From b0f198bafd4601e4b3dea0ecb8713780bf9c3cbe Mon Sep 17 00:00:00 2001 From: Automatic Update Date: Fri, 16 Feb 2024 12:54:58 +0100 Subject: [PATCH 1/5] Velero role assignement --- .../subscriptions/modules/storageaccount/main.tf | 15 +++++++++++++++ .../modules/storageaccount/variables.tf | 5 +++++ terraform/subscriptions/s940/c2/common/main.tf | 1 + .../subscriptions/s940/c2/common/variables.tf | 1 + .../s940/c2/vulnerability-scanner/main.tf | 2 +- .../subscriptions/s940/extmon/common/main.tf | 1 + .../subscriptions/s940/extmon/common/variables.tf | 1 + terraform/subscriptions/s940/prod/common/main.tf | 5 +++++ .../subscriptions/s940/prod/common/variables.tf | 1 + .../s940/prod/vulnerability-scanner/main.tf | 6 +++--- terraform/subscriptions/s941/dev/common/main.tf | 1 + .../subscriptions/s941/dev/common/variables.tf | 1 + .../s941/dev/vulnerability-scanner/main.tf | 2 +- .../subscriptions/s941/playground/common/main.tf | 5 +++++ .../s941/playground/common/variables.tf | 1 + .../s941/playground/vulnerability-scanner/main.tf | 2 +- 16 files changed, 44 insertions(+), 6 deletions(-) diff --git a/terraform/subscriptions/modules/storageaccount/main.tf b/terraform/subscriptions/modules/storageaccount/main.tf index 27d8e4933..1cebd13d0 100644 --- a/terraform/subscriptions/modules/storageaccount/main.tf +++ b/terraform/subscriptions/modules/storageaccount/main.tf 
@@ -57,6 +57,21 @@ resource "azurerm_role_assignment" "roleassignment" { depends_on = [azurerm_storage_account.storageaccount] } +# ####################################################################################### +# ### Role assignment for Velero Service Principal to be used to the Storage account +# ### + +data "azuread_service_principal" "velero" { # wip To be changed to workload identity in the future + display_name = var.velero_service_principal +} + +resource "azurerm_role_assignment" "storage_blob_data_conntributor" { + for_each = can(regex("radixvelero.*", var.name)) ? { "${var.name}" : true } : {} + scope = azurerm_storage_account.storageaccount.id + role_definition_name = "Storage Blob Data Contributor" + principal_id = data.azuread_service_principal.velero.id + depends_on = [azurerm_storage_account.storageaccount] +} ###################################################################################### ## Blob Protection diff --git a/terraform/subscriptions/modules/storageaccount/variables.tf b/terraform/subscriptions/modules/storageaccount/variables.tf index c5d46b27d..66afd70b2 100644 --- a/terraform/subscriptions/modules/storageaccount/variables.tf +++ b/terraform/subscriptions/modules/storageaccount/variables.tf @@ -74,6 +74,11 @@ variable "principal_id" { type = string } +variable "velero_service_principal" { + description = "The Name of the Principal (User, Group or Service Principal) to assign the Role Definition to" + type = string +} + variable "vault_id" { description = "The ID of the Backup Vault" type = string diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf index 322c8f9dd..988f304e7 100644 --- a/terraform/subscriptions/s940/c2/common/main.tf +++ b/terraform/subscriptions/s940/c2/common/main.tf 
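Review bot: `data "azuread_service_principal" "velero"` resolves the principal by `display_name`, which is not unique within an Entra ID tenant, so a second application registered with the same display name would either break the lookup or bind `Storage Blob Data Contributor` to a principal other than the one intended; resolving by `client_id` or `object_id` pins the identity to the exact object. The `for_each` guard `can(regex("radixvelero.*", var.name))` is unanchored and the `.*` adds nothing, so any account name that merely contains `radixvelero` qualifies; `can(regex("^radixvelero", var.name))` expresses the prefix intent. The data source itself is unconditional, so every storage account instance of this module performs the lookup and the whole module fails if the named principal is absent from the tenant — consider gating it with the same expression. The resource label `storage_blob_data_conntributor` has a typo; renaming it after the first apply would require a `moved` block, so it is cheapest to fix before it reaches state.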
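Review bot: The description of `velero_service_principal` ("The Name of the Principal (User, Group or Service Principal) to assign the Role Definition to") does not match how the module consumes the value — as the `display_name` of an `azuread_service_principal` data lookup, so a user or group name would not resolve. Suggest `description = "Display name of the Velero service principal that is granted Storage Blob Data Contributor on storage accounts whose name starts with radixvelero"`.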
@@ -54,5 +54,6 @@ module "storageaccount" { vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name priv_endpoint = each.value.private_endpoint firewall = each.value.firewall + velero_service_principal = each.value.velero_service_principal } diff --git a/terraform/subscriptions/s940/c2/common/variables.tf b/terraform/subscriptions/s940/c2/common/variables.tf index fc93f923c..b7d69837d 100644 --- a/terraform/subscriptions/s940/c2/common/variables.tf +++ b/terraform/subscriptions/s940/c2/common/variables.tf @@ -31,6 +31,7 @@ variable "storageaccounts" { account_tier = optional(string, "Standard") account_replication_type = optional(string, "LRS") kind = optional(string, "StorageV2") + velero_service_principal = optional(string, "ar-radix-velero-c2-prod") change_feed_enabled = optional(bool, false) versioning_enabled = optional(bool, false) backup = optional(bool, false) diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf index 2d80ed9f2..44dcf616a 100644 --- a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf @@ -19,7 +19,7 @@ data "azurerm_key_vault_secret" "keyvault_secrets" { module "mssql-database" { source = "../../../modules/mssqldatabase" env = module.config.environment - managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" + managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" database_name = "radix-vulnerability-scan" server_name = "sql-radix-vulnerability-scan-${module.config.environment}-prod" admin_adgroup = var.admin-adgroup diff --git a/terraform/subscriptions/s940/extmon/common/main.tf b/terraform/subscriptions/s940/extmon/common/main.tf index eb515622b..48c10c204 100644 --- a/terraform/subscriptions/s940/extmon/common/main.tf 
+++ b/terraform/subscriptions/s940/extmon/common/main.tf @@ -52,4 +52,5 @@ module "storageaccount" { vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name priv_endpoint = each.value.private_endpoint firewall = each.value.firewall + velero_service_principal = each.value.velero_service_principal } \ No newline at end of file diff --git a/terraform/subscriptions/s940/extmon/common/variables.tf b/terraform/subscriptions/s940/extmon/common/variables.tf index d799bf2c8..2d9eb5582 100644 --- a/terraform/subscriptions/s940/extmon/common/variables.tf +++ b/terraform/subscriptions/s940/extmon/common/variables.tf @@ -12,6 +12,7 @@ variable "storageaccounts" { account_tier = optional(string, "Standard") account_replication_type = optional(string, "LRS") kind = optional(string, "StorageV2") + velero_service_principal = optional(string, "radix-velero-prod") change_feed_enabled = optional(bool, false) versioning_enabled = optional(bool, false) backup = optional(bool, false) diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf index 322c8f9dd..312b5c402 100644 --- a/terraform/subscriptions/s940/prod/common/main.tf +++ b/terraform/subscriptions/s940/prod/common/main.tf @@ -1,3 +1,7 @@ +module "config" { + source = "../../../modules/config" +} + module "resourcegroups_ver1" { for_each = var.resource_groups_ver1 source = "../../../modules/resourcegroups_ver1" @@ -54,5 +58,6 @@ module "storageaccount" { vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name priv_endpoint = each.value.private_endpoint firewall = each.value.firewall + velero_service_principal = each.value.velero_service_principal } diff --git a/terraform/subscriptions/s940/prod/common/variables.tf b/terraform/subscriptions/s940/prod/common/variables.tf index 4f70d95cf..9c08b166b 100644 --- a/terraform/subscriptions/s940/prod/common/variables.tf 
+++ b/terraform/subscriptions/s940/prod/common/variables.tf @@ -32,6 +32,7 @@ variable "storageaccounts" { account_tier = optional(string, "Standard") account_replication_type = optional(string, "LRS") kind = optional(string, "StorageV2") + velero_service_principal = optional(string, "radix-velero-prod") change_feed_enabled = optional(bool, false) versioning_enabled = optional(bool, false) backup = optional(bool, false) diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf index cb56f7497..2248f58cb 100644 --- a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf @@ -21,16 +21,16 @@ module "mssql-database" { env = module.config.environment database_name = "radix-vulnerability-scan" server_name = "sql-radix-vulnerability-scan-prod" # ${module.config.environment} # Se https://github.com/equinor/radix-platform/issues/1187 - managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" + managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" admin_adgroup = var.admin-adgroup administrator_login = "radix" administrator_password = data.azurerm_key_vault_secret.keyvault_secrets.value rg_name = module.resourcegroup.data.name - vnet_resource_group = module.config.vnet_resource_group + vnet_resource_group = module.config.vnet_resource_group location = module.config.location public_network_access_enabled = true zone_redundant = false - sku_name = "S6" + sku_name = "S6" admin_federated_credentials = { github-main = { diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf index 946457f93..ef5e7271f 100644 --- a/terraform/subscriptions/s941/dev/common/main.tf +++ b/terraform/subscriptions/s941/dev/common/main.tf 
@@ -58,5 +58,6 @@ module "storageaccount" { vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name priv_endpoint = each.value.private_endpoint firewall = each.value.firewall + velero_service_principal = each.value.velero_service_principal } diff --git a/terraform/subscriptions/s941/dev/common/variables.tf b/terraform/subscriptions/s941/dev/common/variables.tf index f035f9ca7..a139f85ae 100644 --- a/terraform/subscriptions/s941/dev/common/variables.tf +++ b/terraform/subscriptions/s941/dev/common/variables.tf @@ -40,6 +40,7 @@ variable "storageaccounts" { account_tier = optional(string, "Standard") account_replication_type = optional(string, "LRS") kind = optional(string, "StorageV2") + velero_service_principal = optional(string, "radix-velero-dev") change_feed_enabled = optional(bool, false) versioning_enabled = optional(bool, false) backup = optional(bool, false) diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf index 744348abc..c311f6f97 100644 --- a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf @@ -23,7 +23,7 @@ data "azurerm_key_vault_secret" "keyvault_secrets" { module "mssql-database" { source = "../../../modules/mssqldatabase" env = module.config.environment - managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" + managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" database_name = "radix-vulnerability-scan" server_name = "sql-radix-vulnerability-scan-${module.config.environment}" admin_adgroup = var.admin-adgroup diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf index bb216fca7..ef5e7271f 100644 --- a/terraform/subscriptions/s941/playground/common/main.tf 
+++ b/terraform/subscriptions/s941/playground/common/main.tf @@ -1,3 +1,7 @@ +module "config" { + source = "../../../modules/config" +} + module "resourcegroups_ver1" { for_each = var.resource_groups_ver1 source = "../../../modules/resourcegroups_ver1" @@ -54,5 +58,6 @@ module "storageaccount" { vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name priv_endpoint = each.value.private_endpoint firewall = each.value.firewall + velero_service_principal = each.value.velero_service_principal } diff --git a/terraform/subscriptions/s941/playground/common/variables.tf b/terraform/subscriptions/s941/playground/common/variables.tf index 8a94526a3..d93f6a99e 100644 --- a/terraform/subscriptions/s941/playground/common/variables.tf +++ b/terraform/subscriptions/s941/playground/common/variables.tf @@ -31,6 +31,7 @@ variable "storageaccounts" { account_tier = optional(string, "Standard") account_replication_type = optional(string, "LRS") kind = optional(string, "StorageV2") + velero_service_principal = optional(string, "radix-velero-dev") change_feed_enabled = optional(bool, false) versioning_enabled = optional(bool, false) backup = optional(bool, false) diff --git a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf index ff8e1ea06..581e65038 100644 --- a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf +++ b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf 
@@ -21,7 +21,7 @@ data "azurerm_key_vault_secret" "keyvault_secrets" { module "mssql-database" { source = "../../../modules/mssqldatabase" env = module.config.environment - managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" + managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}" database_name = "radix-vulnerability-scan" server_name = "sql-radix-vulnerability-scan-${module.config.environment}" admin_adgroup = var.admin-adgroup From 447fd28d2b5c202cfc65b36cc493a126729c2fe4 Mon Sep 17 00:00:00 2001 From: Automatic Update Date: Fri, 16 Feb 2024 12:59:32 +0100 Subject: [PATCH 2/5] updates --- .../install_prerequisites_in_cluster.sh | 71 +++++++++---------- 1 file changed, 32 insertions(+), 39 deletions(-) diff --git a/scripts/velero/install_prerequisites_in_cluster.sh b/scripts/velero/install_prerequisites_in_cluster.sh index 54ff9fa5c..1cbded1f5 100755 --- a/scripts/velero/install_prerequisites_in_cluster.sh +++ b/scripts/velero/install_prerequisites_in_cluster.sh 
@@ -188,37 +188,30 @@ function cleanup() { rm -f "$CREDENTIALS_GENERATED_PATH" } -function generateCredentialsFile() { - local SP_JSON="$(az keyvault secret show \ - --vault-name $AZ_RESOURCE_KEYVAULT \ - --name $APP_REGISTRATION_VELERO | - jq '.value | fromjson')" - - # Set variables used in the manifest templates - local AZURE_SUBSCRIPTION_ID="$AZ_SUBSCRIPTION_ID" - local AZURE_CLIENT_ID="$(echo $SP_JSON | jq -r '.id')" - local AZURE_TENANT_ID="$(echo $SP_JSON | jq -r '.tenantId')" - local AZURE_CLIENT_SECRET="$(echo $SP_JSON | jq -r '.password')" - - # Use the credentials template as a heredoc, then run the heredoc to generate the credentials file - CREDENTIALS_GENERATED_PATH="$(mktemp)" - local tmp_heredoc="$(mktemp)" - ( - echo "#!/bin/sh" - echo "cat <>${CREDENTIALS_GENERATED_PATH}" - cat ${CREDENTIALS_TEMPLATE_PATH} - echo "" - echo "EOF" - ) >${tmp_heredoc} && chmod +x ${tmp_heredoc} - source "$tmp_heredoc" - - # Debug - # echo -e "\nCREDENTIALS_GENERATED_PATH=$CREDENTIALS_GENERATED_PATH" - # echo -e "tmp_heredoc=$tmp_heredoc" - - # Remove even if script crashed - #trap "rm -f $CREDENTIALS_GENERATED_PATH" 0 2 3 15 -} +# function generateCredentialsFile() { +# local SP_JSON="$(az keyvault secret show \ +# --vault-name $AZ_RESOURCE_KEYVAULT \ +# --name $APP_REGISTRATION_VELERO | +# jq '.value | fromjson')" + +# # Set variables used in the manifest templates +# local AZURE_SUBSCRIPTION_ID="$AZ_SUBSCRIPTION_ID" +# local AZURE_CLIENT_ID="$(echo $SP_JSON | jq -r '.id')" +# local AZURE_TENANT_ID="$(echo $SP_JSON | jq -r '.tenantId')" +# local AZURE_CLIENT_SECRET="$(echo $SP_JSON | jq -r '.password')" + +# # Use the credentials template as a heredoc, then run the heredoc to generate the credentials file +# CREDENTIALS_GENERATED_PATH="$(mktemp)" +# local tmp_heredoc="$(mktemp)" +# ( +# echo "#!/bin/sh" +# echo "cat <>${CREDENTIALS_GENERATED_PATH}" +# cat ${CREDENTIALS_TEMPLATE_PATH} +# echo "" +# echo "EOF" +# ) >${tmp_heredoc} && chmod +x ${tmp_heredoc} +# source 
"$tmp_heredoc" +# } # Run cleanup even if script crashed trap cleanup 0 2 3 15 @@ -231,14 +224,14 @@ case "$(kubectl get ns $VELERO_NAMESPACE 2>&1)" in esac printf "...Done" -printf "\nWorking on credentials..." -generateCredentialsFile -kubectl create secret generic cloud-credentials \ - --namespace "$VELERO_NAMESPACE" \ - --from-file=cloud=$CREDENTIALS_GENERATED_PATH \ - --dry-run=client -o yaml | - kubectl apply -f - \ - 2>&1 >/dev/null +# printf "\nWorking on credentials..." +# generateCredentialsFile +# kubectl create secret generic cloud-credentials \ +# --namespace "$VELERO_NAMESPACE" \ +# --from-file=cloud=$CREDENTIALS_GENERATED_PATH \ +# --dry-run=client -o yaml | +# kubectl apply -f - \ +# 2>&1 >/dev/null printf "...Done" MYIP=$(curl http://ifconfig.me/ip) || From 82904648a9bc414c3dfdfe0f80e73cb3a21adbe9 Mon Sep 17 00:00:00 2001 From: Automatic Update Date: Fri, 16 Feb 2024 14:08:28 +0100 Subject: [PATCH 3/5] Velero role assignment --- .../modules/storageaccount/main.tf | 34 +++++++------------ .../modules/storageaccount/variables.tf | 20 +++++------ .../subscriptions/s940/c2/common/main.tf | 31 +++++++++-------- .../subscriptions/s940/extmon/common/main.tf | 31 +++++++++-------- .../subscriptions/s940/prod/common/main.tf | 27 +++++++-------- .../subscriptions/s941/dev/common/main.tf | 27 +++++++-------- .../s941/playground/common/main.tf | 27 +++++++-------- 7 files changed, 95 insertions(+), 102 deletions(-) diff --git a/terraform/subscriptions/modules/storageaccount/main.tf b/terraform/subscriptions/modules/storageaccount/main.tf index 1cebd13d0..dd54736f8 100644 --- a/terraform/subscriptions/modules/storageaccount/main.tf +++ b/terraform/subscriptions/modules/storageaccount/main.tf 
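Review bot: The body of `generateCredentialsFile` is retained as a roughly thirty-line comment block instead of being deleted; version control already keeps the old implementation, and a commented-out copy of the Key Vault → `jq` → heredoc credential pipeline is easy to re-enable later without noticing that its consumer further down in the script is disabled as well. Prefer removing it and leaving a one-line pointer such as `# Velero credentials are no longer materialised here; storage access is granted to the Velero principal by the Terraform role assignment`, assuming that is the mechanism patch 1 of this series introduces. `cleanup()` (whose opening line is outside this hunk) still runs `rm -f "$CREDENTIALS_GENERATED_PATH"`, but nothing assigns that variable any more, so that line is dead and can be removed at the same time.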
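Review bot: `printf "...Done"` survives below the commented-out `printf "\nWorking on credentials..."` and `kubectl create secret` lines, so the script now emits a second "...Done" immediately after the namespace step's "...Done" with no label in front of it; remove that `printf` together with the block above it (and, as in the previous hunk, delete rather than comment out). The `MYIP=$(curl http://ifconfig.me/ip)` context line fetches the egress address over plain HTTP; if that value is later used to build an allow-list (not visible here), `https://ifconfig.me/ip` removes the possibility of an on-path response altering what gets allow-listed.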
@@ -93,19 +93,19 @@ resource "azurerm_storage_account_network_rules" "this" { default_action = "Deny" ip_rules = ["143.97.110.1"] virtual_network_subnet_ids = [var.subnet_id] - # bypass = ["Metrics"] -} -###################################################################################### -## Private Link -## +} +data "azurerm_subnet" "subnet" { + name = "private-links" + virtual_network_name = var.virtual_network + resource_group_name = var.vnet_resource_group +} resource "azurerm_private_endpoint" "this" { - for_each = var.priv_endpoint ? { "${var.name}" : true } : {} # { for key in compact([for key, value in var.priv_endpoint : value.private_endpoint ? key : ""]) : key => var.priv_endpoint[key] } - name = azurerm_storage_account.storageaccount.name - resource_group_name = azurerm_storage_account.storageaccount.resource_group_name - location = azurerm_storage_account.storageaccount.location - subnet_id = var.subnet_id + name = "pe-${var.name}" + location = var.location + resource_group_name = var.vnet_resource_group + subnet_id = data.azurerm_subnet.subnet.id depends_on = [azurerm_storage_account.storageaccount] private_service_connection { @@ -115,18 +115,10 @@ resource "azurerm_private_endpoint" "this" { subresource_names = ["blob"] } } - - -###################################################################################### -## Private DNS -## resource "azurerm_private_dns_a_record" "this" { - for_each = var.priv_endpoint ? { "${var.name}" : true } : {} name = azurerm_storage_account.storageaccount.name zone_name = "privatelink.blob.core.windows.net" - resource_group_name = var.vnethub_resource_group - ttl = 10 - records = [azurerm_private_endpoint.this[each.key].private_service_connection.0.private_ip_address] - depends_on = [azurerm_private_endpoint.this] + resource_group_name = var.vnet_resource_group + ttl = 60 + records = [azurerm_private_endpoint.this.private_service_connection.0.private_ip_address] } - 
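Review bot: Removing `for_each` from `azurerm_private_endpoint.this` and `azurerm_private_dns_a_record.this` changes their state addresses from `...this["<name>"]` to `...this`, so the next apply will plan to destroy every existing endpoint and A record and create replacements — with a window in which the `privatelink.blob.core.windows.net` name for the account does not resolve — unless state is migrated first (`terraform state mv` per instance; a `moved` block needs a literal key and this module is instantiated once per account). It also makes the private endpoint unconditional, so accounts that previously had `private_endpoint = false` will now get one; worth confirming that is intended. The A record's `resource_group_name` moves from the hub resource group (`vnethub_resource_group`) to `var.vnet_resource_group`; the private DNS zone has to exist there, otherwise the record create fails. The subnet data source hard-codes `name = "private-links"` while the VNet name comes from `var.virtual_network` with a default — a matching `var.private_link_subnet` with default `"private-links"` would keep the two consistent.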
diff --git a/terraform/subscriptions/modules/storageaccount/variables.tf b/terraform/subscriptions/modules/storageaccount/variables.tf index 66afd70b2..625c19ea6 100644 --- a/terraform/subscriptions/modules/storageaccount/variables.tf +++ b/terraform/subscriptions/modules/storageaccount/variables.tf @@ -95,17 +95,6 @@ variable "subnet_id" { } -variable "vnethub_resource_group" { - description = "Specifies the resource group where the DNS Zone (parent resource) exists" - type = string -} - -variable "priv_endpoint" { - description = "Create private endpoint?" - type = bool - default = false -} - variable "firewall" { description = "Enable FW rules on StorageAccount?" type = bool @@ -116,4 +105,13 @@ variable "firewall" { variable "backup" { description = "Enable backup" type = bool +} + +variable "virtual_network" { + type = string + default = "vnet-hub" +} + +variable "vnet_resource_group" { + type = string } \ No newline at end of file diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf index 988f304e7..06d23275d 100644 --- a/terraform/subscriptions/s940/c2/common/main.tf +++ b/terraform/subscriptions/s940/c2/common/main.tf @@ -1,8 +1,12 @@ +module "config" { + source = "../../../modules/config" +} + module "resourcegroups_ver1" { for_each = var.resource_groups_ver1 source = "../../../modules/resourcegroups_ver1" name = each.value.name - location = local.outputs.location + location = module.config.location roleassignment = each.value.roleassignment principal_id = module.mi.data.principal_id role_definition_name = each.value.role_definition_name 
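Review bot: The new variables `virtual_network` and `vnet_resource_group` carry no `description`, unlike the other variables visible in this hunk; suggest `description = "Name of the virtual network that holds the private-links subnet"` and `description = "Resource group of the virtual network; also where the private endpoint and its private DNS A record are created"`. With `priv_endpoint` removed from the module, the `private_endpoint` attribute that the consumers' `storageaccounts` object variables still declare (not in this diff) is presumably now unused and should be dropped or documented as ignored in a follow-up.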
@@ -10,26 +14,26 @@ module "resourcegroups_ver1" { module "mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-infrastructure-${local.outputs.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.outputs.enviroment}" + name = "radix-id-infrastructure-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" } module "backupvault" { source = "../../../modules/backupvaults" - name = "Backupvault-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + name = "Backupvault-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location policyblobstoragename = "Backuppolicy-blob" depends_on = [module.resourcegroups_ver1] } module "loganalytics" { source = "../../../modules/log-analytics" - workspace_name = "radix-logs-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + workspace_name = "radix-logs-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location retention_in_days = 30 local_authentication_disabled = false } @@ -37,12 +41,12 @@ module "loganalytics" { module "storageaccount" { source = "../../../modules/storageaccount" for_each = var.storageaccounts - name = "radix${each.key}${local.outputs.enviroment}" + name = "radix${each.key}${module.config.environment}" tier = each.value.account_tier account_replication_type = each.value.account_replication_type resource_group_name = each.value.resource_group_name location = each.value.location - environment = local.outputs.enviroment + environment = module.config.environment kind = each.value.kind change_feed_enabled = each.value.change_feed_enabled versioning_enabled = each.value.versioning_enabled 
@@ -51,9 +55,8 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name - priv_endpoint = each.value.private_endpoint firewall = each.value.firewall velero_service_principal = each.value.velero_service_principal + vnet_resource_group = module.config.vnet_resource_group } diff --git a/terraform/subscriptions/s940/extmon/common/main.tf b/terraform/subscriptions/s940/extmon/common/main.tf index 48c10c204..789a2a0e1 100644 --- a/terraform/subscriptions/s940/extmon/common/main.tf +++ b/terraform/subscriptions/s940/extmon/common/main.tf 
@@ -1,32 +1,36 @@ +module "config" { + source = "../../../modules/config" +} + module "resourcegroups" { for_each = toset(var.resource_groups) source = "../../../modules/resourcegroups" name = each.value - location = local.outputs.location + location = module.config.location } module "mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-infrastructure-${local.outputs.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.outputs.enviroment}" + name = "radix-id-infrastructure-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" } module "backupvault" { source = "../../../modules/backupvaults" - name = "Backupvault-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + name = "Backupvault-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location policyblobstoragename = "Backuppolicy-blob" depends_on = [module.resourcegroups] } module "loganalytics" { source = "../../../modules/log-analytics" - workspace_name = "radix-logs-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + workspace_name = "radix-logs-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location retention_in_days = 30 local_authentication_disabled = false } 
@@ -35,12 +39,12 @@ module "loganalytics" { module "storageaccount" { source = "../../../modules/storageaccount" for_each = var.storageaccounts - name = "radix${each.key}${local.outputs.enviroment}" + name = "radix${each.key}${module.config.environment}" tier = each.value.account_tier account_replication_type = each.value.account_replication_type resource_group_name = each.value.resource_group_name location = each.value.location - environment = local.outputs.enviroment + environment = module.config.environment kind = each.value.kind change_feed_enabled = each.value.change_feed_enabled versioning_enabled = each.value.versioning_enabled @@ -49,8 +53,7 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name - priv_endpoint = each.value.private_endpoint firewall = each.value.firewall velero_service_principal = each.value.velero_service_principal + vnet_resource_group = module.config.vnet_resource_group } \ No newline at end of file diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf index 312b5c402..06d23275d 100644 --- a/terraform/subscriptions/s940/prod/common/main.tf +++ b/terraform/subscriptions/s940/prod/common/main.tf @@ -6,7 +6,7 @@ module "resourcegroups_ver1" { for_each = var.resource_groups_ver1 source = "../../../modules/resourcegroups_ver1" name = each.value.name - location = local.outputs.location + location = module.config.location roleassignment = each.value.roleassignment principal_id = module.mi.data.principal_id role_definition_name = each.value.role_definition_name 
@@ -14,26 +14,26 @@ module "resourcegroups_ver1" { module "mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-infrastructure-${local.outputs.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.outputs.enviroment}" + name = "radix-id-infrastructure-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" } module "backupvault" { source = "../../../modules/backupvaults" - name = "Backupvault-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + name = "Backupvault-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location policyblobstoragename = "Backuppolicy-blob" depends_on = [module.resourcegroups_ver1] } module "loganalytics" { source = "../../../modules/log-analytics" - workspace_name = "radix-logs-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + workspace_name = "radix-logs-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location retention_in_days = 30 local_authentication_disabled = false } @@ -41,12 +41,12 @@ module "loganalytics" { module "storageaccount" { source = "../../../modules/storageaccount" for_each = var.storageaccounts - name = "radix${each.key}${local.outputs.enviroment}" + name = "radix${each.key}${module.config.environment}" tier = each.value.account_tier account_replication_type = each.value.account_replication_type resource_group_name = each.value.resource_group_name location = each.value.location - environment = local.outputs.enviroment + environment = module.config.environment kind = each.value.kind change_feed_enabled = each.value.change_feed_enabled versioning_enabled = each.value.versioning_enabled 
@@ -55,9 +55,8 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name - priv_endpoint = each.value.private_endpoint firewall = each.value.firewall velero_service_principal = each.value.velero_service_principal + vnet_resource_group = module.config.vnet_resource_group } diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf index ef5e7271f..61b250255 100644 --- a/terraform/subscriptions/s941/dev/common/main.tf +++ b/terraform/subscriptions/s941/dev/common/main.tf @@ -6,7 +6,7 @@ module "resourcegroups_ver1" { for_each = var.resource_groups_ver1 source = "../../../modules/resourcegroups_ver1" name = each.value.name - location = local.outputs.location + location = module.config.location roleassignment = each.value.roleassignment principal_id = module.mi.data.principal_id role_definition_name = each.value.role_definition_name 
@@ -14,26 +14,26 @@ module "resourcegroups_ver1" { module "mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-infrastructure-${local.outputs.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.outputs.enviroment}" + name = "radix-id-infrastructure-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" } module "backupvault" { source = "../../../modules/backupvaults" - name = "Backupvault-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + name = "Backupvault-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location policyblobstoragename = "Backuppolicy-blob" depends_on = [module.resourcegroups_ver1] } module "loganalytics" { source = "../../../modules/log-analytics" - workspace_name = "radix-logs-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + workspace_name = "radix-logs-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location retention_in_days = 30 local_authentication_disabled = false } @@ -41,12 +41,12 @@ module "loganalytics" { module "storageaccount" { source = "../../../modules/storageaccount" for_each = var.storageaccounts - name = "radix${each.key}${local.outputs.enviroment}" + name = "radix${each.key}${module.config.environment}" tier = each.value.account_tier account_replication_type = each.value.account_replication_type resource_group_name = each.value.resource_group_name location = each.value.location - environment = local.outputs.enviroment_L + environment = module.config.environment_L kind = each.value.kind change_feed_enabled = each.value.change_feed_enabled versioning_enabled = each.value.versioning_enabled 
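Review bot: `environment = module.config.environment_L` keeps the stray `_L` suffix from the old `local.outputs.enviroment_L`, while every other reference in this hunk (and in the c2, extmon and prod files of this patch) uses `module.config.environment`; unless the config module really exports an `environment_L` output, `terraform validate` will reject this line. Change it to `environment = module.config.environment`. The same line appears in the playground `module "storageaccount"` hunk at the end of this patch.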
@@ -55,9 +55,8 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name - priv_endpoint = each.value.private_endpoint firewall = each.value.firewall velero_service_principal = each.value.velero_service_principal + vnet_resource_group = module.config.vnet_resource_group } diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf index ef5e7271f..61b250255 100644 --- a/terraform/subscriptions/s941/playground/common/main.tf +++ b/terraform/subscriptions/s941/playground/common/main.tf @@ -6,7 +6,7 @@ module "resourcegroups_ver1" { for_each = var.resource_groups_ver1 source = "../../../modules/resourcegroups_ver1" name = each.value.name - location = local.outputs.location + location = module.config.location roleassignment = each.value.roleassignment principal_id = module.mi.data.principal_id role_definition_name = each.value.role_definition_name 
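Review bot: Dropping `priv_endpoint = each.value.private_endpoint` from the `storageaccount` module call leaves the per-account `private_endpoint = optional(bool, false)` field of `var.storageaccounts` unread (it is still declared in this environment's variables.tf later in the series, and PATCH 5 removes only `firewall` from that type), so setting it per account no longer has any effect and whatever the module now does for private endpoints applies uniformly. I cannot see the module's variables.tf in this chunk, so please confirm what `priv_endpoint` defaults to after this change and whether accounts that had `private_endpoint = true` are expected to keep their endpoint. Either keep passing the value, or remove the dead field from the variable type in the same commit so the configuration does not advertise a toggle that does nothing; the identical playground hunk below has the same issue.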
@@ -14,26 +14,26 @@ module "resourcegroups_ver1" { module "mi" { source = "../../../modules/userassignedidentity" - name = "radix-id-infrastructure-${local.outputs.enviroment}" - location = local.outputs.location - resource_group_name = "common-${local.outputs.enviroment}" + name = "radix-id-infrastructure-${module.config.environment}" + location = module.config.location + resource_group_name = "common-${module.config.environment}" } module "backupvault" { source = "../../../modules/backupvaults" - name = "Backupvault-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + name = "Backupvault-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location policyblobstoragename = "Backuppolicy-blob" depends_on = [module.resourcegroups_ver1] } module "loganalytics" { source = "../../../modules/log-analytics" - workspace_name = "radix-logs-${local.outputs.enviroment}" - resource_group_name = "common-${local.outputs.enviroment}" - location = local.outputs.location + workspace_name = "radix-logs-${module.config.environment}" + resource_group_name = "common-${module.config.environment}" + location = module.config.location retention_in_days = 30 local_authentication_disabled = false } @@ -41,12 +41,12 @@ module "loganalytics" { module "storageaccount" { source = "../../../modules/storageaccount" for_each = var.storageaccounts - name = "radix${each.key}${local.outputs.enviroment}" + name = "radix${each.key}${module.config.environment}" tier = each.value.account_tier account_replication_type = each.value.account_replication_type resource_group_name = each.value.resource_group_name location = each.value.location - environment = local.outputs.enviroment_L + environment = module.config.environment_L kind = each.value.kind change_feed_enabled = each.value.change_feed_enabled versioning_enabled = each.value.versioning_enabled 
@@ -55,9 +55,8 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name - priv_endpoint = each.value.private_endpoint firewall = each.value.firewall velero_service_principal = each.value.velero_service_principal + vnet_resource_group = module.config.vnet_resource_group } From 8ce80e50ef6147553f572434029c780ccf2943d2 Mon Sep 17 00:00:00 2001 From: Automatic Update Date: Fri, 16 Feb 2024 14:31:29 +0100 Subject: [PATCH 4/5] Remove IP --- terraform/subscriptions/modules/storageaccount/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/subscriptions/modules/storageaccount/main.tf b/terraform/subscriptions/modules/storageaccount/main.tf index dd54736f8..6a10aebdb 100644 --- a/terraform/subscriptions/modules/storageaccount/main.tf +++ b/terraform/subscriptions/modules/storageaccount/main.tf @@ -88,11 +88,11 @@ resource "azurerm_data_protection_backup_instance_blob_storage" "backupinstanceb } resource "azurerm_storage_account_network_rules" "this" { - for_each = var.firewall ? { "${var.name}" : true } : {} + # for_each = var.firewall ? { "${var.name}" : true } : {} storage_account_id = azurerm_storage_account.storageaccount.id default_action = "Deny" - ip_rules = ["143.97.110.1"] - virtual_network_subnet_ids = [var.subnet_id] + ip_rules = [] + # virtual_network_subnet_ids = [var.subnet_id] } From 3508d0d171de402b3777e4135a035a4b6c3af917 Mon Sep 17 00:00:00 2001 
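Review bot: With `for_each` commented out, `azurerm_storage_account_network_rules.this` now applies to every storage account the module creates and its address changes from `this["<name>"]` to `this`, so the next plan will destroy and recreate the rules and also lock down accounts that previously had `firewall = false`; confirm that is intended, since PATCH 5 drops the `firewall` variable rather than keeping the opt-out. `default_action = "Deny"` together with `ip_rules = []` and the subnet list commented out leaves no explicit allow path, only the provider's default `bypass` (AzureServices, if I read the provider right) and any private endpoint, so the Velero service principal the callers wire in needs a confirmed route to these accounts before this merges. I would make the intent explicit instead of relying on defaults and dead lines: `bypass = ["AzureServices"]` and `virtual_network_subnet_ids = [var.subnet_id]`, and delete the commented-out `for_each` and subnet lines rather than leaving them in the resource.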
From: Automatic Update Date: Fri, 16 Feb 2024 14:36:58 +0100 Subject: [PATCH 5/5] Updates --- .../subscriptions/modules/storageaccount/variables.tf | 7 ------- terraform/subscriptions/s940/c2/common/main.tf | 1 - terraform/subscriptions/s940/c2/common/variables.tf | 1 - terraform/subscriptions/s940/extmon/common/main.tf | 1 - terraform/subscriptions/s940/extmon/common/variables.tf | 1 - terraform/subscriptions/s940/prod/common/main.tf | 1 - terraform/subscriptions/s940/prod/common/variables.tf | 1 - terraform/subscriptions/s941/dev/common/main.tf | 1 - terraform/subscriptions/s941/dev/common/variables.tf | 1 - terraform/subscriptions/s941/playground/common/main.tf | 1 - .../subscriptions/s941/playground/common/variables.tf | 1 - 11 files changed, 17 deletions(-) diff --git a/terraform/subscriptions/modules/storageaccount/variables.tf b/terraform/subscriptions/modules/storageaccount/variables.tf index 625c19ea6..adb736421 100644 --- a/terraform/subscriptions/modules/storageaccount/variables.tf +++ b/terraform/subscriptions/modules/storageaccount/variables.tf @@ -95,13 +95,6 @@ variable "subnet_id" { } -variable "firewall" { - description = "Enable FW rules on StorageAccount?" - type = bool - default = true - -} - variable "backup" { description = "Enable backup" type = bool diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf index 06d23275d..7e27d609f 100644 --- a/terraform/subscriptions/s940/c2/common/main.tf +++ b/terraform/subscriptions/s940/c2/common/main.tf @@ -55,7 +55,6 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - firewall = each.value.firewall velero_service_principal = each.value.velero_service_principal vnet_resource_group = module.config.vnet_resource_group } 
diff --git a/terraform/subscriptions/s940/c2/common/variables.tf b/terraform/subscriptions/s940/c2/common/variables.tf index b7d69837d..0a8124f2c 100644 --- a/terraform/subscriptions/s940/c2/common/variables.tf +++ b/terraform/subscriptions/s940/c2/common/variables.tf @@ -37,7 +37,6 @@ variable "storageaccounts" { backup = optional(bool, false) principal_id = optional(string) private_endpoint = optional(bool, false) - firewall = optional(bool, true) })) default = { log = { diff --git a/terraform/subscriptions/s940/extmon/common/main.tf b/terraform/subscriptions/s940/extmon/common/main.tf index 789a2a0e1..ea45bcd27 100644 --- a/terraform/subscriptions/s940/extmon/common/main.tf +++ b/terraform/subscriptions/s940/extmon/common/main.tf @@ -53,7 +53,6 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - firewall = each.value.firewall velero_service_principal = each.value.velero_service_principal vnet_resource_group = module.config.vnet_resource_group } \ No newline at end of file diff --git a/terraform/subscriptions/s940/extmon/common/variables.tf b/terraform/subscriptions/s940/extmon/common/variables.tf index 2d9eb5582..c2341852f 100644 --- a/terraform/subscriptions/s940/extmon/common/variables.tf +++ b/terraform/subscriptions/s940/extmon/common/variables.tf @@ -18,7 +18,6 @@ variable "storageaccounts" { backup = optional(bool, false) principal_id = optional(string) private_endpoint = optional(bool, false) - firewall = optional(bool, true) })) default = { log = { diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf index 06d23275d..7e27d609f 100644 --- a/terraform/subscriptions/s940/prod/common/main.tf +++ b/terraform/subscriptions/s940/prod/common/main.tf 
@@ -55,7 +55,6 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - firewall = each.value.firewall velero_service_principal = each.value.velero_service_principal vnet_resource_group = module.config.vnet_resource_group } diff --git a/terraform/subscriptions/s940/prod/common/variables.tf b/terraform/subscriptions/s940/prod/common/variables.tf index 9c08b166b..5e1b96e3a 100644 --- a/terraform/subscriptions/s940/prod/common/variables.tf +++ b/terraform/subscriptions/s940/prod/common/variables.tf @@ -38,7 +38,6 @@ variable "storageaccounts" { backup = optional(bool, false) principal_id = optional(string) private_endpoint = optional(bool, false) - firewall = optional(bool, true) })) default = { log = { diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf index 61b250255..8e046b073 100644 --- a/terraform/subscriptions/s941/dev/common/main.tf +++ b/terraform/subscriptions/s941/dev/common/main.tf @@ -55,7 +55,6 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - firewall = each.value.firewall velero_service_principal = each.value.velero_service_principal vnet_resource_group = module.config.vnet_resource_group } diff --git a/terraform/subscriptions/s941/dev/common/variables.tf b/terraform/subscriptions/s941/dev/common/variables.tf index a139f85ae..619d583de 100644 --- a/terraform/subscriptions/s941/dev/common/variables.tf +++ b/terraform/subscriptions/s941/dev/common/variables.tf @@ -46,7 +46,6 @@ variable "storageaccounts" { backup = optional(bool, false) principal_id = optional(string) private_endpoint = optional(bool, false) - firewall = optional(bool, true) })) default = { log = { 
diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf index 61b250255..8e046b073 100644 --- a/terraform/subscriptions/s941/playground/common/main.tf +++ b/terraform/subscriptions/s941/playground/common/main.tf @@ -55,7 +55,6 @@ module "storageaccount" { vault_id = module.backupvault.data.backupvault.id policyblobstorage_id = module.backupvault.data.policyblobstorage.id subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id - firewall = each.value.firewall velero_service_principal = each.value.velero_service_principal vnet_resource_group = module.config.vnet_resource_group } diff --git a/terraform/subscriptions/s941/playground/common/variables.tf b/terraform/subscriptions/s941/playground/common/variables.tf index d93f6a99e..754f7b587 100644 --- a/terraform/subscriptions/s941/playground/common/variables.tf +++ b/terraform/subscriptions/s941/playground/common/variables.tf @@ -37,7 +37,6 @@ variable "storageaccounts" { backup = optional(bool, false) principal_id = optional(string) private_endpoint = optional(bool, false) - firewall = optional(bool, true) })) default = { log = {