wip

Author: mrlockstar

.azuredevops/pipelines/hub-infrastructure-dev.yaml

@@ -6,20 +6,6 @@ pr: none
 pool:
   name: private-pool-hub-nonlive-uks
   # vmImage: ubuntu-latest
-  steps:
-    - script: |
-        echo "=== List hosted toolcache ==="
-        ls -la /opt/hostedtoolcache || true
-
-        echo "=== List terraform cache ==="
-        ls -la /opt/hostedtoolcache/terraform || true
-
-        echo "=== Which terraform ==="
-        which terraform || true
-
-        echo "=== Terraform version ==="
-        terraform version || true
-      displayName: Inspect Terraform installation
 
 resources:
   repositories:
@@ -32,9 +18,9 @@ resources:
 variables:
   - group: NON_LIVE_hub_backend
   - name: TF_DIRECTORY
-    value: $(System.DefaultWorkingDirectory)/$(System.TeamProject)/infrastructure/terraform/hub
+    value: $(System.DefaultWorkingDirectory)/lung_cancer_screening/infrastructure/terraform/hub
   - name: TF_VERSION
-    value: 1.11.4
+    value: 1.14.3
   - name: TF_PLAN_ARTIFACT
     value: tf_plan_hub_art_NONLIVE_dev
   - name: ENVIRONMENT
@@ -50,19 +36,21 @@ stages:
       - job: init_and_plan
         displayName: Init, plan, store artifact
         steps:
-          - task: TerraformInstaller@1
-            displayName: Install Terraform $(TF_VERSION)
-            inputs:
-              terraformVersion: $(TF_VERSION)
+          - checkout: self
+          - checkout: dtos-devops-templates
           - task: Bash@3
-            displayName: 'Set TF_DIRECTORY variable'
+            displayName: 'Debug Terraform directory'
             inputs:
               targetType: 'inline'
               script: |
-                terraform --version
-
-          - checkout: self
-          - checkout: dtos-devops-templates
+                find . -type d | grep dtos-devops-templates
+                pwd
+                ls -la
+                echo "TF_DIRECTORY=$(TF_DIRECTORY)"
+                # cd $(TF_DIRECTORY)
+                ls -ltr
+                find .
+                terraform --version || true
           - template: .azuredevops/templates/steps/tf_plan.yaml@dtos-devops-templates
 
   - stage: terraform_apply

infrastructure/bootstrap/hub.bicep

@@ -217,7 +217,6 @@ module managedIdentiyGHtoADO 'modules/managedIdentity.bicep' = {
   }
 }
 
-
 @description('Let the GHtoADO managed identity access a subscription')
 resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(subscription().subscriptionId, hubType, 'reader')

infrastructure/bootstrap/modules/managedDevopsPool.bicep

@@ -12,8 +12,7 @@ param devopsSubnetName string
 param devopsSubnetAddressPrefix string
 param virtualNetworkName string
 
-// param fabricProfileSkuName string = 'Standard_D2ads_v5'
-param fabricProfileSkuName string = 'Standard_D2as_v5'
+param fabricProfileSkuName string = 'Standard_D2ads_v5'
 //param fabricProfileSkuName string = 'Standard_D2ldsv6'
 //param fabricProfileSkuName string = 'Standard_B4ms'
 

infrastructure/environments/nonlive-hub/variables.tfvars

@@ -10,3 +10,53 @@ postgres_backup_retention_days        = 7
 postgres_geo_redundant_backup_enabled = false
 protect_keyvault                      = false
 vnet_address_space                    = "10.65.0.0/16"
+
+
+regions = {
+  uksouth = {
+    address_space     = "10.65.0.0/16"
+    is_primary_region = true
+    subnets = {
+      acr = {
+        cidr_newbits = 11
+        cidr_offset  = 8
+      }
+      api-mgmt = {
+        cidr_newbits = 8
+        cidr_offset  = 6
+      }
+      app-gateway = {
+        cidr_newbits = 8
+        cidr_offset  = 5
+      }
+      pep = {
+        cidr_newbits = 8
+        cidr_offset  = 2
+      }
+      virtual-desktop = {
+        cidr_newbits = 11
+        cidr_offset  = 32
+      }
+      devops = {
+        cidr_newbits               = 8
+        cidr_offset                = 9
+        delegation_name            = "Microsoft.DevOpsInfrastructure/pools" # az provider register --namespace 'Microsoft.DevOpsInfrastructure'
+        service_delegation_name    = "Microsoft.DevOpsInfrastructure/pools"
+        service_delegation_actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
+      }
+      dns-resolver-in = {
+        cidr_newbits               = 12
+        cidr_offset                = 112
+        delegation_name            = "Microsoft.Network/dnsResolvers"
+        service_delegation_name    = "Microsoft.Network/dnsResolvers"
+        service_delegation_actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
+      }
+      firewall = {
+        name         = "AzureFirewallSubnet"
+        cidr_newbits = 10
+        cidr_offset  = 192
+        create_nsg   = false
+      }
+    }
+  }
+}

infrastructure/terraform/hub/config.tf

@@ -0,0 +1,11 @@
+module "config" {
+  for_each = var.regions
+
+  source = "../../../../dtos-devops-templates/infrastructure/modules/shared-config"
+
+  location    = each.key
+  application = var.application
+  env         = var.environment
+  env_type    = var.env_type
+  tags        = var.tags
+}

infrastructure/terraform/hub/dns_private.tf

@@ -9,24 +9,24 @@ resource "azurerm_resource_group" "private_dns_rg" {
   Private DNS Zone Resolver
 --------------------------------------------------------------------------------------------------*/
 
