Merge pull request #51 from meshcloud/feature/github-actions-terraform-data

Feature/GitHub actions terraform data

Author: florianow

modules/azure/github-actions-terraform-setup/backplane/outputs.tf

@@ -12,6 +12,7 @@ ARM_CLIENT_SECRET   = "${azuread_service_principal_password.starterkit.value}"
 
 # The Role definition ID to assign to the GitHub Actions App Service Managed Identity. This is used to deploy resources via Terraform.
 
+role_definition_display_name = "${azuread_service_principal.starterkit.display_name}-deploy"
 var.deploy_role_definition_id = "${azurerm_role_definition.starterkit_deploy.role_definition_id}"
 
 EOF

modules/azure/github-actions-terraform-setup/buildingblock/README.md

@@ -9,7 +9,11 @@ description: |
 # Azure GitHub Actions Terraform Setup
 
 ## Structure of this Kit module
-This kit module consists of three components, each enabling the deployment of the next. It serves as the foundational building block — a Terraform module that defines an instance of the starter kit for a specific application team. This includes setting up a GitHub repository and a GitHub Actions pipeline.
+This kit module consists of four components, each enabling the deployment of the next. It serves as the foundational building block — a Terraform module that defines an instance of the starter kit for a specific application team.
+This includes setting up a GitHub repository and configuring a GitHub Actions pipeline.
+
+For the deployment of a role_assignment required by the GitHub pipeline, we use a helper or pre-executed building block. This step is performed before the main building block is executed. The challenge is that the login context must be refreshed —
+a separate login is required to run the automation correctly. This preliminary building block is located in the buildingblock/pre_role_assignment directory.
 
 For more information, refer to the backplane documentation of the [Azure GitHub Actions Terraform Setup Module](https://github.com/meshcloud/meshstack-hub/modules/azure/github-actions-terraform-setup/backplane/README.md).
 
@@ -40,7 +44,6 @@ No modules.
 | [azurerm_role_assignment.ghactions_app](https://registry.terraform.io/providers/hashicorp/azurerm/4.4.0/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.ghactions_register](https://registry.terraform.io/providers/hashicorp/azurerm/4.4.0/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.project_admins_blobs](https://registry.terraform.io/providers/hashicorp/azurerm/4.4.0/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.starterkit_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/4.4.0/docs/resources/role_assignment) | resource |
 | [azurerm_role_definition.ghactions](https://registry.terraform.io/providers/hashicorp/azurerm/4.4.0/docs/resources/role_definition) | resource |
 | [azurerm_role_definition.ghactions_register](https://registry.terraform.io/providers/hashicorp/azurerm/4.4.0/docs/resources/role_definition) | resource |
 | [azurerm_storage_account.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/4.4.0/docs/resources/storage_account) | resource |

modules/azure/github-actions-terraform-setup/buildingblock/logo.png

@@ -1,26 +1,12 @@
 # note: this building block is expected to be executed with pre configured output by the "backplane" module in the
 # parent dir, this needs to provided in the BB execution enviornment
+#
+# additionaly:
+# there is pre_role_assignemnt Building Block which is expected to be executed before this BB
 
 data "azurerm_subscription" "current" {}
 data "azuread_client_config" "current" {}
 
-# note: it's important that all other azure resources transitively depend on this role assignment or else they will fail
-resource "azurerm_role_assignment" "starterkit_deploy" {
-  # since the role is defined on MG level, we need to prefix the subscription id here to make terraform happy and not plan replacements
-  # see https://github.com/hashicorp/terraform-provider-azurerm/issues/19847#issuecomment-1407262429
-  role_definition_id = "${data.azurerm_subscription.current.id}/providers/Microsoft.Authorization/roleDefinitions/${var.deploy_role_definition_id}"
-
-  description  = "Grant permissions to deploy a starterkit building block."
-  principal_id = data.azuread_client_config.current.object_id
-  scope        = data.azurerm_subscription.current.id
-}
-
-resource "time_sleep" "wait" {
-  depends_on = [azurerm_role_assignment.starterkit_deploy]
-
-  create_duration = "2m"
-}
-
 #
 # configure developer access
 #

modules/azure/github-actions-terraform-setup/buildingblock/main.tf

@@ -0,0 +1,54 @@
+---
+name: Role Assignments for GitHub Actions Terraform Setup
+supportedPlatforms:
+  - azure
+description: |
+  Helper building block used to assign the necessary Azure roles
+---
+
+# Role Assignments for GitHub Actions Terraform Setup
+
+This Terraform module is a helper building block used to assign the necessary Azure roles to the GitHub Actions pipeline **before** the main starter kit
+module is executed.
+
+## Purpose
+
+The GitHub Actions pipeline requires specific permissions to deploy resources. Since these permissions must exist prior to running the main automation,
+this module ensures that the correct `role_assignment` is created in advance.
+
+## Usage Context
+
+Due to changes in the access context after assigning roles, the automation must **re-authenticate** with a fresh login before proceeding with the main building block.
+This module should therefore be executed as a separate step at the beginning of the deployment flow.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 3.0.2 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 4.4.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_role_assignment.starterkit_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/4.4.0/docs/resources/role_assignment) | resource |
+| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/client_config) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/4.4.0/docs/data-sources/subscription) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_deploy_role_definition_id"></a> [deploy\_role\_definition\_id](#input\_deploy\_role\_definition\_id) | Role definition ID to assign to the GitHub Actions App Service Managed Identity. This is used to deploy resources via Terraform. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

modules/azure/github-actions-terraform-setup/buildingblock/pre_role_assignment/README.md

@@ -0,0 +1,16 @@
+# note: this building block is expected to be executed with pre configured output by the "backplane" module in the
+# parent dir, this needs to provided in the BB execution enviornment
+
+data "azurerm_subscription" "current" {}
+data "azuread_client_config" "current" {}
+
+# note: it's important that all other azure resources transitively depend on this role assignment or else they will fail
+resource "azurerm_role_assignment" "starterkit_deploy" {
+  # since the role is defined on MG level, we need to prefix the subscription id here to make terraform happy and not plan replacements
+  # see https://github.com/hashicorp/terraform-provider-azurerm/issues/19847#issuecomment-1407262429
+  role_definition_id = "${data.azurerm_subscription.current.id}/providers/Microsoft.Authorization/roleDefinitions/${var.deploy_role_definition_id}"
+
+  description  = "Grant permissions to deploy a starterkit building block."
+  principal_id = data.azuread_client_config.current.object_id
+  scope        = data.azurerm_subscription.current.id
+}

modules/azure/github-actions-terraform-setup/buildingblock/pre_role_assignment/logo.png

@@ -0,0 +1 @@
+

modules/azure/github-actions-terraform-setup/buildingblock/pre_role_assignment/main.tf

@@ -0,0 +1,13 @@
+provider "azurerm" {
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false # This allows the deletion of the building block without having to separately delete the app resources
+    }
+  }
+
+  resource_provider_registrations = "extended"
+
+  storage_use_azuread = true
+}
+
+provider "azuread" {}

modules/azure/github-actions-terraform-setup/buildingblock/pre_role_assignment/outputs.tf

@@ -0,0 +1,4 @@
+variable "deploy_role_definition_id" {
+  type        = string
+  description = "Role definition ID to assign to the GitHub Actions App Service Managed Identity. This is used to deploy resources via Terraform."
+}