Azure / Azure-Verified-Modules

Azure Verified Modules (AVM) is an initiative to consolidate and set the standards for what a good Infrastructure-as-Code module looks like. Modules that align to these standards, across languages (Bicep, Terraform, etc.), are classified as AVMs and are available from their respective language-specific registries.
https://aka.ms/AVM
MIT License

[Module Proposal]: `avm-ptn-cicd-bootstrap` (tf) #416

Open luke-taylor opened 9 months ago

luke-taylor commented 9 months ago

Check for previous/existing GitHub issues/module proposals

Check this module doesn't already exist in the module indexes

Bicep or Terraform?

Terraform

Module Classification?

Pattern Module

Module Name

avm-ptn-cicd-bootstrap

Module Details

This module will deploy the required Azure resources in order to facilitate the Continuous Integration and Continuous Delivery of an IaC deployment. The following resources will be deployed.

This module will be an abstraction of the necessary Azure resources from https://github.com/Azure/alz-terraform-accelerator

Do you want to be the owner of this module?

Yes

Module Owner's GitHub Username (handle)

luke-taylor

(Optional) Secondary Module Owner's GitHub Username (handle)

No response

luke-taylor commented 9 months ago

CC: @matt-FFFFFF, @jaredfholgate

jaredfholgate commented 9 months ago

@luke-taylor I'm wondering if the title should be more specific to the Terraform use case. This module will create identities, permissions, storage account and optional networking specific to Terraform CI / CD. So perhaps it should be avm-ptn-cicd-terraform or similar?

luke-taylor commented 9 months ago

> @luke-taylor I'm wondering if the title should be more specific to the Terraform use case. This module will create identities, permissions, storage account and optional networking specific to Terraform CI / CD. So perhaps it should be avm-ptn-cicd-terraform or similar?

I thought that, but if we made the storage account deployment optional, what would stop this being used for a Bicep deployment too?

jaredfholgate commented 9 months ago

Good point. Is it still IaC specific or could it be used for other types of deployment? For example we have the segregation of plan and apply in read and write identities. I guess that could be used for Bicep and ARM, but is it relevant to deploying application code for example? Again could be made optional?
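The plan/apply split discussed in the two comments above (read-only identity for plan, write identity for apply, backed by a storage account for state) is the security-relevant core of the proposal. The following Terraform configuration is an added illustration written for this page; it is not code from the module, the ALZ accelerator or the issue authors. It assumes GitHub Actions as the pipeline (OIDC federated credentials), subscription-scoped Reader/Contributor roles, and hypothetical names (`rg-iac-bootstrap`, `stiacstatebootstrap01`, the `github_repo` variable); adapt the scope and roles to your own deployment.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.100" }
  }
}

provider "azurerm" {
  features {}
}

# Hypothetical inputs: "org/repo" of the pipeline that will assume the identities.
variable "github_repo" { type = string }
variable "location" {
  type    = string
  default = "uksouth"
}

data "azurerm_subscription" "current" {}

resource "azurerm_resource_group" "bootstrap" {
  name     = "rg-iac-bootstrap" # hypothetical name
  location = var.location
}

# State backend: identity-only access (no shared keys), TLS 1.2, versioned blobs.
resource "azurerm_storage_account" "state" {
  name                            = "stiacstatebootstrap01" # hypothetical; must be globally unique
  resource_group_name             = azurerm_resource_group.bootstrap.name
  location                        = azurerm_resource_group.bootstrap.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  min_tls_version                 = "TLS1_2"
  shared_access_key_enabled       = false # force Entra ID (use_azuread_auth) for the backend
  allow_nested_items_to_be_public = false

  blob_properties {
    versioning_enabled = true # lets you roll back a corrupted state file
  }
}

resource "azurerm_storage_container" "tfstate" {
  name                  = "tfstate"
  storage_account_name  = azurerm_storage_account.state.name
  container_access_type = "private"
}

# Two identities with distinct OIDC subjects: PR runs may only plan, the
# "production" environment (gated by reviewers in GitHub) may apply.
locals {
  identities = {
    plan  = { subject = "repo:${var.github_repo}:pull_request",            role = "Reader",      state_role = "Storage Blob Data Reader" }
    apply = { subject = "repo:${var.github_repo}:environment:production", role = "Contributor", state_role = "Storage Blob Data Contributor" }
  }
}

resource "azurerm_user_assigned_identity" "ci" {
  for_each            = local.identities
  name                = "id-iac-${each.key}"
  resource_group_name = azurerm_resource_group.bootstrap.name
  location            = azurerm_resource_group.bootstrap.location
}

# No secrets are issued: GitHub's OIDC token is exchanged for an Azure token,
# and the subject claim pins each identity to one trigger.
resource "azurerm_federated_identity_credential" "github" {
  for_each            = local.identities
  name                = "github-${each.key}"
  resource_group_name = azurerm_resource_group.bootstrap.name
  parent_id           = azurerm_user_assigned_identity.ci[each.key].id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = "https://token.actions.githubusercontent.com"
  subject             = each.value.subject
}

resource "azurerm_role_assignment" "subscription" {
  for_each             = local.identities
  scope                = data.azurerm_subscription.current.id
  role_definition_name = each.value.role
  principal_id         = azurerm_user_assigned_identity.ci[each.key].principal_id
}

resource "azurerm_role_assignment" "state" {
  for_each             = local.identities
  scope                = azurerm_storage_container.tfstate.resource_manager_id
  role_definition_name = each.value.state_role
  principal_id         = azurerm_user_assigned_identity.ci[each.key].principal_id
}

output "client_ids" {
  value = { for k, id in azurerm_user_assigned_identity.ci : k => id.client_id }
}
```

Two caveats a practitioner will hit: the plan identity only has Storage Blob Data Reader, and acquiring the state lock is a blob lease (a write data action), so plan jobs must run `terraform plan -lock=false`; and Contributor cannot create role assignments, so if the deployment itself manages RBAC (as a landing-zone deployment does) the apply identity needs Owner or User Access Administrator at the relevant scope, which is exactly why that identity should be reachable only from a reviewer-gated environment subject.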

mbilalamjad commented 9 months ago

@luke-taylor thank you for the module proposal

Per the AVM module classification for pattern module, could you please confirm that the publication of the pattern architecture to the Azure architecture center or other official documentation is being worked on?

Also, per the Pattern Module nonfunctional requirement PMNFR2, are there any resource modules that need to be created for the pattern module? If yes, then I would suggest that as a good starting point, especially if the pattern architecture is in the process of being published.

matt-FFFFFF commented 9 months ago

Hi @mbilalamjad

This is a sensible pattern that will provide value for users so I think we should allow this to go ahead.

As for resource modules, I think we have the required ones for Azure.

matt-FFFFFF commented 9 months ago

@luke-taylor can we come up with a more specific name? Then we are good to go

luke-taylor commented 9 months ago

@matt-FFFFFF I am happy with avm-ptn-cicd-bootstrap

matt-FFFFFF commented 9 months ago

> @matt-FFFFFF I am happy with avm-ptn-cicd-bootstrap

@mbilalamjad this is ready to go now

PmeshramPM commented 8 months ago

Followed it up with @luke-taylor and he will start the development. Removing the "needs attention" label

PmeshramPM commented 8 months ago

Hi @luke-taylor

Thanks for requesting/proposing to be an AVM module owner!

We just want to confirm you agree to the below pages that define what module ownership means:

Any questions or clarifications needed, let us know!

If you agree, please just reply to this issue with the exact sentence below (as this helps with our automation 👍):

"I CONFIRM I WISH TO OWN THIS AVM MODULE AND UNDERSTAND THE REQUIREMENTS AND DEFINITION OF A MODULE OWNER"

Thanks,

The AVM Core Team

RR

luke-taylor commented 8 months ago

I CONFIRM I WISH TO OWN THIS AVM MODULE AND UNDERSTAND THE REQUIREMENTS AND DEFINITION OF A MODULE OWNER

PmeshramPM commented 8 months ago

Hi @luke-taylor,

Thanks for confirming that you wish to own this AVM module and understand the related requirements and responsibilities!

Before starting development, please ensure ALL the following requirements are met.

Please use the following values explicitly as provided in the module index page:

Check if this module exists in the other IaC language. If so, collaborate with the other owner for consistency. 👍

You can now start the development of this module! ✅ Happy coding! 🎉

Please respond to this comment and request a review from the AVM core team once your module is ready to be published! Please include a link pointing to your PR, once available. 🙏

Any further questions or clarifications needed, let us know!

Thanks,

The AVM Core Team

kewalaka commented 7 months ago

there's some interesting pre-work in this space, I'll call out a few initiatives that might be worth looking at:

https://github.com/microsoft/symphony

& John Folberth's ones, which is what I used as the basis for the commercial ones I'm unable to share:

https://github.com/JFolberth/TheYAMLPipelineOne

mbilalamjad commented 7 months ago

Request @luke-taylor to share an update here

luke-taylor commented 6 months ago

Update: Module development still in progress.

cc: @mbilalamjad

luke-taylor commented 5 months ago

Please add the "long term" label here.

feskehau commented 2 months ago

Trying to sort things out.

We have the accelerator-bootstrap-modules (https://github.com/Azure/accelerator-bootstrap-modules) module that solves the exact same issue as this module is proposing to solve. But this module (cicd-bootstrap) will provision Azure infrastructure using the cicd-agents-and-runners module, and set up the repos (GitHub and DevOps) itself? I guess then that accelerator-bootstrap-modules will be decommissioned?

jaredfholgate commented 2 months ago

@feskehau The intention is that the accelerator bootstrap modules will leverage this AVM module. That won't go away. This module will extract out a re-usable pattern that can be leveraged outside the confines of the accelerator. Same goes for the CI / CD agents module: https://github.com/Azure/Azure-Verified-Modules/issues/520

The accelerator will compose these together along with some other bits rather than re-implementing.

It hasn't happened yet only because of time constraints on Luke and I.

kewalaka commented 1 week ago

interested in helping here. Is the intention for this to include the VCS elements too? Taking ADO as an example I was thinking a res module for an ADO project with submodules for repos, service connections, var groups etc would be a good building block to start on?

jaredfholgate commented 1 week ago

> interested in helping here. Is the intention for this to include the VCS elements too? Taking ADO as an example I was thinking a res module for an ADO project with submodules for repos, service connections, var groups etc would be a good building block to start on?

Working on this next week. The eventual solution will include modules for VCS with GitHub and Azure DevOps. This one will probably just be the Azure resources for now. I'll propose the others next week as part of our end to end Application landing zone accelerator.

The VCS modules have to be separate due to the Terraform core limitation of the providers needing settings even if not used. I.e. even if we had a variable to select ADO or GitHub it would fail for the one you don't choose due to this.
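The provider limitation in the comment above is easy to misread, so here is an added illustration (written for this page, not code from the module or its authors) of the shape that the comment says does not work and the split it recommends. Provider sources and versions are the public ones; the variable names, module paths and the `vcs` switch are hypothetical.

```hcl
# --- Shape that fails: one root module that "selects" a VCS with a variable ---
#
# A provider block is configured whenever it is declared, not only when a
# resource uses it. Gating the modules with count does not stop Terraform from
# initialising both providers, so the unselected one still needs valid settings
# (and the azuredevops provider errors when org_service_url/PAT are absent).
#
#   variable "vcs" { type = string } # "github" | "azuredevops"
#   provider "github"      { token = var.github_token }
#   provider "azuredevops" { org_service_url = var.ado_org_url, personal_access_token = var.ado_pat }
#   module "vcs_github" { count = var.vcs == "github" ? 1 : 0 ; source = "./vcs-github" }
#   module "vcs_ado"    { count = var.vcs == "azuredevops" ? 1 : 0 ; source = "./vcs-azuredevops" }
#
# --- Shape that works: one root configuration per VCS, each owning only its provider ---
#
#   bootstrap/          azurerm only: identities, RBAC, state storage (the AVM pattern)
#   vcs-github/         github provider only; consumes bootstrap outputs
#   vcs-azuredevops/    azuredevops provider only; consumes bootstrap outputs
#
# vcs-github/main.tf (hypothetical): only the GitHub provider is declared here,
# so running this root never requires Azure DevOps settings.
terraform {
  required_providers {
    github = { source = "integrations/github", version = "~> 6.0" }
  }
}

provider "github" {
  owner = var.github_owner
  token = var.github_token # prefer a GitHub App or short-lived token in CI
}

variable "github_owner" { type = string }
variable "github_token" {
  type      = string
  sensitive = true
}
# Client IDs of the plan/apply identities created by the bootstrap root,
# passed in as variables (or read from its remote state) rather than
# re-created here, so the VCS root never holds Azure credentials.
variable "azure_client_ids" { type = map(string) } # { plan = "...", apply = "..." }
variable "azure_tenant_id" { type = string }
variable "azure_subscription_id" { type = string }

resource "github_repository" "iac" {
  name       = "iac-landing-zone" # hypothetical
  visibility = "private"
}

# Reviewer-gated environment: only its OIDC subject is trusted by the apply identity.
resource "github_repository_environment" "production" {
  repository  = github_repository.iac.name
  environment = "production"
}

# Non-secret values the workflow needs for azure/login with OIDC.
resource "github_actions_variable" "tenant" {
  repository    = github_repository.iac.name
  variable_name = "AZURE_TENANT_ID"
  value         = var.azure_tenant_id
}

resource "github_actions_variable" "subscription" {
  repository    = github_repository.iac.name
  variable_name = "AZURE_SUBSCRIPTION_ID"
  value         = var.azure_subscription_id
}

resource "github_actions_environment_variable" "apply_client_id" {
  repository    = github_repository.iac.name
  environment   = github_repository_environment.production.environment
  variable_name = "AZURE_CLIENT_ID"
  value         = var.azure_client_ids["apply"]
}

resource "github_actions_variable" "plan_client_id" {
  repository    = github_repository.iac.name
  variable_name = "AZURE_CLIENT_ID"
  value         = var.azure_client_ids["plan"]
}
```

The repository-level `AZURE_CLIENT_ID` points at the plan identity and the environment-level one at the apply identity; GitHub resolves environment variables over repository variables, so only jobs that target the gated environment ever present the apply identity's client ID, which lines up with the federated-credential subjects on the Azure side.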