Privatelinks (#1469)

* Privatelinks

* Privatelinks

* Privatelinks

* Privatelinks

* Privatelinks

* Privatelinks

* radix-id-gitrunner

* updates

* Update terraform/subscriptions/s940/globals/common/main.tf

Co-authored-by: Richard Hagen <[email protected]>

* Update terraform/subscriptions/s940/c2/common/main.tf

Co-authored-by: Richard Hagen <[email protected]>

* Update terraform/subscriptions/s940/prod/common/main.tf

Co-authored-by: Richard Hagen <[email protected]>

* Update terraform/subscriptions/s941/dev/common/main.tf

Co-authored-by: Richard Hagen <[email protected]>

* Update terraform/subscriptions/s941/globals/common/main.tf

Co-authored-by: Richard Hagen <[email protected]>

* Update terraform/subscriptions/s941/playground/common/main.tf

Co-authored-by: Richard Hagen <[email protected]>

* updates

---------

Co-authored-by: Automatic Update <[email protected]>
Co-authored-by: Richard Hagen <[email protected]>

scripts/aks/c2.env

@@ -14,7 +14,7 @@ fi
 #######################################################################################
 ### AKS
 ###
-: ${KUBERNETES_VERSION:="1.29.2"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value.
+: ${KUBERNETES_VERSION:="1.29.8"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value.
 
 ARM_BOOTSTRAP_COUNT="1"
 ARM_DISK_SIZE="1023"

scripts/aks/development.env

@@ -16,7 +16,7 @@ fi
 #######################################################################################
 ### AKS
 ###
-: ${KUBERNETES_VERSION:="1.29.2"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value.
+: ${KUBERNETES_VERSION:="1.29.8"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value.
 ARM_BOOTSTRAP_COUNT="1"
 ARM_DISK_SIZE="1023"
 ARM_VM_SIZE="Standard_B4ps_v2"

scripts/aks/playground.env

@@ -14,7 +14,7 @@ fi
 #######################################################################################
 ### AKS
 ###
-: ${KUBERNETES_VERSION:="1.29.2"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value.
+: ${KUBERNETES_VERSION:="1.29.8"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value.
 ARM_BOOTSTRAP_COUNT="1"
 ARM_DISK_SIZE="1023"
 ARM_VM_SIZE="Standard_B8ps_v2"

scripts/aks/production.env

@@ -14,7 +14,7 @@ fi
 #######################################################################################
 ### AKS
 ###
-: ${KUBERNETES_VERSION:="1.29.2"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value.
+: ${KUBERNETES_VERSION:="1.29.8"} #Usage of Kubernetes version with parameters. If KUBERNETES_VERSION is passed as argument, it will be used and not be overwritten by entered current value.
 ARM_BOOTSTRAP_COUNT="1"
 ARM_DISK_SIZE="1023"
 ARM_VM_SIZE="Standard_E16ps_v5"

scripts/migrate.sh

@@ -687,6 +687,7 @@ WEB_COMPONENT="web"
 
 # Update replyUrls for those radix apps that require AD authentication
 printf "\nWaiting for web-console ingress to be ready so we can add replyUrl to web console aad app..."
+printf "\nIf this takes to long, you can try to restart the radix operator (kubectl rollout restart deployment radix-operator) in another console window"
 while [[ "$(kubectl get ingress $AUTH_PROXY_COMPONENT --namespace $WEB_CONSOLE_NAMESPACE 2>&1)" == *"Error"* ]]; do
     printf "."
     sleep 5

terraform/subscriptions/modules/storageaccount_global/output.tf

@@ -0,0 +1,4 @@
+output "id" {
+  description = "storageaccountid"
+  value       = azurerm_storage_account.storageaccount.id
+}

terraform/subscriptions/s940/c2/common/main.tf

@@ -143,6 +143,38 @@ module "radix-id-acr-workflows" {
   }
 }
 
+module "radix_id_gitrunner" {
+  source              = "../../../modules/userassignedidentity"
+  name                = "radix-id-gitrunner-${module.config.environment}"
+  resource_group_name = module.config.common_resource_group
+  location            = module.config.location
+  roleassignments = {
+    privatelink-contributor = {
+      role     = "Radix Privatelink rbac-${module.config.subscription_shortname}"
+      scope_id = "/subscriptions/${module.config.subscription}"
+    }
+    blob_contributor = {
+      role     = "Contributor" # Needed to open firewall
+      scope_id = "${module.config.backend.terraform_storage_id}"
+    }
+    storage_blob_contributor = {
+      role     = "Storage Blob Data Contributor" # Needed to read blobdata
+      scope_id = "${module.config.backend.terraform_storage_id}"
+    }
+    vnet_contributor = {
+      role     = "Contributor"
+      scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
+    }
+  }
+  federated_credentials = {
+    radix-id-gitrunner = {
+      name    = "radix-id-gitrunner-${module.config.environment}"
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix:environment:${module.config.environment}"
+    },
+  }
+}
+
 module "radix-cr-cicd" {
   source       = "../../../modules/app_registration"
   display_name = "radix-cr-cicd-${module.config.environment}"

