add azure vendor access module (#51)
* add azure vendor access module
* add ci test
* fix terraform version
* update docs
* use app reg instead of managed identity
* sep to two modules
* add docs
* support dns zone ids
* remove unused vars
* update roles
* add subs level permission for role assignment
* fix
* use uami
* fix ci and docs
Showing 16 changed files with 957 additions and 2 deletions.
@@ -0,0 +1,92 @@ | ||
# Copyright 2023 StreamNative, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
provider "azurerm" { | ||
features { | ||
|
||
} | ||
} | ||
|
||
provider "azuread" { | ||
|
||
} | ||
|
||
module "azure-sn-cloud-manager" { | ||
source = "../../modules/azure/sn-cloud-manager" | ||
|
||
resource_group_location = "westus2" | ||
streamnative_org_id = "streamnative" | ||
} | ||
|
||
|
||
module "azure-managed-cloud" { | ||
source = "../../modules/azure/vendor-access" | ||
|
||
resource_group_name = "azure-westus2-aks-test" | ||
resource_group_location = "westus2" | ||
|
||
streamnative_org_id = "streamnative" | ||
sn_automation_client_id = module.azure-sn-cloud-manager.sn_automation_client_id | ||
sn_support_client_id = module.azure-sn-cloud-manager.sn_support_client_id | ||
sn_automation_principal_id = module.azure-sn-cloud-manager.sn_automation_principal_id | ||
sn_support_principal_id = module.azure-sn-cloud-manager.sn_support_principal_id | ||
|
||
depends_on = [module.azure-sn-cloud-manager] | ||
} | ||
|
||
|
||
output "additional_roles" { | ||
value = module.azure-managed-cloud.additional_roles | ||
description = "The additional roles created by this module" | ||
} | ||
|
||
output "resource_group_name" { | ||
value = module.azure-managed-cloud.resource_group_name | ||
description = "The name of the resource group where the AKS cluster will be created" | ||
} | ||
|
||
output "streamnative_org_id" { | ||
value = module.azure-managed-cloud.streamnative_org_id | ||
description = "An external ID that correspond to your Organization within StreamNative Cloud, used for all managed identities created by the module. This will be the organization ID in the StreamNative console, e.g. \"o-xhopj\"." | ||
} | ||
|
||
output "sn_support_principal_id" { | ||
value = module.azure-managed-cloud.sn_support_principal_id | ||
description = "The principal ID of the sn support service principal for StreamNative Cloud support access" | ||
} | ||
|
||
output "sn_automation_principal_id" { | ||
value = module.azure-managed-cloud.sn_automation_principal_id | ||
description = "The principal ID of the sn support service principal for StreamNative Cloud support access" | ||
} | ||
|
||
output "sn_automation_client_id" { | ||
value = module.azure-managed-cloud.sn_automation_client_id | ||
description = "The client ID of the sn automation service principal for StreamNative Cloud automation" | ||
} | ||
|
||
output "sn_support_client_id" { | ||
value = module.azure-managed-cloud.sn_support_client_id | ||
description = "The client ID of the sn support service principal for StreamNative Cloud support access" | ||
} | ||
|
||
output "subscription_id" { | ||
value = module.azure-managed-cloud.subscription_id | ||
description = "The subscription ID of the AKS cluster" | ||
} | ||
|
||
output "tenant_id" { | ||
value = module.azure-managed-cloud.tenant_id | ||
description = "The tenant ID of the AKS cluster" | ||
} |
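Review bot: the `sn_automation_principal_id` output near the end of the hunk reuses the support principal's description ("The principal ID of the sn support service principal for StreamNative Cloud support access"); it should read "The principal ID of the sn automation service principal for StreamNative Cloud automation", matching the `sn_automation_client_id` output directly below it. Minor: `depends_on = [module.azure-sn-cloud-manager]` is redundant here, since the four `module.azure-sn-cloud-manager.*` input references already establish that dependency; dropping it lets Terraform order the two modules at resource granularity instead of waiting for the whole module.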
@@ -0,0 +1,115 @@ | ||
<!-- | ||
~ Copyright 2023 StreamNative, Inc. | ||
~ | ||
~ Licensed under the Apache License, Version 2.0 (the "License"); | ||
~ you may not use this file except in compliance with the License. | ||
~ You may obtain a copy of the License at | ||
~ | ||
~ http://www.apache.org/licenses/LICENSE-2.0 | ||
~ | ||
~ Unless required by applicable law or agreed to in writing, software | ||
~ distributed under the License is distributed on an "AS IS" BASIS, | ||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
~ See the License for the specific language governing permissions and | ||
~ limitations under the License. | ||
--> | ||
|
||
# StreamNative Managed Cloud on Azure | ||
|
||
This repository contains Terraform modules for the management of StreamNative's vendor access to Azure. | ||
|
||
There are two modules in this repository: | ||
|
||
- [modules/azure/sn-cloud-manager](modules/azure/sn-cloud-manager): This module creates Microsoft Entra Application Registrations and related service principals within your Azure subscription & Microsoft Entra ID. These resources give StreamNative access only for the provisioning and management of StreamNative's Managed Cloud offering. | ||
- [modules/azure/vendor-access](modules/azure/vendor-access): This module creates an Azure Resource Group within your Azure subscription. The module also helps to configure the role assignments for the StreamNative Managed Cloud service principals created by `sn-cloud-manager` module. | ||
|
||
## Quickstart | ||
|
||
### Pre-requisites | ||
To use this module you must have [Terraform installed](https://learn.hashicorp.com/tutorials/terraform/install-cli) and be [familiar](https://developer.hashicorp.com/terraform/tutorials/azure-get-started) with its usage for Azure. It is recommended to securely store the Terraform configuration you create in source control, as well as use [Terraform's Remote State](https://www.terraform.io/language/state/remote) for storing the `*.tfstate` file. | ||
|
||
### Using `sn-cloud-manager` module | ||
|
||
For each Microsoft Entra ID, you will need to run this module once to create the `automation` and `support` Application Registrations and related service principals. Below is an example of how to use this module: | ||
|
||
```hcl | ||
provider "azurerm" { | ||
features { | ||
} | ||
} | ||
provider "azuread" {} | ||
module "azure-sn-cloud-manager" { | ||
source = "github.com/streamnative/terraform-managed-cloud//modules/azure/sn-cloud-manager?ref=master" | ||
resource_group_location = "westus2" | ||
streamnative_org_id = "o-12345" | ||
} | ||
``` | ||
|
||
### Using `vendor-access` module | ||
|
||
For each AKS cluster, you will need to run this module once to create the Azure Resource Group and configure the role assignments for the StreamNative Managed Cloud service principals. Below is an example of how to use this module: | ||
|
||
```hcl | ||
provider "azurerm" { | ||
features { | ||
} | ||
} | ||
provider "azuread" {} | ||
module "azure-managed-cloud" { | ||
source = "github.com/streamnative/terraform-managed-cloud//modules/azure/vendor-access?ref=master" | ||
resource_group_name = "azure-westus2-aks-test" | ||
resource_group_location = "westus2" | ||
streamnative_org_id = "o-12345" | ||
} | ||
``` | ||
|
||
### Using `sn-cloud-manager` and `vendor-access` modules together | ||
|
||
Below is an example of how to use both modules together: | ||
|
||
```hcl | ||
provider "azurerm" { | ||
features { | ||
} | ||
} | ||
provider "azuread" {} | ||
module "azure-sn-cloud-manager" { | ||
source = "github.com/streamnative/terraform-managed-cloud//modules/azure/sn-cloud-manager?ref=master" | ||
resource_group_location = "westus2" | ||
streamnative_org_id = "o-12345" | ||
} | ||
module "azure-managed-cloud" { | ||
source = "github.com/streamnative/terraform-managed-cloud//modules/azure/vendor-access?ref=master" | ||
resource_group_name = "azure-westus2-aks-test" | ||
resource_group_location = "westus2" | ||
streamnative_org_id = "o-12345" | ||
depends_on = [ | ||
module.azure-sn-cloud-manager | ||
] | ||
} | ||
``` | ||
|
||
To run the example, execute the following commands: | ||
|
||
```shell | ||
terraform init | ||
terraform plan | ||
terraform apply | ||
``` |
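Review bot: all three `source` lines pin the modules with `?ref=master`, so `terraform init` pulls whatever the branch head happens to be; for a module that grants a third party role assignments inside the customer's subscription, the README should pin to a release tag (`?ref=vX.Y.Z` as a placeholder) and tell users to review the diff before bumping. Also, the standalone `vendor-access` example passes only `resource_group_name`, `resource_group_location` and `streamnative_org_id`, while the example added in this same commit wires `sn_automation_client_id`, `sn_support_client_id` and the two `*_principal_id` inputs from `azure-sn-cloud-manager`; if those inputs are required, this snippet fails at plan time and should show them.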
@@ -0,0 +1,87 @@ | ||
<!-- | ||
~ Copyright 2023 StreamNative, Inc. | ||
~ | ||
~ Licensed under the Apache License, Version 2.0 (the "License"); | ||
~ you may not use this file except in compliance with the License. | ||
~ You may obtain a copy of the License at | ||
~ | ||
~ http://www.apache.org/licenses/LICENSE-2.0 | ||
~ | ||
~ Unless required by applicable law or agreed to in writing, software | ||
~ distributed under the License is distributed on an "AS IS" BASIS, | ||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
~ See the License for the specific language governing permissions and | ||
~ limitations under the License. | ||
--> | ||
|
||
# StreamNative Cloud - Azure Cloud Manger Module | ||
|
||
This Terraform module creates Microsoft Entra Application Registrations and related service principals within your Azure subscription & Microsoft Entra ID. These resources give StreamNative access only for the provisioning and management of StreamNative's Managed Cloud offering. | ||
|
||
For more information about StreamNative and our managed offerings for Apache Pulsar, visit our [website](https://streamnative.io/streamnativecloud/). | ||
|
||
## Module Overview | ||
|
||
This module creates the following resources: | ||
|
||
- Microsoft Entra Application Registration `automation` for StreamNative Managed Cloud resources | ||
- Service Principal for `automation` Application Registration | ||
- Access configuration for `automation` Application Registration | ||
- Microsoft Entra Application Registration `support` for StreamNative Managed Cloud resources | ||
- Service Principal for `support` Application Registration | ||
- Access configuration for `support` Application Registration | ||
|
||
## Usage | ||
|
||
To use this module you must have [Terraform installed](https://learn.hashicorp.com/tutorials/terraform/install-cli) and be [familiar](https://developer.hashicorp.com/terraform/tutorials/azure-get-started) with its usage for Azure. It is recommended to securely store the Terraform configuration you create in source control, as well as use [Terraform's Remote State](https://www.terraform.io/language/state/remote) for storing the `*.tfstate` file. | ||
|
||
## Requirements | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.3.0 | | ||
| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | < 3.0 | | ||
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | < 4.0 | | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.83.0 | | ||
|
||
## Modules | ||
|
||
No modules. | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|------|------| | ||
| [azurerm_federated_identity_credential.sn_automation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | | ||
| [azurerm_federated_identity_credential.sn_support](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | | ||
| [azurerm_resource_group.manager](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | ||
| [azurerm_role_assignment.subscription_rbac_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | ||
| [azurerm_user_assigned_identity.sn_automation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | | ||
| [azurerm_user_assigned_identity.sn_support](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | | ||
| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| <a name="input_additional_tags"></a> [additional\_tags](#input\_additional\_tags) | Additional tags to be added to the resources created by this module. | `map(any)` | `{}` | no | | ||
| <a name="input_resource_group_location"></a> [resource\_group\_location](#input\_resource\_group\_location) | The location of the resource group where the cloud manager IAMs will be created | `string` | n/a | yes | | ||
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group where the cloud manager IAMs will be created | `string` | `""` | no | | ||
| <a name="input_streamnative_automation_gsa_ids"></a> [streamnative\_automation\_gsa\_ids](#input\_streamnative\_automation\_gsa\_ids) | The GSAs will be used to provisioning StreamnNative cloud. | `map(string)` | <pre>{<br> "cloud_manager_sncloud_test_iam_gserviceaccount_com": "103687585001802233900",<br> "cloud_support_general_sncloud_test_iam_gserviceaccount_com": "103182365501883681520",<br> "pool_automation_sncloud_test_iam_gserviceaccount_com": "101134291802756860252"<br>}</pre> | no | | ||
| <a name="input_streamnative_org_id"></a> [streamnative\_org\_id](#input\_streamnative\_org\_id) | Your Organization ID within StreamNative Cloud, used for all resources created by the module. This will be the organization ID in the StreamNative console, e.g. "o-xhopj". | `string` | n/a | yes | | ||
| <a name="input_streamnative_support_access_gsa_ids"></a> [streamnative\_support\_access\_gsa\_ids](#input\_streamnative\_support\_access\_gsa\_ids) | The GSA will be used by StreamnNative support team. | `map(string)` | <pre>{<br> "cloud_support_general_sncloud_test_iam_gserviceaccount_com": "103182365501883681520"<br>}</pre> | no | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| <a name="output_resource_group_name"></a> [resource\_group\_name](#output\_resource\_group\_name) | The name of the resource group where the cloud manager IAMs will be created | | ||
| <a name="output_sn_automation_client_id"></a> [sn\_automation\_client\_id](#output\_sn\_automation\_client\_id) | The client ID of the sn automation service principal for StreamNative Cloud automation | | ||
| <a name="output_sn_automation_principal_id"></a> [sn\_automation\_principal\_id](#output\_sn\_automation\_principal\_id) | The principal ID of the sn automation service principal for StreamNative Cloud automation | | ||
| <a name="output_sn_support_client_id"></a> [sn\_support\_client\_id](#output\_sn\_support\_client\_id) | The client ID of the sn support service principal for StreamNative Cloud support access | | ||
| <a name="output_sn_support_principal_id"></a> [sn\_support\_principal\_id](#output\_sn\_support\_principal\_id) | The principal ID of the sn support service principal for StreamNative Cloud support access | |
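Review bot: the Module Overview says the module creates Microsoft Entra Application Registrations and service principals, but the Resources table lists `azurerm_user_assigned_identity.sn_automation`/`sn_support` plus two `azurerm_federated_identity_credential` resources (consistent with the "use uami" step in the commit message), so the first paragraph and the overview bullets should be rewritten to describe user-assigned managed identities with federated credentials. `azurerm_role_assignment.subscription_rbac_admin` grants a subscription-scoped role, yet neither the overview nor the inputs state which role, to which identity, or why subscription scope is needed; a customer granting a vendor this access needs that spelled out. Smaller points: the title reads "Manger" for "Manager"; "StreamnNative" appears twice in the Inputs descriptions; and the `streamnative_*_gsa_ids` inputs with `gserviceaccount_com` defaults look carried over from the GCP module and are likely unused here (the commit message mentions "remove unused vars"), so they should be dropped or their use documented.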