Note
This repository is publicly accessible as part of our open-source initiative. We welcome contributions from the community alongside our organization's primary development efforts.
This module provisions all essential infrastructure components within an Azure tenant to enable secure, automated management using Terraform and GitHub. It sets up a GitHub private runner, a Terraform state storage account, and other key resources necessary for fully automated Terraform deployments. The module is designed to adhere to security best practices throughout the process.
The IaC Launchpad is a collection of essential Azure resources required for managing Terraform deployments via Cloudeteer GitHub Actions. The term “Launchpad” draws an analogy to rocket science, emphasizing the foundational role it plays.
This example demonstrates how to deploy the Launchpad in a default scenario.
The two variables, `runner_github_pat` and `runner_github_repo`, should be set at runtime during deployment using the environment variables `TF_VAR_runner_github_pat` and `TF_VAR_runner_github_repo`.
```hcl
# The variable names must match the TF_VAR_* environment variables named above
# (TF_VAR_runner_github_pat populates var.runner_github_pat).
variable "runner_github_pat" {
  type      = string
  sensitive = true # keep the PAT out of plan output and logs
}

variable "runner_github_repo" {
  type = string
}

resource "azurerm_resource_group" "example" {
  location = "germanywestcentral"
  name     = "rg-example-dev-gwc-01"
}

module "example" {
  source = "cloudeteer/launchpad/azurerm"

  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  runner_github_pat  = var.runner_github_pat
  runner_github_repo = var.runner_github_repo

  virtual_network_address_space = ["10.0.0.0/16"]
  subnet_address_prefixes       = ["10.0.2.0/24"]
  management_group_names        = ["mg-example"]
}
```
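Once the Launchpad is deployed, a repository workflow can plan and apply on the private runner using the federated identity instead of stored credentials. The following workflow is an added example, not part of the module; it assumes the root module declares an empty `backend "azurerm" {}` block, that the GitHub repository variables `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID` and `TFSTATE_STORAGE_ACCOUNT` were filled from the module outputs, and that the container and state key are placeholders to replace.

```yaml
# Added example workflow (not part of this module). Environment names match the
# module's default federated identity mapping: "prod-azure (plan)" and "prod-azure".
name: terraform

on:
  pull_request:
  push:
    branches: [main]

permissions:
  id-token: write   # needed to request the OIDC token exchanged for the identity
  contents: read

env:
  ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}             # module output: identity client ID
  ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}             # module output: identity tenant ID
  ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
  ARM_USE_OIDC: "true"      # provider and backend authenticate with the federated token
  ARM_USE_AZUREAD: "true"   # state access via Entra ID RBAC, no storage account keys

jobs:
  plan:
    runs-on: self-hosted                 # the VMSS runner registered by the module
    environment: prod-azure (plan)       # federated credential subject for plans
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: >
          terraform init -input=false
          -backend-config="resource_group_name=rg-example-dev-gwc-01"
          -backend-config="storage_account_name=${{ vars.TFSTATE_STORAGE_ACCOUNT }}"
          -backend-config="container_name=<CONTAINER_PLACEHOLDER>"
          -backend-config="key=<STATE_KEY_PLACEHOLDER>.tfstate"
      - run: terraform plan -input=false

  apply:
    needs: plan
    if: github.ref == 'refs/heads/main'
    runs-on: self-hosted
    environment: prod-azure              # protect this environment with required reviewers
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: >
          terraform init -input=false
          -backend-config="resource_group_name=rg-example-dev-gwc-01"
          -backend-config="storage_account_name=${{ vars.TFSTATE_STORAGE_ACCOUNT }}"
          -backend-config="container_name=<CONTAINER_PLACEHOLDER>"
          -backend-config="key=<STATE_KEY_PLACEHOLDER>.tfstate"
      - run: terraform apply -input=false -auto-approve
```

Because both environments are separate federated credentials, the identity can only be obtained by jobs bound to those environments, so environment protection rules (required reviewers, branch restrictions) gate who can reach the apply path.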
The following providers are used by this module:
The following resources are used by this module:
- azurerm_federated_identity_credential.this (resource)
- azurerm_key_vault.this (resource)
- azurerm_key_vault_secret.virtual_machine_scale_set_admin_password (resource)
- azurerm_linux_virtual_machine_scale_set.this (resource)
- azurerm_management_lock.storage_account_lock (resource)
- azurerm_network_security_group.this (resource)
- azurerm_private_endpoint.key_vault (resource)
- azurerm_private_endpoint.storage_account (resource)
- azurerm_role_assignment.key_vault_admin_current_user (resource)
- azurerm_role_assignment.management_group_owner (resource)
- azurerm_role_assignment.resource_specific (resource)
- azurerm_role_assignment.storage_account_blob_owner_current_user (resource)
- azurerm_role_assignment.subscription_owner (resource)
- azurerm_storage_account.this (resource)
- azurerm_storage_container.this (resource)
- azurerm_subnet.this (resource)
- azurerm_subnet_network_security_group_association.this (resource)
- azurerm_user_assigned_identity.this (resource)
- azurerm_virtual_network.this (resource)
- random_password.virtual_machine_scale_set_admin_password (resource)
- random_string.kvlaunchpadprd_suffix (resource)
- random_string.stlaunchpadprd_suffix (resource)
- azurerm_client_config.current (data source)
- azurerm_management_group.managed_by_launchpad (data source)
- azurerm_subscription.managed_by_launchpad (data source)
The following input variables are required:
Description: The geographic location where the resources will be deployed. This must be a region name supported by Azure.
Type: string
Description: The name of the resource group in which the virtual machine should exist. Changing this forces a new resource to be created.
Type: string
Description: GitHub PAT that will be used to register GitHub Action Runner tokens.
Type: string
Description: Specify the GitHub repository owner and name separated by `/` to register the action runner, e.g. cloudeteer/squad-customer.
Type: string
Description: A list of IP address prefixes (CIDR blocks) to be assigned to the subnet. Each entry in the list represents a CIDR block used to define the address space of the subnet within the virtual network.
Type: list(string)
Description: A list of IP address ranges to be assigned to the virtual network (VNet). Each entry in the list represents a CIDR block used to define the address space of the VNet.
Type: list(string)
The following input variables are optional (have default values):
Description: Used to initialize the module itself for the first time. For more information, see https://github.com/cloudeteer/terraform-azurerm-launchpad/blob/main/INSTALL.md
Type: bool
Default: false
Description: Set the Azure Principal ID which will be given access to the storage account and key vault.
NOTE: This is only required when `init` is set to `true`.
Type: string
Default: null
Description: Set your current public IP address in order to access the newly created resources. For more information, see https://github.com/cloudeteer/terraform-azurerm-launchpad/blob/main/INSTALL.md
Type: string
Default: null
Description: A list of DNS Zone IDs in which the Private Endpoint of the Key Vault will be registered.
Type: list(string)
Default: []
Description: A list of Subnet IDs that are allowed to access the Key Vault used by the Launchpad.
Type: list(string)
Default: []
Description: A list of management group names in which the Launchpad is granted the Owner role.
Type: list(string)
Default: []
Description: The base name applied to all resources created by this module.
Type: string
Default: "launchpad"
Description: An optional suffix appended to the base name for all resources created by this module.
NOTE: This suffix is not applied to resources that use a randomly generated suffix (e.g., Key Vault and Storage Account).
Type: string
Default: null
Description: The CPU architecture to run the GitHub actions runner. Can be `x64` or `arm64`.
Type: string
Default: "arm64"
Description: Specify the number of instances of a GitHub Action runner to install on a single virtual machine instance.
Type: string
Default: "5"
Description: Map of GitHub environments used by the federated identity credential.
Type: map(string)
Default:
{
"prod-azure": "prod-azure",
"prod-azure-plan": "prod-azure (plan)"
}
Description: Set the value of this variable to `true` if you want to allocate a public IP address to each instance within the Virtual Machine Scale Set. Enabling this option may be necessary to establish internet access when a direct connection to a HUB is currently unavailable.
Type: bool
Default: false
Description: An unprivileged user to run the Runner application. If this user does not exist on the system, a new user will be created.
Type: string
Default: "actions-runner"
Description: Set a specific GitHub action runner version (without the `v` in the version string) or use `latest`.
Type: string
Default: "latest"
Description: Set the number of VMs in the Virtual Machine Scale Set (VMSS). (Default '1')
Type: string
Default: 1
Description: The list of Service endpoints to associate with the subnet. Possible values include: `Microsoft.AzureActiveDirectory`, `Microsoft.AzureCosmosDB`, `Microsoft.ContainerRegistry`, `Microsoft.EventHub`, `Microsoft.KeyVault`, `Microsoft.ServiceBus`, `Microsoft.Sql`, `Microsoft.Storage`, `Microsoft.Storage.Global` and `Microsoft.Web`.
NOTE: In order to use the `Microsoft.Storage.Global` service endpoint (which allows access to virtual networks in other regions), you must enable the `AllowGlobalTagsForStorage` feature in your subscription. This is currently a preview feature; please see the official documentation for more information.
Type: list(string)
Default:
[
"Microsoft.KeyVault",
"Microsoft.Storage"
]
Description: A list of subscription IDs which the Launchpad will manage. Each must be exactly 36 characters long.
Type: list(string)
Default: []
Description: A mapping of tags which should be assigned to all resources in this module.
Type: map(string)
Default: {}
The following outputs are exported:
Description: The client ID of the Azure user identity assigned to the Launchpad.
Description: The storage account name used by the Launchpad for the Terraform state backend.
Description: The tenant ID of the Azure user identity assigned to the Launchpad.
Description: The private IP address of the private endpoint used by the Key Vault.
Description: The ID of the Azure Network Security Group (NSG) associated with the Launchpad.
Description: The name of the Azure Network Security Group (NSG) associated with the Launchpad.
Description: The ID of the subnet within the Virtual Network, associated with the Launchpad production environment.
Description: The name of the subnet within the Virtual Network, associated with the Launchpad production environment.
Description: The ID of the Azure Virtual Network (VNet) associated with the Launchpad.
Description: The name of the Azure Virtual Network (VNet) associated with the Launchpad.