-module "private_dns_resolver" {
-  for_each = var.regions
+# module "private_dns_resolver" {
+#   for_each = var.regions
 
-  source = "../../dtos-devops-templates/infrastructure/modules/private-dns-zone-resolver"
+#   source = "../../../../dtos-devops-templates/infrastructure/modules/private-dns-zone-resolver"
 
-  name                = "${module.config[each.key].names.resource-application}-private-dns-zone-resolver"
-  resource_group_name = azurerm_resource_group.private_dns_rg[each.key].name
-  location            = each.key
-  vnet_id             = module.vnets_hub[each.key].vnet.id
+#   name                = "${module.config[each.key].names.resource-application}-private-dns-zone-resolver"
+#   resource_group_name = azurerm_resource_group.private_dns_rg[each.key].name
+#   location            = each.key
+#   vnet_id             = module.vnets_hub[each.key].vnet.id
 
-  inbound_endpoint_config = {
-    name                         = "private-dns-resolver-inbound-endpoint"
-    private_ip_allocation_method = "Dynamic"
-    subnet_id                    = module.subnets_hub["${module.config[each.key].names.subnet}-dns-resolver-in"].id
-  }
+#   inbound_endpoint_config = {
+#     name                         = "private-dns-resolver-inbound-endpoint"
+#     private_ip_allocation_method = "Dynamic"
+#     subnet_id                    = module.subnets_hub["${module.config[each.key].names.subnet}-dns-resolver-in"].id
+#   }
 
-  tags = var.tags
-}
+#   tags = var.tags
+# }
 
 /*--------------------------------------------------------------------------------------------------
   Private DNS zones
@@ -66,57 +66,57 @@ locals {
   private_dns_zones_map = { for obj in local.private_dns_zones_obj_list : "${obj.region}-${obj.description}" => obj }
 }
 
-module "private_dns_zones" {
-  for_each = local.private_dns_zones_map
+# module "private_dns_zones" {
+#   for_each = local.private_dns_zones_map
 
-  source = "../../dtos-devops-templates/infrastructure/modules/private-dns-zone"
+#   source = "../../../../dtos-devops-templates/infrastructure/modules/private-dns-zone"
 
-  name                = each.value.name
-  resource_group_name = azurerm_resource_group.private_dns_rg[each.value.region].name
-  vnet_id             = module.vnets_hub[each.value.region].vnet.id
+#   name                = each.value.name
+#   resource_group_name = azurerm_resource_group.private_dns_rg[each.value.region].name
+#   vnet_id             = module.vnets_hub[each.value.region].vnet.id
 
-  tags = var.tags
-}
+#   tags = var.tags
+# }
 
 /*--------------------------------------------------------------------------------------------------
   Private DNS A Records for APIM and Application Gateway
 --------------------------------------------------------------------------------------------------*/
 
-locals {
-  apim_private_custom_domains      = ["gateway", "portal", "scm"]
-  appgw_private_listener_hostnames = ["api"]
-
-  private_dns_a_records_obj_list = flatten([
-    for region in keys(var.regions) : [
-      [
-        for hostname in local.apim_private_custom_domains : {
-          region  = region
-          name    = hostname
-          records = module.api-management[region].private_ip_addresses
-        }
-      ],
-      [
-        for hostname in local.appgw_private_listener_hostnames : {
-          region  = region
-          name    = hostname
-          records = [local.appgw_config[region].frontend_ip_configuration.private.private_ip_address]
-        }
-      ]
-    ]
-  ])
-  private_dns_a_records_map = { for obj in local.private_dns_a_records_obj_list : "${obj.region}-${obj.name}" => obj }
-}
-
-module "private-dns-a-records" {
-  for_each = local.private_dns_a_records_map
-
-  source = "../../dtos-devops-templates/infrastructure/modules/private-dns-a-record"
-
-  name                = each.value.name
-  resource_group_name = resource.azurerm_resource_group.private_dns_rg[each.value.region].name
-  zone_name           = var.dns_zone_name_private.nationalscreening
-  ttl                 = 300
-  records             = each.value.records
-
-  tags = var.tags
-}
+# locals {
+#   apim_private_custom_domains      = ["gateway", "portal", "scm"]
+#   appgw_private_listener_hostnames = ["api"]
+
+#   private_dns_a_records_obj_list = flatten([
+#     for region in keys(var.regions) : [
+#       [
+#         for hostname in local.apim_private_custom_domains : {
+#           region  = region
+#           name    = hostname
+#           records = module.api-management[region].private_ip_addresses
+#         }
+#       ],
+#       [
+#         for hostname in local.appgw_private_listener_hostnames : {
+#           region  = region
+#           name    = hostname
+#           records = [local.appgw_config[region].frontend_ip_configuration.private.private_ip_address]
+#         }
+#       ]
+#     ]
+#   ])
+#   private_dns_a_records_map = { for obj in local.private_dns_a_records_obj_list : "${obj.region}-${obj.name}" => obj }
+# }
+
+# module "private-dns-a-records" {
+#   for_each = local.private_dns_a_records_map
+
+#   source = "../../../../dtos-devops-templates/infrastructure/modules/private-dns-a-record"
+
+#   name                = each.value.name
+#   resource_group_name = resource.azurerm_resource_group.private_dns_rg[each.value.region].name
+#   zone_name           = var.dns_zone_name_private.nationalscreening
+#   ttl                 = 300
+#   records             = each.value.records
+
+#   tags = var.tags
+# }

