From 7a5cd883c2f0757d3be00c6aa0ef837e189f855f Mon Sep 17 00:00:00 2001 From: Svein-Petter Johnsen <83902071+sveinpj@users.noreply.github.com> Date: Fri, 16 Feb 2024 14:38:57 +0100 Subject: [PATCH] Velero role assignment (#1205) * Velero role assignement * updates * Velero role assignment * Remove IP * Updates --------- Co-authored-by: Automatic Update --- .../install_prerequisites_in_cluster.sh | 71 +++++++++---------- .../modules/storageaccount/main.tf | 55 +++++++------- .../modules/storageaccount/variables.tf | 28 ++++---- .../subscriptions/s940/c2/common/main.tf | 33 +++++---- .../subscriptions/s940/c2/common/variables.tf | 2 +- .../s940/c2/vulnerability-scanner/main.tf | 2 +- .../subscriptions/s940/extmon/common/main.tf | 33 +++++---- .../s940/extmon/common/variables.tf | 2 +- .../subscriptions/s940/prod/common/main.tf | 33 +++++---- .../s940/prod/common/variables.tf | 2 +- .../s940/prod/vulnerability-scanner/main.tf | 6 +- .../subscriptions/s941/dev/common/main.tf | 29 ++++---- .../s941/dev/common/variables.tf | 2 +- .../s941/dev/vulnerability-scanner/main.tf | 2 +- .../s941/playground/common/main.tf | 33 +++++---- .../s941/playground/common/variables.tf | 2 +- .../playground/vulnerability-scanner/main.tf | 2 +- 17 files changed, 172 insertions(+), 165 deletions(-) diff --git a/scripts/velero/install_prerequisites_in_cluster.sh b/scripts/velero/install_prerequisites_in_cluster.sh index 54ff9fa5c..1cbded1f5 100755 --- a/scripts/velero/install_prerequisites_in_cluster.sh +++ b/scripts/velero/install_prerequisites_in_cluster.sh 
@@ -188,37 +188,30 @@ function cleanup() { rm -f "$CREDENTIALS_GENERATED_PATH" } -function generateCredentialsFile() { - local SP_JSON="$(az keyvault secret show \ - --vault-name $AZ_RESOURCE_KEYVAULT \ - --name $APP_REGISTRATION_VELERO | - jq '.value | fromjson')" - - # Set variables used in the manifest templates - local AZURE_SUBSCRIPTION_ID="$AZ_SUBSCRIPTION_ID" - local AZURE_CLIENT_ID="$(echo $SP_JSON | jq -r '.id')" - local AZURE_TENANT_ID="$(echo $SP_JSON | jq -r '.tenantId')" - local AZURE_CLIENT_SECRET="$(echo $SP_JSON | jq -r '.password')" - - # Use the credentials template as a heredoc, then run the heredoc to generate the credentials file - CREDENTIALS_GENERATED_PATH="$(mktemp)" - local tmp_heredoc="$(mktemp)" - ( - echo "#!/bin/sh" - echo "cat <>${CREDENTIALS_GENERATED_PATH}" - cat ${CREDENTIALS_TEMPLATE_PATH} - echo "" - echo "EOF" - ) >${tmp_heredoc} && chmod +x ${tmp_heredoc} - source "$tmp_heredoc" - - # Debug - # echo -e "\nCREDENTIALS_GENERATED_PATH=$CREDENTIALS_GENERATED_PATH" - # echo -e "tmp_heredoc=$tmp_heredoc" - - # Remove even if script crashed - #trap "rm -f $CREDENTIALS_GENERATED_PATH" 0 2 3 15 -} +# function generateCredentialsFile() { +# local SP_JSON="$(az keyvault secret show \ +# --vault-name $AZ_RESOURCE_KEYVAULT \ +# --name $APP_REGISTRATION_VELERO | +# jq '.value | fromjson')" + +# # Set variables used in the manifest templates +# local AZURE_SUBSCRIPTION_ID="$AZ_SUBSCRIPTION_ID" +# local AZURE_CLIENT_ID="$(echo $SP_JSON | jq -r '.id')" +# local AZURE_TENANT_ID="$(echo $SP_JSON | jq -r '.tenantId')" +# local AZURE_CLIENT_SECRET="$(echo $SP_JSON | jq -r '.password')" + +# # Use the credentials template as a heredoc, then run the heredoc to generate the credentials file +# CREDENTIALS_GENERATED_PATH="$(mktemp)" +# local tmp_heredoc="$(mktemp)" +# ( +# echo "#!/bin/sh" +# echo "cat <>${CREDENTIALS_GENERATED_PATH}" +# cat ${CREDENTIALS_TEMPLATE_PATH} +# echo "" +# echo "EOF" +# ) >${tmp_heredoc} && chmod +x ${tmp_heredoc} +# source 
"$tmp_heredoc" +# } # Run cleanup even if script crashed trap cleanup 0 2 3 15 @@ -231,14 +224,14 @@ case "$(kubectl get ns $VELERO_NAMESPACE 2>&1)" in esac printf "...Done" -printf "\nWorking on credentials..." -generateCredentialsFile -kubectl create secret generic cloud-credentials \ - --namespace "$VELERO_NAMESPACE" \ - --from-file=cloud=$CREDENTIALS_GENERATED_PATH \ - --dry-run=client -o yaml | - kubectl apply -f - \ - 2>&1 >/dev/null +# printf "\nWorking on credentials..." +# generateCredentialsFile +# kubectl create secret generic cloud-credentials \ +# --namespace "$VELERO_NAMESPACE" \ +# --from-file=cloud=$CREDENTIALS_GENERATED_PATH \ +# --dry-run=client -o yaml | +# kubectl apply -f - \ +# 2>&1 >/dev/null printf "...Done" MYIP=$(curl http://ifconfig.me/ip) || diff --git a/terraform/subscriptions/modules/storageaccount/main.tf b/terraform/subscriptions/modules/storageaccount/main.tf index 27d8e4933..6a10aebdb 100644 --- a/terraform/subscriptions/modules/storageaccount/main.tf +++ b/terraform/subscriptions/modules/storageaccount/main.tf 
@@ -57,6 +57,21 @@ resource "azurerm_role_assignment" "roleassignment" { depends_on = [azurerm_storage_account.storageaccount] } +# ####################################################################################### +# ### Role assignment for Velero Service Principal to be used to the Storage account +# ### + +data "azuread_service_principal" "velero" { # wip To be changed to workload identity in the future + display_name = var.velero_service_principal +} + +resource "azurerm_role_assignment" "storage_blob_data_conntributor" { + for_each = can(regex("radixvelero.*", var.name)) ? { "${var.name}" : true } : {} + scope = azurerm_storage_account.storageaccount.id + role_definition_name = "Storage Blob Data Contributor" + principal_id = data.azuread_service_principal.velero.id + depends_on = [azurerm_storage_account.storageaccount] +} ###################################################################################### ## Blob Protection 
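Review bot: `data "azuread_service_principal" "velero"` resolves the principal by `display_name`, which is not unique in Entra ID, so the `Storage Blob Data Contributor` assignment could be granted to a different principal that happens to carry the same name; look it up by `client_id` (or object id) instead and pass that value through `var.velero_service_principal`. The resource name `storage_blob_data_conntributor` has a typo that becomes a state address, so fixing it later will need a `moved` block; fix it now. The `depends_on` is redundant because `scope` already references `azurerm_storage_account.storageaccount.id`, and the unanchored `regex("radixvelero.*", var.name)` reads more plainly as `startswith(var.name, "radixvelero")`. Note that the data source is evaluated for every module instance, not only the velero ones, so every caller must supply a name that resolves.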
@@ -73,24 +88,24 @@ resource "azurerm_data_protection_backup_instance_blob_storage" "backupinstanceb } resource "azurerm_storage_account_network_rules" "this" { - for_each = var.firewall ? { "${var.name}" : true } : {} + # for_each = var.firewall ? { "${var.name}" : true } : {} storage_account_id = azurerm_storage_account.storageaccount.id default_action = "Deny" - ip_rules = ["143.97.110.1"] - virtual_network_subnet_ids = [var.subnet_id] - # bypass = ["Metrics"] -} + ip_rules = [] + # virtual_network_subnet_ids = [var.subnet_id] -###################################################################################### -## Private Link -## +} +data "azurerm_subnet" "subnet" { + name = "private-links" + virtual_network_name = var.virtual_network + resource_group_name = var.vnet_resource_group +} resource "azurerm_private_endpoint" "this" { - for_each = var.priv_endpoint ? { "${var.name}" : true } : {} # { for key in compact([for key, value in var.priv_endpoint : value.private_endpoint ? key : ""]) : key => var.priv_endpoint[key] } - name = azurerm_storage_account.storageaccount.name - resource_group_name = azurerm_storage_account.storageaccount.resource_group_name - location = azurerm_storage_account.storageaccount.location - subnet_id = var.subnet_id + name = "pe-${var.name}" + location = var.location + resource_group_name = var.vnet_resource_group + subnet_id = data.azurerm_subnet.subnet.id depends_on = [azurerm_storage_account.storageaccount] private_service_connection { 
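Review bot: Commenting out the `for_each` makes `azurerm_storage_account_network_rules.this` unconditional, so every account created through this module now gets `default_action = "Deny"` with an empty `ip_rules` list and no `virtual_network_subnet_ids`; callers that previously set `firewall = false` lose that choice, and the only remaining path is the private endpoint, which works only for clients whose VNet is linked to the `privatelink.blob.core.windows.net` zone the A record is written to. If that is the intent, state it: `# Public network access is denied; clients reach the account only through the private endpoint below.` As far as the hunks in this commit show, `var.subnet_id` is no longer referenced in the module but remains a required variable that every caller still sets, so either drop it from `variables.tf` and the callers or keep the `virtual_network_subnet_ids` line. The hard-coded subnet name `"private-links"` in the new `data "azurerm_subnet"` deserves a variable or at least a comment, since the network name and resource group are inputs.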
@@ -100,18 +115,10 @@ resource "azurerm_private_endpoint" "this" { subresource_names = ["blob"] } } - - -###################################################################################### -## Private DNS -## resource "azurerm_private_dns_a_record" "this" { - for_each = var.priv_endpoint ? { "${var.name}" : true } : {} name = azurerm_storage_account.storageaccount.name zone_name = "privatelink.blob.core.windows.net" - resource_group_name = var.vnethub_resource_group - ttl = 10 - records = [azurerm_private_endpoint.this[each.key].private_service_connection.0.private_ip_address] - depends_on = [azurerm_private_endpoint.this] + resource_group_name = var.vnet_resource_group + ttl = 60 + records = [azurerm_private_endpoint.this.private_service_connection.0.private_ip_address] } - diff --git a/terraform/subscriptions/modules/storageaccount/variables.tf b/terraform/subscriptions/modules/storageaccount/variables.tf index c5d46b27d..adb736421 100644 --- a/terraform/subscriptions/modules/storageaccount/variables.tf +++ b/terraform/subscriptions/modules/storageaccount/variables.tf @@ -74,6 +74,11 @@ variable "principal_id" { type = string } +variable "velero_service_principal" { + description = "The Name of the Principal (User, Group or Service Principal) to assign the Role Definition to" + type = string +} + variable "vault_id" { description = "The ID of the Backup Vault" type = string 
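Review bot: Dropping `for_each` on `azurerm_private_dns_a_record.this` (and on `azurerm_private_endpoint.this` in the previous hunk) changes the state addresses from `...this["<name>"]` to `...this`, so existing endpoints and records will be destroyed and recreated, with a new private IP, unless state is migrated first; because the old key was `var.name`, a static `moved` block cannot express it inside the module, so either keep the always-true `for_each` shape or plan the state move per instance before applying. `azurerm_private_endpoint.this.private_service_connection.0.private_ip_address` uses the legacy attribute-index form; write `private_service_connection[0].private_ip_address`. The record's `resource_group_name` moved from the old `vnethub_resource_group` to `var.vnet_resource_group`, which is correct only if the private DNS zone lives in the same group as the hub VNet — worth a comment on the line.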
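Review bot: The description of `velero_service_principal` says "User, Group or Service Principal", but the module feeds it to `data "azuread_service_principal"` as a `display_name`, so only a service principal resolves and a user or group name would fail at plan time. Reword it to `description = "Display name of the Velero service principal granted Storage Blob Data Contributor on radixvelero* accounts"`, and consider a `validation` block rejecting the empty string, since the data source is evaluated for every module instance.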
@@ -90,25 +95,16 @@ variable "subnet_id" { } -variable "vnethub_resource_group" { - description = "Specifies the resource group where the DNS Zone (parent resource) exists" - type = string -} - -variable "priv_endpoint" { - description = "Create private endpoint?" +variable "backup" { + description = "Enable backup" type = bool - default = false } -variable "firewall" { - description = "Enable FW rules on StorageAccount?" - type = bool - default = true - +variable "virtual_network" { + type = string + default = "vnet-hub" } -variable "backup" { - description = "Enable backup" - type = bool +variable "vnet_resource_group" { + type = string } \ No newline at end of file diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf index 322c8f9dd..7e27d609f 100644 --- a/terraform/subscriptions/s940/c2/common/main.tf +++ b/terraform/subscriptions/s940/c2/common/main.tf @@ -1,8 +1,12 @@ +module "config" { + source = "../../../modules/config" +} + module "resourcegroups_ver1" { for_each = var.resource_groups_ver1 source = "../../../modules/resourcegroups_ver1" name = each.value.name - location = local.outputs.location + location = module.config.location roleassignment = each.value.roleassignment principal_id = module.mi.data.principal_id role_definition_name = each.value.role_definition_name 
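Review bot: The new variables `virtual_network` and `vnet_resource_group` have no `description`, unlike the other variables in this file; add e.g. `description = "Name of the hub virtual network that holds the private-links subnet"` and `description = "Resource group of the hub virtual network and its privatelink.blob.core.windows.net zone"`. `variable "subnet_id"`, still present just above this hunk, is no longer used by `main.tf` after this commit as far as the visible hunks show, so callers are forced to pass a value that is ignored; remove it or mark it deprecated in its description. The file also loses its trailing newline (`\ No newline at end of file`).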
@@ -10,26 +14,26 @@ module "resourcegroups_ver1" { module "mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-infrastructure-${local.outputs.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.outputs.enviroment}" + name = "radix-id-infrastructure-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" } module "backupvault" { source = "../../../modules/backupvaults" - name = "Backupvault-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + name = "Backupvault-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location policyblobstoragename = "Backuppolicy-blob" depends_on = [module.resourcegroups_ver1] } module "loganalytics" { source = "../../../modules/log-analytics" - workspace_name = "radix-logs-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + workspace_name = "radix-logs-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location retention_in_days = 30 local_authentication_disabled = false } @@ -37,12 +41,12 @@ module "loganalytics" { module "storageaccount" { source = "../../../modules/storageaccount" for_each = var.storageaccounts - name = "radix${each.key}${local.outputs.enviroment}" + name = "radix${each.key}${module.config.environment}" tier = each.value.account_tier account_replication_type = each.value.account_replication_type resource_group_name = each.value.resource_group_name location = each.value.location - environment = local.outputs.enviroment + environment = module.config.environment kind = each.value.kind change_feed_enabled = each.value.change_feed_enabled versioning_enabled = each.value.versioning_enabled 
@@ -51,8 +55,7 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name - priv_endpoint = each.value.private_endpoint - firewall = each.value.firewall + velero_service_principal = each.value.velero_service_principal + vnet_resource_group = module.config.vnet_resource_group } diff --git a/terraform/subscriptions/s940/c2/common/variables.tf b/terraform/subscriptions/s940/c2/common/variables.tf index fc93f923c..0a8124f2c 100644 --- a/terraform/subscriptions/s940/c2/common/variables.tf +++ b/terraform/subscriptions/s940/c2/common/variables.tf @@ -31,12 +31,12 @@ variable "storageaccounts" { account_tier = optional(string, "Standard") account_replication_type = optional(string, "LRS") kind = optional(string, "StorageV2") + velero_service_principal = optional(string, "ar-radix-velero-c2-prod") change_feed_enabled = optional(bool, false) versioning_enabled = optional(bool, false) backup = optional(bool, false) principal_id = optional(string) private_endpoint = optional(bool, false) - firewall = optional(bool, true) })) default = { log = { diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf index 2d80ed9f2..44dcf616a 100644 --- a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf 
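Review bot: The caller still passes `subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id`, which the module no longer uses, and `variables.tf` keeps `private_endpoint = optional(bool, false)` although `each.value.private_endpoint` is no longer forwarded; since the module now creates the private endpoint unconditionally, a `private_endpoint = false` in `default` is silently ignored. Remove the stale attribute and argument, or wire `private_endpoint` back into the module as a switch. The same applies to the equivalent `module "storageaccount"` and `storageaccounts` hunks for extmon, prod, dev and playground.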
@@ -19,7 +19,7 @@ data "azurerm_key_vault_secret" "keyvault_secrets" { module "mssql-database" { source = "../../../modules/mssqldatabase" env = module.config.environment - managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" + managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" database_name = "radix-vulnerability-scan" server_name = "sql-radix-vulnerability-scan-${module.config.environment}-prod" admin_adgroup = var.admin-adgroup diff --git a/terraform/subscriptions/s940/extmon/common/main.tf b/terraform/subscriptions/s940/extmon/common/main.tf index eb515622b..ea45bcd27 100644 --- a/terraform/subscriptions/s940/extmon/common/main.tf +++ b/terraform/subscriptions/s940/extmon/common/main.tf 
@@ -1,32 +1,36 @@ +module "config" { + source = "../../../modules/config" +} + module "resourcegroups" { for_each = toset(var.resource_groups) source = "../../../modules/resourcegroups" name = each.value - location = local.outputs.location + location = module.config.location } module "mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-infrastructure-${local.outputs.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.outputs.enviroment}" + name = "radix-id-infrastructure-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" } module "backupvault" { source = "../../../modules/backupvaults" - name = "Backupvault-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + name = "Backupvault-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location policyblobstoragename = "Backuppolicy-blob" depends_on = [module.resourcegroups] } module "loganalytics" { source = "../../../modules/log-analytics" - workspace_name = "radix-logs-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + workspace_name = "radix-logs-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location retention_in_days = 30 local_authentication_disabled = false } 
@@ -35,12 +39,12 @@ module "loganalytics" { module "storageaccount" { source = "../../../modules/storageaccount" for_each = var.storageaccounts - name = "radix${each.key}${local.outputs.enviroment}" + name = "radix${each.key}${module.config.environment}" tier = each.value.account_tier account_replication_type = each.value.account_replication_type resource_group_name = each.value.resource_group_name location = each.value.location - environment = local.outputs.enviroment + environment = module.config.environment kind = each.value.kind change_feed_enabled = each.value.change_feed_enabled versioning_enabled = each.value.versioning_enabled @@ -49,7 +53,6 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name - priv_endpoint = each.value.private_endpoint - firewall = each.value.firewall + velero_service_principal = each.value.velero_service_principal + vnet_resource_group = module.config.vnet_resource_group } \ No newline at end of file diff --git a/terraform/subscriptions/s940/extmon/common/variables.tf b/terraform/subscriptions/s940/extmon/common/variables.tf index d799bf2c8..c2341852f 100644 --- a/terraform/subscriptions/s940/extmon/common/variables.tf +++ b/terraform/subscriptions/s940/extmon/common/variables.tf @@ -12,12 +12,12 @@ variable "storageaccounts" { account_tier = optional(string, "Standard") account_replication_type = optional(string, "LRS") kind = optional(string, "StorageV2") + velero_service_principal = optional(string, "radix-velero-prod") change_feed_enabled = optional(bool, false) versioning_enabled = optional(bool, false) backup = optional(bool, false) principal_id = optional(string) private_endpoint = optional(bool, false) - firewall = optional(bool, true) })) default = { log = { 
diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf index 322c8f9dd..7e27d609f 100644 --- a/terraform/subscriptions/s940/prod/common/main.tf +++ b/terraform/subscriptions/s940/prod/common/main.tf @@ -1,8 +1,12 @@ +module "config" { + source = "../../../modules/config" +} + module "resourcegroups_ver1" { for_each = var.resource_groups_ver1 source = "../../../modules/resourcegroups_ver1" name = each.value.name - location = local.outputs.location + location = module.config.location roleassignment = each.value.roleassignment principal_id = module.mi.data.principal_id role_definition_name = each.value.role_definition_name 
@@ -10,26 +14,26 @@ module "resourcegroups_ver1" { module "mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-infrastructure-${local.outputs.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.outputs.enviroment}" + name = "radix-id-infrastructure-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" } module "backupvault" { source = "../../../modules/backupvaults" - name = "Backupvault-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + name = "Backupvault-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location policyblobstoragename = "Backuppolicy-blob" depends_on = [module.resourcegroups_ver1] } module "loganalytics" { source = "../../../modules/log-analytics" - workspace_name = "radix-logs-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + workspace_name = "radix-logs-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location retention_in_days = 30 local_authentication_disabled = false } @@ -37,12 +41,12 @@ module "loganalytics" { module "storageaccount" { source = "../../../modules/storageaccount" for_each = var.storageaccounts - name = "radix${each.key}${local.outputs.enviroment}" + name = "radix${each.key}${module.config.environment}" tier = each.value.account_tier account_replication_type = each.value.account_replication_type resource_group_name = each.value.resource_group_name location = each.value.location - environment = local.outputs.enviroment + environment = module.config.environment kind = each.value.kind change_feed_enabled = each.value.change_feed_enabled versioning_enabled = each.value.versioning_enabled 
@@ -51,8 +55,7 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name - priv_endpoint = each.value.private_endpoint - firewall = each.value.firewall + velero_service_principal = each.value.velero_service_principal + vnet_resource_group = module.config.vnet_resource_group } diff --git a/terraform/subscriptions/s940/prod/common/variables.tf b/terraform/subscriptions/s940/prod/common/variables.tf index 4f70d95cf..5e1b96e3a 100644 --- a/terraform/subscriptions/s940/prod/common/variables.tf +++ b/terraform/subscriptions/s940/prod/common/variables.tf @@ -32,12 +32,12 @@ variable "storageaccounts" { account_tier = optional(string, "Standard") account_replication_type = optional(string, "LRS") kind = optional(string, "StorageV2") + velero_service_principal = optional(string, "radix-velero-prod") change_feed_enabled = optional(bool, false) versioning_enabled = optional(bool, false) backup = optional(bool, false) principal_id = optional(string) private_endpoint = optional(bool, false) - firewall = optional(bool, true) })) default = { log = { diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf index cb56f7497..2248f58cb 100644 --- a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf 
@@ -21,16 +21,16 @@ module "mssql-database" { env = module.config.environment database_name = "radix-vulnerability-scan" server_name = "sql-radix-vulnerability-scan-prod" # ${module.config.environment} # Se https://github.com/equinor/radix-platform/issues/1187 - managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" + managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" admin_adgroup = var.admin-adgroup administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name - vnet_resource_group = module.config.vnet_resource_group + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = true zone_redundant = false - sku_name = "S6" + sku_name = "S6" admin_federated_credentials = { github-main = { diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf index 946457f93..8e046b073 100644 --- a/terraform/subscriptions/s941/dev/common/main.tf +++ b/terraform/subscriptions/s941/dev/common/main.tf @@ -6,7 +6,7 @@ module "resourcegroups_ver1" { for_each = var.resource_groups_ver1 source = "../../../modules/resourcegroups_ver1" name = each.value.name - location = local.outputs.location + location = module.config.location roleassignment = each.value.roleassignment principal_id = module.mi.data.principal_id role_definition_name = each.value.role_definition_name 
@@ -14,26 +14,26 @@ module "resourcegroups_ver1" { module "mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-infrastructure-${local.outputs.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.outputs.enviroment}" + name = "radix-id-infrastructure-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" } module "backupvault" { source = "../../../modules/backupvaults" - name = "Backupvault-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + name = "Backupvault-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location policyblobstoragename = "Backuppolicy-blob" depends_on = [module.resourcegroups_ver1] } module "loganalytics" { source = "../../../modules/log-analytics" - workspace_name = "radix-logs-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + workspace_name = "radix-logs-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location retention_in_days = 30 local_authentication_disabled = false } @@ -41,12 +41,12 @@ module "loganalytics" { module "storageaccount" { source = "../../../modules/storageaccount" for_each = var.storageaccounts - name = "radix${each.key}${local.outputs.enviroment}" + name = "radix${each.key}${module.config.environment}" tier = each.value.account_tier account_replication_type = each.value.account_replication_type resource_group_name = each.value.resource_group_name location = each.value.location - environment = local.outputs.enviroment_L + environment = module.config.environment_L kind = each.value.kind change_feed_enabled = each.value.change_feed_enabled versioning_enabled = each.value.versioning_enabled 
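Review bot: `environment = module.config.environment_L` carries the `_L` suffix over from the old `local.outputs.enviroment_L`, while every other reference in this file became `module.config.environment`; unless the config module really exposes an `environment_L` output, `terraform validate` fails on this line, and if `_L` was a typo it should read `environment = module.config.environment` as in the c2, extmon and prod files. The same line appears in the playground `main.tf` hunk of this commit.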
@@ -55,8 +55,7 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name - priv_endpoint = each.value.private_endpoint - firewall = each.value.firewall + velero_service_principal = each.value.velero_service_principal + vnet_resource_group = module.config.vnet_resource_group } diff --git a/terraform/subscriptions/s941/dev/common/variables.tf b/terraform/subscriptions/s941/dev/common/variables.tf index f035f9ca7..619d583de 100644 --- a/terraform/subscriptions/s941/dev/common/variables.tf +++ b/terraform/subscriptions/s941/dev/common/variables.tf @@ -40,12 +40,12 @@ variable "storageaccounts" { account_tier = optional(string, "Standard") account_replication_type = optional(string, "LRS") kind = optional(string, "StorageV2") + velero_service_principal = optional(string, "radix-velero-dev") change_feed_enabled = optional(bool, false) versioning_enabled = optional(bool, false) backup = optional(bool, false) principal_id = optional(string) private_endpoint = optional(bool, false) - firewall = optional(bool, true) })) default = { log = { diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf index 744348abc..c311f6f97 100644 --- a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf 
@@ -23,7 +23,7 @@ data "azurerm_key_vault_secret" "keyvault_secrets" { module "mssql-database" { source = "../../../modules/mssqldatabase" env = module.config.environment - managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" + managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" database_name = "radix-vulnerability-scan" server_name = "sql-radix-vulnerability-scan-${module.config.environment}" admin_adgroup = var.admin-adgroup diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf index bb216fca7..8e046b073 100644 --- a/terraform/subscriptions/s941/playground/common/main.tf +++ b/terraform/subscriptions/s941/playground/common/main.tf @@ -1,8 +1,12 @@ +module "config" { + source = "../../../modules/config" +} + module "resourcegroups_ver1" { for_each = var.resource_groups_ver1 source = "../../../modules/resourcegroups_ver1" name = each.value.name - location = local.outputs.location + location = module.config.location roleassignment = each.value.roleassignment principal_id = module.mi.data.principal_id role_definition_name = each.value.role_definition_name 
@@ -10,26 +14,26 @@ module "resourcegroups_ver1" { module "mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-infrastructure-${local.outputs.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.outputs.enviroment}" + name = "radix-id-infrastructure-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" } module "backupvault" { source = "../../../modules/backupvaults" - name = "Backupvault-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + name = "Backupvault-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location policyblobstoragename = "Backuppolicy-blob" depends_on = [module.resourcegroups_ver1] } module "loganalytics" { source = "../../../modules/log-analytics" - workspace_name = "radix-logs-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + workspace_name = "radix-logs-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location retention_in_days = 30 local_authentication_disabled = false } @@ -37,12 +41,12 @@ module "loganalytics" { module "storageaccount" { source = "../../../modules/storageaccount" for_each = var.storageaccounts - name = "radix${each.key}${local.outputs.enviroment}" + name = "radix${each.key}${module.config.environment}" tier = each.value.account_tier account_replication_type = each.value.account_replication_type resource_group_name = each.value.resource_group_name location = each.value.location - environment = local.outputs.enviroment_L + environment = module.config.environment_L kind = each.value.kind change_feed_enabled = each.value.change_feed_enabled versioning_enabled = each.value.versioning_enabled 
@@ -51,8 +55,7 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name - priv_endpoint = each.value.private_endpoint - firewall = each.value.firewall + velero_service_principal = each.value.velero_service_principal + vnet_resource_group = module.config.vnet_resource_group } diff --git a/terraform/subscriptions/s941/playground/common/variables.tf b/terraform/subscriptions/s941/playground/common/variables.tf index 8a94526a3..754f7b587 100644 --- a/terraform/subscriptions/s941/playground/common/variables.tf +++ b/terraform/subscriptions/s941/playground/common/variables.tf @@ -31,12 +31,12 @@ variable "storageaccounts" { account_tier = optional(string, "Standard") account_replication_type = optional(string, "LRS") kind = optional(string, "StorageV2") + velero_service_principal = optional(string, "radix-velero-dev") change_feed_enabled = optional(bool, false) versioning_enabled = optional(bool, false) backup = optional(bool, false) principal_id = optional(string) private_endpoint = optional(bool, false) - firewall = optional(bool, true) })) default = { log = { diff --git a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf index ff8e1ea06..581e65038 100644 --- a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf 
@@ -21,7 +21,7 @@ data "azurerm_key_vault_secret" "keyvault_secrets" { module "mssql-database" { source = "../../../modules/mssqldatabase" env = module.config.environment - managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" + managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" database_name = "radix-vulnerability-scan" server_name = "sql-radix-vulnerability-scan-${module.config.environment}" admin_adgroup = var.admin-adgroup