Skip to content

Commit

Permalink
feat: Terraform implementation refactor (#215)
Browse files Browse the repository at this point in the history
* testing bicep cicd - added new oidc client id for read-only access, testing what-if flag

* Adding region into the bicep yml, env var and to the what-if arm-deploy action

* testing pipeline, adding puysh trigger for this branch

* testing pipeline, adding puysh trigger for this branch

* testing with prod id as the what-if scenario requires same level of permissions

* testing with prod id as the what-if scenario requires same level of permissions

* testing the deployment

* testing the deployment

* testing cicd bicep templates

* testing cicd

* testing cicd

* testing cicd

* disabling psrule for now

* disabling psrule for now

* consolidating tf scenario 1 workflows into a single cicd pipeline

* consolidating tf scenario 1 workflows into a single cicd pipeline

* consolidating tf scenario 1 workflows into a single cicd pipeline

* consolidating tf scenario 1 workflows into a single cicd pipeline

* renaming consolidated scenario 1 tf pipeline

* Adding concurrency, removed redundant param files

* Adding concurrency, removed redundant param files

* removing test branch trigger

* cleanup

* cleanup

* wip

* Functional deployment, further testing required

* Spoke deployment fixes/cleanup

* added backend.hcl file

* shared resource group

* cleaned up windows vm create and custom script

* Add files via upload

* Add files via upload

* pulling latest

* updating latest changes for terraform

* Refactoring TF changes

* pre-commit formatting and docs

* adding scenario deployment input file

* fixing gha tf scenario deployment yaml

* fixed private endpoints for app svc slots

* fixed private endpoints for app svc slots

* fixed private endpoints for app svc slots

* fixed private endpoints for app svc slots

* removing entra data lookups for sql server

* removing entra data lookups for sql server

* removing entra data lookups for sql server

* removing /deployment dir

* constraining deployment to azurerm versions 4.5.0 - 5.0.0

---------

Co-authored-by: ahmeds <[email protected]>
Co-authored-by: Kunal Babre <[email protected]>
  • Loading branch information
3 people authored Nov 20, 2024
1 parent 62bd83c commit 5153a9a
Show file tree
Hide file tree
Showing 88 changed files with 1,922 additions and 674 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/.template.terraform.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ on:
type: string
description: 'Terraform version'
required: true
default: '1.3.9'
default: '1.9.7'
modulePath:
type: string
description: 'Path to the Terraform module'
Expand Down Expand Up @@ -94,4 +94,4 @@ jobs:
backendStorageContainerName: ${{ secrets.AZURE_TF_STATE_STORAGE_CONTAINER_NAME }}
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION }}
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
29 changes: 8 additions & 21 deletions .github/workflows/scenario1.terraform.yml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@

name: 'Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline'

concurrency:
Expand Down Expand Up @@ -40,9 +41,9 @@ permissions:

env:
modulePath: 'scenarios/secure-baseline-multitenant/terraform'
terraformVersion: 1.5.2 # must be greater than or equal to 1.2 for OIDC
backendStateKey: 'scenario1.hub.tfstate'
tfvarPath: 'parameters/ase-multitenant.parameters.tfvars'
terraformVersion: 1.9.7 # must be greater than or equal to 1.2 for OIDC
backendStateKey: 'scenario1.appsvclza.tfstate'
tfvarPath: '_parameters/ase-multitenant.parameters.tfvars'

jobs:
prepare-environment:
Expand All @@ -56,31 +57,17 @@ jobs:
backendStateKey: ${{ env.backendStateKey }}
tfvarPath: ${{ env.tfvarPath }}

