Paul K space : IaC Management Subscription

  • clone the repository and make updates to resources here
  • PR and Merge to apply changes
    • Management Subscription, Remote State Backend
    • Management Networking
    • EA Subscriptions in either continohq or squad0
      • Enable/Disable Budget
      • Create Subscription Owner SP
      • Create Subscription GH Repo with linked SP
    • Vend Additional Service Principals or Users and assign roles
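The "Subscription Owner SP" and "GH Repo with linked SP" items above are where a long-lived secret most often leaks into a repo. The block below is an added example (not the project's own vending module, whose source is not on this page) of vending a subscription-scoped service principal for a GitHub repository with a federated OIDC credential instead of a client secret. The org/repo name, the subscription ID and the azuread/azurerm provider versions are assumed placeholders, and it deliberately grants Contributor rather than the Owner role the page mentions, so the workflow cannot widen its own access.

```hcl
# Added example: vend a deployer SP for one GitHub repo without any stored secret.
# Assumptions: azuread ~> 2.47 attribute names, placeholder repo and subscription ID.

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.47"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"
    }
  }
}

provider "azuread" {}

provider "azurerm" {
  features {}
}

variable "github_repo" {
  description = "owner/repo that will deploy into the subscription (placeholder)"
  type        = string
  default     = "example-org/example-landing-zone"
}

variable "target_subscription_id" {
  description = "Subscription the SP may deploy into (placeholder GUID)"
  type        = string
  default     = "00000000-0000-0000-0000-000000000000"
}

resource "azuread_application" "deployer" {
  display_name = "sp-${replace(var.github_repo, "/", "-")}"
}

resource "azuread_service_principal" "deployer" {
  application_id = azuread_application.deployer.application_id
}

# Trust only tokens minted by GitHub Actions for this repo's main branch.
# No password or certificate is created, so there is nothing to rotate or leak.
resource "azuread_application_federated_identity_credential" "github_main" {
  application_object_id = azuread_application.deployer.object_id
  display_name          = "github-main"
  audiences             = ["api://AzureADTokenExchange"]
  issuer                = "https://token.actions.githubusercontent.com"
  subject               = "repo:${var.github_repo}:ref:refs/heads/main"
}

# Scope the role to the single subscription. Contributor (not Owner) means the
# pipeline can create resources but cannot hand out further role assignments.
resource "azurerm_role_assignment" "deployer" {
  scope                = "/subscriptions/${var.target_subscription_id}"
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.deployer.object_id
}

# Everything the repo needs is a plain variable; none of these values is secret.
output "github_variables" {
  value = {
    AZURE_CLIENT_ID       = azuread_application.deployer.application_id
    AZURE_TENANT_ID       = azuread_service_principal.deployer.application_tenant_id
    AZURE_SUBSCRIPTION_ID = var.target_subscription_id
  }
}
```

The `subject` string is the control point: restricting it to `ref:refs/heads/main` (or to a named GitHub environment) means a token from a feature branch or a fork is rejected by Azure AD before any role is evaluated.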

Changes merged into main and applied are validated and delivered into appropriate resource allocations

  • DevTest deliver into Squad0 Tenant

  • Production deliver into continoHQ Tenant


Contino users will be automatically added to and removed from the tenant depending on whether they have any resources under squad0

Azure Practice 2.0 is intended to be managed via IaC methods only - make manual changes at your own risk

A central management subscription and its associated resources are essential for delivering a robust IaC platform - they provide the backend resources used to deploy Landing Zones and any custom application landing zones developed later

Management Subscription

mgmt_azure_practice_automation subscription - simple EA subscription

When we deliver an automated service, this common platform holds its state. It is intended to be the single point from which engineering deployments are managed, and provides the following components

  • backend Terraform storage
  • centralised logging
  • management network
  • service principal vending

Control Plane

The control plane is what lets the IaC resources work together cohesively - it holds the management tooling and is the home for automation

  • backend storage
  • secret management

and when additional components are added, there will be resources such as

  • azure automation accounts for scheduled processing
  • monitoring for automations
  • reporting for automation resources created

Resource Group

control_plane group containing all remote backend resources for terraform

Storage Account

storage account

Storage Containers

container for each backend type

KeyVault

TBC


Delivery

Delivering the Management Subscription and Components via Terraform

Preparation

To deliver the resources here, your Portal account needs permission to create an EA Subscription via the primary billing account

The initial steps, which have already been completed in delivering the practice management subscription, are as below

git clone git@github.com:contino/azure_practice_management_iac_poc.git

Management Subscription

cd azure_practice_management_iac_poc/mgmtsub
terraform init
terraform apply -auto-approve

this code will

  • create the subscription

  • pre-populate and create provider.tf files for this module and the other modules, setting the new subscription as their target

Because it creates the subscription that every later module targets, this step is a standalone, manual, one-off run

provider "azurerm" {
  features {}
  skip_provider_registration = false
  storage_use_azuread        = true

  subscription_id = "2425180b-d8a9-491c-94f0-f6d9b4e035be"
}
module
module "ea_subscription" {
  source = "../../subscription/"

  billing_account           = "87561154"
  enrollment_account        = "311200"
  user_email                = "paul.kelleher@contino.io"
  subscription_display_name = "mgmt_azure_practice_automation"
  containers                = ["mgmtsub", "mgmtcp", "mgmtnet", "mgmtsvcs"]
}

output "subscription_id" {
  value = module.ea_subscription.subscription_id
}

# Writes the provider file for the control-plane module so it targets the new subscription
resource "local_file" "mgmt" {
  filename = "../mgmtcp/provisioner.tf"
  content  = <<EOT
provider "azurerm" {
  features {}
  skip_provider_registration = false
  storage_use_azuread        = true

  subscription_id = "${module.ea_subscription.subscription_id}"
}
EOT

  depends_on = [module.ea_subscription]
}

Management Control Plane

Following the initial subscription setup, this deployment runs against the new subscription to create its resources

cd azure_practice_management_iac_poc/mgmtcp
terraform init
terraform apply -auto-approve

this code will

  • create the Terraform remote backend storage components

  • pre-populate backend.tf files for each section so we can

    • import the subscription and control plane backend

    • use the backend for future deployments

terraform {
  backend "azurerm" {
    subscription_id      = "2425180b-d8a9-491c-94f0-f6d9b4e035be"
    resource_group_name  = "mgmt-rg"
    storage_account_name = "mgmtstwa6k"
    container_name       = "mgmtcp"
    key                  = "dev.tfstate"
  }
}
module
module "control_plane" {
  source="../../control_plane"

  resource_group_name   = module.naming.resource_group.name
  location              = module.metadata.location
  storage_account_name  = module.naming.storage_account.name_unique
  containers            = ["mgmtsub", "mgmtcp", "mgmtnet", "mgmtsvcs"]

}
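The remote state written by the backend above contains every subscription ID, resource ID and any value the modules output, so who can read the storage account matters as much as the backend itself. The block below is an added example (not the project's control_plane module, whose source is not shown on this page) of the hardened shape that module should produce: a state storage account with account keys disabled so only RBAC principals can reach the data plane, blob versioning so a bad apply can be rolled back, and a backend block that authenticates with an Azure AD token rather than a key. The resource group, storage account name, location, subscription ID and the operator object ID are assumed placeholders.

```hcl
# Added example: hardened remote-state storage and a key-less backend block.
# Assumptions: placeholder names/IDs, azurerm ~> 3.100 attribute names.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"
    }
  }

  # backend.tf in practice: written after the first local apply, then migrated
  # with `terraform init -migrate-state` exactly as the next section shows.
  backend "azurerm" {
    subscription_id      = "00000000-0000-0000-0000-000000000000" # placeholder
    resource_group_name  = "mgmt-rg"
    storage_account_name = "mgmtstexample"
    container_name       = "mgmtcp"
    key                  = "dev.tfstate"
    use_azuread_auth     = true # RBAC token, not the (disabled) account key
  }
}

provider "azurerm" {
  features {}
  # The provider talks to the blob data plane with Azure AD tokens, which is
  # what allows shared_access_key_enabled = false below to work at all.
  storage_use_azuread = true
}

variable "state_operators_object_id" {
  description = "Object ID of the group or SP that runs terraform (placeholder)"
  type        = string
}

resource "azurerm_resource_group" "state" {
  name     = "mgmt-rg"
  location = "uksouth"
}

resource "azurerm_storage_account" "state" {
  name                     = "mgmtstexample"
  resource_group_name      = azurerm_resource_group.state.name
  location                 = azurerm_resource_group.state.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  min_tls_version                 = "TLS1_2"
  shared_access_key_enabled       = false # no account keys or SAS tokens: RBAC only
  allow_nested_items_to_be_public = false # a container can never be made anonymous
  public_network_access_enabled   = true  # add network_rules once runners have fixed egress

  blob_properties {
    versioning_enabled = true # every state write is retained and can be restored
    delete_retention_policy {
      days = 30
    }
  }
}

# One container per backend, matching the page's container list.
resource "azurerm_storage_container" "backend" {
  for_each              = toset(["mgmtsub", "mgmtcp", "mgmtnet", "mgmtsvcs"])
  name                  = each.key
  storage_account_name  = azurerm_storage_account.state.name
  container_access_type = "private"
}

# Data-plane access is a role assignment, not a key. Scope it to the account,
# or to individual containers if different teams own different backends.
resource "azurerm_role_assignment" "state_writers" {
  scope                = azurerm_storage_account.state.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.state_operators_object_id
}
```

With `shared_access_key_enabled = false`, a leaked connection string is useless and every state read or write shows up in the storage account's data-plane logs against a named principal, which is the audit trail you want for a file that can contain secrets.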


Remote Backend migration

With the infrastructure now in place for a remote backend, and our previous stages pre-populating new backend.tf files for us, we can now re-init the backends to transfer the state up to azure

terraform commands
cd ../mgmtsub
terraform init -migrate-state   

Initializing the backend...
Do you want to copy existing state to the new backend?
  Pre-existing state was found while migrating the previous "local" backend to the
  newly configured "azurerm" backend. No existing state was found in the newly
  configured "azurerm" backend. Do you want to copy this state to the new "azurerm"
  backend? Enter "yes" to copy and "no" to start with an empty state.

  Enter a value: yes

cd ../mgmtcp
terraform init -migrate-state   

Initializing the backend...
Do you want to copy existing state to the new backend?
  Pre-existing state was found while migrating the previous "local" backend to the
  newly configured "azurerm" backend. No existing state was found in the newly
  configured "azurerm" backend. Do you want to copy this state to the new "azurerm"
  backend? Enter "yes" to copy and "no" to start with an empty state.

  Enter a value: yes

For the initial push, the aim was to get an MVP working so I had a framework for deploying Azure EA Subs via automation - so next steps will be added on priority

Management Networking