Merge branch 'main' into feat/DTOSS-7388-Integrate-Post-Deployment-Test-Results-With-Slack

Author: micjustus-nc

infrastructure/modules/app-service-plan/tfdocs.md

@@ -246,17 +246,17 @@ Type: `string`
 
 Default: `null`
 
-### <a name="input_wildcard_ssl_cert_key_vault_secret_id"></a> [wildcard\_ssl\_cert\_key\_vault\_secret\_id](#input\_wildcard\_ssl\_cert\_key\_vault\_secret\_id)
+### <a name="input_wildcard_ssl_cert_name"></a> [wildcard\_ssl\_cert\_name](#input\_wildcard\_ssl\_cert\_name)
 
-Description: Wildcard SSL certificate Key Vault secret id, for App Service Custom Domain binding.
+Description: Wildcard SSL certificate name as it will appear in the App Service binding, for Custom Domain binding.
 
 Type: `string`
 
 Default: `null`
 
-### <a name="input_wildcard_ssl_cert_name"></a> [wildcard\_ssl\_cert\_name](#input\_wildcard\_ssl\_cert\_name)
+### <a name="input_wildcard_ssl_cert_pfx_blob_key_vault_secret_name"></a> [wildcard\_ssl\_cert\_pfx\_blob\_key\_vault\_secret\_name](#input\_wildcard\_ssl\_cert\_pfx\_blob\_key\_vault\_secret\_name)
 
-Description: Wildcard SSL certificate name, for Custom Domain binding.
+Description: Wildcard SSL certificate pfx blob Key Vault secret name, for Custom Domain binding.
 
 Type: `string`
 
@@ -293,3 +293,4 @@ The following resources are used by this module:
 - [azurerm_app_service_virtual_network_swift_connection.appservice_vnet_swift_connection](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_virtual_network_swift_connection) (resource)
 - [azurerm_monitor_autoscale_setting.asp_autoscale](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) (resource)
 - [azurerm_service_plan.appserviceplan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_plan) (resource)
+- [azurerm_key_vault_secret.pfx_blob](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) (data source)

infrastructure/modules/container-app-environment/README.md

@@ -12,10 +12,37 @@ For the list of inputs, outputs, resources... check the [terraform module docume
 ```hcl
 module "container-app-environment" {
   source = "../../../dtos-devops-templates/infrastructure/modules/container-app-environment"
+  providers = {
+    azurerm     = azurerm
+    azurerm.dns = azurerm
+  }
 
   name                       = "manage-breast-screening-${var.environment}"
   resource_group_name        = azurerm_resource_group.this.name
-  log_analytics_workspace_id = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id
+  log_analytics_workspace_id = module.log_analytics_workspace_audit.id
   vnet_integration_subnet_id = module.container_app_subnet.id
+  private_dns_zone_rg_name   = var.private_dns_zone_rg_name
+}
+```
+
+If the private DNS zone is located in a different subscription, for instance in a hub and spoke architecture, the provider of that subscription must be provided:
+
+```hcl
+provider "azurerm" {
+  alias           = "hub"
+  subscription_id = var.hub_subscription_id
+
+  features {}
+}
+
+module "container-app-environment" {
+  source = "../../../dtos-devops-templates/infrastructure/modules/container-app-environment"
+  providers = {
+    azurerm     = azurerm
+    azurerm.dns = azurerm.hub
+  }
+
+  name                       = "manage-breast-screening-${var.environment}"
+  ...
 }
 ```

infrastructure/modules/container-app-environment/main.tf

@@ -5,4 +5,31 @@ resource "azurerm_container_app_environment" "main" {
   log_analytics_workspace_id     = var.log_analytics_workspace_id
   infrastructure_subnet_id       = var.vnet_integration_subnet_id
   internal_load_balancer_enabled = true
+  zone_redundancy_enabled        = var.zone_redundancy_enabled
+}
+
+module "apex-record" {
+  source = "../private-dns-a-record"
+  providers = {
+    azurerm = azurerm.dns
+  }
+
+  name                = local.dns_record
+  resource_group_name = var.private_dns_zone_rg_name
+  zone_name           = "azurecontainerapps.io"
+  ttl                 = 60
+  records             = [azurerm_container_app_environment.main.static_ip_address]
+}
+
+module "wildcard-record" {
+  source = "../private-dns-a-record"
+  providers = {
+    azurerm = azurerm.dns
+  }
+
+  name                = "*.${local.dns_record}"
+  resource_group_name = var.private_dns_zone_rg_name
+  zone_name           = "azurecontainerapps.io"
+  ttl                 = 60
+  records             = [azurerm_container_app_environment.main.static_ip_address]
 }

infrastructure/modules/container-app-environment/output.tf

@@ -1,7 +1,9 @@
 output "id" {
+  description = "Container app environment ID"
   value = azurerm_container_app_environment.main.id
 }
 
 output "default_domain" {
+  description = "Default internal DNS domain. Should be registered in the private DNS zone."
   value = azurerm_container_app_environment.main.default_domain
 }

infrastructure/modules/container-app-environment/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source = "hashicorp/azurerm"
+      configuration_aliases = [ azurerm.dns ]
+    }
+  }
+}

infrastructure/modules/container-app-environment/tfdocs.md

@@ -16,6 +16,12 @@ Description: Name of the container app environment.
 
