Bump Terraform azuread provider version to 3.0.2 #853

Merged
32 changes: 16 additions & 16 deletions .terraform.lock.hcl


2 changes: 1 addition & 1 deletion cert.ci.jenkins.io.tf
Expand Up @@ -25,7 +25,7 @@ module "cert_ci_jenkins_io" {
}

controller_service_principal_ids = [
data.azuread_service_principal.terraform_production.id,
data.azuread_service_principal.terraform_production.object_id,
]
controller_service_principal_end_date = "2024-11-06T00:00:00Z"
controller_packer_rg_ids = [
2 changes: 1 addition & 1 deletion ci.jenkins.io.tf
Expand Up @@ -29,7 +29,7 @@ module "ci_jenkins_io_sponsorship" {
privatevpn_subnet = data.azurerm_subnet.private_vnet_data_tier.address_prefixes
}
controller_service_principal_ids = [
data.azuread_service_principal.terraform_production.id,
data.azuread_service_principal.terraform_production.object_id,
]
controller_service_principal_end_date = "2025-01-13T00:00:00Z"
controller_packer_rg_ids = [
34 changes: 19 additions & 15 deletions infra.ci.jenkins.io.tf
Expand Up @@ -19,7 +19,7 @@ resource "azurerm_storage_account" "infra_ci_jenkins_io_agents" {
resource "azuread_application" "infra_ci_jenkins_io" {
display_name = "infra.ci.jenkins.io"
owners = [
data.azuread_service_principal.terraform_production.id,
data.azuread_service_principal.terraform_production.object_id,
]
tags = [for key, value in local.default_tags : "${key}:${value}"]
required_resource_access {
Expand All @@ -38,7 +38,7 @@ resource "azuread_service_principal" "infra_ci_jenkins_io" {
client_id = azuread_application.infra_ci_jenkins_io.client_id
app_role_assignment_required = false
owners = [
data.azuread_service_principal.terraform_production.id,
data.azuread_service_principal.terraform_production.object_id,
]
}
resource "azuread_application_password" "infra_ci_jenkins_io" {
Expand All @@ -50,30 +50,30 @@ resource "azuread_application_password" "infra_ci_jenkins_io" {
resource "azurerm_role_assignment" "infra_ci_jenkins_io_allow_azurerm" {
scope = azurerm_resource_group.infra_ci_jenkins_io_agents.id
role_definition_name = "Contributor"
principal_id = azuread_service_principal.infra_ci_jenkins_io.id
principal_id = azuread_service_principal.infra_ci_jenkins_io.object_id
}
resource "azurerm_role_assignment" "infra_ci_jenkins_io_allow_packer" {
scope = azurerm_resource_group.packer_images["prod"].id
role_definition_name = "Reader"
principal_id = azuread_service_principal.infra_ci_jenkins_io.id
principal_id = azuread_service_principal.infra_ci_jenkins_io.object_id
}
resource "azurerm_role_assignment" "infra_ci_jenkins_io_privatek8s_subnet_role" {
scope = data.azurerm_subnet.privatek8s_tier.id
role_definition_name = "Virtual Machine Contributor"
principal_id = azuread_service_principal.infra_ci_jenkins_io.id
principal_id = azuread_service_principal.infra_ci_jenkins_io.object_id
}
resource "azurerm_role_assignment" "infra_ci_jenkins_io_privatek8s_subnet_private_vnet_reader" {
scope = data.azurerm_virtual_network.private.id
role_definition_id = azurerm_role_definition.private_vnet_reader.role_definition_resource_id
principal_id = azuread_service_principal.infra_ci_jenkins_io.id
principal_id = azuread_service_principal.infra_ci_jenkins_io.object_id
}

# Required to allow azcopy sync of contributors.jenkins.io File Share
module "infraci_contributorsjenkinsio_fileshare_serviceprincipal_writer" {
source = "./.shared-tools/terraform/modules/azure-jenkinsinfra-fileshare-serviceprincipal-writer"

service_fqdn = "infra-ci-jenkins-io-fileshare_serviceprincipal_writer"
active_directory_owners = [data.azuread_service_principal.terraform_production.id]
active_directory_owners = [data.azuread_service_principal.terraform_production.object_id]
active_directory_url = "https://github.com/jenkins-infra/azure"
service_principal_end_date = local.end_dates.infra_ci_jenkins_io.infraci_contributorsjenkinsio_fileshare_serviceprincipal_writer.end_date
file_share_resource_manager_id = azurerm_storage_share.contributors_jenkins_io.resource_manager_id
Expand All @@ -93,7 +93,7 @@ module "infraci_docsjenkinsio_fileshare_serviceprincipal_writer" {
source = "./.shared-tools/terraform/modules/azure-jenkinsinfra-fileshare-serviceprincipal-writer"

service_fqdn = "infra-ci-jenkins-io-fileshare_serviceprincipal_writer"
active_directory_owners = [data.azuread_service_principal.terraform_production.id]
active_directory_owners = [data.azuread_service_principal.terraform_production.object_id]
active_directory_url = "https://github.com/jenkins-infra/azure"
service_principal_end_date = local.end_dates.infra_ci_jenkins_io.infraci_docsjenkinsio_fileshare_serviceprincipal_writer.end_date
file_share_resource_manager_id = azurerm_storage_share.docs_jenkins_io.resource_manager_id
Expand All @@ -113,7 +113,7 @@ module "infraci_statsjenkinsio_fileshare_serviceprincipal_writer" {
source = "./.shared-tools/terraform/modules/azure-jenkinsinfra-fileshare-serviceprincipal-writer"

service_fqdn = "infra-ci-jenkins-io-fileshare_serviceprincipal_writer"
active_directory_owners = [data.azuread_service_principal.terraform_production.id]
active_directory_owners = [data.azuread_service_principal.terraform_production.object_id]
active_directory_url = "https://github.com/jenkins-infra/azure"
service_principal_end_date = local.end_dates.infra_ci_jenkins_io.infraci_statsjenkinsio_fileshare_serviceprincipal_writer.end_date
file_share_resource_manager_id = azurerm_storage_share.stats_jenkins_io.resource_manager_id
Expand Down Expand Up @@ -158,7 +158,7 @@ resource "azurerm_role_assignment" "infra_controller_vnet_reader" {
provider = azurerm.jenkins-sponsorship
scope = data.azurerm_virtual_network.infra_ci_jenkins_io_sponsorship.id
role_definition_id = azurerm_role_definition.infra_ci_jenkins_io_controller_vnet_sponsorship_reader.role_definition_resource_id
principal_id = azuread_service_principal.infra_ci_jenkins_io.id
principal_id = azuread_service_principal.infra_ci_jenkins_io.object_id
}
module "infra_ci_jenkins_io_azurevm_agents_jenkins_sponsorship" {
providers = {
Expand All @@ -173,7 +173,7 @@ module "infra_ci_jenkins_io_azurevm_agents_jenkins_sponsorship" {
ephemeral_agents_subnet_name = data.azurerm_subnet.infra_ci_jenkins_io_sponsorship_ephemeral_agents.name
controller_rg_name = azurerm_resource_group.infra_ci_jenkins_io_controller_jenkins_sponsorship.name
controller_ips = data.azurerm_subnet.privatek8s_infra_ci_controller_tier.address_prefixes # Pod IPs: controller IP may change in the pods IP subnet
controller_service_principal_id = azuread_service_principal.infra_ci_jenkins_io.id
controller_service_principal_id = azuread_service_principal.infra_ci_jenkins_io.object_id
default_tags = local.default_tags
storage_account_name = "infraciagentssub" # Max 24 chars

Expand Down Expand Up @@ -233,7 +233,7 @@ module "infraci_pluginsjenkinsio_fileshare_serviceprincipal_writer" {
source = "./.shared-tools/terraform/modules/azure-jenkinsinfra-fileshare-serviceprincipal-writer"

service_fqdn = "infraci-pluginsjenkinsio-fileshare_serviceprincipal_writer"
active_directory_owners = [data.azuread_service_principal.terraform_production.id]
active_directory_owners = [data.azuread_service_principal.terraform_production.object_id]
active_directory_url = "https://github.com/jenkins-infra/azure"
service_principal_end_date = local.end_dates.infra_ci_jenkins_io.infraci_pluginsjenkinsio_fileshare_serviceprincipal_writer.end_date
file_share_resource_manager_id = azurerm_storage_share.plugins_jenkins_io.resource_manager_id
Expand Down Expand Up @@ -366,7 +366,9 @@ resource "azurerm_resource_group" "updatecli_infra_ci_jenkins_io" {
resource "azuread_application" "updatecli_infra_ci_jenkins_io" {
display_name = "updatecli_infra.ci.jenkins.io"
owners = [
data.azuread_service_principal.terraform_production.id,
# Commenting out to migrate to new AzureAD provider
# data.azuread_service_principal.terraform_production.id,
"b847a030-25e1-4791-ad04-9e8484d87bce",
]
tags = [for key, value in local.default_tags : "${key}:${value}"]
required_resource_access {
Expand All @@ -385,7 +387,9 @@ resource "azuread_service_principal" "updatecli_infra_ci_jenkins_io" {
client_id = azuread_application.updatecli_infra_ci_jenkins_io.client_id
app_role_assignment_required = false
owners = [
data.azuread_service_principal.terraform_production.id,
# Commenting out to migrate to new AzureAD provider
# data.azuread_service_principal.terraform_production.id,
"b847a030-25e1-4791-ad04-9e8484d87bce",
]
}
resource "azuread_application_password" "updatecli_infra_ci_jenkins_io" {
Expand All @@ -406,5 +410,5 @@ resource "azurerm_role_definition" "vm_images_reader" {
resource "azurerm_role_assignment" "updatecli_infra_ci_jenkins_io_allow_images_list" {
scope = azurerm_resource_group.updatecli_infra_ci_jenkins_io.id
role_definition_id = azurerm_role_definition.vm_images_reader.role_definition_resource_id
principal_id = azuread_service_principal.updatecli_infra_ci_jenkins_io.id
principal_id = azuread_service_principal.updatecli_infra_ci_jenkins_io.object_id
}
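Review bot: The `owners` lists of `azuread_application.updatecli_infra_ci_jenkins_io` and its `azuread_service_principal` now carry the bare literal `"b847a030-25e1-4791-ad04-9e8484d87bce"` beside a commented-out `terraform_production.id` reference, while every other owner and `principal_id` in this file was migrated to `data.azuread_service_principal.terraform_production.object_id`. An owner of an app registration can add client secrets or certificates to it, so an unexplained GUID here is effectively an unreviewed grant of control over whatever the updatecli service principal can reach (at least the `vm_images_reader` assignment below), and a hard-coded object id will silently go stale if that principal is ever recreated. If the GUID is the terraform-production service principal's object id, the consistent fix is `data.azuread_service_principal.terraform_production.object_id,` in both lists with the two comment lines dropped; if it is a different principal, name it in a comment and state why it must own this application instead of terraform-production. The `azuread_application` resource continues past the end of this hunk.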
10 changes: 5 additions & 5 deletions packer-resources.tf
Expand Up @@ -3,7 +3,7 @@
resource "azuread_application" "packer" {
display_name = "packer"
owners = [
data.azuread_service_principal.terraform_production.id, # terraform-production Service Principal, used by the CI system
data.azuread_service_principal.terraform_production.object_id, # terraform-production Service Principal, used by the CI system
]
tags = [for key, value in local.default_tags : "${key}:${value}"]
required_resource_access {
Expand All @@ -24,7 +24,7 @@ resource "azuread_service_principal" "packer" {
client_id = azuread_application.packer.client_id
app_role_assignment_required = false
owners = [
data.azuread_service_principal.terraform_production.id, # terraform-production Service Principal, used by the CI system
data.azuread_service_principal.terraform_production.object_id, # terraform-production Service Principal, used by the CI system
]
}

Expand Down Expand Up @@ -119,7 +119,7 @@ resource "azurerm_role_assignment" "packer_role_images_assignement" {

scope = each.value.id
role_definition_name = "Contributor"
principal_id = azuread_service_principal.packer.id
principal_id = azuread_service_principal.packer.object_id
}
# Allow packer Service Principal to manage AzureRM resources inside the packer resource groups
resource "azurerm_role_assignment" "packer_role_builds_assignement" {
Expand All @@ -128,11 +128,11 @@ resource "azurerm_role_assignment" "packer_role_builds_assignement" {

scope = each.value.id
role_definition_name = "Contributor"
principal_id = azuread_service_principal.packer.id
principal_id = azuread_service_principal.packer.object_id
}
resource "azurerm_role_assignment" "packer_role_manage_subnet" {
provider = azurerm.jenkins-sponsorship
scope = data.azurerm_subnet.infra_ci_jenkins_io_sponsorship_packer_builds.id
role_definition_name = "Network Contributor"
principal_id = azuread_service_principal.packer.id
principal_id = azuread_service_principal.packer.object_id
}
2 changes: 1 addition & 1 deletion publick8s.tf
Expand Up @@ -357,7 +357,7 @@ module "cronjob_geoip_data_fileshare_serviceprincipal_writer" {
source = "./.shared-tools/terraform/modules/azure-jenkinsinfra-fileshare-serviceprincipal-writer"

service_fqdn = "${azurerm_resource_group.publick8s.name}-fileshare_serviceprincipal_writer-redirects"
active_directory_owners = [data.azuread_service_principal.terraform_production.id]
active_directory_owners = [data.azuread_service_principal.terraform_production.object_id]
active_directory_url = "https://github.com/jenkins-infra/azure"
service_principal_end_date = "2024-12-23T00:00:00Z"
file_share_resource_manager_id = azurerm_storage_share.geoip_data.resource_manager_id
10 changes: 5 additions & 5 deletions test.ci.jenkins.io.tf
Expand Up @@ -31,7 +31,7 @@ data "azurerm_subnet" "test_azurevm_agents_agents_sponsorship" {
####################################################################################
resource "azuread_application" "test_azurevm_agents_sponsorship" {
display_name = "test.jay.onboarding"
owners = [data.azuread_service_principal.terraform_production.id]
owners = [data.azuread_service_principal.terraform_production.object_id]
tags = [for key, value in local.default_tags : "${key}:${value}"]
required_resource_access {
resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
Expand All @@ -48,7 +48,7 @@ resource "azuread_application" "test_azurevm_agents_sponsorship" {
resource "azuread_service_principal" "test_azurevm_agents_sponsorship" {
client_id = azuread_application.test_azurevm_agents_sponsorship.client_id
app_role_assignment_required = false
owners = [data.azuread_service_principal.terraform_production.id]
owners = [data.azuread_service_principal.terraform_production.object_id]
}
resource "azuread_application_password" "test_azurevm_agents_sponsorship" {
application_id = azuread_application.test_azurevm_agents_sponsorship.id
Expand All @@ -58,7 +58,7 @@ resource "azuread_application_password" "test_azurevm_agents_sponsorship" {
resource "azurerm_role_assignment" "controller_read_packer_prod_images" {
scope = azurerm_resource_group.packer_images["prod"].id
role_definition_name = "Reader"
principal_id = azuread_service_principal.test_azurevm_agents_sponsorship.id
principal_id = azuread_service_principal.test_azurevm_agents_sponsorship.object_id
}
resource "azurerm_role_definition" "jayonboarding_vnet_writer" {
name = "write-test.jay.onboarding-VNET"
Expand All @@ -71,7 +71,7 @@ resource "azurerm_role_definition" "jayonboarding_vnet_writer" {
resource "azurerm_role_assignment" "jayonboarding_vnet_writer" {
scope = data.azurerm_virtual_network.test_azurevm_agents_sponsorship.id
role_definition_id = azurerm_role_definition.jayonboarding_vnet_writer.role_definition_resource_id
principal_id = azuread_service_principal.test_azurevm_agents_sponsorship.id
principal_id = azuread_service_principal.test_azurevm_agents_sponsorship.object_id
}

module "test_azurevm_agents_sponsorship" {
Expand All @@ -90,7 +90,7 @@ module "test_azurevm_agents_sponsorship" {
"135.237.163.64", # VM (manually managed) public IP
"10.0.0.4", # VM (manually managed) private IP
])
controller_service_principal_id = azuread_service_principal.test_azurevm_agents_sponsorship.id
controller_service_principal_id = azuread_service_principal.test_azurevm_agents_sponsorship.object_id
default_tags = local.default_tags
storage_account_name = "jayagentssub" # Max 24 chars
