feat: dtoss 9659 deploy azure service bus into cohort manager (#1164)

* DTOSS-9659: Create a service bus queue and link up with function app

* Terraform formatting and template refs

---------

Co-authored-by: Richard Kingston <[email protected]>

Author: mrlockstar

.azuredevops/pipelines/cd-infrastructure-dev-core.yaml

@@ -13,7 +13,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 093557aee9d7ffb803106db24f51b7a5ef6f7f50
+      ref: 2041f050215b170eef2853e78e010c2a949a9bae
       endpoint: NHSDigital
 
 variables:

.azuredevops/pipelines/cd-infrastructure-int-core.yaml

@@ -13,7 +13,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 093557aee9d7ffb803106db24f51b7a5ef6f7f50
+      ref: 2041f050215b170eef2853e78e010c2a949a9bae
       endpoint: NHSDigital
 
 variables:

.azuredevops/pipelines/cd-infrastructure-nft-core.yaml

@@ -13,7 +13,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 093557aee9d7ffb803106db24f51b7a5ef6f7f50
+      ref: 2041f050215b170eef2853e78e010c2a949a9bae
       endpoint: NHSDigital
 
 variables:

infrastructure/tf-audit/locals.tf

@@ -4,19 +4,19 @@ locals {
     # ------------------------
     # FinOps
     # ------------------------
-    TagVersion          = "1"                       # Tag version (e.g. 1, 2, 3)
+    TagVersion        = "1"                     # Tag version (e.g. 1, 2, 3)
     Programme-Service = "DToS/Breast Screening" # Programme name (custom value)
     Product-Project   = "Cohort Manager"        # Product name (custom value)
-    Owner               = "<product owner>"       # Business owner (name or email)
-    CostCentre          = "129106"                  # Billing code (e.g. 128943)
+    Owner             = "<product owner>"       # Business owner (name or email)
+    CostCentre        = "129106"                # Billing code (e.g. 128943)
 
     # ------------------------
     # SecOps
     # ------------------------
-    data_classification = "3"                # Data level (1–5)
+    data_classification = "3"              # Data level (1–5)
     DataType            = "PII"            # Data type (None, PCD, PII, Anonymised, UserAccount, Audit)
     ProjectType         = "In-development" # Project stage (PoC, Pilot, Production)
-    PublicFacing        = "Y"                # Internet-facing (Y/N)
+    PublicFacing        = "Y"              # Internet-facing (Y/N)
 
     # ------------------------
     # TechOps

infrastructure/tf-core/environments/development.tfvars

@@ -239,6 +239,7 @@ function_apps = {
       name_suffix                  = "receive-caas-file"
       function_endpoint_name       = "ReceiveCaasFile"
       app_service_plan_key         = "DefaultPlan"
+      producer_to_service_bus      = ["dtoss-nsp"]
       db_connection_string         = "DtOsDatabaseConnectionString"
       storage_account_env_var_name = "caasfolder_STORAGE"
       app_urls = [
@@ -290,6 +291,7 @@ function_apps = {
         DemographicURI             = "https://dev-uks-durable-demographic-function.azurewebsites.net/api/DurableDemographicFunction_HttpStart/"
         GetOrchestrationStatusURL  = "https://dev-uks-durable-demographic-function.azurewebsites.net/api/GetOrchestrationStatus"
         AllowDeleteRecords         = true
+        TopicName                  = "DistributeParticipantQueue"
         UpdateQueueName            = "update-participant-queue"
         maxNumberOfChecks          = "50"
         UseNewFunctions            = "false"
@@ -1223,6 +1225,36 @@ key_vault = {
   sku_name          = "standard"
 }
 
+service_bus = {
+  distribute-participant = {
+    capacity         = 1
+    sku_tier         = "Premium"
+    max_payload_size = "100mb"
+    topics = {
+      cohort-distribution-queue = {
+        batched_operations_enabled = true
+      }
+      add-participant-queue = {
+        batched_operations_enabled = true
+      }
+      update-participant-queue = {
+        batched_operations_enabled = true
+      }
+    }
+  }
+}
+
+# service_bus_subscriptions = {
+#   subscriber_config = {
+#     event-dev-ap = {
+#       subscription_name       = "events-sub"
+#       topic_name              = "events"
+#       namespace_name          = "dtoss-nsp"
+#       subscriber_functionName = "foundryRelay"
+#     }
+#   }
+# }
+
 sqlserver = {
   sql_admin_group_name                 = "sqlsvr_cohman_dev_uks_admin"
   ad_auth_only                         = true

