diff --git a/.gitignore b/.gitignore index 19dfb91..442367b 100644 --- a/.gitignore +++ b/.gitignore @@ -9,9 +9,6 @@ crash.log crash.*.log -# Ignore values files -*.tfvars - # Ignore override files as they are usually used to override resources locally and so # are not checked in override.tf @@ -31,3 +28,14 @@ terraform.rc # Other .DS_Store +todo.md + +# Ignore vim swap files +*.swp +*.swo + +# Irgnore meld diff files +*.orig +*.backup +*.rej + diff --git a/.terraform-docs.yml b/.terraform-docs.yml index 8fa328a..0c044ad 100644 --- a/.terraform-docs.yml +++ b/.terraform-docs.yml @@ -1,67 +1,28 @@ -content: |- - - Appvia Banner

Terraform Registry Latest Release Slack Community Contributors

- - - ## Description - - The "terraform-azurerm-wayfinder" Terraform Module can be used to provision and manage a licensed edition of [Appvia Wayfinder](https://www.appvia.io/wayfinder) on Azure. - - ## Requirements - - To run this module, you will need the following: - 1. Product Licence Key & Instance ID. Request a free licence key from the [Appvia Portal](https://portal.appvia.io/trial?utm_source=terraform-azurerm-wayfinder). - 2. (Optional) IDP App configuration details: Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID) for setup. This does not need to be defined initially within Terraform, and can also be setup within the product. Wayfinder can provision a `localadmin` user for initial access if no IDP details are provided. - 3. A public Azure DNS Zone: This module will create DNS records for the Wayfinder API and UI endpoints, and performs a DNS01 challenge via the LetsEncrypt Issuer for valid domain certificates. - 4. Existing Virtual Network and Subnet: This module will deploy an AKS Cluster and so requires an existing vnet with outbound internet connectivity. - - ## Deployment - - Please see the [examples](./examples) directory to see how to deploy this module. To get up and running quickly with minimal pre-requisites, use the [quickstart](./examples/quickstart) example. - - ### (Optional) Connecting to an Identity Provider - - Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID). - - This configuration is optional within Terraform, and can also be setup within the product. Please view the documentation for more information: https://docs.appvia.io/wayfinder/admin/auth - - The Authorized Redirect URI for the IDP Application should be set to: `https://${wayfinder_domain_name_api}/oauth/callback` - - **Note:** If you are using Azure Active Directory, you must: - 1. Set `azureTenantId` to your Azure Tenant ID (`serverUrl` is not required) - 2. Set the IDP type to `aad` - - #### Example: Generic IDP Configuration - - ```hcl - wayfinder_idp_details = { - {{ " " }}type = "generic" - {{ " " }}clientId = "IDP-APP-CLIENT-ID" - {{ " " }}clientSecret = "IDP-APP-CLIENT-SECRET" - {{ " " }}serverUrl = "https://example.okta.com" # Or "https://example.auth0.com/" - } - ``` - - #### Example: Azure AD IDP Configuration - - ```hcl - wayfinder_idp_details = { - {{ " " }}type = "aad" - {{ " " }}clientId = "IDP-APP-CLIENT-ID" - {{ " " }}clientSecret = "IDP-APP-CLIENT-SECRET" - {{ " " }}azureTenantId = "12345678-1234-1234-1234-123456789012" - } - ``` - - ## Updating Docs - - The `terraform-docs` utility is used to generate this README. Follow the below steps to update: - 1. Make changes to the `.terraform-docs.yml` file - 2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/) - 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .` - - {{ .Inputs }} - - {{ .Outputs }} +#header-from: .header.md +settings: + anchor: true + color: true + default: true + escape: true + html: true + indent: 2 + required: true + sensitive: true + type: true + lockfile: false + +formatter: "markdown table" + +output: + file: README.md + mode: inject + +sections: + show: + - providers + - inputs + - outputs + +sort: + enabled: true + by: required diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 0000000..ea9c639 --- /dev/null +++ b/.tflint.hcl @@ -0,0 +1,69 @@ +plugin "aws" { + enabled = true + version = "0.34.0" + source = "github.com/terraform-linters/tflint-ruleset-aws" +} + +plugin "terraform" { + enabled = true + version = "0.9.1" + source = "github.com/terraform-linters/tflint-ruleset-terraform" +} + +config { + call_module_type = "local" + force = false +} + +rule "terraform_required_providers" { + enabled = true +} + +rule "terraform_required_version" { + enabled = true +} + +rule "terraform_naming_convention" { + enabled = true + format = "snake_case" +} + +rule "terraform_typed_variables" { + enabled = true +} + +rule "terraform_unused_declarations" { + enabled = true +} + +rule "terraform_comment_syntax" { + enabled = true +} + +rule "terraform_deprecated_index" { + enabled = true +} + +rule "terraform_deprecated_interpolation" { + enabled = true +} + +rule "terraform_documented_outputs" { + enabled = true +} + +rule "terraform_documented_variables" { + enabled = true +} + +rule "terraform_module_pinned_source" { + enabled = true +} + +rule "terraform_standard_module_structure" { + enabled = true +} + +rule "terraform_workspace_remote" { + enabled = true +} diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..833ddb2 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,128 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, religion, or sexual identity +and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +- Demonstrating empathy and kindness toward other people +- Being respectful of differing opinions, viewpoints, and experiences +- Giving and gracefully accepting constructive feedback +- Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +- Focusing on what is best not just for us as individuals, but for the + overall community + +Examples of unacceptable behavior include: + +- The use of sexualized language or imagery, and sexual attention or + advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email + address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. + +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official e-mail address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement at +support@appvia.io. +All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series +of actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or +permanent ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within +the community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.0, available at +https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. + +Community Impact Guidelines were inspired by [Mozilla's code of conduct +enforcement ladder](https://github.com/mozilla/diversity). + +[homepage]: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see the FAQ at +https://www.contributor-covenant.org/faq. Translations are available at +https://www.contributor-covenant.org/translations. diff --git a/Makefile b/Makefile index afa8f2e..2045b2f 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,4 @@ # -# Copyright (C) 2024 Appvia Ltd -# # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 @@ -14,15 +12,14 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . # -AUTHOR_EMAIL=info@appvia.io - -.PHONY: all security lint format documentation documentation-examples validate-all validate validate-examples init +.PHONY: all security lint format documentation documentation-examples validate-all validate validate-examples init examples tests default: all all: $(MAKE) init $(MAKE) validate + $(MAKE) tests $(MAKE) lint $(MAKE) security $(MAKE) format @@ -30,6 +27,7 @@ all: examples: $(MAKE) validate-examples + $(MAKE) tests $(MAKE) lint-examples $(MAKE) lint $(MAKE) security @@ -38,19 +36,36 @@ examples: documentation: @echo "--> Generating documentation" - @terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject . + @terraform-docs . $(MAKE) documentation-modules $(MAKE) documentation-examples documentation-modules: @echo "--> Generating documentation for modules" - @if [ -d modules ]; then \ - find modules -type d -mindepth 1 -maxdepth 1 -exec terraform-docs markdown table --output-file README.md --output-mode inject {} \; ; \ - fi + @find . -type d -regex '.*/modules/[a-za-z\-_$$]*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \ + echo "--> Generating documentation for module: $$dir"; \ + terraform-docs $$dir; \ + done; documentation-examples: - @echo "--> Generating documentation examples" - @find examples -type d -mindepth 1 -maxdepth 1 -exec terraform-docs markdown table --output-file README.md --output-mode inject {} \; + @echo "--> Generating documentation for examples" + @find . -type d -path '*/examples/*' -not -path '*.terraform*' 2>/dev/null| while read -r dir; do \ + echo "--> Generating documentation for example: $$dir"; \ + terraform-docs $$dir; \ + done; + +upgrade-terraform-providers: + @printf "%s Upgrading Terraform providers for %-24s" "-->" "." + @terraform init -upgrade >/dev/null && echo "[OK]" || echo "[FAILED]" + @$(MAKE) upgrade-terraform-example-providers + +upgrade-terraform-example-providers: + @if [ -d examples ]; then \ + find examples -type d -mindepth 1 -maxdepth 1 2>/dev/null | while read -r dir; do \ + printf "%s Upgrading Terraform providers for %-24s" "-->" "$$dir"; \ + terraform -chdir=$$dir init -upgrade >/dev/null && echo "[OK]" || echo "[FAILED]"; \ + done; \ + fi init: @echo "--> Running terraform init" @@ -58,27 +73,27 @@ init: security: @echo "--> Running Security checks" - @tfsec . + @trivy config . $(MAKE) security-modules $(MAKE) security-examples security-modules: @echo "--> Running Security checks on modules" - @if [ -d modules ]; then \ - find modules -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \ - echo "--> Validating $$dir"; \ - tfsec $$dir; \ - done; \ - fi + @find . -type d -regex '.*/modules/[a-zA-Z\-_$$]*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \ + echo "--> Validating $$dir"; \ + trivy config --format table --exit-code 1 --severity CRITICAL,HIGH --ignorefile .trivyignore $$dir; \ + done; security-examples: @echo "--> Running Security checks on examples" - @if [ -d examples ]; then \ - find examples -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \ - echo "--> Validating $$dir"; \ - tfsec $$dir; \ - done; \ - fi + @find . -type d -path '*/examples/*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \ + echo "--> Validating $$dir"; \ + trivy config --format table --exit-code 1 --severity CRITICAL,HIGH --ignorefile .trivyignore $$dir; \ + done; + +tests: + @echo "--> Running Terraform Tests" + @terraform test validate: @echo "--> Running terraform validate" @@ -86,26 +101,28 @@ validate: @terraform validate $(MAKE) validate-modules $(MAKE) validate-examples + $(MAKE) validate-commits validate-modules: @echo "--> Running terraform validate on modules" - @if [ -d modules ]; then \ - find modules -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \ - echo "--> Validating $$dir"; \ - terraform -chdir=$$dir init -backend=false; \ - terraform -chdir=$$dir validate; \ - done; \ - fi + @find . -type d -regex '.*/modules/[a-zA-Z\-_$$]*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \ + echo "--> Validating Module $$dir"; \ + terraform -chdir=$$dir init -backend=false; \ + terraform -chdir=$$dir validate; \ + done; validate-examples: @echo "--> Running terraform validate on examples" - @if [ -d examples ]; then \ - find examples -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \ - echo "--> Validating $$dir"; \ - terraform -chdir=$$dir init -backend=false; \ - terraform -chdir=$$dir validate; \ - done; \ - fi + @find . -type d -path '*/examples/*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \ + echo "--> Validating $$dir"; \ + terraform -chdir=$$dir init -backend=false; \ + terraform -chdir=$$dir validate; \ + done; + +validate-commits: + @echo "--> Running commitlint against the main branch" + @command -v commitlint >/dev/null 2>&1 || { echo "commitlint is not installed. Please install it by running 'npm install -g commitlint'"; exit 1; } + @git log --pretty=format:"%s" origin/main..HEAD | commitlint --from=origin/main lint: @echo "--> Running tflint" @@ -116,23 +133,19 @@ lint: lint-modules: @echo "--> Running tflint on modules" - @if [ -d modules ]; then \ - find modules -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \ - echo "--> Linting $$dir"; \ - tflint --chdir=$$dir --init; \ - tflint --chdir=$$dir -f compact; \ - done; \ - fi + @find . -type d -regex '.*/modules/[a-zA-Z\-_$$]*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \ + echo "--> Linting $$dir"; \ + tflint --chdir=$$dir --init; \ + tflint --chdir=$$dir -f compact; \ + done; lint-examples: @echo "--> Running tflint on examples" - @if [ -d examples ]; then \ - find examples -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \ - echo "--> Linting $$dir"; \ - tflint --chdir=$$dir --init; \ - tflint --chdir=$$dir -f compact; \ - done; \ - fi + @find . -type d -path '*/examples/*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \ + echo "--> Linting $$dir"; \ + tflint --chdir=$$dir --init; \ + tflint --chdir=$$dir -f compact; \ + done; format: @echo "--> Running terraform fmt" @@ -140,7 +153,7 @@ format: clean: @echo "--> Cleaning up" - @find . -type d -name ".terraform" | while read -r dir; do \ + @find . -type d -name ".terraform" 2>/dev/null | while read -r dir; do \ echo "--> Removing $$dir"; \ rm -rf $$dir; \ done diff --git a/README.md b/README.md index 63cde38..ea0765d 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,12 @@ - + Appvia Banner

