terraform stuff

Author: mrlockstar

.azuredevops/pipelines/hub-infrastructure-dev.yaml

@@ -31,7 +31,7 @@ stages:
     displayName: Terraform Plan
     condition: eq(variables['Build.Reason'], 'Manual')
     variables:
-      tfVarsFile: environments/$(ENVIRONMENT)/variables.tfvars
+      tfVarsFile: ../../environments/$(ENVIRONMENT)/variables.tfvars
     jobs:
       - job: init_and_plan
         displayName: Init, plan, store artifact

infrastructure/bootstrap/hub.bicep

@@ -49,6 +49,7 @@ var storageAccountName = 'sa${appShortName}${regionShortName}state'
 var miADOtoAZname = 'mi-${appShortName}-${hubType}-adotoaz-${regionShortName}'
 var miGHtoADOname = 'mi-${appShortName}-${hubType}-ghtoado-${regionShortName}'
 
+
 // See: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
 var roleID = {
   CDNContributor: 'ec156ff8-a8d1-4d15-830c-5b80698ca432'

infrastructure/environments/nonlive-hub/variables.tfvars

@@ -9,6 +9,8 @@ features = {
   log_analytics_data_export_rule_enabled = false
 }
 
+virtual_desktop_group_active = "green"
+
 projects = {
   lung-cancer-screening = {
     full_name  = "Lung Cancer Screening"
@@ -22,6 +24,25 @@ projects = {
   }
 }
 
+diagnostic_settings = {
+  metric_enabled = true
+}
+
+private_dns_zones = {
+  is_app_services_enabled                    = true
+  is_azure_sql_private_dns_zone_enabled      = true
+  is_postgres_sql_private_dns_zone_enabled   = true
+  is_storage_private_dns_zone_enabled        = true
+  is_acr_private_dns_zone_enabled            = false
+  is_app_insights_private_dns_zone_enabled   = true
+  is_apim_private_dns_zone_enabled           = false
+  is_key_vault_private_dns_zone_enabled      = true
+  is_event_hub_private_dns_zone_enabled      = false
+  is_event_grid_enabled_dns_zone_enabled     = false
+  is_container_apps_enabled_dns_zone_enabled = true
+}
+
+
 avd_vm_count                 = 1
 avd_maximum_sessions_allowed = 1 # per session host
 avd_vm_size                  = "Standard_D4as_v5"
@@ -68,4 +89,31 @@ regions = {
       }
     }
   }
+    ukwest = {
+    address_space     = "10.65.0.0/16"
+    is_primary_region = true
+    subnets = {
+      pep = {
+        cidr_newbits = 8
+        cidr_offset  = 2
+      }
+      virtual-desktop = {
+        cidr_newbits = 11
+        cidr_offset  = 32
+      }
+      dns-resolver-in = {
+        cidr_newbits               = 12
+        cidr_offset                = 112
+        delegation_name            = "Microsoft.Network/dnsResolvers"
+        service_delegation_name    = "Microsoft.Network/dnsResolvers"
+        service_delegation_actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
+      }
+      firewall = {
+        name         = "AzureFirewallSubnet"
+        cidr_newbits = 10
+        cidr_offset  = 192
+        create_nsg   = false
+      }
+    }
+  }
 }

infrastructure/terraform/hub/baseline.tf

@@ -0,0 +1,37 @@
+resource "azurerm_resource_group" "rg_base" {
+  for_each = var.regions
+
+  name     = module.config[each.key].names.resource-group
+  location = each.key
+}
+
+resource "azurerm_resource_group" "rg_project" {
+  # create a resource group for every project for every region:
+  for_each = local.projects_map
+
+  name     = "${module.config[each.value.region_key].names.resource-group}-${each.value.short_name}"
+  location = each.value.region_key
+  tags     = length(each.value.tags) > 0 ? each.value.tags : var.tags
+}
+
+locals {
+
+  # Create a flat list of projects with region keys for consumption in a for_each meta argument
+  projects_flatlist = flatten([
+    for region_key, region_val in var.regions : [
+      for project_key, project_val in var.projects : {
+        key               = "${project_key}-${region_key}"
+        region_key        = region_key
+        is_primary_region = region_val.is_primary_region
+        project_key       = project_key
+        full_name         = project_val.full_name
+        short_name        = project_val.short_name
+        acr               = project_val.acr
+        tags              = project_val.tags
+      }
+    ]
+  ])
+
+  # Project the above list into a map with unique keys for consumption in a for_each meta argument
+  projects_map = { for project in local.projects_flatlist : project.key => project }
+}

