generated from pagopa-archive/template-devops-azure
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* updated modules to v5.5.0 * added legacy service principal for tls cert * added data for subscription and tenant id * removed new federated tls service connection * terraform lock updated * pre-commit fixs
- Loading branch information
1 parent
fb1b179
commit c313a03
Showing
11 changed files
with
301 additions
and
183 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
117 changes: 117 additions & 0 deletions
117
azure-devops/externals/03_service_connection_tls_certificate_legacy.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| # | ||
| # ⛩ Service connection 2 🔐 KV@DEV 🟢 | ||
| # | ||
| #tfsec:ignore:GEN003 | ||
| module "DEV-TLS-CERT-EXTERNALS-SERVICE-CONN" { | ||
| depends_on = [data.azuredevops_project.project] | ||
| source = "git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_serviceendpoint_azurerm_limited?ref=v5.5.0" | ||
| providers = { | ||
| azurerm = azurerm.dev | ||
| } | ||
|
|
||
| project_id = data.azuredevops_project.project.id | ||
| #tfsec:ignore:general-secrets-no-plaintext-exposure | ||
| renew_token = local.tlscert_renew_token | ||
| name = "${local.prefix}-d-tls-cert-externals-kv-policy" | ||
| tenant_id = data.azurerm_client_config.current.tenant_id | ||
| subscription_id = data.azurerm_subscriptions.dev.subscriptions[0].subscription_id | ||
| subscription_name = var.dev_subscription_name | ||
|
|
||
| credential_subcription = var.dev_subscription_name | ||
| credential_key_vault_name = local.dev_key_vault_name | ||
| credential_key_vault_resource_group = local.dev_key_vault_resource_group | ||
| } | ||
|
|
||
| data "azurerm_key_vault" "kv_dev" { | ||
| provider = azurerm.dev | ||
| name = local.dev_key_vault_name | ||
| resource_group_name = local.dev_key_vault_resource_group | ||
| } | ||
|
|
||
| resource "azurerm_key_vault_access_policy" "DEV-TLS-CERT-EXTERNALS-SERVICE-CONN_kv_dev" { | ||
| provider = azurerm.dev | ||
|
|
||
| key_vault_id = data.azurerm_key_vault.kv_dev.id | ||
| tenant_id = data.azurerm_client_config.current.tenant_id | ||
| object_id = module.DEV-TLS-CERT-EXTERNALS-SERVICE-CONN.service_principal_object_id | ||
|
|
||
| certificate_permissions = ["Get", "Import"] | ||
| } | ||
|
|
||
| # | ||
| # ⛩ Service connection 2 🔐 KV@UAT 🟨 | ||
| # | ||
| #tfsec:ignore:GEN003 | ||
| module "UAT-TLS-CERT-EXTERNALS-SERVICE-CONN" { | ||
| depends_on = [data.azuredevops_project.project] | ||
| source = "git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_serviceendpoint_azurerm_limited?ref=v5.5.0" | ||
| providers = { | ||
| azurerm = azurerm.uat | ||
| } | ||
|
|
||
| project_id = data.azuredevops_project.project.id | ||
| #tfsec:ignore:general-secrets-no-plaintext-exposure | ||
| renew_token = local.tlscert_renew_token | ||
| name = "${local.prefix}-u-tls-cert-externals-kv-policy" | ||
| tenant_id = data.azurerm_client_config.current.tenant_id | ||
| subscription_id = data.azurerm_subscriptions.uat.subscriptions[0].subscription_id | ||
| subscription_name = var.uat_subscription_name | ||
|
|
||
| credential_subcription = var.uat_subscription_name | ||
| credential_key_vault_name = local.uat_key_vault_name | ||
| credential_key_vault_resource_group = local.uat_key_vault_resource_group | ||
| } | ||
|
|
||
| data "azurerm_key_vault" "kv_uat" { | ||
| provider = azurerm.uat | ||
| name = local.uat_key_vault_name | ||
| resource_group_name = local.uat_key_vault_resource_group | ||
| } | ||
|
|
||
| resource "azurerm_key_vault_access_policy" "UAT-TLS-CERT-EXTERNALS-SERVICE-CONN_kv_uat" { | ||
| provider = azurerm.uat | ||
| key_vault_id = data.azurerm_key_vault.kv_uat.id | ||
| tenant_id = data.azurerm_client_config.current.tenant_id | ||
