feature: governed pipelines

.github/workflows/end-to-end-test.yml

@@ -73,6 +73,7 @@ jobs:
           $Inputs["starter_module"] = ".test"
           $Inputs["version_control_system_access_token"] = if ($versionControlSystem -eq "github") { "${{ secrets.VCS_TOKEN_GITHUB }}" } else { "${{ secrets.VCS_TOKEN_AZURE_DEVOPS }}" }
           $Inputs["version_control_system_organization"] = "${{ vars.VCS_ORGANIZATION }}"
+          $Inputs["version_control_system_use_separate_repository_for_templates"] = "true"
           $Inputs["azure_location"] = "uksouth"
           $Inputs["azure_subscription_id"] = ""
           $Inputs["service_name"] = "alz"

bootstrap/azuredevops/data.tf

@@ -0,0 +1,2 @@
+data "azurerm_client_config" "current" {}
+data "azurerm_subscription" "current" {}

bootstrap/azuredevops/files.tf

@@ -0,0 +1,39 @@
+locals {
+  starter_module_folder_path = var.module_folder_path_relative ? ("${path.module}/${var.module_folder_path}/${var.starter_module}") : "${var.module_folder_path}/${var.starter_module}"
+  pipeline_folder_path       = var.pipeline_folder_path_relative ? ("${path.module}/${var.pipeline_folder_path}") : var.pipeline_folder_path
+}
+
+locals {
+  file_type_flags = {
+    pipeline          = "pipeline"
+    pipeline_template = "pipeline_template"
+    module            = "module"
+    additional        = "additional"
+  }
+}
+
+module "starter_module_files" {
+  source      = "./../modules/files"
+  folder_path = local.starter_module_folder_path
+  flag        = local.file_type_flags.module
+}
+
+locals {
+  pipeline_files = { for key, value in var.pipeline_files : value.target_path => {
+    path = "${local.pipeline_folder_path}/${value.file_path}"
+    flag = local.file_type_flags.pipeline
+    }
+  }
+  template_files = { for key, value in var.pipeline_template_files : value.target_path => {
+    path = "${local.pipeline_folder_path}/${value.file_path}"
+    flag = local.file_type_flags.pipeline_template
+    }
+  }
+  starter_module_repo_files = merge(module.starter_module_files.files, local.pipeline_files, local.template_files)
+  additional_repo_files = { for file in var.additional_files : basename(file) => {
+    path = file
+    flag = local.file_type_flags.additional
+    }
+  }
+  all_repo_files = merge(local.starter_module_repo_files, local.additional_repo_files)
+}

