Feat/dtoss 4393 terraform modules (#5)

* Initial modules commit * renamed RBAC folder * Added Shared Config module * Added further networking modules * Pre-merge fixes
NHSDigital · Sep 26, 2024 · 2296f76 · 2296f76
1 parent 7892e92
commit 2296f76
Show file tree

Hide file tree

Showing 13 changed files with 338 additions and 4 deletions.
diff --git a/infrastructure/modules/managed-identity/variables.tf b/infrastructure/modules/managed-identity/variables.tf
@@ -1,6 +1,6 @@
 variable "resource_group_name" {
   type        = string
-  description = "The name of the resource group in which to create the VNET. Changing this forces a new resource to be created."
+  description = "The name of the resource group in which to create the Identity. Changing this forces a new resource to be created."
 }
 
 variable "location" {

diff --git a/infrastructure/modules/private-dns-zone/main.tf b/infrastructure/modules/private-dns-zone/main.tf
@@ -0,0 +1,17 @@
+resource "azurerm_private_dns_zone" "private_dns_zone" {
+
+  name                = var.name
+  resource_group_name = var.resource_group_name
+
+  tags = var.tags
+}
+
+# private dns zone vnet link
+resource "azurerm_private_dns_zone_virtual_network_link" "private_dns_zone_vnet_link" {
+  name                  = var.name
+  resource_group_name   = var.resource_group_name
+  private_dns_zone_name = azurerm_private_dns_zone.private_dns_zone.name
+  virtual_network_id    = var.vnet_id
+
+  tags = var.tags
+}
diff --git a/infrastructure/modules/private-dns-zone/output.tf b/infrastructure/modules/private-dns-zone/output.tf
@@ -0,0 +1,7 @@
+output "name" {
+  value = azurerm_private_dns_zone.private_dns_zone.name
+}
+
+output "private_dns_zone" {
+  value = azurerm_private_dns_zone.private_dns_zone
+}
diff --git a/infrastructure/modules/private-dns-zone/variables.tf b/infrastructure/modules/private-dns-zone/variables.tf
@@ -0,0 +1,20 @@
+variable "name" {
+  type        = string
+  description = "The name (in FQDN form) of the zone."
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "The name of the resource group in which to create the zone. Changing this forces a new resource to be created."
+}
+
+variable "vnet_id" {
+  type        = string
+  description = "The ID of the virtual network to which the zone will be linked."
+}
+
+variable "tags" {
+  description = "A mapping of tags to assign to the resource."
+  type        = map(string)
+  default     = {}
+}
diff --git a/infrastructure/modules/private-endpoint/main.tf b/infrastructure/modules/private-endpoint/main.tf
@@ -0,0 +1,19 @@
+resource "azurerm_private_endpoint" "private_endpoint" {
+  name                = var.name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  subnet_id           = var.subnet_id
+
+  private_service_connection {
+    name                           = var.private_service_connection.name
+    private_connection_resource_id = var.private_service_connection.private_connection_resource_id
+    is_manual_connection           = var.private_service_connection.is_manual_connection
+  }
+
+  private_dns_zone_group {
+    name                 = var.private_dns_zone_group.name
+    private_dns_zone_ids = var.private_dns_zone_group.private_dns_zone_ids
+  }
+
+  tags = var.tags
+}
diff --git a/infrastructure/modules/private-endpoint/output.tf b/infrastructure/modules/private-endpoint/output.tf
@@ -0,0 +1,11 @@
+output "name" {
+  value = azurerm_private_endpoint.private_endpoint.name
+}
+
+output "id" {
+  value = azurerm_private_endpoint.private_endpoint.id
+}
+
+output "azurerm_private_endpoint" {
+  value = azurerm_private_endpoint.private_endpoint
+}
diff --git a/infrastructure/modules/private-endpoint/variables.tf b/infrastructure/modules/private-endpoint/variables.tf
@@ -0,0 +1,43 @@
+variable "location" {
+  description = "The location/region where the private endpoint will be created."
+  type        = string
+}
+
+variable "name" {
+  description = "The name of the private endpoint."
+  type        = string
+}
+
+variable "private_dns_zone_group" {
+  description = "A list of private DNS zone configurations."
+  type = list(object({
+    name                 = string
+    private_dns_zone_ids = list(string)
+  }))
+}
+
+variable "private_service_connection" {
+  description = "A list of private service connection configurations."
+  type = list(object({
+    name                           = string
+    private_connection_resource_id = string
+    group_ids                      = list(string)
+    request_message                = string
+  }))
+}
+
+variable "resource_group_name" {
+  description = "The name of the resource group in which to create the private endpoint."
+  type        = string
+}
+
+variable "subnet_id" {
+  description = "The ID of the subnet within which the private endpoint will be created."
+  type        = string
+}
+
+variable "tags" {
+  description = "A mapping of tags to assign to the resource."
+  type        = map(string)
+  default     = {}
+}
diff --git a/infrastructure/modules/shared-config/output.tf b/infrastructure/modules/shared-config/output.tf
@@ -0,0 +1,111 @@
+locals {
+  names = {
+    api-management              = lower("APIM-${var.env}-${var.application}-${var.location_map[var.location]}")
+    app-insights                = upper("${var.env}-${var.location_map[var.location]}")
+    app-service-plan            = lower("ASP-${var.application}-${var.env}-${var.location_map[var.location]}")
+    app-service                 = lower("AS-${var.env}-${var.location_map[var.location]}-${var.application}")
+    availability-set            = lower("AVS-${var.env}-${var.location_map[var.location]}-${var.application}")
+    azure-container-registry    = lower("ACR${var.location_map[var.location]}${var.application}${var.env}")
