terraform stuff

Author: mrlockstar

.azuredevops/pipelines/hub-infrastructure-dev.yaml

@@ -31,7 +31,7 @@ stages:
     displayName: Terraform Plan
     condition: eq(variables['Build.Reason'], 'Manual')
     variables:
-      tfVarsFile: environments/$(ENVIRONMENT)/variables.tfvars
+      tfVarsFile: ../../environments/$(ENVIRONMENT)/variables.tfvars
     jobs:
       - job: init_and_plan
         displayName: Init, plan, store artifact

infrastructure/bootstrap/hub.bicep

@@ -28,8 +28,6 @@ param vnetAddressPrefixes array
 param enableSoftDelete bool
 
 
-// var keyVaultName = 'kv-lungcs-${envConfig}-inf'
-
 // removed when generalised
 var appShortName = 'lungcs'
 //var appShortName = 'lungal'
@@ -51,6 +49,7 @@ var storageAccountName = 'sa${appShortName}${regionShortName}state'
 var miADOtoAZname = 'mi-${appShortName}-${hubType}-adotoaz-${regionShortName}'
 var miGHtoADOname = 'mi-${appShortName}-${hubType}-ghtoado-${regionShortName}'
 
+
 // See: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
 var roleID = {
   CDNContributor: 'ec156ff8-a8d1-4d15-830c-5b80698ca432'

infrastructure/environments/nonlive-hub/variables.sh

@@ -2,7 +2,6 @@ ENVIRONMENT=nonlive-hub
 ENV_CONFIG=nonlive-hub
 AZURE_SUBSCRIPTION="Lung Cancer Risk Check - Non-live hub"
 HUB_SUBSCRIPTION="Lung Cancer Risk Check - Non-live hub"
-STORAGE_ACCOUNT_RG=rg-tfstate-nonlive-hub-uks
 TERRAFORM_MODULES_REF=main
 # ENABLE_SOFT_DELETE=false
 # DOCKER_IMAGE=ghcr.io/nhsdigital/lung_cancer_screening

infrastructure/environments/nonlive-hub/variables.tfvars

@@ -1,34 +1,98 @@
+application = "hub"
+environment = "nonlive-hub"
+env_type    = "nonlive"
+
 features = {
-  front_door         = false
-  hub_and_spoke      = false
-  private_networking = false
+  private_endpoints_enabled              = true
+  private_service_connection_is_manual   = false
+  public_network_access_enabled          = true
+  log_analytics_data_export_rule_enabled = false
+}
+
+virtual_desktop_group_active = "green"
+
+projects = {
+  lung-cancer-screening = {
+    full_name  = "Lung Cancer Screening"
+    short_name = "lungcs"
+    tags = {
+      Project = "Lung Cancer Screening"
+    }
+    frontdoor_profile = {
+      sku_name = "Premium_AzureFrontDoor"
+    }
+  }
+}
+
+diagnostic_settings = {
+  metric_enabled = true
+}
+
+private_dns_zones = {
+  is_app_services_enabled                    = true
+  is_azure_sql_private_dns_zone_enabled      = true
+  is_postgres_sql_private_dns_zone_enabled   = true
+  is_storage_private_dns_zone_enabled        = true
+  is_acr_private_dns_zone_enabled            = false
+  is_app_insights_private_dns_zone_enabled   = true
+  is_apim_private_dns_zone_enabled           = false
+  is_key_vault_private_dns_zone_enabled      = true
+  is_event_hub_private_dns_zone_enabled      = false
+  is_event_grid_enabled_dns_zone_enabled     = false
+  is_container_apps_enabled_dns_zone_enabled = true
 }
-fetch_secrets_from_app_key_vault      = true
-github_mi_name                        = "mi-lungcs-hub-ghtoaz-uks"
-# key_vault_secrets_officer_groups      = ["Azure-Lung-Cancer-Screening---Dev-Owner"]
-postgres_backup_retention_days        = 7
-postgres_geo_redundant_backup_enabled = false
-protect_keyvault                      = false
-vnet_address_space                    = "10.65.0.0/16"
 
