feat: restructure module GitHub Actions Terraform Setup

feat: restructure module GitHub Actions Terraform Setup

feat: restructure module GitHub Actions Terraform Setup

feat: restructure module GitHub Actions Terraform Setup

feat: restructure module GitHub Actions Terraform Setup

feat: restructure module GitHub Actions Terraform Setup

feat: restructure module GitHub Actions Terraform Setup

feat: restructure module GitHub Actions Terraform Setup

Author: florianow

modules/azure/github-actions-terraform-setup/backplane/documentation.tf

@@ -18,7 +18,7 @@ on the cloud quickly.
 The easiest way to get started with a Starter Kit is to search for "Starter Kit" in the Likvid Bank Cloud Portal
 Marketplace and let the portal help you add it to a Sandbox Subscription (or create a new one if you don't have one yet).
 
-Starter Kits will create a (private) GitHub repository for you in our [GitHub Organization](https://github.com/${var.github_org}).
+Starter Kits will create a (private) GitHub repository for you in our [GitHub Organization](https://github.com/your_github_org).
 You will find the URL for your repository in the Starter Kit building block output tab. Please review the `README.md`
 of that repository for further instructions and inspiration for working with the starter kit.
 

modules/azure/github-actions-terraform-setup/backplane/outputs.tf

@@ -1,44 +1,25 @@
-output "config_tf" {
+output "provider_config" {
   description = "Generates a config.tf that can be dropped into meshStack's BuildingBlockDefinition as an encrypted file input to configure this building block."
   sensitive   = true
   value       = <<EOF
-provider "github" {
-  owner = "${var.github_org}"
 
-  app_auth {
-    id              = "${var.github_app_id}"
-    installation_id = "${var.github_app_installation_id}"
+use following Environment variables to configure your Terraform AZURERM Provider:
 
-    # TODO: ensure the pem file exists on disk in the BB execution environment (with meshStack: secret file input)
-    pem_file = file("./github-app.private-key.pem")
-  }
+  ARM_TENANT_ID       = "${data.azurerm_subscription.current.tenant_id}"
+  ARM_SUBSCRIPTION_ID = "USE THE PLATFORM TENANT ID"
+  ARM_CLIENT_ID       = "${azuread_service_principal.starterkit.client_id}"
+  ARM_CLIENT_SECRET   = "${azuread_service_principal_password.starterkit.value}"
 }
 
-provider "azurerm" {
-  features {
-    resource_group {
-      prevent_deletion_if_contains_resources = false # This allows the deletion of the building block without having to separately delete the app resources
-    }
-  }
+use following Environment variables to configure your Terraform AZUREAD Provider:
 
-  resource_provider_registrations = "core"
-
-  storage_use_azuread        = true
-
-  tenant_id       = "${data.azurerm_subscription.current.tenant_id}"
-  subscription_id = var.subscription_id
-  client_id       = "${azuread_service_principal.starterkit.client_id}"
-  client_secret   = "${azuread_service_principal_password.starterkit.value}"
+  ARM_TENANT_ID       = "${data.azurerm_subscription.current.tenant_id}"
+  ARM_CLIENT_ID       = "${azuread_service_principal.starterkit.client_id}"
+  ARM_CLIENT_SECRET   = "${azuread_service_principal_password.starterkit.value}"
 }
-
-locals {
-  deploy_role_definition_id = "${azurerm_role_definition.starterkit_deploy.role_definition_id}"
+EOF
 }
 
-provider "azuread" {
-  tenant_id       = "${data.azurerm_subscription.current.tenant_id}"
-  client_id       = "${azuread_service_principal.starterkit.client_id}"
-  client_secret   = "${azuread_service_principal_password.starterkit.value}"
-}
-EOF
+output "deploy_role_definition_id" {
+  value = azurerm_role_definition.starterkit_deploy.role_definition_id
 }

modules/azure/github-actions-terraform-setup/backplane/variables.tf

@@ -14,21 +14,3 @@ variable "scope" {
   nullable    = false
   description = "Scope where the building block should be deployable, typically a Sandbox Landing Zone Management Group"
 }
-
-# unfortunately we can't set up the app via terraform right now, so we need to manually set this up
-# outside of terraform an inject result as vars
-
-variable "github_app_id" {
-  type        = number
-  description = "id of your GitHub App"
-}
-
-variable "github_app_installation_id" {
-  type        = number
-  description = "id of your GitHub App installation as it appears in URLs on GitHub.com"
-}
-
-variable "github_org" {
-  type        = string
-  description = "id of your GitHub organization as it appears in URLs on GitHub.com"
-}

modules/azure/github-actions-terraform-setup/buildingblock/README.md

@@ -0,0 +1,37 @@
+---
+name: Azure GitHub Actions Terraform Setup
+supportedPlatforms:
+  - azure
+description: |
+  Deploy directly to Azure using GitHub Actions and Terraform brought to you by meshStack
+---
+
+# Azure Key Vault
+
+This Terraform module provisions an Azure Key Vault along with necessary role assignments.
+
+
+## Requirements
+- Terraform `>= 1.0`
+- AzureRM Provider `>= 4.18.0`
+
+## Providers
+
+```hcl
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "4.18.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+```
+
+<!-- BEGIN_TF_DOCS -->
+
+<!-- END_TF_DOCS -->

modules/azure/github-actions-terraform-setup/buildingblock/main.tf

@@ -6,7 +6,7 @@ data "azuread_client_config" "current" {}
 resource "azurerm_role_assignment" "starterkit_deploy" {
   # since the role is defined on MG level, we need to prefix the subscription id here to make terraform happy and not plan replacements
   # see https://github.com/hashicorp/terraform-provider-azurerm/issues/19847#issuecomment-1407262429
-  role_definition_id = "${data.azurerm_subscription.current.id}/providers/Microsoft.Authorization/roleDefinitions/${local.deploy_role_definition_id}"
+  role_definition_id = "${data.azurerm_subscription.current.id}/providers/Microsoft.Authorization/roleDefinitions/${var.deploy_role_definition_id}"
 
   description  = "Grant permissions to deploy a starterkit building block."
   principal_id = data.azuread_client_config.current.object_id

modules/azure/github-actions-terraform-setup/buildingblock/provider.tf

@@ -0,0 +1,18 @@
+provider "github" {
+  app_auth {}
+  # using `GITHUB_APP_XXX` environment variables
+}
+
+provider "azurerm" {
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false # This allows the deletion of the building block without having to separately delete the app resources
+    }
+  }
+
+  resource_provider_registrations = "core"
+
+  storage_use_azuread = true
+}
+
+provider "azuread" {}

modules/azure/github-actions-terraform-setup/buildingblock/variables.tf

@@ -13,13 +13,17 @@ variable "project_identifier" {
 
 # this variable is supposed to be used by an injected config.tf file for configuring the azurerm provider
 # tflint-ignore: terraform_unused_declarations
-variable "subscription_id" {
-  type        = string
-  description = "The subscription id to which this building will be deployed."
-}
+# variable "subscription_id" {
+#   type        = string
+#   description = "The subscription id to which this building will be deployed."
+# }
 
 variable "location" {
   type    = string
   default = "westeurope"
 }
 
+variable "deploy_role_definition_id" {
+  type        = string
+  description = "Role definition ID to assign to the GitHub Actions App Service Managed Identity. This is used to deploy resources via Terraform."
+}