feature: Latest changes from likvid-cloudfoundation prod branch

meshcloud · Oct 4, 2024 · a40e846 · a40e846
1 parent 54a01b2
commit a40e846
Show file tree

Hide file tree

Showing 83 changed files with 1,207 additions and 403 deletions.
diff --git a/kit/azure/aviatrix/README.md b/kit/azure/aviatrix/README.md
@@ -17,8 +17,9 @@ Aviatrix
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 2.46.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.81.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 2.53.1 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.116.0 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | 0.11.1 |
 
 ## Modules
 
@@ -28,23 +29,21 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [azuread_app_role_assignment.aviatrix_deploy-approle](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
-| [azuread_app_role_assignment.aviatrix_deploy-directory](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
-| [azuread_application.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
-| [azuread_application_password.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password) | resource |
-| [azuread_service_principal.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
-| [azurerm_role_assignment.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_definition.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
-| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource |
-| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids) | data source |
-| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
+| [azuread_app_role_assignment.aviatrix_deploy-approle](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/app_role_assignment) | resource |
+| [azuread_app_role_assignment.aviatrix_deploy-directory](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/app_role_assignment) | resource |
+| [azuread_application.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/application) | resource |
+| [azuread_application_password.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/application_password) | resource |
+| [azuread_service_principal.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/service_principal) | resource |
+| [azurerm_role_assignment.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
+| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/0.11.1/docs/resources/rotating) | resource |
+| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/application_published_app_ids) | data source |
+| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/service_principal) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_allowed_user_group_id"></a> [allowed\_user\_group\_id](#input\_allowed\_user\_group\_id) | id of the authorized id which can do changes | `list(string)` | n/a | yes |
-| <a name="input_location"></a> [location](#input\_location) | The Azure location used for creating policy assignments establishing this landing zone's guardrails. | `string` | n/a | yes |
 | <a name="input_parent_management_group"></a> [parent\_management\_group](#input\_parent\_management\_group) | id of the tenant management group | `string` | n/a | yes |
 | <a name="input_service_principal_name"></a> [service\_principal\_name](#input\_service\_principal\_name) | id of the tenant management group | `string` | `"avaitrix_deploy_spn"` | no |
 

diff --git a/kit/azure/aviatrix/variables.tf b/kit/azure/aviatrix/variables.tf
@@ -10,14 +10,3 @@ variable "service_principal_name" {
   default     = "avaitrix_deploy_spn"
   description = "id of the tenant management group"
 }
-
-variable "allowed_user_group_id" {
-  type        = list(string)
-  nullable    = false
-  description = "id of the authorized id which can do changes"
-}
-
-variable "location" {
-  type        = string
-  description = "The Azure location used for creating policy assignments establishing this landing zone's guardrails."
-}
diff --git a/kit/azure/aviatrix/versions.tf b/kit/azure/aviatrix/versions.tf
@@ -4,12 +4,17 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 3.81.0"
+      version = "3.116.0"
     }
 
     azuread = {
       source  = "hashicorp/azuread"
-      version = "~> 2.46.0"
+      version = "2.53.1"
+    }
+
+    time = {
+      source  = "hashicorp/time"
+      version = "0.11.1"
     }
   }
 }
diff --git a/kit/azure/billing/README.md b/kit/azure/billing/README.md
@@ -22,8 +22,8 @@ Microsoft Cost Management is a suite of tools that help organizations monitor, a
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 2.41.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.71.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 2.53.1 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.116.0 |
 
 ## Modules
 
@@ -33,15 +33,13 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [azuread_group.billing_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
-| [azuread_group.billing_readers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
-| [azurerm_consumption_budget_management_group.tenant_root_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/consumption_budget_management_group) | resource |
-| [azurerm_role_assignment.cost_management_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.cost_management_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.management_group_biling_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.management_group_billing_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azuread_group.billing_admins](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/group) | resource |
+| [azuread_group.billing_readers](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/group) | resource |
+| [azurerm_consumption_budget_management_group.tenant_root_group](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/consumption_budget_management_group) | resource |
+| [azurerm_role_assignment.cost_management_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cost_management_reader](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.management_group_biling_admin](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.management_group_billing_reader](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
 
