Configured managed identity for radix-log-api (#1316)

terraform/subscriptions/modules/config/main.tf

@@ -78,3 +78,7 @@ output "private_dns_zones_names" {
     "privatelink.web.core.windows.net"
   ]
 }
+
+output "radix_log_api_mi_name" {
+  value = "radix-id-log-api-${local.config.environment}"
+}

terraform/subscriptions/modules/userassignedidentity/main.tf

@@ -2,7 +2,9 @@ resource "azurerm_user_assigned_identity" "userassignedidentity" {
   name                = var.name
   location            = var.location
   resource_group_name = var.resource_group_name
-  tags                = var.tags
+  tags = {
+    IaC = "terraform"
+  }
 }
 
 resource "azurerm_role_assignment" "this" {

terraform/subscriptions/s940/c2/log-api/backend.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<=3.100.0"
+    }
+  }
+
+  backend "azurerm" {
+    tenant_id            = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+    subscription_id      = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+    resource_group_name  = "s940-tfstate"
+    storage_account_name = "s940radixinfra"
+    container_name       = "infrastructure"
+    key                  = "c2/log-api/terraform.tfstate"
+  }
+}
+
+provider "azurerm" {
+  subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+  features {
+  }
+}

terraform/subscriptions/s940/c2/log-api/main.tf

@@ -0,0 +1,28 @@
+module "config" {
+  source = "../../../modules/config"
+}
+
+data "azurerm_log_analytics_workspace" "this" {
+  name = "radix-container-logs-c2-prod"
+  resource_group_name = "logs-westeurope"
+}
+
+module "log-api-mi" {
+  source              = "../../../modules/userassignedidentity"
+  name                = module.config.radix_log_api_mi_name
+  resource_group_name = module.config.common_resource_group
+  location            = module.config.location
+  roleassignments = {
+    role = {
+      role     = "Log Analytics Reader"
+      scope_id = data.azurerm_log_analytics_workspace.this.id
+    }
+  }
+}
+
+output "mi" {
+  value = {
+    client-id = module.log-api-mi.client-id,
+    name      = module.log-api-mi.name
+  }
+}

terraform/subscriptions/s940/c2/post-clusters/log-api.tf

@@ -0,0 +1,25 @@
+data "azurerm_user_assigned_identity" "log-api-mi" {
+  resource_group_name = module.config.common_resource_group
+  name                = module.config.radix_log_api_mi_name
+}
+
+resource "azurerm_federated_identity_credential" "log-api-mi-prod" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-radix-log-api-prod-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:radix-log-api-prod:server-sa"
+  parent_id           = data.azurerm_user_assigned_identity.log-api-mi.id
+  resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}
+resource "azurerm_federated_identity_credential" "log-api-mi-qa" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-radix-log-api-qa-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:radix-log-api-qa:server-sa"
+  parent_id           = data.azurerm_user_assigned_identity.log-api-mi.id
+  resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}

terraform/subscriptions/s940/prod/log-api/backend.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<=3.100.0"
+    }
+  }
+
+  backend "azurerm" {
+    tenant_id            = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+    subscription_id      = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+    resource_group_name  = "s940-tfstate"
+    storage_account_name = "s940radixinfra"
+    container_name       = "infrastructure"
+    key                  = "prod/log-api/terraform.tfstate"
+  }
+}
+
+provider "azurerm" {
+  subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+  features {
+  }
+}

terraform/subscriptions/s940/prod/log-api/main.tf

@@ -0,0 +1,28 @@
+module "config" {
+  source = "../../../modules/config"
+}
+
+data "azurerm_log_analytics_workspace" "this" {
+  name = "radix-container-logs-prod"
+  resource_group_name = "Logs"
+}
+
+module "log-api-mi" {
+  source              = "../../../modules/userassignedidentity"
+  name                = module.config.radix_log_api_mi_name
+  resource_group_name = module.config.common_resource_group
+  location            = module.config.location
+  roleassignments = {
+    role = {
+      role     = "Log Analytics Reader"
+      scope_id = data.azurerm_log_analytics_workspace.this.id
+    }
+  }
+}
+
+output "mi" {
+  value = {
+    client-id = module.log-api-mi.client-id,
+    name      = module.log-api-mi.name
+  }
+}

terraform/subscriptions/s940/prod/post-clusters/log-api.tf

@@ -0,0 +1,25 @@
+data "azurerm_user_assigned_identity" "log-api-mi" {
+  resource_group_name = module.config.common_resource_group
+  name                = module.config.radix_log_api_mi_name
+}
+
+resource "azurerm_federated_identity_credential" "log-api-mi-prod" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-radix-log-api-prod-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:radix-log-api-prod:server-sa"
+  parent_id           = data.azurerm_user_assigned_identity.log-api-mi.id
+  resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}
+resource "azurerm_federated_identity_credential" "log-api-mi-qa" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-radix-log-api-qa-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:radix-log-api-qa:server-sa"
+  parent_id           = data.azurerm_user_assigned_identity.log-api-mi.id
+  resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}

