Merge pull request #1124 from equinor/terraform-structure-take1

Terraform structure - Take1

terraform/subscriptions/modules/federatedcredential/main.tf

@@ -0,0 +1,8 @@
+resource "azurerm_federated_identity_credential" "federatedcredential" {
+  name                = var.name
+  resource_group_name = var.resource_group_name
+  audience            = var.audiences
+  issuer              = var.issuer
+  parent_id           = var.parent_id
+  subject             = var.subject
+}

terraform/subscriptions/modules/federatedcredential/output.tf

@@ -0,0 +1,4 @@
+output "data" {
+  description = "federatedcredential"
+  value = azurerm_federated_identity_credential.federatedcredential
+}

terraform/subscriptions/modules/federatedcredential/variables.tf

@@ -0,0 +1,24 @@
+variable "parent_id" {
+  description = "Specifies parent ID of User Assigned Identity for this Federated Identity Credential."
+  type = string
+}
+variable "name" {
+  description = "Specifies the name of this Federated Identity Credential."
+  type = string
+}
+variable "audiences" {
+  description = "Specifies the audience for this Federated Identity Credential."
+  type = list(string)
+}
+variable "issuer" {
+  description = "Specifies the issuer of this Federated Identity Credential."
+  type = string
+}
+variable "subject" {
+  description = "Specifies the subject for this Federated Identity Credential."
+  type = string
+}
+variable "resource_group_name" {
+  description = "Specifies the name of the Resource Group within which this Federated Identity Credential should exist."
+  type = string
+}

terraform/subscriptions/modules/networkmanager/main.tf

@@ -0,0 +1,11 @@
+resource "azurerm_network_manager" "networkmanager" {
+  name                = "${var.subscription_shortname}-ANVM"
+  location            = var.location
+  resource_group_name = var.resource_group
+  scope_accesses      = ["Connectivity"]
+  description         = "${var.subscription_shortname}-Azure Network Mananger - ${var.location}"
+
+  scope {
+    subscription_ids = [var.subscription]
+  }
+}

terraform/subscriptions/modules/networkmanager/outputs.tf

@@ -0,0 +1,4 @@
+output "data" {
+  description = "Network mananger"
+  value = azurerm_network_manager.networkmanager
+}

terraform/subscriptions/modules/networkmanager/variables.tf

@@ -0,0 +1,19 @@
+variable "location" {
+  description = "Specifies the Azure Region where the Network Managers should exist. Changing this forces a new resource to be created."
+  type        = string
+}
+
+variable "subscription_shortname" {
+  description = "The shortname to the subscription"
+  type        = string
+}
+
+variable "resource_group" {
+  description = "Specifies the name of the Resource Group where the Network Managers should exist."
+  type        = string
+}
+
+variable "subscription" {
+  description = "The subscription ID"
+  type        = string
+}

terraform/subscriptions/modules/serviceprincipal/main.tf

@@ -0,0 +1,5 @@
+resource "azuread_service_principal" "serviceprincipal" {
+  application_id               = var.client_id
+  app_role_assignment_required = var.app_role_assignment_required
+  owners                       = var.owners
+}

terraform/subscriptions/modules/serviceprincipal/output.tf

@@ -0,0 +1,4 @@
+output "data" {
+  description = "serviceprincipal"
+  value = azuread_service_principal.serviceprincipal
+}

terraform/subscriptions/modules/serviceprincipal/variables.tf

@@ -0,0 +1,13 @@
+variable "client_id" {
+  description = "The client ID of the application for which to create a service principal."
+  type = string
+}
+variable "app_role_assignment_required" {
+  description = "Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application."
+  type = string
+}
+
+variable "owners" {
+  description = "A set of object IDs of principals that will be granted ownership of the service principal."
+  type = set(string)
+}

terraform/subscriptions/modules/userassignedidentity/main.tf

@@ -0,0 +1,5 @@
+resource "azurerm_user_assigned_identity" "userassignedidentity" {
+  name = var.name
+  location = var.location
+  resource_group_name = var.resource_group_name
+}

terraform/subscriptions/modules/userassignedidentity/output.tf

@@ -0,0 +1,4 @@
+output "data" {
+  description = "userassignedidentity"
+  value = azurerm_user_assigned_identity.userassignedidentity
+}