infrastructure/terraform/hub/dns_private.tf

@@ -40,8 +40,8 @@ module "private_dns_resolver" {
 
 locals {
   private_dns_zones = {
-    national_screening          = var.dns_zone_name_private.nationalscreening
-    screening                   = var.dns_zone_name_private.screening
+    # national_screening          = var.dns_zone_name_private.nationalscreening
+    # screening                   = var.dns_zone_name_private.screening
     container_registry          = "privatelink.azurecr.io"
     app_insights                = var.private_dns_zones.is_app_insights_private_dns_zone_enabled ? "privatelink.monitor.azure.com" : null
     automation                  = var.private_dns_zones.is_app_insights_private_dns_zone_enabled ? "privatelink.agentsvc.azure-automation.net" : null
@@ -79,7 +79,7 @@ module "private_dns_zones" {
 
   name                = each.value.name
   resource_group_name = azurerm_resource_group.private_dns_rg[each.value.region].name
-  vnet_id             = data.azurerm_virtual_network.hub[0].id
+  vnet_id             = data.azurerm_virtual_network.this.id
 
   tags = var.tags
 }

infrastructure/terraform/hub/outputs.tf

@@ -30,9 +30,9 @@ output "private_endpoint_rg_name" {
   value = { for k, v in azurerm_resource_group.rg_private_endpoints : k => v.name }
 }
 
-output "public_dns_zone_rg_name" {
-  value = var.dns_zone_rg_name_public
-}
+# output "public_dns_zone_rg_name" {
+#   value = var.dns_zone_rg_name_public
+# }
 
 output "subnets_hub" {
   value = module.subnets_hub

infrastructure/terraform/hub/variables.tf

@@ -4,10 +4,10 @@ variable "AVD_SOURCE_IMAGE_ID" {
   default     = null
 }
 
-variable "HUB_BACKEND_AZURE_STORAGE_ACCOUNT_NAME" {
-  description = "Storage account for certbot state"
-  type        = string
-}
+# variable "HUB_BACKEND_AZURE_STORAGE_ACCOUNT_NAME" {
+#   description = "Storage account for certbot state"
+#   type        = string
+# }
 
 variable "GITHUB_ORG_DATABASE_ID" {
   description = "GitHub Organization Database ID, specified via TF_VAR env var"
@@ -21,10 +21,10 @@ variable "TARGET_SUBSCRIPTION_ID" {
 }
 
 
-variable "WAF_POLICY_ID_APIM_GATEWAY" {
-  description = "ID of the WAF policy which will be bound to the Application Gateway listener for APIM Gateway"
-  type        = string
-}
+# variable "WAF_POLICY_ID_APIM_GATEWAY" {
+#   description = "ID of the WAF policy which will be bound to the Application Gateway listener for APIM Gateway"
+#   type        = string
+# }
 
 variable "regions" {
   type = map(object({
@@ -48,10 +48,10 @@ variable "application" {
   default     = "hub"
 }
 
-variable "attached_environments" {
-  description = "Configuration of the Log Analytics Workspace"
-  type        = list(string)
-}
+# variable "attached_environments" {
+#   description = "Configuration of the Log Analytics Workspace"
+#   type        = list(string)
+# }
 
 variable "avd_users_group_name" {
   description = "Entra ID group containing AVD users"
@@ -106,19 +106,19 @@ variable "diagnostic_settings" {
   })
 }
 
-variable "dns_zone_name_private" {
-  type        = map(string)
-  description = "Map of zone identifiers to their full private DNS zone names"
-}
+# variable "dns_zone_name_private" {
+#   type        = map(string)
+#   description = "Map of zone identifiers to their full private DNS zone names"
+# }
 
-variable "dns_zone_name_public" {
-  type        = map(string)
-  description = "Map of zone identifiers to their full public DNS zone names"
-}
+# variable "dns_zone_name_public" {
+#   type        = map(string)
+#   description = "Map of zone identifiers to their full public DNS zone names"
+# }
 
-variable "dns_zone_rg_name_public" {
-  type = string
-}
+# variable "dns_zone_rg_name_public" {
+#   type = string
+# }
 
 variable "environment" {
   description = "Environment code for deployments"
@@ -156,15 +156,15 @@ variable "firewall_config" {
   default = {}
 }
 
-variable "key_vault" {
-  description = "Configuration for the key vault"
-  type = object({
-    disk_encryption   = optional(bool, true)
-    soft_del_ret_days = optional(number, 7)
-    purge_prot        = optional(bool, false)
-    sku_name          = optional(string, "standard")
-  })
-}
+# variable "key_vault" {
+#   description = "Configuration for the key vault"
+#   type = object({
+#     disk_encryption   = optional(bool, true)
+#     soft_del_ret_days = optional(number, 7)
+#     purge_prot        = optional(bool, false)
+#     sku_name          = optional(string, "standard")
+#   })
+# }
 
 variable "law" {
   description = "Configuration of the Log Analytics Workspace"