terraform fixes (#1142)

terraform/infrastructure/s940/prod/acr/clusters.tf

@@ -1,5 +1,5 @@
 data "azapi_resource_list" "clusters" {
-  for_each = toset(var.aks_clouster_resource_groups)
+  for_each = toset(var.aks_cluster_resource_groups)
 
   type                   = "Microsoft.ContainerService/managedClusters@2023-09-01"
   parent_id              = "/subscriptions/${var.AZ_SUBSCRIPTION_ID}/resourcegroups/${var.resource_groups[each.value].name}"

terraform/infrastructure/s940/prod/acr/variables.tf

@@ -33,7 +33,7 @@ variable "virtual_networks" {
   }
 }
 
-variable "aks_clouster_resource_groups" {
+variable "aks_cluster_resource_groups" {
   type = list(string)
 }
 variable "resource_groups" {

terraform/infrastructure/s940/prod/keyvaults/main.tf

@@ -9,7 +9,7 @@ provider "azurerm" {
 }
 
 data "azuread_service_principal" "SP_GITHUB_ACTION_CLUSTER" {
-  application_id = var.SP_GITHUB_ACTION_CLUSTER_CLIENT_ID
+  display_name = var.APP_GITHUB_ACTION_CLUSTER_NAME
 }
 
 data "azurerm_key_vault" "KV_RADIX_VAULT" {

terraform/infrastructure/s940/prod/keyvaults/variables.tf

@@ -13,8 +13,8 @@ variable "AZ_RESOURCE_GROUP_COMMON" {
   type        = string
 }
 
-variable "SP_GITHUB_ACTION_CLUSTER_CLIENT_ID" {
-  description = "Service principal"
+variable "APP_GITHUB_ACTION_CLUSTER_NAME" {
+  description = "App registration name"
   type        = string
 }
 

terraform/infrastructure/s940/prod/storageaccounts/main.tf

@@ -13,7 +13,6 @@ data "azurerm_subscription" "AZ_SUBSCRIPTION" {
 }
 
 locals {
-  WHITELIST_IPS = jsondecode(textdecodebase64("${data.azurerm_key_vault_secret.whitelist_ips.value}", "UTF-8"))
   storageaccount_private_subnet = merge([
     for sa_key, sa_value in var.storage_accounts : {
       for privlink_key, privlink_value in var.private_link :
@@ -43,11 +42,6 @@ data "azurerm_key_vault" "keyvault_env" {
   resource_group_name = var.AZ_RESOURCE_GROUP_COMMON
 }
 
-data "azurerm_key_vault_secret" "whitelist_ips" {
-  name         = "acr-whitelist-ips-${var.RADIX_ZONE}"
-  key_vault_id = data.azurerm_key_vault.keyvault_env.id
-}
-
 data "azurerm_subnet" "virtual_subnets" {
   for_each = {
     for key, value in var.resource_groups : key => value if length(regexall("cluster-vnet-hub", key)) > 0

terraform/infrastructure/s941/dev/acr/acr.tf

@@ -1,7 +1,7 @@
 resource "azurerm_container_registry" "app" {
   for_each = var.K8S_ENVIROMENTS
 
-  name                    = "radix${each.key}app"
+  name                    = "radix${each.key}app${var.ACR_SUFFIX}"
   location                = var.resource_groups[each.value.resourceGroup].location # Create ACR in same location as k8s
   sku                     = "Premium"
   resource_group_name     = var.AZ_RESOURCE_GROUP_COMMON

terraform/infrastructure/s941/dev/acr/clusters.tf

@@ -1,5 +1,5 @@
 data "azapi_resource_list" "clusters" {
-  for_each = toset(var.aks_clouster_resource_groups)
+  for_each = toset(var.aks_cluster_resource_groups)
 
   type                   = "Microsoft.ContainerService/managedClusters@2023-09-01"
   parent_id              = "/subscriptions/${var.AZ_SUBSCRIPTION_ID}/resourcegroups/${var.resource_groups[each.value].name}"

terraform/infrastructure/s941/dev/acr/variables.tf

@@ -8,6 +8,11 @@ variable "AZ_LOCATION" {
   type        = string
 }
 
+variable "ACR_SUFFIX" {
+  description = "Suffix added to ACR Name"
+  type        = string
+}
+
 variable "AZ_SUBSCRIPTION_ID" {
   type = string
 }
@@ -33,7 +38,7 @@ variable "virtual_networks" {
   }
 }
 
-variable "aks_clouster_resource_groups" {
+variable "aks_cluster_resource_groups" {
   type = list(string)
 }
 variable "resource_groups" {

terraform/infrastructure/s941/dev/keyvaults/main.tf

@@ -9,7 +9,7 @@ provider "azurerm" {
 }
 
 data "azuread_service_principal" "SP_GITHUB_ACTION_CLUSTER" {
-  application_id = var.SP_GITHUB_ACTION_CLUSTER_CLIENT_ID
+  display_name = var.APP_GITHUB_ACTION_CLUSTER_NAME
 }
 
 data "azurerm_key_vault" "KV_RADIX_VAULT" {

terraform/infrastructure/s941/dev/keyvaults/variables.tf

@@ -13,8 +13,8 @@ variable "AZ_RESOURCE_GROUP_COMMON" {
   type        = string
 }
 
