Skip to content

Commit

Permalink
Set Azure subscription ID when applying Terraform files
Browse files Browse the repository at this point in the history
Signed-off-by: Daniel Weiße <[email protected]>
  • Loading branch information
daniel-weisse committed Aug 28, 2024
1 parent 5579578 commit 6930f5e
Show file tree
Hide file tree
Showing 27 changed files with 103 additions and 10 deletions.
4 changes: 4 additions & 0 deletions .github/actions/constellation_iam_create/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,9 @@ inputs:
#
# Azure specific inputs
#
azureSubscriptionID:
description: "Azure subscription ID to deploy Constellation in."
required: true
azureRegion:
description: "Azure region to deploy Constellation in."
required: false
Expand Down Expand Up @@ -77,6 +80,7 @@ runs:
if: inputs.cloudProvider == 'azure'
run: |
constellation iam create azure \
--subscriptionID="${{ inputs.azureSubscriptionID }}" \
--region="${{ inputs.azureRegion }}" \
--resourceGroup="${{ inputs.namePrefix }}-rg" \
--servicePrincipal="${{ inputs.namePrefix }}-sp" \
Expand Down
4 changes: 4 additions & 0 deletions .github/actions/e2e_test/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,9 @@ inputs:
description: "AWS OpenSearch User to upload the benchmark results."
awsOpenSearchPwd:
description: "AWS OpenSearch Password to upload the benchmark results."
azureSubscriptionID:
description: "Azure subscription ID to deploy Constellation in."
required: true
azureClusterCreateCredentials:
description: "Azure credentials authorized to create a Constellation cluster."
required: true
Expand Down Expand Up @@ -249,6 +252,7 @@ runs:
attestationVariant: ${{ inputs.attestationVariant }}
namePrefix: ${{ steps.create-prefix.outputs.prefix }}
awsZone: ${{ inputs.regionZone || 'us-east-2c' }}
azureSubscriptionID: ${{ inputs.azureSubscriptionID }}
azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region }}
gcpProjectID: ${{ inputs.gcpProject }}
gcpZone: ${{ inputs.regionZone || 'europe-west3-b' }}
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/e2e-test-daily.yml
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,7 @@ jobs:
gcpIAMCreateServiceAccount: "[email protected]"
kubernetesVersion: ${{ matrix.kubernetesVersion }}
test: ${{ matrix.test }}
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io
Expand Down
13 changes: 13 additions & 0 deletions .github/workflows/e2e-test-provider-example.yml
Original file line number Diff line number Diff line change
Expand Up @@ -306,6 +306,19 @@ jobs:
cat >> _override.tf <<EOF
locals {
instance_type = "Standard_DC4es_v5"
subscription_id = "$(az account show --query id --output tsv)"
}
EOF
cat _override.tf
- name: Create Azure SEV-SNP Terraform overrides
if: inputs.attestationVariant == 'azure-sev-snp'
working-directory: ${{ github.workspace }}/cluster
shell: bash
run: |
cat >> _override.tf <<EOF
locals {
subscription_id = "$(az account show --query id --output tsv)"
}
EOF
cat _override.tf
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/e2e-test-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -359,6 +359,7 @@ jobs:
gcpClusterCreateServiceAccount: "[email protected]"
gcpIAMCreateServiceAccount: "[email protected]"
test: ${{ matrix.test }}
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/e2e-test-weekly.yml
Original file line number Diff line number Diff line change
Expand Up @@ -357,6 +357,7 @@ jobs:
gcpClusterCreateServiceAccount: "[email protected]"
gcpIAMCreateServiceAccount: "[email protected]"
test: ${{ matrix.test }}
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/e2e-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -247,6 +247,7 @@ jobs:
osImage: ${{ needs.find-latest-image.outputs.image }}
cliVersion: ${{ inputs.cliVersion }}
isDebugImage: ${{ needs.find-latest-image.outputs.isDebugImage }}
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/e2e-upgrade.yml
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,7 @@ jobs:
gcpClusterCreateServiceAccount: "[email protected]"
gcpIAMCreateServiceAccount: "[email protected]"
test: "upgrade"
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/e2e-windows.yml
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ jobs:
$rgName = "e2e-win-${{ github.run_id }}-${{ github.run_attempt }}-$uid"
"rgName=$($rgName)" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
.\constellation.exe config generate azure -t "workflow=${{ github.run_id }}"
.\constellation.exe iam create azure --region=westus --resourceGroup=$rgName-rg --servicePrincipal=$rgName-sp --update-config --debug -y
.\constellation.exe iam create azure --subscriptionID=${{ secrets.AZURE_SUBSCRIPTION_ID }} --region=westus --resourceGroup=$rgName-rg --servicePrincipal=$rgName-sp --update-config --debug -y
- name: Login to Azure (Cluster service principal)
uses: ./.github/actions/login_azure
Expand Down
2 changes: 2 additions & 0 deletions cli/internal/cloudcmd/iam.go
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ type GCPIAMConfig struct {

