From 5915afc1887f747acf79cc83d589851664fc2de7 Mon Sep 17 00:00:00 2001
From: Svein-Petter Johnsen <83902071+sveinpj@users.noreply.github.com>
Date: Thu, 18 Jul 2024 09:56:53 +0200
Subject: [PATCH] GitHub workflows (#1401)

* Add WI for Workflows

* Add WI for Workflows

---------

Co-authored-by: Automatic Update
---
 .../modules/backupvaults/main.tf | 6 ++--
 .../subscriptions/s940/c2/common/main.tf | 29 +++++++++++++++++
 .../subscriptions/s940/prod/common/main.tf | 29 +++++++++++++++++
 .../subscriptions/s941/dev/common/main.tf | 31 +++++++++++++++++++
 .../s941/playground/common/main.tf | 28 +++++++++++++++++
 .../s941/playground/post-clusters/grafana.tf | 1 -
 6 files changed, 120 insertions(+), 4 deletions(-)

diff --git a/terraform/subscriptions/modules/backupvaults/main.tf b/terraform/subscriptions/modules/backupvaults/main.tf
index 765dff2ff..b45894482 100644
--- a/terraform/subscriptions/modules/backupvaults/main.tf
+++ b/terraform/subscriptions/modules/backupvaults/main.tf
@@ -24,9 +24,9 @@ resource "azurerm_data_protection_backup_vault" "backupvault" {
 ###
 resource "azurerm_data_protection_backup_policy_blob_storage" "policyblobstorage" {
- name = var.policyblobstoragename
- vault_id = azurerm_data_protection_backup_vault.backupvault.id
- retention_duration = "P30D"
+ name = var.policyblobstoragename
+ vault_id = azurerm_data_protection_backup_vault.backupvault.id
+ operational_default_retention_duration = "P30D"
 }
 #######################################################################################
diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf
index d8d891984..b2582bc8c 100644
--- a/terraform/subscriptions/s940/c2/common/main.tf
+++ b/terraform/subscriptions/s940/c2/common/main.tf
@@ -77,6 +77,35 @@ module "acr" {
 dockercredentials_id = "/subscriptions/${module.config.subscription}/resourceGroups/${module.config.common_resource_group}/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}cache/credentialSets/radix-service-account-docker"
 }
+module "radix-id-acr-workflows" {
+ source = "../../../modules/userassignedidentity"
+ name = "radix-id-acr-workflows-${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ roleassignments = {
+ contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = module.acr.azurerm_container_registry_id
+ },
+ acrpush = {
+ role = "AcrPush"
+ scope_id = module.acr.azurerm_container_registry_id
+ }
+ }
+ federated_credentials = {
+ radix-acr-cleanup-release = {
+ name = "radix-acr-cleanup-release"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-acr-cleanup:ref:refs/heads/release"
+ }
+ radix-cluster-cleanup-master = {
+ name = "radix-cluster-cleanup-release"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-cluster-cleanup:ref:refs/heads/release"
+ },
+ }
+ }
+
 output "workspace_id" {
 value = module.loganalytics.workspace_id
 }
diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf
index bb0c9a632..daca7a4e2 100644
--- a/terraform/subscriptions/s940/prod/common/main.tf
+++ b/terraform/subscriptions/s940/prod/common/main.tf
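Review bot: The `contributor` entry of `roleassignments` gives the branch-bound GitHub Actions identity `Contributor` over the entire registry (`scope_id = module.acr.azurerm_container_registry_id`), which is much wider than the stated reason `# Needed to open firewall`: Contributor also covers writing and deleting the registry resource itself, so every workflow run that can present a token for `refs/heads/release` of the two repositories inherits that, and the same block is repeated in the prod, dev and playground hunks of this commit. Consider a custom role limited to the registry write action the network-rule update actually needs (or performing the firewall change outside the workflow) and keeping only `AcrPush` for the push path. Separately, the second federated credential is keyed `radix-cluster-cleanup-master` while its `name` and `subject` refer to `release`; `radix-cluster-cleanup-release = {` would match the naming of the other entries, and the same mismatch appears in the prod and playground hunks (dev is consistent). The `userassignedidentity` module is outside this diff, so whether it pins the token `audience` for these credentials cannot be confirmed here.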
@@ -75,6 +75,35 @@ module "acr" {
 dockercredentials_id = "/subscriptions/${module.config.subscription}/resourceGroups/${module.config.common_resource_group}/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}cache/credentialSets/radix-service-account-docker"
 }
+module "radix-id-acr-workflows" {
+ source = "../../../modules/userassignedidentity"
+ name = "radix-id-acr-workflows-${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ roleassignments = {
+ contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = module.acr.azurerm_container_registry_id
+ },
+ acrpush = {
+ role = "AcrPush"
+ scope_id = module.acr.azurerm_container_registry_id
+ }
+ }
+ federated_credentials = {
+ radix-acr-cleanup-release = {
+ name = "radix-acr-cleanup-release"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-acr-cleanup:ref:refs/heads/release"
+ }
+ radix-cluster-cleanup-master = {
+ name = "radix-cluster-cleanup-release"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-cluster-cleanup:ref:refs/heads/release"
+ },
+ }
+ }
+
 output "workspace_id" {
 value = module.loganalytics.workspace_id
 }
diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf
index d3eddd21e..890932439 100644
--- a/terraform/subscriptions/s941/dev/common/main.tf
+++ b/terraform/subscriptions/s941/dev/common/main.tf
@@ -63,9 +63,40 @@ module "acr" {
 vnet_resource_group = module.config.vnet_resource_group
 subnet_id = data.azurerm_subnet.this.id
 dockercredentials_id = "/subscriptions/${module.config.subscription}/resourceGroups/${module.config.common_resource_group}/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}cache/credentialSets/radix-service-account-docker"
+}
+
+module "radix-id-acr-workflows" {
+ source = "../../../modules/userassignedidentity"
+ name = "radix-id-acr-workflows-${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ roleassignments = {
+ contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = module.acr.azurerm_container_registry_id
+ },
+ acrpush = {
+ role = "AcrPush"
+ scope_id = module.acr.azurerm_container_registry_id
+ }
+ }
+ federated_credentials = {
+ radix-acr-cleanup-master = {
+ name = "radix-acr-cleanup-master"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-acr-cleanup:ref:refs/heads/master"
+ },
+ radix-cluster-cleanup-master = {
+ name = "radix-cluster-cleanup-master"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-cluster-cleanup:ref:refs/heads/master"
+ },
+ }
 }
+
+
 output "workspace_id" {
 value = module.loganalytics.workspace_id
 }
diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf
index 6db4a5028..6ca896f3f 100644
--- a/terraform/subscriptions/s941/playground/common/main.tf
+++ b/terraform/subscriptions/s941/playground/common/main.tf
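Review bot: Two consecutive blank lines are added between the closing brace of the new module and `output "workspace_id"` (the two `+` lines following the context ` }`), whereas the c2 and prod hunks of this commit add a single blank line there; dropping one keeps the environment files uniform. The new module is closed by the pre-existing `}` that used to end `module "acr"`, which is only how the diff was rendered, but it is worth a glance to confirm the resulting file has exactly one closing brace per block.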
@@ -63,7 +63,35 @@ module "acr" {
 vnet_resource_group = module.config.vnet_resource_group
 subnet_id = data.azurerm_subnet.this.id
 dockercredentials_id = "/subscriptions/${module.config.subscription}/resourceGroups/${module.config.common_resource_group}/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}cache/credentialSets/radix-service-account-docker"
+}
+module "radix-id-acr-workflows" {
+ source = "../../../modules/userassignedidentity"
+ name = "radix-id-acr-workflows-${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ roleassignments = {
+ contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = module.acr.azurerm_container_registry_id
+ },
+ acrpush = {
+ role = "AcrPush"
+ scope_id = module.acr.azurerm_container_registry_id
+ }
+ }
+ federated_credentials = {
+ radix-acr-cleanup-release = {
+ name = "radix-acr-cleanup-release"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-acr-cleanup:ref:refs/heads/release"
+ }
+ radix-cluster-cleanup-master = {
+ name = "radix-cluster-cleanup-release"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-cluster-cleanup:ref:refs/heads/release"
+ },
+ }
 }
 #######################################################################################
diff --git a/terraform/subscriptions/s941/playground/post-clusters/grafana.tf b/terraform/subscriptions/s941/playground/post-clusters/grafana.tf
index 59315ab1b..0b67a4ff2 100644
--- a/terraform/subscriptions/s941/playground/post-clusters/grafana.tf
+++ b/terraform/subscriptions/s941/playground/post-clusters/grafana.tf
@@ -12,7 +12,6 @@ module "grafana" {
 service_id = "110327"
 web_uris = concat(["https://grafana.${module.config.environment}.radix.equinor.com/login/generic_oauth"], local.grafana_uris)
 owners = data.azuread_group.radix.members
-
 }
 data "azurerm_user_assigned_identity" "grafana" {