revert changes on first ADO phase

ned1313 · May 24, 2021 · 7920561 · 7920561
1 parent da2dadc
commit 7920561
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 179 deletions.
diff --git a/2021-05-11-ADO/setup/azuread.tf b/2021-05-11-ADO/setup/azuread.tf
@@ -6,47 +6,4 @@
 # I don't think those should be the same SP. The KV might be in a different sub than the place
 # you want to create resources. So we'll create two SPs.
 
-# Create SP for service connection in pipeline. Will be used to access KV.
-
-resource "azuread_application" "service_connection" {
-  display_name               = local.azad_service_connection_sp_name
-}
-
-resource "azuread_service_principal" "service_connection" {
-  application_id               = azuread_application.service_connection.application_id
-}
-
-resource "random_password" "service_connection" {
-  length = 16
-}
-
-resource "azuread_service_principal_password" "service_connection" {
-  service_principal_id = azuread_service_principal.service_connection.object_id
-  value = random_password.service_connection.result
-}
-
-# Create SP for creation of Azure resources in selected subscription.
-# These credentials will be written to the Key Vault and retrieved during pipeline run
-
-resource "azuread_application" "resource_creation" {
-  display_name               = local.azad_resource_creation_sp_name
-}
-
-resource "azuread_service_principal" "resource_creation" {
-  application_id               = azuread_application.resource_creation.application_id
-}
-
-resource "random_password" "resource_creation" {
-  length = 16
-}
-
-resource "azuread_service_principal_password" "resource_creation" {
-  service_principal_id = azuread_service_principal.resource_creation.object_id
-  value = random_password.resource_creation.result
-}
-
-resource "azurerm_role_assignment" "resource_creation" {
-  scope = data.azurerm_subscription.current.id
-  role_definition_name = "Contributor"
-  principal_id = azuread_service_principal.resource_creation.object_id
-}
+# Create SP for service connection in pipeline. Will be used to access KV.
diff --git a/2021-05-11-ADO/setup/azuredevops.tf b/2021-05-11-ADO/setup/azuredevops.tf
@@ -114,20 +114,5 @@ resource "azuredevops_build_definition" "pipeline_1" {
 ## There needs to be a service connection to an Azure sub with the key vault
 ## https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/serviceendpoint_azurerm
 
-resource "azuredevops_serviceendpoint_azurerm" "key_vault" {
-  project_id = azuredevops_project.project.id
-  service_endpoint_name = "key_vault"
-  description = "Azure Service Endpoint for Key Vault Access"
-
-  credentials {
-    serviceprincipalid = azuread_application.service_connection.application_id
-    serviceprincipalkey = random_password.service_connection.result
-  }
-
-  azurerm_spn_tenantid = data.azurerm_client_config.current.tenant_id
-  azurerm_subscription_id = data.azurerm_client_config.current.subscription_id
-  azurerm_subscription_name = data.azurerm_subscription.current.display_name
-}
-
 # Key Vault task is here: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault?view=azure-devops
 
