Add ACR locks (#1373)

* Add ACR locks

* formatting, cleanup

* formatting, cleanup

terraform/subscriptions/modules/acr/main.tf

@@ -61,6 +61,20 @@ resource "azurerm_container_registry" "env" {
   }
 }
 
+resource "azurerm_management_lock" "this" {
+  name       = "delete-lock"
+  scope      = azurerm_container_registry.this.id
+  lock_level = "CanNotDelete"
+  notes      = "IaC : Terraform"
+}
+
+resource "azurerm_management_lock" "env" {
+  name       = "delete-lock"
+  scope      = azurerm_container_registry.env.id
+  lock_level = "CanNotDelete"
+  notes      = "IaC : Terraform"
+}
+
 resource "azurerm_private_endpoint" "this" {
   name                = "pe-radix-acr-app-${var.acr}"
   resource_group_name = var.vnet_resource_group
@@ -125,4 +139,4 @@ resource "azurerm_private_dns_a_record" "env" {
 
 output "azurerm_container_registry_id" {
   value = azurerm_container_registry.env.id
-}
+}

terraform/subscriptions/modules/federated-credentials/servicenow_proxy/main.tf

@@ -12,19 +12,19 @@ locals {
     for cluster, issuer in var.oidc_issuer_url : [
       for env in ["prod", "qa"] : {
         cluster = cluster
-        issuer = issuer
-        env = env
+        issuer  = issuer
+        env     = env
       }
     ]
   ])
 }
 
 resource "azuread_application_federated_identity_credential" "ar-radix-servicenow-proxy-client" {
-  for_each = { for item in local.oidc_issuers: "${item.cluster}-${item.env}" => item }
+  for_each       = { for item in local.oidc_issuers : "${item.cluster}-${item.env}" => item }
   application_id = data.azuread_application.this.id
-  display_name = "k8s-radix-servicenow-proxy-client-${each.value.cluster}-${each.value.env}"
-  description  = "Application registration Federated Identity Credentials to access ServiceNow API"
-  audiences    = ["api://AzureADTokenExchange"]
-  issuer       = each.value.issuer
-  subject      = "system:serviceaccount:radix-servicenow-proxy-${each.value.env}:api-sa"
+  display_name   = "k8s-radix-servicenow-proxy-client-${each.value.cluster}-${each.value.env}"
+  description    = "Application registration Federated Identity Credentials to access ServiceNow API"
+  audiences      = ["api://AzureADTokenExchange"]
+  issuer         = each.value.issuer
+  subject        = "system:serviceaccount:radix-servicenow-proxy-${each.value.env}:api-sa"
 }

terraform/subscriptions/s940/c2/post-clusters/servicenow-api.tf

@@ -1,5 +1,5 @@
 ### ServiceNow Proxy Federated Identity credentials
 module "servicenow" {
-  source = "../../../modules/federated-credentials/servicenow_proxy"
+  source          = "../../../modules/federated-credentials/servicenow_proxy"
   oidc_issuer_url = module.clusters.oidc_issuer_url
 }

terraform/subscriptions/s940/prod/post-clusters/servicenow-api.tf

@@ -1,5 +1,5 @@
 ### ServiceNow Proxy Federated Identity credentials
 module "servicenow" {
-  source = "../../../modules/federated-credentials/servicenow_proxy"
+  source          = "../../../modules/federated-credentials/servicenow_proxy"
   oidc_issuer_url = module.clusters.oidc_issuer_url
 }

terraform/subscriptions/s941/dev/common/main.tf

@@ -74,4 +74,4 @@ output "log_storageaccount_id" {
 output "acr_id" {
   value = module.acr.azurerm_container_registry_id
 
-}
+}

terraform/subscriptions/s941/dev/post-clusters/servicenow-api.tf

@@ -1,5 +1,5 @@
 ### ServiceNow Proxy Federated Identity credentials
 module "servicenow" {
-  source = "../../../modules/federated-credentials/servicenow_proxy"
+  source          = "../../../modules/federated-credentials/servicenow_proxy"
   oidc_issuer_url = module.clusters.oidc_issuer_url
 }

terraform/subscriptions/s941/playground/post-clusters/servicenow-api.tf

@@ -1,5 +1,5 @@
 ### ServiceNow Proxy Federated Identity credentials
 module "servicenow" {
-  source = "../../../modules/federated-credentials/servicenow_proxy"
+  source          = "../../../modules/federated-credentials/servicenow_proxy"
   oidc_issuer_url = module.clusters.oidc_issuer_url
 }