terraform-deploy-hub:
name: 'Terraform CICD (Hub Multi-tenant Secure Baseline)'
terraform-deploy:
name: 'Terraform CICD (Hub & Spoke Multi-tenant Secure Baseline)'
needs:
- prepare-environment
uses: ./.github/workflows/.template.terraform.yml
with:
modulePath: ${{ needs.prepare-environment.outputs.modulePath }}/hub
modulePath: ${{ needs.prepare-environment.outputs.modulePath }}
terraformVersion: ${{ needs.prepare-environment.outputs.terraformVersion }}
backendStateKey: 'scenario1.hub.tfstate'
backendStateKey: ${{ needs.prepare-environment.outputs.backendStateKey }}
tfvarPath: ${{ needs.prepare-environment.outputs.tfvarPath }}
# Ensure this value is a boolean
destroy: ${{ github.event.inputs.destroy == 'true' }}
secrets: inherit

terraform-deploy-spoke:
name: 'Terraform CICD (Spoke Multi-tenant Secure Baseline)'
needs:
- prepare-environment
- terraform-deploy-hub
uses: ./.github/workflows/.template.terraform.yml
with:
modulePath: ${{ needs.prepare-environment.outputs.modulePath }}/spoke
terraformVersion: ${{ needs.prepare-environment.outputs.terraformVersion }}
backendStateKey: 'scenario1.spoke.tfstate'
tfvarPath: ${{ needs.prepare-environment.outputs.tfvarPath }}
# Ensure this value is a boolean
destroy: ${{ github.event.inputs.destroy == 'true' }}
secrets: inherit
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
backend.hcl
deployment/bicep/localparam*.json
deployment/bicep/localmain.bicep
deployment/bicep/localtestscript.ps1
Expand All @@ -7,6 +8,8 @@ deployment/bicep/main.json
# local .vscode folder
**/.vscode/*

backend.hcl

# Local .terraform directories
.terraform
**/.terraform/*
Expand Down
3 changes: 2 additions & 1 deletion .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,8 @@ repos:
rev: v1.74.1 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
hooks:
- id: terraform_fmt
- id: terraform_validate
# Currently disabled due to the openai module not being able to be validated
# - id: terraform_validate
- id: terraform_docs
args:
- --hook-config=--path-to-file=README.md # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
Expand Down
1 change: 1 addition & 0 deletions scenarios/secure-baseline-multitenant/.gitignore
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
.azure
backend.hcl
139 changes: 136 additions & 3 deletions scenarios/secure-baseline-multitenant/terraform/README.md

Large diffs are not rendered by default.

33 changes: 33 additions & 0 deletions scenarios/secure-baseline-multitenant/terraform/_locals.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
locals {
deployment_name = "sec-baseline-1"

global_settings = merge({
environment = try(var.global_settings.environment, var.environment)
passthrough = try(var.global_settings.passthrough, false)
prefixes = try(var.global_settings.prefixes, [local.deployment_name, local.short_location])
suffixes = try(var.global_settings.suffixes, [var.environment])
random_length = try(var.global_settings.random_length, 0)
regions = try(var.global_settings.regions, null)
tags = try(var.global_settings.tags, null)
use_slug = try(var.global_settings.use_slug, true)
}, var.global_settings)

short_location_map = {
"eastus" : "eus"
"eastus2" : "eus2"
"westus" : "wus"
"westus2" : "wus2"
"westeurope" : "weu"
"easteurope" : "eeu"
"southcentralus" : "scus"
}

short_location = try(local.short_location_map[var.location], var.location)

base_tags = merge({
"Terraform" = true
"Environment" = local.global_settings.environment
"Owner" = var.owner
"Project" = "[Scenario 1] App Service Landing Zone Accelerator"
}, var.tags)
}
Original file line number Diff line number Diff line change
@@ -1,78 +1,73 @@
application_name = "eslz2"
environment = "prod"
location = "westus3"
owner = "[email protected]"

# For the hub state, use the same settings as the remote state config on the hub deployment from /hub/main.tf
hub_state_resource_group_name = "backend-appsrvc-dev-westus2-001"
hub_state_storage_account_name = "stbackendappsrwestus2001"
hub_state_container_name = "tfstate"
hub_state_key = "scenario1.hub.tfstate"

entra_admin_group_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884"
entra_admin_group_name = "AppSvcLZA Microsoft Entra SQL Admins"