| object_id = module.UAT-TLS-CERT-EXTERNALS-SERVICE-CONN.service_principal_object_id | ||
|
|
||
| certificate_permissions = ["Get", "Import"] | ||
| } | ||
|
|
||
| # | ||
| # ⛩ Service connection 2 🔐 KV@PROD 🛑 | ||
| # | ||
| #tfsec:ignore:GEN003 | ||
| module "PROD-TLS-CERT-EXTERNALS-SERVICE-CONN" { | ||
| depends_on = [data.azuredevops_project.project] | ||
| source = "git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_serviceendpoint_azurerm_limited?ref=v5.5.0" | ||
| providers = { | ||
| azurerm = azurerm.prod | ||
| } | ||
|
|
||
| project_id = data.azuredevops_project.project.id | ||
| #tfsec:ignore:general-secrets-no-plaintext-exposure | ||
| renew_token = local.tlscert_renew_token | ||
| name = "${local.prefix}-p-tls-cert-externals-kv-policy" | ||
| tenant_id = data.azurerm_client_config.current.tenant_id | ||
| subscription_id = data.azurerm_subscriptions.prod.subscriptions[0].subscription_id | ||
| subscription_name = var.prod_subscription_name | ||
|
|
||
| credential_subcription = var.prod_subscription_name | ||
| credential_key_vault_name = local.prod_key_vault_name | ||
| credential_key_vault_resource_group = local.prod_key_vault_resource_group | ||
| } | ||
|
|
||
| data "azurerm_key_vault" "kv_prod" { | ||
| provider = azurerm.prod | ||
| name = local.prod_key_vault_name | ||
| resource_group_name = local.prod_key_vault_resource_group | ||
| } | ||
|
|
||
| resource "azurerm_key_vault_access_policy" "PROD-TLS-CERT-EXTERNALS-SERVICE-CONN_kv_prod" { | ||
| provider = azurerm.prod | ||
| key_vault_id = data.azurerm_key_vault.kv_prod.id | ||
| tenant_id = data.azurerm_client_config.current.tenant_id | ||
| object_id = module.PROD-TLS-CERT-EXTERNALS-SERVICE-CONN.service_principal_object_id | ||
|
|
||
| certificate_permissions = ["Get", "Import"] | ||
| } |
224 changes: 112 additions & 112 deletions
224
azure-devops/externals/03_service_connections_tls_certificate.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,113 +1,113 @@ | ||
| ## | ||
| ## ⛩ Service connection 2 🔐 KV@DEV 🟢 | ||
| ## | ||
| ##tfsec:ignore:GEN003 | ||
| #module "DEV-EXTERNALS-TLS-CERT-SERVICE-CONN" { | ||
| # depends_on = [data.azuredevops_project.project] | ||
| # source = "git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_serviceendpoint_federated?ref=v5.5.0" | ||
| # providers = { | ||
| # azurerm = azurerm.dev | ||
| # } | ||
| # | ||
| # ⛩ Service connection 2 🔐 KV@DEV 🟢 | ||
| # | ||
| #tfsec:ignore:GEN003 | ||
| module "DEV-EXTERNALS-TLS-CERT-SERVICE-CONN" { | ||
| depends_on = [data.azuredevops_project.project] | ||
| source = "git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_serviceendpoint_federated?ref=v4.2.1" | ||
| providers = { | ||
| azurerm = azurerm.dev | ||
| } | ||
|
|
||
| project_id = data.azuredevops_project.project.id | ||
| #tfsec:ignore:general-secrets-no-plaintext-exposure | ||
| name = "${local.prefix}-${local.domain}-d-azdo-EXTERNALS-TLS-CERT-kv-policy" | ||
| tenant_id = data.azurerm_client_config.current.tenant_id | ||
| subscription_id = data.azurerm_subscriptions.dev.subscriptions[0].subscription_id | ||
| subscription_name = var.dev_subscription_name | ||
|
|
||
| location = var.location | ||
| resource_group_name = local.dev_key_vault_resource_group | ||
|
|
||
| } | ||
|
|
||
| data "azurerm_key_vault" "kv_dev" { | ||
| provider = azurerm.dev | ||
| name = local.dev_key_vault_name | ||
| resource_group_name = local.dev_key_vault_resource_group | ||
| } | ||
|
|
||
| resource "azurerm_key_vault_access_policy" "DEV-EXTERNALS-TLS-CERT-SERVICE-CONN_kv_dev" { | ||
| provider = azurerm.dev | ||
|
|
||
| key_vault_id = data.azurerm_key_vault.kv_dev.id | ||
| tenant_id = data.azurerm_client_config.current.tenant_id | ||