+    connection                  = upper("CON-${var.env}-${var.location_map[var.location]}-${var.application}")
+    custom-image                = upper("IMAGE-${var.env}-${var.location_map[var.location]}")
+    dns-zone                    = "${lower(var.application)}.${lower(var.env)}.net"
+    docker-dtr                  = upper("DTR-${var.env}-${var.location_map[var.location]}-${var.application}")
+    docker-manager              = upper("UCP-${var.env}-${var.location_map[var.location]}-${var.application}")
+    docker-worker               = upper("LWK-${var.env}-${var.location_map[var.location]}-${var.application}")
+    docker-worker-windows       = upper("WWK-${var.env}-${var.location_map[var.location]}-${var.application}")
+    docker-worker-windows-nb    = upper("WWK${var.env}${var.location_map[var.location]}${var.application}")
+    external-load-balancer      = upper("ELB-${var.env}-${var.location_map[var.location]}-${var.application}")
+    event-grid-topic            = lower("EVGT-${var.env}-${var.location_map[var.location]}")
+    function-app                = lower("${var.env}-${var.location_map[var.location]}")
+    internal-load-balancer      = upper("ILB-${var.env}-${var.location_map[var.location]}-${var.application}")
+    key-vault                   = upper("KV-${var.application}-${var.env}-${var.location_map[var.location]}")
+    kubernetes-service          = lower("AKS-${var.env}-${var.location_map[var.location]}-${var.application}")
+    load-balancer               = upper("LB-${var.env}-${var.location_map[var.location]}-${var.application}")
+    local-network-gateway       = upper("LNG-${var.env}-${var.location_map[var.location]}-${var.application}")
+    log-analytics-workspace     = upper("${var.env}-${var.location_map[var.location]}")
+    logic-app                   = lower("LA-${var.env}-${var.location_map[var.location]}-${var.application}")
+    network-interface           = upper("${var.env}-${var.location_map[var.location]}-${var.application}")
+    network-security-group      = upper("NSG-${var.env}-${var.location_map[var.location]}-${var.application}")
+    private-ssh-key             = lower("ssh-pri-${var.env}${var.location_map[var.location]}${var.application}")
+    public-ip-address           = upper("PIP-${var.env}-${var.location_map[var.location]}-${var.application}")
+    public-ip-dns               = lower("${var.env}${var.location_map[var.location]}${var.application}")
+    public-ssh-key              = lower("ssh-pub-${var.env}${var.location_map[var.location]}${var.application}")
+    redis-cache                 = lower("RC-${var.location_map[var.location]}-${var.env}-${var.application}")
+    resource-group              = lower("RG-${var.application}-${var.env}-${var.location_map[var.location]}")
+    resource-application        = upper("${var.env}-${var.location_map[var.location]}-${var.application}")
+    route-table                 = upper("RT-${var.env}-${var.location_map[var.location]}-${var.application}")
+    service-bus                 = lower("SB-${var.location_map[var.location]}-${var.env}-${var.application}")
+    service-principal           = upper("SP-${var.env}-${var.application}")
+    sql-server                  = lower("SQLSVR-${var.application}-${var.env}-${var.location_map[var.location]}")
+    sql-server-db               = lower("SQLDB-${var.application}-${var.env}-${var.location_map[var.location]}")
+    sql-server-managed-instance = lower("SQLMI-${var.env}-${var.location_map[var.location]}-${var.application}")
+    stack-dns-suffix            = "${lower(var.env)}${lower(var.application)}"
+    storage-account             = substr(lower("ST${var.application}${var.env}${var.location_map[var.location]}"), 0, 24)
+    storage-alerts              = lower("STALERT${var.env}${var.location_map[var.location]}${var.application}")
+    storage-boot-diags          = lower("STDIAG${var.env}${var.location_map[var.location]}${var.application}")
+    storage-flow-logs           = lower("STFLOW${var.env}${var.location_map[var.location]}${var.application}")
+    storage-shared-state        = lower("STSTATE${var.env}${var.location_map[var.location]}${var.application}")
+    subnet                      = upper("SN-${var.env}-${var.location_map[var.location]}-${var.application}")
+    virtual-machine             = upper("${var.env}-${var.application}")
+    win-virtual-machine         = upper("${var.env}-${var.application}")
+    virtual-network             = upper("VNET-${var.env}-${var.location_map[var.location]}-${var.application}")
+    vnet-gateway                = upper("GWY-${var.env}-${var.location_map[var.location]}-${var.application}")
+  }
+
+}
+
+output "names" {
+  description = "Return list of calculated standard names for the deployment."
+  value = {
+    api-management              = local.names.api-management
+    app-insights                = local.names.app-insights
+    app-service-plan            = local.names.app-service-plan
+    app-service                 = local.names.app-service
+    availability-set            = local.names.availability-set
+    azure-container-registry    = local.names.azure-container-registry
+    connection                  = local.names.connection
+    custom-image                = local.names.custom-image
+    dns-zone                    = local.names.dns-zone
+    docker-dtr                  = local.names.docker-dtr
+    docker-manager              = local.names.docker-manager
+    docker-worker               = local.names.docker-worker
+    docker-worker-windows       = local.names.docker-worker-windows
+    docker-worker-windows-nb    = local.names.docker-worker-windows-nb
