Skip to content

Commit 48401da

Browse files
marvinbussmarvinbuss
committed
Add infrastructure baseline
1 parent c7597ba commit 48401da

File tree

12 files changed

+850
-0
lines changed

12 files changed

+850
-0
lines changed

code/infra/data.tf

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
data "azurerm_client_config" "current" {}
2+
3+
data "azurerm_virtual_network" "virtual_network" {
4+
name = local.virtual_network.name
5+
resource_group_name = local.virtual_network.resource_group_name
6+
}
7+
8+
data "azurerm_network_security_group" "network_security_group" {
9+
name = local.network_security_group.name
10+
resource_group_name = local.network_security_group.resource_group_name
11+
}
12+
13+
data "azurerm_route_table" "route_table" {
14+
name = local.route_table.name
15+
resource_group_name = local.route_table.resource_group_name
16+
}

code/infra/function.tf

Lines changed: 133 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,133 @@
1+
resource "azurerm_service_plan" "service_plan" {
2+
name = "${local.prefix}-asp001"
3+
location = var.location
4+
resource_group_name = azurerm_resource_group.app_rg.name
5+
tags = var.tags
6+
7+
# maximum_elastic_worker_count = 20
8+
os_type = "Linux"
9+
per_site_scaling_enabled = false
10+
sku_name = "P1v3"
11+
worker_count = 3
12+
zone_balancing_enabled = true
13+
}
14+
15+
resource "azapi_resource" "function" {
16+
type = "Microsoft.Web/sites@2022-09-01"
17+
parent_id = azurerm_resource_group.app_rg.id
18+
name = "${local.prefix}-fctn001"
19+
location = var.location
20+
tags = var.tags
21+
identity {
22+
type = "SystemAssigned"
23+
}
24+
25+
body = jsonencode({
26+
kind = "functionapp,linux"
27+
properties = {
28+
clientAffinityEnabled = false
29+
clientCertEnabled = false
30+
clientCertMode = "Required"
31+
enabled = true
32+
hostNamesDisabled = false
33+
httpsOnly = true
34+
hyperV = false
35+
isXenon = false
36+
keyVaultReferenceIdentity = "SystemAssigned"
37+
publicNetworkAccess = "Disabled"
38+
redundancyMode = "None"
39+
reserved = true
40+
scmSiteAlsoStopped = false
41+
serverFarmId = azurerm_service_plan.service_plan.id
42+
storageAccountRequired = false
43+
virtualNetworkSubnetId = azapi_resource.subnet_function.id
44+
siteConfig = {
45+
autoHealEnabled = false
46+
acrUseManagedIdentityCreds = false
47+
alwaysOn = true
48+
appSettings = [
49+
{
50+
name = "APPLICATIONINSIGHTS_CONNECTION_STRING"
51+
value = azurerm_application_insights.application_insights.connection_string
52+
},
53+
{
54+
name = "APPINSIGHTS_INSTRUMENTATIONKEY"
55+
value = azurerm_application_insights.application_insights.instrumentation_key
56+
},
57+
{
58+
name = "FUNCTIONS_EXTENSION_VERSION"
59+
value = "~4"
60+
},
61+
{
62+
name = "FUNCTIONS_WORKER_RUNTIME"
63+
value = "python"
64+
},
65+
{
66+
name = "WEBSITE_CONTENTOVERVNET"
67+
value = "1"
68+
},
69+
{
70+
name = "AzureWebJobsStorage__accountName"
71+
value = azurerm_storage_account.storage.name
72+
}
73+
]
74+
azureStorageAccounts = {}
75+
detailedErrorLoggingEnabled = true
76+
functionAppScaleLimit = 0
77+
functionsRuntimeScaleMonitoringEnabled = false
78+
ftpsState = "FtpsOnly"
79+
http20Enabled = false
80+
ipSecurityRestrictionsDefaultAction = "Deny"
81+
linuxFxVersion = "Python|3.10"
82+
localMySqlEnabled = false
83+
loadBalancing = "LeastRequests"
84+
minTlsVersion = "1.2"
85+
minimumElasticInstanceCount = 0
86+
numberOfWorkers = 1
87+
preWarmedInstanceCount = 0
88+
scmMinTlsVersion = "1.2"
89+
scmIpSecurityRestrictionsUseMain = false
90+
scmIpSecurityRestrictionsDefaultAction = "Deny"
91+
use32BitWorkerProcess = true
92+
vnetRouteAllEnabled = true
93+
vnetPrivatePortsCount = 0
94+
webSocketsEnabled = false
95+
}
96+
}
97+
})
98+
}
99+
100+
data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_function" {
101+
resource_id = azapi_resource.function.id
102+
}
103+
104+
resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_function" {
105+
name = "logAnalytics"
106+
target_resource_id = azapi_resource.function.id
107+
log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
108+
109+
dynamic "enabled_log" {
110+
iterator = entry
111+
for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_function.log_category_groups
112+
content {
113+
category_group = entry.value
114+
retention_policy {
115+
enabled = true
116+
days = 30
117+
}
118+
}
119+
}
120+
121+
dynamic "metric" {
122+
iterator = entry
123+
for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_function.metrics
124+
content {
125+
category = entry.value
126+
enabled = true
127+
retention_policy {
128+
enabled = true
129+
days = 30
130+
}
131+
}
132+
}
133+
}

