ryan/DevOpsOpenHack
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add openhack files

Browse Source
This commit is contained in:
Ryan Peters
2022-11-03 16:41:13 -04:00
commit b2c9f7e29f
920 changed files with 118861 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
support/sqlsecretrotation/iac/terraform/deploy.sh Normal file
View File

@ -0,0 +1,94 @@
#!/bin/bash
declare LOCATION=$1
declare RESOURCES_PREFIX=$2
declare SECRET_NAME=$3
declare KEY_VAULT_RESOURCE_GROUP_NAME=$4
declare KEY_VAULT_NAME=$5
declare -r USAGE_HELP="Usage: ./deploy.sh <LOCATION> <RESOURCES_PREFIX> <SECRET_NAME> <KEY_VAULT_RESOURCE_GROUP_NAME> <KEY_VAULT_NAME>"
if [ $# -ne 5 ]; then
echo "${USAGE_HELP}"
exit 1
fi
# Check for programs
if ! [ -x "$(command -v az)" ]; then
echo "az is not installed!"
exit 1
elif ! [ -x "$(command -v terraform)" ]; then
echo "terraform is not installed!"
exit 1
fi
if [ -f "devvars.sh" ]; then
. devvars.sh
fi
export ARM_THREEPOINTZERO_BETA_RESOURCES=true
azure_login() {
_azuresp_json=$(cat azuresp.json)
export ARM_CLIENT_ID=$(echo "${_azuresp_json}" | jq -r ".clientId")
export ARM_CLIENT_SECRET=$(echo "${_azuresp_json}" | jq -r ".clientSecret")
export ARM_SUBSCRIPTION_ID=$(echo "${_azuresp_json}" | jq -r ".subscriptionId")
export ARM_TENANT_ID=$(echo "${_azuresp_json}" | jq -r ".tenantId")
az login --service-principal --username "${ARM_CLIENT_ID}" --password "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
az account set --subscription "${ARM_SUBSCRIPTION_ID}"
}
prepare_tfvars() {
echo "Generating tfvars..."
echo 'location = "'${LOCATION}'"' > terraform.tfvars
echo 'resources_prefix = "'${RESOURCES_PREFIX}'"' >> terraform.tfvars
echo 'secret_name = "'${SECRET_NAME}'"' >> terraform.tfvars
echo 'key_vault_resource_group_name = "'${KEY_VAULT_RESOURCE_GROUP_NAME}'"' >> terraform.tfvars
echo 'key_vault_name = "'${KEY_VAULT_NAME}'"' >> terraform.tfvars
terraform fmt
}
lint_terraform(){
terraform fmt -check
if [ $? -ne 0 ]; then
echo "Terraform files are not properly formatted!"
exit 1
fi
}
init_terrafrom() {
terraform init -backend-config=storage_account_name="${TFSTATE_STORAGE_ACCOUNT_NAME}" -backend-config=container_name="${TFSTATE_STORAGE_CONTAINER_NAME}" -backend-config=key="${TFSTATE_KEY_SECROT}" -backend-config=resource_group_name="${TFSTATE_RESOURCES_GROUP_NAME}"
}
init_terrafrom_local() {
terraform init -backend=false
}
validate_terraform(){
terraform validate
}
preview_terraform(){
terraform plan --detailed-exitcode
return $?
}
deploy_terraform(){
local _tfplan_exit_code=${1}
terraform apply --auto-approve
}
destroy_terraform(){
terraform destroy --auto-approve
}
prepare_tfvars
azure_login
lint_terraform
init_terrafrom
# init_terrafrom_local
validate_terraform
preview_terraform
deploy_terraform $?
# destroy_terraform

8
support/sqlsecretrotation/iac/terraform/locals.tf Normal file
View File

@ -0,0 +1,8 @@
locals {
suffix = "sqlsecrot"
resource_group_name = "${var.resources_prefix}${local.suffix}rg"
storage_account_name = "${var.resources_prefix}${local.suffix}st"
function_app_name = "${var.resources_prefix}${local.suffix}func"
app_service_plan_name = "${var.resources_prefix}${local.suffix}plan"
application_insights_name = "${var.resources_prefix}${local.suffix}appi"
}

