Split out Firewall / Nexus / Gitea (#1365)

* WIP: doesn't work yet * Make temporary changes to the makefile * Fixes to firewall submodule * Update Makefile * move firewall name to locals * Init porter bundles for Gitea and Nexus * Add parameters to the new porter bundles * Revert "Convert data inputs into variable inputs for modules in Terraform (#1154)" This reverts commit c3e2cb7. * WIP: moving variables around for Gitea * Update Gitea module to consume variables from data * Fix several problems in firewall module * Changes to Gitea terraform (fix state container, add az login for local-exec) * Initial Nexus porter configuration * Add Sonatype-Nexus bundle * Uncomment firewall lock, fix local-exec command * Fix comments * fmt * Gitea, Nexus: Move variable inputs to data and locals * change path to nexus.properties * temporarily remove arm_client_id * fmt * remove unused arguments * fmt * Use key_vault_reference_identity_id in Terraform * Remove unused variables * Deploy Firewall, Gitea and Nexus as part of the main build * Add deploying of shared services to tre-deploy command * Add uninstall back * WIP: working transfer of state for Firewall * WIP: fiddling with more states * WIP: fix removal of terraform state * Add import script for Gitea * fixup tre-start/stop make target naming * strip '-' from string in storage account name * removed state_remove for gitea + nexus * removed state_remove for gitea + nexus * local modifications of import/remove state scripts * fw / gitea / nexus deploy from local via tf functional * gitignore * bumped gitea version * tf linting * PR updates * vars for ci * added check_dependencies to login in CI * check for non-existing RG and skipping import state if we're in a fresh CI * removed lock from remove/import scripts * remove/import state for gitea * gitea and nexus state moved * nexus + gitea state moved, apart from storage share * fixed storage import * PR snags * override * kv uri * new secret import style * secret * secret * state list * state list * remove state fix * remove state special chars * importing random_password to prevent KV updating * moved make target out of default path * supress risky log output * unwound gitea/nexus state moving debacle Co-authored-by: Tanya Borisova <[email protected]> Co-authored-by: Ross Smith <[email protected]> Co-authored-by: Stuart Leeks <[email protected]>
microsoft · Feb 25, 2022 · ce3ddb9 · ce3ddb9
1 parent c2742f6
commit ce3ddb9
Show file tree

Hide file tree

Showing 45 changed files with 846 additions and 169 deletions.
diff --git a/.gitignore b/.gitignore
@@ -155,7 +155,7 @@ override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
-templates/core/tre_output.json
+tre_output.json
 
 # generated backend files
 *_backend.tf

diff --git a/Makefile b/Makefile
@@ -16,6 +16,13 @@ build-and-push-api: build-api-image push-api-image
 build-and-push-resource-processor: build-resource-processor-vm-porter-image push-resource-processor-vm-porter-image
 build-and-push-gitea: build-gitea-image push-gitea-image
 build-and-push-guacamole: build-guacamole-image push-guacamole-image
+tre-deploy: deploy-core deploy-shared-services tre-start
+deploy-shared-services: firewall-install gitea-install nexus-install
+
+# to move your environment from the single 'core' deployment (which includes the firewall)
+# toward the shared services model, where it is split out - run the following make target before a tre-deploy
+# This will remove + import the resource state into a shared service
+migrate-firewall-state: prepare-tf-state
 
 bootstrap:
 	$(call target_title, "Bootstrap Terraform") \
@@ -97,7 +104,44 @@ push-gitea-image:
 push-guacamole-image:
 	$(call push_image,"guac-server","./templates/workspace_services/guacamole/version.txt")
 
