
Chores/add infra for register #8

Closed
wants to merge 21 commits into from

Conversation

Collaborator

@andreasisnes andreasisnes commented Oct 1, 2024

Add infrastructure for register

  • Own Postgres server for Register
  • Own Key Vault for Register (?)
  • Two user assigned identities get created (both must be used with workload identity for AKS; not entirely sure if you can attach more than one identity)
    • First has access to key vault, service bus and database (non-admin, not granted through terraform)
    • Latter is postgres server admin
  • Can possibly add support for admin user and password. However, the password will be stored in the state file, but it can be rotated for every infra deploy.

Remaining work

  • vnet peering: platform vnet and auth vnet
  • Strategy for using managed identity for postgres

Caveats

  • postgres server is not accessible from the internet. Why? Once a database is public, you can make it private, and vice versa.

Verification

  • Your code builds clean without any errors or warnings
  • Manual testing done (required)
  • Relevant automated test added (if you find this hard, leave it and we'll help out)
  • All tests run green

Documentation

  • User documentation is updated with a separate linked PR in altinn-studio-docs. (if applicable)
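The description above sketches the Register infrastructure: two user-assigned identities bound to AKS workload identity, one with non-admin access to Key Vault, Service Bus and the database and one acting as Postgres server administrator, plus a Postgres server that is not reachable from the internet. The following Terraform is an added example of that shape written for this page; it is not code from this PR or from the altinn-authorization repository. Everything in it is an assumption: the variable values, the resource and service-account names (`register-app`, `register-admin`), the delegated subnet and private DNS zone, an AKS cluster with its OIDC issuer enabled, and a Key Vault that uses RBAC authorization. It also shows one answer to the "managed identity for postgres" item: Entra ID authentication with password authentication disabled, so no admin password ever lands in the state file.

```hcl
# Added example, not the project's own code. All names and variables are placeholders.
variable "location" { type = string }
variable "resource_group_name" { type = string }
variable "tenant_id" { type = string }
variable "key_vault_id" { type = string }              # RBAC-enabled vault
variable "aks_oidc_issuer_url" { type = string }       # from the AKS cluster's oidc_issuer_url
variable "postgres_subnet_id" { type = string }        # subnet delegated to Microsoft.DBforPostgreSQL/flexibleServers
variable "postgres_private_dns_zone_id" { type = string }

# One identity for the application (non-admin) and one for server administration.
locals {
  identities = toset(["app", "admin"])
}

resource "azurerm_user_assigned_identity" "register" {
  for_each            = local.identities
  name                = "mi-register-${each.key}-example"
  location            = var.location
  resource_group_name = var.resource_group_name
}

# Workload identity: trust the AKS OIDC issuer so a pod's service-account token can be
# exchanged for a token of the matching identity. One federated credential per identity,
# each pinned to its own Kubernetes service account (namespace "register", assumed).
resource "azurerm_federated_identity_credential" "register" {
  for_each            = azurerm_user_assigned_identity.register
  name                = "fic-register-${each.key}-example"
  resource_group_name = var.resource_group_name
  parent_id           = each.value.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = var.aks_oidc_issuer_url
  subject             = "system:serviceaccount:register:register-${each.key}"
}

# Least privilege for the runtime identity: read secrets only, no administrator role.
# principal_id is taken from the identity resource, never from the for_each key.
resource "azurerm_role_assignment" "app_key_vault_secrets" {
  scope                = var.key_vault_id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.register["app"].principal_id
  principal_type       = "ServicePrincipal"
}

# Private-only server: injected into a delegated subnet (no public endpoint),
# Entra ID authentication only, password authentication disabled.
resource "azurerm_postgresql_flexible_server" "register" {
  name                = "psql-register-example"
  resource_group_name = var.resource_group_name
  location            = var.location
  version             = "16"
  sku_name            = "B_Standard_B1ms"
  storage_mb          = 32768
  delegated_subnet_id = var.postgres_subnet_id
  private_dns_zone_id = var.postgres_private_dns_zone_id

  authentication {
    active_directory_auth_enabled = true
    password_auth_enabled         = false
    tenant_id                     = var.tenant_id
  }
}

# The "admin" identity becomes the Entra ID administrator of the server. The "app"
# identity gets a non-admin database role out of band (CREATE ROLE via pgaadauth),
# matching the description's "not granted through terraform".
resource "azurerm_postgresql_flexible_server_active_directory_administrator" "register" {
  server_name         = azurerm_postgresql_flexible_server.register.name
  resource_group_name = var.resource_group_name
  tenant_id           = var.tenant_id
  object_id           = azurerm_user_assigned_identity.register["admin"].principal_id
  principal_name      = azurerm_user_assigned_identity.register["admin"].name
  principal_type      = "ServicePrincipal"
}
```

Two points worth checking in a plan for this pattern. First, `principal_id` must come from the identity resource (`.principal_id`), not from `each.key`: a `for_each` over a map yields the map key in `each.key`, and passing it through produces a role assignment whose principal is the literal string, which forces replacement and fails at apply (the plan output later in this thread shows exactly that shape for `key_vault_administrator["app"]` and `["current"]`). Second, with `password_auth_enabled = false` there is no `administrator_password` argument and therefore nothing secret in the state file; if password auth is ever re-enabled, treat the state backend as a secret store and rotate on every deploy, as the description proposes.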


github-actions bot commented Oct 1, 2024

Terraform environment at21

Format and Style 🖌success

Initialization ⚙️success

Validation 🤖success

Validation Output

Success! The configuration is valid.


Plan 📖success


[Lines containing Refreshing state removed]
[Maybe further truncated see logs for complete plan output]
Acquiring state lock. This may take a few moments...
module.app_configuration.data.azurerm_client_config.current: Reading...
module.app_configuration.data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD03MjQ0YzE3OS1kZTg2LTRjMDYtYTY3YS0xMTQ3N2ExNGNhMzc7b2JqZWN0SWQ9NmVhZWQyM2UtZGY3Zi00NzA4LTljOGUtYTdmMzRkZWVhZGI0O3N1YnNjcmlwdGlvbklkPTQ1MTc3YTBhLWQyN2UtNDkwZi05ZjIzLWI0NzI2ZGU4Y2NjMTt0ZW5hbnRJZD1jZDAwMjZkOC0yODNiLTRhNTUtOWJmYS1kMGVmNGE4YmEyMWM=]
module.application_gateway.data.azurerm_key_vault.cert: Reading...
module.application_gateway.data.azurerm_user_assigned_identity.cert: Reading...
module.application_gateway.data.azurerm_user_assigned_identity.cert: Read complete after 2s [id=/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgcert001at21/providers/Microsoft.ManagedIdentity/userAssignedIdentities/micert001at21]
module.key_vault.data.azurerm_client_config.current: Reading...
module.key_vault.data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD03MjQ0YzE3OS1kZTg2LTRjMDYtYTY3YS0xMTQ3N2ExNGNhMzc7b2JqZWN0SWQ9NmVhZWQyM2UtZGY3Zi00NzA4LTljOGUtYTdmMzRkZWVhZGI0O3N1YnNjcmlwdGlvbklkPTQ1MTc3YTBhLWQyN2UtNDkwZi05ZjIzLWI0NzI2ZGU4Y2NjMTt0ZW5hbnRJZD1jZDAwMjZkOC0yODNiLTRhNTUtOWJmYS1kMGVmNGE4YmEyMWM=]
module.application_gateway.data.azurerm_key_vault.cert: Read complete after 3s [id=/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgcert001at21/providers/Microsoft.KeyVault/vaults/kvaltinnauthcert001at21]
module.application_gateway.data.azurerm_key_vault_certificate.cert: Reading...
module.application_gateway.data.azurerm_key_vault_certificate.cert: Read complete after 2s [id=https://kvaltinnauthcert001at21.vault.azure.net/certificates/cert/234e40b053ee46d4b512b64b334adc67]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.app_configuration.azurerm_app_configuration_key.key["Sentinel"] will be updated in-place
  ~ resource "azurerm_app_configuration_key" "key" {
        id                     = "https://appconfaltinnauth001at21.azconfig.io/kv/Sentinel?label=default"
        tags                   = {
            "environment" = "at21"
            "instance"    = "001"
            "name"        = "auth"
            "repository"  = "github.com/altinn/altinn-authorization"
            "suffix"      = "auth001at21"
        }
      ~ value                  = "2024-10-08T13:44:09Z" -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.application_gateway.azurerm_application_gateway.appgw will be updated in-place
  ~ resource "azurerm_application_gateway" "appgw" {
        id                                = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21"
        name                              = "appgwauth001at21"
        tags                              = {
            "environment" = "at21"
            "instance"    = "001"
            "name"        = "auth"
            "repository"  = "github.com/altinn/altinn-authorization"
            "suffix"      = "auth001at21"
        }
        # (7 unchanged attributes hidden)

      + backend_address_pool {
          + fqdns        = [
              + "bootstrapper.api.auth.at21.altinn.cloud",
            ]
          + id           = (known after apply)
          + ip_addresses = []
          + name         = "backend_address_pool_container_app_api_bootstrapper"
        }

      - backend_http_settings {
          - cookie_based_affinity               = "Disabled" -> null
          - id                                  = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/backendHttpSettingsCollection/backend_http_settings_container_app_api_accesspackages" -> null
          - name                                = "backend_http_settings_container_app_api_accesspackages" -> null
          - pick_host_name_from_backend_address = true -> null
          - port                                = 80 -> null
          - probe_id                            = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_api_accesspackages" -> null
          - probe_name                          = "probe_container_app_api_accesspackages" -> null
          - protocol                            = "Http" -> null
          - request_timeout                     = 30 -> null
          - trusted_root_certificate_names      = [] -> null
        }
      - backend_http_settings {
          - cookie_based_affinity               = "Disabled" -> null
          - id                                  = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/backendHttpSettingsCollection/backend_http_settings_container_app_frontend_index" -> null
          - name                                = "backend_http_settings_container_app_frontend_index" -> null
          - pick_host_name_from_backend_address = true -> null
          - port                                = 80 -> null
          - probe_id                            = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_frontend_index" -> null
          - probe_name                          = "probe_container_app_frontend_index" -> null
          - protocol                            = "Http" -> null
          - request_timeout                     = 30 -> null
          - trusted_root_certificate_names      = [] -> null
        }
      - backend_http_settings {
          - cookie_based_affinity               = "Disabled" -> null
          - id                                  = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/backendHttpSettingsCollection/backend_http_settings_container_app_index" -> null
          - name                                = "backend_http_settings_container_app_index" -> null
          - pick_host_name_from_backend_address = true -> null
          - port                                = 80 -> null
          - probe_id                            = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_index" -> null
          - probe_name                          = "probe_container_app_index" -> null
          - protocol                            = "Http" -> null
          - request_timeout                     = 30 -> null
          - trusted_root_certificate_names      = [] -> null
        }
      + backend_http_settings {
          + cookie_based_affinity               = "Disabled"
          + id                                  = (known after apply)
          + name                                = "backend_http_settings_container_app_api_bootstrapper"
          + pick_host_name_from_backend_address = true
          + port                                = 80
          + probe_id                            = (known after apply)
          + probe_name                          = "probe_container_app_api_bootstrapper"
          + protocol                            = "Http"
          + request_timeout                     = 30
          + trusted_root_certificate_names      = []
        }
      + backend_http_settings {
          + cookie_based_affinity               = "Disabled"
          + id                                  = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/backendHttpSettingsCollection/backend_http_settings_container_app_api_accesspackages"
          + name                                = "backend_http_settings_container_app_api_accesspackages"
          + pick_host_name_from_backend_address = true
          + port                                = 80
          + probe_id                            = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_api_accesspackages"
          + probe_name                          = "probe_container_app_api_accesspackages"
          + protocol                            = "Http"
          + request_timeout                     = 30
          + trusted_root_certificate_names      = []
        }
      + backend_http_settings {
          + cookie_based_affinity               = "Disabled"
          + id                                  = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/backendHttpSettingsCollection/backend_http_settings_container_app_frontend_index"
          + name                                = "backend_http_settings_container_app_frontend_index"
          + pick_host_name_from_backend_address = true
          + port                                = 80
          + probe_id                            = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_frontend_index"
          + probe_name                          = "probe_container_app_frontend_index"
          + protocol                            = "Http"
          + request_timeout                     = 30
          + trusted_root_certificate_names      = []
        }
      + backend_http_settings {
          + cookie_based_affinity               = "Disabled"
          + id                                  = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/backendHttpSettingsCollection/backend_http_settings_container_app_index"
          + name                                = "backend_http_settings_container_app_index"
          + pick_host_name_from_backend_address = true
          + port                                = 80
          + probe_id                            = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_index"
          + probe_name                          = "probe_container_app_index"
          + protocol                            = "Http"
          + request_timeout                     = 30
          + trusted_root_certificate_names      = []
        }

      - probe {
          - id                                        = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_api_accesspackages" -> null
          - interval                                  = 30 -> null
          - minimum_servers                           = 0 -> null
          - name                                      = "probe_container_app_api_accesspackages" -> null
          - path                                      = "/healthz" -> null
          - pick_host_name_from_backend_http_settings = true -> null
          - port                                      = 0 -> null
          - protocol                                  = "Http" -> null
          - timeout                                   = 30 -> null
          - unhealthy_threshold                       = 3 -> null

          - match {
              - status_code = [
                  - "200",
                ] -> null
            }
        }
      - probe {
          - id                                        = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_frontend_index" -> null
          - interval                                  = 30 -> null
          - minimum_servers                           = 0 -> null
          - name                                      = "probe_container_app_frontend_index" -> null
          - path                                      = "/healthz" -> null
          - pick_host_name_from_backend_http_settings = true -> null
          - port                                      = 0 -> null
          - protocol                                  = "Http" -> null
          - timeout                                   = 30 -> null
          - unhealthy_threshold                       = 3 -> null

          - match {
              - status_code = [
                  - "200",
                ] -> null
            }
        }
      - probe {
          - id                                        = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_index" -> null
          - interval                                  = 30 -> null
          - minimum_servers                           = 0 -> null
          - name                                      = "probe_container_app_index" -> null
          - path                                      = "/" -> null
          - pick_host_name_from_backend_http_settings = true -> null
          - port                                      = 0 -> null
          - protocol                                  = "Http" -> null
          - timeout                                   = 30 -> null
          - unhealthy_threshold                       = 3 -> null

          - match {
              - status_code = [
                  - "200",
                ] -> null
            }
        }
      + probe {
          + id                                        = (known after apply)
          + interval                                  = 30
          + minimum_servers                           = 0
          + name                                      = "probe_container_app_api_bootstrapper"
          + path                                      = "/healthz"
          + pick_host_name_from_backend_http_settings = true
          + protocol                                  = "Http"
          + timeout                                   = 30
          + unhealthy_threshold                       = 3

          + match {
              + status_code = [
                  + "200",
                ]
            }
        }
      + probe {
          + id                                        = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_api_accesspackages"
          + interval                                  = 30
          + minimum_servers                           = 0
          + name                                      = "probe_container_app_api_accesspackages"
          + path                                      = "/healthz"
          + pick_host_name_from_backend_http_settings = true
          + protocol                                  = "Http"
          + timeout                                   = 30
          + unhealthy_threshold                       = 3

          + match {
              + status_code = [
                  + "200",
                ]
            }
        }
      + probe {
          + id                                        = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_frontend_index"
          + interval                                  = 30
          + minimum_servers                           = 0
          + name                                      = "probe_container_app_frontend_index"
          + path                                      = "/healthz"
          + pick_host_name_from_backend_http_settings = true
          + protocol                                  = "Http"
          + timeout                                   = 30
          + unhealthy_threshold                       = 3

          + match {
              + status_code = [
                  + "200",
                ]
            }
        }
      + probe {
          + id                                        = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_index"
          + interval                                  = 30
          + minimum_servers                           = 0
          + name                                      = "probe_container_app_index"
          + path                                      = "/"
          + pick_host_name_from_backend_http_settings = true
          + protocol                                  = "Http"
          + timeout                                   = 30
          + unhealthy_threshold                       = 3

          + match {
              + status_code = [
                  + "200",
                ]
            }
        }

      ~ url_path_map {
            id                                 = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/urlPathMaps/url_path_map_container_app_api"
            name                               = "url_path_map_container_app_api"
            # (4 unchanged attributes hidden)

          + path_rule {
              + backend_address_pool_name  = "backend_address_pool_container_app_api_bootstrapper"
              + backend_http_settings_name = "backend_http_settings_container_app_api_bootstrapper"
              + name                       = "path_rule_container_app_api_bootstrapper"
              + paths                      = [
                  + "/bootstrapper/*",
                  + "/bootstrapper",
                ]
            }

            # (1 unchanged block hidden)
        }

        # (16 unchanged blocks hidden)
    }

  # module.key_vault.azurerm_role_assignment.key_vault_administrator["app"] must be replaced
-/+ resource "azurerm_role_assignment" "key_vault_administrator" {
      ~ id                               = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.KeyVault/vaults/kvaltinnauth001at21/providers/Microsoft.Authorization/roleAssignments/35f90372-ee1f-888a-634f-37f6cf26d9ee" -> (known after apply)
      ~ name                             = "35f90372-ee1f-888a-634f-37f6cf26d9ee" -> (known after apply)
      ~ principal_id                     = "1e93d640-decc-493d-bb8b-1eb715ff1a95" -> "app" # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483" -> (known after apply)
      + skip_service_principal_aad_check = (known after apply)
        # (2 unchanged attributes hidden)
    }

  # module.key_vault.azurerm_role_assignment.key_vault_administrator["current"] must be replaced
-/+ resource "azurerm_role_assignment" "key_vault_administrator" {
      ~ id                               = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.KeyVault/vaults/kvaltinnauth001at21/providers/Microsoft.Authorization/roleAssignments/f825c6b5-7c3e-6359-434f-355bb2e0e31d" -> (known after apply)
      ~ name                             = "f825c6b5-7c3e-6359-434f-355bb2e0e31d" -> (known after apply)
      ~ principal_id                     = "6eaed23e-df7f-4708-9c8e-a7f34deeadb4" -> "current" # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483" -> (known after apply)
      + skip_service_principal_aad_check = (known after apply)
        # (2 unchanged attributes hidden)
    }

Plan: 2 to add, 2 to change, 2 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan.out

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan.out"
Releasing state lock. This may take a few moments...

Context Values
Pusher: @andreasisnes
Action: workflow_dispatch
Working Directory: infra/deploy/auth
State File: github.com/altinn/altinn-authorization-tmp/environments/at21/auth.tfstate
Plan File: github.com_altinn_altinn-authorization-tmp_environments_at21_auth.tfstate.tfplan

@allinox allinox removed the request for review from a team October 8, 2024 09:15