From 36a068e7bdaf0efe48c223577dfe85f21b7a9845 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Tue, 18 Jun 2024 15:43:15 +0000 Subject: [PATCH] feature: Latest changes from likvid-cloudfoundation prod branch --- kit/azure/aviatrix/README.md | 64 +++++++++ kit/azure/aviatrix/aviatrix.spn.tf | 127 ++++++++++++++++++ kit/azure/aviatrix/documentation.tf | 6 + kit/azure/aviatrix/outputs.tf | 16 +++ .../template/platform-module/terragrunt.hcl | 40 ++++++ kit/azure/aviatrix/variables.tf | 23 ++++ kit/azure/aviatrix/versions.tf | 15 +++ kit/azure/bootstrap/README.md | 2 +- .../template/platform-module/terragrunt.hcl | 7 +- kit/azure/bootstrap/variables.tf | 2 +- kit/azure/buildingblocks/automation/README.md | 2 +- .../automation/documentation.tf | 1 + .../template/platform-module/terragrunt.hcl | 10 +- .../budget-alert/backplane/README.md | 54 ++++++++ .../budget-alert/buildingblock/versions.tf | 2 +- .../connectivity/backplane/README.md | 59 ++++++++ .../connectivity/buildingblock/variables.tf | 3 +- .../connectivity/buildingblock/versions.tf | 2 +- .../github-repo/buildingblock/README.md | 75 +++++++++++ .../subscription/backplane/README.md | 54 ++++++++ .../subscription/buildingblock/versions.tf | 2 +- .../template/platform-module/terragrunt.hcl | 38 ++++++ .../landingzones/corp-online/documentation.tf | 1 - kit/azure/meshplatform/README.md | 2 +- kit/azure/meshplatform/variables.tf | 2 +- kit/azure/networking/README.md | 1 - kit/azure/networking/documentation.tf | 7 + 27 files changed, 592 insertions(+), 25 deletions(-) create mode 100644 kit/azure/aviatrix/README.md create mode 100644 kit/azure/aviatrix/aviatrix.spn.tf create mode 100644 kit/azure/aviatrix/documentation.tf create mode 100644 kit/azure/aviatrix/outputs.tf create mode 100644 kit/azure/aviatrix/template/platform-module/terragrunt.hcl create mode 100644 kit/azure/aviatrix/variables.tf create mode 100644 kit/azure/aviatrix/versions.tf create mode 100644 kit/azure/buildingblocks/budget-alert/backplane/README.md create mode 100644 
kit/azure/buildingblocks/connectivity/backplane/README.md create mode 100644 kit/azure/buildingblocks/github-repo/buildingblock/README.md create mode 100644 kit/azure/buildingblocks/subscription/backplane/README.md create mode 100644 kit/azure/buildingblocks/subscription/template/platform-module/terragrunt.hcl diff --git a/kit/azure/aviatrix/README.md b/kit/azure/aviatrix/README.md new file mode 100644 index 00000000..6defe786 --- /dev/null +++ b/kit/azure/aviatrix/README.md 
@@ -0,0 +1,64 @@ +--- +name: Azure Aviatrix +summary: | + Set +compliance: + - control: cfmm/cost-management/monthly-cloud-tenant-billing-report + statement: | + Enables + - control: cfmm/cost-management/billing-alerts + statement: | + Sets +--- + +# Azure Aviatrix + +Aviatrix + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [azuread](#requirement\_azuread) | ~> 2.46.0 | +| [azurerm](#requirement\_azurerm) | ~> 3.81.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azuread_app_role_assignment.aviatrix_deploy-approle](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource | +| [azuread_app_role_assignment.aviatrix_deploy-directory](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource | +| [azuread_application.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource | +| [azuread_application_password.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password) | resource | +| [azuread_service_principal.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource | +| [azurerm_role_assignment.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_definition.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | +| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource | +| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids) | 
data source | +| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [allowed\_user\_group\_id](#input\_allowed\_user\_group\_id) | id of the authorized id which can do changes | `list(string)` | n/a | yes | +| [location](#input\_location) | The Azure location used for creating policy assignments establishing this landing zone's guardrails. | `string` | n/a | yes | +| [parent\_management\_group](#input\_parent\_management\_group) | id of the tenant management group | `string` | n/a | yes | +| [service\_principal\_name](#input\_service\_principal\_name) | id of the tenant management group | `string` | `"avaitrix_deploy_spn"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [aviatrix\_service\_principal](#output\_aviatrix\_service\_principal) | n/a | +| [client\_id](#output\_client\_id) | n/a | +| [client\_principal\_id](#output\_client\_principal\_id) | n/a | +| [client\_secret](#output\_client\_secret) | n/a | +| [documentation\_md](#output\_documentation\_md) | n/a | + diff --git a/kit/azure/aviatrix/aviatrix.spn.tf b/kit/azure/aviatrix/aviatrix.spn.tf new file mode 100644 index 00000000..edb25394 --- /dev/null +++ b/kit/azure/aviatrix/aviatrix.spn.tf 
@@ -0,0 +1,127 @@ +resource "azurerm_role_definition" "aviatrix_deploy" { + name = var.service_principal_name + scope = var.parent_management_group + description = "Permissions required to deploy the avaitrix" + + permissions { + actions = [ + #https://docs.aviatrix.com/documentation/latest/accounts-and-users/custom-role-azure.html?expand=true + "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/*", + "Microsoft.Compute/*/read", + "Microsoft.Compute/availabilitySets/*", + "Microsoft.Compute/virtualMachines/*", + "Microsoft.Network/*/read", + "Microsoft.Network/publicIPAddresses/*", + "Microsoft.Network/networkInterfaces/*", + "Microsoft.Network/networkSecurityGroups/*", + "Microsoft.Network/loadBalancers/*", + "Microsoft.Network/routeTables/*", + "Microsoft.Network/virtualNetworks/*", + "Microsoft.Storage/storageAccounts/*", + "Microsoft.Resources/*/read", + "Microsoft.Resourcehealth/healthevent/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/tags/*", + "Microsoft.Resources/marketplace/purchase/action", + "Microsoft.Resources/subscriptions/resourceGroups/*" + ] + } + + assignable_scopes = [ + var.parent_management_group + ] +} + +data "azuread_application_published_app_ids" "well_known" {} + +data "azuread_service_principal" "msgraph" { + client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph +} + +resource "azuread_application" "aviatrix_deploy" { + display_name = var.service_principal_name + + web { + implicit_grant { + access_token_issuance_enabled = false + } + } + required_resource_access { + resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph + + resource_access { + id = data.azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"] + type = "Role" + } + resource_access { + id = data.azuread_service_principal.msgraph.app_role_ids["Group.ReadWrite.All"] + type = "Role" + } + resource_access { + id = 
data.azuread_service_principal.msgraph.app_role_ids["AppRoleAssignment.ReadWrite.All"] + type = "Role" + } + + resource_access { + id = data.azuread_service_principal.msgraph.app_role_ids["Application.ReadWrite.All"] + type = "Role" + } + } + + # NOTE: currently it is not possible to automate the "Grant admin consent button" + # https://github.com/terraform-providers/terraform-provider-azuread/issues/33 + # As a result we have to ignore this value in terraform for now + # In addition please keep in mind you have to grant admin consent manually + lifecycle { + ignore_changes = [ + app_role + ] + } +} + +resource "azuread_service_principal" "aviatrix_deploy" { + client_id = azuread_application.aviatrix_deploy.client_id + # The following tags are needed to create an Enterprise Application + # See https://github.com/hashicorp/terraform-provider-azuread/issues/7#issuecomment-529597534 + tags = [ + "WindowsAzureActiveDirectoryIntegratedApp", + ] +} + +resource "azurerm_role_assignment" "aviatrix_deploy" { + scope = var.parent_management_group + role_definition_id = azurerm_role_definition.aviatrix_deploy.role_definition_resource_id + principal_id = azuread_service_principal.aviatrix_deploy.id +} + +resource "azuread_app_role_assignment" "aviatrix_deploy-directory" { + app_role_id = data.azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"] + principal_object_id = azuread_service_principal.aviatrix_deploy.object_id + resource_object_id = data.azuread_service_principal.msgraph.object_id +} +# This azuread_app_role_assignment is necessary if you want to manage groups through Terraform. +# Productive use in a cloud foundation should probably manage groups not via Terraform but +# via existing IAM processes, but this is a good lean start. 
+# resource "azuread_app_role_assignment" "aviatrix_deploy-group" { +# app_role_id = data.azuread_service_principal.msgraph.app_role_ids["Group.ReadWrite.All"] +# principal_object_id = azuread_service_principal.aviatrix_deploy.object_id +# resource_object_id = data.azuread_service_principal.msgraph.object_id +# } + +resource "azuread_app_role_assignment" "aviatrix_deploy-approle" { + app_role_id = data.azuread_service_principal.msgraph.app_role_ids["AppRoleAssignment.ReadWrite.All"] + principal_object_id = azuread_service_principal.aviatrix_deploy.object_id + resource_object_id = data.azuread_service_principal.msgraph.object_id +} + +# note this requires the terraform to be run regularly +resource "time_rotating" "key_rotation" { + rotation_days = 365 +} + +resource "azuread_application_password" "aviatrix_deploy" { + application_id = azuread_application.aviatrix_deploy.id + rotate_when_changed = { + rotation = time_rotating.key_rotation.id + } +} diff --git a/kit/azure/aviatrix/documentation.tf b/kit/azure/aviatrix/documentation.tf new file mode 100644 index 00000000..a50f3e64 --- /dev/null +++ b/kit/azure/aviatrix/documentation.tf @@ -0,0 +1,6 @@ +output "documentation_md" { + value = < [aad\_tenant\_id](#input\_aad\_tenant\_id) | Id of the AAD Tenant. This is also the simultaneously the id of the root management group. | `string` | n/a | yes | | [documentation\_uami](#input\_documentation\_uami) | read-only UAMI with access to terraform states to generate documentation in CI pipelines |
object({
name = string
# note: it seems wildcards are not supported yet, see https://github.com/Azure/azure-workload-identity/issues/373
oidc_subject = string
})
| `null` | no | -| [key\_vault](#input\_key\_vault) | This object contains configuration details for setting up a key vault. |
object({
name = string,
resource_group_name = string
})
|
{
"name": "cloudfoundation-kv",
"resource_group_name": "cloudfoundation-keyvault"
}
| no | +| [key\_vault](#input\_key\_vault) | This object contains configuration details for setting up a key vault. |
object({
name = string,
resource_group_name = string
})
|
{
"name": "cloudfoundation-kv",
"resource_group_name": "cloudfoundation-rg"
}
| no | | [parent\_management\_group\_name](#input\_parent\_management\_group\_name) | Name of the management group you want to use as parent for your foundation. | `string` | n/a | yes | | [platform\_engineers\_group](#input\_platform\_engineers\_group) | the name of the cloud foundation platform engineers group | `string` | `"cloudfoundation-platform-engineers"` | no | | [platform\_engineers\_members](#input\_platform\_engineers\_members) | Set up a group of platform engineers. If enabled, this group will receive access to terraform\_state\_storage |
list(object({
email = string,
upn = string,
}))
| n/a | yes | diff --git a/kit/azure/bootstrap/template/platform-module/terragrunt.hcl b/kit/azure/bootstrap/template/platform-module/terragrunt.hcl index d74e828a..1a9fad0e 100644 --- a/kit/azure/bootstrap/template/platform-module/terragrunt.hcl +++ b/kit/azure/bootstrap/template/platform-module/terragrunt.hcl @@ -37,8 +37,7 @@ EOF } inputs = { - aad_tenant_id = include.platform.locals.platform.azure.aadTenantId - parent_management_group_name = "cloudfoundation-management-group" #TODO the cloudfoundation is created in a separate management group so as not to jeopardize the existing infrastructure + aad_tenant_id = include.platform.locals.platform.azure.aadTenantId terraform_state_storage = { name = "${include.platform.locals.cloudfoundation.name}" @@ -53,8 +52,8 @@ inputs = { } ] key_vault = { - name = "cloudfoundation-kv" - resource_group_name = "cloudfoundation-keyvault" + name = "likvid-cloudfoundation-kv" + resource_group_name = "likvid-cloudfoundation-keyvault" } diff --git a/kit/azure/bootstrap/variables.tf b/kit/azure/bootstrap/variables.tf index 9e1011b9..0e233ffa 100644 --- a/kit/azure/bootstrap/variables.tf +++ b/kit/azure/bootstrap/variables.tf @@ -29,7 +29,7 @@ variable "key_vault" { description = "This object contains configuration details for setting up a key vault." default = { name = "cloudfoundation-kv" - resource_group_name = "cloudfoundation-keyvault" + resource_group_name = "cloudfoundation-rg" } } diff --git a/kit/azure/buildingblocks/automation/README.md b/kit/azure/buildingblocks/automation/README.md index 7b9bdb8f..0524a61a 100644 --- a/kit/azure/buildingblocks/automation/README.md +++ b/kit/azure/buildingblocks/automation/README.md @@ -79,4 +79,4 @@ No modules. | [storage\_account\_name](#output\_storage\_account\_name) | n/a | | [subscription\_id](#output\_subscription\_id) | n/a | | [tenant\_id](#output\_tenant\_id) | n/a | - + \ No newline at end of file 
diff --git a/kit/azure/buildingblocks/automation/documentation.tf b/kit/azure/buildingblocks/automation/documentation.tf index 8516d424..ba090f71 100644 --- a/kit/azure/buildingblocks/automation/documentation.tf +++ b/kit/azure/buildingblocks/automation/documentation.tf @@ -19,3 +19,4 @@ This module automates the deployment of building blocks within Azure. It utilize EOF } + diff --git a/kit/azure/buildingblocks/automation/template/platform-module/terragrunt.hcl b/kit/azure/buildingblocks/automation/template/platform-module/terragrunt.hcl index 000b5190..eecb82e5 100644 --- a/kit/azure/buildingblocks/automation/template/platform-module/terragrunt.hcl +++ b/kit/azure/buildingblocks/automation/template/platform-module/terragrunt.hcl @@ -7,10 +7,6 @@ dependency "organization-hierarchy" { config_path = "../../organization-hierarchy" } -dependency "bootstrap" { - config_path = "../../bootstrap" -} - generate "provider" { path = "provider.tf" if_exists = "overwrite" @@ -33,9 +29,5 @@ terraform { inputs = { location = "germanywestcentral" service_principal_name = "cloud_foundation_tf_buildingblock_user" - key_vault = { - name = dependency.bootstrap.outputs.azurerm_key_vault.name - resource_group_name = dependency.bootstrap.outputs.azurerm_key_vault_rg_name - } - scope = dependency.organization-hierarchy.outputs.landingzones_id + scope = dependency.organization-hierarchy.outputs.landingzones_id } diff --git a/kit/azure/buildingblocks/budget-alert/backplane/README.md b/kit/azure/buildingblocks/budget-alert/backplane/README.md new file mode 100644 index 00000000..4982e357 --- /dev/null +++ b/kit/azure/buildingblocks/budget-alert/backplane/README.md 
@@ -0,0 +1,54 @@ +--- +name: Azure Building Block - Subscription Budget Alert +summary: | + Building block module for adding a simple monthly budget alert to a subscription. +--- + +# Azure Subscription Budget Alert + +This documentation is intended as a reference documentation for cloud foundation or platform engineers using this module. + +## Permissions + +This is a very simple building block, which means we let the SPN have access to deploy budget alerts +across all subscriptions underneath a management group (typically the top-level management group for landing zones). + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [azurerm](#requirement\_azurerm) | ~> 3.71.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [name](#input\_name) | name of the building block, used for naming resources | `string` | `"budget-alert"` | no | +| [principal\_ids](#input\_principal\_ids) | set of principal ids that will be granted permissions to deploy the building block | `set(string)` | n/a | yes | +| [scope](#input\_scope) | Scope where the building block should be deployable, typically the parent of all Landing Zones. 
| `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [documentation\_md](#output\_documentation\_md) | Markdown documentation with information about the Budget Alert building block backplane | +| [role\_assignment\_ids](#output\_role\_assignment\_ids) | The IDs of the role assignments for the service principals. | +| [role\_assignment\_principal\_ids](#output\_role\_assignment\_principal\_ids) | The principal IDs of the service principals that have been assigned the role. | +| [role\_definition\_id](#output\_role\_definition\_id) | The ID of the role definition that enables deployment of the building block to subscriptions. | +| [role\_definition\_name](#output\_role\_definition\_name) | The name of the role definition that enables deployment of the building block to subscriptions. | +| [scope](#output\_scope) | The scope where the role definition and role assignments are applied. | + \ No newline at end of file diff --git a/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf b/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf index 327a95c4..4917af3d 100644 --- a/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf +++ b/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.71.0" + version = "~> 3.108.0" } time = { source = "hashicorp/time" diff --git a/kit/azure/buildingblocks/connectivity/backplane/README.md b/kit/azure/buildingblocks/connectivity/backplane/README.md new file mode 100644 index 00000000..9cdfdd98 --- /dev/null +++ b/kit/azure/buildingblocks/connectivity/backplane/README.md 
@@ -0,0 +1,59 @@ +--- +name: Azure Building Block - Connectivity +summary: | + Building block module for adding on-premise connectivity to a subscription. +--- + +# Azure Connect + +This documentation is intended as a reference documentation for cloud foundation or platform engineers using this module. + +## Permissions + +This is a complex building block backplane that requires permission across the central network hub as well as into the +target subscription for creating a spoke network. This backplane thus needs to work with multiple `azurerm` terraform providers. + +We establish a clear shared responsibility boundary in the target subscription by +deploying a `connectivity` resource group to target subscription. This resource group is exclusively owned by the connectivity building block backplane SPN. + +An Azure Policy confines the access of the SPN to that resource group. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [azurerm](#requirement\_azurerm) | ~> 3.71.0 | + +## Modules + +No modules. 
+ +## Resources + +| Name | Type | +|------|------| +| [azurerm_role_assignment.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_definition.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [name](#input\_name) | name of the building block, used for naming resources | `string` | n/a | yes | +| [principal\_ids](#input\_principal\_ids) | set of principal ids that will be granted permissions to deploy the building block | `set(string)` | n/a | yes | +| [scope](#input\_scope) | Scope where the building block should be deployable, typically the parent of all Landing Zones. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [documentation\_md](#output\_documentation\_md) | Markdown documentation with information about the Connectivity building block backplane | +| [role\_assignment\_ids](#output\_role\_assignment\_ids) | The IDs of the role assignments for the service principals. | +| [role\_assignment\_principal\_ids](#output\_role\_assignment\_principal\_ids) | The principal IDs of the service principals that have been assigned the role. | +| [role\_definition\_id](#output\_role\_definition\_id) | The ID of the role definition that enables deployment of the Connectivity building block to the hub. | +| [role\_definition\_name](#output\_role\_definition\_name) | The name of the role definition that enables deployment of the Connectivity building block to the hub. | +| [scope](#output\_scope) | The scope where the role definition and role assignments are applied. 
| + \ No newline at end of file diff --git a/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf b/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf index b6615eab..7f45dd0e 100644 --- a/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf +++ b/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf @@ -29,5 +29,4 @@ variable "azure_delay_seconds" { type = number description = "Number of additional seconds to wait between Azure API operations to mitigate eventual consistency issues in order to increase automation reliabilty." default = 30 -} - +} \ No newline at end of file diff --git a/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf b/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf index 53fb53d9..56843d8e 100644 --- a/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf +++ b/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf @@ -5,7 +5,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.106.1" + version = "~> 3.108.0" configuration_aliases = [azurerm.spoke, azurerm.hub] } diff --git a/kit/azure/buildingblocks/github-repo/buildingblock/README.md b/kit/azure/buildingblocks/github-repo/buildingblock/README.md new file mode 100644 index 00000000..0efb5ff2 --- /dev/null +++ b/kit/azure/buildingblocks/github-repo/buildingblock/README.md 
@@ -0,0 +1,75 @@ +--- +name: Azure Building Block - GitHub Repository +summary: | + Building block module for creating a GitHub repository. +--- + +# Azure GitHub Repository + +This documentation is intended as a reference for cloud foundation or platform engineers using this module. + +## Permissions + +This building block requires a service principal with permissions to manage GitHub repositories. The service principal should have a GitHub App installed with the necessary permissions to create repositories. + +The private key of the GitHub App should be stored in Azure Key Vault and the service principal should have permissions to read this secret. + +The service principal also needs permissions to assign the "Key Vault Reader" role to itself for the Key Vault where the GitHub App's private key is stored. + +## Usage + +This building block creates a GitHub repository with the specified name, description, and visibility. It also supports creating a repository based on a template repository. + +You can specify the name of the GitHub organization, the name of the repository, whether to create a new repository or use a template, the owner and name of the template repository, and the visibility of the repository. + +The GitHub token is retrieved from Azure Key Vault and used to authenticate with the GitHub API. + +The building block outputs the name, description, and visibility of the created repository. + + +## Requirements + +| Name | Version | +|------|---------| +| [azurerm](#requirement\_azurerm) | ~> 3.81.0 | +| [github](#requirement\_github) | 5.34.0 | + +## Modules + +No modules. 
+ +## Resources + +| Name | Type | +|------|------| +| [github_repository.repository](https://registry.terraform.io/providers/integrations/github/5.34.0/docs/resources/repository) | resource | +| [azurerm_key_vault.cloudfoundation_keyvault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | +| [azurerm_key_vault_secret.github_token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [create\_new](#input\_create\_new) | Flag to indicate whether to create a new repository | `bool` | n/a | yes | +| [description](#input\_description) | Description of the GitHub repository | `string` | `"created by github-repo-building-block"` | no | +| [github\_app\_id](#input\_github\_app\_id) | ID of the GitHub App | `string` | n/a | yes | +| [github\_app\_installation\_id](#input\_github\_app\_installation\_id) | Installation ID of the GitHub App | `string` | n/a | yes | +| [github\_org](#input\_github\_org) | Name of the GitHub organization | `string` | n/a | yes | +| [github\_token\_secret\_name](#input\_github\_token\_secret\_name) | Name of the secret in Key Vault that holds the GitHub token | `string` | n/a | yes | +| [key\_vault\_name](#input\_key\_vault\_name) | Name of the Key Vault | `string` | n/a | yes | +| [key\_vault\_rg](#input\_key\_vault\_rg) | Name of the Resource Group where the Key Vault is located | `string` | n/a | yes | +| [repo\_name](#input\_repo\_name) | Name of the GitHub repository | `string` | `"github-repo"` | no | +| [template\_owner](#input\_template\_owner) | Owner of the template repository | `string` | `"template-owner"` | no | +| [template\_repo](#input\_template\_repo) | Name of the template repository | `string` | `"github-repo"` | no | +| [use\_template](#input\_use\_template) | Flag to indicate whether 
to create a repo based on a Template Repository | `bool` | `false` | no | +| [visibility](#input\_visibility) | Visibility of the GitHub repository | `string` | `"private"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [repo\_full\_name](#output\_repo\_full\_name) | n/a | +| [repo\_git\_clone\_url](#output\_repo\_git\_clone\_url) | n/a | +| [repo\_html\_url](#output\_repo\_html\_url) | n/a | +| [repo\_name](#output\_repo\_name) | n/a | + diff --git a/kit/azure/buildingblocks/subscription/backplane/README.md b/kit/azure/buildingblocks/subscription/backplane/README.md new file mode 100644 index 00000000..ed970cd6 --- /dev/null +++ b/kit/azure/buildingblocks/subscription/backplane/README.md 
@@ -0,0 +1,54 @@ +--- +name: Azure Building Block - Subscription Baseline +summary: | + Baseline for all subscriptions managed by the Likvid Bank Cloud Foundation Team. +--- + +# Azure Subscription Baseline + +This documentation is intended as a reference documentation for cloud foundation or platform engineers using this module. + +## Permissions + +This is a very simple building block backplane, which means it sets up permission to deploy the building block +across all subscriptions underneath a management group (typically the top-level management group for landing zones). + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [azurerm](#requirement\_azurerm) | ~> 3.71.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [name](#input\_name) | name of the building block, used for naming resources | `string` | `"budget-alert"` | no | +| [principal\_ids](#input\_principal\_ids) | set of principal ids that will be granted permissions to deploy the building block | `set(string)` | n/a | yes | +| [scope](#input\_scope) | Scope where the building block should be deployable, typically the parent of all Landing Zones. 
| `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [documentation\_md](#output\_documentation\_md) | Markdown documentation with information about the Subscription building block backplane | +| [role\_assignment\_ids](#output\_role\_assignment\_ids) | The IDs of the role assignments for the service principals. | +| [role\_assignment\_principal\_ids](#output\_role\_assignment\_principal\_ids) | The principal IDs of the service principals that have been assigned the role. | +| [role\_definition\_id](#output\_role\_definition\_id) | The ID of the role definition that enables deployment of the Subscription building block to subscriptions. | +| [role\_definition\_name](#output\_role\_definition\_name) | The name of the role definition that enables deployment of the Subscription building block to subscriptions. | +| [scope](#output\_scope) | The scope where the role definition and role assignments are applied. | + \ No newline at end of file diff --git a/kit/azure/buildingblocks/subscription/buildingblock/versions.tf b/kit/azure/buildingblocks/subscription/buildingblock/versions.tf index a0c42f5d..374ea43b 100644 --- a/kit/azure/buildingblocks/subscription/buildingblock/versions.tf +++ b/kit/azure/buildingblocks/subscription/buildingblock/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.71.0" + version = "~> 3.108.0" } } } diff --git a/kit/azure/buildingblocks/subscription/template/platform-module/terragrunt.hcl b/kit/azure/buildingblocks/subscription/template/platform-module/terragrunt.hcl new file mode 100644 index 00000000..9e4e4662 --- /dev/null +++ b/kit/azure/buildingblocks/subscription/template/platform-module/terragrunt.hcl 
@@ -0,0 +1,38 @@ +include "platform" { + path = find_in_parent_folders("platform.hcl") + expose = true +} + +dependency "bootstrap" { + config_path = "../../bootstrap" +} + +dependency "organization-hierarchy" { + config_path = "../../organization-hierarchy" +} + +# we deploy to the management subscription here, as the subscription building block is central to all LZs +# we also deploy the backplane like all other platform modules with azure-cli auth +generate "provider" { + path = "provider.tf" + if_exists = "overwrite" + contents = < [metering\_credentials](#output\_metering\_credentials) | Metering Service Principal. | | [replicator\_client\_secret](#output\_replicator\_client\_secret) | Password for Replicator Service Principal. | | [replicator\_credentials](#output\_replicator\_credentials) | Replicator Service Principal. | - + \ No newline at end of file diff --git a/kit/azure/meshplatform/variables.tf b/kit/azure/meshplatform/variables.tf index 04cdecf8..80315718 100644 --- a/kit/azure/meshplatform/variables.tf +++ b/kit/azure/meshplatform/variables.tf @@ -98,4 +98,4 @@ variable "can_cancel_subscriptions_in_scopes" { type = list(string) description = "The scopes to which Service Principal cancel subscription permission is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups//`." default = [] -} +} \ No newline at end of file diff --git a/kit/azure/networking/README.md b/kit/azure/networking/README.md index 19fad434..07f129b7 100644 --- a/kit/azure/networking/README.md +++ b/kit/azure/networking/README.md @@ -1,4 +1,3 @@ - --- name: Azure Network summary: | diff --git a/kit/azure/networking/documentation.tf b/kit/azure/networking/documentation.tf index 1ba5484c..8bcc6757 100644 --- a/kit/azure/networking/documentation.tf +++ b/kit/azure/networking/documentation.tf 
@@ -12,6 +12,13 @@ Upon request, we will peer a VNet in your subscription with the hub. All Firewall related logs are in the Log Anlytics Workspace - `${local.parsed_diag.log_analytics_id}` +## Hub and spoke vnet-peering +| name | adress_sapce | description | +|-|-|-| +glaskugel| 10.1.0.0/24 | Project Palantíri, stackholder Saruman | + + + ## Subnets | name | prefixes | description | |-|-|-|
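Review bot: in kit/azure/aviatrix/README.md the front matter and input descriptions are placeholders or copy-paste errors: `summary: Set`, the two compliance `statement` fields read only `Enables` and `Sets`, and both listed controls are cost-management billing controls, which do not describe an Aviatrix deployment principal. `service_principal_name` is described as "id of the tenant management group" and its default `"avaitrix_deploy_spn"` misspells Aviatrix; `allowed_user_group_id` is typed `list(string)` but described as a single "id", and nothing in aviatrix.spn.tf references it. Fill in the summary and statements, fix the descriptions and the default, and either wire `allowed_user_group_id` into a resource or drop the variable.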
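Review bot: in kit/azure/aviatrix/aviatrix.spn.tf the service principal ends up far more privileged than the linked Aviatrix custom-role page calls for. `required_resource_access` requests the tenant-wide Graph application roles `Group.ReadWrite.All`, `Application.ReadWrite.All` and `AppRoleAssignment.ReadWrite.All`, and `azuread_app_role_assignment.aviatrix_deploy-approle` grants `AppRoleAssignment.ReadWrite.All` outright; a principal holding that role can assign itself any other Graph app role, so it is effectively tenant-wide Graph admin, and the commented-out group assignment shows the group role is not needed either. Remove the roles the controller does not use (at minimum `Application.ReadWrite.All` and `Group.ReadWrite.All`, which would otherwise be granted the moment an admin clicks consent) and justify `AppRoleAssignment.ReadWrite.All` in a comment or drop it. Two further points in the same hunk: the custom role containing `Microsoft.Compute/virtualMachines/*`, `Microsoft.Network/virtualNetworks/*` and `Microsoft.Storage/storageAccounts/*` is assigned and assignable at `var.parent_management_group`, which the README describes as the tenant management group, so consider a dedicated management group or subscription scope; and `azuread_application_password` puts a client secret with a 365-day rotation into Terraform state and the `client_secret` output, so mark that output sensitive, shorten the rotation, or use federated credentials if the controller supports them. Minor: `description = "Permissions required to deploy the avaitrix"` misspells Aviatrix, and the comment above `lifecycle { ignore_changes = [app_role] }` talks about admin consent, which `app_role` does not control.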
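Review bot: in kit/azure/bootstrap/template/platform-module/terragrunt.hcl the removed `parent_management_group_name = "cloudfoundation-management-group"` input is still listed as required (default `n/a`, required `yes`) in the bootstrap README in this same patch, and the bootstrap variables.tf hunk only changes the `key_vault` default, so the module will fail at plan time with a missing required variable unless variables.tf was changed elsewhere. Either keep the input or give the variable a default and regenerate the README. In the same hunk, `name = "likvid-cloudfoundation-kv"` and `resource_group_name = "likvid-cloudfoundation-keyvault"` hardcode the tenant prefix while `terraform_state_storage.name` a few lines above derives it from `include.platform.locals.cloudfoundation.name`; use the same local, and note that the resource group suffix used here (`-keyvault`) no longer matches the new variables.tf default (`cloudfoundation-rg`).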
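Review bot: in kit/azure/buildingblocks/automation/template/platform-module/terragrunt.hcl the `bootstrap` dependency and the `key_vault` input are removed, but kit/azure/buildingblocks/automation/README.md in this patch only changes a trailing newline, so the generated docs still describe a `key_vault` variable on the module; if that variable has no default, `terragrunt plan` will fail with a missing required input. Either remove the variable from the module and regenerate the README, or keep the input. The commit message should also say where the automation principal now obtains the Key Vault location it previously took from `dependency.bootstrap.outputs.azurerm_key_vault`.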
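Review bot: in kit/azure/buildingblocks/connectivity/backplane/README.md the Permissions section states "An Azure Policy confines the access of the SPN to that resource group", but the Resources table lists only `azurerm_role_assignment.buildingblock_deploy_hub`, `azurerm_role_definition.buildingblock_deploy_hub` and the `azurerm_subscription.current` data source, with no policy definition or assignment and no resource group. Either the guardrail lives in another module (then link it) or the text overstates what this backplane enforces; readers will rely on that boundary, so make the two agree. Smaller: the H1 reads "Azure Connect" while the front matter name is "Connectivity", and "to target subscription" is missing "the".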
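Review bot: in kit/azure/buildingblocks/github-repo/buildingblock/README.md the Permissions section says the service principal "needs permissions to assign the 'Key Vault Reader' role to itself"; a principal that can grant roles to itself is a privilege-escalation path, so the role should be assigned by the backplane that provisions the principal, not by the building block at run time. Key Vault Reader is also a control-plane role that does not permit reading secret values; with RBAC-enabled vaults the `azurerm_key_vault_secret.github_token` data source needs Key Vault Secrets User (or an access policy on vaults still using that model). The prose further mixes two credential models: it says the GitHub App private key is stored in Key Vault, while the inputs expose `github_app_id`, `github_app_installation_id` and `github_token_secret_name` and the Usage section says "The GitHub token is retrieved from Azure Key Vault"; state which one the secret actually holds. Finally, `template_owner` defaults to `"template-owner"` and both `repo_name` and `template_repo` default to `"github-repo"`, which are placeholders rather than usable defaults; make them required.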
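Review bot: in kit/azure/buildingblocks/subscription/backplane/README.md the `name` input defaults to `"budget-alert"` in a module titled Azure Subscription Baseline; since the description says it is "used for naming resources", this backplane's role definition would be named after the budget-alert building block. Fix the default in the module's variables.tf (something like `"subscription"`) and regenerate the README. The summary line "Baseline for all subscriptions managed by the Likvid Bank Cloud Foundation Team" also hardcodes a tenant name into a kit module.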
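Review bot: in kit/azure/networking/documentation.tf the new "Hub and spoke vnet-peering" table has a malformed row and typos: `glaskugel| 10.1.0.0/24 | Project Palantíri, stackholder Saruman |` is missing its leading `|`, so it will not render as a table row; the header `adress_sapce` should be `address_space`; "stackholder" should be "stakeholder"; and three blank lines are added before `## Subnets` where one suffices. Beyond formatting, this hardcodes one project's peering entry into generated module documentation; like the `${local.parsed_diag.log_analytics_id}` reference above it, the peering table should be rendered from the module's peering inputs so it does not go stale.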