diff --git a/.github/workflows/aksbootstrap.yaml b/.github/workflows/aksbootstrap.yaml
index e168ee8f8..f0de674e7 100644
--- a/.github/workflows/aksbootstrap.yaml
+++ b/.github/workflows/aksbootstrap.yaml
@@ -103,7 +103,7 @@ jobs:
 ARM_USE_OIDC: true
 ARM_USE_AZUREAD: true
 run: |
- terraform -chdir="./terraform/subscriptions/${{ matrix.target.subscription }}/${{ matrix.target.name }}/pre-clusters" apply
+ terraform -chdir="./terraform/subscriptions/${{ matrix.target.subscription }}/${{ matrix.target.name }}/pre-clusters" apply -auto-approve
 - name: Revoke GitHub IP on StorageAccount
 if: steps.changes.outputs.changed == 'true'
 run: |
diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf
index 36d198b8f..4aa1eb509 100644
--- a/terraform/subscriptions/s940/c2/common/main.tf
+++ b/terraform/subscriptions/s940/c2/common/main.tf
@@ -26,6 +26,23 @@ module "loganalytics" {
 local_authentication_disabled = false
 }
+data "azurerm_resource_group" "logs" {
+ name = "Logs-${module.config.location}"
+}
+
+data "azurerm_resource_group" "clusters" {
+ name = "clusters-${module.config.environment}"
+}
+
+data "azurerm_resource_group" "networkwatcher" {
+ name = "NetworkWatcherRG"
+}
+
+data "azurerm_key_vault" "this" {
+ name = "radix-keyv-${module.config.environment}"
+ resource_group_name = "common-${module.config.environment}"
+}
+
 data "azurerm_virtual_network" "this" {
 name = "vnet-hub"
 resource_group_name = module.config.vnet_resource_group
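Review bot: `-auto-approve` makes the apply step execute whatever Terraform computes at run time with no reviewed plan in between, so an unexpected replacement or destroy of a pre-cluster resource goes straight through. The non-interactive apply this change needs can be had without dropping that gate by planning to a file first and applying exactly that plan, which needs no `-auto-approve`: `terraform -chdir="./terraform/subscriptions/${{ matrix.target.subscription }}/${{ matrix.target.name }}/pre-clusters" plan -out=tfplan` followed by `terraform -chdir="…/pre-clusters" apply tfplan`. The step starts outside the hunk, so I cannot see whether a plan step already exists; if it does, applying its saved plan here is the minimal fix. Separately, the following `Revoke GitHub IP on StorageAccount` step is conditioned only on `steps.changes.outputs.changed == 'true'`, so a failed apply skips it and leaves the GitHub IP allowed on the storage account; `if: always() && steps.changes.outputs.changed == 'true'` would close that window.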
@@ -156,6 +173,26 @@ module "radix_id_gitrunner" {
 role = "Storage Blob Data Contributor" # Needed to read blobdata
 scope_id = "${module.config.backend.terraform_storage_id}"
 }
+ common_contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = "${module.resourcegroups.data.id}"
+ }
+ logs_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.logs.id}"
+ }
+ clusters_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.clusters.id}"
+ }
+ networkwatcher_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.networkwatcher.id}"
+ }
+ keyvault_contributor = {
+ role = "Key Vault Secrets User" # Needed to read secrets
+ scope_id = "${data.azurerm_key_vault.this.id}"
+ }
 vnet_contributor = {
 role = "Contributor"
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
@@ -167,6 +204,11 @@ module "radix_id_gitrunner" {
 issuer = "https://token.actions.githubusercontent.com"
 subject = "repo:equinor/radix:environment:${module.config.environment}"
 },
+ github_radix-platform = {
+ name = "radix-platform-env-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-platform:environment:${module.config.environment}"
+ }
 }
 }
@@ -191,7 +233,6 @@ module "radix-cr-reader" {
 implicit_grant = {
 access_token_issuance_enabled = false
 id_token_issuance_enabled = true
-
 }
 }
diff --git a/terraform/subscriptions/s940/extmon/common/main.tf b/terraform/subscriptions/s940/extmon/common/main.tf
index 81d571228..decf713e4 100644
--- a/terraform/subscriptions/s940/extmon/common/main.tf
+++ b/terraform/subscriptions/s940/extmon/common/main.tf
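Review bot: The four new `Contributor` assignments (`common_contributor`, `logs_contributor`, `clusters_contributor`, `networkwatcher_contributor`) give a GitHub-federated CI identity full write access over whole resource groups, yet the only stated need is opening a firewall and `logs_contributor`, `clusters_contributor` and `networkwatcher_contributor` carry no justification at all. Contributor at resource-group scope covers every resource in the group, so a compromised or misused workflow token gets the whole group rather than the one operation the pipeline performs; the narrowest built-in role for that operation, or a custom role such as the existing `Radix Privatelink rbac-…` one, would keep the blast radius matched to the need. At minimum document each entry like its neighbours, e.g. `role = "Contributor" # Needed to <operation> on <resource>`, so the next reviewer can judge whether the scope is still right. `keyvault_contributor` is also a misleading key for a read-only `Key Vault Secrets User` assignment; `keyvault_secrets_user` would describe it. The `roleassignments` map and the module block start outside the hunk.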
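Review bot: The new federated credential trusts every GitHub Actions job in `equinor/radix-platform` that runs with the `${module.config.environment}` environment, so the protection rules on that GitHub environment (required reviewers, deployment-branch policy) are all that separate a workflow on an arbitrary branch from this identity's Contributor rights, and nothing in Terraform can check that. I would record the assumption next to the subject: `# Trust is bounded by the GitHub environment's protection rules; keep reviewers/branch policy enabled`. The entry also sets no `audiences`; if the `userassignedidentity` module does not default it to `api://AzureADTokenExchange`, GitHub's default token audience will not match and the exchange fails. The `federated_credentials` map starts outside the hunk.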
@@ -17,6 +17,23 @@ module "loganalytics" {
 local_authentication_disabled = false
 }
+data "azurerm_resource_group" "logs" {
+ name = "Logs"
+}
+
+data "azurerm_resource_group" "clusters" {
+ name = "clusters-${module.config.environment}"
+}
+
+data "azurerm_resource_group" "networkwatcher" {
+ name = "NetworkWatcherRG"
+}
+
+data "azurerm_key_vault" "this" {
+ name = "radix-keyv-${module.config.environment}"
+ resource_group_name = "common-${module.config.environment}"
+}
+
 data "azurerm_virtual_network" "this" {
 name = "vnet-hub"
 resource_group_name = module.config.vnet_resource_group
@@ -84,6 +101,63 @@ module "storageaccount" {
 log_analytics_id = module.loganalytics.workspace_id
 }
+module "radix_id_gitrunner" {
+ source = "../../../modules/userassignedidentity"
+ name = "radix-id-gitrunner-${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ roleassignments = {
+ privatelink-contributor = {
+ role = "Radix Privatelink rbac-${module.config.subscription_shortname}"
+ scope_id = "/subscriptions/${module.config.subscription}"
+ }
+ blob_contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = "${module.config.backend.terraform_storage_id}"
+ }
+ storage_blob_contributor = {
+ role = "Storage Blob Data Contributor" # Needed to read blobdata
+ scope_id = "${module.config.backend.terraform_storage_id}"
+ }
+ common_contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = "${module.resourcegroups.data.id}"
+ }
+ logs_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.logs.id}"
+ }
+ clusters_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.clusters.id}"
+ }
+ networkwatcher_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.networkwatcher.id}"
+ }
+ keyvault_contributor = {
+ role = "Key Vault Secrets User" # Needed to read secrets
+ scope_id = "${data.azurerm_key_vault.this.id}"
+ }
+ vnet_contributor = {
+ role = "Contributor"
+ scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
+ }
+ }
+ federated_credentials = {
+ radix-id-gitrunner = {
+ name = "radix-id-gitrunner-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix:environment:${module.config.environment}"
+ },
+ github_radix-platform = {
+ name = "radix-platform-env-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-platform:environment:${module.config.environment}"
+ }
+ }
+}
+
 output "workspace_id" {
 value = module.loganalytics.workspace_id
 }
diff --git a/terraform/subscriptions/s940/extmon/config.yaml b/terraform/subscriptions/s940/extmon/config.yaml
index 431211a83..6c4b97558 100644
--- a/terraform/subscriptions/s940/extmon/config.yaml
+++ b/terraform/subscriptions/s940/extmon/config.yaml
@@ -9,6 +9,7 @@ backend:
 subscription_id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
 tenant_id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
 ip_key_vault_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-platform/providers/Microsoft.KeyVault/vaults/radix-keyv-platform"
+ terraform_storage_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/s940-tfstate/providers/Microsoft.Storage/storageAccounts/s940radixinfra"
 clusters:
 ext-mon-11:
 aksversion: "1.29.2"
diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf
index a3d3875d6..7eda6d2e5 100644
--- a/terraform/subscriptions/s940/prod/common/main.tf
+++ b/terraform/subscriptions/s940/prod/common/main.tf
@@ -23,6 +23,22 @@ module "loganalytics" {
 #TODO: No setting for 100 GB/day Commitment Tier. Done manually
 }
+data "azurerm_resource_group" "logs" {
+ name = "Logs"
+}
+
+data "azurerm_resource_group" "clusters" {
+ name = "clusters"
+}
+
+data "azurerm_resource_group" "networkwatcher" {
+ name = "NetworkWatcherRG"
+}
+
+data "azurerm_key_vault" "this" {
+ name = "radix-keyv-${module.config.environment}"
+ resource_group_name = "common-${module.config.environment}"
+}
 data "azurerm_virtual_network" "this" {
 name = "vnet-hub"
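Review bot: `blob_contributor` grants `Contributor` on the Terraform state storage account to open its firewall, but Contributor on a storage account also carries `Microsoft.Storage/storageAccounts/listKeys/action`, so this CI identity can fetch the account keys and read or rewrite state with shared-key auth independently of the `Storage Blob Data Contributor` data-plane assignment beside it. Updating network rules needs only `Microsoft.Storage/storageAccounts/write` on the account; a custom role with that action, in the style of the existing `Radix Privatelink rbac-…` role, keeps the firewall step working without exposing the keys, and the same least-privilege question applies to the five resource-group-wide `Contributor` entries, four of which have no justification comment. Since this block is a copy of the `radix_id_gitrunner` module in the other environments, any tightening should land in all of them together. If nothing else needs shared-key access to the state account, disabling it there would remove the exposure regardless of the role, but that cannot be seen from this diff.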
@@ -154,6 +170,26 @@ module "radix_id_gitrunner" {
 role = "Storage Blob Data Contributor" # Needed to read blobdata
 scope_id = "${module.config.backend.terraform_storage_id}"
 }
+ common_contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = "${module.resourcegroups.data.id}"
+ }
+ logs_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.logs.id}"
+ }
+ clusters_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.clusters.id}"
+ }
+ networkwatcher_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.networkwatcher.id}"
+ }
+ keyvault_contributor = {
+ role = "Key Vault Secrets User" # Needed to read secrets
+ scope_id = "${data.azurerm_key_vault.this.id}"
+ }
 vnet_contributor = {
 role = "Contributor"
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
@@ -165,6 +201,11 @@ module "radix_id_gitrunner" {
 issuer = "https://token.actions.githubusercontent.com"
 subject = "repo:equinor/radix:environment:${module.config.environment}"
 },
+ github_radix-platform = {
+ name = "radix-platform-env-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-platform:environment:${module.config.environment}"
+ }
 }
 }
diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf
index 8d54cc52d..a252f780c 100644
--- a/terraform/subscriptions/s941/dev/common/main.tf
+++ b/terraform/subscriptions/s941/dev/common/main.tf
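Review bot: `clusters_contributor` gives the CI identity `Contributor` on the production `clusters` resource group with no comment on what it is for. If that group holds the AKS clusters, as the name suggests, Contributor includes `Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action`, so a compromised `equinor/radix-platform` workflow token could pull cluster-admin kubeconfigs for prod. If the runner only needs to read cluster state, `Reader` suffices; if it creates or updates clusters, say so and consider whether a narrower AKS role covers it. Either way, give the entry the justification its neighbours have: `role = "Contributor" # Needed to <operation> on the AKS clusters`. The `roleassignments` map starts outside the hunk.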
@@ -17,6 +17,23 @@ module "loganalytics" {
 local_authentication_disabled = false
 }
+data "azurerm_resource_group" "logs" {
+ name = "Logs-${module.config.environment}"
+}
+
+data "azurerm_resource_group" "clusters" {
+ name = "clusters-${module.config.environment}"
+}
+
+data "azurerm_resource_group" "networkwatcher" {
+ name = "NetworkWatcherRG"
+}
+
+data "azurerm_key_vault" "this" {
+ name = "radix-keyv-${module.config.environment}"
+ resource_group_name = "common-${module.config.environment}"
+}
+
 data "azurerm_virtual_network" "this" {
 name = "vnet-hub"
 resource_group_name = module.config.vnet_resource_group
@@ -149,6 +166,26 @@ module "radix_id_gitrunner" {
 role = "Storage Blob Data Contributor" # Needed to read blobdata
 scope_id = "${module.config.backend.terraform_storage_id}"
 }
+ common_contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = "${module.resourcegroups.data.id}"
+ }
+ logs_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.logs.id}"
+ }
+ clusters_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.clusters.id}"
+ }
+ networkwatcher_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.networkwatcher.id}"
+ }
+ keyvault_contributor = {
+ role = "Key Vault Secrets User" # Needed to read secrets
+ scope_id = "${data.azurerm_key_vault.this.id}"
+ }
 vnet_contributor = {
 role = "Contributor"
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
@@ -160,6 +197,11 @@ module "radix_id_gitrunner" {
 issuer = "https://token.actions.githubusercontent.com"
 subject = "repo:equinor/radix:environment:${module.config.environment}"
 },
+ github_radix-platform = {
+ name = "radix-platform-env-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-platform:environment:${module.config.environment}"
+ }
 }
 }
diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf
index b9e389297..d85b6ed1a 100644
--- a/terraform/subscriptions/s941/playground/common/main.tf
+++ b/terraform/subscriptions/s941/playground/common/main.tf
@@ -17,6 +17,23 @@ module "loganalytics" {
 local_authentication_disabled = false
 }
+data "azurerm_resource_group" "logs" {
+ name = "Logs-Dev"
+}
+
+data "azurerm_resource_group" "clusters" {
+ name = "clusters-${module.config.environment}"
+}
+
+data "azurerm_resource_group" "networkwatcher" {
+ name = "NetworkWatcherRG"
+}
+
+data "azurerm_key_vault" "this" {
+ name = "radix-keyv-${module.config.environment}"
+ resource_group_name = "common-${module.config.environment}"
+}
+
 data "azurerm_virtual_network" "this" {
 name = "vnet-hub"
 resource_group_name = module.config.vnet_resource_group
@@ -149,6 +166,26 @@ module "radix_id_gitrunner" {
 role = "Storage Blob Data Contributor" # Needed to read blobdata
 scope_id = "${module.config.backend.terraform_storage_id}"
 }
+ common_contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = "${module.resourcegroups.data.id}"
+ }
+ logs_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.logs.id}"
+ }
+ clusters_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.clusters.id}"
+ }
+ networkwatcher_contributor = {
+ role = "Contributor"
+ scope_id = "${data.azurerm_resource_group.networkwatcher.id}"
+ }
+ keyvault_contributor = {
+ role = "Key Vault Secrets User" # Needed to read secrets
+ scope_id = "${data.azurerm_key_vault.this.id}"
+ }
 vnet_contributor = {
 role = "Contributor"
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
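Review bot: `data "azurerm_resource_group" "logs"` is hard-coded to `Logs-Dev` while the dev environment derives the name from `module.config.environment`; the same data source feeds `logs_contributor` later in this file (outside this hunk), so the playground gitrunner identity ends up with `Contributor` on the dev environment's log resource group, a cross-environment grant that looks like a copy-paste slip. If playground genuinely shares dev's Logs group, say so on the line so it is not "fixed" later: `name = "Logs-Dev" # playground has no Logs RG of its own; shares dev's`, and check that Contributor rather than a read-only or Log Analytics-specific role is really required there. Otherwise point it at the playground group the way the other environments do.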
@@ -160,6 +197,11 @@ module "radix_id_gitrunner" {
 issuer = "https://token.actions.githubusercontent.com"
 subject = "repo:equinor/radix:environment:${module.config.environment}"
 },
+ github_radix-platform = {
+ name = "radix-platform-env-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-platform:environment:${module.config.environment}"
+ }
 }
 }
diff --git a/terraform/subscriptions/s941/playground/config.yaml b/terraform/subscriptions/s941/playground/config.yaml
index b01599cf2..eccaac553 100644
--- a/terraform/subscriptions/s941/playground/config.yaml
+++ b/terraform/subscriptions/s941/playground/config.yaml
@@ -16,3 +16,7 @@ clusters:
 networkset: "clusterset1"
 network_policy: "cilium"
 dns_prefix: "playground-clusters-playgro-16ede4"
+ playground-30:
+ aksversion: "1.29.2"
+ networkset: "clusterset2"
+ network_policy: "cilium"
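Review bot: The new `playground-30` entry has no `dns_prefix`, while the existing cluster entry above records one (`dns_prefix: "playground-clusters-playgro-16ede4"`). If the consuming module computes a default when the key is absent this is fine, but if it is required the plan will fail, and if the value is meant to be captured after creation, as the sibling's generated-looking suffix suggests, the omission should be deliberate and visible. A one-line comment settles it: `# dns_prefix: filled in once the cluster exists`, or add the key now if it is known.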