bootstrap/azuredevops/locals.tf

@@ -7,3 +7,79 @@ locals {
   plan_key  = "plan"
   apply_key = "apply"
 }
+
+locals {
+  ci_key = "ci"
+  cd_key = "cd"
+}
+
+locals {
+  managed_identities = {
+    (local.plan_key)  = local.resource_names.user_assigned_managed_identity_plan
+    (local.apply_key) = local.resource_names.user_assigned_managed_identity_apply
+  }
+
+  federated_credentials = module.azure_devops.is_authentication_scheme_workload_identity_federation ? {
+    (local.plan_key) = {
+      user_assigned_managed_identity_key = local.plan_key
+      federated_credential_subject       = module.azure_devops.is_authentication_scheme_workload_identity_federation ? module.azure_devops.subjects[local.plan_key] : ""
+      federated_credential_issuer        = module.azure_devops.is_authentication_scheme_workload_identity_federation ? module.azure_devops.issuers[local.plan_key] : ""
+      federated_credential_name          = local.resource_names.user_assigned_managed_identity_federated_credentials_plan
+    }
+    (local.apply_key) = {
+      user_assigned_managed_identity_key = local.apply_key
+      federated_credential_subject       = module.azure_devops.is_authentication_scheme_workload_identity_federation ? module.azure_devops.subjects[local.apply_key] : ""
+      federated_credential_issuer        = module.azure_devops.is_authentication_scheme_workload_identity_federation ? module.azure_devops.issuers[local.apply_key] : ""
+      federated_credential_name          = local.resource_names.user_assigned_managed_identity_federated_credentials_apply
+    }
+  } : {}
+
+  agent_container_instances = module.azure_devops.is_authentication_scheme_managed_identity ? {
+    agent_01 = {
+      container_instance_name = local.resource_names.container_instance_01
+      agent_name              = local.resource_names.agent_01
+      managed_identity_key    = local.plan_key
+      agent_pool_name         = module.azure_devops.is_authentication_scheme_managed_identity ? module.azure_devops.agent_pool_names[local.plan_key] : ""
+    }
+    agent_02 = {
+      container_instance_name = local.resource_names.container_instance_02
+      agent_name              = local.resource_names.agent_02
+      managed_identity_key    = local.plan_key
+      agent_pool_name         = module.azure_devops.is_authentication_scheme_managed_identity ? module.azure_devops.agent_pool_names[local.plan_key] : ""
+    }
+    agent_03 = {
+      container_instance_name = local.resource_names.container_instance_03
+      agent_name              = local.resource_names.agent_03
+      managed_identity_key    = local.apply_key
+      agent_pool_name         = module.azure_devops.is_authentication_scheme_managed_identity ? module.azure_devops.agent_pool_names[local.apply_key] : ""
+    }
+    agent_04 = {
+      container_instance_name = local.resource_names.container_instance_04
+      agent_name              = local.resource_names.agent_04
+      managed_identity_key    = local.apply_key
+      agent_pool_name         = module.azure_devops.is_authentication_scheme_managed_identity ? module.azure_devops.agent_pool_names[local.apply_key] : ""
+    }
+  } : {}
+}
+
+locals {
+  environments = {
+    (local.plan_key) = {
+      environment_name        = local.resource_names.version_control_system_environment_plan
+      service_connection_name = local.resource_names.version_control_system_service_connection_plan
+      service_connection_template_keys = [
+        local.ci_key,
+        local.cd_key
+      ]
+      agent_pool_name = local.resource_names.version_control_system_agent_pool_plan
+    }
+    (local.apply_key) = {
+      environment_name        = local.resource_names.version_control_system_environment_apply
+      service_connection_name = local.resource_names.version_control_system_service_connection_apply
+      service_connection_template_keys = [
+        local.cd_key
+      ]
+      agent_pool_name = local.resource_names.version_control_system_agent_pool_apply
+    }
+  }
+}

bootstrap/azuredevops/main.tf

@@ -1,6 +1,3 @@
-data "azurerm_client_config" "current" {}
-data "azurerm_subscription" "current" {}
-
 module "resource_names" {
   source           = "./../modules/resource_names"
   azure_location   = var.azure_location
@@ -10,53 +7,6 @@ module "resource_names" {
   resource_names   = var.resource_names
 }
 
