Merge pull request #1 from kaizentm/eedorenko/levels

Eedorenko/levels

.github/workflows/deploy-secure-aks-baseline.yaml

@@ -20,9 +20,8 @@ env:
   ARM_TENANT_ID: ${{ secrets.TENANT }}
   PREFIX: ${{ secrets.RESOURCE_PREFIX }} 
   ENVIRONMENT: ${{ secrets.ENVIRONMENT }}
-  TF_VAR_github_repo: ${{ github.repository }}  
   TF_VAR_github_owner: ${{ github.repository_owner }}  
-  TF_VAR_github_token: ${{secrets.GITHUB_PAT}}
+  TF_VAR_github_token: ${{secrets.FLUX_TOKEN}}
 
 jobs:
   deploy-launchpad:

.pipelines/deploy-secure-aks-baseline.yaml

@@ -0,0 +1,232 @@
+trigger: none
+
+variables:
+  - group: iac-secure-caf
+
+resources:
+  containers:
+  - container: rover
+    image: $(ROVER_IMAGE)
+    options: --user 0:0 -e TF_PLUGIN_CACHE_DIR="/home/vsts_azpcontainer/plugin-cache" -e TF_DATA_DIR="/home/vsts_azpcontainer"
+
+stages:
+- stage: deploy_launchpad
+  jobs:
+  - job: deploy_launchpad
+    displayName: "Deploy Launchpad"
+    container: rover
+
+    steps:
+      - task: AzureCLI@2
+        displayName: Deploy Launchpad
+        name: deploy_launchpad
+        inputs:
+          azureSubscription: $(AZURE_SERVICE_NAME)
+          scriptLocation: inlineScript
+          scriptType: bash
+          inlineScript: |
+            cp -rs $(Build.SourcesDirectory)/* /tf/caf && cp -r $(Build.SourcesDirectory)/.devcontainer /tf/caf/                 
+            . /tf/caf/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
+            echo "##vso[task.setvariable variable=LAUNCHPAD_PREFIX;isOutput=true]$LAUNCHPAD_PREFIX"
+        env:
+          ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+
+      - task: GoTool@0
+        displayName: 'Use Go 1.15'   
+        inputs:
+          version: '1.15' 
+      - task: AzureCLI@2
+        displayName: Launchpad Test        
+        inputs:
+          azureSubscription: $(AZURE_SERVICE_NAME)
+          scriptLocation: inlineScript
+          scriptType: bash
+          inlineScript: |
+            cd /tf/caf/enterprise_scale/construction_sets/aks/test
+            ./run_test.sh level0_launchpad/launchpad_test.go
+        env:
+          LAUNCHPAD_PREFIX: $(deploy_launchpad.LAUNCHPAD_PREFIX)
+
+- stage: deploy_foundation
+  jobs:
+  - job: deploy_foundation
+    displayName: "Deploy Foundation"
+    container: rover
+
+    steps:
+      - task: AzureCLI@2
+        displayName: Deploy Foundation
+        name: deploy_foundation
+        inputs:
+          azureSubscription: $(AZURE_SERVICE_NAME)
+          scriptLocation: inlineScript
+          scriptType: bash
+          inlineScript: |
+            cp -rs $(Build.SourcesDirectory)/* /tf/caf && cp -r $(Build.SourcesDirectory)/.devcontainer /tf/caf/            
+            cd /tf/caf/enterprise_scale/construction_sets/aks
+            ./scripts/deploy_level_with_rover.sh 1_foundation level1
+        env:
+          ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+          TF_VAR_github_token: $(TF_VAR_GITHUB_TOKEN)
+
+      - task: GoTool@0
+        displayName: 'Use Go 1.15'   
+        inputs:
+          version: '1.15' 
+      - task: AzureCLI@2
+        displayName: Foundation Test        
+        inputs:
+          azureSubscription: $(AZURE_SERVICE_NAME)
+          scriptLocation: inlineScript
+          scriptType: bash
+          inlineScript: |
+            cd /tf/caf/enterprise_scale/construction_sets/aks/test
+            ./run_test.sh level1_foundation/level1_foundation_test.go
+
+- stage: deploy_shared_services
+  jobs:
+  - job: deploy_shared_services
+    displayName: "Deploy Shared Services"
+    container: rover
+
+    steps:
+      - task: AzureCLI@2
+        displayName: Deploy Shared Services
+        name: deploy_shared_services
+        inputs:
+          azureSubscription: $(AZURE_SERVICE_NAME)
+          scriptLocation: inlineScript
+          scriptType: bash
+          inlineScript: |
+            cp -rs $(Build.SourcesDirectory)/* /tf/caf && cp -r $(Build.SourcesDirectory)/.devcontainer /tf/caf/            
+            cd /tf/caf/enterprise_scale/construction_sets/aks
+            ./scripts/deploy_level_with_rover.sh 2_shared_services level2
+        env:
+          ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+          TF_VAR_github_token: $(TF_VAR_GITHUB_TOKEN)
+
+      - task: GoTool@0
+        displayName: 'Use Go 1.15'   
