GitHub workflows (#1401)

* Add WI for Workflows * Add WI for Workflows --------- Co-authored-by: Automatic Update <radix@statoilsrm.onmicrosoft.com>
equinor · Jul 18, 2024 · 5915afc · 5915afc
1 parent 80dfb38
commit 5915afc
Show file tree

Hide file tree

Showing 6 changed files with 120 additions and 4 deletions.
diff --git a/terraform/subscriptions/modules/backupvaults/main.tf b/terraform/subscriptions/modules/backupvaults/main.tf
@@ -24,9 +24,9 @@ resource "azurerm_data_protection_backup_vault" "backupvault" {
 ###
 
 resource "azurerm_data_protection_backup_policy_blob_storage" "policyblobstorage" {
-  name               = var.policyblobstoragename
-  vault_id           = azurerm_data_protection_backup_vault.backupvault.id
-  retention_duration = "P30D"
+  name                                   = var.policyblobstoragename
+  vault_id                               = azurerm_data_protection_backup_vault.backupvault.id
+  operational_default_retention_duration = "P30D"
 }
 
 #######################################################################################

diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf
@@ -77,6 +77,35 @@ module "acr" {
   dockercredentials_id = "/subscriptions/${module.config.subscription}/resourceGroups/${module.config.common_resource_group}/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}cache/credentialSets/radix-service-account-docker"
 }
 
+module "radix-id-acr-workflows" {
+  source              = "../../../modules/userassignedidentity"
+  name                = "radix-id-acr-workflows-${module.config.environment}"
+  resource_group_name = module.config.common_resource_group
+  location            = module.config.location
+  roleassignments = {
+    contributor = {
+      role     = "Contributor" # Needed to open firewall
+      scope_id = module.acr.azurerm_container_registry_id
+    },
+    acrpush = {
+      role     = "AcrPush"
+      scope_id = module.acr.azurerm_container_registry_id
+    }
+  }
+  federated_credentials = {
+    radix-acr-cleanup-release = {
+      name    = "radix-acr-cleanup-release"
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-acr-cleanup:ref:refs/heads/release"
+    }
+    radix-cluster-cleanup-master = {
+      name    = "radix-cluster-cleanup-release"
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-cluster-cleanup:ref:refs/heads/release"
+    },
+  }
+}
+
 output "workspace_id" {
   value = module.loganalytics.workspace_id
 }

diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf
@@ -75,6 +75,35 @@ module "acr" {
   dockercredentials_id = "/subscriptions/${module.config.subscription}/resourceGroups/${module.config.common_resource_group}/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}cache/credentialSets/radix-service-account-docker"
 }
 
+module "radix-id-acr-workflows" {
+  source              = "../../../modules/userassignedidentity"
+  name                = "radix-id-acr-workflows-${module.config.environment}"
+  resource_group_name = module.config.common_resource_group
+  location            = module.config.location
+  roleassignments = {
+    contributor = {
+      role     = "Contributor" # Needed to open firewall
+      scope_id = module.acr.azurerm_container_registry_id
+    },
+    acrpush = {
+      role     = "AcrPush"
+      scope_id = module.acr.azurerm_container_registry_id
+    }
+  }
+  federated_credentials = {
+    radix-acr-cleanup-release = {
+      name    = "radix-acr-cleanup-release"
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-acr-cleanup:ref:refs/heads/release"
+    }
+    radix-cluster-cleanup-master = {
+      name    = "radix-cluster-cleanup-release"
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-cluster-cleanup:ref:refs/heads/release"
+    },
+  }
+}
+
 output "workspace_id" {
   value = module.loganalytics.workspace_id
 }

diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf
@@ -63,9 +63,40 @@ module "acr" {
   vnet_resource_group  = module.config.vnet_resource_group
   subnet_id            = data.azurerm_subnet.this.id
   dockercredentials_id = "/subscriptions/${module.config.subscription}/resourceGroups/${module.config.common_resource_group}/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}cache/credentialSets/radix-service-account-docker"
+}
+
+module "radix-id-acr-workflows" {
+  source              = "../../../modules/userassignedidentity"
+  name                = "radix-id-acr-workflows-${module.config.environment}"
+  resource_group_name = module.config.common_resource_group
+  location            = module.config.location
+  roleassignments = {
+    contributor = {
+      role     = "Contributor" # Needed to open firewall
+      scope_id = module.acr.azurerm_container_registry_id
+    },
+    acrpush = {
+      role     = "AcrPush"
+      scope_id = module.acr.azurerm_container_registry_id
+    }
+  }
+  federated_credentials = {
+    radix-acr-cleanup-master = {
+      name    = "radix-acr-cleanup-master"
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-acr-cleanup:ref:refs/heads/master"
+    },
+    radix-cluster-cleanup-master = {
+      name    = "radix-cluster-cleanup-master"
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-cluster-cleanup:ref:refs/heads/master"
+    },
+  }
 
 }
 
+
+
 output "workspace_id" {
   value = module.loganalytics.workspace_id
 }

diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf
@@ -63,7 +63,35 @@ module "acr" {
   vnet_resource_group  = module.config.vnet_resource_group
   subnet_id            = data.azurerm_subnet.this.id
   dockercredentials_id = "/subscriptions/${module.config.subscription}/resourceGroups/${module.config.common_resource_group}/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}cache/credentialSets/radix-service-account-docker"
+}
 
+module "radix-id-acr-workflows" {
+  source              = "../../../modules/userassignedidentity"
+  name                = "radix-id-acr-workflows-${module.config.environment}"
+  resource_group_name = module.config.common_resource_group
+  location            = module.config.location
+  roleassignments = {
+    contributor = {
+      role     = "Contributor" # Needed to open firewall
+      scope_id = module.acr.azurerm_container_registry_id
+    },
+    acrpush = {
+      role     = "AcrPush"
+      scope_id = module.acr.azurerm_container_registry_id
+    }
+  }
+  federated_credentials = {
+    radix-acr-cleanup-release = {
+      name    = "radix-acr-cleanup-release"
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-acr-cleanup:ref:refs/heads/release"
+    }
+    radix-cluster-cleanup-master = {
+      name    = "radix-cluster-cleanup-release"
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-cluster-cleanup:ref:refs/heads/release"
+    },
+  }
 }
 
 #######################################################################################

diff --git a/terraform/subscriptions/s941/playground/post-clusters/grafana.tf b/terraform/subscriptions/s941/playground/post-clusters/grafana.tf
@@ -12,7 +12,6 @@ module "grafana" {
   service_id   = "110327"
   web_uris     = concat(["https://grafana.${module.config.environment}.radix.equinor.com/login/generic_oauth"], local.grafana_uris)
   owners       = data.azuread_group.radix.members
-
 }
 
 data "azurerm_user_assigned_identity" "grafana" {