diff --git a/2021-05-11-ADO/setup/azurekeyvault.tf b/2021-05-11-ADO/setup/azurekeyvault.tf
@@ -1,55 +0,0 @@
-data "azurerm_client_config" "current" {}
-
-data "azurerm_subscription" "current" {}
-
-# Create a Key Vault
-resource "azurerm_key_vault" "setup" {
-  name = local.az_key_vault_name
-  location = azurerm_resource_group.setup.location
-  resource_group_name = azurerm_resource_group.setup.name
-  tenant_id = data.azurerm_client_config.current.tenant_id
-
-  sku_name = "standard"
-}
-
-# Set access policies
-# Grant yourself full access (probably could be restricted to just secret_permissions)
-resource "azurerm_key_vault_access_policy" "you" {
-  key_vault_id = azurerm_key_vault.setup.id
-
-  tenant_id = data.azurerm_client_config.current.tenant_id
-  object_id = data.azurerm_client_config.current.object_id
-
-  key_permissions = [
-    "get", "list", "update", "create", "decrypt", "encrypt", "unwrapKey", "wrapKey", "verify", "sign",
-  ]
-
-  secret_permissions = [
-    "get", "list", "set", "delete", "purge", "recover", "backup"
-  ]
-
-  certificate_permissions = [
-    "get", "list", "create", "import", "delete", "update",
-  ]
-}
-
-# Grant the pipeline SP access to [get,list] secrets from the KV
-resource "azurerm_key_vault_access_policy" "pipeline" {
-  key_vault_id = azurerm_key_vault.setup.id
-
-  tenant_id = data.azurerm_client_config.current.tenant_id
-  object_id = azuread_service_principal.service_connection.object_id
-
-  secret_permissions = [
-    "get", "list",
-  ]
-
-}
-
-# Populate with secrets to be used by the pipeline
-resource "azurerm_key_vault_secret" "pipeline" {
-  for_each = local.pipeline_variables
-  name         = each.key
-  value        = each.value
-  key_vault_id = azurerm_key_vault.setup.id
-}

diff --git a/2021-05-11-ADO/setup/variables.tf b/2021-05-11-ADO/setup/variables.tf
@@ -77,19 +77,5 @@ locals {
 
   az_resource_group_name  = "${var.prefix}${random_integer.suffix.result}"
   az_storage_account_name = "${lower(var.prefix)}${random_integer.suffix.result}"
-  az_key_vault_name = "${var.prefix}${random_integer.suffix.result}"
 
-  pipeline_variables = {
-    storageaccount = azurerm_storage_account.sa.name
-    container-name = var.az_container_name
-    key = var.az_state_key
-    sas-token = data.azurerm_storage_account_sas.state.sas
-    az-client-id = azuread_service_principal.resource_creation.object_id
-    az-client-secret = random_password.resource_creation.result
-    az-subscription = data.azurerm_client_config.current.subscription_id
-    az-tenant = data.azurerm_client_config.current.tenant_id
-  }
-
-  azad_service_connection_sp_name = "${var.prefix}-service-connection-${random_integer.suffix.result}"
-  azad_resource_creation_sp_name = "${var.prefix}-resource-creation-${random_integer.suffix.result}"
 }
diff --git a/2021-05-11-ADO/vnet/azure-pipelines.yaml b/2021-05-11-ADO/vnet/azure-pipelines.yaml
@@ -24,24 +24,15 @@ stages:
       inputs:
         terraformVersion: 'latest'
 
-    # Azure Key Vault
-    # Download Azure Key Vault secrets
-    - task: AzureKeyVault@1
-      inputs:
-        ConnectedServiceName: $(service_name)
-        keyVaultName: $(key_vault_name)
-        secretsFilter: '*'
-        runAsPreJob: false # Azure DevOps Services only
-
-    # Init
+  # Init
     - task: TerraformCLI@0
       displayName: Initialize Terraform
       env:
-        ARM_SAS_TOKEN: $(sas-token)
+        ARM_SAS_TOKEN: $(sas_token)
       inputs:
         command: 'init'
         workingDirectory: '$(System.DefaultWorkingDirectory)/2021-05-11-ADO/vnet'
-        commandOptions: '-backend-config=storage_account_name=$(storageaccount) -backend-config=container_name=$(container-name) -backend-config=key=$(key)'
+        commandOptions: '-backend-config=storage_account_name=$(storageaccount) -backend-config=container_name=$(container_name) -backend-config=key=$(key)'
         backendType: 'selfConfigured'
 
