Move azurerm federated identity credential (#1553)

* Move azurerm_federated_identity_credential to pre-cluster section * Remove module.aks from depenendcy * Update azapi in active clusters * Remove config from playground --------- Co-authored-by: Automatic Update <radix@statoilsrm.onmicrosoft.com>
equinor · Dec 18, 2024 · 1ce014a · 1ce014a
1 parent 86ad281
commit 1ce014a
Show file tree

Hide file tree

Showing 15 changed files with 127 additions and 103 deletions.
diff --git a/terraform/subscriptions/modules/active-clusters/backend.tf b/terraform/subscriptions/modules/active-clusters/backend.tf
@@ -5,7 +5,8 @@ terraform {
       version = ">=3.110.0"
     }
     azapi = {
-      source = "Azure/azapi"
+      source  = "Azure/azapi"
+      version = ">=2.0"
     }
   }
 }
diff --git a/terraform/subscriptions/modules/active-clusters/main.tf b/terraform/subscriptions/modules/active-clusters/main.tf
@@ -6,13 +6,13 @@ data "azapi_resource_list" "clusters" {
   response_export_values = ["*"]
 }
 output "ids" {
-  value = { for k, v in jsondecode(data.azapi_resource_list.clusters.output).value : v.name => v.id }
+  value = { for k, v in data.azapi_resource_list.clusters.output.value : v.name => v.id }
 }
 output "oidc_issuer_url" {
-  value = { for k, v in jsondecode(data.azapi_resource_list.clusters.output).value : v.name => v.properties.oidcIssuerProfile.issuerURL }
+  value = { for k, v in data.azapi_resource_list.clusters.output.value : v.name => v.properties.oidcIssuerProfile.issuerURL }
 }
 output "data" {
-  value = { for k, v in jsondecode(data.azapi_resource_list.clusters.output).value : v.name => v }
+  value = { for k, v in data.azapi_resource_list.clusters.output.value : v.name => v }
 }
 
 #Current Vnets
@@ -23,7 +23,7 @@ data "azapi_resource_list" "vnets" {
 }
 
 output "vnets_url" {
-  value = { for k, v in jsondecode(data.azapi_resource_list.vnets.output).value : v.name => v.id }
+  value = { for k, v in data.azapi_resource_list.vnets.output.value : v.name => v.id }
 }
 
 #Current NSGs
@@ -35,7 +35,7 @@ data "azapi_resource_list" "nsg" {
 }
 
 output "nsg" {
-  value = { for k, v in jsondecode(data.azapi_resource_list.nsg.output).value : v.name => v.id }
+  value = { for k, v in data.azapi_resource_list.nsg.output.value : v.name => v.id }
 }
 
 
diff --git a/terraform/subscriptions/s941/dev/post-clusters/.terraform.lock.hcl b/terraform/subscriptions/s941/dev/post-clusters/.terraform.lock.hcl
diff --git a/terraform/subscriptions/s941/dev/post-clusters/grafana.tf b/terraform/subscriptions/s941/dev/post-clusters/grafana.tf
@@ -14,18 +14,4 @@ module "grafana" {
   owners       = keys(jsondecode(data.azurerm_key_vault_secret.radixowners.value))
 }
 
-data "azurerm_user_assigned_identity" "grafana" {
-  resource_group_name = "monitoring"
-  name                = "radix-id-grafana-admin-${module.config.environment}"
-}
-
-resource "azurerm_federated_identity_credential" "grafana-mi-fedcred" {
-  for_each = module.clusters.oidc_issuer_url
 
-  audience            = ["api://AzureADTokenExchange"]
-  name                = "k8s-grafana-${each.key}"
-  issuer              = each.value
-  subject             = "system:serviceaccount:monitor:grafana"
-  parent_id           = data.azurerm_user_assigned_identity.grafana.id
-  resource_group_name = data.azurerm_user_assigned_identity.grafana.resource_group_name
-}
diff --git a/terraform/subscriptions/s941/dev/post-clusters/velero.tf b/terraform/subscriptions/s941/dev/post-clusters/velero.tf
@@ -1,19 +1,3 @@
-data "azurerm_user_assigned_identity" "velero" {
-  resource_group_name = module.config.common_resource_group
-  name                = "radix-id-velero-${module.config.environment}"
-}
-
-resource "azurerm_federated_identity_credential" "velero-mi-fedcred" {
-  for_each = module.clusters.oidc_issuer_url
-
-  audience            = ["api://AzureADTokenExchange"]
-  name                = "k8s-velero-${each.key}-${module.config.environment}"
-  issuer              = each.value
-  subject             = "system:serviceaccount:velero:velero"
-  parent_id           = data.azurerm_user_assigned_identity.velero.id
-  resource_group_name = module.config.common_resource_group
-}
-
 resource "azurerm_storage_container" "velero" {
   for_each              = module.clusters.oidc_issuer_url
   name                  = each.key

