Commit
* add the shellcheck extension to the devcontainer (#70)

  Co-authored-by: Glenn Musa <glennmusa@users.noreply.github.com>

* Enable Azure Security Center in MLZ subscriptions (#55)
* Updated documentation in script
* - Added execution flag to shell scripts
  - Added configure_asc.sh script
  - Added code to create subs array to mlz_tf_setup.sh
  - Added code to call configure_asc.sh from mlz_tf_setup.sh
* - Added executable flag to unzipprovider.sh script
* - Added executable flag to check scripts
* - Updated loop code for workspace setting
* - Created folder for ASC scripts
  - Copied generate_names.sh script into ASC folder
* - Removed ASC calling code from setup script
  - Updated naming in asc script
  - Added ASC naming to generate script
* - Moved LAWS name generation into generate names
  - Moved generate names call into loop
  - Updated wait loop to use variables
* - Removed message for elapsed time
  - Added quotes consistently for echoes
* - Updated Copyright statement
  - Added set -e
  - Modified variables to use env & location from vars file
* - Corrected counter logic
  - Corrected description in names script
* output number of attempts remaining
* add a comment that this may fail
* - Removed creator comment
* unusually typo

  Co-authored-by: Glenn Musa <glennmusa@users.noreply.github.com>

* Add persona and business justification to the Issue template (#73)
* issue template update
* Implement error handling into shell scripts (#72)
* - Added error handling to configure_asc script
  - Suppressed "create" output in configure_asc script
* - Added error handling to config_create script
  - Remove commented lines from configure_asc script
* - Added error handling to config_validate script
* - Added error handling to get_sp_identity script
  - Corrected SP lookup
* - Added error handling to mlz_config_create script
* - Updated echo lines
* Implement Sub ID array for Role assignment (#76)
* - Updated bullet numbering in README
  - Added code to create sub id array
* - Reverted numbering changes made to README.md
* - Added description of sed command
* - Added parameter to suppress WARNING on sp create
* Remove providers (#84)
* use azurerm 2.50 in src/core
* removing provider files
* updates to readme and scripts for local providers
* set tf provider folder

  Co-authored-by: Glenn Musa <glennmusa@users.noreply.github.com>

* unique diagnostic settings names (#82)

  Co-authored-by: Glenn Musa <glennmusa@users.noreply.github.com>

* move scripts to src/scripts (#87)
* add a workflow for apply and destroy terraform (#83)
* add retries for apply and destroy
* update readmes

Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com>
Co-authored-by: Glenn Musa <glennmusa@users.noreply.github.com>
Co-authored-by: Byron Boudreaux <16844071+Phydeauxman@users.noreply.github.com>
Co-authored-by: Brooke Hamilton <45323234+brooke-hamilton@users.noreply.github.com>
Co-authored-by: Breanna-Stryker <>
1 parent b2a455c, commit b8114aa

Showing 32 changed files with 596 additions and 202 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
# workflows | ||
|
||
These are the automated workflows we use for ensuring a quality working product. | ||
|
||
For more on GitHub Actions: <https://docs.github.com/en/actions/> | ||
|
||
For more on workflows: <https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions/> | ||
|
||
## Contents | ||
|
||
- apply-and-destroy-terraform.yml | ||
|
||
This workflow assumes some pre-requisites have been set-up. See: [Configuration Prerequisites](#Configuration-Prerequisites) | ||
|
||
1. Checks out the .devcontainer from a private container registry for common tools | ||
|
||
1. Authenticates against a pre-configured KeyVault that contains | ||
- values for authenticating against a storage account | ||
- values for deploying terraform | ||
|
||
1. Pulls known good MLZ and Terraform configuration variables from that storage account | ||
|
||
1. Applies terraform anew from that configuration (see [build/README.md](../../build/README.md) for how this works) | ||
|
||
1. Destroys terraform from that configuration (see [build/README.md](../../build/README.md) for how this works) | ||
|
||
- validate-terraform.yml | ||
|
||
1. Checks out the .devcontainer from a private container registry for common tools | ||
|
||
1. Recursively validates and lints all the terraform referenced at src/core | ||
|
||
## Configuration Prerequisites | ||
|
||
1. MLZ Setup | ||
|
||
To apply terraform at all, locally, or from this automation, `scripts/mlz_tf_setup.sh` must be run to create the storage accounts to store Terraform state and create the Service Principal with authorization to deploy resources into the configured subscription(s). | ||
|
||
See the root README's [Configure the Terraform Backend](#../..//README.md/#Configure-the-Terraform-Backend) on how to do this. | ||
|
||
1. Configuration store | ||
|
||
When applying terraform locally or from this automation, an MLZ Configuration file (commonly mlz_tf_cfg.var) and Terraform-specific variables files (commonly *.tfvars) are required. | ||
|
||
You should end up with a container with these files: | ||
|
||
File Name | Value | ||
------------ | ------------- | ||
mlz_tf_cfg.var | An MLZ Configuration file that comes from mlz_tf_setup.sh | ||
globals.tfvars | Global MLZ terraform values | ||
saca-hub.tfvars | SACA Hub MLZ terraform values | ||
tier-0.tfvars | Tier 0 MLZ terraform values | ||
tier-1.tfvars | Tier 1 MLZ terraform values | ||
tier-2.tfvars | Tier 2 MLZ terraform values | ||
|
||
Running this from your local machine, you can provide these files yourself, but, today, for automation these files are stored in an Azure Storage Account and retrieved at workflow execution time. See [build/get_vars.sh](../../build/get_vars.sh) to see how we retrieve | ||
|
||
```plaintext | ||
./build/get_vars.sh | ||
# pulls down these files: | ||
vars/mlz_tf_cfg.var | ||
vars/globals.tfvars | ||
vars/saca-hub.tfvars | ||
vars/tier-0.tfvars | ||
vars/tier-1.tfvars | ||
vars/tier-2.tfvars | ||
``` | ||
|
||
1. Secret store and minimally scoped Service Principal | ||
|
||
See [glennmusa/keyvault-for-actions](https://github.com/glennmusa/keyvault-for-actions) to create a minimally scoped Service Principal to pull sensitive values from an Azure Key Vault. | ||
|
||
Supply that Key Vault the values for: | ||
|
||
Secret Name | Value | ||
------------ | ------------- | ||
MLZCLIENTID | The Service Principal Authorized to deploy resources into MLZ Terraform Subscriptions | ||
MLZCLIENTSECRET | The credential for the Service Principal above | ||
STORAGEACCOUNT | The Azure Storage Account for the files in the previous step | ||
STORAGECONTAINER | The container contianing the files in the previous step | ||
STORAGETOKEN | A token to access the storage account (we used a Container SAS) | ||
|
||
For more on creating a minimally scoped token to access storage see: <https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview/> |
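Review bot: The link in the MLZ Setup step, `[Configure the Terraform Backend](#../..//README.md/#Configure-the-Terraform-Backend)`, will not resolve: it begins with `#`, contains a doubled slash, and GitHub heading anchors are lowercase, so it should read `[Configure the Terraform Backend](../../README.md#configure-the-terraform-backend)` (the same lowercase-anchor rule applies to `#Configuration-Prerequisites` near the top of the file). The sentence ending "See [build/get_vars.sh](../../build/get_vars.sh) to see how we retrieve" is cut off mid-sentence, and "contianing" in the STORAGECONTAINER row should be "containing". Since the text states STORAGETOKEN is a Container SAS used only to pull configuration files, the prerequisites should also say that the SAS is to be issued with read and list permissions only and a short expiry, so that a leaked workflow secret cannot write to or enumerate beyond that container.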
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
# Copyright (c) Microsoft Corporation. | ||
# Licensed under the MIT License. | ||
|
||
name: apply-and-destroy-terraform | ||
on: [workflow_dispatch] | ||
jobs: | ||
apply-and-destroy-terraform: | ||
runs-on: ubuntu-latest | ||
|
||
container: | ||
image: acrmlzcicd.azurecr.io/missionlzdev | ||
credentials: | ||
username: ${{ secrets.acr_username }} | ||
password: ${{ secrets.acr_password }} | ||
|
||
steps: | ||
- uses: actions/checkout@v2 | ||
|
||
- uses: azure/login@v1 | ||
with: | ||
creds: ${{ secrets.AZURE_CREDENTIALS }} | ||
|
||
- uses: Azure/get-keyvault-secrets@v1 | ||
with: | ||
keyvault: ${{ secrets.KEY_VAULT_NAME }} | ||
secrets: '*' | ||
|
||
- name: get vars | ||
run : | | ||
cd build | ||
./get_vars.sh | ||
- name: login | ||
run : | | ||
cd build | ||
./login_azcli.sh vars/mlz_tf_cfg.var | ||
- name: apply terraform | ||
run : | | ||
cd build | ||
./apply_tf.sh \ | ||
vars/mlz_tf_cfg.var \ | ||
vars/globals.tfvars \ | ||
vars/saca-hub.tfvars \ | ||
vars/tier-0.tfvars \ | ||
vars/tier-1.tfvars \ | ||
vars/tier-2.tfvars \ | ||
n | ||
- name: destroy terraform | ||
run : | | ||
cd build | ||
./destroy_tf.sh \ | ||
vars/mlz_tf_cfg.var \ | ||
vars/globals.tfvars \ | ||
vars/saca-hub.tfvars \ | ||
vars/tier-0.tfvars \ | ||
vars/tier-1.tfvars \ | ||
vars/tier-2.tfvars \ | ||
n |
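Review bot: `secrets: '*'` on the `Azure/get-keyvault-secrets@v1` step exports every secret in the vault into the job rather than the five the README documents; list them explicitly, e.g. `secrets: 'MLZCLIENTID, MLZCLIENTSECRET, STORAGEACCOUNT, STORAGECONTAINER, STORAGETOKEN'`, so that a secret added to the vault later is not silently exposed to this workflow. Separately, the `destroy terraform` step runs only when `apply terraform` succeeds, so a partially failed apply leaves resources (and cost) behind in the subscription; consider `if: always()` on the destroy step, or document the manual cleanup. The trailing `n` argument passed to `apply_tf.sh` and `destroy_tf.sh` is not explained anywhere in this diff and deserves a comment, and `run :` should be `run:` for consistency with the rest of the file.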