 Type: `string`
 
+### <a name="input_private_dns_zone_rg_name"></a> [private\_dns\_zone\_rg\_name](#input\_private\_dns\_zone\_rg\_name)
+
+Description: Name of the hub resource group where the private DNS zone is located.
+
+Type: `string`
+
 ### <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name)
 
 Description: Name of the resource group to create the container app environment in.
@@ -28,17 +34,43 @@ Description: ID of the subnet for the container app environment. Must be at leas
 
 Type: `string`
 
+## Optional Inputs
+
+The following input variables are optional (have default values):
+
+### <a name="input_zone_redundancy_enabled"></a> [zone\_redundancy\_enabled](#input\_zone\_redundancy\_enabled)
+
+Description: Enable availability zone redundancy for the container app environment. Should be set to true in production.
+
+Type: `bool`
+
+Default: `false`
+## Modules
+
+The following Modules are called:
+
+### <a name="module_apex-record"></a> [apex-record](#module\_apex-record)
+
+Source: ../private-dns-a-record
+
+Version:
+
+### <a name="module_wildcard-record"></a> [wildcard-record](#module\_wildcard-record)
+
+Source: ../private-dns-a-record
+
+Version:
 ## Outputs
 
 The following outputs are exported:
 
 ### <a name="output_default_domain"></a> [default\_domain](#output\_default\_domain)
 
-Description: n/a
+Description: Default internal DNS domain. Should be registered in the private DNS zone.
 
 ### <a name="output_id"></a> [id](#output\_id)
 
-Description: n/a
+Description: Container app environment ID
 ## Resources
 
 The following resources are used by this module:

infrastructure/modules/container-app-environment/variables.tf

@@ -17,3 +17,22 @@ variable "vnet_integration_subnet_id" {
   type        = string
   description = "ID of the subnet for the container app environment. Must be at least /23"
 }
+
+variable "private_dns_zone_rg_name" {
+  type = string
+  description = "Name of the hub resource group where the private DNS zone is located."
+}
+
+variable "zone_redundancy_enabled" {
+  type        = bool
+  description = "Enable availability zone redundancy for the container app environment. Should be set to true in production."
+  default     = false
+}
+
+locals {
+  dns_record = replace(
+    azurerm_container_app_environment.main.default_domain,
+    ".azurecontainerapps.io",
+    ""
+  )
+}

infrastructure/modules/container-app/README.md

@@ -6,8 +6,8 @@ Deploy an [Azure container app](https://learn.microsoft.com/en-us/azure/containe
 For the list of inputs, outputs, resources... check the [terraform module documentation](tfdocs.md).
 
 ## Usage
+Create the common container app environment:
 ```hcl
-# Create the common container app environment
 module "container-app-environment" {
   source = "../../../dtos-devops-templates/infrastructure/modules/container-app-environment"
 
@@ -16,31 +16,55 @@ module "container-app-environment" {
   log_analytics_workspace_id = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id
   vnet_integration_subnet_id = module.container_app_subnet.id
 }
+```
 
-# Create a webapp for a container listening on port 8000
-# The webapp will be available on internal URL https://<name>.<container app environment default domain>
+Create a webapp for a container listening on port 8000. The webapp will be available on internal URL `https://<name>.<container app environment default domain>`:
+```hcl
 module "webapp" {
-  source                       = "../../../modules/dtos-devops-templates/infrastructure/modules/container-app"
-  name                         = "manage-breast-screening-web-${var.environment}"
-  container_app_environment_id = module.container-app-environment.id
-  resource_group_name          = azurerm_resource_group.this.name
-  app_key_vault_name           = module.app-key-vault.name # All secrets in the app key vault are mapped securely as environment variables
-  docker_image                 = var.docker_image # Docker image and unique tag
-  # Map of non secret environment variables
+  source                           = "../../../modules/dtos-devops-templates/infrastructure/modules/container-app"
+  name                             = "manage-breast-screening-web-${var.environment}"
+  container_app_environment_id     = module.container-app-environment.id
+  resource_group_name              = azurerm_resource_group.this.name
+  docker_image                    = var.docker_image
   environment_variables = {
     "ALLOWED_HOSTS" = "manage-breast-screening-web-${var.environment}.${module.container-app-environment.default_domain}"
   }
   is_web_app = true
   http_port  = 8000
 }
+```
 
-# Create a background worker (no ingress)
+Create a background worker (no ingress):
+```hcl
 module "worker" {
-  source                       = "../../../modules/dtos-devops-templates/infrastructure/modules/container-app"
-  name                         = "manage-breast-screening-worker-${var.environment}"
-  container_app_environment_id = module.container-app-environment.id
-  resource_group_name          = azurerm_resource_group.this.name
-  app_key_vault_name           = module.app-key-vault.name
-  docker_image                 = var.docker_image_worker
+  source                           = "../../../modules/dtos-devops-templates/infrastructure/modules/container-app"
+  name                             = "manage-breast-screening-worker-${var.environment}"
+  container_app_environment_id     = module.container-app-environment.id
+  resource_group_name              = azurerm_resource_group.this.name
+  docker_image                     = var.docker_image_worker
 }
 ```
+
+## Key vault secrets
+The container app can be mapped to an Azure key vault. All secrets are fetched and provided as secret environment variables to the app. The values are updated when terraform runs, or automatically within 30 min.
+
+A secret name in key vault must use hyphens: `SECRET-KEY`. It is automatically mapped as an environment variable with underscore: `SECRET_KEY`.
+
+**Warning:** The module cannot read from key vault if doesn't exist yet:
+1. For each environment, create first via terraform:
+    - key vault with the [key-vault module](../key-vault/)
+    - container-app with `app_key_vault_id` from above and `fetch_secrets_from_app_key_vault` set to `false` (default)
+1. Add the secrets to the key vault manually
+1. Set `fetch_secrets_from_app_key_vault` set to `true` and run terraform to populate the app secret environment variables
+
+Example:
+```hcl
+module "worker" {
+  source                           = "../../../modules/dtos-devops-templates/infrastructure/modules/container-app"
+  ...
+  app_key_vault_id                 = module.app-key-vault.key_vault_id
+  fetch_secrets_from_app_key_vault = var.fetch_secrets_from_app_key_vault
+}
+
+# Set fetch_secrets_from_app_key_vault to true in tfvars once the key vault is populated with secrets
+```

