diff --git a/.github/workflows/altinncr-deploy.yml b/.github/workflows/altinncr-deploy.yml
new file mode 100644
index 00000000..a1a96e1f
--- /dev/null
+++ b/.github/workflows/altinncr-deploy.yml
@@ -0,0 +1,86 @@
+name: altinncr.azurecr.io deploy
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/altinncr-deploy.yml
+      - actions/terraform/apply/**
+      - actions/terraform/plan/**
+      - infrastructure/adminservices-prod/altinncr/**
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/altinncr-deploy.yml
+      - actions/terraform/apply/**
+      - actions/terraform/plan/**
+      - infrastructure/adminservices-prod/altinncr/**
+  workflow_dispatch:
+    inputs:
+      log_level:
+        required: true
+        description: Terraform Log Level
+        default: INFO
+        type: choice
+        options:
+          - TRACE
+          - DEBUG
+          - INFO
+          - WARN
+          - ERROR
+
+env:
+  ENVIRONMENT: prod
+  TF_STATE_NAME: altinncr.tfstate
+  TF_PROJECT: ./infrastructure/adminservices-prod/altinncr
+  ARM_CLIENT_ID: ${{ vars.TF_AZURE_CLIENT_ID }}
+  ARM_SUBSCRIPTION_ID: 1ce8e9af-c2d6-44e7-9c5e-099a308056fe
+
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+
+jobs:
+  plan:
+    name: Plan
+    environment: reader
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Terraform Plan
+        uses: altinn/altinn-platform/actions/terraform/plan@main
+        with:
+          working_directory: ${{ env.TF_PROJECT }}
+          oidc_type: environment
+          oidc_value: ${{ env.ENVIRONMENT }}
+          arm_client_id: ${{ env.ARM_CLIENT_ID }}
+          arm_subscription_id: ${{ env.ARM_SUBSCRIPTION_ID }}
+          tf_state_name: ${{ env.TF_STATE_NAME }}
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
+          tf_version: latest
+
+  deploy:
+    name: Deploy
+    environment: prod
+    if: github.ref == 'refs/heads/main'
+    needs: plan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Terraform Apply
+        uses: altinn/altinn-platform/actions/terraform/apply@main
+        with:
+          working_directory: ${{ env.TF_PROJECT }}
+          oidc_type: environment
+          oidc_value: ${{ env.ENVIRONMENT }}
+          arm_client_id: ${{ env.ARM_CLIENT_ID }}
+          arm_subscription_id: ${{ env.ARM_SUBSCRIPTION_ID }}
+          tf_state_name: ${{ env.TF_STATE_NAME }}
+          tf_version: latest
diff --git a/infrastructure/adminservices-prod/altinncr/acr.tf b/infrastructure/adminservices-prod/altinncr/acr.tf
new file mode 100644
index 00000000..89c6ee31
--- /dev/null
+++ b/infrastructure/adminservices-prod/altinncr/acr.tf
@@ -0,0 +1,19 @@
+resource "azurerm_resource_group" "acr" {
+  location = "norwayeast"
+  name = "acr"
+}
+resource "azurerm_container_registry" "acr" {
+  name = var.acrname
+  resource_group_name = azurerm_resource_group.acr.name
+  location = azurerm_resource_group.acr.location
+  sku = "Standard"
+}
+
+resource "azurerm_container_registry_cache_rule" "cache_rule" {
+  for_each = { for rule in var.cache_rules : rule.name => rule }
+  name = each.value.name
+  container_registry_id = azurerm_container_registry.acr.id
+  target_repo = each.value.target_repo
+  source_repo = each.value.source_repo
+  credential_set_id = each.value.credential_set_id != null ? "${azurerm_container_registry.acr.id}${each.value.credential_set_id}" : null
+}
diff --git a/infrastructure/adminservices-prod/altinncr/data.tf b/infrastructure/adminservices-prod/altinncr/data.tf
new file mode 100644
index 00000000..cee07df2
--- /dev/null
+++ b/infrastructure/adminservices-prod/altinncr/data.tf
@@ -0,0 +1 @@
+data "azurerm_client_config" "current" {}
diff --git a/infrastructure/adminservices-prod/altinncr/kv.tf b/infrastructure/adminservices-prod/altinncr/kv.tf
new file mode 100644
index 00000000..74299a1a
--- /dev/null
+++ b/infrastructure/adminservices-prod/altinncr/kv.tf
@@ -0,0 +1,7 @@
+resource "azurerm_key_vault" "kv" {
+  name = var.acrname
+  location = azurerm_resource_group.acr.location
+  resource_group_name = azurerm_resource_group.acr.name
+  sku_name = "standard"
+  tenant_id = data.azurerm_client_config.current.tenant_id
+}
diff --git a/infrastructure/adminservices-prod/altinncr/providers.tf b/infrastructure/adminservices-prod/altinncr/providers.tf
new file mode 100644
index 00000000..9f86f297
--- /dev/null
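Review bot: The workflow-level `permissions` block hands `contents: write` (plus `pull-requests: write` and `id-token: write`) to both jobs, including the `plan` job that runs on every `pull_request`, yet nothing visible in the plan step needs to write to the repository — a PR-triggered run ends up with a write-capable `GITHUB_TOKEN` and an OIDC token federated to the `reader` environment, which is more than least privilege. Move permissions to job level and drop the top-level block, giving `plan` only `id-token: write`, `pull-requests: write`, `contents: read`, and `deploy` only `id-token: write`, `contents: read`; the plan/apply actions are not in this diff, so add `contents: write` back to `deploy` only if the apply action is documented to commit. On the same hunk, `tf_version: latest` on both steps makes a production apply non-reproducible — pin a version string — and the `workflow_dispatch` input `log_level` is declared but never wired into a step (e.g. `TF_LOG: ${{ inputs.log_level }}` in the step `env`), so the dispatch choice currently has no effect.
```yaml
# … unchanged: name, on, env (top-level permissions block removed) …
jobs:
  plan:
    name: Plan
    environment: reader
    permissions:
      id-token: write
      contents: read
      pull-requests: write
    # … unchanged: runs-on, steps …
  deploy:
    name: Deploy
    environment: prod
    permissions:
      id-token: write
      contents: read
    # … unchanged: if, needs, runs-on, steps …
```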
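Review bot: The resource group name is hard-coded as `name = "acr"` even though `var.acr_rgname` is declared in variables.tf and set to the same value in terraform.tfvars; the variable is otherwise unused, so either wire it up (`name = var.acr_rgname`) or remove it, otherwise a later edit to the tfvars silently changes nothing. The registry is created with `sku = "Standard"` and no explicit hardening attributes, so `admin_enabled` and `anonymous_pull_enabled` rely on provider defaults; for a production pull-through cache state them explicitly (`admin_enabled = false`, `anonymous_pull_enabled = false`) so the intent survives provider upgrades. The cache rules compose `credential_set_id` from `/credentialSets/dockerhub`, but no credential-set resource is managed in this directory, so the apply presumably depends on one created out of band — add a comment saying where it comes from, or manage it here next to the Key Vault.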
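Review bot: The Key Vault is declared with only the required attributes, so `purge_protection_enabled`, `soft_delete_retention_days`, `enable_rbac_authorization`, `public_network_access_enabled` and `network_acls` all fall back to provider defaults; judging by the `/credentialSets/dockerhub` references in the sibling tfvars this vault is presumably meant to hold registry pull credentials, so at least `purge_protection_enabled = true` and `enable_rbac_authorization = true` should be set explicitly. `name = var.acrname` reuses the registry name for the globally-unique vault name, which works only while both namespaces happen to be free — a dedicated variable or suffix avoids a collision later. Nothing in this diff grants the registry's credential-set identity read access to the vault's secrets, so that binding must exist outside this configuration; a comment in the file saying so would save the next maintainer a search.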
+++ b/infrastructure/adminservices-prod/altinncr/providers.tf
@@ -0,0 +1,22 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source = "hashicorp/azurerm"
+      version = "~> 4.0"
+    }
+  }
+  backend "azurerm" {
+    use_azuread_auth = true
+  }
+}
+
+provider "azurerm" {
+  subscription_id = var.subscription_id
+  features {}
+  resource_providers_to_register = [
+    "Microsoft.Monitor",
+    "Microsoft.AlertsManagement",
+    "Microsoft.Dashboard",
+    "Microsoft.KubernetesConfiguration"
+  ]
+}
diff --git a/infrastructure/adminservices-prod/altinncr/terraform.tfvars b/infrastructure/adminservices-prod/altinncr/terraform.tfvars
new file mode 100644
index 00000000..ac23e8b5
--- /dev/null
+++ b/infrastructure/adminservices-prod/altinncr/terraform.tfvars
@@ -0,0 +1,41 @@
+subscription_id = "a6e9ee7d-2b65-41e1-adfb-0c8c23515cf9"
+acr_rgname = "acr"
+acrname = "altinncr"
+cache_rules = [
+  {
+    name = "traefik"
+    target_repo = "traefik"
+    source_repo = "docker.io/library/traefik"
+    credential_set_id = "/credentialSets/dockerhub"
+  },
+  {
+    name = "browserless"
+    target_repo = "browserless/chrome"
+    source_repo = "docker.io/browserless/chrome"
+    credential_set_id = "/credentialSets/dockerhub"
+  },
+  {
+    name = "alpine"
+    target_repo = "alpine/*"
+    source_repo = "docker.io/alpine/*"
+    credential_set_id = "/credentialSets/dockerhub"
+  },
+  {
+    name = "linkerd"
+    target_repo = "linkerd/*"
+    source_repo = "ghcr.io/linkerd/*"
+    credential_set_id = null
+  },
+  {
+    name = "grafana"
+    target_repo = "grafana/*"
+    source_repo = "docker.io/grafana/*"
+    credential_set_id = "/credentialSets/dockerhub"
+  },
+  {
+    name = "altinn-platform"
+    target_repo = "altinn-platform/*"
+    source_repo = "ghcr.io/altinn-platform/*"
+    credential_set_id = null
+  }
+]
diff --git a/infrastructure/adminservices-prod/altinncr/variables.tf b/infrastructure/adminservices-prod/altinncr/variables.tf
new file mode 100644
index 00000000..f20dbeee
--- /dev/null
+++ b/infrastructure/adminservices-prod/altinncr/variables.tf
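Review bot: `resource_providers_to_register` lists `Microsoft.Monitor`, `Microsoft.AlertsManagement`, `Microsoft.Dashboard` and `Microsoft.KubernetesConfiguration`, none of which is used by anything in this directory (a resource group, a container registry with cache rules, and a Key Vault); it reads as copied from another stack, and because provider registration is a subscription-level write it widens what the deploy identity must be permitted to do. Remove the list, or reduce it to what this configuration needs, and only add `Microsoft.ContainerRegistry`/`Microsoft.KeyVault` if they are not already in the provider's default registration set for the pinned 4.x series. `use_azuread_auth = true` on the backend is the right choice; since the workflow runs with `tf_version: latest`, also add a `required_version` constraint to the `terraform` block so a breaking CLI release cannot reach a production apply unreviewed.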
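Review bot: `subscription_id = "a6e9ee7d-…"` here is not the `ARM_SUBSCRIPTION_ID: 1ce8e9af-…` the workflow passes to the plan/apply actions; the provider block uses `var.subscription_id`, so resources are created in the tfvars subscription while the workflow value presumably only selects where the state lives — if that split is intentional, say so in a comment on this line, otherwise one of the two values is wrong and should be made a single source (e.g. `TF_VAR_subscription_id` set by the workflow). Separately, `source_repo = "docker.io/alpine/*"` maps the Docker Hub user namespace `alpine` (images such as `alpine/git`), not the official `library/alpine` image; if consumers expect the official image, add a rule for `docker.io/library/alpine` or rename the target so nobody pulls `alpine/...` from this registry assuming it is the official one. The two `ghcr.io` rules run without a credential set, which is fine for public repositories but worth a comment so the asymmetry with the Docker Hub rules is not mistaken for an omission.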
@@ -0,0 +1,19 @@
+variable "subscription_id" {
+  type = string
+}
+variable "acr_rgname" {
+  type = string
+  description = "Name acr resource group"
+}
+variable "acrname" {
+  type = string
+  description = "Name on container registry"
+}
+variable "cache_rules" {
+  type = list(object({
+    name = string
+    target_repo = string
+    source_repo = string
+    credential_set_id = string
+  }))
+}
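Review bot: `credential_set_id = string` in the `cache_rules` object type forces every public-upstream entry to spell out `credential_set_id = null` (as the tfvars do for `linkerd` and `altinn-platform`); declaring it `credential_set_id = optional(string)` (Terraform 1.3+) lets those entries omit the key and documents that the attribute is optional, which matches the null check in acr.tf. `acrname` is used both as the registry name and as the Key Vault name, and Azure validates those with different length and character rules, so a `validation` block such as `condition = can(regex("^[a-zA-Z0-9]{5,24}$", var.acrname))` with a matching `error_message` catches a bad value at plan time rather than at apply. `subscription_id` has no `description`, and `"Name on container registry"` reads as a typo for `"Name of the container registry"`.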