feat: DTOSS-9131 Terraform infrastructure creation (#30)

Author: patrickmoore-nc

.azuredevops/pipelines/cd-infrastructure-dev-audit.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: f8141ab50ec0f3630044fa0f531952d2dbbd1e85
+      ref: cf5e22fe4614b7d077a22301d29883e86ac3defc
       endpoint: NHSDigital
 
 variables:
@@ -23,7 +23,7 @@ variables:
   - name: TF_DIRECTORY
     value: $(System.DefaultWorkingDirectory)/$(System.TeamProject)/infrastructure/tf-audit
   - name: TF_VERSION
-    value: 1.9.2
+    value: 1.11.4
   - name: TF_PLAN_ARTIFACT
     value: tf_plan_audit_DEV
   - name: ENVIRONMENT

.azuredevops/pipelines/cd-infrastructure-dev-core.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: f8141ab50ec0f3630044fa0f531952d2dbbd1e85
+      ref: cf5e22fe4614b7d077a22301d29883e86ac3defc
       endpoint: NHSDigital
 
 variables:
@@ -24,7 +24,7 @@ variables:
   - name: TF_DIRECTORY
     value: $(System.DefaultWorkingDirectory)/$(System.TeamProject)/infrastructure/tf-core
   - name: TF_VERSION
-    value: 1.9.2
+    value: 1.11.4
   - name: TF_PLAN_ARTIFACT
     value: tf_plan_core_DEV
   - name: ENVIRONMENT

.github/workflows/cicd-1-pull-request.yaml

@@ -5,9 +5,9 @@ name: "CI/CD pull request"
 on:
   push:
     branches:
-      - "**"
+      - main
   pull_request:
-    types: [opened, reopened]
+    types: [opened, reopened, synchronize]
 
 jobs:
 
@@ -103,11 +103,11 @@ jobs:
   build-image-stage: # Recommended maximum execution time is 3 minutes
     name: Image build stage
     needs: [metadata, commit-stage, test-stage]
-    uses: NHSDigital/dtos-devops-templates/.github/workflows/stage-3-build-images.yaml@main
+    uses: NHSDigital/dtos-devops-templates/.github/workflows/stage-3-build.yaml@main
     if: needs.metadata.outputs.does_pull_request_exist == 'true' || github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
     with:
-      docker_compose_file: ./compose.yaml
-      excluded_containers_csv_list: azurite,azurite-setup,sql-database,database-setup
+      docker_compose_file_csv_list: ./compose.yaml
+      excluded_containers_csv_list: azurite,azurite-setup,sql-database,database-setup,db
       environment_tag: ${{ needs.metadata.outputs.environment_tag }}
       function_app_source_code_path: src
       project_name: service-layer

compose.yaml

@@ -1,6 +1,6 @@
 services:
-  api:
-    container_name: "api"
+  svclyr-api:
+    container_name: "svclyr-api"
     build:
       context: ./src
       dockerfile: ServiceLayer.API/Dockerfile
@@ -30,8 +30,8 @@ services:
     networks:
       - backend
 
-  mesh-ingest:
-    container_name: "mesh-ingest"
+  svclyr-mesh-ingest:
+    container_name: "svclyr-mesh-ingest"
     build:
       context: ./src
       dockerfile: ServiceLayer.Mesh/Dockerfile

infrastructure/tf-audit/app_insights.tf

@@ -0,0 +1,15 @@
+module "app_insights_audit" {
+  for_each = { for key, val in var.regions : key => val if val.is_primary_region }
+
+  source = "../../../dtos-devops-templates/infrastructure/modules/app-insights"
+
+  name             = module.regions_config[each.key].names.app-insights
+  location         = each.key
+  appinsights_type = var.app_insights.appinsights_type
+
+  log_analytics_workspace_id = module.log_analytics_workspace_audit[each.key].id
+
+  resource_group_name = azurerm_resource_group.audit[each.key].name
+  tags                = var.tags
+
+}

infrastructure/tf-audit/config.tf

@@ -0,0 +1,21 @@
+resource "azurerm_resource_group" "audit" {
+  for_each = { for key, val in var.regions : key => val if val.is_primary_region }
+
+  name     = "${module.regions_config[each.key].names.resource-group}-audit"
+  location = each.key
+
+  lifecycle {
+    ignore_changes = [tags]
+  }
+}
+
+module "regions_config" {
+  for_each = var.regions
+
+  source = "../../../dtos-devops-templates/infrastructure/modules/shared-config"
+
+  location    = each.key
+  application = var.application
+  env         = var.environment
+  tags        = var.tags
+}

infrastructure/tf-audit/data.tf

@@ -0,0 +1,12 @@
+data "azurerm_client_config" "current" {}
+
+data "terraform_remote_state" "hub" {
+  backend = "azurerm"
+  config = {
+    subscription_id      = var.HUB_SUBSCRIPTION_ID
+    storage_account_name = var.HUB_BACKEND_AZURE_STORAGE_ACCOUNT_NAME
+    container_name       = var.HUB_BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME
+    key                  = var.HUB_BACKEND_AZURE_STORAGE_ACCOUNT_KEY
+    resource_group_name  = var.HUB_BACKEND_AZURE_RESOURCE_GROUP_NAME
+  }
+}

