updated the code with required fields

alpha-p-2 · alpha-p-2 · commit 2e7abeaf8807 · 2023-08-23T18:47:59.000+05:30
diff --git a/example/complete/azure/README.md b/example/complete/azure/README.md
@@ -0,0 +1,42 @@
+## Mongodb Example
+![squareops_avatar]
+
+[squareops_avatar]: https://squareops.com/wp-content/uploads/2022/12/squareops-logo.png
+
+### [SquareOps Technologies](https://squareops.com/) Your DevOps Partner for Accelerating cloud journey.
+<br>
+This example will be very useful for users who are new to a module and want to quickly learn how to use it. By reviewing the examples, users can gain a better understanding of how the module works, what features it supports, and how to customize it to their specific needs.
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.70.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_azure"></a> [azure](#module\_azure) | squareops/mongodb/kubernetes//provider/azure | n/a |
+| <a name="module_mongodb"></a> [mongodb](#module\_mongodb) | squareops/mongodb/kubernetes | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_kubernetes_cluster.primary](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_mongodb_credential"></a> [mongodb\_credential](#output\_mongodb\_credential) | MongoDB credentials used for accessing the MongoDB database. |
+| <a name="output_mongodb_endpoints"></a> [mongodb\_endpoints](#output\_mongodb\_endpoints) | MongoDB endpoints in the Kubernetes cluster. |
diff --git a/example/complete/azure/main.tf b/example/complete/azure/main.tf
@@ -16,26 +16,27 @@ locals {
     metric_exporter_password = "nvAHhm1uGQNYWVw6ZyAH"
   }
 
-  azure_storage_account_name = "skaftest"
-  azure_container_name       = "mongodb-backup-conatiner"
+  azure_storage_account_name = ""
+  azure_container_name       = ""
 }
 
 module "azure" {
-  source                             = "../../../provider/azure"
-  resource_group_name                = "prod-skaf-rg"
-  resource_group_location            = "eastus"
+  source                             = "squareops/mongodb/kubernetes//provider/azure"
+  resource_group_name                = ""
+  resource_group_location            = ""
   name                               = local.name
   environment                        = local.environment
   mongodb_custom_credentials_enabled = local.mongodb_custom_credentials_enabled
   mongodb_custom_credentials_config  = local.mongodb_custom_credentials_config
   store_password_to_secret_manager   = local.store_password_to_secret_manager
+  storage_account_name               = local.azure_storage_account_name
 }
 
