+```
+
+##### Initialise Terraform
+
+Install the required terraform version with the Terraform version manager `tfenv`:
+
+```
+$ tfenv install
+```
+
+Initialize Terraform to download the required Terraform modules and configure the remote state backend
+to use the settings you specified in the previous step.
+
+`$ terraform init -backend-config=backend.vars`
+
+##### Create a Terraform variables file
+
+Each environment will need it's own `tfvars` file.
+
+Copy the `terraform.tfvars.example` to `environment-name.tfvars` and modify the contents as required
+
+##### Create the infrastructure
+
+Now Terraform has been initialised you can create a workspace if needed:
+
+`$ terraform workspace new staging`
+
+Or to check what workspaces already exist:
+
+`$ terraform workspace list`
+
+Switch to the new or existing workspace:
+
+`$ terraform workspace select staging`
+
+Plan the changes:
+
+`$ terraform plan -var-file=staging.tfvars`
+
+Terraform will ask you to provide any variables not specified in an `*.auto.tfvars` file.
+Now you can run:
+
+`$ terraform apply -var-file=staging.tfvars`
+
+If everything looks good, answer `yes` and wait for the new infrastructure to be created.
+
+##### Azure resources
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.5.7 |
+| [azurerm](#requirement\_azurerm) | >= 3.67.0 |
+| [statuscake](#requirement\_statuscake) | >= 2.1.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.5.0 |
+| [statuscake-tls-monitor](#module\_statuscake-tls-monitor) | github.com/dfe-digital/terraform-statuscake-tls-monitor | v0.1.3 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [azure\_location](#input\_azure\_location) | Azure location in which to launch resources. | `string` | n/a | yes |
+| [cdn\_frontdoor\_custom\_domains](#input\_cdn\_frontdoor\_custom\_domains) | Azure CDN Front Door custom domains. If they are within the DNS zone (optionally created), the Validation TXT records and ALIAS/CNAME records will be created | `list(string)` | n/a | yes |
+| [cdn\_frontdoor\_enable\_rate\_limiting](#input\_cdn\_frontdoor\_enable\_rate\_limiting) | Enable CDN Front Door Rate Limiting. This will create a WAF policy, and CDN security policy. For pricing reasons, there will only be one WAF policy created. | `bool` | n/a | yes |
+| [cdn\_frontdoor\_forwarding\_protocol](#input\_cdn\_frontdoor\_forwarding\_protocol) | Azure CDN Front Door forwarding protocol | `string` | `"HttpOnly"` | no |
+| [cdn\_frontdoor\_health\_probe\_path](#input\_cdn\_frontdoor\_health\_probe\_path) | Specifies the path relative to the origin that is used to determine the health of the origin. | `string` | `"/"` | no |
+| [cdn\_frontdoor\_health\_probe\_protocol](#input\_cdn\_frontdoor\_health\_probe\_protocol) | Use Http or Https | `string` | `"Http"` | no |
+| [cdn\_frontdoor\_host\_add\_response\_headers](#input\_cdn\_frontdoor\_host\_add\_response\_headers) | List of response headers to add at the CDN Front Door `[{ "name" = "Strict-Transport-Security", "value" = "max-age=31536000" }]` | `list(map(string))` | n/a | yes |
+| [cdn\_frontdoor\_origin\_fqdn\_override](#input\_cdn\_frontdoor\_origin\_fqdn\_override) | Manually specify the hostname that the CDN Front Door should target. Defaults to the Container App FQDN | `string` | `""` | no |
+| [cdn\_frontdoor\_origin\_host\_header\_override](#input\_cdn\_frontdoor\_origin\_host\_header\_override) | Manually specify the host header that the CDN sends to the target. Defaults to the recieved host header. Set to null to set it to the host\_name (`cdn_frontdoor_origin_fqdn_override`) | `string` | `""` | no |
+| [container\_apps\_allow\_ips\_inbound](#input\_container\_apps\_allow\_ips\_inbound) | Restricts access to the Container Apps by creating a network security group rule that only allow inbound traffic from the provided list of IPs | `list(string)` | `[]` | no |
+| [container\_command](#input\_container\_command) | Container command | `list(any)` | n/a | yes |
+| [container\_health\_probe\_path](#input\_container\_health\_probe\_path) | Specifies the path that is used to determine the liveness of the Container | `string` | `"/"` | no |
+| [container\_health\_probe\_protocol](#input\_container\_health\_probe\_protocol) | Use HTTPS or a TCP connection for the Container liveness probe | `string` | `"tcp"` | no |
+| [container\_scale\_http\_concurrency](#input\_container\_scale\_http\_concurrency) | When the number of concurrent HTTP requests exceeds this value, then another replica is added. Replicas continue to add to the pool up to the max-replicas amount. | `number` | `10` | no |
