feat: remote state

README.md

@@ -11,6 +11,7 @@ A collection of Azure resources ready to be used with [Humanitec](https://humani
 The following resources are included:
 
 * [azure-blob/basic](./humanitec-resource-defs/azure-blob/basic): Basic Azure Storage Blob Container.
+  * This example also show-cases how to configure a [Terraform Backend](https://developer.humanitec.com/integration-and-extensions/drivers/generic-drivers/terraform/).
 * [azure-blob/delegator](./humanitec-resource-defs/azure-blob/delegator): Echo Azure Storage Blob Container output and co-provision role definition.
 * [azure-federated-identity/basic](./humanitec-resource-defs/azure-federated-identity/basic): Basic Azure Federated Identity for bounding K8s Service Account with Azure Managed Entity.
 * [azure-managed-identity/basic](./humanitec-resource-defs/azure-managed-identity/basic): Basic Azure managed identity.

examples/blob-storage/README.md

@@ -28,6 +28,7 @@ The workload service account will automatically be assigned the necessary Azure
 | azuread | ~> 2.47 |
 | azurerm | ~> 3.91 |
 | humanitec | ~> 1.0 |
+| random | ~> 3.6 |
 
 ## Providers
 
@@ -36,6 +37,7 @@ The workload service account will automatically be assigned the necessary Azure
 | azuread | ~> 2.47 |
 | azurerm | ~> 3.91 |
 | humanitec | ~> 1.0 |
+| random | ~> 3.6 |
 
 ## Modules
 
@@ -60,6 +62,8 @@ The workload service account will automatically be assigned the necessary Azure
 | [azuread_service_principal.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
 | [azuread_service_principal_password.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password) | resource |
 | [azurerm_role_assignment.resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_storage_account.tfstate](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource |
+| [azurerm_storage_container.tfstate](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
 | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
 | [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
 | [humanitec_resource_definition_criteria.blob_storage](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
@@ -72,6 +76,7 @@ The workload service account will automatically be assigned the necessary Azure
 | [humanitec_resource_definition_criteria.role_definition_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.role_definition_reader](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [random_string.storage_account_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 
 ## Inputs

examples/blob-storage/main.tf

@@ -17,7 +17,7 @@ resource "azuread_service_principal_password" "humanitec_provisioner" {
 
 resource "azurerm_role_assignment" "resource_group" {
   scope                = data.azurerm_resource_group.main.id
-  role_definition_name = "Contributor"
+  role_definition_name = "Owner"
   principal_id         = azuread_service_principal.humanitec_provisioner.object_id
 }
 
@@ -32,6 +32,11 @@ resource "humanitec_resource_account" "humanitec_provisioner" {
     "password" : azuread_service_principal_password.humanitec_provisioner.value,
     "tenant" : azuread_service_principal.humanitec_provisioner.application_tenant_id
   })
+
+  depends_on = [
+    # Otherwise the account looses permissions before the resources are deleted
+    azurerm_role_assignment.resource_group
+  ]
 }
 
 # Example application and resource definition criteria
@@ -64,6 +69,7 @@ module "blob_storage" {
   resource_packs_azure_url = var.resource_packs_azure_url
   resource_packs_azure_rev = var.resource_packs_azure_rev
   append_logs_to_error     = true
+  terraform_state          = local.terraform_state
   driver_account           = humanitec_resource_account.humanitec_provisioner.id
   subscription_id          = var.subscription_id
   resource_group_name      = var.resource_group_name
@@ -78,6 +84,8 @@ resource "humanitec_resource_definition_criteria" "blob_storage" {
   resource_definition_id = module.blob_storage.id
   app_id                 = humanitec_application.example.id
   class                  = local.blob_storage_basic_class
+
+  force_delete = true
 }
 
 // Admin shared
@@ -95,6 +103,8 @@ resource "humanitec_resource_definition_criteria" "blob_storage_admin" {
   resource_definition_id = module.blob_storage_admin.id
   app_id                 = humanitec_application.example.id
   class                  = local.blob_storage_admin_class
+
+  force_delete = true
 }
 
 module "role_definition_admin" {
@@ -110,6 +120,8 @@ resource "humanitec_resource_definition_criteria" "role_definition_admin" {
   resource_definition_id = module.role_definition_admin.id
   app_id                 = humanitec_application.example.id
   class                  = local.blob_storage_admin_policy_class
+
+  force_delete = true
 }
 
