feat: include more examples with different use cases

malhussan · malhussan · commit c9ed4cc6f6d6 · 2022-02-23T16:52:36.000+01:00
diff --git a/README.md b/README.md
@@ -152,13 +152,13 @@ module "meshplatform" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_additional_permissions"></a> [additional\_permissions](#input\_additional\_permissions) | Additional Subscription-Level Permissions that the SPP needs | `list(string)` | `[]` | no |
-| <a name="input_additional_required_resource_accesses"></a> [additional\_required\_resource\_accesses](#input\_additional\_required\_resource\_accesses) | Additional AAD-Level Resource Accesses the customer needs | `list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))` | `[]` | no |
+| <a name="input_additional_permissions"></a> [additional\_permissions](#input\_additional\_permissions) | Additional Subscription-Level Permissions the SPP needs. | `list(string)` | `[]` | no |
+| <a name="input_additional_required_resource_accesses"></a> [additional\_required\_resource\_accesses](#input\_additional\_required\_resource\_accesses) | Additional AAD-Level Resource Accesses the replicator SPP needs. | `list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))` | `[]` | no |
 | <a name="input_idplookup_enabled"></a> [idplookup\_enabled](#input\_idplookup\_enabled) | Whether to create idplookup SPP or not. | `bool` | `true` | no |
 | <a name="input_kraken_enabled"></a> [kraken\_enabled](#input\_kraken\_enabled) | Whether to create kraken SPP or not. | `bool` | `true` | no |
 | <a name="input_mgmt_group_name"></a> [mgmt\_group\_name](#input\_mgmt\_group\_name) | The name or UUID of the Management Group. | `string` | n/a | yes |
 | <a name="input_replicator_enabled"></a> [replicator\_enabled](#input\_replicator\_enabled) | Whether to create replicator SPP or not. | `bool` | `true` | no |
-| <a name="input_spp_name_suffix"></a> [spp\_name\_suffix](#input\_spp\_name\_suffix) | Service principal name suffix. | `string` | n/a | yes |
+| <a name="input_spp_name_suffix"></a> [spp\_name\_suffix](#input\_spp\_name\_suffix) | Service principal name suffix. Make sure this is unique. | `string` | n/a | yes |
 | <a name="input_subscriptions"></a> [subscriptions](#input\_subscriptions) | The scope to which UAMI blueprint service principal role assignment is applied. | `list(any)` | `[]` | no |
 
