Merge pull request #67 from XenitAB/feature/group-vars

Make group settings variables

modules/azure/aks-global/README.md

@@ -26,13 +26,17 @@ This module is used to create resources that are used by AKS clusters.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | aks\_authorized\_ips | Authorized IPs to access AKS API | `list(string)` | n/a | yes |
+| aks\_group\_name\_prefix | Prefix for AKS Azure AD groups | `string` | `"aks"` | no |
+| azure\_ad\_group\_prefix | Prefix for Azure AD Groupss | `string` | `"az"` | no |
 | core\_name | The name for the core infrastructure | `string` | n/a | yes |
 | dns\_zone | The DNS Zone to create | `string` | n/a | yes |
 | environment | The environment name to use for the deploy | `string` | n/a | yes |
+| group\_name\_separator | Separator for group names | `string` | `"-"` | no |
 | location\_short | The Azure region short name. | `string` | n/a | yes |
 | name | The name to use for the deploy | `string` | n/a | yes |
 | namespaces | The namespaces that should be created in Kubernetes. | <pre>list(<br>    object({<br>      name                    = string<br>      delegate_resource_group = bool<br>      flux = object({<br>        enabled = bool<br>        repo    = string<br>      })<br>    })<br>  )</pre> | n/a | yes |
 | public\_ip\_prefix\_configuration | Configuration for public ip prefix | <pre>object({<br>    count         = number<br>    prefix_length = number<br>  })</pre> | <pre>{<br>  "count": 2,<br>  "prefix_length": 30<br>}</pre> | no |
+| service\_principal\_name\_prefix | Prefix for service principals | `string` | `"sp"` | no |
 | subscription\_name | The commonName for the subscription | `string` | n/a | yes |
 | unique\_suffix | Unique suffix that is used in globally unique resources names | `string` | `""` | no |
 

modules/azure/aks-global/aad-group.tf

@@ -1,31 +1,31 @@
 resource "azuread_group" "view" {
   for_each = { for ns in var.namespaces : ns.name => ns }
-  name     = "${local.aks_group_name_prefix}${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}${each.value.name}${local.group_name_separator}view"
+  name     = "${var.aks_group_name_prefix}${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}${each.value.name}${var.group_name_separator}view"
   #description             = "Members of this group will have view access to the ${each.value.name} namespace."
   prevent_duplicate_names = true
 }
 
 resource "azuread_group" "edit" {
   for_each = { for ns in var.namespaces : ns.name => ns }
-  name     = "${local.aks_group_name_prefix}${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}${each.value.name}${local.group_name_separator}edit"
+  name     = "${var.aks_group_name_prefix}${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}${each.value.name}${var.group_name_separator}edit"
   #description             = "Members of this group will have edit access to the ${each.value.name} namespace."
   prevent_duplicate_names = true
 }
 
 resource "azuread_group" "cluster_admin" {
-  name = "${local.aks_group_name_prefix}${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}clusteradmin"
+  name = "${var.aks_group_name_prefix}${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}clusteradmin"
   #description             = "Members of this group will have cluster admin access to the cluster."
   prevent_duplicate_names = true
 }
 
 resource "azuread_group" "cluster_view" {
-  name = "${local.aks_group_name_prefix}${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}clusterview"
+  name = "${var.aks_group_name_prefix}${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}clusterview"
   #description             = "Members of this group will have cluster viewer access to the cluster."
   prevent_duplicate_names = true
 }
 
 resource "azuread_group" "aks_managed_identity" {
-  name = "${local.aks_group_name_prefix}${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}aksmsi"
+  name = "${var.aks_group_name_prefix}${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}aksmsi"
   #description             = "The AKS cluster Managed Identity (MSI) will be members of this group to get access to different resources."
   prevent_duplicate_names = true
 }

modules/azure/aks-global/delegate-aks-rg.tf

@@ -5,7 +5,7 @@ data "azuread_group" "resource_group_owner" {
     ns.name => ns
     if ns.delegate_resource_group == true
   }
-  name = "${local.azure_ad_group_prefix}${local.group_name_separator}rg${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}${each.key}${local.group_name_separator}owner"
+  name = "${var.azure_ad_group_prefix}${var.group_name_separator}rg${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}${each.key}${var.group_name_separator}owner"
 }
 
