fix: DTOSS-8428 letsencrypt certificate module supports multiple DNS domains (#142)

* fix: letsencrypt cert module supports multiple DNS domains

* fix endless RBAC role redeploys for SQL logs storage account

Author: patrickmoore-nc

infrastructure/modules/app-service-plan/autoscale.tf

@@ -1,4 +1,3 @@
-
 resource "azurerm_monitor_autoscale_setting" "asp_autoscale" {
   name                = "${var.name}-autoscale"
   resource_group_name = var.resource_group_name

infrastructure/modules/app-service-plan/certificate.tf

@@ -0,0 +1,11 @@
+resource "azurerm_app_service_certificate" "wildcard" {
+  count = var.wildcard_ssl_cert_key_vault_secret_id != null ? 1 : 0
+
+  name                = var.wildcard_ssl_cert_name
+  resource_group_name = var.resource_group_name
+  location            = var.location
+
+  app_service_plan_id = azurerm_service_plan.appserviceplan.id
+  key_vault_secret_id = var.wildcard_ssl_cert_key_vault_secret_id
+  key_vault_id        = var.wildcard_ssl_cert_key_vault_id
+}

infrastructure/modules/app-service-plan/main.tf

@@ -1,5 +1,4 @@
 resource "azurerm_service_plan" "appserviceplan" {
-
   name                = var.name
   resource_group_name = var.resource_group_name
   location            = var.location
@@ -21,10 +20,6 @@ resource "azurerm_app_service_virtual_network_swift_connection" "appservice_vnet
   subnet_id      = var.vnet_integration_subnet_id
 }
 
-/* --------------------------------------------------------------------------------------------------
-  Diagnostic Settings
--------------------------------------------------------------------------------------------------- */
-
 module "diagnostic-settings" {
   source = "../diagnostic-settings"
 
@@ -33,6 +28,4 @@ module "diagnostic-settings" {
   log_analytics_workspace_id = var.log_analytics_workspace_id
   #enabled_log                = var.enabled_log
   metric = var.monitor_diagnostic_setting_appserviceplan_metrics
-
 }
-

infrastructure/modules/app-service-plan/output.tf

@@ -1,4 +1,3 @@
-
 output "app_service_plan_name" {
   value = azurerm_service_plan.appserviceplan.name
 }
@@ -7,3 +6,6 @@ output "app_service_plan_id" {
   value = azurerm_service_plan.appserviceplan.id
 }
 
+output "wildcard_ssl_cert_id" {
+  value = var.wildcard_ssl_cert_key_vault_secret_id != null ? azurerm_app_service_certificate.wildcard[0].id : null
+}

infrastructure/modules/app-service-plan/variables.tf

@@ -35,6 +35,12 @@ variable "sku_name" {
   default     = "B1"
 }
 
+variable "tags" {
+  type        = map(string)
+  description = "Resource tags to be applied throughout the deployment."
+  default     = {}
+}
+
 variable "vnet_integration_enabled" {
   type        = bool
   description = "Indicates whether the App Service Plan is integrated with a VNET."
@@ -47,18 +53,32 @@ variable "vnet_integration_subnet_id" {
   default     = ""
 }
 
-variable "tags" {
-  type        = map(string)
-  description = "Resource tags to be applied throughout the deployment."
-  default     = {}
+variable "wildcard_ssl_cert_key_vault_secret_id" {
+  type        = string
+  description = "Wildcard SSL certificate Key Vault secret id, for App Service Custom Domain binding."
+  default     = null
 }
 
+variable "wildcard_ssl_cert_key_vault_id" {
+  type        = string
+  description = "Wildcard SSL certificate Key Vault id, needed if the Key Vault is in a different subscription."
+  default     = null
+}
+
+variable "wildcard_ssl_cert_name" {
+  type        = string
+  description = "Wildcard SSL certificate name, for Custom Domain binding."
+  default     = null
+}
+
+
 ## autoscale rule ##
 
 variable "metric" {
   type    = string
   default = "MemoryPercentage"
 }
+
 variable "capacity_min" {
   type    = string
   default = "1"

…modules/lets-encrypt-certificate/data.tf …odules/lets-encrypt-certificates/data.tfinfrastructure/modules/lets-encrypt-certificate/data.tf renamed to infrastructure/modules/lets-encrypt-certificates/data.tf infrastructure/modules/lets-encrypt-certificate/data.tf renamed to infrastructure/modules/lets-encrypt-certificates/data.tf

