Terraform (#6)

* Add gitignore for terraform

* Initial terraform commit

* Started Terraforming resources to run the script in the cloud

* Started Terraforming resources to run the script in the cloud

* Add Terraform for Azure Function

.gitignore

@@ -0,0 +1,9 @@
+### Terraform
+.terraformrc*
+terraform.rc*
+*.tfstate*
+*.tfvars*
+!terraform.tfvars.example
+.terraform/
+backend.vars
+/terraform/Brewfile.lock.json

azure-function/.funcignore

@@ -7,4 +7,7 @@ __blobstorage__
 __queuestorage__
 local.settings.json
 test
-tsconfig.json
+tsconfig.json
+terraform
+docker-compose.yml
+README.md

azure-function/terraform/.gitignore

@@ -0,0 +1,9 @@
+### Terraform
+.terraformrc*
+terraform.rc*
+*.tfstate*
+*.tfvars*
+!terraform.tfvars.example
+.terraform/
+backend.vars
+/terraform/Brewfile.lock.json

azure-function/terraform/.terraform-docs.yml

@@ -0,0 +1,26 @@
+---
+formatter: "markdown table"
+version: "~> 0.16"
+settings:
+  anchor: true
+  default: true
+  description: false
+  escape: true
+  hide-empty: false
+  html: true
+  indent: 2
+  lockfile: true
+  read-comments: true
+  required: true
+  sensitive: true
+  type: true
+sort:
+  enabled: true
+  by: name
+output:
+  file: README.md
+  mode: inject
+  template: |-
+        <!-- BEGIN_TF_DOCS -->
+        {{ .Content }}
+        <!-- END_TF_DOCS -->

azure-function/terraform/.terraform-version

@@ -0,0 +1 @@
+1.7.3

azure-function/terraform/Brewfile

@@ -0,0 +1,7 @@
+brew "tfenv"
+brew "terraform-docs"
+brew "tfsec"
+brew "az"
+brew "coreutils"
+brew "jq"
+brew "tflint"

azure-function/terraform/README.md

@@ -0,0 +1,72 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.7.3 |
+| <a name="requirement_azapi"></a> [azapi](#requirement\_azapi) | >= 1.12.1 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | >= 2.37.1 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.87.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.47.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.93.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_application_insights.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_insights) | resource |
+| [azurerm_key_vault.function_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource |
+| [azurerm_key_vault_secret.secret_app_setting](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_linux_function_app.app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app) | resource |
+| [azurerm_log_analytics_workspace.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource |
+| [azurerm_log_analytics_workspace.insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource |
+| [azurerm_monitor_diagnostic_setting.logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
+| [azurerm_private_dns_a_record.key_vault_private_link](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource |
+| [azurerm_private_dns_a_record.storage_blob_private_link](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource |
+| [azurerm_private_dns_zone.keyvault_dns](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource |
+| [azurerm_private_dns_zone.storage_blob_dns](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource |
+| [azurerm_private_dns_zone_virtual_network_link.key_vault_private_link](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource |
+| [azurerm_private_dns_zone_virtual_network_link.storage_blob_private_link](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource |
+| [azurerm_private_endpoint.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
+| [azurerm_private_endpoint.storage_blob](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
+| [azurerm_resource_group.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_service_plan.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_plan) | resource |
+| [azurerm_storage_account.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource |
+| [azurerm_storage_account_network_rules.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules) | resource |
+| [azurerm_subnet.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
+| [azurerm_subnet.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
+| [azurerm_subnet.storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
+| [azurerm_user_assigned_identity.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_virtual_network.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) | resource |
+| [azuread_user.key_vault_access](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/user) | data source |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_resource_group.existing_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_azure_location"></a> [azure\_location](#input\_azure\_location) | Azure location in which to launch resources. | `string` | n/a | yes |
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment name. Will be used along with `project_name` as a prefix for all resources. | `string` | n/a | yes |
+| <a name="input_existing_resource_group"></a> [existing\_resource\_group](#input\_existing\_resource\_group) | Conditionally launch resources into an existing resource group. Specifying this will NOT create a resource group. | `string` | `""` | no |
+| <a name="input_function_app_node_version"></a> [function\_app\_node\_version](#input\_function\_app\_node\_version) | Which version of Node JS to run the Function on | `number` | `18` | no |
+| <a name="input_function_app_settings"></a> [function\_app\_settings](#input\_function\_app\_settings) | n/a | `map(string)` | `{}` | no |
+| <a name="input_key_vault_access_ipv4"></a> [key\_vault\_access\_ipv4](#input\_key\_vault\_access\_ipv4) | List of IPv4 Addresses that are permitted to access the Key Vault | `list(string)` | n/a | yes |
+| <a name="input_key_vault_access_users"></a> [key\_vault\_access\_users](#input\_key\_vault\_access\_users) | List of users that require access to the Key Vault. This should be a list of User Principle Names (Found in Active Directory) that need to run terraform | `list(string)` | n/a | yes |
+| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Project name. Will be used along with `environment` as a prefix for all resources. | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags to be applied to all resources | `map(string)` | `{}` | no |
+| <a name="input_tfvars_filename"></a> [tfvars\_filename](#input\_tfvars\_filename) | tfvars filename. This file is uploaded and stored encrupted within Key Vault, to ensure that the latest tfvars are stored in a shared place. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

