,5 @@ module "storageaccount" { output "environment" { value = module.config.environment -} \ No newline at end of file +} + diff --git a/terraform/subscriptions/s940/prod/common/github.tf b/terraform/subscriptions/s940/prod/common/github.tf new file mode 100644 index 000000000..64ecee1a1 --- /dev/null +++ b/terraform/subscriptions/s940/prod/common/github.tf 
@@ -0,0 +1,43 @@
+
+data "azuread_application" "github_operator" {
+ display_name = "OP-Terraform-Github Action"
+}
+data "azuread_service_principal" "github_operator" {
+ display_name = data.azuread_application.github_operator.display_name
+}
+data "azurerm_storage_account" "infra" {
+ name = module.config.backend.storage_account_name
+ resource_group_name = module.config.backend.resource_group_name
+}
+data "azurerm_subscription" "subscription" {
+ subscription_id = module.config.subscription
+}
+
+resource "azurerm_role_assignment" "github-operator-contributor" {
+ scope = data.azurerm_subscription.subscription.id
+ role_definition_name = "Contributor"
+ principal_id = data.azuread_service_principal.github_operator.object_id
+}
+
+resource "azurerm_role_assignment" "github-operator-data-owner" {
+ scope = data.azurerm_storage_account.infra.id
+ role_definition_name = "Storage Blob Data Owner"
+ principal_id = data.azuread_service_principal.github_operator.object_id
+}
+
+resource "azurerm_role_assignment" "github-operator-user-admin" {
+ scope = data.azurerm_storage_account.infra.id
+ role_definition_name = "User Access Administrator"
+ principal_id = data.azuread_service_principal.github_operator.object_id
+}
+
+resource "azuread_application_federated_identity_credential" "github-operator-federated-credentials" {
+ application_id = data.azuread_application.github_operator.id
+ display_name = "radix-platform-operations"
+ description = "Allow Github to authenticate"
+ audiences = ["api://AzureADTokenExchange"]
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-platform:environment:s940"
+
+ timeouts {}
+}
diff --git a/terraform/subscriptions/s941/dev/common/github.tf b/terraform/subscriptions/s941/dev/common/github.tf
new file mode 100644
index 000000000..d9835be44
--- /dev/null
+++ b/terraform/subscriptions/s941/dev/common/github.tf
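Review bot: The `azuread_application` and `azuread_service_principal` data sources resolve the GitHub operator by `display_name`, and display names are not unique in Entra ID, so the Contributor, Storage Blob Data Owner and User Access Administrator assignments below can fail or, depending on provider behaviour, attach to a different application than the one tenant/entra/github.tf registers. The tenant module already outputs that app's `client-id`; resolving by it, `data "azuread_application" "github_operator" { client_id = "<CLIENT_ID_FROM_TENANT_OUTPUT>" }` and `client_id` on the service principal lookup as well, pins the grants to the intended identity. Contributor at subscription scope on a federated CI credential is a broad grant, so the GitHub `s940` environment named in `subject` should carry environment protection rules, since any job admitted to that environment obtains those rights. `description = "Allow Github to authenticate"` could say which workflows and environment are expected to use the credential. The s941 file in the next hunk has the same lookup and the same grants.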
@@ -0,0 +1,43 @@
+
+data "azuread_application" "github_operator" {
+ display_name = "ar-radix-platform-github-dev-cluster-maintenance"
+}
+data "azuread_service_principal" "github_operator" {
+ display_name = data.azuread_application.github_operator.display_name
+}
+data "azurerm_storage_account" "infra" {
+ name = module.config.backend.storage_account_name
+ resource_group_name = module.config.backend.resource_group_name
+}
+data "azurerm_subscription" "subscription" {
+ subscription_id = module.config.subscription
+}
+
+resource "azurerm_role_assignment" "github-operator-contributor" {
+ scope = data.azurerm_subscription.subscription.id
+ role_definition_name = "Contributor"
+ principal_id = data.azuread_service_principal.github_operator.object_id
+}
+
+resource "azurerm_role_assignment" "github-operator-data-owner" {
+ scope = data.azurerm_storage_account.infra.id
+ role_definition_name = "Storage Blob Data Owner"
+ principal_id = data.azuread_service_principal.github_operator.object_id
+}
+
+resource "azurerm_role_assignment" "github-operator-user-admin" {
+ scope = data.azurerm_storage_account.infra.id
+ role_definition_name = "User Access Administrator"
+ principal_id = data.azuread_service_principal.github_operator.object_id
+}
+
+resource "azuread_application_federated_identity_credential" "github-operator-federated-credentials" {
+ application_id = data.azuread_application.github_operator.id
+ display_name = "radix-platform-operations"
+ description = "Allow Github to authenticate"
+ audiences = ["api://AzureADTokenExchange"]
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-platform:environment:s941"
+
+ timeouts {}
+}
diff --git a/terraform/tenant/entra/github.tf b/terraform/tenant/entra/github.tf
new file mode 100644
index 000000000..7cb9775e7
--- /dev/null
+++ b/terraform/tenant/entra/github.tf
@@ -0,0 +1,59 @@
+
+
+resource "azuread_application" "APP_GITHUB_ACTION_CLUSTER_S941" {
+ display_name = "ar-radix-platform-github-dev-cluster-maintenance"
+ owners = data.azuread_group.radix.members
+ sign_in_audience = "AzureADandPersonalMicrosoftAccount"
+ service_management_reference = "110327"
+ tags = ["iac=terraform"]
+
+ api {
+ known_client_applications = []
+ mapped_claims_enabled = false
+ requested_access_token_version = 2
+ }
+}
+resource "azuread_service_principal" "SP_GITHUB_ACTION_CLUSTER_S941" {
+ client_id = azuread_application.APP_GITHUB_ACTION_CLUSTER_S941.client_id
+ app_role_assignment_required = false
+ owners = azuread_application.APP_GITHUB_ACTION_CLUSTER_S941.owners
+}
+
+resource "azuread_application" "APP_GITHUB_ACTION_CLUSTER_S940" {
+ display_name = "OP-Terraform-Github Action"
+ owners = data.azuread_group.radix-platform-operators.members
+ sign_in_audience = "AzureADMyOrg"
+ tags = ["iac=terraform"]
+ service_management_reference = "110327"
+ required_resource_access {
+ resource_app_id = "00000003-0000-0000-c000-000000000000"
+ resource_access {
+ id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
+ type = "Scope"
+ }
+ }
+
+ api {
+ known_client_applications = []
+ mapped_claims_enabled = false
+ requested_access_token_version = 1
+ }
+}
+resource "azuread_service_principal" "SP_GITHUB_ACTION_CLUSTER_S940" {
+ client_id = azuread_application.APP_GITHUB_ACTION_CLUSTER_S940.client_id
+ app_role_assignment_required = false
+ owners = azuread_application.APP_GITHUB_ACTION_CLUSTER_S940.owners
+}
+
+output "s941-github-operator-client-id" {
+ value = {
+ client-id = azuread_application.APP_GITHUB_ACTION_CLUSTER_S941.client_id
+ name = azuread_application.APP_GITHUB_ACTION_CLUSTER_S941.display_name
+ }
+}
+output "s940-github-operator-client-id" {
+ value = {
+ client-id = azuread_application.APP_GITHUB_ACTION_CLUSTER_S940.client_id
+ name = azuread_application.APP_GITHUB_ACTION_CLUSTER_S940.display_name
+ }
+}
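Review bot: `APP_GITHUB_ACTION_CLUSTER_S941` is registered with `sign_in_audience = "AzureADandPersonalMicrosoftAccount"`, a multi-tenant audience that also admits personal Microsoft accounts, while `APP_GITHUB_ACTION_CLUSTER_S940` a few lines below is single-tenant. An identity used only for federated GitHub Actions sign-in to this tenant, and granted Contributor on the s941 subscription in an earlier hunk, does not need that audience; `sign_in_audience = "AzureADMyOrg"` aligns it with the s940 registration, and `requested_access_token_version = 2` remains valid with it. A comment on the two `owners` lines should record that application owners can add credentials to the registration and so exercise its subscription-scoped roles, which is why the group drawn from here has to stay small. The two apps take owners from different groups (`radix` and `radix-platform-operators`); whether that difference is intended I can't tell from this hunk.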
diff --git a/terraform/tenant/entra/variables.tf b/terraform/tenant/entra/variables.tf index 5dd32f726..857d28342 100644 --- a/terraform/tenant/entra/variables.tf +++ b/terraform/tenant/entra/variables.tf @@ -46,3 +46,4 @@ variable "service-manager-ref" { default = "110327" description = "Service Manager Reference, required on all App Registrations" } +