PerfectThymeTech · marvinbuss · Oct 7, 2024 · Oct 7, 2024 · Oct 7, 2024 · Oct 8, 2024
diff --git a/.github/workflows/_terraformEnvironmentTemplate.yml b/.github/workflows/_terraformEnvironmentTemplate.yml
@@ -0,0 +1,257 @@
+name: Terraform Template
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+        description: "Specifies the environment of the deployment."
+      config:
+        required: true
+        type: string
+        description: "Specifies the configuration folder for the deployment."
+      terraform_version:
+        required: true
+        type: string
+        description: "Specifies the terraform version."
+      node_version:
+        required: true
+        type: number
+        description: "Specifies the node version."
+      working_directory:
+        required: true
+        type: string
+        description: "Specifies the working directory."
+      tenant_id:
+        required: true
+        type: string
+        description: "Specifies the tenant id of the deployment."
+      subscription_id:
+        required: true
+        type: string
+        description: "Specifies the subscription id of the deployment."
+    secrets:
+      CLIENT_ID:
+        required: true
+        description: "Specifies the client id."
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  lint:
+    name: Terraform Lint
+    runs-on: [ubuntu-latest]
+    continue-on-error: false
+
+    steps:
+      # Setup Terraform
+      - name: Setup Terraform
+        id: terraform_setup
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ inputs.terraform_version }}
+          terraform_wrapper: true
+
+      # Check Out Repository
+      - name: Check Out Repository
+        id: checkout_repository
+        uses: actions/checkout@v4
+
+      # Terraform Format
+      - name: Terraform Format
+        id: terraform_format
+        working-directory: ${{ inputs.working_directory }}
+        run: |
+          terraform fmt -check -recursive
+
+      # Add Pull Request Comment
+      - name: Add Pull Request Comment
+        uses: actions/github-script@v7
+        id: pr_comment
+        if: github.event_name == 'pull_request'
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `#### Terraform Lint Results
+            * Terraform Version 📎\`${{ inputs.terraform_version }}\`
+            * Working Directory 📂\`${{ inputs.working_directory }}\`
+            * Terraform Format and Style 🖌\`${{ steps.terraform_format.outcome }}\``;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+  plan:
+    name: Terraform Plan
+    runs-on: [self-hosted]
+    continue-on-error: false
+    environment: ${{ inputs.environment }}
+    needs: [lint]
+    concurrency:
+      group: terraform-${{ inputs.config }}-${{ inputs.environment }}
+      cancel-in-progress: false
+
+    env:
+      ARM_TENANT_ID: ${{ inputs.tenant_id }}
+      ARM_SUBSCRIPTION_ID: ${{ inputs.subscription_id }}
+      ARM_CLIENT_ID: ${{ secrets.CLIENT_ID }}
+      ARM_USE_OIDC: true
+
+    steps:
+      # Setup Node
+      - name: Setup Node
+        id: node_setup
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node_version }}
+
+      # Setup Terraform
+      - name: Setup Terraform
+        id: terraform_setup
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ inputs.terraform_version }}
+          terraform_wrapper: true
+
+      # Check Out Repository
+      - name: Check Out Repository
+        id: checkout_repository
+        uses: actions/checkout@v4
+
+      # Azure login
+      - name: Azure login
+        id: azure_login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.CLIENT_ID }}
+          tenant-id: ${{ inputs.tenant_id }}
+          subscription-id: ${{ inputs.subscription_id }}
+
+      # Terraform Init
+      - name: Terraform Init
+        id: terraform_init
+        working-directory: ${{ inputs.working_directory }}
+        run: |
+          terraform init -backend-config=../../config/${CONFIG}/azurerm.tfbackend
+        env:
+          CONFIG: ${{ inputs.config }}
+
+      # Terraform Validate
+      - name: Terraform Validate
+        id: terraform_validate
+        working-directory: ${{ inputs.working_directory }}
+        run: |
+          terraform validate
+
+      # Terraform Plan
+      - name: Terraform Plan
+        id: terraform_plan