+| [container\_secret\_environment\_variables](#input\_container\_secret\_environment\_variables) | Container secret environment variables | `map(string)` | n/a | yes |
+| [dns\_ns\_records](#input\_dns\_ns\_records) | DNS NS records to add to the DNS Zone | map(
object({
ttl : optional(number, 300),
records : list(string)
})
)
| n/a | yes |
+| [dns\_txt\_records](#input\_dns\_txt\_records) | DNS TXT records to add to the DNS Zone | map(
object({
ttl : optional(number, 300),
records : list(string)
})
)
| n/a | yes |
+| [dns\_zone\_domain\_name](#input\_dns\_zone\_domain\_name) | DNS zone domain name. If created, records will automatically be created to point to the CDN. | `string` | n/a | yes |
+| [enable\_cdn\_frontdoor](#input\_enable\_cdn\_frontdoor) | Enable Azure CDN FrontDoor. This will use the Container Apps endpoint as the origin. | `bool` | n/a | yes |
+| [enable\_container\_health\_probe](#input\_enable\_container\_health\_probe) | Enable liveness probes for the Container | `bool` | `true` | no |
+| [enable\_container\_registry](#input\_enable\_container\_registry) | Set to true to create a container registry | `bool` | n/a | yes |
+| [enable\_dns\_zone](#input\_enable\_dns\_zone) | Conditionally create a DNS zone | `bool` | n/a | yes |
+| [enable\_monitoring](#input\_enable\_monitoring) | Create an App Insights instance and notification group for the Container App | `bool` | n/a | yes |
+| [environment](#input\_environment) | Environment name. Will be used along with `project_name` as a prefix for all resources. | `string` | n/a | yes |
+| [existing\_logic\_app\_workflow](#input\_existing\_logic\_app\_workflow) | Name, and Resource Group of an existing Logic App Workflow. Leave empty to create a new Resource | object({
name : string
resource_group_name : string
})
| {
"name": "",
"resource_group_name": ""
}
| no |
+| [existing\_network\_watcher\_name](#input\_existing\_network\_watcher\_name) | Use an existing network watcher to add flow logs. | `string` | n/a | yes |
+| [existing\_network\_watcher\_resource\_group\_name](#input\_existing\_network\_watcher\_resource\_group\_name) | Existing network watcher resource group. | `string` | n/a | yes |
+| [image\_name](#input\_image\_name) | Image name | `string` | n/a | yes |
+| [image\_tag](#input\_image\_tag) | Default image tag for the primary container | `string` | `"web-latest"` | no |
+| [monitor\_email\_receivers](#input\_monitor\_email\_receivers) | A list of email addresses that should be notified by monitoring alerts | `list(string)` | n/a | yes |
+| [monitor\_endpoint\_healthcheck](#input\_monitor\_endpoint\_healthcheck) | Specify a route that should be monitored for a 200 OK status | `string` | n/a | yes |
+| [project\_name](#input\_project\_name) | Project name. Will be used along with `environment` as a prefix for all resources. | `string` | n/a | yes |
+| [registry\_admin\_enabled](#input\_registry\_admin\_enabled) | Do you want to enable access key based authentication for your Container Registry? | `bool` | `true` | no |
+| [registry\_managed\_identity\_assign\_role](#input\_registry\_managed\_identity\_assign\_role) | Assign the 'AcrPull' Role to the Container App User-Assigned Managed Identity. Note: If you do not have 'Microsoft.Authorization/roleAssignments/write' permission, you will need to manually assign the 'AcrPull' Role to the identity | `bool` | `false` | no |
+| [registry\_use\_managed\_identity](#input\_registry\_use\_managed\_identity) | Create a User-Assigned Managed Identity for the Container App. Note: If you do not have 'Microsoft.Authorization/roleAssignments/write' permission, you will need to manually assign the 'AcrPull' Role to the identity | `bool` | `true` | no |
+| [statuscake\_api\_token](#input\_statuscake\_api\_token) | API token for StatusCake | `string` | `"00000000000000000000000000000"` | no |
+| [statuscake\_contact\_group\_email\_addresses](#input\_statuscake\_contact\_group\_email\_addresses) | List of email address that should receive notifications from StatusCake | `list(string)` | `[]` | no |
+| [statuscake\_contact\_group\_integrations](#input\_statuscake\_contact\_group\_integrations) | List of Integration IDs to connect to your Contact Group | `list(string)` | `[]` | no |
+| [statuscake\_contact\_group\_name](#input\_statuscake\_contact\_group\_name) | Name of the contact group in StatusCake | `string` | `""` | no |
+| [statuscake\_monitored\_resource\_addresses](#input\_statuscake\_monitored\_resource\_addresses) | The URLs to perform TLS checks on | `list(string)` | `[]` | no |