// AzureIAMConfig holds the necessary values for Azure IAM configuration.
type AzureIAMConfig struct {
SubscriptionID string
Location string
ServicePrincipal string
ResourceGroup string
Expand Down Expand Up @@ -167,6 +168,7 @@ func (c *IAMCreator) createAzure(ctx context.Context, cl tfIAMClient, opts *IAMC
defer rollbackOnError(c.out, &retErr, &rollbackerTerraform{client: cl}, opts.TFLogLevel)

vars := terraform.AzureIAMVariables{
SubscriptionID: opts.Azure.SubscriptionID,
Location: opts.Azure.Location,
ResourceGroup: opts.Azure.ResourceGroup,
ServicePrincipal: opts.Azure.ServicePrincipal,
Expand Down
2 changes: 2 additions & 0 deletions cli/internal/cloudcmd/tfvars.go
Original file line number Diff line number Diff line change
Expand Up @@ -147,6 +147,7 @@ func azureTerraformVars(conf *config.Config, imageRef string) (*terraform.AzureC
}
}
vars := &terraform.AzureClusterVariables{
SubscriptionID: conf.Provider.Azure.SubscriptionID,
Name: conf.Name,
NodeGroups: nodeGroups,
Location: conf.Provider.Azure.Location,
Expand Down Expand Up @@ -191,6 +192,7 @@ func azureTerraformVars(conf *config.Config, imageRef string) (*terraform.AzureC

func azureTerraformIAMVars(conf *config.Config, oldVars terraform.AzureIAMVariables) *terraform.AzureIAMVariables {
return &terraform.AzureIAMVariables{
SubscriptionID: conf.Provider.Azure.SubscriptionID,
Location: conf.Provider.Azure.Location,
ServicePrincipal: oldVars.ServicePrincipal,
ResourceGroup: conf.Provider.Azure.ResourceGroup,
Expand Down
15 changes: 15 additions & 0 deletions cli/internal/cmd/iamcreateazure.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,9 @@ SPDX-License-Identifier: AGPL-3.0-only
package cmd

import (
"errors"
"fmt"
"os"

"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
Expand All @@ -26,6 +28,8 @@ func newIAMCreateAzureCmd() *cobra.Command {
RunE: runIAMCreateAzure,
}

cmd.Flags().String("subscriptionID", "", "subscription ID of the Azure account (required)")
must(cobra.MarkFlagRequired(cmd.Flags(), "subscriptionID"))
cmd.Flags().String("resourceGroup", "", "name prefix of the two resource groups your cluster / IAM resources will be created in (required)")
must(cobra.MarkFlagRequired(cmd.Flags(), "resourceGroup"))
cmd.Flags().String("region", "", "region the resources will be created in, e.g., westus (required)")
Expand All @@ -45,13 +49,22 @@ func runIAMCreateAzure(cmd *cobra.Command, _ []string) error {

// azureIAMCreateFlags contains the parsed flags of the iam create azure command.
type azureIAMCreateFlags struct {
subscriptionID string
region string
resourceGroup string
servicePrincipal string
}

func (f *azureIAMCreateFlags) parse(flags *pflag.FlagSet) error {
var err error
f.subscriptionID, err = flags.GetString("subscriptionID")
if err != nil {
return fmt.Errorf("getting 'subscriptionID' flag: %w", err)
}
if f.subscriptionID == "" && os.Getenv("ARM_SUBSCRIPTION_ID") == "" {
return errors.New("either flag 'subscriptionID' or environment variable 'ARM_SUBSCRIPTION_ID' must be set")
}

