feat: Generic-allignment from azurerm v2 (#31)

* app service allignment * sync resources with azurerm v2 * migrated internal modules
pagopa · Jan 17, 2023 · e647c3e · e647c3e
1 parent b458b6a
commit e647c3e
Show file tree

Hide file tree

Showing 14 changed files with 154 additions and 44 deletions.
diff --git a/app_service/main.tf b/app_service/main.tf
@@ -24,9 +24,10 @@ resource "azurerm_app_service" "this" {
   resource_group_name = var.resource_group_name
 
   app_service_plan_id = var.plan_type == "internal" ? azurerm_app_service_plan.this[0].id : var.plan_id
-  https_only          = true
+  https_only          = var.https_only
   #tfsec:ignore:azure-appservice-require-client-cert
-  client_cert_enabled = var.client_cert_enabled
+  client_cert_enabled     = var.client_cert_enabled
+  client_affinity_enabled = var.client_affinity_enabled
 
   app_settings = var.app_settings
 
@@ -36,7 +37,7 @@ resource "azurerm_app_service" "this" {
     app_command_line       = var.app_command_line
     min_tls_version        = "1.2"
     ftps_state             = var.ftps_state
-    vnet_route_all_enabled = var.subnet_id == null ? false : var.vnet_route_all_enabled
+    vnet_route_all_enabled = var.subnet_id == null ? false : true
 
     health_check_path = var.health_check_path != null ? var.health_check_path : null
 
@@ -51,6 +52,7 @@ resource "azurerm_app_service" "this" {
       content {
         ip_address                = null
         virtual_network_subnet_id = subnet.value
+        name                      = "rule"
       }
     }
 
@@ -61,6 +63,7 @@ resource "azurerm_app_service" "this" {
       content {
         ip_address                = ip.value
         virtual_network_subnet_id = null
+        name                      = "rule"
       }
     }
 

diff --git a/app_service/variables.tf b/app_service/variables.tf
@@ -79,6 +79,18 @@ variable "name" {
   description = "(Required) Specifies the name of the App Service. Changing this forces a new resource to be created."
 }
 
+variable "https_only" {
+  type        = bool
+  description = "(Optional) Can the App Service only be accessed via HTTPS? Defaults to true."
+  default     = true
+}
+
+variable "client_affinity_enabled" {
+  type        = bool
+  description = "(Optional) Should the App Service send session affinity cookies, which route client requests in the same session to the same instance? Defaults to false."
+  default     = false
+}
+
 variable "client_cert_enabled" {
   type        = bool
   description = "(Optional) Does the App Service require client certificates for incoming requests? Defaults to false."
@@ -145,13 +157,6 @@ variable "subnet_id" {
   default     = null
 }
 
-
-variable "vnet_route_all_enabled" {
-  type        = bool
-  description = "Should all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied?"
-  default     = true
-}
-
 variable "tags" {
   type = map(any)
 }
diff --git a/app_service_slot/main.tf b/app_service_slot/main.tf
@@ -3,9 +3,10 @@ resource "azurerm_app_service_slot" "this" {
   location            = var.location
   resource_group_name = var.resource_group_name
 
-  app_service_plan_id = var.app_service_plan_id
-  app_service_name    = var.app_service_name
-  https_only          = true
+  app_service_plan_id     = var.app_service_plan_id
+  app_service_name        = var.app_service_name
+  https_only              = var.https_only
+  client_affinity_enabled = var.client_affinity_enabled
 
   app_settings = var.app_settings
 
@@ -15,7 +16,7 @@ resource "azurerm_app_service_slot" "this" {
     app_command_line       = var.app_command_line
     min_tls_version        = "1.2"
     ftps_state             = var.ftps_state
-    vnet_route_all_enabled = var.subnet_id == null ? false : var.vnet_route_all_enabled
+    vnet_route_all_enabled = var.subnet_id == null ? false : true
 
     health_check_path = var.health_check_path != null ? var.health_check_path : null
 
@@ -30,6 +31,7 @@ resource "azurerm_app_service_slot" "this" {
       content {
         ip_address                = null
         virtual_network_subnet_id = subnet.value
+        name                      = "rule"
       }
     }
 
@@ -40,6 +42,7 @@ resource "azurerm_app_service_slot" "this" {
       content {
         ip_address                = ip.value
         virtual_network_subnet_id = null
+        name                      = "rule"
       }
     }
   }

diff --git a/app_service_slot/variables.tf b/app_service_slot/variables.tf
@@ -26,6 +26,18 @@ variable "app_service_name" {
   description = "(Required) The name of the App Service within which to create the App Service Slot. Changing this forces a new resource to be created."
 }
 
+variable "https_only" {
+  type        = bool
+  description = "(Optional) Can the App Service only be accessed via HTTPS? Defaults to true."
+  default     = true
+}
+
+variable "client_affinity_enabled" {
+  type        = bool
+  description = "(Optional) Should the App Service send session affinity cookies, which route client requests in the same session to the same instance? Defaults to false."
+  default     = false
+}
+
 ## App service slot
 
 variable "name" {
@@ -93,12 +105,6 @@ variable "subnet_id" {
   default     = null
 }
 