+| [tags](#input\_tags) | Tags to be applied to all resources | `map(string)` | n/a | yes |
+| [virtual\_network\_address\_space](#input\_virtual\_network\_address\_space) | Virtual network address space CIDR | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
diff --git a/terraform/backend.tf b/terraform/backend.tf
new file mode 100644
index 0000000..6602f20
--- /dev/null
+++ b/terraform/backend.tf
@@ -0,0 +1,3 @@
+terraform {
+ backend "azurerm" {}
+}
diff --git a/terraform/backend.vars.example b/terraform/backend.vars.example
new file mode 100644
index 0000000..bc23821
--- /dev/null
+++ b/terraform/backend.vars.example
@@ -0,0 +1,5 @@
+resource_group_name = ""
+storage_account_name = ""
+container_name = ""
+key = "terraform.tstate"
+subscription_id = ""
diff --git a/terraform/container-apps-hosting.tf b/terraform/container-apps-hosting.tf
new file mode 100644
index 0000000..dd00caf
--- /dev/null
+++ b/terraform/container-apps-hosting.tf
@@ -0,0 +1,48 @@
+module "azure_container_apps_hosting" {
+ source = "github.com/DFE-Digital/terraform-azurerm-container-apps-hosting?ref=v1.5.0"
+
+ environment = local.environment
+ project_name = local.project_name
+ azure_location = local.azure_location
+ tags = local.tags
+
+ virtual_network_address_space = local.virtual_network_address_space
+
+ enable_container_registry = local.enable_container_registry
+ registry_admin_enabled = local.registry_admin_enabled
+ registry_use_managed_identity = local.registry_use_managed_identity
+ registry_managed_identity_assign_role = local.registry_managed_identity_assign_role
+
+ image_name = local.image_name
+ image_tag = local.image_tag
+ container_command = local.container_command
+ container_secret_environment_variables = local.container_secret_environment_variables
+ container_scale_http_concurrency = local.container_scale_http_concurrency
+ container_health_probe_protocol = local.container_health_probe_protocol
+
+ enable_dns_zone = local.enable_dns_zone
+ dns_zone_domain_name = local.dns_zone_domain_name
+ dns_ns_records = local.dns_ns_records
+ dns_txt_records = local.dns_txt_records
+
+ enable_cdn_frontdoor = local.enable_cdn_frontdoor
+ cdn_frontdoor_forwarding_protocol = local.cdn_frontdoor_forwarding_protocol
+ cdn_frontdoor_enable_rate_limiting = local.cdn_frontdoor_enable_rate_limiting
+ cdn_frontdoor_host_add_response_headers = local.cdn_frontdoor_host_add_response_headers
+ cdn_frontdoor_custom_domains = local.cdn_frontdoor_custom_domains
+ cdn_frontdoor_origin_fqdn_override = local.cdn_frontdoor_origin_fqdn_override
+ cdn_frontdoor_origin_host_header_override = local.cdn_frontdoor_origin_host_header_override
+ container_apps_allow_ips_inbound = local.container_apps_allow_ips_inbound
+
+ enable_monitoring = local.enable_monitoring
+ monitor_email_receivers = local.monitor_email_receivers
+ container_health_probe_path = local.container_health_probe_path
+ cdn_frontdoor_health_probe_path = local.cdn_frontdoor_health_probe_path
+ monitor_endpoint_healthcheck = local.monitor_endpoint_healthcheck
+ enable_container_health_probe = local.enable_container_health_probe
+ cdn_frontdoor_health_probe_protocol = local.cdn_frontdoor_health_probe_protocol
+
+ existing_logic_app_workflow = local.existing_logic_app_workflow
+ existing_network_watcher_name = local.existing_network_watcher_name
+ existing_network_watcher_resource_group_name = local.existing_network_watcher_resource_group_name
+}
diff --git a/terraform/key-vault-tfvars-secrets.tf b/terraform/key-vault-tfvars-secrets.tf
new file mode 100644
index 0000000..019415f
--- /dev/null
+++ b/terraform/key-vault-tfvars-secrets.tf
@@ -0,0 +1,15 @@
+# module "azurerm_key_vault" {
+# source = "github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars?ref=v0.4.1"
+
+# environment = local.environment
+# project_name = local.project_name
+# existing_resource_group = module.azure_container_apps_hosting.azurerm_resource_group_default.name
+# azure_location = local.azure_location
+# key_vault_access_use_rbac_authorization = true
+# key_vault_access_users = []
+# key_vault_access_ipv4 = local.key_vault_access_ipv4
+# tfvars_filename = local.tfvars_filename
+# diagnostic_log_analytics_workspace_id = module.azure_container_apps_hosting.azurerm_log_analytics_workspace_container_app.id
+# diagnostic_eventhub_name = ""
+# tags = local.tags
+# }
diff --git a/terraform/locals.tf b/terraform/locals.tf
new file mode 100644
index 0000000..98033fd
--- /dev/null
+++ b/terraform/locals.tf
@@ -0,0 +1,45 @@
+locals {
+ environment = var.environment
+ project_name = var.project_name
+ azure_location = var.azure_location
