Test

_override.tf.sample

@@ -1,5 +1,5 @@
-# To deploy this project from a local machine, first remove
-# the `.sample` extension from this file before running the
+# To deploy this project from a local machine (without a Terraform backend),
+# first remove the `.sample` extension from this file before running the
 # `terraform init` command.
 #
 # For details see:

backends/backend.hcl.sample

@@ -1,6 +1,6 @@
 storage_account_name="STORAGE_ACCOUNT_NAME"
 container_name="STORAGE_CONTAINER_NAME"
 key="FILENAME.tfstate"
-# To authenticate to the Storage account, pick and uncomment one of the options below:
-# sas_token="?sv=2019-12-12…" # or account key
-# access_key="…" # or SAS token
+# To authenticate to the Storage account, pick and uncomment *one* of the options below:
+# sas_token="?sv=2019-12-12…" # use SAS token
+# access_key="…" # use Storage Account Access Key

environments/README.md

@@ -0,0 +1,14 @@
+# Environments Configuration (Optional)
+
+Define specific variables per environment. Currently used for Azure Resource tags, e.g. `env=dev` vs `env=prod`.
+
+These custom tags are merged into defaults defined in [`/variables.tf`](./../variables.tf)
+
+### Usage example
+
+These values need to be explicitly specified via `-var-file` flag.
+
+```
+terraform plan -var-file=environments/dev.tfvars
+terraform apply -var-file=environments/dev.tfvars
+```

environments/dev.tfvars

@@ -0,0 +1,6 @@
+custom_tags = {
+  demo-version = "v0.5.0"
+  env          = "dev"
+  devops-org   = "julie-msft"
+  github       = "azure/devops-governance"
+}

environments/prod.tfvars

@@ -0,0 +1,6 @@
+custom_tags = {
+  demo-version = "v0.5.0"
+  env          = "production"
+  devops-org   = "julie-msft"
+  github       = "azure/devops-governance"
+}

main.tf

@@ -1,6 +1,6 @@
-# ------
-# Config
-# ------
+# ========
+#  Config
+# ========
 
 data "azurerm_client_config" "current" {}
 
@@ -16,11 +16,12 @@ locals {
   suffix                    = random_string.suffix.result
   application_owners_ids    = length(var.application_owners_ids) == 0 ? [data.azurerm_client_config.current.object_id] : var.application_owners_ids
   superadmins_aad_object_id = var.superadmins_aad_object_id == "" ? data.azurerm_client_config.current.object_id : var.superadmins_aad_object_id # Default to current ARM client
+  tags                      = merge(var.default_tags, var.custom_tags)
 }
 
-# ---------------
-# Azure AD Groups
-# ---------------
+# =================
+#  Azure AD Groups
+# =================
 
 resource "azuread_group" "groups" {
   for_each                = var.groups
@@ -29,22 +30,24 @@ resource "azuread_group" "groups" {
   security_enabled        = true
 }
 
-# ------------------
-# Service Principals
-# ------------------
+# ====================
+#  Service Principals
+# ====================
 
 # TODO: document use for CI only. Apps should use diff. SP per PILP
 
 module "service_principals" {
-  for_each = var.environments
-  source   = "./modules/service-principal"
-  name     = "${each.value.team}-${each.value.env}-${local.suffix}-ci-sp"
-  owners   = local.application_owners_ids
+  for_each    = var.environments
+  source      = "./modules/service-principal"
+  name        = "${each.value.team}-${each.value.env}-${local.suffix}-ci-sp"
+  owners_list = local.application_owners_ids
 }
 
-# ------------------------------
-# Resource Groups ("Workspaces")
-# ------------------------------
+# ==============================
+#  ARM Resources ("Workspaces")
+# ==============================
+
+# Resource Group, Storage Account, and Key Vault
 
 module "arm_environments" {
   for_each             = var.environments
@@ -54,19 +57,25 @@ module "arm_environments" {
   admins_group_id      = azuread_group.groups["${each.value.team}_admins"].id
   superadmins_group_id = local.superadmins_aad_object_id
   service_principal_id = module.service_principals["${each.value.team}_${each.value.env}"].principal_id
+  tags                 = local.tags
+  depends_on = [
+    azuread_group.groups,
+    module.service_principals
+  ]
 }
 
