chore: unify ci workflow

malhussan · malhussan · commit 7d9c0b4840aa · 2024-05-07T12:05:38.000Z
- Use a shared workflow from shared-workflows repo
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
@@ -1,25 +1,9 @@
 name: Terraform CI
-
 on:
   push:
   merge_group:
     types: [checks_requested]
 
-
 jobs:
-  validate:
-    name: Validate
-    runs-on: ubuntu-latest
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v2
-
-    - uses: hashicorp/setup-terraform@v3
-      with:
-        terraform_version: ^1.1
-
-    - run: terraform init
-
-    - run: terraform validate
-
-    - run: terraform fmt -recursive -check
+  build:
+    uses: meshcloud/shared-workflows/.github/workflows/terraform-meshplatform-modules-build-workflow.yml@main
diff --git a/README.md b/README.md
@@ -29,17 +29,22 @@ To run this module, you need the following:
 
 2. Open a cloud shell.
 
-3. Download the example `main.tf` and `outputs.tf` files.
-
-    ```powershell
-    # Downloads main.tf and outputs.tf files into ~/terraform-azure-meshplatform
-    wget https://raw.githubusercontent.com/meshcloud/terraform-azure-meshplatform/main/examples/basic-azure-integration/main.tf -P ~/terraform-azure-meshplatform
-    wget https://raw.githubusercontent.com/meshcloud/terraform-azure-meshplatform/main/examples/basic-azure-integration/outputs.tf -P ~/terraform-azure-meshplatform
+3. Create a terraform file that calls this module and produces outputs. Similar to:
+
+    ```hcl
+    module "meshplatform" {
+      source = "git::https://github.com/meshcloud/terraform-azure-meshplatform.git"
+      # FILL INPUTS
+    }
+    output "meshplatform" {
+      sensitive = true
+      value     = module.meshplatform
+    }
     ```
 
-4. Open `~/terraform-azure-meshplatform/main.tf` with a text editor. Modify the module variables and Terraform state backend settings in the file.
+    > It is highly recommended to configure a [terraform backend](https://developer.hashicorp.com/terraform/language/settings/backends/configuration), otherwise you risk losing track of your applied resources.
 
-5. Execute the module.
+4. Execute the module.
 
     ```powershell
     # Changes into ~/terraform-azure-meshplatform and applies terraform
@@ -48,7 +53,7 @@ To run this module, you need the following:
     terraform apply
     ```
 
-6. Use the information from terraform output to configure the platform in meshStack.
+5. Use the information from terraform output to configure the platform in meshStack.
 
     ```sh
     # The JSON output contains sensitive values that must not be transmitted anywhere other then the platform config screen in meshStack.
@@ -79,12 +84,12 @@ To run this module, you need the following:
 > Until <https://github.com/hashicorp/terraform-provider-azurerm/issues/15211> is resolved, MCA service principal setup can only be done manually outside of terraform.
 
