Test terraform

damienbod · damienbod · commit b1f28e06609c · 2026-04-01T09:43:11.000+02:00
diff --git a/iac-core/.terraform.lock.hcl b/iac-core/.terraform.lock.hcl
diff --git a/iac-core/README.md b/iac-core/README.md
@@ -0,0 +1,19 @@
+# iac-core
+
+## Prerequisites
+
+- Azure tenant with a subscription and permissions to create resources and app registrations
+- [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?WT.mc_id=MVP_344197)
+- [Terraform 1.13.3](https://developer.hashicorp.com/terraform/install?product_intent=terraform)
+
+## Deploy resources to host terraform state
+
+1. Adjust values in `iac-core\vars\dev.core.tfvars`
+1. Create resources to host terraform state by executing the following commands
+
+   ```PowerShell
+   az login -t [AZURE_TENANT_ID]
+   cd [PATH_TO_REPOSITORY]\iac-core
+   terraform init
+   terraform apply --var-file=.\vars\dev.core.tfvars
+   ```
diff --git a/iac-core/backend.tf b/iac-core/backend.tf
@@ -0,0 +1,5 @@
+terraform {
+  backend "local" {
+    path = "dev.core.tfstate"
+  }
+}
diff --git a/iac-core/main.tf b/iac-core/main.tf
@@ -0,0 +1,52 @@
+data "azurerm_client_config" "current" {}
+
+locals {
+  name_template = "${var.resource_prefix}-<service>-iac"
+}
+
+# Resource Group
+resource "azurerm_resource_group" "rg" {
+  name     = replace(local.name_template, "<service>", "rg")
+  location = var.default_location
+}
+
+resource "azuread_group" "group-rg-contributor" {
+  display_name            = format("%s-contributor", azurerm_resource_group.rg.name)
+  prevent_duplicate_names = true
+  security_enabled        = true
+  members                 = [data.azurerm_client_config.current.object_id]
+  lifecycle {
+    # apart from setting initially; do not flag changes in members and owners as state change
+    ignore_changes = [members, owners]
+  }
+}
+
+# Storage Account
+resource "azurerm_storage_account" "sa" {
+  resource_group_name             = azurerm_resource_group.rg.name
+  name                            = format("%s03", "storiac")
+  location                        = var.default_location
+  account_tier                    = "Standard"
+  account_replication_type        = "GRS"
+  shared_access_key_enabled       = false
+  default_to_oauth_authentication = true
+  min_tls_version                 = "TLS1_2"
+}
+
+# container iac-state
+resource "azurerm_storage_container" "tfstate" {
+  name               = "tfstate"
+  storage_account_id = azurerm_storage_account.sa.id
+}
+
+resource "azurerm_role_assignment" "blob-data-owner" {
+  scope                = azurerm_resource_group.rg.id
+  role_definition_name = "Storage Blob Data Owner"
+  principal_id         = azuread_group.group-rg-contributor.object_id
+}
+
+resource "azurerm_role_assignment" "rg-contributor" {
+  scope                = azurerm_resource_group.rg.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_group.group-rg-contributor.object_id
+}
diff --git a/iac-core/outputs.tf b/iac-core/outputs.tf
@@ -0,0 +1,3 @@
+output "rg" {
+  value = azurerm_resource_group.rg.name
+}
diff --git a/iac-core/providers.tf b/iac-core/providers.tf
@@ -0,0 +1,11 @@
+provider "azurerm" {
+  environment         = "public"
+  subscription_id     = var.subscription_id
+  tenant_id           = var.tenant_id
+  storage_use_azuread = true
+  features {}
+}
+
+provider "azuread" {
+  tenant_id = var.tenant_id
+}
diff --git a/iac-core/variables.tf b/iac-core/variables.tf
@@ -0,0 +1,16 @@
+variable "tenant_id" {
+  type        = string
+  description = "Azure tenant ID"
+}
+variable "subscription_id" {
+  type        = string
+  description = "Azure subscription ID"
+}
+variable "resource_prefix" {
+  type        = string
+  description = "Prefix for all resources"
+}
+variable "default_location" {
+  type        = string
+  description = "Default Azure resource location"
+}
diff --git a/iac-core/vars/dev.core.tfvars b/iac-core/vars/dev.core.tfvars
@@ -0,0 +1,4 @@
+tenant_id        = "00000000-0000-0000-0000-000000000000"
+subscription_id  = "00000000-0000-0000-0000-000000000000"
+resource_prefix  = "e2e-security-web"
+default_location = "switzerlandnorth"
diff --git a/iac-core/versions.tf b/iac-core/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_version = "~> 1.13.3"
+  required_providers {
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~> 3.6.0"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 4.49.0"
+    }
+  }
+}
diff --git a/iac/README.md b/iac/README.md
@@ -0,0 +1,43 @@
+# iac
+
+## Prerequisites
+
+- Azure tenant with a subscription and permissions to create resources and app registrations
+- [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?WT.mc_id=MVP_344197)
+- [Terraform 1.13.3](https://developer.hashicorp.com/terraform/install?product_intent=terraform)
+
+## Deploy application resources
+
+> [!IMPORTANT]
+> To generate deployment credentials and to configure the secrets for the GitHub actions workflow, see [here](https://learn.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=openid%2Caspnetcore&WT.mc_id=MVP_344197#manually-set-up-a-github-actions-workflow).