+ tags = var.tags
+ virtual_network_address_space = var.virtual_network_address_space
+ enable_container_registry = var.enable_container_registry
+ registry_admin_enabled = var.registry_admin_enabled
+ registry_use_managed_identity = var.registry_use_managed_identity
+ registry_managed_identity_assign_role = var.registry_managed_identity_assign_role
+ image_name = var.image_name
+ image_tag = var.image_tag
+ container_command = var.container_command
+ container_secret_environment_variables = var.container_secret_environment_variables
+ container_scale_http_concurrency = var.container_scale_http_concurrency
+ container_health_probe_protocol = var.container_health_probe_protocol
+ enable_dns_zone = var.enable_dns_zone
+ dns_zone_domain_name = var.dns_zone_domain_name
+ dns_ns_records = var.dns_ns_records
+ dns_txt_records = var.dns_txt_records
+ enable_cdn_frontdoor = var.enable_cdn_frontdoor
+ container_apps_allow_ips_inbound = var.container_apps_allow_ips_inbound
+ cdn_frontdoor_enable_rate_limiting = var.cdn_frontdoor_enable_rate_limiting
+ cdn_frontdoor_host_add_response_headers = var.cdn_frontdoor_host_add_response_headers
+ cdn_frontdoor_custom_domains = var.cdn_frontdoor_custom_domains
+ cdn_frontdoor_origin_fqdn_override = var.cdn_frontdoor_origin_fqdn_override
+ cdn_frontdoor_origin_host_header_override = var.cdn_frontdoor_origin_host_header_override
+ cdn_frontdoor_forwarding_protocol = var.cdn_frontdoor_forwarding_protocol
+ # key_vault_access_ipv4 = var.key_vault_access_ipv4
+ # tfvars_filename = var.tfvars_filename
+ enable_monitoring = var.enable_monitoring
+ monitor_email_receivers = var.monitor_email_receivers
+ enable_container_health_probe = var.enable_container_health_probe
+ container_health_probe_path = var.container_health_probe_path
+ cdn_frontdoor_health_probe_path = var.cdn_frontdoor_health_probe_path
+ cdn_frontdoor_health_probe_protocol = var.cdn_frontdoor_health_probe_protocol
+ monitor_endpoint_healthcheck = var.monitor_endpoint_healthcheck
+ existing_logic_app_workflow = var.existing_logic_app_workflow
+ existing_network_watcher_name = var.existing_network_watcher_name
+ existing_network_watcher_resource_group_name = var.existing_network_watcher_resource_group_name
+ statuscake_monitored_resource_addresses = var.statuscake_monitored_resource_addresses
+ statuscake_contact_group_name = var.statuscake_contact_group_name
+ statuscake_contact_group_integrations = var.statuscake_contact_group_integrations
+ statuscake_contact_group_email_addresses = var.statuscake_contact_group_email_addresses
+}
diff --git a/terraform/providers.tf b/terraform/providers.tf
new file mode 100644
index 0000000..c06a45c
--- /dev/null
+++ b/terraform/providers.tf
@@ -0,0 +1,8 @@
+provider "azurerm" {
+ features {}
+ skip_provider_registration = true
+}
+
+provider "statuscake" {
+ api_token = var.statuscake_api_token
+}
diff --git a/terraform/statuscake-tls-monitor.tf b/terraform/statuscake-tls-monitor.tf
new file mode 100644
index 0000000..5799330
--- /dev/null
+++ b/terraform/statuscake-tls-monitor.tf
@@ -0,0 +1,11 @@
+module "statuscake-tls-monitor" {
+ source = "github.com/dfe-digital/terraform-statuscake-tls-monitor?ref=v0.1.3"
+
+ statuscake_monitored_resource_addresses = local.statuscake_monitored_resource_addresses
+ statuscake_alert_at = [ # days to alert on
+ 40, 20, 5
+ ]
+ statuscake_contact_group_name = local.statuscake_contact_group_name
+ statuscake_contact_group_integrations = local.statuscake_contact_group_integrations
+ statuscake_contact_group_email_addresses = local.statuscake_contact_group_email_addresses
+}
diff --git a/terraform/terraform.tfvars.example b/terraform/terraform.tfvars.example
new file mode 100644
index 0000000..4714926
--- /dev/null
+++ b/terraform/terraform.tfvars.example
@@ -0,0 +1,15 @@
+environment = "development"
+project_name = "myproject"
+azure_location = "uksouth"
+enable_container_registry = true
+image_name = "myimage"
+enable_mssql_database = true
+mssql_server_admin_password = "S3crEt"
+mssql_database_name = "mydatabase"
+container_command = ["/bin/bash", "-c", "echo hello && sleep 86400"]
+container_environment_variables = {
+ "ASPNETCORE_ENVIRONMENT" = "production"
+}
+key_vault_access_users = [
+ "someone_example.com#EXT#@tenantname.onmicrosoft.com",
+]
diff --git a/terraform/variables.tf b/terraform/variables.tf
new file mode 100644
index 0000000..0920312
--- /dev/null
+++ b/terraform/variables.tf
@@ -0,0 +1,258 @@
+variable "environment" {
+ description = "Environment name. Will be used along with `project_name` as a prefix for all resources."
