From ddcfdc5d33d4a0ac82384f3dcecc70bf1b3032fe Mon Sep 17 00:00:00 2001
From: ma_cloud_arch79 <94049389+matteoalongi@users.noreply.github.com>
Date: Mon, 20 Feb 2023 18:48:16 +0100
Subject: [PATCH] feat: Add tls checker (#69)

add tls checker
---
 tls_checker/main.tf | 63 ++++++++++++++++++
 tls_checker/templates/tls-cert.yaml.tpl | 42 ++++++++++++
 tls_checker/variables.tf | 87 +++++++++++++++++++++++++
 tls_checker/versions.tf | 14 ++++
 4 files changed, 206 insertions(+)
 create mode 100644 tls_checker/main.tf
 create mode 100644 tls_checker/templates/tls-cert.yaml.tpl
 create mode 100644 tls_checker/variables.tf
 create mode 100644 tls_checker/versions.tf

diff --git a/tls_checker/main.tf b/tls_checker/main.tf
new file mode 100644
index 00000000..c7165815
--- /dev/null
+++ b/tls_checker/main.tf
@@ -0,0 +1,63 @@
+resource "helm_release" "helm_this" {
+
+ count = var.helm_chart_present ? 1 : 0
+
+ name = local.helm_chart_name
+ chart = "microservice-chart"
+ repository = "https://pagopa.github.io/aks-microservice-chart-blueprint"
+ version = var.helm_chart_version
+ namespace = var.namespace
+
+ values = [
+ "${templatefile("${path.module}/templates/tls-cert.yaml.tpl",
+ {
+ namespace = var.namespace
+ image_name = var.helm_chart_image_name
+ image_tag = var.helm_chart_image_tag
+ website_site_name = var.https_endpoint
+ time_trigger = var.time_trigger
+ function_name = var.https_endpoint
+ region = var.location_string
+ expiration_delta_in_days = var.expiration_delta_in_days
+ host = var.https_endpoint
+ appinsights_instrumentationkey = var.application_insights_connection_string
+ })}",
+ ]
+}
+
+resource "azurerm_monitor_metric_alert" "alert_this" {
+ name = local.alert_name
+ resource_group_name = var.application_insights_resource_group
+ scopes = [var.application_insights_id]
+ description = "Whenever the average availabilityresults/availabilitypercentage is less than 50%"
+ severity = 0
+ frequency = "PT5M"
+ auto_mitigate = false
+ enabled = var.alert_enabled
+
+ criteria {
+ metric_namespace = "microsoft.insights/components"
+ metric_name = "availabilityResults/availabilityPercentage"
+ aggregation = "Average"
+ operator = "LessThan"
+ threshold = 50
+
+ dimension {
+ name = "availabilityResult/name"
+ operator = "Include"
+ values = [var.https_endpoint]
+ }
+ }
+
+ dynamic "action" {
+ for_each = var.application_insights_action_group_ids
+
+ content {
+ action_group_id = action.value
+ }
+ }
+
+ depends_on = [
+ helm_release.helm_this[0]
+ ]
+}
diff --git a/tls_checker/templates/tls-cert.yaml.tpl b/tls_checker/templates/tls-cert.yaml.tpl
new file mode 100644
index 00000000..6b7fe0a0
--- /dev/null
+++ b/tls_checker/templates/tls-cert.yaml.tpl
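Review bot: The template input `appinsights_instrumentationkey = var.application_insights_connection_string` feeds a connection string into what the template in the next hunk exposes as `APPINSIGHTS_INSTRUMENTATIONKEY`; an Application Insights connection string has the `InstrumentationKey=…;IngestionEndpoint=…` form rather than a bare key, so the checker's telemetry will likely fail to initialize. Either pass the instrumentation key here or rename the template key to `APPLICATIONINSIGHTS_CONNECTION_STRING`, and consider `sensitive = true` on the variable so the rendered `values` are redacted from plan output and state diffs. Separately, `depends_on = [helm_release.helm_this[0]]` names an instance that does not exist when `helm_chart_present` is false; whether or not Terraform tolerates that, `depends_on = [helm_release.helm_this]` expresses the same ordering without depending on the index.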
@@ -0,0 +1,42 @@
+namespace: '${namespace}'
+
+image:
+ repository: '${image_name}'
+ tag: '${image_tag}'
+
+ingress:
+ create: false
+
+service:
+ create: false
+
+resources:
+ requests:
+ memory: '96Mi'
+ cpu: '10m'
+ limits:
+ memory: '128Mi'
+ cpu: '50m'
+
+envConfig:
+ WEBSITE_SITE_NAME: '${website_site_name}'
+ FUNCTION_WORKER_RUNTIME: 'dotnet'
+ TIME_TRIGGER: '${time_trigger}'
+ FunctionName: '${function_name}'
+ Region: '${region}'
+ ExpirationDeltaInDays: '${expiration_delta_in_days}'
+ Host: 'https://${host}'
+ AzureWebJobsStorage: "UseDevelopmentStorage=true"
+ APPINSIGHTS_INSTRUMENTATIONKEY: '${appinsights_instrumentationkey}'
+
+sidecars:
+ - name: azurite
+ securityContext:
+ allowPrivilegeEscalation: false
+ image: mcr.microsoft.com/azure-storage/azurite:3.18.0@sha256:fbd99a4aa4259827081ff9e5cd133a531f20fa2d1d010891fd474d5798f15d7a
+ ports:
+ - containerPort: 10000
+ resources:
+ limits:
+ memory: 100Mi
+ cpu: 20m
diff --git a/tls_checker/variables.tf b/tls_checker/variables.tf
new file mode 100644
index 00000000..7ee5caa8
--- /dev/null
+++ b/tls_checker/variables.tf
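Review bot: The azurite sidecar's `securityContext` sets only `allowPrivilegeEscalation: false`, and the checker container gets no `securityContext` at all in these values, so its hardening depends entirely on defaults of the chart that are not visible here. A minimal sidecar context would add `runAsNonRoot: true` and `capabilities: {drop: [ALL]}`; azurite appears to write its workspace to disk by default, so `readOnlyRootFilesystem: true` would need an emptyDir mount and should be verified before enabling. `AzureWebJobsStorage: "UseDevelopmentStorage=true"` points the function at the sidecar using azurite's public development account, which is acceptable only while port 10000 stays pod-local; `service: create: false` suggests that is the intent, and a comment saying so would keep a future change from exposing it. The azurite image is pinned by digest, while the checker image is referenced by the mutable `${image_tag}` only; pinning it by digest too would give the same supply-chain guarantee.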
@@ -0,0 +1,87 @@
+variable "https_endpoint" {
+ type = string
+ description = "Https endpoint to check"
+}
+
+variable "namespace" {
+ type = string
+ description = "(Required) Namespace where the helm chart will be installed"
+}
+
+variable "location_string" {
+ type = string
+ description = "(Required) Location string"
+}
+
+variable "helm_chart_version" {
+ type = string
+ description = "Helm chart version for the tls checker application"
+}
+
+variable "helm_chart_image_name" {
+ type = string
+ description = "Docker image name"
+}
+
+variable "helm_chart_image_tag" {
+ type = string
+ description = "Docker image tag"
+}
+
+variable "time_trigger" {
+ type = string
+ description = "cron trigger pattern"
+ default = "*/1 * * * *"
+}
+
+variable "expiration_delta_in_days" {
+ type = string
+ default = "7"
+ description = "(Optional)"
+}
+
+variable "application_insights_connection_string" {
+ type = string
+ description = "(Required) Application Insights connection string"
+}
+
+variable "application_insights_resource_group" {
+ type = string
+ description = "(Required) Application Insights resource group"
+}
+
+variable "application_insights_id" {
+ type = string
+ description = "(Required) Application Insights id"
+}
+
+variable "application_insights_action_group_ids" {
+ type = list(string)
+ description = "(Required) Application insights action group ids"
+}
+
+variable "alert_name" {
+ type = string
+ description = "(Optional) Alert name"
+ default = null
+}
+
+variable "alert_enabled" {
+ type = bool
+ description = "(Optional) Is this alert enabled?"
+ default = true
+}
+
+variable "helm_chart_present" {
+ type = bool
+ description = "Is this helm chart present?"
+ default = true
+}
+
+
+locals {
+ alert_name = var.alert_name != null ? lower(replace("${var.alert_name}", "/\\W/", "-")) : lower(replace("${var.https_endpoint}", "/\\W/", "-"))
+ alert_name_sha256_limited = substr(sha256(var.alert_name), 0, 5)
+ # all this work is mandatory to avoid helm name limit of 53 chars
+ helm_chart_name = "${lower(substr(replace("chckr-${var.alert_name}", "/\\W/", "-"), 0, 47))}${local.alert_name_sha256_limited}"
+}
diff --git a/tls_checker/versions.tf b/tls_checker/versions.tf
new file mode 100644
index 00000000..879df9ec
--- /dev/null
+++ b/tls_checker/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = ">= 1.3.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">= 3.30.0, <= 3.43.0"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = "<= 2.7.1"
+ }
+ }
+}
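Review bot: The locals at the end of the hunk do not survive the declared default `alert_name = null`: `alert_name_sha256_limited = substr(sha256(var.alert_name), 0, 5)` and the `"chckr-${var.alert_name}"` interpolation in `helm_chart_name` both read the raw variable, and Terraform rejects a null function argument and a null value inside a string template, so with `helm_chart_present = true` the module only applies when the optional name is actually set. The null-safe `local.alert_name` is already computed one line above; using it in both places fixes this: `alert_name_sha256_limited = substr(sha256(local.alert_name), 0, 5)` and `helm_chart_name = "${substr(replace("chckr-${local.alert_name}", "/\\W/", "-"), 0, 47)}${local.alert_name_sha256_limited}"` (the outer `lower()` becomes redundant because the local is already lowercased). `https_endpoint` is interpolated as `https://${host}` in the template and reused verbatim as the alert dimension value, so its description should state the expected shape, e.g. `description = "(Required) Hostname of the HTTPS endpoint to check, without scheme or path"`. `expiration_delta_in_days` carries the empty description `"(Optional)"` and should say what the delta means for the check, and `application_insights_connection_string` would benefit from `sensitive = true`.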