infrastructure/modules/container-app/data.tf

@@ -1,12 +1,10 @@
-data "azurerm_key_vault" "app" {
-  count = var.app_key_vault_name != null ? 1 : 0
+data "azurerm_key_vault_secrets" "app" {
+  count      = var.fetch_secrets_from_app_key_vault ? 1 : 0
+  depends_on = [module.key_vault_reader_role]
 
-  name                = var.app_key_vault_name
-  resource_group_name = var.resource_group_name
+  key_vault_id = var.app_key_vault_id
 }
 
-data "azurerm_key_vault_secrets" "app" {
-  count = var.app_key_vault_name != null ? 1 : 0
-
-  key_vault_id = data.azurerm_key_vault.app[0].id
+data "azurerm_resource_group" "main" {
+  name = var.resource_group_name
 }

infrastructure/modules/container-app/main.tf

@@ -1,21 +1,40 @@
+module "container_app_identity" {
+  source              = "../managed-identity"
+  resource_group_name = var.resource_group_name
+  location            = data.azurerm_resource_group.main.location
+  uai_name            = "${var.name}-identity"
+}
+
+# Allow the container app to read secrets from keyvaults in the resource groups
+module "key_vault_reader_role" {
+  count = var.fetch_secrets_from_app_key_vault ? 1 : 0
+
+  source = "../rbac-assignment"
+
+  scope                = data.azurerm_resource_group.main.id
+  role_definition_name = "Key Vault Secrets User"
+  principal_id         = module.container_app_identity.principal_id
+}
+
 resource "azurerm_container_app" "main" {
   name                         = var.name
   container_app_environment_id = var.container_app_environment_id
   resource_group_name          = var.resource_group_name
   revision_mode                = "Single"
 
   identity {
-    type = "SystemAssigned"
+    type         = "UserAssigned"
+    identity_ids = [module.container_app_identity.id]
   }
 
   dynamic "secret" {
-    for_each = var.app_key_vault_name != null ? data.azurerm_key_vault_secrets.app[0].secrets : []
+    for_each = var.fetch_secrets_from_app_key_vault ? data.azurerm_key_vault_secrets.app[0].secrets : []
 
     content {
       # KV secrets are uppercase and hyphen separated
       # app container secrets are lowercase and hyphen separated
-      name = lower(secret.value.name)
-      identity = "System"
+      name                = lower(secret.value.name)
+      identity            = module.container_app_identity.id
       key_vault_secret_id = secret.value.id
     }
   }
@@ -36,7 +55,7 @@ resource "azurerm_container_app" "main" {
       }
 
       dynamic "env" {
-        for_each = var.app_key_vault_name != null ? data.azurerm_key_vault_secrets.app[0].secrets : []
+        for_each = var.fetch_secrets_from_app_key_vault ? data.azurerm_key_vault_secrets.app[0].secrets : []
         content {
           # Env vars are uppercase and underscore separated
           name = upper(replace(env.value.name, "-", "_"))
@@ -63,19 +82,3 @@ resource "azurerm_container_app" "main" {
     }
   }
 }
-
-# resource "azurerm_role_assignment" "key_vault_reader" {
-#   count                = var.app_key_vault_name != null ? 1 : 0
-
-#   scope                = data.azurerm_key_vault.app[0].id
-#   role_definition_name = "Key Vault Secrets User"
-#   principal_id         = azurerm_container_app.main.identity[0].principal_id
-# }
-
-module "key_vault_reader_role" {
-  source = "../rbac-assignment"
-
-  scope                = data.azurerm_key_vault.app[0].id
-  role_definition_name = "Key Vault Secrets User"
-  principal_id         = azurerm_container_app.main.identity[0].principal_id
-}