Bring Azure into line with AWS for cloudaccess variables
mrsheepuk committed Nov 6, 2023
1 parent 7d24d54 commit 2d959f9
Showing 6 changed files with 32 additions and 20 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -84,6 +84,8 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
| <a name="input_dns_zone_name"></a> [dns\_zone\_name](#input\_dns\_zone\_name) | The name of the Azure DNS zone to use. | `string` | n/a | yes |
| <a name="input_enable_k8s_resources"></a> [enable\_k8s\_resources](#input\_enable\_k8s\_resources) | Whether to enable the creation of Kubernetes resources for Wayfinder (helm and kubectl manifest deployments) | `bool` | `true` | no |
| <a name="input_enable_wf_cloudaccess"></a> [enable\_wf\_cloudaccess](#input\_enable\_wf\_cloudaccess) | Whether to configure CloudIdentity and admin CloudAccessConfig resources in Wayfinder once installed (requires enable\_k8s\_resources) | `bool` | `true` | no |
| <a name="input_enable_wf_costestimates"></a> [enable\_wf\_costestimates](#input\_enable\_wf\_costestimates) | Whether to configure admin CloudAccessConfig for cost estimates in the account Wayfinder is installed in once installed (requires enable\_k8s\_resources and enable\_wf\_cloudaccess) | `bool` | `true` | no |
| <a name="input_enable_wf_dnszonemanager"></a> [enable\_wf\_dnszonemanager](#input\_enable\_wf\_dnszonemanager) | Whether to configure admin CloudAccessConfig for DNS zone management in the account Wayfinder is installed in once installed (requires enable\_k8s\_resources and enable\_wf\_cloudaccess) | `bool` | `false` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | The environment in which the resources are deployed. | `string` | `"production"` | no |
| <a name="input_location"></a> [location](#input\_location) | The Azure region to use. | `string` | `"uksouth"` | no |
| <a name="input_private_dns_zone_id"></a> [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id) | Private DNS zone to use for private clusters | `string` | `null` | no |
16 changes: 8 additions & 8 deletions examples/complete/keyvault.tf
Expand Up @@ -12,7 +12,7 @@ resource "azurerm_key_vault" "kv" {
purge_protection_enabled = true
enable_rbac_authorization = true
public_network_access_enabled = false

network_acls {
default_action = "Deny"
bypass = "AzureServices"
Expand All @@ -22,10 +22,10 @@ resource "azurerm_key_vault" "kv" {
}

resource "azurerm_role_assignment" "kv" {
count = var.clusterissuer == "keyvault" && var.cert_manager_keyvault_name == null ? 1 : 0
scope = azurerm_key_vault.kv[0].id
count = var.clusterissuer == "keyvault" && var.cert_manager_keyvault_name == null ? 1 : 0
scope = azurerm_key_vault.kv[0].id
role_definition_name = "Key Vault Administrator"
principal_id = data.azurerm_client_config.current.object_id
principal_id = data.azurerm_client_config.current.object_id
}

resource "azurerm_private_endpoint" "kv" {
Expand All @@ -44,8 +44,8 @@ resource "azurerm_private_endpoint" "kv" {
}

private_dns_zone_group {
name = azurerm_key_vault.kv[0].name
private_dns_zone_ids = [replace(var.private_dns_zone_id, "/[^\\/]*$/", "privatelink.vaultcore.azure.net")]
name = azurerm_key_vault.kv[0].name
private_dns_zone_ids = [replace(var.private_dns_zone_id, "/[^\\/]*$/", "privatelink.vaultcore.azure.net")]
}

tags = var.tags
Expand Down Expand Up @@ -85,7 +85,7 @@ resource "azurerm_key_vault_certificate" "root" {
contents = "${tls_self_signed_cert.root[0].cert_pem}${tls_private_key.root[0].private_key_pem_pkcs8}"
}

depends_on = [ azurerm_private_endpoint.kv, azurerm_role_assignment.kv ]
depends_on = [azurerm_private_endpoint.kv, azurerm_role_assignment.kv]
}

resource "tls_private_key" "signing" {
Expand Down Expand Up @@ -129,5 +129,5 @@ resource "azurerm_key_vault_certificate" "signing" {
contents = "${tls_locally_signed_cert.signing[0].cert_pem}${tls_private_key.signing[0].private_key_pem_pkcs8}"
}

depends_on = [ azurerm_private_endpoint.kv, azurerm_role_assignment.kv ]
depends_on = [azurerm_private_endpoint.kv, azurerm_role_assignment.kv]
}
6 changes: 3 additions & 3 deletions modules/cloudaccess/README.md
Expand Up @@ -51,9 +51,9 @@ No modules.
| <a name="input_create_duration_delay"></a> [create\_duration\_delay](#input\_create\_duration\_delay) | Used to tune terraform apply when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after creation of the specified resource type. | <pre>object({<br> azurerm_role_definition = optional(string, "30s")<br> })</pre> | `{}` | no |
| <a name="input_destroy_duration_delay"></a> [destroy\_duration\_delay](#input\_destroy\_duration\_delay) | Used to tune terraform destroy when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after destruction of the specified resource type. | <pre>object({<br> azurerm_role_definition = optional(string, "0s")<br> })</pre> | `{}` | no |
| <a name="input_enable_cloud_info"></a> [enable\_cloud\_info](#input\_enable\_cloud\_info) | Whether to create the Cloud Info IAM Role | `bool` | `false` | no |
| <a name="input_enable_cluster_manager"></a> [enable\_cluster\_manager](#input\_enable\_cluster\_manager) | Whether to create the Cluster Manager IAM Role | `bool` | `true` | no |
| <a name="input_enable_dns_zone_manager"></a> [enable\_dns\_zone\_manager](#input\_enable\_dns\_zone\_manager) | Whether to create the DNS Zone Manager IAM Role | `bool` | `true` | no |
| <a name="input_enable_network_manager"></a> [enable\_network\_manager](#input\_enable\_network\_manager) | Whether to create the Network Manager IAM Role | `bool` | `true` | no |
| <a name="input_enable_cluster_manager"></a> [enable\_cluster\_manager](#input\_enable\_cluster\_manager) | Whether to create the Cluster Manager IAM Role | `bool` | `false` | no |
| <a name="input_enable_dns_zone_manager"></a> [enable\_dns\_zone\_manager](#input\_enable\_dns\_zone\_manager) | Whether to create the DNS Zone Manager IAM Role | `bool` | `false` | no |
| <a name="input_enable_network_manager"></a> [enable\_network\_manager](#input\_enable\_network\_manager) | Whether to create the Network Manager IAM Role | `bool` | `false` | no |
| <a name="input_from_aws"></a> [from\_aws](#input\_from\_aws) | Whether Wayfinder is running on AWS. | `bool` | `false` | no |
| <a name="input_from_azure"></a> [from\_azure](#input\_from\_azure) | Whether Wayfinder is running on Azure. | `bool` | `true` | no |
| <a name="input_from_gcp"></a> [from\_gcp](#input\_from\_gcp) | Whether Wayfinder is running on GCP. | `bool` | `false` | no |
6 changes: 3 additions & 3 deletions modules/cloudaccess/variables.tf
Expand Up @@ -53,19 +53,19 @@ variable "region" {
}

variable "enable_cluster_manager" {
default = true
default = false
description = "Whether to create the Cluster Manager IAM Role"
type = bool
}

variable "enable_dns_zone_manager" {
default = true
default = false
description = "Whether to create the DNS Zone Manager IAM Role"
type = bool
}

variable "enable_network_manager" {
default = true
default = false
description = "Whether to create the Network Manager IAM Role"
type = bool
}
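Review bot: Flipping the defaults of `enable_cluster_manager`, `enable_dns_zone_manager` and `enable_network_manager` from `true` to `false` is a behaviour change for any other caller of this module that relied on the old defaults: on their next apply the corresponding role definitions (presumably the azurerm_role_definition resources the create/destroy delay variables refer to) will be destroyed unless the caller now sets the variable explicitly. The description strings are unchanged, do not mention the new default, and still use the AWS wording "IAM Role" in an Azure module. I would state the default and the Azure resource in each description, e.g. `description = "Whether to create the Cluster Manager role definition (off by default; enable only for installations that need it)"`, and do the same for the other two variables in this hunk. The default change itself is the least-privilege direction and worth keeping, but it should be called out in the commit message or changelog as a breaking change for module consumers.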
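--- a/variables.tf
+++ b/variables.tf
@@ -175,6 +175,18 @@ variable "enable_wf_cloudaccess" {
 default = true
 }
 
+variable "enable_wf_costestimates" {
+description = "Whether to configure admin CloudAccessConfig for cost estimates in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess)"
+type = bool
+default = true
+}
+
+variable "enable_wf_dnszonemanager" {
+description = "Whether to configure admin CloudAccessConfig for DNS zone management in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess)"
+type = bool
+default = false
+}
+
 variable "environment" {
 description = "The environment in which the resources are deployed."
 type = string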
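Review bot: `enable_wf_dnszonemanager` defaults to `false`, whereas the module call in wayfinder-cloudaccess.tf previously set `enable_dns_zone_manager = true` unconditionally, so an existing installation that upgrades without opting in will have its DNS zone manager role and the matching admin CloudAccessConfig removed. That is the right least-privilege default, but the description should say it is opt-in and name the upgrade consequence, e.g. append `(opt-in; previously always enabled, so existing installations must set this to true to keep DNS zone management)` to the description. The stated requirement on `enable_k8s_resources` and `enable_wf_cloudaccess` is also not enforced anywhere: when either is false the gated resources simply get `count = 0`, so setting this variable to true with cloudaccess disabled produces no error and no DNS zone manager. Since a `validation` block cannot reference other variables in older Terraform versions, a sentence in the description such as `Ignored unless enable_k8s_resources and enable_wf_cloudaccess are both true` is the practical fix; the same applies to `enable_wf_costestimates`.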
10 changes: 4 additions & 6 deletions wayfinder-cloudaccess.tf
Expand Up @@ -8,10 +8,8 @@ module "wayfinder_azure_cloudaccess" {
create_duration_delay = { azurerm_role_definition = var.create_duration_delay.azurerm_role_definition }
destroy_duration_delay = { azurerm_role_definition = var.destroy_duration_delay.azurerm_role_definition }

enable_dns_zone_manager = true
enable_cloud_info = true
enable_cluster_manager = false
enable_network_manager = false
enable_dns_zone_manager = var.enable_wf_dnszonemanager
enable_cloud_info = var.enable_wf_costestimates
}

resource "kubectl_manifest" "wayfinder_cloud_identity_main" {
Expand All @@ -28,7 +26,7 @@ resource "kubectl_manifest" "wayfinder_cloud_identity_main" {
}

resource "kubectl_manifest" "wayfinder_azure_cloudinfo_cloudaccessconfig" {
count = var.enable_k8s_resources && var.enable_wf_cloudaccess ? 1 : 0
count = var.enable_k8s_resources && var.enable_wf_cloudaccess && var.enable_wf_costestimates ? 1 : 0
depends_on = [time_sleep.after_kubectl_manifest_cloud_identity]

yaml_body = templatefile("${path.module}/manifests/wayfinder-azure-cloudinfo-cloudaccessconfig.yml.tpl", {
Expand All @@ -40,7 +38,7 @@ resource "kubectl_manifest" "wayfinder_azure_cloudinfo_cloudaccessconfig" {
}

resource "kubectl_manifest" "wayfinder_azure_dnszonemanagement_cloudaccessconfig" {
count = var.enable_k8s_resources && var.enable_wf_cloudaccess ? 1 : 0
count = var.enable_k8s_resources && var.enable_wf_cloudaccess && var.enable_wf_dnszonemanager ? 1 : 0
depends_on = [time_sleep.after_kubectl_manifest_cloud_identity]

yaml_body = templatefile("${path.module}/manifests/wayfinder-azure-dnszonemanagement-cloudaccessconfig.yml.tpl", {
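Review bot: In the `module "wayfinder_azure_cloudaccess"` block, which starts above the first hunk, the explicit `enable_cluster_manager = false` and `enable_network_manager = false` lines are dropped and the root module now relies on the submodule's new `false` defaults from modules/cloudaccess/variables.tf. That ties the install account's least-privilege posture to a default defined elsewhere: if the module source is ever pinned to an older version or the defaults change again, cluster-manager and network-manager access would be created here without any change to this file. I would keep the two lines explicit, `enable_cluster_manager = false` and `enable_network_manager = false`, with a comment `# admin cloud access in the install account is limited to cost estimates and opt-in DNS zone management` so the intent is visible at the call site. The two `count` changes in the later hunks gate the CloudAccessConfig manifests on the same variables the module receives, so the Kubernetes side and the Azure role side stay consistent; that part looks correct.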
