From 623d185cdbe4c293f0cc7aa74d07352012626dd4 Mon Sep 17 00:00:00 2001 From: Richard Hagen Date: Tue, 6 Feb 2024 16:30:07 +0100 Subject: [PATCH 01/12] terraform config for Vulnerability Scanner in C2 + Prod --- .../s940/c2/vulnerability-scanner/backend.tf | 23 ++++++++++ .../s940/c2/vulnerability-scanner/input.tf | 34 +++++++++++++++ .../s940/c2/vulnerability-scanner/main.tf | 43 +++++++++++++++++++ .../c2/vulnerability-scanner/variables.tf | 14 ++++++ .../prod/vulnerability-scanner/backend.tf | 23 ++++++++++ .../s940/prod/vulnerability-scanner/input.tf | 34 +++++++++++++++ .../s940/prod/vulnerability-scanner/main.tf | 43 +++++++++++++++++++ .../prod/vulnerability-scanner/variables.tf | 14 ++++++ 8 files changed, 228 insertions(+) create mode 100644 terraform/subscriptions/s940/c2/vulnerability-scanner/backend.tf create mode 100644 terraform/subscriptions/s940/c2/vulnerability-scanner/input.tf create mode 100644 terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf create mode 100644 terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf create mode 100644 terraform/subscriptions/s940/prod/vulnerability-scanner/backend.tf create mode 100644 terraform/subscriptions/s940/prod/vulnerability-scanner/input.tf create mode 100644 terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf create mode 100644 terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/backend.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/backend.tf new file mode 100644 index 000000000..78477a164 --- /dev/null +++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/backend.tf 
@@ -0,0 +1,23 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<=3.69.0"
+ }
+ }
+
+ backend "azurerm" {
+ tenant_id = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+ subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+ resource_group_name = "s940-tfstate"
+ storage_account_name = "s940radixinfra"
+ container_name = "infrastructure"
+ key = "c2/vulnerability-scan/terraform.tfstate"
+ }
+}
+
+provider "azurerm" {
+ subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+ features {
+ }
+}
diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/input.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/input.tf
new file mode 100644
index 000000000..fa57681e3
--- /dev/null
+++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/input.tf
@@ -0,0 +1,34 @@
+locals {
+
+ external_outputs = {
+ common = data.terraform_remote_state.common.outputs
+ // keyvault = data.terraform_remote_state.keyvault.outputs.data
+ }
+
+ backend = {
+ resource_group_name = "s940-tfstate"
+ storage_account_name = "s940radixinfra"
+ container_name = "infrastructure"
+ subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+ }
+}
+
+
+data "terraform_remote_state" "common" {
+ backend = "azurerm"
+ config = merge(
+ local.backend,
+ { key = "c2/common/terraform.tfstate" })
+}
+
+#data "terraform_remote_state" "keyvault" {
+# backend = "azurerm"
+# config = merge(
+# local.backend,
+# { key = "playground/key-vault/terraform.tfstate" })
+#}
+#
+#
+#
+
+
diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
new file mode 100644
index 000000000..16e56a43b
--- /dev/null
+++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
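Review bot: The provider constraint `version = "<=3.69.0"` in the terraform block sets only a ceiling, so an init without a committed lock file may resolve any older azurerm release, including ones with different resource schemas; pin it, e.g. `version = "= 3.69.0"`, or commit `.terraform.lock.hcl` alongside these roots. The same constraint is copied into every new backend.tf in this series (L4, L8, L12, L17 and L21). input.tf also restates the state storage coordinates (`s940-tfstate`, `s940radixinfra` and the subscription id) that backend.tf already holds, so the two copies can drift apart; deriving the remote-state `config` from one shared `locals` block would keep them aligned.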
@@ -0,0 +1,43 @@
+module "resourcegroup" {
+ source = "../../../modules/resourcegroups"
+ name = "${var.resourse_group_name}-${local.external_outputs.common.data.enviroment}"
+ location = local.external_outputs.common.data.location
+}
+data "azurerm_key_vault" "keyvault" {
+ name = "radix-vault-c2-prod"
+ resource_group_name = "common"
+}
+data "azurerm_key_vault_secret" "keyvault_secrets" {
+ name = var.keyvault_dbadmin_secret_name
+ key_vault_id = data.azurerm_key_vault.keyvault.id # local.external_outputs.keyvault.vault_id
+}
+
+# MS SQL Server
+module "mssql-database" {
+ source = "../../../modules/mssqldatabase"
+ env = local.external_outputs.common.data.enviroment
+ database_name = "radix-vulnerability-scan"
+ server_name = "sql-radix-vulnerability-scan-${local.external_outputs.common.data.enviroment}"
+ admin_adgroup = var.admin-adgroup
+ administrator_login = "radix"
+ administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value
+ rg_name = module.resourcegroup.data.name
+ location = local.external_outputs.common.data.location
+ public_network_access_enabled = false
+ zone_redundant = false
+
+ admin_federated_credentials = {
+ github-master = {
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/master"
+ }
+ github-release = {
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release"
+ }
+ }
+}
+
+output "mi-client-id" {
+ value = module.mssql-database.mi-admin
+}
diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf
new file mode 100644
index 000000000..efcfa767b
--- /dev/null
+++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf
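Review bot: `administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value` copies the SQL admin secret out of Key Vault into this root module, and Terraform persists both the data-source result and the module input in clear text in the state written to `c2/vulnerability-scan/terraform.tfstate` in the shared `infrastructure` container. Read access to that container is therefore equivalent to holding the database admin password and should be limited to the identity that runs these roots. If the mssqldatabase module supports Entra-only authentication (it already takes `admin_adgroup` and appears to create an admin user-assigned identity, per its output.tf at L17), dropping the password login would remove the secret from state altogether. The same pattern is repeated in the prod main.tf (L6) and in the cost-allocation roots (L10, L14, L18, L22).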
@@ -0,0 +1,14 @@
+variable "admin-adgroup" {
+ type = string
+ default = "Radix SQL server admin - c2"
+}
+
+variable "resourse_group_name" {
+ type = string
+ default = "vulnerability-scan"
+}
+
+variable "keyvault_dbadmin_secret_name" {
+ type = string
+ default = "radix-vulnerability-scan-db-admin"
+}
diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/backend.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/backend.tf
new file mode 100644
index 000000000..b623598fc
--- /dev/null
+++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/backend.tf
@@ -0,0 +1,23 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<=3.69.0"
+ }
+ }
+
+ backend "azurerm" {
+ tenant_id = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+ subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+ resource_group_name = "s940-tfstate"
+ storage_account_name = "s940radixinfra"
+ container_name = "infrastructure"
+ key = "prod/vulnerability-scan/terraform.tfstate"
+ }
+}
+
+provider "azurerm" {
+ subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+ features {
+ }
+}
diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/input.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/input.tf
new file mode 100644
index 000000000..4e57f4176
--- /dev/null
+++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/input.tf
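Review bot: None of the three variables in variables.tf carries a `description`, so a reader has to open main.tf to learn that `admin-adgroup` names an Entra ID group and `keyvault_dbadmin_secret_name` the Key Vault secret holding the SQL admin password; one line each would do, e.g. `description = "Entra ID group granted admin on the SQL server"`. `admin-adgroup` is also supplied as a display name ("Radix SQL server admin - c2"); if the mssqldatabase module resolves it by display name (not visible here), bear in mind that display names are not unique in Entra ID and the group object id is the safer key. The same applies to the prod (L7), dev (L11) and playground (L15) variables.tf.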
@@ -0,0 +1,34 @@ +locals { + + external_outputs = { + common = data.terraform_remote_state.common.outputs + // keyvault = data.terraform_remote_state.keyvault.outputs.data + } + + backend = { + resource_group_name = "s940-tfstate" + storage_account_name = "s940radixinfra" + container_name = "infrastructure" + subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" + } +} + + +data "terraform_remote_state" "common" { + backend = "azurerm" + config = merge( + local.backend, + { key = "prod/common/terraform.tfstate" }) +} + +#data "terraform_remote_state" "keyvault" { +# backend = "azurerm" +# config = merge( +# local.backend, +# { key = "playground/key-vault/terraform.tfstate" }) +#} +# +# +# + + diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf new file mode 100644 index 000000000..61fa6ff6f --- /dev/null +++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf 
@@ -0,0 +1,43 @@ +module "resourcegroup" { + source = "../../../modules/resourcegroups" + name = "${var.resourse_group_name}-${local.external_outputs.common.data.enviroment}" + location = local.external_outputs.common.data.location +} +data "azurerm_key_vault" "keyvault" { + name = "radix-vault-prod" + resource_group_name = "common" +} +data "azurerm_key_vault_secret" "keyvault_secrets" { + name = var.keyvault_dbadmin_secret_name + key_vault_id = data.azurerm_key_vault.keyvault.id # local.external_outputs.keyvault.vault_id +} + +# MS SQL Server +module "mssql-database" { + source = "../../../modules/mssqldatabase" + env = local.external_outputs.common.data.enviroment + database_name = "radix-vulnerability-scan" + server_name = "sql-radix-vulnerability-scan-${local.external_outputs.common.data.enviroment}" + admin_adgroup = var.admin-adgroup + administrator_login = "radix" + administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value + rg_name = module.resourcegroup.data.name + location = local.external_outputs.common.data.location + public_network_access_enabled = false + zone_redundant = false + + admin_federated_credentials = { + github-master = { + issuer = "https://token.actions.githubusercontent.com" + subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/master" + } + github-release = { + issuer = "https://token.actions.githubusercontent.com" + subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release" + } + } +} + +output "mi-client-id" { + value = module.mssql-database.mi-admin +} diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf new file mode 100644 index 000000000..3091271e6 --- /dev/null +++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf 
@@ -0,0 +1,14 @@ +variable "admin-adgroup" { + type = string + default = "Radix SQL server admin - platform" +} + +variable "resourse_group_name" { + type = string + default = "vulnerability-scan" +} + +variable "keyvault_dbadmin_secret_name" { + type = string + default = "radix-vulnerability-scan-db-admin" +} From d02145e80003f343510e85228304743b02f8a959 Mon Sep 17 00:00:00 2001 From: Richard Hagen Date: Tue, 6 Feb 2024 16:35:23 +0100 Subject: [PATCH 02/12] bugfix c2 --- terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf index 16e56a43b..0c6dbe14f 100644 --- a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf @@ -5,7 +5,7 @@ module "resourcegroup" { } data "azurerm_key_vault" "keyvault" { name = "radix-vault-c2-prod" - resource_group_name = "common" + resource_group_name = "common-westeurope" } data "azurerm_key_vault_secret" "keyvault_secrets" { name = var.keyvault_dbadmin_secret_name From b4888cb4b466f9ee4255407d66594308d2b53af3 Mon Sep 17 00:00:00 2001 From: Richard Hagen Date: Tue, 6 Feb 2024 17:36:18 +0100 Subject: [PATCH 03/12] added cost-allocation to terraform --- .../modules/mssqldatabase/variables.tf | 4 ++ .../s941/dev/cost-allocation/backend.tf | 23 +++++++++ .../s941/dev/cost-allocation/input.tf | 34 +++++++++++++ .../s941/dev/cost-allocation/main.tf | 49 +++++++++++++++++++ .../s941/dev/cost-allocation/variables.tf | 14 ++++++ 5 files changed, 124 insertions(+) create mode 100644 terraform/subscriptions/s941/dev/cost-allocation/backend.tf create mode 100644 terraform/subscriptions/s941/dev/cost-allocation/input.tf create mode 100644 terraform/subscriptions/s941/dev/cost-allocation/main.tf create mode 100644 terraform/subscriptions/s941/dev/cost-allocation/variables.tf 
diff --git a/terraform/subscriptions/modules/mssqldatabase/variables.tf b/terraform/subscriptions/modules/mssqldatabase/variables.tf index d34a8f600..3b943b5da 100644 --- a/terraform/subscriptions/modules/mssqldatabase/variables.tf +++ b/terraform/subscriptions/modules/mssqldatabase/variables.tf @@ -67,6 +67,10 @@ variable "tags" { type = map(string) default = {} } +variable "database_tags" { + type = map(string) + default = {} +} variable "virtual_network" { type = string diff --git a/terraform/subscriptions/s941/dev/cost-allocation/backend.tf b/terraform/subscriptions/s941/dev/cost-allocation/backend.tf new file mode 100644 index 000000000..845eab635 --- /dev/null +++ b/terraform/subscriptions/s941/dev/cost-allocation/backend.tf @@ -0,0 +1,23 @@ +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "<=3.69.0" + } + } + + backend "azurerm" { + tenant_id = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b" + resource_group_name = "s941-tfstate" + storage_account_name = "s941radixinfra" + container_name = "infrastructure" + key = "dev/cost-allocation/terraform.tfstate" + } +} + +provider "azurerm" { + subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b" + features { + } +} diff --git a/terraform/subscriptions/s941/dev/cost-allocation/input.tf b/terraform/subscriptions/s941/dev/cost-allocation/input.tf new file mode 100644 index 000000000..d4e42da1f --- /dev/null +++ b/terraform/subscriptions/s941/dev/cost-allocation/input.tf 
@@ -0,0 +1,34 @@ +locals { + + external_outputs = { + common = data.terraform_remote_state.common.outputs + // keyvault = data.terraform_remote_state.keyvault.outputs.data + } + + backend = { + resource_group_name = "s941-tfstate" + storage_account_name = "s941radixinfra" + container_name = "infrastructure" + subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b" + } +} + + +data "terraform_remote_state" "common" { + backend = "azurerm" + config = merge( + local.backend, + { key = "dev/common/terraform.tfstate" }) +} + +#data "terraform_remote_state" "keyvault" { +# backend = "azurerm" +# config = merge( +# local.backend, +# { key = "playground/key-vault/terraform.tfstate" }) +#} +# +# +# + + diff --git a/terraform/subscriptions/s941/dev/cost-allocation/main.tf b/terraform/subscriptions/s941/dev/cost-allocation/main.tf new file mode 100644 index 000000000..98a558b2c --- /dev/null +++ b/terraform/subscriptions/s941/dev/cost-allocation/main.tf 
@@ -0,0 +1,49 @@
+module "resourcegroup" {
+ source = "../../../modules/resourcegroups"
+ name = "${var.resourse_group_name}-${local.external_outputs.common.data.enviroment}"
+ location = local.external_outputs.common.data.location
+}
+data "azurerm_key_vault" "keyvault" {
+ name = "radix-vault-dev"
+ resource_group_name = "common"
+}
+data "azurerm_key_vault_secret" "keyvault_secrets" {
+ name = var.keyvault_dbadmin_secret_name
+ key_vault_id = data.azurerm_key_vault.keyvault.id # local.external_outputs.keyvault.vault_id
+}
+
+# MS SQL Server
+module "mssql-database" {
+ source = "../../../modules/mssqldatabase"
+ env = local.external_outputs.common.data.enviroment
+ database_name = "sqldb-radix-cost-allocation"
+ server_name = "sql-radix-cost-allocation-${local.external_outputs.common.data.enviroment}"
+ admin_adgroup = var.admin-adgroup
+ administrator_login = "radix"
+ administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value
+ rg_name = module.resourcegroup.data.name
+ location = local.external_outputs.common.data.location
+ public_network_access_enabled = true
+ zone_redundant = false
+ tags = {
+ displayName = "SqlServer"
+ }
+ database_tags = {
+ displayName = "Database"
+ }
+
+ admin_federated_credentials = {
+ github-master = {
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/master"
+ }
+ github-release = {
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release"
+ }
+ }
+}
+
+output "mi-client-id" {
+ value = module.mssql-database.mi-admin
+}
diff --git a/terraform/subscriptions/s941/dev/cost-allocation/variables.tf b/terraform/subscriptions/s941/dev/cost-allocation/variables.tf
new file mode 100644
index 000000000..e226bd528
--- /dev/null
+++ b/terraform/subscriptions/s941/dev/cost-allocation/variables.tf
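Review bot: `public_network_access_enabled = true` opens the dev SQL server's public endpoint, while the c2 (L3), prod (L6) and playground (L14) roots in this same series set it to false. If dev genuinely needs public reachability, say why in a comment next to the line and confirm that the module's firewall rules are the only thing admitting traffic; otherwise change it to `public_network_access_enabled = false` so dev matches the other environments.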
@@ -0,0 +1,14 @@ +variable "admin-adgroup" { + type = string + default = "Radix SQL server admin - dev" +} + +variable "resourse_group_name" { + type = string + default = "cost-allocation" +} + +variable "keyvault_dbadmin_secret_name" { + type = string + default = "radix-cost-allocation-db-admin" +} From 6f20c22a418bb3dca46727c924febafd6141bca2 Mon Sep 17 00:00:00 2001 From: Richard Hagen Date: Tue, 6 Feb 2024 17:59:52 +0100 Subject: [PATCH 04/12] added cost-allocation to terraform in playground --- .../modules/mssqldatabase/main.tf | 2 +- .../s941/dev/cost-allocation/main.tf | 8 ++- .../playground/cost-allocation/backend.tf | 23 +++++++++ .../s941/playground/cost-allocation/input.tf | 34 +++++++++++++ .../s941/playground/cost-allocation/main.tf | 49 +++++++++++++++++++ .../playground/cost-allocation/variables.tf | 14 ++++++ 6 files changed, 127 insertions(+), 3 deletions(-) create mode 100644 terraform/subscriptions/s941/playground/cost-allocation/backend.tf create mode 100644 terraform/subscriptions/s941/playground/cost-allocation/input.tf create mode 100644 terraform/subscriptions/s941/playground/cost-allocation/main.tf create mode 100644 terraform/subscriptions/s941/playground/cost-allocation/variables.tf diff --git a/terraform/subscriptions/modules/mssqldatabase/main.tf b/terraform/subscriptions/modules/mssqldatabase/main.tf index 4a89ce0d2..2c83f4a43 100644 --- a/terraform/subscriptions/modules/mssqldatabase/main.tf +++ b/terraform/subscriptions/modules/mssqldatabase/main.tf @@ -29,7 +29,7 @@ resource "azurerm_mssql_database" "mssql_database" { read_scale = var.read_scale sku_name = var.sku_name zone_redundant = var.zone_redundant - tags = var.tags + tags = var.database_tags depends_on = [azurerm_mssql_server.sqlserver] long_term_retention_policy { monthly_retention = "PT0S" diff --git a/terraform/subscriptions/s941/dev/cost-allocation/main.tf b/terraform/subscriptions/s941/dev/cost-allocation/main.tf index 98a558b2c..059b45610 100644 
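Review bot: Switching the database resource from `tags = var.tags` to `tags = var.database_tags` means every existing caller of the mssqldatabase module that passes only `tags` will have its database tags removed on the next apply, because `database_tags` defaults to `{}` (L8). A fallback preserves the old behaviour for those callers: `tags = length(var.database_tags) > 0 ? var.database_tags : var.tags`. The enclosing `azurerm_mssql_database` block starts and ends outside the hunk.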
--- a/terraform/subscriptions/s941/dev/cost-allocation/main.tf +++ b/terraform/subscriptions/s941/dev/cost-allocation/main.tf @@ -35,11 +35,15 @@ module "mssql-database" { admin_federated_credentials = { github-master = { issuer = "https://token.actions.githubusercontent.com" - subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/master" + subject = "repo:equinor/radix-cost-allocation:ref:refs/heads/master" } github-release = { issuer = "https://token.actions.githubusercontent.com" - subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release" + subject = "repo:equinor/radix-cost-allocation:ref:refs/heads/release" + } + test = { + issuer = "https://token.actions.githubusercontent.com" + subject = "repo:equinor/radix-cost-allocation:pull_request" } } } diff --git a/terraform/subscriptions/s941/playground/cost-allocation/backend.tf b/terraform/subscriptions/s941/playground/cost-allocation/backend.tf new file mode 100644 index 000000000..c23cb31c3 --- /dev/null +++ b/terraform/subscriptions/s941/playground/cost-allocation/backend.tf @@ -0,0 +1,23 @@ +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "<=3.69.0" + } + } + + backend "azurerm" { + tenant_id = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b" + resource_group_name = "s941-tfstate" + storage_account_name = "s941radixinfra" + container_name = "infrastructure" + key = "playground/cost-allocation/terraform.tfstate" + } +} + +provider "azurerm" { + subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b" + features { + } +} diff --git a/terraform/subscriptions/s941/playground/cost-allocation/input.tf b/terraform/subscriptions/s941/playground/cost-allocation/input.tf new file mode 100644 index 000000000..24736915f --- /dev/null +++ b/terraform/subscriptions/s941/playground/cost-allocation/input.tf 
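Review bot: The new `test` federated credential binds the SQL server admin managed identity to `repo:equinor/radix-cost-allocation:pull_request`, so any pull-request workflow run in that repository can obtain the database admin identity, not only the master and release branches the other two credentials allow. If PR builds only need to run tests against the database, give them a separate identity with the minimum database role, or at least scope the subject to a protected GitHub environment (`repo:equinor/radix-cost-allocation:environment:<env-name>`) rather than the bare `pull_request` claim. The enclosing `module "mssql-database"` block starts outside the hunk.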
@@ -0,0 +1,34 @@ +locals { + + external_outputs = { + common = data.terraform_remote_state.common.outputs + // keyvault = data.terraform_remote_state.keyvault.outputs.data + } + + backend = { + resource_group_name = "s941-tfstate" + storage_account_name = "s941radixinfra" + container_name = "infrastructure" + subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b" + } +} + + +data "terraform_remote_state" "common" { + backend = "azurerm" + config = merge( + local.backend, + { key = "playground/common/terraform.tfstate" }) +} + +#data "terraform_remote_state" "keyvault" { +# backend = "azurerm" +# config = merge( +# local.backend, +# { key = "playground/key-vault/terraform.tfstate" }) +#} +# +# +# + + diff --git a/terraform/subscriptions/s941/playground/cost-allocation/main.tf b/terraform/subscriptions/s941/playground/cost-allocation/main.tf new file mode 100644 index 000000000..e2bea2054 --- /dev/null +++ b/terraform/subscriptions/s941/playground/cost-allocation/main.tf 
@@ -0,0 +1,49 @@ +module "resourcegroup" { + source = "../../../modules/resourcegroups" + name = "${var.resourse_group_name}-${local.external_outputs.common.data.enviroment}" + location = local.external_outputs.common.data.location +} +data "azurerm_key_vault" "keyvault" { + name = "radix-vault-dev" + resource_group_name = "common" +} +data "azurerm_key_vault_secret" "keyvault_secrets" { + name = var.keyvault_dbadmin_secret_name + key_vault_id = data.azurerm_key_vault.keyvault.id # local.external_outputs.keyvault.vault_id +} + +# MS SQL Server +module "mssql-database" { + source = "../../../modules/mssqldatabase" + env = local.external_outputs.common.data.enviroment + database_name = "sqldb-radix-cost-allocation" + server_name = "sql-radix-cost-allocation-${local.external_outputs.common.data.enviroment}" + admin_adgroup = var.admin-adgroup + administrator_login = "radix" + administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value + rg_name = module.resourcegroup.data.name + location = local.external_outputs.common.data.location + public_network_access_enabled = false + zone_redundant = false + tags = { + displayName = "SqlServer" + } + database_tags = { + displayName = "Database" + } + + admin_federated_credentials = { + github-master = { + issuer = "https://token.actions.githubusercontent.com" + subject = "repo:equinor/radix-cost-allocation:ref:refs/heads/master" + } + github-release = { + issuer = "https://token.actions.githubusercontent.com" + subject = "repo:equinor/radix-cost-allocation:ref:refs/heads/release" + } + } +} + +output "mi-client-id" { + value = module.mssql-database.mi-admin +} diff --git a/terraform/subscriptions/s941/playground/cost-allocation/variables.tf b/terraform/subscriptions/s941/playground/cost-allocation/variables.tf new file mode 100644 index 000000000..4777ec3b6 --- /dev/null +++ b/terraform/subscriptions/s941/playground/cost-allocation/variables.tf 
@@ -0,0 +1,14 @@ +variable "admin-adgroup" { + type = string + default = "Radix SQL server admin - playground" +} + +variable "resourse_group_name" { + type = string + default = "cost-allocation" +} + +variable "keyvault_dbadmin_secret_name" { + type = string + default = "radix-cost-allocation-db-admin" +} From 7dbcd26421ca04cc1e7de78d65d2e13642f4d2d3 Mon Sep 17 00:00:00 2001 
From: Richard Hagen Date: Wed, 7 Feb 2024 14:09:34 +0100 Subject: [PATCH 05/12] update cost allocation and vulnerability scanner in c2, platform, dev & playground --- .../subscriptions/modules/config/main.tf | 2 +- .../modules/mssqldatabase/output.tf | 2 +- .../s940/c2/cost-allocation/backend.tf | 23 ++++++++ .../s940/c2/cost-allocation/main.tf | 53 +++++++++++++++++++ .../s940/c2/cost-allocation/variables.tf | 9 ++++ .../s940/c2/vulnerability-scanner/backend.tf | 2 +- .../s940/c2/vulnerability-scanner/input.tf | 34 ------------ .../s940/c2/vulnerability-scanner/main.tf | 21 ++++---- .../c2/vulnerability-scanner/variables.tf | 5 -- .../s940/prod/cost-allocation/backend.tf | 23 ++++++++ .../s940/prod/cost-allocation/main.tf | 53 +++++++++++++++++++ .../s940/prod/cost-allocation/variables.tf | 9 ++++ .../prod/vulnerability-scanner/backend.tf | 2 +- .../s940/prod/vulnerability-scanner/input.tf | 34 ------------ .../s940/prod/vulnerability-scanner/main.tf | 17 +++--- .../prod/vulnerability-scanner/variables.tf | 5 -- .../s941/dev/cost-allocation/input.tf | 34 ------------ .../s941/dev/cost-allocation/main.tf | 20 ++++--- .../s941/dev/cost-allocation/variables.tf | 5 -- .../s941/dev/vulnerability-scanner/main.tf | 6 +-- .../s941/playground/cost-allocation/input.tf | 34 ------------ .../s941/playground/cost-allocation/main.tf | 20 ++++--- .../playground/cost-allocation/variables.tf | 5 -- .../playground/vulnerability-scanner/main.tf | 4 +- 24 files changed, 225 insertions(+), 197 deletions(-) create mode 100644 terraform/subscriptions/s940/c2/cost-allocation/backend.tf create mode 100644 terraform/subscriptions/s940/c2/cost-allocation/main.tf create mode 100644 terraform/subscriptions/s940/c2/cost-allocation/variables.tf delete mode 100644 terraform/subscriptions/s940/c2/vulnerability-scanner/input.tf create mode 100644 terraform/subscriptions/s940/prod/cost-allocation/backend.tf create mode 100644 terraform/subscriptions/s940/prod/cost-allocation/main.tf create mode 
100644 terraform/subscriptions/s940/prod/cost-allocation/variables.tf delete mode 100644 terraform/subscriptions/s940/prod/vulnerability-scanner/input.tf delete mode 100644 terraform/subscriptions/s941/dev/cost-allocation/input.tf delete mode 100644 terraform/subscriptions/s941/playground/cost-allocation/input.tf diff --git a/terraform/subscriptions/modules/config/main.tf b/terraform/subscriptions/modules/config/main.tf index 67b82c90c..31991aa8f 100644 --- a/terraform/subscriptions/modules/config/main.tf +++ b/terraform/subscriptions/modules/config/main.tf @@ -1,5 +1,5 @@ variable "configfile" { - type = string + type = string default = "../config.yaml" } diff --git a/terraform/subscriptions/modules/mssqldatabase/output.tf b/terraform/subscriptions/modules/mssqldatabase/output.tf index 43a197aa9..0ceda11ea 100644 --- a/terraform/subscriptions/modules/mssqldatabase/output.tf +++ b/terraform/subscriptions/modules/mssqldatabase/output.tf @@ -5,7 +5,7 @@ output "admin_adgroup" { output "mi-admin" { value = { - name = azurerm_user_assigned_identity.admin.name + name = azurerm_user_assigned_identity.admin.name client_id = azurerm_user_assigned_identity.admin.client_id } } diff --git a/terraform/subscriptions/s940/c2/cost-allocation/backend.tf b/terraform/subscriptions/s940/c2/cost-allocation/backend.tf new file mode 100644 index 000000000..07dd5397d --- /dev/null +++ b/terraform/subscriptions/s940/c2/cost-allocation/backend.tf @@ -0,0 +1,23 @@ +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "<=3.69.0" + } + } + + backend "azurerm" { + tenant_id = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" + resource_group_name = "s940-tfstate" + storage_account_name = "s940radixinfra" + container_name = "infrastructure" + key = "c2/cost-allocation/terraform.tfstate" + } +} + +provider "azurerm" { + subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" + features { + } +} 
diff --git a/terraform/subscriptions/s940/c2/cost-allocation/main.tf b/terraform/subscriptions/s940/c2/cost-allocation/main.tf new file mode 100644 index 000000000..cc888327a --- /dev/null +++ b/terraform/subscriptions/s940/c2/cost-allocation/main.tf @@ -0,0 +1,53 @@ +module "config" { + source = "../../../modules/config" +} + +module "resourcegroup" { + source = "../../../modules/resourcegroups" + name = "cost-allocation-${module.config.environment}" + location = module.config.location +} +data "azurerm_key_vault" "keyvault" { + name = module.config.key_vault_name + resource_group_name = module.config.common_resource_group +} +data "azurerm_key_vault_secret" "keyvault_secrets" { + name = var.keyvault_dbadmin_secret_name + key_vault_id = data.azurerm_key_vault.keyvault.id # local.external_outputs.keyvault.vault_id +} + +# MS SQL Server +module "mssql-database" { + source = "../../../modules/mssqldatabase" + env = module.config.environment + database_name = "sqldb-radix-cost-allocation" + server_name = "sql-radix-cost-allocation-${module.config.environment}" + admin_adgroup = var.admin-adgroup + administrator_login = "radix" + administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value + rg_name = module.resourcegroup.data.name + location = module.config.location + public_network_access_enabled = false + zone_redundant = false + tags = { + displayName = "SqlServer" + } + database_tags = { + displayName = "Database" + } + + admin_federated_credentials = { + github-master = { + issuer = "https://token.actions.githubusercontent.com" + subject = "repo:equinor/radix-cost-allocation:ref:refs/heads/master" + } + github-release = { + issuer = "https://token.actions.githubusercontent.com" + subject = "repo:equinor/radix-cost-allocation:ref:refs/heads/release" + } + } +} + +output "mi-client-id" { + value = module.mssql-database.mi-admin +} 
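Review bot: The trailing comment `# local.external_outputs.keyvault.vault_id` on `key_vault_id` refers to a local that this root module never defines (no input.tf is created for cost-allocation in s940, and the same commit drops the comment from the vulnerability-scanner main.tf at L20); delete it so it does not suggest an alternative that cannot work here. The output `mi-client-id` also returns the whole `mi-admin` object, which per the module's output.tf (L17) holds both `name` and `client_id`; either rename the output to `mi-admin` or select `value = module.mssql-database.mi-admin.client_id`. Both points apply equally to the prod copy at L22.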
diff --git a/terraform/subscriptions/s940/c2/cost-allocation/variables.tf b/terraform/subscriptions/s940/c2/cost-allocation/variables.tf new file mode 100644 index 000000000..30a6bbff4 --- /dev/null +++ b/terraform/subscriptions/s940/c2/cost-allocation/variables.tf @@ -0,0 +1,9 @@ +variable "admin-adgroup" { + type = string + default = "Radix SQL server admin - c2" +} + +variable "keyvault_dbadmin_secret_name" { + type = string + default = "radix-cost-allocation-db-admin" +} diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/backend.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/backend.tf index 78477a164..cfc98cb67 100644 --- a/terraform/subscriptions/s940/c2/vulnerability-scanner/backend.tf +++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/backend.tf @@ -17,7 +17,7 @@ terraform { } provider "azurerm" { - subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" + subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" features { } } diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/input.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/input.tf deleted file mode 100644 index fa57681e3..000000000 --- a/terraform/subscriptions/s940/c2/vulnerability-scanner/input.tf +++ /dev/null @@ -1,34 +0,0 @@ -locals { - - external_outputs = { - common = data.terraform_remote_state.common.outputs - // keyvault = data.terraform_remote_state.keyvault.outputs.data - } - - backend = { - resource_group_name = "s940-tfstate" - storage_account_name = "s940radixinfra" - container_name = "infrastructure" - subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" - } -} - - -data "terraform_remote_state" "common" { - backend = "azurerm" - config = merge( - local.backend, - { key = "c2/common/terraform.tfstate" }) -} - -#data "terraform_remote_state" "keyvault" { -# backend = "azurerm" -# config = merge( -# local.backend, -# { key = "playground/key-vault/terraform.tfstate" }) -#} -# -# -# - - 
diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf index 0c6dbe14f..c69786254 100644 --- a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf @@ -1,28 +1,31 @@ +module "config" { + source = "../../../modules/config" +} module "resourcegroup" { - source = "../../../modules/resourcegroups" - name = "${var.resourse_group_name}-${local.external_outputs.common.data.enviroment}" - location = local.external_outputs.common.data.location + source = "../../../modules/resourcegroups" + name = "vulnerability-scan-${module.config.environment}" + location = module.config.location } data "azurerm_key_vault" "keyvault" { - name = "radix-vault-c2-prod" - resource_group_name = "common-westeurope" + name = module.config.key_vault_name + resource_group_name = module.config.common_resource_group } data "azurerm_key_vault_secret" "keyvault_secrets" { name = var.keyvault_dbadmin_secret_name - key_vault_id = data.azurerm_key_vault.keyvault.id # local.external_outputs.keyvault.vault_id + key_vault_id = data.azurerm_key_vault.keyvault.id } # MS SQL Server module "mssql-database" { source = "../../../modules/mssqldatabase" - env = local.external_outputs.common.data.enviroment + env = module.config.environment database_name = "radix-vulnerability-scan" - server_name = "sql-radix-vulnerability-scan-${local.external_outputs.common.data.enviroment}" + server_name = "sql-radix-vulnerability-scan-${module.config.environment}" admin_adgroup = var.admin-adgroup administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name - location = local.external_outputs.common.data.location + location = module.config.location public_network_access_enabled = false zone_redundant = false 
diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf index efcfa767b..56b4edea4 100644 --- a/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf +++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf @@ -3,11 +3,6 @@ variable "admin-adgroup" { default = "Radix SQL server admin - c2" } -variable "resourse_group_name" { - type = string - default = "vulnerability-scan" -} - variable "keyvault_dbadmin_secret_name" { type = string default = "radix-vulnerability-scan-db-admin" diff --git a/terraform/subscriptions/s940/prod/cost-allocation/backend.tf b/terraform/subscriptions/s940/prod/cost-allocation/backend.tf new file mode 100644 index 000000000..a815134a8 --- /dev/null +++ b/terraform/subscriptions/s940/prod/cost-allocation/backend.tf @@ -0,0 +1,23 @@ +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "<=3.69.0" + } + } + + backend "azurerm" { + tenant_id = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" + resource_group_name = "s940-tfstate" + storage_account_name = "s940radixinfra" + container_name = "infrastructure" + key = "prod/cost-allocation/terraform.tfstate" + } +} + +provider "azurerm" { + subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" + features { + } +} diff --git a/terraform/subscriptions/s940/prod/cost-allocation/main.tf b/terraform/subscriptions/s940/prod/cost-allocation/main.tf new file mode 100644 index 000000000..cc888327a --- /dev/null +++ b/terraform/subscriptions/s940/prod/cost-allocation/main.tf 
@@ -0,0 +1,53 @@ +module "config" { + source = "../../../modules/config" +} + +module "resourcegroup" { + source = "../../../modules/resourcegroups" + name = "cost-allocation-${module.config.environment}" + location = module.config.location +} +data "azurerm_key_vault" "keyvault" { + name = module.config.key_vault_name + resource_group_name = module.config.common_resource_group +} +data "azurerm_key_vault_secret" "keyvault_secrets" { + name = var.keyvault_dbadmin_secret_name + key_vault_id = data.azurerm_key_vault.keyvault.id # local.external_outputs.keyvault.vault_id +} + +# MS SQL Server +module "mssql-database" { + source = "../../../modules/mssqldatabase" + env = module.config.environment + database_name = "sqldb-radix-cost-allocation" + server_name = "sql-radix-cost-allocation-${module.config.environment}" + admin_adgroup = var.admin-adgroup + administrator_login = "radix" + administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value + rg_name = module.resourcegroup.data.name + location = module.config.location + public_network_access_enabled = false + zone_redundant = false + tags = { + displayName = "SqlServer" + } + database_tags = { + displayName = "Database" + } + + admin_federated_credentials = { + github-master = { + issuer = "https://token.actions.githubusercontent.com" + subject = "repo:equinor/radix-cost-allocation:ref:refs/heads/master" + } + github-release = { + issuer = "https://token.actions.githubusercontent.com" + subject = "repo:equinor/radix-cost-allocation:ref:refs/heads/release" + } + } +} + +output "mi-client-id" { + value = module.mssql-database.mi-admin +} diff --git a/terraform/subscriptions/s940/prod/cost-allocation/variables.tf b/terraform/subscriptions/s940/prod/cost-allocation/variables.tf new file mode 100644 index 000000000..5ed916f91 --- /dev/null +++ b/terraform/subscriptions/s940/prod/cost-allocation/variables.tf 
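Review bot: The `admin_federated_credentials` subjects `repo:equinor/radix-cost-allocation:ref:refs/heads/master` and `...:ref:refs/heads/release` let any GitHub Actions job that runs on either branch obtain the identity the module exports as `mi-admin`, so the strength of this trust is exactly the branch protection configured on those two branches in that repository; if the deploy workflows already run under a GitHub environment, an `environment:`-scoped subject such as `repo:equinor/radix-cost-allocation:environment:prod` would also tie the token to that environment's protection rules. Separately, the trailing `# local.external_outputs.keyvault.vault_id` on the `key_vault_id` line refers to the remote-state wiring this series removes, and the c2 counterpart dropped the same comment, so it should go here too. Since this file is new, a header comment naming the Key Vault secret it consumes and the GitHub repository it trusts would help the next reader.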
@@ -0,0 +1,9 @@ +variable "admin-adgroup" { + type = string + default = "Radix SQL server admin - platform" +} + +variable "keyvault_dbadmin_secret_name" { + type = string + default = "radix-cost-allocation-db-admin" +} diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/backend.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/backend.tf index b623598fc..c036dfcae 100644 --- a/terraform/subscriptions/s940/prod/vulnerability-scanner/backend.tf +++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/backend.tf @@ -17,7 +17,7 @@ terraform { } provider "azurerm" { - subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" + subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" features { } } diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/input.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/input.tf deleted file mode 100644 index 4e57f4176..000000000 --- a/terraform/subscriptions/s940/prod/vulnerability-scanner/input.tf +++ /dev/null @@ -1,34 +0,0 @@ -locals { - - external_outputs = { - common = data.terraform_remote_state.common.outputs - // keyvault = data.terraform_remote_state.keyvault.outputs.data - } - - backend = { - resource_group_name = "s940-tfstate" - storage_account_name = "s940radixinfra" - container_name = "infrastructure" - subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" - } -} - - -data "terraform_remote_state" "common" { - backend = "azurerm" - config = merge( - local.backend, - { key = "prod/common/terraform.tfstate" }) -} - -#data "terraform_remote_state" "keyvault" { -# backend = "azurerm" -# config = merge( -# local.backend, -# { key = "playground/key-vault/terraform.tfstate" }) -#} -# -# -# - - diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf index 61fa6ff6f..658dc96d2 100644 --- a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf 
+++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf @@ -1,11 +1,14 @@ +module "config" { + source = "../../../modules/config" +} module "resourcegroup" { - source = "../../../modules/resourcegroups" - name = "${var.resourse_group_name}-${local.external_outputs.common.data.enviroment}" - location = local.external_outputs.common.data.location + source = "../../../modules/resourcegroups" + name = "vulnerability-scan-${module.config.environment}" + location = module.config.location } data "azurerm_key_vault" "keyvault" { - name = "radix-vault-prod" - resource_group_name = "common" + name = module.config.key_vault_name + resource_group_name = module.config.common_resource_group } data "azurerm_key_vault_secret" "keyvault_secrets" { name = var.keyvault_dbadmin_secret_name @@ -17,12 +20,12 @@ module "mssql-database" { source = "../../../modules/mssqldatabase" env = local.external_outputs.common.data.enviroment database_name = "radix-vulnerability-scan" - server_name = "sql-radix-vulnerability-scan-${local.external_outputs.common.data.enviroment}" + server_name = "sql-radix-vulnerability-scan-${module.config.environment}" admin_adgroup = var.admin-adgroup administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name - location = local.external_outputs.common.data.location + location = module.config.location public_network_access_enabled = false zone_redundant = false diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf index 3091271e6..058e077ea 100644 --- a/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf +++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf 
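Review bot: The context line `env = local.external_outputs.common.data.enviroment` in the second hunk still references `local.external_outputs`, but this same commit deletes `input.tf`, the only file in this directory that declared that local and the `terraform_remote_state` behind it, so `terraform validate` will fail on an undeclared local value. Apply the same substitution used for the other arguments: `env = module.config.environment`. Note that for s940/prod this value appears to resolve to `platform` rather than the `prod` the remote-state output presumably returned (the config module special-cases `platform` for the vnet resource group later in the series), so check what the `mssqldatabase` module does with `var.env` before applying. The `mssql-database` module block starts before this hunk and continues after it.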
@@ -3,11 +3,6 @@ variable "admin-adgroup" { default = "Radix SQL server admin - platform" } -variable "resourse_group_name" { - type = string - default = "vulnerability-scan" -} - variable "keyvault_dbadmin_secret_name" { type = string default = "radix-vulnerability-scan-db-admin" diff --git a/terraform/subscriptions/s941/dev/cost-allocation/input.tf b/terraform/subscriptions/s941/dev/cost-allocation/input.tf deleted file mode 100644 index d4e42da1f..000000000 --- a/terraform/subscriptions/s941/dev/cost-allocation/input.tf +++ /dev/null @@ -1,34 +0,0 @@ -locals { - - external_outputs = { - common = data.terraform_remote_state.common.outputs - // keyvault = data.terraform_remote_state.keyvault.outputs.data - } - - backend = { - resource_group_name = "s941-tfstate" - storage_account_name = "s941radixinfra" - container_name = "infrastructure" - subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b" - } -} - - -data "terraform_remote_state" "common" { - backend = "azurerm" - config = merge( - local.backend, - { key = "dev/common/terraform.tfstate" }) -} - -#data "terraform_remote_state" "keyvault" { -# backend = "azurerm" -# config = merge( -# local.backend, -# { key = "playground/key-vault/terraform.tfstate" }) -#} -# -# -# - - diff --git a/terraform/subscriptions/s941/dev/cost-allocation/main.tf b/terraform/subscriptions/s941/dev/cost-allocation/main.tf index 059b45610..d22641637 100644 --- a/terraform/subscriptions/s941/dev/cost-allocation/main.tf +++ b/terraform/subscriptions/s941/dev/cost-allocation/main.tf 
@@ -1,11 +1,15 @@ +module "config" { + source = "../../../modules/config" +} + module "resourcegroup" { - source = "../../../modules/resourcegroups" - name = "${var.resourse_group_name}-${local.external_outputs.common.data.enviroment}" - location = local.external_outputs.common.data.location + source = "../../../modules/resourcegroups" + name = "cost-allocation-${module.config.environment}" + location = module.config.location } data "azurerm_key_vault" "keyvault" { - name = "radix-vault-dev" - resource_group_name = "common" + name = module.config.key_vault_name + resource_group_name = module.config.common_resource_group } data "azurerm_key_vault_secret" "keyvault_secrets" { name = var.keyvault_dbadmin_secret_name @@ -15,14 +19,14 @@ data "azurerm_key_vault_secret" "keyvault_secrets" { # MS SQL Server module "mssql-database" { source = "../../../modules/mssqldatabase" - env = local.external_outputs.common.data.enviroment + env = module.config.environment database_name = "sqldb-radix-cost-allocation" - server_name = "sql-radix-cost-allocation-${local.external_outputs.common.data.enviroment}" + server_name = "sql-radix-cost-allocation-${module.config.environment}" admin_adgroup = var.admin-adgroup administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name - location = local.external_outputs.common.data.location + location = module.config.location public_network_access_enabled = true zone_redundant = false tags = { diff --git a/terraform/subscriptions/s941/dev/cost-allocation/variables.tf b/terraform/subscriptions/s941/dev/cost-allocation/variables.tf index e226bd528..b728d3bc1 100644 --- a/terraform/subscriptions/s941/dev/cost-allocation/variables.tf +++ b/terraform/subscriptions/s941/dev/cost-allocation/variables.tf 
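Review bot: The Key Vault data source moves from the hard-coded `radix-vault-dev` in `common` to `module.config.key_vault_name`, which the config module renders as `radix-keyv-dev`, while `s941/dev/vulnerability-scanner/main.tf` in the same commit keeps the old vault behind a `TODO: Migrate keys to radix-kv-dev when ready` comment; so either `radix-cost-allocation-db-admin` has already been copied to the new vault or this stack now fails at plan time. If it was copied with a different value, `administrator_password` would presumably rotate the admin password of the existing dev server on apply, so the two secrets should be compared first. Record the outcome at the data source, e.g. `# radix-cost-allocation-db-admin lives in radix-keyv-dev; vulnerability-scanner still reads the old radix-vault-dev`. The `mssql-database` block in the second hunk continues past the hunk.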
@@ -3,11 +3,6 @@ variable "admin-adgroup" { default = "Radix SQL server admin - dev" } -variable "resourse_group_name" { - type = string - default = "cost-allocation" -} - variable "keyvault_dbadmin_secret_name" { type = string default = "radix-cost-allocation-db-admin" diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf index 5f20c6f0b..5b8545d81 100644 --- a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf @@ -1,5 +1,5 @@ module "resourcegroup" { - source = "../../../modules/resourcegroups" + source = "../../../modules/resourcegroups" name = "${var.resourse_group_name}-${module.config.environment}" location = module.config.location } @@ -10,8 +10,8 @@ module "config" { # TODO: Migrate keys to radix-kv-dev when ready data "azurerm_key_vault" "keyvault" { - name = "radix-vault-dev" # module.config.key_vault_name - resource_group_name = "common" # module.config.common_resource_group + name = "radix-vault-dev" # module.config.key_vault_name + resource_group_name = "common" # module.config.common_resource_group } data "azurerm_key_vault_secret" "keyvault_secrets" { diff --git a/terraform/subscriptions/s941/playground/cost-allocation/input.tf b/terraform/subscriptions/s941/playground/cost-allocation/input.tf deleted file mode 100644 index 24736915f..000000000 --- a/terraform/subscriptions/s941/playground/cost-allocation/input.tf +++ /dev/null 
@@ -1,34 +0,0 @@ -locals { - - external_outputs = { - common = data.terraform_remote_state.common.outputs - // keyvault = data.terraform_remote_state.keyvault.outputs.data - } - - backend = { - resource_group_name = "s941-tfstate" - storage_account_name = "s941radixinfra" - container_name = "infrastructure" - subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b" - } -} - - -data "terraform_remote_state" "common" { - backend = "azurerm" - config = merge( - local.backend, - { key = "playground/common/terraform.tfstate" }) -} - -#data "terraform_remote_state" "keyvault" { -# backend = "azurerm" -# config = merge( -# local.backend, -# { key = "playground/key-vault/terraform.tfstate" }) -#} -# -# -# - - diff --git a/terraform/subscriptions/s941/playground/cost-allocation/main.tf b/terraform/subscriptions/s941/playground/cost-allocation/main.tf index e2bea2054..cc888327a 100644 --- a/terraform/subscriptions/s941/playground/cost-allocation/main.tf +++ b/terraform/subscriptions/s941/playground/cost-allocation/main.tf @@ -1,11 +1,15 @@ +module "config" { + source = "../../../modules/config" +} + module "resourcegroup" { - source = "../../../modules/resourcegroups" - name = "${var.resourse_group_name}-${local.external_outputs.common.data.enviroment}" - location = local.external_outputs.common.data.location + source = "../../../modules/resourcegroups" + name = "cost-allocation-${module.config.environment}" + location = module.config.location } data "azurerm_key_vault" "keyvault" { - name = "radix-vault-dev" - resource_group_name = "common" + name = module.config.key_vault_name + resource_group_name = module.config.common_resource_group } data "azurerm_key_vault_secret" "keyvault_secrets" { name = var.keyvault_dbadmin_secret_name 
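Review bot: Playground previously read its SQL admin secret from the dev vault `radix-vault-dev` in resource group `common`; after this hunk it reads `module.config.key_vault_name`, presumably `radix-keyv-playground`, a different vault. That is the right direction for environment separation, but it means `radix-cost-allocation-db-admin` must be provisioned in the playground vault before this applies, with a value matching the existing server unless a password rotation is intended. A one-line comment on the data source, e.g. `# Secret moved from the shared dev vault to the playground vault; value must match the existing server`, would spare the next reader the archaeology.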
@@ -15,14 +19,14 @@ data "azurerm_key_vault_secret" "keyvault_secrets" { # MS SQL Server module "mssql-database" { source = "../../../modules/mssqldatabase" - env = local.external_outputs.common.data.enviroment + env = module.config.environment database_name = "sqldb-radix-cost-allocation" - server_name = "sql-radix-cost-allocation-${local.external_outputs.common.data.enviroment}" + server_name = "sql-radix-cost-allocation-${module.config.environment}" admin_adgroup = var.admin-adgroup administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name - location = local.external_outputs.common.data.location + location = module.config.location public_network_access_enabled = false zone_redundant = false tags = { diff --git a/terraform/subscriptions/s941/playground/cost-allocation/variables.tf b/terraform/subscriptions/s941/playground/cost-allocation/variables.tf index 4777ec3b6..dd6f71010 100644 --- a/terraform/subscriptions/s941/playground/cost-allocation/variables.tf +++ b/terraform/subscriptions/s941/playground/cost-allocation/variables.tf @@ -3,11 +3,6 @@ variable "admin-adgroup" { default = "Radix SQL server admin - playground" } -variable "resourse_group_name" { - type = string - default = "cost-allocation" -} - variable "keyvault_dbadmin_secret_name" { type = string default = "radix-cost-allocation-db-admin" diff --git a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf index 07e0f52f5..c307e787d 100644 --- a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf 
@@ -3,13 +3,13 @@ module "config" { source = "../../../modules/config" } module "resourcegroup" { - source = "../../../modules/resourcegroups" + source = "../../../modules/resourcegroups" name = "vulnerability-scan-${module.config.environment}" location = module.config.location } data "azurerm_key_vault" "keyvault" { - name = module.config.key_vault_name + name = module.config.key_vault_name resource_group_name = module.config.common_resource_group } data "azurerm_key_vault_secret" "keyvault_secrets" { From 593ea7703a1865f5bd3ac17691725212d2d352ae Mon Sep 17 00:00:00 2001 From: Richard Hagen Date: Thu, 8 Feb 2024 13:54:46 +0100 Subject: [PATCH 06/12] add tenant summary script --- terraform/tenant/summary-tenant.sh | 37 ++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100755 terraform/tenant/summary-tenant.sh diff --git a/terraform/tenant/summary-tenant.sh b/terraform/tenant/summary-tenant.sh new file mode 100755 index 000000000..9e8231ad1 --- /dev/null +++ b/terraform/tenant/summary-tenant.sh 
@@ -0,0 +1,37 @@ +#!/bin/bash +red=$'\e[1;31m' +grn=$'\e[1;32m' +yel=$'\e[1;33m' +normal=$(tput sgr0) + +# Set the directory you want to search +directory="." + +for dir in "$directory"/*; do + if [ ! -d "$dir" ]; then continue; fi + + printf "%s► Execute %s%s\n" "${grn}" "$dir" "${normal}" + terraform -chdir="$dir" init &>/dev/null || echo "Error during terraform init in $dir" + terraform -chdir="$dir" plan -no-color -out=plan.out &>/dev/null || echo "Error during terraform plan in $dir" + + if [ ! -f "$dir/plan.out" ]; then + echo "plan.out was not created in $dir" + continue + fi + + cd "$dir" || exit + plan=$(terraform show -no-color "plan.out") + cd - >/dev/null || exit + + create=$(echo "$plan" | grep "will be created" | sed 's|# |+|g' | sed 's/^ *//g') + destroy=$(echo "$plan" | grep "will be destroyed" | sed 's|# |-|g' | sed 's/^ *//g') + update=$(echo "$plan" | grep "will be updated in-place" | sed 's|# |~|g' | sed 's/^ *//g') + replace=$(echo "$plan" | grep "must be replaced" | sed 's|# |-/+|g' | sed 's/^ *//g') + + if [ -n "$create" ]; then echo -e "The following resources will be created:\n ${grn}${create}${normal}\n"; fi + if [ -n "$destroy" ]; then echo -e "The following resources will be destroyed:\n ${red}${destroy}${normal}\n"; fi + if [ -n "$update" ]; then echo -e "The following resources will be updated:\n ${yel}${update}${normal}\n"; fi + if [ -n "$replace" ]; then echo -e "The following resources will be replaced:\n ${red}${replace}${normal}\n"; fi + if [ -z "$create$destroy$update$replace" ]; then echo -e "No changes. Your infrastructure matches the configuration.\n"; fi + rm "$dir/plan.out" +done From fb1be5e001fa40cf2d9487d3c4b33baada14487f Mon Sep 17 00:00:00 2001 
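Review bot: `terraform plan -out=plan.out` writes a saved plan that embeds the full state, including sensitive values such as the SQL administrator passwords these stacks read from Key Vault, unencrypted into the stack directory, and the only cleanup is the `rm` at the end of the iteration, so `cd "$dir" || exit` or an interrupt leaves that file behind, presumably inside a git working tree. A `mktemp` path with an `EXIT` trap fixes both the leak and any doubt about which directory `-out=` resolves against under `-chdir`, and dropping the `cd`/`cd -` pair in favour of `terraform -chdir="$dir" show` keeps the loop in one directory. Redirecting `init` and `plan` to `/dev/null` also discards the real error, so the `echo` says something failed but not why; keeping stderr, or at least adding `-input=false` so an unset variable cannot block the loop on a prompt, would help. The grep-based classification depends on Terraform's human-readable wording; `terraform show -json` with `resource_changes[].change.actions` is the stable interface if jq is available.

```shell
for dir in "$directory"/*; do
  if [ ! -d "$dir" ]; then continue; fi

  # Absolute, unique plan path: unambiguous under -chdir and removed even if we exit early.
  plan_file=$(mktemp) || exit 1
  trap 'rm -f "$plan_file"' EXIT

  printf "%s► Execute %s%s\n" "${grn}" "$dir" "${normal}"
  terraform -chdir="$dir" init -input=false &>/dev/null || echo "Error during terraform init in $dir"
  terraform -chdir="$dir" plan -input=false -no-color -out="$plan_file" &>/dev/null || echo "Error during terraform plan in $dir"

  if [ ! -s "$plan_file" ]; then
    echo "plan was not written for $dir"
    rm -f "$plan_file"
    continue
  fi

  plan=$(terraform -chdir="$dir" show -no-color "$plan_file")
  # … unchanged: create/destroy/update/replace extraction and printing …
  rm -f "$plan_file"
done
```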
From: Richard Hagen Date: Fri, 9 Feb 2024 13:21:03 +0100 Subject: [PATCH 07/12] handle prod/platform special case --- terraform/subscriptions/modules/config/main.tf | 6 ++++-- .../subscriptions/modules/mssqldatabase/networking.tf | 10 ++++------ .../subscriptions/modules/mssqldatabase/variables.tf | 4 +++- .../subscriptions/s940/prod/cost-allocation/main.tf | 4 +++- .../s940/prod/vulnerability-scanner/main.tf | 3 ++- .../subscriptions/s941/dev/cost-allocation/main.tf | 1 + .../s941/dev/vulnerability-scanner/main.tf | 1 + .../s941/playground/cost-allocation/main.tf | 1 + .../s941/playground/vulnerability-scanner/main.tf | 1 + 9 files changed, 20 insertions(+), 11 deletions(-) diff --git a/terraform/subscriptions/modules/config/main.tf b/terraform/subscriptions/modules/config/main.tf index a2915b9b8..d27dc998c 100644 --- a/terraform/subscriptions/modules/config/main.tf +++ b/terraform/subscriptions/modules/config/main.tf @@ -22,7 +22,9 @@ output "cluster_resource_group" { value = "clusters-${local.config.environment}" } output "vnet_resource_group" { - value = "cluster-vnet-hub-${local.config.environment}" + # Todo: Create platform resources next time eu18 is recreated + # Todo: Also fix terraform/subscriptions/modules/mssqldatabase/networking.tf + value = "cluster-vnet-hub-${local.config.environment == "platform" ? "prod" : local.config.environment}" } output "key_vault_name" { value = "radix-keyv-${local.config.environment}" @@ -37,4 +39,4 @@ output "backend" { output "policy_aks_diagnostics_cluster" { value = "Radix-Enforce-Diagnostics-AKS-Clusters" -} \ No newline at end of file +} diff --git a/terraform/subscriptions/modules/mssqldatabase/networking.tf b/terraform/subscriptions/modules/mssqldatabase/networking.tf index a84a150b5..54cfb0e74 100644 --- a/terraform/subscriptions/modules/mssqldatabase/networking.tf +++ b/terraform/subscriptions/modules/mssqldatabase/networking.tf 
@@ -1,15 +1,13 @@ - - data "azurerm_subnet" "subnet" { name = "private-links" virtual_network_name = var.virtual_network - resource_group_name = "cluster-vnet-hub-${var.env}" + resource_group_name = var.vnet_resource_group } resource "azurerm_private_endpoint" "endpoint" { name = "pe-${var.server_name}" location = var.location - resource_group_name = "cluster-vnet-hub-${var.env}" + resource_group_name = var.vnet_resource_group subnet_id = data.azurerm_subnet.subnet.id private_service_connection { @@ -22,12 +20,12 @@ resource "azurerm_private_endpoint" "endpoint" { data "azurerm_private_dns_zone" "dns_zone" { name = "privatelink.database.windows.net" - resource_group_name = "cluster-vnet-hub-${var.env}" + resource_group_name = var.vnet_resource_group } resource "azurerm_private_dns_a_record" "dns_record" { name = var.server_name zone_name = "privatelink.database.windows.net" - resource_group_name = "cluster-vnet-hub-${var.env}" + resource_group_name = var.vnet_resource_group ttl = 300 records = azurerm_private_endpoint.endpoint.custom_dns_configs[0].ip_addresses } diff --git a/terraform/subscriptions/modules/mssqldatabase/variables.tf b/terraform/subscriptions/modules/mssqldatabase/variables.tf index 3b943b5da..3d90d81ff 100644 --- a/terraform/subscriptions/modules/mssqldatabase/variables.tf +++ b/terraform/subscriptions/modules/mssqldatabase/variables.tf @@ -38,7 +38,9 @@ variable "env" { type = string description = "dev, playground, c2 or prod" } - +variable "vnet_resource_group" { + type = string +} variable "database_name" { type = string diff --git a/terraform/subscriptions/s940/prod/cost-allocation/main.tf b/terraform/subscriptions/s940/prod/cost-allocation/main.tf index cc888327a..26e07476f 100644 --- a/terraform/subscriptions/s940/prod/cost-allocation/main.tf +++ b/terraform/subscriptions/s940/prod/cost-allocation/main.tf 
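Review bot: The new `vnet_resource_group` variable in `variables.tf` has no `description`, unlike `env` directly above it, yet it is now the single input that decides where the `private-links` subnet lookup, the private endpoint and the `privatelink.database.windows.net` zone and A record live; add `description = "Resource group of the hub VNet that holds the private-links subnet and the privatelink.database.windows.net private DNS zone"`. The `env` description still reads `dev, playground, c2 or prod`, but the s940/prod stacks in this series pass `module.config.environment` through it, which appears to resolve to `platform`, so that list should be updated or the value rejected with a `validation` block. With the resource group now supplied by the caller, `networking.tf` no longer uses `var.env` at all; if nothing else in the module does, the variable could be dropped in a follow-up.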
@@ -21,12 +21,14 @@ module "mssql-database" { source = "../../../modules/mssqldatabase" env = module.config.environment database_name = "sqldb-radix-cost-allocation" - server_name = "sql-radix-cost-allocation-${module.config.environment}" + server_name = "sql-radix-cost-allocation-prod" # ${module.config.environment} # See https://github.com/equinor/radix-platform/issues/1186 admin_adgroup = var.admin-adgroup administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name location = module.config.location + vnet_resource_group = module.config.vnet_resource_group + sku_name = "S3" public_network_access_enabled = false zone_redundant = false tags = { diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf index 658dc96d2..3646daf14 100644 --- a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf @@ -20,11 +20,12 @@ module "mssql-database" { source = "../../../modules/mssqldatabase" env = local.external_outputs.common.data.enviroment database_name = "radix-vulnerability-scan" - server_name = "sql-radix-vulnerability-scan-${module.config.environment}" + server_name = "sql-radix-vulnerability-scan-prod" # ${module.config.environment} # Se https://github.com/equinor/radix-platform/issues/1187 admin_adgroup = var.admin-adgroup administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = false zone_redundant = false diff --git a/terraform/subscriptions/s941/dev/cost-allocation/main.tf b/terraform/subscriptions/s941/dev/cost-allocation/main.tf index d22641637..02c5436bf 100644 
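Review bot: In the `prod/vulnerability-scanner` hunk the context line `env = local.external_outputs.common.data.enviroment` still references `local.external_outputs`, although `input.tf`, the only file in that directory that declared it, was deleted earlier in this series, so this stack cannot pass `terraform validate` and the new `vnet_resource_group` wiring cannot have been planned there; replace it with `env = module.config.environment` as every sibling stack already does. The comment on the new `server_name` line also has `Se` for `See`. Both hunks freeze the `-prod` suffix while `module.config.environment` now appears to resolve to `platform`, and the issue links explain why, which is good; a `# TODO(#1186)` style marker would make them easier to find when the rename happens. The `mssql-database` module blocks start before and end after these hunks.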
--- a/terraform/subscriptions/s941/dev/cost-allocation/main.tf +++ b/terraform/subscriptions/s941/dev/cost-allocation/main.tf @@ -26,6 +26,7 @@ module "mssql-database" { administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = true zone_redundant = false diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf index 4682b5b17..8adafacbf 100644 --- a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf @@ -29,6 +29,7 @@ module "mssql-database" { administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = true zone_redundant = false diff --git a/terraform/subscriptions/s941/playground/cost-allocation/main.tf b/terraform/subscriptions/s941/playground/cost-allocation/main.tf index cc888327a..7eacedb94 100644 --- a/terraform/subscriptions/s941/playground/cost-allocation/main.tf +++ b/terraform/subscriptions/s941/playground/cost-allocation/main.tf @@ -26,6 +26,7 @@ module "mssql-database" { administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = false zone_redundant = false diff --git a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf index c307e787d..d2e1dbc12 100644 
--- a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf @@ -27,6 +27,7 @@ module "mssql-database" { administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = false zone_redundant = false From 296d4d8a0791a8fb0c6bb4c6a4b46a77d5633c64 Mon Sep 17 00:00:00 2001 From: Richard Hagen Date: Fri, 9 Feb 2024 13:25:15 +0100 Subject: [PATCH 08/12] handle prod/platform special case --- terraform/subscriptions/s940/c2/cost-allocation/main.tf | 1 + terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf | 1 + 2 files changed, 2 insertions(+) diff --git a/terraform/subscriptions/s940/c2/cost-allocation/main.tf b/terraform/subscriptions/s940/c2/cost-allocation/main.tf index cc888327a..7eacedb94 100644 --- a/terraform/subscriptions/s940/c2/cost-allocation/main.tf +++ b/terraform/subscriptions/s940/c2/cost-allocation/main.tf @@ -26,6 +26,7 @@ module "mssql-database" { administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = false zone_redundant = false diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf index c69786254..ae818dd65 100644 --- a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf 
@@ -25,6 +25,7 @@ module "mssql-database" { administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = false zone_redundant = false From 58b36fb6501beac1ad8d0ee0ef7c31be399adbe0 Mon Sep 17 00:00:00 2001 From: Richard Hagen Date: Fri, 9 Feb 2024 13:25:58 +0100 Subject: [PATCH 09/12] terraform fmt --- .../subscriptions/s940/c2/cost-allocation/main.tf | 2 +- .../s940/c2/vulnerability-scanner/main.tf | 2 +- .../subscriptions/s940/prod/cost-allocation/main.tf | 4 ++-- .../s940/prod/vulnerability-scanner/main.tf | 2 +- .../subscriptions/s941/dev/cost-allocation/main.tf | 2 +- .../s941/dev/vulnerability-scanner/main.tf | 2 +- .../s941/playground/cost-allocation/main.tf | 2 +- .../s941/playground/vulnerability-scanner/main.tf | 2 +- terraform/tenant/entra/main.tf | 12 ++++++------ terraform/tenant/entra/variables.tf | 6 +++--- 10 files changed, 18 insertions(+), 18 deletions(-) diff --git a/terraform/subscriptions/s940/c2/cost-allocation/main.tf b/terraform/subscriptions/s940/c2/cost-allocation/main.tf index 7eacedb94..283abed20 100644 --- a/terraform/subscriptions/s940/c2/cost-allocation/main.tf +++ b/terraform/subscriptions/s940/c2/cost-allocation/main.tf @@ -26,7 +26,7 @@ module "mssql-database" { administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name - vnet_resource_group = module.config.vnet_resource_group + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = false zone_redundant = false diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf index ae818dd65..134df2b13 100644 
--- a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf @@ -25,7 +25,7 @@ module "mssql-database" { administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name - vnet_resource_group = module.config.vnet_resource_group + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = false zone_redundant = false diff --git a/terraform/subscriptions/s940/prod/cost-allocation/main.tf b/terraform/subscriptions/s940/prod/cost-allocation/main.tf index 26e07476f..85d4528d5 100644 --- a/terraform/subscriptions/s940/prod/cost-allocation/main.tf +++ b/terraform/subscriptions/s940/prod/cost-allocation/main.tf @@ -27,8 +27,8 @@ module "mssql-database" { administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name location = module.config.location - vnet_resource_group = module.config.vnet_resource_group - sku_name = "S3" + vnet_resource_group = module.config.vnet_resource_group + sku_name = "S3" public_network_access_enabled = false zone_redundant = false tags = { diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf index 3646daf14..720d2bfec 100644 --- a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf @@ -25,7 +25,7 @@ module "mssql-database" { administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name - vnet_resource_group = module.config.vnet_resource_group + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = false zone_redundant = false 
diff --git a/terraform/subscriptions/s941/dev/cost-allocation/main.tf b/terraform/subscriptions/s941/dev/cost-allocation/main.tf index 02c5436bf..e3c49ff1f 100644 --- a/terraform/subscriptions/s941/dev/cost-allocation/main.tf +++ b/terraform/subscriptions/s941/dev/cost-allocation/main.tf @@ -26,7 +26,7 @@ module "mssql-database" { administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name - vnet_resource_group = module.config.vnet_resource_group + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = true zone_redundant = false diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf index 8adafacbf..07cb83f84 100644 --- a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf @@ -29,7 +29,7 @@ module "mssql-database" { administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name - vnet_resource_group = module.config.vnet_resource_group + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = true zone_redundant = false diff --git a/terraform/subscriptions/s941/playground/cost-allocation/main.tf b/terraform/subscriptions/s941/playground/cost-allocation/main.tf index 7eacedb94..283abed20 100644 --- a/terraform/subscriptions/s941/playground/cost-allocation/main.tf +++ b/terraform/subscriptions/s941/playground/cost-allocation/main.tf 
@@ -26,7 +26,7 @@ module "mssql-database" {
administrator_login = "radix"
administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value
rg_name = module.resourcegroup.data.name
- vnet_resource_group = module.config.vnet_resource_group
+ vnet_resource_group = module.config.vnet_resource_group
location = module.config.location
public_network_access_enabled = false
zone_redundant = false
diff --git a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
index d2e1dbc12..8cd775f51 100644
--- a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
@@ -27,7 +27,7 @@ module "mssql-database" {
administrator_login = "radix"
administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value
rg_name = module.resourcegroup.data.name
- vnet_resource_group = module.config.vnet_resource_group
+ vnet_resource_group = module.config.vnet_resource_group
location = module.config.location
public_network_access_enabled = false
zone_redundant = false
diff --git a/terraform/tenant/entra/main.tf b/terraform/tenant/entra/main.tf
index 9ebef4765..808af0fce 100644
--- a/terraform/tenant/entra/main.tf
+++ b/terraform/tenant/entra/main.tf
@@ -7,22 +7,22 @@ data "azuread_group" "radix-platform-operators" {
display_name = "Radix Platform Operators"
security_enabled = true
}
-data "azurerm_subscription" "subscriptions" {
- for_each = var.subscriptions
+data "azurerm_subscription" "subscriptions" {
+ for_each = var.subscriptions
subscription_id = each.value
}
resource "azurerm_role_assignment" "operator-roles" {
for_each = var.operator-roles
- principal_id = data.azuread_group.radix-platform-operators.id
- scope = data.azurerm_subscription.subscriptions[each.value.subscription].id
+ principal_id = data.azuread_group.radix-platform-operators.id
+ scope = data.azurerm_subscription.subscriptions[each.value.subscription].id
role_definition_name = each.value.role
}
resource "azurerm_role_assignment" "developer-roles" {
for_each = var.developer-roles
- principal_id = data.azuread_group.radix-platform-developers.id
- scope = data.azurerm_subscription.subscriptions[each.value.subscription].id
+ principal_id = data.azuread_group.radix-platform-developers.id
+ scope = data.azurerm_subscription.subscriptions[each.value.subscription].id
role_definition_name = each.value.role
}
diff --git a/terraform/tenant/entra/variables.tf b/terraform/tenant/entra/variables.tf
index 20ba80a3f..aaa92a4f0 100644
--- a/terraform/tenant/entra/variables.tf
+++ b/terraform/tenant/entra/variables.tf
@@ -24,16 +24,16 @@ variable "subscriptions" {
variable "operator-roles" {
type = map(object({
- role = string
+ role = string
subscription = string
}))
default = {
- s940 = {role = "Key Vault Secrets Officer", subscription : "s940"}
+ s940 = { role = "Key Vault Secrets Officer", subscription : "s940" }
}
}
variable "developer-roles" {
type = map(object({
- role = string
+ role = string
subscription = string
}))
default = {
From 5cdb97572a65b5113e9f184bae114401db5349be Mon Sep 17 00:00:00 2001
From: Richard Hagen
Date: Fri, 9 Feb 2024 13:55:34 +0100
Subject: [PATCH 10/12] handle cost allocation in c2, update mi in prod
---
terraform/subscriptions/modules/mssqldatabase/iam.tf | 2 +-
terraform/subscriptions/modules/mssqldatabase/variables.tf | 3 +++
terraform/subscriptions/s940/c2/cost-allocation/main.tf | 5 +++--
terraform/subscriptions/s940/prod/cost-allocation/main.tf | 1 +
4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/terraform/subscriptions/modules/mssqldatabase/iam.tf b/terraform/subscriptions/modules/mssqldatabase/iam.tf
index 20498641d..6864936f1 100644
--- a/terraform/subscriptions/modules/mssqldatabase/iam.tf
+++ b/terraform/subscriptions/modules/mssqldatabase/iam.tf
@@ -4,7 +4,7 @@ data "azuread_group" "admin" {
}
resource "azurerm_user_assigned_identity" "admin" {
- name = "mi-${var.server_name}-admin-${var.env}"
+ name = var.managed_identity_admin_name
location = var.location
resource_group_name = var.rg_name
}
diff --git a/terraform/subscriptions/modules/mssqldatabase/variables.tf b/terraform/subscriptions/modules/mssqldatabase/variables.tf
index 3d90d81ff..26b4c5ac4 100644
--- a/terraform/subscriptions/modules/mssqldatabase/variables.tf
+++ b/terraform/subscriptions/modules/mssqldatabase/variables.tf
@@ -8,6 +8,9 @@ variable "administrator_password" {
variable "admin_adgroup" {
type = string
}
+variable "managed_identity_admin_name" {
+ type = string
+}
variable "location" {
default = "northeurope"
type = string
diff --git a/terraform/subscriptions/s940/c2/cost-allocation/main.tf b/terraform/subscriptions/s940/c2/cost-allocation/main.tf
index 283abed20..5336878bc 100644
--- a/terraform/subscriptions/s940/c2/cost-allocation/main.tf
+++ b/terraform/subscriptions/s940/c2/cost-allocation/main.tf
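Review bot: Setting `name = var.managed_identity_admin_name` on `azurerm_user_assigned_identity.admin` changes the identity's name, and the azurerm provider treats that attribute as force-new, so every stack that adopts this commit gets a freshly created identity with a new principal ID and client ID rather than a renamed one. Anything bound to the old `mi-<server>-admin-<env>` identity outside this module — presumably the SQL server's Entra admin registration, database users created from the external provider, or workload-identity annotations — keeps pointing at a deleted principal until it is rebound, and role assignments attached to the old identity vanish with it. Nothing in the hunk records this; I would add `# NOTE: changing the name replaces the identity (new principal_id/client_id); rebind external consumers after apply` above the `name` line and check the plan for a "must be replaced" on this resource before applying in s940. The role assignments and federated credentials that use this identity are outside the hunk.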
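Review bot: `managed_identity_admin_name` is introduced as a required input with no `description` and no `validation`, and because it replaces a value the module used to derive itself, any existing caller not updated in the same change now fails at plan time with a missing-variable error. Give the variable a description that warns that changing it replaces the identity, and a validation that rejects an empty string so a caller cannot create a nameless identity by accident.

```hcl
variable "managed_identity_admin_name" {
  description = "Name of the user-assigned identity used as the SQL server admin identity. Changing it forces replacement of the identity (new principal_id/client_id)."
  type        = string

  validation {
    condition     = length(var.managed_identity_admin_name) > 0
    error_message = "managed_identity_admin_name must not be empty."
  }
}
```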
@@ -20,15 +20,16 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
module "mssql-database" {
source = "../../../modules/mssqldatabase"
env = module.config.environment
+ managed_identity_admin_name = "radix-id-cost-allocation-admin-c2"
database_name = "sqldb-radix-cost-allocation"
- server_name = "sql-radix-cost-allocation-${module.config.environment}"
+ server_name = "sql-radix-cost-allocation-${module.config.environment}-prod" # https://github.com/equinor/radix-platform/issues/1190
admin_adgroup = var.admin-adgroup
administrator_login = "radix"
administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value
rg_name = module.resourcegroup.data.name
vnet_resource_group = module.config.vnet_resource_group
location = module.config.location
- public_network_access_enabled = false
+ public_network_access_enabled = true
zone_redundant = false
tags = {
displayName = "SqlServer"
diff --git a/terraform/subscriptions/s940/prod/cost-allocation/main.tf b/terraform/subscriptions/s940/prod/cost-allocation/main.tf
index 85d4528d5..880e38b47 100644
--- a/terraform/subscriptions/s940/prod/cost-allocation/main.tf
+++ b/terraform/subscriptions/s940/prod/cost-allocation/main.tf
@@ -20,6 +20,7 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
module "mssql-database" {
source = "../../../modules/mssqldatabase"
env = module.config.environment
+ managed_identity_admin_name = "radix-id-cost-allocation-admin-platform"
database_name = "sqldb-radix-cost-allocation"
server_name = "sql-radix-cost-allocation-prod" # ${module.config.environment} # See https://github.com/equinor/radix-platform/issues/1186
admin_adgroup = var.admin-adgroup
From 0559529735f17572565f347c85c37bf1d82eb69f Mon Sep 17 00:00:00 2001
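Review bot: `public_network_access_enabled` flips from `false` to `true` on the c2 cost-allocation SQL server, which opens the server's public endpoint, and neither the hunk nor the commit message ("handle cost allocation in c2") says why. In the earlier hunks of this series c2, prod and playground all have this set to `false` and only the dev stacks use `true`, so the flip reads as either a migration workaround for the renamed server or an accidental carry-over from dev; whatever firewall rules the module applies are not visible here, so I cannot tell what still bounds access. If it is temporary, annotate it as `public_network_access_enabled = true # TEMPORARY (issue 1190): revert to false once the server rename is complete` and track the revert; if it is permanent, it needs a written justification and a look at the module's firewall/VNet rules. On naming, `"sql-radix-cost-allocation-${module.config.environment}-prod"` combines the interpolated environment with a hard-coded `-prod`, while the identity name just above hard-codes `-c2`; the issue link explains the rename, but a one-line comment stating the resulting server name would spare the next reader a lookup.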
From: Richard Hagen
Date: Fri, 9 Feb 2024 14:02:33 +0100
Subject: [PATCH 11/12] update mi name in cost allocation in dev and playground
---
terraform/subscriptions/s941/dev/cost-allocation/main.tf | 1 +
terraform/subscriptions/s941/playground/cost-allocation/main.tf | 1 +
2 files changed, 2 insertions(+)
diff --git a/terraform/subscriptions/s941/dev/cost-allocation/main.tf b/terraform/subscriptions/s941/dev/cost-allocation/main.tf
index e3c49ff1f..e815b5120 100644
--- a/terraform/subscriptions/s941/dev/cost-allocation/main.tf
+++ b/terraform/subscriptions/s941/dev/cost-allocation/main.tf
@@ -20,6 +20,7 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
module "mssql-database" {
source = "../../../modules/mssqldatabase"
env = module.config.environment
+ managed_identity_admin_name = "radix-id-cost-allocation-admin-${module.config.environment}"
database_name = "sqldb-radix-cost-allocation"
server_name = "sql-radix-cost-allocation-${module.config.environment}"
admin_adgroup = var.admin-adgroup
diff --git a/terraform/subscriptions/s941/playground/cost-allocation/main.tf b/terraform/subscriptions/s941/playground/cost-allocation/main.tf
index 283abed20..2d050d004 100644
--- a/terraform/subscriptions/s941/playground/cost-allocation/main.tf
+++ b/terraform/subscriptions/s941/playground/cost-allocation/main.tf
@@ -20,6 +20,7 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
module "mssql-database" {
source = "../../../modules/mssqldatabase"
env = module.config.environment
+ managed_identity_admin_name = "radix-id-cost-allocation-admin-${module.config.environment}"
database_name = "sqldb-radix-cost-allocation"
server_name = "sql-radix-cost-allocation-${module.config.environment}"
admin_adgroup = var.admin-adgroup
From e0453462e8e1adf84258f09ca32064e352fa9f1c Mon Sep 17 00:00:00 2001
From: Richard Hagen
Date: Fri, 9 Feb 2024 15:50:35 +0100
Subject: [PATCH 12/12] update mi name in vulnerability can in dev and playground
---
.../subscriptions/s940/c2/vulnerability-scanner/main.tf | 5 +++--
.../subscriptions/s940/prod/vulnerability-scanner/main.tf | 8 +++++---
.../subscriptions/s941/dev/vulnerability-scanner/main.tf | 1 +
.../s941/playground/vulnerability-scanner/main.tf | 1 +
4 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
index 134df2b13..0b70e8dae 100644
--- a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
@@ -19,15 +19,16 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
module "mssql-database" {
source = "../../../modules/mssqldatabase"
env = module.config.environment
+ managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}"
database_name = "radix-vulnerability-scan"
- server_name = "sql-radix-vulnerability-scan-${module.config.environment}"
+ server_name = "sql-radix-vulnerability-scan-${module.config.environment}-prod"
admin_adgroup = var.admin-adgroup
administrator_login = "radix"
administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value
rg_name = module.resourcegroup.data.name
vnet_resource_group = module.config.vnet_resource_group
location = module.config.location
- public_network_access_enabled = false
+ public_network_access_enabled = true
zone_redundant = false
admin_federated_credentials = {
diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf
index 720d2bfec..2b84ca371 100644
--- a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf
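Review bot: As with the c2 cost-allocation server earlier in this patch series, `public_network_access_enabled` flips from `false` to `true` on the c2 vulnerability-scan SQL server with no stated reason, and the firewall rules that would bound the public endpoint live in the module and are not in view. The `-prod` suffix appended to `server_name` also arrives without the issue reference its cost-allocation counterpart carries, so a reader cannot tell whether `sql-radix-vulnerability-scan-<env>-prod` is intended or a copy of that workaround; add `# see <issue>` or a short reason on that line. If the public endpoint is transitional, mark it `public_network_access_enabled = true # TEMPORARY: revert to false once <condition>` so it does not silently become permanent. The `admin_federated_credentials` block that opens on the last line continues outside the hunk.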
@@ -18,17 +18,19 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
# MS SQL Server
module "mssql-database" {
source = "../../../modules/mssqldatabase"
- env = local.external_outputs.common.data.enviroment
+ env = module.config.environment
database_name = "radix-vulnerability-scan"
server_name = "sql-radix-vulnerability-scan-prod" # ${module.config.environment} # Se https://github.com/equinor/radix-platform/issues/1187
+ managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}"
admin_adgroup = var.admin-adgroup
administrator_login = "radix"
administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value
rg_name = module.resourcegroup.data.name
- vnet_resource_group = module.config.vnet_resource_group
+ vnet_resource_group = module.config.vnet_resource_group
location = module.config.location
- public_network_access_enabled = false
+ public_network_access_enabled = true
zone_redundant = false
+ sku_name = "S6"
admin_federated_credentials = {
github-master = {
diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
index 07cb83f84..d46334021 100644
--- a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
@@ -23,6 +23,7 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
module "mssql-database" {
source = "../../../modules/mssqldatabase"
env = module.config.environment
+ managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}"
database_name = "radix-vulnerability-scan"
server_name = "sql-radix-vulnerability-scan-${module.config.environment}"
admin_adgroup = var.admin-adgroup
diff --git a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
index 8cd775f51..d088dac22 100644
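Review bot: This hunk turns on `public_network_access_enabled` for the prod vulnerability-scan SQL server (`false` to `true`), which is the most security-relevant line in the series and is absent from the commit subject ("update mi name in vulnerability can in dev and playground"). A production SQL server reachable on its public endpoint then falls back to the module's firewall rules plus credentials, neither of which is visible here; if the endpoint is needed only while the admin identity is rebuilt or the SKU is changed, say so inline, e.g. `public_network_access_enabled = true # TEMPORARY: needed for <reason>, revert to false`, and open a follow-up, otherwise keep `false` and reach the server through the VNet. The `sku_name = "S6"` bump and the switch from the `enviroment`-spelled remote-state output to `module.config.environment` look reasonable but are unrelated to the subject and deserve a mention in the message; if nothing else still reads `local.external_outputs`, the remote-state data source behind it can go as well. The `admin_federated_credentials` block continues past the hunk.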
--- a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
@@ -21,6 +21,7 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
module "mssql-database" {
source = "../../../modules/mssqldatabase"
env = module.config.environment
+ managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}"
database_name = "radix-vulnerability-scan"
server_name = "sql-radix-vulnerability-scan-${module.config.environment}"
admin_adgroup = var.admin-adgroup