Terraform consolidate keyvault (#1484)

* Consolidate keyvault into common

* updates

---------

Co-authored-by: Automatic Update <radix@statoilsrm.onmicrosoft.com>

scripts/aks/bootstrap.sh

@@ -290,7 +290,6 @@ fi
 
 printf "Initializing Terraform..."
 terraform -chdir="../terraform/subscriptions/$AZ_SUBSCRIPTION_NAME/$RADIX_ZONE/common" init
-terraform -chdir="../terraform/subscriptions/$AZ_SUBSCRIPTION_NAME/$RADIX_ZONE/virtualnetwork" init
 terraform -chdir="../terraform/subscriptions/$AZ_SUBSCRIPTION_NAME/$RADIX_ZONE/pre-clusters" init
 terraform -chdir="../terraform/subscriptions/$AZ_SUBSCRIPTION_NAME/$RADIX_ZONE/clusters" init
 terraform -chdir="../terraform/subscriptions/$AZ_SUBSCRIPTION_NAME/$RADIX_ZONE/post-clusters" init
@@ -349,7 +348,7 @@ fi
 # if migrating active to active cluster (eg. dev to dev)
 if [ "$MIGRATION_STRATEGY" = "aa" ]; then
     # Path to Public IP Prefix which contains the public outbound IPs
-    IPPRE=$(terraform -chdir="../terraform/subscriptions/$AZ_SUBSCRIPTION_NAME/$RADIX_ZONE/virtualnetwork" output -json public_ip_prefix_ids)
+    IPPRE=$(terraform -chdir="../terraform/subscriptions/$AZ_SUBSCRIPTION_NAME/$RADIX_ZONE/common" output -json public_ip_prefix_ids)
     IPPRE_EGRESS_ID=$(jq -n "${IPPRE}" | jq -r .egress_id)
     IPPRE_INGRESS_ID=$(jq -n "${IPPRE}" | jq -r .ingress_id)
     # IPPRE_EGRESS_ID="/subscriptions/$AZ_SUBSCRIPTION_ID/resourceGroups/$AZ_RESOURCE_GROUP_IPPRE/providers/Microsoft.Network/publicIPPrefixes/$AZ_IPPRE_OUTBOUND_NAME"

terraform/subscriptions/modules/key-vault/main.tf

@@ -37,7 +37,7 @@ resource "azurerm_role_assignment" "this" {
 
 data "azurerm_subnet" "subnet" {
   name                 = "private-links"
-  virtual_network_name = var.virtual_network
+  virtual_network_name = "vnet-hub"
   resource_group_name  = var.vnet_resource_group
 }
 

terraform/subscriptions/modules/key-vault/variables.tf

@@ -1,7 +1,6 @@
 variable "tenant_id" {
   description = "Tenant ID"
   type        = string
-
 }
 
 variable "vault_name" {
@@ -19,27 +18,10 @@ variable "location" {
   type        = string
 }
 
-variable "soft_delete_retention_days" {
-  description = "The number of days that items should be retained for once soft-deleted."
-  type        = number
-  default     = 90
-}
-
 variable "purge_protection_enabled" {
   description = "Is purge protection enabled for this Key vault?"
   type        = bool
-  default     = false
-}
-
-variable "access_policies" {
-  description = "A list of access policies for this Key vault."
-  type = list(object({
-    object_id               = string
-    secret_permissions      = optional(list(string), [])
-    certificate_permissions = optional(list(string), [])
-    key_permissions         = optional(list(string), [])
-  }))
-  default = []
+  default     = true
 }
 
 variable "enable_rbac_authorization" {
@@ -54,63 +36,6 @@ variable "kv_secrets_user_id" {
   default     = ""
 }
 
-variable "public_network_access_enabled" {
-  description = "Should public network access be enabled for this Key Vault?"
-  type        = bool
-  default     = true
-}
-
-variable "network_acls_default_action" {
-  description = "The default action of the network ACLs of this Key Vault."
-  type        = string
-  default     = "Deny"
-
-  validation {
-    condition     = contains(["Allow", "Deny"], var.network_acls_default_action)
-    error_message = "Default action must be \"Allow\" or \"Deny\"."
-  }
-}
-
-variable "network_acls_bypass_azure_services" {
-  description = "Should Azure services be allowed to bypass the network ACLs of this Key Vault?."
-  type        = bool
-  default     = true
-}
-
-variable "network_acls_ip_rules" {
-  description = "A list of IP addresses or CIDR blocks that should be able to bypass the network ACL and access this Key vault."
-  type        = list(string)
-  default     = []
-}
-
-variable "network_acls_virtual_network_subnet_ids" {
-  description = "A list of Virtual Network subnet IDs that should be able to bypass the network ACL and access this Key vault."
-  type        = list(string)
-  default     = []
-}
-
-variable "diagnostic_setting_name" {
-  description = "The name of this diagnostic setting."
-  type        = string
-  default     = "audit-logs"
-}
-
-variable "diagnostic_setting_enabled_log_categories" {
-  description = "A list of log categories to be enabled for this diagnostic setting."
-  type        = list(string)
-  default     = ["AuditEvent"]
-}
-
-variable "tags" {
-  description = "A map of tags to assign to the resources."
-  type        = map(string)
-  default     = {}
-}
-
-variable "virtual_network" {
-  type    = string
-  default = "vnet-hub"
-}
 variable "vnet_resource_group" {
   type = string
 }

