From e29f6063dbc600afab9fa4b366c8dce972f1b35f Mon Sep 17 00:00:00 2001 
From: Svein-Petter Johnsen <83902071+sveinpj@users.noreply.github.com> Date: Mon, 14 Oct 2024 13:29:31 +0200 Subject: [PATCH] Privatelinks (#1469) * Privatelinks * Privatelinks * Privatelinks * Privatelinks * Privatelinks * Privatelinks * radix-id-gitrunner * updates * Update terraform/subscriptions/s940/globals/common/main.tf Co-authored-by: Richard Hagen * Update terraform/subscriptions/s940/c2/common/main.tf Co-authored-by: Richard Hagen * Update terraform/subscriptions/s940/prod/common/main.tf Co-authored-by: Richard Hagen * Update terraform/subscriptions/s941/dev/common/main.tf Co-authored-by: Richard Hagen * Update terraform/subscriptions/s941/globals/common/main.tf Co-authored-by: Richard Hagen * Update terraform/subscriptions/s941/playground/common/main.tf Co-authored-by: Richard Hagen * updates --------- Co-authored-by: Automatic Update Co-authored-by: Richard Hagen --- scripts/aks/c2.env | 2 +- scripts/aks/development.env | 2 +- scripts/aks/playground.env | 2 +- scripts/aks/production.env | 2 +- scripts/migrate.sh | 1 + .../modules/storageaccount_global/output.tf | 4 ++ .../subscriptions/s940/c2/common/main.tf | 32 +++++++++++ terraform/subscriptions/s940/c2/config.yaml | 2 +- .../s940/globals/common/.terraform.lock.hcl | 54 +++++++++---------- .../subscriptions/s940/globals/common/main.tf | 39 ++++++++++++++ .../subscriptions/s940/globals/config.yaml | 2 +- .../subscriptions/s940/prod/common/main.tf | 32 +++++++++++ terraform/subscriptions/s940/prod/config.yaml | 1 + .../s940/prod/virtualnetwork/main.tf | 19 ------- .../subscriptions/s941/dev/common/github.tf | 2 - .../subscriptions/s941/dev/common/main.tf | 32 +++++++++++ terraform/subscriptions/s941/dev/config.yaml | 1 + .../s941/dev/virtualnetwork/main.tf | 19 ------- .../s941/globals/common/.terraform.lock.hcl | 54 +++++++++---------- .../subscriptions/s941/globals/common/main.tf | 33 +++++++++++- .../s941/playground/common/main.tf | 32 +++++++++++ .../subscriptions/s941/playground/config.yaml | 1 + 
.../s941/playground/virtualnetwork/main.tf | 19 ------- 23 files changed, 266 insertions(+), 121 deletions(-) create mode 100644 terraform/subscriptions/modules/storageaccount_global/output.tf diff --git a/scripts/aks/c2.env b/scripts/aks/c2.env index 7855455e6..da73a25ba 100644 --- a/scripts/aks/c2.env +++ b/scripts/aks/c2.env @@ -14,7 +14,7 @@ fi ####################################################################################### ### AKS ### -: ${KUBERNETES_VERSION:="1.29.2"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value. +: ${KUBERNETES_VERSION:="1.29.8"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value. ARM_BOOTSTRAP_COUNT="1" ARM_DISK_SIZE="1023" diff --git a/scripts/aks/development.env b/scripts/aks/development.env index 1a3640540..b70859513 100644 --- a/scripts/aks/development.env +++ b/scripts/aks/development.env @@ -16,7 +16,7 @@ fi ####################################################################################### ### AKS ### -: ${KUBERNETES_VERSION:="1.29.2"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value. +: ${KUBERNETES_VERSION:="1.29.8"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value. ARM_BOOTSTRAP_COUNT="1" ARM_DISK_SIZE="1023" ARM_VM_SIZE="Standard_B4ps_v2" diff --git a/scripts/aks/playground.env b/scripts/aks/playground.env index 44243d65c..9fc4c7833 100644 --- a/scripts/aks/playground.env +++ b/scripts/aks/playground.env 
@@ -14,7 +14,7 @@ fi ####################################################################################### ### AKS ### -: ${KUBERNETES_VERSION:="1.29.2"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value. +: ${KUBERNETES_VERSION:="1.29.8"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value. ARM_BOOTSTRAP_COUNT="1" ARM_DISK_SIZE="1023" ARM_VM_SIZE="Standard_B8ps_v2" diff --git a/scripts/aks/production.env b/scripts/aks/production.env index e96ca36a8..bb0462c33 100644 --- a/scripts/aks/production.env +++ b/scripts/aks/production.env @@ -14,7 +14,7 @@ fi ####################################################################################### ### AKS ### -: ${KUBERNETES_VERSION:="1.29.2"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value. +: ${KUBERNETES_VERSION:="1.29.8"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value. ARM_BOOTSTRAP_COUNT="1" ARM_DISK_SIZE="1023" ARM_VM_SIZE="Standard_E16ps_v5" diff --git a/scripts/migrate.sh b/scripts/migrate.sh index f66608bed..4cde31bb0 100755 --- a/scripts/migrate.sh +++ b/scripts/migrate.sh @@ -687,6 +687,7 @@ WEB_COMPONENT="web" # Update replyUrls for those radix apps that require AD authentication printf "\nWaiting for web-console ingress to be ready so we can add replyUrl to web console aad app..." +printf "\nIf this takes to long, you can try to restart the radix operator (kubectl rollout restart deployment radix-operator) in another console window" while [[ "$(kubectl get ingress $AUTH_PROXY_COMPONENT --namespace $WEB_CONSOLE_NAMESPACE 2>&1)" == *"Error"* ]]; do printf "." sleep 5 
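Review bot: The new `printf` text reads `If this takes to long`; it should be `too long`, and the suggested `kubectl rollout restart deployment radix-operator` names no `--namespace`, so a reader whose current context points elsewhere would hit the wrong namespace — give the namespace if it is fixed, or say which one is meant: `printf "\nIf this takes too long, you can try to restart the radix operator (kubectl rollout restart deployment radix-operator -n <operator-namespace>) in another console window"`. The polling `while` loop this message precedes continues outside the hunk.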
diff --git a/terraform/subscriptions/modules/storageaccount_global/output.tf b/terraform/subscriptions/modules/storageaccount_global/output.tf
new file mode 100644
index 000000000..abf5994d5
--- /dev/null
+++ b/terraform/subscriptions/modules/storageaccount_global/output.tf
@@ -0,0 +1,4 @@
+output "id" {
+ description = "storageaccountid"
+ value = azurerm_storage_account.storageaccount.id
+}
diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf
index 447cb1a64..3f36bb6aa 100644
--- a/terraform/subscriptions/s940/c2/common/main.tf
+++ b/terraform/subscriptions/s940/c2/common/main.tf
@@ -143,6 +143,38 @@ module "radix-id-acr-workflows" {
 }
 }
 
+module "radix_id_gitrunner" {
+ source = "../../../modules/userassignedidentity"
+ name = "radix-id-gitrunner-${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ roleassignments = {
+ privatelink-contributor = {
+ role = "Radix Privatelink rbac-${module.config.subscription_shortname}"
+ scope_id = "/subscriptions/${module.config.subscription}"
+ }
+ blob_contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = "${module.config.backend.terraform_storage_id}"
+ }
+ storage_blob_contributor = {
+ role = "Storage Blob Data Contributor" # Needed to read blobdata
+ scope_id = "${module.config.backend.terraform_storage_id}"
+ }
+ vnet_contributor = {
+ role = "Contributor"
+ scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
+ }
+ }
+ federated_credentials = {
+ radix-id-gitrunner = {
+ name = "radix-id-gitrunner-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix:environment:${module.config.environment}"
+ },
+ }
+}
+
 module "radix-cr-cicd" {
 source = "../../../modules/app_registration"
 display_name = "radix-cr-cicd-${module.config.environment}"
diff --git a/terraform/subscriptions/s940/c2/config.yaml b/terraform/subscriptions/s940/c2/config.yaml
index 80c56910d..74c617e05 100644
--- a/terraform/subscriptions/s940/c2/config.yaml
+++ b/terraform/subscriptions/s940/c2/config.yaml
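Review bot: `blob_contributor` and `vnet_contributor` grant the built-in `Contributor` role on the whole terraform-state storage account and on the whole VNet resource group, which is far wider than the stated needs; Contributor on a storage account includes `Microsoft.Storage/storageAccounts/listKeys/action`, so it already yields full data-plane access to every state blob (making the `Storage Blob Data Contributor` assignment redundant in effect), and Contributor on the resource group lets the GitHub workflow change anything in it. A custom role limited to `Microsoft.Storage/storageAccounts/write` for the network rules, plus the `Radix Privatelink rbac-*` role already assigned under `privatelink-contributor` (ideally scoped to the VNet resource group rather than `/subscriptions/...`), would cover the same work with least privilege. The role name here is built from `module.config.subscription_shortname` while the definition in globals/common uses `module.config.environment`; unless both resolve to the same string the assignment fails at apply, so a comment such as `# must match azurerm_role_definition.privatelink_role in globals/common` would help the next reader. `data.azurerm_virtual_network.this` is referenced but not defined in this hunk, and the federated credential's safety rests on the protection rules of the `repo:equinor/radix` environment, which live outside this repo. The same block is repeated in the s940/prod, s941/dev and s941/playground hunks.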
@@ -8,4 +8,4 @@ backend: subscription_id: "ded7ca41-37c8-4085-862f-b11d21ab341a" tenant_id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0" ip_key_vault_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-c2/providers/Microsoft.KeyVault/vaults/radix-keyv-c2" - + terraform_storage_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/s940-tfstate/providers/Microsoft.Storage/storageAccounts/s940radixinfra" diff --git a/terraform/subscriptions/s940/globals/common/.terraform.lock.hcl b/terraform/subscriptions/s940/globals/common/.terraform.lock.hcl index c90caadef..b9f4acc20 100644 --- a/terraform/subscriptions/s940/globals/common/.terraform.lock.hcl +++ b/terraform/subscriptions/s940/globals/common/.terraform.lock.hcl 
@@ -2,40 +2,40 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azuread" { - version = "2.49.1" + version = "3.0.2" hashes = [ - "h1:imGgFTntS9vSVGXmRzrg3JBIwxewVDo3w+1Ov3vkTbY=", + "h1:sYCyzbPpSYu2XDah8XqBUITQAfB0x4j4Twh6lw2C4CA=", + "zh:16e724b80a9004c7978c30f69a73c98ff63eb8a03937dd44c2a8f0ea0438b7a3", "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:402c943f0508f7dae29cabe3352e4430cf7ef9c569433392624ea46d834892ae", - "zh:4cb66ad4e6d40b5a58160d90c1922e2e67e4c89b3c7543b227f5ecafe97a4b41", - "zh:549b966a79433939e154e3bd926069cfd21180546a94e98ee6d5f17d6efca3b1", - "zh:6cba71af694b06563903767a940d701375737ccc7898d8156ed5df10ba4d4118", - "zh:7867c7065bc9eebf79b0dad1b64056fd991490eba9973378e8c8df61fd57f6d7", - "zh:ab280f6ed9b59adff1b25e4d5c86417359adf72aabe49d0a4ab19c93adbfbddf", - "zh:b68fbefe5043bd224265d81629650572095b6c375a2ad0c7046980ba06fa472f", - "zh:c35bf5d22d8051c7da2fdced75d8fe86142c117a746c4fd0ed917b1c3e780838", - "zh:c8826f24bd0a48ad46a56844ef85064c70b64d83214907089f06c3b84a1dca04", - "zh:ccd3bb336ad73b17861c720af41401d9d04f9d0e097c1fc36af56895697ae7a0", - "zh:d2e6f67d31cd334b9af32243f40ed564d4acf67b1dff39c47a752a9e22361e44", + "zh:2bbbf13713ca4767267b889471c9fc14a56a8fdf5d1013da3ca78667e3caec64", + "zh:409ccb05431d643a079da082d89db2d95d6afed4769997ac537c8b7de3bff867", + "zh:53e4bca0f5d015380f7f524f36344afe6211ccaf614bfc69af73ca64a9f47d6c", + "zh:5780be2c1981d090604d7fa4cef675462f17f40e7f3dc501a031488e87a35b8f", + "zh:850e61a1b3e64c752c418526ccf48653514c861b36f5feb631619f906f7e99a0", + "zh:8c3565bfcea006a734149cc080452a9daf7d2a9d5362eb7e0a088b6c0d7f0f03", + "zh:908b9e6ad49d5d21173ecefc7924902047611be93bbf8e7d021aa9563358396f", + "zh:a2a79765c029bc58966eff61cb6e9b0ee14d2ac52b0a22fc7dfa35c9a49af669", + "zh:c7f56cbe8743e9ba81fce871bc97d9c07abe86770d9ee7ffefbf3882a61ba89a", + "zh:d4dba80e33421b30d81c62611fb7fc62ad39afecc6484436e635913cd8553e67", ] } provider 
"registry.terraform.io/hashicorp/azurerm" { - version = "3.100.0" - constraints = "<= 3.100.0" + version = "4.5.0" + constraints = ">= 3.110.0" hashes = [ - "h1:/3X1KgoKBqJo0xe3XDUD0fxfqUK+0Fn8SghwvwY+BIA=", - "zh:20c3259fd94ab41c6c3425fb428d8bd279addb755c8ea1fe0b3e1c3bea4363cb", - "zh:4c4a8d5dbd8a9d7b60934b0ffed442fe50ab1b0559b9693399e3f66eca53d045", - "zh:7c21f569b839e40d4976beb6143adaccc5688d1a754dde054cb6f19ca33576b2", - "zh:88042b599de9ff8ec200e26636e06682e024a28331c4c48db8589d6a03279a8a", - "zh:95c20834eee3b46a85e338988bf14a9a70f74f9cae45ec934cf157dedaa40f28", - "zh:beeed81f4483dec0b64bf1aaf611c5030ad6e4c88c4bd75f956835653a1a29c0", - "zh:d76fa7371648b5bdc17115b5e42fa616fe4c6d2998f727a0956c0bddc4842365", - "zh:d89fcaa83a1ff7c9f29c49b31c60c29d8a84486e11d34573d767a5cd208da7d8", - "zh:ddbe18aee99fb7e2c93343f7f8a95837461a047ca660553c88c873761205ed76", - "zh:e6e70c7635bb4472810bfd0a31949640e72c535e6e8707454ea7e86dcb5fcd89", - "zh:f0575689ce28e220bc8daa4d2fefbfd90afde01a14343c61dfd6489960e22ff4", + "h1:bAEb9HTc1Yl0ULs+WQAI6jAoKWv4I2LUGpoESf/iCyc=", + "zh:27ac12977bdb7b82217a3fe35d3206e1e4261465d738aff93244ec90f2bd431a", + "zh:36a619af3767a92ee892c5de24604eeb9f23a5a01bb8455115a5eb4bd656f234", + "zh:45a374637b794427c5e07d23c6312d92d58bed3594789322c109d333ea1865e5", + "zh:538e501d313cfc0b61f3b2e5be9ae7755df3d3d9a3e4f14e0ea6a943d5102109", + "zh:64d8e4b94a1324292fe318bf27c6149aa345eabab8b89d9d78ce447ce5600e65", + "zh:7b3fcc0a724c5e00e6ce0e7da22010b6ae4bd2622544ef4d31fd4100f85985d7", + "zh:84876a614b010ae5dbef1b1edd9a22447cf57b9300b9eaf4321d587bfebf82dc", + "zh:850e3900fb2b55ad85b6def8b580fb851778bb470be5354cb0a0244d03acd5a4", + "zh:b6355d1eb7d165b246ad9c8f7c0ce7ccd5bbc58a01bd853c7ca896c71f4cd295", + "zh:bd4f1558f24af356d372937b810801555471eafbbc0552471bb6760f8ddd6b7e", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f78eaaf507ab56041112b765f6ca1740221773f3b32710bb8d087f29a686f30f", ] } 
diff --git a/terraform/subscriptions/s940/globals/common/main.tf b/terraform/subscriptions/s940/globals/common/main.tf
index dc23d8d23..aa5af5fa9 100644
--- a/terraform/subscriptions/s940/globals/common/main.tf
+++ b/terraform/subscriptions/s940/globals/common/main.tf
@@ -1,3 +1,11 @@
+module "resourcegroups" {
+ for_each = toset(["common", "monitoring"])
+
+ source = "../../../modules/resourcegroups"
+ name = each.value
+ location = module.config.location
+}
+
 data "azurerm_subscription" "main" {
 subscription_id = module.config.subscription
 }
@@ -35,6 +43,37 @@ module "storageaccount" {
 log_analytics_id = module.config.backend.log_analytics_workspace_id
 }
 
+resource "azurerm_role_definition" "privatelink_role" {
+ name = "Radix Privatelink rbac-${module.config.environment}"
+ scope = "/subscriptions/${module.config.subscription}"
+ description = "The role to manage Private Endpoints"
+
+ permissions {
+ actions = [
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+
+ "Microsoft.Network/privateEndpoints/read",
+ "Microsoft.Network/privateEndpoints/write",
+ "Microsoft.Network/privateEndpoints/delete",
+
+ "Microsoft.Network/virtualNetworks/read",
+ "Microsoft.Network/virtualNetworks/subnets/read",
+ "Microsoft.Network/virtualNetworks/subnets/write",
+ "Microsoft.Network/virtualNetworks/subnets/join/action",
+
+ // Persmissions to create Private DNS Zone entry:
+ "Microsoft.Network/privateDnsZones/join/action",
+ "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
+ "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
+ "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/delete",
+ ]
+ }
+ assignable_scopes = [
+ data.azurerm_subscription.main.id
+ ]
+}
+
 output "environment" {
 value = module.config.environment
 }
diff --git a/terraform/subscriptions/s940/globals/config.yaml b/terraform/subscriptions/s940/globals/config.yaml
index 1d5cf6236..bb7855f27 100644
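Review bot: `privatelink_role` lists `Microsoft.Network/virtualNetworks/subnets/write` and `Microsoft.Resources/deployments/*` with the whole subscription as the only assignable scope, so any principal holding it can rewrite subnet settings (NSG association, delegations, service endpoints) on every VNet in the subscription. Creating a private endpoint needs `subnets/join/action`, which is already listed; `subnets/write` is only required to change `privateEndpointNetworkPolicies` on the PE subnet, and `deployments/*` only if the holder drives ARM deployments directly, so either drop them or document the reason next to each, e.g. `// subnets/write: only to set privateEndpointNetworkPolicies on the PE subnet`. The comment `// Persmissions to create Private DNS Zone entry:` should read `Permissions`. The s941/globals/common hunk defines the identical role and shares these points.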
--- a/terraform/subscriptions/s940/globals/config.yaml +++ b/terraform/subscriptions/s940/globals/config.yaml @@ -8,4 +8,4 @@ backend: subscription_id: "ded7ca41-37c8-4085-862f-b11d21ab341a" tenant_id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0" ip_key_vault_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-platform/providers/Microsoft.KeyVault/vaults/radix-keyv-platform" - log_analytics_workspace_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-platform/providers/Microsoft.OperationalInsights/workspaces/radix-logs-platform" \ No newline at end of file + log_analytics_workspace_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-platform/providers/Microsoft.OperationalInsights/workspaces/radix-logs-platform" diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf index 3c58a6d43..6a8481c88 100644 --- a/terraform/subscriptions/s940/prod/common/main.tf +++ b/terraform/subscriptions/s940/prod/common/main.tf 
@@ -141,6 +141,38 @@ module "radix-id-acr-workflows" {
 }
 }
 
+module "radix_id_gitrunner" {
+ source = "../../../modules/userassignedidentity"
+ name = "radix-id-gitrunner-${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ roleassignments = {
+ privatelink-contributor = {
+ role = "Radix Privatelink rbac-${module.config.subscription_shortname}"
+ scope_id = "/subscriptions/${module.config.subscription}"
+ }
+ blob_contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = "${module.config.backend.terraform_storage_id}"
+ }
+ storage_blob_contributor = {
+ role = "Storage Blob Data Contributor" # Needed to read blobdata
+ scope_id = "${module.config.backend.terraform_storage_id}"
+ }
+ vnet_contributor = {
+ role = "Contributor"
+ scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
+ }
+ }
+ federated_credentials = {
+ radix-id-gitrunner = {
+ name = "radix-id-gitrunner-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix:environment:${module.config.environment}"
+ },
+ }
+}
+
 module "radix-cr-cicd" {
 source = "../../../modules/app_registration"
 display_name = "radix-cr-cicd-${module.config.environment}"
diff --git a/terraform/subscriptions/s940/prod/config.yaml b/terraform/subscriptions/s940/prod/config.yaml
index b47c26559..74b27754d 100644
--- a/terraform/subscriptions/s940/prod/config.yaml
+++ b/terraform/subscriptions/s940/prod/config.yaml
@@ -8,4 +8,5 @@ backend: subscription_id: "ded7ca41-37c8-4085-862f-b11d21ab341a" tenant_id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0" ip_key_vault_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-platform/providers/Microsoft.KeyVault/vaults/radix-keyv-platform" + terraform_storage_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/s940-tfstate/providers/Microsoft.Storage/storageAccounts/s940radixinfra" diff --git a/terraform/subscriptions/s940/prod/virtualnetwork/main.tf b/terraform/subscriptions/s940/prod/virtualnetwork/main.tf index e9b2047d6..5cfa0e308 100644 --- a/terraform/subscriptions/s940/prod/virtualnetwork/main.tf +++ b/terraform/subscriptions/s940/prod/virtualnetwork/main.tf @@ -2,12 +2,6 @@ module "config" { source = "../../../modules/config" } -data "github_repository_file" "this" { - repository = "equinor/radix" - branch = "main" - file = "privatelinks/${module.config.environment}.yaml" -} - module "resourcegroups" { source = "../../../modules/resourcegroups" name = module.config.vnet_resource_group @@ -103,16 +97,3 @@ output "public_ip_prefix_ids" { ingress_id = module.azurerm_public_ip_prefix_ingress.data.id } } - -module "private_endpoints" { - source = "../../../modules/private-endpoints" - for_each = yamldecode(data.github_repository_file.this.content) - server_name = each.key - subresourcename = each.value.subresourcename - resource_id = each.value.resource_id - vnet_resource_group = module.resourcegroups.data.name - customdnszone = lookup(each.value, "customdnszone", "") - customname = lookup(each.value, "customname", "") - location = module.config.location - depends_on = [data.github_repository_file.this] -} diff --git a/terraform/subscriptions/s941/dev/common/github.tf b/terraform/subscriptions/s941/dev/common/github.tf index 8098ad35d..c91ffc1b8 100644 --- a/terraform/subscriptions/s941/dev/common/github.tf +++ b/terraform/subscriptions/s941/dev/common/github.tf 
@@ -38,7 +38,6 @@ resource "azuread_application_federated_identity_credential" "github-operator-fe audiences = ["api://AzureADTokenExchange"] issuer = "https://token.actions.githubusercontent.com" subject = "repo:equinor/radix-platform:environment:s941" - timeouts {} } @@ -49,6 +48,5 @@ resource "azuread_application_federated_identity_credential" "github-operator-fe audiences = ["api://AzureADTokenExchange"] issuer = "https://token.actions.githubusercontent.com" subject = "repo:equinor/radix-platform:environment:operations" - timeouts {} } diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf index 9c6ecfb2c..753a8d059 100644 --- a/terraform/subscriptions/s941/dev/common/main.tf +++ b/terraform/subscriptions/s941/dev/common/main.tf 
@@ -136,6 +136,38 @@ module "radix-id-acr-workflows" {
 }
 }
 
+module "radix_id_gitrunner" {
+ source = "../../../modules/userassignedidentity"
+ name = "radix-id-gitrunner-${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ roleassignments = {
+ privatelink-contributor = {
+ role = "Radix Privatelink rbac-${module.config.subscription_shortname}"
+ scope_id = "/subscriptions/${module.config.subscription}"
+ }
+ blob_contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = "${module.config.backend.terraform_storage_id}"
+ }
+ storage_blob_contributor = {
+ role = "Storage Blob Data Contributor" # Needed to read blobdata
+ scope_id = "${module.config.backend.terraform_storage_id}"
+ }
+ vnet_contributor = {
+ role = "Contributor"
+ scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
+ }
+ }
+ federated_credentials = {
+ radix-id-gitrunner = {
+ name = "radix-id-gitrunner-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix:environment:${module.config.environment}"
+ },
+ }
+}
+
 module "radix-cr-cicd" {
 source = "../../../modules/app_registration"
 display_name = "radix-cr-cicd-${module.config.environment}"
diff --git a/terraform/subscriptions/s941/dev/config.yaml b/terraform/subscriptions/s941/dev/config.yaml
index ffc97b07b..5219307f0 100644
--- a/terraform/subscriptions/s941/dev/config.yaml
+++ b/terraform/subscriptions/s941/dev/config.yaml
@@ -9,3 +9,4 @@ backend: subscription_id: "16ede44b-1f74-40a5-b428-46cca9a5741b" tenant_id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0" ip_key_vault_id: "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/common-dev/providers/Microsoft.KeyVault/vaults/radix-keyv-dev" + terraform_storage_id: "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/s941-tfstate/providers/Microsoft.Storage/storageAccounts/s941radixinfra" diff --git a/terraform/subscriptions/s941/dev/virtualnetwork/main.tf b/terraform/subscriptions/s941/dev/virtualnetwork/main.tf index d66b44c1b..de5268ad5 100644 --- a/terraform/subscriptions/s941/dev/virtualnetwork/main.tf +++ b/terraform/subscriptions/s941/dev/virtualnetwork/main.tf @@ -2,12 +2,6 @@ module "config" { source = "../../../modules/config" } -data "github_repository_file" "this" { - repository = "equinor/radix" - branch = "main" - file = "privatelinks/${module.config.environment}.yaml" -} - module "resourcegroups" { source = "../../../modules/resourcegroups" name = module.config.vnet_resource_group @@ -61,16 +55,3 @@ output "public_ip_prefix_ids" { ingress_id = module.azurerm_public_ip_prefix_ingress.data.id } } - -module "private_endpoints" { - source = "../../../modules/private-endpoints" - for_each = yamldecode(data.github_repository_file.this.content) - server_name = each.key - subresourcename = each.value.subresourcename - resource_id = each.value.resource_id - vnet_resource_group = module.resourcegroups.data.name - customdnszone = lookup(each.value, "customdnszone", "") - customname = lookup(each.value, "customname", "") - location = module.config.location - depends_on = [data.github_repository_file.this] -} diff --git a/terraform/subscriptions/s941/globals/common/.terraform.lock.hcl b/terraform/subscriptions/s941/globals/common/.terraform.lock.hcl index 070f102fe..8dc762d39 100644 --- a/terraform/subscriptions/s941/globals/common/.terraform.lock.hcl 
+++ b/terraform/subscriptions/s941/globals/common/.terraform.lock.hcl 
@@ -2,40 +2,40 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azuread" { - version = "2.48.0" + version = "3.0.2" hashes = [ - "h1:0bqCK3mnamo16MVyEiyYayNAwRMCOentHqw/rPmx7/0=", - "zh:0ec4f1ca1825f038001173c40f4b6edbdbc71d018d782b45c22d5e272ca0ec16", + "h1:sYCyzbPpSYu2XDah8XqBUITQAfB0x4j4Twh6lw2C4CA=", + "zh:16e724b80a9004c7978c30f69a73c98ff63eb8a03937dd44c2a8f0ea0438b7a3", "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:22154cd497009b5b1cb6b87131b3f31521b3de392ade1ac64dade3f29b03f8d0", - "zh:2723fe574d7a89242bd642b896ff7006d36f8a5d5a7c3876c7e1e2ada567d599", - "zh:2858abe3209fa0035419a4b2f8f155878fb6ecbc64f72c6f726dad583b1c8217", - "zh:3ba51d3e3ba6f12e8e12b043d7bc5f4415fc1ac08b81306ad546fe1ca2a3aa32", - "zh:49a39fb3713ba1a58fcb7b040bc4430ab4edb5116e8d7d33b73361f07febaead", - "zh:6a043d62a9cbfb805040e33e700cdcbfb5f199a74ae3867fc10c6810741ab222", - "zh:906c0961425d5854b22c9fed4d319248a7c88f0037547ea8472998720487ae25", - "zh:a1d246d8e0362afe397f0aedf0e68cf7d920fbae1adb88841f63dc98c06e5888", - "zh:c7df4d912c970600d9cba97a60c84b1a4ad1031feb723021c6984d99b320fd5c", - "zh:e8fbec893b4feb4410185126f2421ef0bdbbb102d1370ed72bb65b99d8869b98", + "zh:2bbbf13713ca4767267b889471c9fc14a56a8fdf5d1013da3ca78667e3caec64", + "zh:409ccb05431d643a079da082d89db2d95d6afed4769997ac537c8b7de3bff867", + "zh:53e4bca0f5d015380f7f524f36344afe6211ccaf614bfc69af73ca64a9f47d6c", + "zh:5780be2c1981d090604d7fa4cef675462f17f40e7f3dc501a031488e87a35b8f", + "zh:850e61a1b3e64c752c418526ccf48653514c861b36f5feb631619f906f7e99a0", + "zh:8c3565bfcea006a734149cc080452a9daf7d2a9d5362eb7e0a088b6c0d7f0f03", + "zh:908b9e6ad49d5d21173ecefc7924902047611be93bbf8e7d021aa9563358396f", + "zh:a2a79765c029bc58966eff61cb6e9b0ee14d2ac52b0a22fc7dfa35c9a49af669", + "zh:c7f56cbe8743e9ba81fce871bc97d9c07abe86770d9ee7ffefbf3882a61ba89a", + "zh:d4dba80e33421b30d81c62611fb7fc62ad39afecc6484436e635913cd8553e67", ] } provider 
"registry.terraform.io/hashicorp/azurerm" { - version = "3.69.0" - constraints = "<= 3.69.0" + version = "4.4.0" + constraints = ">= 3.110.0" hashes = [ - "h1:Y9P5uiObriBw8Ky39QPu/+I3P9om2M07xBfrhge06c0=", - "zh:00de2580c92828edf5ac02c1287dd247f647ceaa34f8a1e5bf0e2962a99240e4", - "zh:074412944b7d0f5aaf65c0d30c8c82dfb35f0f987a6c94ddfc0e0d9989ea35c2", - "zh:09e1a23ef5331191cee641a71a525c77418e16f666a1c9c82baf01d44d5db66c", - "zh:1c2172a661130d17d982bb6e9228e338bec92763a8cb86bba799357c85238003", - "zh:2f9c7a3a2c269dd3b62dec4a94495694f0ed29b3d7a16bcc6baf8ded9af734d1", - "zh:3d75d487e03ea2f711ffc760aab29aa5a67a19948a4430e61da658edcd2ecb86", - "zh:6e9c98be1768f2b53d43178638832b336e405e65bfa9feb3ec6b7b9444ebd4ea", - "zh:7bbdbb7448147a380077fbf8a356ab9a0e279043a6e7e4beef8cdbebd6243d30", - "zh:ad22c8472f5ec4133860a690ce0b0091a2a834523a0d05e57006b5d86cf0b78e", - "zh:dffe3bce5564841bec9039005aedb464048dad55942e01756d08362b7e81999a", - "zh:e63928a70be9a7afe26b9276b5f1825157670596dec974923759c98fd7e68208", + "h1:UM01c0fXmJd28DvkoHL38uRKm8dlvGt8bDcuZcWVbpc=", + "zh:04890898b58f2c25c8a1e17fec67c442ef2476dfc119642d001741f6d2e8bc42", + "zh:0b99e793c5d56529df51de06ed53599a5c2715cfa09bf4ed59997ed7dbf8b6bc", + "zh:11c3cf86dcf07077f8f3b040afa69205609b1333204cec2ee8779df1223aa4cd", + "zh:12dbc644830aa9e04a332882269ace24f7365e53d0a32a9d193442e61b22bb5a", + "zh:2656f4742245d51a07ae0c7221c5de33b027fce99fe1c37295c9d67d6107db27", + "zh:48bd6c8f32d7849e291ff47e5790f26046a3bc35b9f10219425784804b86f1ab", + "zh:55334716561e630462a719318a172c047ca51c1ebc0d5fa878a0ee2446d7beb9", + "zh:656c7aa2f4b39aa6e8d7d2ae5afb77fae07b795fa7f1b212eaccea90ef71ebbe", + "zh:777c0e7280d9202e7cc5c580bfb538ae34e644777111e05b9553b5e3c1e8f397", + "zh:81fc7b48b8cb87eb27f70da457d3df8eb4a067f9e4d36cf947a2eeca0b7f96f1", + "zh:98e3bfca410207f61c7eb89e670c18b24d77cad82dd104af8d7a68885e2586cb", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } 
diff --git a/terraform/subscriptions/s941/globals/common/main.tf b/terraform/subscriptions/s941/globals/common/main.tf
index 3a7d7ad6c..aef5834a0 100644
--- a/terraform/subscriptions/s941/globals/common/main.tf
+++ b/terraform/subscriptions/s941/globals/common/main.tf
@@ -1,5 +1,5 @@
 module "resourcegroups" {
- for_each = toset(["backups", "common", "Logs-Dev"])
+ for_each = toset(["backups", "common", "Logs-Dev", "monitoring"])
 
 source = "../../../modules/resourcegroups"
 name = each.value
@@ -42,4 +42,33 @@ module "storageaccount" {
 vault_id = module.backupvault.data.backupvault.id
 policyblobstorage_id = module.backupvault.data.policyblobstorage.id
 log_analytics_id = module.config.backend.log_analytics_workspace_id
-}
\ No newline at end of file
+}
+
+resource "azurerm_role_definition" "privatelink_role" {
+ name = "Radix Privatelink rbac-${module.config.environment}"
+ scope = "/subscriptions/${module.config.subscription}"
+ description = "The role to manage Private Endpoints"
+
+ permissions {
+ actions = [
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+
+ "Microsoft.Network/privateEndpoints/read",
+ "Microsoft.Network/privateEndpoints/write",
+ "Microsoft.Network/privateEndpoints/delete",
+ "Microsoft.Network/virtualNetworks/read",
+ "Microsoft.Network/virtualNetworks/subnets/read",
+ "Microsoft.Network/virtualNetworks/subnets/write",
+ "Microsoft.Network/virtualNetworks/subnets/join/action",
+ // Persmissions to create Private DNS Zone entry:
+ "Microsoft.Network/privateDnsZones/join/action",
+ "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
+ "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
+ "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/delete",
+ ]
+ }
+ assignable_scopes = [
+ data.azurerm_subscription.main.id
+ ]
+}
diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf
index 715d41399..15a142357 100644
--- a/terraform/subscriptions/s941/playground/common/main.tf
+++ b/terraform/subscriptions/s941/playground/common/main.tf
@@ -136,6 +136,38 @@ module "radix-id-acr-workflows" {
 }
 }
 
+module "radix_id_gitrunner" {
+ source = "../../../modules/userassignedidentity"
+ name = "radix-id-gitrunner-${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ roleassignments = {
+ privatelinks-contributor = {
+ role = "Radix Privatelink rbac-${module.config.subscription_shortname}"
+ scope_id = "/subscriptions/${module.config.subscription}"
+ }
+ blob_contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = "${module.config.backend.terraform_storage_id}"
+ }
+ storage_blob_contributor = {
+ role = "Storage Blob Data Contributor" # Needed to read blobdata
+ scope_id = "${module.config.backend.terraform_storage_id}"
+ }
+ vnet_contributor = {
+ role = "Contributor"
+ scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
+ }
+ }
+ federated_credentials = {
+ radix-id-gitrunner = {
+ name = "radix-id-gitrunner-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix:environment:${module.config.environment}"
+ },
+ }
+}
+
 module "radix-cr-cicd" {
 source = "../../../modules/app_registration"
 display_name = "radix-cr-cicd-${module.config.environment}"
diff --git a/terraform/subscriptions/s941/playground/config.yaml b/terraform/subscriptions/s941/playground/config.yaml
index 3d3970a36..fec882700 100644
--- a/terraform/subscriptions/s941/playground/config.yaml
+++ b/terraform/subscriptions/s941/playground/config.yaml
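Review bot: The map key is `privatelinks-contributor` here while the c2, prod and dev hunks use `privatelink-contributor`; if the key becomes the role-assignment index inside the `userassignedidentity` module (not visible here), the drift makes the four environments diverge for no reason, so use `privatelink-contributor = {`. Apart from that the block is identical to the other three, including the `Contributor` assignments on the whole state storage account and the whole VNet resource group, which are wider than the comments "open firewall" and "read blobdata" call for.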
@@ -8,3 +8,4 @@ backend: subscription_id: "16ede44b-1f74-40a5-b428-46cca9a5741b" tenant_id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0" ip_key_vault_id: "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/common-playground/providers/Microsoft.KeyVault/vaults/radix-keyv-playground" + terraform_storage_id: "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/s941-tfstate/providers/Microsoft.Storage/storageAccounts/s941radixinfra" diff --git a/terraform/subscriptions/s941/playground/virtualnetwork/main.tf b/terraform/subscriptions/s941/playground/virtualnetwork/main.tf index 3d1c8dd41..85e1bd408 100644 --- a/terraform/subscriptions/s941/playground/virtualnetwork/main.tf +++ b/terraform/subscriptions/s941/playground/virtualnetwork/main.tf @@ -2,12 +2,6 @@ module "config" { source = "../../../modules/config" } -data "github_repository_file" "this" { - repository = "equinor/radix" - branch = "main" - file = "privatelinks/${module.config.environment}.yaml" -} - module "resourcegroups" { source = "../../../modules/resourcegroups" name = module.config.vnet_resource_group @@ -61,16 +55,3 @@ output "public_ip_prefix_ids" { ingress_id = module.azurerm_public_ip_prefix_ingress.data.id } } - -module "private_endpoints" { - source = "../../../modules/private-endpoints" - for_each = yamldecode(data.github_repository_file.this.content) - server_name = each.key - subresourcename = each.value.subresourcename - resource_id = each.value.resource_id - vnet_resource_group = module.resourcegroups.data.name - customdnszone = lookup(each.value, "customdnszone", "") - customname = lookup(each.value, "customname", "") - location = module.config.location - depends_on = [data.github_repository_file.this] -}