Merge pull request #5 from PerfectThymeTech/marvinbuss/create_iac

Create IaC

.github/workflows/_terraformEnvironmentTemplate.yml

@@ -12,15 +12,19 @@ on:
         required: true
         type: string
         description: "Specifies the working directory."
+      subscription_id:
+        required: true
+        type: string
+        description: "Specifies the Azure subscription id."
+      terraform_version:
+        required: true
+        type: string
+        description: "Specifies the terraform version."
       export_terraform_outputs:
         required: false
         type: boolean
         default: false
         description: "Specifies whether terraform outputs should be exported."
-      subscription_id:
-        required: true
-        type: string
-        description: "Specifies the Azure subscription id."
     secrets:
       TENANT_ID:
         required: true
@@ -39,11 +43,19 @@ on:
 jobs:
   lint:
     name: Terraform Lint
-    runs-on: [self-hosted]
+    runs-on: [ubuntu-latest]
     continue-on-error: false
     needs: []
 
     steps:
+      # Setup Terraform
+      - name: Setup Terraform
+        id: terraform_setup
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: ${{ inputs.terraform_version }}
+          terraform_wrapper: true
+
       # Check Out Repository
       - name: Check Out Repository
         id: checkout_repository
@@ -71,6 +83,21 @@ jobs:
       ARM_USE_OIDC: false
 
     steps:
+      # Setup Node
+      - name: Setup Node
+        id: node_setup
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16
+
+      # Setup Terraform
+      - name: Setup Terraform
+        id: terraform_setup
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: ${{ inputs.terraform_version }}
+          terraform_wrapper: true
+
       # Check Out Repository
       - name: Check Out Repository
         id: checkout_repository
@@ -115,6 +142,21 @@ jobs:
       ARM_USE_OIDC: false
 
     steps:
+      # Setup Node
+      - name: Setup Node
+        id: node_setup
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16
+
+      # Setup Terraform
+      - name: Setup Terraform
+        id: terraform_setup
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: ${{ inputs.terraform_version }}
+          terraform_wrapper: true
+
       # Check Out Repository
       - name: Check Out Repository
         id: checkout_repository

.github/workflows/deployment.yml

@@ -4,32 +4,26 @@ on:
     branches:
       - main
     paths:
-      - "**.tf"
-      - "**.yml"
-      - "**.yaml"
-      - "!.github/workflows/**"
-      - "!.pre-commit-config.yaml"
-      - "!.terraform-docs.yml"
+      - "code/terraform/**"
+      - ".github/workflows/deployment"
 
   pull_request:
     branches:
       - main
     paths:
-      - "**.tf"
-      - "**.yml"
-      - "**.yaml"
-      - "!.github/workflows/**"
-      - "!.pre-commit-config.yaml"
-      - "!.terraform-docs.yml"
+      - "code/terraform/**"
+      - ".github/workflows/deployment"
 
 jobs:
   terraform:
     uses: ./.github/workflows/_terraformEnvironmentTemplate.yml
     name: "Terraform Deployment"
     with:
       environment: "dev"
-      working_directory: "./tests/e2e"
+      working_directory: "./code/terraform"
       subscription_id: "8f171ff9-2b5b-4f0f-aed5-7fa360a1d094"
+      terraform_version: "1.5.6"
+      export_terraform_outputs: false
     secrets:
       TENANT_ID: ${{ secrets.TENANT_ID }}
       CLIENT_ID: ${{ secrets.CLIENT_ID }}

code/terraform/applicationinsights.tf

@@ -0,0 +1,44 @@
+resource "azurerm_application_insights" "application_insights" {
+  name                = "${local.prefix}-ai001"
+  location            = var.location
+  resource_group_name = data.azurerm_resource_group.resource_group.name
+  tags                = var.tags
+
+  application_type                      = "web"
+  daily_data_cap_notifications_disabled = false
+  disable_ip_masking                    = false
+  force_customer_storage_for_profiler   = false
+  internet_ingestion_enabled            = true
+  internet_query_enabled                = true
+  local_authentication_disabled         = false # Can be switched once AAD auth is supported
+  retention_in_days                     = 90
+  sampling_percentage                   = 100
+  workspace_id                          = azurerm_log_analytics_workspace.log_analytics_workspace.id
+}
+
+data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_application_insights" {
+  resource_id = azurerm_application_insights.application_insights.id
+}
+
+resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_application_insights" {
+  name                       = "logAnalytics"
+  target_resource_id         = azurerm_application_insights.application_insights.id
+  log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
+
+  dynamic "enabled_log" {
+    iterator = entry
+    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.log_category_groups
+    content {
+      category_group = entry.value
+    }
+  }
+
+  dynamic "metric" {
+    iterator = entry
+    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.metrics
+    content {
+      category = entry.value
+      enabled  = true
+    }
+  }
+}

