Merge branch 'main' into PPHA-714-Script-to-get-submitted-eligible-participants

Author: stephhou

core

@@ -133,3 +133,16 @@ Add the infrastructure secrets to the _inf_ key vault `kv-lungcs-[environment]-i
 
 - assign yourself "Key Vault Secrets User" to application key vault to run the terraform code from the CLI inside the AVD when first trying to deploy the application.
 - assign yourself "Data Blob Reader" to State file storage account to run the terraform code from the CLI inside the AVD when first trying to deploy the application.
+
+## Connect to Postgres Database
+
+- Add your user as a member to the respective Entra ID group:
+  - `postgres_lungcs_[environment]_uks_admin`
+- Log into the correct ADV for your environment type (either nonlive or live)
+- Run the following commands on the CLI to log into the database: -
+  - `export PGPASSWORD="$(az account get-access-token --resource https://ossrdbms-aad.database.windows.net --query accessToken --output tsv)"`
+  - `psql "host=postgres-lungcs-[environment]-uks.postgres.database.azure.com \
+      port=5432 \
+      dbname=[database] \
+      user=postgres_lungcs_[environment]_uks_admin \
+      sslmode=require"`

docs/infrastructure/create-environment.md

@@ -0,0 +1,35 @@
+resource "azurerm_monitor_scheduled_query_rules_alert_v2" "five_hundred_error_alert" {
+  count = var.enable_alerting ? 1 : 0
+
+  auto_mitigation_enabled          = false
+  description                      = "An alert triggered by 500 errors logged in code"
+  enabled                          = var.enable_alerting
+  evaluation_frequency             = "PT5M"
+  location                         = var.region
+  name                             = "${var.app_short_name}-500-error-alert"
+  resource_group_name              = azurerm_resource_group.main.name
+  scopes                           = [var.action_group_id]
+  severity                         = 2
+  skip_query_validation            = false
+  window_duration                  = "PT5M"
+  workspace_alerts_storage_enabled = false
+
+  action {
+    action_groups = [var.action_group_id]
+  }
+
+  criteria {
+    operator                = "GreaterThan"
+    query                   = <<-QUERY
+      ContainerAppConsoleLogs_CL
+      | where Log contains "[ERROR]"
+      QUERY
+    threshold               = 0
+    time_aggregation_method = "Count"
+
+    failing_periods {
+      minimum_failing_periods_to_trigger_alert = 1
+      number_of_evaluation_periods             = 1
+    }
+  }
+}

infrastructure/modules/container-apps/alerts.tf

@@ -1,3 +1,16 @@
+locals {
+  scheduled_jobs = {
+    collect_metrics = {
+      cron_expression = "0 */6 * * *"
+      environment_variables = {
+        ENVIRONMENT = var.environment
+      }
+      job_short_name     = "rs"
+      job_container_args = "request_summary"
+    }
+  }
+}
+
 module "db_setup" {
   source = "../dtos-devops-templates/infrastructure/modules/container-app-job"
 
@@ -25,3 +38,54 @@ module "db_setup" {
   ]
 
 }
+
+module "scheduled_jobs" {
+  source = "../dtos-devops-templates/infrastructure/modules/container-app-job"
+
+  for_each = local.scheduled_jobs
+
+  name                         = "${var.app_short_name}-${each.value.job_short_name}-${var.environment}"
+  container_app_environment_id = var.container_app_environment_id
+  resource_group_name          = azurerm_resource_group.main.name
+
+  fetch_secrets_from_app_key_vault = var.fetch_secrets_from_app_key_vault
+  app_key_vault_id                 = var.app_key_vault_id
+
+  container_command = ["/bin/sh", "-c"]
+  container_args = [
+    "python manage.py ${each.value.job_container_args}"
+  ]
+
+  docker_image        = var.docker_image
+  replica_retry_limit = 0
+  user_assigned_identity_ids = flatten([
+    [module.azure_blob_storage_identity.id],
+    var.deploy_database_as_container ? [] : [module.db_connect_identity[0].id]
+  ])
+
+  environment_variables = merge(
+    local.common_env,
+    {
+      "STORAGE_ACCOUNT_NAME" = module.storage.storage_account_name,
+      "BLOB_MI_CLIENT_ID"    = module.azure_blob_storage_identity.client_id,
+    },
+    each.value.environment_variables,
+    var.deploy_database_as_container ? local.container_db_env : local.azure_db_env
+  )
+  secret_variables = merge(
+    { SLACK_WEBHOOK_URL = var.slack_webhook_url },
+    var.deploy_database_as_container ? { DATABASE_PASSWORD = resource.random_password.admin_password[0].result } : {}
+  )
+
+  # alerts
+  action_group_id            = var.action_group_id
+  enable_alerting            = var.enable_alerting
+  log_analytics_workspace_id = var.log_analytics_workspace_audit_id
+
+  # Ensure RBAC role assignments are created before the job definition finalizes
+  depends_on = [
+    module.blob_storage_role_assignment,
+  ]
+
+  cron_expression = each.value.cron_expression
+}

