skip: update CI 213

epam · Aug 22, 2024 · bddb5a8 · bddb5a8
1 parent da4e907
commit bddb5a8
Show file tree

Hide file tree

Showing 9 changed files with 174 additions and 19 deletions.
diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml
@@ -10,7 +10,7 @@ on:
       resource_priority_list:
         type: string
         description: Priority list for resources (you can remove unnecessary resources during testing)
-        default: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
+        default: '["service-fabric"]'
         #'["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
         required: true
 
@@ -24,7 +24,7 @@ env:
   AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
   AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
   AZURE_SECRET_VALUE: ${{ secrets.AZURE_SECRET_VALUE }}
-  default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
+  default_resource_priority_list: '["service-fabric"]'
   #default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
   TF_VAR_project: ${{ secrets.TF_VAR_project }}
   TF_VAR_region: ${{ secrets.AWS_REGION }}

diff --git a/auto_policy_testing/green/service-fabric/key_vault.tf b/auto_policy_testing/green/service-fabric/key_vault.tf
@@ -0,0 +1,56 @@
+data "azurerm_client_config" "current" {}
+
+
+resource "azurerm_key_vault_certificate" "this" {
+  name         = "green-servicefabric-cert${random_integer.this.result}"
+  key_vault_id = data.terraform_remote_state.common.outputs.key_vault_id
+
+  certificate_policy {
+    issuer_parameters {
+      name = "Self"
+    }
+
+    key_properties {
+      exportable = true
+      key_size   = 2048
+      key_type   = "RSA"
+      reuse_key  = true
+    }
+
+    lifetime_action {
+      action {
+        action_type = "AutoRenew"
+      }
+
+      trigger {
+        days_before_expiry = 30
+      }
+    }
+
+    secret_properties {
+      content_type = "application/x-pkcs12"
+    }
+
+    x509_certificate_properties {
+      # Server Authentication = 1.3.6.1.5.5.7.3.1
+      # Client Authentication = 1.3.6.1.5.5.7.3.2
+      extended_key_usage = ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"]
+
+      key_usage = [
+        "cRLSign",
+        "dataEncipherment",
+        "digitalSignature",
+        "keyAgreement",
+        "keyCertSign",
+        "keyEncipherment",
+      ]
+
+      # subject_alternative_names {
+      #   dns_names = ["internal.contoso.com", "domain.hello.world"]
+      # }
+
+      subject            = "CN=yourorg.com"
+      validity_in_months = 12
+    }
+  }
+}
diff --git a/auto_policy_testing/green/service-fabric/random.tf b/auto_policy_testing/green/service-fabric/random.tf
@@ -0,0 +1,4 @@
+resource "random_integer" "this" {
+  min = 1
+  max = 100
+}
diff --git a/auto_policy_testing/green/service-fabric/service_fabric_cluster.tf b/auto_policy_testing/green/service-fabric/service_fabric_cluster.tf
@@ -1,19 +1,10 @@
-data "azurerm_client_config" "current" {}
-
-resource "null_resource" "this" {
-  provisioner "local-exec" {
-    command = ""
-  }
-
-}
-
 resource "azurerm_service_fabric_cluster" "this" {
   name                = module.naming.resource_prefix.service-fabric
   location            = data.terraform_remote_state.common.outputs.location
   resource_group_name = data.terraform_remote_state.common.outputs.resource_group
   reliability_level    = "Bronze"
   upgrade_mode         = "Manual"
-  cluster_code_version = "8.2.1571.9590"
+  cluster_code_version = "10.1.2338.9590"
   vm_image             = "Windows"
   management_endpoint  = "https://example:80"
 
@@ -26,7 +17,7 @@ resource "azurerm_service_fabric_cluster" "this" {
   }
 
   certificate {
-        thumbprint = "${var.sf_cluster_cert_thumb}"
+        thumbprint = azurerm_key_vault_certificate.this.thumbprint
         x509_store_name = "My"
     }
 