 ## Inputs
 

diff --git a/kit/azure/billing/resources.group.tf b/kit/azure/billing/resources.group.tf
@@ -1,7 +1,3 @@
-data "azuread_client_config" "current" {}
-
-data "azurerm_subscription" "current" {}
-
 resource "azuread_group" "billing_admins" {
   display_name     = var.billing_admin_group
   description      = "Privileged Cloud Foundation group. Members can manage billing profiles, reserved instances and have full access to all Azure Cost Management data."

diff --git a/kit/azure/billing/versions.tf b/kit/azure/billing/versions.tf
@@ -4,12 +4,12 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 3.71.0"
+      version = "3.116.0"
     }
 
     azuread = {
       source  = "hashicorp/azuread"
-      version = "~> 2.41.0"
+      version = "2.53.1"
     }
   }
 }

diff --git a/kit/azure/bootstrap/README.md b/kit/azure/bootstrap/README.md
@@ -122,7 +122,7 @@ collie foundation deploy --bootstrap -- destroy
 | <a name="input_documentation_uami"></a> [documentation\_uami](#input\_documentation\_uami) | read-only UAMI with access to terraform states to generate documentation in CI pipelines | <pre>object({<br>    name = string<br>    # note: it seems wildcards are not supported yet, see https://github.com/Azure/azure-workload-identity/issues/373<br>    oidc_subject = string<br>  })</pre> | `null` | no |
 | <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | This object contains configuration details for setting up a key vault. | <pre>object({<br>    name                = string,<br>    resource_group_name = string<br>  })</pre> | <pre>{<br>  "name": "cloudfoundation-kv",<br>  "resource_group_name": "cloudfoundation-rg"<br>}</pre> | no |
 | <a name="input_parent_management_group_name"></a> [parent\_management\_group\_name](#input\_parent\_management\_group\_name) | Name of the management group you want to use as parent for your foundation. | `string` | n/a | yes |
-| <a name="input_platform_engineers_group"></a> [platform\_engineers\_group](#input\_platform\_engineers\_group) | the name of the cloud foundation platform engineers group | `string` | n/a | yes |
+| <a name="input_platform_engineers_group"></a> [platform\_engineers\_group](#input\_platform\_engineers\_group) | the name of the cloud foundation platform engineers group | `string` | `"cloudfoundation-platform-engineers"` | no |
 | <a name="input_platform_engineers_members"></a> [platform\_engineers\_members](#input\_platform\_engineers\_members) | Set up a group of platform engineers. If enabled, this group will receive access to terraform\_state\_storage | <pre>list(object({<br>    email = string,<br>    upn   = string,<br>  }))</pre> | n/a | yes |
 | <a name="input_terraform_state_storage"></a> [terraform\_state\_storage](#input\_terraform\_state\_storage) | Configure this object to enable setting up a terraform state store in Azure Storage. | <pre>object({<br>    location            = string,<br>    name                = string,<br>    config_file_path    = string,<br>    resource_group_name = optional(string)<br>  })</pre> | n/a | yes |
 | <a name="input_validation_uami"></a> [validation\_uami](#input\_validation\_uami) | read-only UAMI with access to terraform states and read-only access on the landingzone architecture for validation of the deployment in CI pipelines | <pre>object({<br>    name = string<br>    # note: it seems wildcards are not supported yet, see https://github.com/Azure/azure-workload-identity/issues/373<br>    oidc_subject = string<br>  })</pre> | `null` | no |

diff --git a/kit/azure/bootstrap/documentation.tf b/kit/azure/bootstrap/documentation.tf
@@ -1,43 +1,37 @@
 output "documentation_md" {
   value = <<EOF
 
-# 🌐 Cloud Foundation Deployment
+# Cloud Foundation Deployment
 
 %{if var.terraform_state_storage != null}
-## 🔒 Terraform State Management
+## Terraform State Management
 
-Terraform state for the cloud foundation repository is stored in an Azure Blob Storage Container. 🗄️
-This container is located in the subscription `${data.azurerm_subscription.current.display_name}`. 🎫
-Resource Group: `${module.terraform_state.resource_group_name}` 📁
-
-Access to terraform state is restricted to members of the `${azuread_group.platform_engineers.display_name}` group. 👥
+Terraform state for the cloud foundation repository is stored in an Azure Blob Storage Container.
+This container is located in the subscription `${data.azurerm_subscription.current.display_name}`.
 