-tre-deploy: tre-start
+# # These targets are for a graceful migration of Firewall
+# # from terraform state in Core to a Shared Service.
+# # See https://github.com/microsoft/AzureTRE/issues/1177
+prepare-tf-state:
+	$(call target_title, "Preparing terraform state") \
+	&& . ./devops/scripts/check_dependencies.sh nodocker \
+	&& . ./devops/scripts/load_env.sh ./templates/core/.env \
+	&& . ./devops/scripts/load_env.sh ./devops/.env \
+	&& . ./devops/scripts/load_terraform_env.sh ./devops/.env \
+	&& . ./devops/scripts/load_terraform_env.sh ./templates/core/.env \
+	&& pushd ./templates/core/terraform > /dev/null && ../../shared_services/firewall/terraform/remove_state.sh && popd > /dev/null \
+	&& pushd ./templates/shared_services/firewall/terraform > /dev/null && ./import_state.sh && popd > /dev/null
+
+
+terraform-shared-service-deploy:
+	$(call target_title, "Deploying ${DIR} with Terraform") \
+	&& . ./devops/scripts/check_dependencies.sh \
+	&& . ./devops/scripts/load_env.sh ./templates/core/.env \
+	&& . ./devops/scripts/load_env.sh ./devops/.env \
+	&& . ./devops/scripts/load_terraform_env.sh ./devops/.env \
+	&& . ./devops/scripts/load_terraform_env.sh ./templates/core/.env \
+	&& cd ${DIR} && ../../deploy_from_local.sh
+
+firewall-install:
+	$(call target_title, "Installing Firewall") \
+  && make SHARED_SERVICE_KEY=shared-service-firewall terraform-shared-service-deploy DIR=./templates/shared_services/firewall/terraform
+
+gitea-install:
+	$(call target_title, "Installing Gitea") \
+	&& make SHARED_SERVICE_KEY=shared-service-gitea terraform-shared-service-deploy DIR=./templates/shared_services/gitea/terraform
+
+nexus-install:
+	$(call target_title, "Installing Nexus") \
+	&& make SHARED_SERVICE_KEY=shared-service-sonatype-nexus TF_VAR_nexus_properties_path=../nexus.properties terraform-shared-service-deploy DIR=./templates/shared_services/sonatype-nexus/terraform
+
+# / End migration targets
+
+deploy-core:
 	$(call target_title, "Deploying TRE") \
 	&& . ./devops/scripts/check_dependencies.sh nodocker \
 	&& . ./devops/scripts/load_env.sh ./templates/core/.env \
@@ -117,19 +161,19 @@ letsencrypt:
 	&& . ./devops/scripts/load_env.sh ./templates/core/tre.env \
 	&& ./templates/core/terraform/scripts/letsencrypt.sh
 
-tre-stop:
-	$(call target_title, "Stopping TRE") \
+tre-start:
+	$(call target_title, "Starting TRE") \
 	&& . ./devops/scripts/check_dependencies.sh azfirewall \
 	&& . ./devops/scripts/load_env.sh ./templates/core/.env \
 	&& . ./devops/scripts/load_env.sh ./devops/.env \
-	&& ./devops/scripts/control_tre.sh stop
+	&& ./devops/scripts/control_tre.sh start
 
-tre-start:
-	$(call target_title, "Starting TRE") \
+tre-stop:
+	$(call target_title, "Stopping TRE") \
 	&& . ./devops/scripts/check_dependencies.sh azfirewall \
 	&& . ./devops/scripts/load_env.sh ./templates/core/.env \
 	&& . ./devops/scripts/load_env.sh ./devops/.env \
-	&& ./devops/scripts/control_tre.sh start
+	&& ./devops/scripts/control_tre.sh stop
 
 tre-destroy:
 	$(call target_title, "Destroying TRE") \

diff --git a/templates/core/terraform/firewall/output.tf b/templates/core/terraform/firewall/output.tf
diff --git a/templates/core/terraform/firewall/variables.tf b/templates/core/terraform/firewall/variables.tf
diff --git a/templates/core/terraform/main.tf b/templates/core/terraform/main.tf
@@ -88,68 +88,6 @@ module "resource_processor_vmss_porter" {
 
