From bcae4ea575bd5e431ba5a8a227fb974a78597e55 Mon Sep 17 00:00:00 2001 
From: Automatic Update Date: Thu, 8 Feb 2024 12:10:20 +0100 Subject: [PATCH] Reconfigure Keyvault --- .../subscriptions/modules/config/main.tf | 10 +++- .../modules/userassignedidentity/main.tf | 7 +++ .../modules/userassignedidentity/variables.tf | 8 +++ .../subscriptions/s940/c2/clusters/input.tf | 36 ----------- .../subscriptions/s940/c2/clusters/main.tf | 47 +++++++++++---- .../subscriptions/s940/c2/clusters/outputs.tf | 3 - .../subscriptions/s940/c2/clusters/shared.tf | 8 --- .../s940/c2/clusters/variables.tf | 11 ++++ .../s940/c2/key-vault/variables.tf | 2 +- .../s940/extmon/clusters/input.tf | 36 ----------- .../s940/extmon/clusters/main.tf | 60 +++++++++++++++++-- .../s940/extmon/clusters/outputs.tf | 3 - .../s940/extmon/clusters/shared.tf | 8 --- .../s940/extmon/clusters/variables.tf | 11 ++++ .../s940/extmon/key-vault/variables.tf | 2 +- .../subscriptions/s940/prod/clusters/input.tf | 36 ----------- .../subscriptions/s940/prod/clusters/main.tf | 46 ++++++++++---- .../s940/prod/clusters/outputs.tf | 3 - .../s940/prod/clusters/shared.tf | 8 --- .../s940/prod/clusters/variables.tf | 11 ++++ .../s940/prod/key-vault/variables.tf | 2 +- .../subscriptions/s941/dev/clusters/input.tf | 36 ----------- .../subscriptions/s941/dev/clusters/main.tf | 47 +++++++++++---- .../s941/dev/clusters/outputs.tf | 3 - .../subscriptions/s941/dev/clusters/shared.tf | 7 --- .../s941/dev/clusters/variables.tf | 12 +++- .../s941/dev/key-vault/variables.tf | 8 +-- .../s941/dev/vulnerability-scanner/main.tf | 2 +- .../s941/playground/clusters/input.tf | 36 ----------- .../s941/playground/clusters/main.tf | 48 +++++++++++---- .../s941/playground/clusters/outputs.tf | 3 - .../s941/playground/clusters/shared.tf | 7 --- .../s941/playground/clusters/variables.tf | 11 ++++ .../s941/playground/key-vault/main.tf | 5 ++ .../s941/playground/key-vault/variables.tf | 2 +- 35 files changed, 295 insertions(+), 290 deletions(-) delete mode 100644 terraform/subscriptions/s940/c2/clusters/input.tf 
delete mode 100644 terraform/subscriptions/s940/c2/clusters/outputs.tf
delete mode 100644 terraform/subscriptions/s940/c2/clusters/shared.tf
delete mode 100644 terraform/subscriptions/s940/extmon/clusters/input.tf
delete mode 100644 terraform/subscriptions/s940/extmon/clusters/outputs.tf
delete mode 100644 terraform/subscriptions/s940/extmon/clusters/shared.tf
delete mode 100644 terraform/subscriptions/s940/prod/clusters/input.tf
delete mode 100644 terraform/subscriptions/s940/prod/clusters/outputs.tf
delete mode 100644 terraform/subscriptions/s940/prod/clusters/shared.tf
delete mode 100644 terraform/subscriptions/s941/dev/clusters/input.tf
delete mode 100644 terraform/subscriptions/s941/dev/clusters/outputs.tf
delete mode 100644 terraform/subscriptions/s941/dev/clusters/shared.tf
delete mode 100644 terraform/subscriptions/s941/playground/clusters/input.tf
delete mode 100644 terraform/subscriptions/s941/playground/clusters/outputs.tf
delete mode 100644 terraform/subscriptions/s941/playground/clusters/shared.tf
diff --git a/terraform/subscriptions/modules/config/main.tf b/terraform/subscriptions/modules/config/main.tf
index 31991aa8f..a2915b9b8 100644
--- a/terraform/subscriptions/modules/config/main.tf
+++ b/terraform/subscriptions/modules/config/main.tf
@@ -25,8 +25,16 @@ output "vnet_resource_group" {
 value = "cluster-vnet-hub-${local.config.environment}"
 }
 output "key_vault_name" {
- value = "radix-kv-${local.config.environment}"
+ value = "radix-keyv-${local.config.environment}"
+}
+
+output "log_analytics_name" {
+ value = "radix-logs-${local.config.environment}"
 }
 output "backend" {
 value = local.config.backend
 }
+
+output "policy_aks_diagnostics_cluster" {
+ value = "Radix-Enforce-Diagnostics-AKS-Clusters"
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/userassignedidentity/main.tf b/terraform/subscriptions/modules/userassignedidentity/main.tf
index e6fb32080..6be8b1c90 100644
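Review bot: The new `policy_aks_diagnostics_cluster` output carries the policy definition's display name, and the cluster stacks in this same patch feed it to `data "azurerm_policy_definition"` via `display_name`; a display name is not unique and can be edited in the portal without anything breaking, so a second definition with the same display name would make every cluster plan ambiguous. Exposing the definition's immutable `name` instead and looking it up by `name` removes that dependency, e.g. `output "policy_aks_diagnostics_cluster_name" { value = "<definition name>" }`. The three new outputs also have no `description`; one line each (`description = "Name of the Key Vault holding environment secrets (RBAC-authorised)."`) would document the naming convention the rest of the repo now depends on.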
--- a/terraform/subscriptions/modules/userassignedidentity/main.tf
+++ b/terraform/subscriptions/modules/userassignedidentity/main.tf
@@ -3,3 +3,10 @@ resource "azurerm_user_assigned_identity" "userassignedidentity" {
 location = var.location
 resource_group_name = var.resource_group_name
 }
+
+resource "azurerm_role_assignment" "this" {
+ for_each = var.roleassignments
+ scope = each.value.scope_id
+ role_definition_name = each.value.role
+ principal_id = azurerm_user_assigned_identity.userassignedidentity.principal_id
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/userassignedidentity/variables.tf b/terraform/subscriptions/modules/userassignedidentity/variables.tf
index 11c4c43da..7d11e7275 100644
--- a/terraform/subscriptions/modules/userassignedidentity/variables.tf
+++ b/terraform/subscriptions/modules/userassignedidentity/variables.tf
@@ -12,3 +12,11 @@ variable "location" {
 description = "The Azure Region where the User Assigned Identity should exist."
 type = string
 }
+
+variable "roleassignments" {
+ type = map(object({
+ role = string
+ scope_id = string
+ }))
+ default = {}
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/s940/c2/clusters/input.tf b/terraform/subscriptions/s940/c2/clusters/input.tf
deleted file mode 100644
index d2851acdc..000000000
--- a/terraform/subscriptions/s940/c2/clusters/input.tf
+++ /dev/null
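Review bot: `azurerm_role_assignment.this` is created in the same apply as the identity whose `principal_id` it references, and a just-created user-assigned identity is not always visible to the RBAC control plane yet, so the assignment can fail intermittently with a PrincipalNotFound error on first apply; adding `principal_type = "ServicePrincipal"` to the resource tells Azure to skip the directory lookup and removes that race. Because `role_definition_name` and `scope` are taken verbatim from the caller, this resource is now the place where scope-wide privilege is granted, which deserves a comment above it: `# Grants the identity the caller-supplied roles; keep the set minimal (see variables.tf).`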
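Review bot: `variable "roleassignments"` has neither a `description` nor a `validation`, unlike `location` in the same file, yet it is the one input that hands out RBAC at caller-chosen scopes. Suggest `description = "Role assignments to create for the identity, keyed by a stable label; role is an Azure role definition name, scope_id the resource ID it applies to."` plus a `validation` whose `condition = alltrue([for r in var.roleassignments : !contains(["Owner", "User Access Administrator", "Role Based Access Control Administrator"], r.role)])` and an `error_message` naming the rejected roles, so the module cannot be used to grant identity-escalating rights by accident. Every caller in this patch only requests `Key Vault Secrets User`, so the constraint would not break anything.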
@@ -1,36 +0,0 @@ -locals { - external_outputs = { - global = data.terraform_remote_state.global.outputs - common = data.terraform_remote_state.common.outputs - - } - flattened_clusters = { - for key, value in var.clusters : key => { - name = key - resource_group_name = value.resource_group_name - location = value.location - destination_address_prefix = value.destination_address_prefix - } - } - backend = { - resource_group_name = "s940-tfstate" - storage_account_name = "s940radixinfra" - container_name = "infrastructure" - subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" - } -} - -data "terraform_remote_state" "common" { - backend = "azurerm" - config = merge( - local.backend, - { key = "c2/common/terraform.tfstate" }) -} - -data "terraform_remote_state" "global" { - backend = "azurerm" - config = merge( - local.backend, - { key = "prod/globals/terraform.tfstate" }) -} - diff --git a/terraform/subscriptions/s940/c2/clusters/main.tf b/terraform/subscriptions/s940/c2/clusters/main.tf index 15d82bd99..15cc91279 100644 --- a/terraform/subscriptions/s940/c2/clusters/main.tf +++ b/terraform/subscriptions/s940/c2/clusters/main.tf 
@@ -1,17 +1,46 @@ + +module "config" { + source = "../../../modules/config" +} + module "resourcegroups" { for_each = toset(var.resource_groups) source = "../../../modules/resourcegroups" name = each.value - location = local.outputs.location + location = module.config.location +} + +data "azurerm_key_vault" "keyvault" { + name = module.config.key_vault_name + resource_group_name = module.config.common_resource_group +} + +data "azurerm_log_analytics_workspace" "workspace" { + name = module.config.log_analytics_name + resource_group_name = module.config.common_resource_group +} + +data "azurerm_user_assigned_identity" "infrastructure_id" { + name = "radix-id-infrastructure-${module.config.environment}" + resource_group_name = module.config.common_resource_group +} + +data "azurerm_policy_definition" "policy_aks_cluster" { + display_name = module.config.policy_aks_diagnostics_cluster } module "radix_id_external_secrets_operator_mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-external-secrets-operator-${local.external_outputs.common.data.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.external_outputs.common.data.enviroment}" - + name = "radix-id-external-secrets-operator-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" + roleassignments = { + kv_user = { + role = "Key Vault Secrets User" + scope_id = data.azurerm_key_vault.keyvault.id + } + } } module "policyassignment_resourcegroup" { 
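Review bot: The four new `data` blocks read the Key Vault, Log Analytics workspace, infrastructure identity and policy definition at plan time, and with `input.tf` deleted there is no longer anything in this stack that states they come from other root modules (`key-vault`, `common`, `globals`); on a fresh environment, or right after the `radix-kv-c2` → `radix-keyv-c2` rename in this same patch, the plan will fail until those stacks have been applied, and nothing tells the operator which ones. A short comment above the data sources would keep the ordering discoverable: `# Lookups below require the key-vault, common and globals stacks for this environment to be applied first.` The `Key Vault Secrets User` assignment scoped to the vault itself is the right minimal grant for the secrets operator.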
@@ -20,13 +49,11 @@ module "policyassignment_resourcegroup" { policy_name = "Radix-Enforce-Diagnostics-AKS-Clusters" location = each.value["data"].location resource_group_id = each.value["data"].id - policy_definition_id = local.external_outputs.global.policy_aks_cluster_id - identity_ids = local.external_outputs.common.mi_id - workspaceId = local.external_outputs.common.workspace_id - + policy_definition_id = data.azurerm_policy_definition.policy_aks_cluster.id + identity_ids = data.azurerm_user_assigned_identity.infrastructure_id.id + workspaceId = data.azurerm_log_analytics_workspace.workspace.id } - module "nsg" { source = "../../../modules/networksecuritygroup" for_each = local.flattened_clusters diff --git a/terraform/subscriptions/s940/c2/clusters/outputs.tf b/terraform/subscriptions/s940/c2/clusters/outputs.tf deleted file mode 100644 index 6162addb0..000000000 --- a/terraform/subscriptions/s940/c2/clusters/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "data" { - value = local.outputs -} \ No newline at end of file diff --git a/terraform/subscriptions/s940/c2/clusters/shared.tf b/terraform/subscriptions/s940/c2/clusters/shared.tf deleted file mode 100644 index 82f25eeed..000000000 --- a/terraform/subscriptions/s940/c2/clusters/shared.tf +++ /dev/null @@ -1,8 +0,0 @@ -locals { - outputs = { - enviroment = "c2" - resource_group = "clusters-westeurope" - location = "westeurope" - backup_location = "northeurope" - } -} diff --git a/terraform/subscriptions/s940/c2/clusters/variables.tf b/terraform/subscriptions/s940/c2/clusters/variables.tf index 910f2546a..a7b09f272 100644 --- a/terraform/subscriptions/s940/c2/clusters/variables.tf +++ b/terraform/subscriptions/s940/c2/clusters/variables.tf 
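Review bot: `policy_name = "Radix-Enforce-Diagnostics-AKS-Clusters"` remains a hard-coded literal two lines above the new `policy_definition_id = data.azurerm_policy_definition.policy_aks_cluster.id`, which resolves the same definition through `module.config.policy_aks_diagnostics_cluster`; the two strings can now drift independently. Using the config output for both, `policy_name = module.config.policy_aks_diagnostics_cluster`, keeps the assignment name and the definition it binds in sync. The `module "policyassignment_resourcegroup"` block starts above this hunk.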
@@ -1,3 +1,14 @@ +locals { + flattened_clusters = { + for key, value in var.clusters : key => { + name = key + resource_group_name = value.resource_group_name + location = value.location + destination_address_prefix = value.destination_address_prefix + } + } +} + variable "resource_groups" { type = list(string) default = ["clusters-c2"] diff --git a/terraform/subscriptions/s940/c2/key-vault/variables.tf b/terraform/subscriptions/s940/c2/key-vault/variables.tf index 9544bf92e..a5a1f6af8 100644 --- a/terraform/subscriptions/s940/c2/key-vault/variables.tf +++ b/terraform/subscriptions/s940/c2/key-vault/variables.tf @@ -11,7 +11,7 @@ variable "keyvaults" { radix-vault-c2-prod = { resource_group = "common-westeurope" } - radix-kv-c2 = { + radix-keyv-c2 = { enable_rbac_authorization = true } } diff --git a/terraform/subscriptions/s940/extmon/clusters/input.tf b/terraform/subscriptions/s940/extmon/clusters/input.tf deleted file mode 100644 index a5e6a10f1..000000000 --- a/terraform/subscriptions/s940/extmon/clusters/input.tf +++ /dev/null @@ -1,36 +0,0 @@ -locals { - external_outputs = { - global = data.terraform_remote_state.global.outputs - common = data.terraform_remote_state.common.outputs - - } - flattened_clusters = { - for key, value in var.clusters : key => { - name = key - resource_group_name = value.resource_group_name - location = value.location - destination_address_prefix = value.destination_address_prefix - } - } - backend = { - resource_group_name = "s940-tfstate" - storage_account_name = "s940radixinfra" - container_name = "infrastructure" - subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" - } -} - -data "terraform_remote_state" "common" { - backend = "azurerm" - config = merge( - local.backend, - { key = "extmon/common/terraform.tfstate" }) -} - -data "terraform_remote_state" "global" { - backend = "azurerm" - config = merge( - local.backend, - { key = "prod/globals/terraform.tfstate" }) -} - 
diff --git a/terraform/subscriptions/s940/extmon/clusters/main.tf b/terraform/subscriptions/s940/extmon/clusters/main.tf index bd1c99c70..ee357b593 100644 --- a/terraform/subscriptions/s940/extmon/clusters/main.tf +++ b/terraform/subscriptions/s940/extmon/clusters/main.tf 
@@ -1,14 +1,64 @@ + + +module "config" { + source = "../../../modules/config" +} + module "resourcegroups" { for_each = toset(var.resource_groups) source = "../../../modules/resourcegroups" name = each.value - location = local.outputs.location + location = module.config.location +} + +data "azurerm_key_vault" "keyvault" { + name = module.config.key_vault_name + resource_group_name = module.config.common_resource_group +} + +data "azurerm_log_analytics_workspace" "workspace" { + name = module.config.log_analytics_name + resource_group_name = module.config.common_resource_group +} + +data "azurerm_user_assigned_identity" "infrastructure_id" { + name = "radix-id-infrastructure-${module.config.environment}" + resource_group_name = module.config.common_resource_group +} + +data "azurerm_policy_definition" "policy_aks_cluster" { + display_name = module.config.policy_aks_diagnostics_cluster } module "radix_id_external_secrets_operator_mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-external-secrets-operator-${local.external_outputs.common.data.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.external_outputs.common.data.enviroment}" + name = "radix-id-external-secrets-operator-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" + roleassignments = { + kv_user = { + role = "Key Vault Secrets User" + scope_id = data.azurerm_key_vault.keyvault.id + } + } +} + +# module "policyassignment_resourcegroup" { +# for_each = module.resourcegroups +# source = "../../../modules/policyassignment_resourcegroup" +# policy_name = "Radix-Enforce-Diagnostics-AKS-Clusters" +# location = each.value["data"].location +# resource_group_id = each.value["data"].id +# policy_definition_id = data.azurerm_policy_definition.policy_aks_cluster.id +# identity_ids = data.azurerm_user_assigned_identity.infrastructure_id.id +# workspaceId = 
data.azurerm_log_analytics_workspace.workspace.id +# } -} \ No newline at end of file +# module "nsg" { +# source = "../../../modules/networksecuritygroup" +# for_each = local.flattened_clusters +# networksecuritygroupname = "nsg-${each.key}" +# location = each.value.location +# resource_group_name = each.value.resource_group_name +# destination_address_prefix = each.value.destination_address_prefix +# } diff --git a/terraform/subscriptions/s940/extmon/clusters/outputs.tf b/terraform/subscriptions/s940/extmon/clusters/outputs.tf deleted file mode 100644 index 6162addb0..000000000 --- a/terraform/subscriptions/s940/extmon/clusters/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "data" { - value = local.outputs -} \ No newline at end of file diff --git a/terraform/subscriptions/s940/extmon/clusters/shared.tf b/terraform/subscriptions/s940/extmon/clusters/shared.tf deleted file mode 100644 index 3713201b0..000000000 --- a/terraform/subscriptions/s940/extmon/clusters/shared.tf +++ /dev/null @@ -1,8 +0,0 @@ -locals { - outputs = { - enviroment = "extmon" - resource_group = "clusters-extmon" - location = "northeurope" - backup_location = "westeurope" - } -} diff --git a/terraform/subscriptions/s940/extmon/clusters/variables.tf b/terraform/subscriptions/s940/extmon/clusters/variables.tf index d0a6270a0..8457c3dd8 100644 --- a/terraform/subscriptions/s940/extmon/clusters/variables.tf +++ b/terraform/subscriptions/s940/extmon/clusters/variables.tf @@ -1,3 +1,14 @@ +locals { + flattened_clusters = { + for key, value in var.clusters : key => { + name = key + resource_group_name = value.resource_group_name + location = value.location + destination_address_prefix = value.destination_address_prefix + } + } +} + variable "resource_groups" { type = list(string) default = ["clusters-extmon"] diff --git a/terraform/subscriptions/s940/extmon/key-vault/variables.tf b/terraform/subscriptions/s940/extmon/key-vault/variables.tf index c9e2e5a8a..48939d237 100644 
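Review bot: Commenting out `module "policyassignment_resourcegroup"` and `module "nsg"` removes them from the extmon configuration, so if they have been applied before, the next `terraform apply` will destroy the network security group(s) for the extmon clusters and the diagnostics policy assignment on `clusters-extmon`; nothing in the hunk says whether that is intended, and the other environments keep both modules. If this is temporary, a comment stating the reason and the condition for re-enabling should precede the commented block, e.g. `# TODO: re-enable once <missing resource> exists in extmon; disabled on <date> because <reason>.`; if the resources should survive unmanaged, remove them from state first (`terraform state rm`) rather than leaving them for deletion.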
--- a/terraform/subscriptions/s940/extmon/key-vault/variables.tf +++ b/terraform/subscriptions/s940/extmon/key-vault/variables.tf @@ -11,7 +11,7 @@ variable "keyvaults" { kv-radix-monitoring-prod = { resource_group = "monitoring" } - radix-kv-extmon = { + radix-keyv-extmon = { enable_rbac_authorization = true } } diff --git a/terraform/subscriptions/s940/prod/clusters/input.tf b/terraform/subscriptions/s940/prod/clusters/input.tf deleted file mode 100644 index c4b20eee7..000000000 --- a/terraform/subscriptions/s940/prod/clusters/input.tf +++ /dev/null @@ -1,36 +0,0 @@ -locals { - external_outputs = { - global = data.terraform_remote_state.global.outputs - common = data.terraform_remote_state.common.outputs - - } - flattened_clusters = { - for key, value in var.clusters : key => { - name = key - resource_group_name = value.resource_group_name - location = value.location - destination_address_prefix = value.destination_address_prefix - } - } - backend = { - resource_group_name = "s940-tfstate" - storage_account_name = "s940radixinfra" - container_name = "infrastructure" - subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a" - } -} - -data "terraform_remote_state" "common" { - backend = "azurerm" - config = merge( - local.backend, - { key = "prod/common/terraform.tfstate" }) -} - -data "terraform_remote_state" "global" { - backend = "azurerm" - config = merge( - local.backend, - { key = "prod/globals/terraform.tfstate" }) -} - diff --git a/terraform/subscriptions/s940/prod/clusters/main.tf b/terraform/subscriptions/s940/prod/clusters/main.tf index 708e71a71..15cc91279 100644 --- a/terraform/subscriptions/s940/prod/clusters/main.tf +++ b/terraform/subscriptions/s940/prod/clusters/main.tf @@ -1,4 +1,5 @@ + module "config" { source = "../../../modules/config" } 
@@ -7,29 +8,52 @@ module "resourcegroups" { for_each = toset(var.resource_groups) source = "../../../modules/resourcegroups" name = each.value - location = local.outputs.location + location = module.config.location +} + +data "azurerm_key_vault" "keyvault" { + name = module.config.key_vault_name + resource_group_name = module.config.common_resource_group +} + +data "azurerm_log_analytics_workspace" "workspace" { + name = module.config.log_analytics_name + resource_group_name = module.config.common_resource_group +} + +data "azurerm_user_assigned_identity" "infrastructure_id" { + name = "radix-id-infrastructure-${module.config.environment}" + resource_group_name = module.config.common_resource_group +} + +data "azurerm_policy_definition" "policy_aks_cluster" { + display_name = module.config.policy_aks_diagnostics_cluster } module "radix_id_external_secrets_operator_mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-external-secrets-operator-${local.external_outputs.common.data.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.external_outputs.common.data.enviroment}" - + name = "radix-id-external-secrets-operator-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" + roleassignments = { + kv_user = { + role = "Key Vault Secrets User" + scope_id = data.azurerm_key_vault.keyvault.id + } + } } + module "policyassignment_resourcegroup" { for_each = module.resourcegroups source = "../../../modules/policyassignment_resourcegroup" policy_name = "Radix-Enforce-Diagnostics-AKS-Clusters" location = each.value["data"].location resource_group_id = each.value["data"].id - policy_definition_id = local.external_outputs.global.policy_aks_cluster_id - identity_ids = local.external_outputs.common.mi_id - workspaceId = local.external_outputs.common.workspace_id - + policy_definition_id = data.azurerm_policy_definition.policy_aks_cluster.id + 
identity_ids = data.azurerm_user_assigned_identity.infrastructure_id.id + workspaceId = data.azurerm_log_analytics_workspace.workspace.id } - module "nsg" { source = "../../../modules/networksecuritygroup" for_each = local.flattened_clusters @@ -37,4 +61,4 @@ module "nsg" { location = each.value.location resource_group_name = each.value.resource_group_name destination_address_prefix = each.value.destination_address_prefix -} \ No newline at end of file +} diff --git a/terraform/subscriptions/s940/prod/clusters/outputs.tf b/terraform/subscriptions/s940/prod/clusters/outputs.tf deleted file mode 100644 index 6162addb0..000000000 --- a/terraform/subscriptions/s940/prod/clusters/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "data" { - value = local.outputs -} \ No newline at end of file diff --git a/terraform/subscriptions/s940/prod/clusters/shared.tf b/terraform/subscriptions/s940/prod/clusters/shared.tf deleted file mode 100644 index c558046cc..000000000 --- a/terraform/subscriptions/s940/prod/clusters/shared.tf +++ /dev/null @@ -1,8 +0,0 @@ -locals { - outputs = { - enviroment = "prod" - resource_group = "clusters" - location = "northeurope" - backup_location = "westeurope" - } -} diff --git a/terraform/subscriptions/s940/prod/clusters/variables.tf b/terraform/subscriptions/s940/prod/clusters/variables.tf index cc768616f..a03d5e986 100644 --- a/terraform/subscriptions/s940/prod/clusters/variables.tf +++ b/terraform/subscriptions/s940/prod/clusters/variables.tf @@ -1,3 +1,14 @@ +locals { + flattened_clusters = { + for key, value in var.clusters : key => { + name = key + resource_group_name = value.resource_group_name + location = value.location + destination_address_prefix = value.destination_address_prefix + } + } +} + variable "resource_groups" { type = list(string) default = ["clusters-platform"] diff --git a/terraform/subscriptions/s940/prod/key-vault/variables.tf b/terraform/subscriptions/s940/prod/key-vault/variables.tf index fd2f5b99c..58300cd40 100644 
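Review bot: `data "azurerm_key_vault" "keyvault"` resolves `radix-keyv-${module.config.environment}`, but the vault this patch declares for the prod subscription in `key-vault/variables.tf` is `radix-keyv-platform`, and the deleted `shared.tf` called this environment `prod`; unless `module.config.environment` yields `platform` for this folder, the lookup fails at plan and the `Key Vault Secrets User` assignment never gets its scope. Worth confirming the config value, or renaming the vault to `radix-keyv-<environment>` so prod follows the same convention as c2, extmon, dev and playground. The `module "resourcegroups"` block starts above this hunk.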
--- a/terraform/subscriptions/s940/prod/key-vault/variables.tf +++ b/terraform/subscriptions/s940/prod/key-vault/variables.tf @@ -11,7 +11,7 @@ variable "keyvaults" { radix-vault-prod = { resource_group = "common" } - radix-kv-platform = { + radix-keyv-platform = { enable_rbac_authorization = true } } diff --git a/terraform/subscriptions/s941/dev/clusters/input.tf b/terraform/subscriptions/s941/dev/clusters/input.tf deleted file mode 100644 index d1ca8a89a..000000000 --- a/terraform/subscriptions/s941/dev/clusters/input.tf +++ /dev/null @@ -1,36 +0,0 @@ -locals { - external_outputs = { - global = data.terraform_remote_state.global.outputs - common = data.terraform_remote_state.common.outputs - - } - flattened_clusters = { - for key, value in var.clusters : key => { - name = key - resource_group_name = value.resource_group_name - location = value.location - destination_address_prefix = value.destination_address_prefix - } - } - backend = { - resource_group_name = "s941-tfstate" - storage_account_name = "s941radixinfra" - container_name = "infrastructure" - subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b" - } -} - -data "terraform_remote_state" "common" { - backend = "azurerm" - config = merge( - local.backend, - { key = "dev/common/terraform.tfstate" }) -} - -data "terraform_remote_state" "global" { - backend = "azurerm" - config = merge( - local.backend, - { key = "dev/globals/terraform.tfstate" }) -} - diff --git a/terraform/subscriptions/s941/dev/clusters/main.tf b/terraform/subscriptions/s941/dev/clusters/main.tf index c1636f775..15cc91279 100644 --- a/terraform/subscriptions/s941/dev/clusters/main.tf +++ b/terraform/subscriptions/s941/dev/clusters/main.tf 
@@ -1,17 +1,46 @@ + +module "config" { + source = "../../../modules/config" +} + module "resourcegroups" { for_each = toset(var.resource_groups) source = "../../../modules/resourcegroups" name = each.value - location = local.outputs.location + location = module.config.location +} + +data "azurerm_key_vault" "keyvault" { + name = module.config.key_vault_name + resource_group_name = module.config.common_resource_group +} + +data "azurerm_log_analytics_workspace" "workspace" { + name = module.config.log_analytics_name + resource_group_name = module.config.common_resource_group +} + +data "azurerm_user_assigned_identity" "infrastructure_id" { + name = "radix-id-infrastructure-${module.config.environment}" + resource_group_name = module.config.common_resource_group +} + +data "azurerm_policy_definition" "policy_aks_cluster" { + display_name = module.config.policy_aks_diagnostics_cluster } module "radix_id_external_secrets_operator_mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-external-secrets-operator-${local.external_outputs.common.data.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.external_outputs.common.data.enviroment}" - + name = "radix-id-external-secrets-operator-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" + roleassignments = { + kv_user = { + role = "Key Vault Secrets User" + scope_id = data.azurerm_key_vault.keyvault.id + } + } } module "policyassignment_resourcegroup" { 
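Review bot: In dev the new `radix-keyv-dev` vault is declared with `resource_group = "common-dev"` (key-vault/variables.tf in this patch), while this lookup uses `module.config.common_resource_group`, which the dev vulnerability-scanner stack annotates as being `"common"`; if that annotation is accurate, `data.azurerm_key_vault.keyvault` looks in the wrong resource group and the plan fails. Either drop the `resource_group` override so the vault lands in the common resource group like the other environments, or have the data source use the same literal with a comment explaining the exception. Presumably the resource group value is environment-specific, so this needs confirming against `modules/config`.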
@@ -20,10 +49,9 @@ module "policyassignment_resourcegroup" { policy_name = "Radix-Enforce-Diagnostics-AKS-Clusters" location = each.value["data"].location resource_group_id = each.value["data"].id - policy_definition_id = local.external_outputs.global.policy_aks_cluster_id - identity_ids = local.external_outputs.common.mi_id - workspaceId = local.external_outputs.common.workspace_id - + policy_definition_id = data.azurerm_policy_definition.policy_aks_cluster.id + identity_ids = data.azurerm_user_assigned_identity.infrastructure_id.id + workspaceId = data.azurerm_log_analytics_workspace.workspace.id } module "nsg" { @@ -34,4 +62,3 @@ module "nsg" { resource_group_name = each.value.resource_group_name destination_address_prefix = each.value.destination_address_prefix } - diff --git a/terraform/subscriptions/s941/dev/clusters/outputs.tf b/terraform/subscriptions/s941/dev/clusters/outputs.tf deleted file mode 100644 index 6162addb0..000000000 --- a/terraform/subscriptions/s941/dev/clusters/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "data" { - value = local.outputs -} \ No newline at end of file diff --git a/terraform/subscriptions/s941/dev/clusters/shared.tf b/terraform/subscriptions/s941/dev/clusters/shared.tf deleted file mode 100644 index ea7498783..000000000 --- a/terraform/subscriptions/s941/dev/clusters/shared.tf +++ /dev/null @@ -1,7 +0,0 @@ -locals { - outputs = { - resource_group = "clusters" - location = "northeurope" - backup_location = "westeurope" - } -} diff --git a/terraform/subscriptions/s941/dev/clusters/variables.tf b/terraform/subscriptions/s941/dev/clusters/variables.tf index 63d7fc59f..bb4de809e 100644 --- a/terraform/subscriptions/s941/dev/clusters/variables.tf +++ b/terraform/subscriptions/s941/dev/clusters/variables.tf 
@@ -1,9 +1,19 @@ +locals { + flattened_clusters = { + for key, value in var.clusters : key => { + name = key + resource_group_name = value.resource_group_name + location = value.location + destination_address_prefix = value.destination_address_prefix + } + } +} + variable "resource_groups" { type = list(string) default = ["clusters-dev"] } - variable "clusters" { type = map(object({ resource_group_name = optional(string, "clusters") diff --git a/terraform/subscriptions/s941/dev/key-vault/variables.tf b/terraform/subscriptions/s941/dev/key-vault/variables.tf index c01cfc794..d1e91cb06 100644 --- a/terraform/subscriptions/s941/dev/key-vault/variables.tf +++ b/terraform/subscriptions/s941/dev/key-vault/variables.tf @@ -11,10 +11,10 @@ variable "keyvaults" { radix-vault-dev = { resource_group = "common" } - # radix-kv-dev = { - # resource_group = "common-dev" - # enable_rbac_authorization = true - # } + radix-keyv-dev = { + resource_group = "common-dev" + enable_rbac_authorization = true + } } } \ No newline at end of file diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf index 5b8545d81..4682b5b17 100644 --- a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf @@ -8,7 +8,7 @@ module "config" { source = "../../../modules/config" } -# TODO: Migrate keys to radix-kv-dev when ready +# TODO: Migrate keys to radix-keyv-dev when ready data "azurerm_key_vault" "keyvault" { name = "radix-vault-dev" # module.config.key_vault_name resource_group_name = "common" # module.config.common_resource_group diff --git a/terraform/subscriptions/s941/playground/clusters/input.tf b/terraform/subscriptions/s941/playground/clusters/input.tf deleted file mode 100644 index c9c1022fa..000000000 --- a/terraform/subscriptions/s941/playground/clusters/input.tf +++ /dev/null 
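Review bot: `radix-keyv-dev` is enabled with `enable_rbac_authorization = true` but the hunk sets no `network_acls_default_action`; if this variable shares the `optional(string, "Allow")` default that the playground copy of the same variable declares, the new vault is reachable from any network and relies on RBAC alone. For a vault the external-secrets operator identity reads from, consider `network_acls_default_action = "Deny"` with explicit VNet or IP rules, and a one-line comment on why `resource_group = "common-dev"` differs from the sibling `radix-vault-dev` entry in `common`, since the clusters stack looks the vault up by `module.config.common_resource_group`.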
@@ -1,36 +0,0 @@ -locals { - external_outputs = { - global = data.terraform_remote_state.global.outputs - common = data.terraform_remote_state.common.outputs - - } - flattened_clusters = { - for key, value in var.clusters : key => { - name = key - resource_group_name = value.resource_group_name - location = value.location - destination_address_prefix = value.destination_address_prefix - } - } - backend = { - resource_group_name = "s941-tfstate" - storage_account_name = "s941radixinfra" - container_name = "infrastructure" - subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b" - } -} - -data "terraform_remote_state" "common" { - backend = "azurerm" - config = merge( - local.backend, - { key = "playground/common/terraform.tfstate" }) -} - -data "terraform_remote_state" "global" { - backend = "azurerm" - config = merge( - local.backend, - { key = "dev/globals/terraform.tfstate" }) -} - diff --git a/terraform/subscriptions/s941/playground/clusters/main.tf b/terraform/subscriptions/s941/playground/clusters/main.tf index 6f4c07dc7..15cc91279 100644 --- a/terraform/subscriptions/s941/playground/clusters/main.tf +++ b/terraform/subscriptions/s941/playground/clusters/main.tf 
@@ -1,16 +1,46 @@ + + +module "config" { + source = "../../../modules/config" +} + module "resourcegroups" { for_each = toset(var.resource_groups) source = "../../../modules/resourcegroups" name = each.value - location = local.outputs.location + location = module.config.location +} + +data "azurerm_key_vault" "keyvault" { + name = module.config.key_vault_name + resource_group_name = module.config.common_resource_group +} + +data "azurerm_log_analytics_workspace" "workspace" { + name = module.config.log_analytics_name + resource_group_name = module.config.common_resource_group +} + +data "azurerm_user_assigned_identity" "infrastructure_id" { + name = "radix-id-infrastructure-${module.config.environment}" + resource_group_name = module.config.common_resource_group +} + +data "azurerm_policy_definition" "policy_aks_cluster" { + display_name = module.config.policy_aks_diagnostics_cluster } module "radix_id_external_secrets_operator_mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-external-secrets-operator-${local.external_outputs.common.data.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.external_outputs.common.data.enviroment}" - + name = "radix-id-external-secrets-operator-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" + roleassignments = { + kv_user = { + role = "Key Vault Secrets User" + scope_id = data.azurerm_key_vault.keyvault.id + } + } } module "policyassignment_resourcegroup" { 
@@ -19,13 +49,11 @@ module "policyassignment_resourcegroup" { policy_name = "Radix-Enforce-Diagnostics-AKS-Clusters" location = each.value["data"].location resource_group_id = each.value["data"].id - policy_definition_id = local.external_outputs.global.policy_aks_cluster_id - identity_ids = local.external_outputs.common.mi_id - workspaceId = local.external_outputs.common.workspace_id - + policy_definition_id = data.azurerm_policy_definition.policy_aks_cluster.id + identity_ids = data.azurerm_user_assigned_identity.infrastructure_id.id + workspaceId = data.azurerm_log_analytics_workspace.workspace.id } - module "nsg" { source = "../../../modules/networksecuritygroup" for_each = local.flattened_clusters diff --git a/terraform/subscriptions/s941/playground/clusters/outputs.tf b/terraform/subscriptions/s941/playground/clusters/outputs.tf deleted file mode 100644 index 6162addb0..000000000 --- a/terraform/subscriptions/s941/playground/clusters/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "data" { - value = local.outputs -} \ No newline at end of file diff --git a/terraform/subscriptions/s941/playground/clusters/shared.tf b/terraform/subscriptions/s941/playground/clusters/shared.tf deleted file mode 100644 index ea7498783..000000000 --- a/terraform/subscriptions/s941/playground/clusters/shared.tf +++ /dev/null @@ -1,7 +0,0 @@ -locals { - outputs = { - resource_group = "clusters" - location = "northeurope" - backup_location = "westeurope" - } -} diff --git a/terraform/subscriptions/s941/playground/clusters/variables.tf b/terraform/subscriptions/s941/playground/clusters/variables.tf index 7baed1a3c..31e23d4c4 100644 --- a/terraform/subscriptions/s941/playground/clusters/variables.tf +++ b/terraform/subscriptions/s941/playground/clusters/variables.tf 
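Review bot: The post-image blob `15cc91279` is the same for `clusters/main.tf` in c2, prod, dev and playground, so four environment folders now carry a byte-identical file and every future change (the `policy_name` literal, the role list given to the secrets-operator identity) has to be repeated in each. Moving this content into a `modules/clusters` module fed from `module.config` would turn each environment file into a single module call; extmon, which diverges by commenting out the policy and NSG modules, is the one that would need explicit inputs. The `module "policyassignment_resourcegroup"` block starts above this hunk.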
@@ -1,3 +1,14 @@ +locals { + flattened_clusters = { + for key, value in var.clusters : key => { + name = key + resource_group_name = value.resource_group_name + location = value.location + destination_address_prefix = value.destination_address_prefix + } + } +} + variable "resource_groups" { type = list(string) default = ["clusters-playground"] diff --git a/terraform/subscriptions/s941/playground/key-vault/main.tf b/terraform/subscriptions/s941/playground/key-vault/main.tf index 547eef2a6..270fdeed4 100644 --- a/terraform/subscriptions/s941/playground/key-vault/main.tf +++ b/terraform/subscriptions/s941/playground/key-vault/main.tf @@ -4,6 +4,11 @@ module "config" { source = "../../../modules/config" } +# data "azurerm_user_assigned_identity" "mi_secrets_operator" { +# name = "radix-id-external-secrets-operator-${module.config.environment}" +# resource_group_name = module.config.common_resource_group +# } + module "keyvault" { for_each = var.keyvaults source = "../../../modules/key-vault" diff --git a/terraform/subscriptions/s941/playground/key-vault/variables.tf b/terraform/subscriptions/s941/playground/key-vault/variables.tf index accf8eb94..3af84945c 100644 --- a/terraform/subscriptions/s941/playground/key-vault/variables.tf +++ b/terraform/subscriptions/s941/playground/key-vault/variables.tf @@ -8,7 +8,7 @@ variable "keyvaults" { network_acls_default_action = optional(string, "Allow") })) default = { - radix-kv-playground = { + radix-keyv-playground = { enable_rbac_authorization = true } }
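Review bot: The added `# data "azurerm_user_assigned_identity" "mi_secrets_operator"` block is commented-out code with no note on why it is kept; since the secrets-operator identity now receives its vault role from the clusters stack, this lookup is presumably no longer needed here. Delete it, or replace it with a one-line pointer, `# Key Vault RBAC for radix-id-external-secrets-operator is assigned in ../clusters/main.tf`, so the next reader does not reintroduce a second assignment path from the key-vault stack.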