-
Notifications
You must be signed in to change notification settings - Fork 28
/
cert.ci.jenkins.io.tf
157 lines (143 loc) · 8.35 KB
/
cert.ci.jenkins.io.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
module "cert_ci_jenkins_io" {
source = "./.shared-tools/terraform/modules/azure-jenkinsinfra-controller"
providers = {
azurerm = azurerm
azurerm.dns = azurerm
azuread = azuread
}
service_fqdn = data.azurerm_dns_zone.cert_ci_jenkins_io.name
location = data.azurerm_resource_group.cert_ci_jenkins_io.location
admin_username = local.admin_username
admin_ssh_publickey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDpxwvySus2OWViWfJ02XMYr+Qa/uPADhjt/4el2SmEf7NlJXzq5vc8imcw8YxQZKwuuKJhonlTYTpk1Cjka4bJKWNOSQ8+Kx0O2ZnNjKn3ZETWJB90bZXHVqbrNHDtu6lN6S/yRW9Q+6fuDbHBW0MXWI8Lsv+bU5v8Zll6m62rc00/I/IT9c1TX1qjCtjf5XHMFw7nVxQiTX2Zf5UKG3RI7mkCMDIvx2H9kXdzM8jtYwATZPHKHuLzffARmvy1FpNPVuLLEGYE3hljP82rll1WZbbl1ZrhjzbFUUYO4fsA7AOQHWhHiVLvtnreB269JOl/ZkHgk37zcdwJMkqKpqoEbjP9z8PURf5uMA7TiDGcpgcFMzoaFk1ueqoHM2JaM2AZQAkPhbUfT7MSOFYRx91OEg5pg5N17zNeaBM6fyxl3v7mkxSOTkKlzjAXPRyo7XsosUVQ4qb4DfsAAJ0Rynts2olRQLEzJku0ZxbbXotuoppI8HivRl7PoTsAASJRpc="
controller_network_name = data.azurerm_virtual_network.cert_ci_jenkins_io.name
controller_network_rg_name = data.azurerm_resource_group.cert_ci_jenkins_io.name
controller_subnet_name = data.azurerm_subnet.cert_ci_jenkins_io_controller.name
controller_data_disk_size_gb = 128
controller_vm_size = "Standard_D2as_v5"
default_tags = local.default_tags
jenkins_infra_ips = {
ldap_ipv4 = azurerm_public_ip.ldap_jenkins_io_ipv4.ip_address
puppet_ipv4 = azurerm_public_ip.puppet_jenkins_io.ip_address
privatevpn_subnet = data.azurerm_subnet.private_vnet_data_tier.address_prefixes
}
controller_service_principal_ids = [
data.azuread_service_principal.terraform_production.object_id,
]
controller_service_principal_end_date = "2025-02-02T00:00:00Z"
controller_packer_rg_ids = [
azurerm_resource_group.packer_images["prod"].id
]
agent_ip_prefixes = concat(
data.azurerm_subnet.cert_ci_jenkins_io_ephemeral_agents.address_prefixes,
data.azurerm_subnet.cert_ci_jenkins_io_sponsorship_ephemeral_agents.address_prefixes,
)
}
module "cert_ci_jenkins_io_azurevm_agents" {
source = "./.shared-tools/terraform/modules/azure-jenkinsinfra-azurevm-agents"
# Same RG as the controller to avoid accidental deletion when managing VMs for agents
service_fqdn = module.cert_ci_jenkins_io.service_fqdn
service_short_stripped_name = module.cert_ci_jenkins_io.service_short_stripped_name
ephemeral_agents_network_rg_name = data.azurerm_subnet.cert_ci_jenkins_io_ephemeral_agents.resource_group_name
ephemeral_agents_network_name = data.azurerm_subnet.cert_ci_jenkins_io_ephemeral_agents.virtual_network_name
ephemeral_agents_subnet_name = data.azurerm_subnet.cert_ci_jenkins_io_ephemeral_agents.name
controller_rg_name = module.cert_ci_jenkins_io.controller_resourcegroup_name
controller_ips = compact([module.cert_ci_jenkins_io.controller_public_ipv4])
controller_service_principal_id = module.cert_ci_jenkins_io.controller_service_principal_id
default_tags = local.default_tags
jenkins_infra_ips = {
privatevpn_subnet = data.azurerm_subnet.private_vnet_data_tier.address_prefixes
}
}
## Sponsorship subscription specific resources for controller
resource "azurerm_resource_group" "cert_ci_jenkins_io_controller_jenkins_sponsorship" {
provider = azurerm.jenkins-sponsorship
name = module.cert_ci_jenkins_io.controller_resourcegroup_name # Same name on both subscriptions
location = var.location
tags = local.default_tags
}
# Required to allow controller to check for subnets inside the sponsorship network
resource "azurerm_role_definition" "cert_ci_jenkins_io_controller_vnet_sponsorship_reader" {
provider = azurerm.jenkins-sponsorship
name = "Read-cert-ci-jenkins-io-sponsorship-VNET"