 # Add data source for the Azure AD Group for resource group contributor
@@ -15,7 +15,7 @@ data "azuread_group" "resource_group_contributor" {
     ns.name => ns
     if ns.delegate_resource_group == true
   }
-  name = "${local.azure_ad_group_prefix}${local.group_name_separator}rg${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}${each.key}${local.group_name_separator}contributor"
+  name = "${var.azure_ad_group_prefix}${var.group_name_separator}rg${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}${each.key}${var.group_name_separator}contributor"
 }
 
 # Add data source for the Azure AD Group for resource group reader
@@ -25,7 +25,7 @@ data "azuread_group" "resource_group_reader" {
     ns.name => ns
     if ns.delegate_resource_group == true
   }
-  name = "${local.azure_ad_group_prefix}${local.group_name_separator}rg${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}${each.key}${local.group_name_separator}reader"
+  name = "${var.azure_ad_group_prefix}${var.group_name_separator}rg${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}${each.key}${var.group_name_separator}reader"
 }
 
 resource "azuread_group_member" "resource_group_owner" {

modules/azure/aks-global/helm-operator.tf

@@ -1,5 +1,5 @@
 resource "azuread_application" "helm_operator" {
-  name = "${local.service_principal_name_prefix}${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}${var.name}${local.group_name_separator}helmoperator"
+  name = "${var.service_principal_name_prefix}${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}${var.name}${var.group_name_separator}helmoperator"
 }
 
 resource "azuread_service_principal" "helm_operator" {

modules/azure/aks-global/locals.tf

@@ -1,10 +1,6 @@
 locals {
-  service_principal_name_prefix = "sp"
-  group_name_separator          = "-"
-  azure_ad_group_prefix         = "az"
-  aks_group_name_prefix         = "aks"
-  aks_public_ip_prefix_ids      = [for prefix in azurerm_public_ip_prefix.aks : prefix.id]
-  aks_public_ip_prefix_ips      = [for prefix in azurerm_public_ip_prefix.aks : prefix.ip_prefix]
+  aks_public_ip_prefix_ids = [for prefix in azurerm_public_ip_prefix.aks : prefix.id]
+  aks_public_ip_prefix_ips = [for prefix in azurerm_public_ip_prefix.aks : prefix.ip_prefix]
   aad_pod_identity = {
     for k, v in azurerm_user_assigned_identity.aad_pod_identity :
     k => { id = v.id, client_id = v.client_id }

modules/azure/aks-global/variables.tf

@@ -64,3 +64,27 @@ variable "unique_suffix" {
   type        = string
   default     = ""
 }
+
+variable "group_name_separator" {
+  description = "Separator for group names"
+  type        = string
+  default     = "-"
+}
+
+variable "azure_ad_group_prefix" {
+  description = "Prefix for Azure AD Groupss"
+  type        = string
+  default     = "az"
+}
+
+variable "service_principal_name_prefix" {
+  description = "Prefix for service principals"
+  type        = string
+  default     = "sp"
+}
+
+variable "aks_group_name_prefix" {
+  description = "Prefix for AKS Azure AD groups"
+  type        = string
+  default     = "aks"
+}

modules/azure/core/README.md

@@ -21,7 +21,9 @@ This module is used to create core resources like virtual network for the subscr
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| azure\_ad\_group\_prefix | Prefix for Azure AD Groupss | `string` | `"az"` | no |
 | environment | The environment name to use for the deploy | `string` | n/a | yes |
+| group\_name\_separator | Separator for group names | `string` | `"-"` | no |
 | name | The commonName to use for the deploy | `string` | n/a | yes |
 | peering\_config | Peering configuration | <pre>map(list(object({<br>    name                         = string<br>    remote_virtual_network_id    = string<br>    allow_forwarded_traffic      = bool<br>    use_remote_gateways          = bool<br>    allow_virtual_network_access = bool<br>  })))</pre> | `{}` | no |
 | regions | The Azure Regions to configure | <pre>list(object({<br>    location       = string<br>    location_short = string<br>  }))</pre> | n/a | yes |

modules/azure/core/delegate-service-endpoint-join.tf

@@ -18,7 +18,7 @@ resource "azurerm_role_definition" "service_endpoint_join" {
 }
 
 data "azuread_group" "service_endpoint_join" {
-  name = "${local.aad_group_prefix}${local.group_name_separator}sub${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}serviceEndpointJoin"
+  name = "${var.azure_ad_group_prefix}${var.group_name_separator}sub${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}serviceEndpointJoin"
 }
 