+> There are currently two GitHub environments set up for this repository: `dev` and `dev-iac`.
+> For each environment, a separate federated credential is set up in the Entra app which got created while generating deployment credentials.
+> Furthermore the service principal of the Entra app is a member of the Entra group `e2e-security-web-rg-iac-contributor` and the following Microsoft Graph application permissions got added
+>
+> - `Application.ReadWrite.All`
+> - `Domain.Read.All`
+> - `Group.ReadWrite.All`
+>
+> Finally, the service principal was assigned ...
+>
+> - ... the `Contributor` role at the subscription level
+> - ... the `Owner` role for the resource group of the application
+
+> [!NOTE]
+> The application resources are created via GitHub actions workflow. The following steps are only required, if you want to create the resources manually.
+
+1. Adjust values in `iac\vars\dev.app.tfvars`
+1. Adjust values in `iac\backend\dev.backend.tfvars`
+1. Create application resources using the following commands
+
+   ```PowerShell
+   az login -t [AZURE_TENANT_ID]
+   cd [PATH_TO_REPOSITORY]\iac
+   terraform init --backend-config=backend\dev.backend.tfvars
+   terraform apply --var-file=.\vars\dev.app.tfvars --state=dev.app.tfstate
+   ```
+
+## Useful links
+
+- [Set up a GitHub Actions workflow manually](https://learn.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=openid%2Caspnetcore&WT.mc_id=MVP_344197#set-up-a-github-actions-workflow-manually)
+- [Authenticating using a Service Principal and OpenID Connect](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_oidc)
diff --git a/iac/backend.tf b/iac/backend.tf
@@ -0,0 +1,4 @@
+terraform {
+  backend "azurerm" {
+  }
+}
diff --git a/iac/backend/dev.backend.tfvars b/iac/backend/dev.backend.tfvars
@@ -0,0 +1,7 @@
+tenant_id            = "00000000-0000-0000-0000-000000000000"
+subscription_id      = "00000000-0000-0000-0000-000000000000"
+resource_group_name  = "e2e-security-web-rg-iac"
+storage_account_name = "storiac03"
+container_name       = "tfstate"
+key                  = "e2e-security-web.tfstate"
+use_azuread_auth     = "true"
diff --git a/iac/icon-192.png b/iac/icon-192.png
diff --git a/iac/main-appsrv.tf b/iac/main-appsrv.tf
@@ -0,0 +1,84 @@
+# Azure App Service Plan and App Service
+resource "azurerm_service_plan" "appplan" {
+  name                = replace(local.name_template, "<service>", "applan")
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = var.default_location
+  os_type             = "Linux"
+  sku_name            = var.app_sku_name
+  worker_count        = var.app_worker_count
+}
+
+resource "azurerm_linux_web_app" "appsrv" {
+  name                = replace(local.name_template, "<service>", "appsrv")
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = var.default_location
+  service_plan_id     = azurerm_service_plan.appplan.id
+  https_only          = true
+  site_config {
+    application_stack {
+      dotnet_version = "10.0"
+    }
+    http2_enabled = true
+    always_on     = false
+  }
+  identity {
+    type = "SystemAssigned"
+  }
+  app_settings = merge(
+    {
+      "WEBSITE_RUN_FROM_PACKAGE"       = "1"
+      "MicrosoftEntraID__Domain"       = data.azuread_domains.aad_domains.domains[0].domain_name
+      "MicrosoftEntraID__TenantId"     = var.tenant_id
+      "MicrosoftEntraID__ClientId"     = azuread_application.aadapp.client_id
+      "MicrosoftEntraID__ClientSecret" = azuread_application_password.aadapppwd.value
+    }
+  )
+}
+
+# Azure App Service custom domain and SSL certificate
+
+## Azure DNS CNAME entry for custom domain
+# resource "azurerm_dns_txt_record" "domain-verification" {
+#   name                = "asuid.api.domain.com"
+#   zone_name           = var.azure_dns_zone
+#   resource_group_name = var.azure_resource_group_name
+#   ttl                 = 300
+#   record {
+#     value = azurerm_linux_web_app.appsrv.custom_domain_verification_id
+#   }
+# }
+
+# resource "azurerm_dns_cname_record" "cname-record" {
+#   name                = "domain.com"
+#   zone_name           = azurerm_dns_zone.dns-zone.name
+#   resource_group_name = var.azure_resource_group_name
+#   ttl                 = 300
+#   record              = azurerm_linux_web_app.appsrv.default_hostname
+#   depends_on = [azurerm_dns_txt_record.domain-verification]
+# }
+
+resource "azurerm_app_service_custom_hostname_binding" "appsrv-hostname-binding" {
+  count               = var.custom_domain_name != "" ? 1 : 0
