feature: Latest changes from likvid-cloudfoundation prod branch

meshcloud · Oct 28, 2024 · 2a342e9 · 2a342e9
1 parent 54a01b2
commit 2a342e9
Show file tree

Hide file tree

Showing 105 changed files with 1,489 additions and 433 deletions.
diff --git a/kit/azure/aviatrix/README.md b/kit/azure/aviatrix/README.md
@@ -17,8 +17,9 @@ Aviatrix
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 2.46.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.81.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 3.0.2 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.116.0 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | 0.11.1 |
 
 ## Modules
 
@@ -28,23 +29,21 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [azuread_app_role_assignment.aviatrix_deploy-approle](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
-| [azuread_app_role_assignment.aviatrix_deploy-directory](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
-| [azuread_application.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
-| [azuread_application_password.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password) | resource |
-| [azuread_service_principal.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
-| [azurerm_role_assignment.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_definition.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
-| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource |
-| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids) | data source |
-| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
+| [azuread_app_role_assignment.aviatrix_deploy-approle](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/app_role_assignment) | resource |
+| [azuread_app_role_assignment.aviatrix_deploy-directory](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/app_role_assignment) | resource |
+| [azuread_application.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/application) | resource |
+| [azuread_application_password.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/application_password) | resource |
+| [azuread_service_principal.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/service_principal) | resource |
+| [azurerm_role_assignment.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
+| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/0.11.1/docs/resources/rotating) | resource |
+| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/application_published_app_ids) | data source |
+| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/service_principal) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_allowed_user_group_id"></a> [allowed\_user\_group\_id](#input\_allowed\_user\_group\_id) | id of the authorized id which can do changes | `list(string)` | n/a | yes |
-| <a name="input_location"></a> [location](#input\_location) | The Azure location used for creating policy assignments establishing this landing zone's guardrails. | `string` | n/a | yes |
 | <a name="input_parent_management_group"></a> [parent\_management\_group](#input\_parent\_management\_group) | id of the tenant management group | `string` | n/a | yes |
 | <a name="input_service_principal_name"></a> [service\_principal\_name](#input\_service\_principal\_name) | id of the tenant management group | `string` | `"avaitrix_deploy_spn"` | no |
 

diff --git a/kit/azure/aviatrix/aviatrix.spn.tf b/kit/azure/aviatrix/aviatrix.spn.tf
@@ -91,7 +91,7 @@ resource "azuread_service_principal" "aviatrix_deploy" {
 resource "azurerm_role_assignment" "aviatrix_deploy" {
   scope              = var.parent_management_group
   role_definition_id = azurerm_role_definition.aviatrix_deploy.role_definition_resource_id
-  principal_id       = azuread_service_principal.aviatrix_deploy.id
+  principal_id       = azuread_service_principal.aviatrix_deploy.object_id
 }
 
 resource "azuread_app_role_assignment" "aviatrix_deploy-directory" {

diff --git a/kit/azure/aviatrix/outputs.tf b/kit/azure/aviatrix/outputs.tf
@@ -8,7 +8,7 @@ output "client_secret" {
 }
 
 output "client_principal_id" {
-  value = azuread_service_principal.aviatrix_deploy.id
+  value = azuread_service_principal.aviatrix_deploy.object_id
 }
 
 output "aviatrix_service_principal" {

diff --git a/kit/azure/aviatrix/variables.tf b/kit/azure/aviatrix/variables.tf
@@ -10,14 +10,3 @@ variable "service_principal_name" {
   default     = "avaitrix_deploy_spn"
   description = "id of the tenant management group"
 }
-
-variable "allowed_user_group_id" {
-  type        = list(string)
-  nullable    = false
-  description = "id of the authorized id which can do changes"
-}
-
-variable "location" {
-  type        = string
-  description = "The Azure location used for creating policy assignments establishing this landing zone's guardrails."
-}
diff --git a/kit/azure/aviatrix/versions.tf b/kit/azure/aviatrix/versions.tf
@@ -4,12 +4,17 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 3.81.0"
+      version = "3.116.0"
     }
 
     azuread = {
       source  = "hashicorp/azuread"
-      version = "~> 2.46.0"
+      version = "3.0.2"
+    }
+
+    time = {
+      source  = "hashicorp/time"
+      version = "0.11.1"
     }
   }
 }
diff --git a/kit/azure/billing/README.md b/kit/azure/billing/README.md
@@ -22,8 +22,8 @@ Microsoft Cost Management is a suite of tools that help organizations monitor, a
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 2.41.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.71.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 3.0.2 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.116.0 |
 
