features/943

.github/workflows/infrastructure-template.yaml

@@ -0,0 +1,69 @@
+name: Infrastructure
+
+on:
+  workflow_call:
+    inputs:
+      tf_should_apply:
+        default: false
+        type: boolean
+        description: Specifies if terraform should apply plan
+
+      environment:
+        type: string
+        description: GitHub environment
+        required: true
+
+env:
+  TF_STATE_NAME: infrastructure.tfstate
+  WORKING_DIR: ./infrastructure/shared
+
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+
+jobs:
+  plan:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Terraform Set TFVARS
+        run: echo "TF_VARS_FILE=$(echo ${{ inputs.environment }} | tr '[:upper:]' '[:lower:]').tfvars" >> $GITHUB_ENV
+
+      - name: Terraform Initialize
+        uses: altinn/altinn-platform/actions/terraform/plan@main
+        with:
+          working_directory: ${{ env.WORKING_DIR }}
+          oidc_type: environment
+          oidc_value: ${{ inputs.environment }}
+
+          arm_client_id: ${{ vars.ARM_CLIENT_ID }}
+          arm_subscription_id: ${{ vars.ARM_SUBSCRIPTION_ID }}
+
+          tf_state_name: ${{ env.TF_STATE_NAME }}
+          tf_args: -var environment=${{ inputs.environment }} -var-file=${{ env.TF_VARS_FILE }}
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
+
+  apply:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    if: inputs.tf_should_apply
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Terraform Initialize
+        uses: altinn/altinn-platform/actions/terraform/plan@main
+        with:
+          working_directory: ${{ env.WORKING_DIR }}
+          oidc_type: environment
+          oidc_value: ${{ inputs.environment }}
+
+          arm_client_id: ${{ vars.ARM_CLIENT_ID }}
+          arm_subscription_id: ${{ vars.ARM_SUBSCRIPTION_ID }}
+
+          tf_args: -var environment=${{ inputs.environment }} -var-file=${{ env.TF_VARS_FILE }}
+          tf_state_name: ${{ env.TF_STATE_NAME }}

.github/workflows/infrastructure.yaml

@@ -0,0 +1,58 @@
+name: Infrastructure
+
+on:
+  push:
+  release:
+    types:
+      - released
+
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+
+jobs:
+  ci:
+    name: Continous Integration
+    secrets: inherit
+    strategy:
+      fail-fast: false
+      matrix:
+        environment: [AT21, AT22, AT23, AT24]
+    uses: ./.github/workflows/infrastructure-template.yaml
+    with:
+      environment: ${{ matrix.environment }}
+
+  at:
+    name: AT
+    secrets: inherit
+    needs: ci
+    if: github.event_name == 'release'
+    strategy:
+      fail-fast: false
+      matrix:
+        environment: [AT21, AT22, AT23, AT24]
+    uses: ./.github/workflows/infrastructure-template.yaml
+    with:
+      environment: ${{ matrix.environment }}
+      tf_should_apply: true
+
+  tt02:
+    name: TT02
+    if: github.event_name == 'release'
+    needs: at
+    secrets: inherit
+    uses: ./.github/workflows/infrastructure-template.yaml
+    with:
+      environment: TT02
+      tf_should_apply: true
+
+  prod:
+    name: PROD
+    if: github.event_name == 'release'
+    needs: tt02
+    secrets: inherit
+    uses: ./.github/workflows/infrastructure-template.yaml
+    with:
+      environment: PROD
+      tf_should_apply: true

.gitignore

@@ -11,6 +11,38 @@ nupkg/
 # Visual Studio 2015
 .vs/
 
+### Terraform
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
 # Rider
 .idea
 

infrastructure/modules/dns/main.tf

@@ -0,0 +1,34 @@
+locals {
+  # https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#virtual-network-and-on-premises-workloads-using-a-dns-forwarder
+  zones = tomap({
+    service_bus          = "privatelink.servicebus.windows.net"
+    storage_account_blob = "privatelink.blob.core.windows.net"
+    postgres             = "privatelink.postgres.database.azure.com"
+    key_vault            = "privatelink.vaultcore.azure.net"
+    app_configuration    = "privatelink.azconfig.io"
+  })
+}
+
+data "azurerm_resource_group" "rg" {
+  name = var.resource_group_name
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone
+resource "azurerm_private_dns_zone" "dns" {
+  name                = each.value
+  resource_group_name = data.azurerm_resource_group.rg.name
+
+  for_each = local.zones
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link
+resource "azurerm_private_dns_zone_virtual_network_link" "dns" {
+  name                  = each.key
+  private_dns_zone_name = azurerm_private_dns_zone.dns[each.key].name
+
+  virtual_network_id   = var.vnet_id
+  resource_group_name  = data.azurerm_resource_group.rg.name
+  registration_enabled = false
+
+  for_each = local.zones
+}

infrastructure/modules/dns/outputs.tf

@@ -0,0 +1,10 @@
+output "zones" {
+  value = { for key, value in local.zones : key =>
+    {
+      id   = azurerm_private_dns_zone.dns[key].id
+      name = value
+    }
+  }
+
+  description = "Map of all private link DNS zones. The keys are the resource type name. e.g service_bus. Value contains the fields 'id' which is the ARM reference and name the domain"
+}