terraform/subscriptions/modules/userassignedidentity/variables.tf

@@ -0,0 +1,14 @@
+variable "name" {
+  description = "Specifies the name of this User Assigned Identity."
+  type        = string
+}
+
+variable "resource_group_name" {
+  description = "Specifies the name of the Resource Group within which this User Assigned Identity should exist."
+  type        = string
+}
+
+variable "location" {
+  description = "The Azure Region where the User Assigned Identity should exist."
+  type        = string
+}

terraform/subscriptions/modules/virtualnetwork/main.tf

@@ -0,0 +1,6 @@
+resource "azurerm_virtual_network" "vnet-hub" {
+  name                = "vnet-hub"
+  resource_group_name = "cluster-vnet-hub-${var.enviroment}"
+  address_space       = ["10.0.0.0/16"]
+  location            = var.location
+}

terraform/subscriptions/modules/virtualnetwork/outputs.tf

@@ -0,0 +1,4 @@
+output "data" {
+  description = "IDs of vnet-hub"
+  value       = azurerm_virtual_network.vnet-hub
+}

terraform/subscriptions/modules/virtualnetwork/variables.tf

@@ -0,0 +1,9 @@
+variable "enviroment" {
+  description = "Name of the Enviroment."
+  type        = string
+}
+
+variable "location" {
+  description = "The location/region where the virtual network is created"
+  type        = string
+}

terraform/subscriptions/s940/c2/clusters/backend.tf

@@ -0,0 +1,22 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<=3.69.0"
+    }
+  }
+
+  backend "azurerm" {
+    tenant_id            = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+    subscription_id      = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+    client_id            = "043e5510-738f-4c30-8b9d-ee32578c7fe8"
+    resource_group_name  = "s940-tfstate"
+    storage_account_name = "s940radixinfra"
+    container_name       = "infrastructure"
+    key                  = "c2/clusters/terraform.tfstate"
+  }
+}
+
+provider "azurerm" {
+  features {}
+}

terraform/subscriptions/s940/c2/clusters/outputs.tf

@@ -0,0 +1,3 @@
+output "clusters" {
+  value = local.output
+}

terraform/subscriptions/s940/c2/clusters/shared.tf

@@ -0,0 +1,8 @@
+locals {
+  output = {
+    enviroment      = "c2"
+    resource_group  = "clusters-westeurope"
+    location        = "westeurope"
+    backup_location = "northeurope"
+  }
+}

terraform/subscriptions/s940/c2/common/backend.tf

@@ -0,0 +1,22 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<=3.69.0"
+    }
+  }
+
+  backend "azurerm" {
+    tenant_id            = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+    subscription_id      = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+    client_id            = "043e5510-738f-4c30-8b9d-ee32578c7fe8"
+    resource_group_name  = "s940-tfstate"
+    storage_account_name = "s940radixinfra"
+    container_name       = "infrastructure"
+    key                  = "c2/common/terraform.tfstate"
+  }
+}
+
+provider "azurerm" {
+  features {}
+}

terraform/subscriptions/s940/c2/common/outputs.tf

@@ -0,0 +1,3 @@
+output "shared" {
+  value = local.shared
+}

terraform/subscriptions/s940/c2/common/shared.tf

@@ -0,0 +1,8 @@
+locals {
+  shared = {
+    subscription_id        = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+    tenant_id              = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+    location               = "westeurope"
+    subscription_shortname = "s940"
+  }
+}

terraform/subscriptions/s940/c2/networkmanager/backend.tf

@@ -0,0 +1,24 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<=3.69.0"
+    }
+  }
+
+  backend "azurerm" {
+    tenant_id            = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+    subscription_id      = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+    client_id            = "043e5510-738f-4c30-8b9d-ee32578c7fe8"
+    resource_group_name  = "s940-tfstate"
+    storage_account_name = "s940radixinfra"
+    container_name       = "infrastructure"
+    key                  = "c2/networkmanager/terraform.tfstate"
+  }
+}
+
+provider "azurerm" {
+  subscription_id = local.external_outputs.common.shared.subscription_id
+  features {
+  }
+}