## Lookup the Microsoft Entra User
# vm_entra_admin_username = "[email protected]"
## Reference an existing Microsoft Entra User/Group Object ID to bypass lookup
vm_entra_admin_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" # "AppSvcLZA Microsoft Entra SQL Admins"


## Optionally provide non-Entra ID admin credentials for the VM
# vm_admin_username = "daniem"
# vm_admin_password = "**************"

## These settings are used for peering the spoke to the hub. Fill in the appropriate settings for your environment
hub_settings = {
rg_name = "rg-hub-scenario1-wus3"
vnet_name = "vnet-hub-scenario1-wus3"

firewall = {
private_ip = "10.242.0.4"
}
}

## Toggle deployment of optional features and services for the Landing Zone
deployment_options = {
enable_waf = true
enable_egress_lockdown = true
enable_diagnostic_settings = true
deploy_bastion = true
deploy_redis = true
deploy_sql_database = true
deploy_app_config = true
deploy_vm = false
deploy_openai = true
}

## Optionally deploy a Github runner, DevOps agent, or both to the VM.
# devops_settings = {
# github_runner = {
# repository_url = "https://github.com/{organization}/{repository}"
# token = "runner_registration_token" # See: https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28
# }
#
# devops_agent = {
# organization_url = "https://dev.azure.com/{organization}/"
# token = "pat_token"
# }
# }

appsvc_options = {
service_plan = {
os_type = "Windows"
sku_name = "S1"

# Optionally configure zone redundancy (requires a minimum of three workers and Premium SKU service plan)
# worker_count = 3
# zone_redundant = true
}

web_app = {
application_stack = {
current_stack = "dotnet"
dotnet_version = "v6.0"
}
slots = ["staging"]
}
}
application_name = "eslztest"
environment = "dev"
location = "westus3"
owner = "[email protected]"

# entra_admin_group_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884"
# entra_admin_group_name = "AppSvcLZA Entra SQL Admins"

## Lookup the Entra User
# vm_entra_admin_username = "[email protected]"
## Reference an existing Entra User/Group Object ID to bypass lookup
vm_entra_admin_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" # "AppSvcLZA Entra SQL Admins"

## Optionally provide non-entra admin credentials for the VM
# vm_admin_username = "daniem"
# vm_admin_password = "**************"

## Toggle deployment of optional features and services for the Landing Zone
deployment_options = {
deploy_asev3 = true
enable_waf = true
enable_egress_lockdown = true
enable_diagnostic_settings = true
deploy_bastion = true
deploy_redis = true
deploy_sql_database = true
deploy_app_config = true
deploy_vm = false
deploy_openai = true
}

## OpenAI Deployment Models
oai_deployment_models = {
"text-embedding-ada-002" = {
name = "text-embedding-ada-002"
model_format = "OpenAI"
model_name = "text-embedding-ada-002"
model_version = "2"
sku_name = "Standard"
}
}

## Optionally deploy a Github runner, DevOps agent, or both to the VM.
# devops_settings = {
# github_runner = {
# repository_url = "https://github.com/{organization}/{repository}"
# token = "runner_registration_token" # See: https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28
# }
#
# devops_agent = {
# organization_url = "https://dev.azure.com/{organization}/"
# token = "pat_token"
# }
# }

appsvc_options = {
service_plan = {
os_type = "Windows"
sku_name = "I1v2"

# Optionally configure zone redundancy (requires a minimum of three workers and Premium SKU service plan)
# worker_count = 3
# zone_redundant = true
}

web_app = {
application_stack = {
current_stack = "dotnet"
dotnet_version = "v6.0"
}
slots = ["staging"]
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
### To use this template, rename the file to `backend.tf`
### and update the values below to match your remote state config
###
### To use this file as part of your deployment, provide the following flag as you initialize:
### terraform init -backend-config=backend.tf

resource_group_name = "my-tf-remote-state-rg-name"
storage_account_name = "my-tf-remote-state-sa-name"
container_name = "my-tf-remote-state-container-name"
key = "my-state-file-name.tfstate"
24 changes: 12 additions & 12 deletions scenarios/secure-baseline-multitenant/terraform/hub/README.md
Original file line number Diff line number Diff line change
@@ -1,20 +1,20 @@
# hub

