Set up Terraform

terraform/.terraform-docs.yml

@@ -0,0 +1,26 @@
+---
+formatter: "markdown table"
+version: "~> 0.16"
+settings:
+  anchor: true
+  default: true
+  description: false
+  escape: true
+  hide-empty: false
+  html: true
+  indent: 2
+  lockfile: true
+  read-comments: true
+  required: true
+  sensitive: true
+  type: true
+sort:
+  enabled: true
+  by: name
+output:
+  file: README.md
+  mode: inject
+  template: |-
+        <!-- BEGIN_TF_DOCS -->
+        {{ .Content }}
+        <!-- END_TF_DOCS -->

terraform/.terraform-version

@@ -0,0 +1 @@
+1.8.4

terraform/README.md

@@ -0,0 +1,54 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6.1 |
+| <a name="requirement_azapi"></a> [azapi](#requirement\_azapi) | >=1.13.1 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.51.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azapi"></a> [azapi](#provider\_azapi) | 1.13.1 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.103.1 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_azurerm_key_vault"></a> [azurerm\_key\_vault](#module\_azurerm\_key\_vault) | github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars | v0.4.1 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azapi_update_resource.patch_logs](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/update_resource) | resource |
+| [azurerm_container_group.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_group) | resource |
+| [azurerm_log_analytics_workspace.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource |
+| [azurerm_resource_group.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_route_table.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table) | resource |
+| [azurerm_subnet.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
+| [azurerm_subnet_route_table_association.container_apps_infra_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) | resource |
+| [azurerm_user_assigned_identity.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_virtual_network.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) | resource |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment name | `string` | n/a | yes |
+| <a name="input_key_vault_access_ipv4"></a> [key\_vault\_access\_ipv4](#input\_key\_vault\_access\_ipv4) | List of IPv4 Addresses that are permitted to access the Key Vault | `list(string)` | n/a | yes |
+| <a name="input_registry_password"></a> [registry\_password](#input\_registry\_password) | Password for authenticating to the Container Registry | `string` | `""` | no |
+| <a name="input_registry_server"></a> [registry\_server](#input\_registry\_server) | Hostname of the Container Registry | `string` | n/a | yes |
+| <a name="input_registry_username"></a> [registry\_username](#input\_registry\_username) | Username for authenticating to the Container Registry | `string` | `""` | no |
+| <a name="input_slack_webhook_url"></a> [slack\_webhook\_url](#input\_slack\_webhook\_url) | A Slack Webhook URL that the script can route messages to | `string` | `""` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags to assign to the resources | `map(string)` | `{}` | no |
+| <a name="input_tfvars_filename"></a> [tfvars\_filename](#input\_tfvars\_filename) | tfvars filename. This file is uploaded and stored encrypted within Key Vault, to ensure that the latest tfvars are stored in a shared place. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

terraform/backend.tf

@@ -0,0 +1,3 @@
+terraform {
+  backend "azurerm" {}
+}

terraform/backend.vars.example

@@ -0,0 +1,5 @@
+subscription_id      = ""
+resource_group_name  = ""
+storage_account_name = ""
+container_name       = ""
+key                  = "terraform.tstate"

terraform/data.tf

@@ -0,0 +1 @@
+data "azurerm_subscription" "current" {}

terraform/key-vault-tfvars-secrets.tf

@@ -0,0 +1,15 @@
+module "azurerm_key_vault" {
+  source = "github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars?ref=v0.4.1"
+
+  environment                             = local.environment
+  project_name                            = "afdcdv"
+  existing_resource_group                 = azurerm_resource_group.default.name
+  azure_location                          = local.region
+  key_vault_access_use_rbac_authorization = true
+  key_vault_access_users                  = []
+  key_vault_access_ipv4                   = local.key_vault_access_ipv4
+  tfvars_filename                         = local.tfvars_filename
+  enable_diagnostic_setting               = false
+  enable_diagnostic_storage_account       = false
+  tags                                    = local.tags
+}

terraform/locals.tf

@@ -0,0 +1,20 @@
+locals {
+  region                             = "westeurope"
+  environment                        = var.environment
+  project_name                       = "rsd-kvscanner"
+  resource_prefix                    = "${local.environment}${local.project_name}"
+  registry_server                    = var.registry_server
+  registry_username                  = var.registry_username
+  registry_password                  = var.registry_password
+  registry_image_name                = "rsd-kv-secret-scanner"
+  registry_image_tag                 = "latest"
+  job_cpu                            = 0.5
+  job_memory                         = 1
+  virtual_network_address_space      = "172.16.0.0/12"
+  virtual_network_address_space_mask = element(split("/", local.virtual_network_address_space), 1)
+  container_apps_infra_subnet_cidr   = cidrsubnet(local.virtual_network_address_space, 21 - local.virtual_network_address_space_mask, 0)
+  key_vault_access_ipv4              = var.key_vault_access_ipv4
+  tfvars_filename                    = var.tfvars_filename
+  slack_webhook_url                  = var.slack_webhook_url
+  tags                               = var.tags
+}

