feat: DTOSS-9131 Terraform infrastructure creation

.azuredevops/pipelines/cd-infrastructure-dev-audit.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: f8141ab50ec0f3630044fa0f531952d2dbbd1e85
+      ref: cf5e22fe4614b7d077a22301d29883e86ac3defc
       endpoint: NHSDigital
 
 variables:
@@ -23,7 +23,7 @@ variables:
   - name: TF_DIRECTORY
     value: $(System.DefaultWorkingDirectory)/$(System.TeamProject)/infrastructure/tf-audit
   - name: TF_VERSION
-    value: 1.9.2
+    value: 1.11.4
   - name: TF_PLAN_ARTIFACT
     value: tf_plan_audit_DEV
   - name: ENVIRONMENT

.azuredevops/pipelines/cd-infrastructure-dev-core.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: f8141ab50ec0f3630044fa0f531952d2dbbd1e85
+      ref: cf5e22fe4614b7d077a22301d29883e86ac3defc
       endpoint: NHSDigital
 
 variables:
@@ -24,7 +24,7 @@ variables:
   - name: TF_DIRECTORY
     value: $(System.DefaultWorkingDirectory)/$(System.TeamProject)/infrastructure/tf-core
   - name: TF_VERSION
-    value: 1.9.2
+    value: 1.11.4
   - name: TF_PLAN_ARTIFACT
     value: tf_plan_core_DEV
   - name: ENVIRONMENT

.github/workflows/cicd-1-pull-request.yaml

@@ -5,9 +5,9 @@ name: "CI/CD pull request"
 on:
   push:
     branches:
-      - "**"
+      - main
   pull_request:
-    types: [opened, reopened]
+    types: [opened, reopened, synchronize]
 
 jobs:
 
@@ -103,11 +103,11 @@ jobs:
   build-image-stage: # Recommended maximum execution time is 3 minutes
     name: Image build stage
     needs: [metadata, commit-stage, test-stage]
-    uses: NHSDigital/dtos-devops-templates/.github/workflows/stage-3-build-images.yaml@main
+    uses: NHSDigital/dtos-devops-templates/.github/workflows/stage-3-build.yaml@main
     if: needs.metadata.outputs.does_pull_request_exist == 'true' || github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
     with:
-      docker_compose_file: ./compose.yaml
-      excluded_containers_csv_list: azurite,azurite-setup,sql-database,database-setup
+      docker_compose_file_csv_list: ./compose.yaml
+      excluded_containers_csv_list: azurite,azurite-setup,sql-database,database-setup,db
       environment_tag: ${{ needs.metadata.outputs.environment_tag }}
       function_app_source_code_path: src
       project_name: service-layer

compose.yaml

@@ -1,6 +1,6 @@
 services:
-  api:
-    container_name: "api"
+  svclyr-api:
+    container_name: "svclyr-api"
     build:
       context: ./src
       dockerfile: ServiceLayer.API/Dockerfile
@@ -30,8 +30,8 @@ services:
     networks:
       - backend
 
-  mesh-ingest:
-    container_name: "mesh-ingest"
+  svclyr-mesh-ingest:
+    container_name: "svclyr-mesh-ingest"
     build:
       context: ./src
       dockerfile: ServiceLayer.Mesh/Dockerfile

infrastructure/tf-audit/app_insights.tf

@@ -0,0 +1,15 @@
+module "app_insights_audit" {
+  for_each = { for key, val in var.regions : key => val if val.is_primary_region }
+
+  source = "../../../dtos-devops-templates/infrastructure/modules/app-insights"
+
+  name             = module.regions_config[each.key].names.app-insights
+  location         = each.key
+  appinsights_type = var.app_insights.appinsights_type
+
+  log_analytics_workspace_id = module.log_analytics_workspace_audit[each.key].id
+
+  resource_group_name = azurerm_resource_group.audit[each.key].name
+  tags                = var.tags
+
+}

infrastructure/tf-audit/config.tf

@@ -0,0 +1,21 @@
+resource "azurerm_resource_group" "audit" {
+  for_each = { for key, val in var.regions : key => val if val.is_primary_region }
+
+  name     = "${module.regions_config[each.key].names.resource-group}-audit"
+  location = each.key
+
+  lifecycle {
+    ignore_changes = [tags]
+  }
+}
+
+module "regions_config" {
+  for_each = var.regions
+
+  source = "../../../dtos-devops-templates/infrastructure/modules/shared-config"
+
+  location    = each.key
+  application = var.application
+  env         = var.environment
+  tags        = var.tags
+}