 ## Outputs
diff --git a/examples/azure-integration-with-additional-resource-access/main.tf b/examples/azure-integration-with-additional-resource-access/main.tf
@@ -0,0 +1,34 @@
+# It is recommended to setup a backend to store the terraform state file
+# Removing the backend leads to terraform state output stored in the local filesystem.
+# See https://www.terraform.io/language/settings/backends for more details
+terraform {
+  backend "gcs" {
+    prefix = "meshplatforms/azure"
+    bucket = "my-terraform-states"
+  }
+}
+
+module "meshplatform" {
+  source = "git@github.com:meshcloud/terraform-azure-meshplatform.git"
+
+  spp_name_suffix = "<UNIQUE_NAME>"
+  mgmt_group_name = "<MANAGEMENT_GROUP_NAME>|<MANAGEMENT_GROUP_UUID>"
+
+  additional_required_resource_accesses = [
+    # The block below configures replicator access 
+    # to the app with id `fe81736c-99c6-4fca-8cc2-2818a2365451` with the appRole with id `e29066a1-ecb1-4a8e-af2d-1627fae35711`
+    #
+    # This example configures access to an azure function
+    {
+      resource_app_id = "fe81736c-99c6-4fca-8cc2-2818a2365451" # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application#resource_app_id
+      resource_accesses = [
+        # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application#resource_access
+        {
+          id   = "e29066a1-ecb1-4a8e-af2d-1627fae35711"
+          type = "Role"
+        },
+      ]
+    },
+  ]
+
+}
diff --git a/examples/azure-integration-with-additional-resource-access/outputs.tf b/examples/azure-integration-with-additional-resource-access/outputs.tf
@@ -0,0 +1,33 @@
+
+output "replicator_spp" {
+  description = "Replicator Service Principal."
+  value       = module.meshplatform.replicator_spp
+}
+
+output "replicator_spp_password" {
+  description = "Password for Replicator Service Principal."
+  value       = module.meshplatform.replicator_spp_password
+  sensitive   = true
+}
+
+output "kraken_spp" {
+  description = "Kraken Service Principal."
+  value       = module.meshplatform.kraken_spp
+}
+
+output "kraken_spp_password" {
+  description = "Password for Kraken Service Principal."
+  value       = module.meshplatform.kraken_spp_password
+  sensitive   = true
+}
+
+output "uami_blueprint_user_principal" {
+  description = "UAMI Blueprint Assignment Service Principal."
+  value       = module.meshplatform.uami_blueprint_user_principal
+}
+
+output "uami_blueprint_user_principal_password" {
+  description = "Password for UAMI Blueprint Assignment Service Principal."
+  value       = module.meshplatform.uami_blueprint_user_principal_password
+  sensitive   = true
+}
diff --git a/examples/azure-integration-with-uami-blueprint-user-principal/main.tf b/examples/azure-integration-with-uami-blueprint-user-principal/main.tf
@@ -0,0 +1,18 @@
+# It is recommended to setup a backend to store the terraform state file
+# Removing the backend leads to terraform state output stored in the local filesystem.
+# See https://www.terraform.io/language/settings/backends for more details
+terraform {
+  backend "gcs" {
+    prefix = "meshplatforms/azure"
+    bucket = "my-terraform-states"
+  }
+}
+
+module "meshplatform" {
+  source = "git@github.com:meshcloud/terraform-azure-meshplatform.git"
+
+  spp_name_suffix = "<UNIQUE_NAME>"
+  mgmt_group_name = "<MANAGEMENT_GROUP_NAME>|<MANAGEMENT_GROUP_UUID>"
+
+  subscriptions = ["<SUBSCRIPTION_ID>"]
+}
diff --git a/examples/azure-integration-with-uami-blueprint-user-principal/outputs.tf b/examples/azure-integration-with-uami-blueprint-user-principal/outputs.tf
@@ -0,0 +1,32 @@
+output "replicator_spp" {
+  description = "Replicator Service Principal."
+  value       = module.meshplatform.replicator_spp
+}
+
+output "replicator_spp_password" {
+  description = "Password for Replicator Service Principal."
+  value       = module.meshplatform.replicator_spp_password
+  sensitive   = true
+}
+
+output "kraken_spp" {
+  description = "Kraken Service Principal."
+  value       = module.meshplatform.kraken_spp
+}
+
+output "kraken_spp_password" {
+  description = "Password for Kraken Service Principal."
+  value       = module.meshplatform.kraken_spp_password
+  sensitive   = true
+}
+
+output "uami_blueprint_user_principal" {
+  description = "UAMI Blueprint Assignment Service Principal."
+  value       = module.meshplatform.uami_blueprint_user_principal
+}
+
+output "uami_blueprint_user_principal_password" {
+  description = "Password for UAMI Blueprint Assignment Service Principal."
+  value       = module.meshplatform.uami_blueprint_user_principal_password
+  sensitive   = true
+}
diff --git a/examples/basic-azure-integration/main.tf b/examples/basic-azure-integration/main.tf
@@ -11,6 +11,7 @@ terraform {
 module "meshplatform" {
   source = "git@github.com:meshcloud/terraform-azure-meshplatform.git"
 
-  spp_name_suffix = "UNIQUE_NAME"
-  mgmt_group_name = "MANAGEMENT_GROUP_NAME|MANAGEMENT_GROUP_UUID"
+  spp_name_suffix = "<UNIQUE_NAME>"
+  mgmt_group_name = "<MANAGEMENT_GROUP_NAME>|<MANAGEMENT_GROUP_UUID>"
+
 }
diff --git a/examples/basic-azure-integration/outputs.tf b/examples/basic-azure-integration/outputs.tf
@@ -1,4 +1,3 @@
-
 output "replicator_spp" {
   description = "Replicator Service Principal."
   value       = module.meshplatform.replicator_spp
diff --git a/main.tf b/main.tf
@@ -31,8 +31,8 @@ module "replicator_spp" {
   spp_name_suffix = var.spp_name_suffix
   scope           = data.azurerm_management_group.root.id
 