 1. Ensure you have permissions in the source AAD Tenant for granting access to the billing account used for subscription creation using the `Account Administrator` role
-1. Switch to the Tenant Directory that contains your Billing Account and follow the steps to [Register an Application](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application) and [Add Credentials](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-credentials). Make sure to copy down the **Directory (tenant) ID**, **Application (client) ID**, **Object ID** and the **App Secret** value that was generated. The App Secret is only visible during the creation process.
-2. You must grant the Enterprise Application permissions on the Billing Account, Billing Profile, or Invoice Section so that it can generate new subscriptions. Follow the steps in [this guide](https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/understand-mca-roles#manage-billing-roles-in-the-azure-portal) to grant the necessary permissions. You must grant one of the following permissions
+2. Switch to the Tenant Directory that contains your Billing Account and follow the steps to [Register an Application](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application) and [Add Credentials](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-credentials). Make sure to copy down the **Directory (tenant) ID**, **Application (client) ID**, **Object ID** and the **App Secret** value that was generated. The App Secret is only visible during the creation process.
+3. You must grant the Enterprise Application permissions on the Billing Account, Billing Profile, or Invoice Section so that it can generate new subscriptions. Follow the steps in [this guide](https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/understand-mca-roles#manage-billing-roles-in-the-azure-portal) to grant the necessary permissions. You must grant one of the following permissions
     - Billing Account or Billing Profile: Owner, Contributor
     - Invoice Section: Owner, Contributor, Azure Subscription Creator
-3. Write down the Billing Scope ID that looks something like this <samp>/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx</samp>
-4. Use the following information to configure the platform in meshStack
+4. Write down the Billing Scope ID that looks something like this <samp>/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx</samp>
+5. Use the following information to configure the platform in meshStack
     - Billing Scope
     - Destination Tenant ID
     - Source Tenant ID
@@ -126,6 +131,16 @@ provide the SPN with access to the function.
   ]
 ```
 
+## Contributing Guide
+
+Before opening a Pull Request, please do the following:
+
+1. Install [pre-commit](https://pre-commit.com/#install)
+
+   We use pre-commit to perform several terraform related tasks such as `terraform validate`, `terraform fmt`, and generating terraform docs with `terraform_docs`
+
+2. Execute `pre-commit install`: Hooks configured in `.pre-commit-config.yaml` will be executed automatically on commit. For manual execution, you can use `pre-commit run -a`.
+
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
diff --git a/default.nix b/default.nix
@@ -0,0 +1,35 @@
+{ pkgs ? import <nixpkgs> { }, system ? builtins.currentSystem }:
+
+let
+  # fake opentofu as terraform so that tools like terraform-docs pre-commit hook (which doesn't have tofu support)
+  # fall back to tofu
+  tofu_terraform =
+    pkgs.stdenv.mkDerivation {
+      name = "tofu-terraform";
+      phases = [ "installPhase" ];
+      installPhase = ''
+        mkdir -p $out/bin
+        echo '#!/usr/bin/env sh' > $out/bin/terraform
+        echo 'tofu $@' > $out/bin/terraform
+        chmod +x $out/bin/terraform
+      '';
+    };
+
+in
+
+pkgs.mkShell {
+  NIX_SHELL = "terraform-meshplatform-modules";
+  shellHook = ''
+    echo starting terraform-meshplatform-modules shell
+  '';
+
+  buildInputs = [
+    pkgs.pre-commit
+    pkgs.opentofu
+    pkgs.tflint
+    pkgs.terraform-docs
+
+    # fake tofu as terraform
+    tofu_terraform
+  ];
+}
diff --git a/modules/meshcloud-metering-service-principal/README.md b/modules/meshcloud-metering-service-principal/README.md
@@ -3,16 +3,17 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 2.18.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.3.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | > 1.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 2.46.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.81.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.18.0 |
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.3.0 |
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.46.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.81.0 |
+| <a name="provider_time"></a> [time](#provider\_time) | 0.11.1 |
 
 ## Modules
 
@@ -22,25 +23,26 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [azuread_application.meshcloud_metering](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/application) | resource |
-| [azuread_service_principal.meshcloud_metering](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal) | resource |
-| [azuread_application_password.application_pw](https://registry.terraform.io/providers/hashicorp/azuread/2.43.0/docs/resources/application_password) | resource |
-| [time_rotating.replicator_secret_rotation](https://registry.terraform.io/providers/hashicorp/time/0.9.1/docs/resources/rotating) | resource |
-| [azurerm_role_assignment.meshcloud_metering](https://registry.terraform.io/providers/hashicorp/azurerm/3.3.0/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.meshcloud_metering_cloud_inventory](https://registry.terraform.io/providers/hashicorp/azurerm/3.3.0/docs/resources/role_assignment) | resource |
-| [azurerm_role_definition.meshcloud_metering_cloud_inventory_role](https://registry.terraform.io/providers/hashicorp/azurerm/3.3.0/docs/resources/role_definition) | resource |
+| [azuread_application.meshcloud_metering](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/resources/application) | resource |
+| [azuread_application_federated_identity_credential.meshcloud_metering](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/resources/application_federated_identity_credential) | resource |
+| [azuread_application_password.application_pw](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/resources/application_password) | resource |
