From b7e54ca2e861737d205437f74492ae5f97179686 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nils=20Gustav=20Str=C3=A5b=C3=B8?= <65334626+nilsgstrabo@users.noreply.github.com> Date: Fri, 26 Apr 2024 14:13:02 +0200 Subject: [PATCH] Configured managed identity for radix-log-api (#1316) --- .../subscriptions/modules/config/main.tf | 4 +++ .../modules/userassignedidentity/main.tf | 4 ++- .../subscriptions/s940/c2/log-api/backend.tf | 23 +++++++++++++++ .../subscriptions/s940/c2/log-api/main.tf | 28 +++++++++++++++++++ .../s940/c2/post-clusters/log-api.tf | 25 +++++++++++++++++ .../s940/prod/log-api/backend.tf | 23 +++++++++++++++ .../subscriptions/s940/prod/log-api/main.tf | 28 +++++++++++++++++++ .../s940/prod/post-clusters/log-api.tf | 25 +++++++++++++++++ .../subscriptions/s941/dev/log-api/backend.tf | 23 +++++++++++++++ .../subscriptions/s941/dev/log-api/main.tf | 28 +++++++++++++++++++ .../s941/dev/post-clusters/log-api.tf | 25 +++++++++++++++++ .../s941/playground/log-api/backend.tf | 23 +++++++++++++++ .../s941/playground/log-api/main.tf | 28 +++++++++++++++++++ .../s941/playground/post-clusters/log-api.tf | 25 +++++++++++++++++ 14 files changed, 311 insertions(+), 1 deletion(-) create mode 100644 terraform/subscriptions/s940/c2/log-api/backend.tf create mode 100644 terraform/subscriptions/s940/c2/log-api/main.tf create mode 100644 terraform/subscriptions/s940/c2/post-clusters/log-api.tf create mode 100644 terraform/subscriptions/s940/prod/log-api/backend.tf create mode 100644 terraform/subscriptions/s940/prod/log-api/main.tf create mode 100644 terraform/subscriptions/s940/prod/post-clusters/log-api.tf create mode 100644 terraform/subscriptions/s941/dev/log-api/backend.tf create mode 100644 terraform/subscriptions/s941/dev/log-api/main.tf create mode 100644 terraform/subscriptions/s941/dev/post-clusters/log-api.tf create mode 100644 terraform/subscriptions/s941/playground/log-api/backend.tf create mode 100644 terraform/subscriptions/s941/playground/log-api/main.tf create mode 100644 
terraform/subscriptions/s941/playground/post-clusters/log-api.tf
diff --git a/terraform/subscriptions/modules/config/main.tf b/terraform/subscriptions/modules/config/main.tf
index c04478133..de5700884 100644
--- a/terraform/subscriptions/modules/config/main.tf
+++ b/terraform/subscriptions/modules/config/main.tf
@@ -78,3 +78,7 @@ output "private_dns_zones_names" {
 "privatelink.web.core.windows.net"
 ]
 }
+
+output "radix_log_api_mi_name" {
+ value = "radix-id-log-api-${local.config.environment}"
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/userassignedidentity/main.tf b/terraform/subscriptions/modules/userassignedidentity/main.tf
index 17c1a3e36..e3d110ae7 100644
--- a/terraform/subscriptions/modules/userassignedidentity/main.tf
+++ b/terraform/subscriptions/modules/userassignedidentity/main.tf
@@ -2,7 +2,9 @@ resource "azurerm_user_assigned_identity" "userassignedidentity" {
 name = var.name
 location = var.location
 resource_group_name = var.resource_group_name
- tags = var.tags
+ tags = {
+ IaC = "terraform"
+ }
 }
 resource "azurerm_role_assignment" "this" {
diff --git a/terraform/subscriptions/s940/c2/log-api/backend.tf b/terraform/subscriptions/s940/c2/log-api/backend.tf
new file mode 100644
index 000000000..1797d72c2
--- /dev/null
+++ b/terraform/subscriptions/s940/c2/log-api/backend.tf
@@ -0,0 +1,23 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<=3.100.0"
+ }
+ }
+
+ backend "azurerm" {
+ tenant_id = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+ subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+ resource_group_name = "s940-tfstate"
+ storage_account_name = "s940radixinfra"
+ container_name = "infrastructure"
+ key = "c2/log-api/terraform.tfstate"
+ }
+}
+
+provider "azurerm" {
+ subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+ features {
+ }
+}
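Review bot: The `tags` argument on `azurerm_user_assigned_identity` now silently ignores whatever a caller passes, because `tags = var.tags` is replaced by a fixed `{ IaC = "terraform" }` while the `tags` input (declared outside this hunk, presumably in the module's variables file) is left in place as a dead input. Any identity already created through this module with other tags will have them stripped on the next apply, and callers still setting `tags` get no error. If the intent is only to guarantee the IaC marker, `tags = merge(var.tags, { IaC = "terraform" })` keeps both; otherwise remove the `tags` variable as well so the module interface matches its behaviour. The `azurerm_role_assignment` resource that starts on the last line of this hunk has its body outside it.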
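Review bot: The `backend "azurerm"` block does not set `use_azuread_auth`, so unless `ARM_USE_AZUREAD` is exported by the pipeline the state container on `s940radixinfra` is accessed with the storage account's shared key rather than through Entra ID RBAC, and the provider constraint `version = "<=3.100.0"` has no lower bound, so `terraform init` may resolve any older azurerm release unless a `.terraform.lock.hcl` (absent from this patch's diffstat) pins it. Add `use_azuread_auth = true` to the backend block, assuming the identity running this stack holds a Storage Blob Data role on the container, change the constraint to `version = "~> 3.100.0"` or an exact pin, and commit the lockfile so the provider hash is fixed. The same backend block is repeated in the prod, dev and playground `log-api/backend.tf` files added by this patch, so the change applies to all four copies.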
diff --git a/terraform/subscriptions/s940/c2/log-api/main.tf b/terraform/subscriptions/s940/c2/log-api/main.tf
new file mode 100644
index 000000000..bee236cc4
--- /dev/null
+++ b/terraform/subscriptions/s940/c2/log-api/main.tf
@@ -0,0 +1,28 @@
+module "config" {
+ source = "../../../modules/config"
+}
+
+data "azurerm_log_analytics_workspace" "this" {
+ name = "radix-container-logs-c2-prod"
+ resource_group_name = "logs-westeurope"
+}
+
+module "log-api-mi" {
+ source = "../../../modules/userassignedidentity"
+ name = module.config.radix_log_api_mi_name
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ roleassignments = {
+ role = {
+ role = "Log Analytics Reader"
+ scope_id = data.azurerm_log_analytics_workspace.this.id
+ }
+ }
+}
+
+output "mi" {
+ value = {
+ client-id = module.log-api-mi.client-id,
+ name = module.log-api-mi.name
+ }
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/s940/c2/post-clusters/log-api.tf b/terraform/subscriptions/s940/c2/post-clusters/log-api.tf
new file mode 100644
index 000000000..169b277e6
--- /dev/null
+++ b/terraform/subscriptions/s940/c2/post-clusters/log-api.tf
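Review bot: The `Log Analytics Reader` assignment inside `module "log-api-mi"` is scoped to the whole `radix-container-logs-c2-prod` workspace (`scope_id = data.azurerm_log_analytics_workspace.this.id`), which lets the identity run queries against every table in that workspace, not only the container log tables the log API presumably serves. If the workspace also receives other data, narrow the grant with table-level RBAC or a resource-context scope; if it holds container logs only, say so next to the role entry, e.g. `# Workspace holds only container logs, so workspace-wide reader is the narrowest useful scope`. Either way the reasoning belongs in the file, since a reader of the plan output sees only a workspace-scoped reader role.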
@@ -0,0 +1,25 @@
+data "azurerm_user_assigned_identity" "log-api-mi" {
+ resource_group_name = module.config.common_resource_group
+ name = module.config.radix_log_api_mi_name
+}
+
+resource "azurerm_federated_identity_credential" "log-api-mi-prod" {
+ for_each = module.clusters.oidc_issuer_url
+
+ audience = ["api://AzureADTokenExchange"]
+ name = "k8s-radix-log-api-prod-${each.key}-${module.config.environment}"
+ issuer = each.value
+ subject = "system:serviceaccount:radix-log-api-prod:server-sa"
+ parent_id = data.azurerm_user_assigned_identity.log-api-mi.id
+ resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}
+resource "azurerm_federated_identity_credential" "log-api-mi-qa" {
+ for_each = module.clusters.oidc_issuer_url
+
+ audience = ["api://AzureADTokenExchange"]
+ name = "k8s-radix-log-api-qa-${each.key}-${module.config.environment}"
+ issuer = each.value
+ subject = "system:serviceaccount:radix-log-api-qa:server-sa"
+ parent_id = data.azurerm_user_assigned_identity.log-api-mi.id
+ resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}
diff --git a/terraform/subscriptions/s940/prod/log-api/backend.tf b/terraform/subscriptions/s940/prod/log-api/backend.tf
new file mode 100644
index 000000000..20f937bc0
--- /dev/null
+++ b/terraform/subscriptions/s940/prod/log-api/backend.tf
@@ -0,0 +1,23 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<=3.100.0"
+ }
+ }
+
+ backend "azurerm" {
+ tenant_id = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+ subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+ resource_group_name = "s940-tfstate"
+ storage_account_name = "s940radixinfra"
+ container_name = "infrastructure"
+ key = "prod/log-api/terraform.tfstate"
+ }
+}
+
+provider "azurerm" {
+ subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
+ features {
+ }
+}
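Review bot: Both federated credentials (`log-api-mi-prod` and `log-api-mi-qa`) hang off the same `parent_id`, so the `server-sa` account in the `radix-log-api-qa` namespace receives exactly the production identity's `Log Analytics Reader` access, and a compromise of the QA deployment reads the same logs as prod. If sharing one read-only identity across both Radix environments is deliberate, record it on the `log-api-mi-qa` resource, e.g. `# QA shares the prod identity: both need only read access to the same workspace`; otherwise a second identity for QA is the least-privilege option. Note also that the `for_each` over `module.clusters.oidc_issuer_url` trusts every cluster issuer in this environment, which is presumably intended so the API keeps working across cluster migrations but is worth a word in the same comment.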
diff --git a/terraform/subscriptions/s940/prod/log-api/main.tf b/terraform/subscriptions/s940/prod/log-api/main.tf
new file mode 100644
index 000000000..9e7d5b940
--- /dev/null
+++ b/terraform/subscriptions/s940/prod/log-api/main.tf
@@ -0,0 +1,28 @@
+module "config" {
+ source = "../../../modules/config"
+}
+
+data "azurerm_log_analytics_workspace" "this" {
+ name = "radix-container-logs-prod"
+ resource_group_name = "Logs"
+}
+
+module "log-api-mi" {
+ source = "../../../modules/userassignedidentity"
+ name = module.config.radix_log_api_mi_name
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ roleassignments = {
+ role = {
+ role = "Log Analytics Reader"
+ scope_id = data.azurerm_log_analytics_workspace.this.id
+ }
+ }
+}
+
+output "mi" {
+ value = {
+ client-id = module.log-api-mi.client-id,
+ name = module.log-api-mi.name
+ }
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/s940/prod/post-clusters/log-api.tf b/terraform/subscriptions/s940/prod/post-clusters/log-api.tf
new file mode 100644
index 000000000..169b277e6
--- /dev/null
+++ b/terraform/subscriptions/s940/prod/post-clusters/log-api.tf
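Review bot: Neither `module "log-api-mi"` nor the `output "mi"` carries any explanation of what the identity is for, where its workload-identity trust is established, or who consumes `client-id`, so the next maintainer has to grep the repository to connect this file with the `post-clusters/log-api.tf` added in the same patch. Suggested header above the module call: `# User-assigned identity for radix-log-api; its federated credentials are created in ../post-clusters/log-api.tf once the clusters exist`, plus a `description` on the output such as `description = "Client ID of the log API identity, presumably used by the log API deployment's workload identity binding"`. The workspace lookup (`radix-container-logs-prod` in `Logs`) also differs from the `logs-westeurope` group used by the c2 stack in this patch, so one line on why the two environments diverge would save a question later.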
@@ -0,0 +1,25 @@
+data "azurerm_user_assigned_identity" "log-api-mi" {
+ resource_group_name = module.config.common_resource_group
+ name = module.config.radix_log_api_mi_name
+}
+
+resource "azurerm_federated_identity_credential" "log-api-mi-prod" {
+ for_each = module.clusters.oidc_issuer_url
+
+ audience = ["api://AzureADTokenExchange"]
+ name = "k8s-radix-log-api-prod-${each.key}-${module.config.environment}"
+ issuer = each.value
+ subject = "system:serviceaccount:radix-log-api-prod:server-sa"
+ parent_id = data.azurerm_user_assigned_identity.log-api-mi.id
+ resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}
+resource "azurerm_federated_identity_credential" "log-api-mi-qa" {
+ for_each = module.clusters.oidc_issuer_url
+
+ audience = ["api://AzureADTokenExchange"]
+ name = "k8s-radix-log-api-qa-${each.key}-${module.config.environment}"
+ issuer = each.value
+ subject = "system:serviceaccount:radix-log-api-qa:server-sa"
+ parent_id = data.azurerm_user_assigned_identity.log-api-mi.id
+ resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}
diff --git a/terraform/subscriptions/s941/dev/log-api/backend.tf b/terraform/subscriptions/s941/dev/log-api/backend.tf
new file mode 100644
index 000000000..136a22d10
--- /dev/null
+++ b/terraform/subscriptions/s941/dev/log-api/backend.tf
@@ -0,0 +1,23 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<=3.100.0"
+ }
+ }
+
+ backend "azurerm" {
+ tenant_id = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+ subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b"
+ resource_group_name = "s941-tfstate"
+ storage_account_name = "s941radixinfra"
+ container_name = "infrastructure"
+ key = "dev/log-api/terraform.tfstate"
+ }
+}
+
+provider "azurerm" {
+ subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b"
+ features {
+ }
+}
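Review bot: The `data "azurerm_user_assigned_identity" "log-api-mi"` lookup makes this stack depend on the separate `prod/log-api` root module having been applied first, and nothing in the file records that ordering, so a fresh apply of post-clusters before log-api fails at plan time with a not-found error rather than a clear message. Add `# Requires ../log-api to be applied first: the identity is created there, only its federated credentials live in this stack` above the data source. The resource names embed `${module.config.environment}` even though this stack is already per-environment; that is harmless, but since a name change recreates the credential it is worth a comment stating that the naming scheme is intentionally fixed.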
diff --git a/terraform/subscriptions/s941/dev/log-api/main.tf b/terraform/subscriptions/s941/dev/log-api/main.tf
new file mode 100644
index 000000000..07053cf3b
--- /dev/null
+++ b/terraform/subscriptions/s941/dev/log-api/main.tf
@@ -0,0 +1,28 @@
+module "config" {
+ source = "../../../modules/config"
+}
+
+data "azurerm_log_analytics_workspace" "this" {
+ name = "radix-container-logs-dev"
+ resource_group_name = "Logs-Dev"
+}
+
+module "log-api-mi" {
+ source = "../../../modules/userassignedidentity"
+ name = module.config.radix_log_api_mi_name
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ roleassignments = {
+ role = {
+ role = "Log Analytics Reader"
+ scope_id = data.azurerm_log_analytics_workspace.this.id
+ }
+ }
+}
+
+output "mi" {
+ value = {
+ client-id = module.log-api-mi.client-id,
+ name = module.log-api-mi.name
+ }
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/s941/dev/post-clusters/log-api.tf b/terraform/subscriptions/s941/dev/post-clusters/log-api.tf
new file mode 100644
index 000000000..169b277e6
--- /dev/null
+++ b/terraform/subscriptions/s941/dev/post-clusters/log-api.tf
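Review bot: The `roleassignments` map passed to `module "log-api-mi"` uses the placeholder key `role` for its single entry, and if the module's `azurerm_role_assignment.this` iterates that map with `for_each` (its body is outside this patch) that key becomes part of the resource address shown in every plan. A descriptive key such as `log_analytics_reader = {` costs nothing and makes `module.log-api-mi.azurerm_role_assignment.this["log_analytics_reader"]` self-explanatory; the same placeholder appears in the c2, prod and playground copies of this file. If the key is renamed later, after apply, it forces a destroy-and-create of the assignment, so it is best settled now while the resources are new.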
@@ -0,0 +1,25 @@
+data "azurerm_user_assigned_identity" "log-api-mi" {
+ resource_group_name = module.config.common_resource_group
+ name = module.config.radix_log_api_mi_name
+}
+
+resource "azurerm_federated_identity_credential" "log-api-mi-prod" {
+ for_each = module.clusters.oidc_issuer_url
+
+ audience = ["api://AzureADTokenExchange"]
+ name = "k8s-radix-log-api-prod-${each.key}-${module.config.environment}"
+ issuer = each.value
+ subject = "system:serviceaccount:radix-log-api-prod:server-sa"
+ parent_id = data.azurerm_user_assigned_identity.log-api-mi.id
+ resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}
+resource "azurerm_federated_identity_credential" "log-api-mi-qa" {
+ for_each = module.clusters.oidc_issuer_url
+
+ audience = ["api://AzureADTokenExchange"]
+ name = "k8s-radix-log-api-qa-${each.key}-${module.config.environment}"
+ issuer = each.value
+ subject = "system:serviceaccount:radix-log-api-qa:server-sa"
+ parent_id = data.azurerm_user_assigned_identity.log-api-mi.id
+ resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}
diff --git a/terraform/subscriptions/s941/playground/log-api/backend.tf b/terraform/subscriptions/s941/playground/log-api/backend.tf
new file mode 100644
index 000000000..64102b832
--- /dev/null
+++ b/terraform/subscriptions/s941/playground/log-api/backend.tf
@@ -0,0 +1,23 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<=3.100.0"
+ }
+ }
+
+ backend "azurerm" {
+ tenant_id = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+ subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b"
+ resource_group_name = "s941-tfstate"
+ storage_account_name = "s941radixinfra"
+ container_name = "infrastructure"
+ key = "playground/log-api/terraform.tfstate"
+ }
+}
+
+provider "azurerm" {
+ subscription_id = "16ede44b-1f74-40a5-b428-46cca9a5741b"
+ features {
+ }
+}
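Review bot: The `log-api-mi-prod` and `log-api-mi-qa` resources are identical except for the namespace baked into `name` and `subject`, so every additional Radix environment for the log API means copying nine more lines and the two trust sets can drift apart unnoticed; a single resource keyed by namespace × cluster states the trust set once. The rewrite below yields the same `name`, `subject` and `issuer` values as the two originals (a namespace of `radix-log-api-prod` produces `k8s-radix-log-api-prod-<cluster>-<env>`), only the Terraform resource addresses change, which is free while the resources are new in this patch but would need `moved` blocks once applied. The `data` lookup at the top of the file is unchanged.

```hcl
# … unchanged: data "azurerm_user_assigned_identity" "log-api-mi" …

locals {
  # Radix namespaces whose server-sa ServiceAccount may exchange tokens for the log API identity
  log_api_namespaces = ["radix-log-api-prod", "radix-log-api-qa"]
}

# One federated credential per (namespace, cluster issuer) pair
resource "azurerm_federated_identity_credential" "log-api-mi" {
  for_each = {
    for pair in setproduct(local.log_api_namespaces, keys(module.clusters.oidc_issuer_url)) :
    "${pair[0]}-${pair[1]}" => { namespace = pair[0], cluster = pair[1] }
  }

  audience            = ["api://AzureADTokenExchange"]
  name                = "k8s-${each.value.namespace}-${each.value.cluster}-${module.config.environment}"
  issuer              = module.clusters.oidc_issuer_url[each.value.cluster]
  subject             = "system:serviceaccount:${each.value.namespace}:server-sa"
  parent_id           = data.azurerm_user_assigned_identity.log-api-mi.id
  resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
}
```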
diff --git a/terraform/subscriptions/s941/playground/log-api/main.tf b/terraform/subscriptions/s941/playground/log-api/main.tf
new file mode 100644
index 000000000..2c0d48d9e
--- /dev/null
+++ b/terraform/subscriptions/s941/playground/log-api/main.tf
@@ -0,0 +1,28 @@
+module "config" {
+ source = "../../../modules/config"
+}
+
+data "azurerm_log_analytics_workspace" "this" {
+ name = "radix-container-logs-playground"
+ resource_group_name = "Logs-Dev"
+}
+
+module "log-api-mi" {
+ source = "../../../modules/userassignedidentity"
+ name = module.config.radix_log_api_mi_name
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ roleassignments = {
+ role = {
+ role = "Log Analytics Reader"
+ scope_id = data.azurerm_log_analytics_workspace.this.id
+ }
+ }
+}
+
+output "mi" {
+ value = {
+ client-id = module.log-api-mi.client-id,
+ name = module.log-api-mi.name
+ }
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/s941/playground/post-clusters/log-api.tf b/terraform/subscriptions/s941/playground/post-clusters/log-api.tf
new file mode 100644
index 000000000..169b277e6
--- /dev/null
+++ b/terraform/subscriptions/s941/playground/post-clusters/log-api.tf
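Review bot: The file ends without a trailing newline (`\ No newline at end of file`), as do the c2, prod and dev copies of `log-api/main.tf` and the `modules/config/main.tf` change in this patch, which `terraform fmt` would fix and which makes every later append show up as a two-line diff. Run `terraform fmt` over the new directories before merging, and if the repository has a `terraform fmt -check` step in CI it should have caught this; if it does not, adding one is the cheaper fix. The `client-id` in `output "mi"` has no `description`, so a one-liner such as `description = "Client ID of the log API identity; consumed by the playground log API deployment"` would tell readers why the value is exported.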
@@ -0,0 +1,25 @@
+data "azurerm_user_assigned_identity" "log-api-mi" {
+ resource_group_name = module.config.common_resource_group
+ name = module.config.radix_log_api_mi_name
+}
+
+resource "azurerm_federated_identity_credential" "log-api-mi-prod" {
+ for_each = module.clusters.oidc_issuer_url
+
+ audience = ["api://AzureADTokenExchange"]
+ name = "k8s-radix-log-api-prod-${each.key}-${module.config.environment}"
+ issuer = each.value
+ subject = "system:serviceaccount:radix-log-api-prod:server-sa"
+ parent_id = data.azurerm_user_assigned_identity.log-api-mi.id
+ resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}
+resource "azurerm_federated_identity_credential" "log-api-mi-qa" {
+ for_each = module.clusters.oidc_issuer_url
+
+ audience = ["api://AzureADTokenExchange"]
+ name = "k8s-radix-log-api-qa-${each.key}-${module.config.environment}"
+ issuer = each.value
+ subject = "system:serviceaccount:radix-log-api-qa:server-sa"
+ parent_id = data.azurerm_user_assigned_identity.log-api-mi.id
+ resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
+}
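Review bot: Each federated credential accepts any token whose `subject` is `system:serviceaccount:radix-log-api-qa:server-sa` (or the prod equivalent) from any issuer in `module.clusters.oidc_issuer_url`, so the effective security boundary is Kubernetes RBAC on who may create or run pods as that ServiceAccount in those two namespaces, and nothing in the hunk records that assumption. Add above the first resource: `# Trust is bounded only by RBAC on the server-sa ServiceAccount in the radix-log-api-* namespaces; anything that can run a pod as that SA can use this identity`. In the playground environment, confirm both the `radix-log-api-prod` and `radix-log-api-qa` namespaces actually exist, since a credential for a namespace that is never deployed is still a live trust relationship that a future namespace of that name would inherit.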