+  hostname            = var.custom_domain_name
+  app_service_name    = azurerm_linux_web_app.appsrv.name
+  resource_group_name = azurerm_resource_group.rg.name
+  // depends_on = [azurerm_dns_cname_record.cname-record]
+
+  # Ignore ssl_state and thumbprint as they are managed using
+  # azurerm_app_service_certificate_binding.example
+  lifecycle {
+    ignore_changes = [ssl_state, thumbprint]
+  }
+}
+
+resource "azurerm_app_service_managed_certificate" "appsrv_cert" {
+  count                      = var.custom_domain_name != "" ? 1 : 0
+  custom_hostname_binding_id = azurerm_app_service_custom_hostname_binding.appsrv-hostname-binding.0.id
+}
+
+resource "azurerm_app_service_certificate_binding" "appsrv_cert_bind" {
+  count               = var.custom_domain_name != "" ? 1 : 0
+  hostname_binding_id = azurerm_app_service_custom_hostname_binding.appsrv-hostname-binding.0.id
+  certificate_id      = azurerm_app_service_managed_certificate.appsrv_cert.0.id
+  ssl_state           = "SniEnabled"
+}
diff --git a/iac/main-entraid.tf b/iac/main-entraid.tf
@@ -0,0 +1,41 @@
+locals {
+  dev_redirect_uris    = ["https://localhost:5001/signin-oidc", "https://${replace(local.name_template, "<service>", "appsrv")}.azurewebsites.net/signin-oidc"]
+  nondev_redirect_uris = var.custom_domain_name != "" ? ["https://${var.custom_domain_name}/signin-oidc", "https://${replace(local.name_template, "<service>", "appsrv")}.azurewebsites.net/signin-oidc"] : ["https://${replace(local.name_template, "<service>", "appsrv")}.azurewebsites.net/signin-oidc"]
+}
+
+resource "azuread_application" "aadapp" {
+  display_name     = format("%s Application %s", var.resource_prefix, var.stage)
+  identifier_uris  = []
+  sign_in_audience = "AzureADMyOrg"
+  logo_image       = filebase64("icon-192.png")
+  web {
+    redirect_uris = var.stage == "dev" ? local.dev_redirect_uris : local.nondev_redirect_uris
+    logout_url    = var.custom_domain_name != "" ? "https://${var.custom_domain_name}/signout-callback-oidc" : "https://${replace(local.name_template, "<service>", "appsrv")}.azurewebsites.net/signout-callback-oidc"
+  }
+  api {
+    requested_access_token_version = 2
+  }
+  required_resource_access {
+    resource_app_id = "00000003-0000-0000-c000-000000000000"
+    resource_access {
+      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" // User.Read
+      type = "Scope"
+    }
+  }
+}
+
+resource "time_rotating" "example" {
+  rotation_days = 7
+}
+
+resource "azuread_application_password" "aadapppwd" {
+  display_name   = "apppwd"
+  application_id = azuread_application.aadapp.id
+  rotate_when_changed = {
+    rotation = time_rotating.example.id
+  }
+}
+
+resource "azuread_service_principal" "aadapp-sp" {
+  client_id = azuread_application.aadapp.client_id
+}
diff --git a/iac/main.tf b/iac/main.tf
@@ -0,0 +1,38 @@
+data "azurerm_client_config" "current" {}
+
+data "azuread_domains" "aad_domains" {
+  only_initial = true
+}
+
+locals {
+  name_template       = "${var.resource_prefix}-<service>-${var.stage}"
+  name_template_short = "${var.resource_prefix_short}<service>${var.stage}"
+}
+
+# Resource Group
+resource "azurerm_resource_group" "rg" {
+  name     = replace(local.name_template, "<service>", "rg")
+  location = var.default_location
+}
+
+resource "azuread_group" "group-rg-contributor" {
+  display_name            = format("%s-contributor", azurerm_resource_group.rg.name)
+  description             = "Entra ID group which grants contributor access to the resource group"
+  prevent_duplicate_names = true
+  security_enabled        = true
+  members                 = [data.azurerm_client_config.current.object_id]
+  lifecycle {
+    # apart from setting initially; do not flag changes in members and owners as state change
+    ignore_changes = [members, owners]
+  }
+}
+
+resource "azurerm_role_assignment" "rg-contributor" {
+  scope                = azurerm_resource_group.rg.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_group.group-rg-contributor.object_id
+}
+
+output "rg_name" {
+  value = azurerm_resource_group.rg.name
+}
diff --git a/iac/providers.tf b/iac/providers.tf
diff --git a/iac/variables.tf b/iac/variables.tf
diff --git a/iac/vars/dev.app.tfvars b/iac/vars/dev.app.tfvars
diff --git a/iac/versions.tf b/iac/versions.tf

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+output "rg" {`
	`2`	`+ value = azurerm_resource_group.rg.name`
	`3`	`+}`