DTOSS-9226: Create Permissions for Foundry Function App (#183)

* DTOSS-9226: Create Permissions for Foundry Function App

* Adding in an example to the module

Author: mrlockstar

infrastructure/modules/service-bus-subscription/README.md

@@ -0,0 +1,4 @@
+# service-bus
+
+## Terraform documentation
+For the list of inputs, outputs, resources... check the [terraform module documentation](tfdocs.md).

infrastructure/modules/service-bus-subscription/example/example.tfvars

@@ -0,0 +1,30 @@
+regions = {
+  uksouth = {
+    is_primary_region = true
+    address_space     = "10.113.0.0/16"
+    connect_peering   = false
+    subnets           = {}
+  }
+}
+
+service_bus_subscriptions = {
+  subscriber_config = {
+    event-dev-ap = {
+      subscription_name       = "events-sub"
+      topic_name              = "events"
+      namespace_name          = "dtoss-nsp"
+      subscriber_functionName = "foundryRelay"
+    }
+  }
+}
+
+service_bus = {
+  dtoss-nsp = {
+    capacity         = 1
+    sku_tier         = "Premium"
+    max_payload_size = "100mb"
+    topics = {
+      events = {}
+    }
+  }
+}

infrastructure/modules/service-bus-subscription/example/main.tf

@@ -0,0 +1,33 @@
+module "service_bus_subscription" {
+  for_each = local.service_bus_subscriptions_map
+
+  source = "../../../../../dtos-devops-templates/infrastructure/modules/service-bus-subscription"
+
+  subscription_name         = each.value.service_bus_subscription_key
+  max_delivery_count        = 10
+  topic_id                  = values(module.azure_service_bus["${each.value.namespace_name}-${each.value.region}"].topic_ids)[0]
+  namespace_name            = "${each.value.namespace_name}-${each.value.region}"
+  service_bus_namespace_id  = module.azure_service_bus["${each.value.namespace_name}-${each.value.region}"].namespace_id
+  function_app_principal_id = module.functionapp["${each.value.subscriber_functionName}-${each.value.region}"].function_app_sami_id
+
+}
+
+locals {
+
+  service_bus_subscriptions_object_list = flatten([
+    for region in keys(var.regions) : [
+      for service_bus_subscription_key, service_bus_subscription_details in var.service_bus_subscriptions.subscriber_config : merge(
+        {
+          region                       = region                       # 1st iterator
+          service_bus_subscription_key = service_bus_subscription_key # 2nd iterator
+        },
+        service_bus_subscription_details # the rest of the key/value pairs for a specific service_bus
+      )
+    ]
+  ])
+
+  # ...then project the list of objects into a map with unique keys (combining the iterators), for consumption by a for_each meta argument
+  service_bus_subscriptions_map = {
+    for object in local.service_bus_subscriptions_object_list : "${object.service_bus_subscription_key}-${object.region}" => object
+  }
+}

infrastructure/modules/service-bus-subscription/example/variables.tf

@@ -0,0 +1,28 @@
+variable "service_bus_subscriptions" {
+  description = "Configuration for event grid subscriptions"
+  type = object({
+    subscriber_config = map(object({
+      subscription_name       = string
+      namespace_name          = optional(string)
+      topic_name              = string
+      subscriber_functionName = string
+    }))
+  })
+}
+
+variable "regions" {
+  type = map(object({
+    address_space     = optional(string)
+    is_primary_region = bool
+    connect_peering   = optional(bool, false)
+    subnets = optional(map(object({
+      cidr_newbits               = string
+      cidr_offset                = string
+      create_nsg                 = optional(bool, true) # defaults to true
+      name                       = optional(string)     # Optional name override
+      delegation_name            = optional(string)
+      service_delegation_name    = optional(string)
+      service_delegation_actions = optional(list(string))
+    })))
+  }))
+}

infrastructure/modules/service-bus-subscription/main.tf

@@ -0,0 +1,13 @@
+resource "azurerm_servicebus_subscription" "this" {
+  name                 = var.subscription_name
+  topic_id             = var.topic_id
+  max_delivery_count   = var.max_delivery_count
+  lock_duration        = "PT5M"  # ISO 8601 duration
+
+}
+
+resource "azurerm_role_assignment" "sb_role" {
+  scope                = var.service_bus_namespace_id
+  role_definition_name = "Azure Service Bus Data Receiver"  # or "Azure Service Bus Data Owner" if you want full control
+  principal_id         = var.function_app_principal_id
+}

