...

docs/infrastructure-bootstrapping.md

@@ -74,12 +74,12 @@ cd ..
     - Email: maintainers@fullstaqruby.org
     - Algorithm: 4096-bit RSA (or stronger)
 
-2.  Store this in an Azure Key Vault:
+2.  Store this in the Azure Key Vault for Infra Owners:
 
     Export the private key to a file "fullstaq-ruby-priv.asc" (ASCII armor). Then:
 
     ```bash
-    az keyvault secret set --vault-name server-edition-hisec --name gpg-private-key -f fullstaq-ruby-priv.asc
+    az keyvault secret set --vault-name fsruby2infraowners --name server-edition-gpg-private-key -f fullstaq-ruby-priv.asc
     rm fullstaq-ruby-priv.asc
     ```
 
@@ -94,15 +94,7 @@ Create the following Github repositories:
 
 ## Step 7: Run initial Terraform (normal)
 
-Login Google Cloud CLI if you haven't yet:
-
-```bash
-gcloud auth login --update-adc
-```
-
-Then modify `terraform/variables.tf` and populate the right Google Cloud IDs and Azure object IDs.
-
-Then run Terraform:
+Run Terraform:
 
 ```bash
 cd terraform

terraform/entra_apps.tf → terraform-hisec/entra_apps.tf

@@ -1,13 +1,6 @@
-data "azuread_group" "infra-maintainers" {
-  display_name               = "Fullstaq Ruby Infra Maintainers"
-  security_enabled           = true
-  include_transitive_members = true
-}
-
-
 resource "azuread_application" "server-edition-github-ci-test" {
   display_name = "Server Edition Github CI (test)"
-  owners       = data.azuread_group.infra-maintainers.members
+  owners       = var.infra_owners_azure_group_members
 }
 
 resource "azuread_application_federated_identity_credential" "server-edition-github-ci-test" {
@@ -20,13 +13,16 @@ resource "azuread_application_federated_identity_credential" "server-edition-git
 
 resource "azuread_service_principal" "server-edition-github-ci-test" {
   client_id = azuread_application.server-edition-github-ci-test.client_id
-  owners    = data.azuread_group.infra-maintainers.members
+  owners    = var.infra_owners_azure_group_members
+  feature_tags {
+    enterprise = true
+  }
 }
 
 
 resource "azuread_application" "server-edition-github-ci-deploy" {
   display_name = "Server Edition Github CI (deploy)"
-  owners       = data.azuread_group.infra-maintainers.members
+  owners       = var.infra_owners_azure_group_members
 }
 
 resource "azuread_application_federated_identity_credential" "server-edition-github-ci-deploy" {
@@ -39,5 +35,8 @@ resource "azuread_application_federated_identity_credential" "server-edition-git
 
 resource "azuread_service_principal" "server-edition-github-ci-deploy" {
   client_id = azuread_application.server-edition-github-ci-deploy.client_id
-  owners    = data.azuread_group.infra-maintainers.members
+  owners    = var.infra_owners_azure_group_members
+  feature_tags {
+    enterprise = true
+  }
 }

terraform-hisec/key_vault.tf

@@ -0,0 +1,41 @@
+resource "azurerm_key_vault" "infra-owners" {
+  tenant_id                 = var.azure_tenant_id
+  resource_group_name       = azurerm_resource_group.infra-owners.name
+  location                  = azurerm_resource_group.infra-owners.location
+  name                      = "${var.key_vault_prefix}infraowners"
+  sku_name                  = "standard"
+  enable_rbac_authorization = true
+  tags = {
+    description = "Key Vault for Infra Owners"
+  }
+}
+
+resource "azurerm_role_assignment" "infra-owners-kv-admin-by-infra-owners" {
+  scope                = azurerm_key_vault.infra-owners.id
+  role_definition_name = "Key Vault Secrets Officer"
+  principal_id         = azuread_group.infra-owners.id
+}
+
+
+resource "azurerm_key_vault_secret" "server-edition-gpg-priv-key" {
+  key_vault_id = azurerm_key_vault.infra-owners.id
+  name         = "server-edition-gpg-priv-key"
+  value        = "initial value"
+
+  lifecycle {
+    # Value is managed outside Terraform, populated manually