 module "mongodb" {
   source                  = "squareops/mongodb/kubernetes"
-  cluster_name            = "prod-skaf-aks"
-  resource_group_name     = "prod-skaf-rg"
-  resource_group_location = "eastus"
+  cluster_name            = ""
+  resource_group_name     = ""
+  resource_group_location = ""
   mongodb_config = {
     name                             = local.name
     values_yaml                      = file("./helm/values.yaml")
@@ -48,10 +49,10 @@ module "mongodb" {
   }
   mongodb_custom_credentials_enabled = local.mongodb_custom_credentials_enabled
   mongodb_custom_credentials_config  = local.mongodb_custom_credentials_config
-  root_password           = local.mongodb_custom_credentials_enabled ? "" : module.azure.root_password
-  metric_exporter_pasword = local.mongodb_custom_credentials_enabled ? "" : module.azure.metric_exporter_pasword
-  bucket_provider_type    = "azure"
-  mongodb_backup_enabled  = false
+  root_password                      = local.mongodb_custom_credentials_enabled ? "" : module.azure.root_password
+  metric_exporter_pasword            = local.mongodb_custom_credentials_enabled ? "" : module.azure.metric_exporter_pasword
+  bucket_provider_type               = "azure"
+  mongodb_backup_enabled             = false
   mongodb_backup_config = {
     bucket_uri                 = "https://${local.azure_storage_account_name}.blob.core.windows.net/${local.azure_container_name}"
     azure_storage_account_name = local.azure_storage_account_name
diff --git a/provider/azure/README.md b/provider/azure/README.md
@@ -0,0 +1,62 @@
+# Azure Mongodb Kubernetes Module
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | n/a |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_key_vault.mongo-secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource |
+| [azurerm_key_vault_secret.mongo-secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_role_assignment.pod_identity_assignment_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.secretadmin_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.secretadmin_restore](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.service_account_token_creator_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.service_account_token_creator_restore](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_user_assigned_identity.mongo_backup_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_user_assigned_identity.mongo_restore_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_user_assigned_identity.pod_identity_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [random_password.mongodb_exporter_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [random_password.mongodb_root_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_subscription.primary](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_azure_uai_backup_name"></a> [azure\_uai\_backup\_name](#input\_azure\_uai\_backup\_name) | Azure User Assigned Identity name for backup | `string` | `"mongo-backup"` | no |
+| <a name="input_azure_uai_pod_identity_backup_name"></a> [azure\_uai\_pod\_identity\_backup\_name](#input\_azure\_uai\_pod\_identity\_backup\_name) | Azure User Assigned Identity name for pod identity backup | `string` | `"pod-identity-backup"` | no |
+| <a name="input_azure_uai_pod_identity_restore_name"></a> [azure\_uai\_pod\_identity\_restore\_name](#input\_azure\_uai\_pod\_identity\_restore\_name) | Azure User Assigned Identity name for pod identity restore | `string` | `"pod-identity-restore"` | no |
+| <a name="input_azure_uai_restore_name"></a> [azure\_uai\_restore\_name](#input\_azure\_uai\_restore\_name) | Azure User Assigned Identity name for restore | `string` | `"mongo-restore"` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment in which the infrastructure is being deployed (e.g., production, staging, development) | `string` | `"test"` | no |
+| <a name="input_mongodb_config"></a> [mongodb\_config](#input\_mongodb\_config) | Specify the configuration settings for Mongodb, including the name, environment, storage options, replication settings, and custom YAML values. | `any` | <pre>{<br>  "architecture": "",<br>  "environment": "",<br>  "name": "",<br>  "replica_count": 2,<br>  "storage_class_name": "",<br>  "store_password_to_secret_manager": true,<br>  "values_yaml": "",<br>  "volume_size": ""<br>}</pre> | no |
+| <a name="input_mongodb_custom_credentials_config"></a> [mongodb\_custom\_credentials\_config](#input\_mongodb\_custom\_credentials\_config) | Specify the configuration settings for Mongodb to pass custom credentials during creation. | `any` | <pre>{<br>  "metric_exporter_password": "",<br>  "metric_exporter_user": "",<br>  "root_password": "",<br>  "root_user": ""<br>}</pre> | no |
+| <a name="input_mongodb_custom_credentials_enabled"></a> [mongodb\_custom\_credentials\_enabled](#input\_mongodb\_custom\_credentials\_enabled) | Specifies whether to enable custom credentials for MongoDB database. | `bool` | `false` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name of all the resources | `string` | `""` | no |
+| <a name="input_resource_group_location"></a> [resource\_group\_location](#input\_resource\_group\_location) | Azure region | `string` | `"East US"` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Azure Resource Group name | `string` | `""` | no |
+| <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Azure storage account name | `string` | `""` | no |
+| <a name="input_store_password_to_secret_manager"></a> [store\_password\_to\_secret\_manager](#input\_store\_password\_to\_secret\_manager) | Specifies whether to store the credentials in GCP secret manager. | `bool` | `false` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_az_account_backup"></a> [az\_account\_backup](#output\_az\_account\_backup) | Azure User Assigned Identity for backup |
+| <a name="output_az_account_restore"></a> [az\_account\_restore](#output\_az\_account\_restore) | Azure User Assigned Identity for restore |
+| <a name="output_metric_exporter_pasword"></a> [metric\_exporter\_pasword](#output\_metric\_exporter\_pasword) | mongodb\_exporter user's password of MongoDB |
+| <a name="output_root_password"></a> [root\_password](#output\_root\_password) | Root user's password of MongoDB |
diff --git a/provider/azure/main.tf b/provider/azure/main.tf
@@ -4,37 +4,31 @@ data "azurerm_subscription" "current" {}
 
