Merge pull request humanitec-architecture#12 from htc-demo-00-azure/c…

…luster-issuer

feat: output aks_cluster_issuer_url

Makefile

@@ -8,6 +8,8 @@ docs:
 	terraform-docs --lockfile=false ./modules/base
 	terraform-docs --config docs/.terraform-docs.yaml .
 	terraform-docs --config docs/.terraform-docs-example.yaml .
+	terraform-docs --config docs/.terraform-docs.yaml ./examples/with-backstage
+	terraform-docs --config docs/.terraform-docs-example.yaml ./examples/with-backstage
 
 # Format all terraform files
 fmt:

README.md

@@ -216,6 +216,12 @@ Once you are finished with the reference architecture, you can remove all provis
 | location | Azure region to deploy into | `string` | n/a | yes |
 | subscription\_id | Azure Subscription (ID) to use | `string` | n/a | yes |
 | vm\_size | The Azure VM instances type to use as "Agents" (aka Kubernetes Nodes) in AKS | `string` | `"Standard_D2_v2"` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| aks\_cluster\_issuer\_url | Issuer URL for the OpenID Connect discovery endpoint |
 <!-- END_TF_DOCS -->
 
 ## Learn more

examples/with-backstage/README.md

@@ -85,52 +85,49 @@ Once you are finished with the reference architecture, you can remove all provis
 | Name | Version |
 |------|---------|
 | terraform | >= 1.3.0 |
-| Azure | ~> 5.17 |
+| azapi | ~> 1.11 |
+| azuread | ~> 2.47 |
+| azurerm | ~> 3.87 |
 | github | ~> 5.38 |
+| helm | ~> 2.12 |
 | humanitec | ~> 1.0 |
+| kubernetes | ~> 2.25 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| Azure | ~> 5.17 |
+| azurerm | ~> 3.87 |
 | github | ~> 5.38 |
 | humanitec | ~> 1.0 |
 
 ### Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| backstage\_ecr | terraform-Azure-modules/ecr/Azure | ~> 1.6 |
-| backstage\_iam\_policy\_ecr\_create\_repository | git::<https://github.com/humanitec-architecture/resource-packs-Azure.git//humanitec-resource-defs/iam-policy/ecr-create-repository> | n/a |
-| backstage\_iam\_role\_service\_account | git::<https://github.com/humanitec-architecture/resource-packs-Azure.git//humanitec-resource-defs/iam-role/service-account> | n/a |
-| backstage\_k8s\_service\_account | git::<https://github.com/humanitec-architecture/resource-packs-Azure.git//humanitec-resource-defs/k8s/service-account> | n/a |
-| backstage\_mysql | git::<https://github.com/humanitec-architecture/resource-packs-in-cluster.git//humanitec-resource-defs/mysql/basic> | n/a |
-| backstage\_postgres | git::<https://github.com/humanitec-architecture/resource-packs-in-cluster.git//humanitec-resource-defs/postgres/basic> | n/a |
-| backstage\_workload | git::<https://github.com/humanitec-architecture/resource-packs-Azure.git//humanitec-resource-defs/workload/service-account> | n/a |
+| backstage\_mysql | git::https://github.com/humanitec-architecture/resource-packs-in-cluster.git//humanitec-resource-defs/mysql/basic | main |
+| backstage\_postgres | git::https://github.com/humanitec-architecture/resource-packs-in-cluster.git//humanitec-resource-defs/postgres/basic | main |
 | base | ../../modules/base | n/a |
-| iam\_github\_oidc\_provider | terraform-Azure-modules/iam/Azure//modules/iam-github-oidc-provider | ~> 5.30 |
-| iam\_github\_oidc\_role | terraform-Azure-modules/iam/Azure//modules/iam-github-oidc-role | ~> 5.30 |
 