Terraform Registry Latest Release Slack Community Contributors

+ + ## Description The "terraform-azurerm-wayfinder" Terraform Module can be used to provision and manage a licensed edition of [Appvia Wayfinder](https://www.appvia.io/wayfinder) on Azure. @@ -12,6 +14,7 @@ The "terraform-azurerm-wayfinder" Terraform Module can be used to provision and ## Requirements To run this module, you will need the following: + 1. Product Licence Key & Instance ID. Request a free licence key from the [Appvia Portal](https://portal.appvia.io/trial?utm_source=terraform-azurerm-wayfinder). 2. (Optional) IDP App configuration details: Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID) for setup. This does not need to be defined initially within Terraform, and can also be setup within the product. Wayfinder can provision a `localadmin` user for initial access if no IDP details are provided. 3. A public Azure DNS Zone: This module will create DNS records for the Wayfinder API and UI endpoints, and performs a DNS01 challenge via the LetsEncrypt Issuer for valid domain certificates. @@ -30,6 +33,7 @@ This configuration is optional within Terraform, and can also be setup within th The Authorized Redirect URI for the IDP Application should be set to: `https://${wayfinder_domain_name_api}/oauth/callback` **Note:** If you are using Azure Active Directory, you must: + 1. Set `azureTenantId` to your Azure Tenant ID (`serverUrl` is not required) 2. Set the IDP type to `aad` @@ -58,38 +62,57 @@ wayfinder_idp_details = { ## Updating Docs The `terraform-docs` utility is used to generate this README. Follow the below steps to update: + 1. Make changes to the `.terraform-docs.yml` file 2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/) 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .` + +## Providers + +| Name | Version | +|------|---------| +| [azuread](#provider\_azuread) | >= 2.53.0 | +| [azurerm](#provider\_azurerm) | >=3.51.0, < 4.0 | +| [helm](#provider\_helm) | >= 2.9.0 | +| [kubectl](#provider\_kubectl) | >= 2.0 | +| [random](#provider\_random) | >= 3.5 | +| [time](#provider\_time) | >= 0.9.0 | + ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [adcs](#input\_adcs) | ADCS variables required when using ADCS Issuer with Cert Manager | 
object({
    url                       = string
    username                  = string
    ca_bundle                 = string
    certificate_template_name = string
  })
| `null` | no | +| [aks\_vnet\_subnet\_id](#input\_aks\_vnet\_subnet\_id) | The ID of the subnet in which to deploy the Kubernetes Cluster. | `string` | n/a | yes | +| [clusterissuer\_email](#input\_clusterissuer\_email) | The email address to use for the cert-manager cluster issuer. | `string` | n/a | yes | +| [dns\_zone\_id](#input\_dns\_zone\_id) | The ID of the Azure DNS Zone to use. | `string` | n/a | yes | +| [dns\_zone\_name](#input\_dns\_zone\_name) | The name of the Azure DNS zone to use. | `string` | n/a | yes | +| [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which to create the AKS cluster. | `string` | n/a | yes | +| [user\_assigned\_identity](#input\_user\_assigned\_identity) | MSI id for AKS to run as | `string` | n/a | yes | +| [wayfinder\_domain\_name\_api](#input\_wayfinder\_domain\_name\_api) | The domain name to use for the Wayfinder API (e.g. api.wayfinder.example.com) | `string` | n/a | yes | +| [wayfinder\_domain\_name\_ui](#input\_wayfinder\_domain\_name\_ui) | The domain name to use for the Wayfinder UI (e.g. portal.wayfinder.example.com) | `string` | n/a | yes | +| [wayfinder\_instance\_id](#input\_wayfinder\_instance\_id) | The instance ID to use for Wayfinder. | `string` | n/a | yes | +| [wayfinder\_licence\_key](#input\_wayfinder\_licence\_key) | The licence key to use for Wayfinder | `string` | n/a | yes | +| [adcs](#input\_adcs) | ADCS variables required when using ADCS Issuer with Cert Manager | 
object({
    url                       = string
    username                  = string
    ca_bundle                 = string
    certificate_template_name = string
  })
| `null` | no | | [adcs\_password](#input\_adcs\_password) | ADCS password required when using ADCS Issuer with Cert Manager | `string` | `""` | no | | [aks\_agents\_size](#input\_aks\_agents\_size) | The default size of the agents pool. | `string` | `"Standard_D2s_v3"` | no | -| [aks\_api\_server\_authorized\_ip\_ranges](#input\_aks\_api\_server\_authorized\_ip\_ranges) | The list of authorized IP ranges to contact the API server. | `list(string)` | 
[
  "0.0.0.0/0"
]
| no | +| [aks\_api\_server\_authorized\_ip\_ranges](#input\_aks\_api\_server\_authorized\_ip\_ranges) | The list of authorized IP ranges to contact the API server. | `list(string)` | 
[
  "0.0.0.0/0"
]
| no | | [aks\_enable\_host\_encryption](#input\_aks\_enable\_host\_encryption) | Whether to enable host encryption. | `bool` | `false` | no | -| [aks\_maintenance\_window](#input\_aks\_maintenance\_window) | Maintenance configuration of the managed cluster. | 
object({
    allowed = list(object({
      day   = string
      hours = set(number)
    })),
    not_allowed = list(object({
      end   = string
      start = string
    })),
  })
| 
{
  "allowed": [
    {
      "day": "Sunday",
      "hours": [
        22,
        23
      ]
    }
  ],
  "not_allowed": []
}
| no | +| [aks\_maintenance\_window](#input\_aks\_maintenance\_window) | Maintenance configuration of the managed cluster. | 
object({
