main.tf
# Synthetic dependency anchor. The data sources below declare depends_on this
# resource, so they are only read after the upstream objects referenced by
# var.dependency_ids exist; without it Terraform would try to read the resource
# group and/or the storage account before they have been created.
resource "null_resource" "dependencies" {
  # Any change in the upstream ids re-triggers this resource and, through
  # depends_on, the dependent data reads.
  triggers = var.dependency_ids
}
# Resource group named by var.metrics_storage.managed_identity_node_rg_name.
# Only looked up when a managed identity is used for the metrics storage
# (count is 0 otherwise, so no read is attempted).
data "azurerm_resource_group" "node_resource_group" {
  count = local.use_managed_identity ? 1 : 0

  # Wait for the dependency anchor so the group is not read before it exists.
  depends_on = [null_resource.dependencies]

  name = var.metrics_storage.managed_identity_node_rg_name
}
# Blob container that holds the metrics data. Its resource manager id is the
# scope of the role assignment below. Only looked up when a managed identity
# is used (count is 0 otherwise).
data "azurerm_storage_container" "container" {
  count = local.use_managed_identity ? 1 : 0

  # Wait for the dependency anchor so the account/container are not read
  # before they exist.
  depends_on = [null_resource.dependencies]

  storage_account_name = var.metrics_storage.storage_account
  name                 = var.metrics_storage.container
}
# User-assigned identity that Thanos components federate to via workload
# identity. Created in the same resource group and location as the node
# resource group looked up above; only created when a managed identity is used.
resource "azurerm_user_assigned_identity" "thanos" {
  count = local.use_managed_identity ? 1 : 0

  name                = "thanos"
  location            = data.azurerm_resource_group.node_resource_group[0].location
  resource_group_name = data.azurerm_resource_group.node_resource_group[0].name
}
# Grants the Thanos identity read/write blob access. The scope is the single
# metrics container (its resource manager id), not the whole storage account,
# which keeps the grant to the minimum the components need.
# NOTE(review): the principal is created in the same apply; if the assignment
# races the directory replication of the new identity, consider the provider's
# skip_service_principal_aad_check option — confirm against the provider version in use.
resource "azurerm_role_assignment" "storage_contributor" {
  count = local.use_managed_identity ? 1 : 0

  principal_id         = azurerm_user_assigned_identity.thanos[0].principal_id
  role_definition_name = "Storage Blob Data Contributor"
  scope                = data.azurerm_storage_container.container[0].resource_manager_id
}
# One federated credential per Thanos component, binding the Kubernetes
# service account thanos/thanos-<component> (via the cluster's OIDC issuer)
# to the user-assigned identity above. The set is empty, and so nothing is
# created, when no managed identity is used.
resource "azurerm_federated_identity_credential" "thanos" {
  for_each = local.use_managed_identity ? toset(["bucketweb", "storegateway", "compactor"]) : toset([])

  name                = "thanos-${each.value}"
  resource_group_name = data.azurerm_resource_group.node_resource_group[0].name
  parent_id           = azurerm_user_assigned_identity.thanos[0].id

  # Token exchange parameters: the issuer must match the cluster's OIDC issuer
  # and the subject pins the exact namespace/service-account pair that may
  # assume the identity.
  issuer   = var.metrics_storage.managed_identity_oidc_issuer_url
  audience = ["api://AzureADTokenExchange"]
  subject  = "system:serviceaccount:thanos:thanos-${each.value}"
}
# Instantiates the parent Thanos module, forwarding this wrapper's variables
# unchanged and prepending the locally computed Helm values to the caller's.
module "thanos" {
  source = "../"

  # Cluster / DNS placement
  cluster_name        = var.cluster_name
  base_domain         = var.base_domain
  subdomain           = var.subdomain
  destination_cluster = var.destination_cluster
  cluster_issuer      = var.cluster_issuer

  # Argo CD application settings
  argocd_project  = var.argocd_project
  argocd_labels   = var.argocd_labels
  target_revision = var.target_revision
  app_autosync    = var.app_autosync
  dependency_ids  = var.dependency_ids

  # Feature toggles and sizing
  enable_service_monitor  = var.enable_service_monitor
  enable_network_policies = var.enable_network_policies
  deep_merge_append_list  = var.deep_merge_append_list
  resources               = var.resources
  thanos                  = var.thanos

  # Local values come first so the caller's values take precedence on merge.
  helm_values = concat(local.helm_values, var.helm_values)
}