 
+avd_vm_count                 = 1
+avd_maximum_sessions_allowed = 1 # per session host
+avd_vm_size                  = "Standard_D4as_v5"
+avd_users_group_name         = "DToS-hub-dev-uks-hub-virtual-desktop-User-Login"
+avd_admins_group_name        = "DToS-hub-dev-uks-hub-virtual-desktop-User-ADMIN-Login"
+
+avd_source_image_from_gallery = {
+  image_name      = "gi_wvd"
+  gallery_name    = "rg_hub_dev_uks_compute_gallery"
+  gallery_rg_name = "rg-hub-dev-uks-hub-virtual-desktop"
+}
+
+law = {
+  export_enabled = false
+  law_sku        = "PerGB2018"
+  retention_days = 30
+}
+
 regions = {
   uksouth = {
     address_space     = "10.65.0.0/16"
     is_primary_region = true
     subnets = {
-      acr = {
+      pep = {
+        cidr_newbits = 8
+        cidr_offset  = 2
+      }
+      virtual-desktop = {
         cidr_newbits = 11
-        cidr_offset  = 8
+        cidr_offset  = 32
       }
-      api-mgmt = {
-        cidr_newbits = 8
-        cidr_offset  = 6
+      dns-resolver-in = {
+        cidr_newbits               = 12
+        cidr_offset                = 112
+        delegation_name            = "Microsoft.Network/dnsResolvers"
+        service_delegation_name    = "Microsoft.Network/dnsResolvers"
+        service_delegation_actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
       }
-      app-gateway = {
-        cidr_newbits = 8
-        cidr_offset  = 5
+      firewall = {
+        name         = "AzureFirewallSubnet"
+        cidr_newbits = 10
+        cidr_offset  = 192
+        create_nsg   = false
       }
+    }
+  }
+    ukwest = {
+    address_space     = "10.65.0.0/16"
+    is_primary_region = true
+    subnets = {
       pep = {
         cidr_newbits = 8
         cidr_offset  = 2
@@ -37,13 +101,6 @@ regions = {
         cidr_newbits = 11
         cidr_offset  = 32
       }
-      devops = {
-        cidr_newbits               = 8
-        cidr_offset                = 9
-        delegation_name            = "Microsoft.DevOpsInfrastructure/pools" # az provider register --namespace 'Microsoft.DevOpsInfrastructure'
-        service_delegation_name    = "Microsoft.DevOpsInfrastructure/pools"
-        service_delegation_actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
-      }
       dns-resolver-in = {
         cidr_newbits               = 12
         cidr_offset                = 112

infrastructure/terraform/hub/azure_monitor_private_link_scope.tf

@@ -0,0 +1,41 @@
+# This is a global resource, but it can have regional private endpoints
+resource "azurerm_monitor_private_link_scope" "ampls" {
+  name                = module.config[local.primary_region].names.private-link-scope
+  resource_group_name = azurerm_resource_group.rg_private_endpoints[local.primary_region].name
+
+  ingestion_access_mode = "PrivateOnly"
+  query_access_mode     = "Open"
+
+  tags = var.tags
+}
+
+module "private_endpoint_ampls" {
+  for_each = var.features.private_endpoints_enabled ? var.regions : {}
+
+  source = "../../../../dtos-devops-templates/infrastructure/modules/private-endpoint"
+
+  name                = module.config[each.key].names.private-link-scope-private-endpoint
+  resource_group_name = azurerm_resource_group.rg_private_endpoints[each.key].name
+  location            = each.key
+  subnet_id           = module.subnets_hub["${module.config[each.key].names.subnet}-pep"].id
+
+  private_dns_zone_group = {
+    name = "${module.config[each.key].names.private-link-scope-private-endpoint}-zone-group"
+    private_dns_zone_ids = [
+      module.private_dns_zones["${each.key}-app_insights"].id,
+      module.private_dns_zones["${each.key}-automation"].id,
+      module.private_dns_zones["${each.key}-operations_data_store"].id,
+      module.private_dns_zones["${each.key}-operations_management_suite"].id,
+      module.private_dns_zones["${each.key}-storage_blob"].id
+    ]
+  }
+
+  private_service_connection = {
+    name                           = "${module.config[each.key].names.private-link-scope-private-endpoint}-connection"
+    private_connection_resource_id = azurerm_monitor_private_link_scope.ampls.id
+    subresource_names              = ["azuremonitor"]
+    is_manual_connection           = var.features.private_service_connection_is_manual
+  }
+
+  tags = var.tags
+}

infrastructure/terraform/hub/baseline.tf

@@ -0,0 +1,37 @@
+resource "azurerm_resource_group" "rg_base" {
+  for_each = var.regions
+
+  name     = module.config[each.key].names.resource-group
+  location = each.key
+}
+
+resource "azurerm_resource_group" "rg_project" {
+  # create a resource group for every project for every region:
+  for_each = local.projects_map
+
+  name     = "${module.config[each.value.region_key].names.resource-group}-${each.value.short_name}"
+  location = each.value.region_key
+  tags     = length(each.value.tags) > 0 ? each.value.tags : var.tags
+}
+
+locals {
+
+  # Create a flat list of projects with region keys for consumption in a for_each meta argument
+  projects_flatlist = flatten([
+    for region_key, region_val in var.regions : [
+      for project_key, project_val in var.projects : {
+        key               = "${project_key}-${region_key}"
+        region_key        = region_key
+        is_primary_region = region_val.is_primary_region
+        project_key       = project_key
+        full_name         = project_val.full_name
+        short_name        = project_val.short_name
+        acr               = project_val.acr
+        tags              = project_val.tags
+      }
+    ]
+  ])
+
+  # Project the above list into a map with unique keys for consumption in a for_each meta argument
+  projects_map = { for project in local.projects_flatlist : project.key => project }
+}