   # Validate
@@ -63,35 +54,26 @@ stages:
       inputs:
         terraformVersion: 'latest'
 
-    # Azure Key Vault
-    # Download Azure Key Vault secrets
-    - task: AzureKeyVault@1
-      inputs:
-        ConnectedServiceName: $(service_name)
-        keyVaultName: $(key_vault_name)
-        secretsFilter: '*'
-        runAsPreJob: false # Azure DevOps Services only
-
-    # Init
+  # Init
     - task: TerraformCLI@0
       displayName: Initialize Terraform
       env:
-        ARM_SAS_TOKEN: $(sas-token)
+        ARM_SAS_TOKEN: $(sas_token)
       inputs:
         command: 'init'
         workingDirectory: '$(System.DefaultWorkingDirectory)/2021-05-11-ADO/vnet'
-        commandOptions: '-backend-config=storage_account_name=$(storageaccount) -backend-config=container_name=$(container-name) -backend-config=key=$(key)'
+        commandOptions: '-backend-config=storage_account_name=$(storageaccount) -backend-config=container_name=$(container_name) -backend-config=key=$(key)'
         backendType: 'selfConfigured'
 
   # Plan
     - task: TerraformCLI@0
       displayName: Plan Terraform Deployment
       env:
-        ARM_SAS_TOKEN: $(sas-token)
-        ARM_CLIENT_ID: $(az-client-id)
-        ARM_CLIENT_SECRET: $(az-client-secret)
-        ARM_SUBSCRIPTION_ID: $(az-subscription)
-        ARM_TENANT_ID: $(az-tenant)
+        ARM_SAS_TOKEN: $(sas_token)
+        ARM_CLIENT_ID: $(az_client_id)
+        ARM_CLIENT_SECRET: $(az_client_secret)
+        ARM_SUBSCRIPTION_ID: $(az_subscription)
+        ARM_TENANT_ID: $(az_tenant)
       inputs:
         command: 'plan'
         workingDirectory: '$(System.DefaultWorkingDirectory)/2021-05-11-ADO/vnet'
@@ -122,42 +104,27 @@ stages:
       inputs:
         terraformVersion: 'latest'
 
-    # Azure Key Vault
-    # Download Azure Key Vault secrets
-    - task: AzureKeyVault@1
-      inputs:
-        ConnectedServiceName: $(service_name)
-        keyVaultName: $(key_vault_name)
-        secretsFilter: '*'
-        runAsPreJob: false # Azure DevOps Services only
-
   # Init
     - task: TerraformCLI@0
       displayName: Initialize Terraform
       env:
-        ARM_SAS_TOKEN: $(sas-token)
+        ARM_SAS_TOKEN: $(sas_token)
       inputs:
         command: 'init'
         workingDirectory: '$(System.DefaultWorkingDirectory)/2021-05-11-ADO/vnet'
-        commandOptions: '-backend-config=storage_account_name=$(storageaccount) -backend-config=container_name=$(container-name) -backend-config=key=$(key)'
+        commandOptions: '-backend-config=storage_account_name=$(storageaccount) -backend-config=container_name=$(container_name) -backend-config=key=$(key)'
         backendType: 'selfConfigured'
 
   # Apply
     - task: TerraformCLI@0
       displayName: Apply Terraform Deployment
       env:
-        ARM_SAS_TOKEN: $(sas-token)
-        ARM_CLIENT_ID: $(az-client-id)
-        ARM_CLIENT_SECRET: $(az-client-secret)
-        ARM_SUBSCRIPTION_ID: $(az-subscription)
-        ARM_TENANT_ID: $(az-tenant)
+        ARM_SAS_TOKEN: $(sas_token)
+        ARM_CLIENT_ID: $(az_client_id)
+        ARM_CLIENT_SECRET: $(az_client_secret)
+        ARM_SUBSCRIPTION_ID: $(az_subscription)
+        ARM_TENANT_ID: $(az_tenant)
       inputs:
         command: 'apply'
         workingDirectory: '$(System.DefaultWorkingDirectory)/2021-05-11-ADO/vnet'
         commandOptions: '-auto-approve'
-
-
-
-
-
-