 data "azurerm_subscription" "primary" {}
 
-resource "azurerm_role_definition" "blob_storage_access" {
-  name        = "BlobStorageAccess"
-  description = "Role definition for accessing Azure Blob Storage"
-  scope       = "/subscriptions/${data.azurerm_subscription.current.subscription_id}"
-
-  permissions {
-    actions = [
-      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
-      "Microsoft.Storage/storageAccounts/blobServices/containers/write",
-      "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
-    ]
-
-    not_actions = []
-  }
-
-  assignable_scopes = [
-    "/subscriptions/${data.azurerm_subscription.current.subscription_id}",
-  ]
-}
-
-resource "azurerm_user_assigned_identity" "mongo_backup_identity" {
-  name                = format("%s-%s-%s", var.environment, var.name, "backup-identity")
-  location            = var.resource_group_location  # Specify the appropriate location
-  resource_group_name = var.resource_group_name
-}
-
-resource "azurerm_role_assignment" "blob_storage_access_assignment" {
-  principal_id   = azurerm_user_assigned_identity.mongo_backup_identity.principal_id
-  role_definition_name = azurerm_role_definition.blob_storage_access.name
-  scope          = "/subscriptions/${data.azurerm_subscription.current.subscription_id}"
-}
+# resource "azurerm_role_definition" "blob_storage_access" {
+#   name        = "BlobStorageAccess"
+#   description = "Role definition for accessing Azure Blob Storage"
+#   scope       = "/subscriptions/${data.azurerm_subscription.current.subscription_id}"
+
+#   permissions {
+#     actions = [
+#       "Microsoft.Storage/storageAccounts/blobServices/containers/read",
+#       "Microsoft.Storage/storageAccounts/blobServices/containers/write",
+#       "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
+#     ]
+
+#     not_actions = []
+#   }
+
+#   assignable_scopes = [
+#     "/subscriptions/${data.azurerm_subscription.current.subscription_id}",
+#   ]
+# }
+
+# resource "azurerm_role_assignment" "blob_storage_access_assignment" {
+#   principal_id   = azurerm_user_assigned_identity.mongo_backup_identity.principal_id
+#   role_definition_name = azurerm_role_definition.blob_storage_access.name
+#   scope          = "/subscriptions/${data.azurerm_subscription.current.subscription_id}"
+# }
 
 resource "random_password" "mongodb_root_password" {
   count   = var.mongodb_custom_credentials_enabled ? 0 : 1
@@ -49,7 +43,7 @@ resource "random_password" "mongodb_exporter_password" {
 }
 
 resource "azurerm_key_vault" "mongo-secret" {
-  count     = var.store_password_to_secret_manager ? 1 : 0
+  count                       = var.store_password_to_secret_manager ? 1 : 0
   name                        = format("%s-%s-%s", var.environment, var.name, "mongodb")
   resource_group_name         = var.resource_group_name
   location                    = var.resource_group_location
@@ -77,7 +71,7 @@ resource "azurerm_key_vault" "mongo-secret" {
 
 resource "azurerm_key_vault_secret" "mongo-secret" {
   depends_on = [azurerm_key_vault.mongo-secret[0]]
-  name = format("%s-%s-%s", var.environment, var.name, "secret")
+  name       = format("%s-%s-%s", var.environment, var.name, "secret")
   value = var.mongodb_custom_credentials_enabled ? jsonencode(
     {
       "root_user" : "${var.mongodb_custom_credentials_config.root_user}",
@@ -95,74 +89,57 @@ resource "azurerm_key_vault_secret" "mongo-secret" {
   key_vault_id = azurerm_key_vault.mongo-secret[0].id
 }
 
-resource "azurerm_user_assigned_identity" "mongo_backup" {
-  name                = "mongo-backup"
+# Create a service principal for mongo backup
+resource "azurerm_user_assigned_identity" "mongo_backup_identity" {
+  name                = format("%s-%s-%s", var.environment, var.name, "mongo_backup_identity")
   resource_group_name = var.resource_group_name
   location            = var.resource_group_location
 }
 
-resource "azurerm_key_vault_access_policy" "secretadmin_backup" {
-  key_vault_id = azurerm_key_vault.mongo-secret[0].id
-  tenant_id    = data.azurerm_client_config.current.tenant_id
-  object_id    = azurerm_user_assigned_identity.mongo_backup.principal_id
-
-  secret_permissions = [
-    "Get",
-    "List",
-    "Delete",
-  ]
-}
-
-resource "azurerm_user_assigned_identity" "pod_identity_backup" {
-  name                = format("%s-%s-%s", var.environment, var.name, "pod-identity-backup")
-  resource_group_name = var.resource_group_name
-  location            = var.resource_group_location
+# Grant the storage blob contributor role to the backup service principal
+resource "azurerm_role_assignment" "secretadmin_backup" {
+  principal_id         = azurerm_user_assigned_identity.mongo_backup_identity.principal_id
+  role_definition_name = "Storage Blob Data Contributor"
+  scope                = "/subscriptions/${data.azurerm_subscription.current.subscription_id}/resourceGroups/test-skaf-tfstate-rg/providers/Microsoft.Storage/storageAccounts/${var.storage_account_name}"
 }
 
