
Commit eec07af

author
Rado Marina
authored
Merge pull request #2 from gofireflyio/v1.0.1
INFL-10657_include-all-updates
2 parents 03449b2 + cd6ead8 commit eec07af


12 files changed

+244
-59
lines changed


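--- a/data.tf
+++ b/data.tf
@@ -1,10 +1,15 @@
 data "azurerm_management_group" "current" {
 name = var.tenant_id
 }
+data "azurerm_subscriptions" "current" {}
 data "azuread_client_config" "current" {}
 data "azuread_application_published_app_ids" "well_known" {}
 
 resource "azuread_service_principal" "msgraph" {
 client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
 use_existing = true
-}
+}
+resource "azurerm_resource_provider_registration" "current" {
+count = var.create_resource_provider_registration ? 1 : 0
+name = "microsoft.insights"
+}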
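Review bot: `azurerm_resource_provider_registration.current` now registers `microsoft.insights` whenever `create_resource_provider_registration` is set, whereas the removed copy in eventdriven.tf was also gated on event-driven mode, and the only consumer visible in this commit is the diagnostic-setting fan-out that still depends on `eventdriven_enabled`. As documented for the azurerm provider, destroying this resource unregisters the provider in the subscription, which can break other Azure Monitor users, so the gate is worth keeping: `count = var.create_resource_provider_registration && var.eventdriven_enabled ? 1 : 0`. If it is meant to be unconditional, say so on the resource, e.g. `# registers microsoft.insights in the provider's subscription only; destroying this resource unregisters it`. Registration also happens only in the provider's subscription, while diagnostic settings are now created per discovered subscription, so the other subscriptions presumably need the provider registered by other means — confirm.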

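--- a/eventdriven.tf
+++ b/eventdriven.tf
@@ -1,12 +1,12 @@
 resource "azurerm_resource_group" "current" {
-count = var.eventdriven ? 1 : 0
+count = var.eventdriven_enabled ? 1 : 0
 location = var.location
 name = "${var.prefix}firefly${var.suffix}"
 tags = local.tags
 }
 
 resource "azurerm_storage_account" "current" {
-count = var.eventdriven ? 1 : 0
+count = var.eventdriven_enabled ? 1 : 0
 account_replication_type = "LRS"
 cross_tenant_replication_enabled = false
 account_tier = "Standard"
@@ -16,23 +16,8 @@ resource "azurerm_storage_account" "current" {
 tags = local.tags
 }
 
-resource "azurerm_resource_provider_registration" "current" {
-count = var.create_resource_provider_registration && var.eventdriven ? 1 : 0
-name = "microsoft.insights"
-}
-
-resource "azurerm_monitor_diagnostic_setting" "current" {
-count = var.eventdriven ? 1 : 0
-name = "${var.prefix}firefly${var.suffix}"
-target_resource_id = "/subscriptions/${var.subscription_id}"
-storage_account_id = azurerm_storage_account.current[0].id
-enabled_log {
-category = "Administrative"
-}
-}
-
 resource "azurerm_eventgrid_system_topic" "current" {
-count = var.eventdriven ? 1 : 0
+count = var.eventdriven_enabled ? 1 : 0
 name = "${var.prefix}firefly${var.suffix}"
 location = var.location
 resource_group_name = azurerm_resource_group.current[0].name
@@ -42,7 +27,7 @@ resource "azurerm_eventgrid_system_topic" "current" {
 }
 
 resource "azurerm_eventgrid_system_topic_event_subscription" "current" {
-count = var.eventdriven ? 1 : 0
+count = var.eventdriven_enabled ? 1 : 0
 name = "${var.prefix}firefly${var.suffix}"
 resource_group_name = azurerm_resource_group.current[0].name
 system_topic = azurerm_eventgrid_system_topic.current[0].name
@@ -58,3 +43,52 @@ resource "azurerm_eventgrid_system_topic_event_subscription" "current" {
 max_delivery_attempts = 30
 }
 }
+
+resource "azurerm_role_definition" "FireflyStorageAccountBlobReader" {
+name = "${var.prefix}FireflyStorageAccountBlobReader-${var.subscription_id}${var.suffix}"
+scope = "/subscriptions/${var.subscription_id}"
+description = "Firefly's requested permissions"
+
+permissions {
+data_actions = [
+"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
+]
+}
+assignable_scopes = [
+"/subscriptions/${var.subscription_id}"
+]
+}
+
+resource "azurerm_role_assignment" "FireflyStorageAccountBlobReader" {
+principal_id = azuread_service_principal.current.id
+role_definition_name = azurerm_role_definition.FireflyStorageAccountBlobReader.name
+scope = "/subscriptions/${var.subscription_id}"
+condition_version = "2.0"
+condition = <<-EOT
+(
+(
+!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT
+SubOperationMatches{'Blob.List'})
+)
+OR
+(
+@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '*state'
+)
+OR
+(
+@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '*.tfstateenv:*'
+)
+)
+EOT
+}
+
+resource "azurerm_monitor_diagnostic_setting" "current" {
+for_each = local.kv_filtered_subscriptions
+name = "${var.prefix}firefly${each.key}${var.suffix}"
+target_resource_id = "/subscriptions/${each.key}"
+storage_account_id = azurerm_storage_account.current[0].id
+enabled_log {
+category = "Administrative"
+}
+depends_on = [azurerm_storage_account.current[0]]
+}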
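Review bot: `azurerm_monitor_diagnostic_setting.current` iterates `local.kv_filtered_subscriptions` unconditionally but reads `azurerm_storage_account.current[0].id`, which only exists when `eventdriven_enabled` is true, so an apply with event-driven mode off and `trigger_integrations` on fails on an empty index; gate the map with `for_each = var.eventdriven_enabled ? local.kv_filtered_subscriptions : {}` (the `depends_on` line is then redundant with the `storage_account_id` reference). The new `FireflyStorageAccountBlobReader` assignment uses `azuread_service_principal.current.id`, whereas every assignment in permission.tf uses `.object_id`; in recent azuread provider majors `id` is no longer the bare object ID, so `principal_id = azuread_service_principal.current.object_id` is the consistent and safer form. The blob-reader role and its ABAC condition (list anywhere, read only blobs matching `*state` or `*.tfstateenv:*`) are scoped to `var.subscription_id` only while discovery now spans every filtered subscription — a comment on the role stating that state-file reads in the other subscriptions are intentionally out of scope would save the next reader from guessing.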

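--- a/integration.tf
+++ b/integration.tf
@@ -0,0 +1,31 @@
+data "http" "firefly_login" {
+count = var.firefly_secret_key != "" ? 1 : 0
+url = "${var.firefly_endpoint}/account/access_keys/login"
+method = "POST"
+request_headers = {
+Content-Type = "application/json"
+}
+request_body = jsonencode({ "accessKey" = var.firefly_access_key, "secretKey" = var.firefly_secret_key })
+}
+
+locals {
+response_obj = try(jsondecode(data.http.firefly_login[0].response_body), {})
+token = lookup(local.response_obj, "access_token", "error")
+}
+
+// Multi
+module "firefly_integrate" {
+for_each = local.kv_filtered_subscriptions
+firefly_endpoint = "https://api-eu.stag.firefly.ai/api"
+source = "../modules/firefly_azure_integration"
+#firefly_token = local.token
+firefly_token = local.token
+subscription_id = each.key
+subscription_name = each.value
+tenant_id = var.tenant_id
+application_id = azuread_service_principal.current.client_id
+client_secret = azuread_service_principal_password.current.value
+directory_domain = "firefly"
+eventdriven_enabled = var.eventdriven_enabled
+iac_auto_discovery_disabled = true
+}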
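Review bot: the bearer token is obtained from `var.firefly_endpoint`, but `module.firefly_integrate` hard-codes `firefly_endpoint = "https://api-eu.stag.firefly.ai/api"`, so that token and the service-principal secret are posted to a staging host no matter what the root variable says; use `firefly_endpoint = var.firefly_endpoint` (or drop the line so the module default applies) and delete the leftover `#firefly_token = local.token`. The login is a `data "http"` with no status check, and hashicorp/http does not fail on non-2xx, so a rejected login degrades into sending `Bearer error` downstream instead of stopping the apply — a postcondition on `status_code` fixes that. Note also that this data source persists `request_body` (access key and secret key) and `response_body` (the token) in state, and `azuread_service_principal_password.current.value` flows into the module's request body as well, so state must be treated as a secret; `firefly_access_key`/`firefly_secret_key` should be `sensitive = true` if they are not already (their declarations are outside this chunk).
```hcl
data "http" "firefly_login" {
  # … unchanged: count, url, method, request_headers, request_body …
  lifecycle {
    postcondition {
      condition     = self.status_code == 200
      error_message = "Firefly login failed with HTTP status ${self.status_code}"
    }
  }
}
```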

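--- a/locals.tf
+++ b/locals.tf
@@ -1,4 +1,7 @@
 locals {
+filtered_subscriptions = [for subscription in data.azurerm_subscriptions.current.subscriptions : subscription if !contains(keys(subscription.tags), "disable_firefly_discovery") && subscription.state == "Enabled"]
+kv_filtered_subscriptions = var.trigger_integrations && length(local.filtered_subscriptions) > 0 ? { for subscription in local.filtered_subscriptions : subscription.subscription_id => subscription.display_name } : {}
+
 tags = merge(var.tags, {
 "firefly" = "true"
 })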
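Review bot: `filtered_subscriptions` is an opt-out model — every Enabled subscription the deploying identity can list through `data.azurerm_subscriptions.current` is onboarded unless it carries the `disable_firefly_discovery` tag, so a subscription created later is integrated (activity log shipped, client secret registered with Firefly) on the next apply without anyone opting it in. That is a consequential default and should be stated on the local, e.g. `# opt-out: every Enabled subscription visible to the caller is integrated unless tagged disable_firefly_discovery`; an allow-list variable would help tenants that want opt-in. If `tags` can be null for untagged subscriptions, `keys(subscription.tags)` errors; `try(keys(subscription.tags), [])` guards it — confirm against the provider schema.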
Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
locals {
2+
version = "0.1.0"
3+
}
Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
data "http" "firefly_aws_integration_request" {
2+
url = "${var.firefly_endpoint}/integrations/azure/"
3+
method = "POST"
4+
request_headers = {
5+
Content-Type = "application/json"
6+
Authorization = "Bearer ${var.firefly_token}"
7+
}
8+
retry {
9+
attempts = 3
10+
max_delay_ms = 5000
11+
min_delay_ms = 5000
12+
}
13+
request_body = jsonencode(
14+
{
15+
"name"= var.subscription_name,
16+
"subscriptionId"= var.subscription_id,
17+
"tenantId"= var.tenant_id,
18+
"applicationId"= var.application_id,
19+
"clientSecret"= var.client_secret,
20+
"directoryDomain" = var.directory_domain,
21+
"isProd" = var.is_prod,
22+
"isEventDriven" = var.eventdriven_enabled,
23+
"isIacAutoDiscoveryDisabled" = var.iac_auto_discovery_disabled
24+
}
25+
)
26+
}
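Review bot: `data "http" "firefly_aws_integration_request"` performs a side-effecting POST (it registers the integration, including `clientSecret`) from a data source, so it is re-executed on every plan and refresh, and the `retry` block will repeat the POST after a transport error — unless the server side is idempotent on `subscriptionId`, the integration gets created repeatedly. There is also no status check, so a 4xx/5xx reply is silently accepted; add `lifecycle { postcondition { condition = self.status_code == 200, error_message = "Firefly integration request failed with HTTP ${self.status_code}" } }` and consider moving the call into a resource (for example a `terraform_data` with a provisioner) so it runs once. The request body, with the client secret, is persisted in state by this data source — worth a one-line comment above the block. Finally the name still says `aws` for an Azure request; rename it to `firefly_azure_integration_request`.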
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
terraform {
2+
required_providers {
3+
http = {
4+
source = "hashicorp/http"
5+
version = "3.4.2"
6+
}
7+
}
8+
}
Lines changed: 53 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,53 @@
1+
variable "subscription_name" {
2+
type = string
3+
description = "subscription_name"
4+
}
5+
6+
variable "firefly_token" {
7+
type = string
8+
description = "Token returned as result of login request, if provided firefly_access_key and firefly_secret_key are ignored"
9+
}
10+
11+
variable "subscription_id" {
12+
type = string
13+
description = "subscription id"
14+
}
15+
16+
17+
variable "firefly_endpoint" {
18+
type = string
19+
description = "The Firefly endpoint to register account management"
20+
default = "https://prodapi.gofirefly.io/api"
21+
}
22+
23+
variable "is_prod" {
24+
type = bool
25+
default = false
26+
description = "Is Production?"
27+
}
28+
29+
variable "tenant_id" {
30+
type = string
31+
}
32+
33+
variable "application_id" {
34+
type = string
35+
}
36+
37+
variable "client_secret" {
38+
type = string
39+
}
40+
41+
variable "directory_domain" {
42+
type = string
43+
}
44+
45+
variable "eventdriven_enabled" {
46+
type = bool
47+
default = true
48+
}
49+
50+
variable "iac_auto_discovery_disabled" {
51+
type = bool
52+
default = false
53+
}
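Review bot: `client_secret` and `firefly_token` carry credentials but are not marked sensitive, so their values are printed in plan and apply output wherever this module is called; add `sensitive = true` to both variable blocks. `tenant_id`, `application_id`, `client_secret` and `directory_domain` also have no `description`; a line such as `description = "Client secret of the Firefly service principal; sent to the Firefly API in the integration request"` documents the data flow. The `firefly_token` description mentions access/secret keys being ignored, but this module declares no such variables — reword it to `description = "Bearer token obtained from the Firefly login endpoint"`.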

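--- a/outputs.tf
+++ b/outputs.tf
@@ -1,9 +1,9 @@
-output "sp_firefly_client_id" {
-value = azuread_service_principal.current.client_id
+output "filtered_subscriptions" {
+value = local.kv_filtered_subscriptions
 }
 
-output "sp_firefly_client_secret" {
-value = azuread_service_principal_password.current.value
+output "firefly_service_principal_id" {
+value = azuread_service_principal.current.id
 }
 
 output "firefly_tenant_id" {
@@ -12,4 +12,8 @@ output "firefly_tenant_id" {
 
 output "firefly_subscription_id" {
 value = var.subscription_id
-}
+}
+
+# output "firefly_storage_account_id" {
+# value = azurerm_storage_account.current[0].id
+# }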
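Review bot: `firefly_service_principal_id` exposes `azuread_service_principal.current.id`, while the role assignments in permission.tf use `.object_id`; depending on the azuread provider major version `id` may not be the bare object ID, so `value = azuread_service_principal.current.object_id` is the unambiguous form. Removing the `sp_firefly_client_secret` output is the right call — the secret is now only ever sent to the Firefly API. The commented-out `firefly_storage_account_id` block should either go or become conditional, e.g. `value = one(azurerm_storage_account.current[*].id)`, since `[0]` errors when event-driven mode is off.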

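--- a/permission.tf
+++ b/permission.tf
@@ -1,5 +1,10 @@
+locals {
+management_group_id = var.management_group_id != "" ? "/providers/Microsoft.Management/managementGroups/${var.management_group_id}" : data.azurerm_management_group.current.id
+scope = var.eventdriven_auto_discover != "" ? local.management_group_id : "/subscriptions/${var.subscription_id}"
+}
+
 resource "azuread_application_registration" "current" {
-display_name = "${var.prefix}firefly-${var.subscription_id}${var.suffix}"
+display_name = "${var.prefix}firefly${var.suffix}"
 }
 
 resource "azuread_service_principal" "current" {
@@ -14,30 +19,30 @@ resource "azuread_service_principal_password" "current" {
 resource "azurerm_role_assignment" "BillingReader" {
 principal_id = azuread_service_principal.current.object_id
 role_definition_name = "Billing Reader"
-scope = "/subscriptions/${var.subscription_id}"
+scope = local.scope
 }
 
 resource "azurerm_role_assignment" "Reader" {
 principal_id = azuread_service_principal.current.object_id
 role_definition_name = "Reader"
-scope = "/subscriptions/${var.subscription_id}"
+scope = local.scope
 }
 
 resource "azurerm_role_assignment" "AppConfigurationDataReader" {
 principal_id = azuread_service_principal.current.object_id
 role_definition_name = "App Configuration Data Reader"
-scope = "/subscriptions/${var.subscription_id}"
+scope = local.scope
 }
 
 resource "azurerm_role_assignment" "SecurityReader" {
 principal_id = azuread_service_principal.current.object_id
 role_definition_name = "Security Reader"
-scope = "/subscriptions/${var.subscription_id}"
+scope = local.scope
 }
 
 resource "azurerm_role_definition" "Firefly" {
-name = "${var.prefix}Firefly-${var.subscription_id}${var.suffix}"
-scope = "/subscriptions/${var.subscription_id}"
+name = "${var.prefix}Firefly${var.suffix}"
+scope = local.scope
 description = "Firefly's requested permissions"
 
 permissions {
@@ -55,37 +60,16 @@ resource "azurerm_role_definition" "Firefly" {
 "Microsoft.Authorization/roleAssignments/read",
 "Microsoft.OperationalInsights/workspaces/sharedkeys/action"
 ]
-data_actions = [
-"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
-]
 }
-
 assignable_scopes = [
-"/subscriptions/${var.subscription_id}"
+local.scope
 ]
 }
 
 resource "azurerm_role_assignment" "Firefly" {
 principal_id = azuread_service_principal.current.object_id
 role_definition_name = azurerm_role_definition.Firefly.name
-scope = "/subscriptions/${var.subscription_id}"
-condition_version = "2.0"
-condition = <<-EOT
-(
-(
-!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT
-SubOperationMatches{'Blob.List'})
-)
-OR
-(
-@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '*state'
-)
-OR
-(
-@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '*.tfstateenv:*'
-)
-)
-EOT
+scope = local.scope
 }
 
 resource "azuread_service_principal_delegated_permission_grant" "current" {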
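Review bot: `local.scope` silently widens Reader, Billing Reader, Security Reader, App Configuration Data Reader and the custom `Firefly` role from one subscription to a management group whenever `var.eventdriven_auto_discover` is non-empty, and the fallback `data.azurerm_management_group.current` is looked up by `var.tenant_id` in data.tf, i.e. the tenant root group — every current and future subscription in the tenant. The custom role keeps `Microsoft.OperationalInsights/workspaces/sharedkeys/action`, so at that scope the service principal can pull shared keys for every Log Analytics workspace in the tenant; I would leave that action (and the data-plane App Configuration Data Reader role) at subscription scope, or at least document the decision with a comment on `local.scope` such as `# with auto-discovery on, all read roles are granted at management-group scope (tenant root unless management_group_id is set), i.e. to every subscription in the tenant`. `eventdriven_auto_discover` is compared against `""` although its name reads like a boolean; its declaration is outside this chunk, so confirm the type and consider `var.management_group_id != "" || var.eventdriven_auto_discover` style explicitness. Dropping `var.subscription_id` from the role-definition name also means two deployments in the same tenant would presumably collide on the name, since custom role names are tenant-wide — confirm that is acceptable. The `azuread_service_principal_delegated_permission_grant` block on the last context line continues outside the hunk.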
