diff --git a/2021-05-11-ADO/setup/azuread.tf b/2021-05-11-ADO/setup/azuread.tf
index 3336976..635e1af 100644
--- a/2021-05-11-ADO/setup/azuread.tf
+++ b/2021-05-11-ADO/setup/azuread.tf
@@ -6,47 +6,4 @@
 # I don't think those should be the same SP. The KV might be in a different sub than the place
 # you want to create resources. So we'll create two SPs.
 
-# Create SP for service connection in pipeline. Will be used to access KV.
-
-resource "azuread_application" "service_connection" {
- display_name = local.azad_service_connection_sp_name
-}
-
-resource "azuread_service_principal" "service_connection" {
- application_id = azuread_application.service_connection.application_id
-}
-
-resource "random_password" "service_connection" {
- length = 16
-}
-
-resource "azuread_service_principal_password" "service_connection" {
- service_principal_id = azuread_service_principal.service_connection.object_id
- value = random_password.service_connection.result
-}
-
-# Create SP for creation of Azure resources in selected subscription.
-# These credentials will be written to the Key Vault and retrieved during pipeline run
-
-resource "azuread_application" "resource_creation" {
- display_name = local.azad_resource_creation_sp_name
-}
-
-resource "azuread_service_principal" "resource_creation" {
- application_id = azuread_application.resource_creation.application_id
-}
-
-resource "random_password" "resource_creation" {
- length = 16
-}
-
-resource "azuread_service_principal_password" "resource_creation" {
- service_principal_id = azuread_service_principal.resource_creation.object_id
- value = random_password.resource_creation.result
-}
-
-resource "azurerm_role_assignment" "resource_creation" {
- scope = data.azurerm_subscription.current.id
- role_definition_name = "Contributor"
- principal_id = azuread_service_principal.resource_creation.object_id
-}
+# Create SP for service connection in pipeline. Will be used to access KV.
\ No newline at end of file
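Review bot: The re-added line `+# Create SP for service connection in pipeline. Will be used to access KV.` is now a dangling comment: every `azuread_*`, `random_password` and `azurerm_role_assignment` resource it introduced is removed in this hunk, so the new azuread.tf ends with a heading that describes nothing, and the Key Vault it mentions is deleted in azurekeyvault.tf in the same commit. Either drop the line or reword it to say where the service-connection identity now comes from, e.g. `# Service principals are no longer managed here; the pipeline receives its credentials as pipeline variables.` — the second half is inferred from the azure-pipelines.yaml hunks, so confirm it before writing it.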
diff --git a/2021-05-11-ADO/setup/azuredevops.tf b/2021-05-11-ADO/setup/azuredevops.tf
index c1f0b3c..86be4e6 100644
--- a/2021-05-11-ADO/setup/azuredevops.tf
+++ b/2021-05-11-ADO/setup/azuredevops.tf
@@ -114,20 +114,5 @@ resource "azuredevops_build_definition" "pipeline_1" {
 ## There needs to be a service connection to an Azure sub with the key vault
 ## https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/serviceendpoint_azurerm
 
-resource "azuredevops_serviceendpoint_azurerm" "key_vault" {
- project_id = azuredevops_project.project.id
- service_endpoint_name = "key_vault"
- description = "Azure Service Endpoint for Key Vault Access"
-
- credentials {
- serviceprincipalid = azuread_application.service_connection.application_id
- serviceprincipalkey = random_password.service_connection.result
- }
-
- azurerm_spn_tenantid = data.azurerm_client_config.current.tenant_id
- azurerm_subscription_id = data.azurerm_client_config.current.subscription_id
- azurerm_subscription_name = data.azurerm_subscription.current.display_name
-}
-
 
 # Key Vault task is here: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault?view=azure-devops
diff --git a/2021-05-11-ADO/setup/azurekeyvault.tf b/2021-05-11-ADO/setup/azurekeyvault.tf
index 68055a0..e69de29 100644
--- a/2021-05-11-ADO/setup/azurekeyvault.tf
+++ b/2021-05-11-ADO/setup/azurekeyvault.tf
@@ -1,55 +0,0 @@
-data "azurerm_client_config" "current" {}
-
-data "azurerm_subscription" "current" {}
-
-# Create a Key Vault
-resource "azurerm_key_vault" "setup" {
- name = local.az_key_vault_name
- location = azurerm_resource_group.setup.location
- resource_group_name = azurerm_resource_group.setup.name
- tenant_id = data.azurerm_client_config.current.tenant_id
-
- sku_name = "standard"
-}
-
-# Set access policies
-# Grant yourself full access (probably could be restricted to just secret_permissions)
-resource "azurerm_key_vault_access_policy" "you" {
- key_vault_id = azurerm_key_vault.setup.id
-
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azurerm_client_config.current.object_id
-
- key_permissions = [
- "get", "list", "update", "create", "decrypt", "encrypt", "unwrapKey", "wrapKey", "verify", "sign",
- ]
-
- secret_permissions = [
- "get", "list", "set", "delete", "purge", "recover", "backup"
- ]
-
- certificate_permissions = [
- "get", "list", "create", "import", "delete", "update",
- ]
-}
-
-# Grant the pipeline SP access to [get,list] secrets from the KV
-resource "azurerm_key_vault_access_policy" "pipeline" {
- key_vault_id = azurerm_key_vault.setup.id
-
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = azuread_service_principal.service_connection.object_id
-
- secret_permissions = [
- "get", "list",
- ]
-
-}
-
-# Populate with secrets to be used by the pipeline
-resource "azurerm_key_vault_secret" "pipeline" {
- for_each = local.pipeline_variables
- name = each.key
- value = each.value
- key_vault_id = azurerm_key_vault.setup.id
-}
diff --git a/2021-05-11-ADO/setup/variables.tf b/2021-05-11-ADO/setup/variables.tf
index c553727..5740cfd 100644
--- a/2021-05-11-ADO/setup/variables.tf
+++ b/2021-05-11-ADO/setup/variables.tf
@@ -77,19 +77,5 @@ locals {
 
 az_resource_group_name = "${var.prefix}${random_integer.suffix.result}"
 az_storage_account_name = "${lower(var.prefix)}${random_integer.suffix.result}"
- az_key_vault_name = "${var.prefix}${random_integer.suffix.result}"
- pipeline_variables = {
- storageaccount = azurerm_storage_account.sa.name
- container-name = var.az_container_name
- key = var.az_state_key
- sas-token = data.azurerm_storage_account_sas.state.sas
- az-client-id = azuread_service_principal.resource_creation.object_id
- az-client-secret = random_password.resource_creation.result
- az-subscription = data.azurerm_client_config.current.subscription_id
- az-tenant = data.azurerm_client_config.current.tenant_id
- }
-
- azad_service_connection_sp_name = "${var.prefix}-service-connection-${random_integer.suffix.result}"
- azad_resource_creation_sp_name = "${var.prefix}-resource-creation-${random_integer.suffix.result}"
 
 }
\ No newline at end of file
diff --git a/2021-05-11-ADO/vnet/azure-pipelines.yaml b/2021-05-11-ADO/vnet/azure-pipelines.yaml
index 85c3159..f4d70a3 100644
--- a/2021-05-11-ADO/vnet/azure-pipelines.yaml
+++ b/2021-05-11-ADO/vnet/azure-pipelines.yaml
@@ -24,24 +24,15 @@ stages:
 inputs:
 terraformVersion: 'latest'
 
- # Azure Key Vault
- # Download Azure Key Vault secrets
- - task: AzureKeyVault@1
- inputs:
- ConnectedServiceName: $(service_name)
- keyVaultName: $(key_vault_name)
- secretsFilter: '*'
- runAsPreJob: false # Azure DevOps Services only
-
- # Init
+ # Init
 - task: TerraformCLI@0
 displayName: Initialize Terraform
 env:
- ARM_SAS_TOKEN: $(sas-token)
+ ARM_SAS_TOKEN: $(sas_token)
 inputs:
 command: 'init'
 workingDirectory: '$(System.DefaultWorkingDirectory)/2021-05-11-ADO/vnet'
- commandOptions: '-backend-config=storage_account_name=$(storageaccount) -backend-config=container_name=$(container-name) -backend-config=key=$(key)'
+ commandOptions: '-backend-config=storage_account_name=$(storageaccount) -backend-config=container_name=$(container_name) -backend-config=key=$(key)'
 backendType: 'selfConfigured'
 
 # Validate
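Review bot: With the `AzureKeyVault@1` step removed, `ARM_SAS_TOKEN: $(sas_token)` — and in the next two hunks `$(az_client_id)`, `$(az_client_secret)`, `$(az_subscription)` and `$(az_tenant)` — now read pipeline variables that nothing in this diff declares, so where these values come from is undocumented, and `sas_token` and `az_client_secret` are credentials that must be defined as secret variables (or a variable group backed by a secret store) so they are masked in logs instead of stored as plain pipeline variables. A comment above `# Init` would make the contract explicit, e.g. `# storageaccount, container_name, key and sas_token are supplied as pipeline variables; sas_token must be a secret variable`, and the same note applies to the Plan and Apply stages in the two following hunks. The renamed keys (`container_name`, `sas_token`, underscore-style `az_*`) must also match whatever now defines them, since the old hyphenated `local.pipeline_variables` map is deleted in variables.tf. The enclosing `stages:` block starts outside the hunk.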
@@ -63,35 +54,26 @@ stages:
 inputs:
 terraformVersion: 'latest'
 
- # Azure Key Vault
- # Download Azure Key Vault secrets
- - task: AzureKeyVault@1
- inputs:
- ConnectedServiceName: $(service_name)
- keyVaultName: $(key_vault_name)
- secretsFilter: '*'
- runAsPreJob: false # Azure DevOps Services only
-
- # Init
+ # Init
 - task: TerraformCLI@0
 displayName: Initialize Terraform
 env:
- ARM_SAS_TOKEN: $(sas-token)
+ ARM_SAS_TOKEN: $(sas_token)
 inputs:
 command: 'init'
 workingDirectory: '$(System.DefaultWorkingDirectory)/2021-05-11-ADO/vnet'
- commandOptions: '-backend-config=storage_account_name=$(storageaccount) -backend-config=container_name=$(container-name) -backend-config=key=$(key)'
+ commandOptions: '-backend-config=storage_account_name=$(storageaccount) -backend-config=container_name=$(container_name) -backend-config=key=$(key)'
 backendType: 'selfConfigured'
 
 # Plan
 - task: TerraformCLI@0
 displayName: Plan Terraform Deployment
 env:
- ARM_SAS_TOKEN: $(sas-token)
- ARM_CLIENT_ID: $(az-client-id)
- ARM_CLIENT_SECRET: $(az-client-secret)
- ARM_SUBSCRIPTION_ID: $(az-subscription)
- ARM_TENANT_ID: $(az-tenant)
+ ARM_SAS_TOKEN: $(sas_token)
+ ARM_CLIENT_ID: $(az_client_id)
+ ARM_CLIENT_SECRET: $(az_client_secret)
+ ARM_SUBSCRIPTION_ID: $(az_subscription)
+ ARM_TENANT_ID: $(az_tenant)
 inputs:
 command: 'plan'
 workingDirectory: '$(System.DefaultWorkingDirectory)/2021-05-11-ADO/vnet'
@@ -122,42 +104,27 @@ stages:
 inputs:
 terraformVersion: 'latest'
 
- # Azure Key Vault
- # Download Azure Key Vault secrets
- - task: AzureKeyVault@1
- inputs:
- ConnectedServiceName: $(service_name)
- keyVaultName: $(key_vault_name)
- secretsFilter: '*'
- runAsPreJob: false # Azure DevOps Services only
-
 # Init
 - task: TerraformCLI@0
 displayName: Initialize Terraform
 env:
- ARM_SAS_TOKEN: $(sas-token)
+ ARM_SAS_TOKEN: $(sas_token)
 inputs:
 command: 'init'
 workingDirectory: '$(System.DefaultWorkingDirectory)/2021-05-11-ADO/vnet'
- commandOptions: '-backend-config=storage_account_name=$(storageaccount) -backend-config=container_name=$(container-name) -backend-config=key=$(key)'
+ commandOptions: '-backend-config=storage_account_name=$(storageaccount) -backend-config=container_name=$(container_name) -backend-config=key=$(key)'
 backendType: 'selfConfigured'
 
 # Apply
 - task: TerraformCLI@0
 displayName: Apply Terraform Deployment
 env:
- ARM_SAS_TOKEN: $(sas-token)
- ARM_CLIENT_ID: $(az-client-id)
- ARM_CLIENT_SECRET: $(az-client-secret)
- ARM_SUBSCRIPTION_ID: $(az-subscription)
- ARM_TENANT_ID: $(az-tenant)
+ ARM_SAS_TOKEN: $(sas_token)
+ ARM_CLIENT_ID: $(az_client_id)
+ ARM_CLIENT_SECRET: $(az_client_secret)
+ ARM_SUBSCRIPTION_ID: $(az_subscription)
+ ARM_TENANT_ID: $(az_tenant)
 inputs:
 command: 'apply'
 workingDirectory: '$(System.DefaultWorkingDirectory)/2021-05-11-ADO/vnet'
 commandOptions: '-auto-approve'
-
-
-
-
-
-