+| [azuread_service_principal.meshcloud_metering](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/resources/service_principal) | resource |
+| [azurerm_role_assignment.meshcloud_metering](https://registry.terraform.io/providers/hashicorp/azurerm/3.81.0/docs/resources/role_assignment) | resource |
+| [time_rotating.replicator_secret_rotation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_scope"></a> [scope](#input\_scope) | The scope to which Service Principal permissions should be assigned to. Usually this is the management group id of form `/providers/Microsoft.Management/managementGroups/<tenantId>` that sits atop the subscriptions. | `string` | n/a | yes |
-| <a name="input_service_principal_name_suffix"></a> [service\_principal\_name\_suffix](#input\_service\_principal\_name\_suffix) | Service principal name suffix. | `string` | n/a | yes |
+| <a name="input_assignment_scopes"></a> [assignment\_scopes](#input\_assignment\_scopes) | The scopes to which Service Principal permissions should be assigned to. Usually this is the management group id of form `/providers/Microsoft.Management/managementGroups/<tenantId>` that sits atop the subscriptions. | `list(string)` | n/a | yes |
+| <a name="input_create_password"></a> [create\_password](#input\_create\_password) | Create a password for the enterprise application. | `bool` | n/a | yes |
+| <a name="input_service_principal_name"></a> [service\_principal\_name](#input\_service\_principal\_name) | Service principal name. Must be unique per Entra ID. | `string` | n/a | yes |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack. | `object({ issuer = string, subject = string })` | `null` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
+| <a name="output_application_client_secret"></a> [application\_client\_secret](#output\_application\_client\_secret) | Client Secret Of the Application. |
 | <a name="output_credentials"></a> [credentials](#output\_credentials) | Service Principal application id and object id |
-| <a name="output_application_client_secret"></a> [application\_client\_secret](#output\_application\_client\_secret) | Password for the Service Principal. |
 <!-- END_TF_DOCS -->
diff --git a/modules/meshcloud-sso/README.md b/modules/meshcloud-sso/README.md
@@ -3,15 +3,15 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 2.18.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.3.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | > 1.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 2.46.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.81.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.18.0 |
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.46.0 |
 
 ## Modules
 
@@ -21,22 +21,24 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [azuread_application.meshcloud_sso](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/application) | resource |
-| [azuread_application_password.meshcloud_sso](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/application_password) | resource |
-| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/data-sources/application_published_app_ids) | data source |
-| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/data-sources/service_principal) | data source |
+| [azuread_app_role_assignment.meshcloud_sso_user_read](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/resources/app_role_assignment) | resource |
+| [azuread_application.meshcloud_sso](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/resources/application) | resource |
+| [azuread_application_password.meshcloud_sso](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/resources/application_password) | resource |
+| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/data-sources/application_published_app_ids) | data source |
+| [azuread_application_template.enterprise_app](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/data-sources/application_template) | data source |
+| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/data-sources/service_principal) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_meshstack_redirect_uri"></a> [meshstack\_redirect\_uri](#input\_meshstack\_redirect\_uri) | Redirect URI that will be provided by meshcloud. It is individual per meshStack. | `string` | n/a | yes |
-| <a name="input_service_principal_name_suffix"></a> [service\_principal\_name\_suffix](#input\_service\_principal\_name\_suffix) | Service principal name suffix. | `string` | n/a | yes |
+| <a name="input_meshstack_redirect_uri"></a> [meshstack\_redirect\_uri](#input\_meshstack\_redirect\_uri) | Redirect URI that was provided by meshcloud. It is individual per meshStack. | `string` | n/a | yes |
+| <a name="input_service_principal_name"></a> [service\_principal\_name](#input\_service\_principal\_name) | Service principal name. | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_app_registration"></a> [app\_registration](#output\_app\_registration) | Application registration application id and object id |
-| <a name="output_app_registration_client_secret"></a> [app\_registration\_client\_secret](#output\_app\_registration\_client\_secret) | Password for the application registration. |
+| <a name="output_application_client_secret"></a> [application\_client\_secret](#output\_application\_client\_secret) | Password for the application registration. |
+| <a name="output_credentials"></a> [credentials](#output\_credentials) | Service Principal application id and object id |
 <!-- END_TF_DOCS -->
diff --git a/modules/meshcloud-sso/module.tf b/modules/meshcloud-sso/module.tf
@@ -13,7 +13,7 @@ terraform {
 }
 //---------------------------------------------------------------------------
 // Queries Entra ID for information about well-known application IDs.
-// Retrieve details about the service principal 
+// Retrieve details about the service principal
 //---------------------------------------------------------------------------
 
 data "azuread_application_published_app_ids" "well_known" {}

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ terraform {`
`13`	`13`	`}`
`14`	`14`	`//---------------------------------------------------------------------------`
`15`	`15`	`// Queries Entra ID for information about well-known application IDs.`
`16`		`-// Retrieve details about the service principal`
	`16`	`+// Retrieve details about the service principal`
`17`	`17`	`//---------------------------------------------------------------------------`
`18`	`18`
`19`	`19`	`data "azuread_application_published_app_ids" "well_known" {}`