# Providers
# Provider versions are pinned exactly (no `~>` ranges) so every plan/apply uses
# the same provider build. Commit .terraform.lock.hcl next to this file so the
# provider archive hashes are pinned too, not just the version numbers.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "4.8.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.53.1"
    }
    # `time` is not used in this file; presumably consumed by one of the modules.
    time = {
      source  = "hashicorp/time"
      version = "0.12.0"
    }
  }
  # Backend settings (storage account, container, key) are supplied at
  # `terraform init`, not here. Terraform state records every resource attribute,
  # which for this config includes the data-lake primary_access_key values that
  # are passed to the databricks modules further down - treat the state blob as a
  # secret and restrict read access to the tfstate container accordingly.
  # NOTE(review): the storage account that hosts this backend is itself managed
  # below (azurerm_storage_account.sc_infra); that implies a one-off manual
  # bootstrap before the backend was enabled - confirm and document it.
  backend "azurerm" {}
}
# azurerm is scoped to the subscription passed in as a variable. No credentials
# are configured here, so they must come from the environment (az login, service
# principal env vars, or managed identity) - nothing secret lives in this file.
provider "azurerm" {
  subscription_id = var.subscription_id
  features {
  }
}
# The azuread provider is pinned to one tenant by a hard-coded ID, whereas the
# modules below take their tenant from data.azurerm_client_config.current.
# A tenant ID is not a secret, but if the azurerm credentials ever belong to a
# different tenant these two settings will silently disagree; source both from
# the same place (a var.tenant_id or the data source) to keep them consistent.
provider "azuread" {
  tenant_id = "fe486d5c-e2e4-4d1d-9af1-9c4f44b434b2"
}
# The identity Terraform is currently running as; its tenant_id is what the
# modules below use.
data "azurerm_client_config" "current" {}
# Core infra
# Shared resource group for cross-cutting services: the tfstate storage account,
# the container registry and the key vault are all placed here below. Unlike the
# data/ai groups its name carries no environment suffix, so one subscription can
# hold only a single instance of this core group. Location is a literal rather
# than var.location.
resource "azurerm_resource_group" "rg_core" {
  name     = "coreinfra-rg"
  location = "UK South"
}
# Entra groups
# Security-enabled Entra ID groups that gate access to the SQL server; the admin
# group becomes the server's Entra administrator further down. None of these
# blocks declares `members` or `owners`, so human membership is handled outside
# Terraform; the only membership managed here is the ADF identity added to the
# admin group via azuread_group_member.adf_sql_access.
resource "azuread_group" "sql_admin_group" {
  security_enabled = true
  display_name     = "DAP Alpha - SQL Admins - ${upper(var.environment)}"
}
resource "azuread_group" "sql_reader_group" {
  security_enabled = true
  display_name     = "DAP Alpha - SQL Readers - ${upper(var.environment)}"
}
resource "azuread_group" "sql_unrestricted_reader_group" {
  security_enabled = true
  display_name     = "DAP Alpha - SQL Unrestricted Data Readers - ${upper(var.environment)}"
}
resource "azuread_group" "sql_writer_group" {
  security_enabled = true
  display_name     = "DAP Alpha - SQL Writers - ${upper(var.environment)}"
}
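# Infrastructure
# Storage account that backs the azurerm remote state (`backend "azurerm"` at the
# top of this file). State records every resource attribute, including the
# data-lake access keys read further down, so this account is hardened explicitly
# instead of relying on provider defaults: TLS 1.2 only, HTTPS only, no anonymous
# blob/container access, and blob versioning + soft delete so a corrupted or
# deleted state file can be rolled back.
resource "azurerm_storage_account" "sc_infra" {
  name                     = "${var.resource_prefix}infra${var.environment}"
  resource_group_name      = azurerm_resource_group.rg_core.name
  location                 = azurerm_resource_group.rg_core.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  min_tls_version                 = "TLS1_2"
  https_traffic_only_enabled      = true
  allow_nested_items_to_be_public = false # state must never be anonymously readable

  blob_properties {
    versioning_enabled = true # keeps previous state versions for rollback
    delete_retention_policy {
      days = 30
    }
    container_delete_retention_policy {
      days = 30
    }
  }
}
# Container holding the state blobs. Access level is private (the default, stated
# explicitly); who can read it should be limited via RBAC on the account to the
# pipeline identity and a small set of operators.
resource "azurerm_storage_container" "sc_infra_container" {
  name                  = "tfstate"
  storage_account_name  = azurerm_storage_account.sc_infra.name
  container_access_type = "private"
}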
# Per-environment resource groups for the data platform and the AI workloads.
# Both pin "UK South" literally (as rg_core does) even though var.location is what
# several modules below receive; if the variable is ever set to another region the
# groups and their module-created resources will be split across regions.
resource "azurerm_resource_group" "rg_data" {
  name     = "${var.resource_prefix}-data-${var.environment}-rg"
  location = "UK South"
}
resource "azurerm_resource_group" "rg_ai" {
  name     = "${var.resource_prefix}-ai-${var.environment}-rg"
  location = "UK South"
}
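# Create data lake for data rg
# ADLS Gen2 account (hierarchical namespace) holding the raw/processed/reporting
# zones. Hardened explicitly rather than left on provider defaults: TLS 1.2 only,
# HTTPS only, no anonymous blob/container access, and blob soft delete to recover
# from accidental deletes. Blob versioning is deliberately not enabled - it is not
# supported on hierarchical-namespace accounts.
# NOTE: shared keys stay enabled because primary_access_key is handed to the
# databricks modules below. Moving those to identity-based access would allow
# shared_access_key_enabled = false here, removing a non-expiring full-control
# credential from state.
resource "azurerm_storage_account" "sc_datalake" {
  name                     = "${var.resource_prefix}datastlake${var.environment}"
  resource_group_name      = azurerm_resource_group.rg_data.name
  location                 = azurerm_resource_group.rg_data.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  is_hns_enabled           = true # This enables DataLake Gen2.

  min_tls_version                 = "TLS1_2"
  https_traffic_only_enabled      = true
  allow_nested_items_to_be_public = false

  blob_properties {
    delete_retention_policy {
      days = 7
    }
  }
}
# Lake zones. Each container is private (the default, stated explicitly);
# data-plane access is granted by RBAC (see adf_lake_access below), not by
# container ACLs.
resource "azurerm_storage_container" "sc_datalake_raw_container" {
  name                  = "raw"
  storage_account_name  = azurerm_storage_account.sc_datalake.name
  container_access_type = "private"
}
resource "azurerm_storage_container" "sc_datalake_processed_container" {
  name                  = "processed"
  storage_account_name  = azurerm_storage_account.sc_datalake.name
  container_access_type = "private"
}
resource "azurerm_storage_container" "sc_datalake_reporting_container" {
  name                  = "reporting"
  storage_account_name  = azurerm_storage_account.sc_datalake.name
  container_access_type = "private"
}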
# ADF
# Data Factory with a system-assigned managed identity; that identity is granted
# lake access and SQL admin group membership further down, so it is the principal
# whose privileges pipelines run with. Git integration is attached only in dev -
# presumably other environments receive published artefacts rather than editing
# the repository directly (confirm). The managed virtual network lets the
# integration runtime reach PaaS services over managed private endpoints, which
# is the intended replacement for the public SQL firewall rule below. Nothing
# here sets public_network_enabled, so the factory's own endpoint stays on the
# provider default.
resource "azurerm_data_factory" "adf_data" {
  name                = "${var.resource_prefix}-adf-data-${var.environment}"
  resource_group_name = azurerm_resource_group.rg_data.name
  location            = azurerm_resource_group.rg_data.location
  # One github_configuration block in dev, none elsewhere.
  dynamic "github_configuration" {
    for_each = var.environment == "dev" ? [1] : []
    content {
      account_name    = "madetech"
      branch_name     = "main"
      repository_name = "dhsc-alpha-data"
      root_folder     = "/data_factory"
    }
  }
  identity {
    type = "SystemAssigned"
  }
  managed_virtual_network_enabled = true
}
# Create MS SQL database for data rg - nwldatasql
# Logical SQL server (the database itself is the next resource). Entra-only
# authentication is enforced, so no SQL-password logins exist; the Entra admin is
# the sql_admin_group above and connections below TLS 1.2 are refused. Public
# network access is not set here, so it stays on the provider default and
# reachability is governed by the firewall rules below. Once ADF talks to this
# server over a managed private endpoint, set public_network_access_enabled =
# false and drop the 0.0.0.0 rule. The system-assigned identity is what receives
# the Directory Readers role further down.
resource "azurerm_mssql_server" "data_sql" {
  name                         = "${var.resource_prefix}-sql-data-${var.environment}"
  resource_group_name          = azurerm_resource_group.rg_data.name
  location                     = azurerm_resource_group.rg_data.location
  version                      = "12.0"
  minimum_tls_version          = "1.2"
  azuread_administrator {
    login_username              = azuread_group.sql_admin_group.display_name
    object_id                   = azuread_group.sql_admin_group.id
    azuread_authentication_only = true
  }
  identity {
    type = "SystemAssigned"
  }
}
# Create MS SQL database for data rg
# S0 single database capped at 250 GB, not zone redundant. prevent_destroy makes
# Terraform refuse any plan that would delete or replace it; an intentional
# removal requires editing this lifecycle rule first.
resource "azurerm_mssql_database" "data_db_sql" {
  name           = "Analytical_Datastore"
  server_id      = azurerm_mssql_server.data_sql.id
  sku_name       = "S0"
  zone_redundant = false
  max_size_gb    = 250
  lifecycle {
    prevent_destroy = true
  }
}
# The 0.0.0.0-0.0.0.0 rule is Azure's "Allow Azure services and resources to
# access this server" switch. It opens the server's public endpoint to traffic
# from ANY Azure-hosted source in ANY subscription or tenant, not only resources
# in this one. Entra-only auth (above) means a caller still needs a valid token,
# but the endpoint is exposed to the whole cloud. Prefer an ADF managed private
# endpoint (the factory already has managed_virtual_network_enabled) and/or
# explicit source ranges, then remove this rule and disable public network
# access on the server.
resource "azurerm_mssql_firewall_rule" "sql_internalazure" {
  name             = "AllowAllWindowsAzureIps" # Azure needs this exact name for this rule
  server_id        = azurerm_mssql_server.data_sql.id
  start_ip_address = "0.0.0.0"
  end_ip_address   = "0.0.0.0"
}
# Make ADF an admin of the SQL server - temporary
# NOTE(review): this places the factory's managed identity in the group that is
# the server's Entra administrator, i.e. full control over every database on the
# server. Anyone who can author or trigger ADF pipelines inherits that level of
# access. The least-privilege alternative is a contained database user for the
# identity holding only the roles it needs (e.g. db_datareader/db_datawriter, or
# ownership of one schema), created via T-SQL. Revisit before this "temporary"
# grant becomes permanent.
resource "azuread_group_member" "adf_sql_access" {
  group_object_id  = azuread_group.sql_admin_group.id
  member_object_id = azurerm_data_factory.adf_data.identity[0].principal_id
}
# Data-plane access to the alpha lake for the factory identity. Storage Blob Data
# Contributor (read/write/delete on blobs) at account scope covers every
# container; narrow the scope to individual containers, or split reader vs
# contributor per zone, if ADF only needs to write into some of them.
resource "azurerm_role_assignment" "adf_lake_access" {
  scope                = azurerm_storage_account.sc_datalake.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_data_factory.adf_data.identity[0].principal_id
}
# Assign directory role to SQL server
# Directory Readers is the tenant-wide read role Azure SQL needs on its identity
# so it can resolve Entra users/groups (e.g. when creating external users). The
# first block activates the built-in role template so its template_id can be
# referenced; the assignment is to the server's system-assigned identity only.
resource "azuread_directory_role" "directory_reader" {
  display_name = "Directory Readers"
}
resource "azuread_directory_role_assignment" "sql_server_directory_readers" {
  principal_object_id = azurerm_mssql_server.data_sql.identity[0].principal_id
  role_id             = azuread_directory_role.directory_reader.template_id
}
# Container registry in the core group; its id and URL feed the app_service
# module below, which pulls var.docker_frontend_image from it.
module "acr" {
  source          = "./modules/acr"
  acr_rg          = azurerm_resource_group.rg_core.name
  acr_location    = var.location
  resource_prefix = var.resource_prefix
  environment     = var.environment
}
# App registrations / service principals for the function app and the web app.
# The *_secret_display_name outputs consumed below suggest the module creates
# client secrets (not visible here). Prefer managed identity or federated
# credentials over long-lived client secrets for workloads that run in Azure; if
# secrets must exist, give them an expiry and a rotation path.
module "app_registrations" {
  source          = "./modules/app_registrations"
  resource_prefix = var.resource_prefix
  environment     = var.environment
}
# Function app. Receives the SQL readers group id - presumably so the module can
# add the function's identity to that group (confirm in the module) - and the
# function SP's client id plus the display name of its secret.
module "functions" {
  source                          = "./modules/functions"
  environment                     = var.environment
  location                        = var.location
  resource_prefix                 = var.resource_prefix
  sql_readers_group_id            = azuread_group.sql_reader_group.id
  tenant_id                       = data.azurerm_client_config.current.tenant_id
  function_sp_client_id           = module.app_registrations.function_sp_client_id
  function_sp_secret_display_name = module.app_registrations.function_sp_secret_display_name
  app_registration_function_id    = module.app_registrations.app_registration_function_id
  app_registration_app_client_id  = module.app_registrations.app_registration_app_client_id
}
# Front-end app service running the image named by var.docker_frontend_image
# from the ACR above; it calls the function app at function_base_url. The image
# reference should be a digest or immutable tag rather than a floating tag so a
# deploy is reproducible - how the variable is populated is not visible here.
module "app_service" {
  source                           = "./modules/app-service"
  environment                      = var.environment
  location                         = var.location
  dap_acr_id                       = module.acr.acr_id
  dap_acr_registry_url             = module.acr.registry_url
  docker_image                     = var.docker_frontend_image
  resource_prefix                  = var.resource_prefix
  tenant_id                        = data.azurerm_client_config.current.tenant_id
  function_app_url                 = module.functions.function_base_url
  app_sp_client_id                 = module.app_registrations.app_sp_client_id
  app_sp_secret_display_name       = module.app_registrations.app_sp_secret_display_name
  function_sp_client_id            = module.app_registrations.function_sp_client_id
  app_registration_app_id          = module.app_registrations.app_registration_app_id
  app_registration_function_app_id = module.app_registrations.app_registration_function_app_id
}
# Key Vault in the core group. The ADF identity's object id is passed in,
# presumably to grant it secret access inside the module (confirm); that makes
# the factory identity a reader of whatever is stored there.
module "key_vault" {
  source              = "./modules/key_vault"
  environment         = var.environment
  resource_prefix     = var.resource_prefix
  resource_group_name = azurerm_resource_group.rg_core.name
  location            = var.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  adf_object_id       = azurerm_data_factory.adf_data.identity[0].principal_id
}
# Medallion lake accounts (drop/bronze/silver/gold, judging by the outputs used
# by the databricks modules below). The module exposes each account's primary
# access key as an output; see the note on the databricks modules.
module "datalake" {
  source                   = "./modules/datalake"
  environment              = var.environment
  resource_prefix          = var.resource_prefix
  resource_group_name      = azurerm_resource_group.rg_data.name
  location                 = azurerm_resource_group.rg_data.location
  data_factory_identity_id = azurerm_data_factory.adf_data.identity[0].principal_id
}
# Databricks (data). Lake access for the cluster is configured with storage
# account KEYS: the alpha lake's primary_access_key (passed as `string_value`)
# plus the drop/bronze/silver/gold keys from the datalake module. Account keys
# are full-control, non-expiring credentials for the whole account; they pass
# through Terraform state and plan output and presumably end up in a Databricks
# secret scope or cluster Spark config inside the module. Prefer identity-based
# access (cluster/service-principal OAuth or a Unity Catalog access connector),
# which would also allow shared keys to be disabled on the accounts. Until then
# make sure the module declares these inputs `sensitive` and that the keys are
# rotated. azure_msi_flag looks like it selects managed-identity auth for the
# Databricks provider - confirm in the module.
module "databricks_workspace" {
  source                   = "./modules/databricks_workspace_data"
  environment              = var.environment
  resource_prefix          = var.resource_prefix
  resource_group_name      = azurerm_resource_group.rg_data.name
  location                 = azurerm_resource_group.rg_data.location
  data_factory_identity_id = azurerm_data_factory.adf_data.identity[0].principal_id
}
module "databricks_cluster" {
  source                      = "./modules/databricks_data"
  environment                 = var.environment
  resource_prefix             = var.resource_prefix
  resource_group_name         = azurerm_resource_group.rg_data.name
  workspace_url               = module.databricks_workspace.workspace_url
  azure_msi_flag              = var.azure_msi_flag
  workspace_id                = module.databricks_workspace.workspace_id
  storage_account_name        = azurerm_storage_account.sc_datalake.name               # Alpha lake
  string_value                = azurerm_storage_account.sc_datalake.primary_access_key # Alpha lake
  drop_storage_account_name   = module.datalake.drop_storage_account_name
  drop_primary_access_key     = module.datalake.drop_primary_access_key
  bronze_storage_account_name = module.datalake.bronze_storage_account_name
  bronze_primary_access_key   = module.datalake.bronze_primary_access_key
  silver_storage_account_name = module.datalake.silver_storage_account_name
  silver_primary_access_key   = module.datalake.silver_primary_access_key
  gold_storage_account_name   = module.datalake.gold_storage_account_name
  gold_primary_access_key     = module.datalake.gold_primary_access_key
}
# Databricks (AI). Same shape as the data workspace/cluster and the same key
# handling caveat: the AI cluster receives the identical set of account keys,
# which widens the blast radius of any one key leaking to two workspaces.
module "databricks_workspace_ai" {
  source                   = "./modules/databricks_workspace_ai"
  environment              = var.environment
  resource_prefix          = var.resource_prefix
  resource_group_name      = azurerm_resource_group.rg_ai.name
  location                 = azurerm_resource_group.rg_ai.location
  data_factory_identity_id = azurerm_data_factory.adf_data.identity[0].principal_id
}
module "databricks_cluster_ai" {
  source                      = "./modules/databricks_ai"
  environment                 = var.environment
  resource_prefix             = var.resource_prefix
  resource_group_name         = azurerm_resource_group.rg_ai.name
  workspace_url               = module.databricks_workspace_ai.workspace_url
  azure_msi_flag              = var.azure_msi_flag
  workspace_id                = module.databricks_workspace_ai.workspace_id
  storage_account_name        = azurerm_storage_account.sc_datalake.name               # Alpha lake
  string_value                = azurerm_storage_account.sc_datalake.primary_access_key # Alpha lake
  drop_storage_account_name   = module.datalake.drop_storage_account_name
  drop_primary_access_key     = module.datalake.drop_primary_access_key
  bronze_storage_account_name = module.datalake.bronze_storage_account_name
  bronze_primary_access_key   = module.datalake.bronze_primary_access_key
  silver_storage_account_name = module.datalake.silver_storage_account_name
  silver_primary_access_key   = module.datalake.silver_primary_access_key
  gold_storage_account_name   = module.datalake.gold_storage_account_name
  gold_primary_access_key     = module.datalake.gold_primary_access_key
}
# OpenAI resources
module "openai" {
  source              = "./modules/openai"
  environment         = var.environment
  resource_prefix     = var.resource_prefix
  resource_group_name = azurerm_resource_group.rg_ai.name
  # Region is pinned to UK South instead of var.location. The original comment
  # only said "for security"; presumably this is a data-residency requirement
  # (keeping prompts/completions inside the UK) - confirm and record the actual
  # requirement so the pin is not removed by accident.
  location = "UK South"
}