
Infrastructure Bootstrapping

Overview

The terraform-bootstrap terraform module is used to create, update and maintain the foundational Azure resources that make it possible to subsequently provision the necessary infrastructure to support the REG-1 microservices - see Infrastructure Provisioning.

These include:

  • 1 Azure Resource Group per environment named rg-terraform-${var.environment}-001 which resides in the UK South region.
  • 1 Azure Storage Account named streg1tfstate${var.environment_short}001 with 2 Azure Storage Account Containers per environment named bootstrap and tfstate.
  • 1 Azure Active Directory Application per <microservice-infra> GitHub repository named aad-sp-${each.value.repository_name}-${var.environment_short} and 1 Service Principal for each Active Directory Application. Each Active Directory Application is granted a default set of roles; this can be extended by adding role_ids to the list for that repository within the ${var.repo_resource_access} map.

Note

${var.environment} - can be one of development, nonproduction or production.
${var.environment_short} - can be one of dev, np or pr.
<microservice-infra> - can be one of audit-infra, user-infra, etc.

Change the active subscription

This is the only terraform module which does not use our azure-microservices-workflows GitHub Actions workflows, so we must emulate the pipeline and release changes in a controlled way by applying them to the Development environment first, followed by the Non Production and then the Production environment.

You must configure your local environment using the Azure CLI to target the appropriate Azure subscription before executing the terraform commands:

az account set --subscription "reg1-<environment>-001"

First Terraform Run

Given that this terraform module creates its own terraform state backend, i.e. the storage account container named bootstrap, we must comment out the terraform backend block in the providers.tf file on the first terraform run to avoid a chicken-and-egg situation and address the terraform bootstrap scenario.

# terraform {
#   backend "azurerm" {}
# }

We can then proceed to create the Azure resources either by running the following terraform commands:

az login
terraform init -upgrade
terraform plan -var-file=tfvars/common.tfvars -var-file=tfvars/<environment>.tfvars
terraform apply -var-file=tfvars/common.tfvars -var-file=tfvars/<environment>.tfvars

Or by invoking the make targets available in the Makefile:

az login
make plan env=<environment>
make apply env=<environment>

Second Terraform Run

Once we have successfully created the Azure resources in the terraform-bootstrap terraform module, we can un-comment the terraform backend block from the providers.tf file and re-run the following terraform commands to push and store the state file in the bootstrap storage account container as terraform.tfstate.

terraform {
  backend "azurerm" {}
}

Once again, we can proceed to create new Azure resources or reconcile the existing ones, either by running the following terraform commands:

az login
terraform init -upgrade \
  -backend-config='resource_group_name=rg-terraform-<environment>-001' \
  -backend-config='storage_account_name=streg1tfstate<environment_short>001' \
  -backend-config='container_name=bootstrap' -backend-config='key=terraform.tfstate'

terraform plan -var-file=tfvars/common.tfvars -var-file=tfvars/<environment>.tfvars
terraform apply -var-file=tfvars/common.tfvars -var-file=tfvars/<environment>.tfvars

Or by invoking the make targets available in the Makefile:

az login
make plan env=<environment>
make apply env=<environment>

Note

This is the only terraform module which does not use our azure-microservices-workflows GitHub Actions workflows and therefore must be executed locally using the commands above.

Additionally, we should only run the terraform commands or make targets documented in the Second Terraform Run section for all future terraform runs.
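The second-run commands above depend on typing the right environment, short name and subscription by hand. The following helper is an added example, not part of the terraform-bootstrap module or its Makefile: it derives the backend settings from the environment name using the naming conventions documented on this page and refuses to run terraform init unless the Azure CLI's active subscription is reg1-<environment>-001. The function names (env_short, backend_config_args, subscription_matches, bootstrap_init) are assumptions introduced here.

```bash
#!/usr/bin/env bash
# Added example (not the module's own code): guarded "Second Terraform Run" init.
set -euo pipefail

# Map ${var.environment} to ${var.environment_short} as documented in the Note above.
env_short() {
  case "$1" in
    development)   echo dev ;;
    nonproduction) echo np ;;
    production)    echo pr ;;
    *) echo "unknown environment: $1" >&2; return 1 ;;
  esac
}

# Print the four backend settings for an environment, one per line, using the
# resource group, storage account and container names from this page.
backend_config_args() {
  local env="$1" short
  short="$(env_short "$env")" || return 1
  printf '%s\n' \
    "resource_group_name=rg-terraform-${env}-001" \
    "storage_account_name=streg1tfstate${short}001" \
    "container_name=bootstrap" \
    "key=terraform.tfstate"
}

# Succeeds only when the active subscription name is reg1-<environment>-001.
# The name is passed in so the check can be exercised without the Azure CLI.
subscription_matches() {
  local env="$1" active="$2"
  [ "$active" = "reg1-${env}-001" ]
}

# Run terraform init against the bootstrap backend, but only after confirming
# the subscription so state is never written to the wrong environment.
bootstrap_init() {
  local env="$1" active
  active="$(az account show --query name -o tsv)"
  if ! subscription_matches "$env" "$active"; then
    echo "active subscription '$active' is not reg1-${env}-001;" \
         "run: az account set --subscription \"reg1-${env}-001\"" >&2
    return 1
  fi
  local args=()
  while IFS= read -r line; do args+=("-backend-config=$line"); done \
    < <(backend_config_args "$env")
  terraform init -upgrade "${args[@]}"
}
```

Source the file and call bootstrap_init <environment> in place of the terraform init line; the plan and apply commands are unchanged.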