@@ -44,4 +35,6 @@ resource "azurerm_service_fabric_cluster" "this" {
   }
 
   tags = module.naming.default_tags
+
+  depends_on = [ azurerm_key_vault_certificate.this ]
 }
diff --git a/auto_policy_testing/red/common_resources/key_vault.tf b/auto_policy_testing/red/common_resources/key_vault.tf
@@ -0,0 +1,37 @@
+resource "azurerm_key_vault" "this" {
+  name                       = "${module.naming.resource_prefix.keyvault}common${random_integer.this.result}"
+  location                   = azurerm_resource_group.this.location
+  resource_group_name        = azurerm_resource_group.this.name
+  tenant_id                  = data.azurerm_client_config.current.tenant_id
+  sku_name                   = "premium"
+  soft_delete_retention_days = 7
+  purge_protection_enabled   = true
+  enabled_for_disk_encryption = true
+
+  tags = module.naming.default_tags
+}
+
+resource "azurerm_key_vault_access_policy" "client" {
+  key_vault_id       = azurerm_key_vault.this.id
+  tenant_id          = data.azurerm_client_config.current.tenant_id
+  object_id          = data.azurerm_client_config.current.object_id
+
+  key_permissions    = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify", "GetRotationPolicy", "SetRotationPolicy"]
+  secret_permissions = ["Get"]
+  certificate_permissions = [
+      "Create",
+      "Delete",
+      "DeleteIssuers",
+      "Get",
+      "GetIssuers",
+      "Import",
+      "List",
+      "ListIssuers",
+      "ManageContacts",
+      "ManageIssuers",
+      "SetIssuers",
+      "Update",
+      "Purge",
+    ]
+}
+
diff --git a/auto_policy_testing/red/common_resources/outputs.tf b/auto_policy_testing/red/common_resources/outputs.tf
@@ -42,4 +42,8 @@ output "workspace_key" {
 
 output "workspace_id" {
     value =   azurerm_log_analytics_workspace.this.workspace_id
+}
+
+output "key_vault_id" {
+    value =   azurerm_key_vault.this.id
 }
diff --git a/auto_policy_testing/red/service-fabric/key_vault.tf b/auto_policy_testing/red/service-fabric/key_vault.tf
@@ -0,0 +1,56 @@
+data "azurerm_client_config" "current" {}
+
+
+resource "azurerm_key_vault_certificate" "this" {
+  name         = "red-servicefabric-cert${random_integer.this.result}"
+  key_vault_id = data.terraform_remote_state.common.outputs.key_vault_id
+
+  certificate_policy {
+    issuer_parameters {
+      name = "Self"
+    }
+
+    key_properties {
+      exportable = true
+      key_size   = 2048
+      key_type   = "RSA"
+      reuse_key  = true
+    }
+
+    lifetime_action {
+      action {
+        action_type = "AutoRenew"
+      }
+
+      trigger {
+        days_before_expiry = 30
+      }
+    }
+
+    secret_properties {
+      content_type = "application/x-pkcs12"
+    }
+
+    x509_certificate_properties {
+      # Server Authentication = 1.3.6.1.5.5.7.3.1
+      # Client Authentication = 1.3.6.1.5.5.7.3.2
+      extended_key_usage = ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"]
+
+      key_usage = [
+        "cRLSign",
+        "dataEncipherment",
+        "digitalSignature",
+        "keyAgreement",
+        "keyCertSign",
+        "keyEncipherment",
+      ]
+
+      # subject_alternative_names {
+      #   dns_names = ["internal.contoso.com", "domain.hello.world"]
+      # }
+
+      subject            = "CN=yourorg.com"
+      validity_in_months = 12
+    }
+  }
+}
diff --git a/auto_policy_testing/red/service-fabric/random.tf b/auto_policy_testing/red/service-fabric/random.tf
@@ -0,0 +1,4 @@
+resource "random_integer" "this" {
+  min = 1
+  max = 100
+}
diff --git a/auto_policy_testing/red/service-fabric/service_fabric_cluster.tf b/auto_policy_testing/red/service-fabric/service_fabric_cluster.tf
@@ -1,12 +1,10 @@
-data "azurerm_client_config" "current" {}
-
 resource "azurerm_service_fabric_cluster" "this" {
   name                = module.naming.resource_prefix.service-fabric
   location            = data.terraform_remote_state.common.outputs.location
   resource_group_name = data.terraform_remote_state.common.outputs.resource_group
   reliability_level    = "Bronze"
   upgrade_mode         = "Manual"
-  cluster_code_version = "8.2.1571.9590"
+  cluster_code_version = "10.1.2338.9590"
   vm_image             = "Windows"
   management_endpoint  = "https://example:80"
 
@@ -18,9 +16,12 @@ resource "azurerm_service_fabric_cluster" "this" {
     http_endpoint_port   = 80
   }
 
-  fabric_settings {
-    name = "Security"
-  }
+  certificate {
+        thumbprint = azurerm_key_vault_certificate.this.thumbprint
+        x509_store_name = "My"
+    }
 
   tags = module.naming.default_tags
+
+  depends_on = [ azurerm_key_vault_certificate.this ]
 }