code/terraform/containerregistry.tf

@@ -0,0 +1,89 @@
+resource "azurerm_container_registry" "container_registry" {
+  name                = replace("${local.prefix}-acr001", "-", "")
+  location            = var.location
+  resource_group_name = data.azurerm_resource_group.resource_group.name
+  tags                = var.tags
+  identity {
+    type = "SystemAssigned"
+  }
+
+  admin_enabled              = true
+  anonymous_pull_enabled     = false
+  data_endpoint_enabled      = false
+  export_policy_enabled      = true
+  network_rule_bypass_option = "AzureServices"
+  network_rule_set = [
+    {
+      default_action  = "Deny"
+      ip_rule         = []
+      virtual_network = []
+    }
+  ]
+  public_network_access_enabled = false
+  quarantine_policy_enabled     = true
+  retention_policy = [
+    {
+      days    = 7
+      enabled = true
+    }
+  ]
+  sku = "Premium"
+  trust_policy = [
+    {
+      enabled = false
+    }
+  ]
+  zone_redundancy_enabled = true
+}
+
+data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_container_registry" {
+  resource_id = azurerm_container_registry.container_registry.id
+}
+
+resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_container_registry" {
+  name                       = "logAnalytics"
+  target_resource_id         = azurerm_container_registry.container_registry.id
+  log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
+
+  dynamic "enabled_log" {
+    iterator = entry
+    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_container_registry.log_category_groups
+    content {
+      category_group = entry.value
+    }
+  }
+
+  dynamic "metric" {
+    iterator = entry
+    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_container_registry.metrics
+    content {
+      category = entry.value
+      enabled  = true
+    }
+  }
+}
+
+resource "azurerm_private_endpoint" "container_registry_private_endpoint" {
+  name                = "${azurerm_container_registry.container_registry.name}-pe"
+  location            = var.location
+  resource_group_name = azurerm_container_registry.container_registry.resource_group_name
+  tags                = var.tags
+
+  custom_network_interface_name = "${azurerm_container_registry.container_registry.name}-nic"
+  private_service_connection {
+    name                           = "${azurerm_container_registry.container_registry.name}-pe"
+    is_manual_connection           = false
+    private_connection_resource_id = azurerm_container_registry.container_registry.id
+    subresource_names              = ["registry"]
+  }
+  subnet_id = data.azurerm_subnet.subnet.id
+  dynamic "private_dns_zone_group" {
+    for_each = var.private_dns_zone_id_container_registry == "" ? [] : [1]
+    content {
+      name = "${azurerm_container_registry.container_registry.name}-arecord"
+      private_dns_zone_ids = [
+        var.private_dns_zone_id_container_registry
+      ]
+    }
+  }
+}

code/terraform/data.tf

@@ -0,0 +1,11 @@
+data "azurerm_client_config" "current" {}
+
+data "azurerm_resource_group" "resource_group" {
+  name = var.resource_group_name
+}
+
+data "azurerm_subnet" "subnet" {
+  name                 = local.subnet.name
+  virtual_network_name = local.subnet.virtual_network_name
+  resource_group_name  = local.subnet.resource_group_name
+}

code/terraform/keyvault.tf

@@ -0,0 +1,75 @@
+resource "azurerm_key_vault" "key_vault" {
+  name                = "${local.prefix}-kv001"
+  location            = var.location
+  resource_group_name = data.azurerm_resource_group.resource_group.name
+  tags                = var.tags
+
+  access_policy                   = []
+  enable_rbac_authorization       = true
+  enabled_for_deployment          = false
+  enabled_for_disk_encryption     = false
+  enabled_for_template_deployment = false
+  network_acls {
+    bypass                     = "AzureServices"
+    default_action             = "Deny"
+    ip_rules                   = []
+    virtual_network_subnet_ids = []
+  }
+  public_network_access_enabled = false
+  purge_protection_enabled      = true
+  sku_name                      = "premium"
+  soft_delete_retention_days    = 7
+  tenant_id                     = data.azurerm_client_config.current.tenant_id
+}
+
+data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_key_vault" {
+  resource_id = azurerm_key_vault.key_vault.id
+}
+
+resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_key_vault" {
+  name                       = "logAnalytics"
+  target_resource_id         = azurerm_key_vault.key_vault.id
+  log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
+
+  dynamic "enabled_log" {
+    iterator = entry
+    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_key_vault.log_category_groups
+    content {
+      category_group = entry.value
+    }
+  }
+
+  dynamic "metric" {
+    iterator = entry
+    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_key_vault.metrics
+    content {
+      category = entry.value
+      enabled  = true
+    }
+  }
+}
+
+resource "azurerm_private_endpoint" "key_vault_private_endpoint" {
+  name                = "${azurerm_key_vault.key_vault.name}-pe"
+  location            = var.location
+  resource_group_name = azurerm_key_vault.key_vault.resource_group_name
+  tags                = var.tags
+
+  custom_network_interface_name = "${azurerm_key_vault.key_vault.name}-nic"
+  private_service_connection {
+    name                           = "${azurerm_key_vault.key_vault.name}-pe"
+    is_manual_connection           = false
+    private_connection_resource_id = azurerm_key_vault.key_vault.id
+    subresource_names              = ["vault"]
+  }
+  subnet_id = data.azurerm_subnet.subnet.id
+  dynamic "private_dns_zone_group" {
+    for_each = var.private_dns_zone_id_key_vault == "" ? [] : [1]
+    content {
+      name = "${azurerm_key_vault.key_vault.name}-arecord"
+      private_dns_zone_ids = [
+        var.private_dns_zone_id_key_vault
+      ]
+    }
+  }
+}

code/terraform/locals.tf

@@ -0,0 +1,9 @@
+locals {
+  prefix = "${lower(var.prefix)}-${var.environment}"
+
+  subnet = {
+    resource_group_name  = split("/", var.subnet_id)[4]
+    virtual_network_name = split("/", var.subnet_id)[8]
+    name                 = split("/", var.subnet_id)[10]
+  }
+}