    allowed = list(object({
      day   = string
      hours = set(number)
    })),
    not_allowed = list(object({
      end   = string
      start = string
    })),
  })
| 
{
  "allowed": [
    {
      "day": "Sunday",
      "hours": [
        22,
        23
      ]
    }
  ],
  "not_allowed": []
}
| no | | [aks\_rbac\_aad\_admin\_group\_object\_ids](#input\_aks\_rbac\_aad\_admin\_group\_object\_ids) | List of object IDs of the Azure AD groups that will be set as cluster admin. | `list(string)` | `[]` | no | | [aks\_sku\_tier](#input\_aks\_sku\_tier) | The SKU tier for this Kubernetes Cluster. | `string` | `"Standard"` | no | -| [aks\_vnet\_subnet\_id](#input\_aks\_vnet\_subnet\_id) | The ID of the subnet in which to deploy the Kubernetes Cluster. | `string` | n/a | yes | | [cert\_manager\_keyvault\_cert\_name](#input\_cert\_manager\_keyvault\_cert\_name) | Keyvault certificate name to use for cert-manager. Required if cluster issuer is keyvault | `string` | `null` | no | | [cert\_manager\_keyvault\_name](#input\_cert\_manager\_keyvault\_name) | Keyvault name to use for cert-manager. Required if cluster issuer is keyvault | `string` | `null` | no | | [cluster\_nodepool\_version](#input\_cluster\_nodepool\_version) | The Kubernetes version to use for the AKS cluster Nodepools. | `string` | `"1.30"` | no | | [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the AKS cluster. | `string` | `"1.30"` | no | | [clusterissuer](#input\_clusterissuer) | Cluster Issuer name to use for certs | `string` | `"letsencrypt-prod"` | no | -| [clusterissuer\_email](#input\_clusterissuer\_email) | The email address to use for the cert-manager cluster issuer. | `string` | n/a | yes | -| [create\_duration\_delay](#input\_create\_duration\_delay) | Used to tune terraform apply when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after creation of the specified resource type. | 
object({
    azurerm_role_definition         = optional(string, "180s")
    kubectl_manifest_cloud_identity = optional(string, "30s")
  })
| `{}` | no | +| [create\_duration\_delay](#input\_create\_duration\_delay) | Used to tune terraform apply when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after creation of the specified resource type. | 
object({
    azurerm_role_definition         = optional(string, "180s")
    kubectl_manifest_cloud_identity = optional(string, "30s")
  })
| `{}` | no | | [create\_localadmin\_user](#input\_create\_localadmin\_user) | Whether to create a localadmin user for access to the Wayfinder Portal and API | `bool` | `true` | no | -| [destroy\_duration\_delay](#input\_destroy\_duration\_delay) | Used to tune terraform destroy when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after destruction of the specified resource type. | 
object({
    azurerm_role_definition         = optional(string, "0s")
    kubectl_manifest_cloud_identity = optional(string, "60s")
  })
| `{}` | no | +| [destroy\_duration\_delay](#input\_destroy\_duration\_delay) | Used to tune terraform destroy when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after destruction of the specified resource type. | 
object({
    azurerm_role_definition         = optional(string, "0s")
    kubectl_manifest_cloud_identity = optional(string, "60s")
  })
| `{}` | no | | [disable\_internet\_access](#input\_disable\_internet\_access) | Whether to disable internet access for AKS and the Wayfinder ingress controller | `bool` | `false` | no | | [disable\_local\_login](#input\_disable\_local\_login) | Whether to disable local login for Wayfinder. Note: An IDP must be configured within Wayfinder, otherwise you will not be able to log in. | `bool` | `false` | no | | [dns\_provider](#input\_dns\_provider) | DNS provider for External DNS | `string` | `"azure"` | no | | [dns\_resource\_group\_id](#input\_dns\_resource\_group\_id) | The ID of the resource group where the DNS Zone exists, if different to Wayfinder's resource group. | `string` | `""` | no | -| [dns\_zone\_id](#input\_dns\_zone\_id) | The ID of the Azure DNS Zone to use. | `string` | n/a | yes | -| [dns\_zone\_name](#input\_dns\_zone\_name) | The name of the Azure DNS zone to use. | `string` | n/a | yes | | [enable\_cross\_tenant\_access](#input\_enable\_cross\_tenant\_access) | Whether to enable cross-tenant access for Wayfinder. Will create a suitable Enterprise Application with federated credential for Wayfinder to use. | `bool` | `false` | no | | [enable\_k8s\_resources](#input\_enable\_k8s\_resources) | Whether to enable the creation of Kubernetes resources for Wayfinder (helm and kubectl manifest deployments) | `bool` | `true` | no | | [enable\_wf\_cloudaccess](#input\_enable\_wf\_cloudaccess) | Whether to configure CloudIdentity and admin CloudAccessConfig resources in Wayfinder once installed (requires enable\_k8s\_resources) | `bool` | `true` | no | @@ -100,16 +123,10 @@ The `terraform-docs` utility is used to generate this README. Follow the below s | [location](#input\_location) | The Azure region to use. | `string` | `"uksouth"` | no | | [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id) | Private DNS zone to use for private clusters | `string` | `null` | no | | [private\_link\_resourcegroup](#input\_private\_link\_resourcegroup) | The name of the resource group in which to create central private link resources for each AKS cluster. | `string` | `""` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which to create the AKS cluster. | `string` | n/a | yes | | [tags](#input\_tags) | A mapping of tags to assign to resources. | `map(string)` | `{}` | no | -| [user\_assigned\_identity](#input\_user\_assigned\_identity) | MSI id for AKS to run as | `string` | n/a | yes | | [venafi\_apikey](#input\_venafi\_apikey) | Venafi API key - required if using Venafi cluster issuer | `string` | `""` | no | | [venafi\_zone](#input\_venafi\_zone) | Venafi zone - required if using Venafi cluster issuer | `string` | `""` | no | -| [wayfinder\_domain\_name\_api](#input\_wayfinder\_domain\_name\_api) | The domain name to use for the Wayfinder API (e.g. api.wayfinder.example.com) | `string` | n/a | yes | -| [wayfinder\_domain\_name\_ui](#input\_wayfinder\_domain\_name\_ui) | The domain name to use for the Wayfinder UI (e.g. portal.wayfinder.example.com) | `string` | n/a | yes | -| [wayfinder\_idp\_details](#input\_wayfinder\_idp\_details) | The IDP details to use for Wayfinder to enable SSO | 