azure-function/terraform/app-insights.tf

@@ -0,0 +1,9 @@
+resource "azurerm_application_insights" "default" {
+  name                = "${local.resource_prefix}-insights"
+  location            = local.resource_group.location
+  resource_group_name = local.resource_group.name
+  application_type    = "web"
+  workspace_id        = azurerm_log_analytics_workspace.insights.id
+  retention_in_days   = 365
+  tags                = local.tags
+}

azure-function/terraform/backend.tf

@@ -0,0 +1,3 @@
+terraform {
+  backend "azurerm" {}
+}

azure-function/terraform/backend.vars.example

@@ -0,0 +1,5 @@
+subscription_id      = "<subscription_id>"
+resource_group_name  = "<resource_group_name>"
+storage_account_name = "<storage_account_name>"
+container_name       = "<container_name>"
+key                  = "terraform.tstate"

azure-function/terraform/data.tf

@@ -0,0 +1,5 @@
+data "azurerm_resource_group" "existing_resource_group" {
+  count = local.existing_resource_group == "" ? 0 : 1
+
+  name = local.existing_resource_group
+}

azure-function/terraform/function-app.tf

@@ -0,0 +1,52 @@
+resource "azurerm_service_plan" "default" {
+  name                = "${local.resource_prefix}-serviceplan"
+  resource_group_name = local.resource_group.name
+  location            = local.resource_group.location
+  os_type             = local.service_plan_os
+  sku_name            = local.service_plan_sku
+
+  tags = local.tags
+}
+
+resource "azurerm_linux_function_app" "app" {
+  name                = "${local.resource_prefix}-func"
+  resource_group_name = local.resource_group.name
+  location            = local.resource_group.location
+
+  storage_account_name       = azurerm_storage_account.default.name
+  storage_account_access_key = azurerm_storage_account.default.primary_access_key
+  service_plan_id            = azurerm_service_plan.default.id
+
+  ftp_publish_basic_authentication_enabled       = false
+  webdeploy_publish_basic_authentication_enabled = true
+
+  https_only = true
+
+  app_settings = local.function_app_settings
+
+  site_config {
+    always_on                              = true
+    application_insights_connection_string = azurerm_application_insights.default.connection_string
+    application_insights_key               = azurerm_application_insights.default.instrumentation_key
+    app_scale_limit                        = 1
+    http2_enabled                          = true
+
+    application_stack {
+      node_version = local.function_app_node_version
+    }
+  }
+
+  identity {
+    type = "UserAssigned"
+    identity_ids = [
+      azurerm_user_assigned_identity.default.id
+    ]
+  }
+
+  key_vault_reference_identity_id = azurerm_user_assigned_identity.default.id
+  virtual_network_subnet_id       = azurerm_subnet.default.id
+  tags = merge(local.tags, {
+    "hidden-link: /app-insights-instrumentation-key" : azurerm_application_insights.default.instrumentation_key,
+    "hidden-link: /app-insights-resource-id" : azurerm_application_insights.default.id,
+  })
+}

