# Provider pins. azurerm stays on the 1.x line, so that major version's
# attribute defaults (not 2.x's) apply to the resources in this file.
provider "azuread" {
  version = "~> 0.6"
}

provider "azurerm" {
  version = "~> 1.34"
}

provider "random" {
  version = "~> 2.2"
}
# Region for the test resources. eastus was picked because it supported AAD
# (RBAC) authentication for Event Hubs, which was still in preview when this
# was written:
# https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-role-based-access-control
variable "location" {
  description = "Azure datacenter to deploy to."
  default     = "eastus"
}

# Name prefix for the Event Hubs namespace and the storage account; a random
# suffix is appended below so repeated runs do not collide on global names.
variable "eventhub_name_prefix" {
  description = "Input your unique Azure Service Bus Namespace name"
  default     = "azureehtests"
}

variable "resource_group_name_prefix" {
  description = "Resource group to provision test infrastructure in."
  default     = "eventhub-go-tests"
}

# Supplied from the environment when a client secret already exists, so the
# AZURE_CLIENT_SECRET output keeps that value instead of the placeholder.
# "foo" is only a stand-in, never a real credential. Whatever is passed here
# is recorded in the Terraform state through the output that reads it.
variable "azure_client_secret" {
  description = "(Optional) piped in from env var so .env will be updated if there is an existing client secret"
  default     = "foo"
}
# Identity Terraform is running as: subscription, tenant and client id, plus
# the service principal application/object ids when authenticated as one.
# The service_principal_application_id is what the resources below test to
# decide whether a new application/SP must be created.
data "azurerm_client_config" "current" {
}

# Eight lowercase letters appended to resource names so concurrent or repeated
# test runs get unique names that are valid everywhere they are used (storage
# account names only allow lowercase alphanumerics).
resource "random_string" "name" {
  length  = 8
  upper   = false
  number  = false
  special = false
}
# Resource group that holds every test resource; destroying it tears the
# whole environment down.
resource "azurerm_resource_group" "test" {
  location = var.location
  name     = "${var.resource_group_name_prefix}-${random_string.name.result}"
}
# Event Hubs namespace the tests run against. Location and resource group are
# taken from the group resource so they cannot drift from it.
resource "azurerm_eventhub_namespace" "test" {
  resource_group_name = azurerm_resource_group.test.name
  location            = azurerm_resource_group.test.location
  name                = "${var.eventhub_name_prefix}-${random_string.name.result}"
  sku                 = "standard"
}
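# Storage account provisioned alongside the namespace for the tests; its name
# is exposed through the STORAGE_ACCOUNT_NAME output.
resource "azurerm_storage_account" "test" {
  # No separator: storage account names are 3-24 lowercase alphanumerics only.
  name                     = "${var.eventhub_name_prefix}${random_string.name.result}"
  resource_group_name      = azurerm_resource_group.test.name
  location                 = azurerm_resource_group.test.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Require TLS for every request explicitly instead of relying on the
  # provider default, which differs between azurerm major versions.
  enable_https_traffic_only = true
}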
# Random value used as the password of the service principal created below;
# only generated when this run is not itself authenticated as a service
# principal (same count expression as the azuread_* resources).
# NOTE(review): random_string keeps its result in the state file in plain
# text. random_password (same arguments, result marked sensitive, available in
# the pinned random provider line) is the better fit for a credential; the
# address is kept here because azuread_service_principal_password references it.
resource "random_string" "secret" {
  count = data.azurerm_client_config.current.service_principal_application_id == "" ? 1 : 0

  length  = 32
  number  = true
  upper   = true
  special = true
}
# Application registration the tests authenticate as, created only when the
# current credentials are not already a service principal. Single-tenant.
resource "azuread_application" "test" {
  count = data.azurerm_client_config.current.service_principal_application_id == "" ? 1 : 0

  name                       = "eventhubstest"
  homepage                   = "https://eventhubstest-${random_string.name.result}"
  identifier_uris            = ["https://eventhubstest-${random_string.name.result}"]
  reply_urls                 = ["https://eventhubstest-${random_string.name.result}"]
  available_to_other_tenants = false

  # NOTE(review): the outputs below hand the tests a client id/secret, which
  # do not use the implicit grant; this could likely be false — confirm that
  # nothing relies on it before changing.
  oauth2_allow_implicit_flow = true
}
# Service principal for the application above (the tenant-local identity that
# the password and role assignments attach to). Same creation condition.
resource "azuread_service_principal" "test" {
  count = data.azurerm_client_config.current.service_principal_application_id == "" ? 1 : 0

  application_id = azuread_application.test[0].application_id
}
# Password credential for the new service principal; its value is what the
# AZURE_CLIENT_SECRET output exposes. The value is stored in the state file.
# NOTE(review): the fixed 2030 expiry makes this a long-lived credential for
# throwaway test infrastructure; a shorter end_date would limit exposure.
resource "azuread_service_principal_password" "test" {
  count = data.azurerm_client_config.current.service_principal_application_id == "" ? 1 : 0

  service_principal_id = azuread_service_principal.test[0].id
  value                = random_string.secret[0].result
  end_date             = "2030-01-01T01:02:03Z"
}
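# Grants the test identity rights over the resource group. The scope is the
# group's own id (/subscriptions/<sub>/resourceGroups/<name>) rather than a
# hand-built string, so it is always well-formed and carries an implicit
# dependency. scope forces replacement, so existing state will recreate this
# assignment once.
resource "azurerm_role_assignment" "service_principal_rg" {
  scope = azurerm_resource_group.test.id

  # NOTE(review): Owner also lets the principal manage role assignments on the
  # group; Contributor may be enough for creating and deleting test resources.
  role_definition_name = "Owner"

  # The SP created in this run when there is one, otherwise the SP Terraform
  # itself is running as.
  principal_id = data.azurerm_client_config.current.service_principal_application_id == "" ? azuread_service_principal.test[0].id : data.azurerm_client_config.current.service_principal_object_id
}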
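# Grants the test identity manage/send/receive rights on the namespace via the
# built-in data-plane role. The scope is the namespace's own id instead of a
# hand-built ARM path, which also makes the explicit depends_on unnecessary.
# scope forces replacement, so existing state will recreate this assignment once.
resource "azurerm_role_assignment" "service_principal_eh" {
  scope                = azurerm_eventhub_namespace.test.id
  role_definition_name = "Azure Event Hubs Data Owner"

  # The SP created in this run when there is one, otherwise the SP Terraform
  # itself is running as.
  principal_id = data.azurerm_client_config.current.service_principal_application_id == "" ? azuread_service_principal.test[0].id : data.azurerm_client_config.current.service_principal_object_id
}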
# Outputs are named after the environment variables the test suite reads.

output "TEST_EVENTHUB_RESOURCE_GROUP" {
  value = azurerm_resource_group.test.name
}

# Namespace-level connection string built on RootManageSharedAccessKey, i.e.
# full manage rights on the namespace. sensitive keeps it out of CLI output
# but it still lives in the state file.
# NOTE(review): a dedicated authorization rule limited to what the tests need
# would be a tighter credential than the root key.
output "EVENTHUB_CONNECTION_STRING" {
  sensitive = true
  value     = "Endpoint=sb://${azurerm_eventhub_namespace.test.name}.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=${azurerm_eventhub_namespace.test.default_primary_key}"
}

output "EVENTHUB_NAMESPACE" {
  value = azurerm_eventhub_namespace.test.name
}

output "AZURE_SUBSCRIPTION_ID" {
  value = data.azurerm_client_config.current.subscription_id
}

output "TEST_EVENTHUB_LOCATION" {
  value = var.location
}

output "AZURE_TENANT_ID" {
  value = data.azurerm_client_config.current.tenant_id
}

# Application id of the SP created in this run when there is one (the splat is
# empty when count is 0), otherwise the caller's client id; compact drops any
# empty entries before the first element is taken.
output "AZURE_CLIENT_ID" {
  value = compact(concat(azuread_application.test.*.application_id, [data.azurerm_client_config.current.client_id]))[0]
}

# Same selection for the secret: the generated SP password when one was made,
# otherwise the value piped in through var.azure_client_secret.
output "AZURE_CLIENT_SECRET" {
  sensitive = true
  value     = compact(concat(azuread_service_principal_password.test.*.value, [var.azure_client_secret]))[0]
}

output "STORAGE_ACCOUNT_NAME" {
  value = azurerm_storage_account.test.name
}