object({
    type          = string
    clientId      = optional(string)
    clientSecret  = optional(string)
    serverUrl     = optional(string)
    azureTenantId = optional(string)
  })
| 
{
  "azureTenantId": "",
  "clientId": null,
  "clientSecret": null,
  "serverUrl": "",
  "type": "none"
}
| no | -| [wayfinder\_instance\_id](#input\_wayfinder\_instance\_id) | The instance ID to use for Wayfinder. | `string` | n/a | yes | -| [wayfinder\_licence\_key](#input\_wayfinder\_licence\_key) | The licence key to use for Wayfinder | `string` | n/a | yes | +| [wayfinder\_idp\_details](#input\_wayfinder\_idp\_details) | The IDP details to use for Wayfinder to enable SSO | 
object({
    type          = string
    clientId      = optional(string)
    clientSecret  = optional(string)
    serverUrl     = optional(string)
    azureTenantId = optional(string)
  })
| 
{
  "azureTenantId": "",
  "clientId": null,
  "clientSecret": null,
  "serverUrl": "",
  "type": "none"
}
| no | | [wayfinder\_release\_channel](#input\_wayfinder\_release\_channel) | The release channel to use for Wayfinder | `string` | `"wayfinder-releases"` | no | | [wayfinder\_version](#input\_wayfinder\_version) | The version to use for Wayfinder | `string` | `"v2.8.6"` | no | @@ -130,4 +147,5 @@ The `terraform-docs` utility is used to generate this README. Follow the below s | [wayfinder\_cross\_tenant\_identity\_client\_id](#output\_wayfinder\_cross\_tenant\_identity\_client\_id) | The client ID for the cross-tenant identity. | | [wayfinder\_instance\_id](#output\_wayfinder\_instance\_id) | The unique identifier for the Wayfinder instance. | | [wayfinder\_ui\_url](#output\_wayfinder\_ui\_url) | The URL for the Wayfinder UI. | - \ No newline at end of file + + diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..862d78d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,5 @@ +# Security Policy + +## Reporting a Vulnerability + +Please contact security@appvia.io on discovery of a vulnerability or security issue. diff --git a/examples/complete/.terraform-docs.yml b/examples/complete/.terraform-docs.yml deleted file mode 100644 index 4dd28c2..0000000 --- a/examples/complete/.terraform-docs.yml +++ /dev/null @@ -1,21 +0,0 @@ -content: |- - # Example: Complete (includes pre-configured Wayfinder SSO) - - ## Deployment - - 1. Create a Resource Group for Wayfinder to be installed within. - 2. Create a DNS Zone in Azure and ensure the domain is delegated to the Azure DNS nameservers. - 3. Copy the `terraform.tfvars.example` file to `terraform.tfvars` and update with your values. - 4. Run `terraform init -upgrade` - 5. Run `terraform apply` - - ## Updating Docs - - The `terraform-docs` utility is used to generate this README. Follow the below steps to update: - 1. Make changes to the `.terraform-docs.yml` file - 2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/) - 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .` - - {{ .Inputs }} - - {{ .Outputs }} diff --git a/examples/complete/README.md b/examples/complete/README.md index 25466ee..822193a 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -1,4 +1,3 @@ - # Example: Complete (includes pre-configured Wayfinder SSO) ## Deployment @@ -12,40 +11,50 @@ ## Updating Docs The `terraform-docs` utility is used to generate this README. Follow the below steps to update: + 1. Make changes to the `.terraform-docs.yml` file 2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/) 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .` + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | ~> 3.84 | +| [random](#provider\_random) | ~> 3.5 | +| [tls](#provider\_tls) | n/a | + ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aks\_api\_server\_authorized\_ip\_ranges](#input\_aks\_api\_server\_authorized\_ip\_ranges) | The list of authorized IP ranges to contact the Wayfinder Management AKS Cluster API server. | `list(string)` | 
[
  "0.0.0.0/0"
]
| no | | [aks\_rbac\_aad\_admin\_groups](#input\_aks\_rbac\_aad\_admin\_groups) | Map of Azure AD Groups and their Object IDs that will be set as cluster admin. | `map(string)` | n/a | yes | +| [clusterissuer\_email](#input\_clusterissuer\_email) | The email address to use for the cert-manager cluster issuer. | `string` | n/a | yes | +| [dns\_resource\_group\_name](#input\_dns\_resource\_group\_name) | The name of the resource group where the DNS Zone exists. | `string` | n/a | yes | +| [dns\_zone\_name](#input\_dns\_zone\_name) | The name of the DNS zone to use for wayfinder. | `string` | n/a | yes | +| [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which to create the AKS cluster. | `string` | n/a | yes | +| [wayfinder\_idp\_details](#input\_wayfinder\_idp\_details) | The IDP details to use for Wayfinder to enable SSO. | 
object({
    type          = string
    clientId      = string
    clientSecret  = string
    serverUrl     = optional(string)
    azureTenantId = optional(string)
  })
| n/a | yes | +| [wayfinder\_instance\_id](#input\_wayfinder\_instance\_id) | The instance ID to use for Wayfinder. | `string` | n/a | yes | +| [wayfinder\_licence\_key](#input\_wayfinder\_licence\_key) | The licence key to use for Wayfinder. | `string` | n/a | yes | +| [aks\_api\_server\_authorized\_ip\_ranges](#input\_aks\_api\_server\_authorized\_ip\_ranges) | The list of authorized IP ranges to contact the Wayfinder Management AKS Cluster API server. | `list(string)` | 
[
  "0.0.0.0/0"
]