infrastructure/tf-audit/diagnostic_settings_audit.tf

@@ -0,0 +1,33 @@
+locals {
+  #APPSERVICEPLAN
+  monitor_diagnostic_setting_appserviceplan_metrics = ["AllMetrics"]
+
+  #FUNCTIONAPP
+  monitor_diagnostic_setting_function_app_enabled_logs = ["AppServiceAuthenticationLogs", "FunctionAppLogs"]
+  monitor_diagnostic_setting_function_app_metrics      = ["AllMetrics"]
+
+  # KEYVAULT
+  monitor_diagnostic_setting_keyvault_enabled_logs = ["AuditEvent", "AzurePolicyEvaluationDetails"]
+  monitor_diagnostic_setting_keyvault_metrics      = ["AllMetrics"]
+
+  # LOG ANALYTICS WORKSPACE
+  monitor_diagnostic_setting_log_analytics_workspace_enabled_logs = ["SummaryLogs", "Audit"]
+  monitor_diagnostic_setting_log_analytics_workspace_metrics      = ["AllMetrics"]
+
+  #SQL SERVER AND DATABASE
+  monitor_diagnostic_setting_database_enabled_logs   = ["SQLSecurityAuditEvents", "SQLInsights", "QueryStoreWaitStatistics", "Errors", "DatabaseWaitStatistics", "Timeouts"]
+  monitor_diagnostic_setting_database_metrics        = ["Basic", "InstanceAndAppAdvanced", "WorkloadManagement"]
+  monitor_diagnostic_setting_sql_server_enabled_logs = ["SQLSecurityAuditEvents"]
+  monitor_diagnostic_setting_sql_server_metrics      = ["Basic", "InstanceAndAppAdvanced", "WorkloadManagement"]
+
+  #STORAGE ACCOUNT
+  monitor_diagnostic_setting_storage_account_enabled_logs = ["StorageWrite", "StorageRead", "StorageDelete"]
+  monitor_diagnostic_setting_storage_account_metrics      = ["Capacity", "Transaction"]
+
+  #SUBNET
+  monitor_diagnostic_setting_network_security_group_enabled_logs = ["NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter"]
+
+  #VNET
+  monitor_diagnostic_setting_vnet_enabled_logs = ["VMProtectionAlerts"]
+  monitor_diagnostic_setting_vnet_metrics      = ["AllMetrics"]
+}

infrastructure/tf-audit/environments/development.tfvars

@@ -0,0 +1,54 @@
+application           = "svclyr"
+application_full_name = "service-layer"
+environment           = "DEV"
+
+features = {
+  private_endpoints_enabled              = true
+  private_service_connection_is_manual   = false
+  log_analytics_data_export_rule_enabled = false
+  public_network_access_enabled          = false
+}
+
+tags = {
+  Project = "Service-Layer"
+}
+
+regions = {
+  uksouth = {
+    is_primary_region = true
+    address_space     = "10.135.0.0/16"
+    connect_peering   = true
+    subnets = {
+      pep = {
+        cidr_newbits = 8
+        cidr_offset  = 1
+      }
+    }
+  }
+}
+
+app_insights = {
+  appinsights_type = "web"
+}
+
+law = {
+  law_sku            = "PerGB2018"
+  retention_days     = 30
+  export_enabled     = false
+  export_table_names = ["Alert"]
+}
+
+storage_accounts = {
+  sqllogs = {
+    name_suffix                   = "sqllogs"
+    account_tier                  = "Standard"
+    replication_type              = "LRS"
+    public_network_access_enabled = false
+    containers = {
+      vulnerability-assessment = {
+        container_name        = "vulnerability-assessment"
+        container_access_type = "private"
+      }
+    }
+  }
+}

infrastructure/tf-audit/environments/integration.tfvars

@@ -0,0 +1,54 @@
+application           = "svclyr"
+application_full_name = "service-layer"
+environment           = "INT"
+
+features = {
+  private_endpoints_enabled              = true
+  private_service_connection_is_manual   = false
+  log_analytics_data_export_rule_enabled = false
+  public_network_access_enabled          = false
+}
+
+tags = {
+  Project = "Service-Layer"
+}
+
+regions = {
+  uksouth = {
+    is_primary_region = true
+    address_space     = "10.139.0.0/16"
+    connect_peering   = true
+    subnets = {
+      pep = {
+        cidr_newbits = 8
+        cidr_offset  = 1
+      }
+    }
+  }
+}
+
+app_insights = {
+  appinsights_type = "web"
+}
+
+law = {
+  law_sku            = "PerGB2018"
+  retention_days     = 30
+  export_enabled     = false
+  export_table_names = ["Alert"]
+}
+
+storage_accounts = {
+  sqllogs = {
+    name_suffix                   = "sqllogs"
+    account_tier                  = "Standard"
+    replication_type              = "LRS"
+    public_network_access_enabled = false
+    containers = {
+      vulnerability-assessment = {
+        container_name        = "vulnerability-assessment"
+        container_access_type = "private"
+      }
+    }
+  }
+}