Refactor posttasks

.github/workflows/aksapply.yaml

@@ -77,6 +77,7 @@ jobs:
         run: |
           terraform -chdir="./terraform/subscriptions/${{ matrix.target.subscription }}/${{ matrix.target.name }}/pre-clusters" init
           terraform -chdir="./terraform/subscriptions/${{ matrix.target.subscription }}/${{ matrix.target.name }}/pre-clusters" apply -auto-approve
+          terraform -chdir="./terraform/subscriptions/${{ matrix.target.subscription }}/${{ matrix.target.name }}/pre-clusters" apply -auto-approve
       - name: Revoke GitHub IP on StorageAccount
         if: ${{ github.ref == 'refs/heads/master' && inputs.terraformapply }}
         run: |

terraform/subscriptions/modules/app_application_registration/main.tf

@@ -0,0 +1,31 @@
+resource "azuread_application_registration" "this" {
+  display_name                       = var.displayname
+  sign_in_audience                   = "AzureADMyOrg"
+  service_management_reference       = var.service_management_reference
+  notes                              = var.internal_notes
+  requested_access_token_version     = 1
+  implicit_id_token_issuance_enabled = var.implicit_id_token_issuance_enabled
+}
+
+resource "azuread_application_owner" "this" {
+  for_each        = toset(var.radixowners)
+  application_id  = azuread_application_registration.this.id
+  owner_object_id = each.value
+}
+
+resource "azuread_application_api_access" "this" {
+  for_each       = var.permissions
+  application_id = azuread_application_registration.this.id
+  api_client_id  = each.value.id
+  scope_ids      = each.value.scope_ids
+}
+
+resource "azuread_service_principal" "this" {
+  client_id                    = azuread_application_registration.this.client_id
+  app_role_assignment_required = var.app_role_assignment_required
+  owners                       = toset(var.radixowners)
+}
+
+output "azuread_service_principal_id" {
+  value = resource.azuread_service_principal.this.id
+}

terraform/subscriptions/modules/app_application_registration/variables.tf

@@ -0,0 +1,34 @@
+variable "displayname" {
+  type = string
+}
+
+variable "service_management_reference" {
+  type = string
+}
+
+variable "internal_notes" {
+  type = string
+}
+
+variable "radixowners" {
+  type = list(string)
+}
+
+variable "permissions" {
+  type = map(object({
+    id        = string
+    scope_ids = list(string)
+  }))
+  default = {}
+}
+
+variable "implicit_id_token_issuance_enabled" {
+  type    = bool
+  default = false
+}
+
+variable "app_role_assignment_required" {
+  type    = bool
+  default = false
+
+}

terraform/subscriptions/modules/app_registration/main.tf

@@ -5,7 +5,7 @@ resource "azuread_application" "this" {
   service_management_reference = var.service_id
 
   lifecycle {
-    ignore_changes = [required_resource_access, api, identifier_uris, web[0].homepage_url, notes]
+    ignore_changes = [single_page_application, web, identifier_uris, api, notes, required_resource_access]
   }
 
   api {
@@ -14,18 +14,6 @@ resource "azuread_application" "this" {
     requested_access_token_version = 1
   }
 
-  web {
-    redirect_uris = var.web_uris
-    implicit_grant {
-      access_token_issuance_enabled = var.implicit_grant.access_token_issuance_enabled
-      id_token_issuance_enabled     = var.implicit_grant.id_token_issuance_enabled
-    }
-
-  }
-  single_page_application {
-    redirect_uris = var.singlepage_uris
-  }
-
   dynamic "required_resource_access" {
     for_each = var.required_resource_access
     content {

terraform/subscriptions/modules/app_registration_redirect_uris/main.tf

@@ -0,0 +1,5 @@
+resource "azuread_application_redirect_uris" "this" {
+  application_id = var.application_id
+  type           = var.type
+  redirect_uris  = var.redirect_uris
+}

terraform/subscriptions/modules/app_registration_redirect_uris/variables.tf

@@ -0,0 +1,11 @@
+variable "application_id" {
+  type = string
+}
+
+variable "type" {
+  type = string
+}
+
+variable "redirect_uris" {
+  type = list(string)
+}

terraform/subscriptions/modules/config/main.tf

@@ -39,6 +39,10 @@ output "log_storageaccount_name" {
 output "backend" {
   value = local.config.backend
 }
+
+output "appreg" {
+  value = local.config.appreg
+}
 output "subscription" {
   value = local.config.backend.subscription_id
 }

terraform/subscriptions/modules/key-vault/main.tf

@@ -1,6 +1,6 @@
-data "azuread_group" "this" {
-  display_name     = "Radix Platform Operators"
-  security_enabled = true
+data "azuread_group" "this" {	
+  display_name     = "Radix Platform Operators"	
+  security_enabled = true	
 }
 
 data "azurerm_role_definition" "this" {

terraform/subscriptions/modules/storageaccount/main.tf

@@ -63,14 +63,9 @@ resource "azurerm_monitor_diagnostic_setting" "blob" {
   log_analytics_workspace_id = var.log_analytics_id
 
   metric {
-    category = "Capacity"
-    enabled  = false
+    category = "AllMetrics"
   }
 