| no | | [aks\_vnet\_subnet\_id](#input\_aks\_vnet\_subnet\_id) | The ID of the subnet in which to deploy the Kubernetes Cluster. | `string` | `null` | no | | [ca\_org\_name](#input\_ca\_org\_name) | The organisation name to use for the CA. Required if using keyvault cluster issuer. | `string` | `null` | no | | [cert\_manager\_keyvault\_cert\_name](#input\_cert\_manager\_keyvault\_cert\_name) | Keyvault certificate name to use for cert-manager. | `string` | `null` | no | | [cert\_manager\_keyvault\_name](#input\_cert\_manager\_keyvault\_name) | Keyvault name to use for cert-manager. | `string` | `null` | no | | [clusterissuer](#input\_clusterissuer) | Cluster Issuer name to use for certs | `string` | `"letsencrypt-prod"` | no | -| [clusterissuer\_email](#input\_clusterissuer\_email) | The email address to use for the cert-manager cluster issuer. | `string` | n/a | yes | | [create\_localadmin\_user](#input\_create\_localadmin\_user) | Whether to create a localadmin user for access to the Wayfinder Portal and API. | `bool` | `false` | no | | [disable\_internet\_access](#input\_disable\_internet\_access) | Whether to disable internet access for AKS and the Wayfinder ingress controller. | `bool` | `false` | no | | [disable\_local\_login](#input\_disable\_local\_login) | Whether to disable local login for Wayfinder. Note: An IDP must be configured within Wayfinder, otherwise you will not be able to log in. | `bool` | `false` | no | | [dns\_provider](#input\_dns\_provider) | DNS provider for External DNS | `string` | `"azure"` | no | -| [dns\_resource\_group\_name](#input\_dns\_resource\_group\_name) | The name of the resource group where the DNS Zone exists. | `string` | n/a | yes | -| [dns\_zone\_name](#input\_dns\_zone\_name) | The name of the DNS zone to use for wayfinder. | `string` | n/a | yes | | [enable\_k8s\_resources](#input\_enable\_k8s\_resources) | Whether to enable the creation of Kubernetes resources for Wayfinder (helm and kubectl manifest deployments). | `bool` | `true` | no | | [environment](#input\_environment) | The environment in which the resources are deployed. | `string` | `"production"` | no | | [location](#input\_location) | The Azure region in which to create the resources. | `string` | `"uksouth"` | no | | [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id) | Private DNS zone to use for private clusters | `string` | `null` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which to create the AKS cluster. | `string` | n/a | yes | | [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `{}` | no | | [user\_assigned\_identity](#input\_user\_assigned\_identity) | MSI id for AKS to run as | `string` | `null` | no | | [venafi\_apikey](#input\_venafi\_apikey) | Venafi API key - required if using Venafi cluster issuer | `string` | `""` | no | | [venafi\_zone](#input\_venafi\_zone) | Venafi zone - required if using Venafi cluster issuer | `string` | `""` | no | -| [wayfinder\_idp\_details](#input\_wayfinder\_idp\_details) | The IDP details to use for Wayfinder to enable SSO. | 
object({
    type          = string
    clientId      = string
    clientSecret  = string
    serverUrl     = optional(string)
    azureTenantId = optional(string)
  })
| n/a | yes | -| [wayfinder\_instance\_id](#input\_wayfinder\_instance\_id) | The instance ID to use for Wayfinder. | `string` | n/a | yes | -| [wayfinder\_licence\_key](#input\_wayfinder\_licence\_key) | The licence key to use for Wayfinder. | `string` | n/a | yes | ## Outputs @@ -55,4 +64,5 @@ The `terraform-docs` utility is used to generate this README. Follow the below s | [wayfinder\_api\_url](#output\_wayfinder\_api\_url) | The URL for the Wayfinder API | | [wayfinder\_instance\_id](#output\_wayfinder\_instance\_id) | The unique identifier for the Wayfinder instance | | [wayfinder\_ui\_url](#output\_wayfinder\_ui\_url) | The URL for the Wayfinder UI | - \ No newline at end of file + + diff --git a/examples/quickstart/.terraform-docs.yml b/examples/quickstart/.terraform-docs.yml deleted file mode 100644 index 8573b97..0000000 --- a/examples/quickstart/.terraform-docs.yml +++ /dev/null @@ -1,27 +0,0 @@ -content: |- - # Example: Quickstart - - **Notes:** - * Wayfinder will start up with an initial local administrator user (not configured to use an IDP). - * Any sensitive values (e.g. licence key) are passed directly as a variable to the module. - - This example should be used for product testing and evaluation only. For a more production-ready deployment, please see the [complete example](../complete). - - ## Deployment - - 1. Create a Resource Group for Wayfinder to be installed within. - 2. Create a DNS Zone in Azure and ensure the domain is delegated to the Azure DNS nameservers. - 3. Copy the `terraform.tfvars.example` file to `terraform.tfvars` and update with your values. - 4. Run `terraform init -upgrade` - 5. Run `terraform apply` - - ## Updating Docs - - The `terraform-docs` utility is used to generate this README. Follow the below steps to update: - 1. Make changes to the `.terraform-docs.yml` file - 2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/) - 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .` - - {{ .Inputs }} - - {{ .Outputs }} diff --git a/examples/quickstart/README.md b/examples/quickstart/README.md index d20912e..de236dd 100644 --- a/examples/quickstart/README.md +++ b/examples/quickstart/README.md @@ -1,9 +1,9 @@ - # Example: Quickstart **Notes:** -* Wayfinder will start up with an initial local administrator user (not configured to use an IDP). -* Any sensitive values (e.g. licence key) are passed directly as a variable to the module. + +- Wayfinder will start up with an initial local administrator user (not configured to use an IDP). +- Any sensitive values (e.g. licence key) are passed directly as a variable to the module. This example should be used for product testing and evaluation only. For a more production-ready deployment, please see the [complete example](../complete). @@ -18,28 +18,36 @@ This example should be used for product testing and evaluation only. For a more ## Updating Docs The `terraform-docs` utility is used to generate this README. Follow the below steps to update: + 1. Make changes to the `.terraform-docs.yml` file 2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/) 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .` + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | ~> 3.84 | + ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aks\_api\_server\_authorized\_ip\_ranges](#input\_aks\_api\_server\_authorized\_ip\_ranges) | The list of authorized IP ranges to contact the Wayfinder Management AKS Cluster API server. | `list(string)` | 
[
  "0.0.0.0/0"
]
