Velero role assignment (#1205)
* Velero role assignment

* updates

* Velero role assignment

* Remove IP

* Updates

---------

Co-authored-by: Automatic Update <radix@statoilsrm.onmicrosoft.com>
sveinpj and Automatic Update authored Feb 16, 2024
1 parent 30a8943 commit 7a5cd88
Showing 17 changed files with 172 additions and 165 deletions.
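--- a/scripts/velero/install_prerequisites_in_cluster.sh
+++ b/scripts/velero/install_prerequisites_in_cluster.sh
@@ -188,37 +188,30 @@ function cleanup() {
 rm -f "$CREDENTIALS_GENERATED_PATH"
 }
 
-function generateCredentialsFile() {
-local SP_JSON="$(az keyvault secret show \
---vault-name $AZ_RESOURCE_KEYVAULT \
---name $APP_REGISTRATION_VELERO |
-jq '.value | fromjson')"
-
-# Set variables used in the manifest templates
-local AZURE_SUBSCRIPTION_ID="$AZ_SUBSCRIPTION_ID"
-local AZURE_CLIENT_ID="$(echo $SP_JSON | jq -r '.id')"
-local AZURE_TENANT_ID="$(echo $SP_JSON | jq -r '.tenantId')"
-local AZURE_CLIENT_SECRET="$(echo $SP_JSON | jq -r '.password')"
-
-# Use the credentials template as a heredoc, then run the heredoc to generate the credentials file
-CREDENTIALS_GENERATED_PATH="$(mktemp)"
-local tmp_heredoc="$(mktemp)"
-(
-echo "#!/bin/sh"
-echo "cat <<EOF >>${CREDENTIALS_GENERATED_PATH}"
-cat ${CREDENTIALS_TEMPLATE_PATH}
-echo ""
-echo "EOF"
-) >${tmp_heredoc} && chmod +x ${tmp_heredoc}
-source "$tmp_heredoc"
-
-# Debug
-# echo -e "\nCREDENTIALS_GENERATED_PATH=$CREDENTIALS_GENERATED_PATH"
-# echo -e "tmp_heredoc=$tmp_heredoc"
-
-# Remove even if script crashed
-#trap "rm -f $CREDENTIALS_GENERATED_PATH" 0 2 3 15
-}
+# function generateCredentialsFile() {
+# local SP_JSON="$(az keyvault secret show \
+# --vault-name $AZ_RESOURCE_KEYVAULT \
+# --name $APP_REGISTRATION_VELERO |
+# jq '.value | fromjson')"
+
+# # Set variables used in the manifest templates
+# local AZURE_SUBSCRIPTION_ID="$AZ_SUBSCRIPTION_ID"
+# local AZURE_CLIENT_ID="$(echo $SP_JSON | jq -r '.id')"
+# local AZURE_TENANT_ID="$(echo $SP_JSON | jq -r '.tenantId')"
+# local AZURE_CLIENT_SECRET="$(echo $SP_JSON | jq -r '.password')"
+
+# # Use the credentials template as a heredoc, then run the heredoc to generate the credentials file
+# CREDENTIALS_GENERATED_PATH="$(mktemp)"
+# local tmp_heredoc="$(mktemp)"
+# (
+# echo "#!/bin/sh"
+# echo "cat <<EOF >>${CREDENTIALS_GENERATED_PATH}"
+# cat ${CREDENTIALS_TEMPLATE_PATH}
+# echo ""
+# echo "EOF"
+# ) >${tmp_heredoc} && chmod +x ${tmp_heredoc}
+# source "$tmp_heredoc"
+# }
 
 # Run cleanup even if script crashed
 trap cleanup 0 2 3 15
@@ -231,14 +224,14 @@ case "$(kubectl get ns $VELERO_NAMESPACE 2>&1)" in
 esac
 printf "...Done"
 
-printf "\nWorking on credentials..."
-generateCredentialsFile
-kubectl create secret generic cloud-credentials \
---namespace "$VELERO_NAMESPACE" \
---from-file=cloud=$CREDENTIALS_GENERATED_PATH \
---dry-run=client -o yaml |
-kubectl apply -f - \
-2>&1 >/dev/null
+# printf "\nWorking on credentials..."
+# generateCredentialsFile
+# kubectl create secret generic cloud-credentials \
+# --namespace "$VELERO_NAMESPACE" \
+# --from-file=cloud=$CREDENTIALS_GENERATED_PATH \
+# --dry-run=client -o yaml |
+# kubectl apply -f - \
+# 2>&1 >/dev/null
 printf "...Done"
 
 MYIP=$(curl http://ifconfig.me/ip) ||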
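Review bot: The credential-generation function and the `cloud-credentials` secret creation are commented out rather than deleted, and the `printf "...Done"` that closed that step is left behind, so the script now prints `...Done...Done` back to back with no "Working on credentials" label in between; remove the dead block (git history keeps it) together with the orphaned `printf "...Done"`, or replace it with a single comment stating how Velero now authenticates, e.g. `# Velero no longer gets a cloud-credentials secret from Key Vault here; storage access is granted by the Terraform role assignment in modules/storageaccount` (adjust to the actual flow, which this script no longer shows). Leaving the old code in place is also a readability hazard, since it still documents reading a service-principal password out of Key Vault and writing it to a temp file, which a reader may take for current behaviour. `cleanup()`, whose body starts above the first hunk, still runs `rm -f "$CREDENTIALS_GENERATED_PATH"` on a variable that is never set any more, which is harmless under `-f` but confirms the removal is half done. Unchanged context, but worth fixing while here: `MYIP=$(curl http://ifconfig.me/ip)` learns the address over plain HTTP, so `curl -fsS https://ifconfig.me/ip` is the safer form if that value feeds any allow-list later in the script.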
55 changes: 31 additions & 24 deletions terraform/subscriptions/modules/storageaccount/main.tf
Expand Up @@ -57,6 +57,21 @@ resource "azurerm_role_assignment" "roleassignment" {
depends_on = [azurerm_storage_account.storageaccount]
}

# #######################################################################################
# ### Role assignment for Velero Service Principal to be used to the Storage account
# ###

data "azuread_service_principal" "velero" { # wip To be changed to workload identity in the future
display_name = var.velero_service_principal
}

resource "azurerm_role_assignment" "storage_blob_data_conntributor" {
for_each = can(regex("radixvelero.*", var.name)) ? { "${var.name}" : true } : {}
scope = azurerm_storage_account.storageaccount.id
role_definition_name = "Storage Blob Data Contributor"
principal_id = data.azuread_service_principal.velero.id
depends_on = [azurerm_storage_account.storageaccount]
}

######################################################################################
## Blob Protection
Expand All @@ -73,24 +88,24 @@ resource "azurerm_data_protection_backup_instance_blob_storage" "backupinstanceb
}

resource "azurerm_storage_account_network_rules" "this" {
for_each = var.firewall ? { "${var.name}" : true } : {}
# for_each = var.firewall ? { "${var.name}" : true } : {}
storage_account_id = azurerm_storage_account.storageaccount.id
default_action = "Deny"
ip_rules = ["143.97.110.1"]
virtual_network_subnet_ids = [var.subnet_id]
# bypass = ["Metrics"]
}
ip_rules = []
# virtual_network_subnet_ids = [var.subnet_id]

######################################################################################
## Private Link
##
}

data "azurerm_subnet" "subnet" {
name = "private-links"
virtual_network_name = var.virtual_network
resource_group_name = var.vnet_resource_group
}
resource "azurerm_private_endpoint" "this" {
for_each = var.priv_endpoint ? { "${var.name}" : true } : {} # { for key in compact([for key, value in var.priv_endpoint : value.private_endpoint ? key : ""]) : key => var.priv_endpoint[key] }
name = azurerm_storage_account.storageaccount.name
resource_group_name = azurerm_storage_account.storageaccount.resource_group_name
location = azurerm_storage_account.storageaccount.location
subnet_id = var.subnet_id
name = "pe-${var.name}"
location = var.location
resource_group_name = var.vnet_resource_group
subnet_id = data.azurerm_subnet.subnet.id
depends_on = [azurerm_storage_account.storageaccount]

private_service_connection {
Expand All @@ -100,18 +115,10 @@ resource "azurerm_private_endpoint" "this" {
subresource_names = ["blob"]
}
}


######################################################################################
## Private DNS
##
resource "azurerm_private_dns_a_record" "this" {
for_each = var.priv_endpoint ? { "${var.name}" : true } : {}
name = azurerm_storage_account.storageaccount.name
zone_name = "privatelink.blob.core.windows.net"
resource_group_name = var.vnethub_resource_group
ttl = 10
records = [azurerm_private_endpoint.this[each.key].private_service_connection.0.private_ip_address]
depends_on = [azurerm_private_endpoint.this]
resource_group_name = var.vnet_resource_group
ttl = 60
records = [azurerm_private_endpoint.this.private_service_connection.0.private_ip_address]
}
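Review bot: The guard on the new role assignment, `can(regex("radixvelero.*", var.name))`, is an unanchored substring search, so any account whose name merely contains `radixvelero` also grants the Velero principal Storage Blob Data Contributor over the whole account; anchor it, `for_each = startswith(var.name, "radixvelero") ? { "${var.name}" : true } : {}` (the file already relies on Terraform 1.3+ `optional()` defaults, so `startswith` is available), or better gate it on an explicit boolean input so the grant is visible at the call site instead of being derived from a naming convention. The principal is resolved through `data "azuread_service_principal"` by `display_name`, which is not unique in Entra ID and is evaluated for every storage-account instance even when the `for_each` map is empty, so a missing or duplicated display name fails every account rather than only the Velero ones; resolving by `client_id` (or passing the object id from the caller) removes the name-collision risk. The resource label `storage_blob_data_conntributor` is misspelled; fix it before the first apply, since renaming later forces a destroy/recreate of the assignment unless a `moved` block is added. Separately, with the `for_each` on `azurerm_storage_account_network_rules` commented out and `ip_rules = []` / the subnet list dropped, every account now gets `default_action = "Deny"` with no allow-list and appears to rely solely on the private endpoint, which looks unconditional now (its `for_each` is gone and the DNS record no longer indexes `[each.key]`); if that is intended, say so on the resource, e.g. `# Public network access is denied for all accounts; they are reachable only via the private endpoint below.`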

28 changes: 12 additions & 16 deletions terraform/subscriptions/modules/storageaccount/variables.tf
Expand Up @@ -74,6 +74,11 @@ variable "principal_id" {
type = string
}

variable "velero_service_principal" {
description = "The Name of the Principal (User, Group or Service Principal) to assign the Role Definition to"
type = string
}

variable "vault_id" {
description = "The ID of the Backup Vault"
type = string
Expand All @@ -90,25 +95,16 @@ variable "subnet_id" {

}

variable "vnethub_resource_group" {
description = "Specifies the resource group where the DNS Zone (parent resource) exists"
type = string
}

variable "priv_endpoint" {
description = "Create private endpoint?"
variable "backup" {
description = "Enable backup"
type = bool
default = false
}

variable "firewall" {
description = "Enable FW rules on StorageAccount?"
type = bool
default = true

variable "virtual_network" {
type = string
default = "vnet-hub"
}

variable "backup" {
description = "Enable backup"
type = bool
variable "vnet_resource_group" {
type = string
}
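Review bot: The description on the new `velero_service_principal` input is copied from `principal_id` ("User, Group or Service Principal") but the module resolves it with `data.azuread_service_principal` by display name, so only a service-principal display name is valid, and because the variable has no default it is required for every storage-account instance even though only `radixvelero*` accounts receive the role. Suggest `description = "Display name of the Velero service principal granted Storage Blob Data Contributor on radixvelero* storage accounts"` and a `validation` block with `condition = length(trimspace(var.velero_service_principal)) > 0` so an empty string fails at plan time instead of surfacing as an ambiguous data-source error. Removing `priv_endpoint` and `firewall` here changes the module contract for every caller; a one-line comment near `backup` noting that network rules and the private endpoint are now always applied would save the next reader a trip through main.tf. The second hunk starts inside `variable "subnet_id"`, whose opening is outside the view.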
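--- a/terraform/subscriptions/s940/c2/common/main.tf
+++ b/terraform/subscriptions/s940/c2/common/main.tf
@@ -1,48 +1,52 @@
+module "config" {
+source = "../../../modules/config"
+}
+
 module "resourcegroups_ver1" {
 for_each = var.resource_groups_ver1
 source = "../../../modules/resourcegroups_ver1"
 name = each.value.name
-location = local.outputs.location
+location = module.config.location
 roleassignment = each.value.roleassignment
 principal_id = module.mi.data.principal_id
 role_definition_name = each.value.role_definition_name
 }
 
 module "mi" {
 source = "../../../modules/userassignedidentity"
-name = "radix-id-infrastructure-${local.outputs.enviroment}"
-location = local.outputs.location
-resource_group_name = "common-${local.outputs.enviroment}"
+name = "radix-id-infrastructure-${module.config.environment}"
+location = module.config.location
+resource_group_name = "common-${module.config.environment}"
 
 }
 
 module "backupvault" {
 source = "../../../modules/backupvaults"
-name = "Backupvault-${local.outputs.enviroment}"
-resource_group_name = "common-${local.outputs.enviroment}"
-location = local.outputs.location
+name = "Backupvault-${module.config.environment}"
+resource_group_name = "common-${module.config.environment}"
+location = module.config.location
 policyblobstoragename = "Backuppolicy-blob"
 depends_on = [module.resourcegroups_ver1]
 }
 
 module "loganalytics" {
 source = "../../../modules/log-analytics"
-workspace_name = "radix-logs-${local.outputs.enviroment}"
-resource_group_name = "common-${local.outputs.enviroment}"
-location = local.outputs.location
+workspace_name = "radix-logs-${module.config.environment}"
+resource_group_name = "common-${module.config.environment}"
+location = module.config.location
 retention_in_days = 30
 local_authentication_disabled = false
 }
 
 module "storageaccount" {
 source = "../../../modules/storageaccount"
 for_each = var.storageaccounts
-name = "radix${each.key}${local.outputs.enviroment}"
+name = "radix${each.key}${module.config.environment}"
 tier = each.value.account_tier
 account_replication_type = each.value.account_replication_type
 resource_group_name = each.value.resource_group_name
 location = each.value.location
-environment = local.outputs.enviroment
+environment = module.config.environment
 kind = each.value.kind
 change_feed_enabled = each.value.change_feed_enabled
 versioning_enabled = each.value.versioning_enabled
@@ -51,8 +55,7 @@ module "storageaccount" {
 vault_id = module.backupvault.data.backupvault.id
 policyblobstorage_id = module.backupvault.data.policyblobstorage.id
 subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id
-vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name
-priv_endpoint = each.value.private_endpoint
-firewall = each.value.firewall
+velero_service_principal = each.value.velero_service_principal
+vnet_resource_group = module.config.vnet_resource_group
 }
 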
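--- a/terraform/subscriptions/s940/c2/common/variables.tf
+++ b/terraform/subscriptions/s940/c2/common/variables.tf
@@ -31,12 +31,12 @@ variable "storageaccounts" {
 account_tier = optional(string, "Standard")
 account_replication_type = optional(string, "LRS")
 kind = optional(string, "StorageV2")
+velero_service_principal = optional(string, "ar-radix-velero-c2-prod")
 change_feed_enabled = optional(bool, false)
 versioning_enabled = optional(bool, false)
 backup = optional(bool, false)
 principal_id = optional(string)
 private_endpoint = optional(bool, false)
-firewall = optional(bool, true)
 }))
 default = {
 log = {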
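Review bot: The object type still declares `private_endpoint = optional(bool, false)` even though the caller in main.tf no longer passes it and the storageaccount module no longer accepts `priv_endpoint`, so an operator setting `private_endpoint = false` on an account is silently ignored while, as far as the module diff shows, a private endpoint is created regardless; either drop the attribute alongside `firewall`, or wire it back into the module so the flag means something again. A default like `"ar-radix-velero-c2-prod"` is a tenant-specific display name that now governs a role grant; a short comment on the line, e.g. `# Display name of the SP that receives Storage Blob Data Contributor on radixvelero* accounts`, would make that consequence visible to whoever edits it next. The `variable "storageaccounts"` block begins above the hunk.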
Expand Up @@ -19,7 +19,7 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
module "mssql-database" {
source = "../../../modules/mssqldatabase"
env = module.config.environment
managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}"
managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}"
database_name = "radix-vulnerability-scan"
server_name = "sql-radix-vulnerability-scan-${module.config.environment}-prod"
admin_adgroup = var.admin-adgroup
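--- a/terraform/subscriptions/s940/extmon/common/main.tf
+++ b/terraform/subscriptions/s940/extmon/common/main.tf
@@ -1,32 +1,36 @@
+module "config" {
+source = "../../../modules/config"
+}
+
 module "resourcegroups" {
 for_each = toset(var.resource_groups)
 source = "../../../modules/resourcegroups"
 name = each.value
-location = local.outputs.location
+location = module.config.location
 }
 
 module "mi" {
 source = "../../../modules/userassignedidentity"
-name = "radix-id-infrastructure-${local.outputs.enviroment}"
-location = local.outputs.location
-resource_group_name = "common-${local.outputs.enviroment}"
+name = "radix-id-infrastructure-${module.config.environment}"
+location = module.config.location
+resource_group_name = "common-${module.config.environment}"
 
 }
 
 module "backupvault" {
 source = "../../../modules/backupvaults"
-name = "Backupvault-${local.outputs.enviroment}"
-resource_group_name = "common-${local.outputs.enviroment}"
-location = local.outputs.location
+name = "Backupvault-${module.config.environment}"
+resource_group_name = "common-${module.config.environment}"
+location = module.config.location
 policyblobstoragename = "Backuppolicy-blob"
 depends_on = [module.resourcegroups]
 }
 
 module "loganalytics" {
 source = "../../../modules/log-analytics"
-workspace_name = "radix-logs-${local.outputs.enviroment}"
-resource_group_name = "common-${local.outputs.enviroment}"
-location = local.outputs.location
+workspace_name = "radix-logs-${module.config.environment}"
+resource_group_name = "common-${module.config.environment}"
+location = module.config.location
 retention_in_days = 30
 local_authentication_disabled = false
 }
@@ -35,12 +39,12 @@ module "loganalytics" {
 module "storageaccount" {
 source = "../../../modules/storageaccount"
 for_each = var.storageaccounts
-name = "radix${each.key}${local.outputs.enviroment}"
+name = "radix${each.key}${module.config.environment}"
 tier = each.value.account_tier
 account_replication_type = each.value.account_replication_type
 resource_group_name = each.value.resource_group_name
 location = each.value.location
-environment = local.outputs.enviroment
+environment = module.config.environment
 kind = each.value.kind
 change_feed_enabled = each.value.change_feed_enabled
 versioning_enabled = each.value.versioning_enabled
@@ -49,7 +53,6 @@ module "storageaccount" {
 vault_id = module.backupvault.data.backupvault.id
 policyblobstorage_id = module.backupvault.data.policyblobstorage.id
 subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id
-vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name
-priv_endpoint = each.value.private_endpoint
-firewall = each.value.firewall
+velero_service_principal = each.value.velero_service_principal
+vnet_resource_group = module.config.vnet_resource_group
 }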
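--- a/terraform/subscriptions/s940/extmon/common/variables.tf
+++ b/terraform/subscriptions/s940/extmon/common/variables.tf
@@ -12,12 +12,12 @@ variable "storageaccounts" {
 account_tier = optional(string, "Standard")
 account_replication_type = optional(string, "LRS")
 kind = optional(string, "StorageV2")
+velero_service_principal = optional(string, "radix-velero-prod")
 change_feed_enabled = optional(bool, false)
 versioning_enabled = optional(bool, false)
 backup = optional(bool, false)
 principal_id = optional(string)
 private_endpoint = optional(bool, false)
-firewall = optional(bool, true)
 }))
 default = {
 log = {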
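Review bot: `private_endpoint = optional(bool, false)` survives in the object type while `firewall` is removed, yet the storageaccount module no longer takes `priv_endpoint` and the caller in main.tf no longer passes it, so the flag is dead and an operator who sets it to `false` will, as far as the module diff shows, still get a private endpoint; drop the attribute or wire it back through the module. The default `"radix-velero-prod"` differs from the c2 default `"ar-radix-velero-c2-prod"`, which may well be correct per environment, but since it now selects the principal that receives Storage Blob Data Contributor a comment such as `# Display name of the SP granted Storage Blob Data Contributor on radixvelero* accounts` would document the intent. The `variable "storageaccounts"` block begins above the hunk.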