diff --git a/odl/.terraform-version b/odl/.terraform-version
index 5849151..fe4e75f 100644
--- a/odl/.terraform-version
+++ b/odl/.terraform-version
@@ -1 +1 @@
-1.7.5
\ No newline at end of file
+1.8.3
\ No newline at end of file
diff --git a/odl/.terraform.lock.hcl b/odl/.terraform.lock.hcl
new file mode 100644
index 0000000..37dd0c1
--- /dev/null
+++ b/odl/.terraform.lock.hcl
@@ -0,0 +1,41 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/azuread" {
+ version = "2.49.1"
+ hashes = [
+ "h1:KUPYYhL7rMFx090RILByeHgmcDUSQBOqeJNEdknzjEc=",
+ "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7",
+ "zh:402c943f0508f7dae29cabe3352e4430cf7ef9c569433392624ea46d834892ae",
+ "zh:4cb66ad4e6d40b5a58160d90c1922e2e67e4c89b3c7543b227f5ecafe97a4b41",
+ "zh:549b966a79433939e154e3bd926069cfd21180546a94e98ee6d5f17d6efca3b1",
+ "zh:6cba71af694b06563903767a940d701375737ccc7898d8156ed5df10ba4d4118",
+ "zh:7867c7065bc9eebf79b0dad1b64056fd991490eba9973378e8c8df61fd57f6d7",
+ "zh:ab280f6ed9b59adff1b25e4d5c86417359adf72aabe49d0a4ab19c93adbfbddf",
+ "zh:b68fbefe5043bd224265d81629650572095b6c375a2ad0c7046980ba06fa472f",
+ "zh:c35bf5d22d8051c7da2fdced75d8fe86142c117a746c4fd0ed917b1c3e780838",
+ "zh:c8826f24bd0a48ad46a56844ef85064c70b64d83214907089f06c3b84a1dca04",
+ "zh:ccd3bb336ad73b17861c720af41401d9d04f9d0e097c1fc36af56895697ae7a0",
+ "zh:d2e6f67d31cd334b9af32243f40ed564d4acf67b1dff39c47a752a9e22361e44",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/azurerm" {
+ version = "3.94.0"
+ constraints = "~> 3.94.0"
+ hashes = [
+ "h1:Kd1Vhk4bPbiP0ZWo1pDEW1De3oNbODgh2bhX9Y6AJ6I=",
+ "zh:20d102bc63096ade82f8da81c91afaffa858aa56fe9a7ad02f24f5ae5618bc53",
+ "zh:3ddb9d6173a4fdb9b2352a76324ee321976915544ae66cbb863c7a60f0593f05",
+ "zh:4bc6c62142f67192d2def11f4fd419c54dddd89a5448af036bfc60b15eb0509a",
+ "zh:4c5120c2101a51524af32c4220c5e376f97a227730dd92ec0b06ac677e4b39f2",
+ "zh:585fa7ab876d09899cd2d842f12bc28c34556b4d47919eceadefab6fa47f909f",
+ "zh:59de7ea462470dee7088fc4deeff48e1ffd286eaca1185c219be68dadde745b8",
+ "zh:8421a46dd3bc4bc2eb56f7eb9b91cc84a66070b72195a805862c6022adee2da0",
+ "zh:a2fcb5a091d5944dc50f1e51f53fa4d370810a507fbf4122920d756083d8df19",
+ "zh:beb6b93a2a16942625bb6ac1e52bf26878e35f5562f3173279423ca66553b6d7",
+ "zh:c6846892ea68f49c838d90b75793d1f3a866871dd701ccb575b1eecccd4e7051",
+ "zh:ddd59492b6d5ce4c83f06a5b16c520048f3e9bb898bab4f3910042f5c01ffeda",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/odl/data.tf b/odl/data.tf
index 68d17c5..f825a81 100644
--- a/odl/data.tf
+++ b/odl/data.tf
@@ -4,6 +4,16 @@ data "azurerm_subscription" "current" {
 data "azurerm_client_config" "current" {
 }
+data "azuread_group" "rg_reader" {
+ for_each = toset(var.resource_group_readers)
+ display_name = each.value
+}
+
+data "azurerm_api_management" "apim" {
+ count = local.enabled_apim_kv_access ? 1 : 0
+ name = var.apim_details.name
+ resource_group_name = var.apim_details.resource_group
+}
 data "azurerm_key_vault_secret" "eventsub_delivery_secret" {
 count = local.enabled_keyvault ? 1 : 0
diff --git a/odl/eventgrid.tf b/odl/eventgrid.tf
index bb148c1..19f8a21 100644
--- a/odl/eventgrid.tf
+++ b/odl/eventgrid.tf
@@ -1,6 +1,6 @@
 module "eventgrid_topics" {
 for_each = local.eventgrid_topics
- source = "git@ssh.dev.azure.com:v3/ELX-Marketing-DevOps/infra-modules/infra-mod-eventgrid//iasc?ref=v0.0.6"
+ source = "git@ssh.dev.azure.com:v3/ELX-Marketing-DevOps/infra-modules/infra-mod-eventgrid//iasc?ref=8d5c82ed09cb1f00837e91e91a5f70bb81f7f99f"
 tenant_id = local.tenant_id
 subscription_id = local.subscription_id
 resource_group_name = azurerm_resource_group.rg.name
diff --git a/odl/kv.tf b/odl/kv.tf
index ce79680..f23923c 100644
--- a/odl/kv.tf
+++ b/odl/kv.tf
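Review bot: `data "azuread_group" "rg_reader"` resolves each reader by `display_name` alone, and group display names are not unique in Entra ID, so the lookup fails at plan time if a second group with the same name appears and otherwise binds the Reader role in rg.tf to whichever group currently carries that name. Adding `security_enabled = true` narrows the match to security groups; the more robust option is to accept object IDs in `var.resource_group_readers` the way `kv_admin_object_ids` in locals.tf already does, keeping the group name in a comment as that block does. `data "azurerm_api_management" "apim"` is only read when `local.enabled_apim_kv_access` is true, so `var.apim_details` is ignored otherwise; a short comment on the `count` line stating that would spare a reader a trip to locals.tf.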
@@ -28,3 +28,25 @@ resource "azurerm_key_vault_key" "keys" {
 }
+resource "azurerm_key_vault_access_policy" "apim_read" {
+ for_each = tomap({
+ for i in local.apim_identities :
+ "${i.principal_id}" => i.principal_id
+ })
+
+ object_id = each.key
+ tenant_id = local.tenant_id
+ key_vault_id = module.kv[0].key_vault_id
+
+ secret_permissions = [
+ "Get",
+ "List"
+ ]
+}
+
+resource "azurerm_key_vault_secret" "eventgrid_topic_key" {
+ for_each = local.eventgrid_topics
+ name = format("%s-key1", each.value.eventgrid_custom_topic_name)
+ value = module.eventgrid_topics[each.key].primary_access_key
+ key_vault_id = module.kv[0].key_vault_id
+}
\ No newline at end of file
diff --git a/odl/locals.tf b/odl/locals.tf
index bc88e25..b2ad76b 100644
--- a/odl/locals.tf
+++ b/odl/locals.tf
@@ -9,7 +9,9 @@ locals {
 # 75f9a0c1-6e61-4cbe-beba-9ab39034b9a0 ---> CSA-AAD-PRJ-Concent-PE-Admin
 kv_admin_object_ids = ["75f9a0c1-6e61-4cbe-beba-9ab39034b9a0", local.current_user_id]
 enabled_keyvault = var.enabled && var.enabled_keyvault ? true : false
+ enabled_apim_kv_access = local.enabled_keyvault && var.kv_read_access_apim ? true : false
 sops_key_name = format("odl-sopskey-%s", "${terraform.workspace}")
 eventsub_delivery_secret_key = "api-key"
 eventgrid_topics = local.enabled_keyvault ? var.eventgrid_topics : {}
+ apim_identities = local.enabled_apim_kv_access ? data.azurerm_api_management.apim[0].identity : []
 }
diff --git a/odl/rg.tf b/odl/rg.tf
index 842400e..da36d08 100644
--- a/odl/rg.tf
+++ b/odl/rg.tf
@@ -1,4 +1,16 @@
 resource "azurerm_resource_group" "rg" {
 name = var.resource_group_name
 location = var.resource_group_location
+ tags = local.tags
+ lifecycle {
+ ignore_changes = [tags]
+ }
+}
+
+resource "azurerm_role_assignment" "rg_reader" {
+ for_each = toset(var.resource_group_readers)
+
+ scope = azurerm_resource_group.rg.id
+ role_definition_name = "Reader"
+ principal_id = data.azuread_group.rg_reader[each.key].object_id
 }
\ No newline at end of file
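Review bot: `secret_permissions` on `apim_read` grants `List` as well as `Get`, and `List` lets the APIM identity enumerate the name of every secret in the vault — including the `eventgrid_topic_key` secrets created just below in the same `module.kv[0]` vault — rather than only read the secrets it is configured to use. If the APIM named values reference secrets by name, `Get` alone may be enough; confirm against the APIM Key Vault integration requirements before dropping `List`, and if it is needed record why in a comment next to the list. The `for_each` is also more involved than it needs to be: a `for` expression with `=>` already produces a map, so `tomap(...)` and the `"${i.principal_id}"` wrapper add nothing, and `for_each = { for i in local.apim_identities : i.principal_id => i.principal_id }` is equivalent.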
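Review bot: `apim_identities` is assigned the `identity` attribute of `data.azurerm_api_management.apim[0]`, and as far as I recall the azurerm 3.x schema that is a single identity block whose `principal_id` is the system-assigned identity, with user-assigned identities exposed only as resource IDs in `identity_ids`. kv.tf keys `apim_read` on `principal_id`, so an APIM that uses a user-assigned identity for its Key Vault named values would receive no access policy, and a `UserAssigned`-only APIM may yield an empty `principal_id` key; worth verifying against the target APIM's identity configuration. Once confirmed, a comment on the local such as `# system-assigned identity of the APIM instance only; user-assigned identities are not covered` would make the scope explicit.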
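Review bot: `ignore_changes = [tags]` on `azurerm_resource_group.rg` means the tags from `local.tags` are applied only at creation and any later drift is silently accepted, and nothing in the block records why; a one-line comment naming the process that rewrites tags out of band — `# tags are rewritten by <external process — fill in>; ignored to avoid perpetual diffs` — would keep the next maintainer from removing the lifecycle block or expecting Terraform to reconcile tags. For `azurerm_role_assignment.rg_reader`, `Reader` at resource-group scope covers every resource the group holds now or later, not only the ones touched by this change, which is presumably intended for a developer group but is worth stating in a comment on `scope`. `local.tags` is not defined in the locals.tf hunk shown here, so it must come from elsewhere in that file.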
diff --git a/odl/variables.tf b/odl/variables.tf
index 2e9888e..b03bc48 100644
--- a/odl/variables.tf
+++ b/odl/variables.tf
@@ -9,6 +9,12 @@ variable "resource_group_location" {
 description = "Location of the resource group"
 }
+variable "resource_group_readers" {
+ type = list(string)
+ default = ["CSA-AAD-PRJ-Concent-ODL-Developer"]
+ description = "Names of the principals that need to have reader access"
+}
+
 variable "storage_account_name" {
 description = "Storage account name"
@@ -70,7 +76,23 @@ variable "kv_resource_group_location" {
 description = "Location of the resource group for Keyvault"
 }
+variable "kv_read_access_apim" {
+ type = bool
+ description = "Granting keyvault access to apim? If true, apim_details var must be provided"
+ default = true
+}
+variable "apim_details" {
+ type = object({
+ name = string
+ resource_group = string
+ })
+ description = "Details of apim to grant keyvault read access. List and Get on secrets will be provided to attached identities"
+ default = {
+ name = "elxapimglnonprod01"
+ resource_group = "RG-GL-ELX-EU-NonProd-01"
+ }
+}
 variable "enabled_keyvault" {
 type = bool
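Review bot: the description of `resource_group_readers`, `Names of the principals that need to have reader access`, is broader than what the code accepts: data.tf resolves every entry through `data "azuread_group"` by `display_name`, so a user or service principal name would fail at plan time. Suggest `description = "Display names of the Entra ID groups granted Reader on the resource group"` so callers know what to pass. The second hunk of this file runs past the end of the visible diff and is not reviewed here.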