terraform/subscriptions/s940/c2/networkmanager/inputs.tf

@@ -0,0 +1,45 @@
+locals {
+  external_outputs = {
+    common         = data.terraform_remote_state.common.outputs
+    networkmanager = data.terraform_remote_state.networkmanager
+    virtualnetwork = data.terraform_remote_state.virtualnetwork
+    clusters       = data.terraform_remote_state.clusters
+  }
+  ## Backend Config
+  backend = {
+    resource_group_name  = "s940-tfstate"
+    storage_account_name = "s940radixinfra"
+    container_name       = "infrastructure"
+  }
+}
+
+### Remote States
+## Common
+data "terraform_remote_state" "common" {
+  backend = "azurerm"
+  config = merge(
+    local.backend,
+  { key = "c2/common/terraform.tfstate" })
+}
+
+## Networkmananger
+data "terraform_remote_state" "networkmanager" {
+  backend = "azurerm"
+  config = merge(
+    local.backend,
+  { key = "prod/networkmanager/terraform.tfstate" })
+}
+
+data "terraform_remote_state" "virtualnetwork" {
+  backend = "azurerm"
+  config = merge(
+    local.backend,
+  { key = "c2/virtualnetwork/terraform.tfstate" })
+}
+
+data "terraform_remote_state" "clusters" {
+  backend = "azurerm"
+  config = merge(
+    local.backend,
+  { key = "c2/clusters/terraform.tfstate" })
+}

terraform/subscriptions/s940/c2/networkmanager/main.tf

@@ -0,0 +1,88 @@
+
+data "azurerm_subscription" "current" {}
+
+resource "azurerm_network_manager_network_group" "group" {
+  name               = local.external_outputs.clusters.outputs.clusters.enviroment
+  network_manager_id = local.external_outputs.networkmanager.outputs.networkmanager_id
+  description        = "Network Group for ${local.external_outputs.clusters.outputs.clusters.enviroment} virtual networks"
+}
+
+resource "azurerm_network_manager_connectivity_configuration" "config" {
+  name                  = "Hub-and-Spoke-${local.external_outputs.clusters.outputs.clusters.enviroment}"
+  description           = "Hub-and-Spoke config"
+  network_manager_id    = local.external_outputs.networkmanager.outputs.networkmanager_id
+  connectivity_topology = "HubAndSpoke"
+
+  applies_to_group {
+    group_connectivity = "None"
+    network_group_id   = azurerm_network_manager_network_group.group.id
+  }
+
+  hub {
+    resource_id   = local.external_outputs.virtualnetwork.outputs.vnethub_id
+    resource_type = "Microsoft.Network/virtualNetworks"
+  }
+}
+
+resource "azurerm_policy_definition" "policy" {
+  name         = "Kubernetes-vnets-in-${local.external_outputs.clusters.outputs.clusters.enviroment}"
+  policy_type  = "Custom"
+  mode         = "Microsoft.Network.Data"
+  display_name = "Kubernetes vnets in ${local.external_outputs.clusters.outputs.clusters.enviroment}"
+
+  metadata = <<METADATA
+    {
+    "category": "Azure Virtual Network Manager"
+    }
+
+METADATA
+
+  policy_rule = <<POLICY_RULE
+  {
+    "if": {
+      "allOf": [
+        {
+          "field": "type",
+          "equals": "Microsoft.Network/virtualNetworks"
+        },
+        {
+          "allOf": [
+            {
+              "value": "[resourceGroup().Name]",
+              "contains": "${local.external_outputs.clusters.outputs.clusters.resource_group}"
+            },
+            {
+              "field": "location",
+              "contains": "${local.external_outputs.clusters.outputs.clusters.location}"
+            },
+            {
+              "field": "Name",
+              "contains": "${local.external_outputs.clusters.outputs.clusters.enviroment}"
+            }
+          ]
+        }
+      ]
+    },
+    "then": {
+      "effect": "addToNetworkGroup",
+      "details": {
+        "networkGroupId": "/subscriptions/${local.external_outputs.common.shared.subscription_id}/resourceGroups/clusters/providers/Microsoft.Network/networkManagers/${local.external_outputs.common.shared.AZ_SUBSCRIPTION_SHORTNAME}-ANVM/networkGroups/${local.external_outputs.clusters.outputs.clusters.enviroment}"
+      }
+    }
+  }
+  POLICY_RULE
+}
+
+resource "azurerm_subscription_policy_assignment" "assignment" {
+  display_name         = "Kubernetes-vnets-in-${local.external_outputs.clusters.outputs.clusters.enviroment}"
+  name                 = "8fc02786d3ad4dd7aa06e254"
+  location             = "eastus"
+  policy_definition_id = azurerm_policy_definition.policy.id
+  subscription_id      = data.azurerm_subscription.current.id
+  parameters           = jsonencode({})
+  identity {
+    identity_ids = []
+    type         = "SystemAssigned"
+  }
+
+}