| no | | [aks\_rbac\_aad\_admin\_groups](#input\_aks\_rbac\_aad\_admin\_groups) | Map of Azure AD Groups and their Object IDs that will be set as cluster admin. | `map(string)` | n/a | yes | | [clusterissuer\_email](#input\_clusterissuer\_email) | The email address to use for the cert-manager cluster issuer. | `string` | n/a | yes | -| [disable\_internet\_access](#input\_disable\_internet\_access) | Whether to disable internet access for AKS and the Wayfinder ingress controller. | `bool` | `false` | no | | [dns\_resource\_group\_name](#input\_dns\_resource\_group\_name) | The name of the resource group where the DNS Zone exists. | `string` | n/a | yes | | [dns\_zone\_name](#input\_dns\_zone\_name) | The name of the DNS zone to use for wayfinder. | `string` | n/a | yes | +| [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which to create the AKS cluster. | `string` | n/a | yes | +| [wayfinder\_instance\_id](#input\_wayfinder\_instance\_id) | The instance ID to use for Wayfinder. | `string` | n/a | yes | +| [wayfinder\_licence\_key](#input\_wayfinder\_licence\_key) | The licence key to use for Wayfinder. | `string` | n/a | yes | +| [aks\_api\_server\_authorized\_ip\_ranges](#input\_aks\_api\_server\_authorized\_ip\_ranges) | The list of authorized IP ranges to contact the Wayfinder Management AKS Cluster API server. | `list(string)` | 
[
  "0.0.0.0/0"
]
| no | +| [disable\_internet\_access](#input\_disable\_internet\_access) | Whether to disable internet access for AKS and the Wayfinder ingress controller. | `bool` | `false` | no | | [enable\_k8s\_resources](#input\_enable\_k8s\_resources) | Whether to enable the creation of Kubernetes resources for Wayfinder (helm and kubectl manifest deployments). | `bool` | `true` | no | | [environment](#input\_environment) | The environment in which the resources are deployed. | `string` | `"production"` | no | | [location](#input\_location) | The Azure region in which to create the resources. | `string` | `"uksouth"` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which to create the AKS cluster. | `string` | n/a | yes | | [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `{}` | no | | [user\_assigned\_identity](#input\_user\_assigned\_identity) | MSI id for AKS to run as | `string` | `null` | no | -| [wayfinder\_instance\_id](#input\_wayfinder\_instance\_id) | The instance ID to use for Wayfinder. | `string` | n/a | yes | -| [wayfinder\_licence\_key](#input\_wayfinder\_licence\_key) | The licence key to use for Wayfinder. | `string` | n/a | yes | ## Outputs @@ -51,4 +59,5 @@ The `terraform-docs` utility is used to generate this README. Follow the below s | [wayfinder\_api\_url](#output\_wayfinder\_api\_url) | The URL for the Wayfinder API | | [wayfinder\_instance\_id](#output\_wayfinder\_instance\_id) | The unique identifier for the Wayfinder instance | | [wayfinder\_ui\_url](#output\_wayfinder\_ui\_url) | The URL for the Wayfinder UI | - \ No newline at end of file + + diff --git a/modules/cloudaccess/.terraform-docs.yml b/modules/cloudaccess/.terraform-docs.yml deleted file mode 100644 index 6559290..0000000 --- a/modules/cloudaccess/.terraform-docs.yml +++ /dev/null @@ -1,23 +0,0 @@ -content: |- - # Terraform Module: Cloud Access for Wayfinder on Azure - - This Terraform Module can be used to associate Roles to Wayfinder's Azure Identity, for creating resources within an Azure Subscription. - - **Notes:** - * You must set `var.wayfinder_identity_azure_principal_id` to the Azure Principal ID of the Wayfinder Identity. - * `var.resource_suffix` is an optional suffix to use on created objects. We recommend using workspace key + stage if you wish to have multiple workspaces sharing the same AWS account, allowing independent roles to be provisioned for each. - - ## Deployment - - Please see the [examples](./examples) directory to see how to deploy this module. - - {{ .Inputs }} - - {{ .Outputs }} - - ## Updating Docs - - The `terraform-docs` utility is used to generate this README. Follow the below steps to update: - 1. Make changes to the `.terraform-docs.yml` file - 2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/) - 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .` diff --git a/modules/cloudaccess/README.md b/modules/cloudaccess/README.md index bdab843..49e6165 100644 --- a/modules/cloudaccess/README.md +++ b/modules/cloudaccess/README.md @@ -1,22 +1,30 @@ - # Terraform Module: Cloud Access for Wayfinder on Azure This Terraform Module can be used to associate Roles to Wayfinder's Azure Identity, for creating resources within an Azure Subscription. **Notes:** -* You must set `var.wayfinder_identity_azure_principal_id` to the Azure Principal ID of the Wayfinder Identity. -* `var.resource_suffix` is an optional suffix to use on created objects. We recommend using workspace key + stage if you wish to have multiple workspaces sharing the same AWS account, allowing independent roles to be provisioned for each. + +- You must set `var.wayfinder_identity_azure_principal_id` to the Azure Principal ID of the Wayfinder Identity. +- `var.resource_suffix` is an optional suffix to use on created objects. We recommend using workspace key + stage if you wish to have multiple workspaces sharing the same AWS account, allowing independent roles to be provisioned for each. ## Deployment Please see the [examples](./examples) directory to see how to deploy this module. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | >=3.74.0 | +| [time](#provider\_time) | >= 0.9.0 | + ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [create\_duration\_delay](#input\_create\_duration\_delay) | Used to tune terraform apply when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after creation of the specified resource type. | 
object({
    azurerm_role_definition = optional(string, "30s")
  })
| `{}` | no | -| [destroy\_duration\_delay](#input\_destroy\_duration\_delay) | Used to tune terraform destroy when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after destruction of the specified resource type. | 
object({
    azurerm_role_definition = optional(string, "0s")
  })
| `{}` | no | +| [create\_duration\_delay](#input\_create\_duration\_delay) | Used to tune terraform apply when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after creation of the specified resource type. | 
object({
    azurerm_role_definition = optional(string, "30s")
  })
| `{}` | no | +| [destroy\_duration\_delay](#input\_destroy\_duration\_delay) | Used to tune terraform destroy when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after destruction of the specified resource type. | 
object({
    azurerm_role_definition = optional(string, "0s")
  })