diff --git a/...v/post-clusters/azure-service-operator.tf → ...ev/pre-clusters/azure-service-operator.tf b/...v/post-clusters/azure-service-operator.tf → ...ev/pre-clusters/azure-service-operator.tf
@@ -12,4 +12,5 @@ resource "azurerm_federated_identity_credential" "azure-service-operator-fedcred
   subject             = "system:serviceaccount:azure-service-operator-system:azureserviceoperator-default"
   parent_id           = data.azurerm_user_assigned_identity.azure-service-operator.id
   resource_group_name = data.azurerm_user_assigned_identity.azure-service-operator.resource_group_name
+  depends_on          = [module.aks]
 }
diff --git a/terraform/subscriptions/s941/dev/pre-clusters/backend.tf b/terraform/subscriptions/s941/dev/pre-clusters/backend.tf
@@ -37,3 +37,9 @@ module "config" {
   source = "../../../modules/config"
 }
 
+module "clusters" {
+  source              = "../../../modules/active-clusters"
+  resource_group_name = module.config.cluster_resource_group
+  subscription        = module.config.subscription
+}
+
diff --git a/...ns/s941/dev/post-clusters/cert-manager.tf → ...ons/s941/dev/pre-clusters/cert-manager.tf b/...ns/s941/dev/post-clusters/cert-manager.tf → ...ons/s941/dev/pre-clusters/cert-manager.tf
@@ -12,4 +12,5 @@ resource "azurerm_federated_identity_credential" "cert-manager-mi-fedcred" {
   subject             = "system:serviceaccount:cert-manager:cert-manager"
   parent_id           = data.azurerm_user_assigned_identity.cert-manager-mi.id
   resource_group_name = data.azurerm_user_assigned_identity.cert-manager-mi.resource_group_name
+  depends_on          = [module.aks]
 }
diff --git a/...s941/dev/post-clusters/cost-allocation.tf → .../s941/dev/pre-clusters/cost-allocation.tf b/...s941/dev/post-clusters/cost-allocation.tf → .../s941/dev/pre-clusters/cost-allocation.tf
@@ -14,6 +14,7 @@ resource "azurerm_federated_identity_credential" "cost-allocation-writer" {
   subject             = "system:serviceaccount:radix-cost-allocation:radix-cost-allocation"
   parent_id           = data.azurerm_user_assigned_identity.cost-allocation-writer.id
   resource_group_name = data.azurerm_user_assigned_identity.cost-allocation-writer.resource_group_name
+  depends_on          = [module.aks]
 }
 
 ### Vulnerability Scanner API - Reader
@@ -31,6 +32,7 @@ resource "azurerm_federated_identity_credential" "cost-allocation-api-reader-pro
   subject             = "system:serviceaccount:radix-cost-allocation-api-prod:server-sa"
   parent_id           = data.azurerm_user_assigned_identity.cost-allocation-api-reader.id
   resource_group_name = data.azurerm_user_assigned_identity.cost-allocation-api-reader.resource_group_name
+  depends_on          = [module.aks]
 }
 resource "azurerm_federated_identity_credential" "cost-allocation-api-reader-qa" {
   for_each = module.clusters.oidc_issuer_url
@@ -41,5 +43,6 @@ resource "azurerm_federated_identity_credential" "cost-allocation-api-reader-qa"
   subject             = "system:serviceaccount:radix-cost-allocation-api-qa:server-sa"
   parent_id           = data.azurerm_user_assigned_identity.cost-allocation-api-reader.id
   resource_group_name = data.azurerm_user_assigned_identity.cost-allocation-api-reader.resource_group_name
+  depends_on          = [module.aks]
 }
 