-locals {
-  managed_identities = {
-    (local.plan_key)  = local.resource_names.user_assigned_managed_identity_plan
-    (local.apply_key) = local.resource_names.user_assigned_managed_identity_apply
-  }
-
-  federated_credentials = module.azure_devops.is_authentication_scheme_workload_identity_federation ? {
-    (local.plan_key) = {
-      federated_credential_subject = module.azure_devops.is_authentication_scheme_workload_identity_federation ? module.azure_devops.subjects[local.plan_key] : ""
-      federated_credential_issuer  = module.azure_devops.is_authentication_scheme_workload_identity_federation ? module.azure_devops.issuers[local.plan_key] : ""
-      federated_credential_name    = local.resource_names.user_assigned_managed_identity_federated_credentials_plan
-    }
-    (local.apply_key) = {
-      federated_credential_subject = module.azure_devops.is_authentication_scheme_workload_identity_federation ? module.azure_devops.subjects[local.apply_key] : ""
-      federated_credential_issuer  = module.azure_devops.is_authentication_scheme_workload_identity_federation ? module.azure_devops.issuers[local.apply_key] : ""
-      federated_credential_name    = local.resource_names.user_assigned_managed_identity_federated_credentials_apply
-    }
-  } : {}
-
-  agent_container_instances = module.azure_devops.is_authentication_scheme_managed_identity ? {
-    agent_01 = {
-      container_instance_name = local.resource_names.container_instance_01
-      agent_name              = local.resource_names.agent_01
-      managed_identity_key    = local.plan_key
-      agent_pool_name         = module.azure_devops.is_authentication_scheme_managed_identity ? module.azure_devops.agent_pool_names[local.plan_key] : ""
-    }
-    agent_02 = {
-      container_instance_name = local.resource_names.container_instance_02
-      agent_name              = local.resource_names.agent_02
-      managed_identity_key    = local.plan_key
-      agent_pool_name         = module.azure_devops.is_authentication_scheme_managed_identity ? module.azure_devops.agent_pool_names[local.plan_key] : ""
-    }
-    agent_03 = {
-      container_instance_name = local.resource_names.container_instance_03
-      agent_name              = local.resource_names.agent_03
-      managed_identity_key    = local.apply_key
-      agent_pool_name         = module.azure_devops.is_authentication_scheme_managed_identity ? module.azure_devops.agent_pool_names[local.apply_key] : ""
-    }
-    agent_04 = {
-      container_instance_name = local.resource_names.container_instance_04
-      agent_name              = local.resource_names.agent_04
-      managed_identity_key    = local.apply_key
-      agent_pool_name         = module.azure_devops.is_authentication_scheme_managed_identity ? module.azure_devops.agent_pool_names[local.apply_key] : ""
-    }
-  } : {}
-}
-
 module "azure" {
   source                             = "./../modules/azure"
   create_agents_resource_group       = module.azure_devops.is_authentication_scheme_managed_identity
@@ -78,49 +28,6 @@ module "azure" {
   root_management_group_display_name = var.root_management_group_display_name
 }
 
-locals {
-  starter_module_path = abspath("${path.module}/${var.template_folder_path}/${var.starter_module}")
-  ci_cd_module_path   = abspath("${path.module}/${var.template_folder_path}/${var.ci_cd_module}")
-}
-
-module "starter_module_files" {
-  source      = "./../modules/files"
-  folder_path = local.starter_module_path
-  flag        = "module"
-}
-
-module "ci_cd_module_files" {
-  source      = "./../modules/files"
-  folder_path = local.ci_cd_module_path
-  exclusions  = [".github"]
-  flag        = "cicd"
-}
-
-locals {
-  starter_module_repo_files = merge(module.starter_module_files.files, module.ci_cd_module_files.files)
-  additional_repo_files = { for file in var.additional_files : basename(file) => {
-    path = file
-    flag = "additional"
-    }
-  }
-  all_repo_files = merge(local.starter_module_repo_files, local.additional_repo_files)
-}
-
-locals {
-  environments = {
-    (local.plan_key) = {
-      environment_name        = local.resource_names.version_control_system_environment_plan
-      service_connection_name = local.resource_names.version_control_system_service_connection_plan
-      agent_pool_name         = local.resource_names.version_control_system_agent_pool_plan
-    }
-    (local.apply_key) = {
-      environment_name        = local.resource_names.version_control_system_environment_apply
-      service_connection_name = local.resource_names.version_control_system_service_connection_apply
-      agent_pool_name         = local.resource_names.version_control_system_agent_pool_apply
-    }
-  }
-}
-
 module "azure_devops" {
   source                                       = "./../modules/azure_devops"
   use_legacy_organization_url                  = var.azure_devops_use_organisation_legacy_url
@@ -132,12 +39,14 @@ module "azure_devops" {
   managed_identity_client_ids                  = module.azure.user_assigned_managed_identity_client_ids
   repository_name                              = local.resource_names.version_control_system_repository
   repository_files                             = local.all_repo_files
+  use_template_repository                      = var.version_control_system_use_separate_repository_for_templates
+  repository_name_templates                    = local.resource_names.version_control_system_repository_templates
   variable_group_name                          = local.resource_names.version_control_system_variable_group
   azure_tenant_id                              = data.azurerm_client_config.current.tenant_id
   azure_subscription_id                        = data.azurerm_client_config.current.subscription_id
   azure_subscription_name                      = data.azurerm_subscription.current.display_name
-  pipeline_ci_file                             = var.ci_file_path
-  pipeline_cd_file                             = var.cd_file_path
+  pipelines                                    = var.pipeline_files
+  pipeline_templates                           = var.pipeline_template_files
   backend_azure_resource_group_name            = local.resource_names.resource_group_state
   backend_azure_storage_account_name           = local.resource_names.storage_account
   backend_azure_storage_account_container_name = local.resource_names.storage_container