 // Reader shared
@@ -127,6 +139,8 @@ resource "humanitec_resource_definition_criteria" "blob_storage_reader" {
   resource_definition_id = module.blob_storage_reader.id
   app_id                 = humanitec_application.example.id
   class                  = local.blob_storage_reader_class
+
+  force_delete = true
 }
 
 module "role_definition_reader" {
@@ -142,6 +156,8 @@ resource "humanitec_resource_definition_criteria" "role_definition_reader" {
   resource_definition_id = module.role_definition_reader.id
   app_id                 = humanitec_application.example.id
   class                  = local.blob_storage_reader_policy_class
+
+  force_delete = true
 }
 
 // Workload based
@@ -155,6 +171,8 @@ module "workload" {
 resource "humanitec_resource_definition_criteria" "workload" {
   resource_definition_id = module.workload.id
   app_id                 = humanitec_application.example.id
+
+  force_delete = true
 }
 
 module "k8s_service_account" {
@@ -166,6 +184,8 @@ module "k8s_service_account" {
 resource "humanitec_resource_definition_criteria" "k8s_service_account" {
   resource_definition_id = module.k8s_service_account.id
   app_id                 = humanitec_application.example.id
+
+  force_delete = true
 }
 
 module "federated_identity" {
@@ -174,6 +194,7 @@ module "federated_identity" {
   resource_packs_azure_url = var.resource_packs_azure_url
   resource_packs_azure_rev = var.resource_packs_azure_rev
   append_logs_to_error     = true
+  terraform_state          = local.terraform_state
   driver_account           = humanitec_resource_account.humanitec_provisioner.id
   subscription_id          = var.subscription_id
 
@@ -189,6 +210,8 @@ module "federated_identity" {
 resource "humanitec_resource_definition_criteria" "federated_identity" {
   resource_definition_id = module.federated_identity.id
   app_id                 = humanitec_application.example.id
+
+  force_delete = true
 }
 
 module "managed_identity" {
@@ -197,6 +220,7 @@ module "managed_identity" {
   resource_packs_azure_url = var.resource_packs_azure_url
   resource_packs_azure_rev = var.resource_packs_azure_rev
   append_logs_to_error     = true
+  terraform_state          = local.terraform_state
   driver_account           = humanitec_resource_account.humanitec_provisioner.id
   subscription_id          = var.subscription_id
 
@@ -207,6 +231,8 @@ module "managed_identity" {
 resource "humanitec_resource_definition_criteria" "managed_identity" {
   resource_definition_id = module.managed_identity.id
   app_id                 = humanitec_application.example.id
+
+  force_delete = true
 }
 
 module "role_assignment" {
@@ -215,6 +241,7 @@ module "role_assignment" {
   resource_packs_azure_url = var.resource_packs_azure_url
   resource_packs_azure_rev = var.resource_packs_azure_rev
   append_logs_to_error     = true
+  terraform_state          = local.terraform_state
   driver_account           = humanitec_resource_account.humanitec_provisioner.id
   subscription_id          = var.subscription_id
 
@@ -227,4 +254,6 @@ module "role_assignment" {
 resource "humanitec_resource_definition_criteria" "role_assignment" {
   resource_definition_id = module.role_assignment.id
   app_id                 = humanitec_application.example.id
+
+  force_delete = true
 }

examples/blob-storage/providers.tf

@@ -12,6 +12,10 @@ terraform {
       source  = "humanitec/humanitec"
       version = "~> 1.0"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.6"
+    }
   }
 
   required_version = ">= 1.3.0"

