From 33ab084bc468ddf1abdf11b697eb9f2fdfec1a3b Mon Sep 17 00:00:00 2001
From: Henrik Simonsen Knutsen <46495473+hknutsen@users.noreply.github.com>
Date: Thu, 5 Dec 2024 11:21:04 +0100
Subject: [PATCH] docs: refer to standalone Terraform Backend repository
---
 docs/usage-examples.md | 2 +-
 scripts/terraform-backend/README.md | 61 ---------------
 scripts/terraform-backend/main.bicep | 110 ---------------------------
 3 files changed, 1 insertion(+), 172 deletions(-)
 delete mode 100644 scripts/terraform-backend/README.md
 delete mode 100644 scripts/terraform-backend/main.bicep
diff --git a/docs/usage-examples.md b/docs/usage-examples.md
index e80799f0..10b24ab1 100644
--- a/docs/usage-examples.md
+++ b/docs/usage-examples.md
@@ -26,7 +26,7 @@ jobs:
 Prerequisites:
 
 - [Configure Azure credentials](../scripts/oidc/README.md)
-- [Configure Terraform backend](../scripts/terraform-backend/README.md)
+- [Configure Terraform backend](https://github.com/equinor/terraform-backend)
 - Configure GitHub secret `ENCRYPTION_PASSWORD` with a randomly generated password (used to encrypt the uploaded artifact, as it may contain sensitive infrastructure configuration)
 
 Supported Terraform providers:
diff --git a/scripts/terraform-backend/README.md b/scripts/terraform-backend/README.md
deleted file mode 100644
index 225b13fa..00000000
--- a/scripts/terraform-backend/README.md
+++ /dev/null
@@ -1,61 +0,0 @@
-# Create Terraform backend
-
-This directory contains a Bicep template that will create an Azure Storage account that can be used to store Terraform state files.
-
-## Prerequisites
-
-- Install [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli).
-
-## Usage
-
-### Create Azure Storage account
-
-1. Login to Azure:
-
- ```console
- az login
- ```
-
-1. Set active subscription:
-
- ```console
- az account set --name
- ```
-
-1. Create a resource group:
-
- ```console
- az group create --name tfstate --location northeurope
- ```
-
- Requires Azure role `Contributor` at the subscription scope.
-
-1. Deploy the Bicep template to the resource group:
-
- ```console
- az deployment group create --name terraform-backend --resource-group tfstate --template-file main.bicep --parameters storageAccountName=
- ```
-
- Requires Azure role `Owner` at the resource group scope.
-
-### Configure Terraform backend
-
-1. In your Terraform configuration file, add the following backend configuration:
-
- ```terraform
- terraform {
- backend "azurerm" {
- resource_group_name = "tfstate"
- storage_account_name = ""
- container_name = "tfstate"
- key = "terraform.tfstate"
- use_azuread_auth = true
- }
- }
- ```
-
-## References
-
-- [Store Terraform state in Azure Storage](https://learn.microsoft.com/en-us/azure/developer/terraform/store-state-in-azure-storage?tabs=azure-cli)
-- [Security recommendations for Azure Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/security-recommendations)
-- [Terraform backend configuration for Azure Storage](https://www.terraform.io/language/settings/backends/azurerm)
diff --git a/scripts/terraform-backend/main.bicep b/scripts/terraform-backend/main.bicep
deleted file mode 100644
index 7e37db9d..00000000
--- a/scripts/terraform-backend/main.bicep
+++ /dev/null
@@ -1,110 +0,0 @@
-@description('The name of the Storage account to create.')
-param storageAccountName string
-
-@description('An array of IP addresses or IP ranges that should be allowed to bypass the firewall of the Terraform backend. If empty, the firewall will be disabled.')
-param ipRules array = []
-
-@description('An array of object IDs of user, group or service principals that should have access to the Terraform backend.')
-param principalIds array = []
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = {
- name: storageAccountName
- location: resourceGroup().location
- sku: {
- name: 'Standard_GRS'
- }
- kind: 'StorageV2'
- properties: {
- accessTier: 'Hot'
- supportsHttpsTrafficOnly: true
- minimumTlsVersion: 'TLS1_2'
- allowBlobPublicAccess: false
- allowSharedKeyAccess: false
- allowCrossTenantReplication: false
- networkAcls: {
- defaultAction: length(ipRules) == 0 ? 'Allow' : 'Deny'
- virtualNetworkRules: []
- ipRules: [
- for ipRule in ipRules: {
- value: ipRule
- action: 'Allow'
- }
- ]
- }
- }
-
- resource blobService 'blobServices' = {
- name: 'default'
- properties: {
- deleteRetentionPolicy: {
- allowPermanentDelete: false
- enabled: true
- days: 30
- }
- containerDeleteRetentionPolicy: {
- enabled: true
- days: 30
- }
- isVersioningEnabled: true
- changeFeed: {
- enabled: true
- }
- }
-
- resource container 'containers' = {
- name: 'tfstate'
- }
- }
-
- resource managementPolicy 'managementPolicies' = {
- name: 'default'
- properties: {
- policy: {
- rules: [
- {
- name: 'Delete old tfstate versions'
- enabled: true
- type: 'Lifecycle'
- definition: {
- actions: {
- version: {
- delete: {
- daysAfterCreationGreaterThan: 30
- }
- }
- }
- filters: {
- blobTypes: [
- 'blockBlob'
- ]
- }
- }
- }
- ]
- }
- }
- }
-}
-
-var roleDefinitionId = 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' // Storage Blob Data Owner
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
- for principalId in principalIds: {
- name: guid(storageAccount.id, principalId, roleDefinitionId)
- scope: storageAccount
- properties: {
- principalId: principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
- }
- }
-]
-
-resource lock 'Microsoft.Authorization/locks@2020-05-01' = {
- name: 'Terraform'
- scope: storageAccount
- dependsOn: [storageAccount::blobService, storageAccount::managementPolicy, roleAssignment] // Lock must be created last
- properties: {
- level: 'ReadOnly'
- notes: 'Prevent changes to Terraform backend configuration'
- }
-}