+    ignore_changes = [value]
+  }
+}
+
+resource "azurerm_role_assignment" "server-edition-gpg-priv-key-readable-by-github-ci-test" {
+  scope                = azurerm_key_vault_secret.server-edition-gpg-priv-key.resource_versionless_id
+  role_definition_name = "Key Vault Secrets User"
+  principal_id         = azuread_service_principal.server-edition-github-ci-test.id
+}
+
+resource "azurerm_role_assignment" "server-edition-gpg-priv-key-readable-by-github-ci-deploy" {
+  scope                = azurerm_key_vault_secret.server-edition-gpg-priv-key.resource_versionless_id
+  role_definition_name = "Key Vault Secrets User"
+  principal_id         = azuread_service_principal.server-edition-github-ci-deploy.id
+}

terraform-hisec/tfstate_maintainers_storage.tf

@@ -13,6 +13,10 @@ resource "azurerm_storage_account" "tfstate-infra-maintainers" {
   account_replication_type        = "ZRS"
   default_to_oauth_authentication = true
   shared_access_key_enabled       = false
+
+  tags = {
+    description = "Terraform state storage for Infra Maintainers"
+  }
 }
 
 resource "azurerm_storage_container" "tfstate-infra-maintainers" {

terraform-hisec/variables.tf

@@ -23,6 +23,11 @@ variable "storage_account_prefix" {
   default = "fsruby2"
 }
 
+variable "key_vault_prefix" {
+  type    = string
+  default = "fsruby2"
+}
+
 variable "gcloud_org_id" {
   type    = string
   default = "252249970036"

terraform/ci_storage.tf

@@ -1,3 +1,12 @@
+data "azuread_group" "infra-maintainers" {
+  display_name = "Fullstaq Ruby Infra Maintainers"
+}
+
+data "azuread_service_principal" "server-edition-github-ci-test" {
+  display_name = "Server Edition Github CI (test)"
+}
+
+
 resource "azurerm_storage_account" "server-edition-ci" {
   name                     = "${var.storage_account_prefix}seredci1"
   resource_group_name      = "fullstaq-ruby-infra-maintainers"
@@ -9,6 +18,10 @@ resource "azurerm_storage_account" "server-edition-ci" {
   blob_properties {
     last_access_time_enabled = true
   }
+
+  tags = {
+    description = "Server Edition CI storage"
+  }
 }
 
 
@@ -59,7 +72,7 @@ resource "azurerm_role_assignment" "server-edition-ci-artifacts-owned-by-infra-m
 resource "azurerm_role_assignment" "server-edition-ci-artifacts-writable-by-github-ci-test" {
   scope                = azurerm_storage_container.server-edition-ci-artifacts.resource_manager_id
   role_definition_name = "Storage Blob Data Contributor"
-  principal_id         = azuread_service_principal.server-edition-github-ci-test.id
+  principal_id         = data.azuread_service_principal.server-edition-github-ci-test.id
 }
 
 
@@ -78,7 +91,7 @@ resource "azurerm_role_assignment" "server-edition-ci-cache-owned-by-infra-maint
 resource "azurerm_role_assignment" "server-edition-ci-cache-writable-by-github-ci-test" {
   scope                = azurerm_storage_container.server-edition-ci-cache.resource_manager_id
   role_definition_name = "Storage Blob Data Contributor"
-  principal_id         = azuread_service_principal.server-edition-github-ci-test.id
+  principal_id         = data.azuread_service_principal.server-edition-github-ci-test.id
 }
 
 
@@ -105,12 +118,6 @@ resource "google_storage_bucket_iam_binding" "server-edition-ci-artifacts-public
   members = ["allUsers"]
 }
 
-# resource "google_storage_bucket_iam_binding" "server-edition-ci-artifacts-writable-by-ci-bot" {
-#   bucket  = google_storage_bucket.server-edition-ci-artifacts.self_link
-#   role    = "roles/storage.objectAdmin"
-#   members = ["serviceAccount:${google_service_account.server-edition-ci-bot.email}"]
-# }
-
 resource "google_storage_bucket_iam_binding" "server-edition-ci-artifacts-writable-by-github-ci" {
   bucket  = google_storage_bucket.server-edition-ci-artifacts.self_link
   role    = "roles/storage.objectAdmin"