terraform {
  # Lower bound only: any Terraform release newer than 1.1 is accepted.
  required_version = "> 1.1"

  # All three providers use a lower-bound constraint (">="), so the exact
  # provider builds a run uses come from the dependency lock file
  # (.terraform.lock.hcl). Commit that file so every operator and CI job
  # resolves the same, checksum-verified provider versions.
  required_providers {
    # azapi is not referenced in this file; presumably used by a child module.
    azapi = {
      source  = "Azure/azapi"
      version = ">=1.13.1"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = ">=3.0.2"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=4.11.0"
    }
  }
}
# Management group whose id becomes the definition scope of the replicator's
# custom role (see module.replicator_service_principal).
data "azurerm_management_group" "replicator_custom_role_scope" {
  name = var.replicator_custom_role_scope
}
# One lookup per management group name the replicator role is assigned to.
# The variable is converted to a set so duplicate names do not produce
# duplicate instances.
data "azurerm_management_group" "replicator_assignment_scopes" {
  for_each = toset(var.replicator_assignment_scopes)

  # For a set, each.value equals each.key.
  name = each.value
}
# One lookup per management group name the metering principal is assigned
# to; mirrors replicator_assignment_scopes above.
data "azurerm_management_group" "metering_assignment_scopes" {
  for_each = toset(var.metering_assignment_scopes)

  # For a set, each.value equals each.key.
  name = each.value
}
# Resolve the looked-up management groups to their full resource ids, which
# is what the child modules expect as role assignment scopes. values() on a
# for_each result is ordered by key, matching the original for-expression.
locals {
  replicator_assignment_scopes = values(data.azurerm_management_group.replicator_assignment_scopes)[*].id
  metering_assignment_scopes   = values(data.azurerm_management_group.metering_assignment_scopes)[*].id
}
# The data source itself is only a carrier: the lifecycle precondition is a
# root-level assertion that spans two input variables, which a variable
# `validation` block cannot express on the Terraform versions allowed by
# required_version (cross-variable references in validation need 1.9+).
data "azuread_client_config" "current" {
  lifecycle {
    precondition {
      # At least one credential mechanism must be enabled for the service
      # principals created below. Both may be enabled at once; using only
      # workload identity federation avoids minting a long-lived client
      # secret that would otherwise also live in Terraform state.
      condition     = var.create_passwords || var.workload_identity_federation != null
      error_message = "Set at least one of `create_passwords` and `workload_identity_federation`."
    }
  }
}
# Service principal for the replicator component. Created when either the
# subscription-level or the resource-group-level replicator is enabled.
module "replicator_service_principal" {
  source = "./modules/meshcloud-replicator-service-principal/"
  count  = var.replicator_enabled || var.replicator_rg_enabled ? 1 : 0

  service_principal_name = var.replicator_service_principal_name
  replicator_rg_enabled  = var.replicator_rg_enabled

  # Where the custom role is defined versus where it is assigned; the
  # assignment scopes are the management group ids resolved in locals.
  custom_role_scope = data.azurerm_management_group.replicator_custom_role_scope.id
  assignment_scopes = local.replicator_assignment_scopes

  # Optional destructive capabilities (as the variable names indicate) and
  # extra permissions on top of the module's defaults. Everything granted
  # here widens the principal's blast radius inside the assignment scopes,
  # so keep these as narrow as the workflow allows and review them together
  # with the role definition.
  can_cancel_subscriptions_in_scopes    = var.can_cancel_subscriptions_in_scopes
  can_delete_rgs_in_scopes              = var.can_delete_rgs_in_scopes
  additional_required_resource_accesses = var.additional_required_resource_accesses
  additional_permissions                = var.additional_permissions

  # Credentials: a client secret (if created here it will be held in
  # Terraform state, so protect the backend) and/or workload identity
  # federation. At least one is enforced by the precondition on
  # data.azuread_client_config.current.
  create_password = var.create_passwords
  workload_identity_federation = var.workload_identity_federation == null ? null : {
    issuer  = var.workload_identity_federation.issuer,
    subject = var.workload_identity_federation.replicator_subject
  }

  # Owners can manage the app registration, including its credentials; keep
  # this list short and reviewed.
  application_owners = var.application_owners
}
# Service principals for Microsoft Customer Agreement billing access.
# Only created when the optional `mca` object is configured.
module "mca_service_principal" {
  source = "./modules/meshcloud-mca-service-principal"
  count  = var.mca != null ? 1 : 0

  service_principal_names = var.mca.service_principal_names

  # Billing hierarchy the principals are granted access to.
  billing_account_name = var.mca.billing_account_name
  billing_profile_name = var.mca.billing_profile_name
  invoice_section_name = var.mca.invoice_section_name

  # Owners can manage the app registrations, including their credentials.
  application_owners = var.application_owners
}
# Service principal for the metering component, assigned over the metering
# management groups resolved in locals.
module "metering_service_principal" {
  source = "./modules/meshcloud-metering-service-principal/"
  count  = var.metering_enabled ? 1 : 0

  service_principal_name = var.metering_service_principal_name
  assignment_scopes      = local.metering_assignment_scopes

  # Credentials: same two mechanisms as the replicator; the federated
  # subject differs (kraken_subject, presumably the metering component's
  # identity name). A client secret created here ends up in Terraform state.
  create_password = var.create_passwords
  workload_identity_federation = var.workload_identity_federation == null ? null : {
    issuer  = var.workload_identity_federation.issuer,
    subject = var.workload_identity_federation.kraken_subject
  }

  # Owners can manage the app registration, including its credentials.
  application_owners = var.application_owners
}
# Application used for single sign-on between Entra ID and the meshStack IdP.
module "sso_service_principal" {
  source = "./modules/meshcloud-sso/"
  count  = var.sso_enabled ? 1 : 0

  service_principal_name  = var.sso_service_principal_name
  meshstack_idp_domain    = var.sso_meshstack_idp_domain
  identity_provider_alias = var.sso_identity_provider_alias

  # When true, sign-in is limited to users/groups explicitly assigned to the
  # application (presumably forwarded to the service principal's
  # app_role_assignment_required setting) — the safer default for an SSO app.
  app_role_assignment_required = var.sso_app_role_assignment_required

  # Owners can manage the app registration, including its credentials.
  application_owners = var.application_owners
}
# Keep existing state from v0.1.0 of this module usable: the replicator
# module was renamed, and this lets Terraform move the instances instead of
# destroying and recreating the service principal (and its credentials).
moved {
  from = module.replicator_spp
  to   = module.replicator_service_principal
}
# Same v0.1.0 migration for the metering module rename.
moved {
  from = module.metering_spp
  to   = module.metering_service_principal
}