infrastructure/modules/service-bus-subscription/tfdocs.md

@@ -0,0 +1,69 @@
+# Module documentation
+
+## Required Inputs
+
+The following input variables are required:
+
+### <a name="input_function_app_principal_id"></a> [function\_app\_principal\_id](#input\_function\_app\_principal\_id)
+
+Description: The principal ID (object ID) of the Function App's managed identity.
+
+Type: `string`
+
+### <a name="input_namespace_name"></a> [namespace\_name](#input\_namespace\_name)
+
+Description: The name of the Service Bus namespace.
+
+Type: `string`
+
+### <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name)
+
+Description: The name of the resource group containing the Service Bus namespace.
+
+Type: `string`
+
+### <a name="input_service_bus_namespace_id"></a> [service\_bus\_namespace\_id](#input\_service\_bus\_namespace\_id)
+
+Description: The ID of the Service Bus namespace resource for role assignment scope.
+
+Type: `string`
+
+### <a name="input_subscription_name"></a> [subscription\_name](#input\_subscription\_name)
+
+Description: The name of the Service Bus subscription.
+
+Type: `string`
+
+### <a name="input_topic_name"></a> [topic\_name](#input\_topic\_name)
+
+Description: The name of the Service Bus topic.
+
+Type: `string`
+
+## Optional Inputs
+
+The following input variables are optional (have default values):
+
+### <a name="input_max_delivery_count"></a> [max\_delivery\_count](#input\_max\_delivery\_count)
+
+Description: The maximum delivery count of a message before it is dead-lettered.
+
+Type: `number`
+
+Default: `10`
+
+### <a name="input_tags"></a> [tags](#input\_tags)
+
+Description: A map of tags to assign to the subscription.
+
+Type: `map(string)`
+
+Default: `{}`
+
+
+## Resources
+
+The following resources are used by this module:
+
+- [azurerm_role_assignment.sb_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
+- [azurerm_servicebus_subscription.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/servicebus_subscription) (resource)

infrastructure/modules/service-bus-subscription/variables.tf

@@ -0,0 +1,60 @@
+variable "subscription_name" {
+  description = "The name of the Service Bus subscription."
+  type        = string
+
+  validation {
+    condition     = length(var.subscription_name) > 0 && length(var.subscription_name) <= 50
+    error_message = "subscription_name must be between 1 and 50 characters."
+  }
+}
+
+variable "topic_id" {
+  description = "The name of the Service Bus topic."
+  type        = string
+
+  # validation {
+  #   condition     = length(var.topic_name) > 0 && length(var.topic_name) <= 50
+  #   error_message = "topic_name must be between 1 and 50 characters."
+  # }
+}
+
+variable "namespace_name" {
+  description = "The name of the Service Bus namespace."
+  type        = string
+
+  validation {
+    condition     = length(var.namespace_name) > 0 && length(var.namespace_name) <= 50
+    error_message = "namespace_name must be between 1 and 50 characters."
+  }
+}
+
+variable "max_delivery_count" {
+  description = "The maximum delivery count of a message before it is dead-lettered."
+  type        = number
+  default     = 10
+
+  validation {
+    condition     = var.max_delivery_count > 0 && var.max_delivery_count <= 100
+    error_message = "max_delivery_count must be between 1 and 100."
+  }
+}
+
+variable "service_bus_namespace_id" {
+  description = "The ID of the Service Bus namespace resource for role assignment scope."
+  type        = string
+
+  validation {
+    condition     = can(regex("^/subscriptions/.+/resourceGroups/.+/providers/Microsoft.ServiceBus/namespaces/.+$", var.service_bus_namespace_id))
+    error_message = "service_bus_namespace_id must be a valid Azure Service Bus namespace resource ID."
+  }
+}
+
+variable "function_app_principal_id" {
+  description = "The principal ID (object ID) of the Function App's managed identity."
+  type        = string
+
+  validation {
+    condition     = length(var.function_app_principal_id) == 36 || length(var.function_app_principal_id) == 32
+    error_message = "function_app_principal_id should be a valid GUID string."
+  }
+}

infrastructure/modules/service-bus/output.tf

@@ -6,3 +6,11 @@ output "servicebus_connection_string" {
 output "namespace_id" {
   value = azurerm_servicebus_namespace.this.id
 }
+
+output "namespace_name" {
+  value = azurerm_servicebus_namespace.this.name
+}
+
+output "topic_ids" {
+  value = { for k, topic in azurerm_servicebus_topic.this : k => topic.id }
+}