terraform config for Vulnerability Scanner in C2 + Prod (#1173)

* terraform config for Vulnerability Scanner in C2 + Prod

* bugfix c2

* added cost-allocation to terraform

* added cost-allocation to terraform in playground

* update cost allocation and vulnerability scanner in c2, platform, dev & playground

* add tenant summary script

* handle prod/platform special case

* handle prod/platform special case

* terraform fmt

* handle cost allocation in c2, update mi in prod

* update mi name in cost allocation in dev and playground

* update mi name in vulnerability can in dev and playground

terraform/subscriptions/modules/config/main.tf

@@ -22,7 +22,9 @@ output "cluster_resource_group" {
   value = "clusters-${local.config.environment}"
 }
 output "vnet_resource_group" {
-  value = "cluster-vnet-hub-${local.config.environment}"
+  # Todo: Create platform resources next time eu18 is recreated
+  # Todo: Also fix terraform/subscriptions/modules/mssqldatabase/networking.tf
+  value = "cluster-vnet-hub-${local.config.environment == "platform" ? "prod" : local.config.environment}"
 }
 output "key_vault_name" {
   value = "radix-keyv-${local.config.environment}"
@@ -37,4 +39,4 @@ output "backend" {
 
 output "policy_aks_diagnostics_cluster" {
   value = "Radix-Enforce-Diagnostics-AKS-Clusters"
-}
+}

terraform/subscriptions/modules/mssqldatabase/iam.tf

@@ -4,7 +4,7 @@ data "azuread_group" "admin" {
 }
 
 resource "azurerm_user_assigned_identity" "admin" {
-  name                = "mi-${var.server_name}-admin-${var.env}"
+  name                = var.managed_identity_admin_name
   location            = var.location
   resource_group_name = var.rg_name
 }

terraform/subscriptions/modules/mssqldatabase/main.tf

@@ -29,7 +29,7 @@ resource "azurerm_mssql_database" "mssql_database" {
   read_scale     = var.read_scale
   sku_name       = var.sku_name
   zone_redundant = var.zone_redundant
-  tags           = var.tags
+  tags           = var.database_tags
   depends_on     = [azurerm_mssql_server.sqlserver]
   long_term_retention_policy {
     monthly_retention = "PT0S"

terraform/subscriptions/modules/mssqldatabase/networking.tf

@@ -1,15 +1,13 @@
-
-
 data "azurerm_subnet" "subnet" {
   name                 = "private-links"
   virtual_network_name = var.virtual_network
-  resource_group_name  = "cluster-vnet-hub-${var.env}"
+  resource_group_name  = var.vnet_resource_group
 }
 
 resource "azurerm_private_endpoint" "endpoint" {
   name                = "pe-${var.server_name}"
   location            = var.location
-  resource_group_name = "cluster-vnet-hub-${var.env}"
+  resource_group_name = var.vnet_resource_group
   subnet_id           = data.azurerm_subnet.subnet.id
 
   private_service_connection {
@@ -22,12 +20,12 @@ resource "azurerm_private_endpoint" "endpoint" {
 
 data "azurerm_private_dns_zone" "dns_zone" {
   name                = "privatelink.database.windows.net"
-  resource_group_name = "cluster-vnet-hub-${var.env}"
+  resource_group_name = var.vnet_resource_group
 }
 resource "azurerm_private_dns_a_record" "dns_record" {
   name                = var.server_name
   zone_name           = "privatelink.database.windows.net"
-  resource_group_name = "cluster-vnet-hub-${var.env}"
+  resource_group_name = var.vnet_resource_group
   ttl                 = 300
   records             = azurerm_private_endpoint.endpoint.custom_dns_configs[0].ip_addresses
 }

terraform/subscriptions/modules/mssqldatabase/variables.tf

@@ -8,6 +8,9 @@ variable "administrator_password" {
 variable "admin_adgroup" {
   type = string
 }
+variable "managed_identity_admin_name" {
+  type = string
+}
 variable "location" {
   default = "northeurope"
   type    = string
@@ -38,7 +41,9 @@ variable "env" {
   type        = string
   description = "dev, playground, c2 or prod"
 }
-
+variable "vnet_resource_group" {
+  type = string
+}
 
 variable "database_name" {
   type = string
@@ -67,6 +72,10 @@ variable "tags" {
   type    = map(string)
   default = {}
 }
+variable "database_tags" {
+  type    = map(string)
+  default = {}
+}
 