terraform/subscriptions/s940/c2/config.yaml

@@ -8,4 +8,4 @@ backend:
   subscription_id:       "ded7ca41-37c8-4085-862f-b11d21ab341a"
   tenant_id:             "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
   ip_key_vault_id:       "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-c2/providers/Microsoft.KeyVault/vaults/radix-keyv-c2"
-
+  terraform_storage_id:  "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/s940-tfstate/providers/Microsoft.Storage/storageAccounts/s940radixinfra"

terraform/subscriptions/s940/globals/common/main.tf

@@ -1,3 +1,11 @@
+module "resourcegroups" {
+  for_each = toset(["common", "monitoring"])
+
+  source   = "../../../modules/resourcegroups"
+  name     = each.value
+  location = module.config.location
+}
+
 data "azurerm_subscription" "main" {
   subscription_id = module.config.subscription
 }
@@ -35,6 +43,37 @@ module "storageaccount" {
   log_analytics_id         = module.config.backend.log_analytics_workspace_id
 }
 
+resource "azurerm_role_definition" "privatelink_role" {
+  name        = "Radix Privatelink rbac-${module.config.environment}"
+  scope       = "/subscriptions/${module.config.subscription}"
+  description = "The role to manage Private Endpoints"
+
+  permissions {
+    actions = [
+      "Microsoft.Resources/deployments/*",
+      "Microsoft.Resources/subscriptions/resourceGroups/read",
+
+      "Microsoft.Network/privateEndpoints/read",
+      "Microsoft.Network/privateEndpoints/write",
+      "Microsoft.Network/privateEndpoints/delete",
+
+      "Microsoft.Network/virtualNetworks/read",
+      "Microsoft.Network/virtualNetworks/subnets/read",
+      "Microsoft.Network/virtualNetworks/subnets/write",
+      "Microsoft.Network/virtualNetworks/subnets/join/action",
+
+      // Persmissions to create Private DNS Zone entry:
+      "Microsoft.Network/privateDnsZones/join/action",
+      "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
+      "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
+      "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/delete",
+    ]
+  }
+  assignable_scopes = [
+    data.azurerm_subscription.main.id
+  ]
+}
+
 output "environment" {
   value = module.config.environment
 }

terraform/subscriptions/s940/globals/config.yaml

@@ -8,4 +8,4 @@ backend:
   subscription_id:       "ded7ca41-37c8-4085-862f-b11d21ab341a"
   tenant_id:             "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
   ip_key_vault_id:       "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-platform/providers/Microsoft.KeyVault/vaults/radix-keyv-platform"
-  log_analytics_workspace_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-platform/providers/Microsoft.OperationalInsights/workspaces/radix-logs-platform"
+  log_analytics_workspace_id: "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-platform/providers/Microsoft.OperationalInsights/workspaces/radix-logs-platform"

terraform/subscriptions/s940/prod/common/main.tf

@@ -141,6 +141,38 @@ module "radix-id-acr-workflows" {
   }
 }
 
+module "radix_id_gitrunner" {
+  source              = "../../../modules/userassignedidentity"
+  name                = "radix-id-gitrunner-${module.config.environment}"
+  resource_group_name = module.config.common_resource_group
+  location            = module.config.location
+  roleassignments = {
+    privatelink-contributor = {
+      role     = "Radix Privatelink rbac-${module.config.subscription_shortname}"
+      scope_id = "/subscriptions/${module.config.subscription}"
+    }
+    blob_contributor = {
+      role     = "Contributor" # Needed to open firewall
+      scope_id = "${module.config.backend.terraform_storage_id}"
+    }
+    storage_blob_contributor = {
+      role     = "Storage Blob Data Contributor" # Needed to read blobdata
+      scope_id = "${module.config.backend.terraform_storage_id}"
+    }
+    vnet_contributor = {
+      role     = "Contributor"
+      scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
+    }
+  }
+  federated_credentials = {
+    radix-id-gitrunner = {
+      name    = "radix-id-gitrunner-${module.config.environment}"
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix:environment:${module.config.environment}"
+    },
+  }
+}
+
 module "radix-cr-cicd" {
   source       = "../../../modules/app_registration"
   display_name = "radix-cr-cicd-${module.config.environment}"

terraform/subscriptions/s940/prod/config.yaml

@@ -8,4 +8,5 @@ backend:
   subscription_id:       "ded7ca41-37c8-4085-862f-b11d21ab341a"
   tenant_id:             "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
   ip_key_vault_id:       "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/common-platform/providers/Microsoft.KeyVault/vaults/radix-keyv-platform"
+  terraform_storage_id:  "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/s940-tfstate/providers/Microsoft.Storage/storageAccounts/s940radixinfra"
 