code/infra/keyvault.tf

Lines changed: 80 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,80 @@
1+
resource "azurerm_key_vault" "key_vault" {
2+
name = "${local.prefix}-vault001"
3+
location = var.location
4+
resource_group_name = azurerm_resource_group.app_rg.name
5+
tags = var.tags
6+
7+
access_policy = []
8+
enable_rbac_authorization = true
9+
enabled_for_deployment = false
10+
enabled_for_disk_encryption = false
11+
enabled_for_template_deployment = false
12+
network_acls {
13+
bypass = "AzureServices"
14+
default_action = "Deny"
15+
ip_rules = []
16+
virtual_network_subnet_ids = []
17+
}
18+
public_network_access_enabled = false
19+
purge_protection_enabled = true
20+
sku_name = "standard"
21+
soft_delete_retention_days = 7
22+
tenant_id = data.azurerm_client_config.current.tenant_id
23+
}
24+
25+
data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_key_vault" {
26+
resource_id = azurerm_key_vault.key_vault.id
27+
}
28+
29+
resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_key_vault" {
30+
name = "logAnalytics"
31+
target_resource_id = azurerm_key_vault.key_vault.id
32+
log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
33+
34+
dynamic "enabled_log" {
35+
iterator = entry
36+
for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_key_vault.log_category_groups
37+
content {
38+
category_group = entry.value
39+
retention_policy {
40+
enabled = true
41+
days = 30
42+
}
43+
}
44+
}
45+
46+
dynamic "metric" {
47+
iterator = entry
48+
for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_key_vault.metrics
49+
content {
50+
category = entry.value
51+
enabled = true
52+
retention_policy {
53+
enabled = true
54+
days = 30
55+
}
56+
}
57+
}
58+
}
59+
60+
resource "azurerm_private_endpoint" "key_vault_private_endpoint" {
61+
name = "${azurerm_key_vault.key_vault.name}-pe"
62+
location = var.location
63+
resource_group_name = azurerm_key_vault.key_vault.resource_group_name
64+
tags = var.tags
65+
66+
custom_network_interface_name = "${azurerm_key_vault.key_vault.name}-nic"
67+
private_service_connection {
68+
name = "${azurerm_key_vault.key_vault.name}-pe"
69+
is_manual_connection = false
70+
private_connection_resource_id = azurerm_key_vault.key_vault.id
71+
subresource_names = ["vault"]
72+
}
73+
subnet_id = azapi_resource.subnet_services.id
74+
private_dns_zone_group {
75+
name = "${azurerm_key_vault.key_vault.name}-arecord"
76+
private_dns_zone_ids = [
77+
var.private_dns_zone_id_key_vault
78+
]
79+
}
80+
}