@@ -1,5 +1,7 @@
 data "azurerm_dns_zone" "lookup" {
-  name                = var.dns_zone_name
+  for_each = var.dns_zone_names
+
+  name                = each.value
   resource_group_name = var.dns_zone_resource_group_name
 }
 

…modules/lets-encrypt-certificate/main.tf …odules/lets-encrypt-certificates/main.tfinfrastructure/modules/lets-encrypt-certificate/main.tf renamed to infrastructure/modules/lets-encrypt-certificates/main.tf infrastructure/modules/lets-encrypt-certificate/main.tf renamed to infrastructure/modules/lets-encrypt-certificates/main.tf

@@ -5,7 +5,9 @@ resource "local_file" "certbot_ini_file" {
   content         = <<EOT
 dns_azure_use_cli_credentials = true
 dns_azure_environment = "AzurePublicCloud"
-dns_azure_zone1 = ${var.dns_zone_name}:${data.azurerm_dns_zone.lookup.id}
+%{for name, zone in var.dns_zone_names~}
+dns_azure_zone${index(keys(var.dns_zone_names), name) + 1} = ${zone}:${data.azurerm_dns_zone.lookup[name].id}
+%{endfor~}
 EOT
 }
 

…dules/lets-encrypt-certificate/output.tf …ules/lets-encrypt-certificates/output.tfinfrastructure/modules/lets-encrypt-certificate/output.tf renamed to infrastructure/modules/lets-encrypt-certificates/output.tf infrastructure/modules/lets-encrypt-certificate/output.tf renamed to infrastructure/modules/lets-encrypt-certificates/output.tf

@@ -74,7 +74,7 @@ if [[ ${#kv_names[@]} -eq 0 || -z "${email}" || -z "${subscription_id_target}" |
 fi
 
 # Temporary until version 4 is actually working with library josepy 2.0.0
-pip3 install 'certbot==2.11.1' certbot-dns-azure
+pip3 install 'certbot==3.3.0' certbot-dns-azure
 #pip3 install certbot certbot-dns-azure
 
 mkdir -p .terraform/certbot
@@ -84,7 +84,7 @@ echo "Attempting retrieval of stored certificate creation state..."
 az account set --subscription "${subscription_id_hub}"
 az storage blob download --account-name "${storage_account_name}" --container-name "${container_name}" --name "${environment}.zip" --file "./certbot_state.zip" --auth-mode login || true # continue on failure
 if [[ -e ./certbot_state.zip ]]; then
-    unzip -o ./certbot_state.zip
+    unzip -oq ./certbot_state.zip
     rm ./certbot_state.zip
     # reset canonical paths in renewal conf files to match the local environment
     sed -i "s#agent_workdir#${agent_workdir}#g" certbot/config/renewal/*.conf
@@ -136,7 +136,7 @@ done
 echo "Persisting certificate creation state to Azure Storage Account..."
 # reset canonical paths in renewal conf files to something predictable
 sed -i "s#${agent_workdir}#agent_workdir#g" certbot/config/renewal/*.conf
-zip -ry certbot_state.zip certbot/config certbot/logs
+zip -ryq certbot_state.zip certbot/config certbot/logs
 az account set --subscription "${subscription_id_hub}"
 az storage blob upload --account-name "${storage_account_name}" --container-name "${container_name}" --file "./certbot_state.zip" --name "${environment}.zip" --overwrite --auth-mode login
 

…s-encrypt-certificate/scripts/certbot.sh …-encrypt-certificates/scripts/certbot.shinfrastructure/modules/lets-encrypt-certificate/scripts/certbot.sh renamed to infrastructure/modules/lets-encrypt-certificates/scripts/certbot.sh infrastructure/modules/lets-encrypt-certificate/scripts/certbot.sh renamed to infrastructure/modules/lets-encrypt-certificates/scripts/certbot.sh

@@ -3,8 +3,9 @@ variable "certificates" {
   type        = map(string)
 }
 
-variable "dns_zone_name" {
-  type = string
+variable "dns_zone_names" {
+  type        = map(string)
+  description = "Map of zone identifiers to their full private DNS zone names"
 }
 
 variable "dns_zone_resource_group_name" {