 ### Resources
 
 | Name | Type |
 |------|------|
-| [Azure_iam_policy.ecr_push_policy](https://registry.terraform.io/providers/hashicorp/Azure/latest/docs/resources/iam_policy) | resource |
+| [azurerm_federated_identity_credential.github_oidc_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource |
+| [azurerm_role_assignment.github_oidc_identity_acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_user_assigned_identity.github_oidc_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
 | [github_actions_organization_secret.backstage_humanitec_token](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource |
-| [github_actions_organization_variable.backstage_Azure_region](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
-| [github_actions_organization_variable.backstage_Azure_role_arn](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.backstage_azure_acr_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.backstage_azure_client_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.backstage_azure_subscription_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.backstage_azure_tenant_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.backstage_cloud_provider](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.backstage_humanitec_org_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_repository_oidc_subject_claim_customization_template.backstage](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_repository_oidc_subject_claim_customization_template) | resource |
 | [github_repository.backstage](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
 | [humanitec_application.backstage](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
-| [humanitec_resource_definition_criteria.backstage_iam_policy_ecr_create_repository](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_resource_definition_criteria.backstage_iam_role_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_resource_definition_criteria.backstage_k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.backstage_mysql](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.backstage_postgres](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_resource_definition_criteria.backstage_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_value.Azure_default_region](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
 | [humanitec_value.backstage_cloud_provider](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
 | [humanitec_value.backstage_github_app_client_id](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
 | [humanitec_value.backstage_github_app_client_secret](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
@@ -145,12 +142,16 @@ Once you are finished with the reference architecture, you can remove all provis
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| Azure\_account\_id | Azure Account (ID) to use | `string` | n/a | yes |
-| Azure\_region | Azure region | `string` | n/a | yes |
 | github\_org\_id | GitHub org id | `string` | n/a | yes |
 | humanitec\_ci\_service\_user\_token | Humanitec CI Service User Token | `string` | n/a | yes |
 | humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes |
-| disk\_size | Disk size in GB to use for EKS nodes | `number` | `20` | no |
-| instance\_types | List of EC2 instances types to use for EKS nodes | `list(string)` | <pre>[<br>  "t3.large"<br>]</pre> | no |
-| resource\_packs\_Azure\_rev | Revision of the resource-packs-Azure repository to use | `string` | `"refs/heads/main"` | no |
+| location | Azure region to deploy into | `string` | n/a | yes |
+| subscription\_id | Azure Subscription (ID) to use | `string` | n/a | yes |
+| vm\_size | The Azure VM instances type to use as "Agents" (aka Kubernetes Nodes) in AKS | `string` | `"Standard_D2_v2"` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| aks\_cluster\_issuer\_url | Issuer URL for the OpenID Connect discovery endpoint |
 <!-- END_TF_DOCS -->

examples/with-backstage/outputs.tf

@@ -0,0 +1,23 @@
+# output "aks_cluster_issuer_url" {
+#   description = "Issuer URL for the OpenID Connect discovery endpoint"
+#   value       = module.base.aks_oidc_issuer_url
+# }
+#
+# output "user_assigned_identity" {
+#   value = azurerm_user_assigned_identity.operator
+# }
+# output "tenant_id" {
+#   value = data.azurerm_subscription.current.tenant_id
+# }
+#
+# output "client_id" {
+#   value = azuread_service_principal.humanitec_orchestrator_vault.client_id
+# }
+# output "secret_value" {
+#   value = nonsensitive(azuread_service_principal_password.humanitec_orchestrator_vault.value)
+# }
+#
+# output "humanitec_orchestrator_application" {
+#   value = azuread_application.humanitec_orchestrator
+# }
+#

examples/with-backstage/poc-humanitec-storage.tf

@@ -0,0 +1,36 @@
+resource "azurerm_storage_account" "storage_account_humanitec" {
+  name                     = "humanitecplatformprod"
+  resource_group_name      = module.base.az_resource_group_name
+  location                 = module.base.az_resource_group_location
+  account_tier             = "Standard" # Adjust tier and replication type as needed
+  account_replication_type = "LRS"
+}
+
+# Create Storage Container
+resource "azurerm_storage_container" "shared_container" {
+  name                 = "shared"
+  storage_account_name = azurerm_storage_account.storage_account_humanitec.name
+}
+
+
+resource "humanitec_resource_definition" "shared-storage" {
+  driver_type = "humanitec/echo"
+  id          = "shared-storage"
+  name        = "shared-storage"
+  type        = "azure-blob"
+
+  driver_inputs = {
+    values_string = jsonencode({
+      "account"   = azurerm_storage_account.storage_account_humanitec.name,
+      "container" = azurerm_storage_container.shared_container.name,
+      "location"  = module.base.az_resource_group_location
+    })
+  }
+
+}
+
+
+resource "humanitec_resource_definition_criteria" "shared-storage" {
+  resource_definition_id = humanitec_resource_definition.shared-storage.id
+}
+