terraform/subscriptions/s940/c2/common/keyvault.tf

@@ -0,0 +1,16 @@
+data "azurerm_subscription" "current" {}
+
+data "azurerm_key_vault_secret" "this" {
+  name         = "storageaccounts-ip-rule"
+  key_vault_id = module.config.backend.ip_key_vault_id
+}
+
+module "keyvault" {
+  source              = "../../../modules/key-vault"
+  location            = module.config.location
+  vault_name          = "radix-keyv-${module.config.environment}"
+  resource_group_name = module.config.common_resource_group
+  tenant_id           = data.azurerm_subscription.current.tenant_id
+  vnet_resource_group = module.config.vnet_resource_group
+  ip_rule             = data.azurerm_key_vault_secret.this.value
+}

terraform/subscriptions/s940/c2/common/main.tf

@@ -2,66 +2,6 @@ module "config" {
   source = "../../../modules/config"
 }
 
-###Migrated from 'Virtualnetwork' start
-
-module "vnet_resourcegroup" {
-  source   = "../../../modules/resourcegroups"
-  name     = module.config.vnet_resource_group
-  location = module.config.location
-}
-
-module "azurerm_virtual_network" {
-  source              = "../../../modules/virtualnetwork"
-  location            = module.config.location
-  enviroment          = module.config.environment
-  vnet_resource_group = module.vnet_resourcegroup.data.name
-  private_dns_zones   = tolist(module.config.private_dns_zones_names)
-  depends_on          = [module.vnet_resourcegroup]
-
-}
-
-module "azurerm_public_ip_prefix_ingress" {
-  source              = "../../../modules/network_publicipprefix"
-  location            = module.config.location
-  resource_group_name = var.resource_groups_common_temporary                            #TODO
-  publicipprefixname  = "ippre-ingress-radix-aks-${module.config.environment}-prod-001" #TODO
-  pipprefix           = "ingress-radix-aks"
-  pippostfix          = "prod"
-  enviroment          = module.config.environment
-  prefix_length       = 29
-  publicipcounter     = 8
-  # zones               = ["1", "2", "3"]
-}
-
-module "azurerm_public_ip_prefix_egress" {
-  source              = "../../../modules/network_publicipprefix"
-  location            = module.config.location
-  resource_group_name = var.resource_groups_common_temporary                           #TODO
-  publicipprefixname  = "ippre-egress-radix-aks-${module.config.environment}-prod-001" #TODO
-  pipprefix           = "egress-radix-aks"
-  pippostfix          = "prod"
-  enviroment          = module.config.environment
-  prefix_length       = 29
-  publicipcounter     = 8
-}
-
-output "vnet_hub_id" {
-  value = module.azurerm_virtual_network.data.vnet_hub.id
-}
-
-output "vnet_subnet_id" {
-  value = module.azurerm_virtual_network.data.vnet_subnet.id
-}
-
-output "public_ip_prefix_ids" {
-  value = {
-    egress_id  = module.azurerm_public_ip_prefix_egress.data.id
-    ingress_id = module.azurerm_public_ip_prefix_ingress.data.id
-  }
-}
-
-###Migrated from 'Virtualnetwork' end
-
 module "resourcegroups" {
   source   = "../../../modules/resourcegroups"
   name     = module.config.common_resource_group
@@ -91,11 +31,6 @@ data "azurerm_virtual_network" "this" {
   resource_group_name = module.config.vnet_resource_group
 }
 
-data "azurerm_key_vault_secret" "this" {
-  name         = "storageaccounts-ip-rule"
-  key_vault_id = module.config.backend.ip_key_vault_id
-}
-
 data "azurerm_subnet" "this" {
   name                 = "private-links"
   resource_group_name  = module.config.vnet_resource_group

terraform/subscriptions/s940/c2/common/virtualnetwork.tf

@@ -0,0 +1,55 @@
+module "vnet_resourcegroup" {
+  source   = "../../../modules/resourcegroups"
+  name     = module.config.vnet_resource_group
+  location = module.config.location
+}
+
+module "azurerm_virtual_network" {
+  source              = "../../../modules/virtualnetwork"
+  location            = module.config.location
+  enviroment          = module.config.environment
+  vnet_resource_group = module.vnet_resourcegroup.data.name
+  private_dns_zones   = tolist(module.config.private_dns_zones_names)
+  depends_on          = [module.vnet_resourcegroup]
+
+}
+
+module "azurerm_public_ip_prefix_ingress" {
+  source              = "../../../modules/network_publicipprefix"
+  location            = module.config.location
+  resource_group_name = var.resource_groups_common_temporary                            #TODO
+  publicipprefixname  = "ippre-ingress-radix-aks-${module.config.environment}-prod-001" #TODO
+  pipprefix           = "ingress-radix-aks"
+  pippostfix          = "prod"
+  enviroment          = module.config.environment
+  prefix_length       = 29
+  publicipcounter     = 8
+  # zones               = ["1", "2", "3"]
+}
+
+module "azurerm_public_ip_prefix_egress" {
+  source              = "../../../modules/network_publicipprefix"
+  location            = module.config.location
+  resource_group_name = var.resource_groups_common_temporary                           #TODO
+  publicipprefixname  = "ippre-egress-radix-aks-${module.config.environment}-prod-001" #TODO
+  pipprefix           = "egress-radix-aks"
+  pippostfix          = "prod"
+  enviroment          = module.config.environment
+  prefix_length       = 29
+  publicipcounter     = 8
+}
+
+output "vnet_hub_id" {
+  value = module.azurerm_virtual_network.data.vnet_hub.id
+}
+
+output "vnet_subnet_id" {
+  value = module.azurerm_virtual_network.data.vnet_subnet.id
+}
+
+output "public_ip_prefix_ids" {
+  value = {
+    egress_id  = module.azurerm_public_ip_prefix_egress.data.id
+    ingress_id = module.azurerm_public_ip_prefix_ingress.data.id
+  }
+}