-  additional_required_resource_accesses = []
-  additional_permissions                = []
+  additional_required_resource_accesses = var.additional_required_resource_accesses
+  additional_permissions                = var.additional_permissions
 }
 
 module "kraken_spp" {
diff --git a/modules/meshcloud-idp-lookup-spp/README.md b/modules/meshcloud-idp-lookup-spp/README.md
@@ -29,7 +29,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_scope"></a> [scope](#input\_scope) | The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions | `string` | n/a | yes |
+| <a name="input_scope"></a> [scope](#input\_scope) | The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions. | `string` | n/a | yes |
 | <a name="input_spp_name_suffix"></a> [spp\_name\_suffix](#input\_spp\_name\_suffix) | Service principal name suffix. | `string` | n/a | yes |
 
 ## Outputs
diff --git a/modules/meshcloud-idp-lookup-spp/variables.tf b/modules/meshcloud-idp-lookup-spp/variables.tf
@@ -5,5 +5,5 @@ variable "spp_name_suffix" {
 
 variable "scope" {
   type        = string
-  description = "The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions"
+  description = "The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions."
 }
diff --git a/modules/meshcloud-kraken-spp/README.md b/modules/meshcloud-kraken-spp/README.md
@@ -33,7 +33,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_scope"></a> [scope](#input\_scope) | The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions | `string` | n/a | yes |
+| <a name="input_scope"></a> [scope](#input\_scope) | The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions. | `string` | n/a | yes |
 | <a name="input_spp_name_suffix"></a> [spp\_name\_suffix](#input\_spp\_name\_suffix) | Service principal name suffix. | `string` | n/a | yes |
 
 ## Outputs
diff --git a/modules/meshcloud-kraken-spp/variables.tf b/modules/meshcloud-kraken-spp/variables.tf
@@ -5,5 +5,5 @@ variable "spp_name_suffix" {
 
 variable "scope" {
   type        = string
-  description = "The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions"
+  description = "The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions."
 }
diff --git a/modules/meshcloud-replicator-spp/README.md b/modules/meshcloud-replicator-spp/README.md
@@ -32,9 +32,9 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_additional_permissions"></a> [additional\_permissions](#input\_additional\_permissions) | Additional Subscription-Level Permissions that the SPP needs | `list(string)` | `[]` | no |
-| <a name="input_additional_required_resource_accesses"></a> [additional\_required\_resource\_accesses](#input\_additional\_required\_resource\_accesses) | Additional AAD-Level Resource Accesses the customer needs | `list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))` | `[]` | no |
-| <a name="input_scope"></a> [scope](#input\_scope) | The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions | `string` | n/a | yes |
+| <a name="input_additional_permissions"></a> [additional\_permissions](#input\_additional\_permissions) | Additional Subscription-Level Permissions the SPP needs. | `list(string)` | `[]` | no |
+| <a name="input_additional_required_resource_accesses"></a> [additional\_required\_resource\_accesses](#input\_additional\_required\_resource\_accesses) | Additional AAD-Level Resource Accesses the SPP needs. | `list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))` | `[]` | no |
+| <a name="input_scope"></a> [scope](#input\_scope) | The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions. | `string` | n/a | yes |
 | <a name="input_spp_name_suffix"></a> [spp\_name\_suffix](#input\_spp\_name\_suffix) | Service principal name suffix. | `string` | n/a | yes |
 
 ## Outputs
diff --git a/modules/meshcloud-replicator-spp/module.tf b/modules/meshcloud-replicator-spp/module.tf
@@ -84,23 +84,6 @@ resource "azuread_application" "meshcloud_replicator" {
     }
   }
 