infrastructure/tf-audit/data.tf

@@ -0,0 +1,12 @@
+data "azurerm_client_config" "current" {}
+
+data "terraform_remote_state" "hub" {
+  backend = "azurerm"
+  config = {
+    subscription_id      = var.HUB_SUBSCRIPTION_ID
+    storage_account_name = var.HUB_BACKEND_AZURE_STORAGE_ACCOUNT_NAME
+    container_name       = var.HUB_BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME
+    key                  = var.HUB_BACKEND_AZURE_STORAGE_ACCOUNT_KEY
+    resource_group_name  = var.HUB_BACKEND_AZURE_RESOURCE_GROUP_NAME
+  }
+}

infrastructure/tf-audit/diagnostic_settings_audit.tf

@@ -0,0 +1,33 @@
+locals {
+  #APPSERVICEPLAN
+  monitor_diagnostic_setting_appserviceplan_metrics = ["AllMetrics"]
+
+  #FUNCTIONAPP
+  monitor_diagnostic_setting_function_app_enabled_logs = ["AppServiceAuthenticationLogs", "FunctionAppLogs"]
+  monitor_diagnostic_setting_function_app_metrics      = ["AllMetrics"]
+
+  # KEYVAULT
+  monitor_diagnostic_setting_keyvault_enabled_logs = ["AuditEvent", "AzurePolicyEvaluationDetails"]
+  monitor_diagnostic_setting_keyvault_metrics      = ["AllMetrics"]
+
+  # LOG ANALYTICS WORKSPACE
+  monitor_diagnostic_setting_log_analytics_workspace_enabled_logs = ["SummaryLogs", "Audit"]
+  monitor_diagnostic_setting_log_analytics_workspace_metrics      = ["AllMetrics"]
+
+  #SQL SERVER AND DATABASE
+  monitor_diagnostic_setting_database_enabled_logs   = ["SQLSecurityAuditEvents", "SQLInsights", "QueryStoreWaitStatistics", "Errors", "DatabaseWaitStatistics", "Timeouts"]
+  monitor_diagnostic_setting_database_metrics        = ["Basic", "InstanceAndAppAdvanced", "WorkloadManagement"]
+  monitor_diagnostic_setting_sql_server_enabled_logs = ["SQLSecurityAuditEvents"]
+  monitor_diagnostic_setting_sql_server_metrics      = ["Basic", "InstanceAndAppAdvanced", "WorkloadManagement"]
+
+  #STORAGE ACCOUNT
+  monitor_diagnostic_setting_storage_account_enabled_logs = ["StorageWrite", "StorageRead", "StorageDelete"]
+  monitor_diagnostic_setting_storage_account_metrics      = ["Capacity", "Transaction"]
+
+  #SUBNET
+  monitor_diagnostic_setting_network_security_group_enabled_logs = ["NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter"]
+
+  #VNET
+  monitor_diagnostic_setting_vnet_enabled_logs = ["VMProtectionAlerts"]
+  monitor_diagnostic_setting_vnet_metrics      = ["AllMetrics"]
+}

infrastructure/tf-audit/environments/development.tfvars

@@ -0,0 +1,54 @@
+application           = "svclyr"
+application_full_name = "service-layer"
+environment           = "DEV"
+
+features = {
+  private_endpoints_enabled              = true
+  private_service_connection_is_manual   = false
+  log_analytics_data_export_rule_enabled = false
+  public_network_access_enabled          = false
+}
+
+tags = {
+  Project = "Service-Layer"
+}
+
+regions = {
+  uksouth = {
+    is_primary_region = true
+    address_space     = "10.135.0.0/16"
+    connect_peering   = true
+    subnets = {
+      pep = {
+        cidr_newbits = 8
+        cidr_offset  = 1
+      }
+    }
+  }
+}
+
+app_insights = {
+  appinsights_type = "web"
+}
+
+law = {
+  law_sku            = "PerGB2018"
+  retention_days     = 30
+  export_enabled     = false
+  export_table_names = ["Alert"]
+}
+
+storage_accounts = {
+  sqllogs = {
+    name_suffix                   = "sqllogs"
+    account_tier                  = "Standard"
+    replication_type              = "LRS"
+    public_network_access_enabled = false
+    containers = {
+      vulnerability-assessment = {
+        container_name        = "vulnerability-assessment"
+        container_access_type = "private"
+      }
+    }
+  }
+}

infrastructure/tf-audit/environments/integration.tfvars

@@ -0,0 +1,54 @@
+application           = "svclyr"
+application_full_name = "service-layer"
+environment           = "INT"
+
+features = {
+  private_endpoints_enabled              = true
+  private_service_connection_is_manual   = false
+  log_analytics_data_export_rule_enabled = false
+  public_network_access_enabled          = false
+}
+
+tags = {
+  Project = "Service-Layer"
+}
+
+regions = {
+  uksouth = {
+    is_primary_region = true
+    address_space     = "10.139.0.0/16"
+    connect_peering   = true
+    subnets = {
+      pep = {
+        cidr_newbits = 8
+        cidr_offset  = 1
+      }
+    }
+  }
+}
+
+app_insights = {
+  appinsights_type = "web"
+}
+
+law = {
+  law_sku            = "PerGB2018"
+  retention_days     = 30
+  export_enabled     = false
+  export_table_names = ["Alert"]
+}
+
+storage_accounts = {
+  sqllogs = {
+    name_suffix                   = "sqllogs"
+    account_tier                  = "Standard"
+    replication_type              = "LRS"
+    public_network_access_enabled = false
+    containers = {
+      vulnerability-assessment = {
+        container_name        = "vulnerability-assessment"
+        container_access_type = "private"
+      }
+    }
+  }
+}

