radix-id-gitrunner
Automatic Update committed Oct 14, 2024
1 parent 8dc1c9a commit b925bd3
Showing 19 changed files with 250 additions and 116 deletions.
1 change: 1 addition & 0 deletions scripts/migrate.sh
@@ -687,6 +687,7 @@ WEB_COMPONENT="web"

# Update replyUrls for those radix apps that require AD authentication
printf "\nWaiting for web-console ingress to be ready so we can add replyUrl to web console aad app..."
printf "\nIf this takes to long, you can try to restart the radix operator (kubectl rollout restart deployment radix-operator) in another console window"
while [[ "$(kubectl get ingress $AUTH_PROXY_COMPONENT --namespace $WEB_CONSOLE_NAMESPACE 2>&1)" == *"Error"* ]]; do
printf "."
sleep 5
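Review bot: The second printf, `printf "\nIf this takes to long, you can try to restart the radix operator ..."`, which the 6-to-7 line counts of this hunk suggest is the added line, has a typo in its user-facing text: `to long` should read `too long`. The surrounding while loop begins in the hunk but its body continues outside it.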
@@ -0,0 +1,4 @@
output "id" {
description = "storageaccountid"
value = azurerm_storage_account.storageaccount.id
}
32 changes: 32 additions & 0 deletions terraform/subscriptions/s940/c2/common/main.tf
@@ -143,6 +143,38 @@ module "radix-id-acr-workflows" {
}
}

module "radix_id_gitrunner" {
source = "../../../modules/userassignedidentity"
name = "radix-id-gitrunner-${module.config.environment}"
resource_group_name = module.config.common_resource_group
location = module.config.location
roleassignments = {
contributor = {
role = "Radix Privatelink rbac-${module.config.subscription_shortname}"
scope_id = "/subscriptions/${module.config.subscription}"
}
blob_contributor = {
role = "Contributor" # Needed to open firewall
scope_id = "${module.config.backend.terraform_storage_id}"
}
storage_blob_contributor = {
role = "Storage Blob Data Contributor" # Needed to read blobdata
scope_id = "${module.config.backend.terraform_storage_id}"
}
vnet_contributor = {
role = "Contributor"
scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
}
}
federated_credentials = {
radix-id-gitrunner = {
name = "radix-id-gitrunner-${module.config.environment}"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix:environment:${module.config.environment}"
},
}
}

module "radix-cr-cicd" {
source = "../../../modules/app_registration"
display_name = "radix-cr-cicd-${module.config.environment}"
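Review bot: The `blob_contributor` entry grants the built-in `Contributor` role on the Terraform state storage account, which is far more than the firewall change its comment describes: Contributor on a storage account also carries `Microsoft.Storage/storageAccounts/listKeys/action`, so this GitHub Actions identity effectively gets full data-plane access to the state account rather than only the `Storage Blob Data Contributor` role granted beside it. A custom role limited to `Microsoft.Storage/storageAccounts/read` and `Microsoft.Storage/storageAccounts/write` would still allow network-rule updates while leaving key retrieval out, and the key `blob_contributor` should be renamed (e.g. `storage_contributor`) since it is the neighbouring `storage_blob_contributor` that actually grants the blob role. The `contributor` entry looks up `"Radix Privatelink rbac-${module.config.subscription_shortname}"`, whereas the role definition added in terraform/subscriptions/s940/globals/common/main.tf is named with `${module.config.environment}`; unless those two config values are equal for the globals stack, this assignment will not resolve. Because the federated credential trusts any workflow in equinor/radix that runs against the named GitHub environment, the grants on this identity should be kept as narrow as possible and the environment should carry protection rules. The same block is repeated in terraform/subscriptions/s940/prod/common/main.tf and terraform/subscriptions/s941/dev/common/main.tf.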
2 changes: 1 addition & 1 deletion terraform/subscriptions/s940/c2/config.yaml
@@ -8,4 +8,4 @@ backend:
subscription_id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
tenant_id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
ip_key_vault_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-c2/providers/Microsoft.KeyVault/vaults/radix-keyv-c2"

terraform_storage_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/s940-tfstate/providers/Microsoft.Storage/storageAccounts/s940radixinfra"
54 changes: 27 additions & 27 deletions terraform/subscriptions/s940/globals/common/.terraform.lock.hcl

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

32 changes: 32 additions & 0 deletions terraform/subscriptions/s940/globals/common/main.tf
@@ -1,3 +1,11 @@
module "resourcegroups" {
for_each = toset(["common", "monitoring"])

source = "../../../modules/resourcegroups"
name = each.value
location = module.config.location
}

data "azurerm_subscription" "main" {
subscription_id = module.config.subscription
}
@@ -35,6 +43,30 @@ module "storageaccount" {
log_analytics_id = module.config.backend.log_analytics_workspace_id
}

resource "azurerm_role_definition" "privatelink_role" {
name = "Radix Privatelink rbac-${module.config.environment}"
scope = "/subscriptions/${module.config.subscription}"
description = "The role to manage Private Endpoints"

permissions {
actions = [
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/privateEndpoints/read",
"Microsoft.Network/privateEndpoints/write",
"Microsoft.Network/locations/availablePrivateEndpointTypes/read",
"Microsoft.Network/privateDNSZones/*"
]
}
assignable_scopes = [
data.azurerm_subscription.main.id
]
}

output "environment" {
value = module.config.environment
}
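Review bot: The custom role `azurerm_role_definition.privatelink_role` grants two wildcards, `"Microsoft.Network/privateDNSZones/*"` and `"Microsoft.Resources/deployments/*"`, with the whole subscription as both `scope` and `assignable_scopes`; the DNS wildcard covers writing and deleting record sets and virtual-network links in every private DNS zone of the subscription, which is much more than the private-endpoint registration the `description` names and would let a holder alter private name resolution subscription-wide. Listing only the zone, record-set and `virtualNetworkLinks` read/write actions actually needed, and narrowing `deployments/*` to read and write, keeps the role proportional to its purpose. For consistency `scope` could use `data.azurerm_subscription.main.id` as `assignable_scopes` already does, instead of rebuilding the id from `module.config.subscription`. Separately, if `module "resourcegroups"` in the first hunk previously existed as a single instance, adding `for_each` changes its resource addresses and Terraform will plan to destroy and recreate those resource groups unless `moved` blocks are added; the hunk does not show enough of the old side to tell.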
2 changes: 1 addition & 1 deletion terraform/subscriptions/s940/globals/config.yaml
@@ -8,4 +8,4 @@ backend:
subscription_id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
tenant_id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
ip_key_vault_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-platform/providers/Microsoft.KeyVault/vaults/radix-keyv-platform"
log_analytics_workspace_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-platform/providers/Microsoft.OperationalInsights/workspaces/radix-logs-platform"
log_analytics_workspace_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-platform/providers/Microsoft.OperationalInsights/workspaces/radix-logs-platform"
32 changes: 32 additions & 0 deletions terraform/subscriptions/s940/prod/common/main.tf
@@ -141,6 +141,38 @@ module "radix-id-acr-workflows" {
}
}

module "radix_id_gitrunner" {
source = "../../../modules/userassignedidentity"
name = "radix-id-gitrunner-${module.config.environment}"
resource_group_name = module.config.common_resource_group
location = module.config.location
roleassignments = {
contributor = {
role = "Radix Privatelink rbac-${module.config.subscription_shortname}"
scope_id = "/subscriptions/${module.config.subscription}"
}
blob_contributor = {
role = "Contributor" # Needed to open firewall
scope_id = "${module.config.backend.terraform_storage_id}"
}
storage_blob_contributor = {
role = "Storage Blob Data Contributor" # Needed to read blobdata
scope_id = "${module.config.backend.terraform_storage_id}"
}
vnet_contributor = {
role = "Contributor"
scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
}
}
federated_credentials = {
radix-id-gitrunner = {
name = "radix-id-gitrunner-${module.config.environment}"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix:environment:${module.config.environment}"
},
}
}

module "radix-cr-cicd" {
source = "../../../modules/app_registration"
display_name = "radix-cr-cicd-${module.config.environment}"
1 change: 1 addition & 0 deletions terraform/subscriptions/s940/prod/config.yaml
@@ -8,4 +8,5 @@ backend:
subscription_id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
tenant_id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
ip_key_vault_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-platform/providers/Microsoft.KeyVault/vaults/radix-keyv-platform"
terraform_storage_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/s940-tfstate/providers/Microsoft.Storage/storageAccounts/s940radixinfra"

19 changes: 0 additions & 19 deletions terraform/subscriptions/s940/prod/virtualnetwork/main.tf
@@ -2,12 +2,6 @@ module "config" {
source = "../../../modules/config"
}

data "github_repository_file" "this" {
repository = "equinor/radix"
branch = "main"
file = "privatelinks/${module.config.environment}.yaml"
}

module "resourcegroups" {
source = "../../../modules/resourcegroups"
name = module.config.vnet_resource_group
@@ -103,16 +97,3 @@ output "public_ip_prefix_ids" {
ingress_id = module.azurerm_public_ip_prefix_ingress.data.id
}
}

module "private_endpoints" {
source = "../../../modules/private-endpoints"
for_each = yamldecode(data.github_repository_file.this.content)
server_name = each.key
subresourcename = each.value.subresourcename
resource_id = each.value.resource_id
vnet_resource_group = module.resourcegroups.data.name
customdnszone = lookup(each.value, "customdnszone", "")
customname = lookup(each.value, "customname", "")
location = module.config.location
depends_on = [data.github_repository_file.this]
}
2 changes: 0 additions & 2 deletions terraform/subscriptions/s941/dev/common/github.tf
@@ -38,7 +38,6 @@ resource "azuread_application_federated_identity_credential" "github-operator-fe
audiences = ["api://AzureADTokenExchange"]
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix-platform:environment:s941"

timeouts {}
}

@@ -49,6 +48,5 @@ resource "azuread_application_federated_identity_credential" "github-operator-fe
audiences = ["api://AzureADTokenExchange"]
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix-platform:environment:operations"

timeouts {}
}
32 changes: 32 additions & 0 deletions terraform/subscriptions/s941/dev/common/main.tf
@@ -136,6 +136,38 @@ module "radix-id-acr-workflows" {
}
}

module "radix_id_gitrunner" {
source = "../../../modules/userassignedidentity"
name = "radix-id-gitrunner-${module.config.environment}"
resource_group_name = module.config.common_resource_group
location = module.config.location
roleassignments = {
contributor = {
role = "Radix Privatelink rbac-${module.config.subscription_shortname}"
scope_id = "/subscriptions/${module.config.subscription}"
}
blob_contributor = {
role = "Contributor" # Needed to open firewall
scope_id = "${module.config.backend.terraform_storage_id}"
}
storage_blob_contributor = {
role = "Storage Blob Data Contributor" # Needed to read blobdata
scope_id = "${module.config.backend.terraform_storage_id}"
}
vnet_contributor = {
role = "Contributor"
scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
}
}
federated_credentials = {
radix-id-gitrunner = {
name = "radix-id-gitrunner-${module.config.environment}"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix:environment:${module.config.environment}"
},
}
}

module "radix-cr-cicd" {
source = "../../../modules/app_registration"
display_name = "radix-cr-cicd-${module.config.environment}"
1 change: 1 addition & 0 deletions terraform/subscriptions/s941/dev/config.yaml
@@ -9,3 +9,4 @@ backend:
subscription_id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
tenant_id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
ip_key_vault_id: "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/common-dev/providers/Microsoft.KeyVault/vaults/radix-keyv-dev"
terraform_storage_id: "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/s941-tfstate/providers/Microsoft.Storage/storageAccounts/s941radixinfra"
19 changes: 0 additions & 19 deletions terraform/subscriptions/s941/dev/virtualnetwork/main.tf
@@ -2,12 +2,6 @@ module "config" {
source = "../../../modules/config"
}

data "github_repository_file" "this" {
repository = "equinor/radix"
branch = "main"
file = "privatelinks/${module.config.environment}.yaml"
}

module "resourcegroups" {
source = "../../../modules/resourcegroups"
name = module.config.vnet_resource_group
@@ -61,16 +55,3 @@ output "public_ip_prefix_ids" {
ingress_id = module.azurerm_public_ip_prefix_ingress.data.id
}
}

module "private_endpoints" {
source = "../../../modules/private-endpoints"
for_each = yamldecode(data.github_repository_file.this.content)
server_name = each.key
subresourcename = each.value.subresourcename
resource_id = each.value.resource_id
vnet_resource_group = module.resourcegroups.data.name
customdnszone = lookup(each.value, "customdnszone", "")
customname = lookup(each.value, "customname", "")
location = module.config.location
depends_on = [data.github_repository_file.this]
}