+        working-directory: ${{ inputs.working_directory }}
+        run: |
+          terraform plan -input=false
+        env:
+          CONFIG: ${{ inputs.config }}
+
+      # Add Pull Request Comment
+      - name: Add Pull Request Comment
+        id: pr_comment
+        uses: actions/github-script@v7
+        if: github.event_name == 'pull_request'
+        continue-on-error: true
+        env:
+          PLAN: "terraform\n${{ steps.terraform_plan.outputs.stdout }}"
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `#### Terraform Validation & Plan Results
+            * Terraform Version 📎\`${{ inputs.terraform_version }}\`
+            * Working Directory 📂\`${{ inputs.working_directory }}\`
+            * Terraform Initialization ⚙️\`${{ steps.terraform_init.outcome }}\`
+            * Terraform Validation 🤖\`${{ steps.terraform_validate.outcome }}\`
+            * Terraform Plan 📖\`${{ steps.terraform_plan.outcome }}\`
+
+            <details><summary>Show Plan</summary>
+
+            \`\`\`\n
+            ${process.env.PLAN}
+            \`\`\`
+
+            </details>`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+  apply:
+    name: Terraform Apply
+    runs-on: [self-hosted]
+    continue-on-error: false
+    environment: ${{ inputs.environment }}
+    # if: github.event_name == 'push' || github.event_name == 'release'
+    needs: [plan]
+    concurrency:
+      group: terraform-${{ inputs.config }}-${{ inputs.environment }}
+      cancel-in-progress: false
+
+    env:
+      ARM_TENANT_ID: ${{ inputs.tenant_id }}
+      ARM_SUBSCRIPTION_ID: ${{ inputs.subscription_id }}
+      ARM_CLIENT_ID: ${{ secrets.CLIENT_ID }}
+      ARM_USE_OIDC: true
+
+    steps:
+      # Setup Node
+      - name: Setup Node
+        id: node_setup
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node_version }}
+
+      # Setup Terraform
+      - name: Setup Terraform
+        id: terraform_setup
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ inputs.terraform_version }}
+          terraform_wrapper: true
+
+      # Check Out Repository
+      - name: Check Out Repository
+        id: checkout_repository
+        uses: actions/checkout@v4
+
+      # Azure login
+      - name: Azure login
+        id: azure_login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.CLIENT_ID }}
+          tenant-id: ${{ inputs.tenant_id }}
+          subscription-id: ${{ inputs.subscription_id }}
+
+      # Terraform Init
+      - name: Terraform Init
+        working-directory: ${{ inputs.working_directory }}
+        run: |
+          terraform init -backend-config=../../config/${CONFIG}/azurerm.tfbackend
+        env:
+          CONFIG: ${{ inputs.config }}
+
+      # Terraform Apply
+      - name: Terraform Apply
+        working-directory: ${{ inputs.working_directory }}
+        run: |
+          terraform apply -auto-approve -input=false
+        env:
+          CONFIG: ${{ inputs.config }}
+          TF_VAR_my_secret: ${{ secrets.MY_SAMPLE_SECRET }}
diff --git a/.github/workflows/terraform-test.yml b/.github/workflows/terraform-test.yml
@@ -0,0 +1,30 @@
+name: test tests
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "modules/test/**"
+      - ".github/workflows/terraform-test.yml"
+
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "modules/test/**"
+      - ".github/workflows/terraform-test.yml"
+
+jobs:
+  terraform_dev:
+    uses: ./.github/workflows/_terraformEnvironmentTemplate.yml
+    name: "Dev"
+    with:
+      environment: "dev"
+      config: "PerfectThymeTech"
+      terraform_version: "1.9.6"
+      node_version: 20
+      working_directory: "./modules/test"
+      tenant_id: "37963dd4-f4e6-40f8-a7d6-24b97919e452"
+      subscription_id: "1fdab118-1638-419a-8b12-06c9543714a0"
+    secrets:
+      CLIENT_ID: ${{ secrets.CLIENT_ID }}
diff --git a/config/PerfectThymeTech/azurerm.tfbackend b/config/PerfectThymeTech/azurerm.tfbackend
@@ -0,0 +1,7 @@
+environment          = "public"
+subscription_id      = "e82c5267-9dc4-4f45-ac13-abdd5e130d27"
+resource_group_name  = "rg-terraform"
+storage_account_name = "terraformststg001"
+container_name       = "test"
+key                  = "terraform.tfstate"
+use_azuread_auth     = true
diff --git a/modules/aistudiohub/README.md b/modules/aistudiohub/README.md
@@ -106,6 +106,14 @@ map(object({
 