infrastructure/terraform/hub/dns_public.tf

@@ -2,24 +2,24 @@
   Application Gateway Public DNS A Records
 --------------------------------------------------------------------------------------------------*/
 
-locals {
-  appgw_public_listener_hostnames = [
-    for listener in local.appgw_config[local.primary_region].http_listener :
-    listener.host_name if listener.frontend_ip_configuration_key == "public"
-  ]
-}
+# locals {
+#   appgw_public_listener_hostnames = [
+#     for listener in local.appgw_config[local.primary_region].http_listener :
+#     listener.host_name if listener.frontend_ip_configuration_key == "public"
+#   ]
+# }
 
-module "appgw-dns-a-records" {
-  # No region loop since public DNS is global. Traffic Manager will be required if an additional region is added.
-  for_each = toset(local.appgw_public_listener_hostnames)
+# module "appgw-dns-a-records" {
+#   # No region loop since public DNS is global. Traffic Manager will be required if an additional region is added.
+#   for_each = toset(local.appgw_public_listener_hostnames)
 
-  source = "../../dtos-devops-templates/infrastructure/modules/dns-a-record"
+#   source = "../../../../dtos-devops-templates/infrastructure/modules/dns-a-record"
 
-  name                = split(".", each.key)[0]
-  resource_group_name = var.dns_zone_rg_name_public
-  zone_name           = replace(each.key, "${split(".", each.key)[0]}.", "")
-  ttl                 = 300
-  target_resource_id  = module.application-gateway-pip[local.primary_region].id
+#   name                = split(".", each.key)[0]
+#   resource_group_name = var.dns_zone_rg_name_public
+#   zone_name           = replace(each.key, "${split(".", each.key)[0]}.", "")
+#   ttl                 = 300
+#   target_resource_id  = module.application-gateway-pip[local.primary_region].id
 
-  tags = var.tags
-}
+#   tags = var.tags
+# }

infrastructure/terraform/hub/firewall.tf

@@ -1,7 +1,7 @@
 module "firewall" {
   for_each = var.regions
 
-  source = "../../dtos-devops-templates/infrastructure/modules/firewall"
+  source = "../../../../dtos-devops-templates/infrastructure/modules/firewall"
 
   firewall_name       = module.config[each.key].names.firewall
   resource_group_name = azurerm_resource_group.rg_hub[each.key].name
@@ -33,7 +33,7 @@ module "firewall" {
 module "public_ip" {
   for_each = local.public_ips_map
 
-  source = "../../dtos-devops-templates/infrastructure/modules/public-ip"
+  source = "../../../../dtos-devops-templates/infrastructure/modules/public-ip"
 
   name                = "${module.config[each.value.region_key].names.public-ip-address}-${each.value.name_suffix}"
   resource_group_name = azurerm_resource_group.rg_hub[each.value.region_key].name

infrastructure/terraform/hub/networking_hub.tf

@@ -0,0 +1,6 @@
+resource "azurerm_resource_group" "rg_hub" {
+  for_each = var.regions
+
+  name     = "${module.config[each.key].names.resource-group}-${var.application}-networking"
+  location = each.key
+}

infrastructure/terraform/hub/outputs.tf

@@ -2,25 +2,6 @@ output "azure_monitor_private_link_scope_name" {
   value = azurerm_monitor_private_link_scope.ampls.name
 }
 
-output "certificates" {
-  value     = module.acme_certificate
-  sensitive = true
-}
-
-output "event_grid_topic" {
-  value = module.event_grid_topic
-}
-
-# Output the Event Hub Id for Log Analytics Data Exports so it can be used as a reference
-# by the Log Analytics workspace modules in Audit and Hub services
-output "eventhub_law_export_id" {
-  value = { for k, v in module.eventhub_law_export : k => v.id }
-}
-
-output "event_hubs" {
-  value = { for k, v in module.eventhub_law_export : k => v.event_hubs }
-}
-
 # Output the Firewall details so they can be used in the spoke networks
 output "firewall_policy_id" {
   value = { for k, v in module.firewall : k => v.firewall_policy_id }
@@ -74,6 +55,6 @@ output "storage" {
   sensitive = true
 }
 
-output "vnets_hub" {
-  value = module.vnets_hub
-}
+# output "vnets_hub" {
+#   value = module.vnets_hub
+# }