examples/blob-storage/state.tf

@@ -0,0 +1,33 @@
+# Resources required for the terraform backend
+# More details https://developer.humanitec.com/integration-and-extensions/drivers/generic-drivers/terraform/
+
+resource "random_string" "storage_account_suffix" {
+  length  = 12
+  special = false
+  upper   = false
+}
+
+resource "azurerm_storage_account" "tfstate" {
+  name                            = "humrp${random_string.storage_account_suffix.result}tfstate"
+  resource_group_name             = data.azurerm_resource_group.main.name
+  location                        = data.azurerm_resource_group.main.location
+  account_tier                    = "Standard"
+  account_replication_type        = "ZRS"
+  allow_nested_items_to_be_public = false
+}
+
+resource "azurerm_storage_container" "tfstate" {
+  name                  = var.name
+  storage_account_name  = azurerm_storage_account.tfstate.name
+  container_access_type = "private"
+}
+
+locals {
+  terraform_state = {
+    subscription_id      = var.subscription_id
+    resource_group_name  = data.azurerm_resource_group.main.name
+    storage_account_name = azurerm_storage_account.tfstate.name
+    container_name       = azurerm_storage_container.tfstate.name
+    # key_prefix is set by the respective resource definition
+  }
+}

examples/dns/main.tf

@@ -32,6 +32,11 @@ resource "humanitec_resource_account" "humanitec_provisioner" {
     "password" : azuread_service_principal_password.humanitec_provisioner.value,
     "tenant" : azuread_service_principal.humanitec_provisioner.application_tenant_id
   })
+
+  depends_on = [
+    # Otherwise the account looses permissions before the resources are deleted
+    azurerm_role_assignment.resource_group
+  ]
 }
 
 # Example application and resource definition criteria

examples/mysql/main.tf

@@ -32,6 +32,11 @@ resource "humanitec_resource_account" "humanitec_provisioner" {
     "password" : azuread_service_principal_password.humanitec_provisioner.value,
     "tenant" : azuread_service_principal.humanitec_provisioner.application_tenant_id
   })
+
+  depends_on = [
+    # Otherwise the account looses permissions before the resources are deleted
+    azurerm_role_assignment.resource_group
+  ]
 }
 
 # Example application and resource definition criteria

examples/postgres/main.tf

@@ -42,6 +42,12 @@ resource "humanitec_resource_account" "humanitec_provisioner" {
     "password" : azuread_service_principal_password.humanitec_provisioner.value,
     "tenant" : azuread_service_principal.humanitec_provisioner.application_tenant_id
   })
+
+  depends_on = [
+    # Otherwise the account looses permissions before the resources are deleted
+    azurerm_role_assignment.resource_group_resource,
+    azurerm_role_assignment.resource_group_workload
+  ]
 }
 
 # Example application and resource definition criteria
@@ -72,12 +78,6 @@ module "postgres_instance" {
   virtual_network_name         = var.virtual_network_name
   subnet_name                  = var.subnet_name
   workload_resource_group_name = data.azurerm_resource_group.workload.name
-
-  depends_on = [
-    # Otherwise the account looses permissions before the resources are deleted
-    azurerm_role_assignment.resource_group_resource,
-    azurerm_role_assignment.resource_group_workload
-  ]
 }
 
 resource "humanitec_resource_definition_criteria" "postgres_instance" {
@@ -99,12 +99,6 @@ module "postgres" {
   driver_account           = humanitec_resource_account.humanitec_provisioner.id
   subscription_id          = var.subscription_id
   instance_resource        = "postgres-instance.${local.postgres_instance_class}#${local.postgres_instance_res_id}"
-
-  depends_on = [
-    # Otherwise the account looses permissions before the resources are deleted
-    azurerm_role_assignment.resource_group_resource,
-    azurerm_role_assignment.resource_group_workload
-  ]
 }
 
 resource "humanitec_resource_definition_criteria" "postgres" {

examples/redis/main.tf

@@ -32,6 +32,11 @@ resource "humanitec_resource_account" "humanitec_provisioner" {
     "password" : azuread_service_principal_password.humanitec_provisioner.value,
     "tenant" : azuread_service_principal.humanitec_provisioner.application_tenant_id
   })
+
+  depends_on = [
+    # Otherwise the account looses permissions before the resources are deleted
+    azurerm_role_assignment.resource_group_workload
+  ]
 }
 