+    external-load-balancer      = local.names.external-load-balancer
+    event-grid-topic            = local.names.event-grid-topic
+    function-app                = local.names.function-app
+    internal-load-balancer      = local.names.internal-load-balancer
+    key-vault                   = local.names.key-vault
+    kubernetes-service          = local.names.kubernetes-service
+    load-balancer               = local.names.load-balancer
+    local-network-gateway       = local.names.local-network-gateway
+    log-analytics-workspace     = local.names.log-analytics-workspace
+    logic-app                   = local.names.logic-app
+    network-interface           = local.names.network-interface
+    network-security-group      = local.names.network-security-group
+    private-ssh-key             = local.names.private-ssh-key
+    public-ip-address           = local.names.public-ip-address
+    public-ip-dns               = local.names.public-ip-dns
+    public-ssh-key              = local.names.public-ssh-key
+    redis-cache                 = local.names.redis-cache
+    resource-group              = local.names.resource-group
+    resource-application        = local.names.resource-application
+    route-table                 = local.names.route-table
+    service-bus                 = local.names.service-bus
+    service-principal           = local.names.service-principal
+    sql-server                  = local.names.sql-server
+    sql-server-db               = local.names.sql-server-db
+    sql-server-managed-instance = local.names.sql-server-managed-instance
+    stack-dns-suffix            = local.names.stack-dns-suffix
+    storage-account             = local.names.storage-account
+    storage-alerts              = local.names.storage-alerts
+    storage-boot-diags          = local.names.storage-boot-diags
+    storage-flow-logs           = local.names.storage-flow-logs
+    storage-shared-state        = local.names.storage-shared-state
+    subnet                      = local.names.subnet
+    virtual-machine             = local.names.virtual-machine
+    win-virtual-machine         = local.names.win-virtual-machine
+    virtual-network             = local.names.virtual-network
+    vnet-gateway                = local.names.vnet-gateway
+  }
+}
diff --git a/infrastructure/modules/shared-config/variables.tf b/infrastructure/modules/shared-config/variables.tf
@@ -0,0 +1,95 @@
+variable "env" {
+  description = "Environment acronym for deployment"
+}
+
+variable "location" {
+  description = "Location for the deployment"
+}
+
+variable "location_map" {
+  description = "Azure location map used for naming abberviations"
+  type        = map(string)
+  default = {
+    "Australia Central 2"  = "CAU2",
+    "Australia Central"    = "CAU",
+    "Australia East"       = "EAU",
+    "Australia Southeast"  = "SEAU",
+    "australiacentral"     = "CAU",
+    "australiacentral2"    = "CAU2",
+    "australiaeast"        = "EAU",
+    "australiasoutheast"   = "SEAU",
+    "Brazil South"         = "SBR",
+    "brazilsouth"          = "SBR",
+    "Canada Central"       = "CAC",
+    "Canada East"          = "ECA",
+    "canadacentral"        = "CAC",
+    "canadaeast"           = "ECA",
+    "Central India"        = "CIN",
+    "Central US"           = "CUS",
+    "centralindia"         = "CIN",
+    "centralus"            = "CUS",
+    "East Asia"            = "EAA",
+    "East US 2"            = "EUS2",
+    "East US"              = "EUS",
+    "eastasia"             = "EAA",
+    "eastus"               = "EUS",
+    "eastus2"              = "EUS2",
+    "France Central"       = "CFR",
+    "France South"         = "SFR",
+    "francecentral"        = "CFR",
+    "francesouth"          = "SFR",
+    "Germany North"        = "NGE",
+    "Germany West Central" = "WCGE",
+    "germanynorth"         = "NGE",
+    "germanywestcentral"   = "WCGE",
+    "Japan East"           = "EJA",
+    "Japan West"           = "WJA",
+    "japaneast"            = "EJA",
+    "japanwest"            = "WJA",
+    "Korea Central"        = "CKO",
+    "Korea South"          = "SKO",
+    "koreacentral"         = "CKO",
+    "koreasouth"           = "SKO",
+    "North Central US"     = "NCUS",
+    "North Europe"         = "NEU",
+    "northcentralus"       = "NCUS",
+    "northeurope"          = "NEU",
+    "South Africa North"   = "NSA",
+    "South Africa West"    = "WSA",
+    "South Central US"     = "SCUS",
+    "South India"          = "SIN",
+    "southafricanorth"     = "NSA",
+    "southafricawest"      = "WSA",
+    "southcentralus"       = "SCUS",
+    "Southeast Asia"       = "SEA",
+    "southeastasia"        = "SEA",
+    "southindia"           = "SIN",
+    "UAE Central"          = "CUA",
+    "UAE North"            = "NUA",
+    "uaecentral"           = "CUA",
+    "uaenorth"             = "NUA",
+    "UK South"             = "UKS",
+    "UK West"              = "WUK",
+    "uksouth"              = "UKS",
+    "ukwest"               = "WUK",
+    "West Central US"      = "WCUS",
+    "West Europe"          = "WEU",
+    "West India"           = "WIN",
+    "West US 2"            = "WUS2",
+    "West US"              = "WUS",
+    "westcentralus"        = "WCUS",
+    "westeurope"           = "WEU",
+    "westindia"            = "WIN",
+    "westus"               = "WUS",
+    "westus2"              = "WUS2"
+  }
+}
+
+variable "application" {
+  description = "Unique identifier for the deployment"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Default tags for the deployment"
+}
diff --git a/infrastructure/modules/subnet/main.tf b/infrastructure/modules/subnet/main.tf
@@ -23,6 +23,8 @@ resource "azurerm_subnet" "subnet" {
 