   depends_on = [
     module.azure_monitor,
-    azurerm_key_vault.kv,
-    module.firewall
-  ]
-}
-
-module "firewall" {
-  source                     = "./firewall"
-  tre_id                     = var.tre_id
-  location                   = var.location
-  resource_group_name        = azurerm_resource_group.core.name
-  log_analytics_workspace_id = module.azure_monitor.log_analytics_workspace_id
-  stateful_resources_locked  = var.stateful_resources_locked
-
-  shared_subnet = {
-    id               = module.network.shared_subnet_id
-    address_prefixes = module.network.shared_subnet_address_prefixes
-  }
-  firewall_subnet = {
-    id               = module.network.azure_firewall_subnet_id
-    address_prefixes = module.network.azure_firewall_subnet_address_prefixes
-  }
-  resource_processor_subnet = {
-    id               = module.network.resource_processor_subnet_id
-    address_prefixes = module.network.resource_processor_subnet_address_prefixes
-  }
-  web_app_subnet = {
-    id               = module.network.web_app_subnet_id
-    address_prefixes = module.network.web_app_subnet_address_prefixes
-  }
-  depends_on = [
-    module.network
-  ]
-}
-
-module "gitea" {
-  count                    = var.deploy_gitea == true ? 1 : 0
-  source                   = "../../shared_services/gitea/terraform"
-  tre_id                   = var.tre_id
-  location                 = var.location
-  acr_name                 = data.azurerm_container_registry.mgmt_acr.name
-  mgmt_resource_group_name = var.mgmt_resource_group_name
-
-  depends_on = [
-    module.firewall,
-    module.network,
-    azurerm_app_service_plan.core,
-    azurerm_key_vault.kv,
-    azurerm_storage_account.stg
-  ]
-}
-
-module "nexus" {
-  count    = var.deploy_nexus == true ? 1 : 0
-  source   = "../../shared_services/sonatype-nexus/terraform"
-  tre_id   = var.tre_id
-  location = var.location
-
-  depends_on = [
-    module.firewall,
-    module.network,
-    azurerm_app_service_plan.core,
-    azurerm_key_vault.kv,
-    azurerm_storage_account.stg
+    azurerm_key_vault.kv
   ]
 }
diff --git a/templates/core/terraform/network/output.tf b/templates/core/terraform/network/output.tf
@@ -10,34 +10,18 @@ output "azure_firewall_subnet_id" {
   value = azurerm_subnet.azure_firewall.id
 }
 
-output "azure_firewall_subnet_address_prefixes" {
-  value = azurerm_subnet.azure_firewall.address_prefixes
-}
-
 output "app_gw_subnet_id" {
   value = azurerm_subnet.app_gw.id
 }
 
-output "app_gw_subnet_address_prefixes" {
-  value = azurerm_subnet.app_gw.address_prefixes
-}
-
 output "web_app_subnet_id" {
   value = azurerm_subnet.web_app.id
 }
 
-output "web_app_subnet_address_prefixes" {
-  value = azurerm_subnet.web_app.address_prefixes
-}
-
 output "shared_subnet_id" {
   value = azurerm_subnet.shared.id
 }
 
-output "shared_subnet_address_prefixes" {
-  value = azurerm_subnet.shared.address_prefixes
-}
-
 output "private_dns_zone_azurewebsites_id" {
   value = azurerm_private_dns_zone.azurewebsites.id
 }
@@ -50,10 +34,6 @@ output "resource_processor_subnet_id" {
   value = azurerm_subnet.resource_processor.id
 }
 