-variable "SP_GITHUB_ACTION_CLUSTER_CLIENT_ID" {
-  description = "Service principal"
+variable "APP_GITHUB_ACTION_CLUSTER_NAME" {
+  description = "App registration name"
   type        = string
 }
 

terraform/infrastructure/s941/dev/mysql/main.tf

@@ -50,10 +50,10 @@ data "azurerm_key_vault" "keyvault" {
 }
 
 data "azurerm_key_vault_secret" "keyvault_secret" {
+  depends_on   = [data.azurerm_key_vault.keyvault]
   for_each     = local.all_sql_servers
   name         = each.value["secret"]
   key_vault_id = data.azurerm_key_vault.keyvault[each.value["vault"]].id
-  depends_on   = [data.azurerm_key_vault.keyvault]
 }
 
 #######################################################################################

terraform/infrastructure/s941/dev/networkmanager/main.tf

@@ -59,22 +59,70 @@ resource "azurerm_network_manager_connectivity_configuration" "config" {
   }
 }
 
+resource "azurerm_policy_definition" "policy" {
+  depends_on   = [azurerm_network_manager.networkmanager]
+  for_each     = var.K8S_ENVIROMENTS
+  name         = "Kubernetes-vnets-in-${each.key}"
+  policy_type  = "Custom"
+  mode         = "Microsoft.Network.Data"
+  display_name = "Kubernetes vnets in ${each.key}"
+
+  metadata = <<METADATA
+    {
+    "category": "Azure Virtual Network Manager"
+    }
+
+METADATA
+
+
+  policy_rule = <<POLICY_RULE
+  {
+    "if": {
+      "allOf": [
+        {
+          "field": "type",
+          "equals": "Microsoft.Network/virtualNetworks"
+        },
+        {
+          "allOf": [
+            {
+              "value": "[resourceGroup().Name]",
+              "contains": "${lookup(var.cluster_rg, "${each.key}", "")}"
+            },
+            {
+              "field": "location",
+              "contains": "${lookup(var.cluster_location, "${each.key}", "")}"
+            },
+            {
+              "field": "Name",
+              "${lookup(var.enviroment_condition, "${each.key}", "")}": "playground"
+            }
+          ]
+        }
+      ]
+    },
+    "then": {
+      "effect": "addToNetworkGroup",
+      "details": {
+        "networkGroupId": "/subscriptions/${var.AZ_SUBSCRIPTION_ID}/resourceGroups/clusters/providers/Microsoft.Network/networkManagers/${var.AZ_SUBSCRIPTION_SHORTNAME}-ANVM/networkGroups/${each.key}"
+      }
+    }
+  }
+  POLICY_RULE
+}
+
 resource "azurerm_subscription_policy_assignment" "assign_vnets_in_zone_policy" {
+  depends_on           = [azurerm_policy_definition.policy]
   for_each             = azurerm_network_manager_network_group.group
-  name                 = data.azurerm_policy_definition.vnets_in_zone_policy[each.key].name
-  policy_definition_id = data.azurerm_policy_definition.vnets_in_zone_policy[each.key].id
+  name                 = azurerm_policy_definition.policy[each.key].name
+  policy_definition_id = azurerm_policy_definition.policy[each.key].id
   subscription_id      = data.azurerm_subscription.current.id
 }
 
-data "azurerm_policy_definition" "vnets_in_zone_policy" {
-  for_each = var.K8S_ENVIROMENTS
-  name     = "Kubernetes-vnets-in-${each.key}"
-}
-
 resource "azurerm_network_manager_deployment" "connectivity_topology" {
   for_each           = var.K8S_ENVIROMENTS
   network_manager_id = azurerm_network_manager.networkmanager.id
   location           = var.AZ_LOCATION
   scope_access       = "Connectivity"
   configuration_ids  = [azurerm_network_manager_connectivity_configuration.config[each.key].id]
-}
+}

terraform/infrastructure/s941/dev/networkmanager/variables.tf

@@ -8,11 +8,6 @@ variable "AZ_SUBSCRIPTION_SHORTNAME" {
   type        = string
 }
 
-variable "AZ_SUBSCRIPTION_ID" {
-  description = "Azure subscription id"
-  type        = string
-}
-
 variable "AZ_LOCATION" {
   description = "Azure location"
   type        = string
@@ -32,4 +27,31 @@ variable "vnet_rg_names" {
     dev        = "cluster-vnet-hub-dev"
     playground = "cluster-vnet-hub-playground"
   }
-}
+}
+
+variable "cluster_rg" {
+  type = map(any)
+
+  default = {
+    dev        = "clusters"
+    playground = "clusters"
+  }
+}
+
+variable "cluster_location" {
+  type = map(any)
+
+  default = {
+    dev        = "northeurope"
+    playground = "northeurope"
+  }
+}
+
+variable "enviroment_condition" {
+  type = map(any)
+
+  default = {
+    dev        = "notcontains"
+    playground = "contains"
+  }
+}