+ type = string
+}
+
+# variable "key_vault_access_ipv4" {
+# description = "List of IPv4 Addresses that are permitted to access the Key Vault"
+# type = list(string)
+# }
+
+# variable "tfvars_filename" {
+# description = "tfvars filename. This ensures that tfvars are kept up to date in Key Vault."
+# type = string
+# }
+
+variable "project_name" {
+ description = "Project name. Will be used along with `environment` as a prefix for all resources."
+ type = string
+}
+
+variable "azure_location" {
+ description = "Azure location in which to launch resources."
+ type = string
+}
+
+variable "tags" {
+ description = "Tags to be applied to all resources"
+ type = map(string)
+}
+
+variable "virtual_network_address_space" {
+ description = "Virtual network address space CIDR"
+ type = string
+}
+
+variable "enable_container_registry" {
+ description = "Set to true to create a container registry"
+ type = bool
+}
+
+variable "image_name" {
+ description = "Image name"
+ type = string
+}
+
+variable "registry_admin_enabled" {
+ description = "Do you want to enable access key based authentication for your Container Registry?"
+ type = bool
+ default = true
+}
+
+variable "registry_use_managed_identity" {
+ description = "Create a User-Assigned Managed Identity for the Container App. Note: If you do not have 'Microsoft.Authorization/roleAssignments/write' permission, you will need to manually assign the 'AcrPull' Role to the identity"
+ type = bool
+ default = true
+}
+
+variable "registry_managed_identity_assign_role" {
+ description = "Assign the 'AcrPull' Role to the Container App User-Assigned Managed Identity. Note: If you do not have 'Microsoft.Authorization/roleAssignments/write' permission, you will need to manually assign the 'AcrPull' Role to the identity"
+ type = bool
+ default = false
+}
+
+variable "container_command" {
+ description = "Container command"
+ type = list(any)
+}
+
+variable "container_health_probe_protocol" {
+ description = "Use HTTPS or a TCP connection for the Container liveness probe"
+ type = string
+ default = "tcp"
+}
+
+variable "container_secret_environment_variables" {
+ description = "Container secret environment variables"
+ type = map(string)
+ sensitive = true
+}
+
+variable "container_scale_http_concurrency" {
+ description = "When the number of concurrent HTTP requests exceeds this value, then another replica is added. Replicas continue to add to the pool up to the max-replicas amount."
+ type = number
+ default = 10
+}
+
+variable "enable_cdn_frontdoor" {
+ description = "Enable Azure CDN FrontDoor. This will use the Container Apps endpoint as the origin."
+ type = bool
+}
+
+variable "cdn_frontdoor_origin_fqdn_override" {
+ description = "Manually specify the hostname that the CDN Front Door should target. Defaults to the Container App FQDN"
+ type = string
+ default = ""
+}
+
+variable "cdn_frontdoor_origin_host_header_override" {
+ description = "Manually specify the host header that the CDN sends to the target. Defaults to the recieved host header. Set to null to set it to the host_name (`cdn_frontdoor_origin_fqdn_override`)"
+ type = string
+ default = ""
+ nullable = true
+}
+
+variable "cdn_frontdoor_enable_rate_limiting" {
+ description = "Enable CDN Front Door Rate Limiting. This will create a WAF policy, and CDN security policy. For pricing reasons, there will only be one WAF policy created."
+ type = bool
+}
+
+variable "cdn_frontdoor_host_add_response_headers" {
+ description = "List of response headers to add at the CDN Front Door `[{ \"name\" = \"Strict-Transport-Security\", \"value\" = \"max-age=31536000\" }]`"
+ type = list(map(string))
+}
+
+variable "enable_monitoring" {
+ description = "Create an App Insights instance and notification group for the Container App"
+ type = bool
+}
+
+variable "monitor_email_receivers" {
+ description = "A list of email addresses that should be notified by monitoring alerts"
+ type = list(string)
+}
+
+variable "existing_logic_app_workflow" {
+ description = "Name, and Resource Group of an existing Logic App Workflow. Leave empty to create a new Resource"
+ type = object({
+ name : string
+ resource_group_name : string
+ })
+ default = {
+ name = ""
+ resource_group_name = ""
+ }
+}
+
+variable "container_health_probe_path" {
+ description = "Specifies the path that is used to determine the liveness of the Container"
+ type = string
+ default = "/"
+}
+
+variable "cdn_frontdoor_health_probe_path" {
+ description = "Specifies the path relative to the origin that is used to determine the health of the origin."
+ type = string
+ default = "/"
+}
+
+variable "cdn_frontdoor_custom_domains" {
+ description = "Azure CDN Front Door custom domains. If they are within the DNS zone (optionally created), the Validation TXT records and ALIAS/CNAME records will be created"
+ type = list(string)
+}
+
+variable "monitor_endpoint_healthcheck" {
+ description = "Specify a route that should be monitored for a 200 OK status"
+ type = string
+}
+
+variable "existing_network_watcher_name" {
+ description = "Use an existing network watcher to add flow logs."
