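#!/bin/bash
#
# Author : Nathanael Frappart
#
# script to run before first terraform deployment
# this script will provision:
# - a resource group
# - a storage account
# - create a blob for terraform state file
# - a keyvault to store the blob key
# then, it will generate the terraform_login.sh script to use to securely connect your terminal to your subscription (ARM environment variables)
#
# Usage:    ./init-azurebackend-blob.sh   (interactive; run from the terraform project directory)
# Requires: az (Azure CLI), bash 4+ (mapfile, ${var,,})
# Writes:   ./main.tf (an existing main.tf is backed up first)
# Sources:  ./terraform_login.sh at the end (must already exist in the current directory)
set -euo pipefail

# Temp files are used to hand secrets to `az` without putting them on the
# command line (argv is visible to every user on the host through `ps`).
# umask 077 keeps them private; the trap removes them on any exit path.
umask 077
TMP_SECRET_DIR=$(mktemp -d) || { printf 'error: mktemp failed\n' >&2; exit 1; }
cleanup() { rm -rf -- "${TMP_SECRET_DIR:?}"; }
trap cleanup EXIT

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Check whether a location name is in the subscription's location list.
# Globals:   LOCATIONS_LIST (read)
# Arguments: $1 - location name typed by the user
# Returns:   0 if the name is in LOCATIONS_LIST, 1 otherwise
#######################################
location_is_known() {
  local wanted=$1
  local loc
  for loc in "${LOCATIONS_LIST[@]}"; do
    if [[ "$loc" == "$wanted" ]]; then
      return 0
    fi
  done
  return 1
}

#######################################
# Store a value as a Key Vault secret.
# The value is written to a private temp file and passed with --file so
# that it never appears as a command-line argument.
# Globals:   TMP_SECRET_DIR (read)
# Arguments: $1 - vault name, $2 - secret name, $3 - secret value
# Returns:   exit status of `az keyvault secret set`
#######################################
kv_set_secret() {
  local vault=$1
  local name=$2
  local value=$3
  local secret_file="$TMP_SECRET_DIR/$name"
  printf '%s' "$value" > "$secret_file"
  az keyvault secret set \
    --name "$name" \
    --vault-name "$vault" \
    --file "$secret_file" \
    -o none
  rm -f -- "$secret_file"
}

####################
# Connect to Azure #
####################
# login to azure (interactive browser flow)
echo ""
echo "###################################################"
echo "# You will be rediected to Azure login page in 5s #"
echo "###################################################"
sleep 5
az login --output none
# list all subscriptions
echo "..."
echo "### Available susbscription list: ###"
az account list --output table

########################
# Set script variables #
########################
# input Subscription id (a GUID or a subscription name, as accepted by `az account set -s`)
echo "..."
echo "### Enter subscription ID: ###"
read -r SUBSCRIPTION_INPUT
[[ -n "$SUBSCRIPTION_INPUT" ]] || die "no subscription given"
# select subscription for the session; `az` fails (and so do we, via set -e) if it is unknown
az account set -s "$SUBSCRIPTION_INPUT"
SUBSCRIPTION_NAME=$(az account show --query "name" -o tsv)
# always resolve the GUID: the role-assignment scope below needs it even when a name was typed
SUBSCRIPTION_ID=$(az account show --query "id" -o tsv)
[[ -n "$SUBSCRIPTION_ID" ]] || die "could not resolve the subscription id"
echo ""
echo "### session is set to subscription named '$SUBSCRIPTION_NAME' ###"

# set variables for resources names
echo "..."
echo "### Now we'll define the names for resources to be created ###"
echo "..."
echo "First, enter your company name (***alphanumerical lowercase only***):"
read -r COMPANY
# keep only alphanumerics, lower-cased: the value is embedded in resource names
# (storage account names in particular accept nothing else)
COMPANY=${COMPANY//[^[:alnum:]]/}
COMPANY=${COMPANY,,}
[[ -n "$COMPANY" ]] || die "company name is empty after removing non-alphanumeric characters"

echo "..."
echo "### Name for Resource Group ###"
echo "(default is rg-terraform-<YourCompany>): ###"
read -r RESOURCE_GROUP_NAME
if [[ -z "$RESOURCE_GROUP_NAME" ]]; then
  RESOURCE_GROUP_NAME=rg-terraform-$COMPANY
fi

echo "..."
az account list-locations -o table --query "[*].{Location:name,Name:displayName}"
echo "..."
echo "### Location for Resource Group ###"
echo "type the desired location (default is 'westeurope'):"
read -r RESOURCE_GROUP_LOCATION
LOCATION_DEFAULT="westeurope"
# check if location is valid: one name per line from tsv output, so mapfile (not `read -a`,
# which only consumes the first line)
mapfile -t LOCATIONS_LIST < <(az account list-locations --query "[*].name" -o tsv)
if [[ -z "$RESOURCE_GROUP_LOCATION" ]]; then
  RESOURCE_GROUP_LOCATION=$LOCATION_DEFAULT
elif (( ${#LOCATIONS_LIST[@]} == 0 )); then
  # the list could not be fetched (process substitution failures are not caught by set -e);
  # keep the typed value and let `az group create` reject it if it is wrong
  printf 'warning: could not fetch the location list, skipping validation of %s\n' \
    "$RESOURCE_GROUP_LOCATION" >&2
elif ! location_is_known "$RESOURCE_GROUP_LOCATION"; then
  # if the input location value doesn't match, it is set to default value
  printf "warning: '%s' is not a known location, using '%s'\n" \
    "$RESOURCE_GROUP_LOCATION" "$LOCATION_DEFAULT" >&2
  RESOURCE_GROUP_LOCATION=$LOCATION_DEFAULT
fi

STORAGE_ACCOUNT_NAME=tfstate$COMPANY #$SERIAL
# storage account names are limited to 24 lowercase alphanumerics; truncate like the vault name below
if (( ${#STORAGE_ACCOUNT_NAME} > 24 )); then
  STORAGE_ACCOUNT_NAME=${STORAGE_ACCOUNT_NAME:0:24}
  printf "warning: storage account name truncated to '%s'\n" "$STORAGE_ACCOUNT_NAME" >&2
fi
# the container is named "terraform" both when created and in the generated backend block
CONTAINER_NAME=terraform
SERVICE_PRINCIPAL_NAME=sp-terraform-$COMPANY

##########################
# Resources provisioning #
##########################
# create service principal with contributor role for terraform, scoped explicitly to the
# subscription (recent CLI versions require --scopes together with --role)
echo "..."
echo "### Creating Service Principal in Azure AD for Terraform ###"
# tsv output prints appId and password on separate lines
mapfile -t SP_TERRAFORM < <(az ad sp create-for-rbac \
  --name "$SERVICE_PRINCIPAL_NAME" \
  --role Contributor \
  --scopes "/subscriptions/$SUBSCRIPTION_ID" \
  --query "[appId,password]" -o tsv)
(( ${#SP_TERRAFORM[@]} == 2 )) || die "service principal creation did not return appId and password"
SP_TERRAFORM_ID=${SP_TERRAFORM[0]}
SP_TERRAFORM_SECRET=${SP_TERRAFORM[1]}
[[ -n "$SP_TERRAFORM_ID" && -n "$SP_TERRAFORM_SECRET" ]] || die "service principal creation returned empty values"

# create resource group
echo "..."
echo "### Creating resource group ###"
az group create \
  -l "$RESOURCE_GROUP_LOCATION" \
  -n "$RESOURCE_GROUP_NAME" \
  -o none

# create storage account
# the state file can contain secrets: disable anonymous blob access and require TLS 1.2
echo "..."
echo "### Creating storage account ###"
az storage account create \
  --name "$STORAGE_ACCOUNT_NAME" \
  --resource-group "$RESOURCE_GROUP_NAME" \
  --sku Standard_LRS \
  --encryption-services blob \
  --allow-blob-public-access false \
  --min-tls-version TLS1_2 \
  --location "$RESOURCE_GROUP_LOCATION" \
  -o none

# get storage account key
echo "..."
echo "### Retrieving storage account key ###"
STORAGE_ACCOUNT_KEY=$(az storage account keys list \
  --resource-group "$RESOURCE_GROUP_NAME" \
  --account-name "$STORAGE_ACCOUNT_NAME" \
  --query "[0].value" -o tsv)
[[ -n "$STORAGE_ACCOUNT_KEY" ]] || die "could not retrieve the storage account key"

# create container for blob
# the key is passed through the AZURE_STORAGE_KEY environment variable rather than
# --account-key so it does not show up in the process list
echo "..."
echo "### Creating blob container ###"
AZURE_STORAGE_KEY="$STORAGE_ACCOUNT_KEY" az storage container create \
  --account-name "$STORAGE_ACCOUNT_NAME" \
  --name "$CONTAINER_NAME" \
  -o none

# create keyvault to store secret
# - blob key
# - service principal client secret
echo "..."
echo "### Creating Keyvault 'kv-terraform-<companyname>' for terraform necessary secrets ###"
echo "(keyvault name might be truncated if length exceed 24 characters)"
KV_NAME=kv-terraform-$COMPANY
KV_NAME=${KV_NAME:0:24}
# access policies (used by `set-policy` below) are only honoured when RBAC authorization
# is off; newer CLI versions default it to on, so state it explicitly
az keyvault create \
  --name "$KV_NAME" \
  --location "$RESOURCE_GROUP_LOCATION" \
  --resource-group "$RESOURCE_GROUP_NAME" \
  --enable-rbac-authorization false \
  -o none

# add permission for sp to keyvault
# `create-for-rbac` returns the appId, which is what --spn expects; --object-id expects the
# service principal's object id (a different GUID), so the policy was bound to the wrong id
# NOTE(review): the permission set below is far broader than what reading two secrets needs;
# consider trimming it to `--secret-permissions get list` once the rest of the tooling is known.
echo "### Add permission for SP to keyvault ###"
az keyvault set-policy \
  --name "$KV_NAME" \
  --spn "$SP_TERRAFORM_ID" \
  --secret-permissions backup delete get list purge recover restore set \
  --key-permissions backup create decrypt delete encrypt get import list purge recover restore sign unwrapKey update verify wrapKey \
  --certificate-permissions backup create delete deleteissuers get getissuers import list listissuers managecontacts manageissuers purge recover restore setissuers update \
  -o none

# register blob key to keyvault
echo "### Save blob key in keyvault secret ###"
kv_set_secret "$KV_NAME" "$STORAGE_ACCOUNT_NAME-key" "$STORAGE_ACCOUNT_KEY"
# register service principal secret to keyvault
echo "### Save SP Client Secret in keyvault secret ###"
kv_set_secret "$KV_NAME" "$SERVICE_PRINCIPAL_NAME-secret" "$SP_TERRAFORM_SECRET"
# register service principal id to keyvault
echo "### Save SP Client ID in keyvault secret ###"
kv_set_secret "$KV_NAME" "$SERVICE_PRINCIPAL_NAME-id" "$SP_TERRAFORM_ID"

# terraform provider file template
echo "..."
echo "..."
echo "### The folowing text has been copied to a main.tf file to setup your backend"
echo "### Then run terraform init to initialize backend ###"
# do not silently clobber an existing configuration
if [[ -e main.tf ]]; then
  MAIN_TF_BACKUP="main.tf.bak.$(date +%Y%m%d%H%M%S)"
  cp -- main.tf "$MAIN_TF_BACKUP"
  printf "warning: existing main.tf backed up to '%s'\n" "$MAIN_TF_BACKUP" >&2
fi
# unquoted delimiter: $STORAGE_ACCOUNT_NAME and $CONTAINER_NAME are expanded, nothing else
# in the template contains shell-significant characters
cat > main.tf <<EOF

provider "azurerm" {
  features {}
}

terraform {
  required_providers {
    azurerm = {}
  }
  backend "azurerm" {
    storage_account_name = "$STORAGE_ACCOUNT_NAME"
    container_name       = "$CONTAINER_NAME"
    key                  = "terraform.tfstate"
  }
}
EOF
cat main.tf
sleep 5
echo "..."
echo "..."
echo "### The script will now launch terraform_login.sh and go through authentication again ###"
echo "### after that, run 'terraform init' to initialise your backend ###"
sleep 5

# launch terraform login script
# NOTE(review): it is sourced from the current directory and inherits this shell's variables,
# including STORAGE_ACCOUNT_KEY and SP_TERRAFORM_SECRET — confirm whether it relies on them
# before unsetting them here.
[[ -f terraform_login.sh ]] || die "terraform_login.sh not found in $(pwd)"
# shellcheck source=/dev/null
source terraform_login.sh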