 ## Modules
 
@@ -33,15 +33,13 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [azuread_group.billing_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
-| [azuread_group.billing_readers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
-| [azurerm_consumption_budget_management_group.tenant_root_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/consumption_budget_management_group) | resource |
-| [azurerm_role_assignment.cost_management_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.cost_management_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.management_group_biling_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.management_group_billing_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azuread_group.billing_admins](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/group) | resource |
+| [azuread_group.billing_readers](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/group) | resource |
+| [azurerm_consumption_budget_management_group.tenant_root_group](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/consumption_budget_management_group) | resource |
+| [azurerm_role_assignment.cost_management_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cost_management_reader](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.management_group_biling_admin](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.management_group_billing_reader](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
 
 ## Inputs
 

diff --git a/kit/azure/billing/documentation.tf b/kit/azure/billing/documentation.tf
@@ -20,8 +20,8 @@ The following AAD groups control access and are used to implement [Privileged Ac
 
 |group|description|object_id|
 |-|-|-|
-| ${azuread_group.billing_admins.display_name} | ${azuread_group.billing_admins.description} | ${azuread_group.billing_admins.id} |
-| ${azuread_group.billing_readers.display_name} | ${azuread_group.billing_readers.description} | ${azuread_group.billing_readers.id} |
+| ${azuread_group.billing_admins.display_name} | ${azuread_group.billing_admins.description} | ${azuread_group.billing_admins.object_id} |
+| ${azuread_group.billing_readers.display_name} | ${azuread_group.billing_readers.description} | ${azuread_group.billing_readers.object_id} |
 
 ## How can I review Cost Management data for my subscription
 

diff --git a/kit/azure/billing/outputs.tf b/kit/azure/billing/outputs.tf
@@ -1,7 +1,7 @@
 output "billing_admins_azuread_group_id" {
-  value = azuread_group.billing_admins.id
+  value = azuread_group.billing_admins.object_id
 }
 
 output "billing_readers_azuread_group_id" {
-  value = azuread_group.billing_readers.id
+  value = azuread_group.billing_readers.object_id
 }
diff --git a/kit/azure/billing/resources.group.tf b/kit/azure/billing/resources.group.tf
@@ -1,7 +1,3 @@
-data "azuread_client_config" "current" {}
-
-data "azurerm_subscription" "current" {}
-
 resource "azuread_group" "billing_admins" {
   display_name     = var.billing_admin_group
   description      = "Privileged Cloud Foundation group. Members can manage billing profiles, reserved instances and have full access to all Azure Cost Management data."

diff --git a/kit/azure/billing/versions.tf b/kit/azure/billing/versions.tf
@@ -4,12 +4,12 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 3.71.0"
+      version = "3.116.0"
     }
 
     azuread = {
       source  = "hashicorp/azuread"
-      version = "~> 2.41.0"
+      version = "3.0.2"
     }
   }
 }

diff --git a/kit/azure/bootstrap/README.md b/kit/azure/bootstrap/README.md
@@ -77,7 +77,7 @@ collie foundation deploy --bootstrap -- destroy
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 2.53.1 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 3.0.2 |
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.116.0 |
 
 ## Modules
@@ -90,9 +90,9 @@ collie foundation deploy --bootstrap -- destroy
 
 | Name | Type |
 |------|------|
-| [azuread_directory_role.readers](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/directory_role) | resource |
-| [azuread_directory_role_assignment.validation_reader](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/directory_role_assignment) | resource |
-| [azuread_group.platform_engineers](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/group) | resource |
+| [azuread_directory_role.readers](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/directory_role) | resource |
+| [azuread_directory_role_assignment.validation_reader](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/directory_role_assignment) | resource |
+| [azuread_group.platform_engineers](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/group) | resource |
 | [azurerm_federated_identity_credential.docs](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/federated_identity_credential) | resource |
 | [azurerm_federated_identity_credential.validation](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/federated_identity_credential) | resource |
 | [azurerm_key_vault.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/key_vault) | resource |
@@ -108,8 +108,8 @@ collie foundation deploy --bootstrap -- destroy
 | [azurerm_role_definition.validation_reader](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
 | [azurerm_user_assigned_identity.docs](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/user_assigned_identity) | resource |
 | [azurerm_user_assigned_identity.validation](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/user_assigned_identity) | resource |
-| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/client_config) | data source |
-| [azuread_users.platform_engineers_members](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/users) | data source |
+| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/client_config) | data source |
+| [azuread_users.platform_engineers_members](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/users) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/client_config) | data source |
 | [azurerm_management_group.parent](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/management_group) | data source |
 | [azurerm_role_definition.keyvault](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/role_definition) | data source |
@@ -122,7 +122,7 @@ collie foundation deploy --bootstrap -- destroy
 | <a name="input_documentation_uami"></a> [documentation\_uami](#input\_documentation\_uami) | read-only UAMI with access to terraform states to generate documentation in CI pipelines | <pre>object({<br>    name = string<br>    # note: it seems wildcards are not supported yet, see https://github.com/Azure/azure-workload-identity/issues/373<br>    oidc_subject = string<br>  })</pre> | `null` | no |
 | <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | This object contains configuration details for setting up a key vault. | <pre>object({<br>    name                = string,<br>    resource_group_name = string<br>  })</pre> | <pre>{<br>  "name": "cloudfoundation-kv",<br>  "resource_group_name": "cloudfoundation-rg"<br>}</pre> | no |
 | <a name="input_parent_management_group_name"></a> [parent\_management\_group\_name](#input\_parent\_management\_group\_name) | Name of the management group you want to use as parent for your foundation. | `string` | n/a | yes |
-| <a name="input_platform_engineers_group"></a> [platform\_engineers\_group](#input\_platform\_engineers\_group) | the name of the cloud foundation platform engineers group | `string` | n/a | yes |
+| <a name="input_platform_engineers_group"></a> [platform\_engineers\_group](#input\_platform\_engineers\_group) | the name of the cloud foundation platform engineers group | `string` | `"cloudfoundation-platform-engineers"` | no |
 | <a name="input_platform_engineers_members"></a> [platform\_engineers\_members](#input\_platform\_engineers\_members) | Set up a group of platform engineers. If enabled, this group will receive access to terraform\_state\_storage | <pre>list(object({<br>    email = string,<br>    upn   = string,<br>  }))</pre> | n/a | yes |
 | <a name="input_terraform_state_storage"></a> [terraform\_state\_storage](#input\_terraform\_state\_storage) | Configure this object to enable setting up a terraform state store in Azure Storage. | <pre>object({<br>    location            = string,<br>    name                = string,<br>    config_file_path    = string,<br>    resource_group_name = optional(string)<br>  })</pre> | n/a | yes |
 | <a name="input_validation_uami"></a> [validation\_uami](#input\_validation\_uami) | read-only UAMI with access to terraform states and read-only access on the landingzone architecture for validation of the deployment in CI pipelines | <pre>object({<br>    name = string<br>    # note: it seems wildcards are not supported yet, see https://github.com/Azure/azure-workload-identity/issues/373<br>    oidc_subject = string<br>  })</pre> | `null` | no |