+ type = string
+}
+
+variable "existing_network_watcher_resource_group_name" {
+ description = "Existing network watcher resource group."
+ type = string
+}
+
+variable "container_apps_allow_ips_inbound" {
+ description = "Restricts access to the Container Apps by creating a network security group rule that only allow inbound traffic from the provided list of IPs"
+ type = list(string)
+ default = []
+}
+
+variable "enable_dns_zone" {
+ description = "Conditionally create a DNS zone"
+ type = bool
+}
+
+variable "cdn_frontdoor_forwarding_protocol" {
+ description = "Azure CDN Front Door forwarding protocol"
+ type = string
+ default = "HttpOnly"
+}
+
+variable "dns_zone_domain_name" {
+ description = "DNS zone domain name. If created, records will automatically be created to point to the CDN."
+ type = string
+}
+
+variable "dns_ns_records" {
+ description = "DNS NS records to add to the DNS Zone"
+ type = map(
+ object({
+ ttl : optional(number, 300),
+ records : list(string)
+ })
+ )
+}
+
+variable "dns_txt_records" {
+ description = "DNS TXT records to add to the DNS Zone"
+ type = map(
+ object({
+ ttl : optional(number, 300),
+ records : list(string)
+ })
+ )
+}
+
+variable "enable_container_health_probe" {
+ description = "Enable liveness probes for the Container"
+ type = bool
+ default = true
+}
+
+variable "cdn_frontdoor_health_probe_protocol" {
+ description = "Use Http or Https"
+ type = string
+ default = "Http"
+}
+
+variable "image_tag" {
+ description = "Default image tag for the primary container"
+ type = string
+ default = "web-latest"
+}
+
+variable "statuscake_api_token" {
+ description = "API token for StatusCake"
+ type = string
+ sensitive = true
+ default = "00000000000000000000000000000"
+}
+
+variable "statuscake_contact_group_name" {
+ description = "Name of the contact group in StatusCake"
+ type = string
+ default = ""
+}
+
+variable "statuscake_contact_group_integrations" {
+ description = "List of Integration IDs to connect to your Contact Group"
+ type = list(string)
+ default = []
+}
+
+variable "statuscake_monitored_resource_addresses" {
+ description = "The URLs to perform TLS checks on"
+ type = list(string)
+ default = []
+}
+
+variable "statuscake_contact_group_email_addresses" {
+ description = "List of email address that should receive notifications from StatusCake"
+ type = list(string)
+ default = []
+}
diff --git a/terraform/versions.tf b/terraform/versions.tf
new file mode 100644
index 0000000..d098126
--- /dev/null
+++ b/terraform/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_version = ">= 1.5.7"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">= 3.67.0"
+ }
+ statuscake = {
+ source = "StatusCakeDev/statuscake"
+ version = ">= 2.1.0"
+ }
+ }
+}
From 6768a2fc88806dbc675c4a710c0acfb471f79bdd Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Mon, 18 Mar 2024 11:20:42 +0000
Subject: [PATCH 2/3] Use shared workflow for deployment
---
.github/workflows/build-and-push-image.yml | 125 ++++-----------------
1 file changed, 23 insertions(+), 102 deletions(-)
diff --git a/.github/workflows/build-and-push-image.yml b/.github/workflows/build-and-push-image.yml
index d4d4a7f..9e48c74 100644
--- a/.github/workflows/build-and-push-image.yml
+++ b/.github/workflows/build-and-push-image.yml
@@ -2,8 +2,7 @@ name: Deploy to environment
on:
push:
- branches:
- - main
+ branches: [ main ]
workflow_dispatch:
inputs:
environment:
@@ -14,10 +13,6 @@ on:
concurrency:
group: ${{ github.workflow }}-${{ github.event.inputs.environment }}
-env:
- DOCKER_IMAGE: identifiersapi-app
- NODE_VERSION: 18
-
jobs:
set-env:
name: Determine environment
@@ -25,57 +20,26 @@ jobs:
outputs:
environment: ${{ steps.var.outputs.environment }}
branch: ${{ steps.var.outputs.branch }}
- release: ${{ steps.var.outputs.release }}
- checked-out-sha: ${{ steps.var.outputs.checked-out-sha }}
+ release: ${{steps.var.outputs.release}}
steps:
- - uses: actions/checkout@v4
- with:
- ref: ${{ github.ref }}
+ - name: Get branch name for push/dispatch event
+ run: |
+ GIT_REF=${{ github.ref_name }}
+ echo "branch_ref=${GIT_REF}" >> $GITHUB_ENV
- id: var
run: |
- GIT_REF=${{ github.ref }}
+ GIT_REF=${{ env.branch_ref }}
GIT_BRANCH=${GIT_REF##*/}
INPUT=${{ github.event.inputs.environment }}
ENVIRONMENT=${INPUT:-"development"}
RELEASE=${ENVIRONMENT,,}-`date +%Y-%m-%d`.${{ github.run_number }}
- CHECKED_OUT_SHA="$(git log -1 '--format=format:%H')"
echo "environment=${ENVIRONMENT,,}" >> $GITHUB_OUTPUT
echo "branch=$GIT_BRANCH" >> $GITHUB_OUTPUT
- echo "release=${RELEASE}" >> $GITHUB_OUTPUT
- echo "checked-out-sha=${CHECKED_OUT_SHA}" >> $GITHUB_OUTPUT
-
- build-and-push-image:
- name: Build and push to ACR
- needs: set-env
- runs-on: ubuntu-22.04
- environment: ${{ needs.set-env.outputs.environment }}
- steps:
- - uses: actions/checkout@v4
- with:
- ref: ${{ github.ref }}
-
- - name: Azure Container Registry login
- uses: docker/login-action@v3
- with:
- username: ${{ secrets.AZURE_ACR_CLIENTID }}
- password: ${{ secrets.AZURE_ACR_SECRET }}
- registry: ${{ secrets.AZURE_ACR_URL }}
-
- - name: Build and push docker image
- uses: docker/build-push-action@v5
- with:
- context: .
