# Provider requirements and state backend for the azure-image-chooser stack.
terraform {
  # State lives on local disk. NOTE(review): azurerm_key_vault_secret.azure_client_secret
  # records var.azure_client_secret in state, so this file contains the client secret in
  # plaintext; a remote backend with access control and encryption at rest is the usual fix.
  backend "local" {
    path = "azure-image-chooser.tfstate"
  }

  # Lower bounds only: no upper bound, so the next major provider release is accepted
  # without review. A pessimistic constraint such as "~> 4.0" would pin the major version.
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 3.0.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 4.0.0"
    }
  }
}
# azurerm provider scoped to the target subscription. No credentials are configured in
# this file; the provider uses whatever login is available where `terraform apply` runs.
provider "azurerm" {
  subscription_id = var.subscription_id

  # Mandatory block even when no provider feature flags are overridden.
  features {}
}
# Identity performing this apply; only its tenant_id is consumed (azurerm_key_vault.kv).
data "azurerm_client_config" "current" {}
# Human administrator granted "Key Vault Secrets Officer" on the vault (az_lab_admin_assignment).
# The UPN is hard-coded; a variable would keep the privileged principal out of the module body
# and let the same configuration be reused in another tenant.
data "azuread_user" "az_lab_admin" {
  user_principal_name = "az-lab-admin@lab.koszewscy.waw.pl"
}
# Names shared by several resources below.
locals {
  app_name = format("%s-app", var.project_name)

  # Used for both the Key Vault secret and the Container App secret/env reference.
  kv_secret_name = "azure-client-secret"
}
# Resource group holding every resource in this stack; its location is inherited
# by the others through azurerm_resource_group.rg.location.
resource "azurerm_resource_group" "rg" {
  location = "Poland Central"
  name     = format("rg-%s", var.project_name)
}
# Workspace that receives the Container Apps environment logs
# (referenced by azurerm_container_app_environment.env.log_analytics_workspace_id).
resource "azurerm_log_analytics_workspace" "logaws" {
  name                = format("%s-logs", var.project_name)
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  sku               = "PerGB2018"
  retention_in_days = 30
}
# Vault holding the application's client secret.
resource "azurerm_key_vault" "kv" {
  name                = format("%s-kv", var.project_name)
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Data-plane access is granted only through the azurerm_role_assignment resources
  # below; no access policies are defined on the vault.
  enable_rbac_authorization = true

  # NOTE(review): purge_protection_enabled, soft_delete_retention_days,
  # public_network_access_enabled and network_acls are left at provider defaults, so the
  # vault endpoint is publicly reachable and the vault can be purged after deletion.
}
# Allows the app's user-assigned identity to read secret values from the vault.
# "Key Vault Secrets User" is read-only on secret contents; it cannot create or delete secrets.
resource "azurerm_role_assignment" "app_assignment" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.uai.principal_id
}
# Grants the lab admin write access to secrets in the vault. azurerm_key_vault_secret
# depends on this assignment, which suggests the apply runs as this user
# (NOTE(review): confirm; if a different identity applies, the secret write will be denied).
resource "azurerm_role_assignment" "az_lab_admin_assignment" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azuread_user.az_lab_admin.object_id
}
# Stores the service-principal client secret so the Container App can reference it
# instead of receiving it as a plain environment variable.
resource "azurerm_key_vault_secret" "azure_client_secret" {
  name         = local.kv_secret_name
  key_vault_id = azurerm_key_vault.kv.id

  # The value is written to Terraform state (local backend, see terraform block).
  value = var.azure_client_secret

  # Writing needs a data-plane role on the vault; wait for the officer assignment so the
  # apply identity is authorized before the first write.
  depends_on = [azurerm_role_assignment.az_lab_admin_assignment]
}
# Container Apps environment hosting the app; logs go to the workspace above.
resource "azurerm_container_app_environment" "env" {
  name                = format("%s-env", var.project_name)
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  log_analytics_workspace_id = azurerm_log_analytics_workspace.logaws.id
}
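# The azure-image-chooser Container App: pulls its image from the private ACR with a
# user-assigned identity and reads the client secret from Key Vault with the same identity.
resource "azurerm_container_app" "app" {
  name                         = local.app_name
  container_app_environment_id = azurerm_container_app_environment.env.id
  resource_group_name          = azurerm_resource_group.rg.name
  revision_mode                = "Single"

  # Key Vault-backed secret; the app never sees the value in its Terraform-managed config.
  # .id is the versioned secret identifier, so a new secret version written outside
  # Terraform is not picked up until the reference is updated (versionless_id would track
  # the latest version).
  secret {
    name                = local.kv_secret_name
    key_vault_secret_id = azurerm_key_vault_secret.azure_client_secret.id
    identity            = azurerm_user_assigned_identity.uai.id
  }

  template {
    container {
      name = "azure-image-chooser"
      # NOTE(review): ":latest" is a mutable tag, so each revision may pull a different
      # image; pinning to an immutable tag or digest makes deployments reproducible and
      # auditable. (The digest is not available from this file.)
      image  = "skdomlab.azurecr.io/azure-image-chooser:latest"
      cpu    = "0.25"
      memory = "0.5Gi"

      # Non-secret identifiers are passed as plain environment variables.
      env {
        name  = "AZURE_CLIENT_ID"
        value = var.azure_client_id
      }

      env {
        name  = "AZURE_TENANT_ID"
        value = var.azure_tenant_id
      }

      # The secret is injected from the secret block above, not from a Terraform variable.
      # NOTE(review): the app also has a user-assigned identity; if the application code
      # supports managed identity, the client-secret credential could be dropped entirely.
      env {
        name        = "AZURE_CLIENT_SECRET"
        secret_name = local.kv_secret_name
      }

      env {
        name  = "AZURE_SUBSCRIPTION_ID"
        value = var.subscription_id
      }
    }
  }

  # Public ingress to the container port. No authentication is configured in this file,
  # so the app itself is the only access control on the internet-facing endpoint.
  ingress {
    target_port      = 8501
    external_enabled = true

    traffic_weight {
      latest_revision = true
      percentage      = 100
    }
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.uai.id]
  }

  # Image pull authenticates with the user-assigned identity (needs AcrPull on the registry).
  registry {
    server   = "skdomlab.azurecr.io"
    identity = azurerm_user_assigned_identity.uai.id
  }

  # Role assignments are not referenced by any attribute above, so they must be ordered
  # explicitly: without acr_pull the first revision can be created before the identity is
  # allowed to pull the image, and without app_assignment before it can read the secret.
  depends_on = [
    azurerm_key_vault.kv,
    azurerm_key_vault_secret.azure_client_secret,
    azurerm_role_assignment.app_assignment,
    azurerm_role_assignment.acr_pull
  ]
}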
# Identity attached to the Container App; used for ACR pulls and Key Vault secret reads.
resource "azurerm_user_assigned_identity" "uai" {
  name                = format("%s-uai", var.project_name)
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}
# Pull-only access to the shared registry for the app identity (no push).
resource "azurerm_role_assignment" "acr_pull" {
  scope                = data.azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.uai.principal_id
}
# Pre-existing shared registry (not managed here); its id scopes the AcrPull assignment.
# Registry and resource-group names are hard-coded and must match the image server in
# azurerm_container_app.app ("skdomlab.azurecr.io").
data "azurerm_container_registry" "acr" {
  name                = "skdomlab"
  resource_group_name = "dom-lab-common"
}
# Existing public DNS zone for the lab; records below are created inside it.
data "azurerm_dns_zone" "lab_dns_zone" {
  resource_group_name = var.dns_zone_resource_group_name
  name                = var.dns_zone_name
}
# Domain-ownership proof for the custom hostname: Container Apps checks
# asuid.<project>.<zone> for the app's custom_domain_verification_id.
resource "azurerm_dns_txt_record" "domain_verification" {
  name                = format("asuid.%s", var.project_name)
  zone_name           = data.azurerm_dns_zone.lab_dns_zone.name
  resource_group_name = data.azurerm_dns_zone.lab_dns_zone.resource_group_name
  ttl                 = 300

  record {
    value = azurerm_container_app.app.custom_domain_verification_id
  }
}
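# Points <project>.<zone> at the Container App's environment-provided hostname.
resource "azurerm_dns_cname_record" "app_record" {
  name = var.project_name

  # Take zone and resource group from the zone lookup, as domain_verification does, so
  # both records agree and the apply fails early if the zone does not exist.
  zone_name           = data.azurerm_dns_zone.lab_dns_zone.name
  resource_group_name = data.azurerm_dns_zone.lab_dns_zone.resource_group_name
  ttl                 = 300

  record = "${local.app_name}.${azurerm_container_app_environment.env.default_domain}"
}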
# Binds the custom hostname to the app once the TXT verification record exists.
resource "azurerm_container_app_custom_domain" "custom_domain" {
  container_app_id = azurerm_container_app.app.id

  # Derive "<project>.<zone>" from the TXT record's FQDN: strip the leading "asuid."
  # label and the trailing dot of the absolute name.
  name = trimsuffix(trimprefix(azurerm_dns_txt_record.domain_verification.fqdn, "asuid."), ".")

  # Certificate binding is not managed by this configuration; changes made to it outside
  # Terraform (presumably a managed certificate — confirm) will not be reverted.
  lifecycle {
    ignore_changes = [certificate_binding_type, container_app_environment_certificate_id]
  }
}