infrastructure/tf-core/function_app.tf

@@ -63,8 +63,52 @@ module "functionapp" {
   function_app_slots = var.function_app_slots
 
   tags = var.tags
+
+  depends_on = [
+    module.azure_service_bus
+  ]
+}
+
+
+locals {
+  # Filter fa_config to only include those with producer_to_service_bus
+  service_bus_function_app_map = {
+    for app_key, app_value in var.function_apps.fa_config :
+    app_key => app_value
+    if contains(keys(app_value), "producer_to_service_bus")
+  }
+
+  # There are multiple maps
+  # We cannot nest for loops inside a map, so first iterate all permutations as a list of objects...
+  unified_service_bus_object_list = flatten([
+    for service_bus_key, service_bus_value in local.azure_service_bus_map : [
+      for function_key, function_values in local.service_bus_function_app_map : merge({
+        service_bus_key   = service_bus_key # 1st iterator
+        function_key      = function_key    # 2nd iterator
+        service_bus_value = service_bus_value
+      }, function_values) # the block of key/value pairs for a specific collection
+      if contains(keys(function_values), "producer_to_service_bus")
+      && (function_values.producer_to_service_bus != null ? length(function_values.producer_to_service_bus) > 0 : false)
+    ]
+  ])
+  # ...then project them into a map with unique keys (combining the iterators), for consumption by a for_each meta argument
+  unified_service_bus_object_map = {
+    for item in local.unified_service_bus_object_list :
+    "${item.service_bus_key}-${item.function_key}" => item
+  }
+}
+
+# Use the merged map in your resources
+resource "azurerm_role_assignment" "function_send_to_topic" {
+  for_each = local.unified_service_bus_object_map
+
+  principal_id         = module.functionapp["${each.value.function_key}-${each.value.service_bus_value.region}"].function_app_sami_id
+  role_definition_name = "Azure Service Bus Data Sender"
+  scope                = module.azure_service_bus[each.value.service_bus_key].namespace_id
+
 }
 
+
 locals {
   app_settings_common = {
     DOCKER_ENABLE_CI                    = var.function_apps.docker_CI_enable
@@ -104,6 +148,10 @@ locals {
               )
             },
 
+            {
+              for key, obj in local.unified_service_bus_object_map : "SERVICE_BUS_NAMESPACE" => "${module.azure_service_bus[obj.service_bus_key].namespace_name}.servicebus.windows.net"
+            },
+
             # Dynamic reference to Key Vault
             length(config.key_vault_url) > 0 ? {
               (config.key_vault_url) = module.key_vault[region].key_vault_url

infrastructure/tf-core/locals.tf

@@ -14,7 +14,7 @@ locals {
     # ------------------------
     # SecOps
     # ------------------------
-    data_classification = "3"                # Data level (1–5)
+    data_classification = "3"              # Data level (1–5)
     DataType            = "PII"            # Data type (None, PCD, PII, Anonymised, UserAccount, Audit)
     ProjectType         = "In-development" # Project stage (PoC, Pilot, Production)
     PublicFacing        = "Y"              # Internet-facing (Y/N)

infrastructure/tf-core/service_bus_subscriptions.tf

@@ -0,0 +1,33 @@
+# module "service_bus_subscriptions" {
+#   for_each = local.service_bus_subscriptions_map
+
+#   source = "../../../dtos-devops-templates/infrastructure/modules/service-bus-subscription"
+
+#   subscription_name         = each.value.service_bus_subscription_key
+#   max_delivery_count        = 10
+#   topic_id                  = values(module.azure_service_bus["${each.value.namespace_name}-${each.value.region}"].topic_ids)[0]
+#   namespace_name            = "${each.value.namespace_name}-${each.value.region}"
+#   service_bus_namespace_id  = module.azure_service_bus["${each.value.namespace_name}-${each.value.region}"].namespace_id
+#   function_app_principal_id = module.functionapp["${each.value.subscriber_functionName}-${each.value.region}"].function_app_sami_id
+
+# }
+
+# locals {
+
+#   service_bus_subscriptions_object_list = flatten([
+#     for region in keys(var.regions) : [
+#       for service_bus_subscription_key, service_bus_subscription_details in var.service_bus_subscriptions.subscriber_config : merge(
+#         {
+#           region                       = region                       # 1st iterator
+#           service_bus_subscription_key = service_bus_subscription_key # 2nd iterator
+#         },
+#         service_bus_subscription_details # the rest of the key/value pairs for a specific service_bus
+#       )
+#     ]
+#   ])
+
+#   # ...then project the list of objects into a map with unique keys (combining the iterators), for consumption by a for_each meta argument
+#   service_bus_subscriptions_map = {
+#     for object in local.service_bus_subscriptions_object_list : "${object.service_bus_subscription_key}-${object.region}" => object
+#   }
+# }