infrastructure/tf-audit/environments/nft.tfvars

@@ -0,0 +1,54 @@
+application           = "svclyr"
+application_full_name = "service-layer"
+environment           = "NFT"
+
+features = {
+  private_endpoints_enabled              = true
+  private_service_connection_is_manual   = false
+  log_analytics_data_export_rule_enabled = false
+  public_network_access_enabled          = false
+}
+
+tags = {
+  Project = "Service-Layer"
+}
+
+regions = {
+  uksouth = {
+    is_primary_region = true
+    address_space     = "10.137.0.0/16"
+    connect_peering   = true
+    subnets = {
+      pep = {
+        cidr_newbits = 8
+        cidr_offset  = 1
+      }
+    }
+  }
+}
+
+app_insights = {
+  appinsights_type = "web"
+}
+
+law = {
+  law_sku            = "PerGB2018"
+  retention_days     = 30
+  export_enabled     = false
+  export_table_names = ["Alert"]
+}
+
+storage_accounts = {
+  sqllogs = {
+    name_suffix                   = "sqllogs"
+    account_tier                  = "Standard"
+    replication_type              = "LRS"
+    public_network_access_enabled = false
+    containers = {
+      vulnerability-assessment = {
+        container_name        = "vulnerability-assessment"
+        container_access_type = "private"
+      }
+    }
+  }
+}

infrastructure/tf-audit/log_analytics_workspace.tf

@@ -0,0 +1,57 @@
+module "log_analytics_workspace_audit" {
+  for_each = var.regions
+
+  source = "../../../dtos-devops-templates/infrastructure/modules/log-analytics-workspace"
+
+  name     = module.regions_config[each.key].names.log-analytics-workspace
+  location = each.key
+
+  law_sku        = var.law.law_sku
+  retention_days = var.law.retention_days
+
+  monitor_diagnostic_setting_log_analytics_workspace_enabled_logs = local.monitor_diagnostic_setting_log_analytics_workspace_enabled_logs
+  monitor_diagnostic_setting_log_analytics_workspace_metrics      = local.monitor_diagnostic_setting_log_analytics_workspace_metrics
+
+  resource_group_name = azurerm_resource_group.audit[each.key].name
+
+  tags = var.tags
+}
+
+# Add a data export rule to forward logs to the Event Hub in the Hub subscription
+module "log_analytics_data_export_rule" {
+  for_each = var.features.log_analytics_data_export_rule_enabled ? var.regions : {}
+
+  source = "../../../dtos-devops-templates/infrastructure/modules/log-analytics-data-export-rule"
+
+  name                    = "${module.regions_config[each.key].names.log-analytics-workspace}-export-rule"
+  resource_group_name     = azurerm_resource_group.audit[each.key].name
+  workspace_resource_id   = module.log_analytics_workspace_audit[each.key].id
+  destination_resource_id = data.terraform_remote_state.hub.outputs.event_hubs["dtos-hub-${each.key}"]["${var.application_full_name}-${lower(var.environment)}"].id
+  table_names             = var.law.export_table_names
+  enabled                 = var.law.export_enabled
+}
+
+/*--------------------------------------------------------------------------------------------------
+  RBAC Assignments
+--------------------------------------------------------------------------------------------------*/
+/*
+For sending events to the Event Hub:
+* Azure Event Hubs Data Sender: Grants permissions to send events to the Event Hub.  
+* For receiving events from the Event Hub:
+
+For receiving events from the Event Hub (i.e. remote resource):
+* Azure Event Hubs Data Receiver: Grants permissions to receive events from the Event Hub.
+*/
+# module "rbac_assignments" {
+#   for_each = var.regions
+
+#   source = "../../../dtos-devops-templates/infrastructure/modules/rbac-assignment"
+
+#   principal_id         = module.log_analytics_workspace_audit[each.key].0.principal_id
+#   role_definition_name = "Azure Event Hubs Data Sender"
+#   scope                = data.terraform_remote_state.hub.outputs.eventhub_law_export_id["dtos-hub-${each.key}"]
+# }
+
+output "log_analytics_workspace_audit" {
+  value = module.log_analytics_workspace_audit
+}