| object_id = module.DEV-EXTERNALS-TLS-CERT-SERVICE-CONN.service_principal_object_id | ||
|
|
||
| certificate_permissions = ["Get", "Import"] | ||
| } | ||
|
|
||
| # | ||
| # ⛩ Service connection 2 🔐 KV@UAT 🟨 | ||
| # | ||
| #tfsec:ignore:GEN003 | ||
| module "UAT-EXTERNALS-TLS-CERT-SERVICE-CONN" { | ||
| depends_on = [data.azuredevops_project.project] | ||
| source = "git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_serviceendpoint_federated?ref=v4.2.1" | ||
| providers = { | ||
| azurerm = azurerm.uat | ||
| } | ||
|
|
||
| project_id = data.azuredevops_project.project.id | ||
| #tfsec:ignore:general-secrets-no-plaintext-exposure | ||
| name = "${local.prefix}-${local.domain}-u-azdo-EXTERNALS-TLS-CERT-kv-policy" | ||
| tenant_id = data.azurerm_client_config.current.tenant_id | ||
| subscription_id = data.azurerm_subscriptions.uat.subscriptions[0].subscription_id | ||
| subscription_name = var.uat_subscription_name | ||
|
|
||
|
|
||
| location = var.location | ||
| resource_group_name = local.uat_key_vault_resource_group | ||
| } | ||
|
|
||
| data "azurerm_key_vault" "kv_uat" { | ||
| provider = azurerm.uat | ||
| name = local.uat_key_vault_name | ||
| resource_group_name = local.uat_key_vault_resource_group | ||
| } | ||
|
|
||
| resource "azurerm_key_vault_access_policy" "UAT-EXTERNALS-TLS-CERT-SERVICE-CONN_kv_uat" { | ||
| provider = azurerm.uat | ||
| key_vault_id = data.azurerm_key_vault.kv_uat.id | ||
| tenant_id = data.azurerm_client_config.current.tenant_id | ||
| object_id = module.UAT-EXTERNALS-TLS-CERT-SERVICE-CONN.service_principal_object_id | ||
|
|
||
| certificate_permissions = ["Get", "Import"] | ||
| } | ||
|
|
||
| # | ||
| # ⛩ Service connection 2 🔐 KV@PROD 🛑 | ||
| # | ||
| #tfsec:ignore:GEN003 | ||
| module "PROD-EXTERNALS-TLS-CERT-SERVICE-CONN" { | ||
| depends_on = [data.azuredevops_project.project] | ||
| source = "git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_serviceendpoint_federated?ref=v4.2.1" | ||
| providers = { | ||
| azurerm = azurerm.prod | ||
| } | ||
|
|
||
| project_id = data.azuredevops_project.project.id | ||
| #tfsec:ignore:general-secrets-no-plaintext-exposure | ||
| name = "${local.prefix}-${local.domain}-p-azdo-EXTERNALS-TLS-CERT-kv-policy" | ||
| tenant_id = data.azurerm_client_config.current.tenant_id | ||
| subscription_id = data.azurerm_subscriptions.prod.subscriptions[0].subscription_id | ||
| subscription_name = var.prod_subscription_name | ||
|
|
||
| location = var.location | ||
| resource_group_name = local.prod_key_vault_resource_group | ||
| } | ||
|
|
||
| data "azurerm_key_vault" "kv_prod" { | ||
| provider = azurerm.prod | ||
| name = local.prod_key_vault_name | ||
| resource_group_name = local.prod_key_vault_resource_group | ||
| } | ||
|
|
||
| resource "azurerm_key_vault_access_policy" "PROD-EXTERNALS-TLS-CERT-SERVICE-CONN_kv_prod" { | ||
| provider = azurerm.prod | ||
| key_vault_id = data.azurerm_key_vault.kv_prod.id | ||
| tenant_id = data.azurerm_client_config.current.tenant_id | ||
| object_id = module.PROD-EXTERNALS-TLS-CERT-SERVICE-CONN.service_principal_object_id | ||
|
|
||
| certificate_permissions = ["Get", "Import"] | ||
| } | ||
| # project_id = data.azuredevops_project.project.id | ||
| # #tfsec:ignore:general-secrets-no-plaintext-exposure | ||
| # name = "${local.prefix}-${local.domain}-d-azdo-EXTERNALS-TLS-CERT-kv-policy" | ||
| # tenant_id = data.azurerm_client_config.current.tenant_id | ||
| # subscription_id = data.azurerm_subscriptions.dev.subscriptions[0].subscription_id | ||
| # subscription_name = var.dev_subscription_name | ||
| # | ||
| # location = var.location | ||
| # resource_group_name = local.dev_key_vault_resource_group | ||
| # | ||
| #} | ||
| # | ||
| #data "azurerm_key_vault" "kv_dev" { | ||