f.region, err = flags.GetString("region")
if err != nil {
return fmt.Errorf("getting 'region' flag: %w", err)
Expand All @@ -75,6 +88,7 @@ type azureIAMCreator struct {
func (c *azureIAMCreator) getIAMConfigOptions() *cloudcmd.IAMConfigOptions {
return &cloudcmd.IAMConfigOptions{
Azure: cloudcmd.AzureIAMConfig{
SubscriptionID: c.flags.subscriptionID,
Location: c.flags.region,
ResourceGroup: c.flags.resourceGroup,
ServicePrincipal: c.flags.servicePrincipal,
Expand All @@ -83,6 +97,7 @@ func (c *azureIAMCreator) getIAMConfigOptions() *cloudcmd.IAMConfigOptions {
}

func (c *azureIAMCreator) printConfirmValues(cmd *cobra.Command) {
cmd.Printf("Subscription ID:\t%s\n", c.flags.subscriptionID)
cmd.Printf("Region:\t\t\t%s\n", c.flags.region)
cmd.Printf("Resource Group:\t\t%s\n", c.flags.resourceGroup)
cmd.Printf("Service Principal:\t%s\n\n", c.flags.servicePrincipal)
Expand Down
6 changes: 5 additions & 1 deletion cli/internal/terraform/variables.go
Original file line number Diff line number Diff line change
Expand Up @@ -172,7 +172,7 @@ type GCPNodeGroup struct {
DiskType string `hcl:"disk_type" cty:"disk_type"`
}

// GCPIAMVariables is user configuration for creating the IAM confioguration with Terraform on GCP.
// GCPIAMVariables is user configuration for creating the IAM configuration with Terraform on GCP.
type GCPIAMVariables struct {
// Project is the ID of the GCP project to use.
Project string `hcl:"project_id" cty:"project_id"`
Expand All @@ -193,6 +193,8 @@ func (v *GCPIAMVariables) String() string {

// AzureClusterVariables is user configuration for creating a cluster with Terraform on Azure.
type AzureClusterVariables struct {
// SubscriptionID is the Azure subscription ID to use.
SubscriptionID string `hcl:"subscription_id" cty:"subscription_id"`
// Name of the cluster.
Name string `hcl:"name" cty:"name"`
// ImageID is the ID of the Azure image to use.
Expand Down Expand Up @@ -254,6 +256,8 @@ type AzureNodeGroup struct {

// AzureIAMVariables is user configuration for creating the IAM configuration with Terraform on Microsoft Azure.
type AzureIAMVariables struct {
// SubscriptionID is the Azure subscription ID to use.
SubscriptionID string `hcl:"subscription_id,optional" cty:"subscription_id"` // TODO(v2.18): remove optional tag. This is only required for migration from var files that dont have the value yet.
// Location is the Azure location to use. (e.g. westus)
Location string `hcl:"location" cty:"location"`
// ServicePrincipal is the name of the service principal to use.
Expand Down
10 changes: 7 additions & 3 deletions cli/internal/terraform/variables_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -180,7 +180,8 @@ service_account_id = "my-service-account"

func TestAzureClusterVariables(t *testing.T) {
vars := AzureClusterVariables{
Name: "cluster-name",
SubscriptionID: "01234567-cdef-0123-4567-89abcdef0123",
Name: "cluster-name",
NodeGroups: map[string]AzureNodeGroup{
constants.ControlPlaneDefault: {
Role: "ControlPlane",
Expand All @@ -207,7 +208,8 @@ func TestAzureClusterVariables(t *testing.T) {
}

// test that the variables are correctly rendered
want := `name = "cluster-name"
want := `subscription_id = "01234567-cdef-0123-4567-89abcdef0123"
name = "cluster-name"
image_id = "image-0123456789abcdef"
create_maa = true
debug = true
Expand Down Expand Up @@ -241,13 +243,15 @@ additional_tags = null

func TestAzureIAMVariables(t *testing.T) {
vars := AzureIAMVariables{
SubscriptionID: "01234567-cdef-0123-4567-89abcdef0123",
Location: "eu-central-1",
ServicePrincipal: "my-service-principal",
ResourceGroup: "my-resource-group",
}

