feat: restructure module GitHub Actions Terraform Setup

florianow · florianow · commit 66e6327690db · 2025-07-03T15:52:53.000+02:00
diff --git a/modules/azure/github-actions-terraform-setup/backplane/outputs.tf b/modules/azure/github-actions-terraform-setup/backplane/outputs.tf
@@ -1,44 +1,25 @@
-output "config_tf" {
+output "provider_config" {
   description = "Generates a config.tf that can be dropped into meshStack's BuildingBlockDefinition as an encrypted file input to configure this building block."
   sensitive   = true
   value       = <<EOF
-provider "github" {
-  owner = "${var.github_org}"
 
-  app_auth {
-    id              = "${var.github_app_id}"
-    installation_id = "${var.github_app_installation_id}"
+use following Environment variables to configure your Terraform AZURERM Provider:
 
-    # TODO: ensure the pem file exists on disk in the BB execution environment (with meshStack: secret file input)
-    pem_file = file("./github-app.private-key.pem")
-  }
+  ARM_TENANT_ID       = "${data.azurerm_subscription.current.tenant_id}"
+  ARM_SUBSCRIPTION_ID = "USE THE PLATFORM TENANT ID"
+  ARM_CLIENT_ID       = "${azuread_service_principal.starterkit.client_id}"
+  ARM_CLIENT_SECRET   = "${azuread_service_principal_password.starterkit.value}"
 }
 
-provider "azurerm" {
-  features {
-    resource_group {
-      prevent_deletion_if_contains_resources = false # This allows the deletion of the building block without having to separately delete the app resources
-    }
-  }
+use following Environment variables to configure your Terraform AZUREAD Provider:
 
-  resource_provider_registrations = "core"
-
-  storage_use_azuread        = true
-
-  tenant_id       = "${data.azurerm_subscription.current.tenant_id}"
-  subscription_id = var.subscription_id
-  client_id       = "${azuread_service_principal.starterkit.client_id}"
-  client_secret   = "${azuread_service_principal_password.starterkit.value}"
+  ARM_TENANT_ID       = "${data.azurerm_subscription.current.tenant_id}"
+  ARM_CLIENT_ID       = "${azuread_service_principal.starterkit.client_id}"
+  ARM_CLIENT_SECRET   = "${azuread_service_principal_password.starterkit.value}"
 }
-
-locals {
-  deploy_role_definition_id = "${azurerm_role_definition.starterkit_deploy.role_definition_id}"
+EOF
 }
 
-provider "azuread" {
-  tenant_id       = "${data.azurerm_subscription.current.tenant_id}"
-  client_id       = "${azuread_service_principal.starterkit.client_id}"
-  client_secret   = "${azuread_service_principal_password.starterkit.value}"
-}
-EOF
+output "deploy_role_definition_id" {
+  value = azurerm_role_definition.starterkit_deploy.role_definition_id
 }
diff --git a/modules/azure/github-actions-terraform-setup/buildingblock/README.md b/modules/azure/github-actions-terraform-setup/buildingblock/README.md
@@ -0,0 +1,37 @@
+---
+name: Azure GitHub Actions Terraform Setup
+supportedPlatforms:
+  - azure
+description: |
+  Deploy directly to Azure using GitHub Actions and Terraform brought to you by meshStack
+---
+
+# Azure Key Vault
+
+This Terraform module provisions an Azure Key Vault along with necessary role assignments.
+
+
+## Requirements
+- Terraform `>= 1.0`
+- AzureRM Provider `>= 4.18.0`
+
+## Providers
+
+```hcl
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "4.18.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+```
+
+<!-- BEGIN_TF_DOCS -->
+
+<!-- END_TF_DOCS -->
diff --git a/modules/azure/github-actions-terraform-setup/buildingblock/main.tf b/modules/azure/github-actions-terraform-setup/buildingblock/main.tf
@@ -6,7 +6,7 @@ data "azuread_client_config" "current" {}
 resource "azurerm_role_assignment" "starterkit_deploy" {
   # since the role is defined on MG level, we need to prefix the subscription id here to make terraform happy and not plan replacements
   # see https://github.com/hashicorp/terraform-provider-azurerm/issues/19847#issuecomment-1407262429
-  role_definition_id = "${data.azurerm_subscription.current.id}/providers/Microsoft.Authorization/roleDefinitions/${local.deploy_role_definition_id}"
+  role_definition_id = "${data.azurerm_subscription.current.id}/providers/Microsoft.Authorization/roleDefinitions/${var.deploy_role_definition_id}"
 
   description  = "Grant permissions to deploy a starterkit building block."
   principal_id = data.azuread_client_config.current.object_id
diff --git a/modules/azure/github-actions-terraform-setup/buildingblock/provider.tf b/modules/azure/github-actions-terraform-setup/buildingblock/provider.tf
@@ -0,0 +1,18 @@
+provider "github" {
+  app_auth {}
+  # using `GITHUB_APP_XXX` environment variables
+}
+
+provider "azurerm" {
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false # This allows the deletion of the building block without having to separately delete the app resources
+    }
+  }
+
+  resource_provider_registrations = "core"
+
+  storage_use_azuread = true
+}
+
+provider "azuread" {}
diff --git a/modules/azure/github-actions-terraform-setup/buildingblock/variables.tf b/modules/azure/github-actions-terraform-setup/buildingblock/variables.tf
@@ -23,3 +23,7 @@ variable "location" {
   default = "westeurope"
 }
 
+variable "deploy_role_definition_id" {
+  type        = string
+  description = "Role definition ID to assign to the GitHub Actions App Service Managed Identity. This is used to deploy resources via Terraform."
+}

Original file line number	Diff line number	Diff line change
`@@ -23,3 +23,7 @@ variable "location" {`
`23`	`23`	`default = "westeurope"`
`24`	`24`	`}`
`25`	`25`
	`26`	`+variable "deploy_role_definition_id" {`
	`27`	`+ type = string`
	`28`	`+ description = "Role definition ID to assign to the GitHub Actions App Service Managed Identity. This is used to deploy resources via Terraform."`
	`29`	`+}`