+        inputs:
+          version: '1.15' 
+      - task: AzureCLI@2
+        displayName: Srared Services Test        
+        inputs:
+          azureSubscription: $(AZURE_SERVICE_NAME)
+          scriptLocation: inlineScript
+          scriptType: bash
+          inlineScript: |
+            cd /tf/caf/enterprise_scale/construction_sets/aks/test
+            ./run_test.sh level2_shared_services/level2_shared_services_test.go
+
+- stage: deploy_networking
+  jobs:
+  - job: deploy_networking
+    displayName: "Deploy Networking"
+    container: rover
+
+    steps:
+      - task: AzureCLI@2
+        displayName: Deploy Networking
+        name: deploy_networking
+        inputs:
+          azureSubscription: $(AZURE_SERVICE_NAME)
+          scriptLocation: inlineScript
+          scriptType: bash
+          inlineScript: |
+            cp -rs $(Build.SourcesDirectory)/* /tf/caf && cp -r $(Build.SourcesDirectory)/.devcontainer /tf/caf/            
+            cd /tf/caf/enterprise_scale/construction_sets/aks
+            ./scripts/deploy_level_with_rover.sh 2_networking level2
+        env:
+          ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+          TF_VAR_github_token: $(TF_VAR_GITHUB_TOKEN)
+
+      - task: GoTool@0
+        displayName: 'Use Go 1.15'   
+        inputs:
+          version: '1.15' 
+      - task: AzureCLI@2
+        displayName: Networking Test        
+        inputs:
+          azureSubscription: $(AZURE_SERVICE_NAME)
+          scriptLocation: inlineScript
+          scriptType: bash
+          inlineScript: |
+            echo "Invoke integration test"
+
+- stage: deploy_aks
+  jobs:
+  - job: deploy_aks
+    displayName: "Deploy AKS"
+    container: rover
+
+    steps:
+      - task: AzureCLI@2
+        displayName: Deploy AKS
+        name: deploy_aks
+        inputs:
+          azureSubscription: $(AZURE_SERVICE_NAME)
+          scriptLocation: inlineScript
+          scriptType: bash
+          inlineScript: |
+            cp -rs $(Build.SourcesDirectory)/* /tf/caf && cp -r $(Build.SourcesDirectory)/.devcontainer /tf/caf/            
+            cd /tf/caf/enterprise_scale/construction_sets/aks
+            ./scripts/deploy_level_with_rover.sh 3_aks level3
+        env:
+          ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+          TF_VAR_github_token: $(TF_VAR_GITHUB_TOKEN)
+
+      - task: GoTool@0
+        displayName: 'Use Go 1.15'   
+        inputs:
+          version: '1.15' 
+      - task: AzureCLI@2
+        displayName: AKS Test        
+        inputs:
+          azureSubscription: $(AZURE_SERVICE_NAME)
+          scriptLocation: inlineScript
+          scriptType: bash
+          inlineScript: |
+            cd /tf/caf/enterprise_scale/construction_sets/aks/test
+            ./run_test.sh level3_aks/level3_aks_test.go
+
+- stage: deploy_flux
+  jobs:
+  - job: deploy_flux
+    displayName: "Deploy Flux"
+    container: rover
+
+    steps:
+      - task: AzureCLI@2
+        displayName: Deploy Flux
+        name: deploy_flux
+        inputs:
+          azureSubscription: $(AZURE_SERVICE_NAME)
+          scriptLocation: inlineScript
+          scriptType: bash
+          inlineScript: |
+            cp -rs $(Build.SourcesDirectory)/* /tf/caf && cp -r $(Build.SourcesDirectory)/.devcontainer /tf/caf/            
+            cd /tf/caf/enterprise_scale/construction_sets/aks
+            env
+            ./scripts/deploy_level_with_rover.sh 4_flux level4
+            echo $(terraform output -json | jq -r .aks_clusters_kubeconfig.value.cluster_re1.aks_kubeconfig_admin_cmd) | bash
+        env:
+          ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+          TF_VAR_github_token: $(TF_VAR_GITHUB_TOKEN)
+          TF_VAR_github_owner: $(TF_VAR_GITHUB_OWNER)
+
+      - task: GoTool@0
+        displayName: 'Use Go 1.15'   
+        inputs:
+          version: '1.15' 
+      - task: AzureCLI@2
+        displayName: Flux Test        
+        inputs:
+          azureSubscription: $(AZURE_SERVICE_NAME)
+          scriptLocation: inlineScript
+          scriptType: bash
+          inlineScript: |
+            cd /tf/caf/enterprise_scale/construction_sets/aks/test
+            ./run_test.sh level4_flux/level4_flux_test.go
+        env:
+          KUBECONFIGPATH: /home/vsts_azpcontainer/.kube/config

