Initial terraform scripts for azure cncf subscription

Signed-off-by: Ritika Gupta <ritikagupta@microsoft.com>
kubernetes · Jul 11, 2024 · 69d1da4 · 69d1da4
1 parent f2b2e08
commit 69d1da4
Show file tree

Hide file tree

Showing 11 changed files with 333 additions and 0 deletions.
diff --git a/infra/azure/terraform/README.md b/infra/azure/terraform/README.md
@@ -0,0 +1,19 @@
+# infra/azure
+Terraform scripts and documentation for capz infrastructure that the Kubernetes community runs on Azure.
+The capz folder structure is formatted shown below:
+main.tf
+├── resource_group
+├── identities
+├── key_vault
+├── container_registry
+├── storage_account
+├── role_assignments
+├── variables
+
+# Prerequiste 
+The az-cli-prow service principal is required to be created by a tenant admin. Also to add a federated credentials for the prow ask a tenant admin or the SP admin. iam-config\param.json can be used for creating the fededrated credentials. 
+The service principal needs:
+- Contributor role access to the sub. 
+- Creation of a custom role to give write access
+- acrpush role for the registry 
+- Storage Blob Data Contributor role for Storage account
diff --git a/infra/azure/terraform/capz/container-registry/main.tf b/infra/azure/terraform/capz/container-registry/main.tf
@@ -0,0 +1,50 @@
+variable "resource_group_name" {
+  type = string
+}
+
+variable "location" {
+  type = string
+}
+
+resource "azurerm_container_registry" "capzci_registry" {
+  name                = "capzcicommunity"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  sku                 = "Standard"
+  anonymous_pull_enabled = true
+}
+
+resource "azurerm_management_lock" "registry_lock" {
+  name       = "DO-NOT_DELETE"
+  scope      = azurerm_container_registry.capzci_registry.id
+  lock_level = "CanNotDelete"
+  notes      = "Contact Capz"
+}
+
+resource "azurerm_container_registry_task" "registry_task" {
+  container_registry_id = azurerm_container_registry.capzci_registry.id
+  name                  = "midnight_capz_purge"
+  agent_setting {
+    cpu = 2
+  }
+  base_image_trigger {
+    name                        = "defaultBaseimageTriggerName"
+    type                        = "Runtime"
+    update_trigger_payload_type = "Default"
+  }
+  encoded_step {
+    task_content = "dmVyc2lvbjogdjEuMS4wCnN0ZXBzOiAKICAtIGNtZDogYWNyIHB1cmdlIC0tZmlsdGVyIGF6ZGlza3NjaGVkdWxlcmV4dGVuZGVyLWNzaTouKiAtLWZpbHRlciBhenVyZS1jbG91ZC1jb250cm9sbGVyLW1hbmFnZXI6LiogLS1maWx0ZXIgYXp1cmUtY2xvdWQtY29udHJvbGxlci1tYW5hZ2VyLWFybTouKiAtLWZpbHRlciBhenVyZS1jbG91ZC1jb250cm9sbGVyLW1hbmFnZXItYXJtNjQ6LiogLS1maWx0ZXIgYXp1cmUtY2xvdWQtbm9kZS1tYW5hZ2VyOi4qIC0tZmlsdGVyIGF6dXJlZGlzay1jc2k6LiogLS1maWx0ZXIgYXp1cmVmaWxlLWNzaTouKiAtLWZpbHRlciBjbHVzdGVyLWFwaS1henVyZS1jb250cm9sbGVyLWFtZDY0Oi4qIC0tZmlsdGVyIGNvbmZvcm1hbmNlOi4qIC0tZmlsdGVyIGt1YmUtYXBpc2VydmVyOi4qIC0tZmlsdGVyIGt1YmUtY29udHJvbGxlci1tYW5hZ2VyOi4qIC0tZmlsdGVyIGt1YmUtcHJveHk6LiogLS1maWx0ZXIga3ViZS1zY2hlZHVsZXI6LiogIC0tYWdvIDFkIC0tdW50YWdnZWQKICAgIGRpc2FibGVXb3JraW5nRGlyZWN0b3J5T3ZlcnJpZGU6IHRydWUKICAgIHRpbWVvdXQ6IDM2MDAK"
+  }
+  platform {
+    architecture = "amd64"
+    os           = "Linux"
+  }
+  timer_trigger {
+    name     = "t1"
+    schedule = "0 0 * * *"
+  }
+}
+
+output "container_registry_id" {
+  value = azurerm_container_registry.capzci_registry.id
+}
diff --git a/infra/azure/terraform/capz/identities/main.tf b/infra/azure/terraform/capz/identities/main.tf
@@ -0,0 +1,37 @@
+variable "resource_group_name" {
+  type = string
+}
+
+variable "location" {
+  type = string
+}
+
+resource "azurerm_user_assigned_identity" "cloud_provider_user_identity" {
+  name                = "cloud-provider-user-identity"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_user_assigned_identity" "domain_vm_identity" {
+  name                = "domain-vm-identity"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_user_assigned_identity" "gmsa_user_identity" {
+  name                = "gmsa-user-identity"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+}
+
+output "cloud_provider_user_identity_id" {
+  value = azurerm_user_assigned_identity.cloud_provider_user_identity.principal_id
+}
+
+output "domain_vm_identity_id" {
+  value = azurerm_user_assigned_identity.domain_vm_identity.principal_id
+}
+
+output "gmsa_user_identity_id" {
+  value = azurerm_user_assigned_identity.gmsa_user_identity.principal_id
