Velero role assignment #1205

Merged
merged 5 commits into from
Feb 16, 2024
Merged
71 changes: 32 additions & 39 deletions scripts/velero/install_prerequisites_in_cluster.sh
Expand Up @@ -188,37 +188,30 @@ function cleanup() {
rm -f "$CREDENTIALS_GENERATED_PATH"
}

function generateCredentialsFile() {
local SP_JSON="$(az keyvault secret show \
--vault-name $AZ_RESOURCE_KEYVAULT \
--name $APP_REGISTRATION_VELERO |
jq '.value | fromjson')"

# Set variables used in the manifest templates
local AZURE_SUBSCRIPTION_ID="$AZ_SUBSCRIPTION_ID"
local AZURE_CLIENT_ID="$(echo $SP_JSON | jq -r '.id')"
local AZURE_TENANT_ID="$(echo $SP_JSON | jq -r '.tenantId')"
local AZURE_CLIENT_SECRET="$(echo $SP_JSON | jq -r '.password')"

# Use the credentials template as a heredoc, then run the heredoc to generate the credentials file
CREDENTIALS_GENERATED_PATH="$(mktemp)"
local tmp_heredoc="$(mktemp)"
(
echo "#!/bin/sh"
echo "cat <<EOF >>${CREDENTIALS_GENERATED_PATH}"
cat ${CREDENTIALS_TEMPLATE_PATH}
echo ""
echo "EOF"
) >${tmp_heredoc} && chmod +x ${tmp_heredoc}
source "$tmp_heredoc"

# Debug
# echo -e "\nCREDENTIALS_GENERATED_PATH=$CREDENTIALS_GENERATED_PATH"
# echo -e "tmp_heredoc=$tmp_heredoc"

# Remove even if script crashed
#trap "rm -f $CREDENTIALS_GENERATED_PATH" 0 2 3 15
}
# function generateCredentialsFile() {
# local SP_JSON="$(az keyvault secret show \
# --vault-name $AZ_RESOURCE_KEYVAULT \
# --name $APP_REGISTRATION_VELERO |
# jq '.value | fromjson')"

# # Set variables used in the manifest templates
# local AZURE_SUBSCRIPTION_ID="$AZ_SUBSCRIPTION_ID"
# local AZURE_CLIENT_ID="$(echo $SP_JSON | jq -r '.id')"
# local AZURE_TENANT_ID="$(echo $SP_JSON | jq -r '.tenantId')"
# local AZURE_CLIENT_SECRET="$(echo $SP_JSON | jq -r '.password')"

# # Use the credentials template as a heredoc, then run the heredoc to generate the credentials file
# CREDENTIALS_GENERATED_PATH="$(mktemp)"
# local tmp_heredoc="$(mktemp)"
# (
# echo "#!/bin/sh"
# echo "cat <<EOF >>${CREDENTIALS_GENERATED_PATH}"
# cat ${CREDENTIALS_TEMPLATE_PATH}
# echo ""
# echo "EOF"
# ) >${tmp_heredoc} && chmod +x ${tmp_heredoc}
# source "$tmp_heredoc"
# }

# Run cleanup even if script crashed
trap cleanup 0 2 3 15
Expand All @@ -231,14 +224,14 @@ case "$(kubectl get ns $VELERO_NAMESPACE 2>&1)" in
esac
printf "...Done"

printf "\nWorking on credentials..."
generateCredentialsFile
kubectl create secret generic cloud-credentials \
--namespace "$VELERO_NAMESPACE" \
--from-file=cloud=$CREDENTIALS_GENERATED_PATH \
--dry-run=client -o yaml |
kubectl apply -f - \
2>&1 >/dev/null
# printf "\nWorking on credentials..."
# generateCredentialsFile
# kubectl create secret generic cloud-credentials \
# --namespace "$VELERO_NAMESPACE" \
# --from-file=cloud=$CREDENTIALS_GENERATED_PATH \
# --dry-run=client -o yaml |
# kubectl apply -f - \
# 2>&1 >/dev/null
printf "...Done"

MYIP=$(curl http://ifconfig.me/ip) ||
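Review bot: After the credentials block is commented out in the second hunk, the `printf "...Done"` that follows it has no matching "Working on..." message and is printed directly after the namespace step's own `...Done`, so the progress output now reads `...Done...Done`; comment it out with the block or delete it. In the first hunk, `cleanup()` still runs `rm -f "$CREDENTIALS_GENERATED_PATH"` through the `trap cleanup 0 2 3 15` below it, but nothing assigns that variable any more — if the script runs with `set -u` the trap itself aborts, otherwise the line is a no-op; drop it together with the function. Keeping the old function and its call as commented-out code (a block that pulled a service-principal secret from Key Vault and wrote it to a temp file) is worse than deleting it: history preserves it, and a dead copy of credential-handling logic tends to be revived without review. The `MYIP=$(curl http://ifconfig.me/ip)` context line is not part of this change, but since its result feeds firewall configuration it should use `https://` and `curl -fsS` so a failed or tampered lookup does not go unnoticed when this file is next touched.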
55 changes: 31 additions & 24 deletions terraform/subscriptions/modules/storageaccount/main.tf
Expand Up @@ -57,6 +57,21 @@ resource "azurerm_role_assignment" "roleassignment" {
depends_on = [azurerm_storage_account.storageaccount]
}

# #######################################################################################
# ### Role assignment for Velero Service Principal to be used to the Storage account
# ###

data "azuread_service_principal" "velero" { # wip To be changed to workload identity in the future
display_name = var.velero_service_principal
}

resource "azurerm_role_assignment" "storage_blob_data_conntributor" {
for_each = can(regex("radixvelero.*", var.name)) ? { "${var.name}" : true } : {}
scope = azurerm_storage_account.storageaccount.id
role_definition_name = "Storage Blob Data Contributor"
principal_id = data.azuread_service_principal.velero.id
depends_on = [azurerm_storage_account.storageaccount]
}

######################################################################################
## Blob Protection
Expand All @@ -73,24 +88,24 @@ resource "azurerm_data_protection_backup_instance_blob_storage" "backupinstanceb
}

resource "azurerm_storage_account_network_rules" "this" {
for_each = var.firewall ? { "${var.name}" : true } : {}
# for_each = var.firewall ? { "${var.name}" : true } : {}
storage_account_id = azurerm_storage_account.storageaccount.id
default_action = "Deny"
ip_rules = ["143.97.110.1"]
virtual_network_subnet_ids = [var.subnet_id]
# bypass = ["Metrics"]
}
ip_rules = []
# virtual_network_subnet_ids = [var.subnet_id]

######################################################################################
## Private Link
##
}

data "azurerm_subnet" "subnet" {
name = "private-links"
virtual_network_name = var.virtual_network
resource_group_name = var.vnet_resource_group
}
resource "azurerm_private_endpoint" "this" {
for_each = var.priv_endpoint ? { "${var.name}" : true } : {} # { for key in compact([for key, value in var.priv_endpoint : value.private_endpoint ? key : ""]) : key => var.priv_endpoint[key] }
name = azurerm_storage_account.storageaccount.name
resource_group_name = azurerm_storage_account.storageaccount.resource_group_name
location = azurerm_storage_account.storageaccount.location
subnet_id = var.subnet_id
name = "pe-${var.name}"
location = var.location
resource_group_name = var.vnet_resource_group
subnet_id = data.azurerm_subnet.subnet.id
depends_on = [azurerm_storage_account.storageaccount]

private_service_connection {
Expand All @@ -100,18 +115,10 @@ resource "azurerm_private_endpoint" "this" {
subresource_names = ["blob"]
}
}


######################################################################################
## Private DNS
##
resource "azurerm_private_dns_a_record" "this" {
for_each = var.priv_endpoint ? { "${var.name}" : true } : {}
name = azurerm_storage_account.storageaccount.name
zone_name = "privatelink.blob.core.windows.net"
resource_group_name = var.vnethub_resource_group
ttl = 10
records = [azurerm_private_endpoint.this[each.key].private_service_connection.0.private_ip_address]
depends_on = [azurerm_private_endpoint.this]
resource_group_name = var.vnet_resource_group
ttl = 60
records = [azurerm_private_endpoint.this.private_service_connection.0.private_ip_address]
}
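Review bot: The new `data "azuread_service_principal" "velero"` resolves the Velero identity by `display_name`, which is not unique in Entra ID; a second principal with the same display name makes the lookup fail or, worse, grants `Storage Blob Data Contributor` on the account to the wrong principal, so resolve it by `client_id` or `object_id` instead (e.g. `client_id = var.velero_service_principal_client_id`) and keep the display name for labelling only. The data source is also unconditional while the role assignment is gated by `can(regex("radixvelero.*", var.name))`, so every storage-account instance of this module now requires the principal to exist; put the same gate on the data source and anchor the pattern (`^radixvelero`) so an account merely containing that string is not matched. In the network-rules hunk the `for_each = var.firewall` gate is commented out and `ip_rules` is emptied while `default_action = "Deny"` stays, so — if the closing brace on the new side belongs to this resource, which the rendering does not make certain — every account gets a deny-all rule with no allowed sources and `bypass` at the provider default; a one-line comment stating that all access is intended to go through the private endpoint would make that deliberate. The resource name `storage_blob_data_conntributor` has a typo; rename it to `storage_blob_data_contributor` before state depends on the address.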

28 changes: 12 additions & 16 deletions terraform/subscriptions/modules/storageaccount/variables.tf
Expand Up @@ -74,6 +74,11 @@ variable "principal_id" {
type = string
}

variable "velero_service_principal" {
description = "The Name of the Principal (User, Group or Service Principal) to assign the Role Definition to"
type = string
}

variable "vault_id" {
description = "The ID of the Backup Vault"
type = string
Expand All @@ -90,25 +95,16 @@ variable "subnet_id" {

}

variable "vnethub_resource_group" {
description = "Specifies the resource group where the DNS Zone (parent resource) exists"
type = string
}

variable "priv_endpoint" {
description = "Create private endpoint?"
variable "backup" {
description = "Enable backup"
type = bool
default = false
}

variable "firewall" {
description = "Enable FW rules on StorageAccount?"
type = bool
default = true

variable "virtual_network" {
type = string
default = "vnet-hub"
}

variable "backup" {
description = "Enable backup"
type = bool
variable "vnet_resource_group" {
type = string
}
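Review bot: The description on the new `velero_service_principal` variable is copied verbatim from `principal_id` ("The Name of the Principal (User, Group or Service Principal) to assign the Role Definition to") and does not say what this input actually is or does; state the contract, e.g. `description = "Display name of the Velero service principal; granted Storage Blob Data Contributor on storage accounts whose name matches radixvelero*"`. `virtual_network` and `vnet_resource_group` are added with no description at all, and `virtual_network` hard-codes `"vnet-hub"` as its default while the resource group must be supplied — document both and say why one is defaulted and the other is not. Removing the `priv_endpoint` and `firewall` inputs is a breaking change to the module interface: only the `c2` and `extmon` callers are updated in this PR, so any other environment still passing those arguments will fail with an unsupported-argument error on the next plan.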
33 changes: 18 additions & 15 deletions terraform/subscriptions/s940/c2/common/main.tf
@@ -1,48 +1,52 @@
module "config" {
source = "../../../modules/config"
}

module "resourcegroups_ver1" {
for_each = var.resource_groups_ver1
source = "../../../modules/resourcegroups_ver1"
name = each.value.name
location = local.outputs.location
location = module.config.location
roleassignment = each.value.roleassignment
principal_id = module.mi.data.principal_id
role_definition_name = each.value.role_definition_name
}

module "mi" {
source = "../../../modules/userassignedidentity"
name = "radix-id-infrastructure-${local.outputs.enviroment}"
location = local.outputs.location
resource_group_name = "common-${local.outputs.enviroment}"
name = "radix-id-infrastructure-${module.config.environment}"
location = module.config.location
resource_group_name = "common-${module.config.environment}"

}

module "backupvault" {
source = "../../../modules/backupvaults"
name = "Backupvault-${local.outputs.enviroment}"
resource_group_name = "common-${local.outputs.enviroment}"
location = local.outputs.location
name = "Backupvault-${module.config.environment}"
resource_group_name = "common-${module.config.environment}"
location = module.config.location
policyblobstoragename = "Backuppolicy-blob"
depends_on = [module.resourcegroups_ver1]
}

module "loganalytics" {
source = "../../../modules/log-analytics"
workspace_name = "radix-logs-${local.outputs.enviroment}"
resource_group_name = "common-${local.outputs.enviroment}"
location = local.outputs.location
workspace_name = "radix-logs-${module.config.environment}"
resource_group_name = "common-${module.config.environment}"
location = module.config.location
retention_in_days = 30
local_authentication_disabled = false
}

module "storageaccount" {
source = "../../../modules/storageaccount"
for_each = var.storageaccounts
name = "radix${each.key}${local.outputs.enviroment}"
name = "radix${each.key}${module.config.environment}"
tier = each.value.account_tier
account_replication_type = each.value.account_replication_type
resource_group_name = each.value.resource_group_name
location = each.value.location
environment = local.outputs.enviroment
environment = module.config.environment
kind = each.value.kind
change_feed_enabled = each.value.change_feed_enabled
versioning_enabled = each.value.versioning_enabled
Expand All @@ -51,8 +55,7 @@ module "storageaccount" {
vault_id = module.backupvault.data.backupvault.id
policyblobstorage_id = module.backupvault.data.policyblobstorage.id
subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id
vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name
priv_endpoint = each.value.private_endpoint
firewall = each.value.firewall
velero_service_principal = each.value.velero_service_principal
vnet_resource_group = module.config.vnet_resource_group
}
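Review bot: `subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id` is still passed to `module "storageaccount"`, but the module change in this PR comments out its only visible use (`virtual_network_subnet_ids = [var.subnet_id]`) and switches the private endpoint to `data.azurerm_subnet.subnet.id`, so the argument looks dead now; either drop it here and in `extmon/common/main.tf` (and the `subnet_id` variable in the module), or add a comment saying why it is kept. This is hedged because the module's remaining lines outside the hunks are not visible. The empty line left inside `module "mi"` after `resource_group_name` is a small style nit worth removing in the same pass.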

2 changes: 1 addition & 1 deletion terraform/subscriptions/s940/c2/common/variables.tf
Expand Up @@ -31,12 +31,12 @@ variable "storageaccounts" {
account_tier = optional(string, "Standard")
account_replication_type = optional(string, "LRS")
kind = optional(string, "StorageV2")
velero_service_principal = optional(string, "ar-radix-velero-c2-prod")
change_feed_enabled = optional(bool, false)
versioning_enabled = optional(bool, false)
backup = optional(bool, false)
principal_id = optional(string)
private_endpoint = optional(bool, false)
firewall = optional(bool, true)
}))
default = {
log = {
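Review bot: The new `velero_service_principal = optional(string, "ar-radix-velero-c2-prod")` default applies to every entry in `storageaccounts`, although the module only binds the role on accounts whose name matches `radixvelero*`; a comment saying so would stop readers from assuming every account is shared with Velero, e.g. `# display name of the Velero SP; only consumed for radixvelero* accounts`. The `extmon` counterpart defaults to `radix-velero-prod`, a different naming scheme — if that difference is intended, say so there too, since the name is the only thing the module uses to pick the principal.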
Expand Up @@ -19,7 +19,7 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
module "mssql-database" {
source = "../../../modules/mssqldatabase"
env = module.config.environment
managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}"
managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}"
database_name = "radix-vulnerability-scan"
server_name = "sql-radix-vulnerability-scan-${module.config.environment}-prod"
admin_adgroup = var.admin-adgroup
33 changes: 18 additions & 15 deletions terraform/subscriptions/s940/extmon/common/main.tf
@@ -1,32 +1,36 @@
module "config" {
source = "../../../modules/config"
}

module "resourcegroups" {
for_each = toset(var.resource_groups)
source = "../../../modules/resourcegroups"
name = each.value
location = local.outputs.location
location = module.config.location
}

module "mi" {
source = "../../../modules/userassignedidentity"
name = "radix-id-infrastructure-${local.outputs.enviroment}"
location = local.outputs.location
resource_group_name = "common-${local.outputs.enviroment}"
name = "radix-id-infrastructure-${module.config.environment}"
location = module.config.location
resource_group_name = "common-${module.config.environment}"

}

module "backupvault" {
source = "../../../modules/backupvaults"
name = "Backupvault-${local.outputs.enviroment}"
resource_group_name = "common-${local.outputs.enviroment}"
location = local.outputs.location
name = "Backupvault-${module.config.environment}"
resource_group_name = "common-${module.config.environment}"
location = module.config.location
policyblobstoragename = "Backuppolicy-blob"
depends_on = [module.resourcegroups]
}

module "loganalytics" {
source = "../../../modules/log-analytics"
workspace_name = "radix-logs-${local.outputs.enviroment}"
resource_group_name = "common-${local.outputs.enviroment}"
location = local.outputs.location
workspace_name = "radix-logs-${module.config.environment}"
resource_group_name = "common-${module.config.environment}"
location = module.config.location
retention_in_days = 30
local_authentication_disabled = false
}
Expand All @@ -35,12 +39,12 @@ module "loganalytics" {
module "storageaccount" {
source = "../../../modules/storageaccount"
for_each = var.storageaccounts
name = "radix${each.key}${local.outputs.enviroment}"
name = "radix${each.key}${module.config.environment}"
tier = each.value.account_tier
account_replication_type = each.value.account_replication_type
resource_group_name = each.value.resource_group_name
location = each.value.location
environment = local.outputs.enviroment
environment = module.config.environment
kind = each.value.kind
change_feed_enabled = each.value.change_feed_enabled
versioning_enabled = each.value.versioning_enabled
Expand All @@ -49,7 +53,6 @@ module "storageaccount" {
vault_id = module.backupvault.data.backupvault.id
policyblobstorage_id = module.backupvault.data.policyblobstorage.id
subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id
vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name
priv_endpoint = each.value.private_endpoint
firewall = each.value.firewall
velero_service_principal = each.value.velero_service_principal
vnet_resource_group = module.config.vnet_resource_group
}
2 changes: 1 addition & 1 deletion terraform/subscriptions/s940/extmon/common/variables.tf
Expand Up @@ -12,12 +12,12 @@ variable "storageaccounts" {
account_tier = optional(string, "Standard")
account_replication_type = optional(string, "LRS")
kind = optional(string, "StorageV2")
velero_service_principal = optional(string, "radix-velero-prod")
change_feed_enabled = optional(bool, false)
versioning_enabled = optional(bool, false)
backup = optional(bool, false)
principal_id = optional(string)
private_endpoint = optional(bool, false)
firewall = optional(bool, true)
}))
default = {
log = {