wip

Author: mrlockstar

.azuredevops/pipelines/hub-infrastructure-dev.yaml

@@ -31,7 +31,6 @@ resources:
 
 variables:
   - group: NON_LIVE_hub_backend
-  # - group: DEV_hub_config
   - name: TF_DIRECTORY
     value: $(System.DefaultWorkingDirectory)/$(System.TeamProject)/infrastructure/terraform/hub
   - name: TF_VERSION
@@ -51,10 +50,10 @@ stages:
       - job: init_and_plan
         displayName: Init, plan, store artifact
         steps:
-          # - task: TerraformInstaller@1
-          #   displayName: Install Terraform $(TF_VERSION)
-          #   inputs:
-          #     terraformVersion: $(TF_VERSION)
+          - task: TerraformInstaller@1
+            displayName: Install Terraform $(TF_VERSION)
+            inputs:
+              terraformVersion: $(TF_VERSION)
 
           - checkout: self
           - checkout: dtos-devops-templates

.gitleaksignore

@@ -22,6 +22,7 @@ infrastructure/bootstrap/hub.bicep:generic-api-key:57
 infrastructure/bootstrap/hub.bicep:generic-api-key:58
 infrastructure/bootstrap/hub.bicep:generic-api-key:59
 infrastructure/bootstrap/hub.bicep:generic-api-key:60
+infrastructure/bootstrap/hub.bicep:generic-api-key:61
 infrastructure/bootstrap/main.bicep:generic-api-key:29
 infrastructure/bootstrap/main.bicep:generic-api-key:30
 infrastructure/bootstrap/main.bicep:generic-api-key:31

infrastructure/bootstrap/hub.bicep

@@ -59,6 +59,7 @@ var roleID = {
   rbacAdmin: 'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
   reader: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
   contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+  storageBlobDataContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
 }
 
 
@@ -182,7 +183,7 @@ resource CDNContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-
   }
 }
 
-@description('Let the managed identity configure terraform')
+@description('Let the managed identity deploy terraform on the subscription')
 resource TerraformContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(subscription().subscriptionId, hubType, 'TerraformContributor')
   properties: {
@@ -192,6 +193,16 @@ resource TerraformContributorAssignment 'Microsoft.Authorization/roleAssignments
   }
 }
 
+@description('Let the managed identity strore blobs in storage account')
+resource StorageAccountBlobContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().subscriptionId, hubType, 'StorageAccountBlobContributorAssignment')
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.storageBlobDataContributor)
+    principalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
+    description: '${miADOtoAZname} Storage Account Blob Contributor access to subscription'
+  }
+}
+
 @description('Create the managed identity assumed by Github actions to trigger Azure devops pipelines')
 module managedIdentiyGHtoADO 'modules/managedIdentity.bicep' = {
   scope: managedIdentityRG

infrastructure/environments/nonlive-hub/variables.tfvars

@@ -1,11 +1,10 @@
-deploy_database_as_container = false
 features = {
   front_door         = false
   hub_and_spoke      = false
   private_networking = false
 }
 fetch_secrets_from_app_key_vault      = true
-github_mi_name                        = "mi-lungal-hub-ghtoaz-uks"
+github_mi_name                        = "mi-lungcs-hub-ghtoaz-uks"
 # key_vault_secrets_officer_groups      = ["Azure-Lung-Cancer-Screening---Dev-Owner"]
 postgres_backup_retention_days        = 7
 postgres_geo_redundant_backup_enabled = false