+}
diff --git a/infra/azure/terraform/capz/key-vault/main.tf b/infra/azure/terraform/capz/key-vault/main.tf
@@ -0,0 +1,49 @@
+variable "resource_group_name" {
+  type = string
+}
+
+variable "location" {
+  type = string
+}
+
+variable "tenant_id" {
+  type = string
+}
+
+variable "identities" {
+  type = object({
+    cloud_provider_user_identity_id = string
+    domain_vm_identity_id           = string
+    gmsa_user_identity_id           = string
+  })
+}
+
+resource "azurerm_key_vault" "capz_ci_gmsa" {
+  name                = "capz-ci-gmsa-community"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  tenant_id           = var.tenant_id
+  sku_name            = "standard"
+}
+
+resource "azurerm_key_vault_access_policy" "access_policy_domain_vm_identity" {
+  key_vault_id = azurerm_key_vault.capz_ci_gmsa.id
+  tenant_id    = var.tenant_id
+  object_id    = var.identities.domain_vm_identity_id
+  secret_permissions = [
+    "Set"
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "access_policy_gmsa_user_identity" {
+  key_vault_id = azurerm_key_vault.capz_ci_gmsa.id
+  tenant_id    = var.tenant_id
+  object_id    = var.identities.gmsa_user_identity_id
+  secret_permissions = [
+    "Get"
+  ]
+}
+
+output "key_vault_id" {
+  value = azurerm_key_vault.capz_ci_gmsa.id
+}
diff --git a/infra/azure/terraform/capz/main.tf b/infra/azure/terraform/capz/main.tf
@@ -0,0 +1,63 @@
+provider "azurerm" {
+  features {}
+}
+
+# Data source to get the current client configuration
+data "azurerm_client_config" "current" {}
+
+# Import other files
+module "resource_group" {
+  source = "./resource-group"
+}
+
+# Import identities module
+module "identities" {
+  source              = "./identities"
+  resource_group_name = module.resource_group.name
+  location            = module.resource_group.location
+  depends_on = [module.resource_group]
+}
+
+# Import key vault module
+module "key_vault" {
+  source              = "./key-vault"
+  resource_group_name = module.resource_group.name
+  location            = module.resource_group.location
+  tenant_id           = data.azurerm_client_config.current.tenant_id  
+  identities = {
+    cloud_provider_user_identity_id = module.identities.cloud_provider_user_identity_id
+    domain_vm_identity_id           = module.identities.domain_vm_identity_id
+    gmsa_user_identity_id           = module.identities.gmsa_user_identity_id
+  }
+  depends_on = [module.resource_group]
+}
+
+# Import container registry module
+module "container_registry" {
+  source              = "./container-registry"
+  resource_group_name = module.resource_group.name
+  location            = module.resource_group.location
+  depends_on = [module.resource_group]
+}
+
+# Import storage account module
+module "storage_account" {
+  source              = "./storage-account"
+  resource_group_name = module.resource_group.name
+  location            = module.resource_group.location
+  depends_on = [module.resource_group]
+}
+
+# Import role assignments module
+module "role_assignments" {
+  source                   = "./role-assignments"
+  resource_group_name      = module.resource_group.name
+  container_registry_scope = module.container_registry.container_registry_id
+  storage_account_scope    = module.storage_account.storage_account_id
+  subscription_id          = data.azurerm_client_config.current.subscription_id 
+  depends_on = [
+    module.resource_group,
+    module.storage_account,
+    module.container_registry
+  ]
+}
diff --git a/infra/azure/terraform/capz/main.tfplan b/infra/azure/terraform/capz/main.tfplan
diff --git a/infra/azure/terraform/capz/resource-group/main.tf b/infra/azure/terraform/capz/resource-group/main.tf
@@ -0,0 +1,16 @@
+# Resource group for CAPZ CI resources
+resource "azurerm_resource_group" "capz_ci" {
+  location = var.location
+  name     = var.resource_group_name
+  tags = {
+    DO-NOT-DELETE = "contact capz"
+  }
+}
+
+output "name" {
+  value = azurerm_resource_group.capz_ci.name
+}
+
+output "location" {
+  value = azurerm_resource_group.capz_ci.location
+}
diff --git a/infra/azure/terraform/capz/resource-group/variables.tf b/infra/azure/terraform/capz/resource-group/variables.tf
@@ -0,0 +1,11 @@
+variable "location" {
+  type        = string
+  default     = "eastus"
+  description = "Location of the resource group."