diff --git a/kit/azure/bootstrap/documentation.tf b/kit/azure/bootstrap/documentation.tf
@@ -1,43 +1,37 @@
 output "documentation_md" {
   value = <<EOF
 
-# 🌐 Cloud Foundation Deployment
+# Cloud Foundation Deployment
 
 %{if var.terraform_state_storage != null}
-## 🔒 Terraform State Management
+## Terraform State Management
 
-Terraform state for the cloud foundation repository is stored in an Azure Blob Storage Container. 🗄️
-This container is located in the subscription `${data.azurerm_subscription.current.display_name}`. 🎫
-Resource Group: `${module.terraform_state.resource_group_name}` 📁
-
-Access to terraform state is restricted to members of the `${azuread_group.platform_engineers.display_name}` group. 👥
+Terraform state for the cloud foundation repository is stored in an Azure Blob Storage Container.
+This container is located in the subscription `${data.azurerm_subscription.current.display_name}`.
 
+Access to terraform state is restricted to members of the `${azuread_group.platform_engineers.display_name}` group.
 %{endif}
 
 %{if var.documentation_uami != null || var.validation_uami != null}
-## 🤖 Automation
+## Automation
 
 %{if var.documentation_uami != null}
 The UAMI `${azurerm_user_assigned_identity.docs[0].name}` has been set up for the automated creation of
-landing zone documentation via a GitHub actions pipeline. This UAMI has read-only access to terraform state. 📚
+landing zone documentation via a GitHub actions pipeline. This UAMI has read-only access to terraform state.
 %{endif}
 
 %{if var.validation_uami != null}
 The UAMI `${azurerm_user_assigned_identity.validation[0].name}` has been set up for the automated validation a GitHub actions pipeline.
-This UAMI has read-only access to terraform state and read only access to the entire landing zone architecture. 🏗️
+This UAMI has read-only access to terraform state and read only access to the entire landing zone architecture.
 %{endif}
 %{endif}
 
-## 👨‍💻 Platform Engineer Access Management
+## Platform Engineer Access Management
 
 The `${azuread_group.platform_engineers.display_name}` group is used to grant privileged access to members of the
 cloud foundation team. The group has the following members:
 
 ${join("\n", formatlist("- %s", var.platform_engineers_members[*].email))}
 
-|permissions|
-|-|
-${join("\n", formatlist("| %s |", azurerm_role_definition.cloudfoundation_deploy.permissions[0].actions))}
-
 EOF
 }
diff --git a/kit/azure/bootstrap/main.tf b/kit/azure/bootstrap/main.tf
@@ -77,5 +77,5 @@ resource "azurerm_role_definition" "cloudfoundation_deploy" {
 resource "azurerm_role_assignment" "cloudfoundation_deploy" {
   scope              = data.azurerm_management_group.parent.id
   role_definition_id = azurerm_role_definition.cloudfoundation_deploy.role_definition_resource_id
-  principal_id       = azuread_group.platform_engineers.id
+  principal_id       = azuread_group.platform_engineers.object_id
 }