- file: Dockerfile
- build-args: COMMIT_SHA=${{ needs.set-env.outputs.checked-out-sha }}
- tags: |
- ${{ secrets.AZURE_ACR_URL }}/${{ env.DOCKER_IMAGE }}:${{ needs.set-env.outputs.branch }}
- ${{ secrets.AZURE_ACR_URL }}/${{ env.DOCKER_IMAGE }}:${{ needs.set-env.outputs.release }}
- ${{ secrets.AZURE_ACR_URL }}/${{ env.DOCKER_IMAGE }}:sha-${{ needs.set-env.outputs.checked-out-sha }}
- ${{ secrets.AZURE_ACR_URL }}/${{ env.DOCKER_IMAGE }}:latest
- push: true
+ echo "release=${RELEASE,,}" >> $GITHUB_OUTPUT
create-tag:
+ if: needs.set-env.outputs.environment == 'production'
name: Tag and release
needs: set-env
runs-on: ubuntu-22.04
@@ -96,11 +60,9 @@ jobs:
script: |
try {
await github.rest.repos.createRelease({
- draft: ${{ needs.set-env.outputs.environment == 'test' }},
generate_release_notes: true,
name: "${{ needs.set-env.outputs.release }}",
owner: context.repo.owner,
- prerelease: ${{ needs.set-env.outputs.environment == 'test' }},
repo: context.repo.repo,
tag_name: "${{ needs.set-env.outputs.release }}",
});
@@ -109,58 +71,17 @@ jobs:
}
deploy-image:
- name: Deploy to ${{ needs.set-env.outputs.environment }}
- needs: [ build-and-push-image, set-env ]
- runs-on: ubuntu-22.04
- environment: ${{ needs.set-env.outputs.environment }}
- steps:
- - name: Azure login with ACA credentials
- uses: azure/login@v2
- with:
- creds: ${{ secrets.AZURE_ACA_CREDENTIALS }}
-
- - name: Update Azure Container Apps Revision
- uses: azure/CLI@v2
- id: azure
- with:
- azcliversion: 2.45.0
- inlineScript: |
- az config set extension.use_dynamic_install=yes_without_prompt
- az containerapp update \
- --name ${{ secrets.AZURE_ACA_NAME }} \
- --resource-group ${{ secrets.AZURE_ACA_RESOURCE_GROUP }} \
- --image ${{ secrets.AZURE_ACR_URL }}/${{ env.DOCKER_IMAGE }}:${{ needs.set-env.outputs.release }} \
- --output none
-
- cypress-tests:
- name: Run Cypress Tests
- if: needs.set-env.outputs.environment == 'test' || needs.set-env.outputs.environment == 'development'
- needs: [ deploy-image, set-env ]
- runs-on: ubuntu-22.04
- environment: ${{ needs.set-env.outputs.environment }}
- defaults:
- run:
- working-directory: CypressTests
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
- with:
- ref: ${{ github.ref }}
-
- - name: Setup node.js
- uses: actions/setup-node@v4
- with:
- node-version: ${{ env.NODE_VERSION }}
-
- - name: Npm install
- run: npm install
-
- - name: Run cypress
- run: npm run cy:run -- --env apiKey="${{ secrets.IDENTIFIERS_API_KEY }}",url="${{ secrets.IDENTIFIERS_API_BASE_URL }}"
-
- - name: Upload screenshots
- if: ${{ failure() }}
- uses: actions/upload-artifact@v4
- with:
- name: screenshots-${{ needs.set-env.outputs.environment }}
- path: screenshots
+ name: Deploy to environment
+ needs: [ set-env ]
+ uses: DFE-Digital/deploy-azure-container-apps-action/.github/workflows/build-push-deploy.yml@main
+ with:
+ docker-image-name: 'identapi-app'
+ docker-build-file-name: 'docker/Dockerfile'
+ environment: ${{ needs.set-env.outputs.environment }}
+ secrets:
+ azure-acr-client-id: ${{ secrets.AZURE_ACR_CLIENTID }}
+ azure-acr-secret: ${{ secrets.AZURE_ACR_SECRET }}
+ azure-acr-url: ${{ secrets.AZURE_ACR_URL }}
+ azure-aca-credentials: ${{ secrets.AZURE_ACA_CREDENTIALS }}
+ azure-aca-name: ${{ secrets.AZURE_ACA_NAME }}
+ azure-aca-resource-group: ${{ secrets.AZURE_ACA_RESOURCE_GROUP }}
From 7e69a7f100d35951d6a34fad08c5470154e31def Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Mon, 18 Mar 2024 11:29:00 +0000
Subject: [PATCH 3/3] Terraform format
---