-  # These configure additional required_resource_accesses that can be specified by the caller of the module
-  # They are useful if replicator needs resource access specifically scoped to a meshstack implementation (e.g. accessing an azure function)
-  # Example usage:
-  #
-  # additional_required_resource_accesses = [
-  #   
-  #   {
-  #     resource_app_id = "fe81736c-99c6-4fca-8cc2-2818a2365451"
-  #     resource_accesses = [
-  #       {
-  #         id   = "e29066a1-ecb1-4a8e-af2d-1627fae35711" # Access (SPP-Access)
-  #         type = "Role"
-  #       },
-  #     ]
-  #   },
-  # ]
-
   dynamic "required_resource_access" {
     for_each = var.additional_required_resource_accesses
 
diff --git a/modules/meshcloud-replicator-spp/variables.tf b/modules/meshcloud-replicator-spp/variables.tf
@@ -5,17 +5,17 @@ variable "spp_name_suffix" {
 
 variable "scope" {
   type        = string
-  description = "The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions"
+  description = "The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions."
 }
 
 variable "additional_required_resource_accesses" {
   type        = list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))
   default     = []
-  description = "Additional AAD-Level Resource Accesses the customer needs"
+  description = "Additional AAD-Level Resource Accesses the SPP needs."
 }
 
 variable "additional_permissions" {
   type        = list(string)
   default     = []
-  description = "Additional Subscription-Level Permissions that the SPP needs"
+  description = "Additional Subscription-Level Permissions the SPP needs."
 }
diff --git a/variables.tf b/variables.tf
@@ -1,6 +1,6 @@
 variable "spp_name_suffix" {
   type        = string
-  description = "Service principal name suffix."
+  description = "Service principal name suffix. Make sure this is unique."
 }
 
 variable "mgmt_group_name" {
@@ -31,16 +31,19 @@ variable "idplookup_enabled" {
   description = "Whether to create idplookup SPP or not."
 }
 
+# additional_required_resource_accesses are useful if replicator needs 
+# resource access specifically scoped to a meshstack implementation (e.g. accessing an azure function)
+# For an example usage, see https://github.com/meshcloud/terraform-azure-meshplatform/tree/main/examples/azure-integration-with-additional-resource-access
 variable "additional_required_resource_accesses" {
   type        = list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))
   default     = []
-  description = "Additional AAD-Level Resource Accesses the customer needs"
+  description = "Additional AAD-Level Resource Accesses the replicator SPP needs."
 }
 
 variable "additional_permissions" {
   type        = list(string)
   default     = []
-  description = "Additional Subscription-Level Permissions that the SPP needs"
+  description = "Additional Subscription-Level Permissions the SPP needs."
 }
 
 variable "subscriptions" {

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ terraform {`
`11`	`11`	`module "meshplatform" {`
`12`	`12`	`source = "git@github.com:meshcloud/terraform-azure-meshplatform.git"`
`13`	`13`
`14`		`- spp_name_suffix = "UNIQUE_NAME"`
`15`		`- mgmt_group_name = "MANAGEMENT_GROUP_NAME\|MANAGEMENT_GROUP_UUID"`
	`14`	`+ spp_name_suffix = "<UNIQUE_NAME>"`
	`15`	`+ mgmt_group_name = "<MANAGEMENT_GROUP_NAME>\|<MANAGEMENT_GROUP_UUID>"`
	`16`	`+`
`16`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`		`-`
`2`	`1`	`output "replicator_spp" {`
`3`	`2`	`description = "Replicator Service Principal."`
`4`	`3`	`value = module.meshplatform.replicator_spp`
Original file line number	Diff line number	Diff line change
`@@ -31,8 +31,8 @@ module "replicator_spp" {`
`31`	`31`	`spp_name_suffix = var.spp_name_suffix`
`32`	`32`	`scope = data.azurerm_management_group.root.id`
`33`	`33`
`34`		`- additional_required_resource_accesses = []`
`35`		`- additional_permissions = []`
	`34`	`+ additional_required_resource_accesses = var.additional_required_resource_accesses`
	`35`	`+ additional_permissions = var.additional_permissions`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`module "kraken_spp" {`
Original file line number	Diff line number	Diff line change
`@@ -5,5 +5,5 @@ variable "spp_name_suffix" {`
`5`	`5`
`6`	`6`	`variable "scope" {`
`7`	`7`	`type = string`
`8`		`- description = "The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions"`
	`8`	`+ description = "The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions."`
`9`	`9`	`}`