diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index 61937d93d6..69c2f6fee2 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -6,7 +6,7 @@ version: '3.7' services: rover: - image: aztfmod/rover:1.2.5-2208.0208 + image: aztfmod/rover:1.3.1-2210.0303 user: vscode labels: diff --git a/.github/workflows/standalone-regressor-tf100.yaml b/.github/workflows/standalone-regressor-tf100.yaml index 8b8ef826d2..29f8704d16 100644 --- a/.github/workflows/standalone-regressor-tf100.yaml +++ b/.github/workflows/standalone-regressor-tf100.yaml @@ -55,7 +55,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.2.5-2208.0208 + image: aztfmod/rover:1.3.1-2210.0303 options: --user 0 steps: @@ -165,7 +165,7 @@ jobs: needs: [testcases] container: - image: aztfmod/rover:1.2.5-2208.0208 + image: aztfmod/rover:1.3.1-2210.0303 options: --user 0 steps: diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 3b6382b447..27c2875125 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -27,6 +27,8 @@ "compute/availability_set/100-simple-availabilityset", "compute/availability_set/101-availabilityset-with-proximity-placement-group", "compute/azure_virtual_desktop/wvd_resources", + "compute/azure_redhat_openshift/101_basic_private_cluster", + "compute/azure_redhat_openshift/102_basic_public_cluster", "compute/batch/batch_account/100-batch-account-storage", "compute/batch/batch_account/100-batch-account", "compute/batch/batch_account/200-batch-account-private-endpoint", diff --git a/.github/workflows/standalone-tf100.yaml b/.github/workflows/standalone-tf100.yaml index 3139645588..2cdb415af6 100644 --- a/.github/workflows/standalone-tf100.yaml +++ b/.github/workflows/standalone-tf100.yaml 
@@ -51,7 +51,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.2.5-2208.0208 + image: aztfmod/rover:1.3.1-2210.0303 options: --user 0 steps: @@ -136,7 +136,7 @@ jobs: needs: [testcases] container: - image: aztfmod/rover:1.2.5-2208.0208 + image: aztfmod/rover:1.3.1-2210.0303 options: --user 0 steps: diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 23fec63c76..4bd307e68b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -2,7 +2,7 @@ # See http://pre-commit.com/hooks.html for more hooks repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.74.1 + rev: v1.75.0 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/azure_redhat_openshift.tf b/azure_redhat_openshift.tf new file mode 100644 index 0000000000..e36444f0c0 --- /dev/null +++ b/azure_redhat_openshift.tf 
@@ -0,0 +1,31 @@ +module "aro" { + source = "./modules/compute/azure_redhat_openshift" + for_each = local.compute.aro_clusters + depends_on = [time_sleep.azurerm_role_assignment_for] + + location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location + resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name + resource_group = can(each.value.resource_group.id) || can(each.value.resource_group_id) ? try(each.value.resource_group.id, each.value.resource_group_id) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].id + base_tags = try(local.global_settings.inherit_tags, false) ? 
try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} + client_config = local.client_config + combined_diagnostics = local.combined_diagnostics + diagnostic_profiles = try(each.value.diagnostic_profiles, {}) + global_settings = local.global_settings + settings = each.value + dynamic_keyvault_secrets = try(local.security.dynamic_keyvault_secrets, {}) + + combined_resources = { + resource_groups = local.combined_objects_resource_groups + keyvaults = local.combined_objects_keyvaults + managed_identities = local.combined_objects_managed_identities + vnets = local.combined_objects_networking + virtual_subnets = local.combined_objects_virtual_subnets + service_principals = local.combined_objects_azuread_service_principals + disk_encryption_sets = local.combined_objects_disk_encryption_sets + } +} + +output "aro" { + value = module.aro +} + diff --git a/examples/compute/azure_redhat_openshift/101_basic_private_cluster/aro.tfvars b/examples/compute/azure_redhat_openshift/101_basic_private_cluster/aro.tfvars new file mode 100644 index 0000000000..dda45774c1 --- /dev/null +++ b/examples/compute/azure_redhat_openshift/101_basic_private_cluster/aro.tfvars 
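Review bot: The four resource-group lookups in `module "aro"` resolve the key in two different orders — `location` and `base_tags` use `try(each.value.resource_group.key, each.value.resource_group_key)` while `resource_group_name` and `resource_group` use `try(each.value.resource_group_key, each.value.resource_group.key)` — so a caller who sets both spellings to different values gets a cluster created in one resource group with location and inherited tags taken from another. Use one order in all four expressions, e.g. `try(each.value.resource_group.key, each.value.resource_group_key)`. A short comment above `output "aro"` noting that it re-exports every module output, so any future output carrying the request body or credentials must be declared `sensitive = true`, would also help the next person extending the module.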
@@ -0,0 +1,99 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "eastus" + region2 = "australiacentral" + } +} + +resource_groups = { + aro1 = { + name = "aro-test" + region = "region1" + } +} + +aro_clusters = { + aro1 = { + name = "aro" + resource_group_key = "aro1" + + service_principal = { + key = "sp1" + keyvault = { + key = "test_client" + secret_prefix = "test-client" + } + ## support for litterals + # client_id = "" + # client_secret = "" + # # { + } + + api_server_profile = { + visibility = "Private" + } + + ingress_profiles = [ + { + name = "default" + visibility = "Private" + } + ] + + + cluster_profile = { + domain = "testcafaro43" + fips_validated_modules = "Disabled" + # pull_secret = { + # secret = "your_secret" + # secret_id = "resource_id_of_the_secret" + #} + version = "4.10.20" + resource_group = { + # cant be an existing RG, you can specify the name of the RG to create with id="" or just a name="" + # id = "resource_group_id" + name = "test-aro" + } + } + + master_profile = { + vm_size = "Standard_D8s_v3" + encryption_at_host = "Disabled" + subnet = { + key = "subnet1" + vnet = { + key = "vnet1" + } + //id = "resource_id" + } + # disk_encryption_set = { + # key = "disk-encryption-set1" + # id = "resource_id" + # } + } + + worker_profiles = [ + { + name = "worker" + vm_size = "Standard_D4s_v3" + disk_size_gb = "128" + node_count = "4" + encryption_at_host = "Disabled" + subnet = { + key = "subnet2" + vnet = { + key = "vnet1" + } + //id = "resource_id" + } + } + ] + + network_profile = { + pod_cidr = "10.128.0.0/14" + service_cidr = "172.30.0.0/16" + } + + } +} diff --git a/examples/compute/azure_redhat_openshift/101_basic_private_cluster/principal.tfvars b/examples/compute/azure_redhat_openshift/101_basic_private_cluster/principal.tfvars new file mode 100644 index 0000000000..25f3ca0c31 --- /dev/null +++ b/examples/compute/azure_redhat_openshift/101_basic_private_cluster/principal.tfvars 
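Review bot: The private-cluster example switches off every hardening option the module exposes — `encryption_at_host = "Disabled"` on both the master and worker profiles, `fips_validated_modules = "Disabled"`, and the `disk_encryption_set` block commented out — without saying these are test-only choices, so it is likely to be copied unchanged. Add a comment above `cluster_profile` such as `# Test defaults: enable encryption_at_host, fips_validated_modules and a disk_encryption_set for production clusters`. The commented `disk_encryption_set = { key = ... id = ... }` shape also does not match what the module reads — `locals.tf` looks for `disk_encryption_set_key` / `disk_encryption_set_id` directly on the profile — so un-commenting it as written would be silently ignored and the disks left unencrypted by a customer key; fix the comment to the flat form. The stray `# # {` line under `service_principal` should be removed.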
@@ -0,0 +1,106 @@ +keyvaults = { + test_client = { + name = "testkv" + resource_group_key = "aro1" + sku_name = "standard" + soft_delete_enabled = true + creation_policies = { + logged_in_user = { + # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy + # More examples in /examples/keyvault + secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] + } + } + } +} + +keyvault_access_policies_azuread_apps = { + test_client = { + test_client = { + azuread_application_key = "test_client" + secret_permissions = ["Set", "Get", "List", "Delete"] + } + } +} + +azuread_applications = { + test_client = { + useprefix = true + application_name = "aro-test" + } +} + +azuread_service_principals = { + sp1 = { + azuread_application = { + key = "test_client" + } + tags = [ + "AzureRedHatOpenShift" + ] + } +} + +azuread_credential_policies = { + default_policy = { + # Length of the password + length = 250 + special = false + upper = true + number = true + # Password Expiration date + expire_in_days = 90 + rotation_key0 = { + # Odd number + days = 33 + } + rotation_key1 = { + # Even number + days = 58 + } + } +} + +azuread_credentials = { + test1 = { + type = "password" + azuread_credential_policy_key = "default_policy" + azuread_application = { + key = "test_client" + } + keyvaults = { + test_client = { + secret_prefix = "test-client" + } + } + } +} + +#complete list of built-in-roles : https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles + +role_mapping = { + built_in_role_mapping = { + networking = { + # subcription level access + vnet1 = { + "Contributor" = { + azuread_service_principals = { + keys = ["sp1"] + } + object_ids = { + keys = ["004c3094-aa2e-47f3-87aa-f82a155ada54"] + // To get the value for your tenant use the following coommand: + // az ad sp list --display-name "Azure Red Hat OpenShift RP" --query "[0].id" -o tsv + // Todo: get object ID from ARO RP ID + // add capability to 
specify SP by name: azuread_service_principal_names = { + // # keys = [] + // cond data source to crack the names to GUID + //} + } + } + } + } + + } +} + diff --git a/examples/compute/azure_redhat_openshift/101_basic_private_cluster/vnet.tfvars b/examples/compute/azure_redhat_openshift/101_basic_private_cluster/vnet.tfvars new file mode 100644 index 0000000000..65746d4fa8 --- /dev/null +++ b/examples/compute/azure_redhat_openshift/101_basic_private_cluster/vnet.tfvars @@ -0,0 +1,24 @@ +vnets = { + vnet1 = { + resource_group_key = "aro1" + vnet = { + name = "aro-vnet" + address_space = ["10.1.0.0/16"] + } + subnets = { + subnet1 = { + name = "master" + cidr = ["10.1.1.0/24"] + service_endpoints = ["Microsoft.ContainerRegistry", "Microsoft.Storage"] + enforce_private_link_service_network_policies = true + enforce_private_link_endpoint_network_policies = true + } + subnet2 = { + name = "worker" + cidr = ["10.1.2.0/24"] + service_endpoints = ["Microsoft.ContainerRegistry", "Microsoft.Storage"] + } + + } + } +} \ No newline at end of file diff --git a/examples/compute/azure_redhat_openshift/102_basic_public_cluster/aro.tfvars b/examples/compute/azure_redhat_openshift/102_basic_public_cluster/aro.tfvars new file mode 100644 index 0000000000..6a042c22d8 --- /dev/null +++ b/examples/compute/azure_redhat_openshift/102_basic_public_cluster/aro.tfvars 
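Review bot: `role_mapping` grants `Contributor` on `vnet1` to both the cluster service principal `sp1` and the literal object id `004c3094-aa2e-47f3-87aa-f82a155ada54`; the ARO documentation asks for `Network Contributor` on the virtual network for both identities, so `Contributor` over-provisions a credential that ends up inside the cluster — change the key to `"Network Contributor"` unless something in the landing zone needs more. Because the object id is tenant-specific (as the comment already says) but hard-coded, in any other tenant the example either fails at apply or assigns the role to whatever object that GUID happens to resolve to; a `# REPLACE with your tenant's ARO RP object id (see command below)` marker on that line would make the requirement explicit. Separately, `keyvault_access_policies_azuread_apps` gives the ARO application `Set`/`Delete` on the vault that stores its own credential, yet the module reads that secret with the deployer's identity via `data.azurerm_key_vault_secret` and the cluster never touches the vault, so the policy can be reduced to `["Get", "List"]` or dropped entirely. This hunk shares its anchor with the `vnet.tfvars` hunk that follows it on the same line.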
@@ -0,0 +1,98 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "eastus" + region2 = "australiacentral" + } +} + +resource_groups = { + aro1 = { + name = "aro-test" + region = "region1" + } +} + +aro_clusters = { + aro1 = { + name = "aro" + resource_group_key = "aro1" + + service_principal = { + key = "sp1" + keyvault = { + key = "test_client" + secret_prefix = "test-client" + } + ## support for litterals + # client_id = "" + # client_secret = "" + # # { + } + + api_server_profile = { + visibility = "Public" + } + + ingress_profiles = [ + { + name = "default" + visibility = "Public" + } + ] + + cluster_profile = { + domain = "testcafaro431" + fips_validated_modules = "Disabled" + # pull_secret = { + # secret = "your_secret" + # secret_id = "resource_id_of_the_secret" + #} + version = "4.10.20" + resource_group = { + # cant be an existing RG, you can specify the name of the RG to create with id="" or just a name="" + # id = "resource_group_id" + name = "aro-res" + } + } + + master_profile = { + vm_size = "Standard_D8s_v3" + encryption_at_host = "Disabled" + subnet = { + key = "subnet1" + vnet = { + key = "vnet1" + } + //id = "resource_id" + } + # disk_encryption_set = { + # key = "disk-encryption-set1" + # id = "resource_id" + # } + } + + worker_profiles = [ + { + name = "worker" + vm_size = "Standard_D4s_v3" + disk_size_gb = "128" + node_count = "4" + encryption_at_host = "Disabled" + subnet = { + key = "subnet2" + vnet = { + key = "vnet1" + } + //id = "resource_id" + } + } + ] + + network_profile = { + pod_cidr = "10.128.0.0/14" + service_cidr = "172.30.0.0/16" + } + + } +} diff --git a/examples/compute/azure_redhat_openshift/102_basic_public_cluster/principal.tfvars b/examples/compute/azure_redhat_openshift/102_basic_public_cluster/principal.tfvars new file mode 100644 index 0000000000..2853ede12f --- /dev/null +++ b/examples/compute/azure_redhat_openshift/102_basic_public_cluster/principal.tfvars 
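Review bot: With `api_server_profile.visibility = "Public"` and the `default` ingress profile also `"Public"`, the Kubernetes API and the router are internet-reachable from the moment the cluster exists, and nothing in the example restricts source ranges or says so. Add a comment above `api_server_profile`, e.g. `# Public API server and ingress are internet-reachable; use 101_basic_private_cluster unless public access is a requirement`, so the file is not copied into production by default. The same test-only caveat the private example needs applies here to `encryption_at_host = "Disabled"`, `fips_validated_modules = "Disabled"` and the commented-out `disk_encryption_set`, whose commented shape (`key`/`id` nested under `disk_encryption_set`) is not what `locals.tf` reads.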
@@ -0,0 +1,109 @@ +keyvaults = { + test_client = { + name = "testkv" + resource_group_key = "aro1" + sku_name = "standard" + soft_delete_enabled = true + creation_policies = { + logged_in_user = { + # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy + # More examples in /examples/keyvault + secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] + } + } + } +} + +keyvault_access_policies_azuread_apps = { + test_client = { + test_client = { + azuread_application_key = "test_client" + secret_permissions = ["Set", "Get", "List", "Delete"] + } + } +} + +azuread_applications = { + test_client = { + useprefix = true + application_name = "aro-test" + } +} + + +azuread_service_principals = { + sp1 = { + azuread_application = { + key = "test_client" + } + + # app_role_assignment_required = true + tags = [ + "AzureRedHatOpenShift" + ] + } +} + +azuread_credential_policies = { + default_policy = { + # Length of the password + length = 250 + special = false + upper = true + number = true + # Password Expiration date + expire_in_days = 90 + rotation_key0 = { + # Odd number + days = 33 + } + rotation_key1 = { + # Even number + days = 58 + } + } +} + +azuread_credentials = { + test1 = { + type = "password" + azuread_credential_policy_key = "default_policy" + azuread_application = { + key = "test_client" + } + keyvaults = { + test_client = { + secret_prefix = "test-client" + } + } + } +} + +#complete list of built-in-roles : https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles + +role_mapping = { + built_in_role_mapping = { + networking = { + # subcription level access + vnet1 = { + "Contributor" = { + azuread_service_principals = { + keys = ["sp1"] + } + object_ids = { + keys = ["004c3094-aa2e-47f3-87aa-f82a155ada54"] + // To get the value for your tenant use the following coommand: + // az ad sp list --display-name "Azure Red Hat OpenShift RP" --query "[0].id" -o tsv + // Todo get object ID 
from ARO RP ID + // add capability to specify SP by name: azuread_service_principal_names = { + // # keys = [] + // cond data source to crack the names to GUID + //} + } + } + } + } + + } +} + diff --git a/examples/compute/azure_redhat_openshift/102_basic_public_cluster/vnet.tfvars b/examples/compute/azure_redhat_openshift/102_basic_public_cluster/vnet.tfvars new file mode 100644 index 0000000000..65746d4fa8 --- /dev/null +++ b/examples/compute/azure_redhat_openshift/102_basic_public_cluster/vnet.tfvars @@ -0,0 +1,24 @@ +vnets = { + vnet1 = { + resource_group_key = "aro1" + vnet = { + name = "aro-vnet" + address_space = ["10.1.0.0/16"] + } + subnets = { + subnet1 = { + name = "master" + cidr = ["10.1.1.0/24"] + service_endpoints = ["Microsoft.ContainerRegistry", "Microsoft.Storage"] + enforce_private_link_service_network_policies = true + enforce_private_link_endpoint_network_policies = true + } + subnet2 = { + name = "worker" + cidr = ["10.1.2.0/24"] + service_endpoints = ["Microsoft.ContainerRegistry", "Microsoft.Storage"] + } + + } + } +} \ No newline at end of file diff --git a/examples/module.tf b/examples/module.tf index f823e2e09f..bf495d4bf9 100644 --- a/examples/module.tf +++ b/examples/module.tf @@ -85,6 +85,7 @@ module "example" { } compute = { aks_clusters = var.aks_clusters + aro_clusters = var.aro_clusters availability_sets = var.availability_sets azure_container_registries = var.azure_container_registries batch_accounts = var.batch_accounts diff --git a/examples/variables.tf b/examples/variables.tf index d76ec10dd3..5b54e9ebea 100644 --- a/examples/variables.tf +++ b/examples/variables.tf @@ -1005,3 +1005,6 @@ variable "resource_provider_registration" { variable "static_sites" { default = {} } +variable "aro_clusters" { + default = {} +} diff --git a/locals.tf b/locals.tf index 46585fabf0..f8f4d9986e 100644 --- a/locals.tf +++ b/locals.tf 
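Review bot: The `test_client` key vault that stores the cluster service principal's secret sets `soft_delete_enabled = true` but not `purge_protection_enabled`, and the `logged_in_user` creation policy grants the deploying identity `Purge` alongside `Delete`, so a compromised or careless deployer can permanently destroy the cluster credential with no recovery window. Add `purge_protection_enabled = true` next to `soft_delete_enabled` (with a comment that this setting cannot be reverted) and drop `"Purge"` from `secret_permissions` unless the test teardown genuinely needs it; whether the keyvault module passes `purge_protection_enabled` through is not visible in this diff and should be confirmed. The `Contributor` grant on `vnet1` and the hard-coded ARO RP object id have the same least-privilege and portability issues as in the `101_basic_private_cluster` example.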
@@ -69,6 +69,7 @@ locals {
 compute = {
 aks_clusters = try(var.compute.aks_clusters, {})
+ aro_clusters = try(var.compute.aro_clusters, {})
 availability_sets = try(var.compute.availability_sets, {})
 azure_container_registries = try(var.compute.azure_container_registries, {})
 bastion_hosts = try(var.compute.bastion_hosts, {})
diff --git a/main.tf b/main.tf
index 138f84aaf0..90fa1bb7a1 100644
--- a/main.tf
+++ b/main.tf
@@ -14,7 +14,7 @@ terraform {
 }
 azapi = {
 source = "azure/azapi"
- version = "~> 0.2.0"
+ version = "~> 1.0.0"
 }
 azurecaf = {
 source = "aztfmod/azurecaf"
diff --git a/modules/azuread/applications/output.tf b/modules/azuread/applications/output.tf
index de558f13db..72ce86ef5c 100644
--- a/modules/azuread/applications/output.tf
+++ b/modules/azuread/applications/output.tf
@@ -9,7 +9,8 @@ output "azuread_application" {
 id = azuread_application.app.id
 object_id = azuread_application.app.object_id
 application_id = azuread_application.app.application_id
- name = azuread_application.app.name
+ #deprecated
+ #name = azuread_application.app.name
 }
 }
diff --git a/modules/azuread/applications_v1/output.tf b/modules/azuread/applications_v1/output.tf
index cd8c6a2de9..4e6c0cf15b 100644
--- a/modules/azuread/applications_v1/output.tf
+++ b/modules/azuread/applications_v1/output.tf
@@ -44,6 +44,7 @@ output "public_client" {
 output "reply_urls" {
 value = azuread_application.app.reply_urls
 }
-output "type" {
- value = azuread_application.app.type
-}
\ No newline at end of file
+# deprecated
+# output "type" {
+# value = azuread_application.app.type
+# }
\ No newline at end of file
diff --git a/modules/azuread/groups/output.tf b/modules/azuread/groups/output.tf
index e56c371c95..387dd15056 100644
--- a/modules/azuread/groups/output.tf
+++ b/modules/azuread/groups/output.tf
@@ -4,11 +4,12 @@ output "id" {
 }
-output "name" {
- description = "The name of the group created."
- value = azuread_group.group.name
+# deprecated
+# output "name" {
+# description = "The name of the group created."
+# value = azuread_group.group.name
-}
+# }
 output "tenant_id" {
 description = "The tenand_id of the group created."
diff --git a/modules/compute/azure_redhat_openshift/aro.tf b/modules/compute/azure_redhat_openshift/aro.tf
new file mode 100644
index 0000000000..25a489668a
--- /dev/null
+++ b/modules/compute/azure_redhat_openshift/aro.tf
@@ -0,0 +1,57 @@
+# Implemnented as per https://docs.microsoft.com/en-us/azure/templates/microsoft.redhatopenshift/2022-04-01/openshiftclusters?pivots=deployment-language-terraform
+
+resource "azurecaf_name" "aro_cluster" {
+ name = var.settings.name
+ resource_type = "azurerm_redhat_openshift_cluster"
+ prefixes = var.global_settings.prefixes
+ random_length = var.global_settings.random_length
+ clean_input = true
+ passthrough = var.global_settings.passthrough
+ use_slug = var.global_settings.use_slug
+}
+
+resource "azurecaf_name" "aro_domain" {
+ name = var.settings.cluster_profile.domain
+ resource_type = "azurerm_redhat_openshift_domain"
+ prefixes = var.global_settings.prefixes
+ random_length = var.global_settings.random_length
+ clean_input = true
+ passthrough = var.global_settings.passthrough
+ use_slug = var.global_settings.use_slug
+}
+
+resource "azurecaf_name" "aro_res_rg" {
+ count = can(var.settings.cluster_profile.resource_group.name) ? 1 : 0
+ name = var.settings.cluster_profile.resource_group.name
+ resource_type = "azurerm_resource_group"
+ prefixes = var.global_settings.prefixes
+ random_length = var.global_settings.random_length
+ clean_input = true
+ passthrough = var.global_settings.passthrough
+ use_slug = var.global_settings.use_slug
+}
+
+resource "azapi_resource" "aro" {
+ name = azurecaf_name.aro_cluster.result
+ location = var.location
+ parent_id = var.resource_group
+ type = "Microsoft.RedHatOpenShift/openShiftClusters@2022-04-01"
+ tags = local.tags
+
+ body = jsonencode({
+ properties = {
+ masterProfile = local.master_profile
+ workerProfiles = local.worker_profiles
+ servicePrincipalProfile = local.service_principal
+ clusterProfile = local.cluster_profile
+ ingressProfiles = local.ingress_profiles
+ apiserverProfile = local.api_server_profile
+ networkProfile = local.network_profile
+ }
+ })
+
+ timeouts {
+ create = "60m"
+ }
+}
+
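Review bot: `body` on `azapi_resource.aro` carries `servicePrincipalProfile.clientSecret` and `clusterProfile.pullSecret` in clear text, and `azapi_resource.body` is an ordinary string attribute, so every `terraform plan`/`apply` log — including the GitHub Actions regression runs this PR enrols the new examples in — prints the cluster SP password and the Red Hat pull secret, and both sit unredacted in state. Wrap the encoded document, `body = sensitive(jsonencode({ ... }))`, so Terraform redacts the whole attribute in plan output, and add a line to the header comment stating that state still holds the plaintext and must be protected accordingly. `azurecaf_name.aro_domain` is declared but never referenced: `local.cluster_profile.domain` in `locals.tf` uses `azurecaf_name.aro_cluster.result`, so the caller's `cluster_profile.domain` is silently ignored — either use `azurecaf_name.aro_domain.result` there or remove the resource. The header typo `Implemnented` should also be fixed.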
diff --git a/modules/compute/azure_redhat_openshift/locals.tf b/modules/compute/azure_redhat_openshift/locals.tf new file mode 100644 index 0000000000..3d4a3532d6 --- /dev/null +++ b/modules/compute/azure_redhat_openshift/locals.tf 
@@ -0,0 +1,72 @@ +locals { + + service_principal = { + clientId = can(var.settings.service_principal.client_id) ? var.settings.service_principal.client_id : data.azurerm_key_vault_secret.id[0].value + clientSecret = can(var.settings.service_principal.client_secret) ? var.settings.service_principal.client_secret : data.azurerm_key_vault_secret.password[0].value + } + + master_profile = { + vmSize = var.settings.master_profile.vm_size + diskEncryptionSetId = can(var.settings.master_profile.disk_encryption_set_id) || can(var.settings.master_profile.disk_encryption_set_key) == false ? try(var.settings.master_profile.disk_encryption_set_id, null) : var.combined_resources.disk_encryption_sets[try(var.settings.master_profile.disk_encryption_sets.lz_key, var.client_config.landingzone_key)][var.settings.master_profile.disk_encryption_set_key].id + encryptionAtHost = try(var.settings.master_profile.encryption_at_host, null) + subnetId = can(var.settings.master_profile.subnet.id) ? var.settings.master_profile.subnet.id : var.combined_resources.vnets[try(var.settings.master_profile.subnet.lz_key, var.client_config.landingzone_key)][var.settings.master_profile.subnet.vnet.key].subnets[var.settings.master_profile.subnet.key].id + } + + worker_profiles = [ + for worker_profile in var.settings.worker_profiles : { + count = tonumber(worker_profile.node_count) + diskSizeGB = tonumber(worker_profile.disk_size_gb) + diskEncryptionSetId = can(worker_profile.disk_encryption_set_id) || can(worker_profile.disk_encryption_set_key) == false ? try(worker_profile.disk_encryption_set_id, null) : var.combined_resources.disk_encryption_sets[try(worker_profile.disk_encryption_sets.lz_key, var.client_config.landingzone_key)][worker_profile.disk_encryption_set_key].id + encryptionAtHost = try(worker_profile.encryption_at_host, null) + name = worker_profile.name + vmSize = worker_profile.vm_size + subnetId = can(worker_profile.subnet.id) ? 
worker_profile.subnet.id : var.combined_resources.vnets[try(worker_profile.subnet.lz_key, var.client_config.landingzone_key)][worker_profile.subnet.vnet.key].subnets[worker_profile.subnet.key].id + } + ] + + cluster_profile = { + domain = azurecaf_name.aro_cluster.result + resourceGroupId = can(var.settings.cluster_profile.resource_group.id) ? var.settings.cluster_profile.resource_group.id : format("/subscriptions/%s/resourceGroups/%s", var.client_config.subscription_id, azurecaf_name.aro_res_rg[0].result) + // If we could reuse a RG, would use that logic: var.combined_resources.resource_groups[try(var.settings.cluster_profile.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.cluster_profile.resource_group.key].id + version = var.settings.cluster_profile.version + fipsValidatedModules = try(var.settings.cluster_profile.fips_validated_modules, null) + pullSecret = can(var.settings.cluster_profile.pull_secret.secret_id) ? data.azurerm_key_vault_secret.pull_secret[0].value : try(var.settings.cluster_profile.pull_secret.secret, null) + } + + api_server_profile = { + visibility = title(var.settings.api_server_profile.visibility) + } + + ingress_profiles = [ + for ingress_profile in var.settings.ingress_profiles : { + name = ingress_profile.name + visibility = title(ingress_profile.visibility) + } + ] + + network_profile = { + podCidr = var.settings.network_profile.pod_cidr + serviceCidr = var.settings.network_profile.service_cidr + } + +} + +## getting SP details from for AKV secrets in case provided +data "azurerm_key_vault_secret" "id" { + count = can(var.settings.service_principal.client_id) ? 
0 : 1 + name = format("%s-client-id", var.settings.service_principal.keyvault.secret_prefix) + key_vault_id = var.combined_resources.keyvaults[try(var.settings.service_principal.keyvault.lz_key, var.client_config.landingzone_key)][var.settings.service_principal.keyvault.key].id +} + +data "azurerm_key_vault_secret" "password" { + count = can(var.settings.service_principal.client_secret) ? 0 : 1 + name = format("%s-client-secret", var.settings.service_principal.keyvault.secret_prefix) + key_vault_id = var.combined_resources.keyvaults[try(var.settings.service_principal.keyvault.lz_key, var.client_config.landingzone_key)][var.settings.service_principal.keyvault.key].id +} + +## direct pull secret with secret_id literals +data "azurerm_key_vault_secret" "pull_secret" { + count = can(var.settings.cluster_profile.pull_secret.secret_id) ? 1 : 0 + name = var.settings.cluster_profile.pull_secret.secret_name + key_vault_id = var.settings.cluster_profile.pull_secret.secret_id +} \ No newline at end of file diff --git a/modules/compute/azure_redhat_openshift/main.tf b/modules/compute/azure_redhat_openshift/main.tf new file mode 100644 index 0000000000..cb6f049c40 --- /dev/null +++ b/modules/compute/azure_redhat_openshift/main.tf @@ -0,0 +1,19 @@ +terraform { + # required_version = ">= 1.0" + required_providers { + azapi = { + source = "Azure/azapi" + } + azurecaf = { + source = "aztfmod/azurecaf" + } + } +} + +locals { + module_tag = { + "module" = basename(abspath(path.module)) + } + tags = merge(var.base_tags, local.module_tag, try(var.settings.tags, null)) +} + diff --git a/modules/compute/azure_redhat_openshift/outputs.tf b/modules/compute/azure_redhat_openshift/outputs.tf new file mode 100644 index 0000000000..69486bc178 --- /dev/null +++ b/modules/compute/azure_redhat_openshift/outputs.tf 
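Review bot: The pull-secret lookup in `data.azurerm_key_vault_secret.pull_secret` does not match the shape the examples document: it uses `pull_secret.secret_id` as `key_vault_id` and requires `pull_secret.secret_name`, while the examples show `secret_id = "resource_id_of_the_secret"` and no `secret_name`, so the documented Key Vault form fails at plan time and the only form that works is the `secret` literal, which puts the Red Hat pull secret into committed tfvars. Rename the inputs to what they are (`keyvault_id` + `secret_name`) and replace the misleading `## direct pull secret with secret_id literals` comment with `## pull secret read from Key Vault; the 'secret' literal form keeps registry credentials in tfvars and should be avoided` — the same caution applies to the `client_secret` literal branch in `local.service_principal`. The disk-encryption-set branches index `combined_resources.disk_encryption_sets[try(...disk_encryption_sets.lz_key, ...)]` (plural) but key on `disk_encryption_set_key` (singular), so an `lz_key` supplied next to the key is never honoured; pick one spelling. `resourceGroupId` indexes `azurecaf_name.aro_res_rg[0]` unconditionally when `resource_group.id` is absent, which errors if `resource_group.name` is also missing; a `precondition` or `try(azurecaf_name.aro_res_rg[0].result, null)` would give a clear failure instead of an index error.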
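Review bot: The module declares `azapi` with no version constraint and leaves `required_version` commented out, while the root `main.tf` in this same PR moves azapi from `~> 0.2.0` to `~> 1.0.0` — a major bump whose resource schema this module is written against. Add `version = "~> 1.0"` to the `azapi` entry and a one-line comment `# azapi 1.x: body/schema used by aro.tf`, so the module fails fast if consumed from a root that still pins 0.x.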
@@ -0,0 +1,9 @@
+output "name" {
+ value = azapi_resource.aro.name
+ description = "Specifies the name of the managed environment."
+}
+
+output "id" {
+ value = azapi_resource.aro.id
+ description = "Specifies the resource id of the managed environment."
+}
diff --git a/modules/compute/azure_redhat_openshift/variables.tf b/modules/compute/azure_redhat_openshift/variables.tf
new file mode 100644
index 0000000000..d6ade0d55b
--- /dev/null
+++ b/modules/compute/azure_redhat_openshift/variables.tf
@@ -0,0 +1,25 @@
+variable "resource_group" {
+ description = "(Required) The resource id of the resource group in which to create the resource. Changing this forces a new resource to be created."
+ type = string
+}
+variable "resource_group_name" {}
+
+variable "location" {
+ description = "(Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created."
+ type = string
+}
+
+variable "base_tags" {}
+variable "client_config" {}
+variable "diagnostic_profiles" {}
+variable "combined_diagnostics" {}
+variable "combined_resources" {
+ description = "Provide a map of combined resources for environment_variables_from_resources"
+ default = {}
+}
+variable "global_settings" {}
+variable "settings" {}
+variable "dynamic_keyvault_secrets" {
+ description = "Provide credenrials for private image registries"
+ default = {}
+}
diff --git a/modules/messaging/eventgrid/eventgrid_event_subscription/output.tf b/modules/messaging/eventgrid/eventgrid_event_subscription/output.tf
index 779b340ab7..5394580fd6 100755
--- a/modules/messaging/eventgrid/eventgrid_event_subscription/output.tf
+++ b/modules/messaging/eventgrid/eventgrid_event_subscription/output.tf
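Review bot: Both output descriptions say "managed environment", which is Container Apps wording that does not describe an OpenShift cluster and will mislead anyone wiring `module.aro[...].id` into diagnostics or role assignments. Change them to `description = "Name of the Azure Red Hat OpenShift cluster."` and `description = "Resource id of the Azure Red Hat OpenShift cluster."`. Since `azapi_resource.aro` also exposes its full `body` (which includes the client secret) as an attribute, a comment above these outputs stating that only `name` and `id` are intentionally exported, and that `body` must never be added without `sensitive = true`, would guard the root `output "aro"` that re-exports everything here.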
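Review bot: `diagnostic_profiles`, `combined_diagnostics` and `dynamic_keyvault_secrets` are declared but nothing in the module's other files (`aro.tf`, `locals.tf`, `main.tf`) references them, so a caller who passes `diagnostic_profiles` for the cluster gets no diagnostic setting and no error — API-server and audit logs are silently never forwarded. Either wire a diagnostics call, or make the gap explicit with `description = "Not implemented: no diagnostic settings are created for the ARO cluster yet"` on `diagnostic_profiles` and `combined_diagnostics`. The `dynamic_keyvault_secrets` description has a typo (`credenrials`) and its stated purpose (private image registries) matches nothing this module does; the `combined_resources` description likewise still mentions `environment_variables_from_resources`, which is copied from another module. `resource_group_name` and `settings` carry no description at all; `settings` in particular should say which keys are read (`service_principal`, `cluster_profile`, `master_profile`, `worker_profiles`, `ingress_profiles`, `api_server_profile`, `network_profile`) and that `client_secret`/`pull_secret.secret` literals end up in state.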
@@ -2,7 +2,8 @@ output "id" {
 value = azurerm_eventgrid_event_subscription.eges.id
 description = "The ID of the EventGrid Event Subscription."
 }
-output "topic_name" {
- value = azurerm_eventgrid_event_subscription.eges.topic_name
- description = " Specifies the name of the topic to associate with the event subscription."
-}
+# deprecated
+# output "topic_name" {
+# value = azurerm_eventgrid_event_subscription.eges.topic_name
+# description = " Specifies the name of the topic to associate with the event subscription."
+# }
diff --git a/rover_on_ssh_host.yml b/rover_on_ssh_host.yml
index 16387b526c..86c5c75f2a 100644
--- a/rover_on_ssh_host.yml
+++ b/rover_on_ssh_host.yml
@@ -11,7 +11,7 @@ version: '3.7'
 services:
 rover:
- image: aztfmod/rover:1.2.5-2208.0208
+ image: aztfmod/rover:1.3.1-2210.0303
 user: vscode