From 16225b04fbd806ef6ecdc831b1775f6877fa1e08 Mon Sep 17 00:00:00 2001
From: Richard87
Date: Fri, 8 Mar 2024 13:20:15 +0100
Subject: [PATCH 1/3] Create MI for Github workflow in Vulnaribility Scanner
---
 .../modules/userassignedidentity/main.tf | 13 +++++-
 .../modules/userassignedidentity/output.tf | 5 +++
 .../modules/userassignedidentity/variables.tf | 11 ++++-
 .../s941/dev/vulnerability-scanner/main.tf | 43 +++++++++++++++++--
 .../dev/vulnerability-scanner/variables.tf | 5 +++
 5 files changed, 72 insertions(+), 5 deletions(-)
diff --git a/terraform/subscriptions/modules/userassignedidentity/main.tf b/terraform/subscriptions/modules/userassignedidentity/main.tf
index 6be8b1c90..8ff93b514 100644
--- a/terraform/subscriptions/modules/userassignedidentity/main.tf
+++ b/terraform/subscriptions/modules/userassignedidentity/main.tf
@@ -9,4 +9,15 @@ resource "azurerm_role_assignment" "this" {
 scope = each.value.scope_id
 role_definition_name = each.value.role
 principal_id = azurerm_user_assigned_identity.userassignedidentity.principal_id
-}
\ No newline at end of file
+}
+
+resource "azurerm_federated_identity_credential" "this" {
+ for_each = var.federated_credentials
+
+ audience = ["api://AzureADTokenExchange"]
+ issuer = each.value.issuer
+ name = each.value.name
+ parent_id = azurerm_user_assigned_identity.userassignedidentity.id
+ resource_group_name = var.resource_group_name
+ subject = each.value.subject
+}
diff --git a/terraform/subscriptions/modules/userassignedidentity/output.tf b/terraform/subscriptions/modules/userassignedidentity/output.tf
index 7ce404307..4e9c8a201 100644
--- a/terraform/subscriptions/modules/userassignedidentity/output.tf
+++ b/terraform/subscriptions/modules/userassignedidentity/output.tf
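Review bot: The new `azurerm_federated_identity_credential` resource accepts any `issuer`/`subject` pair from `var.federated_credentials` without saying that `subject` alone decides which external workload may act as this identity, and the module is the right place to record that. Suggest a comment above the resource: `# A token from issuer whose subject claim equals subject is accepted as this identity; callers must pin subject to one repo and one ref or environment.` Hardcoding `audience` to `api://AzureADTokenExchange` is the expected value for Entra workload identity federation and is fine as is. `var.resource_group_name` is referenced here but its declaration is outside the hunk.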
@@ -2,3 +2,8 @@ output "data" {
 description = "userassignedidentity"
 value = azurerm_user_assigned_identity.userassignedidentity
 }
+
+output "client-id" {
+ description = "userassignedidentity"
+ value = azurerm_user_assigned_identity.userassignedidentity.client_id
+}
diff --git a/terraform/subscriptions/modules/userassignedidentity/variables.tf b/terraform/subscriptions/modules/userassignedidentity/variables.tf
index 7d11e7275..5e1810f3a 100644
--- a/terraform/subscriptions/modules/userassignedidentity/variables.tf
+++ b/terraform/subscriptions/modules/userassignedidentity/variables.tf
@@ -19,4 +19,13 @@ variable "roleassignments" {
 scope_id = string
 }))
 default = {}
-}
\ No newline at end of file
+}
+
+variable "federated_credentials" {
+ type = map(object({
+ name = string
+ issuer = string
+ subject = string
+ }))
+ default = {}
+}
diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
index 520878844..fb0bc63b2 100644
--- a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
@@ -8,10 +8,9 @@ module "config" {
 source = "../../../modules/config"
 }
 
-# TODO: Migrate keys to radix-keyv-dev when ready
 data "azurerm_key_vault" "keyvault" {
- name = "radix-vault-dev" # module.config.key_vault_name
- resource_group_name = "common" # module.config.common_resource_group
+ name = module.config.key_vault_name
+ resource_group_name = module.config.common_resource_group
 }
 
 data "azurerm_key_vault_secret" "keyvault_secrets" {
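Review bot: The `client-id` output copies `description = "userassignedidentity"` from the `data` output above it, so the description does not say what the value is or why a caller would want it separately from `data`. Suggest `description = "client_id of the user assigned identity; the client ID a federated workload presents when exchanging its token for this identity"`. The output name `client-id` also differs in spelling from the attribute `client_id` it exposes; matching the attribute name would avoid a second spelling of the same thing downstream.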
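Review bot: `federated_credentials` is declared with neither a `description` nor a `validation`, so the module accepts any `subject` string and nothing tells a caller that the subject is the trust boundary of the identity. Suggest `description = "Federated identity credentials keyed by name; issuer is the OIDC issuer URL and subject must identify exactly one external workload (for GitHub: one repo plus one ref or environment)."` together with a validation that rejects a non-https issuer, e.g. `condition = alltrue([for c in var.federated_credentials : can(regex("^https://", c.issuer))])` and a matching `error_message`. The `roleassignments` variable above it (cut at the hunk start) has no description either, but that is pre-existing.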
@@ -50,6 +49,44 @@ module "mssql-database" {
 }
 }
 
+data "azurerm_container_registry" "acr" {
+ name = var.acr_name
+ resource_group_name = "common" # TODO: Fix module.config.common_resource_group
+}
+
+module "github-workload-id" {
+ source = "../../../modules/userassignedidentity"
+ name = "radix-id-github-vulnerability-scan-${module.config.environment}"
+ resource_group_name = module.resourcegroup.data.name
+ location = module.resourcegroup.data.location
+ roleassignments = {
+ acr = {
+ role = "AcrPush"
+ scope_id = data.azurerm_container_registry.acr.id
+ }
+ }
+ federated_credentials = {
+ github-main = {
+ name = "gh-radix-vulnerability-scan-acr-main-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/main"
+ }
+ github-release = {
+ name = "gh-radix-vulnerability-scan-acr-release-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release"
+ }
+ github-pr = {
+ name = "gh-radix-vulnerability-scan-acr-pr-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-vulnerability-scanner:pull_request"
+ }
+ }
+}
+
 output "mi-client-id" {
 value = module.mssql-database.mi-admin
 }
+output "radix-id-github-vulnerability-scan" {
+ value = { "client-id" = module.github-workload-id.client-id }
+}
diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/variables.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/variables.tf
index be69aaf32..c2b911fb0 100644
--- a/terraform/subscriptions/s941/dev/vulnerability-scanner/variables.tf
+++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/variables.tf
@@ -12,3 +12,8 @@ variable "keyvault_dbadmin_secret_name" {
 type = string
 default = "radix-vulnerability-scan-db-admin"
 }
+
+variable "acr_name" {
+ type = string
+ default = "radixdev"
+}
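Review bot: The `github-pr` credential's `subject = "repo:equinor/radix-vulnerability-scanner:pull_request"` matches the token of any pull-request workflow run in that repository, so every PR run that has the id-token permission can act as this identity and use its `AcrPush` role on the registry before the change has been reviewed; binding it to a GitHub environment subject with required reviewers, or dropping it, is the safer shape (PATCH 3/3 does remove `github-release` and `github-pr` from this dev file, so this only bites if PATCH 1/3 is applied on its own). `resource_group_name = "common" # TODO: Fix module.config.common_resource_group` is also inconsistent with the key vault data source changed earlier in this same commit, which already reads `module.config.common_resource_group`; the same literal and TODO recur in the c2, prod and playground hunks of PATCH 3/3, so whatever blocks using the config value there is worth stating in the TODO. The issuer string is repeated three times; `locals { github_issuer = "https://token.actions.githubusercontent.com" }` would leave one copy to maintain.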
From 3383450130195b672ec9e45c1929cc1688aa6e6a Mon Sep 17 00:00:00 2001
From: Richard87
Date: Fri, 8 Mar 2024 14:25:20 +0100
Subject: [PATCH 2/3] set role to contributor for github action step
---
 .../subscriptions/s941/dev/vulnerability-scanner/main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
index fb0bc63b2..2f8f7c2e4 100644
--- a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
@@ -60,10 +60,10 @@ module "github-workload-id" {
 resource_group_name = module.resourcegroup.data.name
 location = module.resourcegroup.data.location
 roleassignments = {
- acr = {
- role = "AcrPush"
+ contributor = {
+ role = "Contributor" # Needed to open firewall
 scope_id = data.azurerm_container_registry.acr.id
- }
+ },
 }
 federated_credentials = {
 github-main = {
From 6475857358316f8f12fc0900d445b01662280ca1 Mon Sep 17 00:00:00 2001
From: Richard87
Date: Fri, 8 Mar 2024 15:48:43 +0100
Subject: [PATCH 3/3] update other envs
---
 .../s940/c2/vulnerability-scanner/main.tf | 28 +++++++++++++++
 .../c2/vulnerability-scanner/variables.tf | 5 +++
 .../s940/prod/vulnerability-scanner/main.tf | 28 +++++++++++++++
 .../prod/vulnerability-scanner/variables.tf | 5 +++
 .../s941/dev/vulnerability-scanner/main.tf | 20 +++--------
 .../dev/vulnerability-scanner/variables.tf | 5 ---
 .../playground/vulnerability-scanner/main.tf | 34 ++++++++++++++++---
 .../vulnerability-scanner/variables.tf | 5 +++
 8 files changed, 105 insertions(+), 25 deletions(-)
diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
index c6e11f4c9..bcd3e0ddd 100644
--- a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
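Review bot: `role = "Contributor"` on the registry gives the GitHub workflow's token management rights over the whole ACR (settings, network rules, webhooks, deletion), where the removed `AcrPush` only allowed pushing images, and at this commit the `github-pr` credential in the same module block (outside the hunk) still exists, so any pull-request run receives that role as well. If the workflow genuinely has to edit the registry network rules, a custom role limited to `Microsoft.ContainerRegistry/registries/write` plus the AcrPush data actions is narrower, and narrower still is keeping `AcrPush` and managing the allow-list entry from Terraform rather than from the workflow. The comment should name the concrete operation instead of `# Needed to open firewall`, e.g. `# Contributor rather than AcrPush: the workflow adds the runner IP to the registry network rules before pushing (see <ticket placeholder>)`. The trailing comma in `},` is legal HCL but differs from the other blocks in the file.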
@@ -46,6 +46,34 @@ module "mssql-database" {
 }
 }
 
+data "azurerm_container_registry" "acr" {
+ name = var.acr_name
+ resource_group_name = "common-westeurope" # TODO: Fix module.config.common_resource_group
+}
+
+module "github-workload-id" {
+ source = "../../../modules/userassignedidentity"
+ name = "radix-id-github-vulnerability-scan-${module.config.environment}"
+ resource_group_name = module.resourcegroup.data.name
+ location = module.resourcegroup.data.location
+ roleassignments = {
+ contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = data.azurerm_container_registry.acr.id
+ },
+ }
+ federated_credentials = {
+ github-release = {
+ name = "gh-radix-vulnerability-scan-acr-release-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release"
+ }
+ }
+}
+
 output "mi-client-id" {
 value = module.mssql-database.mi-admin
 }
+output "radix-id-github-vulnerability-scan" {
+ value = { "client-id" = module.github-workload-id.client-id }
+}
diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf
index 56b4edea4..b07ee0d97 100644
--- a/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf
+++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf
@@ -7,3 +7,8 @@ variable "keyvault_dbadmin_secret_name" {
 type = string
 default = "radix-vulnerability-scan-db-admin"
 }
+
+variable "acr_name" {
+ type = string
+ default = "radixc2prod"
+}
diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf
index ec7dbe761..22bf0da05 100644
--- a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf
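Review bot: The `data "azurerm_container_registry" "acr"` and `module "github-workload-id"` blocks here are a copy of the dev block from PATCH 1/3 and recur in the prod and playground hunks of this patch, and the copies have already drifted: `resource_group_name = "common-westeurope"` here versus `"common"` in the others, each carrying the same `# TODO: Fix module.config.common_resource_group`. Sourcing the registry name and resource group from `module.config` (the dev key vault data source already reads `module.config.common_resource_group`) or from one shared module would leave a single block to review per change. For this environment the only credential is the `release` branch ref, so whoever can update `release` in the repository can obtain the Contributor role on the registry; that reliance on branch protection is unstated and deserves a comment such as `# Trust relies on branch protection of release in equinor/radix-vulnerability-scanner`.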
@@ -47,6 +47,34 @@ module "mssql-database-platform" {
 }
 }
 
+data "azurerm_container_registry" "acr" {
+ name = var.acr_name
+ resource_group_name = "common" # TODO: Fix module.config.common_resource_group
+}
+
+module "github-workload-id" {
+ source = "../../../modules/userassignedidentity"
+ name = "radix-id-github-vulnerability-scan-${module.config.environment}"
+ resource_group_name = module.resourcegroup.data.name
+ location = module.resourcegroup.data.location
+ roleassignments = {
+ contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = data.azurerm_container_registry.acr.id
+ },
+ }
+ federated_credentials = {
+ github-release = {
+ name = "gh-radix-vulnerability-scan-acr-release-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release"
+ }
+ }
+}
+
 output "mi-client-id" {
 value = module.mssql-database-platform.mi-admin
 }
+output "radix-id-github-vulnerability-scan" {
+ value = { "client-id" = module.github-workload-id.client-id }
+}
diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf
index 058e077ea..b723a9700 100644
--- a/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf
+++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf
@@ -7,3 +7,8 @@ variable "keyvault_dbadmin_secret_name" {
 type = string
 default = "radix-vulnerability-scan-db-admin"
 }
+
+variable "acr_name" {
+ type = string
+ default = "radixprod"
+}
diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
index 2f8f7c2e4..3095d4746 100644
--- a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
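Review bot: The production registry receives a `Contributor` assignment reachable through `subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release"`, so the effective approval gate for managing the prod ACR is whatever governs pushes to the `release` branch. For production, a GitHub environment subject (`repo:equinor/radix-vulnerability-scanner:environment:<environment name placeholder>`) with required reviewers on that environment adds an explicit approval step that a branch ref does not; if the branch ref is kept, a comment recording that branch protection on `release` is relied upon would make the assumption visible to the next reader.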
@@ -1,13 +1,11 @@
+module "config" {
+ source = "../../../modules/config"
+}
 module "resourcegroup" {
 source = "../../../modules/resourcegroups"
- name = "${var.resourse_group_name}-${module.config.environment}"
+ name = "vulnerability-scan-${module.config.environment}"
 location = module.config.location
 }
-
-module "config" {
- source = "../../../modules/config"
-}
-
 data "azurerm_key_vault" "keyvault" {
 name = module.config.key_vault_name
 resource_group_name = module.config.common_resource_group
@@ -71,16 +69,6 @@ module "github-workload-id" {
 issuer = "https://token.actions.githubusercontent.com"
 subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/main"
 }
- github-release = {
- name = "gh-radix-vulnerability-scan-acr-release-${module.config.environment}"
- issuer = "https://token.actions.githubusercontent.com"
- subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release"
- }
- github-pr = {
- name = "gh-radix-vulnerability-scan-acr-pr-${module.config.environment}"
- issuer = "https://token.actions.githubusercontent.com"
- subject = "repo:equinor/radix-vulnerability-scanner:pull_request"
- }
 }
 }
 
diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/variables.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/variables.tf
index c2b911fb0..8ce61486b 100644
--- a/terraform/subscriptions/s941/dev/vulnerability-scanner/variables.tf
+++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/variables.tf
@@ -3,11 +3,6 @@ variable "admin-adgroup" {
 default = "Radix SQL server admin - dev"
 }
 
-variable "resourse_group_name" {
- type = string
- default = "vulnerability-scan"
-}
-
 variable "keyvault_dbadmin_secret_name" {
 type = string
 default = "radix-vulnerability-scan-db-admin"
diff --git a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
index e8774ac4e..3cee166a8 100644
--- a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
@@ -1,4 +1,3 @@
-
 module "config" {
 source = "../../../modules/config"
 }
@@ -7,7 +6,6 @@ module "resourcegroup" {
 name = "vulnerability-scan-${module.config.environment}"
 location = module.config.location
 }
-
 data "azurerm_key_vault" "keyvault" {
 name = module.config.key_vault_name
 resource_group_name = module.config.common_resource_group
@@ -21,10 +19,10 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
 module "mssql-database" {
 source = "../../../modules/mssqldatabase"
 env = module.config.environment
- managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}"
- managed_identity_server_name = "radix-id-vulnerability-scan-server-${module.config.environment}"
 database_name = "radix-vulnerability-scan"
 server_name = "sql-radix-vulnerability-scan-${module.config.environment}"
+ managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}"
+ managed_identity_server_name = "radix-id-vulnerability-scan-server-${module.config.environment}"
 audit_storageaccount_name = module.config.log_storageaccount_name
 admin_adgroup = var.admin-adgroup
 administrator_login = "radix"
@@ -48,6 +46,34 @@ module "mssql-database" {
 }
 }
 
+data "azurerm_container_registry" "acr" {
+ name = var.acr_name
+ resource_group_name = "common" # TODO: Fix module.config.common_resource_group
+}
+
+module "github-workload-id" {
+ source = "../../../modules/userassignedidentity"
+ name = "radix-id-github-vulnerability-scan-${module.config.environment}"
+ resource_group_name = module.resourcegroup.data.name
+ location = module.resourcegroup.data.location
+ roleassignments = {
+ contributor = {
+ role = "Contributor" # Needed to open firewall
+ scope_id = data.azurerm_container_registry.acr.id
+ },
+ }
+ federated_credentials = {
+ github-release = {
+ name = "gh-radix-vulnerability-scan-acr-release-${module.config.environment}"
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release"
+ }
+ }
+}
+
 output "mi-client-id" {
 value = module.mssql-database.mi-admin
 }
+output "radix-id-github-vulnerability-scan" {
+ value = { "client-id" = module.github-workload-id.client-id }
+}
diff --git a/terraform/subscriptions/s941/playground/vulnerability-scanner/variables.tf b/terraform/subscriptions/s941/playground/vulnerability-scanner/variables.tf
index e42cc4785..fae7b3be5 100644
--- a/terraform/subscriptions/s941/playground/vulnerability-scanner/variables.tf
+++ b/terraform/subscriptions/s941/playground/vulnerability-scanner/variables.tf
@@ -7,3 +7,8 @@ variable "keyvault_dbadmin_secret_name" {
 type = string
 default = "radix-vulnerability-scan-db-admin"
 }
+
+variable "acr_name" {
+ type = string
+ default = "radixdev"
+}