// test that the variables are correctly rendered
want := `location = "eu-central-1"
want := `subscription_id = "01234567-cdef-0123-4567-89abcdef0123"
location = "eu-central-1"
service_principal_name = "my-service-principal"
resource_group_name = "my-resource-group"
`
Expand Down
6 changes: 5 additions & 1 deletion dev-docs/howto/vpn/on-prem-terraform/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,10 @@ terraform {

provider "azurerm" {
features {}
subscription_id = var.subscription_id
# This enables all resource providers.
# In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
resource_provider_registrations = "all"
}

locals {
Expand Down Expand Up @@ -103,7 +107,7 @@ resource "azurerm_route_table" "route_table" {
name = "vpn-routes"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
disable_bgp_route_propagation = false
bgp_route_propagation_enabled = false

dynamic "route" {
for_each = var.remote_ts
Expand Down
6 changes: 6 additions & 0 deletions dev-docs/howto/vpn/on-prem-terraform/variables.tf
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
variable "subscription_id" {
type = string
description = "Azure subscription ID. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#subscription_id"
default = ""
}

variable "resource_group_location" {
type = string
default = "westeurope"
Expand Down
3 changes: 3 additions & 0 deletions dev-docs/miniconstellation/azure-terraform/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,9 @@ terraform {
provider "azurerm" {
use_oidc = true
features {}
# This enables all resource providers.
# In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
resource_provider_registrations = "all"
}

provider "tls" {}
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/getting-started/first-steps.md
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ If you encounter any problem with the following steps, make sure to use the [lat
<TabItem value="azure" label="Azure">

```bash
constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
```

This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
Expand Down
1 change: 1 addition & 0 deletions docs/docs/reference/cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -655,6 +655,7 @@ constellation iam create azure [flags]
--region string region the resources will be created in, e.g., westus (required)
--resourceGroup string name prefix of the two resource groups your cluster / IAM resources will be created in (required)
--servicePrincipal string name of the service principal that will be created (required)
--subscriptionID string subscription ID of the Azure account (required)
```

### Options inherited from parent commands
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/workflows/config.md
Original file line number Diff line number Diff line change
Expand Up @@ -184,7 +184,7 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).

```bash
constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest
constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest
```

This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`.
Expand Down
3 changes: 3 additions & 0 deletions e2e/miniconstellation/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,9 @@ terraform {
provider "azurerm" {
use_oidc = true
features {}
# This enables all resource providers.
# In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
resource_provider_registrations = "all"
}

provider "tls" {}
Expand Down
2 changes: 2 additions & 0 deletions terraform-provider-constellation/examples/full/azure/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ locals {
control_plane_count = 3
worker_count = 2
instance_type = "Standard_DC4as_v5"
subscription_id = "00000000-0000-0000-0000-000000000000"

master_secret = random_bytes.master_secret.hex
master_secret_salt = random_bytes.master_secret_salt.hex
Expand All @@ -43,6 +44,7 @@ resource "random_bytes" "measurement_salt" {
module "azure_iam" {
// replace $VERSION with the Constellation version you want to use, e.g., v2.14.0
source = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/iam/azure"
subscription_id = local.subscription_id
location = local.location
service_principal_name = "${local.name}-sp"
resource_group_name = "${local.name}-rg"
Expand Down
8 changes: 6 additions & 2 deletions terraform/infrastructure/azure/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@ provider "azurerm" {
prevent_deletion_if_contains_resources = false
}
}
subscription_id = var.subscription_id
# This enables all resource providers.
# In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
resource_provider_registrations = "all"
}

locals {
Expand Down Expand Up @@ -266,8 +270,8 @@ module "scale_set_group" {
marketplace_image = var.marketplace_image

# We still depend on the backends, since we are not sure if the VMs inside the VMSS have been
# "updated" to the new version (note: this is the update in Azure which "refreshes" the NICs and not
# our Constellation update).
# "updated" to the new version (note: this is the update in Azure which "refreshes" the NICs and not
# our Constellation update).
# TODO(@3u13r): Remove this dependency after v2.18.0 has been released.
depends_on = [module.loadbalancer_backend_worker, azurerm_lb_backend_address_pool.all]
}
Expand Down
1 change: 1 addition & 0 deletions terraform/infrastructure/azure/modules/scale_set/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "scale_set" {
provision_vm_agent = false
vtpm_enabled = true
disable_password_authentication = false
extension_operations_enabled = false
upgrade_mode = "Manual"
secure_boot_enabled = var.secure_boot
# specify the image id only if a non-marketplace image is used
Expand Down
6 changes: 6 additions & 0 deletions terraform/infrastructure/azure/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,12 @@ variable "internal_load_balancer" {

# Azure-specific variables

variable "subscription_id" {
type = string
description = "Azure subscription ID. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#subscription_id"
default = ""
}

variable "location" {
type = string
description = "Azure location to deploy the cluster in."
Expand Down
Loading

0 comments on commit 6930f5e

Please sign in to comment.