-variable "vnet_route_all_enabled" {
-  type        = bool
-  description = "Should all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied?"
-  default     = true
-}
-
 variable "tags" {
   type = map(any)
 }
diff --git a/cdn/main.tf b/cdn/main.tf
@@ -3,7 +3,7 @@
  **/
 module "cdn_storage_account" {
 
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v3.5.1"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v3.7.0"
 
   name                            = replace("${var.prefix}-${var.name}-sa", "-", "")
   account_kind                    = var.storage_account_kind

diff --git a/eventhub/variables.tf b/eventhub/variables.tf
@@ -7,7 +7,7 @@ variable "location" {
   type = string
 }
 
-// Resource Group 
+// Resource Group
 variable "resource_group_name" {
   type = string
 }

diff --git a/function_app/main.tf b/function_app/main.tf
@@ -1,12 +1,12 @@
 #tfsec:ignore:azure-storage-default-action-deny
 module "storage_account" {
-  source = "git::https://github.com/pagopa/azurerm.git//storage_account?ref=v2.7.0"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v3.7.0"
 
   name                       = coalesce(var.storage_account_name, format("%sst", replace(var.name, "-", "")))
-  account_kind               = "StorageV2"
+  account_kind               = var.storage_account_info.account_kind
   account_tier               = var.storage_account_info.account_tier
   account_replication_type   = var.storage_account_info.account_replication_type
-  access_tier                = var.storage_account_info.access_tier
+  access_tier                = var.storage_account_info.account_kind != "Storage" ? var.storage_account_info.access_tier : null
   resource_group_name        = var.resource_group_name
   location                   = var.location
   advanced_threat_protection = var.storage_account_info.advanced_threat_protection_enable
@@ -18,13 +18,13 @@ module "storage_account" {
 module "storage_account_durable_function" {
   count = var.internal_storage.enable ? 1 : 0
 
-  source = "git::https://github.com/pagopa/azurerm.git//storage_account?ref=v2.7.0"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v3.7.0"
 
   name                       = coalesce(var.storage_account_durable_name, format("%ssdt", replace(var.name, "-", "")))
-  account_kind               = "StorageV2"
+  account_kind               = var.storage_account_info.account_kind
   account_tier               = var.storage_account_info.account_tier
   account_replication_type   = var.storage_account_info.account_replication_type
-  access_tier                = var.storage_account_info.access_tier
+  access_tier                = var.storage_account_info.account_kind != "Storage" ? var.storage_account_info.access_tier : null
   resource_group_name        = var.resource_group_name
   location                   = var.location
   advanced_threat_protection = false
@@ -60,7 +60,7 @@ resource "azurerm_storage_container" "internal_container" {
 
 module "storage_account_durable_function_management_policy" {
   count  = length(local.internal_containers) == 0 ? 0 : 1
-  source = "git::https://github.com/pagopa/azurerm.git//storage_management_policy?ref=v2.7.0"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_management_policy?ref=v3.7.0"
 
   storage_account_id = module.storage_account_durable_function[0].id
 
@@ -222,6 +222,7 @@ resource "azurerm_function_app" "this" {
       content {
         ip_address                = ip.value.ip_address
         virtual_network_subnet_id = ip.value.virtual_network_subnet_id
+        name                      = "rule"
       }
     }
 
@@ -263,6 +264,13 @@ resource "azurerm_function_app" "this" {
 
   enable_builtin_logging = false
 
+  dynamic "identity" {
+    for_each = var.system_identity_enabled ? [1] : []
+    content {
+      type = "SystemAssigned"
+    }
+  }
+
   tags = var.tags
 }
 