 resource "azurerm_role_assignment" "service_endpoint_join" {

modules/azure/core/locals.tf

@@ -30,7 +30,4 @@ locals {
       }
     ]
   ])
-
-  group_name_separator = "-"
-  aad_group_prefix     = "az"
 }

modules/azure/core/variables.tf

@@ -45,3 +45,15 @@ variable "peering_config" {
   })))
   default = {}
 }
+
+variable "group_name_separator" {
+  description = "Separator for group names"
+  type        = string
+  default     = "-"
+}
+
+variable "azure_ad_group_prefix" {
+  description = "Prefix for Azure AD Groupss"
+  type        = string
+  default     = "az"
+}

modules/azure/governance/README.md

@@ -23,11 +23,15 @@ This module is used to create resource groups, service principals, Azure AD grou
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| aks\_group\_name\_prefix | Prefix for AKS Azure AD groups | `string` | `"aks"` | no |
+| azure\_ad\_group\_prefix | Prefix for Azure AD Groupss | `string` | `"az"` | no |
 | core\_name | The commonName for the core infra | `string` | n/a | yes |
 | environment | The environment name to use for the deploy | `string` | n/a | yes |
+| group\_name\_separator | Separator for group names | `string` | `"-"` | no |
 | owner\_service\_principal\_name | The name of the service principal that will be used to run terraform and is owner of the subsciptions | `string` | n/a | yes |
 | regions | The Azure Regions to configure | <pre>list(object({<br>    location       = string<br>    location_short = string<br>  }))</pre> | n/a | yes |
 | resource\_group\_configs | Resource group configuration | <pre>list(<br>    object({<br>      common_name                = string<br>      delegate_aks               = bool # Delegate aks permissions<br>      delegate_key_vault         = bool # Delegate KeyVault creation<br>      delegate_service_endpoint  = bool # Delegate Service Endpoint permissions<br>      delegate_service_principal = bool # Delegate Service Principal<br>      tags                       = map(string)<br>    })<br>  )</pre> | n/a | yes |
+| service\_principal\_name\_prefix | Prefix for service principals | `string` | `"sp"` | no |
 | subscription\_name | The commonName for the subscription | `string` | n/a | yes |
 | unique\_suffix | Unique suffix that is used in globally unique resources names | `string` | `""` | no |
 

modules/azure/governance/aad-group-rg.tf

@@ -5,7 +5,7 @@ resource "azuread_group" "rg_owner" {
     rg.common_name => rg
   }
 
-  name                    = "${local.aad_group_prefix}${local.group_name_separator}rg${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}${each.value.common_name}${local.group_name_separator}owner"
+  name                    = "${var.azure_ad_group_prefix}${var.group_name_separator}rg${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}${each.value.common_name}${var.group_name_separator}owner"
   prevent_duplicate_names = true
 }
 
@@ -27,7 +27,7 @@ resource "azuread_group" "rg_contributor" {
     rg.common_name => rg
   }
 
-  name                    = "${local.aad_group_prefix}${local.group_name_separator}rg${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}${each.value.common_name}${local.group_name_separator}contributor"
+  name                    = "${var.azure_ad_group_prefix}${var.group_name_separator}rg${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}${each.value.common_name}${var.group_name_separator}contributor"
   prevent_duplicate_names = true
 }
 
@@ -49,7 +49,7 @@ resource "azuread_group" "rg_reader" {
     rg.common_name => rg
   }
 
-  name                    = "${local.aad_group_prefix}${local.group_name_separator}rg${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}${each.value.common_name}${local.group_name_separator}reader"
+  name                    = "${var.azure_ad_group_prefix}${var.group_name_separator}rg${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}${each.value.common_name}${var.group_name_separator}reader"
   prevent_duplicate_names = true
 }
 

modules/azure/governance/aad-group-sub-delegation.tf

@@ -1,6 +1,6 @@
 # Example: az-sub-<subName>-all-owner
 data "azuread_group" "all_owner" {
-  name = "${local.aad_group_prefix}${local.group_name_separator}sub${local.group_name_separator}${var.subscription_name}${local.group_name_separator}all${local.group_name_separator}owner"
+  name = "${var.azure_ad_group_prefix}${var.group_name_separator}sub${var.group_name_separator}${var.subscription_name}${var.group_name_separator}all${var.group_name_separator}owner"
 }
 
 resource "azuread_group_member" "sub_all_owner" {
@@ -10,7 +10,7 @@ resource "azuread_group_member" "sub_all_owner" {
 
