init further azure devops services

Author: younGihan

modules/azuredevops/pipeline/backplane/README.md

@@ -0,0 +1,55 @@
+# Azure DevOps Pipeline Backplane
+
+This module provisions the infrastructure required to support the Azure DevOps Pipeline building block.
+
+## What It Provisions
+
+- **Azure AD Service Principal**: For pipeline management automation
+- **Azure Key Vault**: Stores Azure DevOps Personal Access Token (PAT)
+- **Custom Role Definition**: Minimal permissions for reading Key Vault secrets
+- **Role Assignment**: Grants the service principal access to Key Vault
+
+## Prerequisites
+
+- Azure subscription with permissions to create:
+  - Azure AD applications and service principals
+  - Key Vault instances
+  - Custom role definitions and assignments
+- Azure DevOps organization with Administrator access
+- Azure DevOps PAT with `Build (Read & Execute)` scope
+
+## Usage
+
+```hcl
+module "azuredevops_pipeline_backplane" {
+  source = "./backplane"
+
+  azure_devops_organization_url = "https://dev.azure.com/myorg"
+  service_principal_name        = "azuredevops-pipeline-terraform"
+  key_vault_name                = "kv-azdo-pipeline-prod"
+  resource_group_name           = "rg-azdo-pipeline-prod"
+  location                      = "West Europe"
+  scope                         = "/subscriptions/00000000-0000-0000-0000-000000000000"
+}
+```
+
+## Post-Deployment Steps
+
+1. Create an Azure DevOps PAT with `Build (Read & Execute)` scope
+2. Store the PAT in the provisioned Key Vault:
+   ```bash
+   az keyvault secret set --vault-name <key_vault_name> --name azdo-pat --value <your_pat>
+   ```
+
+## Outputs
+
+- `service_principal_client_id` - For authentication
+- `key_vault_name` - Where to store the PAT
+- `key_vault_uri` - For programmatic access
+- `azure_devops_organization_url` - Organization URL passed through
+
+## Security Considerations
+
+- Service principal has read-only access to Key Vault secrets
+- PAT should be rotated regularly (recommended: every 90 days)
+- Use separate backplane instances for different environments

modules/azuredevops/pipeline/backplane/main.tf

@@ -0,0 +1,69 @@
+data "azurerm_client_config" "current" {}
+
+data "azurerm_subscription" "current" {}
+
+resource "azuread_application" "azure_devops" {
+  display_name = var.service_principal_name
+  description  = "Service principal for managing Azure DevOps pipelines"
+}
+
+resource "azuread_service_principal" "azure_devops" {
+  client_id = azuread_application.azure_devops.client_id
+}
+
+resource "azurerm_resource_group" "devops" {
+  name     = var.resource_group_name
+  location = var.location
+}
+
+resource "azurerm_key_vault" "devops" {
+  name                = var.key_vault_name
+  location            = azurerm_resource_group.devops.location
+  resource_group_name = azurerm_resource_group.devops.name
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = "standard"
+
+  access_policy {
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    object_id = data.azurerm_client_config.current.object_id
+
+    secret_permissions = [
+      "Get",
+      "List",
+      "Set",
+      "Delete",
+      "Recover",
+      "Backup",
+      "Restore"
+    ]
+  }
+
+  access_policy {
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    object_id = azuread_service_principal.azure_devops.object_id
+
+    secret_permissions = [
+      "Get",
+      "List"
+    ]
+  }
+}
+
+resource "azurerm_role_definition" "azure_devops_manager" {
+  name        = "${var.service_principal_name}-manager"
+  description = "Allows management of Azure DevOps pipelines"
+  scope       = var.scope
+
+  permissions {
+    actions = [
+      "Microsoft.KeyVault/vaults/secrets/read",
+      "Microsoft.Resources/subscriptions/resourceGroups/read"
+    ]
+  }
+}
+
+resource "azurerm_role_assignment" "azure_devops_manager" {
+  scope              = var.scope
+  role_definition_id = azurerm_role_definition.azure_devops_manager.role_definition_resource_id
+  principal_id       = azuread_service_principal.azure_devops.object_id
+}

modules/azuredevops/pipeline/backplane/outputs.tf

@@ -0,0 +1,34 @@
+output "service_principal_client_id" {
+  description = "Client ID of the Azure DevOps service principal"
+  value       = azuread_service_principal.azure_devops.client_id
+}
+
+output "service_principal_object_id" {
+  description = "Object ID of the Azure DevOps service principal"
+  value       = azuread_service_principal.azure_devops.object_id
+}
+
+output "key_vault_id" {
+  description = "ID of the Key Vault for storing Azure DevOps PAT"
+  value       = azurerm_key_vault.devops.id
+}
+
+output "key_vault_name" {
+  description = "Name of the Key Vault for storing Azure DevOps PAT"
+  value       = azurerm_key_vault.devops.name
+}
+
+output "key_vault_uri" {
+  description = "URI of the Key Vault for storing Azure DevOps PAT"
+  value       = azurerm_key_vault.devops.vault_uri
+}
+
+output "resource_group_name" {
+  description = "Name of the resource group containing the Key Vault"
+  value       = azurerm_resource_group.devops.name
+}
+
+output "azure_devops_organization_url" {
+  description = "Azure DevOps organization URL"
+  value       = var.azure_devops_organization_url
+}

modules/azuredevops/pipeline/backplane/variables.tf

@@ -0,0 +1,31 @@
+variable "azure_devops_organization_url" {
+  description = "Azure DevOps organization URL (e.g., https://dev.azure.com/myorg)"
+  type        = string
+}
+
+variable "service_principal_name" {
+  description = "Name for the Azure DevOps service principal"
+  type        = string
+  default     = "azure-devops-terraform"
+}
+
+variable "key_vault_name" {
+  description = "Name of the Key Vault to store the Azure DevOps PAT"
+  type        = string
+}
+
+variable "resource_group_name" {
+  description = "Resource group name for the Key Vault"
+  type        = string
+}
+
+variable "location" {
+  description = "Azure region for resources"
+  type        = string
+  default     = "West Europe"
+}
+
+variable "scope" {
+  description = "Azure scope for role definitions (subscription or management group)"
+  type        = string
+}

modules/azuredevops/pipeline/backplane/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.116.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~> 2.53.1"
+    }
+  }
+}