@@ -277,6 +285,39 @@ data "azurerm_function_app_host_keys" "this" {
 
 # Manages an App Service Virtual Network Association
 resource "azurerm_app_service_virtual_network_swift_connection" "this" {
+  count = var.vnet_integration ? 1 : 0
+
   app_service_id = azurerm_function_app.this.id
   subnet_id      = var.subnet_id
 }
+
+
+
+resource "azurerm_monitor_metric_alert" "function_app_health_check" {
+  count = var.enable_healthcheck ? 1 : 0
+
+  name                = "[${var.domain != null ? "${var.domain} | " : ""}${azurerm_function_app.this.name}] Health Check Failed"
+  resource_group_name = var.resource_group_name
+  scopes              = [azurerm_function_app.this.id]
+  description         = "Function availability is under threshold level. Runbook: -"
+  severity            = 1
+  frequency           = "PT5M"
+  auto_mitigate       = false
+  enabled             = true
+
+  criteria {
+    metric_namespace = "Microsoft.Web/sites"
+    metric_name      = "HealthCheckStatus"
+    aggregation      = "Average"
+    operator         = "LessThan"
+    threshold        = var.healthcheck_threshold
+  }
+
+  dynamic "action" {
+    for_each = var.action
+    content {
+      action_group_id    = action.value["action_group_id"]
+      webhook_properties = action.value["webhook_properties"]
+    }
+  }
+}
diff --git a/function_app/outputs.tf b/function_app/outputs.tf
@@ -59,4 +59,9 @@ output "storage_account_internal_function" {
   } : null
   sensitive   = true
   description = "Storage account used by the function for internal operations."
-}
+}
+
+output "system_identity_principal" {
+  value       = var.system_identity_enabled ? azurerm_function_app.this.identity[0].principal_id : null
+  description = "Service Principal of the System Identity generated by Azure."
+}
diff --git a/function_app/variables.tf b/function_app/variables.tf
@@ -7,6 +7,12 @@ variable "name" {
   description = "(Required) Specifies the name of the Function App. Changing this forces a new resource to be created."
 }
 
+variable "domain" {
+  type        = string
+  description = "Specifies the domain of the Function App."
+  default     = null
+}
+
 variable "storage_account_name" {
   type        = string
   description = "Storage account name. If null it will be 'computed'"
@@ -37,15 +43,17 @@ variable "runtime_version" {
 
 variable "storage_account_info" {
   type = object({
+    account_kind                      = string # Defines the Kind of account. Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Changing this forces a new resource to be created. Defaults to Storage.
     account_tier                      = string # Defines the Tier to use for this storage account. Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid.
     account_replication_type          = string # Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS.
     access_tier                       = string # Defines the access tier for BlobStorage, FileStorage and StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot.
     advanced_threat_protection_enable = bool
   })
 
   default = {
+    account_kind                      = "StorageV2"
     account_tier                      = "Standard"
-    account_replication_type          = "LRS"
+    account_replication_type          = "ZRS"
     access_tier                       = "Hot"
     advanced_threat_protection_enable = true
   }
@@ -95,8 +103,7 @@ variable "use_32_bit_worker_process" {
 
 variable "linux_fx_version" {
   type        = string
-  description = "(Optional) Linux App Framework and version for the AppService, e.g. DOCKER|(golang:latest)."
-  default     = null
+  description = "(Required) Linux App Framework and version for the AppService, e.g. DOCKER|(golang:latest). Use null if function app is on windows"
 }
 
 variable "application_insights_instrumentation_key" {
@@ -141,12 +148,17 @@ variable "cors" {
   default = null
 }
 
-
 variable "subnet_id" {
   type        = string
   description = "The ID of the subnet the app service will be associated to (the subnet must have a service_delegation configured for Microsoft.Web/serverFarms)"
 }
 
+variable "vnet_integration" {
+  type        = bool
+  description = "(optional) Enable vnet integration. Wheter it's true the subnet_id should not be null."
+  default     = true
+}
+
 variable "internal_storage" {
   type = object({
     enable                     = bool
@@ -192,3 +204,36 @@ variable "export_keys" {
 variable "tags" {
   type = map(any)
 }
+
+variable "system_identity_enabled" {
+  type        = bool
+  description = "Enable the System Identity and create relative Service Principal."
+  default     = false
+}
+
+# -------------------
+# Alerts variables
+# -------------------
+
+variable "enable_healthcheck" {
+  type        = bool
+  description = "Enable the healthcheck alert. Default is true"
+  default     = true
+}
+
+variable "healthcheck_threshold" {
+  type        = number
+  description = "The healthcheck threshold. If metric average is under this value, the alert will be triggered. Default is 50"
+  default     = 50
+}
+
+variable "action" {
+  description = "The ID of the Action Group and optional map of custom string properties to include with the post webhook operation."
+  type = set(object(
+    {
+      action_group_id    = string
+      webhook_properties = map(string)
+    }
+  ))
+  default = []
+}
diff --git a/function_app_slot/main.tf b/function_app_slot/main.tf
@@ -33,6 +33,7 @@ resource "azurerm_function_app_slot" "this" {
       content {
         ip_address                = ip.value.ip_address
         virtual_network_subnet_id = ip.value.virtual_network_subnet_id
+        name                      = "rule"
       }
     }
 
@@ -85,6 +86,8 @@ data "azurerm_function_app_host_keys" "this" {
 }
 
 resource "azurerm_app_service_slot_virtual_network_swift_connection" "this" {
+  count = var.vnet_integration ? 1 : 0
+
   slot_name      = azurerm_function_app_slot.this.name
   app_service_id = var.function_app_id
   subnet_id      = var.subnet_id

diff --git a/function_app_slot/outputs.tf b/function_app_slot/outputs.tf
@@ -23,4 +23,4 @@ output "default_key" {
 output "master_key" {
   value     = var.export_keys ? data.azurerm_function_app_host_keys.this[0].master_key : null
   sensitive = true
-}
+}