-resource "azurerm_key_vault_access_policy" "pod_identity_backup" {
-  key_vault_id = azurerm_key_vault.mongo-secret[0].id
-  tenant_id    = data.azurerm_client_config.current.tenant_id
-  object_id    = azurerm_user_assigned_identity.pod_identity_backup.principal_id
-
-  secret_permissions = [
-    "Get",
-    "List",
-    "Delete",
-  ]
+# Grant the "Managed Identity Token Creator" role to the backup service principal
+resource "azurerm_role_assignment" "service_account_token_creator_backup" {
+  principal_id         = azurerm_user_assigned_identity.mongo_backup_identity.principal_id
+  role_definition_name = "Role Based Access Control Administrator (Preview)"
+  scope                = "/subscriptions/${data.azurerm_subscription.current.subscription_id}/resourceGroups/test-skaf-tfstate-rg"
 }
 
-resource "azurerm_user_assigned_identity" "mongo_restore" {
-  name                = format("%s-%s-%s", var.environment, var.name, "mongo-restore")
+# Create a service principal for mongo restore
+resource "azurerm_user_assigned_identity" "mongo_restore_identity" {
+  name                = format("%s-%s-%s", var.environment, var.name, "mongo_restore_identity")
   resource_group_name = var.resource_group_name
   location            = var.resource_group_location
 }
 
-resource "azurerm_key_vault_access_policy" "secretadmin_restore" {
-  key_vault_id = azurerm_key_vault.mongo-secret[0].id
-  tenant_id    = data.azurerm_client_config.current.tenant_id
-  object_id    = azurerm_user_assigned_identity.mongo_restore.principal_id
-
-  secret_permissions = [
-    "Get",
-    "List",
-    "Delete",
-  ]
+# Grant the storage blob contributor role to the restore service principal
+resource "azurerm_role_assignment" "secretadmin_restore" {
+  principal_id         = azurerm_user_assigned_identity.mongo_restore_identity.principal_id
+  role_definition_name = "Storage Blob Data Contributor"
+  scope                = "/subscriptions/${data.azurerm_subscription.current.subscription_id}/resourceGroups/test-skaf-tfstate-rg/providers/Microsoft.Storage/storageAccounts/${var.storage_account_name}"
+}
+
+# Grant the "Managed Identity Token Creator" role to the restore service principal
+resource "azurerm_role_assignment" "service_account_token_creator_restore" {
+  principal_id         = azurerm_user_assigned_identity.mongo_restore_identity.principal_id
+  role_definition_name = "Role Based Access Control Administrator (Preview)"
+  scope                = "/subscriptions/${data.azurerm_subscription.current.subscription_id}/resourceGroups/test-skaf-tfstate-rg"
 }
 
-resource "azurerm_user_assigned_identity" "pod_identity_restore" {
-  name                = format("%s-%s-%s", var.environment, var.name, "pod-identity-restore")
+# Configure workload identity for mongo backup
+resource "azurerm_user_assigned_identity" "pod_identity_backup" {
+  name                = format("%s-%s-%s", var.environment, var.name, "pod_identity_backup")
   resource_group_name = var.resource_group_name
   location            = var.resource_group_location
 }
 
-resource "azurerm_key_vault_access_policy" "pod_identity_restore" {
-  key_vault_id = azurerm_key_vault.mongo-secret[0].id
-  tenant_id    = data.azurerm_client_config.current.tenant_id
-  object_id    = azurerm_user_assigned_identity.pod_identity_restore.principal_id
-
-  secret_permissions = [
-    "Get",
-    "List",
-    "Delete",
-  ]
+resource "azurerm_role_assignment" "pod_identity_assignment_backup" {
+  principal_id         = azurerm_user_assigned_identity.pod_identity_backup.principal_id
+  role_definition_name = "Managed Identity Operator"
+  scope                = "/subscriptions/${data.azurerm_subscription.current.subscription_id}/resourceGroups/${var.resource_group_name}"
 }
diff --git a/provider/azure/outputs.tf b/provider/azure/outputs.tf
@@ -4,7 +4,7 @@ output "az_account_backup" {
 }
 
 output "az_account_restore" {
-  value       = azurerm_user_assigned_identity.mongo_backup_identity.client_id
+  value       = azurerm_user_assigned_identity.mongo_restore_identity.client_id
   description = "Azure User Assigned Identity for restore"
 }
 
diff --git a/provider/azure/variables.tf b/provider/azure/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ output "az_account_backup" {`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`output "az_account_restore" {`
`7`		`- value = azurerm_user_assigned_identity.mongo_backup_identity.client_id`
	`7`	`+ value = azurerm_user_assigned_identity.mongo_restore_identity.client_id`
`8`	`8`	`description = "Azure User Assigned Identity for restore"`
`9`	`9`	`}`
`10`	`10`