scope = data.azurerm_virtual_network.cert_ci_jenkins_io_sponsorship.id
permissions {
actions = ["Microsoft.Network/virtualNetworks/read"]
}
}
resource "azurerm_role_assignment" "cert_controller_vnet_reader" {
provider = azurerm.jenkins-sponsorship
scope = data.azurerm_virtual_network.cert_ci_jenkins_io_sponsorship.id
role_definition_id = azurerm_role_definition.cert_ci_jenkins_io_controller_vnet_sponsorship_reader.role_definition_resource_id
principal_id = module.cert_ci_jenkins_io.controller_service_principal_id
}
module "cert_ci_jenkins_io_azurevm_agents_jenkins_sponsorship" {
providers = {
azurerm = azurerm.jenkins-sponsorship
}
source = "./.shared-tools/terraform/modules/azure-jenkinsinfra-azurevm-agents"
service_fqdn = module.cert_ci_jenkins_io.service_fqdn
service_short_stripped_name = module.cert_ci_jenkins_io.service_short_stripped_name
ephemeral_agents_network_rg_name = data.azurerm_subnet.cert_ci_jenkins_io_sponsorship_ephemeral_agents.resource_group_name
ephemeral_agents_network_name = data.azurerm_subnet.cert_ci_jenkins_io_sponsorship_ephemeral_agents.virtual_network_name
ephemeral_agents_subnet_name = data.azurerm_subnet.cert_ci_jenkins_io_sponsorship_ephemeral_agents.name
controller_rg_name = azurerm_resource_group.cert_ci_jenkins_io_controller_jenkins_sponsorship.name
controller_ips = compact([module.cert_ci_jenkins_io.controller_public_ipv4])
controller_service_principal_id = module.cert_ci_jenkins_io.controller_service_principal_id
default_tags = local.default_tags
storage_account_name = "certciagentssub" # Max 24 chars
jenkins_infra_ips = {
privatevpn_subnet = data.azurerm_subnet.private_vnet_data_tier.address_prefixes
}
}
## Service DNS records
resource "azurerm_dns_a_record" "cert_ci_jenkins_io_controller" {
name = "controller"
zone_name = data.azurerm_dns_zone.cert_ci_jenkins_io.name
resource_group_name = data.azurerm_dns_zone.cert_ci_jenkins_io.resource_group_name
ttl = 60
records = [module.cert_ci_jenkins_io.controller_private_ipv4]
}
resource "azurerm_dns_a_record" "cert_ci_jenkins_io" {
name = "@" # Child zone: no CNAME possible!
zone_name = data.azurerm_dns_zone.cert_ci_jenkins_io.name
resource_group_name = data.azurerm_dns_zone.cert_ci_jenkins_io.resource_group_name
ttl = 60
records = [module.cert_ci_jenkins_io.controller_private_ipv4]
}
## Allow access to/from ACR endpoint
resource "azurerm_network_security_rule" "allow_out_https_from_cert_ephemeral_agents_to_acr" {
provider = azurerm.jenkins-sponsorship
name = "allow-out-https-from-ephemeral-agents-to-acr"
priority = 4050
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefixes = data.azurerm_subnet.cert_ci_jenkins_io_sponsorship_ephemeral_agents.address_prefixes
destination_address_prefixes = distinct(
flatten(
[for rs in azurerm_private_endpoint.dockerhub_mirror["certcijenkinsio"].private_dns_zone_configs.*.record_sets : rs.*.ip_addresses]
)
)
resource_group_name = azurerm_resource_group.cert_ci_jenkins_io_controller_jenkins_sponsorship.name
network_security_group_name = module.cert_ci_jenkins_io_azurevm_agents_jenkins_sponsorship.ephemeral_agents_nsg_name
}
resource "azurerm_network_security_rule" "allow_in_https_from_cert_ephemeral_agents_to_acr" {
provider = azurerm.jenkins-sponsorship
name = "allow-in-https-from-ephemeral-agents-to-acr"
priority = 4050
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefixes = data.azurerm_subnet.cert_ci_jenkins_io_sponsorship_ephemeral_agents.address_prefixes
destination_address_prefixes = distinct(
flatten(
[for rs in azurerm_private_endpoint.dockerhub_mirror["certcijenkinsio"].private_dns_zone_configs.*.record_sets : rs.*.ip_addresses]
)
)
resource_group_name = azurerm_resource_group.cert_ci_jenkins_io_controller_jenkins_sponsorship.name
network_security_group_name = module.cert_ci_jenkins_io_azurevm_agents_jenkins_sponsorship.ephemeral_agents_nsg_name
}