terraform-configuration.md
Terraform Module Configuration

All of our infrastructure is managed as IaC via Terraform.

We use two external modules to create the majority of the resources required:

- terraform-azurerm-container-apps-hosting (github.com/DFE-Digital/terraform-azurerm-container-apps-hosting), used from main-hosting.tf
- terraform-azurerm-front-door-app-gateway-waf (github.com/dfe-digital/terraform-azurerm-front-door-app-gateway-waf), used from waf.tf

Detailed Overview

| File | Information |
|------|-------------|
| backend.tf | |
| client_config.tf | Retrieves data for the currently executing user |
| container_app-assign-identity.tf | Runs a Bash script that assigns the identity created in user-assigned-identity.tf to the Container App |
| key-vault.tf | Creates an Azure Key Vault, any necessary keys, and dummy values for all of our secrets |
| keyvault-add-vnet-restriction.tf | Runs a Bash script that adds a Key Vault service endpoint to the subnet and allows access to the vault only from that subnet |
| locals.tf | Terraform locals |
| main-hosting.tf | Main script, using terraform-azurerm-container-apps-hosting, that creates the majority of our infrastructure |
| providers.tf | Manages the provider for our own code |
| user-assigned-identity.tf | Creates an Azure user-assigned identity to be assigned to the Container App |
| variables.tf | Terraform inputs |
| versions.tf | Minimum versions of Terraform, providers, modules etc. |
| waf.tf | Uses terraform-azurerm-front-door-app-gateway-waf to set up Azure Front Door CDN + WAF policies |
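The identity, vault, access-policy and subnet-restriction pieces listed above (user-assigned-identity.tf, client_config.tf, key-vault.tf and keyvault-add-vnet-restriction.tf) fit together as follows. This is an added example, not the project's own code: it expresses the same pattern natively in HCL instead of via the Bash scripts the table mentions, and it assumes a resource group variable (`var.resource_group_name`), a virtual network variable (`var.vnet_name`), the subnet address prefix and all resource and secret names, none of which appear on this page. The other variables are the ones in the Inputs table.

```hcl
# Added example (not the project's key-vault.tf / user-assigned-identity.tf /
# keyvault-add-vnet-restriction.tf): an identity for the Container App, a vault
# whose network ACL admits only one subnet, separate access policies for the
# Terraform principal and the app, a data-protection key and a placeholder secret.
# Assumed, not from the page: var.resource_group_name, var.vnet_name, the address
# prefix and the resource/secret names.

data "azurerm_client_config" "current" {}

resource "azurerm_user_assigned_identity" "user_assigned_identity" {
  name                = "${var.project_name}-${var.environment}-mi" # assumed naming
  location            = var.azure_location
  resource_group_name = var.resource_group_name
}

resource "azurerm_subnet" "keyvault" {
  name                 = "${var.project_name}-${var.environment}-keyvault-snet" # assumed
  resource_group_name  = var.resource_group_name
  virtual_network_name = var.vnet_name
  address_prefixes     = ["10.0.8.0/24"]        # assumed
  service_endpoints    = ["Microsoft.KeyVault"] # what the page's Bash script adds
}

resource "azurerm_key_vault" "vault" {
  name                       = "${var.project_name}-${var.environment}-kv" # assumed naming
  location                   = var.azure_location
  resource_group_name        = var.resource_group_name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  purge_protection_enabled   = true # deleted keys/secrets cannot be purged before retention ends
  soft_delete_retention_days = 90

  # Deny by default; admit only traffic arriving through the subnet's service
  # endpoint. "AzureServices" exempts Azure's trusted-service list, nothing else.
  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    virtual_network_subnet_ids = [azurerm_subnet.keyvault.id]
  }
}

# The principal running Terraform needs write rights to create the key and secrets.
resource "azurerm_key_vault_access_policy" "vault_access_policy_tf" {
  key_vault_id = azurerm_key_vault.vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions    = ["Create", "Get", "List", "Update", "Delete", "Recover", "Purge", "GetRotationPolicy", "SetRotationPolicy"]
  secret_permissions = ["Set", "Get", "List", "Delete", "Recover", "Purge"]
}

# The app's identity gets read-only secret access plus the two key operations
# a data-protection key is used for (wrap/unwrap); it cannot rewrite or delete
# anything Terraform created.
resource "azurerm_key_vault_access_policy" "vault_access_policy_mi" {
  key_vault_id = azurerm_key_vault.vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_user_assigned_identity.user_assigned_identity.principal_id

  key_permissions    = ["Get", "WrapKey", "UnwrapKey"]
  secret_permissions = ["Get", "List"]
}

resource "azurerm_key_vault_key" "data_protection_key" {
  name         = "data-protection" # assumed
  key_vault_id = azurerm_key_vault.vault.id
  key_type     = var.key_type
  key_size     = var.key_size
  key_opts     = var.key_ops

  # The policy above is a separate resource, so force it to exist before the
  # first write; otherwise the initial apply fails with a 403 from Key Vault.
  depends_on = [azurerm_key_vault_access_policy.vault_access_policy_tf]
}

# One of the "dummy" secrets. The real value is set out of band; ignore_changes
# stops later applies from overwriting it with the placeholder again.
resource "azurerm_key_vault_secret" "vault_secret_contentful_deliveryapikey" {
  name         = "contentful--deliveryapikey" # assumed name
  value        = "replace-me"
  key_vault_id = azurerm_key_vault.vault.id

  lifecycle {
    ignore_changes = [value]
  }

  depends_on = [azurerm_key_vault_access_policy.vault_access_policy_tf]
}
```

Two caveats worth keeping in mind with this layout. First, every value Terraform writes to a Key Vault secret, placeholder or not, and the result of `random_password.api_key_value` from the Resources table, is also recorded in plain text in the Terraform state, so access to the state backend must be treated as access to the vault. Second, the subnet rule in `network_acls` only governs the vault's public endpoint; the private endpoint and privatelink DNS zone that the Resources table shows for the vault are a separate, private path, and if `public_network_access_enabled` were set to `false` the subnet rule would no longer matter because only that private path would remain.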

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.0 |
| azapi | = 1.15.0 |
| azurerm | = 4.4.0 |
| null | = 3.2.3 |
| random | = 3.6.3 |

Providers

| Name | Version |
|------|---------|
| azurerm | 4.4.0 |
| null | 3.2.3 |
| random | 3.6.3 |

Modules

| Name | Source | Version |
|------|--------|---------|
| main_hosting | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | 93096d1 |
| waf | github.com/dfe-digital/terraform-azurerm-front-door-app-gateway-waf | f0ca7eb |

Resources

| Name | Type |
|------|------|
| azurerm_key_vault.vault | resource |
| azurerm_key_vault_access_policy.vault_access_policy_mi | resource |
| azurerm_key_vault_access_policy.vault_access_policy_tf | resource |
| azurerm_key_vault_key.data_protection_key | resource |
| azurerm_key_vault_secret.api_key | resource |
| azurerm_key_vault_secret.csp_connect_src | resource |
| azurerm_key_vault_secret.csp_default_src | resource |
| azurerm_key_vault_secret.csp_frame_src | resource |
| azurerm_key_vault_secret.csp_img_src | resource |
| azurerm_key_vault_secret.vault_secret_contentful_deliveryapikey | resource |
| azurerm_key_vault_secret.vault_secret_contentful_environment | resource |
| azurerm_key_vault_secret.vault_secret_contentful_previewapikey | resource |
| azurerm_key_vault_secret.vault_secret_contentful_spaceid | resource |
| azurerm_key_vault_secret.vault_secret_database_connectionstring | resource |
| azurerm_private_dns_zone.database | resource |
| azurerm_private_dns_zone.keyvault | resource |
| azurerm_private_dns_zone.redis | resource |
| azurerm_private_dns_zone_virtual_network_link.database_default | resource |
| azurerm_private_dns_zone_virtual_network_link.keyvault_to_defaultvnet | resource |
| azurerm_private_dns_zone_virtual_network_link.redis_default | resource |
| azurerm_private_endpoint.database | resource |
| azurerm_private_endpoint.keyvault | resource |
| azurerm_private_endpoint.redis | resource |
| azurerm_redis_cache.redis | resource |
| azurerm_servicebus_namespace.service_bus | resource |
| azurerm_servicebus_queue.contentful_queue | resource |
| azurerm_servicebus_queue_authorization_rule.azurefunction | resource |
| azurerm_storage_account.costing_storage | resource |
| azurerm_storage_container.blobforcost | resource |
| azurerm_subnet.keyvault | resource |
| azurerm_subnet_route_table_association.keyvault | resource |
| azurerm_user_assigned_identity.user_assigned_identity | resource |
| null_resource.upsert_contentful_webhook | resource |
| random_password.api_key_value | resource |
| azurerm_cdn_frontdoor_endpoint.app | data source |
| azurerm_client_config.current | data source |
| azurerm_mssql_server.database | data source |
| azurerm_route_table.default | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| az_app_kestrel_endpoint | Endpoint for Kestrel setup | string | n/a | yes |
| az_container_port | What port the container app is bound to | number | 8080 | no |
| az_sql_admin_password | Password for the admin listed in the 'az_sql_azuread_admin_username' variable | string | n/a | yes |
| az_sql_azuread_admin_objectid | Object ID for the admin listed in the 'az_sql_azuread_admin_username' variable | string | n/a | yes |
| az_sql_azuread_admin_username | Username/email/service principal name/etc. of the Azure AD account to use as admin for the SQL Server | string | n/a | yes |
| az_sql_max_pool_size | Maximum number of possible connections per SQL connection string usage | number | 100 | no |
| az_sql_sku | What SKU/plan to use for the SQL DB | string | "Basic" | no |
| az_tag_environment | Environment tag to be applied to all resources | string | n/a | yes |
| az_tag_product | Product tag to be applied to all resources | string | n/a | yes |
| azure_location | Resource location | string | n/a | yes |
| cdn_create_custom_domain | A flag to create the A and TXT records for the container app as part of setting up the CDN | bool | false | no |
| cdn_frontdoor_host_add_response_headers | List of response headers to add at the CDN Front Door, e.g. [{ "Name" = "Strict-Transport-Security", "value" = "max-age=31536000" }] | list(map(string)) | [] | no |
| cdn_frontdoor_url_path_redirects | List of URL path redirects to add at the CDN Front Door, e.g. [{ "redirect_type": "PermanentRedirect", "destination_path": "/example", "destination_hostname": "www.example.uk", "operator": "Equals", "match_values": ["/example"] }] | <pre>list(object({<br>  redirect_type        = string<br>  redirect_protocol    = optional(string)<br>  destination_path     = optional(string)<br>  destination_hostname = optional(string)<br>  destination_fragment = optional(string)<br>  query_string         = optional(string)<br>  operator             = string<br>  match_values         = optional(list(string))<br>  transforms           = optional(list(string))<br>}))</pre> | [] | no |
| container_app_blob_storage_public_access_enabled | Enable app blob storage public access | bool | false | no |
| container_app_http_concurrency | Scale up at this number of concurrent HTTP requests | number | 10 | no |
| container_app_max_replicas | Maximum replicas for the container app | number | 2 | no |
| container_app_min_replicas | Minimum replicas for the container app | number | 1 | no |
| container_app_storage_account_shared_access_key_enabled | Enable shared access key | bool | false | no |
| container_environment | Container app environment, set as ASPNETCORE_ENVIRONMENT in the app's environment variables | string | "" | no |
| container_environment_variables | Additional environment variables to set on the Azure Container App | map(string) | {} | no |
| contentful_management_token | Contentful management token | string | null | no |
| contentful_upsert_webhook | Whether to create/update the webhook or not | bool | false | no |
| contentful_webhook_endpoint | Endpoint for the Contentful webhook | string | "/api/cms/webhook" | no |
| contentful_webhook_name | Prefix for the Contentful webhook name | string | "Plan Tech Webhook" | no |
| environment | Environment name, used along with project_name as a prefix for all resources | string | n/a | yes |
| image_tag | Image tag | string | n/a | yes |
| key_ops | The permitted JSON web key operations of the key to be created. | list(string) | <pre>[<br>  "decrypt",<br>  "encrypt",<br>  "sign",<br>  "unwrapKey",<br>  "verify",<br>  "wrapKey"<br>]</pre> | no |
| key_size | The size in bits of the key to be created. | number | 2048 | no |
| key_type | The JsonWebKeyType of the key to be created. | string | "RSA" | no |
| msi_id | The Managed Service Identity ID. If this value isn't null (the default), 'data.azurerm_client_config.current.object_id' will be set to this value. | string | null | no |
| project_name | Project name, used along with environment as a prefix for all resources | string | n/a | yes |
| redis_capacity | Redis cache capacity (0-6 for C and 1-5 for P) | number | 0 | no |
| redis_family | Redis cache family (C for basic/standard, P for premium) | string | "C" | no |
| redis_sku_name | SKU for Redis cache (Basic, Standard or Premium) | string | "Standard" | no |
| redis_tls_version | Minimum TLS version for Redis | string | "1.2" | no |
| registry_password | Container registry password | string | n/a | yes |
| registry_server | Container registry server | string | n/a | yes |
| registry_username | Container registry username | string | n/a | yes |
| storage_account_expiration_period | The SAS expiration period in the format DD.HH:MM:SS | string | "00.01:00:00" | no |
| storage_account_public_access_enabled | Enable public network access | bool | false | no |
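Several of the inputs above carry credentials (registry_password, az_sql_admin_password, contentful_management_token), several set security floors (redis_tls_version, key_size, storage_account_expiration_period), and msi_id changes which principal Terraform acts as. The block below is an added example, not the project's variables.tf, showing how those particular inputs can be declared so that secrets are redacted from plan output, weak values are rejected at plan time, and the msi_id override described in the table is applied; the validation rules are choices made for this example, not documented project policy, and the remaining inputs are left as the table lists them.

```hcl
# Added example (not the project's variables.tf). Declares a subset of the
# documented inputs with `sensitive` and `validation`, plus the msi_id override
# from the Inputs table. The validation thresholds are this example's choices.

variable "registry_password" {
  description = "Container registry password"
  type        = string
  sensitive   = true # redacted from `terraform plan` / `apply` output
}

variable "az_sql_admin_password" {
  description = "Password for the admin listed in the 'az_sql_azuread_admin_username' variable"
  type        = string
  sensitive   = true
}

variable "contentful_management_token" {
  description = "Contentful management token"
  type        = string
  default     = null
  sensitive   = true
}

variable "redis_tls_version" {
  description = "Minimum TLS version for Redis"
  type        = string
  default     = "1.2"

  validation {
    # Example policy: the floor can be 1.2 only; passing "1.0" or "1.1" fails the plan.
    condition     = var.redis_tls_version == "1.2"
    error_message = "redis_tls_version must be \"1.2\"; TLS 1.0 and 1.1 are not accepted."
  }
}

variable "key_size" {
  description = "The size in bits of the key to be created."
  type        = number
  default     = 2048

  validation {
    # Example policy: RSA keys of 2048 bits or larger only.
    condition     = contains([2048, 3072, 4096], var.key_size)
    error_message = "key_size must be 2048, 3072 or 4096."
  }
}

variable "storage_account_expiration_period" {
  description = "The SAS expiration period in the format DD.HH:MM:SS"
  type        = string
  default     = "00.01:00:00"

  validation {
    # Catch a malformed period at plan time rather than at the API.
    condition     = can(regex("^[0-9]{2}\\.[0-9]{2}:[0-9]{2}:[0-9]{2}$", var.storage_account_expiration_period))
    error_message = "storage_account_expiration_period must look like DD.HH:MM:SS, e.g. 00.01:00:00."
  }
}

variable "msi_id" {
  description = "The Managed Service Identity ID. If this value isn't null (the default), it replaces data.azurerm_client_config.current.object_id."
  type        = string
  default     = null
}

data "azurerm_client_config" "current" {}

locals {
  # Principal that receives Terraform's own Key Vault access policy: the identity
  # running terraform, unless a managed identity is named through msi_id
  # (for example when a pipeline runs under a managed identity).
  tf_object_id = var.msi_id != null ? var.msi_id : data.azurerm_client_config.current.object_id
}
```

`sensitive = true` only affects what Terraform prints; the values are still stored in clear text in the state file and in any plan file saved with `-out`, so the state backend and plan artifacts need the same access controls as the Key Vault the values end up in.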

Outputs

No outputs.