infrastructure/modules/container-apps/jobs.tf

@@ -196,6 +196,11 @@ variable "infra_key_vault_rg" {
   type        = string
 }
 
+variable "slack_webhook_url" {
+  description = "slack_webhook_url is the URL used to send alerts to Slack. It should be stored as a secret in the infra key vault with the name 'slack-webhook-url'."
+  type        = string
+}
+
 locals {
   resource_group_name = "rg-${var.app_short_name}-${var.environment}-container-app-uks"
 

infrastructure/modules/container-apps/variables.tf

@@ -0,0 +1,24 @@
+module "logic_app_slack_alert" {
+  count = var.enable_alerting ? 1 : 0
+
+  source = "../dtos-devops-templates/infrastructure/modules/logic-app-slack-alert"
+
+  name                = "logic-${var.app_short_name}-${var.environment}-slack-alerts"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = var.region
+  slack_webhook_url   = var.slack_webhook_url
+}
+
+resource "azurerm_monitor_action_group" "slack" {
+  count = var.enable_alerting ? 1 : 0
+
+  name                = "ag-slack-${var.app_short_name}-${var.environment}-uks"
+  resource_group_name = azurerm_resource_group.main.name
+  short_name          = "slack"
+
+  webhook_receiver {
+    name                    = "logic-app-slack"
+    service_uri             = module.logic_app_slack_alert[0].trigger_callback_url
+    use_common_alert_schema = true
+  }
+}

infrastructure/modules/infra/logic_app.tf

@@ -73,6 +73,11 @@ variable "enable_alerting" {
   type        = bool
 }
 
+variable "slack_webhook_url" {
+  description = "slack_webhook_url is the URL used to send alerts to Slack. It should be stored as a secret in the infra key vault with the name 'slack-webhook-url'."
+  type        = string
+}
+
 locals {
   hub_vnet_rg_name = "rg-hub-${var.hub}-uks-bootstrap"
   hub_vnet_name    = "vnet-hub-${var.hub}-uks"

infrastructure/modules/infra/variables.tf

@@ -49,3 +49,17 @@ data "azurerm_application_insights" "app_insights" {
   name                = "appi-${var.env_config}-uks-${var.app_short_name}"
   resource_group_name = local.resource_group_name
 }
+
+data "azurerm_key_vault" "infra" {
+  provider = azurerm.hub
+
+  name                = local.infra_key_vault_name
+  resource_group_name = local.infra_key_vault_rg
+}
+
+data "azurerm_key_vault_secret" "slack_webhook_url" {
+  name         = "slack-webhook-url"
+  key_vault_id = data.azurerm_key_vault.infra.id
+}
+
+# git-sha-a85180497c23d742b5f92262b3b43069e44a4110

infrastructure/terraform/spoke/data.tf

@@ -22,6 +22,7 @@ module "infra" {
   vnet_address_space               = var.vnet_address_space
   cae_zone_redundancy_enabled      = var.cae_zone_redundancy_enabled
   enable_alerting                  = var.enable_alerting
+  slack_webhook_url                = data.azurerm_key_vault_secret.slack_webhook_url.value
 }
 
 module "container-apps" {
@@ -69,4 +70,5 @@ module "container-apps" {
   use_apex_domain                       = var.use_apex_domain
   container_memory                      = var.container_memory
   min_replicas                          = var.min_replicas
+  slack_webhook_url                     = data.azurerm_key_vault_secret.slack_webhook_url.value
 }