Merge pull request #1 from jenkins-infra/terraform-003
Merge support for provisioning Azure resources via Terraform
commit 29eb911716
@ -3,3 +3,5 @@
*.tfstate.backup
*.html
.ruby-*
*.sw*
.*.json
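Review bot: `.*.json` only protects the credentials file because the README happens to name it `.azure-terraform.json`, a hidden dotfile; list that file by name next to the glob so the intent survives a rename or a copy to `azure-terraform.json`. While here, confirm that plain `*.tfstate` is ignored as well, since only `*.tfstate.backup` is visible in this context: Terraform state stores resource attributes such as the storage account's access keys in plain text, so it must never reach the repository either.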
@ -0,0 +1,97 @@
= Azure tooling setup

This document is meant to outline how you can set up your local environment for
hacking on the Azure tooling for the Jenkins project infrastructure.


All examples below for setting up Azure resources are done with the
link:https://github.com/azure/azure-cli[azure-cli].


== Setting up Terraform

link:http://terraform.io[Terraform]
can be used via the
link:https://www.terraform.io/docs/providers/azurerm/index.html[AzureRM provider]
which comes built in with recent versions of Terraform.

In order to authenticate against Azure, you must create some Azure Active
Directory and other related authentication and authorization objects.


*Generate an authentication token*

[source]
----
openssl rand -base64 24
----

This will be needed later, so don't lose it!


*Creating an OAuth Application*

[source]
----
az ad app create --display-name jenkins-terraform \
--homepage http://example.com/jenkins-terraform \
--identifier-uris http://example.com/jenkins-terraform \
--password $GENERATED_TOKEN
----


We can then retrieve the Application's ID via:

[source]
----
az ad app list -o tsv --query "[?displayName=='jenkins-terraform'].appId"`
----


Since permissions cannot be directly granted to an application, we must create a
Service Principle associated with the application and grant permissions to that.

*Creating a Service Principle*

[source]
----
az ad sp create --id $(az ad app list -o tsv --query "[?displayName=='jenkins-terraform'].appId"`)
----


Once a Service Principle exists, we can grant the permissions on it:


[source]
----
az role assignment create --assignee http://example.com/jenkins-terraform \
--role Owner \
--scope /subscriptions/be53081d-a3a2-499c-b355-8f5c3d4126e5
----



=== Creating the variables file


Create `.azure-terraform.json` in the root directory of this repository
containing:

[source, json]
----
{
"prefix" : "yourusername",
"subscription_id" : "",
"client_id" : "",
"client_secret" : "",
"tenant_id" : ""
}
----

Where (assuming your subscription is named "Pay-As-You-Go"):

* `prefix` is your username, or some unique token to avoid namespace collisions in Azure
* `subscription_id` is the output of: `az account list -o tsv --query "[?name=='Pay-As-You-Go'].id"`
* `client_id` is the output of: `az ad app list -o tsv --query "[?displayName=='jenkins-terraform'].appId"`
* `client_secret` is the `$GENERATED_TOKEN` you created with `openssl` previously
* `tenant_id` is the output of: `az account list -o tsv --query "[?name=='Pay-As-You-Go'].tenantId"`
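Review bot: the `az role assignment create` step grants the service principal `Owner` on the entire subscription, although the plans this document supports only manage one resource group of storage resources; `Owner` can create further role assignments, so a leaked `client_secret` would let an attacker hand out subscription-wide access to themselves. Use `Contributor` (subscription-scoped, since the plan creates the resource group, or scoped to a pre-created resource group) instead. Two smaller problems in the same hunk: the `az ad app list ... appId"` command, both in the retrieval step and inside the `az ad sp create --id $(...)` substitution, ends in a stray backtick that breaks copy-paste, and `--password $GENERATED_TOKEN` puts the secret into shell history and the process list, so it is better read from a file or prompted for. Also "Service Principle" should read "Service Principal" throughout.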
@ -0,0 +1,9 @@


terraform:
$(MAKE) -C plans

deploy: terraform
$(MAKE) -C plans apply

.PHONY: terraform deploy
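Review bot: `deploy` first runs the `terraform` target, whose bare `$(MAKE) -C plans` executes the first rule in `plans/Makefile` (a `plan`), and then a separate `apply`, so the plan a reviewer inspects is thrown away and `apply` computes its own; have the plan step write `-out=` a plan file and pass that file to `apply` so that what was reviewed is exactly what is applied. Naming the target `terraform` also shadows the binary's name in `make` output, which makes logs harder to read; `plan` would be clearer.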
@ -0,0 +1,16 @@

VARFILE=../.azure-terraform.json
TERRAFORM=terraform


plan: validate
$(TERRAFORM) plan --var-file=$(VARFILE) .

validate:
$(TERRAFORM) validate *.tf

apply: validate
$(TERRAFORM) apply --var-file=$(VARFILE) .


.PHONY: validate plan apply
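Review bot: `$(TERRAFORM) validate *.tf` hands the shell-expanded list of files to a command that takes a single directory argument, so with the three `.tf` files in this change it will reject the extra arguments; use `$(TERRAFORM) validate .` like the `plan` and `apply` rules do. `apply` also depends only on `validate`, not on `plan`, so `make apply` changes infrastructure without anyone having looked at a plan; chain `plan -out=tfplan` into `apply tfplan`. `VARFILE` points at `../.azure-terraform.json`, which carries `client_secret`, so the rule that this path is git-ignored (the `.gitignore` hunk's `.*.json`) is load-bearing and deserves a comment here.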
@ -0,0 +1,8 @@
# Configure the terraform provider for the infrastructure

provider "azurerm" {
subscription_id = "${var.subscription_id}"
client_id = "${var.client_id}"
client_secret = "${var.client_secret}"
tenant_id = "${var.tenant_id}"
}
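Review bot: wiring `client_secret` through a Terraform variable forces the secret to live in a JSON file on disk next to the repository; the azurerm provider also reads `ARM_SUBSCRIPTION_ID`, `ARM_CLIENT_ID`, `ARM_CLIENT_SECRET` and `ARM_TENANT_ID` from the environment, so these four arguments could be dropped from the `provider` block and exported in the shell (or injected by CI) instead, leaving nothing secret on disk. If the variables stay, the comment on the first line should say that the values come from `.azure-terraform.json` and that the file must never be committed.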
@ -0,0 +1,197 @@
#
# This terraform plan defines the resources necessary to host the Jenkins
# project's core releases via Azure Blob Storage
#
# These resources were originally created manually via the Azure Portal, but
# this plan represents the enforcement of those resources.

resource "azurerm_resource_group" "releases" {
name = "${var.prefix}jenkinsinfra-releases"
location = "East US 2"
}

resource "azurerm_storage_account" "releases" {
name = "${var.prefix}jenkinsreleases"
resource_group_name = "${azurerm_resource_group.releases.name}"
location = "East US 2"
account_type = "Standard_GRS"
}


##
## Defining containers for the various types of Jenkisn releases. This could
## probably be "looped" in some form or fashion using Terraform, but there are few
## enough resources which need to be defined that it would be more difficult to
## maintain and read if it were made more complex than the copy-pasta below.
##

# Containers for the .war file releases:
########################################
resource "azurerm_storage_container" "war" {
name = "war"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "war-stable" {
name = "war-stable"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "war-stable-rc" {
name = "war-stable-rc"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "war-rc" {
name = "war-rc"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
########################################

# Containers for Red Hat rpm releases:
######################################
resource "azurerm_storage_container" "redhat" {
name = "redhat"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "redhat-stable" {
name = "redhat-stable"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "redhat-stable-rc" {
name = "redhat-stable-rc"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "redhat-rc" {
name = "redhat-rc"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
######################################

# Containers for openSUSE rpm releases:
#######################################
resource "azurerm_storage_container" "opensuse" {
name = "opensuse"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "opensuse-stable" {
name = "opensuse-stable"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "opensuse-stable-rc" {
name = "opensuse-stable-rc"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "opensuse-rc" {
name = "opensuse-rc"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
#######################################


# Container for Debian (.dpkg) releases:
########################################
resource "azurerm_storage_container" "debian" {
name = "debian"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "debian-stable" {
name = "debian-stable"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "debian-stable-rc" {
name = "debian-stable-rc"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "debian-rc" {
name = "debian-rc"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
########################################


# Container for Windows (.zip) releases:
########################################
resource "azurerm_storage_container" "windows" {
name = "windows"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "windows-stable" {
name = "windows-stable"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "windows-stable-rc" {
name = "windows-stable-rc"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "windows-rc" {
name = "windows-rc"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
########################################


# Container for Mac OS X (.pkg) releases:
#########################################
resource "azurerm_storage_container" "osx" {
name = "osx"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "osx-stable" {
name = "osx-stable"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "osx-stable-rc" {
name = "osx-stable-rc"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
resource "azurerm_storage_container" "osx-rc" {
name = "osx-rc"
resource_group_name = "${azurerm_resource_group.releases.name}"
storage_account_name = "${azurerm_storage_account.releases.name}"
container_access_type = "container"
}
#########################################
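Review bot: every container sets `container_access_type = "container"`, which permits anonymous read of the blobs and anonymous listing of the container's contents; anonymous read is clearly intended for public release artifacts, but listing lets anyone enumerate every object, including anything uploaded by mistake, whereas `"blob"` gives anonymous download without enumeration. Either switch to `"blob"` or add a comment stating that public listing is deliberate and why. Since these blobs are served with no authentication at all, the integrity of what users download rests entirely on who can write, that is on the storage account keys, and that deserves a sentence in the header comment. Minor: `location = "East US 2"` is repeated on the storage account rather than taken from `${azurerm_resource_group.releases.location}`, and "Jenkisn" in the container comment block is a typo.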
@ -0,0 +1,5 @@
variable "subscription_id" {}
variable "client_id" {}
variable "client_secret" {}
variable "tenant_id" {}
variable "prefix" {}
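Review bot: none of the five variables has a `description`, and `prefix` carries an undocumented hard constraint: it is concatenated into `${var.prefix}jenkinsreleases`, and Azure storage account names must be 3 to 24 lowercase letters and digits, so `prefix` can be at most 9 characters of `[a-z0-9]` (a username with an uppercase letter, a dot or a hyphen fails at apply time). State that in a `description` on the variable, and give `client_secret` a description saying it must come from the var file, not from `-var` on the command line, where it would land in shell history.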