| `{}` | no | | [enable\_cloud\_info](#input\_enable\_cloud\_info) | Whether to create the Cloud Info IAM Role | `bool` | `false` | no | | [enable\_cluster\_manager](#input\_enable\_cluster\_manager) | Whether to create the Cluster Manager IAM Role | `bool` | `false` | no | | [enable\_dns\_zone\_manager](#input\_enable\_dns\_zone\_manager) | Whether to create the DNS Zone Manager IAM Role | `bool` | `false` | no | @@ -39,11 +47,5 @@ Please see the [examples](./examples) directory to see how to deploy this module |------|-------------| | [managed\_identity\_client\_id](#output\_managed\_identity\_client\_id) | The client ID of the created managed identity to use as spec.azure.clientID in your cloud access configuration | | [managed\_identity\_tenant\_id](#output\_managed\_identity\_tenant\_id) | The tenant ID in which the managed identity exists, to use as spec.azure.tenantID in your cloud access configuration | + -## Updating Docs - -The `terraform-docs` utility is used to generate this README. Follow the below steps to update: -1. Make changes to the `.terraform-docs.yml` file -2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/) -3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .` - \ No newline at end of file diff --git a/modules/cloudaccess/examples/complete/.terraform.lock.hcl b/modules/cloudaccess/examples/complete/.terraform.lock.hcl new file mode 100644 index 0000000..460a48c --- /dev/null +++ b/modules/cloudaccess/examples/complete/.terraform.lock.hcl @@ -0,0 +1,42 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "4.6.0" + constraints = ">= 3.74.0" + hashes = [ + "h1:dnb4t07g8JX1xNSW5Rsx9VTriKKst0bsquJNmvtqEN0=", + "zh:13107f35a7060efa62570e3482285003092ead0afa0fa9fa1b0dda4f70080cb9", + "zh:22703b9f318adbda7e75d50e76b345651cbf371bce227566a8b8532c9c4f0880", + "zh:601d1eb1c056e4de649561764056e3dc21b837d104d15fee31f9aaaacb292046", + "zh:6572232f9b0d20b149e8b5cf161fada6d8122ee1fea732c2f1e9402fe4d3375f", + "zh:6c19ab78c6cf7eb04b8db978daa611db04598fd490c90b85889d08726da1d095", + "zh:7f6eae5fa14def221422fdd34ea122ea0263d0c3c67eb0fd7870d664d7d7a360", + "zh:8530912ffcc8a92dd5c186ecd08a9c2f1282838a3ad5a71786c2866402c71da7", + "zh:a6b110c6cff0ed8c1a8969bd86583db1d5b4f3100f89ce0a0e0350b1ad8cd47b", + "zh:bd67b5d92e06bc44b166f4cabab189de5cc06506333283ac88b4ce21707b8c6b", + "zh:c472fdcafbca86a0a5b515378409d0bbddff6a6abb0bd0ecf438c610944b1e98", + "zh:ca4bb3797ddf20062995134211b50e313242c8a81aa5da63cc51a47e42f494c4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/time" { + version = "0.12.1" + constraints = ">= 0.9.0" + hashes = [ + "h1:JzYsPugN8Fb7C4NlfLoFu7BBPuRVT2/fCOdCaxshveI=", + "zh:090023137df8effe8804e81c65f636dadf8f9d35b79c3afff282d39367ba44b2", + "zh:26f1e458358ba55f6558613f1427dcfa6ae2be5119b722d0b3adb27cd001efea", + "zh:272ccc73a03384b72b964918c7afeb22c2e6be22460d92b150aaf28f29a7d511", + "zh:438b8c74f5ed62fe921bd1078abe628a6675e44912933100ea4fa26863e340e9", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:85c8bd8eefc4afc33445de2ee7fbf33a7807bc34eb3734b8eefa4e98e4cddf38", + "zh:98bbe309c9ff5b2352de6a047e0ec6c7e3764b4ed3dfd370839c4be2fbfff869", + "zh:9c7bf8c56da1b124e0e2f3210a1915e778bab2be924481af684695b52672891e", + "zh:d2200f7f6ab8ecb8373cda796b864ad4867f5c255cff9d3b032f666e4c78f625", + "zh:d8c7926feaddfdc08d5ebb41b03445166df8c125417b28d64712dccd9feef136", + "zh:e2412a192fc340c61b373d6c20c9d805d7d3dee6c720c34db23c2a8ff0abd71b", + "zh:e6ac6bba391afe728a099df344dbd6481425b06d61697522017b8f7a59957d44", + ] +} diff --git a/modules/cloudaccess/examples/complete/README.md b/modules/cloudaccess/examples/complete/README.md new file mode 100644 index 0000000..7d1f109 --- /dev/null +++ b/modules/cloudaccess/examples/complete/README.md @@ -0,0 +1,31 @@ + +## Providers + +No providers. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [region](#input\_region) | The region used for created resources (where required) | `string` | n/a | yes | +| [enable\_cloud\_info](#input\_enable\_cloud\_info) | Whether to create the Cloud Info IAM Role | `bool` | `false` | no | +| [enable\_cluster\_manager](#input\_enable\_cluster\_manager) | Whether to create the Cluster Manager IAM Role | `bool` | `true` | no | +| [enable\_dns\_zone\_manager](#input\_enable\_dns\_zone\_manager) | Whether to create the DNS Zone Manager IAM Role | `bool` | `true` | no | +| [enable\_network\_manager](#input\_enable\_network\_manager) | Whether to create the Network Manager IAM Role | `bool` | `true` | no | +| [enable\_peering\_acceptor](#input\_enable\_peering\_acceptor) | Whether to create the Peering Acceptor IAM Role | `bool` | `false` | no | +| [from\_aws](#input\_from\_aws) | Whether Wayfinder is running on AWS. | `bool` | `false` | no | +| [from\_azure](#input\_from\_azure) | Whether Wayfinder is running on Azure. | `bool` | `true` | no | +| [from\_gcp](#input\_from\_gcp) | Whether Wayfinder is running on GCP. | `bool` | `false` | no | +| [resource\_suffix](#input\_resource\_suffix) | Suffix to apply to all generated resources. We recommend using workspace key + stage. | `string` | `""` | no | +| [wayfinder\_identity\_aws\_issuer](#input\_wayfinder\_identity\_aws\_issuer) | Issuer URL to trust to verify Wayfinder's AWS identity. Populate when Wayfinder is running on AWS with IRSA. | `string` | `""` | no | +| [wayfinder\_identity\_aws\_subject](#input\_wayfinder\_identity\_aws\_subject) | Subject to trust to verify Wayfinder's AWS identity. Populate when Wayfinder is running on AWS with IRSA. | `string` | `""` | no | +| [wayfinder\_identity\_azure\_principal\_id](#input\_wayfinder\_identity\_azure\_principal\_id) | Principal ID of Wayfinder's Azure AD managed identity to give access to. Populate when Wayfinder is running on Azure with AzureAD Workload Identity or when using a credential-based Azure identity. | `string` | `""` | no | +| [wayfinder\_identity\_gcp\_service\_account\_id](#input\_wayfinder\_identity\_gcp\_service\_account\_id) | Numerical ID of Wayfinder's GCP service account to give access to. Populate when Wayfinder is running on GCP with Workload Identity. | `string` | `""` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [managed\_identity\_client\_id](#output\_managed\_identity\_client\_id) | n/a | +| [managed\_identity\_tenant\_id](#output\_managed\_identity\_tenant\_id) | n/a | + \ No newline at end of file