whitespace, different userg assigned identities for backend and frontend
vrsorheim committed Jul 19, 2024
1 parent f499f51 commit b1a685d
Showing 17 changed files with 119 additions and 144 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/apply_infra_on_push.yaml
Expand Up @@ -3,7 +3,7 @@ name: Apply On Push Infrastructure Terraform
on:
push:
branches:
- master
- terraform-modules
paths:
- 'terraform/**'
- '.github/workflows/**'
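Review bot: The push trigger for the infra apply workflow is switched between `master` and `terraform-modules` here and again in build_and_push_images.yaml in the next section, and the rendered view does not show which side is new. If `terraform-modules` is the new value, `terraform apply` now runs on every push to a non-default branch; unless that branch carries the same protection rules as master, anyone who can push to it can change the cloud infrastructure, and the `paths:` filter does not narrow who. Either state the intent in the file, `# TEMP: apply from the refactor branch; revert to master before merge`, or drive the feature-branch runs from `workflow_dispatch` behind an environment approval instead of `push`.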
2 changes: 1 addition & 1 deletion .github/workflows/build_and_push_images.yaml
Expand Up @@ -3,7 +3,7 @@ name: Docker Build, Push, and Deploy
on:
push:
branches:
- master
- terraform-modules
paths-ignore:
- 'terraform/**'
- '.github/workflows/**'
121 changes: 59 additions & 62 deletions terraform/main.tf
@@ -1,12 +1,12 @@
locals {
env = terraform.workspace
alphabetical_env = replace(terraform.workspace, "-", "")
env = terraform.workspace
alphabetical_env = replace(terraform.workspace, "-", "")
}

terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
source = "hashicorp/azurerm"
version = "~>3.110.0"
}
}
Expand All @@ -28,81 +28,78 @@ provider "azurerm" {
}

resource "azurerm_resource_group" "imo_app" {
name = "rg-${var.app}-${local.env}"
location = var.location
name = "rg-${var.app}-${local.env}"
location = var.location
}

data "azurerm_client_config" "current" {}

module "access" {
source = "./modules/access"
env = local.env
app = var.app
resource_group_id = azurerm_resource_group.imo_app.id
resource_group_name = azurerm_resource_group.imo_app.name
location = var.location
azure_current_object_id = data.azurerm_client_config.current.object_id
key_vault_id = module.keyvault.key_vault_id
container_registry_id = module.appenv.container_registry_id
source = "./modules/access"
env = local.env
app = var.app
resource_group_id = azurerm_resource_group.imo_app.id
resource_group_name = azurerm_resource_group.imo_app.name
location = var.location
azure_current_object_id = data.azurerm_client_config.current.object_id
key_vault_id = module.keyvault.key_vault_id
container_registry_id = module.appenv.container_registry_id
}

module "keyvault" {
source = "./modules/keyvault"
env = local.env
app = var.app
resource_group_name = azurerm_resource_group.imo_app.name
location = var.location
azure_current_tenant_id = data.azurerm_client_config.current.tenant_id
keyvault_role_assignment = module.access.keyvault_role_assignment
}
source = "./modules/keyvault"
env = local.env
app = var.app
resource_group_name = azurerm_resource_group.imo_app.name
location = var.location
azure_current_tenant_id = data.azurerm_client_config.current.tenant_id
keyvault_role_assignment = module.access.keyvault_role_assignment
}

module "database" {
source = "./modules/database"
env = local.env
app = var.app
resource_group_name = azurerm_resource_group.imo_app.name
location = var.location
db_password = module.keyvault.db_password
backend_app = module.backend.backend_container_app
outbound_backend_ip = module.backend.outbound_backend_ip
}
source = "./modules/database"
env = local.env
app = var.app
resource_group_name = azurerm_resource_group.imo_app.name
location = var.location
db_password = module.keyvault.db_password
outbound_backend_ip = module.backend.outbound_backend_ip
}

module "appenv" {
source = "./modules/appenv"
env = local.env
alphabetical_env = local.alphabetical_env
app = var.app
alphabetical_app = var.alphabetical_app
resource_group_name = azurerm_resource_group.imo_app.name
location = var.location
source = "./modules/appenv"
env = local.env
alphabetical_env = local.alphabetical_env
app = var.app
alphabetical_app = var.alphabetical_app
resource_group_name = azurerm_resource_group.imo_app.name
location = var.location
}

module "backend"{
source = "./modules/backend"
env = local.env
app = var.app
pghost = module.database.pghost
pgdatabase = module.database.pgdatabase
pgport = module.database.pgport
pguser = module.database.pguser
resource_group_name = azurerm_resource_group.imo_app.name
container_registry_server = module.appenv.container_registry_server
container_app_environment_id = module.appenv.container_app_environment_id
user_assigned_identity_vault = module.access.user_assigned_identity_vault
user_assigned_identity_cr = module.access.user_assigned_identity_cr
db_key_vault_secret_id = module.keyvault.db_key_vault_secret_id
appsettings_secret = module.keyvault.appsettings_secret
module "backend" {
source = "./modules/backend"
env = local.env
app = var.app
pghost = module.database.pghost
pgdatabase = module.database.pgdatabase
pgport = module.database.pgport
pguser = module.database.pguser
resource_group_name = azurerm_resource_group.imo_app.name
user_assigned_backend = module.access.user_assigned_identity_backend
container_registry_server = module.appenv.container_registry_server
container_app_environment_id = module.appenv.container_app_environment_id
db_key_vault_secret_id = module.keyvault.db_key_vault_secret_id
appsettings_secret = module.keyvault.appsettings_secret
appsettings_secret_key_vault_secret_id = module.keyvault.appsettings_secret_key_vault_secret_id
}

module "frontend" {
source = "./modules/frontend"
env = local.env
app = var.app
backend_container_app = module.backend.backend_container_app
resource_group_name = azurerm_resource_group.imo_app.name
user_assigned_identity_cr = module.access.user_assigned_identity_cr
container_app_environment_id = module.appenv.container_app_environment_id
container_registry_server = module.appenv.container_registry_server
backend_internal_URL = module.backend.backend_internal_URL
source = "./modules/frontend"
env = local.env
app = var.app
resource_group_name = azurerm_resource_group.imo_app.name
container_app_environment_id = module.appenv.container_app_environment_id
container_registry_server = module.appenv.container_registry_server
backend_internal_URL = module.backend.backend_internal_URL
user_assigned_frontend = module.access.user_assigned_identity_frontend
}
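Review bot: `module "database"` and `module "backend"` now reference each other (`outbound_backend_ip` flows one way, `pghost`/`pgdatabase`/`pgport`/`pguser` the other) and nothing in the file says why that is not a cycle. Terraform resolves dependencies per resource rather than per module, so this works only as long as the database-side consumer of `outbound_backend_ip` (presumably a firewall rule) does not feed back into the server the backend reads `pghost` from; a comment on `module "database"` such as `# outbound_backend_ip is consumed only by the firewall rule; the server itself must not depend on module.backend or the graph becomes cyclic` would protect that invariant. Dropping `backend_app` from the database module also assumes `modules/database/variables.tf` no longer declares it as a required variable, which is not visible in this section.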
32 changes: 18 additions & 14 deletions terraform/modules/access/main.tf
@@ -1,32 +1,36 @@
resource "azurerm_user_assigned_identity" "imo_app_cr" {
name = "id-${var.app}-assign-id-cr-${var.env}"
resource "azurerm_user_assigned_identity" "backend" {
name = "id-${var.app}-backend-${var.env}"
resource_group_name = var.resource_group_name
location = var.location
}

resource "azurerm_user_assigned_identity" "imo_app_vault" {
name = "id-${var.app}-assign-id-vault-${var.env}"
resource "azurerm_user_assigned_identity" "frontend" {
name = "id-${var.app}-frontend-${var.env}"
resource_group_name = var.resource_group_name
location = var.location
}

resource "azurerm_role_assignment" "acr_pull" {
resource "azurerm_role_assignment" "acr_pull_backend" {
scope = var.container_registry_id
role_definition_name = "acrpull"
principal_id = azurerm_user_assigned_identity.imo_app_cr.principal_id
depends_on = [
azurerm_user_assigned_identity.imo_app_cr
]
principal_id = azurerm_user_assigned_identity.backend.principal_id
}

resource "azurerm_role_assignment" "admin_key_vault" {
scope = var.resource_group_id
role_definition_name = "Key Vault Administrator"
principal_id = var.azure_current_object_id
resource "azurerm_role_assignment" "acr_pull_frontend" {
scope = var.container_registry_id
role_definition_name = "acrpull"
principal_id = azurerm_user_assigned_identity.frontend.principal_id
}


resource "azurerm_role_assignment" "user_key_vault" {
scope = var.key_vault_id
role_definition_name = "Key Vault Secrets User"
principal_id = azurerm_user_assigned_identity.imo_app_vault.principal_id
principal_id = azurerm_user_assigned_identity.backend.principal_id
}

resource "azurerm_role_assignment" "admin_key_vault" {
scope = var.resource_group_id
role_definition_name = "Key Vault Administrator"
principal_id = var.azure_current_object_id
}
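Review bot: Renaming `imo_app_cr`/`imo_app_vault` to `backend`/`frontend` together with new `name` values recreates both user-assigned identities, so their `principal_id`s change and every role assignment in this file is recreated with them. The `Key Vault Secrets User` grant in `user_key_vault` moves from the old vault identity to `backend`, and a role assignment on a freshly created principal can take minutes to propagate, so the backend container app's Key Vault secret references that use this identity may fail on the first apply after this change; a comment recording that, or an explicit dependency from the app to this assignment passed through main.tf, would save the next operator a confusing retry. The split itself is good least privilege: `frontend` holds only `acrpull` and no vault role, and a comment on `acr_pull_frontend` such as `# frontend pulls images only; it must not receive a Key Vault role` keeps a later change from widening it.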
8 changes: 4 additions & 4 deletions terraform/modules/access/outputs.tf
@@ -1,9 +1,9 @@
output "user_assigned_identity_vault" {
value = azurerm_user_assigned_identity.imo_app_vault.id
output "user_assigned_identity_frontend" {
value = azurerm_user_assigned_identity.frontend.id
}

output "user_assigned_identity_cr" {
value = azurerm_user_assigned_identity.imo_app_cr.id
output "user_assigned_identity_backend" {
value = azurerm_user_assigned_identity.backend.id
}

output "keyvault_role_assignment" {
2 changes: 1 addition & 1 deletion terraform/modules/access/variables.tf
Expand Up @@ -30,7 +30,7 @@ variable "azure_current_object_id" {

variable "env" {
description = "The application environment"
type = string
type = string
}

variable "app" {
4 changes: 2 additions & 2 deletions terraform/modules/appenv/variables.tf
Expand Up @@ -10,15 +10,15 @@ variable "resource_group_name" {

variable "env" {
description = "The application environment"
type = string
type = string
}

variable "app" {
description = "The application name"
type = string
}

variable "alphabetical_app"{
variable "alphabetical_app" {
description = "The application name with only alphanumeric characters"
type = string
}
19 changes: 9 additions & 10 deletions terraform/modules/backend/main.tf
Expand Up @@ -6,45 +6,44 @@ resource "azurerm_container_app" "backend" {

identity {
type = "UserAssigned"
identity_ids = [var.user_assigned_identity_cr, var.user_assigned_identity_vault]
identity_ids = [var.user_assigned_backend]
}

registry {
server = var.container_registry_server
identity = var.user_assigned_identity_cr
identity = var.user_assigned_backend
}

ingress {
external_enabled = false
target_port = 5000
allow_insecure_connections = false
traffic_weight {
percentage = 100
percentage = 100
latest_revision = true
}
}

secret {
name = "db-password"
key_vault_secret_id = var.db_key_vault_secret_id
identity = var.user_assigned_identity_vault
identity = var.user_assigned_backend
}

secret {
name = "appsettings-secret"
key_vault_secret_id = var.appsettings_secret_key_vault_secret_id
identity = var.user_assigned_identity_vault
identity = var.user_assigned_backend
}



template {
container {
name = "backend"
name = "backend"
image = "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest"
cpu = 0.5
memory = "1Gi"

env {
name = "PGHOST"
value = var.pghost
Expand All @@ -62,15 +61,15 @@ resource "azurerm_container_app" "backend" {
value = var.pgdatabase
}
env {
name = "PGPASSWORD"
name = "PGPASSWORD"
secret_name = "db-password"
}
env {
name = "PGSSLMODE"
value = "require"
}
env {
name = "APPSETTINGS_SECRET"
name = "APPSETTINGS_SECRET"
secret_name = "appsettings-secret"
}

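Review bot: The `identity`, `registry` and both `secret` blocks now all point at the single `var.user_assigned_backend`, which means that one identity must hold both `acrpull` on the registry and `Key Vault Secrets User` on the vault, and nothing in this file records that. A comment on the `identity` block, `# single identity for the backend: needs acrpull on the registry and Key Vault Secrets User on the vault, both granted in modules/access`, lets the next reader check the grants without opening the other module. The enclosing `resource "azurerm_container_app" "backend"` starts and ends outside this hunk.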
2 changes: 1 addition & 1 deletion terraform/modules/backend/outputs.tf
Expand Up @@ -9,5 +9,5 @@ output "backend_container_app" {
}
output "outbound_backend_ip" {
description = "The IP adress of the backend container app"
value = azurerm_container_app.backend.outbound_ip_addresses
value = azurerm_container_app.backend.outbound_ip_addresses[0]
}
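Review bot: `outbound_ip_addresses[0]` narrows the output to the first egress address, but an Azure Container App can report several outbound IPs and the order of that list is not something a caller should rely on. If the database module uses this value for a firewall rule (the `outbound_backend_ip` input in main.tf suggests it does), connections leaving via any other address are rejected, and a later change in the set silently rotates which one is allowed. Keeping the output as the full list and creating one rule per address with `for_each` in the database module is the safer shape; if a single IP is intentional, say so next to the value, e.g. `# first outbound IP only — TODO confirm the environment has exactly one`.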
10 changes: 3 additions & 7 deletions terraform/modules/backend/variables.tf
Expand Up @@ -13,15 +13,11 @@ variable "container_registry_server" {
type = string
}

variable "user_assigned_identity_cr" {
description = "The ID of the user managed identity for the container registry"
variable "user_assigned_backend" {
description = "The ID of the user managed identity for the backend container app"
type = string
}

variable "user_assigned_identity_vault" {
description = "The ID of the user managed identity for the key vault"
type = string
}

variable "db_key_vault_secret_id" {
description = "The key vault secret ID for the database password"
Expand Down Expand Up @@ -50,7 +46,7 @@ variable "pgdatabase" {

variable "env" {
description = "The application environment"
type = string
type = string
}

variable "app" {