terraform/subscriptions/s941/dev/log-api/backend.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<=3.100.0"
+    }
+  }
+
+  backend "azurerm" {
+    tenant_id            = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+    subscription_id      = "16ede44b-1f74-40a5-b428-46cca9a5741b"
+    resource_group_name  = "s941-tfstate"
+    storage_account_name = "s941radixinfra"
+    container_name       = "infrastructure"
+    key                  = "dev/log-api/terraform.tfstate"
+  }
+}
+
+provider "azurerm" {
+  subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b"
+  features {
+  }
+}

terraform/subscriptions/s941/dev/log-api/main.tf

@@ -0,0 +1,28 @@
+module "config" {
+  source = "../../../modules/config"
+}
+
+data "azurerm_log_analytics_workspace" "this" {
+  name = "radix-container-logs-dev"
+  resource_group_name = "Logs-Dev"
+}
+
+module "log-api-mi" {
+  source              = "../../../modules/userassignedidentity"
+  name                = module.config.radix_log_api_mi_name
+  resource_group_name = module.config.common_resource_group
+  location            = module.config.location
+  roleassignments = {
+    role = {
+      role     = "Log Analytics Reader"
+      scope_id = data.azurerm_log_analytics_workspace.this.id
+    }
+  }
+}
+
+output "mi" {
+  value = {
+    client-id = module.log-api-mi.client-id,
+    name      = module.log-api-mi.name
+  }
+}

terraform/subscriptions/s941/dev/post-clusters/log-api.tf

@@ -0,0 +1,25 @@
+data "azurerm_user_assigned_identity" "log-api-mi" {
+  resource_group_name = module.config.common_resource_group
+  name                = module.config.radix_log_api_mi_name
+}
+
+resource "azurerm_federated_identity_credential" "log-api-mi-prod" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-radix-log-api-prod-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:radix-log-api-prod:server-sa"
+  parent_id           = data.azurerm_user_assigned_identity.log-api-mi.id
+  resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}
+resource "azurerm_federated_identity_credential" "log-api-mi-qa" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-radix-log-api-qa-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:radix-log-api-qa:server-sa"
+  parent_id           = data.azurerm_user_assigned_identity.log-api-mi.id
+  resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}

terraform/subscriptions/s941/playground/log-api/backend.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<=3.100.0"
+    }
+  }
+
+  backend "azurerm" {
+    tenant_id            = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+    subscription_id      = "16ede44b-1f74-40a5-b428-46cca9a5741b"
+    resource_group_name  = "s941-tfstate"
+    storage_account_name = "s941radixinfra"
+    container_name       = "infrastructure"
+    key                  = "playground/log-api/terraform.tfstate"
+  }
+}
+
+provider "azurerm" {
+  subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b"
+  features {
+  }
+}

terraform/subscriptions/s941/playground/log-api/main.tf

@@ -0,0 +1,28 @@
+module "config" {
+  source = "../../../modules/config"
+}
+
+data "azurerm_log_analytics_workspace" "this" {
+  name = "radix-container-logs-playground"
+  resource_group_name = "Logs-Dev"
+}
+
+module "log-api-mi" {
+  source              = "../../../modules/userassignedidentity"
+  name                = module.config.radix_log_api_mi_name
+  resource_group_name = module.config.common_resource_group
+  location            = module.config.location
+  roleassignments = {
+    role = {
+      role     = "Log Analytics Reader"
+      scope_id = data.azurerm_log_analytics_workspace.this.id
+    }
+  }
+}
+
+output "mi" {
+  value = {
+    client-id = module.log-api-mi.client-id,
+    name      = module.log-api-mi.name
+  }
+}

terraform/subscriptions/s941/playground/post-clusters/log-api.tf

@@ -0,0 +1,25 @@
+data "azurerm_user_assigned_identity" "log-api-mi" {
+  resource_group_name = module.config.common_resource_group
+  name                = module.config.radix_log_api_mi_name
+}
+
+resource "azurerm_federated_identity_credential" "log-api-mi-prod" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-radix-log-api-prod-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:radix-log-api-prod:server-sa"
+  parent_id           = data.azurerm_user_assigned_identity.log-api-mi.id
+  resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}
+resource "azurerm_federated_identity_credential" "log-api-mi-qa" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-radix-log-api-qa-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:radix-log-api-qa:server-sa"
+  parent_id           = data.azurerm_user_assigned_identity.log-api-mi.id
+  resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}