code/infra/locals.tf

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
locals {
2+
prefix = "${lower(var.prefix)}-${var.environment}"
3+
4+
virtual_network = {
5+
resource_group_name = split("/", var.vnet_id)[4]
6+
name = split("/", var.vnet_id)[8]
7+
}
8+
9+
network_security_group = {
10+
resource_group_name = split("/", var.nsg_id)[4]
11+
name = split("/", var.nsg_id)[8]
12+
}
13+
14+
route_table = {
15+
resource_group_name = split("/", var.route_table_id)[4]
16+
name = split("/", var.route_table_id)[8]
17+
}
18+
}

code/infra/logging.tf

Lines changed: 103 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,103 @@
1+
resource "azurerm_application_insights" "application_insights" {
2+
name = "${local.prefix}-appi001"
3+
location = var.location
4+
resource_group_name = azurerm_resource_group.logging_rg.name
5+
tags = var.tags
6+
7+
application_type = "other"
8+
daily_data_cap_notifications_disabled = false
9+
disable_ip_masking = false
10+
force_customer_storage_for_profiler = false
11+
internet_ingestion_enabled = true
12+
internet_query_enabled = true
13+
local_authentication_disabled = true
14+
retention_in_days = 90
15+
sampling_percentage = 100
16+
workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
17+
}
18+
19+
data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_application_insights" {
20+
resource_id = azurerm_application_insights.application_insights.id
21+
}
22+
23+
resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_application_insights" {
24+
name = "logAnalytics"
25+
target_resource_id = azurerm_application_insights.application_insights.id
26+
log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
27+
28+
dynamic "enabled_log" {
29+
iterator = entry
30+
for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.log_category_groups
31+
content {
32+
category_group = entry.value
33+
retention_policy {
34+
enabled = true
35+
days = 30
36+
}
37+
}
38+
}
39+
40+
dynamic "metric" {
41+
iterator = entry
42+
for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.metrics
43+
content {
44+
category = entry.value
45+
enabled = true
46+
retention_policy {
47+
enabled = true
48+
days = 30
49+
}
50+
}
51+
}
52+
}
53+
54+
resource "azurerm_log_analytics_workspace" "log_analytics_workspace" {
55+
name = "${local.prefix}-log001"
56+
location = var.location
57+
resource_group_name = azurerm_resource_group.logging_rg.name
58+
tags = var.tags
59+
60+
allow_resource_only_permissions = true
61+
cmk_for_query_forced = false
62+
daily_quota_gb = -1
63+
internet_ingestion_enabled = true
64+
internet_query_enabled = true
65+
local_authentication_disabled = true
66+
retention_in_days = 30
67+
sku = "PerGB2018"
68+
}
69+
70+
data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_log_analytics_workspace" {
71+
resource_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
72+
}
73+
74+
resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_log_analytics_workspace" {
75+
name = "logAnalytics"
76+
target_resource_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
77+
log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
78+
79+
dynamic "enabled_log" {
80+
iterator = entry
81+
for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_log_analytics_workspace.log_category_groups
82+
content {
83+
category_group = entry.value
84+
retention_policy {
85+
enabled = true
86+
days = 30
87+
}
88+
}
89+
}
90+
91+
dynamic "metric" {
92+
iterator = entry
93+
for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_log_analytics_workspace.metrics
94+
content {
95+
category = entry.value
96+
enabled = true
97+
retention_policy {
98+
enabled = true
99+
days = 30
100+
}
101+
}
102+
}
103+
}

code/infra/main.tf

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
resource "azurerm_resource_group" "app_rg" {
2+
name = "${local.prefix}-app-rg"
3+
location = var.location
4+
tags = var.tags
5+
}
6+
7+
resource "azurerm_resource_group" "logging_rg" {
8+
name = "${local.prefix}-logging-rg"
9+
location = var.location
10+
tags = var.tags
11+
}

0 commit comments

Comments
 (0)