* First commit * First commit * Terraform * Major updates * Major updates * Github action * Github action * updates * remove env * remove env * some sttatic values * some more static values * some more static values * dev and playground * dev and playground * firewall rules * firewall rules * echo message * echo message * echo message * echo message * echo message * revert * Move script * Move script * Move script * Variables * Variables * Add s940 * Add s940 --------- Co-authored-by: Automatic Update <radix@statoilsrm.onmicrosoft.com>
Showing
18 changed files
with
427 additions
and
59 deletions.
@@ -0,0 +1,161 @@ | ||
name: Check Terraform infrastructure | ||
on: | ||
pull_request: | ||
workflow_dispatch: | ||
inputs: | ||
subscription: | ||
description: 'Subscription' | ||
type: choice | ||
required: true | ||
options: | ||
- 's940' | ||
- 's941' | ||
default: 's941' | ||
|
||
terraformapply: | ||
description: 'Terraform apply' | ||
type: boolean | ||
required: true | ||
default: false | ||
|
||
|
||
# secrets: | ||
# AZURE_CLIENT_ID: | ||
# description: The client ID of the Azure AD service principal to use for authenticating to Azure. | ||
# required: true | ||
|
||
# AZURE_SUBSCRIPTION_ID: | ||
# description: The ID of the Azure subscription to create the resources in. | ||
# required: true | ||
|
||
# AZURE_TENANT_ID: | ||
# description: The ID of the Azure tenant to create the resources in. | ||
# required: true | ||
|
||
|
||
jobs: | ||
terrform-s941: | ||
name: Check infrastructure consistency | ||
runs-on: ubuntu-latest | ||
environment: s941 | ||
strategy: | ||
matrix: | ||
ENVIROMENT: [dev, playground] | ||
env: | ||
# ENVIROMENT: dev #variable passed to scipt | ||
SUBSCRIPTION: s941 #variable passed to scipt | ||
terraform_version: ~1.3.0 | ||
ARM_USE_OIDC: true | ||
ARM_USE_AZUREAD: true | ||
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | ||
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | ||
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | ||
storage_account_name: ${{ inputs.subscription }}radixinfra | ||
|
||
permissions: | ||
id-token: write | ||
contents: read | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 #Clone Repo | ||
|
||
|
||
- name: 'Az login' | ||
uses: azure/login@v1 | ||
with: | ||
client-id: ${{ secrets.AZURE_CLIENT_ID }} | ||
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | ||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | ||
|
||
- name: Get GitHub Public IP | ||
id: github_public_ip | ||
uses: haythem/public-ip@v1.3 | ||
|
||
- name: Add GitHub IP to StorageAccount | ||
run: | | ||
az storage account network-rule add \ | ||
--resource-group "${{ env.SUBSCRIPTION}}-tfstate" \ | ||
--account-name "${{ env.SUBSCRIPTION}}radixinfra" \ | ||
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null | ||
- name: Lets sleep for 30 seconds for FW rule to complete | ||
run: sleep 30s | ||
|
||
- name: Setup Terraform | ||
uses: hashicorp/setup-terraform@v2 | ||
with: | ||
terraform_version: ${{ env.terraform_version }} | ||
|
||
- name: Check terrorm in ${{ matrix.ENVIROMENT}} | ||
working-directory: terraform/subscriptions/scripts | ||
run: ENVIROMENT=${{ matrix.ENVIROMENT}} ./terraform.sh | ||
|
||
- name: Revoke GitHub IP on StorageAccount | ||
run: | | ||
az storage account network-rule remove \ | ||
--resource-group "${{ env.SUBSCRIPTION}}-tfstate" \ | ||
--account-name "${{ env.SUBSCRIPTION}}radixinfra" \ | ||
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null | ||
terrform-s940: | ||
name: Check infrastructure consistency | ||
runs-on: ubuntu-latest | ||
environment: s940 | ||
strategy: | ||
matrix: | ||
ENVIROMENT: [prod, c2] | ||
env: | ||
# ENVIROMENT: dev #variable passed to scipt | ||
SUBSCRIPTION: s940 #variable passed to scipt | ||
terraform_version: ~1.3.0 | ||
ARM_USE_OIDC: true | ||
ARM_USE_AZUREAD: true | ||
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | ||
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | ||
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | ||
storage_account_name: ${{ inputs.subscription }}radixinfra | ||
|
||
permissions: | ||
id-token: write | ||
contents: read | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 #Clone Repo | ||
|
||
|
||
- name: 'Az login' | ||
uses: azure/login@v1 | ||
with: | ||
client-id: ${{ secrets.AZURE_CLIENT_ID }} | ||
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | ||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | ||
|
||
- name: Get GitHub Public IP | ||
id: github_public_ip | ||
uses: haythem/public-ip@v1.3 | ||
|
||
- name: Add GitHub IP to StorageAccount | ||
run: | | ||
az storage account network-rule add \ | ||
--resource-group "${{ env.SUBSCRIPTION}}-tfstate" \ | ||
--account-name "${{ env.SUBSCRIPTION}}radixinfra" \ | ||
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null | ||
- name: Lets sleep for 30 seconds for FW rule to complete | ||
run: sleep 30s | ||
|
||
- name: Setup Terraform | ||
uses: hashicorp/setup-terraform@v2 | ||
with: | ||
terraform_version: ${{ env.terraform_version }} | ||
|
||
- name: Check terrorm in ${{ matrix.ENVIROMENT}} | ||
working-directory: terraform/subscriptions/scripts | ||
run: ENVIROMENT=${{ matrix.ENVIROMENT}} ./terraform.sh | ||
|
||
- name: Revoke GitHub IP on StorageAccount | ||
run: | | ||
az storage account network-rule remove \ | ||
--resource-group "${{ env.SUBSCRIPTION}}-tfstate" \ | ||
--account-name "${{ env.SUBSCRIPTION}}radixinfra" \ | ||
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null |
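Review bot: The "Revoke GitHub IP on StorageAccount" step is the last step of each job and carries no `if:` condition, so whenever Setup Terraform or terraform.sh fails the job stops before it and the runner's public IP stays allow-listed on the tfstate storage account; add `if: always()` to that step in both the s941 and the s940 job. The same steps also splice `${{ steps.github_public_ip.outputs.ipv4 }}` unquoted into the shell line, i.e. output of a third-party action becomes shell text; passing it as `env: RUNNER_IP: ${{ steps.github_public_ip.outputs.ipv4 }}` and using `--ip-address "$RUNNER_IP"` keeps it a plain string. Separately, `storage_account_name` is built from `inputs.subscription`, which is empty on the `pull_request` trigger, while the steps use the hard-coded `env.SUBSCRIPTION`, and the `terraformapply` input is declared but never read; both look like leftovers worth removing or wiring up.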
@@ -0,0 +1,37 @@ | ||
#!/bin/bash | ||
red=$'\e[1;31m' | ||
grn=$'\e[1;32m' | ||
yel=$'\e[1;33m' | ||
normal=$(tput sgr0) | ||
|
||
# Set the directory you want to search | ||
directory="../../../terraform/subscriptions/s941/dev" | ||
|
||
for dir in "$directory"/*; do | ||
if [ ! -d "$dir" ]; then continue; fi | ||
|
||
printf "%s► Execute %s%s\n" "${grn}" "$dir" "${normal}" | ||
terraform -chdir="$dir" init &>/dev/null || echo "Error during terraform init in $dir" | ||
terraform -chdir="$dir" plan -no-color -out=plan.out &>/dev/null || echo "Error during terraform plan in $dir" | ||
|
||
if [ ! -f "$dir/plan.out" ]; then | ||
echo "plan.out was not created in $dir" | ||
continue | ||
fi | ||
|
||
cd "$dir" || exit | ||
plan=$(terraform show -no-color "plan.out") | ||
cd - >/dev/null || exit | ||
|
||
create=$(echo "$plan" | grep "will be created" | sed 's|# |+|g' | sed 's/^ *//g') | ||
destroy=$(echo "$plan" | grep "will be destroyed" | sed 's|# |-|g' | sed 's/^ *//g') | ||
update=$(echo "$plan" | grep "will be updated in-place" | sed 's|# |~|g' | sed 's/^ *//g') | ||
replace=$(echo "$plan" | grep "must be replaced" | sed 's|# |-/+|g' | sed 's/^ *//g') | ||
|
||
if [ -n "$create" ]; then echo -e "The following resources will be created:\n ${grn}${create}${normal}\n"; fi | ||
if [ -n "$destroy" ]; then echo -e "The following resources will be destroyed:\n ${red}${destroy}${normal}\n"; fi | ||
if [ -n "$update" ]; then echo -e "The following resources will be updated:\n ${yel}${update}${normal}\n"; fi | ||
if [ -n "$replace" ]; then echo -e "The following resources will be replaced:\n ${red}${replace}${normal}\n"; fi | ||
if [ -z "$create$destroy$update$replace" ]; then echo -e "No changes. Your infrastructure matches the configuration.\n"; fi | ||
rm "$dir/plan.out" | ||
done |
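Review bot: `directory` is hard-coded to `../../../terraform/subscriptions/s941/dev`, so the `ENVIROMENT` value the workflow passes on the command line and the job-level `SUBSCRIPTION` are never read, and every matrix entry, including the s940 job, plans the same s941/dev directories; `directory="../../../terraform/subscriptions/${SUBSCRIPTION:?}/${ENVIROMENT:?}"` uses the variables the workflow already sets (keeping their spelling) and aborts when one is missing instead of silently checking the wrong subscription. Init and plan failures are only echoed, their output is discarded by `&>/dev/null`, and the loop always ends with status 0, so the job cannot fail on a broken configuration or on drift; recording a failure flag on those `||` branches and ending with `exit "$failed"` after `done` would make the check enforceable. The unquoted `${grn}` and `${normal}` inside `printf` arguments are fine, but `echo -e` with the plan text will also interpret backslash sequences inside resource names — `printf '%s\n'` avoids that.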
@@ -0,0 +1,19 @@ | ||
locals { | ||
external_outputs = { | ||
global = data.terraform_remote_state.global.outputs | ||
# virtualnetwork = data.terraform_remote_state.virtualnetwork.outputs | ||
} | ||
|
||
backend = { | ||
resource_group_name = "s940-tfstate" | ||
storage_account_name = "s940radixinfra" | ||
container_name = "infrastructure" | ||
} | ||
|
||
} | ||
data "terraform_remote_state" "global" { | ||
backend = "azurerm" | ||
config = merge( | ||
local.backend, | ||
{ key = "prod/globals/terraform.tfstate" }) | ||
} |
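Review bot: The `backend` local pins the s940 state account and the `global` remote state reads `prod/globals/terraform.tfstate`, but nothing documents this cross-environment dependency; a header comment such as `# Shared globals are read from the s940 prod state; every output of that state becomes readable in this root module.` states the coupling and the exposure that `terraform_remote_state` implies. The identical block is repeated verbatim in the second locals file later in this commit, so a shared module or a single variable set would avoid the two copies drifting. Authentication for the azurerm backend here is presumably picked up from the `ARM_USE_OIDC`/`ARM_USE_AZUREAD` environment the workflow exports, since the config sets neither `use_oidc` nor `use_azuread_auth`; worth confirming on a local run, where those variables are not set.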
@@ -0,0 +1,6 @@ | ||
module "resourcegroups" { | ||
for_each = toset(var.resource_groups) | ||
source = "../../../modules/resourcegroups" | ||
name = "${local.external_outputs.global.data.aad_radix_group}-${each.value}" | ||
location = local.outputs.location | ||
} |
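Review bot: `location = local.outputs.location` references a local named `outputs`, but the locals file added next to this block declares only `external_outputs` and `backend`, so unless `outputs` is defined in a file not shown here `terraform plan` fails on an undeclared local reference. The only remote-state value in scope is `local.external_outputs.global`, so the intended expression is presumably under it, e.g. `location = local.external_outputs.global.<OUTPUT-NAME>.location` (placeholder — confirm the real output name against the globals state). The same line appears in the second resourcegroups module block later in this commit, and because terraform.sh discards plan errors this would currently only surface as a printed "Error during terraform plan" line rather than a failed job.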
@@ -0,0 +1,4 @@ | ||
variable "resource_groups" { | ||
type = list(string) | ||
default = ["c2"] | ||
} |
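Review bot: `resource_groups` has no `description`, so a reader of the variable cannot tell what the strings represent; the module call in the accompanying main file appends each value to `aad_radix_group`, so `description = "Name suffixes appended to the global aad_radix_group prefix to form resource group names."` documents it from the visible usage. The second copy of this variable later in the commit (default `["production"]`) has the same gap.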
@@ -0,0 +1,8 @@ | ||
locals { | ||
flattened_resource_groups = { | ||
for key, value in var.resource_groups : key => { | ||
name = key | ||
location = value.location | ||
} | ||
} | ||
} |
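Review bot: `flattened_resource_groups` is consumed only by the `module "resourcegroups"` block that is commented out in the next file of this commit, so the local is currently dead code; if the module call is meant to stay disabled for now, a comment such as `# NOTE: currently unused — the resourcegroups module call in main.tf is commented out.` tells the next reader that this is intentional. As a matter of style the comprehension only re-wraps `var.resource_groups` (`name = key` duplicates what `each.key` would give a `for_each` over the variable directly), so once the module call is re-enabled it could iterate `var.resource_groups` itself and this local could go.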
@@ -0,0 +1,6 @@ | ||
# module "resourcegroups" { | ||
# for_each = local.flattened_resource_groups | ||
# source = "../../modules/resourcegroups" | ||
# name = each.value.name | ||
# location = each.value.location | ||
# } |
@@ -0,0 +1,8 @@ | ||
variable "resource_groups" { | ||
description = "Shared resourcegroups across enviroments." | ||
type = map(object({ | ||
location = optional(string, "northeurope") | ||
})) | ||
default = { | ||
} | ||
} |
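Review bot: The description misspells "environments" (`enviroments`). `optional(string, "northeurope")` with a default value needs Terraform 1.3 or later, which matches the `~1.3.0` pin in the workflow, but no `terraform { required_version = ">= 1.3.0" }` constraint is visible in this commit, so a local run on an older binary would fail with an unhelpful parse error; adding that constraint alongside this variable is cheap. The two-line `default = {\n}` can be written `default = {}`.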
@@ -0,0 +1,19 @@ | ||
locals { | ||
external_outputs = { | ||
global = data.terraform_remote_state.global.outputs | ||
# virtualnetwork = data.terraform_remote_state.virtualnetwork.outputs | ||
} | ||
|
||
backend = { | ||
resource_group_name = "s940-tfstate" | ||
storage_account_name = "s940radixinfra" | ||
container_name = "infrastructure" | ||
} | ||
|
||
} | ||
data "terraform_remote_state" "global" { | ||
backend = "azurerm" | ||
config = merge( | ||
local.backend, | ||
{ key = "prod/globals/terraform.tfstate" }) | ||
} |
@@ -0,0 +1,6 @@ | ||
module "resourcegroups" { | ||
for_each = toset(var.resource_groups) | ||
source = "../../../modules/resourcegroups" | ||
name = "${local.external_outputs.global.data.aad_radix_group}-${each.value}" | ||
location = local.outputs.location | ||
} |
@@ -0,0 +1,4 @@ | ||
variable "resource_groups" { | ||
type = list(string) | ||
default = ["production"] | ||
} |