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "The name of the resource group"
+  default     = "capz-ci"
+}
diff --git a/infra/azure/terraform/capz/role-assignments/main.tf b/infra/azure/terraform/capz/role-assignments/main.tf
@@ -0,0 +1,59 @@
+variable "resource_group_name" {
+  type = string
+}
+
+variable "container_registry_scope" {
+  type = string
+}
+
+variable "storage_account_scope" {
+  type = string
+}
+
+variable "subscription_id" {
+  type = string
+}
+
+data "azuread_service_principal" "az_service_principal" {
+  object_id = "8eb97873-17bb-46a5-aed9-1967d83ca7ca"
+}
+
+resource "azurerm_role_assignment" "rg_contributor" {
+  principal_id         = data.azuread_service_principal.az_service_principal.id
+  role_definition_name = "Contributor"
+  scope                = "/subscriptions/${var.subscription_id}"
+}
+
+resource "azurerm_role_assignment" "storage_blob_data_contributor" {
+  principal_id         = data.azuread_service_principal.az_service_principal.id
+  role_definition_name = "Storage Blob Data Contributor"
+  scope                = var.storage_account_scope
+}
+
+resource "azurerm_role_assignment" "acr_pull" {
+  principal_id         = data.azuread_service_principal.az_service_principal.id
+  role_definition_name = "AcrPull"
+  scope                = var.container_registry_scope
+}
+
+resource "azurerm_role_definition" "custom_role" {
+  name               = "WriteAccessOnly"
+  scope              = "/subscriptions/${var.subscription_id}"
+
+  permissions {
+    actions     = [
+      "Microsoft.Authorization/roleAssignments/write"
+    ]
+    not_actions = []
+  }
+
+  assignable_scopes = [
+    "/subscriptions/${var.subscription_id}"
+  ]
+}
+
+resource "azurerm_role_assignment" "sp_custom_role_assignment" {
+  principal_id         = data.azuread_service_principal.az_service_principal.id
+  role_definition_name = azurerm_role_definition.custom_role.name
+  scope                = "/subscriptions/${var.subscription_id}"
+}
diff --git a/infra/azure/terraform/capz/storage-account/main.tf b/infra/azure/terraform/capz/storage-account/main.tf
@@ -0,0 +1,21 @@
+variable "resource_group_name" {
+  type = string
+}
+
+variable "location" {
+  type = string
+}
+
+resource "azurerm_storage_account" "k8sprowstorage" {
+  name                             = "k8sprowstoragecomm"
+  location                         = var.location
+  resource_group_name              = var.resource_group_name
+  account_tier                     = "Standard"
+  min_tls_version                  = "TLS1_0"
+  account_replication_type         = "RAGRS"
+  cross_tenant_replication_enabled = true
+}
+
+output "storage_account_id" {
+  value = azurerm_storage_account.k8sprowstorage.id
+}
diff --git a/infra/azure/terraform/iam-config/param.json b/infra/azure/terraform/iam-config/param.json
@@ -0,0 +1,8 @@
+{
+    "name": "prow-identity-credential",
+    "issuer": "https://container.googleapis.com/v1/projects/k8s-infra-prow-build/locations/us-central1/clusters/prow-build",
+    "subject": "system:serviceaccount:test-pods:prowjob-default-sa",
+    "audiences": [
+        "api://AzureADTokenExchange"
+    ]
+}