migrate to hetzner

migrate most google cloud infra to azure
use github-azure OIDC authentication

Author: FooBarWidget

terraform-hisec/entra_id_groups.tf renamed to terraform-hisec/entra_groups.tf

@@ -11,6 +11,37 @@ resource "azurerm_storage_account" "server-edition-ci" {
   }
 }
 
+
+resource "azurerm_storage_container" "server-edition-ci-artifacts" {
+  name                  = "server-edition-ci-artifacts"
+  storage_account_name  = azurerm_storage_account.server-edition-ci.name
+  container_access_type = "private"
+}
+
+resource "azurerm_storage_management_policy" "server-edition-ci-artifacts-expiry" {
+  storage_account_id = azurerm_storage_account.server-edition-ci.id
+  rule {
+    name    = "expire-old-entries"
+    enabled = true
+    filters {
+      prefix_match = ["${azurerm_storage_container.server-edition-ci-artifacts.name}/"]
+      blob_types   = ["blockBlob"]
+    }
+    actions {
+      base_blob {
+        delete_after_days_since_creation_greater_than = "30"
+      }
+    }
+  }
+}
+
+resource "azurerm_role_assignment" "server-edition-ci-artifacts-owned-by-infra-maintainers" {
+  scope                = azurerm_storage_container.server-edition-ci-artifacts.resource_manager_id
+  role_definition_name = "Storage Blob Data Owner"
+  principal_id         = data.azuread_group.infra-maintainers.id
+}
+
+
 resource "azurerm_storage_container" "server-edition-ci-cache" {
   name                  = "server-edition-ci-cache"
   storage_account_name  = azurerm_storage_account.server-edition-ci.name

terraform/ci_cache_storage.tf renamed to terraform/ci_storage.tf

@@ -0,0 +1,70 @@
+# resource "google_service_account" "apiserver" {
+#   depends_on   = [google_project_service.iam-api]
+#   account_id   = "apiserver"
+#   display_name = "API server"
+# }
+
+
+# resource "google_service_account" "infra-ci-bot" {
+#   depends_on   = [google_project_service.iam-api]
+#   account_id   = "infra-ci-bot"
+#   display_name = "Infrastructure CI bot"
+# }
+
+# resource "google_service_account_key" "infra-ci-bot-sa-key" {
+#   service_account_id = google_service_account.infra-ci-bot.name
+# }
+
+
+# resource "google_service_account" "server-edition-ci-bot" {
+#   depends_on   = [google_project_service.iam-api]
+#   account_id   = "server-edition-ci-bot"
+#   display_name = "Server Edition CI bot"
+# }
+
+# resource "google_service_account_key" "server-editions-ci-bot-sa-key" {
+#   service_account_id = google_service_account.server-edition-ci-bot.name
+# }
+
+data "azuread_group" "infra-maintainers" {
+  display_name     = "Fullstaq Ruby Infra Maintainers"
+  security_enabled = true
+}
+
+
+resource "azuread_application" "server-edition-github-ci-test" {
+  display_name = "Server Edition Github CI (test)"
+  owners = [azuread_group.infra-maintainers.id]
+}
+
+resource "azuread_application_federated_identity_credential" "server-edition-github-ci-test" {
+  application_id = azuread_application_registration.server-edition-github-ci-test.application_id
+  display_name   = "Server Edition Github CI (test)"
+  audiences      = ["api://AzureADTokenExchange"]
+  issuer = "https://token.actions.githubusercontent.com"
+  subject = "repo:fullstaq-ruby/server-edition:environment:test"
+}
+
+resource "azuread_service_principal" "server-edition-github-ci-test" {
+  client_id = azuread_application.server-edition-github-ci-test.application_id
+  owners = [azuread_group.infra-maintainers.id]
+}
+
+
+resource "azuread_application" "server-edition-github-ci-deploy" {
+  display_name = "Server Edition Github CI (deploy)"
+  owners = [azuread_group.infra-maintainers.id]
+}
+
+resource "azuread_application_federated_identity_credential" "server-edition-github-ci-deploy" {
+  application_id = azuread_application_registration.server-edition-github-ci-deploy.application_id
+  display_name   = "Server Edition Github CI (deploy)"
+  audiences      = ["api://AzureADTokenExchange"]
+  issuer = "https://token.actions.githubusercontent.com"
+  subject = "repo:fullstaq-ruby/server-edition:environment:deploy"
+}
+
+resource "azuread_service_principal" "server-edition-github-ci-deploy" {
+  client_id = azuread_application.server-edition-github-ci-deploy.application_id
+  owners = [azuread_group.infra-maintainers.id]
+}

terraform/entra_apps.tf

@@ -1,8 +1,3 @@
-data "azuread_group" "infra-maintainers" {
-  display_name     = "Fullstaq Ruby Infra Maintainers"
-  security_enabled = true
-}
-
 resource "azurerm_resource_group" "infra-maintainers" {
   name     = "fullstaq-ruby-infra-maintainers"
   location = "westeurope"