terraform/providers.tf

@@ -0,0 +1,7 @@
+provider "azurerm" {
+  features {}
+  skip_provider_registration = true
+}
+
+provider "azapi" {
+}

terraform/terraform.tf

@@ -0,0 +1,129 @@
+resource "azurerm_resource_group" "default" {
+  name     = local.resource_prefix
+  location = local.region
+
+  tags = local.tags
+}
+
+resource "azurerm_log_analytics_workspace" "default" {
+  name                = "${local.resource_prefix}-logs"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  sku                 = "PerGB2018"
+  retention_in_days   = 30
+
+  tags = local.tags
+}
+
+resource "azurerm_container_group" "default" {
+  name                = "${local.resource_prefix}-job"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  ip_address_type     = "Private"
+  os_type             = "Linux"
+
+  container {
+    name     = "${local.resource_prefix}-containerjob"
+    image    = "${local.registry_server}/${local.registry_image_name}:${local.registry_image_tag}"
+    cpu      = local.job_cpu
+    memory   = local.job_memory
+    commands = ["/bin/bash", "-c", "./docker-entrypoint.sh"]
+
+    ports { # bogus
+      port     = 65530
+      protocol = "TCP"
+    }
+
+    environment_variables = {
+      "AZ_SUBSCRIPTION_SCOPE" = data.azurerm_subscription.current.display_name
+      "SLACK_WEBHOOK_URL"     = local.slack_webhook_url
+    }
+  }
+
+  image_registry_credential {
+    server                    = local.registry_server
+    user_assigned_identity_id = azurerm_user_assigned_identity.default.id
+  }
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.default.id]
+  }
+
+  exposed_port   = []
+  restart_policy = "Never"
+  subnet_ids     = [azurerm_subnet.default.id]
+
+  tags = local.tags
+}
+
+# necessary because of: https://github.com/Azure/azure-rest-api-specs/issues/9768
+resource "azapi_update_resource" "patch_logs" {
+  type        = "Microsoft.ContainerInstance/containerGroups@2023-05-01"
+  resource_id = azurerm_container_group.default.id
+
+  body = jsonencode({
+    properties = {
+      diagnostics : {
+        logAnalytics : {
+          "logType" : "ContainerInstanceLogs",
+          "workspaceId" : azurerm_log_analytics_workspace.default.workspace_id,
+          "workspaceKey" : azurerm_log_analytics_workspace.default.primary_shared_key
+        }
+      },
+      imageRegistryCredentials : [
+        {
+          "server" : local.registry_server,
+          "user_assigned_identity_id" : azurerm_user_assigned_identity.default.id
+        }
+      ]
+    }
+  })
+}
+
+resource "azurerm_virtual_network" "default" {
+  name                = "${local.resource_prefix}default"
+  address_space       = [local.virtual_network_address_space]
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+
+  tags = local.tags
+}
+
+resource "azurerm_route_table" "default" {
+  name                          = "${local.resource_prefix}default"
+  location                      = azurerm_resource_group.default.location
+  resource_group_name           = azurerm_resource_group.default.name
+  disable_bgp_route_propagation = false
+
+  tags = local.tags
+}
+
+resource "azurerm_subnet" "default" {
+  name                 = "${local.resource_prefix}containerappsinfra"
+  virtual_network_name = azurerm_virtual_network.default.name
+  resource_group_name  = azurerm_resource_group.default.name
+  address_prefixes     = [local.container_apps_infra_subnet_cidr]
+
+  delegation {
+    name = "delegation"
+
+    service_delegation {
+      name    = "Microsoft.ContainerInstance/containerGroups"
+      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+    }
+  }
+}
+
+resource "azurerm_subnet_route_table_association" "container_apps_infra_subnet" {
+  subnet_id      = azurerm_subnet.default.id
+  route_table_id = azurerm_route_table.default.id
+}
+
+resource "azurerm_user_assigned_identity" "default" {
+  location            = azurerm_resource_group.default.location
+  name                = "${local.resource_prefix}-uami-containerjob"
+  resource_group_name = azurerm_resource_group.default.name
+
+  tags = local.tags
+}

terraform/variables.tf

@@ -0,0 +1,37 @@
+variable "registry_server" {
+  description = "Hostname of the Container Registry"
+  type        = string
+}
+variable "registry_username" {
+  description = "Username for authenticating to the Container Registry"
+  type        = string
+  default     = ""
+}
+variable "registry_password" {
+  description = "Password for authenticating to the Container Registry"
+  type        = string
+  default     = ""
+}
+variable "tags" {
+  description = "Tags to assign to the resources"
+  type        = map(string)
+  default     = {}
+}
+variable "environment" {
+  description = "Environment name"
+  type        = string
+}
+variable "key_vault_access_ipv4" {
+  description = "List of IPv4 Addresses that are permitted to access the Key Vault"
+  type        = list(string)
+}
+variable "tfvars_filename" {
+  description = "tfvars filename. This file is uploaded and stored encrypted within Key Vault, to ensure that the latest tfvars are stored in a shared place."
+  type        = string
+}
+variable "slack_webhook_url" {
+  description = "A Slack Webhook URL that the script can route messages to"
+  sensitive   = true
+  type        = string
+  default     = ""
+}