 # Example application and resource definition criteria

examples/service-bus/main.tf

@@ -17,7 +17,7 @@ resource "azuread_service_principal_password" "humanitec_provisioner" {
 
 resource "azurerm_role_assignment" "resource_group_workload" {
   scope                = data.azurerm_resource_group.main.id
-  role_definition_name = "Contributor"
+  role_definition_name = "Owner"
   principal_id         = azuread_service_principal.humanitec_provisioner.object_id
 }
 
@@ -32,6 +32,11 @@ resource "humanitec_resource_account" "humanitec_provisioner" {
     "password" : azuread_service_principal_password.humanitec_provisioner.value,
     "tenant" : azuread_service_principal.humanitec_provisioner.application_tenant_id
   })
+
+  depends_on = [
+    # Otherwise the account looses permissions before the resources are deleted
+    azurerm_role_assignment.resource_group_workload
+  ]
 }
 
 # Example application and resource definition criteria

humanitec-resource-defs/azure-blob/basic/README.md

@@ -34,6 +34,7 @@
 | prefix | Specifies the prefix used in default name for created resources. | `string` | `"hum-rp-blob-storage-ex-"` | no |
 | resource\_packs\_azure\_rev | Azure Resource Pack git branch. | `string` | `"refs/heads/main"` | no |
 | resource\_packs\_azure\_url | Azure Resource Pack git url. | `string` | `"https://github.com/humanitec-architecture/resource-packs-azure.git"` | no |
+| terraform\_state | Use terraform remote state. | <pre>object({<br>    subscription_id      = string<br>    resource_group_name  = string<br>    storage_account_name = string<br>    container_name       = string<br>    key_prefix           = optional(string)<br>  })</pre> | `null` | no |
 
 ## Outputs
 

humanitec-resource-defs/azure-blob/basic/main.tf

@@ -1,7 +1,27 @@
+locals {
+  def_id         = "${var.prefix}azure-blob-storage-basic"
+  remote_backend = <<EOT
+terraform {
+  required_version = ">= 1.0.0"
+
+  %{if var.terraform_state != null}backend "azurerm" {
+    subscription_id       = "${var.terraform_state.subscription_id}"
+    resource_group_name   = "${var.terraform_state.resource_group_name}"
+    storage_account_name  = "${var.terraform_state.storage_account_name}"
+    container_name        = "${var.terraform_state.container_name}"
+    key                   = "${coalesce(var.terraform_state.key_prefix, local.def_id)}/$${context.app.id}/$${context.env.id}/$${context.res.id}.tfstate"
+  }%{endif}
+}
+EOT
+  files = var.terraform_state != null ? {
+    "backend.tf" = local.remote_backend
+  } : {}
+}
+
 resource "humanitec_resource_definition" "main" {
   driver_type = "humanitec/terraform"
-  id          = "${var.prefix}azure-blob-storage-basic"
-  name        = "${var.prefix}azure-blob-storage-basic"
+  id          = local.def_id
+  name        = local.def_id
   type        = "azure-blob"
 
   driver_account = var.driver_account
@@ -23,6 +43,8 @@ resource "humanitec_resource_definition" "main" {
         }
       }
 
+      files = local.files
+
       variables = {
         res_id = "$${context.res.id}"
         app_id = "$${context.app.id}"

humanitec-resource-defs/azure-blob/basic/terraform.tfvars.example

@@ -33,4 +33,7 @@ resource_packs_azure_rev = "refs/heads/main"
 resource_packs_azure_url = "https://github.com/humanitec-architecture/resource-packs-azure.git"
 
 # The Subscription ID which should be used.
-subscription_id = ""
+subscription_id = ""
+
+# Use terraform remote state.
+terraform_state = ""

humanitec-resource-defs/azure-blob/basic/variables.tf

@@ -65,3 +65,15 @@ variable "container_access_type" {
   type        = string
   default     = "private"
 }
+
+variable "terraform_state" {
+  description = "Use terraform remote state."
+  type = object({
+    subscription_id      = string
+    resource_group_name  = string
+    storage_account_name = string
+    container_name       = string
+    key_prefix           = optional(string)
+  })
+  default = null
+}