bootstrap/azuredevops/terraform.tfvars

@@ -1,9 +1,3 @@
-# Version Control System Variables
-template_folder_path = "../../templates"
-ci_cd_module         = ".ci_cd"
-ci_file_path         = ".azuredevops/ci.yaml"
-cd_file_path         = ".azuredevops/cd.yaml"
-
 # Azure Variables
 agent_container_image = "jaredfholgate/azure-devops-agent:0.0.3"
 
@@ -27,6 +21,7 @@ resource_names = {
   agent_03                                                   = "agent-{{service_name}}-{{environment_name}}-{{postfix_number_plus_2}}"
   agent_04                                                   = "agent-{{service_name}}-{{environment_name}}-{{postfix_number_plus_3}}"
   version_control_system_repository                          = "{{service_name}}-{{environment_name}}"
+  version_control_system_repository_templates                = "{{service_name}}-{{environment_name}}-templates"
   version_control_system_service_connection_plan             = "sc-{{service_name}}-{{environment_name}}-plan"
   version_control_system_service_connection_apply            = "sc-{{service_name}}-{{environment_name}}-apply"
   version_control_system_environment_plan                    = "{{service_name}}-{{environment_name}}-plan"
@@ -36,3 +31,59 @@ resource_names = {
   version_control_system_agent_pool_apply                    = "{{service_name}}-{{environment_name}}-apply"
   version_control_system_group                               = "{{service_name}}-{{environment_name}}-approvers"
 }
+
+# Version Control System Variables
+module_folder_path   = "../../templates"
+pipeline_folder_path = "../../templates/ci_cd"
+
+pipeline_files = {
+  ci = {
+    pipeline_name = "01 Azure Landing Zone Continuous Integration"
+    file_path     = "azuredevops/ci.yaml"
+    target_path   = ".pipelines/ci.yaml"
+    environment_keys = [
+      "plan"
+    ]
+    service_connection_keys = [
+      "plan"
+    ]
+    agent_pool_keys = [
+      "plan"
+    ]
+  }
+  cd = {
+    pipeline_name = "02 Azure Landing Zone Continuous Delivery"
+    file_path     = "azuredevops/cd.yaml"
+    target_path   = ".pipelines/cd.yaml"
+    environment_keys = [
+      "plan",
+      "apply"
+    ]
+    service_connection_keys = [
+      "plan",
+      "apply"
+    ]
+    agent_pool_keys = [
+      "plan",
+      "apply"
+    ]
+  }
+}
+pipeline_template_files = {
+  plan = {
+    file_path   = "azuredevops/templates/plan.yaml"
+    target_path = "plan.yaml"
+  }
+  apply = {
+    file_path   = "azuredevops/templates/apply.yaml"
+    target_path = "apply.yaml"
+  }
+  ci = {
+    file_path   = "azuredevops/templates/ci.yaml"
+    target_path = "ci.yaml"
+  }
+  cd = {
+    file_path   = "azuredevops/templates/cd.yaml"
+    target_path = "cd.yaml"
+  }
+}