terraform/locals.tf | 54 ++++++++++++++++++++++-----------------------
1 file changed, 27 insertions(+), 27 deletions(-)
diff --git a/terraform/locals.tf b/terraform/locals.tf
index 98033fd..5daeddc 100644
--- a/terraform/locals.tf
+++ b/terraform/locals.tf
@@ -1,31 +1,31 @@
locals {
- environment = var.environment
- project_name = var.project_name
- azure_location = var.azure_location
- tags = var.tags
- virtual_network_address_space = var.virtual_network_address_space
- enable_container_registry = var.enable_container_registry
- registry_admin_enabled = var.registry_admin_enabled
- registry_use_managed_identity = var.registry_use_managed_identity
- registry_managed_identity_assign_role = var.registry_managed_identity_assign_role
- image_name = var.image_name
- image_tag = var.image_tag
- container_command = var.container_command
- container_secret_environment_variables = var.container_secret_environment_variables
- container_scale_http_concurrency = var.container_scale_http_concurrency
- container_health_probe_protocol = var.container_health_probe_protocol
- enable_dns_zone = var.enable_dns_zone
- dns_zone_domain_name = var.dns_zone_domain_name
- dns_ns_records = var.dns_ns_records
- dns_txt_records = var.dns_txt_records
- enable_cdn_frontdoor = var.enable_cdn_frontdoor
- container_apps_allow_ips_inbound = var.container_apps_allow_ips_inbound
- cdn_frontdoor_enable_rate_limiting = var.cdn_frontdoor_enable_rate_limiting
- cdn_frontdoor_host_add_response_headers = var.cdn_frontdoor_host_add_response_headers
- cdn_frontdoor_custom_domains = var.cdn_frontdoor_custom_domains
- cdn_frontdoor_origin_fqdn_override = var.cdn_frontdoor_origin_fqdn_override
- cdn_frontdoor_origin_host_header_override = var.cdn_frontdoor_origin_host_header_override
- cdn_frontdoor_forwarding_protocol = var.cdn_frontdoor_forwarding_protocol
+ environment = var.environment
+ project_name = var.project_name
+ azure_location = var.azure_location
+ tags = var.tags
+ virtual_network_address_space = var.virtual_network_address_space
+ enable_container_registry = var.enable_container_registry
+ registry_admin_enabled = var.registry_admin_enabled
+ registry_use_managed_identity = var.registry_use_managed_identity
+ registry_managed_identity_assign_role = var.registry_managed_identity_assign_role
+ image_name = var.image_name
+ image_tag = var.image_tag
+ container_command = var.container_command
+ container_secret_environment_variables = var.container_secret_environment_variables
+ container_scale_http_concurrency = var.container_scale_http_concurrency
+ container_health_probe_protocol = var.container_health_probe_protocol
+ enable_dns_zone = var.enable_dns_zone
+ dns_zone_domain_name = var.dns_zone_domain_name
+ dns_ns_records = var.dns_ns_records
+ dns_txt_records = var.dns_txt_records
+ enable_cdn_frontdoor = var.enable_cdn_frontdoor
+ container_apps_allow_ips_inbound = var.container_apps_allow_ips_inbound
+ cdn_frontdoor_enable_rate_limiting = var.cdn_frontdoor_enable_rate_limiting
+ cdn_frontdoor_host_add_response_headers = var.cdn_frontdoor_host_add_response_headers
+ cdn_frontdoor_custom_domains = var.cdn_frontdoor_custom_domains
+ cdn_frontdoor_origin_fqdn_override = var.cdn_frontdoor_origin_fqdn_override
+ cdn_frontdoor_origin_host_header_override = var.cdn_frontdoor_origin_host_header_override
+ cdn_frontdoor_forwarding_protocol = var.cdn_frontdoor_forwarding_protocol
# key_vault_access_ipv4 = var.key_vault_access_ipv4
# tfvars_filename = var.tfvars_filename
enable_monitoring = var.enable_monitoring