| # provider = azurerm.dev | ||
| # name = local.dev_key_vault_name | ||
| # resource_group_name = local.dev_key_vault_resource_group | ||
| #} | ||
| # | ||
| #resource "azurerm_key_vault_access_policy" "DEV-EXTERNALS-TLS-CERT-SERVICE-CONN_kv_dev" { | ||
| # provider = azurerm.dev | ||
| # | ||
| # key_vault_id = data.azurerm_key_vault.kv_dev.id | ||
| # tenant_id = data.azurerm_client_config.current.tenant_id | ||
| # object_id = module.DEV-EXTERNALS-TLS-CERT-SERVICE-CONN.service_principal_object_id | ||
| # | ||
| # certificate_permissions = ["Get", "Import"] | ||
| #} | ||
| # | ||
| ## | ||
| ## ⛩ Service connection 2 🔐 KV@UAT 🟨 | ||
| ## | ||
| ##tfsec:ignore:GEN003 | ||
| #module "UAT-EXTERNALS-TLS-CERT-SERVICE-CONN" { | ||
| # depends_on = [data.azuredevops_project.project] | ||
| # source = "git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_serviceendpoint_federated?ref=v5.5.0" | ||
| # providers = { | ||
| # azurerm = azurerm.uat | ||
| # } | ||
| # | ||
| # project_id = data.azuredevops_project.project.id | ||
| # #tfsec:ignore:general-secrets-no-plaintext-exposure | ||
| # name = "${local.prefix}-${local.domain}-u-azdo-EXTERNALS-TLS-CERT-kv-policy" | ||
| # tenant_id = data.azurerm_client_config.current.tenant_id | ||
| # subscription_id = data.azurerm_subscriptions.uat.subscriptions[0].subscription_id | ||
| # subscription_name = var.uat_subscription_name | ||
| # | ||
| # | ||
| # location = var.location | ||
| # resource_group_name = local.uat_key_vault_resource_group | ||
| #} | ||
| # | ||
| #data "azurerm_key_vault" "kv_uat" { | ||
| # provider = azurerm.uat | ||
| # name = local.uat_key_vault_name | ||
| # resource_group_name = local.uat_key_vault_resource_group | ||
| #} | ||
| # | ||
| #resource "azurerm_key_vault_access_policy" "UAT-EXTERNALS-TLS-CERT-SERVICE-CONN_kv_uat" { | ||
| # provider = azurerm.uat | ||
| # key_vault_id = data.azurerm_key_vault.kv_uat.id | ||
| # tenant_id = data.azurerm_client_config.current.tenant_id | ||
| # object_id = module.UAT-EXTERNALS-TLS-CERT-SERVICE-CONN.service_principal_object_id | ||
| # | ||
| # certificate_permissions = ["Get", "Import"] | ||
| #} | ||
| # | ||
| ## | ||
| ## ⛩ Service connection 2 🔐 KV@PROD 🛑 | ||
| ## | ||
| ##tfsec:ignore:GEN003 | ||
| #module "PROD-EXTERNALS-TLS-CERT-SERVICE-CONN" { | ||
| # depends_on = [data.azuredevops_project.project] | ||
| # source = "git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_serviceendpoint_federated?ref=v5.5.0" | ||
| # providers = { | ||
| # azurerm = azurerm.prod | ||
| # } | ||
| # | ||
| # project_id = data.azuredevops_project.project.id | ||
| # #tfsec:ignore:general-secrets-no-plaintext-exposure | ||
| # name = "${local.prefix}-${local.domain}-p-azdo-EXTERNALS-TLS-CERT-kv-policy" | ||
| # tenant_id = data.azurerm_client_config.current.tenant_id | ||
| # subscription_id = data.azurerm_subscriptions.prod.subscriptions[0].subscription_id | ||
| # subscription_name = var.prod_subscription_name | ||
| # | ||
| # location = var.location | ||
| # resource_group_name = local.prod_key_vault_resource_group | ||
| #} | ||
| # | ||
| #data "azurerm_key_vault" "kv_prod" { | ||
| # provider = azurerm.prod | ||
| # name = local.prod_key_vault_name | ||
| # resource_group_name = local.prod_key_vault_resource_group | ||
| #} | ||
| # | ||
| #resource "azurerm_key_vault_access_policy" "PROD-EXTERNALS-TLS-CERT-SERVICE-CONN_kv_prod" { | ||
| # provider = azurerm.prod | ||
| # key_vault_id = data.azurerm_key_vault.kv_prod.id | ||
| # tenant_id = data.azurerm_client_config.current.tenant_id | ||
| # object_id = module.PROD-EXTERNALS-TLS-CERT-SERVICE-CONN.service_principal_object_id | ||
| # | ||
| # certificate_permissions = ["Get", "Import"] | ||
| #} |
Oops, something went wrong.