use key vault for monitoring email address

Author: mrlockstar

infrastructure/environments/preprod/variables.tfvars

@@ -12,5 +12,4 @@ vnet_address_space                    = "10.10.0.0/16"
 nhs_notify_api_message_batch_url      = "https://int.api.service.nhs.uk/comms/v1/message-batches"
 seed_demo_data                        = false
 allowed_paths                         = ["/notifications/message-status/create"]
-enable_monitoring                     = true
-monitoring_email_address              = "[email protected]"
+enable_alerting                       = true

infrastructure/environments/review/variables.tfvars

@@ -7,6 +7,7 @@ postgres_backup_retention_days        = 7
 postgres_geo_redundant_backup_enabled = false
 protect_keyvault                      = false
 vnet_address_space                    = "10.142.0.0/16"
-deploy_database_as_container          = true
+deploy_database_as_container          = false
 seed_demo_data                        = true
+enable_alerting                       = false
 nhs_notify_api_message_batch_url      = "https://int.api.service.nhs.uk/comms/v1/message-batches"

infrastructure/modules/container-apps/main.tf

@@ -22,8 +22,8 @@ module "webapp" {
   container_app_environment_id     = var.container_app_environment_id
   resource_group_name              = azurerm_resource_group.main.name
   fetch_secrets_from_app_key_vault = var.fetch_secrets_from_app_key_vault
-  infra_key_vault_name             = "kv-${var.app_short_name}-${var.env_config}-inf"
-  infra_key_vault_rg               = "rg-${var.app_short_name}-${var.env_config}-infra"
+  infra_key_vault_name             = var.infra_key_vault_name
+  infra_key_vault_rg               = var.infra_key_vault_rg
   enable_auth                      = var.enable_auth
   app_key_vault_id                 = var.app_key_vault_id
   docker_image                     = var.docker_image

infrastructure/modules/container-apps/postgres.tf

@@ -46,8 +46,8 @@ module "postgres" {
   }
 
   # alerts
-  action_group_id   = var.action_group_id
-  enable_monitoring = var.enable_monitoring
+  action_group_id = var.action_group_id
+  enable_monitoring = var.enable_alerting
 
 
   databases = {

infrastructure/modules/container-apps/variables.tf

@@ -144,7 +144,7 @@ variable "use_apex_domain" {
   type        = bool
 }
 
-variable "enable_monitoring" {
+variable "enable_alerting" {
   description = "Whether monitoring and alerting is enabled for the PostgreSQL Flexible Server."
   type        = bool
 }
@@ -165,6 +165,15 @@ variable "action_group_id" {
   description = "ID of the action group to notify."
 }
 
+variable "infra_key_vault_name" {
+  description = "Name of the infra key vault"
+  type        = string
+}
+
+variable "infra_key_vault_rg" {
+  description = "Name of the infra key vault resource group"
+  type        = string
+}
 
 locals {
   resource_group_name = "rg-${var.app_short_name}-${var.environment}-container-app-uks"

infrastructure/modules/infra/data.tf

@@ -0,0 +1,11 @@
+data "azurerm_key_vault" "infra" {
+  provider = azurerm.hub
+
+  name                = var.infra_key_vault_name
+  resource_group_name = var.infra_key_vault_rg
+}
+
+data "azurerm_key_vault_secret" "infra" {
+  name         = "monitoring-email-address"
+  key_vault_id = data.azurerm_key_vault.infra.id
+}

infrastructure/modules/infra/monitor_action_group.tf

@@ -8,7 +8,7 @@ module "monitor_action_group" {
   email_receiver = {
     email = {
       name          = "email"
-      email_address = var.monitoring_email_address
+      email_address = data.azurerm_key_vault_secret.infra.value
     }
   }
 }

infrastructure/modules/infra/variables.tf

@@ -33,8 +33,13 @@ variable "protect_keyvault" {
   type        = bool
 }
 
-variable "monitoring_email_address" {
-  description = "monitoring email address"
+variable "infra_key_vault_name" {
+  description = "Name of the infra key vault"
+  type        = string
+}
+
+variable "infra_key_vault_rg" {
+  description = "Name of the infra key vault resource group"
   type        = string
 }
 

infrastructure/terraform/main.tf

@@ -8,14 +8,15 @@ module "infra" {
     azurerm.hub = azurerm.hub
   }
 
-  monitoring_email_address = var.monitoring_email_address
-  region                   = local.region
-  resource_group_name      = local.resource_group_name
-  app_short_name           = var.app_short_name
-  environment              = var.env_config
-  hub                      = var.hub
-  protect_keyvault         = var.protect_keyvault
-  vnet_address_space       = var.vnet_address_space
+  region               = local.region
+  resource_group_name  = local.resource_group_name
+  infra_key_vault_name = local.infra_key_vault_name
+  infra_key_vault_rg   = local.infra_key_vault_rg
+  app_short_name       = var.app_short_name
+  environment          = var.env_config
+  hub                  = var.hub
+  protect_keyvault     = var.protect_keyvault
+  vnet_address_space   = var.vnet_address_space
 }
 
 module "shared_config" {
@@ -39,7 +40,7 @@ module "container-apps" {
   region                                = local.region
   action_group_id                       = var.deploy_infra ? module.infra[0].monitor_action_group_id : data.azurerm_monitor_action_group.main[0].id
   alert_window_size                     = var.alert_window_size
-  enable_monitoring                     = var.enable_monitoring
+  enable_alerting                       = var.enable_alerting
   app_key_vault_id                      = var.deploy_infra ? module.infra[0].app_key_vault_id : data.azurerm_key_vault.app_key_vault[0].id
   app_short_name                        = var.app_short_name
   allowed_paths                         = var.allowed_paths
@@ -65,4 +66,6 @@ module "container-apps" {
   main_subnet_id                        = var.deploy_infra ? module.infra[0].main_subnet_id : data.azurerm_subnet.main[0].id
   seed_demo_data                        = var.seed_demo_data
   use_apex_domain                       = var.use_apex_domain
+  infra_key_vault_name                  = local.infra_key_vault_name
+  infra_key_vault_rg                    = local.infra_key_vault_rg
 }

infrastructure/terraform/variables.tf

@@ -141,20 +141,17 @@ variable "alert_window_size" {
   description = "The period of time that is used to monitor alert activity e.g. PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H. The interval between checks is adjusted accordingly."
 }
 
-variable "enable_monitoring" {
+variable "enable_alerting" {
   description = "Whether monitoring and alerting is enabled for the PostgreSQL Flexible Server."
   type        = bool
   default     = false
 }
 
-variable "monitoring_email_address" {
-  description = "monitoring email address"
-  type        = string
-  default     = null
-}
 
 locals {
   region = "uksouth"
 
-  resource_group_name = "rg-${var.app_short_name}-${var.env_config}-uks"
+  resource_group_name  = "rg-${var.app_short_name}-${var.env_config}-uks"
+  infra_key_vault_name = "kv-${var.app_short_name}-${var.env_config}-inf"
+  infra_key_vault_rg   = "rg-${var.app_short_name}-${var.env_config}-infra"
 }