From 0bf1eded5ad021447a3c420d7d673ddc5e7e07c4 Mon Sep 17 00:00:00 2001 From: James Woolfenden Date: Wed, 12 Oct 2022 12:07:26 +0100 Subject: [PATCH] cosmosdb --- src/azure.go | 7 ++- src/azure_datasource.go | 3 +- src/files_azure.go | 9 ++++ src/files_azure_datasource.go | 4 +- .../azurerm_resource_group.json | 13 ++++++ .../documentdb/azurerm_cosmosdb_account.json | 21 +++++++++ .../documentdb/azurerm_cosmosdb_table.json | 20 +++++++++ .../resource/keyvault/azurerm_key_vault.json | 18 ++++++++ .../azure/backup/azurerm_cosmosdb_account.tf | 43 +++++++++++++++++++ .../azure/backup/azurerm_cosmosdb_table.tf | 35 +++++++++++++++ terraform/azure/backup/azurerm_key_vault.tf | 35 +++++++++++++++ .../backup/data.azurerm_client_config.tf | 6 +++ .../backup/data.azurerm_resource_group.tf | 8 ++++ .../azure/role/azurerm_role_definition.tf | 21 +++++++-- 14 files changed, 234 insertions(+), 9 deletions(-) create mode 100644 src/mapping/azure/data/resourcegroups/azurerm_resource_group.json create mode 100644 src/mapping/azure/resource/documentdb/azurerm_cosmosdb_account.json create mode 100644 src/mapping/azure/resource/documentdb/azurerm_cosmosdb_table.json create mode 100644 src/mapping/azure/resource/keyvault/azurerm_key_vault.json create mode 100644 terraform/azure/backup/azurerm_cosmosdb_account.tf create mode 100644 terraform/azure/backup/azurerm_cosmosdb_table.tf create mode 100644 terraform/azure/backup/azurerm_key_vault.tf create mode 100644 terraform/azure/backup/data.azurerm_client_config.tf create mode 100644 terraform/azure/backup/data.azurerm_resource_group.tf diff --git a/src/azure.go b/src/azure.go index baac8e81..b8bfe5c0 100644 --- a/src/azure.go +++ b/src/azure.go 
@@ -26,8 +26,11 @@ func GetAZUREPermissions(result ResourceV2) ([]string, error) { // GetAZUREResourcePermissions looks up permissions required for resources func GetAZUREResourcePermissions(result ResourceV2) ([]string, error) { TFLookup := map[string]interface{}{ - "azurerm_resource_group": azurermResourceGroup, - "azurerm_service_plan": azurermServicePlan, + "azurerm_resource_group": azurermResourceGroup, + "azurerm_service_plan": azurermServicePlan, + "azurerm_key_vault": azurermKeyVault, + "azurerm_cosmosdb_account": azureCosmosdbAccount, + "azurerm_cosmosdb_table": azureCosmosdbTable, } var Permissions []string diff --git a/src/azure_datasource.go b/src/azure_datasource.go index 87149d8c..4287608d 100644 --- a/src/azure_datasource.go +++ b/src/azure_datasource.go @@ -6,7 +6,8 @@ import "log" func GetAZUREDataPermissions(result ResourceV2) ([]string, error) { TFLookup := map[string]interface{}{ - // "google_compute_image": placeholder, + "azurerm_resource_group": dataAzurermResourceGroup, + "azurerm_client_config": placeholder, } var Permissions []string diff --git a/src/files_azure.go b/src/files_azure.go index 120a7e27..0829246f 100644 --- a/src/files_azure.go +++ b/src/files_azure.go @@ -9,3 +9,12 @@ var azurermResourceGroup []byte //go:embed mapping/azure/resource/serverfarms/azurerm_service_plan.json var azurermServicePlan []byte + +//go:embed mapping/azure/resource/keyvault/azurerm_key_vault.json +var azurermKeyVault []byte + +//go:embed mapping/azure/resource/documentdb/azurerm_cosmosdb_account.json +var azureCosmosdbAccount []byte + +//go:embed mapping/azure/resource/documentdb/azurerm_cosmosdb_table.json +var azureCosmosdbTable []byte diff --git a/src/files_azure_datasource.go b/src/files_azure_datasource.go index c850a2bc..dfa84f85 100644 --- a/src/files_azure_datasource.go +++ b/src/files_azure_datasource.go 
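Review bot: `"azurerm_client_config": placeholder` in the GetAZUREDataPermissions lookup maps the data source to whatever `placeholder` holds — presumably an empty mapping, going by the GCP line it replaces — so a reader cannot tell whether this is deliberate or a stub still to be filled in. As far as I know that data source is answered from the caller's own token and needs no ARM action, which is worth stating on the line: `"azurerm_client_config": placeholder, // resolved from the caller's token; no ARM action required`. The body of GetAZUREDataPermissions continues outside the hunk.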
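Review bot: The three new embed variables in files_azure.go mix prefixes — `azurermKeyVault` next to `azureCosmosdbAccount` and `azureCosmosdbTable` — while the existing `azurermResourceGroup` and `azurermServicePlan` carry the `azurerm` prefix that matches the Terraform resource type. Renaming to `azurermCosmosdbAccount` and `azurermCosmosdbTable` (with the two references in src/azure.go) keeps the one-to-one, grep-able correspondence between resource type and embedded mapping.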
@@ -4,5 +4,5 @@ import ( _ "embed" // required for embed ) -////go:embed mapping/gcp/data/cloudkms/google_kms_crypto_key.json -//var dataGoogleKmsCryptoKey []byte +//go:embed mapping/azure/data/resourcegroups/azurerm_resource_group.json +var dataAzurermResourceGroup []byte diff --git a/src/mapping/azure/data/resourcegroups/azurerm_resource_group.json b/src/mapping/azure/data/resourcegroups/azurerm_resource_group.json new file mode 100644 index 00000000..6d18390e --- /dev/null +++ b/src/mapping/azure/data/resourcegroups/azurerm_resource_group.json @@ -0,0 +1,13 @@ +[ + { + "apply": [], + "attributes": { + "tags": [] + }, + "destroy": [], + "modify": [], + "plan": [ + "Microsoft.Resources/subscriptions/resourcegroups/read" + ] + } +] diff --git a/src/mapping/azure/resource/documentdb/azurerm_cosmosdb_account.json b/src/mapping/azure/resource/documentdb/azurerm_cosmosdb_account.json new file mode 100644 index 00000000..efbc9ad2 --- /dev/null +++ b/src/mapping/azure/resource/documentdb/azurerm_cosmosdb_account.json @@ -0,0 +1,21 @@ +[ + { + "apply": [ + "Microsoft.Resources/subscriptions/resourcegroups/read", + "Microsoft.DocumentDB/databaseAccounts/read", + "Microsoft.DocumentDB/databaseAccounts/write", + "Microsoft.DocumentDB/databaseAccounts/delete", + "Microsoft.DocumentDB/databaseAccounts/listKeys/action", + "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action", + "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action" + ], + "attributes": { + "tags": [] + }, + "destroy": [ + "Microsoft.DocumentDB/databaseAccounts/delete" + ], + "modify": [], + "plan": [] + } +] diff --git a/src/mapping/azure/resource/documentdb/azurerm_cosmosdb_table.json b/src/mapping/azure/resource/documentdb/azurerm_cosmosdb_table.json new file mode 100644 index 00000000..c31f762a --- /dev/null +++ b/src/mapping/azure/resource/documentdb/azurerm_cosmosdb_table.json 
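Review bot: The data-source mapping places `Microsoft.Resources/subscriptions/resourcegroups/read` under `plan` and leaves `apply` empty, whereas every resource mapping in this commit lists its read action under `apply`. A data source is refreshed during apply as well as plan, so if the role is built from the `apply` list the read would be missing exactly when the account is being created; I cannot see the merge logic from here, so please confirm, or mirror the action into `apply` too.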
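Review bot: The `apply` list for azurerm_cosmosdb_account grants `listKeys/action`, `readonlykeys/action` and `listConnectionStrings/action`, which hand the Terraform identity the account's master keys — full data-plane access to every Cosmos account in the role's scope, not merely the right to manage the resource. These are presumably required because the provider reads the keys and connection strings into state, but nothing in the commit records that, nor whether setting `local_authentication_disabled` would let the mapping drop them. Separately, `destroy` lists only `databaseAccounts/delete`; the provider very likely reads the account before and while deleting it, so `Microsoft.DocumentDB/databaseAccounts/read` probably belongs in `destroy` as well, the way the key-vault mapping pairs delete with `deletedVaults/read`.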
@@ -0,0 +1,20 @@
+[
+  {
+    "apply": [
+      "Microsoft.Resources/subscriptions/resourcegroups/read",
+      "Microsoft.DocumentDB/databaseAccounts/read",
+      "Microsoft.DocumentDB/databaseAccounts/tables/read",
+      "Microsoft.DocumentDB/databaseAccounts/tables/write",
+      "Microsoft.DocumentDB/databaseAccounts/tables/delete",
+      "Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/read"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "Microsoft.DocumentDB/databaseAccounts/tables/delete"
+    ],
+    "modify": [],
+    "plan": []
+  }
+]
diff --git a/src/mapping/azure/resource/keyvault/azurerm_key_vault.json b/src/mapping/azure/resource/keyvault/azurerm_key_vault.json
new file mode 100644
index 00000000..89afe1ec
--- /dev/null
+++ b/src/mapping/azure/resource/keyvault/azurerm_key_vault.json
@@ -0,0 +1,18 @@
+[
+  {
+    "apply": [
+      "Microsoft.Resources/subscriptions/resourcegroups/read",
+      "Microsoft.KeyVault/vaults/read",
+      "Microsoft.KeyVault/vaults/write"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "Microsoft.KeyVault/vaults/delete",
+      "Microsoft.KeyVault/locations/deletedVaults/read"
+    ],
+    "modify": [],
+    "plan": []
+  }
+]
diff --git a/terraform/azure/backup/azurerm_cosmosdb_account.tf b/terraform/azure/backup/azurerm_cosmosdb_account.tf
new file mode 100644
index 00000000..683cd6f3
--- /dev/null
+++ b/terraform/azure/backup/azurerm_cosmosdb_account.tf
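Review bot: The table example added in this same commit sets `autoscale_settings { max_throughput = 1000 }`, yet the mapping only includes `tables/throughputSettings/read`; writing autoscale or provisioned throughput presumably needs `Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/write` too. Worth confirming with an apply under the generated role and adding the write action to `apply` if it is denied.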
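Review bot: `destroy` for azurerm_key_vault lists `vaults/delete` and `deletedVaults/read` but not `Microsoft.KeyVault/locations/deletedVaults/purge/action`, which the azurerm provider attempts on destroy by default (`purge_soft_delete_on_destroy`) once the vault is soft-deleted. The example vault in this commit enables purge protection, so the purge is skipped there, but a vault without it would fail to destroy under a role built from this mapping; either add the purge action or record that the mapping assumes purge protection. I am inferring the provider behaviour from its documented defaults, not from anything visible in the hunk.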
@@ -0,0 +1,43 @@
+resource "azurerm_cosmosdb_account" "db" {
+  name = "pike-cosmos-db"
+  location = "uksouth"
+  resource_group_name = "pike"
+  offer_type = "Standard"
+  kind = "MongoDB"
+
+  enable_automatic_failover = true
+
+  capabilities {
+    name = "EnableAggregationPipeline"
+  }
+
+  capabilities {
+    name = "mongoEnableDocLevelTTL"
+  }
+
+  capabilities {
+    name = "MongoDBv3.4"
+  }
+
+  capabilities {
+    name = "EnableMongo"
+  }
+
+  consistency_policy {
+    consistency_level = "BoundedStaleness"
+    max_interval_in_seconds = 350
+    max_staleness_prefix = 100000
+  }
+
+  geo_location {
+    location = "eastus"
+    failover_priority = 1
+  }
+
+  geo_location {
+    location = "westus"
+    failover_priority = 0
+  }
+  //local_authentication_disabled = true
+  public_network_access_enabled = false
+}
diff --git a/terraform/azure/backup/azurerm_cosmosdb_table.tf b/terraform/azure/backup/azurerm_cosmosdb_table.tf
new file mode 100644
index 00000000..7fc7dd5a
--- /dev/null
+++ b/terraform/azure/backup/azurerm_cosmosdb_table.tf
@@ -0,0 +1,35 @@
+resource "azurerm_cosmosdb_table" "pike2" {
+  name = "pike2"
+  resource_group_name = "pike"
+  account_name = "pike-table"
+  autoscale_settings {
+    max_throughput = 1000
+  }
+}
+
+
+resource "azurerm_cosmosdb_account" "pike-table" {
+  name = "pike-table"
+  location = "uksouth"
+  resource_group_name = "pike"
+  offer_type = "Standard"
+  enable_free_tier = true
+  consistency_policy {
+    consistency_level = "BoundedStaleness"
+    max_interval_in_seconds = 86400
+    max_staleness_prefix = 1000000
+  }
+
+  geo_location {
+    location = "uksouth"
+    failover_priority = "0"
+    zone_redundant = false
+  }
+  capabilities {
+    name = "EnableTable"
+  }
+  tags = {
+    "defaultExperience" = "Azure Table"
+    "hidden-cosmos-mmspecial" = ""
+  }
+}
diff --git a/terraform/azure/backup/azurerm_key_vault.tf b/terraform/azure/backup/azurerm_key_vault.tf
new file mode 100644
index 00000000..28ed9f09
--- /dev/null
+++ b/terraform/azure/backup/azurerm_key_vault.tf
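Review bot: `//local_authentication_disabled = true` is left commented out with no explanation in a file whose purpose is to exercise permissions, so it reads as an oversight; given `kind = "MongoDB"` the likely reason is that the provider only accepts that argument for the SQL API. Replace the dead line with a comment saying so, e.g. `# local_authentication_disabled is SQL-API only; key-based auth stays enabled for this MongoDB account`, so the next reader knows the account keys that the mapping's listKeys action exposes are deliberately still live.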
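Review bot: `account_name = "pike-table"` on `azurerm_cosmosdb_table.pike2` is a string literal rather than a reference to the `azurerm_cosmosdb_account.pike-table` resource defined below it, so Terraform sees no dependency and may attempt to create the table before the account exists. Use `account_name = azurerm_cosmosdb_account.pike-table.name` and `resource_group_name = azurerm_cosmosdb_account.pike-table.resource_group_name` so the ordering is explicit. `failover_priority = "0"` is also a quoted number where the sibling file writes `0`.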
@@ -0,0 +1,35 @@
+resource "azurerm_key_vault" "example" {
+  name = "pike"
+  location = "uksouth"
+  resource_group_name = "pike"
+  tenant_id = "8e7f742a-4215-44a0-881b-209124f286b1"
+  sku_name = "premium"
+  soft_delete_retention_days = 7
+  access_policy {
+    tenant_id = "8e7f742a-4215-44a0-881b-209124f286b1"
+    object_id = "640b7b1e-da57-4518-a546-cbec8d9a9bce"
+
+    key_permissions = [
+      "Create",
+      "Get",
+      "Purge",
+      "Recover"
+    ]
+
+    secret_permissions = [
+      "Set",
+    ]
+  }
+  purge_protection_enabled = true
+  network_acls {
+    default_action = "Deny"
+    bypass = "AzureServices"
+  }
+  tags = {
+    pike = "permissions"
+  }
+}
+
+output "key_vault" {
+  value = azurerm_key_vault.example
+}
diff --git a/terraform/azure/backup/data.azurerm_client_config.tf b/terraform/azure/backup/data.azurerm_client_config.tf
new file mode 100644
index 00000000..bf3cba2d
--- /dev/null
+++ b/terraform/azure/backup/data.azurerm_client_config.tf
@@ -0,0 +1,6 @@
+
+data "azurerm_client_config" "current" {}
+
+output "config" {
+  value = data.azurerm_client_config.current
+}
diff --git a/terraform/azure/backup/data.azurerm_resource_group.tf b/terraform/azure/backup/data.azurerm_resource_group.tf
new file mode 100644
index 00000000..6c2a4c2b
--- /dev/null
+++ b/terraform/azure/backup/data.azurerm_resource_group.tf
@@ -0,0 +1,8 @@
+
+data "azurerm_resource_group" "pike" {
+  name = "pike"
+}
+
+output "rg" {
+  value = data.azurerm_resource_group.pike
+}
diff --git a/terraform/azure/role/azurerm_role_definition.tf b/terraform/azure/role/azurerm_role_definition.tf
index fde39a4f..a6e478b9 100644
--- a/terraform/azure/role/azurerm_role_definition.tf
+++ b/terraform/azure/role/azurerm_role_definition.tf
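Review bot: `tenant_id` and `object_id` are hard-coded GUIDs in three places in `azurerm_key_vault.example`, even though this commit adds `data.azurerm_client_config.current` in the same directory; anyone applying from another tenant silently creates an access policy for a foreign principal, and the vault's own `tenant_id` will not match the caller. Use `tenant_id = data.azurerm_client_config.current.tenant_id` for both the vault and the policy, and `object_id = data.azurerm_client_config.current.object_id` for the policy. The `network_acls` block with `default_action = "Deny"` plus purge protection are good defaults for an example.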
@@ -5,10 +5,23 @@ resource "azurerm_role_definition" "example" { permissions { actions = [ - "Microsoft.Web/serverfarms/read", - "Microsoft.Web/serverfarms/write", - "Microsoft.Web/serverfarms/delete", - "Microsoft.Resources/subscriptions/providers/read" + "Microsoft.Resources/subscriptions/resourcegroups/read", + "Microsoft.KeyVault/vaults/read", + "Microsoft.KeyVault/vaults/write", + "Microsoft.KeyVault/vaults/delete", + "Microsoft.KeyVault/locations/deletedVaults/read", + + "Microsoft.DocumentDB/databaseAccounts/read", + "Microsoft.DocumentDB/databaseAccounts/write", + "Microsoft.DocumentDB/databaseAccounts/delete", + "Microsoft.DocumentDB/databaseAccounts/listKeys/action", + "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action", + "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action", + + "Microsoft.DocumentDB/databaseAccounts/tables/read", + "Microsoft.DocumentDB/databaseAccounts/tables/write", + "Microsoft.DocumentDB/databaseAccounts/tables/delete", + ] not_actions = [] }
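Review bot: The new `actions` list replaces the App Service Plan entries instead of adding to them, so `Microsoft.Web/serverfarms/read`, `write` and `delete` are gone while src/azure.go in this same commit still maps `azurerm_service_plan`; applying that resource under this role would now be denied. Re-add `"Microsoft.Web/serverfarms/read",`, `"Microsoft.Web/serverfarms/write",` and `"Microsoft.Web/serverfarms/delete",` unless the plan example is being retired. Note also that `listKeys/action` and `listConnectionStrings/action` turn this role into a data-plane credential for every Cosmos account within its assignable scope, so that scope should stay at the resource group; `azurerm_role_definition.example` begins outside the hunk and its `scope`/`assignable_scopes` are not visible here.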