GithubHelp home page GithubHelp logo

caf-demo-lz's Introduction

CAF Demo Azure Landing Zone

Intro

This repo contains the terraform code to implement an Azure Landing Zone. The modules are developmed using the Microsoft Cloud Adoption Framework for Azure. To get more details follow the link: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/

This code is based on the terraform-azurerm-caf module: https://github.com/aztfmod/terraform-azurerm-caf

Development workspace requirements

  • Terraform
  • Visual Studio Code
  • Git Client
  • Azure CLI

Architecture

Devoteam CAF Terraform Module

See details: Lucid Chart

Resources naming convention

The naming convention of this project is based on the Cloud Adoption Framework for Azure - Terraform module, using the "azurecaf_name" resource, to configure a standard naming convention across the landing zones. See the documentation here.

Setup the Remote State

  • Create the service principal

  • Create the storage account to the remote state

  • Add the secrets values to the pipeline

  • Configure the Landing Zones .tfbackend files with the remote state backend configuration

To create a service principal with the necessary privileges, use these commands, first to create and give the Contributor role on the subscription:

az ad sp create-for-rbac --name "iaac-tf-sp" --role "Contributor" --scopes "/subscriptions/$subscriptionID"

The result:

{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "iaac-tf-sp",
  "password": "00000000000000000000000000000000",
  "tenant": "00000000-0000-0000-0000-000000000000"
}

PS: The 0s are to obfuscate the result.

Create the resource group
az group create --location $LOCATION --name $RESOURCE_GROUP_NAME
Create the storage account
az storage account create --name $ACCOUNT_NAME --resource-group $RESOURCE_GROUP_NAME --location $LOCATION
Create the container
az storage container create --name $ACCOUNT_NAME --account-name $ACCOUNT_NAME --resource-group $RESOURCE_GROUP_NAME

Setup the Landing Zone

Global Settings

The Global Settings are used to define the naming convention and global settings to create an standard across all the landing zones.

global_settings = {
  passthrough = false /* */
  inherit_tags = false /* */
  random_length = 0 /* The number of random characters attached to the resource name */
  prefix = "caf" /* The prefix used to name all resources */
  default_region = "region1" /* The Default Region Key */
  regions = {
    region1 = "westeurope" /* The Primary Region */
    region2 = "northeurope" /* The Secondary Region */
  }
}

Configure the Landing Zone

landingzone = {
  backend_type = "azurerm"
  key          = "connectivity"
  environment  = "production"
  tfstates = {
    /* Why ? - */
    current = {      
      storage_account_name = "uzexstconnctivityeoui"
      container_name       = "tfstate"
      resource_group_name  = "uzex-rg-caf-connectivity-syhw"
      key                  = "caf_connectivity.tfstate"      
    }
  }
}

The Terraform Pipelines

The Continuous Deployment workflow

CI/CD Workflow

The Pipelines are configured to run when a Pull Request is openend, and when the Merge is Approved to Main. The firts one to plan and validate and the second one to apply the changes.

Environment variables

To configure the ARM provider the service principal, tenant and subscription is necessary, and to use it on the pipeline the secrets on GitHub Action are needed:

Secrets

The Environment variables in the pipeline:

env:
  ARM_CLIENT_ID: ${{ secrets.AZURE_ARM_CLIENT_ID }}
  ARM_CLIENT_SECRET: ${{ secrets.AZURE_ARM_SECRET }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_LZ_NPROD_SUBSCRIPTION_ID }}
  ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
  AZURE_AD_SP_OBJECT_ID: ${{ secrets.AZURE_AD_SP_OBJECT_ID }}

Pipeline

The Terraform pipeline will plan and apply the infrastruture using CI/CD principles, the code of the Connectivity Landing Zone Pipeline demo is:

name: 'Connectivity Landing Zone'
on:
  push:      
    branches:
      - main
    paths:
      - '**/landingzones/core/connectivity/*.*' 
  pull_request:
    paths:
      - '**/landingzones/core/connectivity/*.*' 

permissions:
  contents: read
  pull-requests: write

env:
  ARM_CLIENT_ID: ${{ secrets.AZURE_ARM_CLIENT_ID }}
  ARM_CLIENT_SECRET: ${{ secrets.AZURE_ARM_SECRET }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_LZ_CONN_SUBSCRIPTION_ID }}
  ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
  AZURE_AD_SP_OBJECT_ID: ${{ secrets.AZURE_AD_SP_OBJECT_ID }}  

jobs:
  terraform:
    name: 'Terraform - Connectivity Landing Zone'
    runs-on: ubuntu-latest
    environment: non production      
    # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
    defaults:
      run:
        shell: bash

    steps:
    # Checkout the repository to the GitHub Actions runner
    - name: Checkout
      uses: actions/checkout@v3

    # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
    - name: Setup Terraform
      uses: hashicorp/setup-terraform@v1
      with:
        cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}

    # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
    - name: Terraform Format
      id: fmt
      run: terraform fmt -check
      working-directory: './src/devoteam-modules/dvt-caf-landingzones'

    - name: Terraform Init
      id: init
      run: terraform init -backend-config "../../landingzones/core/connectivity/connectivity.tfbackend" 
      working-directory: './src/devoteam-modules/dvt-caf-landingzones'

    # Generates an execution plan for Terraform
    - name: Terraform Plan
      id: plan
      run: |
        terraform plan -no-color -var-file "../../landingzones/global-settings.tfvars"  \
         -var-file "../../landingzones/core/connectivity/landingzone.tfvars" \
         -var-file "../../landingzones/core/connectivity/network_security.tfvars" \
         -var 'logged_aad_app_objectId=${{ env.AZURE_AD_SP_OBJECT_ID }}'  
      working-directory: './src/devoteam-modules/dvt-caf-landingzones'
      continue-on-error: true
      
    - name: Update Pull Request
      uses: actions/github-script@v6
      if: github.event_name == 'pull_request'
      env:
        PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
        script: |
          const output = `#### Terraform Format and Style  - \`${{ steps.fmt.outcome }}\`
          #### Terraform Initialization - \`${{ steps.init.outcome }}\`
          #### Terraform Plan - \`${{ steps.plan.outcome }}\`          

          <details><summary>Show Plan</summary>

          \`\`\`\n
          ${process.env.PLAN}
          \`\`\`

          </details>

          *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;

          github.rest.issues.createComment({
            issue_number: context.issue.number,
            owner: context.repo.owner,
            repo: context.repo.repo,
            body: output
          })

    - name: Terraform Apply
      id: apply
      if: github.ref == 'refs/heads/main' && github.event_name == 'push'
      run: |
        terraform apply -var-file "../../landingzones/global-settings.tfvars" \
        -var-file "../../landingzones/core/connectivity/landingzone.tfvars" \
        -var-file "../../landingzones/core/connectivity/network_security.tfvars" \
        -var 'logged_aad_app_objectId=${{ env.AZURE_AD_SP_OBJECT_ID }}' -auto-approve      
      working-directory: './src/devoteam-modules/dvt-caf-landingzones'

caf-demo-lz's People

Contributors

rafaelherik avatar vanroon avatar parsifal-m avatar

Watchers

avatar Gopal Ramachandran avatar Albert Tanure avatar Anand Lahoti avatar

Forkers

gielscharff-bt ravicheetiralatl

caf-demo-lz's Issues

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.