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
# hub

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.3 |
| <a name="requirement_azurecaf"></a> [azurecaf](#requirement\_azurecaf) | >=1.2.23 |
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >=3.66.0 |
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 4.5.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_azurecaf"></a> [azurecaf](#provider\_azurecaf) | 1.2.26 |
| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.85.0 |
| <a name="provider_azurecaf"></a> [azurecaf](#provider\_azurecaf) | >=1.2.23 |
| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 4.5.0 |

## Modules

Expand All @@ -29,7 +29,7 @@
| Name | Type |
|------|------|
| [azurecaf_name.caf_name_hub_rg](https://registry.terraform.io/providers/aztfmod/azurecaf/latest/docs/resources/name) | resource |
| [azurerm_resource_group.hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azurerm_resource_group.hub](https://registry.terraform.io/providers/hashicorp/azurerm/4.5.0/docs/resources/resource_group) | resource |

## Inputs

Expand All @@ -54,10 +54,10 @@

| Name | Description |
|------|-------------|
| <a name="output_bastion_name"></a> [bastion\_name](#output\_bastion\_name) | n/a |
| <a name="output_firewall_private_ip"></a> [firewall\_private\_ip](#output\_firewall\_private\_ip) | n/a |
| <a name="output_firewall_rules"></a> [firewall\_rules](#output\_firewall\_rules) | n/a |
| <a name="output_rg_name"></a> [rg\_name](#output\_rg\_name) | n/a |
| <a name="output_vnet_id"></a> [vnet\_id](#output\_vnet\_id) | n/a |
| <a name="output_vnet_name"></a> [vnet\_name](#output\_vnet\_name) | n/a |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
| <a name="output_resource_group_name"></a> [resource\_group\_name](#output\_resource\_group\_name) | n/a |
| <a name="output_virtual_network"></a> [virtual\_network](#output\_virtual\_network) | n/a |
| <a name="output_virtual_network_id"></a> [virtual\_network\_id](#output\_virtual\_network\_id) | n/a |
| <a name="output_virtual_network_name"></a> [virtual\_network\_name](#output\_virtual\_network\_name) | n/a |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
locals {
deployment_name = "sec-baseline-1-hub"
deployment_name = "sec-baseline-hub"

global_settings = merge({
environment = try(var.global_settings.environment, var.environment)
Expand Down
24 changes: 21 additions & 3 deletions scenarios/secure-baseline-multitenant/terraform/hub/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,16 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">=3.66.0"
version = ">=4.0"
}
azurecaf = {
source = "aztfmod/azurecaf"
version = ">=1.2.23"
}
}
backend "azurerm" {}

# If called as a module, this backend configuration block will have no effect.
# backend "azurerm" {}
}

provider "azurerm" {
Expand All @@ -32,5 +34,21 @@ provider "azurerm" {
partner_id = "cf7e9f0a-f872-49db-b72f-f2e318189a6d"
}

provider "azurecaf" {}
## Create Hub Resource Group with the name generated from global_settings
resource "azurecaf_name" "caf_name_hub_rg" {
name = var.application_name
resource_type = "azurerm_resource_group"
prefixes = local.global_settings.prefixes
suffixes = local.global_settings.suffixes
random_length = local.global_settings.random_length
clean_input = true
passthrough = local.global_settings.passthrough
use_slug = local.global_settings.use_slug
}

resource "azurerm_resource_group" "hub" {
name = azurecaf_name.caf_name_hub_rg.result
location = var.location

tags = local.base_tags
}
Loading

0 comments on commit 5153a9a

Please sign in to comment.