caf

@@ -0,0 +1 @@
+/tf/caf

enterprise_scale/construction_sets/aks/flux.tf

@@ -0,0 +1,133 @@
+provider "flux" {}
+
+provider "kubectl" {
+ host                   = module.caf.aks_clusters == null ? null : module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host
+ client_key             = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key)
+ client_certificate     = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate)
+ cluster_ca_certificate = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate)  
+}
+
+provider "kubernetes" {
+ host                   = module.caf.aks_clusters == null ? null : module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host
+ client_key             = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key)
+ client_certificate     = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate)
+ cluster_ca_certificate = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate)  
+}
+
+provider "github"  {
+  alias = "flux"
+  owner = var.github_owner
+  token = var.github_token
+}
+
+data "flux_install" "main" {
+  target_path = var.target_install_path
+}
+
+data "flux_sync" "main" {    
+  target_path = var.target_sync_path
+  url         = "https://github.com/${var.github_owner}/${var.repository_name}.git"
+  branch      = var.branch   
+  secret      = var.flux_auth_secret
+}
+
+# Kubernetes
+resource "kubernetes_namespace" "flux-system" {
+  count = var.flux_namespace == "" ? 0 : 1 
+  metadata {
+    name = var.flux_namespace
+  }
+
+  lifecycle {
+    ignore_changes = [
+      metadata[0].labels,
+    ]
+  }
+}
+
+resource "kubernetes_secret" "fluxauth" {
+  count = var.flux_namespace == "" ? 0 : 1
+  metadata {
+    name = var.flux_auth_secret
+    namespace = var.flux_namespace
+  }
+  data = {
+    username = var.github_owner
+    password = var.github_token
+  }
+
+  type = "kubernetes.io/basic-auth"
+}
+
+
+data "kubectl_file_documents" "install" {
+  content = data.flux_install.main.content
+}
+
+data "kubectl_file_documents" "sync" {
+  content = data.flux_sync.main.content
+}
+
+locals {   
+
+  install = var.flux_namespace == "" ? null : [for v in data.kubectl_file_documents.install.documents : {
+    data : yamldecode(v)
+    content : v
+    }
+  ]
+  sync = var.flux_namespace == "" ? null : [for v in data.kubectl_file_documents.sync.documents : {
+    data : yamldecode(v)
+    content : v
+    }
+  ]
+}
+
+resource "kubectl_manifest" "install" {
+  for_each   = var.flux_namespace == "" ? {} : { for v in local.install : lower(join("/", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, "namespace", ""), v.data.metadata.name]))) => v.content }
+  depends_on = [kubernetes_namespace.flux-system]
+  yaml_body  = each.value
+}
+
+resource "kubectl_manifest" "sync" {
+  for_each   = var.flux_namespace == "" ? {} : { for v in local.sync : lower(join("/", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, "namespace", ""), v.data.metadata.name]))) => v.content }
+  depends_on = [kubernetes_namespace.flux-system]
+  yaml_body  = each.value
+}
+
+resource "github_branch_default" "main" {
+  count = var.repository_name == "" ? 0 : 1    
+  provider = github.flux
+  repository = var.repository_name
+  branch     = var.branch
+}
+
+
+resource "github_repository_file" "install" {
+  count = var.repository_name == "" ? 0 : 1    
+  provider = github.flux
+  repository = var.repository_name
+  file       = data.flux_install.main.path
+  content    = data.flux_install.main.content
+  branch     = var.branch
+  overwrite_on_create = true
+}
+
+resource "github_repository_file" "sync" {
+  count = var.repository_name == "" ? 0 : 1    
+  provider = github.flux
+  repository = var.repository_name
+  file       = data.flux_sync.main.path
+  content    = data.flux_sync.main.content
+  branch     = var.branch
+  overwrite_on_create = true
+}
+
+resource "github_repository_file" "kustomize" {
+  count = var.repository_name == "" ? 0 : 1    
+  provider = github.flux
+  repository = var.repository_name
+  file       = data.flux_sync.main.kustomize_path
+  content    = data.flux_sync.main.kustomize_content
+  branch     = var.branch
+  overwrite_on_create = true
+}