+Access to terraform state is restricted to members of the `${azuread_group.platform_engineers.display_name}` group.
 %{endif}
 
 %{if var.documentation_uami != null || var.validation_uami != null}
-## 🤖 Automation
+## Automation
 
 %{if var.documentation_uami != null}
 The UAMI `${azurerm_user_assigned_identity.docs[0].name}` has been set up for the automated creation of
-landing zone documentation via a GitHub actions pipeline. This UAMI has read-only access to terraform state. 📚
+landing zone documentation via a GitHub actions pipeline. This UAMI has read-only access to terraform state.
 %{endif}
 
 %{if var.validation_uami != null}
 The UAMI `${azurerm_user_assigned_identity.validation[0].name}` has been set up for the automated validation a GitHub actions pipeline.
-This UAMI has read-only access to terraform state and read only access to the entire landing zone architecture. 🏗️
+This UAMI has read-only access to terraform state and read only access to the entire landing zone architecture.
 %{endif}
 %{endif}
 
-## 👨‍💻 Platform Engineer Access Management
+## Platform Engineer Access Management
 
 The `${azuread_group.platform_engineers.display_name}` group is used to grant privileged access to members of the
 cloud foundation team. The group has the following members:
 
 ${join("\n", formatlist("- %s", var.platform_engineers_members[*].email))}
 
-|permissions|
-|-|
-${join("\n", formatlist("| %s |", azurerm_role_definition.cloudfoundation_deploy.permissions[0].actions))}
-
 EOF
 }
diff --git a/kit/azure/bootstrap/template/platform-module/terragrunt.hcl b/kit/azure/bootstrap/template/platform-module/terragrunt.hcl
@@ -36,27 +36,25 @@ provider "azuread" {
 EOF
 }
 
-locals {
-  location = "germanywestcentral" #TODO change, the azure location of the resource group and storage account
-}
-
 inputs = {
-  parent_management_group_name = "cloudfoundation-management-group" #TODO the cloudfoundation is created in a separate management group so as not to jeopardize the existing infrastructure
+  aad_tenant_id = include.platform.locals.platform.azure.aadTenantId
 
   terraform_state_storage = {
     name             = "${include.platform.locals.cloudfoundation.name}"
-    location         = local.location
+    location         = "germanywestcentral"                                     #TODO change, the azure location of the resource group and storage account
     config_file_path = include.platform.locals.terraform_state_config_file_path # platform.hcl expects state configuration output in this location, do not change
   }
-  platform_engineers_group = "cloudfoundation-platform-engineers"
+
   platform_engineers_members = [
     {
       email = "[email protected]"              #TODO change, enter PLATFORM ENGINEERS MAIL here
       upn   = "[email protected]" #TODO change, enter PLATFORM ENGINEERS UPN here
     }
   ]
   key_vault = {
-    name                = "cloudfoundation-kv"
-    resource_group_name = "cloudfoundation-keyvault"
+    name                = "likvid-cloudfoundation-kv"
+    resource_group_name = "likvid-cloudfoundation-keyvault"
   }
+
+
 }
diff --git a/kit/azure/bootstrap/variables.tf b/kit/azure/bootstrap/variables.tf
@@ -38,6 +38,7 @@ variable "platform_engineers_members" {
 
 variable "platform_engineers_group" {
   type        = string
+  default     = "cloudfoundation-platform-engineers"
   description = "the name of the cloud foundation platform engineers group"
 }