
feat: add missing infra and policies
Kamran Manzoor committed May 17, 2024
1 parent 28fe6be commit a90f86a
Showing 8 changed files with 111 additions and 2 deletions.
2 changes: 1 addition & 1 deletion odl/.terraform-version
@@ -1 +1 @@
1.7.5
1.8.3
41 changes: 41 additions & 0 deletions odl/.terraform.lock.hcl


10 changes: 10 additions & 0 deletions odl/data.tf
Expand Up @@ -4,6 +4,16 @@ data "azurerm_subscription" "current" {
data "azurerm_client_config" "current" {
}

data "azuread_group" "rg_reader" {
for_each = toset(var.resource_group_readers)
display_name = each.value
}

data "azurerm_api_management" "apim" {
count = local.enabled_apim_kv_access ? 1 : 0
name = var.apim_details.name
resource_group_name = var.apim_details.resource_group
}

data "azurerm_key_vault_secret" "eventsub_delivery_secret" {
count = local.enabled_keyvault ? 1 : 0
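Review bot: `data "azuread_group" "rg_reader"` resolves each entry by `display_name` alone, and group display names in Entra ID are neither unique nor immutable, so the lookup can fail on a duplicate or quietly bind to a differently-owned group that happens to carry the same name; the `Reader` assignment in rg.tf then follows whatever group that is. Prefer keying `resource_group_readers` by object id (`object_id = each.value`), or at minimum add `security_enabled_only = true` so mail-only groups with a matching name are excluded. The `default` of `resource_group_readers` in variables.tf is a display name as well, so it would need the same treatment.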
2 changes: 1 addition & 1 deletion odl/eventgrid.tf
@@ -1,6 +1,6 @@
module "eventgrid_topics" {
for_each = local.eventgrid_topics
source = "[email protected]:v3/ELX-Marketing-DevOps/infra-modules/infra-mod-eventgrid//iasc?ref=v0.0.6"
source = "[email protected]:v3/ELX-Marketing-DevOps/infra-modules/infra-mod-eventgrid//iasc?ref=8d5c82ed09cb1f00837e91e91a5f70bb81f7f99f"
tenant_id = local.tenant_id
subscription_id = local.subscription_id
resource_group_name = azurerm_resource_group.rg.name
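Review bot: The new `source` line pins the module to a bare commit SHA, which is good for immutability but drops the human-readable version the old `ref=v0.0.6` carried, so a reader cannot tell what changed or why. Add a comment above the line recording the mapping, e.g. `# pinned to infra-mod-eventgrid commit 8d5c82e (after v0.0.6; <reason for pin>)`, so the next bump can be reviewed against a release. The `[email protected]` prefix looks like the page renderer's e-mail obfuscation of the SSH host rather than the real source string; worth confirming against the raw file.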
22 changes: 22 additions & 0 deletions odl/kv.tf
Expand Up @@ -28,3 +28,25 @@ resource "azurerm_key_vault_key" "keys" {

}

resource "azurerm_key_vault_access_policy" "apim_read" {
for_each = tomap({
for i in local.apim_identities :
"${i.principal_id}" => i.principal_id
})

object_id = each.key
tenant_id = local.tenant_id
key_vault_id = module.kv[0].key_vault_id

secret_permissions = [
"Get",
"List"
]
}

resource "azurerm_key_vault_secret" "eventgrid_topic_key" {
for_each = local.eventgrid_topics
name = format("%s-key1", each.value.eventgrid_custom_topic_name)
value = module.eventgrid_topics[each.key].primary_access_key
key_vault_id = module.kv[0].key_vault_id
}
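Review bot: `azurerm_key_vault_access_policy.apim_read` grants `Get`/`List` on every secret in the vault, and the same hunk stores each EventGrid topic's `primary_access_key` in that vault as `azurerm_key_vault_secret.eventgrid_topic_key`, so every APIM identity can read the topic keys whether or not it needs them; vault access policies cannot be narrowed per secret, so if APIM only needs specific secrets consider RBAC instead (`azurerm_role_assignment` with `role_definition_name = "Key Vault Secrets User"` scoped to the individual secret's `resource_versionless_id`). `eventgrid_topic_key` also sets no `expiration_date` or `content_type`, and its value is the topic's primary key, which will additionally be held in Terraform state; a comment naming the rotation strategy (e.g. `# rotated by re-generating the topic key; state must be treated as secret`) would make that explicit. The `for_each` key `"${i.principal_id}"` presumably relies on every identity block exposing a non-empty `principal_id` — confirm that holds for the identity types the APIM instance uses, since an empty key would fail the plan.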
2 changes: 2 additions & 0 deletions odl/locals.tf
Expand Up @@ -9,7 +9,9 @@ locals {
# 75f9a0c1-6e61-4cbe-beba-9ab39034b9a0 ---> CSA-AAD-PRJ-Concent-PE-Admin
kv_admin_object_ids = ["75f9a0c1-6e61-4cbe-beba-9ab39034b9a0", local.current_user_id]
enabled_keyvault = var.enabled && var.enabled_keyvault ? true : false
enabled_apim_kv_access = local.enabled_keyvault && var.kv_read_access_apim ? true : false
sops_key_name = format("odl-sopskey-%s", "${terraform.workspace}")
eventsub_delivery_secret_key = "api-key"
eventgrid_topics = local.enabled_keyvault ? var.eventgrid_topics : {}
apim_identities = local.enabled_apim_kv_access ? data.azurerm_api_management.apim[0].identity : []
}
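Review bot: `enabled_apim_kv_access = local.enabled_keyvault && var.kv_read_access_apim ? true : false` wraps an expression that is already a bool in a conditional; the `? true : false` (mirroring the existing `enabled_keyvault` line) adds nothing, and `enabled_apim_kv_access = local.enabled_keyvault && var.kv_read_access_apim` reads the same. The `apim_identities` line is what makes the `[0]` index into the `count`-guarded data source safe, and kv.tf's `apim_read` policy depends on it being empty when access is off; a one-line comment such as `# empty when APIM access is disabled, so kv.tf's apim_read policy creates nothing` would make that coupling visible.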
12 changes: 12 additions & 0 deletions odl/rg.tf
@@ -1,4 +1,16 @@
resource "azurerm_resource_group" "rg" {
name = var.resource_group_name
location = var.resource_group_location
tags = local.tags
lifecycle {
ignore_changes = [tags]
}
}

resource "azurerm_role_assignment" "rg_reader" {
for_each = toset(var.resource_group_readers)

scope = azurerm_resource_group.rg.id
role_definition_name = "Reader"
principal_id = data.azuread_group.rg_reader[each.key].object_id
}
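Review bot: `azurerm_role_assignment.rg_reader` assigns `Reader` at resource-group scope to groups resolved by display name and sets no `principal_type`; adding `principal_type = "Group"` lets the provider skip its directory lookup and can avoid the transient PrincipalNotFound failures that occur when a freshly resolved object id has not replicated yet. The `lifecycle { ignore_changes = [tags] }` on the resource group (new in this hunk, if I read the counts right) means tag drift made outside Terraform is never reverted; if tags carry ownership or cost-centre data used for governance that is a deliberate choice worth a comment like `# tags are owned outside Terraform (e.g. Azure Policy); drift is intentional`.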
22 changes: 22 additions & 0 deletions odl/variables.tf
Expand Up @@ -9,6 +9,12 @@ variable "resource_group_location" {
description = "Location of the resource group"
}

variable "resource_group_readers" {
type = list(string)
default = ["CSA-AAD-PRJ-Concent-ODL-Developer"]
description = "Names of the principals that need to have reader access"
}


variable "storage_account_name" {
description = "Storage account name"
Expand Down Expand Up @@ -70,7 +76,23 @@ variable "kv_resource_group_location" {
description = "Location of the resource group for Keyvault"
}

variable "kv_read_access_apim" {
type = bool
description = "Granting keyvault access to apim? If true, apim_details var must be provided"
default = true
}

variable "apim_details" {
type = object({
name = string
resource_group = string
})
description = "Details of apim to grant keyvault read access. List and Get on secrets will be provided to attached identities"
default = {
name = "elxapimglnonprod01"
resource_group = "RG-GL-ELX-EU-NonProd-01"
}
}

variable "enabled_keyvault" {
type = bool
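Review bot: `kv_read_access_apim` defaults to `true` and `apim_details` defaults to one specific non-prod instance (`elxapimglnonprod01` in `RG-GL-ELX-EU-NonProd-01`), so any workspace that does not override both values grants Key Vault secret read access to that non-prod APIM's identities by default; the description says `apim_details` "must be provided", but with a default present Terraform never enforces that. Make the access opt-in (`default = false`) and remove the `apim_details` default (or set it to `null` and fail the plan when it is `null` while `kv_read_access_apim` is true) so each environment names its own APIM explicitly. The same concern applies to `resource_group_readers` in the first hunk, whose default grants a developer group `Reader` on every environment unless overridden.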