 
 module "nsg" {
+  count = var.create_nsg ? 1 : 0
+
   source = "../../modules/network-security-group"
 
   name                = var.network_security_group_name
@@ -34,6 +36,9 @@ module "nsg" {
 }
 
 resource "azurerm_subnet_network_security_group_association" "subnet_nsg_association" {
+  count                     = var.create_nsg ? 1 : 0
+
   subnet_id                 = azurerm_subnet.subnet.id
-  network_security_group_id = module.nsg.id
+  # Count in module "nsg" results in a list of 0 or 1 elements, so we need to use a list index in the below
+  network_security_group_id = module.nsg[0].id
 }
diff --git a/infrastructure/modules/subnet/variables.tf b/infrastructure/modules/subnet/variables.tf
@@ -3,6 +3,12 @@ variable "address_prefixes" {
   description = "The address prefixes for the subnet."
 }
 
+variable "create_nsg" {
+  type        = bool
+  default     = true
+  description = "Indicates whether a network security group should be created. (Some subnets such as those for VNEt Gateways cannot have NSGs)"
+}
+
 variable "delegation_name" {
   type        = string
   default     = ""

diff --git a/infrastructure/modules/vnet/main.tf b/infrastructure/modules/vnet/main.tf
@@ -1,6 +1,6 @@
 resource "azurerm_virtual_network" "vnet" {
   name                = var.name
   resource_group_name = var.resource_group_name
-  address_space       = var.vnet_address_space
+  address_space       = [var.vnet_address_space]
   location            = var.location
 }
diff --git a/infrastructure/modules/vnet/variables.tf b/infrastructure/modules/vnet/variables.tf
@@ -14,7 +14,7 @@ variable "location" {
 }
 
 variable "vnet_address_space" {
-  type = list(string)
+  type = string
 }
 
 variable "tags" {