From bddb5a8d52b5b1b85102bb1c143b77a9f3f50626 Mon Sep 17 00:00:00 2001
From: vit-corp
Date: Fri, 23 Aug 2024 02:30:01 +0300
Subject: [PATCH] skip: update CI 213
---
.github/workflows/auto-test.yml | 4 +-
.../green/service-fabric/key_vault.tf | 56 +++++++++++++++++++
.../green/service-fabric/random.tf | 4 ++
.../service-fabric/service_fabric_cluster.tf | 15 ++---
.../red/common_resources/key_vault.tf | 37 ++++++++++++
.../red/common_resources/outputs.tf | 4 ++
.../red/service-fabric/key_vault.tf | 56 +++++++++++++++++++
.../red/service-fabric/random.tf | 4 ++
.../service-fabric/service_fabric_cluster.tf | 13 +++--
9 files changed, 174 insertions(+), 19 deletions(-)
create mode 100644 auto_policy_testing/green/service-fabric/key_vault.tf
create mode 100644 auto_policy_testing/green/service-fabric/random.tf
create mode 100644 auto_policy_testing/red/common_resources/key_vault.tf
create mode 100644 auto_policy_testing/red/service-fabric/key_vault.tf
create mode 100644 auto_policy_testing/red/service-fabric/random.tf
diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml
index 03b7ed51..3e989723 100644
--- a/.github/workflows/auto-test.yml
+++ b/.github/workflows/auto-test.yml
@@ -10,7 +10,7 @@ on:
 resource_priority_list:
 type: string
 description: Priority list for resources (you can remove unnecessary resources during testing)
- default: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
+ default: '["service-fabric"]' #'["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
 required: true
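Review bot: The `default:` of the `resource_priority_list` input is narrowed to `'["service-fabric"]'` with the full list parked in a trailing `#` comment, and the `default_resource_priority_list` env value in the next hunk gets the same treatment; the commit subject ("skip: update CI 213") reads like a run-scoping change, yet it becomes the workflow's default for every future dispatch. If the intent is to exercise only service-fabric for this run, keep the full list as the default and pass the narrowed list as the dispatch input instead. If the narrowing is meant to stay, the comment should say why and until when, e.g. `# Temporarily limited to service-fabric while the cluster certificate fixtures are validated; restore the full list before re-enabling all resources.`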
@@ -24,7 +24,7 @@ env:
 AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
 AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 AZURE_SECRET_VALUE: ${{ secrets.AZURE_SECRET_VALUE }}
- default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
+ default_resource_priority_list: '["service-fabric"]' #default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
 TF_VAR_project: ${{ secrets.TF_VAR_project }}
 TF_VAR_region: ${{ secrets.AWS_REGION }}
diff --git a/auto_policy_testing/green/service-fabric/key_vault.tf b/auto_policy_testing/green/service-fabric/key_vault.tf
new file mode 100644
index 00000000..dbdc85d6
--- /dev/null
+++ b/auto_policy_testing/green/service-fabric/key_vault.tf
@@ -0,0 +1,56 @@
+data "azurerm_client_config" "current" {}
+
+
+resource "azurerm_key_vault_certificate" "this" {
+ name = "green-servicefabric-cert${random_integer.this.result}"
+ key_vault_id = data.terraform_remote_state.common.outputs.key_vault_id
+
+ certificate_policy {
+ issuer_parameters {
+ name = "Self"
+ }
+
+ key_properties {
+ exportable = true
+ key_size = 2048
+ key_type = "RSA"
+ reuse_key = true
+ }
+
+ lifetime_action {
+ action {
+ action_type = "AutoRenew"
+ }
+
+ trigger {
+ days_before_expiry = 30
+ }
+ }
+
+ secret_properties {
+ content_type = "application/x-pkcs12"
+ }
+
+ x509_certificate_properties {
+ # Server Authentication = 1.3.6.1.5.5.7.3.1
+ # Client Authentication = 1.3.6.1.5.5.7.3.2
+ extended_key_usage = ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"]
+
+ key_usage = [
+ "cRLSign",
+ "dataEncipherment",
+ "digitalSignature",
+ "keyAgreement",
+ "keyCertSign",
+ "keyEncipherment",
+ ]
+
+ # subject_alternative_names {
+ # dns_names = ["internal.contoso.com", "domain.hello.world"]
+ # }
+
+ subject = "CN=yourorg.com"
+ validity_in_months = 12
+ }
+ }
+}
\ No newline at end of file
diff --git a/auto_policy_testing/green/service-fabric/random.tf b/auto_policy_testing/green/service-fabric/random.tf
new file mode 100644
index 00000000..321b54ef
--- /dev/null
+++ b/auto_policy_testing/green/service-fabric/random.tf
@@ -0,0 +1,4 @@
+resource "random_integer" "this" {
+ min = 1
+ max = 100
+}
\ No newline at end of file
diff --git a/auto_policy_testing/green/service-fabric/service_fabric_cluster.tf b/auto_policy_testing/green/service-fabric/service_fabric_cluster.tf
index 7f212831..674a1d06 100644
--- a/auto_policy_testing/green/service-fabric/service_fabric_cluster.tf
+++ b/auto_policy_testing/green/service-fabric/service_fabric_cluster.tf
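Review bot: The `key_usage` list under `x509_certificate_properties` grants `keyCertSign` and `cRLSign` to what is a self-issued leaf certificate for cluster TLS and client authentication; those are CA usages, and since the green fixture is presumably the compliant baseline it should model the minimal set — for an RSA key with the two listed EKUs that is `digitalSignature` and `keyEncipherment`. The same block appears verbatim in `auto_policy_testing/red/service-fabric/key_vault.tf`, which needs the same trim. `subject = "CN=yourorg.com"` is a template placeholder that matches neither the cluster's `management_endpoint` nor any SAN; a comment such as `# placeholder subject: the fixture never serves this name, only the thumbprint is consumed` would stop the next reader from "fixing" it. `data "azurerm_client_config" "current" {}` at the top is not referenced anywhere in this hunk — if nothing else in the module uses it after its removal from service_fabric_cluster.tf, it can be dropped.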
@@ -1,19 +1,10 @@
-data "azurerm_client_config" "current" {}
-
-resource "null_resource" "this" {
- provisioner "local-exec" {
- command = ""
- }
-
- }
-
 resource "azurerm_service_fabric_cluster" "this" {
 name = module.naming.resource_prefix.service-fabric
 location = data.terraform_remote_state.common.outputs.location
 resource_group_name = data.terraform_remote_state.common.outputs.resource_group
 reliability_level = "Bronze"
 upgrade_mode = "Manual"
- cluster_code_version = "8.2.1571.9590"
+ cluster_code_version = "10.1.2338.9590"
 vm_image = "Windows"
 management_endpoint = "https://example:80"
@@ -26,7 +17,7 @@ resource "azurerm_service_fabric_cluster" "this" {
 }
 certificate {
- thumbprint = "${var.sf_cluster_cert_thumb}"
+ thumbprint = azurerm_key_vault_certificate.this.thumbprint
 x509_store_name = "My"
 }
@@ -44,4 +35,6 @@ resource "azurerm_service_fabric_cluster" "this" {
 }
 tags = module.naming.default_tags
+
+ depends_on = [ azurerm_key_vault_certificate.this ]
 }
\ No newline at end of file
diff --git a/auto_policy_testing/red/common_resources/key_vault.tf b/auto_policy_testing/red/common_resources/key_vault.tf
new file mode 100644
index 00000000..76d431bf
--- /dev/null
+++ b/auto_policy_testing/red/common_resources/key_vault.tf
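Review bot: `depends_on = [ azurerm_key_vault_certificate.this ]` in the third hunk is redundant: the `thumbprint = azurerm_key_vault_certificate.this.thumbprint` reference added in the second hunk already orders the cluster after the certificate, so the explicit dependency only adds noise and hides the real reason if one exists. Drop the two added lines, or keep them with a comment naming what the implicit reference does not cover. Replacing `"${var.sf_cluster_cert_thumb}"` leaves `variable "sf_cluster_cert_thumb"` — if it is declared in this module's variables file, which is outside this diff — unused and, if it has no default, still demanded at plan time; it should be removed in the same commit. The `azurerm_service_fabric_cluster` body starts and ends outside the second hunk, and the red cluster file carries the same `depends_on`.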
@@ -0,0 +1,37 @@
+resource "azurerm_key_vault" "this" {
+ name = "${module.naming.resource_prefix.keyvault}common${random_integer.this.result}"
+ location = azurerm_resource_group.this.location
+ resource_group_name = azurerm_resource_group.this.name
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ sku_name = "premium"
+ soft_delete_retention_days = 7
+ purge_protection_enabled = true
+ enabled_for_disk_encryption = true
+
+ tags = module.naming.default_tags
+}
+
+resource "azurerm_key_vault_access_policy" "client" {
+ key_vault_id = azurerm_key_vault.this.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_client_config.current.object_id
+
+ key_permissions = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify", "GetRotationPolicy", "SetRotationPolicy"]
+ secret_permissions = ["Get"]
+ certificate_permissions = [
+ "Create",
+ "Delete",
+ "DeleteIssuers",
+ "Get",
+ "GetIssuers",
+ "Import",
+ "List",
+ "ListIssuers",
+ "ManageContacts",
+ "ManageIssuers",
+ "SetIssuers",
+ "Update",
+ "Purge",
+ ]
+}
+
diff --git a/auto_policy_testing/red/common_resources/outputs.tf b/auto_policy_testing/red/common_resources/outputs.tf
index 3854a687..621784d7 100644
--- a/auto_policy_testing/red/common_resources/outputs.tf
+++ b/auto_policy_testing/red/common_resources/outputs.tf
@@ -42,4 +42,8 @@ output "workspace_key" {
 output "workspace_id" {
 value = azurerm_log_analytics_workspace.this.workspace_id
+}
+
+output "key_vault_id" {
+ value = azurerm_key_vault.this.id
 }
\ No newline at end of file
diff --git a/auto_policy_testing/red/service-fabric/key_vault.tf b/auto_policy_testing/red/service-fabric/key_vault.tf
new file mode 100644
index 00000000..ca66f2b0
--- /dev/null
+++ b/auto_policy_testing/red/service-fabric/key_vault.tf
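Review bot: The `client` access policy grants the deploying identity `Purge` on both keys and certificates, plus `Create`/`Delete`/`Import`/`ManageIssuers` and the full key crypto set, which is far more than issuing one self-signed Service Fabric certificate from the service-fabric modules requires, and `purge_protection_enabled = true` on the same vault makes `Purge` unusable anyway. Because this vault is created and destroyed by a test workflow, purge protection means a destroyed vault stays soft-deleted for `soft_delete_retention_days = 7` with its name reserved; the name suffix comes from `random_integer.this.result` (declared outside this diff — the service-fabric modules use a 1–100 range), so a re-run within that window can collide with a soft-deleted vault of the same name. If these vault settings are what the policy under test is meant to see, say so in a comment, e.g. `# purge protection + 7-day retention are deliberate fixture settings; destroyed vaults linger soft-deleted between runs`, and trim the policy to the permissions the certificate resource actually uses, with a comment stating which ones those are.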
@@ -0,0 +1,56 @@
+data "azurerm_client_config" "current" {}
+
+
+resource "azurerm_key_vault_certificate" "this" {
+ name = "red-servicefabric-cert${random_integer.this.result}"
+ key_vault_id = data.terraform_remote_state.common.outputs.key_vault_id
+
+ certificate_policy {
+ issuer_parameters {
+ name = "Self"
+ }
+
+ key_properties {
+ exportable = true
+ key_size = 2048
+ key_type = "RSA"
+ reuse_key = true
+ }
+
+ lifetime_action {
+ action {
+ action_type = "AutoRenew"
+ }
+
+ trigger {
+ days_before_expiry = 30
+ }
+ }
+
+ secret_properties {
+ content_type = "application/x-pkcs12"
+ }
+
+ x509_certificate_properties {
+ # Server Authentication = 1.3.6.1.5.5.7.3.1
+ # Client Authentication = 1.3.6.1.5.5.7.3.2
+ extended_key_usage = ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"]
+
+ key_usage = [
+ "cRLSign",
+ "dataEncipherment",
+ "digitalSignature",
+ "keyAgreement",
+ "keyCertSign",
+ "keyEncipherment",
+ ]
+
+ # subject_alternative_names {
+ # dns_names = ["internal.contoso.com", "domain.hello.world"]
+ # }
+
+ subject = "CN=yourorg.com"
+ validity_in_months = 12
+ }
+ }
+}
\ No newline at end of file
diff --git a/auto_policy_testing/red/service-fabric/random.tf b/auto_policy_testing/red/service-fabric/random.tf
new file mode 100644
index 00000000..321b54ef
--- /dev/null
+++ b/auto_policy_testing/red/service-fabric/random.tf
@@ -0,0 +1,4 @@
+resource "random_integer" "this" {
+ min = 1
+ max = 100
+}
\ No newline at end of file
diff --git a/auto_policy_testing/red/service-fabric/service_fabric_cluster.tf b/auto_policy_testing/red/service-fabric/service_fabric_cluster.tf
index 96b26e3f..65fe82a1 100644
--- a/auto_policy_testing/red/service-fabric/service_fabric_cluster.tf
+++ b/auto_policy_testing/red/service-fabric/service_fabric_cluster.tf
@@ -1,12 +1,10 @@
-data "azurerm_client_config" "current" {}
-
 resource "azurerm_service_fabric_cluster" "this" {
 name = module.naming.resource_prefix.service-fabric
 location = data.terraform_remote_state.common.outputs.location
 resource_group_name = data.terraform_remote_state.common.outputs.resource_group
 reliability_level = "Bronze"
 upgrade_mode = "Manual"
- cluster_code_version = "8.2.1571.9590"
+ cluster_code_version = "10.1.2338.9590"
 vm_image = "Windows"
 management_endpoint = "https://example:80"
@@ -18,9 +16,12 @@ resource "azurerm_service_fabric_cluster" "this" {
 http_endpoint_port = 80
 }
- fabric_settings {
- name = "Security"
- }
+ certificate {
+ thumbprint = azurerm_key_vault_certificate.this.thumbprint
+ x509_store_name = "My"
+ }
 tags = module.naming.default_tags
+
+ depends_on = [ azurerm_key_vault_certificate.this ]
 }
\ No newline at end of file
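Review bot: In the second hunk the red cluster's `fabric_settings { name = "Security" }` block is replaced by a `certificate` block identical to the green fixture's, so as far as this file shows the red and green Service Fabric clusters now differ only in naming; if the policy exercised here checks the cluster certificate or its security settings, the red case may no longer produce the violation it exists to produce. A comment at the top of the resource naming the attribute that is intended to be non-compliant, e.g. `# red variant: <ATTRIBUTE> deliberately non-compliant — do not align with green` (with `<ATTRIBUTE>` filled in), would make that reviewable. The added `depends_on = [ azurerm_key_vault_certificate.this ]` is redundant with the `thumbprint` reference two lines above it, as in the green file. The resource body continues outside both hunks.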