Note

This repository is publicly accessible as part of our open-source initiative. We welcome contributions from the community alongside our organization's primary development efforts.


terraform-azurerm-launchpad

This module provisions the essential infrastructure components within an Azure tenant to enable secure, automated management using Terraform and GitHub. It sets up a self-hosted GitHub Actions runner (running in a Virtual Machine Scale Set), a storage account for the Terraform state backend, a Key Vault reachable over a private endpoint, and the other resources needed for fully automated Terraform deployments. The module is designed to follow security best practices throughout.

Design

The IaC Launchpad is a collection of essential Azure resources required for managing Terraform deployments via Cloudeteer GitHub Actions. The term “Launchpad” draws an analogy to rocket science, emphasizing the foundational role it plays.

Launchpad Design

Usage

This example demonstrates how to deploy the Launchpad in a default scenario.

The example declares two root-module variables, my_runner_github_pat and my_runner_github_repo, and passes them to the module inputs runner_github_pat and runner_github_repo. Supply them at runtime rather than in a committed .tfvars file, using the environment variables TF_VAR_my_runner_github_pat and TF_VAR_my_runner_github_repo. Terraform maps TF_VAR_<name> to the root variable of that name, so the suffix must match the root variable, not the module input. Values passed into resources still end up in the Terraform state, so keep the state backend access-controlled.

variable "my_runner_github_pat" {
  type      = string
  sensitive = true # keep the PAT out of plan and apply output
}
variable "my_runner_github_repo" {
  type = string # "owner/name", e.g. cloudeteer/squad-customer
}

resource "azurerm_resource_group" "example" {
  location = "germanywestcentral"
  name     = "rg-example-dev-gwc-01"
}

module "example" {
  source = "cloudeteer/launchpad/azurerm"

  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  runner_github_pat  = var.my_runner_github_pat
  runner_github_repo = var.my_runner_github_repo

  virtual_network_address_space = ["10.0.0.0/16"]
  subnet_address_prefixes       = ["10.0.2.0/24"]
  management_group_names        = ["mg-example"]
}
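A small POSIX shell wrapper for the runtime-only inputs, added here as an example; it is not part of the Launchpad module or its INSTALL.md. It assumes the root variable names from the usage example above, reads the PAT from a file named by the hypothetical LAUNCHPAD_PAT_FILE variable (so the token never appears on a command line, in shell history or in `ps` output), and goes slightly beyond the example by also validating the optional subscription_ids input: the module requires 36-character entries, and this additionally checks that each one has the shape of a GUID.

```shell
#!/bin/sh
# Added example for this README; not part of the cloudeteer/terraform-azurerm-launchpad module.
# Assumptions: the root module declares my_runner_github_pat and my_runner_github_repo
# exactly as in the usage example; LAUNCHPAD_REPO and LAUNCHPAD_PAT_FILE are
# hypothetical environment variables chosen for this wrapper.
set -eu

# runner_github_repo must be "owner/name": one slash, both parts non-empty,
# only the characters GitHub allows in owner and repository names.
validate_repo_slug() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$'
}

# subscription_ids entries must be 36-character GUIDs (8-4-4-4-12 hex groups);
# the module only checks the length, this also checks the shape.
validate_subscription_id() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Render subscription IDs as the HCL list literal Terraform parses from
# TF_VAR_subscription_ids, refusing any malformed entry.
subscription_ids_hcl() {
  out=""
  for id in "$@"; do
    validate_subscription_id "$id" || { echo "malformed subscription id: $id" >&2; return 1; }
    out="${out}${out:+,}\"${id}\""
  done
  printf '[%s]' "$out"
}

# Export the runtime-only inputs. The PAT is read from a file (chmod 600) rather
# than taken as an argument, so it never lands in shell history or `ps` output.
# It still reaches Terraform state, so the state backend must be access-controlled.
export_launchpad_vars() {
  repo="$1"
  pat_file="$2"
  validate_repo_slug "$repo" || { echo "runner_github_repo must be owner/name, got: $repo" >&2; return 1; }
  [ -r "$pat_file" ] || { echo "PAT file not readable: $pat_file" >&2; return 1; }
  TF_VAR_my_runner_github_repo="$repo"
  # command substitution strips the trailing newline most editors add to the file
  TF_VAR_my_runner_github_pat="$(cat "$pat_file")"
  [ -n "$TF_VAR_my_runner_github_pat" ] || { echo "PAT file is empty" >&2; return 1; }
  export TF_VAR_my_runner_github_repo TF_VAR_my_runner_github_pat
}

# Full plan run; only invoked when the script is called with "plan".
run_plan() {
  export_launchpad_vars "${LAUNCHPAD_REPO:?set to owner/name}" "${LAUNCHPAD_PAT_FILE:?path to a file holding the PAT}"
  terraform init -input=false
  terraform plan -input=false -out=launchpad.tfplan
  unset TF_VAR_my_runner_github_pat # do not leave the PAT in the environment
}

if [ "${1:-}" = "plan" ]; then
  run_plan
fi
```

Run it as `LAUNCHPAD_REPO=owner/name LAUNCHPAD_PAT_FILE=~/.launchpad-pat sh launchpad-plan.sh plan`; sourcing the file without the `plan` argument only defines the functions, which is useful for reusing the validators in CI.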

Providers

The following providers are used by this module:

Resources

The following resources are used by this module:

Required Inputs

The following input variables are required:

location

Description: The geographic location where the resources will be deployed. This must be a region name supported by Azure.

Type: string

resource_group_name

Description: The name of the resource group in which the Launchpad resources are created. Changing this forces a new resource to be created.

Type: string

runner_github_pat

Description: GitHub PAT used to request registration tokens for the GitHub Actions runner. Treat it as a secret: pass it at runtime (see Usage) and never commit it.

Type: string

runner_github_repo

Description: The GitHub repository owner and name, separated by /, in which the action runner is registered, e.g. cloudeteer/squad-customer.

Type: string

subnet_address_prefixes

Description: A list of IP address prefixes (CIDR blocks) to be assigned to the subnet. Each entry in the list represents a CIDR block used to define the address space of the subnet within the virtual network.

Type: list(string)

virtual_network_address_space

Description: A list of IP address ranges to be assigned to the virtual network (VNet). Each entry in the list represents a CIDR block used to define the address space of the VNet.

Type: list(string)

Optional Inputs

The following input variables are optional (have default values):

init

Description: Set to true only for the initial bootstrap run of the Launchpad (the first apply, performed from the operator's own machine; the two inputs below are only used in that mode). For more information see https://github.com/cloudeteer/terraform-azurerm-launchpad/blob/main/INSTALL.md

Type: bool

Default: false

Description: The ID of the Azure principal that is granted access to the storage account and Key Vault during bootstrap. NOTE: This is only required when init is set to true.

Type: string

Default: null

Description: Your current public IP address, which is allowed to reach the newly created resources during bootstrap. For more information see https://github.com/cloudeteer/terraform-azurerm-launchpad/blob/main/INSTALL.md

Type: string

Default: null

Description: A list of private DNS zone IDs in which the Key Vault's private endpoint is registered.

Type: list(string)

Default: []

Description: A list of Subnet IDs that are allowed to access the Key Vault used by the Launchpad.

Type: list(string)

Default: []

management_group_names

Description: A list of management group names on which the Launchpad identity is granted the Owner role. Owner at management-group scope is inherited by every subscription beneath that group, so list only the groups the Launchpad actually needs to manage.

Type: list(string)

Default: []

Description: The base name applied to all resources created by this module.

Type: string

Default: "launchpad"

Description: An optional suffix appended to the base name for all resources created by this module.

NOTE: This suffix is not applied to resources that use a randomly generated suffix (e.g., Key Vault and Storage Account).

Type: string

Default: null

Description: The CPU architecture to run the GitHub actions runner. Can be x64 or arm64.

Type: string

Default: "arm64"

Description: Specify the number of instances of a GitHub Action runner to install on a single virtual machine instance.

Type: string

Default: "5"

Description: A map of GitHub environments used to create federated identity credentials (OpenID Connect) for the Launchpad identity.

Type: map(string)

Default:

{
  "prod-azure": "prod-azure",
  "prod-azure-plan": "prod-azure (plan)"
}

Description: Set to true to allocate a public IP address to each instance in the Virtual Machine Scale Set. This may be necessary to give the runners outbound internet access (they must reach GitHub) while no connection to a hub network is available; leave it false once hub connectivity exists.

Type: bool

Default: false

Description: An unprivileged user to run the Runner application. If this user does not exist on the system, a new user will be created.

Type: string

Default: "actions-runner"

Description: Set a specific GitHub action runner version (without the v in the version string) or use latest.

Type: string

Default: "latest"

Description: The number of VMs in the Virtual Machine Scale Set (VMSS).

Type: string

Default: 1

Description: The list of Service endpoints to associate with the subnet. Possible values include: Microsoft.AzureActiveDirectory, Microsoft.AzureCosmosDB, Microsoft.ContainerRegistry, Microsoft.EventHub, Microsoft.KeyVault, Microsoft.ServiceBus, Microsoft.Sql, Microsoft.Storage, Microsoft.Storage.Global and Microsoft.Web.

NOTE: In order to use Microsoft.Storage.Global service endpoint (which allows access to virtual networks in other regions), you must enable the AllowGlobalTagsForStorage feature in your subscription. This is currently a preview feature, please see the official documentation for more information.

Type: list(string)

Default:

[
  "Microsoft.KeyVault",
  "Microsoft.Storage"
]

Description: A list of subscription IDs that the Launchpad will manage. Each must be exactly 36 characters long (a GUID).

Type: list(string)

Default: []

Description: A mapping of tags which should be assigned to all resources in this module.

Type: map(string)

Default: {}

Outputs

The following outputs are exported:

Description: The client ID of the user-assigned managed identity assigned to the Launchpad.

Description: The storage account name used by the Launchpad for the Terraform state backend.

Description: The tenant ID of the user-assigned managed identity assigned to the Launchpad.

Description: The private IP address of the private endpoint used by the Key Vault.

Description: The ID of the Azure Network Security Group (NSG) associated with the Launchpad.

Description: The name of the Azure Network Security Group (NSG) associated with the Launchpad.

Description: The ID of the subnet within the Virtual Network, associated with the Launchpad production environment.

Description: The name of the subnet within the Virtual Network, associated with the Launchpad production environment.

Description: The ID of the Azure Virtual Network (VNet) associated with the Launchpad.

Description: The name of the Azure Virtual Network (VNet) associated with the Launchpad.