infrastructure/modules/dns/variables.tf

@@ -0,0 +1,17 @@
+variable "metadata" {
+  type = object({
+    name         = string
+    environment  = string
+    instance     = string
+    suffix       = string
+    default_tags = map(string)
+  })
+}
+
+variable "resource_group_name" {
+  type = string
+}
+
+variable "vnet_id" {
+  type = string
+}

infrastructure/modules/key_vault/main.tf

@@ -0,0 +1,66 @@
+data "azurerm_client_config" "current" {}
+
+# https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#security
+data "azurerm_role_definition" "key_vault_administrator" {
+  role_definition_id = "00482a5a-887f-4fb3-b363-3b7fe8e74483"
+}
+
+data "azurerm_resource_group" "rg" {
+  name = var.resource_group_name
+}
+
+resource "random_string" "key_vault_name_prefix" {
+  length  = 4
+  lower   = true
+  numeric = false
+  upper   = false
+  special = false
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault
+resource "azurerm_key_vault" "key_vault" {
+  name                      = "kv${random_string.key_vault_name_prefix.result}${var.metadata.suffix}"
+  resource_group_name       = data.azurerm_resource_group.rg.name
+  tenant_id                 = data.azurerm_client_config.current.tenant_id
+  sku_name                  = "standard"
+  location                  = data.azurerm_resource_group.rg.location
+  enable_rbac_authorization = true
+  purge_protection_enabled  = true
+
+  soft_delete_retention_days    = 30
+  public_network_access_enabled = true
+
+  network_acls {
+    bypass         = "AzureServices"
+    default_action = "Allow"
+  }
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
+resource "azurerm_role_assignment" "key_vault_administrator" {
+  scope                = azurerm_key_vault.key_vault.id
+  principal_id         = data.azurerm_client_config.current.object_id
+  role_definition_name = data.azurerm_role_definition.key_vault_administrator.name
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint
+resource "azurerm_private_endpoint" "key_vault" {
+  name                          = "pe${azurerm_key_vault.key_vault.name}"
+  location                      = data.azurerm_resource_group.rg.location
+  resource_group_name           = data.azurerm_resource_group.rg.name
+  subnet_id                     = var.subnet_id
+  custom_network_interface_name = "nic${azurerm_key_vault.key_vault.name}"
+
+  private_service_connection {
+    name                           = azurerm_key_vault.key_vault.name
+    private_connection_resource_id = azurerm_key_vault.key_vault.id
+    is_manual_connection           = false
+    subresource_names              = ["vault"]
+  }
+
+  private_dns_zone_group {
+    name                 = azurerm_key_vault.key_vault.name
+    private_dns_zone_ids = var.dns_zones
+  }
+}
+

infrastructure/modules/key_vault/outputs.tf

@@ -0,0 +1,4 @@
+output "id" {
+  value       = azurerm_key_vault.key_vault.id
+  description = "value"
+}

infrastructure/modules/key_vault/variables.tf

@@ -0,0 +1,21 @@
+variable "metadata" {
+  type = object({
+    name         = string
+    environment  = string
+    instance     = string
+    suffix       = string
+    default_tags = map(string)
+  })
+}
+
+variable "resource_group_name" {
+  type = string
+}
+
+variable "subnet_id" {
+  type = string
+}
+
+variable "dns_zones" {
+  type = list(string)
+}

infrastructure/modules/nat_gateway/main.tf

@@ -0,0 +1,35 @@
+data "azurerm_resource_group" "rg" {
+  name = var.resource_group_name
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway
+resource "azurerm_nat_gateway" "nat_gateway" {
+  name                    = "natgw${var.metadata.suffix}"
+  resource_group_name     = data.azurerm_resource_group.rg.name
+  location                = data.azurerm_resource_group.rg.location
+  sku_name                = "Standard"
+  idle_timeout_in_minutes = 4
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip
+resource "azurerm_public_ip" "nat_gateway" {
+  name                = "pipegress${var.metadata.suffix}"
+  resource_group_name = data.azurerm_resource_group.rg.name
+  location            = data.azurerm_resource_group.rg.location
+  sku                 = "Standard"
+  allocation_method   = "Static"
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway_public_ip_association
+resource "azurerm_nat_gateway_public_ip_association" "nat_gateway" {
+  nat_gateway_id       = azurerm_nat_gateway.nat_gateway.id
+  public_ip_address_id = azurerm_public_ip.nat_gateway.id
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_nat_gateway_association
+resource "azurerm_subnet_nat_gateway_association" "nat_gateway" {
+  nat_gateway_id = azurerm_nat_gateway.nat_gateway.id
+  subnet_id      = each.value.id
+
+  for_each = var.subnets
+}

infrastructure/modules/nat_gateway/outputs.tf

@@ -0,0 +1,3 @@
+output "ip" {
+  value = azurerm_public_ip.nat_gateway.ip_address
+}

infrastructure/modules/nat_gateway/variables.tf

@@ -0,0 +1,20 @@
+variable "metadata" {
+  type = object({
+    name         = string
+    environment  = string
+    instance     = string
+    suffix       = string
+    default_tags = map(string)
+  })
+}
+
+variable "resource_group_name" {
+  type = string
+}
+
+variable "subnets" {
+  type = map(object({
+    id   = string
+    name = string
+  }))
+}