azure-function/terraform/identity.tf

@@ -0,0 +1,6 @@
+resource "azurerm_user_assigned_identity" "default" {
+  location            = local.resource_group.location
+  name                = "${local.resource_prefix}-uami"
+  resource_group_name = local.resource_group.name
+  tags                = local.tags
+}

azure-function/terraform/key-vault-tfvars-secrets.tf

@@ -0,0 +1,14 @@
+module "azurerm_key_vault" {
+  source = "github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars?ref=v0.4.0"
+
+  environment                             = local.environment
+  project_name                            = "kvscanner"
+  existing_resource_group                 = local.resource_group.name
+  enable_log_analytics_workspace          = true
+  azure_location                          = local.azure_location
+  key_vault_access_use_rbac_authorization = false
+  key_vault_access_users                  = local.key_vault_access_users
+  key_vault_access_ipv4                   = local.key_vault_access_ipv4
+  tfvars_filename                         = local.tfvars_filename
+  tags                                    = local.tags
+}

azure-function/terraform/locals.tf

@@ -0,0 +1,25 @@
+locals {
+  # Global options
+  environment     = var.environment
+  project_name    = var.project_name
+  resource_prefix = "${local.environment}${local.project_name}"
+  azure_location  = var.azure_location
+  tags            = var.tags
+
+  # Resource Group
+  existing_resource_group = var.existing_resource_group
+  resource_group          = local.existing_resource_group == "" ? azurerm_resource_group.default[0] : data.azurerm_resource_group.existing_resource_group[0]
+
+  # Web App Service Plan
+  service_plan_os  = "Linux"
+  service_plan_sku = "B1"
+
+  # Function App
+  function_app_settings     = var.function_app_settings
+  function_app_node_version = var.function_app_node_version
+
+  # Key Vault
+  key_vault_access_users = toset(var.key_vault_access_users)
+  key_vault_access_ipv4  = var.key_vault_access_ipv4
+  tfvars_filename        = var.tfvars_filename
+}

azure-function/terraform/logging.tf

@@ -0,0 +1,27 @@
+resource "azurerm_log_analytics_workspace" "default" {
+  name                = "${local.resource_prefix}-logs"
+  resource_group_name = local.resource_group.name
+  location            = local.resource_group.location
+  sku                 = "PerGB2018"
+  retention_in_days   = 30
+  tags                = local.tags
+}
+
+resource "azurerm_monitor_diagnostic_setting" "logs" {
+  name                       = "${local.resource_prefix}-diagnostics"
+  target_resource_id         = azurerm_linux_function_app.app.id
+  log_analytics_workspace_id = azurerm_log_analytics_workspace.default.id
+
+  enabled_log {
+    category = "FunctionAppLogs"
+  }
+}
+
+resource "azurerm_log_analytics_workspace" "insights" {
+  name                = "${local.resource_prefix}-insights"
+  resource_group_name = local.resource_group.name
+  location            = local.resource_group.location
+  sku                 = "PerGB2018"
+  retention_in_days   = 365
+  tags                = local.tags
+}

azure-function/terraform/providers.tf

@@ -0,0 +1,8 @@
+provider "azurerm" {
+  features {}
+  skip_provider_registration = true
+}
+
+provider "azapi" {
+
+}

azure-function/terraform/resource-group.tf

@@ -0,0 +1,7 @@
+resource "azurerm_resource_group" "default" {
+  count = local.existing_resource_group == "" ? 1 : 0
+
+  name     = local.resource_prefix
+  location = local.azure_location
+  tags     = local.tags
+}