diff --git a/...ost-clusters/external-secrets-operator.tf → ...pre-clusters/external-secrets-operator.tf b/...ost-clusters/external-secrets-operator.tf → ...pre-clusters/external-secrets-operator.tf
@@ -1,16 +1,3 @@
-resource "local_file" "templates" {
-  for_each = toset([
-    for file in fileset(path.module, "templates/**") :      # The subfolder in current dir
-    file if length(regexall(".*app-template.*", file)) == 0 # Ignore paths with "app-template"
-  ])
-
-  content = templatefile(each.key, {
-    identity_id = data.azurerm_user_assigned_identity.this.client_id
-  })
-
-  filename = replace("${path.module}/${each.key}", "templates", "rendered")
-}
-
 data "azurerm_user_assigned_identity" "this" {
   resource_group_name = module.config.common_resource_group
   name                = "radix-id-external-secrets-operator-${module.config.environment}"
@@ -25,4 +12,5 @@ resource "azurerm_federated_identity_credential" "eso" {
   parent_id           = data.azurerm_user_assigned_identity.this.id
   resource_group_name = module.config.common_resource_group
   subject             = "system:serviceaccount:external-secrets:workload-identity-sa"
-}
+  depends_on          = [module.aks]
+}
diff --git a/terraform/subscriptions/s941/dev/pre-clusters/grafana.tf b/terraform/subscriptions/s941/dev/pre-clusters/grafana.tf
@@ -0,0 +1,16 @@
+data "azurerm_user_assigned_identity" "grafana" {
+  resource_group_name = "monitoring"
+  name                = "radix-id-grafana-admin-${module.config.environment}"
+}
+
+resource "azurerm_federated_identity_credential" "grafana-mi-fedcred" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-grafana-${each.key}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:monitor:grafana"
+  parent_id           = data.azurerm_user_assigned_identity.grafana.id
+  resource_group_name = data.azurerm_user_assigned_identity.grafana.resource_group_name
+  depends_on          = [module.aks]
+}
diff --git a/...iptions/s941/dev/post-clusters/log-api.tf → ...riptions/s941/dev/pre-clusters/log-api.tf b/...iptions/s941/dev/post-clusters/log-api.tf → ...riptions/s941/dev/pre-clusters/log-api.tf
@@ -12,6 +12,7 @@ resource "azurerm_federated_identity_credential" "log-api-mi-prod" {
   subject             = "system:serviceaccount:radix-log-api-prod:server-sa"
   parent_id           = data.azurerm_user_assigned_identity.log-api-mi.id
   resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+  depends_on          = [module.aks]
 }
 resource "azurerm_federated_identity_credential" "log-api-mi-qa" {
   for_each = module.clusters.oidc_issuer_url
@@ -22,4 +23,5 @@ resource "azurerm_federated_identity_credential" "log-api-mi-qa" {
   subject             = "system:serviceaccount:radix-log-api-qa:server-sa"
   parent_id           = data.azurerm_user_assigned_identity.log-api-mi.id
   resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+  depends_on          = [module.aks]
 }
diff --git a/terraform/subscriptions/s941/dev/pre-clusters/velero.tf b/terraform/subscriptions/s941/dev/pre-clusters/velero.tf
@@ -0,0 +1,16 @@
+data "azurerm_user_assigned_identity" "velero" {
+  resource_group_name = module.config.common_resource_group
+  name                = "radix-id-velero-${module.config.environment}"
+}
+
+resource "azurerm_federated_identity_credential" "velero-mi-fedcred" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-velero-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:velero:velero"
+  parent_id           = data.azurerm_user_assigned_identity.velero.id
+  resource_group_name = module.config.common_resource_group
+  depends_on          = [module.aks]
+}
diff --git a/...ev/post-clusters/vulnerability-scanner.tf → ...dev/pre-clusters/vulnerability-scanner.tf b/...ev/post-clusters/vulnerability-scanner.tf → ...dev/pre-clusters/vulnerability-scanner.tf
@@ -14,6 +14,7 @@ resource "azurerm_federated_identity_credential" "vulnerability-scanner-writer"
   subject             = "system:serviceaccount:radix-vulnerability-scanner:radix-vulnerability-scanner"
   parent_id           = data.azurerm_user_assigned_identity.vulnerability-scanner-writer.id
   resource_group_name = data.azurerm_user_assigned_identity.vulnerability-scanner-writer.resource_group_name
+  depends_on          = [module.aks]
 }
 
 ### Vulnerability Scanner API - Reader
@@ -31,6 +32,7 @@ resource "azurerm_federated_identity_credential" "vulnerability-scanner-api-read
   subject             = "system:serviceaccount:radix-vulnerability-scanner-api-prod:server-sa"
   parent_id           = data.azurerm_user_assigned_identity.vulnerability-scanner-api-reader.id
   resource_group_name = data.azurerm_user_assigned_identity.vulnerability-scanner-api-reader.resource_group_name
+  depends_on          = [module.aks]
 }
 resource "azurerm_federated_identity_credential" "vulnerability-scanner-api-reader-qa" {
   for_each = module.clusters.oidc_issuer_url
@@ -41,5 +43,6 @@ resource "azurerm_federated_identity_credential" "vulnerability-scanner-api-read
   subject             = "system:serviceaccount:radix-vulnerability-scanner-api-qa:server-sa"
   parent_id           = data.azurerm_user_assigned_identity.vulnerability-scanner-api-reader.id
   resource_group_name = data.azurerm_user_assigned_identity.vulnerability-scanner-api-reader.resource_group_name
+  depends_on          = [module.aks]
 }
 
diff --git a/terraform/subscriptions/s941/playground/pre-clusters/cert-manager.tf b/terraform/subscriptions/s941/playground/pre-clusters/cert-manager.tf
@@ -0,0 +1,16 @@
+data "azurerm_user_assigned_identity" "cert-manager-mi" {
+  resource_group_name = module.config.common_resource_group
+  name                = "radix-id-certmanager-${module.config.environment}"
+}
+
+resource "azurerm_federated_identity_credential" "cert-manager-mi-fedcred" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-cert-manager-dns01-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:cert-manager:cert-manager"
+  parent_id           = data.azurerm_user_assigned_identity.cert-manager-mi.id
+  resource_group_name = data.azurerm_user_assigned_identity.cert-manager-mi.resource_group_name
+  depends_on          = [module.aks]
+}