132
support/sqlsecretrotation/iac/terraform/main.tf Normal file
View File

@ -0,0 +1,132 @@
data "azurerm_key_vault" "key_vault" {
name = var.key_vault_name
resource_group_name = var.key_vault_resource_group_name
}
resource "azurerm_resource_group" "resource_group" {
name = local.resource_group_name
location = var.location
lifecycle {
ignore_changes = [
tags
]
}
}
resource "azurerm_storage_account" "storage_account" {
name = local.storage_account_name
location = azurerm_resource_group.resource_group.location
resource_group_name = azurerm_resource_group.resource_group.name
account_tier = "Standard"
account_replication_type = "LRS"
min_tls_version = "TLS1_2"
enable_https_traffic_only = true
lifecycle {
ignore_changes = [
tags
]
}
}
resource "azurerm_application_insights" "application_insights" {
name = local.application_insights_name
location = azurerm_resource_group.resource_group.location
resource_group_name = azurerm_resource_group.resource_group.name
application_type = "web"
}
resource "azurerm_app_service_plan" "app_service_plan" {
name = local.app_service_plan_name
location = azurerm_resource_group.resource_group.location
resource_group_name = azurerm_resource_group.resource_group.name
kind = "FunctionApp"
sku {
tier = "Dynamic"
size = "Y1"
}
lifecycle {
ignore_changes = [
tags,
kind
]
}
}
resource "azurerm_function_app" "function_app" {
name = local.function_app_name
location = azurerm_resource_group.resource_group.location
resource_group_name = azurerm_resource_group.resource_group.name
app_service_plan_id = azurerm_app_service_plan.app_service_plan.id
storage_account_name = azurerm_storage_account.storage_account.name
storage_account_access_key = azurerm_storage_account.storage_account.primary_access_key
version = "~3"
https_only = true
app_settings = {
"APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.application_insights.instrumentation_key
"FUNCTIONS_WORKER_RUNTIME" = "dotnet"
}
identity {
type = "SystemAssigned"
}
site_config {
ftps_state = "Disabled"
dotnet_framework_version = "v4.0"
use_32_bit_worker_process = false
}
lifecycle {
ignore_changes = [
tags,
# app_settings["WEBSITE_ENABLE_SYNC_UPDATE_SITE"],
# app_settings["WEBSITE_RUN_FROM_PACKAGE"],
# app_settings["APPINSIGHTS_INSTRUMENTATIONKEY"],
# app_settings["FUNCTIONS_WORKER_RUNTIME"]
]
}
}
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_source_control
# resource "azurerm_app_service_source_control" "app_service_source_control" {
# app_id = azurerm_function_app.function_app.id
# repo_url = "https://github.com/Azure-Samples/KeyVault-Rotation-SQLPassword-Csharp.git"
# branch = "main"
# manual_integration = true
# # scm_type = "ExternalGit"
# }
resource "azurerm_key_vault_access_policy" "key_vault_access_policy_function_app" {
key_vault_id = data.azurerm_key_vault.key_vault.id
tenant_id = azurerm_function_app.function_app.identity[0].tenant_id
object_id = azurerm_function_app.function_app.identity[0].principal_id
secret_permissions = [
"Get", "List", "Set"
]
}
# resource "azurerm_eventgrid_event_subscription" "eventgrid_event_subscription" {
# name = "${data.azurerm_key_vault.key_vault.name}-${var.secret_name}-${azurerm_function_app.function_app.name}"
# scope = data.azurerm_key_vault.key_vault.id
# azure_function_endpoint {
# function_id = "${azurerm_function_app.function_app.id}/functions/AKVSQLRotation"
# max_events_per_batch = 1
# preferred_batch_size_in_kilobytes = 64
# }
# subject_filter {
# subject_begins_with = var.secret_name
# subject_ends_with = var.secret_name
# }
# included_event_types = [
# "Microsoft.KeyVault.SecretNearExpiry"
# ]
# }

16
support/sqlsecretrotation/iac/terraform/providers.tf Normal file
View File

@ -0,0 +1,16 @@
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "2.94.0"
}
}
backend "azurerm" {
}
}
data "azurerm_client_config" "current" {}
provider "azurerm" {
features {}
}

24
support/sqlsecretrotation/iac/terraform/variables.tf Normal file
View File

@ -0,0 +1,24 @@
variable "key_vault_resource_group_name" {
description = ""
type = string
}
variable "key_vault_name" {
description = ""
type = string
}
variable "resources_prefix" {
description = ""
type = string
}
variable "location" {
description = ""
type = string
}
variable "secret_name" {
description = ""
type = string
}