feat: dtoss-4393 New Function App module - still requires PEP (#6)

* New Function App module - still requires PEP * Format code changes
NHSDigital · Sep 30, 2024 · fa87791 · fa87791
1 parent e125d92
commit fa87791
Show file tree

Hide file tree

Showing 3 changed files with 162 additions and 0 deletions.
diff --git a/infrastructure/modules/function-app/main.tf b/infrastructure/modules/function-app/main.tf
@@ -0,0 +1,46 @@
+resource "azurerm_linux_function_app" "function_app" {
+
+  name                = var.function_app_name
+  resource_group_name = var.resource_group_name
+  location            = var.location
+  service_plan_id     = var.asp_id
+
+  app_settings = var.app_settings
+
+  https_only = var.https_only
+
+  # Commented out as does not seem compatible with the current version of the azurerm provider
+  # cors {
+  #   allowed_origins     = var.cors_allowed_origins # List of allowed origins
+  #   support_credentials = false
+  # }
+
+  identity {
+    type         = "SystemAssigned, UserAssigned"
+    identity_ids = var.assigned_identity_ids
+  }
+
+  site_config {
+    application_insights_connection_string        = var.ai_connstring
+    container_registry_use_managed_identity       = var.cont_registry_use_mi
+    container_registry_managed_identity_client_id = var.acr_mi_client_id
+    ftps_state                                    = var.ftps_state
+    minimum_tls_version                           = var.minimum_tls_version
+
+
+    application_stack {
+      docker {
+        registry_url = var.acr_login_server
+        image_name   = var.image_name
+        image_tag    = var.image_tag
+      }
+    }
+
+    use_32_bit_worker = var.worker_32bit
+  }
+
+  storage_account_name       = var.sa_name
+  storage_account_access_key = var.sa_prm_key
+
+  tags = var.tags
+}
diff --git a/infrastructure/modules/function-app/output.tf b/infrastructure/modules/function-app/output.tf
@@ -0,0 +1,9 @@
+output "name" {
+  description = "The name of the Linux Function App."
+  value       = azurerm_linux_function_app.function_app.name
+}
+
+output "function_app_sami_id" {
+  description = "The Principal ID of the System Assigned Managed Service Identity that is configured on this Linux Function App."
+  value       = azurerm_linux_function_app.function_app.identity.0.principal_id
+}
diff --git a/infrastructure/modules/function-app/variables.tf b/infrastructure/modules/function-app/variables.tf
@@ -0,0 +1,107 @@
+variable "function_app_name" {
+  description = "Name of the Function App"
+}
+
+variable "location" {
+  type        = string
+  description = "The location/region where the Function App is created."
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "The name of the resource group in which to create the Function App. Changing this forces a new resource to be created."
+}
+
+variable "ai_connstring" {
+  type        = string
+  description = "The App Insights connection string."
+}
+
+variable "acr_login_server" {
+  type        = string
+  description = "The login server for the Azure Container Registry."
+}
+
+variable "acr_mi_client_id" {
+  description = "The Managed Identity Id for the Azure Container Registry."
+}
+
+variable "app_settings" {
+  description = "Map of values for the app settings"
+  default     = {}
+}
+
+variable "asp_id" {
+  type        = string
+  description = "The ID of the AppServicePlan."
+}
+
+variable "assigned_identity_ids" {
+  type        = list(string)
+  description = "The list of User Assigned Identity IDs to assign to the Function App."
+}
+
+variable "cont_registry_use_mi" {
+  description = "Should connections for Azure Container Registry use Managed Identity."
+}
+
+variable "cors_allowed_origins" {
+  type    = list(string)
+  default = [""]
+}
+
+variable "ftps_state" {
+  type        = string
+  description = "Enable FTPS enforcement for enhanced security. Allowed values = AllAllowed (i.e. FTP & FTPS), FtpsOnly and Disabled (i.e. no FTP/FTPS access). Defaults to AllAllowed."
+  default     = "Disabled"
+
+  validation {
+    condition     = contains(["AllAllowed", "FtpsOnly", "Disabled"], var.ftps_state)
+    error_message = "ftps_state must be one of AllAllowed, FtpsOnly or Disabled."
+  }
+}
+
+variable "https_only" {
+  type        = bool
+  description = "Can the Function App only be accessed via HTTPS? Defaults to false."
+  default     = true
+}
+
+variable "image_name" {
+  description = "Name of the docker image"
+}
+
+variable "image_tag" {
+  description = "Tag of the docker image"
+}
+
+variable "minimum_tls_version" {
+  type    = string
+  default = "1.2" # Possible versions: TLS1.0", "TLS1.1", "TLS1.2
+
+  validation {
+    condition     = contains(["1.0", "1.1", "1.2"], var.minimum_tls_version)
+    error_message = "Minimum_tls_version must be one of 1.0, 1.1 or 1.2."
+  }
+}
+
+variable "sa_name" {
+  type        = string
+  description = "The name of the Storage Account."
+}
+
+variable "sa_prm_key" {
+  type        = string
+  description = "The Storage Account Primary Access Key."
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Resource tags to be applied throughout the deployment."
+  default     = {}
+}
+
+variable "worker_32bit" {
+  type        = bool
+  description = "Should the Windows Function App use a 32-bit worker process. Defaults to true"
+}