diff --git a/.github/workflows/aksapply.yaml b/.github/workflows/aksapply.yaml
index 9ff7bc7cd..c2bd9bd97 100644
--- a/.github/workflows/aksapply.yaml
+++ b/.github/workflows/aksapply.yaml
@@ -77,6 +77,7 @@ jobs:
 run: |
 terraform -chdir="./terraform/subscriptions/${{ matrix.target.subscription }}/${{ matrix.target.name }}/pre-clusters" init
 terraform -chdir="./terraform/subscriptions/${{ matrix.target.subscription }}/${{ matrix.target.name }}/pre-clusters" apply -auto-approve
+ terraform -chdir="./terraform/subscriptions/${{ matrix.target.subscription }}/${{ matrix.target.name }}/pre-clusters" apply -auto-approve
 - name: Revoke GitHub IP on StorageAccount
 if: ${{ github.ref == 'refs/heads/master' && inputs.terraformapply }}
 run: |
diff --git a/terraform/subscriptions/modules/app_application_registration/main.tf b/terraform/subscriptions/modules/app_application_registration/main.tf
new file mode 100644
index 000000000..2e09285e5
--- /dev/null
+++ b/terraform/subscriptions/modules/app_application_registration/main.tf
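Review bot: The added line is a verbatim copy of the `terraform ... apply -auto-approve` directly above it, so the pre-clusters configuration is auto-approved and applied twice on every run of this step. If a second pass is deliberate (for example to converge values that are only known after the first apply), record that in the step, e.g. `# second apply on purpose: converges values only known after the first pass`; otherwise drop the duplicate. An unexplained double auto-approved apply is exactly the line the next reader will remove, and the step's surrounding job definition lies outside the hunk.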
@@ -0,0 +1,31 @@
+resource "azuread_application_registration" "this" {
+ display_name = var.displayname
+ sign_in_audience = "AzureADMyOrg"
+ service_management_reference = var.service_management_reference
+ notes = var.internal_notes
+ requested_access_token_version = 1
+ implicit_id_token_issuance_enabled = var.implicit_id_token_issuance_enabled
+}
+
+resource "azuread_application_owner" "this" {
+ for_each = toset(var.radixowners)
+ application_id = azuread_application_registration.this.id
+ owner_object_id = each.value
+}
+
+resource "azuread_application_api_access" "this" {
+ for_each = var.permissions
+ application_id = azuread_application_registration.this.id
+ api_client_id = each.value.id
+ scope_ids = each.value.scope_ids
+}
+
+resource "azuread_service_principal" "this" {
+ client_id = azuread_application_registration.this.client_id
+ app_role_assignment_required = var.app_role_assignment_required
+ owners = toset(var.radixowners)
+}
+
+output "azuread_service_principal_id" {
+ value = resource.azuread_service_principal.this.id
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/app_application_registration/variables.tf b/terraform/subscriptions/modules/app_application_registration/variables.tf
new file mode 100644
index 000000000..5e96f8fa9
--- /dev/null
+++ b/terraform/subscriptions/modules/app_application_registration/variables.tf
@@ -0,0 +1,34 @@
+variable "displayname" {
+ type = string
+}
+
+variable "service_management_reference" {
+ type = string
+}
+
+variable "internal_notes" {
+ type = string
+}
+
+variable "radixowners" {
+ type = list(string)
+}
+
+variable "permissions" {
+ type = map(object({
+ id = string
+ scope_ids = list(string)
+ }))
+ default = {}
+}
+
+variable "implicit_id_token_issuance_enabled" {
+ type = bool
+ default = false
+}
+
+variable "app_role_assignment_required" {
+ type = bool
+ default = false
+
+}
\ No newline at end of file
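Review bot: The `azuread_service_principal_id` output exposes the resource `id`, which the callers in dev and playground common/main.tf (L6, L16) then unpick with two nested `replace()` calls to recover the object ID; exporting `object_id` directly removes that string surgery, e.g. `output "azuread_service_principal_object_id" { value = azuread_service_principal.this.object_id }` (the `resource.` prefix on the existing output is also redundant). None of the variables in variables.tf carry a `description`; `radixowners` and `permissions` in particular take raw GUIDs, so a one-line description saying they are owner object IDs and API client IDs plus OAuth2 scope IDs would help whoever wires up the next registration. The module grants owners on both the application and the service principal from the same list, which is worth stating in a comment on `owners = toset(var.radixowners)` so the duplication is not read as an oversight.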
diff --git a/terraform/subscriptions/modules/app_registration/main.tf b/terraform/subscriptions/modules/app_registration/main.tf
index dc27af350..e9131d1ca 100644
--- a/terraform/subscriptions/modules/app_registration/main.tf
+++ b/terraform/subscriptions/modules/app_registration/main.tf
@@ -5,7 +5,7 @@ resource "azuread_application" "this" {
 service_management_reference = var.service_id
 lifecycle {
- ignore_changes = [required_resource_access, api, identifier_uris, web[0].homepage_url, notes]
+ ignore_changes = [single_page_application, web, identifier_uris, api, notes, required_resource_access]
 }
 api {
@@ -14,18 +14,6 @@ resource "azuread_application" "this" {
 requested_access_token_version = 1
 }
- web {
- redirect_uris = var.web_uris
- implicit_grant {
- access_token_issuance_enabled = var.implicit_grant.access_token_issuance_enabled
- id_token_issuance_enabled = var.implicit_grant.id_token_issuance_enabled
- }
-
- }
- single_page_application {
- redirect_uris = var.singlepage_uris
- }
-
 dynamic "required_resource_access" {
 for_each = var.required_resource_access
 content {
diff --git a/terraform/subscriptions/modules/app_registration_redirect_uris/main.tf b/terraform/subscriptions/modules/app_registration_redirect_uris/main.tf
new file mode 100644
index 000000000..1d881f6ad
--- /dev/null
+++ b/terraform/subscriptions/modules/app_registration_redirect_uris/main.tf
@@ -0,0 +1,5 @@
+resource "azuread_application_redirect_uris" "this" {
+ application_id = var.application_id
+ type = var.type
+ redirect_uris = var.redirect_uris
+}
diff --git a/terraform/subscriptions/modules/app_registration_redirect_uris/variables.tf b/terraform/subscriptions/modules/app_registration_redirect_uris/variables.tf
new file mode 100644
index 000000000..a0b0ea232
--- /dev/null
+++ b/terraform/subscriptions/modules/app_registration_redirect_uris/variables.tf
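Review bot: With the `web` and `single_page_application` blocks removed and both now listed in `ignore_changes`, this module neither declares nor reconciles redirect URIs or implicit-grant settings any more, so whatever is currently set on the application in Entra stays there untouched. If this module's variables.tf (outside the diff) still declares `web_uris`, `singlepage_uris` and `implicit_grant`, they are now accepted but silently unused, which misleads callers; remove them or mark them deprecated in their descriptions. A comment above the lifecycle block, `# redirect URIs are owned by the app_registration_redirect_uris module; existing implicit-grant settings are deliberately left as-is`, would record why so much of the resource is ignored. The `azuread_application` resource continues outside both hunks.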
@@ -0,0 +1,11 @@
+variable "application_id" {
+ type = string
+}
+
+variable "type" {
+ type = string
+}
+
+variable "redirect_uris" {
+ type = list(string)
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/config/main.tf b/terraform/subscriptions/modules/config/main.tf
index 68938c0da..893425435 100644
--- a/terraform/subscriptions/modules/config/main.tf
+++ b/terraform/subscriptions/modules/config/main.tf
@@ -39,6 +39,10 @@ output "log_storageaccount_name" {
 output "backend" {
 value = local.config.backend
 }
+
+output "appreg" {
+ value = local.config.appreg
+}
 output "subscription" {
 value = local.config.backend.subscription_id
 }
diff --git a/terraform/subscriptions/modules/key-vault/main.tf b/terraform/subscriptions/modules/key-vault/main.tf
index 3665d6643..9a8bc6096 100644
--- a/terraform/subscriptions/modules/key-vault/main.tf
+++ b/terraform/subscriptions/modules/key-vault/main.tf
@@ -1,6 +1,6 @@
-data "azuread_group" "this" {
- display_name = "Radix Platform Operators"
- security_enabled = true
+data "azuread_group" "this" {
+ display_name = "Radix Platform Operators"
+ security_enabled = true
 }
 data "azurerm_role_definition" "this" {
diff --git a/terraform/subscriptions/modules/storageaccount/main.tf b/terraform/subscriptions/modules/storageaccount/main.tf
index d2e8b5ee1..180cbc4eb 100644
--- a/terraform/subscriptions/modules/storageaccount/main.tf
+++ b/terraform/subscriptions/modules/storageaccount/main.tf
@@ -63,14 +63,9 @@ resource "azurerm_monitor_diagnostic_setting" "blob" {
 log_analytics_workspace_id = var.log_analytics_id
 metric {
- category = "Capacity"
- enabled = false
+ category = "AllMetrics"
 }
- metric {
- category = "Transaction"
- enabled = false
- }
 }
 ########################################################################################
diff --git a/terraform/subscriptions/s940/c2/config.yaml b/terraform/subscriptions/s940/c2/config.yaml
index 73deced16..0dabb312f 100644
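Review bot: `variable "type"` is an unconstrained string although `azuread_application_redirect_uris` only accepts a fixed set of values, and the callers in this diff pass `"Web"` and `"SPA"`; a typo such as `"Spa"` would only surface at apply time inside the provider. A validation block fails at plan time with a readable message and also documents the accepted values, which none of the three variables currently do (no `description` on any of them). `application_id` should likewise say it expects the application resource ID in the `/applications/<object-id>` form the callers build, since a bare client ID will not work here.

```hcl
variable "type" {
  type = string
  validation {
    condition     = contains(["Web", "SPA", "PublicClient"], var.type)
    error_message = "type must be one of Web, SPA or PublicClient."
  }
}
```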
--- a/terraform/subscriptions/s940/c2/config.yaml
+++ b/terraform/subscriptions/s940/c2/config.yaml
@@ -2,6 +2,9 @@ environment: "c2"
 subscription_shortname: "s940"
 location: "westeurope"
 developers: ["be5526de-1b7d-4389-b1ab-a36a99ef5cc5"] # Radix Platform Operators
+appreg:
+ grafana: "24e39d19-c4c3-4ed5-b7ff-965433ebb466"
+ web: "f8066a06-d033-428f-b5a0-d7ba714f796d"
 backend:
 resource_group_name: "s940-tfstate"
 storage_account_name: "s940radixinfra"
diff --git a/terraform/subscriptions/s940/c2/post-clusters/servicenow-api.tf b/terraform/subscriptions/s940/c2/post-clusters/servicenow-api.tf
index d877fc071..b3f228340 100644
--- a/terraform/subscriptions/s940/c2/post-clusters/servicenow-api.tf
+++ b/terraform/subscriptions/s940/c2/post-clusters/servicenow-api.tf
@@ -2,4 +2,5 @@ module "servicenow" {
 source = "../../../modules/federated-credentials/servicenow_proxy"
 oidc_issuer_url = module.clusters.oidc_issuer_url
+ clientid = module.config.ar-radix-servicenow-proxy-client
 }
diff --git a/terraform/subscriptions/s940/prod/config.yaml b/terraform/subscriptions/s940/prod/config.yaml
index 38f2615f3..192ea1328 100644
--- a/terraform/subscriptions/s940/prod/config.yaml
+++ b/terraform/subscriptions/s940/prod/config.yaml
@@ -2,6 +2,9 @@ environment: "platform"
 subscription_shortname: "s940"
 location: "northeurope"
 developers: ["be5526de-1b7d-4389-b1ab-a36a99ef5cc5"] # Radix Platform Operators
+appreg:
+ grafana: "14c54d0b-21d0-4de1-a3af-82a413aca29a"
+ web: "02c5c437-4f66-4e81-bd8d-95180005f3fc"
 backend:
 resource_group_name: "s940-tfstate"
 storage_account_name: "s940radixinfra"
diff --git a/terraform/subscriptions/s940/prod/post-clusters/servicenow-api.tf b/terraform/subscriptions/s940/prod/post-clusters/servicenow-api.tf
index d877fc071..b3f228340 100644
--- a/terraform/subscriptions/s940/prod/post-clusters/servicenow-api.tf
+++ b/terraform/subscriptions/s940/prod/post-clusters/servicenow-api.tf
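Review bot: The new `appreg.grafana` and `appreg.web` values are interpolated into `/applications/${...}` by the redirect-URI modules (L10, L15, L19), so they have to be the application object IDs, not the client (application) IDs that are usually copied from the portal, and nothing in the YAML says which one was pasted. The `developers` line just above shows the existing convention of annotating GUIDs; please follow it, e.g. `appreg: # Entra application OBJECT IDs (not client IDs); consumed as /applications/<id> by app_registration_redirect_uris`. The same applies to the prod hunk in this line and to the dev and playground config.yaml hunks (L9, L18).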
@@ -2,4 +2,5 @@ module "servicenow" {
 source = "../../../modules/federated-credentials/servicenow_proxy"
 oidc_issuer_url = module.clusters.oidc_issuer_url
+ clientid = module.config.ar-radix-servicenow-proxy-client
 }
diff --git a/terraform/subscriptions/s941/dev/common/appregistration.tf b/terraform/subscriptions/s941/dev/common/appregistration.tf
new file mode 100644
index 000000000..a25846d4d
--- /dev/null
+++ b/terraform/subscriptions/s941/dev/common/appregistration.tf
@@ -0,0 +1,11 @@
+module "app_application_registration" {
+ source = "../../../modules/app_application_registration"
+ for_each = var.appregistrations
+ displayname = each.value.display_name
+ internal_notes = each.value.notes
+ service_management_reference = each.value.service_management_reference
+ radixowners = keys(nonsensitive(jsondecode(data.azurerm_key_vault_secret.radixowners.value)))
+ permissions = each.value.permissions
+ implicit_id_token_issuance_enabled = each.value.implicit_id_token_issuance_enabled
+ app_role_assignment_required = each.value.app_role_assignment_required
+}
diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf
index 5d51879cc..0cf463514 100644
--- a/terraform/subscriptions/s941/dev/common/main.tf
+++ b/terraform/subscriptions/s941/dev/common/main.tf
@@ -81,7 +81,7 @@ module "acr" {
 vnet_resource_group = module.config.vnet_resource_group
 subnet_id = data.azurerm_subnet.this.id
 dockercredentials_id = "/subscriptions/${module.config.subscription}/resourceGroups/${module.config.common_resource_group}/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}cache/credentialSets/radix-service-account-docker"
- radix_cr_cicd = module.radix-cr-cicd.azuread_service_principal_id
+ radix_cr_cicd = replace(replace(module.app_application_registration.cr_cicd.azuread_service_principal_id, "/servicePrincipals/", ""), "/", "")
 }
 module "radix-id-acr-workflows" {
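Review bot: `keys(nonsensitive(jsondecode(data.azurerm_key_vault_secret.radixowners.value)))` in appregistration.tf declassifies the entire decoded secret, not just the keys that are consumed, so every value stored in that secret becomes eligible to appear in plan output, CI logs and state diffs. That is only acceptable if the secret holds nothing beyond the owner object IDs used as keys, which this diff cannot show; a comment stating the assumption would make it reviewable, e.g. `# radixowners secret is a map keyed by owner object ID and holds no other secret material; nonsensitive() is required because for_each keys cannot be sensitive`. The same expression appears in the playground appregistration.tf (L15).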
@@ -223,16 +223,12 @@ module "radix_id_gitrunner" {
 }
 }
-module "radix-cr-cicd" {
- source = "../../../modules/app_registration"
- display_name = "radix-cr-cicd-${module.config.environment}"
- service_id = "110327"
- owners = keys(jsondecode(data.azurerm_key_vault_secret.radixowners.value))
- expose_API = true
- implicit_grant = {
- access_token_issuance_enabled = false
- id_token_issuance_enabled = true
- }
+module "rediscache" {
+ source = "../../../modules/redis_cache"
+ name = "radix-${module.config.environment}"
+ rg_name = module.config.cluster_resource_group
+ vnet_resource_group = module.config.vnet_resource_group
+ sku_name = "Basic"
 }
 output "workspace_id" {
diff --git a/terraform/subscriptions/s941/dev/common/variables.tf b/terraform/subscriptions/s941/dev/common/variables.tf
index f27f0276c..da713ecb1 100644
--- a/terraform/subscriptions/s941/dev/common/variables.tf
+++ b/terraform/subscriptions/s941/dev/common/variables.tf
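Review bot: Dropping `module "radix-cr-cicd"` (an `azuread_application` from the app_registration module) while its replacement is created as a fresh `azuread_application_registration` under `module.app_application_registration["cr_cicd"]` (L6) is a destroy-and-recreate of the app registration and its service principal unless the existing objects are imported, and no `import` block or import step is part of the diff. A recreated registration gets new client and object IDs, so anything that already trusts the old `radix-cr-cicd-dev` identity (the ACR credential set fed by `radix_cr_cicd` above, and any consumer holding the old client ID) would stop working until re-pointed; please confirm the plan shows no replacement or add `import` blocks for the existing application and service principal. The old module also set `expose_API = true`, and the new module has no equivalent, so if the image builder depended on the exposed API that is lost too. The playground hunk at L16 has the same change.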
@@ -26,6 +26,74 @@ variable "storageaccounts" {
 }
 }
+variable "appregistrations" {
+ description = "App registrations"
+ type = map(object({
+ display_name = string
+ service_management_reference = string
+ notes = string
+ implicit_id_token_issuance_enabled = optional(bool, false)
+ app_role_assignment_required = optional(bool, false)
+ permissions = optional(map(object({
+ id = string
+ scope_ids = list(string)
+ })))
+ }))
+ default = {
+ webconsole = {
+ display_name = "Omnia Radix Web Console - Development"
+ service_management_reference = "110327"
+ notes = "Omnia Radix Web Console - Development"
+ app_role_assignment_required = true
+ permissions = {
+ msgraph = {
+ id = "00000003-0000-0000-c000-000000000000" # msgraph
+ scope_ids = [
+ "c79f8feb-a9db-4090-85f9-90d820caa0eb", # Application.Read.All
+ "bc024368-1153-4739-b217-4326f2e966d0", # GroupMember.Read.All
+ "e1fe6dd8-ba31-4d61-89e7-88639da4683d", # User.Read
+ "7427e0e9-2fba-42fe-b0c0-848c9e6a8182", # offline_access
+ "37f7f235-527c-4136-accd-4a02d197296e", # openid
+ "14dad69e-099b-42c9-810b-d002981feec1" # profile
+ ]
+ }
+ servicenow_proxy_server = {
+ id = "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786" # ar-radix-servicenow-proxy-server
+ scope_ids = [
+ "4781537a-ed53-49fd-876b-32c274831456" # Application.Read
+ ]
+ }
+ kubernetes_aad_server = {
+ id = "6dae42f8-4368-4678-94ff-3960e28e3630" # Azure Kubernetes Service AAD Server
+ scope_ids = [
+ "34a47c2f-cd0d-47b4-a93c-2c41130c671c" # user.read
+ ]
+ }
+ }
+ }
+ grafana = {
+ display_name = "radix-ar-grafana-dev"
+ service_management_reference = "110327"
+ notes = "Grafana Oauth, main app for user authentication to Grafana"
+ permissions = {
+ msgraph = {
+ id = "00000003-0000-0000-c000-000000000000" # msgraph
+ scope_ids = [
+ "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
+ ]
+ }
+ }
+ }
+ cr_cicd = {
+ display_name = "radix-cr-cicd-dev"
+ service_management_reference = "110327"
+ notes = "Used by radix-image-builder"
+ implicit_id_token_issuance_enabled = true
+ permissions = {}
+ }
+ }
+}
+
 variable "enviroment_temporary" {
 type = string
 default = "development"
@@ -35,5 +103,3 @@ variable "resource_groups_common_temporary" {
 type = string
 default = "common"
 }
-
-
diff --git a/terraform/subscriptions/s941/dev/config.yaml b/terraform/subscriptions/s941/dev/config.yaml
index 6bf7c62e7..52d5e3602 100644
--- a/terraform/subscriptions/s941/dev/config.yaml
+++ b/terraform/subscriptions/s941/dev/config.yaml
@@ -3,6 +3,9 @@ subscription_shortname: "s941"
 location: "northeurope"
 all_ip_prefix_enviroments: ["development","playground"]
 developers: ["bed2b667-ceec-4377-83f7-46888ed23887","a5dfa635-dc00-4a28-9ad9-9e7f1e56919d"]
+appreg:
+ grafana: "762b8580-c42f-4a6b-ba6d-c246925f2739"
+ web: "eb9a6a59-d542-4e6d-b3f6-d5955d1b919a"
 backend:
 resource_group_name: "s941-tfstate"
 storage_account_name: "s941radixinfra"
@@ -29,9 +32,9 @@ clusters:
 aksversion: "1.29.8"
 networkset: "networkset2"
 network_policy: "cilium"
- autostartupschedule: true
- weekly-02:
+ # autostartupschedule: true
+ weekly-04:
 aksversion: "1.29.8"
 networkset: "networkset1"
 network_policy: "cilium"
- # autostartupschedule: true
+ autostartupschedule: true
diff --git a/terraform/subscriptions/s941/dev/post-clusters/backend.tf b/terraform/subscriptions/s941/dev/post-clusters/backend.tf
index 80d98a64d..2734e81b4 100644
--- a/terraform/subscriptions/s941/dev/post-clusters/backend.tf
+++ b/terraform/subscriptions/s941/dev/post-clusters/backend.tf
@@ -34,9 +34,3 @@ module "clusters" {
 resource_group_name = module.config.cluster_resource_group
 subscription = module.config.subscription
 }
-
-data "azurerm_key_vault_secret" "radixowners" {
- name = "radixowners"
- key_vault_id = module.config.backend.ip_key_vault_id
-}
-
diff --git a/terraform/subscriptions/s941/dev/post-clusters/grafana.tf b/terraform/subscriptions/s941/dev/post-clusters/grafana.tf
index 78eb316f7..92981f00d 100644
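Review bot: `permissions = optional(map(object({ ... })))` has no default, so an `appregistrations` entry that omits `permissions` hands `null` to the module, where `for_each = var.permissions` fails at plan time; the module's own `default = {}` does not replace an explicit null unless that variable also sets `nullable = false`. Every entry in the default map here sets `permissions` (cr_cicd uses `permissions = {}`), so the problem is latent, but `permissions = optional(map(object({ id = string, scope_ids = list(string) })), {})` closes it for the next entry someone adds. The `webconsole` entry requests the delegated `Application.Read.All` and `GroupMember.Read.All` Graph scopes; a one-line comment on why the console needs directory-wide read would help whoever reviews the admin consent. The playground variables.tf (L17) has the identical type and should get the same fix.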
--- a/terraform/subscriptions/s941/dev/post-clusters/grafana.tf
+++ b/terraform/subscriptions/s941/dev/post-clusters/grafana.tf
@@ -1,17 +1,6 @@
-locals {
- grafana_uris = [
- for k, v in module.clusters.oidc_issuer_url :
- "https://grafana.${k}.${module.config.environment}.radix.equinor.com/login/generic_oauth"
- ]
-}
-
-module "grafana" {
- source = "../../../modules/app_registration"
- display_name = "radix-ar-grafana-${module.config.environment}"
- notes = "Grafana Oauth, main app for user authentication to Grafana"
- service_id = "110327"
- web_uris = concat(["https://grafana.${module.config.environment}.radix.equinor.com/login/generic_oauth"], local.grafana_uris)
- owners = keys(jsondecode(data.azurerm_key_vault_secret.radixowners.value))
-}
-
-
+module "grafana_redirect_uris" {
+ source = "../../../modules/app_registration_redirect_uris"
+ application_id = "/applications/${module.config.appreg.grafana}"
+ type = "Web"
+ redirect_uris = concat(["https://grafana.${module.config.environment}.radix.equinor.com/login/generic_oauth"], local.grafana_uris)
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/s941/dev/post-clusters/main.tf b/terraform/subscriptions/s941/dev/post-clusters/main.tf
new file mode 100644
index 000000000..7d31e4062
--- /dev/null
+++ b/terraform/subscriptions/s941/dev/post-clusters/main.tf
@@ -0,0 +1,44 @@
+locals {
+ grafana_uris = [
+ for k, v in module.clusters.oidc_issuer_url :
+ "https://grafana.${k}.${module.config.environment}.radix.equinor.com/login/generic_oauth"
+ ]
+
+ environment = "qa"
+
+ web-uris = distinct(flatten(
+ [for k, v in module.clusters.oidc_issuer_url : [
+ "http://localhost:8000/oauth2/callback",
+
+ "https://console.radix.equinor.com/oauth2/callback",
+ "https://console.${module.config.environment}.radix.equinor.com/oauth2/callback",
+ "https://console.${k}.${module.config.environment}.radix.equinor.com/oauth2/callback",
+
+ "https://web-radix-web-console-qa.${k}.${module.config.environment}.radix.equinor.com/oauth2/callback",
+ "https://web-radix-web-console-qa.${module.config.environment}.radix.equinor.com/oauth2/callback",
+ "https://web-radix-web-console-qa.radix.equinor.com/oauth2/callback",
+
+ "https://web-radix-web-console-prod.${k}.${module.config.environment}.radix.equinor.com/oauth2/callback",
+ "https://web-radix-web-console-prod.${module.config.environment}.radix.equinor.com/oauth2/callback",
+ "https://web-radix-web-console-prod.radix.equinor.com/oauth2/callback",
+ ]]
+ ))
+
+ singlepage-uris = distinct(flatten(
+ [for k, v in module.clusters.oidc_issuer_url : [
+ "http://localhost:8080/applications",
+ "https://web-radix-web-console-prod.${k}.${module.config.environment}.radix.equinor.com/applications",
+ "https://web-radix-web-console-prod.${module.config.environment}.radix.equinor.com/applications",
+
+ "https://web-radix-web-console-qa.${k}.${module.config.environment}.radix.equinor.com/applications",
+ "https://web-radix-web-console-qa.${module.config.environment}.radix.equinor.com/applications",
+
+ "https://console.radix.equinor.com/applications",
+ "https://console.${k}.${module.config.environment}.radix.equinor.com/applications",
+ "https://console.${module.config.environment}.radix.equinor.com/applications",
+ ]]
+ ))
+}
+
+
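Review bot: The SPA localhost entry moved into this file reads `"http://localhost:8080/applications"`, whereas the line it replaces in the old web-console.tf (L13) was `"http://localhost:8000/applications"` and the Web callback in the same block still uses port 8000, so a port change has been folded into what is otherwise a pure relocation of the locals. Please confirm it is intended and, if so, make it visible with `# SPA dev server listens on 8080; the OAuth callback stays on 8000`; if not, restore 8000. `environment = "qa"` is declared but referenced by no file in this diff, and its name shadows the `module.config.environment` the same block uses, which invites the wrong one being picked up later. The byte-identical file is added for playground at L20.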
diff --git a/terraform/subscriptions/s941/dev/post-clusters/servicenow-api.tf b/terraform/subscriptions/s941/dev/post-clusters/servicenow-api.tf
index b3f228340..08668e17a 100644
--- a/terraform/subscriptions/s941/dev/post-clusters/servicenow-api.tf
+++ b/terraform/subscriptions/s941/dev/post-clusters/servicenow-api.tf
@@ -1,6 +1,5 @@
-### ServiceNow Proxy Federated Identity credentials
 module "servicenow" {
 source = "../../../modules/federated-credentials/servicenow_proxy"
 oidc_issuer_url = module.clusters.oidc_issuer_url
 clientid = module.config.ar-radix-servicenow-proxy-client
-}
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/s941/dev/post-clusters/web-console.tf b/terraform/subscriptions/s941/dev/post-clusters/web-console.tf
index d3d28e270..65354270f 100644
--- a/terraform/subscriptions/s941/dev/post-clusters/web-console.tf
+++ b/terraform/subscriptions/s941/dev/post-clusters/web-console.tf
@@ -1,90 +1,13 @@
-locals {
- environment = "qa"
-
- web-uris = distinct(flatten(
- [for k, v in module.clusters.oidc_issuer_url : [
- "http://localhost:8000/oauth2/callback",
-
- "https://console.radix.equinor.com/oauth2/callback",
- "https://console.${module.config.environment}.radix.equinor.com/oauth2/callback",
- "https://console.${k}.${module.config.environment}.radix.equinor.com/oauth2/callback",
-
- "https://web-radix-web-console-qa.${k}.${module.config.environment}.radix.equinor.com/oauth2/callback",
- "https://web-radix-web-console-qa.${module.config.environment}.radix.equinor.com/oauth2/callback",
- "https://web-radix-web-console-qa.radix.equinor.com/oauth2/callback",
-
- "https://web-radix-web-console-prod.${k}.${module.config.environment}.radix.equinor.com/oauth2/callback",
- "https://web-radix-web-console-prod.${module.config.environment}.radix.equinor.com/oauth2/callback",
- "https://web-radix-web-console-prod.radix.equinor.com/oauth2/callback",
- ]]
- ))
-
- singlepage-uris = distinct(flatten(
- [for k, v in module.clusters.oidc_issuer_url : [
- "http://localhost:8000/applications",
- "https://web-radix-web-console-prod.${k}.${module.config.environment}.radix.equinor.com/applications",
- "https://web-radix-web-console-prod.${module.config.environment}.radix.equinor.com/applications",
-
- "https://web-radix-web-console-qa.${k}.${module.config.environment}.radix.equinor.com/applications",
- "https://web-radix-web-console-qa.${module.config.environment}.radix.equinor.com/applications",
-
- "https://console.radix.equinor.com/applications",
- "https://console.${k}.${module.config.environment}.radix.equinor.com/applications",
- "https://console.${module.config.environment}.radix.equinor.com/applications",
- ]]
- ))
-}
-
-data "azuread_application_published_app_ids" "well_known" {}
-data "azuread_service_principal" "servicenow" {
- display_name = "ar-radix-servicenow-proxy-server"
-}
-data "azuread_service_principal" "msgraph" {
- client_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
-}
-data "azuread_service_principal" "kubernetes" {
- client_id = data.azuread_application_published_app_ids.well_known.result["AzureKubernetesServiceAadServer"]
-}
-module "webconsole" {
- source = "../../../modules/app_registration"
- display_name = "Omnia Radix Web Console - Development"
- notes = "Omnia Radix Web Console - Development"
- service_id = "110327"
- web_uris = local.web-uris
- singlepage_uris = local.singlepage-uris
- owners = keys(jsondecode(data.azurerm_key_vault_secret.radixowners.value))
- assignment_required = true
-
- resource_access = {
- servicenow = {
- app_id = data.azuread_service_principal.servicenow.client_id
- scope_ids = [
- data.azuread_service_principal.servicenow.oauth2_permission_scope_ids["Application.Read"]
- ]
- }
- kubernetes = {
- app_id = data.azuread_application_published_app_ids.well_known.result["AzureKubernetesServiceAadServer"]
- scope_ids = [
- data.azuread_service_principal.kubernetes.oauth2_permission_scope_ids["user.read"],
- ]
- }
- msgraph = {
- app_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
- scope_ids = [
- data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["Application.Read.All"],
- data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["GroupMember.Read.All"],
- data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"],
- data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["offline_access"],
- data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"],
- data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["profile"],
- ]
- }
- }
-}
-module "rediscache" {
- source = "../../../modules/redis_cache"
- name = "radix-${module.config.environment}"
- rg_name = module.config.cluster_resource_group
- vnet_resource_group = module.config.vnet_resource_group
- sku_name = "Basic"
+module "webconsole_redirect_uris" {
+ source = "../../../modules/app_registration_redirect_uris"
+ application_id = "/applications/${module.config.appreg.web}"
+ type = "Web"
+ redirect_uris = local.web-uris
+}
+
+module "webconsole_spa" {
+ source = "../../../modules/app_registration_redirect_uris"
+ application_id = "/applications/${module.config.appreg.web}"
+ type = "SPA"
+ redirect_uris = local.singlepage-uris
 }
diff --git a/terraform/subscriptions/s941/playground/common/appregistration.tf b/terraform/subscriptions/s941/playground/common/appregistration.tf
new file mode 100644
index 000000000..a25846d4d
--- /dev/null
+++ b/terraform/subscriptions/s941/playground/common/appregistration.tf
@@ -0,0 +1,11 @@
+module "app_application_registration" {
+ source = "../../../modules/app_application_registration"
+ for_each = var.appregistrations
+ displayname = each.value.display_name
+ internal_notes = each.value.notes
+ service_management_reference = each.value.service_management_reference
+ radixowners = keys(nonsensitive(jsondecode(data.azurerm_key_vault_secret.radixowners.value)))
+ permissions = each.value.permissions
+ implicit_id_token_issuance_enabled = each.value.implicit_id_token_issuance_enabled
+ app_role_assignment_required = each.value.app_role_assignment_required
+}
diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf
index 7f4773ea0..06cd0ac03 100644
--- a/terraform/subscriptions/s941/playground/common/main.tf
+++ b/terraform/subscriptions/s941/playground/common/main.tf
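Review bot: The two new modules attach redirect URIs to `/applications/${module.config.appreg.web}`, a GUID typed into config.yaml, while the registration itself is now created by `module.app_application_registration["webconsole"]` in the common stack (L6, L8); nothing links the two, so if common ever recreates the registration these modules keep writing callbacks onto a stale or deleted application and the failure is silent until login breaks. Prefer reading the application object ID from the common stack (a remote-state output, or a config value populated from it) over a literal, or at minimum add `# must equal the object ID of azuread_application_registration.this for the "webconsole" entry in common` next to the value in config.yaml. The previous version resolved every scope ID by name through `azuread_application_published_app_ids` and `azuread_service_principal` data sources at plan time; the hard-coded GUIDs that replace them in variables.tf at least carry name comments, but they should be re-verified against the tenant before apply. The playground web-console.tf at L21 is cut off, so the same check applies there.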
@@ -76,7 +76,7 @@ module "acr" {
 vnet_resource_group = module.config.vnet_resource_group
 subnet_id = data.azurerm_subnet.this.id
 dockercredentials_id = "/subscriptions/${module.config.subscription}/resourceGroups/${module.config.common_resource_group}/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}cache/credentialSets/radix-service-account-docker"
- radix_cr_cicd = module.radix-cr-cicd.azuread_service_principal_id
+ radix_cr_cicd = replace(replace(module.app_application_registration.cr_cicd.azuread_service_principal_id, "/servicePrincipals/", ""), "/", "")
 }
 module "radix-id-acr-workflows" {
@@ -214,16 +214,12 @@ module "radix_id_gitrunner" {
 }
 }
-module "radix-cr-cicd" {
- source = "../../../modules/app_registration"
- display_name = "radix-cr-cicd-${module.config.environment}"
- service_id = "110327"
- owners = keys(jsondecode(data.azurerm_key_vault_secret.radixowners.value))
- expose_API = true
- implicit_grant = {
- access_token_issuance_enabled = false
- id_token_issuance_enabled = true
- }
+module "rediscache" {
+ source = "../../../modules/redis_cache"
+ name = "radix-${module.config.environment}"
+ rg_name = module.config.cluster_resource_group
+ vnet_resource_group = module.config.vnet_resource_group
+ sku_name = "Standard"
 }
 output "workspace_id" {
diff --git a/terraform/subscriptions/s941/playground/common/variables.tf b/terraform/subscriptions/s941/playground/common/variables.tf
index 6e55eb419..930bd261b 100644
--- a/terraform/subscriptions/s941/playground/common/variables.tf
+++ b/terraform/subscriptions/s941/playground/common/variables.tf
@@ -27,6 +27,74 @@ variable "storageaccounts" {
 }
 }
+variable "appregistrations" {
+ description = "App registrations"
+ type = map(object({
+ display_name = string
+ service_management_reference = string
+ notes = string
+ implicit_id_token_issuance_enabled = optional(bool, false)
+ app_role_assignment_required = optional(bool, false)
+ permissions = optional(map(object({
+ id = string
+ scope_ids = list(string)
+ })))
+ }))
+ default = {
+ webconsole = {
+ display_name = "Omnia Radix Web Console - Playground"
+ service_management_reference = "110327"
+ notes = "Omnia Radix Web Console - Playground Clusters"
+ app_role_assignment_required = true
+ permissions = {
+ msgraph = {
+ id = "00000003-0000-0000-c000-000000000000" # msgraph
+ scope_ids = [
+ "c79f8feb-a9db-4090-85f9-90d820caa0eb", # Application.Read.All
+ "bc024368-1153-4739-b217-4326f2e966d0", # GroupMember.Read.All
+ "e1fe6dd8-ba31-4d61-89e7-88639da4683d", # User.Read
+ "7427e0e9-2fba-42fe-b0c0-848c9e6a8182", # offline_access
+ "37f7f235-527c-4136-accd-4a02d197296e", # openid
+ "14dad69e-099b-42c9-810b-d002981feec1" # profile
+ ]
+ }
+ servicenow_proxy_server = {
+ id = "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786" # ar-radix-servicenow-proxy-server
+ scope_ids = [
+ "4781537a-ed53-49fd-876b-32c274831456" # Application.Read
+ ]
+ }
+ kubernetes_aad_server = {
+ id = "6dae42f8-4368-4678-94ff-3960e28e3630" # Azure Kubernetes Service AAD Server
+ scope_ids = [
+ "34a47c2f-cd0d-47b4-a93c-2c41130c671c" # user.read
+ ]
+ }
+ }
+ }
+ grafana = {
+ display_name = "radix-ar-grafana-playground"
+ service_management_reference = "110327"
+ notes = "Grafana Oauth, main app for user authentication to Grafana"
+ permissions = {
+ msgraph = {
+ id = "00000003-0000-0000-c000-000000000000" # msgraph
+ scope_ids = [
+ "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
+ ]
+ }
+ }
+ }
+ cr_cicd = {
+ display_name = "radix-cr-cicd-playground"
+ service_management_reference = "110327"
+ notes = "Used by radix-image-builder"
+ implicit_id_token_issuance_enabled = true
+ permissions = {}
+ }
+ }
+}
+
 variable "resource_groups_common_temporary" {
 type = string
 default = "common"
diff --git a/terraform/subscriptions/s941/playground/config.yaml b/terraform/subscriptions/s941/playground/config.yaml
index 9d2b7f3b6..e33b74b66 100644
--- a/terraform/subscriptions/s941/playground/config.yaml
+++ b/terraform/subscriptions/s941/playground/config.yaml
@@ -2,6 +2,9 @@ environment: "playground"
 subscription_shortname: "s941"
 location: "northeurope"
 developers: ["bed2b667-ceec-4377-83f7-46888ed23887","a5dfa635-dc00-4a28-9ad9-9e7f1e56919d"]
+appreg:
+ grafana: "a8f5d777-90fb-4273-8a54-ab890dae9e7b"
+ web: "f9de8756-88e6-4e19-995e-c4bcf57ffbc9"
 backend:
 resource_group_name: "s941-tfstate"
 storage_account_name: "s941radixinfra"
diff --git a/terraform/subscriptions/s941/playground/post-clusters/backend.tf b/terraform/subscriptions/s941/playground/post-clusters/backend.tf
index b71324706..3abfb3c58 100644
--- a/terraform/subscriptions/s941/playground/post-clusters/backend.tf
+++ b/terraform/subscriptions/s941/playground/post-clusters/backend.tf
@@ -35,7 +35,7 @@ module "clusters" {
 subscription = module.config.subscription
 }
-data "azurerm_key_vault_secret" "radixowners" {
- name = "radixowners"
- key_vault_id = module.config.backend.ip_key_vault_id
-}
+# data "azurerm_key_vault_secret" "radixowners" {
+# name = "radixowners"
+# key_vault_id = module.config.backend.ip_key_vault_id
+# }
diff --git a/terraform/subscriptions/s941/playground/post-clusters/grafana.tf b/terraform/subscriptions/s941/playground/post-clusters/grafana.tf
index 88618cc4f..5541793cc 100644
--- a/terraform/subscriptions/s941/playground/post-clusters/grafana.tf
+++ b/terraform/subscriptions/s941/playground/post-clusters/grafana.tf
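Review bot: In playground post-clusters/backend.tf the `radixowners` key vault data source is commented out rather than removed, whereas the dev counterpart (L9) deletes it outright; commented-out resources accumulate and leave the reader unsure whether something in this stack still needs the secret. Delete the four `# data ...` lines as dev does, and if the intent is to keep a pointer for later, a single `# radixowners is now read in common/appregistration.tf` says more than the dead block. `module "clusters"` begins outside the hunk.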
@@ -1,16 +1,6 @@
-locals {
- grafana_uris = [
- for k, v in module.clusters.oidc_issuer_url :
- "https://grafana.${k}.${module.config.environment}.radix.equinor.com/login/generic_oauth"
- ]
+module "grafana_redirect_uris" {
+ source = "../../../modules/app_registration_redirect_uris"
+ application_id = "/applications/${module.config.appreg.grafana}"
+ type = "Web"
+ redirect_uris = concat(["https://grafana.${module.config.environment}.radix.equinor.com/login/generic_oauth"], local.grafana_uris)
 }
-
-module "grafana" {
- source = "../../../modules/app_registration"
- display_name = "radix-ar-grafana-${module.config.environment}"
- notes = "Grafana Oauth, main app for user authentication to Grafana"
- service_id = "110327"
- web_uris = concat(["https://grafana.${module.config.environment}.radix.equinor.com/login/generic_oauth"], local.grafana_uris)
- owners = keys(jsondecode(data.azurerm_key_vault_secret.radixowners.value))
-}
-
diff --git a/terraform/subscriptions/s941/playground/post-clusters/main.tf b/terraform/subscriptions/s941/playground/post-clusters/main.tf
new file mode 100644
index 000000000..7d31e4062
--- /dev/null
+++ b/terraform/subscriptions/s941/playground/post-clusters/main.tf
@@ -0,0 +1,44 @@
+locals {
+ grafana_uris = [
+ for k, v in module.clusters.oidc_issuer_url :
+ "https://grafana.${k}.${module.config.environment}.radix.equinor.com/login/generic_oauth"
+ ]
+
+ environment = "qa"
+
+ web-uris = distinct(flatten(
+ [for k, v in module.clusters.oidc_issuer_url : [
+ "http://localhost:8000/oauth2/callback",
+
+ "https://console.radix.equinor.com/oauth2/callback",
+ "https://console.${module.config.environment}.radix.equinor.com/oauth2/callback",
+ "https://console.${k}.${module.config.environment}.radix.equinor.com/oauth2/callback",
+
+ "https://web-radix-web-console-qa.${k}.${module.config.environment}.radix.equinor.com/oauth2/callback",
+ "https://web-radix-web-console-qa.${module.config.environment}.radix.equinor.com/oauth2/callback",
+ "https://web-radix-web-console-qa.radix.equinor.com/oauth2/callback",
+
+ "https://web-radix-web-console-prod.${k}.${module.config.environment}.radix.equinor.com/oauth2/callback",
+ "https://web-radix-web-console-prod.${module.config.environment}.radix.equinor.com/oauth2/callback",
+ "https://web-radix-web-console-prod.radix.equinor.com/oauth2/callback",
+ ]]
+ ))
+
+ singlepage-uris = distinct(flatten(
+ [for k, v in module.clusters.oidc_issuer_url : [
+ "http://localhost:8080/applications",
+ "https://web-radix-web-console-prod.${k}.${module.config.environment}.radix.equinor.com/applications",
+ "https://web-radix-web-console-prod.${module.config.environment}.radix.equinor.com/applications",
+
+ "https://web-radix-web-console-qa.${k}.${module.config.environment}.radix.equinor.com/applications",
+ "https://web-radix-web-console-qa.${module.config.environment}.radix.equinor.com/applications",
+
+ "https://console.radix.equinor.com/applications",
+ "https://console.${k}.${module.config.environment}.radix.equinor.com/applications",
+ "https://console.${module.config.environment}.radix.equinor.com/applications",
+ ]]
+ ))
+}
+
+
+
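Review bot: `environment = "qa"` in the new locals block is not referenced by any expression in this hunk, which all use `module.config.environment` instead; the removed web-console.tf defined the same local as `"prod"`, so if anything else in post-clusters reads `local.environment` this silently changes its value, and if nothing does the line should be dropped rather than carried into a new file. The names `web-uris` and `singlepage-uris` are valid HCL but go against the underscore convention used by every other identifier here (`grafana_uris`, `oidc_issuer_url`); `web_uris` / `singlepage_uris` would match. The plain-HTTP `http://localhost:8000/oauth2/callback` and `http://localhost:8080/applications` entries are registered next to the production console hostnames on the same registration; loopback redirect URIs are tolerated for local development, but a short comment stating why they must remain on this app in every environment would let a later reviewer judge whether they still belong there.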
diff --git a/terraform/subscriptions/s941/playground/post-clusters/web-console.tf b/terraform/subscriptions/s941/playground/post-clusters/web-console.tf
index b59d2af2d..fa8087ac6 100644
--- a/terraform/subscriptions/s941/playground/post-clusters/web-console.tf
+++ b/terraform/subscriptions/s941/playground/post-clusters/web-console.tf
@@ -1,90 +1,13 @@
-locals {
- environment = "prod"
- web-uris = distinct(flatten(
- [for k, v in module.clusters.oidc_issuer_url : [
- "http://localhost:8000/oauth2/callback",
-
- "https://console.radix.equinor.com/oauth2/callback",
- "https://console.${module.config.environment}.radix.equinor.com/oauth2/callback",
- "https://console.${k}.${module.config.environment}.radix.equinor.com/oauth2/callback",
-
- "https://web-radix-web-console-qa.${k}.${module.config.environment}.radix.equinor.com/oauth2/callback",
- "https://web-radix-web-console-qa.${module.config.environment}.radix.equinor.com/oauth2/callback",
- "https://web-radix-web-console-qa.radix.equinor.com/oauth2/callback",
-
- "https://web-radix-web-console-prod.${k}.${module.config.environment}.radix.equinor.com/oauth2/callback",
- "https://web-radix-web-console-prod.${module.config.environment}.radix.equinor.com/oauth2/callback",
- "https://web-radix-web-console-prod.radix.equinor.com/oauth2/callback",
- ]]
- ))
- singlepage-uris = distinct(flatten(
- [for k, v in module.clusters.oidc_issuer_url : [
- "http://localhost:8080/applications",
-
- "https://web-radix-web-console-prod.${k}.${module.config.environment}.radix.equinor.com/applications",
- "https://web-radix-web-console-prod.${module.config.environment}.radix.equinor.com/applications",
-
- "https://web-radix-web-console-qa.${k}.${module.config.environment}.radix.equinor.com/applications",
- "https://web-radix-web-console-qa.${module.config.environment}.radix.equinor.com/applications",
-
- "https://console.radix.equinor.com/applications",
- "https://console.${k}.${module.config.environment}.radix.equinor.com/applications",
- "https://console.${module.config.environment}.radix.equinor.com/applications",
- ]]
- ))
-}
-
-data "azuread_application_published_app_ids" "well_known" {}
-data "azuread_service_principal" "servicenow" {
- display_name = "ar-radix-servicenow-proxy-server"
-}
-data "azuread_service_principal" "msgraph" {
- client_id =
data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
-}
-data "azuread_service_principal" "kubernetes" {
- client_id = data.azuread_application_published_app_ids.well_known.result["AzureKubernetesServiceAadServer"]
-}
-module "webconsole" {
- source = "../../../modules/app_registration"
- display_name = "Omnia Radix Web Console - Playground"
- notes = "Omnia Radix Web Console - Playground"
- service_id = "110327"
- web_uris = local.web-uris
- singlepage_uris = local.singlepage-uris
- owners = keys(jsondecode(data.azurerm_key_vault_secret.radixowners.value))
- assignment_required = true
-
- resource_access = {
- servicenow = {
- app_id = data.azuread_service_principal.servicenow.client_id
- scope_ids = [
- data.azuread_service_principal.servicenow.oauth2_permission_scope_ids["Application.Read"]
- ]
- }
- kubernetes = {
- app_id = data.azuread_application_published_app_ids.well_known.result["AzureKubernetesServiceAadServer"]
- scope_ids = [
- data.azuread_service_principal.kubernetes.oauth2_permission_scope_ids["user.read"],
- ]
- }
- msgraph = {
- app_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
- scope_ids = [
- data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["Application.Read.All"],
- data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["GroupMember.Read.All"],
- data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"],
- data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["offline_access"],
- data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"],
- data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["profile"],
- ]
- }
- }
-}
-
-module "rediscache" {
- source = "../../../modules/redis_cache"
- name = "radix-${module.config.environment}"
- rg_name = module.config.cluster_resource_group
- vnet_resource_group = module.config.vnet_resource_group
- sku_name = "Standard"
-}
+module
"webconsole_redirect_uris" {
+ source = "../../../modules/app_registration_redirect_uris"
+ application_id = "/applications/${module.config.appreg.web}"
+ type = "Web"
+ redirect_uris = local.web-uris
+}
+
+module "webconsole_spa" {
+ source = "../../../modules/app_registration_redirect_uris"
+ application_id = "/applications/${module.config.appreg.web}"
+ type = "SPA"
+ redirect_uris = local.singlepage-uris
+}
\ No newline at end of file
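Review bot: The two replacement modules set only redirect URIs, so `assignment_required = true` and the `resource_access` block that the removed `module "webconsole"` declared (Graph `Application.Read.All`, `GroupMember.Read.All`, `User.Read`, `offline_access`, `openid`, `profile`, the Kubernetes `user.read` scope and the ServiceNow `Application.Read` scope) are no longer asserted anywhere in this file; user-assignment enforcement and the delegated permission set are the access boundary for the console, and a plan here will no longer detect drift in either, so the diff should state where they are now managed (the `appreg` IDs in config.yaml suggest the registration itself lives elsewhere). `module "rediscache"` is dropped in the same hunk, which, unless it is declared in another file of this directory, will plan the destruction of that cache on the next apply; if that is intended it deserves a line in the commit description, and if not the block needs to come back. Both `webconsole_redirect_uris` and `webconsole_spa` repeat `"/applications/${module.config.appreg.web}"`; a single `webconsole_application_id = "/applications/${module.config.appreg.web}"` local referenced by both would keep them in step.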