Update azurerm to v4.3.0 & Switch to Modules #110

Merged
merged 10 commits into from
Sep 26, 2024
6 changes: 6 additions & 0 deletions .github/workflows/_terraformEnvironmentTemplate.yml
Expand Up @@ -100,6 +100,9 @@ jobs:
continue-on-error: false
environment: ${{ inputs.environment }}
needs: [lint]
concurrency:
group: terraform-${{ inputs.config }}-${{ inputs.environment }}
cancel-in-progress: false

env:
ARM_TENANT_ID: ${{ inputs.tenant_id }}
Expand Down Expand Up @@ -195,6 +198,9 @@ jobs:
environment: ${{ inputs.environment }}
if: github.event_name == 'push' || github.event_name == 'release'
needs: [plan]
concurrency:
group: terraform-${{ inputs.config }}-${{ inputs.environment }}
cancel-in-progress: false

env:
ARM_TENANT_ID: ${{ inputs.tenant_id }}
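Review bot: The same concurrency group `terraform-${{ inputs.config }}-${{ inputs.environment }}` is declared on both the plan job (first hunk) and the apply job (second hunk), so a plan from any branch queues behind a running apply for that config/environment and vice versa; if that serialization is the intended guard against concurrent state access, a comment saying so would keep a later edit from splitting the jobs into separate groups. `cancel-in-progress: false` is the right choice for the apply job, since an apply interrupted mid-run can leave resources created but not yet recorded in state; I would make that explicit with `# never cancel a running apply: an interrupted apply can leave resources outside state`. Both jobs continue outside the hunks.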
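--- a/code/infra/applicationinsights.tf
+++ b/code/infra/applicationinsights.tf
@@ -0,0 +1,14 @@
+module "application_insights" {
+source = "github.com/PerfectThymeTech/terraform-azurerm-modules//modules/applicationinsights?ref=main"
+providers = {
+azurerm = azurerm
+}
+
+location = var.location
+resource_group_name = azurerm_resource_group.resource_group_container_app.name
+tags = var.tags
+application_insights_name = "${local.prefix}-appi001"
+application_insights_application_type = "web"
+application_insights_log_analytics_workspace_id = var.log_analytics_workspace_id
+diagnostics_configurations = local.diagnostics_configurations
+}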
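Review bot: The module `source` on the second line of this file resolves `?ref=main`, a mutable branch of an external repository, so each `terraform init` may fetch different module code and any change or compromise of that upstream branch flows directly into this infrastructure; the same unpinned reference is used in `code/infra/keyvault.tf` and `code/infra/userassignedidentity.tf`. Pin each source to a release tag or, preferably, a full commit SHA (`?ref=<tag-or-commit-sha>`) and bump it deliberately in a reviewed change. The rest of the inputs are plain pass-throughs of existing variables and locals and look fine.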
14 changes: 7 additions & 7 deletions code/infra/containerapps.tf
@@ -1,5 +1,5 @@
resource "azapi_resource" "container_apps_environment" {
type = "Microsoft.App/managedEnvironments@2023-08-01-preview"
type = "Microsoft.App/managedEnvironments@2024-03-01"
parent_id = azurerm_resource_group.resource_group_container_app.id
name = "${local.prefix}-cae001"
location = var.location
Expand All @@ -8,7 +8,7 @@ resource "azapi_resource" "container_apps_environment" {
body = jsonencode({
properties = {
# appInsightsConfiguration = { # Can only be set when DaprAIConnectionString is set to null
# connectionString = azurerm_application_insights.application_insights.connection_string
# connectionString = module.application_insights.application_insights_connection_string
# }
appLogsConfiguration = {
destination = "log-analytics"
Expand All @@ -17,8 +17,8 @@ resource "azapi_resource" "container_apps_environment" {
sharedKey = data.azurerm_log_analytics_workspace.log_analytics_workspace.primary_shared_key
}
}
daprAIConnectionString = azurerm_application_insights.application_insights.connection_string
daprAIInstrumentationKey = azurerm_application_insights.application_insights.instrumentation_key
daprAIConnectionString = module.application_insights.application_insights_connection_string
daprAIInstrumentationKey = module.application_insights.application_insights_instrumentation_key
daprConfiguration = {}
infrastructureResourceGroup = "${local.prefix}-cae001-rg"
kedaConfiguration = {}
Expand All @@ -38,15 +38,15 @@ resource "azapi_resource" "container_apps_environment" {
}

resource "azapi_resource" "container_apps_job" {
type = "Microsoft.App/jobs@2023-05-02-preview"
type = "Microsoft.App/jobs@2024-03-01"
parent_id = azurerm_resource_group.resource_group_container_app.id
name = "${local.prefix}-caj001"
location = var.location
tags = var.tags
identity {
type = "UserAssigned"
identity_ids = [
azurerm_user_assigned_identity.user_assigned_identity.id
module.user_assigned_identity.user_assigned_identity_id
]
}

Expand Down Expand Up @@ -86,7 +86,7 @@ resource "azapi_resource" "container_apps_job" {
}
secrets = [
{
identity = azurerm_user_assigned_identity.user_assigned_identity.id
identity = module.user_assigned_identity.user_assigned_identity_id
keyVaultUrl = azurerm_key_vault_secret.key_vault_secret_github_pat.versionless_id
name = "personal-access-token"
value = var.github_personal_access_token
92 changes: 18 additions & 74 deletions code/infra/keyvault.tf
@@ -1,87 +1,31 @@
resource "azurerm_key_vault" "key_vault" {
name = "${local.prefix}-kv001"
location = var.location
resource_group_name = azurerm_resource_group.resource_group_container_app.name
tags = var.tags

access_policy = []
enable_rbac_authorization = true
enabled_for_deployment = false
enabled_for_disk_encryption = false
enabled_for_template_deployment = false
network_acls {
bypass = "AzureServices"
default_action = "Deny"
ip_rules = []
virtual_network_subnet_ids = []
module "key_vault" {
source = "github.com/PerfectThymeTech/terraform-azurerm-modules//modules/keyvault?ref=main"
providers = {
azurerm = azurerm
time = time
}
public_network_access_enabled = false
purge_protection_enabled = true
sku_name = "premium"
soft_delete_retention_days = 7
tenant_id = data.azurerm_client_config.current.tenant_id
}

data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_key_vault" {
resource_id = azurerm_key_vault.key_vault.id
}

resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_key_vault" {
name = "logAnalytics"
target_resource_id = azurerm_key_vault.key_vault.id
log_analytics_workspace_id = var.log_analytics_workspace_id

dynamic "enabled_log" {
iterator = entry
for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_key_vault.log_category_groups
content {
category_group = entry.value
}
}

dynamic "metric" {
iterator = entry
for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_key_vault.metrics
content {
category = entry.value
enabled = true
}
}
location = var.location
resource_group_name = azurerm_resource_group.resource_group_container_app.name
tags = var.tags
key_vault_name = "${local.prefix}-kv001"
key_vault_sku_name = "standard"
key_vault_soft_delete_retention_days = 7
diagnostics_configurations = local.diagnostics_configurations
subnet_id = azapi_resource.subnet_private_endpoints.id
connectivity_delay_in_seconds = var.connectivity_delay_in_seconds
private_dns_zone_id_vault = var.private_dns_zone_id_vault
}

resource "azurerm_key_vault_secret" "key_vault_secret_github_pat" {
name = "github-pat"
key_vault_id = azurerm_key_vault.key_vault.id
key_vault_id = module.key_vault.key_vault_id

content_type = "text/plain"
value = var.github_personal_access_token

depends_on = [
azurerm_role_assignment.current_role_assignment_key_vault_secrets_officer
azurerm_role_assignment.current_role_assignment_key_vault_secrets_officer,
module.key_vault.key_vault_setup_completed,
]
}

resource "azurerm_private_endpoint" "key_vault_private_endpoint" {
name = "${azurerm_key_vault.key_vault.name}-pe"
location = var.location
resource_group_name = azurerm_key_vault.key_vault.resource_group_name
tags = var.tags

custom_network_interface_name = "${azurerm_key_vault.key_vault.name}-nic"
private_service_connection {
name = "${azurerm_key_vault.key_vault.name}-pe"
is_manual_connection = false
private_connection_resource_id = azurerm_key_vault.key_vault.id
subresource_names = ["vault"]
}
subnet_id = azapi_resource.subnet_private_endpoints.id
dynamic "private_dns_zone_group" {
for_each = var.private_dns_zone_id_key_vault == "" ? [] : [1]
content {
name = "${azurerm_key_vault.key_vault.name}-arecord"
private_dns_zone_ids = [
var.private_dns_zone_id_key_vault
]
}
}
}
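Review bot: `key_vault_sku_name = "standard"` in the new module call replaces the removed `sku_name = "premium"`, a downgrade that drops HSM-backed key support and is not mentioned in the PR title; if it is intentional it should be called out, otherwise keep `"premium"`. The removed resource also set `enable_rbac_authorization = true`, `public_network_access_enabled = false`, `purge_protection_enabled = true` and `network_acls` with `default_action = "Deny"` explicitly, and none of these appear as module inputs, so whether they survive now depends entirely on the module's defaults at `ref=main` — please confirm them and pass them explicitly where the module exposes the inputs. `var.private_dns_zone_id_vault` and `var.connectivity_delay_in_seconds` replace `var.private_dns_zone_id_key_vault`, but their declarations are not in this diff, so I assume they live in a file not shown here. The added `depends_on` on `module.key_vault.key_vault_setup_completed` for the secret is a good addition.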
25 changes: 22 additions & 3 deletions code/infra/locals.tf
@@ -1,24 +1,43 @@
locals {
# General locals
prefix = "${lower(var.prefix)}-${var.environment}"
github_labels = "aca"
resource_providers_to_register = [
"Microsoft.Authorization",
"Microsoft.App",
"Microsoft.Insights",
"Microsoft.KeyVault",
"Microsoft.ManagedIdentity",
"Microsoft.Network",
"Microsoft.Resources",
]

# Resource locals
virtual_network = {
resource_group_name = split("/", var.vnet_id)[4]
name = split("/", var.vnet_id)[8]
}

network_security_group = {
resource_group_name = split("/", var.nsg_id)[4]
name = split("/", var.nsg_id)[8]
}

route_table = {
resource_group_name = split("/", var.route_table_id)[4]
name = split("/", var.route_table_id)[8]
}

log_analytics_workspace = {
resource_group_name = split("/", var.log_analytics_workspace_id)[4]
name = split("/", var.log_analytics_workspace_id)[8]
}

# Logging locals
diagnostics_configurations = [
{
log_analytics_workspace_id = var.log_analytics_workspace_id
storage_account_id = ""
}
]

# CMK locals
customer_managed_key = null
}
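Review bot: `customer_managed_key = null` at the end of the new block is not read by any file visible in this diff, so a reader cannot tell whether it is a placeholder for a module's CMK input or dead code; a comment such as `# null = platform-managed encryption; set to a module-compatible object to enable CMK` would record the intent. The `diagnostics_configurations` entry uses `storage_account_id = ""`, which I take to mean "no storage destination" — that empty-string-rather-than-null convention deserves a one-line comment too. `resource_providers_to_register` is now the complete allow-list consumed by `providers.tf`, so a comment noting that any resource from a new namespace requires an entry here would help the next maintainer.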
44 changes: 0 additions & 44 deletions code/infra/logging.tf

This file was deleted.

8 changes: 4 additions & 4 deletions code/infra/network.tf
@@ -1,6 +1,6 @@
resource "azapi_resource" "subnet_container_app" {
type = "Microsoft.Network/virtualNetworks/subnets@2022-07-01"
name = "ContainerAppSubnet"
type = "Microsoft.Network/virtualNetworks/subnets@2024-01-01"
name = "ConAppEnvironmentSubnet"
parent_id = data.azurerm_virtual_network.virtual_network.id

body = jsonencode({
Expand Down Expand Up @@ -30,8 +30,8 @@ resource "azapi_resource" "subnet_container_app" {
}

resource "azapi_resource" "subnet_private_endpoints" {
type = "Microsoft.Network/virtualNetworks/subnets@2022-07-01"
name = "CAPrivateEndpointSubnet"
type = "Microsoft.Network/virtualNetworks/subnets@2024-01-01"
name = "ConAppPrivateEndpointSubnet"
parent_id = data.azurerm_virtual_network.virtual_network.id

body = jsonencode({
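Review bot: The `name` change from `CAPrivateEndpointSubnet` to `ConAppPrivateEndpointSubnet` in this hunk (and `ContainerAppSubnet` to `ConAppEnvironmentSubnet` in the first hunk) forces a destroy-and-create of each `azapi_resource` subnet, and on an existing deployment Azure will not delete a subnet that still has the container apps environment or private endpoints attached, so the apply is likely to fail partway or to cascade into replacing those resources. If any environment has already been deployed, either keep the old names or plan the replacement window explicitly and note it in the PR description. The API version bump to `2024-01-01` on its own looks fine. Both resources continue outside the hunks.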
11 changes: 6 additions & 5 deletions code/infra/providers.tf
@@ -1,9 +1,10 @@
provider "azurerm" {
disable_correlation_request_id = false
environment = "public"
skip_provider_registration = false
storage_use_azuread = true
# use_oidc = true
disable_correlation_request_id = false
environment = "public"
resource_provider_registrations = "none"
resource_providers_to_register = local.resource_providers_to_register
storage_use_azuread = true
# use_oidc = true

features {
key_vault {
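Review bot: `resource_provider_registrations = "none"` with `resource_providers_to_register = local.resource_providers_to_register` replaces the removed `skip_provider_registration` (dropped in azurerm 4.x) and narrows what the deploying identity does at plan time to registering only the listed namespaces — a good least-privilege change, but the identity still needs `*/register/action` on each listed namespace, and any namespace missing from the list will now surface as a runtime error rather than being registered automatically. A comment on that line, `# explicit RP allow-list; keep local.resource_providers_to_register in sync with the resources in this config`, would make the contract visible. The `features` block continues outside the hunk.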
6 changes: 3 additions & 3 deletions code/infra/roleassignments.tf
@@ -1,12 +1,12 @@
resource "azurerm_role_assignment" "current_role_assignment_key_vault_secrets_officer" {
scope = azurerm_key_vault.key_vault.id
scope = module.key_vault.key_vault_id
role_definition_name = "Key Vault Secrets Officer"
principal_id = data.azurerm_client_config.current.object_id
}

# User Assigned Identity
resource "azurerm_role_assignment" "uai_role_assignment_key_vault_secrets_user" {
scope = azurerm_key_vault.key_vault.id
scope = module.key_vault.key_vault_id
role_definition_name = "Key Vault Secrets User"
principal_id = azurerm_user_assigned_identity.user_assigned_identity.principal_id
principal_id = module.user_assigned_identity.user_assigned_identity_principal_id
}
6 changes: 5 additions & 1 deletion code/infra/terraform.tf
Expand Up @@ -4,12 +4,16 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.116.0"
version = "4.3.0"
}
azapi = {
source = "azure/azapi"
version = "1.15.0"
}
time = {
source = "hashicorp/time"
version = "0.12.1"
}
}

backend "azurerm" {
16 changes: 11 additions & 5 deletions code/infra/userassignedidentity.tf
@@ -1,6 +1,12 @@
resource "azurerm_user_assigned_identity" "user_assigned_identity" {
name = "${local.prefix}-uai001"
location = var.location
resource_group_name = azurerm_resource_group.resource_group_container_app.name
tags = var.tags
module "user_assigned_identity" {
source = "github.com/PerfectThymeTech/terraform-azurerm-modules//modules/userassignedidentity?ref=main"
providers = {
azurerm = azurerm
}

location = var.location
resource_group_name = azurerm_resource_group.resource_group_container_app.name
tags = var.tags
user_assigned_identity_name = "${local.prefix}-uai001"
user_assigned_identity_federated_identity_credentials = {}
}