-  metric {
-    category = "Transaction"
-    enabled  = false
-  }
 }
 
 ########################################################################################

terraform/subscriptions/s940/c2/config.yaml

@@ -2,6 +2,9 @@ environment: "c2"
 subscription_shortname: "s940"
 location: "westeurope"
 developers: ["be5526de-1b7d-4389-b1ab-a36a99ef5cc5"] # Radix Platform Operators
+appreg:
+  grafana:  "24e39d19-c4c3-4ed5-b7ff-965433ebb466"
+  web:      "f8066a06-d033-428f-b5a0-d7ba714f796d"
 backend:
   resource_group_name: "s940-tfstate"
   storage_account_name: "s940radixinfra"

terraform/subscriptions/s940/c2/post-clusters/servicenow-api.tf

@@ -2,4 +2,5 @@
 module "servicenow" {
   source          = "../../../modules/federated-credentials/servicenow_proxy"
   oidc_issuer_url = module.clusters.oidc_issuer_url
+  clientid        = module.config.ar-radix-servicenow-proxy-client
 }

terraform/subscriptions/s940/prod/config.yaml

@@ -2,6 +2,9 @@ environment: "platform"
 subscription_shortname: "s940"
 location: "northeurope"
 developers: ["be5526de-1b7d-4389-b1ab-a36a99ef5cc5"] # Radix Platform Operators
+appreg:
+  grafana:  "14c54d0b-21d0-4de1-a3af-82a413aca29a"
+  web:      "02c5c437-4f66-4e81-bd8d-95180005f3fc"
 backend:
   resource_group_name: "s940-tfstate"
   storage_account_name: "s940radixinfra"

terraform/subscriptions/s940/prod/post-clusters/servicenow-api.tf

@@ -2,4 +2,5 @@
 module "servicenow" {
   source          = "../../../modules/federated-credentials/servicenow_proxy"
   oidc_issuer_url = module.clusters.oidc_issuer_url
+  clientid        = module.config.ar-radix-servicenow-proxy-client
 }

terraform/subscriptions/s941/dev/common/appregistration.tf

@@ -0,0 +1,11 @@
+module "app_application_registration" {
+  source                             = "../../../modules/app_application_registration"
+  for_each                           = var.appregistrations
+  displayname                        = each.value.display_name
+  internal_notes                     = each.value.notes
+  service_management_reference       = each.value.service_management_reference
+  radixowners                        = keys(nonsensitive(jsondecode(data.azurerm_key_vault_secret.radixowners.value)))
+  permissions                        = each.value.permissions
+  implicit_id_token_issuance_enabled = each.value.implicit_id_token_issuance_enabled
+  app_role_assignment_required       = each.value.app_role_assignment_required
+}

terraform/subscriptions/s941/dev/common/main.tf

@@ -81,7 +81,7 @@ module "acr" {
   vnet_resource_group  = module.config.vnet_resource_group
   subnet_id            = data.azurerm_subnet.this.id
   dockercredentials_id = "/subscriptions/${module.config.subscription}/resourceGroups/${module.config.common_resource_group}/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}cache/credentialSets/radix-service-account-docker"
-  radix_cr_cicd        = module.radix-cr-cicd.azuread_service_principal_id
+  radix_cr_cicd        = replace(replace(module.app_application_registration.cr_cicd.azuread_service_principal_id, "/servicePrincipals/", ""), "/", "")
 }
 
 module "radix-id-acr-workflows" {
@@ -223,16 +223,12 @@ module "radix_id_gitrunner" {
   }
 }
 
-module "radix-cr-cicd" {
-  source       = "../../../modules/app_registration"
-  display_name = "radix-cr-cicd-${module.config.environment}"
-  service_id   = "110327"
-  owners       = keys(jsondecode(data.azurerm_key_vault_secret.radixowners.value))
-  expose_API   = true
-  implicit_grant = {
-    access_token_issuance_enabled = false
-    id_token_issuance_enabled     = true
-  }
+module "rediscache" {
+  source              = "../../../modules/redis_cache"
+  name                = "radix-${module.config.environment}"
+  rg_name             = module.config.cluster_resource_group
+  vnet_resource_group = module.config.vnet_resource_group
+  sku_name            = "Basic"
 }
 