infrastructure/terraform/hub/data.tf

@@ -0,0 +1,39 @@
+data "azurerm_client_config" "current" {}
+
+data "azuread_group" "avd_users" {
+  display_name = var.avd_users_group_name
+}
+
+data "azuread_group" "avd_admins" {
+  display_name = var.avd_admins_group_name
+}
+
+data "azuread_group" "avd_platform_users" {
+  display_name = "DToS-platform-team-Dev"
+}
+
+# This client id is the same for all Azure customers - it is not a secret.
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_certificate
+data "azuread_service_principal" "MicrosoftAzureAppService" {
+  client_id = "abfa0a7c-a6b6-4736-8310-5855508787cd"
+}
+
+data "azuread_service_principal" "MicrosoftAzureFrontDoorCdn" {
+  client_id = "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
+}
+
+# data "azurerm_key_vault_secret" "object-id" {
+#   for_each     = var.regions
+#   name         = "dtos-apim-object-id"
+#   key_vault_id = module.key_vault[each.key].key_vault_id
+
+#   depends_on = [azurerm_key_vault_access_policy.terraform-mi]
+# }
+
+# data "azurerm_key_vault_secret" "secret" {
+#   for_each     = var.regions
+#   name         = "dtos-apim-secret"
+#   key_vault_id = module.key_vault[each.key].key_vault_id
+
+#   depends_on = [azurerm_key_vault_access_policy.terraform-mi]
+# }

infrastructure/terraform/hub/dns_private.tf

@@ -5,37 +5,43 @@ resource "azurerm_resource_group" "private_dns_rg" {
   location = each.key
 }
 
+data "azurerm_virtual_network" "this" {
+  name                = var.vnet_name
+  resource_group_name = var.vnet_resource_group
+}
+
+
 /*--------------------------------------------------------------------------------------------------
   Private DNS Zone Resolver
 --------------------------------------------------------------------------------------------------*/
 
-# module "private_dns_resolver" {
-#   for_each = var.regions
+module "private_dns_resolver" {
+  for_each = var.regions
 
-#   source = "../../../../dtos-devops-templates/infrastructure/modules/private-dns-zone-resolver"
+  source = "../../../../dtos-devops-templates/infrastructure/modules/private-dns-zone-resolver"
 
-#   name                = "${module.config[each.key].names.resource-application}-private-dns-zone-resolver"
-#   resource_group_name = azurerm_resource_group.private_dns_rg[each.key].name
-#   location            = each.key
-#   vnet_id             = module.vnets_hub[each.key].vnet.id
+  name                = "${module.config[each.key].names.resource-application}-private-dns-zone-resolver"
+  resource_group_name = azurerm_resource_group.private_dns_rg[each.key].name
+  location            = each.key
+  vnet_id             = data.azurerm_virtual_network.this.id
 
-#   inbound_endpoint_config = {
-#     name                         = "private-dns-resolver-inbound-endpoint"
-#     private_ip_allocation_method = "Dynamic"
-#     subnet_id                    = module.subnets_hub["${module.config[each.key].names.subnet}-dns-resolver-in"].id
-#   }
+  inbound_endpoint_config = {
+    name                         = "private-dns-resolver-inbound-endpoint"
+    private_ip_allocation_method = "Dynamic"
+    subnet_id                    = module.subnets_hub["${module.config[each.key].names.subnet}-dns-resolver-in"].id
+  }
 
-#   tags = var.tags
-# }
+  tags = var.tags
+}
 
 /*--------------------------------------------------------------------------------------------------
   Private DNS zones
 --------------------------------------------------------------------------------------------------*/
 
 locals {
   private_dns_zones = {
-    national_screening          = var.dns_zone_name_private.nationalscreening
-    screening                   = var.dns_zone_name_private.screening
+    # national_screening          = var.dns_zone_name_private.nationalscreening
+    # screening                   = var.dns_zone_name_private.screening
     container_registry          = "privatelink.azurecr.io"
     app_insights                = var.private_dns_zones.is_app_insights_private_dns_zone_enabled ? "privatelink.monitor.azure.com" : null
     automation                  = var.private_dns_zones.is_app_insights_private_dns_zone_enabled ? "privatelink.agentsvc.azure-automation.net" : null
@@ -66,17 +72,17 @@ locals {
   private_dns_zones_map = { for obj in local.private_dns_zones_obj_list : "${obj.region}-${obj.description}" => obj }
 }
 
-# module "private_dns_zones" {
-#   for_each = local.private_dns_zones_map
+module "private_dns_zones" {
+  for_each = local.private_dns_zones_map
 
-#   source = "../../../../dtos-devops-templates/infrastructure/modules/private-dns-zone"
+  source = "../../../../dtos-devops-templates/infrastructure/modules/private-dns-zone"
 
-#   name                = each.value.name
-#   resource_group_name = azurerm_resource_group.private_dns_rg[each.value.region].name
-#   vnet_id             = module.vnets_hub[each.value.region].vnet.id
+  name                = each.value.name
+  resource_group_name = azurerm_resource_group.private_dns_rg[each.value.region].name
+  vnet_id             = data.azurerm_virtual_network.this.id
 
-#   tags = var.tags
-# }
+  tags = var.tags
+}
 
 /*--------------------------------------------------------------------------------------------------
   Private DNS A Records for APIM and Application Gateway