infrastructure/tf-core/service_bus_topic.tf

@@ -0,0 +1,47 @@
+module "azure_service_bus" {
+  for_each = local.azure_service_bus_map
+
+  source = "../../../dtos-devops-templates/infrastructure/modules/service-bus"
+
+  servicebus_topic_map = each.value.topics
+  # The namespace defaults to the object key unless a namespace is specified, then it overwrites it.
+  servicebus_namespace_name = coalesce(each.value.namespace_name, each.key)
+  resource_group_name       = azurerm_resource_group.core[each.value.region].name
+  location                  = each.value.region
+  capacity                  = each.value.capacity
+  sku_tier                  = each.value.sku_tier
+
+  # Private Endpoint Configuration if enabled
+  private_endpoint_properties = var.features.private_endpoints_enabled ? {
+    # This should be changed to service bus see https://github.com/NHSDigital/dtos-hub/blob/b9455d3a9c29f8837d75bcc3c67a111c2a49831d/infrastructure/dns_private.tf#L53
+    # and https://github.com/NHSDigital/dtos-hub/blob/b9455d3a9c29f8837d75bcc3c67a111c2a49831d/infrastructure/dns_private.tf#L49
+    private_dns_zone_ids                 = [data.terraform_remote_state.hub.outputs.private_dns_zones["${each.value.region}-event_hub"].id]
+    private_endpoint_enabled             = var.features.private_endpoints_enabled
+    private_endpoint_subnet_id           = module.subnets["${module.regions_config[each.value.region].names.subnet}-pep"].id
+    private_endpoint_resource_group_name = azurerm_resource_group.rg_private_endpoints[each.value.region].name
+    private_service_connection_is_manual = var.features.private_service_connection_is_manual
+  } : null
+
+  tags = var.tags
+}
+
+locals {
+
+  azure_service_bus_object_list = flatten([
+    for region in keys(var.regions) : [
+      for service_bus_key, service_bus_details in var.service_bus : merge(
+        {
+          region          = region
+          service_bus_key = service_bus_key
+        },
+        service_bus_details
+      )
+    ]
+  ])
+
+  # ...then project the list of objects into a map with unique keys (combining the iterators), for consumption by a for_each meta argument
+  azure_service_bus_map = {
+    for object in local.azure_service_bus_object_list : "${object.service_bus_key}-${object.region}" => object
+  }
+}
+

infrastructure/tf-core/variables.tf

@@ -237,8 +237,9 @@ variable "function_apps" {
           env_var_name   = string
           container_name = string
       })), [])
-      db_connection_string = optional(string, "")
-      key_vault_url        = optional(string, "")
+      db_connection_string    = optional(string, "")
+      producer_to_service_bus = optional(list(string), [])
+      key_vault_url           = optional(string, "")
       app_urls = optional(list(object({
         env_var_name     = string
         function_app_key = string
@@ -455,6 +456,43 @@ variable "sqlserver" {
   })
 }
 
+variable "service_bus" {
+  description = "Configuration for Service Bus namespaces and their topics"
+  type = map(object({
+    namespace_name   = optional(string)
+    capacity         = number
+    sku_tier         = string
+    max_payload_size = string
+    topics = map(object({
+      auto_delete_on_idle                     = optional(string, "P10675199DT2H48M5.4775807S")
+      batched_operations_enabled              = optional(bool, false)
+      default_message_ttl                     = optional(string, "P10675199DT2H48M5.4775807S")
+      duplicate_detection_history_time_window = optional(string)
+      partitioning_enabled                    = optional(bool, false)
+      max_message_size_in_kilobytes           = optional(number, 1024)
+      max_size_in_megabytes                   = optional(number, 5120)
+      requires_duplicate_detection            = optional(bool, false)
+      support_ordering                        = optional(bool)
+      status                                  = optional(string, "Active")
+      topic_name                              = optional(string)
+    }))
+  }))
+}
+
+# variable "service_bus_subscriptions" {
+#   description = "Configuration for service bus subscriptions"
+#   type = object({
+#     subscriber_config = map(object({
+#       subscription_name       = string
+#       namespace_name          = optional(string)
+#       topic_name              = string
+#       subscriber_functionName = string
+#     }))
+#   })
+#   default = {}
+# }
+
+
 variable "storage_accounts" {
   description = "Configuration for the Storage Account, currently used for Function Apps"
   type = map(object({