-output "resource_processor_subnet_address_prefixes" {
-  value = azurerm_subnet.resource_processor.address_prefixes
-}
-
 output "azure_monitor_dns_zone_id" {
   value = azurerm_private_dns_zone.azure_monitor.id
 }

diff --git a/templates/shared_services/deploy_from_local.sh b/templates/shared_services/deploy_from_local.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# This script exists to support the migration from the firewall into a shared service bundle, that can be deployed from a dev workstation.
+
+set -e
+
+PLAN_FILE="tfplan$$"
+LOG_FILE="tmp$$.log"
+
+LOC="$(dirname -- "$(readlink -f "${BASH_SOURCE}")")"
+
+${LOC}/../../devops/scripts/terraform_wrapper.sh \
+  -g $TF_VAR_mgmt_resource_group_name \
+  -s $TF_VAR_mgmt_storage_account_name \
+  -n $TF_VAR_terraform_state_container_name \
+  -k ${TRE_ID}-${SHARED_SERVICE_KEY} \
+  -l ${LOG_FILE} \
+  -c "terraform plan -out ${PLAN_FILE} && \
+  terraform apply -input=false -auto-approve ${PLAN_FILE} && \
+  terraform output -json > ../tre_output.json"
+
diff --git a/templates/shared_services/firewall/.dockerignore b/templates/shared_services/firewall/.dockerignore
@@ -0,0 +1,4 @@
+# See https://docs.docker.com/engine/reference/builder/#dockerignore-file
+# Put files here that you don't want copied into your bundle's invocation image
+.gitignore
+Dockerfile.tmpl
diff --git a/templates/shared_services/firewall/.gitignore b/templates/shared_services/firewall/.gitignore
@@ -0,0 +1,2 @@
+.cnab/
+.terraform*
diff --git a/templates/shared_services/firewall/Dockerfile.tmpl b/templates/shared_services/firewall/Dockerfile.tmpl
@@ -0,0 +1,32 @@
+FROM debian:stretch-slim
+
+ARG BUNDLE_DIR
+
+RUN apt-get update && apt-get install -y ca-certificates
+
+# Install Azure CLI (neeeded for import_state.sh)
+RUN apt-get update \
+    && apt-get install -y ca-certificates jq curl apt-transport-https lsb-release gnupg \
+    && curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null \
+    && AZ_REPO=$(lsb_release -cs) \
+    && echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | tee /etc/apt/sources.list.d/azure-cli.list \
+    && apt-get update && apt-get -y install azure-cli
+
+# To be able to use `az network firewall` commands
+RUN az config set extension.use_dynamic_install=yes_without_prompt
+
+# This is a template Dockerfile for the bundle's invocation image
+# You can customize it to use different base images, install tools and copy configuration files.
+#
+# Porter will use it as a template and append lines to it for the mixins
+# and to set the CMD appropriately for the CNAB specification.
+#
+# Add the following line to porter.yaml to instruct Porter to use this template
+# dockerfile: Dockerfile.tmpl
+
+# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
+# another location in this file. If you remove that line, the mixins generated content is appended to this file.
+# PORTER_MIXINS
+
+# Use the BUNDLE_DIR build argument to copy files into the bundle
+COPY . $BUNDLE_DIR
diff --git a/templates/shared_services/firewall/azure.json b/templates/shared_services/firewall/azure.json
@@ -0,0 +1,32 @@
+{
+  "schemaVersion": "1.0.0-DRAFT+b6c701f",
+  "name": "azure",
+  "created": "2021-06-03T11:31:05.7314113Z",
+  "modified": "2021-06-03T11:31:05.7314113Z",
+  "credentials": [
+    {
+      "name": "azure_client_id",
+      "source": {
+        "env": "ARM_CLIENT_ID"
+      }
+    },
+    {
+      "name": "azure_client_secret",
+      "source": {
+        "env": "ARM_CLIENT_SECRET"
+      }
+    },
+    {
+      "name": "azure_subscription_id",
+      "source": {
+        "env": "ARM_SUBSCRIPTION_ID"
+      }
+    },
+    {
+      "name": "azure_tenant_id",
+      "source": {
+        "env": "ARM_TENANT_ID"
+      }
+    }
+  ]
+}