 # Example: az-sub-<subName>-all-contributor
 data "azuread_group" "all_contributor" {
-  name = "${local.aad_group_prefix}${local.group_name_separator}sub${local.group_name_separator}${var.subscription_name}${local.group_name_separator}all${local.group_name_separator}contributor"
+  name = "${var.azure_ad_group_prefix}${var.group_name_separator}sub${var.group_name_separator}${var.subscription_name}${var.group_name_separator}all${var.group_name_separator}contributor"
 }
 
 resource "azuread_group_member" "sub_all_contributor" {
@@ -20,7 +20,7 @@ resource "azuread_group_member" "sub_all_contributor" {
 
 # Example: az-sub-<subName>-all-reader
 data "azuread_group" "all_reader" {
-  name = "${local.aad_group_prefix}${local.group_name_separator}sub${local.group_name_separator}${var.subscription_name}${local.group_name_separator}all${local.group_name_separator}reader"
+  name = "${var.azure_ad_group_prefix}${var.group_name_separator}sub${var.group_name_separator}${var.subscription_name}${var.group_name_separator}all${var.group_name_separator}reader"
 }
 
 resource "azuread_group_member" "sub_all_reader" {

modules/azure/governance/aad-group-sub.tf

@@ -1,6 +1,6 @@
 # AAD Group for Subscription Owners
 resource "azuread_group" "sub_owner" {
-  name                    = "${local.aad_group_prefix}${local.group_name_separator}sub${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}owner"
+  name                    = "${var.azure_ad_group_prefix}${var.group_name_separator}sub${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}owner"
   prevent_duplicate_names = true
 }
 
@@ -12,7 +12,7 @@ resource "azurerm_role_assignment" "sub_owner" {
 
 # AAD Group for Subscription Contributors
 resource "azuread_group" "sub_contributor" {
-  name                    = "${local.aad_group_prefix}${local.group_name_separator}sub${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}contributor"
+  name                    = "${var.azure_ad_group_prefix}${var.group_name_separator}sub${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}contributor"
   prevent_duplicate_names = true
 }
 
@@ -24,7 +24,7 @@ resource "azurerm_role_assignment" "sub_contributor" {
 
 # AAD Group for Subscription Readers
 resource "azuread_group" "sub_reader" {
-  name                    = "${local.aad_group_prefix}${local.group_name_separator}sub${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}reader"
+  name                    = "${var.azure_ad_group_prefix}${var.group_name_separator}sub${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}reader"
   prevent_duplicate_names = true
 }
 

modules/azure/governance/delegate-acr.tf

@@ -1,10 +1,10 @@
 resource "azuread_group" "acr_push" {
-  name                    = "${local.aks_group_name_prefix}${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}acrpush"
+  name                    = "${var.aks_group_name_prefix}${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}acrpush"
   prevent_duplicate_names = true
 }
 
 resource "azuread_group" "acr_pull" {
-  name                    = "${local.aks_group_name_prefix}${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}acrpull"
+  name                    = "${var.aks_group_name_prefix}${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}acrpull"
   prevent_duplicate_names = true
 }
 

modules/azure/governance/delegate-kv-sp.tf

@@ -5,7 +5,7 @@ resource "azuread_application" "delegate_kv_aad" {
     if rg.delegate_key_vault == true
   }
 
-  name = "${local.sp_name_prefix}${local.group_name_separator}rg${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}${each.key}${local.group_name_separator}kvreader"
+  name = "${var.service_principal_name_prefix}${var.group_name_separator}rg${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}${each.key}${var.group_name_separator}kvreader"
 }
 
 resource "azuread_service_principal" "delegate_kv_aad" {

modules/azure/governance/delegate-se.tf

@@ -1,5 +1,5 @@
 resource "azuread_group" "service_endpoint_join" {
-  name                    = "${local.aad_group_prefix}${local.group_name_separator}sub${local.group_name_separator}${var.subscription_name}${local.group_name_separator}${var.environment}${local.group_name_separator}serviceEndpointJoin"
+  name                    = "${var.azure_ad_group_prefix}${var.group_name_separator}sub${var.group_name_separator}${var.subscription_name}${var.group_name_separator}${var.environment}${var.group_name_separator}serviceEndpointJoin"
   prevent_duplicate_names = true
 }