Terraform that creates a Harness project with a project-admin service account, an IaCM workspace, a pipeline, and GitHub triggers that apply the Terraform for that project's Harness resources from a Git repository.
# Provider requirements for this configuration.
# NOTE(review): no `version` constraint is set for the harness provider, so
# `terraform init` resolves whatever release is newest at the time; pin a
# constraint and commit the dependency lock file so plans are reproducible and
# provider upgrades are deliberate. This matters here because the automation
# below ends up holding a project-admin token.
terraform {
required_providers {
harness = {
source = "harness/harness"
}
}
}
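# Inputs. var.project_id doubles as the Harness identifier (and display name)
# of the project and of every project-scoped resource created below, so it
# must be a valid Harness identifier, not a free-form display name.
variable "org_id" {
  type        = string
  default     = "default"
  description = "Harness org identifier to create the project under."
}

variable "project_id" {
  type        = string
  description = "Identifier of the project to create. Also reused as the identifier and name of the service account, API key, token and workspace created for it."
}

variable "repository" {
  type        = string
  description = "Repository that stores the Terraform of Harness resources. Passed unchanged both as the workspace `repository` and as the triggers' `repoName`, so it must be in a form both accept for the chosen repository connector."
}

variable "repository_branch" {
  type        = string
  default     = "main"
  description = "Default branch of the repository. The workspace reads from it and the triggers only fire for pull requests and pushes whose target branch equals it."
}

variable "repository_path" {
  type        = string
  description = "Path in the repository where the Terraform code is placed."
}

variable "provider_connector" {
  type        = string
  description = "Harness connector for the target cloud platform; set as the workspace's `provider_connector`, so Terraform applied through this workspace acts with it."
}

variable "repository_connector" {
  type        = string
  description = "Harness connector for the repository; used by the workspace to read the code and referenced by both webhook triggers as `connectorRef`."
}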
# Account the provider credentials resolve to; its id is needed by the
# service-account, API-key and token resources further down.
data "harness_platform_current_account" "current" {}

# The project that everything below is scoped to. Both the identifier and the
# display name are taken from var.project_id.
resource "harness_platform_project" "this" {
  identifier = var.project_id
  name       = var.project_id
  org_id     = var.org_id
}
# Service account the IaCM workspace authenticates as. Its identifier, name and
# the local part of its e-mail are all the project id; the e-mail is synthetic
# (service.harness.io) and is only there because the resource requires one.
resource "harness_platform_service_account" "this" {
  identifier = harness_platform_project.this.id
  name       = harness_platform_project.this.id
  email      = "${harness_platform_project.this.id}@service.harness.io"
  account_id = data.harness_platform_current_account.current.id
  org_id     = var.org_id
  project_id = harness_platform_project.this.id
}
# Grant the service account `_project_admin` over `_all_project_level_resources`,
# i.e. full administrative rights inside the project (not org or account).
# NOTE(review): this is the broadest project-level grant available. Since the
# token minted for this account is stored as a project-scoped secret below,
# anyone who can author a pipeline in this project can presumably read it and
# act as project admin — confirm that is acceptable, or scope the role to the
# resource types the workspace's Terraform actually manages.
resource "harness_platform_role_assignments" "this" {
  org_id                    = var.org_id
  project_id                = harness_platform_project.this.id
  role_identifier           = "_project_admin"
  resource_group_identifier = "_all_project_level_resources"

  principal {
    type       = "SERVICE_ACCOUNT"
    identifier = harness_platform_service_account.this.id
  }
}
# API key owned by the service account; the token below is minted under it.
# `default_time_to_expire_token` is not set here, so whatever default Harness
# applies is kept and ignored on later plans to avoid perpetual drift.
# NOTE(review): that also means the token lifetime is never pinned in code —
# set it explicitly if a bounded lifetime is required.
resource "harness_platform_apikey" "this" {
  identifier  = harness_platform_project.this.id
  name        = harness_platform_project.this.id
  apikey_type = "SERVICE_ACCOUNT"
  parent_id   = harness_platform_service_account.this.id
  account_id  = data.harness_platform_current_account.current.id
  org_id      = var.org_id
  project_id  = harness_platform_project.this.id

  lifecycle {
    ignore_changes = [default_time_to_expire_token]
  }
}
# Bearer token for the API key above; `value` is exported and consumed by the
# secret resource below.
# NOTE(review): no validity window is configured on the token, and nothing here
# rotates it. Check the provider's token resource for validity attributes and
# plan a rotation path (taint/replace this resource) since the value carries
# project-admin rights.
resource "harness_platform_token" "this" {
  identifier  = harness_platform_project.this.id
  name        = harness_platform_project.this.id
  apikey_type = "SERVICE_ACCOUNT"
  apikey_id   = harness_platform_apikey.this.id
  parent_id   = harness_platform_apikey.this.id
  account_id  = data.harness_platform_current_account.current.id
  org_id      = var.org_id
  project_id  = harness_platform_project.this.id
}
# Persist the token as an inline project secret in the built-in Harness secret
# manager so the workspace can reference it by id rather than by value.
# NOTE(review): the token value passes through Terraform state twice — as
# harness_platform_token.this.value and as this resource's `value` — in
# plaintext. Keep state in an encrypted, access-controlled remote backend and
# treat state read access as equivalent to project-admin access.
resource "harness_platform_secret_text" "this" {
  identifier                = "project_admin"
  name                      = "project_admin"
  org_id                    = var.org_id
  project_id                = harness_platform_project.this.id
  secret_manager_identifier = "harnessSecretManager"
  value_type                = "Inline"
  value                     = harness_platform_token.this.value
}
# IaCM workspace that runs the repository's Terraform with a pinned OpenTofu
# release. The Harness provider inside that code is configured through two
# environment variables: the account id as a plain string and the API key as a
# reference to the project secret (value_type "secret"), so the token itself
# never appears in the workspace definition.
resource "harness_platform_workspace" "this" {
  identifier = harness_platform_project.this.id
  name       = harness_platform_project.this.id
  org_id     = var.org_id
  project_id = harness_platform_project.this.id

  provisioner_type        = "opentofu"
  provisioner_version     = "1.8.0"
  cost_estimation_enabled = false

  repository           = var.repository
  repository_branch    = var.repository_branch
  repository_path      = var.repository_path
  repository_connector = var.repository_connector
  provider_connector   = var.provider_connector

  environment_variable {
    key        = "HARNESS_ACCOUNT_ID"
    value_type = "string"
    value      = data.harness_platform_current_account.current.id
  }

  environment_variable {
    key        = "HARNESS_PLATFORM_API_KEY"
    value_type = "secret"
    value      = harness_platform_secret_text.this.id
  }
}
# Pipeline that drives the workspace end to end — init, plan, apply — in one
# IACM stage on Harness Cloud runners. The YAML is indented here so it parses;
# step `timeout` sits at step level alongside `spec`.
# NOTE(review): apply is unconditional, and both triggers below target this
# pipeline, so a pull request that merely targets var.repository_branch gets
# applied with the project-admin token and var.provider_connector before it is
# reviewed or merged. Give PRs a plan-only pipeline (or gate the apply step
# with a `when` condition on the trigger event — verify the exact expression in
# the Harness trigger reference) so only pushes to the default branch apply.
resource "harness_platform_pipeline" "this" {
  identifier  = "harness_infra"
  name        = "harness_infra"
  description = "provision resources for this project"
  org_id      = var.org_id
  project_id  = harness_platform_project.this.id

  yaml = <<-EOT
    pipeline:
      orgIdentifier: ${var.org_id}
      projectIdentifier: ${harness_platform_project.this.id}
      identifier: harness_infra
      name: harness_infra
      description: provision resources for this project
      tags: {}
      stages:
        - stage:
            identifier: provision
            name: provision
            type: IACM
            spec:
              platform:
                os: Linux
                arch: Amd64
              runtime:
                type: Cloud
                spec: {}
              workspace: ${harness_platform_workspace.this.id}
              execution:
                steps:
                  - step:
                      type: IACMOpenTofuPlugin
                      name: init
                      identifier: init
                      spec:
                        command: init
                      timeout: 10m
                  - step:
                      type: IACMOpenTofuPlugin
                      name: plan
                      identifier: plan
                      spec:
                        command: plan
                      timeout: 10m
                  - step:
                      type: IACMOpenTofuPlugin
                      name: apply
                      identifier: apply
                      spec:
                        command: apply
                      timeout: 10m
  EOT
}
# GitHub pull-request trigger: fires on open/edit/reopen/synchronize for PRs
# whose target branch is var.repository_branch and runs the harness_infra
# pipeline.
# NOTE(review): that pipeline ends in an unconditional apply, so unreviewed PR
# contents are applied with the project-admin token; point this trigger at a
# plan-only pipeline. `encryptedWebhookSecretIdentifier` is also empty — if the
# GitHub webhook is not configured with a secret, inbound payloads are not
# signature-verified; confirm how the repository connector's webhook is set up.
resource "harness_platform_triggers" "pr" {
  identifier = "pr"
  name       = "pr"
  org_id     = var.org_id
  project_id = harness_platform_project.this.id
  target_id  = harness_platform_pipeline.this.id

  yaml = <<-EOT
    trigger:
      orgIdentifier: ${var.org_id}
      projectIdentifier: ${harness_platform_project.this.id}
      name: pr
      identifier: pr
      enabled: true
      encryptedWebhookSecretIdentifier: ""
      description: ""
      tags: {}
      stagesToExecute: []
      pipelineIdentifier: ${harness_platform_pipeline.this.id}
      source:
        type: Webhook
        spec:
          type: Github
          spec:
            type: PullRequest
            spec:
              connectorRef: ${var.repository_connector}
              autoAbortPreviousExecutions: false
              payloadConditions:
                - key: targetBranch
                  operator: Equals
                  value: ${var.repository_branch}
              headerConditions: []
              repoName: ${var.repository}
              actions:
                - Edit
                - Open
                - Reopen
                - Synchronize
  EOT
}
# GitHub push trigger: runs the harness_infra pipeline (init/plan/apply) when a
# push lands on var.repository_branch. Push events carry no sub-actions, hence
# the empty `actions` list.
# NOTE(review): `encryptedWebhookSecretIdentifier` is empty here too — unless
# the GitHub webhook is configured with a secret, payloads reaching this
# trigger are not signature-verified; confirm the webhook setup on the
# repository connector.
resource "harness_platform_triggers" "push" {
  identifier = "push"
  name       = "push"
  org_id     = var.org_id
  project_id = harness_platform_project.this.id
  target_id  = harness_platform_pipeline.this.id

  yaml = <<-EOT
    trigger:
      orgIdentifier: ${var.org_id}
      projectIdentifier: ${harness_platform_project.this.id}
      name: push
      identifier: push
      enabled: true
      encryptedWebhookSecretIdentifier: ""
      description: ""
      tags: {}
      stagesToExecute: []
      pipelineIdentifier: ${harness_platform_pipeline.this.id}
      source:
        type: Webhook
        spec:
          type: Github
          spec:
            type: Push
            spec:
              connectorRef: ${var.repository_connector}
              autoAbortPreviousExecutions: false
              payloadConditions:
                - key: targetBranch
                  operator: Equals
                  value: ${var.repository_branch}
              headerConditions: []
              repoName: ${var.repository}
              actions: []
  EOT
}