-# ------------
-# Azure DevOps
-# ------------
+# ==============
+#  Azure DevOps
+# ==============
 
 # The following section Bootstraps:
 # - Projects: Team silos and shared projects
 # - Security Group Assignments: like Role Assignments in ARM
 # - Service Connections: service principal credentials created in code above
 
-# Projects
-# --------
+# ==============
+#  ADO Projects
+# ==============
 
 # Team Projects
 
@@ -120,8 +129,9 @@ resource "azuredevops_project" "collaboration" {
   }
 }
 
-# Security Group Assignments
-# --------------------------
+# ================================
+#  ADO Security Group Assignments
+# ================================
 
 # Teams Silo Projects -  Security Group Assignments
 
@@ -191,8 +201,9 @@ module "ado_collaboration_permissions_veggies" {
   ]
 }
 
-# Service Connections
-# -------------------
+# =========================
+#  ADO Service Connections
+# =========================
 
 module "service_connections" {
   for_each                 = module.arm_environments
@@ -203,6 +214,7 @@ module "service_connections" {
 
   depends_on = [
     azuread_group.groups,
+    azuredevops_project.team_projects,
     module.arm_environments,
     module.service_principals
   ]

modules/azure-devops-permissions/provider.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azuredevops = {
       source  = "microsoft/azuredevops"
-      version = ">=0.1.0"
+      version = ">=0.2.0"
     }
   }
 }

modules/azure-devops-service-connection/main.tf

@@ -26,6 +26,7 @@ resource "azuredevops_serviceendpoint_azurerm" "workspace_endpoint" {
   azurerm_spn_tenantid      = data.azurerm_client_config.current.tenant_id
   azurerm_subscription_id   = data.azurerm_client_config.current.subscription_id
   azurerm_subscription_name = data.azurerm_subscription.current.display_name
+
   credentials {
     serviceprincipalid  = var.service_principal_id
     serviceprincipalkey = var.service_principal_secret

modules/azure-devops-service-connection/provider.tf

@@ -2,11 +2,11 @@ terraform {
   required_providers {
     azuredevops = {
       source  = "microsoft/azuredevops"
-      version = ">=0.1.0"
-    }
-    azurerm = {
-      source  = "hashicorp/azurerm"
-      version = ">= 2.50.0"
+      version = ">=0.2.0"
     }
+    # azurerm = {
+    #   source  = "hashicorp/azurerm"
+    #   version = ">= 2.50.0"
+    # }
   }
 }

modules/azure-resources/main.tf

@@ -18,7 +18,6 @@ resource "azurerm_storage_account" "storage" {
   location                 = azurerm_resource_group.workspace.location
   account_tier             = "Standard"
   account_replication_type = "LRS"
-  allow_blob_public_access = false
   tags                     = var.tags
 }
 
@@ -39,15 +38,6 @@ resource "azurerm_key_vault" "kv" {
   enable_rbac_authorization   = true
 }
 
-# ------------------
-# Service Principals
-# ------------------
-
-# module "workspace_sp" {
-#   source = "./../service-principal"
-#   name   = "${local.name}-sp"
-# }
-
 # -----------------------
 # RBAC - Role Assignments
 # -----------------------
@@ -109,4 +99,4 @@ resource "azurerm_role_assignment" "kv_team_devs" {
 # }
 
 # Why does it take up to 10 minutes for Key Vault RBAC to propagate?
-# See https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#known-limits-and-performance
+# See https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#known-limits-and-performance

modules/azure-resources/variables.tf

@@ -49,12 +49,6 @@ variable "client_object_id" {
 variable "tags" {
   description = "Tags to apply to Azure Resources"
   type        = map(string)
-  default = {
-    demo   = "governance"
-    devops = "true"
-    oss    = "terraform"
-    public = "true"
-  }
 }
 
 data "azurerm_client_config" "current" {}