 variable "virtual_network" {
   type    = string

terraform/subscriptions/s940/c2/cost-allocation/backend.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<=3.69.0"
+    }
+  }
+
+  backend "azurerm" {
+    tenant_id            = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+    subscription_id      = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+    resource_group_name  = "s940-tfstate"
+    storage_account_name = "s940radixinfra"
+    container_name       = "infrastructure"
+    key                  = "c2/cost-allocation/terraform.tfstate"
+  }
+}
+
+provider "azurerm" {
+  subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+  features {
+  }
+}

terraform/subscriptions/s940/c2/cost-allocation/main.tf

@@ -0,0 +1,55 @@
+module "config" {
+  source = "../../../modules/config"
+}
+
+module "resourcegroup" {
+  source   = "../../../modules/resourcegroups"
+  name     = "cost-allocation-${module.config.environment}"
+  location = module.config.location
+}
+data "azurerm_key_vault" "keyvault" {
+  name                = module.config.key_vault_name
+  resource_group_name = module.config.common_resource_group
+}
+data "azurerm_key_vault_secret" "keyvault_secrets" {
+  name         = var.keyvault_dbadmin_secret_name
+  key_vault_id = data.azurerm_key_vault.keyvault.id # local.external_outputs.keyvault.vault_id
+}
+
+# MS SQL Server
+module "mssql-database" {
+  source                        = "../../../modules/mssqldatabase"
+  env                           = module.config.environment
+  managed_identity_admin_name   = "radix-id-cost-allocation-admin-c2"
+  database_name                 = "sqldb-radix-cost-allocation"
+  server_name                   = "sql-radix-cost-allocation-${module.config.environment}-prod" # https://github.com/equinor/radix-platform/issues/1190
+  admin_adgroup                 = var.admin-adgroup
+  administrator_login           = "radix"
+  administrator_password        = data.azurerm_key_vault_secret.keyvault_secrets.value
+  rg_name                       = module.resourcegroup.data.name
+  vnet_resource_group           = module.config.vnet_resource_group
+  location                      = module.config.location
+  public_network_access_enabled = true
+  zone_redundant                = false
+  tags = {
+    displayName = "SqlServer"
+  }
+  database_tags = {
+    displayName = "Database"
+  }
+
+  admin_federated_credentials = {
+    github-master = {
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-cost-allocation:ref:refs/heads/master"
+    }
+    github-release = {
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-cost-allocation:ref:refs/heads/release"
+    }
+  }
+}
+
+output "mi-client-id" {
+  value = module.mssql-database.mi-admin
+}

terraform/subscriptions/s940/c2/cost-allocation/variables.tf

@@ -0,0 +1,9 @@
+variable "admin-adgroup" {
+  type    = string
+  default = "Radix SQL server admin - c2"
+}
+
+variable "keyvault_dbadmin_secret_name" {
+  type    = string
+  default = "radix-cost-allocation-db-admin"
+}

terraform/subscriptions/s940/c2/vulnerability-scanner/backend.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<=3.69.0"
+    }
+  }
+
+  backend "azurerm" {
+    tenant_id            = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+    subscription_id      = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+    resource_group_name  = "s940-tfstate"
+    storage_account_name = "s940radixinfra"
+    container_name       = "infrastructure"
+    key                  = "c2/vulnerability-scan/terraform.tfstate"
+  }
+}
+
+provider "azurerm" {
+  subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+  features {
+  }
+}

terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf

@@ -0,0 +1,48 @@
+module "config" {
+  source = "../../../modules/config"
+}
+module "resourcegroup" {
+  source   = "../../../modules/resourcegroups"
+  name     = "vulnerability-scan-${module.config.environment}"
+  location = module.config.location
+}
+data "azurerm_key_vault" "keyvault" {
+  name                = module.config.key_vault_name
+  resource_group_name = module.config.common_resource_group
+}
+data "azurerm_key_vault_secret" "keyvault_secrets" {
+  name         = var.keyvault_dbadmin_secret_name
+  key_vault_id = data.azurerm_key_vault.keyvault.id
+}
+
+# MS SQL Server
+module "mssql-database" {
+  source                        = "../../../modules/mssqldatabase"
+  env                           = module.config.environment
+  managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}"
+  database_name                 = "radix-vulnerability-scan"
+  server_name                   = "sql-radix-vulnerability-scan-${module.config.environment}-prod"
+  admin_adgroup                 = var.admin-adgroup
+  administrator_login           = "radix"
+  administrator_password        = data.azurerm_key_vault_secret.keyvault_secrets.value
+  rg_name                       = module.resourcegroup.data.name
+  vnet_resource_group           = module.config.vnet_resource_group
+  location                      = module.config.location
+  public_network_access_enabled = true
+  zone_redundant                = false
+
+  admin_federated_credentials = {
+    github-master = {
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/master"
+    }
+    github-release = {
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release"
+    }
+  }
+}
+
+output "mi-client-id" {
+  value = module.mssql-database.mi-admin
+}

terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf

@@ -0,0 +1,9 @@
+variable "admin-adgroup" {
+  type    = string
+  default = "Radix SQL server admin - c2"
+}
+
+variable "keyvault_dbadmin_secret_name" {
+  type    = string
+  default = "radix-vulnerability-scan-db-admin"
+}

terraform/subscriptions/s940/prod/cost-allocation/backend.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<=3.69.0"
+    }
+  }
+
+  backend "azurerm" {
+    tenant_id            = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+    subscription_id      = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+    resource_group_name  = "s940-tfstate"
+    storage_account_name = "s940radixinfra"
+    container_name       = "infrastructure"
+    key                  = "prod/cost-allocation/terraform.tfstate"
+  }
+}
+
+provider "azurerm" {
+  subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+  features {
+  }
+}

terraform/subscriptions/s940/prod/cost-allocation/main.tf

@@ -0,0 +1,56 @@
+module "config" {
+  source = "../../../modules/config"
+}
+
+module "resourcegroup" {
+  source   = "../../../modules/resourcegroups"
+  name     = "cost-allocation-${module.config.environment}"
+  location = module.config.location
+}
+data "azurerm_key_vault" "keyvault" {
+  name                = module.config.key_vault_name
+  resource_group_name = module.config.common_resource_group
+}
+data "azurerm_key_vault_secret" "keyvault_secrets" {
+  name         = var.keyvault_dbadmin_secret_name
+  key_vault_id = data.azurerm_key_vault.keyvault.id # local.external_outputs.keyvault.vault_id
+}
+
+# MS SQL Server
+module "mssql-database" {
+  source                        = "../../../modules/mssqldatabase"
+  env                           = module.config.environment
+  managed_identity_admin_name   = "radix-id-cost-allocation-admin-platform"
+  database_name                 = "sqldb-radix-cost-allocation"
+  server_name                   = "sql-radix-cost-allocation-prod" # ${module.config.environment} # See https://github.com/equinor/radix-platform/issues/1186
+  admin_adgroup                 = var.admin-adgroup
+  administrator_login           = "radix"
+  administrator_password        = data.azurerm_key_vault_secret.keyvault_secrets.value
+  rg_name                       = module.resourcegroup.data.name
+  location                      = module.config.location
+  vnet_resource_group           = module.config.vnet_resource_group
+  sku_name                      = "S3"
+  public_network_access_enabled = false
+  zone_redundant                = false
+  tags = {
+    displayName = "SqlServer"
+  }
+  database_tags = {
+    displayName = "Database"
+  }
+
+  admin_federated_credentials = {
+    github-master = {
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-cost-allocation:ref:refs/heads/master"
+    }
+    github-release = {
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-cost-allocation:ref:refs/heads/release"
+    }
+  }
+}
+
+output "mi-client-id" {
+  value = module.mssql-database.mi-admin
+}

terraform/subscriptions/s940/prod/cost-allocation/variables.tf

@@ -0,0 +1,9 @@
+variable "admin-adgroup" {
+  type    = string
+  default = "Radix SQL server admin - platform"
+}
+
+variable "keyvault_dbadmin_secret_name" {
+  type    = string
+  default = "radix-cost-allocation-db-admin"
+}

terraform/subscriptions/s940/prod/vulnerability-scanner/backend.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<=3.69.0"
+    }
+  }
+
+  backend "azurerm" {
+    tenant_id            = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+    subscription_id      = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+    resource_group_name  = "s940-tfstate"
+    storage_account_name = "s940radixinfra"
+    container_name       = "infrastructure"
+    key                  = "prod/vulnerability-scan/terraform.tfstate"
+  }
+}
+
+provider "azurerm" {
+  subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+  features {
+  }
+}