examples/with-backstage/poc-humanitec-vault-confidential.tf

@@ -0,0 +1,174 @@
+#
+# Connect humanitec with condifdential secrets stored in Azure Key Vault
+# Humanitec Orchestrator should not have access to the vault in any ways, just the kubernetes operator should but as RO
+# 
+
+resource "azurerm_key_vault" "humanitec_poc_confidential" {
+  name                = var.vault_name_confidential
+  location            = module.base.az_resource_group_location
+  resource_group_name = data.azurerm_resource_group.main.name
+
+  tenant_id = data.azurerm_subscription.current.tenant_id
+
+  sku_name                   = "premium"
+  soft_delete_retention_days = 7
+  enable_rbac_authorization  = true
+
+}
+
+# Create a role assignment for the current user
+resource "azurerm_role_assignment" "self-confidential" {
+  scope                = azurerm_key_vault.humanitec_poc_confidential.id
+  principal_id         = data.azurerm_client_config.current.object_id
+  role_definition_name = "Key Vault Administrator"
+}
+
+
+#
+# Humanitec Operator should have RO access to the confidential vault
+#
+
+# Asign a role to the managed identity used by Humanitec Operator
+resource "azurerm_role_assignment" "vault-confidential-confidential-ro" {
+  scope                = azurerm_key_vault.humanitec_poc_confidential.id
+  role_definition_name = data.azurerm_role_definition.kv-secret-ro.name
+  principal_id         = azurerm_user_assigned_identity.operator.principal_id
+}
+
+
+# Register the secret store confidential with the Operator 
+
+resource "kubernetes_manifest" "register_operator_secret_store_confidential" {
+  manifest = {
+    apiVersion = "humanitec.io/v1alpha1"
+    kind       = "SecretStore"
+    metadata = {
+      name      = var.secret_store_confidential_id
+      namespace = var.humanitec_operator_namespace
+      labels = {
+        "app.humanitec.io/default-store" = "false"
+      }
+    }
+    spec = {
+      azurekv = {
+        url      = azurerm_key_vault.humanitec_poc_confidential.vault_uri
+        tenantID = data.azurerm_client_config.current.tenant_id
+        auth : {}
+      }
+    }
+  }
+  depends_on = [helm_release.humanitec_operator]
+
+}
+
+
+#
+# TODO: Ask Humanitec SME does the orchestrator need to have access to the vault even as RO?
+# If we are just using references only the k8s should have access the Humanitec Orchestrator shouldn't 
+
+resource "azurerm_role_assignment" "humanitec_orchestrator_vault_confidential" {
+  count = var.enable_orchestrator_access_confidential ? 1 : 0
+
+  scope                = azurerm_key_vault.humanitec_poc_confidential.id
+  role_definition_name = data.azurerm_role_definition.kv-secret-ro.name
+  principal_id         = azuread_service_principal.humanitec_orchestrator_vault.id
+
+  depends_on = [azurerm_key_vault.humanitec_poc_confidential]
+}
+
+# Register the secret store with the Platform Orchestrator
+
+resource "humanitec_secretstore" "humanitec_orchestrator_officer_confidential" {
+  id = "azurepoc-confidential"
+  # primary = true
+  azurekv = {
+    url       = azurerm_key_vault.humanitec_poc_confidential.vault_uri
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    auth = {
+      client_id     = azuread_service_principal.humanitec_orchestrator_vault.client_id
+      client_secret = azuread_service_principal_password.humanitec_orchestrator_vault.value
+    }
+  }
+
+  depends_on = [azurerm_key_vault.humanitec_poc_confidential]
+}
+
+# create secret in the vault
+resource "azurerm_key_vault_secret" "master_secret_confidential" {
+  name         = "master-secret"
+  value        = "secret-password-confidential-001"
+  key_vault_id = azurerm_key_vault.humanitec_poc_confidential.id
+}
+
+
+resource "azurerm_key_vault_secret" "mysql_username_confidential" {
+  name         = "central-mysql-username"
+  value        = "username-central-confidential-azure"
+  key_vault_id = azurerm_key_vault.humanitec_poc_confidential.id
+}
+
+resource "azurerm_key_vault_secret" "mysql_password_confidential" {
+  name         = "central-mysql-password"
+  value        = "password-central-confidential-azure"
+  key_vault_id = azurerm_key_vault.humanitec_poc_confidential.id
+}
+
+# Create a resource in humanitec this should be used only in production
+resource "humanitec_resource_definition" "mysql-confidential" {
+  id          = "mysql-confidential"
+  name        = "central-confidential"
+  type        = "mysql"
+  driver_type = "humanitec/echo"
+
+  driver_inputs = {
+    values_string = jsonencode({
+      name = "central-db1"
+      host = "central.mysql.database.confidential.myapp.thoughtworks.com"
+      user = azurerm_key_vault_secret.mysql_username_confidential.name
+      port = 3306
+    })
+    secret_refs = jsonencode({
+      username = {
+        store = humanitec_secretstore.humanitec_orchestrator_officer_confidential.id
+        ref   = azurerm_key_vault_secret.mysql_username_confidential.name
+      }
+      password = {
+        store = humanitec_secretstore.humanitec_orchestrator_officer_confidential.id
+        ref   = azurerm_key_vault_secret.mysql_password_confidential.name
+      }
+    })
+  }
+
+  depends_on = [humanitec_secretstore.humanitec_orchestrator_officer_confidential]
+
+}
+
+resource "humanitec_resource_definition_criteria" "mysql-confidential" {
+  resource_definition_id = humanitec_resource_definition.mysql-confidential.id
+  env_type               = "production"
+  env_id                 = "production"
+}
+
+#
+# Create shared secret in the vault
+#
+resource "azurerm_key_vault_secret" "client_api_token_confidential" {
+  name         = "client-api-token"
+  value        = uuid()
+  key_vault_id = azurerm_key_vault.humanitec_poc_confidential.id
+}
+
+
+# Create reference to the secret stored in kv
+# resource "humanitec_value" "poc_shared_secret_confidential" {
+#   app_id      = humanitec_application.demo_app.id
+#   key         = "client-api-token"
+#   description = "client api token - shared secret created in Terraform "
+#   is_secret   = true
+#   secret_ref = {
+#     store = humanitec_secretstore.humanitec_orchestration_officer_confidential.id
+#     ref   = azurerm_key_vault_secret.client_api_token_confidential.name
+#   }
+# }
+
+