diff --git a/.github/workflows/aksplan.yaml b/.github/workflows/aksplan.yaml
index 13d17ac55..13c7ae6e1 100644
--- a/.github/workflows/aksplan.yaml
+++ b/.github/workflows/aksplan.yaml
@@ -2,7 +2,7 @@ name: AKS Plan
on:
pull_request:
paths:
- - terraform/subscriptions/**
+ - terraform/subscriptions/**
workflow_dispatch:
jobs:
terraform-plan:
@@ -33,12 +33,14 @@ jobs:
uses: actions/checkout@v4 #Clone Repo
with:
fetch-depth: '2'
+
- name: Extract data
id: data
run: |
FILENAME=terraform/subscriptions/${{matrix.target.subscription}}/${{matrix.target.name}}/config.yaml
echo "FILENAME=${FILENAME}" >> $GITHUB_OUTPUT
echo "Checking file: ${FILENAME}"
+
- name: Check if files changed
id: changes
run: |
@@ -48,6 +50,7 @@ jobs:
else
echo "changed=true" >> $GITHUB_OUTPUT
fi
+
- name: 'Az login'
if: steps.changes.outputs.changed == 'true'
uses: azure/login@v2
@@ -55,10 +58,12 @@ jobs:
client-id: ${{ env.ARM_CLIENT_ID }}
tenant-id: ${{ env.ARM_TENANT_ID }}
subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
+
- name: Get GitHub Public IP
id: github_public_ip
if: steps.changes.outputs.changed == 'true'
run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
+
- name: Add GitHub IP to StorageAccount
if: steps.changes.outputs.changed == 'true'
run: |
@@ -66,20 +71,25 @@ jobs:
--resource-group "${{ matrix.target.subscription }}-tfstate" \
--account-name "${{ matrix.target.subscription }}radixinfra" \
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
+
- name: Add GitHub IP to KeyVault
if: steps.changes.outputs.changed == 'true'
run: |
az keyvault network-rule add --name "radix-keyv-${{ matrix.target.name }}" \
--resource-group "common-${{ matrix.target.name }}" \
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
+
- name: Lets sleep for 30 seconds for FW rule to complete
if: steps.changes.outputs.changed == 'true'
run: sleep 30s
+
- name: Setup Terraform
if: steps.changes.outputs.changed == 'true'
+ id: update_firewall
uses: hashicorp/setup-terraform@v3
with:
terraform_version: 'latest'
+
- name: Terraform Init & Plan
if: steps.changes.outputs.changed == 'true'
id: init
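Review bot: The new `id: update_firewall` is attached to the `Setup Terraform` step, but the step that actually opens the KeyVault firewall in this job is `Add GitHub IP to KeyVault`, so the revoke condition introduced in the last hunk of this file (`steps.update_firewall.outcome == 'success'`) gates cleanup on setup-terraform succeeding rather than on the rule having been added: if setup-terraform fails, the runner IP stays on the KeyVault allow-list. Move the id onto the add step, i.e. `- name: Add GitHub IP to KeyVault` followed by `id: update_firewall`. The `Revoke GitHub IP on StorageAccount` step in the next hunk keeps only `if: steps.changes.outputs.changed == 'true'`, which is skipped as soon as any earlier step fails, leaving the IP in the storage account network rules; give `Add GitHub IP to StorageAccount` its own id and guard that revoke the same way, e.g. `if: ${{ steps.update_storage_firewall.outcome == 'success' && !cancelled() }}` (placeholder id, pick one that matches the file's naming).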
@@ -89,6 +99,7 @@ jobs:
run: |
terraform -chdir="./terraform/subscriptions/${{ matrix.target.subscription }}/${{ matrix.target.name }}/pre-clusters" init
terraform -chdir="./terraform/subscriptions/${{ matrix.target.subscription }}/${{ matrix.target.name }}/pre-clusters" plan
+
- name: Revoke GitHub IP on StorageAccount
if: steps.changes.outputs.changed == 'true'
run: |
@@ -96,8 +107,9 @@ jobs:
--resource-group "${{ matrix.target.subscription }}-tfstate" \
--account-name "${{ matrix.target.subscription }}radixinfra" \
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
+
- name: Revoke GitHub IP on KeyVault
- if: steps.changes.outputs.changed == 'true'
+ if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
run: |
az keyvault network-rule remove --name "radix-keyv-${{ matrix.target.name }}" \
--resource-group "common-${{ matrix.target.name }}" \
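Review bot: The trailing comment on the new `if:` says the step always runs even if a previous step failed, but `!cancelled()` is false when the run is cancelled, so a cancelled plan leaves the runner IP on the KeyVault allow-list. Either make the comment match the behaviour, `# Run even if a previous step failed (not on cancel)`, or, if cleanup should also happen during cancellation, use `if: ${{ always() && steps.update_firewall.outcome == 'success' }}`. The same comment/condition pair is added to check_terraform.yaml, clean-cache-registry.yml, lock-resources.yml, startclusters.yml and stopclusters.yml. The step's run block continues past the end of this hunk.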
diff --git a/.github/workflows/azureAuditlog.yml b/.github/workflows/azureAuditlog.yml
deleted file mode 100644
index 009ecc791..000000000
--- a/.github/workflows/azureAuditlog.yml
+++ /dev/null
@@ -1,246 +0,0 @@
-name: AzureAuditLogs
-
-on: [workflow_dispatch]
-# on:
-# push:
-# branches:
-# - master
-# paths:
-# - '.github/workflows/azureAuditlog.yml'
-# - 'arm-templates/azureAuditLogStorageAccount.json'
-
-# pull_request:
-# branches:
-# - master
-# paths:
-# - '.github/workflows/azureAuditlog.yml'
-# - 'arm-templates/azureAuditLogStorageAccount.json'
-
-env:
- # Prod
- prodSubscriptionId: 'ded7ca41-37c8-4085-862f-b11d21ab341a'
-
- # Dev
- devSubscriptionId: '16ede44b-1f74-40a5-b428-46cca9a5741b'
-
- # Shared
- settingName: azureauditlog
- auditLogStorageName: radixazauditlogs
-
-jobs:
-############## DEV STAGE ##############
-
- dev:
- runs-on: ubuntu-latest
- env:
- envName: dev
- devRgName: rg-radix-shared-dev
- steps:
-
- # Checks-out your repository under $GITHUB_WORKSPACE
- - uses: actions/checkout@v4
-
- # Set dynamic variables for the job
- - name: Set job variables
- shell: pwsh
- run: |
-
- # Set timestamp variable for jobs
- $currentTime = (get-date).ToString("dd-MM-yyyyThhMMZ")
- echo "timestamp=$currentTime" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-
- # Install powershell modules
- - name: Install powershell modules
- shell: pwsh
- run: |
-
- Install-Module az.resources -force
- Install-Module az.storage -force
-
- # Azure login for powershell
- - name: Azure login
- shell: pwsh
- run: |
- $azureAplicationId = "${{ secrets.DEV_AZURE_CREDENTIALS_CLIENT_ID }}"
- $azureTenantId = "${{ secrets.AZURE_TENANT_ID }}"
- $azurePassword = ConvertTo-SecureString "${{ secrets.DEV_AZURE_CREDENTIALS_CLIENT_SECRET }}" -AsPlainText -Force
- $psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword)
- Add-azAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal
-
-
- # Set subsctiption to develop and verify
- - name: Set Azure subscription
- shell: pwsh
- run: |
-
- Set-AzContext -SubscriptionId "${{ env.devSubscriptionId }}"
-
- $subscription = (Get-AzContext)
- if ($subscription.Subscription.Id -eq "${{ env.devSubscriptionId }}") {
- Write-Output "Using subscription $($subscription.subscription.Name)"
- exit 0
-
- }
- else {
- Write-Output "Subscription does not match. Terminating script"
- exit 1
- }
-
- # Create storage account for Azure audit logs
- - name: Storage Account for Azure Subscription Audit logs
- shell: pwsh
- run: |
-
- # Set task variables
- $rg = "${{ env.devRgName }}"
- $templateFile = "$env:GITHUB_WORKSPACE/arm-templates/azureAuditLogStorageAccount.json"
- $storeAccountName = "${{ env.auditLogStorageName }}${{ env.envName }}"
-
- # Deploy Storage Account for Audit logs
- New-AzResourceGroupDeployment `
- -Name "sql-log-${{ env.timestamp }}" `
- -ResourceGroupName $rg `
- -TemplateFile $templateFile `
- -storageAccountName $storeAccountName `
- -accountType Standard_LRS `
- -kind StorageV2 `
- -accessTier cool
-
-
- # Enable auditlog for dev subsciption
- - name: Enable auditlog for dev subsciption
- shell: pwsh
- run: |
-
- # Set variables
- $rg = "${{ env.devRgName }}"
- $templateFile = "$env:GITHUB_WORKSPACE/arm-templates/auditlogs.json"
- $storeAccountName = "${{ env.auditLogStorageName }}${{ env.envName }}"
- $storageAccountId = (Get-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $storeAccountName).Id
-
- # Deploy the ARM template
- New-AzDeployment `
- -Name "auditlog-${{ env.timestamp }}" `
- -Location "norwayeast" `
- -TemplateFile $templateFile `
- -settingName ${{ env.settingName }} `
- -storageAccountId "$storageAccountId"
-
- # Azure logout
- - name: logout
- shell: pwsh
- run: |
- Logout-azAccount | Out-Null
-
-
-############## PROD STAGE ##############
-
- prod:
- needs: dev
- if: github.ref == 'refs/heads/master'
- runs-on: ubuntu-latest
- env:
- envName: prod
- prodRgName: rg-radix-shared-prod
- steps:
-
- # Checks-out your repository under $GITHUB_WORKSPACE
- - uses: actions/checkout@v4
-
- # Set dynamic variables for the job
- - name: Set job variables
- shell: pwsh
- run: |
-
- # Set timestamp variable for jobs
- $currentTime = (get-date).ToString("dd-MM-yyyyThhMMZ")
- Write-Output "::set-env name=timestamp::$currentTime"
-
- # Install powershell modules
- - name: Install powershell modules
- shell: pwsh
- run: |
-
- Install-Module az.resources -force
- Install-Module az.storage -force
-
- # Azure login for powershell
- - name: Azure login
- shell: pwsh
- run: |
- $azureAplicationId = "${{ secrets.PROD_AZURE_CREDENTIALS_CLIENT_ID }}"
- $azureTenantId = "${{ secrets.AZURE_TENANT_ID }}"
- $azurePassword = ConvertTo-SecureString "${{ secrets.PROD_AZURE_CREDENTIALS_CLIENT_SECRET }}" -AsPlainText -Force
- $psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword)
- Add-azAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal
-
- # Set subsctiption to develop and verify
- - name: Set Azure subscription
- shell: pwsh
- run: |
-
- Set-AzContext -SubscriptionId "${{ env.prodSubscriptionId }}"
-
- $subscription = (Get-AzContext)
- if ($subscription.Subscription.Id -eq "${{ env.prodSubscriptionId }}") {
- Write-Output "Using subscription $($subscription.subscription.Name)"
- exit 0
-
- }
- else {
- Write-Output "Subscription does not match. Terminating script"
- exit 1
- }
-
-
- # Create storage account for Azure audit logs
- - name: Storage Account for Azure Subscription Audit logs
- shell: pwsh
- run: |
-
- # Set task variables
- $rg = "${{ env.prodRgName }}"
- $templateFile = "$env:GITHUB_WORKSPACE/arm-templates/azureAuditLogStorageAccount.json"
- $storeAccountName = "${{ env.auditLogStorageName }}${{ env.envName }}"
-
- # Deploy Storage Account for Audit logs
- New-AzResourceGroupDeployment `
- -Name "sql-log-${{ env.timestamp }}" `
- -ResourceGroupName $rg `
- -TemplateFile $templateFile `
- -storageAccountName $storeAccountName `
- -accountType Standard_LRS `
- -kind StorageV2 `
- -accessTier cool
-
-
- # Enable auditlog for prod subsciption
- - name: Enable auditlog for prod subsciption
- shell: pwsh
- run: |
-
- Set-AzContext -SubscriptionId "${{ env.prodSubscriptionId }}"
-
- $subscription = (Get-AzContext)
- if ($subscription.Subscription.Id -eq "${{ env.prodSubscriptionId }}") {
- Write-Output "Using subscription $($subscription.subscription.Name)"
- exit 0
-
- }
- else {
- Write-Output "Subscription does not match. Terminating script"
- exit 1
- }
-
-
- # Create storage account and SQL logs
- - name: Storage Account for SQL logs
- shell: pwsh
- run: |
-
-
- # Azure logout
- - name: logout
- shell: pwsh
- run: |
- Logout-azAccount | Out-Null
\ No newline at end of file
diff --git a/.github/workflows/check_terraform.yaml b/.github/workflows/check_terraform.yaml
index 2af538532..51df96e3f 100644
--- a/.github/workflows/check_terraform.yaml
+++ b/.github/workflows/check_terraform.yaml
@@ -1,81 +1,56 @@
name: Check Terraform infrastructure
on:
pull_request:
- workflow_dispatch:
- inputs:
- subscription:
- description: 'Subscription'
- type: choice
- required: true
- options:
- - 's940'
- - 's941'
- default: 's941'
-
- terraformapply:
- description: 'Terraform apply'
- type: boolean
- required: true
- default: false
+ paths:
+ - terraform/subscriptions/**
-
- # secrets:
- # AZURE_CLIENT_ID:
- # description: The client ID of the Azure AD service principal to use for authenticating to Azure.
- # required: true
-
- # AZURE_SUBSCRIPTION_ID:
- # description: The ID of the Azure subscription to create the resources in.
- # required: true
-
- # AZURE_TENANT_ID:
- # description: The ID of the Azure tenant to create the resources in.
- # required: true
-
+permissions:
+ id-token: write
+ contents: read
jobs:
- terrform-s941:
+ terrform:
name: Check infrastructure consistency
runs-on: ubuntu-latest
- environment: s941
strategy:
+ fail-fast: false
matrix:
- ENVIROMENT: [dev, playground]
- env:
- # ENVIROMENT: dev #variable passed to scipt
- SUBSCRIPTION: s941 #variable passed to scipt
- terraform_version: ~1.3.0
- ARM_USE_OIDC: true
- ARM_USE_AZUREAD: true
- ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
- ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
- storage_account_name: ${{ inputs.subscription }}radixinfra
+ target:
+ - name: "dev"
+ folderName: "dev"
+ subscription: "s941"
+ - name: "playground"
+ folderName: "playground"
+ subscription: "s941"
+ - name: "platform"
+ folderName: "prod"
+ subscription: "s940"
+ - name: "c2"
+ folderName: "c2"
+ subscription: "s940"
+ environment: ${{matrix.target.name }}
- permissions:
- id-token: write
- contents: read
steps:
- name: Checkout
uses: actions/checkout@v4 #Clone Repo
-
- name: 'Az login'
uses: azure/login@v2
with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ client-id: ${{ vars.AZURE_CLIENT_ID }}
+ tenant-id: ${{ vars.AZURE_TENANT_ID }}
+ subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Get GitHub Public IP
id: github_public_ip
run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
- name: Add GitHub IP to StorageAccount
+ id: update_firewall
run: |
az storage account network-rule add \
- --resource-group "${{ env.SUBSCRIPTION}}-tfstate" \
- --account-name "${{ env.SUBSCRIPTION}}radixinfra" \
+ --resource-group "${{ matrix.target.subscription }}-tfstate" \
+ --account-name "${{ matrix.target.subscription }}radixinfra" \
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
- name: Lets sleep for 30 seconds for FW rule to complete
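Review bot: The new job key `terrform:` carries the old typo forward while the key is being renamed anyway; `terraform:` would match the job name and the step titles. The expression spacing in `environment: ${{matrix.target.name }}` differs from every other expression in the file (`${{ ... }}`); `environment: ${{ matrix.target.name }}` keeps them consistent. This is a style point only; the move of `permissions` to workflow level and the switch to environment-scoped `vars.*` look correct.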
@@ -84,78 +59,25 @@ jobs:
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
- terraform_version: ${{ env.terraform_version }}
+ terraform_version: 'latest'
- - name: Check terrorm in ${{ matrix.ENVIROMENT}}
+ - name: Check Terraform in ${{ matrix.target.name}}
working-directory: terraform/subscriptions/scripts
- run: ENVIROMENT=${{ matrix.ENVIROMENT}} ./terraform.sh
-
- - name: Revoke GitHub IP on StorageAccount
- run: |
- az storage account network-rule remove \
- --resource-group "${{ env.SUBSCRIPTION}}-tfstate" \
- --account-name "${{ env.SUBSCRIPTION}}radixinfra" \
- --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
+ shell: bash
+ env:
+ ARM_USE_OIDC: true
+ ARM_USE_AZUREAD: true
+ ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+ ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+ ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+ SUBSCRIPTION: ${{ matrix.target.subscription}}
+ ENVIRONMENT: ${{matrix.target.folderName}}
+ run: ./terraform.sh
- terrform-s940:
- name: Check infrastructure consistency
- runs-on: ubuntu-latest
- environment: s940
- strategy:
- matrix:
- ENVIROMENT: [prod, c2]
- env:
- # ENVIROMENT: dev #variable passed to scipt
- SUBSCRIPTION: s940 #variable passed to scipt
- terraform_version: ~1.3.0
- ARM_USE_OIDC: true
- ARM_USE_AZUREAD: true
- ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
- ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
- storage_account_name: ${{ inputs.subscription }}radixinfra
-
- permissions:
- id-token: write
- contents: read
- steps:
- - name: Checkout
- uses: actions/checkout@v4 #Clone Repo
-
-
- - name: 'Az login'
- uses: azure/login@v2
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- - name: Get GitHub Public IP
- id: github_public_ip
- run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
-
- - name: Add GitHub IP to StorageAccount
- run: |
- az storage account network-rule add \
- --resource-group "${{ env.SUBSCRIPTION}}-tfstate" \
- --account-name "${{ env.SUBSCRIPTION}}radixinfra" \
- --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
-
- - name: Lets sleep for 30 seconds for FW rule to complete
- run: sleep 30s
-
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v3
- with:
- terraform_version: ${{ env.terraform_version }}
-
- - name: Check terrorm in ${{ matrix.ENVIROMENT}}
- working-directory: terraform/subscriptions/scripts
- run: ENVIROMENT=${{ matrix.ENVIROMENT}} ./terraform.sh
-
- name: Revoke GitHub IP on StorageAccount
+ if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
run: |
az storage account network-rule remove \
- --resource-group "${{ env.SUBSCRIPTION}}-tfstate" \
- --account-name "${{ env.SUBSCRIPTION}}radixinfra" \
+ --resource-group "${{ matrix.target.subscription }}-tfstate" \
+ --account-name "${{ matrix.target.subscription }}radixinfra" \
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
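Review bot: The variable handed to `./terraform.sh` is renamed from `ENVIROMENT` (old run line) to `ENVIRONMENT` in the new `env:` block, but the script in `terraform/subscriptions/scripts` is outside this diff; unless it was updated in the same commit it will read an unset variable and the consistency check will run against the wrong (or no) environment — worth confirming the script's variable name before merging. `terraform_version: 'latest'` replaces the pinned `~1.3.0`, so a new Terraform release can change the outcome of this check without any change in the repository; pinning a version range again, e.g. `terraform_version: '~1.3.0'` bumped to whatever is in use, keeps the check reproducible. The revoke guard keyed on `update_firewall` is on the correct step in this file.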
diff --git a/.github/workflows/clean-cache-registry.yml b/.github/workflows/clean-cache-registry.yml
index 9c392548a..cf6d7fafd 100644
--- a/.github/workflows/clean-cache-registry.yml
+++ b/.github/workflows/clean-cache-registry.yml
@@ -1,3 +1,5 @@
+name: Clean old cache in App registries
+
on:
workflow_dispatch:
schedule:
@@ -8,12 +10,21 @@ permissions:
contents: read
jobs:
- purge-prod:
+ purge:
runs-on: ubuntu-latest
- environment: s940
strategy:
+ fail-fast: false
matrix:
- registry: [radixc2app, radixprodapp]
+ target:
+ - name: "dev"
+ registry: "radixdevapp"
+ - name: "playground"
+ registry: "radixplaygroundapp"
+ - name: "platform"
+ registry: "radixprodapp"
+ - name: "c2"
+ registry: "radixc2app"
+ environment: ${{matrix.target.name }}
steps:
- uses: actions/checkout@v4
@@ -33,63 +44,22 @@ jobs:
- name: 'Az CLI login'
uses: azure/login@v2
with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- - name: Add GitHub IP to ACR
- run: az acr network-rule add --name ${{ matrix.registry }} --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} --query provisioningState
-
- - name: Create ACR Token
- run: echo "token=$(az acr login --name=${{ matrix.registry }} --expose-token | jq -r '.accessToken')" >> $GITHUB_OUTPUT
- id: token
-
- - name: Purge old cache
- run: ./bin/acr purge --registry=${{ matrix.registry }}.azurecr.io --password=${{steps.token.outputs.token}} --username= --filter='*/cache:.*' --ago=7d --untagged
-
- - name: Revoke GitHub IP on ACR
- run: az acr network-rule remove --name ${{ matrix.registry }} --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} --query provisioningState
-
-
- purge-dev:
- runs-on: ubuntu-latest
- environment: s941
- strategy:
- matrix:
- registry: [radixdevapp, radixplaygroundapp]
-
- steps:
- - uses: actions/checkout@v4
- with:
- repository: Azure/acr-cli
- ref: v0.8
+ client-id: ${{ vars.AZURE_CLIENT_ID }}
+ tenant-id: ${{ vars.AZURE_TENANT_ID }}
+ subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- - uses: actions/setup-go@v5
-
- - name: Compile ACR binary
- run: make binaries
-
- - name: Get GitHub Public IP
- id: github_public_ip
- run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
-
- - name: 'Az CLI login'
- uses: azure/login@v2
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Add GitHub IP to ACR
- run: az acr network-rule add --name ${{ matrix.registry }} --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} --query provisioningState
+ id: update_firewall
+ run: az acr network-rule add --name ${{ matrix.target.registry }} --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} --query provisioningState
- name: Create ACR Token
- run: echo "token=$(az acr login --name=${{ matrix.registry }} --expose-token | jq -r '.accessToken')" >> $GITHUB_OUTPUT
+ run: echo "token=$(az acr login --name=${{ matrix.target.registry }} --expose-token | jq -r '.accessToken')" >> $GITHUB_OUTPUT
id: token
- name: Purge old cache
- run: ./bin/acr purge --registry=${{ matrix.registry }}.azurecr.io --password=${{steps.token.outputs.token}} --username= --filter='*/cache:.*' --ago=7d --untagged
+ run: ./bin/acr purge --registry=${{ matrix.target.registry }}.azurecr.io --password=${{steps.token.outputs.token}} --username= --filter='*/cache:.*' --ago=7d --untagged
- name: Revoke GitHub IP on ACR
- run: az acr network-rule remove --name ${{ matrix.registry }} --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} --query provisioningState
-
+ if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
+ run: az acr network-rule remove --name ${{ matrix.target.registry }} --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} --query provisioningState
diff --git a/.github/workflows/lock-resources.yml b/.github/workflows/lock-resources.yml
index 5eadad03c..bb570f05a 100644
--- a/.github/workflows/lock-resources.yml
+++ b/.github/workflows/lock-resources.yml
@@ -3,57 +3,57 @@ on:
schedule:
- cron: '0 18 * * *'
workflow_dispatch:
+ pull_request:
+
permissions:
id-token: write
contents: read
+
jobs:
- lock-clusters-prod:
+ lock-clusters:
runs-on: ubuntu-latest
- environment: lock-operations-prod
+ strategy:
+ fail-fast: false
+ matrix:
+ target:
+ - name: "platform"
+ zoneFile: "radix_zone_prod.env"
+ subscription: "s940"
+ - name: "c2"
+ zoneFile: "radix_zone_c2.env"
+ subscription: "s940"
+ environment: ${{matrix.target.name }}
env:
PROD_ENV: "radix_zone_prod.env"
C2_ENV: "radix_zone_c2.env"
+
steps:
- uses: actions/checkout@v4
- with:
- sparse-checkout: |
- scripts/aks
- scripts/radix-zone
- .github
- - name: 'Az CLI login'
+
+ - name: 'Az login'
uses: azure/login@v2
with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ client-id: ${{ vars.AZURE_CLIENT_ID }}
+ tenant-id: ${{ vars.AZURE_TENANT_ID }}
+ subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+
- name: Get GitHub Public IP
id: github_public_ip
run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
+
- name: Add GitHub IP to KeyVault in Prod
- id: update_prod_firewall
- run: |
- az keyvault network-rule add --name "radix-keyv-platform" \
- --resource-group "common-platform" \
- --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
- - name: Add GitHub IP to KeyVault in C2
- id: update_c2_firewall
- run: |
- az keyvault network-rule add --name "radix-keyv-c2" \
- --resource-group "common-c2" \
- --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
- - name: lock-resources-prod
- run: RADIX_ZONE_ENV=./scripts/radix-zone/radix_zone_prod.env .github/workflows/scripts/check_resource_lock.sh
- - name: lock-resources-c2
- run: RADIX_ZONE_ENV=./scripts/radix-zone/radix_zone_c2.env .github/workflows/scripts/check_resource_lock.sh
- - name: Revoke GitHub IP on KeyVault in Prod
- if: ${{ steps.update_prod_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
+ id: update_firewall
run: |
- az keyvault network-rule remove --name "radix-keyv-platform" \
- --resource-group "common-platform" \
+ az keyvault network-rule add --name "radix-keyv-${{matrix.target.name}}" \
+ --resource-group "common-${{matrix.target.name}}" \
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
- - name: Revoke GitHub IP on KeyVault in C2
- if: ${{ steps.update_c2_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
+
+ - name: lock-resources
+ run: RADIX_ZONE_ENV=./scripts/radix-zone/${{matrix.target.zoneFile}} .github/workflows/scripts/check_resource_lock.sh
+
+ - name: Revoke GitHub IP on KeyVault
+ if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
run: |
- az keyvault network-rule remove --name "radix-keyv-c2" \
- --resource-group "common-c2" \
+ az keyvault network-rule remove --name "radix-keyv-${{matrix.target.name}}" \
+ --resource-group "common-${{matrix.target.name}}" \
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
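Review bot: `pull_request:` is added as a trigger of a workflow whose only job runs `check_resource_lock.sh` against the platform and c2 zones, so every pull request will now attempt to apply resource locks in production (subject only to whatever protection the `platform` and `c2` environments enforce); if this was added to exercise the matrix refactor, drop it before merge or at least restrict it with a `paths:` filter. The job-level `env:` block (`PROD_ENV`, `C2_ENV`) is no longer referenced now that the zone file comes from `matrix.target.zoneFile` and can be removed. The step name `Add GitHub IP to KeyVault in Prod` is stale for the c2 matrix entry; `Add GitHub IP to KeyVault` matches the corresponding revoke step.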
diff --git a/.github/workflows/sqlLogStorageAccounts.yml b/.github/workflows/sqlLogStorageAccounts.yml
deleted file mode 100644
index 66cf637a7..000000000
--- a/.github/workflows/sqlLogStorageAccounts.yml
+++ /dev/null
@@ -1,235 +0,0 @@
-name: AzureSqlLogStorageAccounts
-
-on: [workflow_dispatch]
-
-# on:
-# push:
-# branches:
-# - master
-# paths:
-# - '.github/workflows/sqlLogStorageAccounts.yml'
-# pull_request:
-# branches:
-# - master
-# paths:
-# - '.github/workflows/sqlLogStorageAccounts.yml'
-
-env:
- # Prod
- prodRgName: rg-radix-shared-prod
- prodSubscriptionId: 'ded7ca41-37c8-4085-862f-b11d21ab341a'
-
- # Dev
- devRgName: rg-radix-shared-dev
- devSubscriptionId: '16ede44b-1f74-40a5-b428-46cca9a5741b'
-
- # Shared
- sqlLogStorageName: radixsqllogs #Also suffix with environment
- auditLogStorageName: radixauditlogs
-
-jobs:
-############## DEV STAGE ##############
-
- dev:
- runs-on: ubuntu-latest
- env:
- envName: dev
- steps:
-
- # Checks-out your repository under $GITHUB_WORKSPACE
- - uses: actions/checkout@v4
-
- # Set dynamic variables for the job
- - name: Set job variables
- shell: pwsh
- run: |
-
- # Set timestamp variable for jobs
- $currentTime = (get-date).ToString("dd-MM-yyyyThhMMZ")
- echo "timestamp=$currentTime" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-
- # Install powershell modules
- - name: Install powershell modules
- shell: pwsh
- run: |
-
- Install-Module az.resources -force
- Install-Module az.storage -force
-
- # Azure login for powershell
- - name: Azure login
- shell: pwsh
- run: |
- $azureAplicationId = "${{ secrets.DEV_AZURE_CREDENTIALS_CLIENT_ID }}"
- $azureTenantId = "${{ secrets.AZURE_TENANT_ID }}"
- $azurePassword = ConvertTo-SecureString "${{ secrets.DEV_AZURE_CREDENTIALS_CLIENT_SECRET }}" -AsPlainText -Force
- $psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword)
- Add-azAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal
-
-
- # Set subsctiption to develop and verify
- - name: Set Azure subscription
- shell: pwsh
- run: |
-
- Set-AzContext -SubscriptionId "${{ env.devSubscriptionId }}"
-
- $subscription = (Get-AzContext)
- if ($subscription.Subscription.Id -eq "${{ env.devSubscriptionId }}") {
- Write-Output "Using subscription $($subscription.subscription.Name)"
- exit 0
-
- }
- else {
- Write-Output "Subscription does not match. Terminating script"
- exit 1
- }
-
-
- # Create storage account for SQL logs
- - name: Storage Account for SQL logs
- shell: pwsh
- run: |
-
- # Set task variables
- $rg = "${{ env.devRgName }}"
- $templateFile = "$env:GITHUB_WORKSPACE/arm-templates/storageAccount.json"
- $storeAccountName = "${{ env.sqlLogStorageName }}${{ env.envName }}"
-
- # Deploy shared Storage Account for SQL Logging in dev
- New-AzResourceGroupDeployment `
- -Name "sql-log-${{ env.timestamp }}" `
- -ResourceGroupName $rg `
- -TemplateFile $templateFile `
- -storageAccountName $storeAccountName `
- -accountType Standard_LRS `
- -kind StorageV2 `
- -accessTier hot
-
- # Set soft delete protection on Storage Account
- $storageAcoount = Get-AzStorageAccount | where-object{$_.StorageAccountName -match "$storeAccountName"}
- $storageAcoount | Enable-AzStorageDeleteRetentionPolicy -RetentionDays 30
-
- # Azure logout
- - name: logout
- shell: pwsh
- run: |
- Logout-azAccount | Out-Null
-
-
-############## PROD STAGE ##############
-
- prod:
- needs: dev
- if: github.ref == 'refs/heads/master'
- runs-on: ubuntu-latest
- env:
- envName: prod
- steps:
-
- # Checks-out your repository under $GITHUB_WORKSPACE
- - uses: actions/checkout@v4
-
- # Set dynamic variables for the job
- - name: Set job variables
- shell: pwsh
- run: |
-
- # Set timestamp variable for jobs
- $currentTime = (get-date).ToString("dd-MM-yyyyThhMMZ")
- Write-Output "::set-env name=timestamp::$currentTime"
-
- # Install powershell modules
- - name: Install powershell modules
- shell: pwsh
- run: |
-
- Install-Module az.resources -force
- Install-Module az.storage -force
-
- # Azure login for powershell
- - name: Azure login
- shell: pwsh
- run: |
- $azureAplicationId = "${{ secrets.PROD_AZURE_CREDENTIALS_CLIENT_ID }}"
- $azureTenantId = "${{ secrets.AZURE_TENANT_ID }}"
- $azurePassword = ConvertTo-SecureString "${{ secrets.PROD_AZURE_CREDENTIALS_CLIENT_SECRET }}" -AsPlainText -Force
- $psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword)
- Add-azAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal
-
-
- # Set subsctiption to prouction and verify
- - name: Set Azure subscription
- shell: pwsh
- run: |
-
- Set-AzContext -SubscriptionId "${{ env.prodSubscriptionId }}"
-
- $subscription = (Get-AzContext)
- if ($subscription.Subscription.Id -eq "${{ env.prodSubscriptionId }}") {
- Write-Output "Using subscription $($subscription.subscription.Name)"
- exit 0
-
- }
- else {
- Write-Output "Subscription does not match. Terminating script"
- exit 1
- }
-
-
- # Create storage account for SQL logs
- - name: Storage Account for SQL logs
- shell: pwsh
- run: |
-
- # Set task variables
- $rg = "${{ env.prodRgName }}"
- $templateFile = "$env:GITHUB_WORKSPACE/arm-templates/storageAccount.json"
- $storeAccountName = "${{ env.sqlLogStorageName }}${{ env.envName }}"
-
- # Deploy shared Storage Account for SQL Logging in prod
- New-AzResourceGroupDeployment `
- -Name "sql-log-${{ env.timestamp }}" `
- -ResourceGroupName $rg `
- -TemplateFile $templateFile `
- -storageAccountName $storeAccountName `
- -accountType Standard_LRS `
- -kind StorageV2 `
- -accessTier hot
-
- # Set soft delete protection on Storage Account
- $storageAcoount = Get-AzStorageAccount | where-object{$_.StorageAccountName -match "$storeAccountName"}
- $storageAcoount | Enable-AzStorageDeleteRetentionPolicy -RetentionDays 30
-
-
- # Create storage account for Azure audit logs
- - name: Storage Account for Audit logs
- shell: pwsh
- run: |
-
- # Set task variables
- $rg = "${{ env.prodRgName }}"
- $templateFile = "$env:GITHUB_WORKSPACE/arm-templates/storageAccount.json"
- $storeAccountName = "${{ env.auditLogStorageName }}${{ env.envName }}""
-
- # Deploy Storage Account for Audit logs
- New-AzResourceGroupDeployment `
- -Name "sql-log-${{ env.timestamp }}" `
- -ResourceGroupName $rg `
- -TemplateFile $templateFile `
- -storageAccountName $storeAccountName `
- -accountType Standard_LRS `
- -kind StorageV2 `
- -accessTier cool
-
- # Set soft delete protection on Storage Account
- $storageAcoount = Get-AzStorageAccount | where-object{$_.StorageAccountName -match "$storeAccountName"}
- $storageAcoount | Enable-AzStorageDeleteRetentionPolicy -RetentionDays 30
-
-
-
- # Azure logout
- - name: logout
- shell: pwsh
- run: |
- Logout-azAccount | Out-Null
\ No newline at end of file
diff --git a/.github/workflows/startclusters.yml b/.github/workflows/startclusters.yml
index aebc110ae..33c1b363c 100644
--- a/.github/workflows/startclusters.yml
+++ b/.github/workflows/startclusters.yml
@@ -16,6 +16,7 @@ jobs:
ENVIROMENT: dev
steps:
- uses: actions/checkout@v4 #Clone Repo
+
- name: 'Az CLI login'
uses: azure/login@v2
with:
@@ -26,8 +27,9 @@ jobs:
- name: Get GitHub Public IP
id: github_public_ip
run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
-
+
- name: Add GitHub IP to KeyVault
+ id: update_firewall
run: |
az keyvault network-rule add --name "radix-keyv-${{ env.ENVIROMENT}}" \
--resource-group "${{ env.KV_GROUP}}" \
@@ -38,8 +40,9 @@ jobs:
- name: Start clusters
run: RADIX_ZONE_ENV=./scripts/radix-zone/radix_zone_dev.env TASK=start .github/workflows/scripts/dailytasks.sh
-
+
- name: Revoke GitHub IP on KeyVault
+ if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
run: |
az keyvault network-rule remove --name "radix-keyv-${{ env.ENVIROMENT}}" \
--resource-group "${{ env.KV_GROUP}}" \
diff --git a/.github/workflows/stopclusters.yml b/.github/workflows/stopclusters.yml
index 363ed79c4..10a371826 100644
--- a/.github/workflows/stopclusters.yml
+++ b/.github/workflows/stopclusters.yml
@@ -18,6 +18,7 @@ jobs:
ENVIROMENT: dev
steps:
- uses: actions/checkout@v4 #Clone Repo
+
- name: 'Az CLI login'
uses: azure/login@v2
with:
@@ -28,8 +29,9 @@ jobs:
- name: Get GitHub Public IP
id: github_public_ip
run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
-
+
- name: Add GitHub IP to KeyVault
+ id: update_firewall
run: |
az keyvault network-rule add --name "radix-keyv-${{ env.ENVIROMENT}}" \
--resource-group "${{ env.KV_GROUP}}" \
@@ -42,6 +44,7 @@ jobs:
run: RADIX_ZONE_ENV=./scripts/radix-zone/radix_zone_dev.env TASK=stop .github/workflows/scripts/dailytasks.sh
- name: Revoke GitHub IP on KeyVault
+ if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
run: |
az keyvault network-rule remove --name "radix-keyv-${{ env.ENVIROMENT}}" \
--resource-group "${{ env.KV_GROUP}}" \
diff --git a/.github/workflows/storageaccounts.yml b/.github/workflows/storageaccounts.yml
deleted file mode 100644
index 842072624..000000000
--- a/.github/workflows/storageaccounts.yml
+++ /dev/null
@@ -1,144 +0,0 @@
-name: Storage Accounts
-on:
- workflow_dispatch:
- inputs:
- subscription:
- description: 'Subscription'
- type: choice
- required: true
- options:
- - 's940'
- - 's941'
- default: 's941'
-
- terraformapply:
- description: 'Terraform apply'
- type: boolean
- required: true
- default: false
-
- secrets:
- AZURE_CLIENT_ID:
- description: The client ID of the Azure AD service principal to use for authenticating to Azure.
- required: true
-
- AZURE_SUBSCRIPTION_ID:
- description: The ID of the Azure subscription to create the resources in.
- required: true
-
- AZURE_TENANT_ID:
- description: The ID of the Azure tenant to create the resources in.
- required: true
-
-env:
- container_name: infrastructure
-
-jobs:
- GetEnvironment:
- name: GetEnvironments
- runs-on: ubuntu-latest
-
- outputs:
- radix_environment: ${{ steps.set-matrix.outputs.radix_environment }}
-
- steps:
- - uses: actions/checkout@v4
- - id: set-matrix
- name: Get radix environment
- run: echo "radix_environment=$(ls ./terraform/${{ env.container_name }}/${{ inputs.subscription }} | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
-
- StorageAccounts:
- needs: GetEnvironment
- name: StorageAccounts
- runs-on: ubuntu-latest
- environment: ${{ inputs.subscription }}
- strategy:
- matrix:
- radix_environment: ${{ fromJson(needs.GetEnvironment.outputs.radix_environment) }}
-
- # Set permissions required to login to Azure using OIDC.
- permissions:
- id-token: write
- contents: read
-
- defaults:
- run:
- shell: bash
- working-directory: ./terraform/${{ env.container_name }}/${{ inputs.subscription }}/${{ matrix.radix_environment }}/${{ env.path }}
-
- # Configure OIDC authentication to Azure using environment variables.
- # Required by the AzureRM backend and provider.
- env:
- terraform_version: ~1.3.0
- ARM_USE_OIDC: true
- ARM_USE_AZUREAD: true
- ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
- ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
- resource_group_name: ${{ inputs.subscription }}-tfstate
- storage_account_name: ${{ inputs.subscription }}radixinfra
- path: storageaccounts
- key: terraform.tfstate
-
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: 'Az login'
- uses: azure/login@v2
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- - name: Get GitHub Public IP
- id: github_public_ip
- run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
-
- - name: Add GitHub IP to StorageAccount
- run: |
- az storage account network-rule add \
- --resource-group "${{ env.resource_group_name }}" \
- --account-name "${{ env.storage_account_name }}" \
- --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
-
- - name: Lets sleep for 30 seconds for FW rule to complete
- run: sleep 30s
-
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v3
- with:
- terraform_version: ${{ env.terraform_version }}
-
- - name: Terraform Init
- run: |
- terraform init \
- -backend-config='container_name=${{ env.container_name }}' \
- -backend-config='key=${{ env.path }}/${{ env.key }}' \
- -backend-config='resource_group_name=${{ env.resource_group_name }}' \
- -backend-config='storage_account_name=${{ env.storage_account_name }}'
-
- - name: Terraform Validate
- run: terraform validate
-
- - name: Terraform Plan
- if: inputs.terraformapply == false
- run: |
- terraform plan \
- --var-file=../../../../radix-zone/radix_zone_${{ matrix.radix_environment }}.tfvars \
- -lock=false
-
- - name: Terraform Apply
- if: (inputs.terraformapply && github.ref == 'refs/heads/master')
- run: |
- terraform apply \
- --var-file=../../../../radix-zone/radix_zone_${{ matrix.radix_environment }}.tfvars \
- -auto-approve \
- -lock=false
-
- - name: Revoke GitHub IP on StorageAccount
- run: |
- az storage account network-rule remove \
- --resource-group "${{ env.resource_group_name }}" \
- --account-name "${{ env.storage_account_name }}" \
- --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
deleted file mode 100644
index 49607138f..000000000
--- a/.github/workflows/terraform.yml
+++ /dev/null
@@ -1,238 +0,0 @@
-# Install Terraform, configure OpenID Connect (OIDC) authentication to Azure, create a Terraform plan, and apply the plan on push to branch 'master'.
-
-on:
- workflow_call:
- inputs:
- cluster_name:
- description: Name of the cluster
- type: string
- required: true
-
- environment:
- description: The environment that the job references.
- type: string
- required: true
-
- radix_environment:
- description: The radix_environment that the job references.
- type: string
- required: true
-
- subscription:
- description: The subscription to deploy in
- type: string
- required: true
-
- terraform_version:
- description: The version of Terraform to install.
- type: string
- required: false
- default: latest
-
- working_directory:
- description: The working directory to run the Terraform commands in.
- type: string
- required: false
- default: '.'
-
- secrets:
- AZURE_CLIENT_ID:
- description: The client ID of the Azure AD service principal to use for authenticating to Azure.
- required: true
-
- AZURE_SUBSCRIPTION_ID:
- description: The ID of the Azure subscription to create the resources in.
- required: true
-
- AZURE_TENANT_ID:
- description: The ID of the Azure tenant to create the resources in.
- required: true
-
-jobs:
- Terraform:
- name: Terraform
- runs-on: ubuntu-latest
- environment: ${{ inputs.environment }}
-
- # Queue jobs that target the same Terraform configuration.
- concurrency:
- group: terraform @ ${{ inputs.working_directory }}
- cancel-in-progress: false
-
- # Set permissions required to login to Azure using OIDC.
- permissions:
- id-token: write
- contents: read
-
- defaults:
- run:
- shell: bash
- working-directory: ${{ inputs.working_directory }}
-
- # Configure OIDC authentication to Azure using environment variables.
- # Required by the AzureRM backend and provider.
- env:
- root_src: '../../../../../..'
- ARM_USE_OIDC: true
- ARM_USE_AZUREAD: true
- ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
- ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
- container_name: clusters
- key: ${{ inputs.radix_environment }}.${{ inputs.cluster_name }}.terraform.tfstate
- resource_group_name: ${{ inputs.subscription }}-tfstate
- storage_account_name: ${{ inputs.subscription }}radixinfra
-
- outputs:
- tf-fmt: ${{ steps.fmt.outcome }}
- tf-init: ${{ steps.init.outcome }}
- tf-validate: ${{ steps.validate.outcome }}
- tf-plan: ${{ steps.plan.outcome }}
- plan: ${{ steps.get_content.outputs.plan }}
-
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Az CLI login
- uses: azure/login@v2
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-
- - name: Get GitHub Public IP
- id: github_public_ip
- run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
-
- - name: Add GitHub IP to StorageAccount
- run: |
- az storage account network-rule add \
- --resource-group "${{ env.resource_group_name }}" \
- --account-name "${{ env.storage_account_name }}" \
- --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
-
- - name: Lets sleep for 30 seconds for FW rule to complete
- run: sleep 30s
-
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v3
- with:
- terraform_version: ${{ inputs.terraform_version }}
- terraform_wrapper: false
-
- - name: Terraform Format
- id: fmt
- run: terraform fmt -check
-
- - name: Terraform Init
- id: init
- run: |
- terraform init \
- -backend-config='container_name=${{ env.container_name }}' \
- -backend-config='key=${{ env.key }}' \
- -backend-config='resource_group_name=${{ env.resource_group_name }}' \
- -backend-config='storage_account_name=${{ env.storage_account_name }}'
-
- - name: Terraform Validate
- id: validate
- run: terraform validate -no-color
-
- - name: Terraform Plan
- id: plan
- if: github.event_name == 'pull_request'
- run: |
- terraform plan \
- --var-file=${{ env.root_src }}/terraform/radix-zone/radix_zone_dev.tfvars \
- -no-color \
- -out tf.plan
- continue-on-error: true
-
- - name: Terraform Show
- id: show
- if: github.event_name == 'pull_request'
- run: terraform show -no-color tf.plan 2>&1 > /tmp/plan.txt
-
- - name: Get content
- id: get_content
- if: github.event_name == 'pull_request'
- run: |
- plan=$(cat /tmp/plan.txt)
-
- create=""
- createOut=""
- destroy=""
- destroyOut=""
- update=""
- updateOut=""
- changesOut=""
-
- while read -r line; do
- if [[ "$line" == *"will be created"* ]]; then
- create+="${line//"# "/"+ "}
"
- elif [[ "$line" == *"will be destroyed"* ]]; then
- destroy+="${line//"# "/"- "}
"
- elif [[ "$line" == *"will be updated in-place"* ]]; then
- update+="${line//"# "/"~ "}
"
- fi
- done < <(echo "${plan}")
-
- numberOfChanges=$((${#create} + ${#destroy} + ${#update}))
-
- if [ ${#create} -gt 0 ]; then
- createOut+="The following resources will be created
${create}"
- fi
-
- if [ ${#destroy} -gt 0 ]; then
- destroyOut+="The following resources will be destroyed
${destroy}"
- fi
-
- if [ ${#update} -gt 0 ]; then
- updateOut+="The following resources will be updated
${update}"
- fi
-
- if [ ${numberOfChanges} -eq 0 ]; then
- changesOut+="No changes. Your infrastructure matches the configuration.
"
- fi
-
- out="$createOut $destroyOut $updateOut $changesOut"
-
- echo "plan=$(echo ${out})" >> $GITHUB_OUTPUT
-
- - name: Terraform Apply
- if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'schedule'
- run: terraform apply --var-file=../../../../../radix-zone/radix_zone_${{ inputs.radix_environment }}.tfvars -auto-approve
-
- - name: Revoke GitHub IP on StorageAccount
- run: |
- az storage account network-rule remove \
- --resource-group "${{ env.resource_group_name }}" \
- --account-name "${{ env.storage_account_name }}" \
- --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
-
- Create_comment:
- if: github.event_name == 'pull_request'
- needs: [Terraform]
- name: Create comment
- runs-on: ubuntu-latest
- steps:
- - name: Create comment
- uses: actions/github-script@v7
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- github.rest.issues.createComment({
- owner: context.repo.owner,
- issue_number: github.event.pull_request.number,
- repo: context.repo.repo,
- body: |
- #### Directory: ${{ inputs.working_directory }}
- #### Terraform Format and Style š ${{ needs.Terraform.outputs.tf-fmt }}
- #### Terraform Initialization āļø ${{ needs.Terraform.outputs.tf-init }}
- #### Terraform Validation š¤ ${{ needs.Terraform.outputs.tf-validate }}
- #### Terraform Plan š ${{ needs.Terraform.outputs.tf-plan }}
-
- Show Plan
- ${{ needs.Terraform.outputs.plan }}
-
- })
diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf
index b50ba073f..2b7af2efe 100644
--- a/terraform/subscriptions/s940/c2/common/main.tf
+++ b/terraform/subscriptions/s940/c2/common/main.tf
@@ -208,6 +208,10 @@ module "radix_id_gitrunner" {
role = "Contributor"
scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
}
+ app_registry_contributor = {
+ role = "Contributor"
+ scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/common/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}app"
+ }
}
federated_credentials = {
radix-id-gitrunner = {
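Review bot: The new `app_registry_contributor` assignment grants `Contributor` on the ACR to the gitrunner identity, which is broader than image push/pull; `Contributor` also allows changing the registry's network rules, webhooks and other settings. If the workflow only needs to push or pull images, the built-in `AcrPush` (or `AcrPull`) role on the same scope is the narrower choice: `role = "AcrPush"`. If full control really is required, a one-line comment stating which operation needs it would help the next reviewer. The same assignment is added in the s940/prod, s941/dev and s941/playground main.tf hunks; the enclosing `role_assignments` map starts outside this hunk.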
diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf
index 9607b4e3f..6849d4d31 100644
--- a/terraform/subscriptions/s940/prod/common/main.tf
+++ b/terraform/subscriptions/s940/prod/common/main.tf
@@ -205,6 +205,10 @@ module "radix_id_gitrunner" {
role = "Contributor"
scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
}
+ app_registry_contributor = {
+ role = "Contributor"
+ scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/common/providers/Microsoft.ContainerRegistry/registries/radixprodapp" # TODO: Replace resource name when fixed
+ }
}
federated_credentials = {
radix-id-gitrunner = {
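Review bot: The prod `scope_id` hard-codes `radixprodapp` while the sibling files build the name from `module.config.environment`, and the `TODO` does not say what is "fixed" or why the expression cannot be used here, so nobody can tell when the workaround can be removed. I would expand it to name the blocker, e.g. `# TODO: use radix${module.config.environment}app once <reason the computed name does not match the prod registry> is resolved`, filling in the actual reason. The enclosing map starts outside this hunk.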
diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf
index 900ebd051..ae7723cd8 100644
--- a/terraform/subscriptions/s941/dev/common/main.tf
+++ b/terraform/subscriptions/s941/dev/common/main.tf
@@ -205,6 +205,10 @@ module "radix_id_gitrunner" {
role = "Contributor"
scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
}
+ app_registry_contributor = {
+ role = "Contributor"
+ scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/common/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}app"
+ }
}
federated_credentials = {
radix-id-gitrunner = {
diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf
index 55bde652c..a52f4f99a 100644
--- a/terraform/subscriptions/s941/playground/common/main.tf
+++ b/terraform/subscriptions/s941/playground/common/main.tf
@@ -105,52 +105,52 @@ module "radix-id-acr-workflows" {
name = "radix-cluster-cleanup-release"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix-cluster-cleanup:ref:refs/heads/release"
- },
+ }
radix-cicd-canary-release = {
name = "radix-cicd-canary-release"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix-cicd-canary:ref:refs/heads/release"
- },
+ }
radix-vulnerability-scanner-release = {
name = "radix-vulnerability-scanner-release"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release"
- },
+ }
radix-image-builder-release = {
name = "radix-image-builder-release"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix-image-builder:ref:refs/heads/release"
- },
+ }
radix-tekton-release = {
name = "radix-tekton-release"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix-tekton:ref:refs/heads/release"
- },
+ }
radix-operator-master = {
name = "radix-operator-master"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix-operator:ref:refs/heads/master"
- },
+ }
radix-operator-release = {
name = "radix-operator-release"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix-operator:ref:refs/heads/release"
- },
+ }
radix-velero-plugin-release = {
name = "radix-velero-plugin-release"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix-velero-plugin:ref:refs/heads/release"
- },
+ }
radix-job-scheduler-release = {
name = "radix-job-scheduler-release"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix-job-scheduler:ref:refs/heads/release"
- },
+ }
radix-buildkit-builder-release = {
name = "radix-buildkit-builder-release"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:equinor/radix-buildkit-builder:ref:refs/heads/release"
- },
+ }
}
}
@@ -196,6 +196,10 @@ module "radix_id_gitrunner" {
role = "Contributor"
scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
}
+ app_registry_contributor = {
+ role = "Contributor"
+ scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/common/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}app"
+ }
}
federated_credentials = {
radix-id-gitrunner = {
diff --git a/terraform/subscriptions/scripts/terraform.sh b/terraform/subscriptions/scripts/terraform.sh
index a10666646..59f01e8d1 100755
--- a/terraform/subscriptions/scripts/terraform.sh
+++ b/terraform/subscriptions/scripts/terraform.sh
@@ -4,8 +4,8 @@ grn=$'\e[1;32m'
yel=$'\e[1;33m'
normal=$(tput sgr0)
-if [[ -z "$ENVIROMENT" ]]; then
- echo "ERROR: Please provide ENVIROMENT" >&2
+if [[ -z "$ENVIRONMENT" ]]; then
+ echo "ERROR: Please provide ENVIRONMENT" >&2
exit 1
fi
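Review bot: Renaming the required variable from `ENVIROMENT` to `ENVIRONMENT` is a breaking change for any caller that still exports the old spelling, and the old name is still in use elsewhere in this diff (the `ENVIROMENT: dev` job env in startclusters.yml and stopclusters.yml), so it is plausible some invocation still sets it. A one-line fallback before the check keeps both working during the transition: `ENVIRONMENT="${ENVIRONMENT:-${ENVIROMENT:-}}"`. The script's preamble is outside this hunk, so I cannot tell whether a `set -u` would interact with that.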
@@ -14,19 +14,21 @@ if [[ -z "$SUBSCRIPTION" ]]; then
exit 1
fi
-
-
# Set the directory you want to search
-# directory="../${SUBSCRIPTION}/${ENVIROMENT}"
+# directory="../${SUBSCRIPTION}/${ENVIRONMENT}"
# directory="../s940/dev/"
-directory="../${SUBSCRIPTION}/${ENVIROMENT}"
+directory="../${SUBSCRIPTION}/${ENVIRONMENT}"
for dir in "$directory"/*; do
if [ ! -d "$dir" ]; then continue; fi
+ echo ""
printf "%sāŗ Execute %s%s\n" "${grn}" "$dir" "${normal}"
- terraform -chdir="$dir" init &>/dev/null || echo "Error during terraform init in $dir"
- terraform -chdir="$dir" plan -no-color -out=plan.out &>/dev/null || echo "Error during terraform plan in $dir"
+ terraform -chdir="$dir" init
+ terraform -chdir="$dir" plan -no-color -out=plan.out
+
+ # Add some vertical space incase the previus steps failed
+ echo ""
if [ ! -f "$dir/plan.out" ]; then
echo "plan.out was not created in $dir"
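Review bot: With the `|| echo` fallbacks removed, a failing `terraform init` now falls straight through to `terraform plan` in the same directory, which fails a second time for the same root cause and doubles the noise the `echo ""` lines are meant to separate; unless the script's preamble (outside this hunk) enables `set -e`, neither failure stops the loop. Skipping to the next directory on init failure keeps one error per directory: `terraform -chdir="$dir" init || { echo "Error during terraform init in $dir" >&2; continue; }`. The new comment also has two typos: `# Add some vertical space in case the previous steps failed`.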
@@ -48,4 +50,4 @@ for dir in "$directory"/*; do
if [ -n "$replace" ]; then echo -e "The following resources will be replaced:\n ${red}${replace}${normal}\n"; fi
if [ -z "$create$destroy$update$replace" ]; then echo -e "No changes. Your infrastructure matches the configuration.\n"; fi
rm "$dir/plan.out"
-done
\ No newline at end of file
+done