 Default: `{}`
 
+### <a name="input_ai_studio_hub_firewall_sku"></a> [ai\_studio\_hub\_firewall\_sku](#input\_ai\_studio\_hub\_firewall\_sku)
+
+Description: Specifies the firewall sku deployed in the managed vnet of the ai studio hub deployment.
+
+Type: `string`
+
+Default: `"Basic"`
+
 ### <a name="input_ai_studio_hub_provision_managed_network"></a> [ai\_studio\_hub\_provision\_managed\_network](#input\_ai\_studio\_hub\_provision\_managed\_network)
 
 Description: Specifies whether the managed vnet should be providioned as part of the ai studio hub deployment.

diff --git a/modules/aistudiohub/main.tf b/modules/aistudiohub/main.tf
@@ -1,5 +1,5 @@
 resource "azapi_resource" "ai_studio_hub" {
-  type      = "Microsoft.MachineLearningServices/workspaces@2024-04-01"
+  type      = "Microsoft.MachineLearningServices/workspaces@2024-10-01"
   name      = var.ai_studio_hub_name
   location  = var.location
   parent_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${var.resource_group_name}"
@@ -23,6 +23,7 @@ resource "azapi_resource" "ai_studio_hub" {
   body = {
     kind = "Hub"
     properties = {
+      allowRoleAssignmentOnRG         = false
       applicationInsights             = var.application_insights_id
       containerRegistry               = var.container_registry_id
       keyVault                        = var.key_vault_id
@@ -42,11 +43,12 @@ resource "azapi_resource" "ai_studio_hub" {
           sparkReady = true
           status     = "Active"
         }
+        firewallSku = var.ai_studio_hub_firewall_sku
       }
       primaryUserAssignedIdentity = null
       publicNetworkAccess         = "Disabled"
       softDeleteRetentionInDays   = 7
-      systemDatastoresAuthMode    = "identity"
+      systemDatastoresAuthMode    = "identity" # "accesskey"
       v1LegacyMode                = false
 
       # TODO: Evaluate adding below properties
@@ -60,6 +62,7 @@ resource "azapi_resource" "ai_studio_hub" {
       #   offlineStoreConnectionName = ""
       #   onlineStoreConnectionName = ""
       # }
+      # systemDatastoresAuthMode    = "identity"
       # workspaceHubConfig = {
       #   additionalWorkspaceStorageAccounts = []
       #   defaultWorkspaceResourceGroup = ""

diff --git a/modules/aistudiohub/variables.tf b/modules/aistudiohub/variables.tf
@@ -33,14 +33,6 @@ variable "ai_studio_hub_name" {
   nullable    = false
 }
 
-variable "ai_studio_hub_provision_managed_network" {
-  description = "Specifies whether the managed vnet should be providioned as part of the ai studio hub deployment."
-  type        = bool
-  sensitive   = false
-  nullable    = false
-  default     = false
-}
-
 variable "application_insights_id" {
   description = "Specifies the id of application insights that will be connected to the ai studio hub."
   type        = string
@@ -85,6 +77,26 @@ variable "storage_account_id" {
   }
 }
 
+variable "ai_studio_hub_firewall_sku" {
+  description = "Specifies the firewall sku deployed in the managed vnet of the ai studio hub deployment."
+  type        = string
+  sensitive   = false
+  nullable    = false
+  default     = "Basic"
+  validation {
+    condition     = contains(["Basic", "Standard"], var.ai_studio_hub_firewall_sku)
+    error_message = "Please specify a valid sku. Allowed values are: [ 'Basic', 'Standard' ]."
+  }
+}
+
+variable "ai_studio_hub_provision_managed_network" {
+  description = "Specifies whether the managed vnet should be providioned as part of the ai studio hub deployment."
+  type        = bool
+  sensitive   = false
+  nullable    = false
+  default     = false
+}
+
 # variable "ai_studio_hub_outbound_rules_fqdns" { # Will be managed using a separate module due to service limitations: https://github.com/PerfectThymeTech/terraform-azurerm-modules/tree/main/modules/aistudiooutboundrules
 #   description = "Specifies the outbound FQDN rules that should be added to the AI Studio Hub. Only provide FQDNs without specific paths such as 'microsoft.com' or '*.microsoft.com' but NOT 'microsoft.com/mypath'."
 #   type        = list(string)