terraform/subscriptions/s940/prod/virtualnetwork/main.tf

@@ -2,12 +2,6 @@ module "config" {
   source = "../../../modules/config"
 }
 
-data "github_repository_file" "this" {
-  repository = "equinor/radix"
-  branch     = "main"
-  file       = "privatelinks/${module.config.environment}.yaml"
-}
-
 module "resourcegroups" {
   source   = "../../../modules/resourcegroups"
   name     = module.config.vnet_resource_group
@@ -103,16 +97,3 @@ output "public_ip_prefix_ids" {
     ingress_id = module.azurerm_public_ip_prefix_ingress.data.id
   }
 }
-
-module "private_endpoints" {
-  source              = "../../../modules/private-endpoints"
-  for_each            = yamldecode(data.github_repository_file.this.content)
-  server_name         = each.key
-  subresourcename     = each.value.subresourcename
-  resource_id         = each.value.resource_id
-  vnet_resource_group = module.resourcegroups.data.name
-  customdnszone       = lookup(each.value, "customdnszone", "")
-  customname          = lookup(each.value, "customname", "")
-  location            = module.config.location
-  depends_on          = [data.github_repository_file.this]
-}

terraform/subscriptions/s941/dev/common/github.tf

@@ -38,7 +38,6 @@ resource "azuread_application_federated_identity_credential" "github-operator-fe
   audiences      = ["api://AzureADTokenExchange"]
   issuer         = "https://token.actions.githubusercontent.com"
   subject        = "repo:equinor/radix-platform:environment:s941"
-
   timeouts {}
 }
 
@@ -49,6 +48,5 @@ resource "azuread_application_federated_identity_credential" "github-operator-fe
   audiences      = ["api://AzureADTokenExchange"]
   issuer         = "https://token.actions.githubusercontent.com"
   subject        = "repo:equinor/radix-platform:environment:operations"
-
   timeouts {}
 }

terraform/subscriptions/s941/dev/common/main.tf

@@ -136,6 +136,38 @@ module "radix-id-acr-workflows" {
   }
 }
 
+module "radix_id_gitrunner" {
+  source              = "../../../modules/userassignedidentity"
+  name                = "radix-id-gitrunner-${module.config.environment}"
+  resource_group_name = module.config.common_resource_group
+  location            = module.config.location
+  roleassignments = {
+    privatelink-contributor = {
+      role     = "Radix Privatelink rbac-${module.config.subscription_shortname}"
+      scope_id = "/subscriptions/${module.config.subscription}"
+    }
+    blob_contributor = {
+      role     = "Contributor" # Needed to open firewall
+      scope_id = "${module.config.backend.terraform_storage_id}"
+    }
+    storage_blob_contributor = {
+      role     = "Storage Blob Data Contributor" # Needed to read blobdata
+      scope_id = "${module.config.backend.terraform_storage_id}"
+    }
+    vnet_contributor = {
+      role     = "Contributor"
+      scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
+    }
+  }
+  federated_credentials = {
+    radix-id-gitrunner = {
+      name    = "radix-id-gitrunner-${module.config.environment}"
+      issuer  = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix:environment:${module.config.environment}"
+    },
+  }
+}
+
 module "radix-cr-cicd" {
   source       = "../../../modules/app_registration"
   display_name = "radix-cr-cicd-${module.config.environment}"

terraform/subscriptions/s941/dev/config.yaml

@@ -9,3 +9,4 @@ backend:
   subscription_id:       "16ede44b-1f74-40a5-b428-46cca9a5741b"
   tenant_id:             "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
   ip_key_vault_id:       "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/common-dev/providers/Microsoft.KeyVault/vaults/radix-keyv-dev"
+  terraform_storage_id:  "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/s941-tfstate/providers/Microsoft.Storage/storageAccounts/s941radixinfra"

terraform/subscriptions/s941/dev/virtualnetwork/main.tf

@@ -2,12 +2,6 @@ module "config" {
   source = "../../../modules/config"
 }
 
-data "github_repository_file" "this" {
-  repository = "equinor/radix"
-  branch     = "main"
-  file       = "privatelinks/${module.config.environment}.yaml"
-}
-
 module "resourcegroups" {
   source   = "../../../modules/resourcegroups"
   name     = module.config.vnet_resource_group
@@ -61,16 +55,3 @@ output "public_ip_prefix_ids" {
     ingress_id = module.azurerm_public_ip_prefix_ingress.data.id
   }
 }
-
-module "private_endpoints" {
-  source              = "../../../modules/private-endpoints"
-  for_each            = yamldecode(data.github_repository_file.this.content)
-  server_name         = each.key
-  subresourcename     = each.value.subresourcename
-  resource_id         = each.value.resource_id
-  vnet_resource_group = module.resourcegroups.data.name
-  customdnszone       = lookup(each.value, "customdnszone", "")
-  customname          = lookup(each.value, "customname", "")
-  location            = module.config.location
-  depends_on          = [data.github_repository_file.this]
-}