From 4ce073549851a89a60b8cad78c1b57e7d5562aa8 Mon Sep 17 00:00:00 2001
From: Damien Duportal
Date: Wed, 22 Nov 2023 19:00:10 +0100
Subject: [PATCH] fixup(ci.jenkins.io) ensure the RG in sponsorship subscription uses the proper provider (#521)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Related to https://github.com/jenkins-infra/helpdesk/milestone/91 This PR fixes up #519 and #520 - Fixup of #520 by adding the proper provider to correct the error ``` │ Error: A resource with the ID "/subscriptions/****/resourceGroups/ci-jenkins-io-controller" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_resource_group" for more information. ``` - Allow specifying a custom storage account name for the new RG in the subscription as storage account name are scope to ALL Azure :'( to correct the error ``` │ Storage Account Name: "cijenkinsioagents"): storage.AccountsClient#Create: Failure sending request: StatusCode=409 -- Original Error: Code="StorageAccountAlreadyTaken" Message="The storage account named cijenkinsioagents is already taken." ``` - Cleanup of the `moved` declaration from #516 --------- Signed-off-by: Damien Duportal
---
 .shared-tools | 2 +-
 cert.ci.jenkins.io.tf | 89 ------------------------------------
 ci.jenkins.io.tf | 95 +--------------------------------------
 trusted.ci.jenkins.io.tf | 89 ------------------------------------
 4 files changed, 3 insertions(+), 272 deletions(-)

diff --git a/.shared-tools b/.shared-tools
index 23ec7072..e797dd96 160000
--- a/.shared-tools
+++ b/.shared-tools
@@ -1 +1 @@
-Subproject commit 23ec7072579d46feca3893b262c5bef7bd91acd8
+Subproject commit e797dd96c88dcae8273bf2e070f497af67ea6bc0
diff --git a/cert.ci.jenkins.io.tf b/cert.ci.jenkins.io.tf
index f87f0296..94ed56f5 100644
--- a/cert.ci.jenkins.io.tf
+++ b/cert.ci.jenkins.io.tf
@@ -79,95 +79,6 @@ module "cert_ci_jenkins_io_aci_agents" {
 controller_service_principal_id = module.cert_ci_jenkins_io.controler_service_principal_id
 }
 
-### ACI Agents
-moved {
- from = module.cert_ci_jenkins_io.azurerm_role_definition.ephemeral_agents_aci_contributor
- to = module.cert_ci_jenkins_io_aci_agents.azurerm_role_definition.ephemeral_agents_aci_contributor
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor
- to = module.cert_ci_jenkins_io_aci_agents.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor
-}
-
-### Ephemeral Agents
-# Resources
-moved {
- from = module.cert_ci_jenkins_io.azurerm_resource_group.ephemeral_agents
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_resource_group.ephemeral_agents
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_storage_account.ephemeral_agents
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_storage_account.ephemeral_agents
-}
-
-# AzureAD
-moved {
- from = module.cert_ci_jenkins_io.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents
-}
-
-# NSGs
-moved {
- from = module.cert_ci_jenkins_io.azurerm_network_security_group.ephemeral_agents
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_group.ephemeral_agents
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_subnet_network_security_group_association.ephemeral_agents
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_subnet_network_security_group_association.ephemeral_agents
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents
- to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents
-}
-moved {
- from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_ephemeral_agents
- to = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_agents
-}
-
 ## Service DNS records
 resource "azurerm_dns_a_record" "cert_ci_jenkins_io_controller" {
 name = "controller"
diff --git a/ci.jenkins.io.tf b/ci.jenkins.io.tf
index 40b4227a..d35f8d2c 100644
--- a/ci.jenkins.io.tf
+++ b/ci.jenkins.io.tf
@@ -69,6 +69,7 @@ module "ci_jenkins_io_azurevm_agents" {
 }
 
 resource "azurerm_resource_group" "controller_jenkins_sponsorship" {
+ provider = azurerm.jenkins-sponsorship
 name = module.ci_jenkins_io.controller_resourcegroup_name # Same name on both subscriptions
 location = var.location
 tags = local.default_tags
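Review bot: The new `provider = azurerm.jenkins-sponsorship` line is the only thing distinguishing this resource group from the identically named one managed by `module.ci_jenkins_io` in the default subscription, and the surviving `# Same name on both subscriptions` comment does not say why the alias is required. Suggest documenting the failure mode the commit message describes right on the line: `provider = azurerm.jenkins-sponsorship # RG lives in the sponsorship subscription; without this alias Terraform targets the default subscription, where an RG of this name already exists (#520)`. Because Azure role assignments are scoped per subscription, whatever rights the controller service principal needs inside this RG must also be created through the same alias; that is not visible in this hunk and is presumably handled by the `ci_jenkins_io_azurevm_agents_jenkins_sponsorship` module, which should be confirmed. The `resource` block continues past the end of the hunk.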
@@ -89,6 +90,7 @@ module "ci_jenkins_io_azurevm_agents_jenkins_sponsorship" {
 controller_ips = compact([module.ci_jenkins_io.controller_private_ipv4, module.ci_jenkins_io.controller_public_ipv4])
 controller_service_principal_id = module.ci_jenkins_io.controler_service_principal_id
 default_tags = local.default_tags
+ storage_account_name = "cijenkinsioagentssub" # Max 24 chars
 
 jenkins_infra_ips = {
 privatevpn_subnet = data.azurerm_subnet.private_vnet_data_tier.address_prefixes
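Review bot: The `# Max 24 chars` comment on the new `storage_account_name` line captures only part of Azure's constraint — the name is a globally unique, publicly resolvable DNS label (`<name>.blob.core.windows.net`) that must be 3–24 lowercase letters and digits — so a typo here is caught only at apply time, exactly like the 409 quoted in the commit message. Since the value is hard-coded in the root module, the cheapest guard is a `validation` block on the module's `storage_account_name` variable in the `.shared-tools` submodule, e.g. `condition = can(regex("^[a-z0-9]{3,24}$", var.storage_account_name))`, and the comment here could read `# Globally unique across Azure, 3-24 lowercase alphanumerics; must differ from the default-subscription account`. It is also worth confirming that this module block passes `providers = { azurerm = azurerm.jenkins-sponsorship }`, otherwise the storage account and its RG land in the default subscription next to the RG fixed in the previous hunk; the module header is outside this hunk, so that cannot be checked here. The module block continues past both ends of the hunk.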
@@ -103,99 +105,6 @@ module "ci_jenkins_io_aci_agents" {
 controller_service_principal_id = module.ci_jenkins_io.controler_service_principal_id
 }
 
-### ACI Agents
-moved {
- from = module.ci_jenkins_io.azurerm_role_definition.ephemeral_agents_aci_contributor
- to = module.ci_jenkins_io_aci_agents.azurerm_role_definition.ephemeral_agents_aci_contributor
-}
-moved {
- from = module.ci_jenkins_io.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor
- to = module.ci_jenkins_io_aci_agents.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor
-}
-
-### Ephemeral Agents
-# Resources
-moved {
- from = module.ci_jenkins_io.azurerm_resource_group.ephemeral_agents
- to = module.ci_jenkins_io_azurevm_agents.azurerm_resource_group.ephemeral_agents
-}
-moved {
- from = module.ci_jenkins_io.azurerm_storage_account.ephemeral_agents
- to = module.ci_jenkins_io_azurevm_agents.azurerm_storage_account.ephemeral_agents
-}
-
-# AzureAD
-moved {
- from = module.ci_jenkins_io.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup
- to = module.ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup
-}
-moved {
- from = module.ci_jenkins_io.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents
- to = module.ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents
-}
-
-# NSGs
-moved {
- from = module.ci_jenkins_io.azurerm_network_security_group.ephemeral_agents
- to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_group.ephemeral_agents
-}
-moved {
- from = module.ci_jenkins_io.azurerm_subnet_network_security_group_association.ephemeral_agents
- to = module.ci_jenkins_io_azurevm_agents.azurerm_subnet_network_security_group_association.ephemeral_agents
-}
-moved {
- from = module.ci_jenkins_io.azurerm_resource_group.ephemeral_agents
- to = module.ci_jenkins_io_azurevm_agents.azurerm_resource_group.ephemeral_agents
-}
-moved {
- from = module.ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents
- to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents
-}
-moved {
- from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet
- to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet
-}
-moved {
- from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet
- to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet
-}
-moved {
- from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet
- to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet
-}
-moved {
- from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller
- to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller
-}
-moved {
- from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet
- to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet
-}
-moved {
- from = module.ci_jenkins_io.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents
- to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents
-}
-moved {
- from = module.ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet
- to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet
-}
-moved {
- from = module.ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
- to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-}
-moved {
- from = module.ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
- to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-}
-moved {
- from = module.ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents
- to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents
-}
-moved {
- from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_ephemeral_agents
- to = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_agents
-}
-
 ## Service DNS records
 resource "azurerm_dns_cname_record" "ci_jenkins_io" {
 name = trimsuffix(trimsuffix(module.ci_jenkins_io.service_fqdn, data.azurerm_dns_zone.jenkinsio.name), ".")
diff --git a/trusted.ci.jenkins.io.tf b/trusted.ci.jenkins.io.tf
index c9e58df9..802d9e8a 100644
--- a/trusted.ci.jenkins.io.tf
+++ b/trusted.ci.jenkins.io.tf
@@ -97,95 +97,6 @@ module "trusted_ci_jenkins_io_aci_agents" {
 controller_service_principal_id = module.trusted_ci_jenkins_io.controler_service_principal_id
 }
 
-### ACI Agents
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_role_definition.ephemeral_agents_aci_contributor
- to = module.trusted_ci_jenkins_io_aci_agents.azurerm_role_definition.ephemeral_agents_aci_contributor
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor
- to = module.trusted_ci_jenkins_io_aci_agents.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor
-}
-
-### Ephemeral Agents
-# Resources
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_resource_group.ephemeral_agents
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_resource_group.ephemeral_agents
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_storage_account.ephemeral_agents
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_storage_account.ephemeral_agents
-}
-
-# AzureAD
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents
-}
-
-# NSGs
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_network_security_group.ephemeral_agents
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_group.ephemeral_agents
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_subnet_network_security_group_association.ephemeral_agents
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_subnet_network_security_group_association.ephemeral_agents
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents
- to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents
-}
-moved {
- from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_ephemeral_agents
- to = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_agents
-}
-
 resource "azurerm_private_dns_a_record" "trusted_ci_controller" {
 name = "@"
 zone_name = azurerm_private_dns_zone.trusted.name