fixup(ci.jenkins.io) ensure the RG in sponsorship subscription uses t…

…he proper provider (#521) Related to https://github.com/jenkins-infra/helpdesk/milestone/91 This PR fixes up #519 and #520 - Fixup of #520 by adding the proper provider to correct the error ``` │ Error: A resource with the ID "/subscriptions/****/resourceGroups/ci-jenkins-io-controller" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_resource_group" for more information. ``` - Allow specifying a custom storage account name for the new RG in the subscription as storage account name are scope to ALL Azure :'( to correct the error ``` │ Storage Account Name: "cijenkinsioagents"): storage.AccountsClient#Create: Failure sending request: StatusCode=409 -- Original Error: Code="StorageAccountAlreadyTaken" Message="The storage account named cijenkinsioagents is already taken." ``` - Cleanup of the `moved` declaration from #516 --------- Signed-off-by: Damien Duportal <[email protected]>
jenkins-infra · Nov 22, 2023 · 4ce0735 · 4ce0735
1 parent 1ddf07b
commit 4ce0735
Show file tree

Hide file tree

Showing 4 changed files with 3 additions and 272 deletions.
diff --git a/.shared-tools b/.shared-tools
diff --git a/cert.ci.jenkins.io.tf b/cert.ci.jenkins.io.tf
@@ -79,95 +79,6 @@ module "cert_ci_jenkins_io_aci_agents" {
   controller_service_principal_id = module.cert_ci_jenkins_io.controler_service_principal_id
 }
 
-### ACI Agents
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_role_definition.ephemeral_agents_aci_contributor
-  to   = module.cert_ci_jenkins_io_aci_agents.azurerm_role_definition.ephemeral_agents_aci_contributor
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor
-  to   = module.cert_ci_jenkins_io_aci_agents.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor
-}
-
-### Ephemeral Agents
-# Resources
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_resource_group.ephemeral_agents
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_resource_group.ephemeral_agents
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_storage_account.ephemeral_agents
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_storage_account.ephemeral_agents
-}
-
-# AzureAD
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents
-}
-
-# NSGs
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_network_security_group.ephemeral_agents
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_group.ephemeral_agents
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_subnet_network_security_group_association.ephemeral_agents
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_subnet_network_security_group_association.ephemeral_agents
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents
-  to   = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents
-}
-moved {
-  from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_ephemeral_agents
-  to   = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_agents
-}
-
 ## Service DNS records
 resource "azurerm_dns_a_record" "cert_ci_jenkins_io_controller" {
   name                = "controller"

diff --git a/ci.jenkins.io.tf b/ci.jenkins.io.tf
@@ -69,6 +69,7 @@ module "ci_jenkins_io_azurevm_agents" {
 }
 
 resource "azurerm_resource_group" "controller_jenkins_sponsorship" {
+  provider = azurerm.jenkins-sponsorship
   name     = module.ci_jenkins_io.controller_resourcegroup_name # Same name on both subscriptions
   location = var.location
   tags     = local.default_tags
@@ -89,6 +90,7 @@ module "ci_jenkins_io_azurevm_agents_jenkins_sponsorship" {
   controller_ips                   = compact([module.ci_jenkins_io.controller_private_ipv4, module.ci_jenkins_io.controller_public_ipv4])
   controller_service_principal_id  = module.ci_jenkins_io.controler_service_principal_id
   default_tags                     = local.default_tags
+  storage_account_name             = "cijenkinsioagentssub" # Max 24 chars
 
   jenkins_infra_ips = {
     privatevpn_subnet = data.azurerm_subnet.private_vnet_data_tier.address_prefixes
@@ -103,99 +105,6 @@ module "ci_jenkins_io_aci_agents" {
   controller_service_principal_id = module.ci_jenkins_io.controler_service_principal_id
 }
 
-### ACI Agents
-moved {
-  from = module.ci_jenkins_io.azurerm_role_definition.ephemeral_agents_aci_contributor
-  to   = module.ci_jenkins_io_aci_agents.azurerm_role_definition.ephemeral_agents_aci_contributor
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor
-  to   = module.ci_jenkins_io_aci_agents.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor
-}
-
-### Ephemeral Agents
-# Resources
-moved {
-  from = module.ci_jenkins_io.azurerm_resource_group.ephemeral_agents
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_resource_group.ephemeral_agents
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_storage_account.ephemeral_agents
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_storage_account.ephemeral_agents
-}
-
-# AzureAD
-moved {
-  from = module.ci_jenkins_io.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents
-}
-
-# NSGs
-moved {
-  from = module.ci_jenkins_io.azurerm_network_security_group.ephemeral_agents
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_group.ephemeral_agents
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_subnet_network_security_group_association.ephemeral_agents
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_subnet_network_security_group_association.ephemeral_agents
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_resource_group.ephemeral_agents
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_resource_group.ephemeral_agents
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents
-  to   = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents
-}
-moved {
-  from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_ephemeral_agents
-  to   = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_agents
-}
-
 ## Service DNS records
 resource "azurerm_dns_cname_record" "ci_jenkins_io" {
   name                = trimsuffix(trimsuffix(module.ci_jenkins_io.service_fqdn, data.azurerm_dns_zone.jenkinsio.name), ".")

diff --git a/trusted.ci.jenkins.io.tf b/trusted.ci.jenkins.io.tf
@@ -97,95 +97,6 @@ module "trusted_ci_jenkins_io_aci_agents" {
   controller_service_principal_id = module.trusted_ci_jenkins_io.controler_service_principal_id
 }
 
-### ACI Agents
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_role_definition.ephemeral_agents_aci_contributor
-  to   = module.trusted_ci_jenkins_io_aci_agents.azurerm_role_definition.ephemeral_agents_aci_contributor
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor
-  to   = module.trusted_ci_jenkins_io_aci_agents.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor
-}
-
-### Ephemeral Agents
-# Resources
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_resource_group.ephemeral_agents
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_resource_group.ephemeral_agents
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_storage_account.ephemeral_agents
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_storage_account.ephemeral_agents
-}
-
-# AzureAD
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents
-}
-
-# NSGs
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_network_security_group.ephemeral_agents
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_group.ephemeral_agents
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_subnet_network_security_group_association.ephemeral_agents
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_subnet_network_security_group_association.ephemeral_agents
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents
-  to   = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents
-}
-moved {
-  from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_ephemeral_agents
-  to   = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_agents
-}
-
 resource "azurerm_private_dns_a_record" "trusted_ci_controller" {
   name                = "@"
   zone_name           = azurerm_private_dns_zone.trusted.name
+1 −1		terraform/modules/azure-jenkinsinfra-azurevm-agents/main.tf
+5 −0		terraform/modules/azure-jenkinsinfra-azurevm-agents/variables.tf