Merge branch 'main' into managed_identity

Author: jacdavi

m365/README.adoc

@@ -90,6 +90,7 @@ Optional::
 `app_multi_tenant` (bool) [default=False]::: If true, the app will be able to be installed in multiple tenants. By default, it is only available in this tenant
 `vnet` (object) [default=None]::: Configuration for the vnet, including the address space, ACI subnet, and a list of allowed IP ranges. All strings in CIDR format
 `firewall` (object) [default=None]::: Configuration for an Azure Firewall; if not null, traffic will be routed through this firewall
+`tags` (map(string)) [default={}]::: Tags to apply to all resources created. Application is done via policies
 `serial_number` (string) [default=01]::: Increment by 1 when re-provisioning with the same resource group name
 `image_path` (string) [default=./cisa_logo.png]::: Path to image used for app logo. Displayed in Azure console on installed tenants
 Advanced::

m365/terraform/env/example/main.tf

@@ -14,5 +14,5 @@ module "scuba_connect" {
   container_registry           = var.container_registry
   input_storage_container_url  = var.input_storage_container_url
   output_storage_container_url = var.output_storage_container_url
+  tags                         = var.tags
 }
-

m365/terraform/env/example/variables.tf

@@ -61,6 +61,12 @@ variable "firewall" {
   description = "Configuration for an Azure Firewall; if not null, traffic will be routed through this firewall"
 }
 
+variable "tags" {
+  type        = map(string)
+  description = "Tags to apply to all resources created. Application is done via policies"
+  default     = {}
+}
+
 variable "serial_number" {
   default     = "01"
   type        = string
@@ -111,7 +117,7 @@ variable "container_registry" {
     username = string
     password = string
   })
-  default = null
+  default     = null
   description = "Credentials for logging into registry with container image"
 }
 

m365/terraform/main.tf

@@ -2,6 +2,10 @@
 resource "azurerm_resource_group" "rg" {
   name     = "${var.resource_group_name}-${var.serial_number}"
   location = var.location
+
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 
 data "azuread_client_config" "current" {}
@@ -21,6 +25,7 @@ resource "azurerm_log_analytics_workspace" "monitor_law" {
   lifecycle {
     ignore_changes = [tags]
   }
+  depends_on = [azurerm_resource_group_policy_assignment.tagging_assignments]
 }
 
 module "networking" {
@@ -31,6 +36,7 @@ module "networking" {
   resource_prefix     = local.name
   firewall            = var.firewall
   vnet                = var.vnet
+  depends_on          = [azurerm_resource_group_policy_assignment.tagging_assignments]
 }
 
 # Creates the app registration, or reads an existing one, which is used by the ScubaGear container
@@ -46,6 +52,7 @@ module "app" {
   allowed_access_ips  = try(var.vnet.allowed_access_ip_list, null)
   aci_subnet_id       = try(module.networking[0].aci_subnet_id, null)
   app_multi_tenant    = var.app_multi_tenant
+  depends_on          = [azurerm_resource_group_policy_assignment.tagging_assignments]
 }
 
 module "container" {
@@ -65,4 +72,5 @@ module "container" {
   log_analytics_workspace      = azurerm_log_analytics_workspace.monitor_law
   container_memory_gb          = var.container_memory_gb
   cert_info                    = module.app.cert_info
+  depends_on                   = [azurerm_resource_group_policy_assignment.tagging_assignments]
 }

m365/terraform/tagging.tf

@@ -0,0 +1,37 @@
+data "azurerm_policy_definition_built_in" "tagging_policy" {
+  display_name = "Add a tag to resources"
+}
+
+# Tagging policy for all resources in the main resource group
+resource "azurerm_resource_group_policy_assignment" "tagging_assignments" {
+  for_each             = var.tags
+  name                 = "add-tags-${azurerm_resource_group.rg.name}-${each.key}"
+  resource_group_id    = azurerm_resource_group.rg.id
+  policy_definition_id = data.azurerm_policy_definition_built_in.tagging_policy.id
+
+  parameters = jsonencode({
+    tagName  = { value = each.key },
+    tagValue = { value = each.value }
+  })
+
+  identity {
+    type = "SystemAssigned"
+  }
+  location = var.location
+}
+
+resource "azurerm_role_assignment" "tag_contributor" {
+  for_each = var.tags
+  scope                = azurerm_resource_group.rg.id
+  role_definition_name = "Tag Contributor"
+  principal_id         = azurerm_resource_group_policy_assignment.tagging_assignments[each.key].identity[0].principal_id
+}
+
+resource "azurerm_resource_group_policy_remediation" "remediation" {
+  for_each = var.tags
+  name                 = "add-tags-policy-remediation-${each.key}"
+  resource_group_id    = azurerm_resource_group.rg.id
+  policy_assignment_id = azurerm_resource_group_policy_assignment.tagging_assignments[each.key].id
+  resource_discovery_mode = "ReEvaluateCompliance"
+  depends_on = [ azurerm_role_assignment.tag_contributor, module.app, module.container, module.networking ]
+}

m365/terraform/variables.tf

@@ -61,6 +61,12 @@ variable "firewall" {
   description = "Configuration for an Azure Firewall; if not null, traffic will be routed through this firewall"
 }
 
+variable "tags" {
+  type        = map(string)
+  description = "Tags to apply to all resources created. Application is done via policies"
+  default     = {}
+}
+
 variable "serial_number" {
   default     = "01"
   type        = string
@@ -111,7 +117,7 @@ variable "container_registry" {
     username = string
     password = string
   })
-  default = null
+  default     = null
   description = "Credentials for logging into registry with container image"
 }