 output "workspace_id" {

terraform/subscriptions/s941/dev/common/variables.tf

@@ -26,6 +26,74 @@ variable "storageaccounts" {
   }
 }
 
+variable "appregistrations" {
+  description = "App registrations"
+  type = map(object({
+    display_name                       = string
+    service_management_reference       = string
+    notes                              = string
+    implicit_id_token_issuance_enabled = optional(bool, false)
+    app_role_assignment_required       = optional(bool, false)
+    permissions = optional(map(object({
+      id        = string
+      scope_ids = list(string)
+    })))
+  }))
+  default = {
+    webconsole = {
+      display_name                 = "Omnia Radix Web Console - Development"
+      service_management_reference = "110327"
+      notes                        = "Omnia Radix Web Console - Development"
+      app_role_assignment_required = true
+      permissions = {
+        msgraph = {
+          id = "00000003-0000-0000-c000-000000000000" # msgraph
+          scope_ids = [
+            "c79f8feb-a9db-4090-85f9-90d820caa0eb", # Application.Read.All
+            "bc024368-1153-4739-b217-4326f2e966d0", # GroupMember.Read.All
+            "e1fe6dd8-ba31-4d61-89e7-88639da4683d", # User.Read
+            "7427e0e9-2fba-42fe-b0c0-848c9e6a8182", # offline_access
+            "37f7f235-527c-4136-accd-4a02d197296e", # openid
+            "14dad69e-099b-42c9-810b-d002981feec1"  # profile
+          ]
+        }
+        servicenow_proxy_server = {
+          id = "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786" # ar-radix-servicenow-proxy-server
+          scope_ids = [
+            "4781537a-ed53-49fd-876b-32c274831456" # Application.Read
+          ]
+        }
+        kubernetes_aad_server = {
+          id = "6dae42f8-4368-4678-94ff-3960e28e3630" # Azure Kubernetes Service AAD Server
+          scope_ids = [
+            "34a47c2f-cd0d-47b4-a93c-2c41130c671c" # user.read
+          ]
+        }
+      }
+    }
+    grafana = {
+      display_name                 = "radix-ar-grafana-dev"
+      service_management_reference = "110327"
+      notes                        = "Grafana Oauth, main app for user authentication to Grafana"
+      permissions = {
+        msgraph = {
+          id = "00000003-0000-0000-c000-000000000000" # msgraph
+          scope_ids = [
+            "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
+          ]
+        }
+      }
+    }
+    cr_cicd = {
+      display_name                       = "radix-cr-cicd-dev"
+      service_management_reference       = "110327"
+      notes                              = "Used by radix-image-builder"
+      implicit_id_token_issuance_enabled = true
+      permissions                        = {}
+    }
+  }
+}
+
 variable "enviroment_temporary" {
   type    = string
   default = "development"
@@ -35,5 +103,3 @@ variable "resource_groups_common_temporary" {
   type    = string
   default = "common"
 }
-
-

terraform/subscriptions/s941/dev/config.yaml

@@ -3,6 +3,9 @@ subscription_shortname: "s941"
 location: "northeurope"
 all_ip_prefix_enviroments: ["development","playground"]
 developers: ["bed2b667-ceec-4377-83f7-46888ed23887","a5dfa635-dc00-4a28-9ad9-9e7f1e56919d"]
+appreg:
+  grafana:  "762b8580-c42f-4a6b-ba6d-c246925f2739"
+  web:      "eb9a6a59-d542-4e6d-b3f6-d5955d1b919a"
 backend:
   resource_group_name:   "s941-tfstate"
   storage_account_name:  "s941radixinfra"
@@ -29,9 +32,9 @@ clusters:
     aksversion: "1.29.8"
     networkset: "networkset2"
     network_policy: "cilium"
-    autostartupschedule: true
-  weekly-02:
+    # autostartupschedule: true
+  weekly-04:
     aksversion: "1.29.8"
     networkset: "networkset1"
     network_policy: "cilium"
-    # autostartupschedule: true
+    autostartupschedule: true

terraform/subscriptions/s941/dev/post-clusters/backend.tf

@@ -34,9 +34,3 @@ module "clusters" {
   resource_group_name = module.config.cluster_resource_group
   subscription        = module.config.subscription
 }
-
-data "azurerm_key_vault_secret" "radixowners" {
-  name         = "radixowners"
-  key_vault_id = module.config.backend.ip_key_vault_id
-}
-

terraform/subscriptions/s941/dev/post-clusters/grafana.tf

@@ -1,17 +1,6 @@
-locals {
-  grafana_uris = [
-    for k, v in module.clusters.oidc_issuer_url :
-    "https://grafana.${k}.${module.config.environment}.radix.equinor.com/login/generic_oauth"
-  ]
-}
-
-module "grafana" {
-  source       = "../../../modules/app_registration"
-  display_name = "radix-ar-grafana-${module.config.environment}"
-  notes        = "Grafana Oauth, main app for user authentication to Grafana"
-  service_id   = "110327"
-  web_uris     = concat(["https://grafana.${module.config.environment}.radix.equinor.com/login/generic_oauth"], local.grafana_uris)
-  owners       = keys(jsondecode(data.azurerm_key_vault_secret.radixowners.value))
-}
-
-
+module "grafana_redirect_uris" {
+  source         = "../../../modules/app_registration_redirect_uris"
+  application_id = "/applications/${module.config.appreg.grafana}"
+  type           = "Web"
+  redirect_uris  = concat(["https://grafana.${module.config.environment}.radix.equinor.com/login/generic_oauth"], local.grafana_uris)
+}