diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 222e0551..85e99fff 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -3,4 +3,4 @@
 # More details are here: https://help.github.com/articles/about-codeowners/
 # Default owners for everything in the repository
-* @recognizegroup/team-technology @tom-reinders
+* @tom-reinders
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5b3f08c9..837d694f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
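Review bot: The new `* @tom-reinders` rule makes one personal account the sole code owner of every path, so a branch protection that requires code-owner review now depends entirely on that account being available and uncompromised: it is both a single point of failure for merges and a single account whose takeover satisfies the review requirement. The removed line kept a team next to the individual; keeping at least one team or a second maintainer on the rule preserves that redundancy, e.g. `* @tom-reinders @ORG/TEAM-PLACEHOLDER` (placeholder, substitute the real team). The commit does not record why the team was dropped; a one-line comment above the rule stating the reason would help future maintainers judge whether to restore it.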
@@ -11,543 +11,129 @@ updates: schedule: interval: "daily" - # Workaround till https://github.com/dependabot/dependabot-core/issues/2178 is fixed - package-ecosystem: "terraform" - directory: "/modules/azure/analysis_services" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_connectors/key_vault_managed_identity" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_connectors/log_analytics" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_connectors/office365" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_connectors/office365_set" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_connectors/service_bus_managed_identity" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_connectors/storage_blob" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_connectors/storage_blob_managed_identity" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_connectors/storage_table" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_management" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_management_api" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_management_api_operation_policy" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_management_api_simple" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_management_certificate" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: 
"/modules/azure/api_management_custom_domains" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_management_custom_domains_simple" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_management_groups" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_management_logging" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_management_named_values" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/api_management_permissions" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/application_insights" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/application_insights_smart_detection_rule" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/application_insights_workbook" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/application_performance_workbook" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/application_role_assignment" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/container_registery" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/data_factory" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/data_factory_blob_to_blob" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/data_factory_http_to_blob" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/data_lake_filesystem" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - 
directory: "/modules/azure/data_lake_storage" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/databricks_cluster" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/databricks_permissions" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/databricks_secrets" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/databricks_workspace" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/event_grid_topic" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/event_grid_topic_subscription" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/event_hub" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/frontdoor_classic" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/frontdoor_firewall_policy" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/function_app_linux" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/function_app_linux_managed_identity" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/function_app_windows" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/iam" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/key_vault" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/key_vault_certificate" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/key_vault_secret" - schedule: - interval: "daily" - - - package-ecosystem: 
"terraform" - directory: "/modules/azure/key_vault_secrets_put" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/key_vault_secrets_put_once" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/log_analytics_diagnostic_setting" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/log_analytics_queries" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/log_analytics_workspace" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/logic_app" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/logic_app_set" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/logic_app_standard" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/logic_app_standard_connection" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/logic_app_standard_connection_access_policy" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/logic_app_trigger_http_request_data" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/maps_account" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/monitoring_action_group" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/monitoring_log_analytics_alert" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/monitoring_metric_alert" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/mssql" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: 
"/modules/azure/mysql" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/mysql_flexible_server" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/mysql_flexible_server_public" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/network_security_group" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/postgresql" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/postgresql_public" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/private_dns_zone" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/public_ip" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/recovery_services_vault" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/resource_group" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/route_table" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/service_bus_public" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/service_bus_subscription" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/service_bus_topic" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/service_plan" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/storage_account_private" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/storage_account_public" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: 
"/modules/azure/storage_blob" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/storage_container" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/storage_event_grid" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/storage_queue" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/storage_share" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/storage_table" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/storage_table_entities" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/storage_table_entity" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/stream_analytics" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/subnet" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/synapse_workspace" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/virtual_machine" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/virtual_machine_extension" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/virtual_network" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/virtual_network_peering" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/web_app_linux" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/azure/web_app_windows" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: 
"/modules/cloudflare/dns_records" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/elastic/cluster" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/other/local_exec" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/other/password_generator" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/kubernetes/configmap" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/kubernetes/cron_job" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/kubernetes/deployment_with_service" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/kubernetes/ingress" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/kubernetes/secret" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/kubernetes/pvc" - schedule: - interval: "daily" - - - package-ecosystem: "terraform" - directory: "/modules/other/vm_with_power_automate_desktop" + directories: + - "/modules/azure/analysis_services" + - "/modules/azure/api_connectors/arm_managed_identity" + - "/modules/azure/api_connectors/custom_connector" + - "/modules/azure/api_connectors/event_hub_managed_identity" + - "/modules/azure/api_connectors/excel_online" + - "/modules/azure/api_connectors/key_vault_managed_identity" + - "/modules/azure/api_connectors/log_analytics" + - "/modules/azure/api_connectors/logic_app_custom_connector" + - "/modules/azure/api_connectors/office365" + - "/modules/azure/api_connectors/office365_set" + - "/modules/azure/api_connectors/service_bus_managed_identity" + - "/modules/azure/api_connectors/service_bus_managed_identity_set" + - "/modules/azure/api_connectors/sharepoint_online" + - "/modules/azure/api_connectors/storage_blob" + - 
"/modules/azure/api_connectors/storage_blob_managed_identity" + - "/modules/azure/api_connectors/storage_table" + - "/modules/azure/api_management" + - "/modules/azure/api_management_api" + - "/modules/azure/api_management_api_operation" + - "/modules/azure/api_management_api_operation_policy" + - "/modules/azure/api_management_api_schema" + - "/modules/azure/api_management_api_simple" + - "/modules/azure/api_management_certificate" + - "/modules/azure/api_management_custom_domains" + - "/modules/azure/api_management_custom_domains_simple" + - "/modules/azure/api_management_groups" + - "/modules/azure/api_management_logging" + - "/modules/azure/api_management_named_values" + - "/modules/azure/api_management_permissions" + - "/modules/azure/application_insights" + - "/modules/azure/application_insights_smart_detection_rule" + - "/modules/azure/application_insights_workbook" + - "/modules/azure/application_performance_workbook" + - "/modules/azure/application_role_assignment" + - "/modules/azure/container_registery" + - "/modules/azure/databricks_cluster" + - "/modules/azure/databricks_permissions" + - "/modules/azure/databricks_permissions_user_based" + - "/modules/azure/databricks_secrets" + - "/modules/azure/databricks_workspace" + - "/modules/azure/data_factory" + - "/modules/azure/data_factory_blob_to_blob" + - "/modules/azure/data_factory_http_to_blob" + - "/modules/azure/data_lake_filesystem" + - "/modules/azure/data_lake_storage" + - "/modules/azure/event_grid_topic" + - "/modules/azure/event_grid_topic_subscription" + - "/modules/azure/event_hub" + - "/modules/azure/frontdoor_classic" + - "/modules/azure/frontdoor_firewall_policy" + - "/modules/azure/function_app_linux" + - "/modules/azure/function_app_linux_managed_identity" + - "/modules/azure/function_app_windows" + - "/modules/azure/iam" + - "/modules/azure/iam_set" + - "/modules/azure/key_vault" + - "/modules/azure/key_vault_certificate" + - "/modules/azure/key_vault_secret" + - 
"/modules/azure/key_vault_secrets_put" + - "/modules/azure/key_vault_secrets_put_once" + - "/modules/azure/log_analytics_diagnostic_setting" + - "/modules/azure/log_analytics_queries" + - "/modules/azure/log_analytics_workspace" + - "/modules/azure/logic_app" + - "/modules/azure/logic_app_bicep" + - "/modules/azure/logic_app_set" + - "/modules/azure/logic_app_standard" + - "/modules/azure/logic_app_standard_connection" + - "/modules/azure/logic_app_standard_connection_access_policy" + - "/modules/azure/logic_app_trigger_http_request_data" + - "/modules/azure/maps_account" + - "/modules/azure/monitoring_action_group" + - "/modules/azure/monitoring_log_analytics_alert" + - "/modules/azure/monitoring_metric_alert" + - "/modules/azure/mssql" + - "/modules/azure/mysql" + - "/modules/azure/mysql_flexible_server" + - "/modules/azure/mysql_flexible_server_public" + - "/modules/azure/network_security_group" + - "/modules/azure/postgresql" + - "/modules/azure/postgresql_public" + - "/modules/azure/private_dns_zone" + - "/modules/azure/private_endpoint" + - "/modules/azure/public_ip" + - "/modules/azure/recovery_services_vault" + - "/modules/azure/resource_group" + - "/modules/azure/route_table" + - "/modules/azure/service_bus_public" + - "/modules/azure/service_bus_subscription" + - "/modules/azure/service_bus_topic" + - "/modules/azure/service_plan" + - "/modules/azure/storage_account_private" + - "/modules/azure/storage_account_public" + - "/modules/azure/storage_blob" + - "/modules/azure/storage_container" + - "/modules/azure/storage_event_grid" + - "/modules/azure/storage_queue" + - "/modules/azure/storage_share" + - "/modules/azure/storage_table" + - "/modules/azure/storage_table_entities" + - "/modules/azure/storage_table_entities_rewritable" + - "/modules/azure/storage_table_entity" + - "/modules/azure/stream_analytics" + - "/modules/azure/subnet" + - "/modules/azure/synapse_workspace" + - "/modules/azure/virtual_machine" + - "/modules/azure/virtual_machine_extension" 
+ - "/modules/azure/virtual_network" + - "/modules/azure/virtual_network_peering" + - "/modules/azure/web_app_linux" + - "/modules/azure/web_app_windows" + - "/modules/cloudflare/dns_records" + - "/modules/elastic/cluster" + - "/modules/kubernetes/configmap" + - "/modules/kubernetes/cron_job" + - "/modules/kubernetes/deployment_with_service" + - "/modules/kubernetes/ingress" + - "/modules/kubernetes/pvc" + - "/modules/kubernetes/secret" + - "/modules/other/local_exec" + - "/modules/other/password_generator" + - "/modules/other/vm_with_power_automate_desktop" schedule: interval: "daily" diff --git a/.github/workflows/dummy-code-scanning.yaml b/.github/workflows/dummy-code-scanning.yaml index 22725e10..3c54e20f 100644 --- a/.github/workflows/dummy-code-scanning.yaml +++ b/.github/workflows/dummy-code-scanning.yaml @@ -20,14 +20,14 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: javascript packs: codeql/javascript-queries # Autobuild the language if possible - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index e012f86a..d4173b3d 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -10,7 +10,7 @@ jobs: name: Lint Terraform steps: - uses: actions/checkout@v4 - - uses: hashicorp/setup-terraform@v2 + - uses: hashicorp/setup-terraform@v3 with: terraform_wrapper: false - run: terraform fmt -check -diff -recursive diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml index c12a4145..8dca394e 100644 --- a/.github/workflows/validate.yaml +++ b/.github/workflows/validate.yaml 
@@ -11,7 +11,7 @@ jobs:
 name: Validate Terraform
 steps:
 - uses: actions/checkout@v4
- - uses: hashicorp/setup-terraform@v2
+ - uses: hashicorp/setup-terraform@v3
 with:
 terraform_wrapper: false
 - run: bash ./validate/validate.sh
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b678fef2..ba309790 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,83 @@ All notable changes to this project will be documented in this file.
 The format is based on [Common Changelog](https://common-changelog.org), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [3.12.0] - 2024-07-15
+
+### Changed
+
+- Update version of multiple GitHub Actions ([#372](https://github.com/recognizegroup/terraform/pull/372), [#379](https://github.com/recognizegroup/terraform/pull/379)) ([@tom-reinders](https://github.com/tom-reinders))
+- `azure/logic_app`: Deprecate output `enpoint`, replace with `endpoint` ([#384](https://github.com/recognizegroup/terraform/pull/384)) ([@pipalmic](https://github.com/pipalmic), [@tom-reinders](https://github.com/tom-reinders))
+- `azure/function_app_linux_managed_identity`: Add `group_id` to `managed_identity_provider` variable in `var.managed_identity_provider.create` path ([#386](https://github.com/recognizegroup/terraform/pull/386)) ([@zjanura](https://github.com/zjanura))
+- `azure/function_app_linux_managed_identity`: Deprecate variable `storage_account_access_key`, use `use_managed_identity` instead ([#414](https://github.com/recognizegroup/terraform/pull/414)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/function_app_linux_managed_identity`: Add default with value of `null` to variable `storage_account_access_key` ([#414](https://github.com/recognizegroup/terraform/pull/414)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/monitoring_log_analytics_alert`: Add default with value of `null` to variable `action_group_id` ([#415](https://github.com/recognizegroup/terraform/pull/415)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/api_management`: Add `frontend_request_body_bytes` to `diagnostic_settings` variable ([#416](https://github.com/recognizegroup/terraform/pull/416), [#419](https://github.com/recognizegroup/terraform/pull/419)) ([@pipalmic](https://github.com/pipalmic), [@tom-reinders](https://github.com/tom-reinders))
+- `azure/api_management`: Add `frontend_response_body_bytes` to `diagnostic_settings` variable ([#416](https://github.com/recognizegroup/terraform/pull/416), [#419](https://github.com/recognizegroup/terraform/pull/419)) ([@pipalmic](https://github.com/pipalmic), [@tom-reinders](https://github.com/tom-reinders))
+- `azure/api_management`: Add `backend_request_body_bytes` to `diagnostic_settings` variable ([#416](https://github.com/recognizegroup/terraform/pull/416), [#419](https://github.com/recognizegroup/terraform/pull/419)) ([@pipalmic](https://github.com/pipalmic), [@tom-reinders](https://github.com/tom-reinders))
+- `azure/api_management`: Add `backend_response_body_bytes` to `diagnostic_settings` variable ([#416](https://github.com/recognizegroup/terraform/pull/416), [#419](https://github.com/recognizegroup/terraform/pull/419)) ([@pipalmic](https://github.com/pipalmic), [@tom-reinders](https://github.com/tom-reinders))
+- `azure/storage_account_public`: Change default of variable `cors_rules` from `null` to `[]` ([#419](https://github.com/recognizegroup/terraform/pull/419)) ([@tom-reinders](https://github.com/tom-reinders))
+
+### Added
+
+- `azure/log_analytics_workspace`: Add output `primary_key` ([#366](https://github.com/recognizegroup/terraform/pull/366)) ([@pipalmic](https://github.com/pipalmic))
+- `azure/service_bus_public`: Add output `endpoint` ([#366](https://github.com/recognizegroup/terraform/pull/366)) ([@pipalmic](https://github.com/pipalmic))
+- Add module `azure/private_endpoint` ([#369](https://github.com/recognizegroup/terraform/pull/369), [#370](https://github.com/recognizegroup/terraform/pull/370), [#371](https://github.com/recognizegroup/terraform/pull/371)) ([@pipalmic](https://github.com/pipalmic))
+- `azure/logic_app_set`: Add variable `use_managed_identity` ([#368](https://github.com/recognizegroup/terraform/pull/368)) ([@patrik-pa4k](https://github.com/patrik-pa4k))
+- `azure/logic_app_set`: Add output `principal_id` ([#368](https://github.com/recognizegroup/terraform/pull/368)) ([@patrik-pa4k](https://github.com/patrik-pa4k))
+- Add module `azure/iam_set` ([#368](https://github.com/recognizegroup/terraform/pull/368)) ([@patrik-pa4k](https://github.com/patrik-pa4k))
+- Add module `azure/api_connectors/service_bus_managed_identity_set` ([#368](https://github.com/recognizegroup/terraform/pull/368)) ([@patrik-pa4k](https://github.com/patrik-pa4k))
+- Add module `azure/api_connectors/event_hub_managed_identity` ([#374](https://github.com/recognizegroup/terraform/pull/374)) ([@mkostalrecognize](https://github.com/mkostalrecognize))
+- `azure/web_app_linux`: Add variable `docker_registry_url` ([#376](https://github.com/recognizegroup/terraform/pull/376)) ([@pipalmic](https://github.com/pipalmic))
+- `azure/web_app_linux`: Add variable `vnet_route_all_enabled` ([#376](https://github.com/recognizegroup/terraform/pull/376), [#419](https://github.com/recognizegroup/terraform/pull/419)) ([@pipalmic](https://github.com/pipalmic), [@tom-reinders](https://github.com/tom-reinders))
+- `azure/web_app_linux`: Add variable `ip_restrictions` ([#376](https://github.com/recognizegroup/terraform/pull/376)) ([@pipalmic](https://github.com/pipalmic))
+- Add module `azure/storage_table_entities_rewritable` ([#377](https://github.com/recognizegroup/terraform/pull/377)) ([@pipalmic](https://github.com/pipalmic))
+- Add module `azure/api_connectors/arm_managed_identity` ([#378](https://github.com/recognizegroup/terraform/pull/378)) ([@patrik-pa4k](https://github.com/patrik-pa4k))
+- Add module `azure/api_connectors/excel_online` ([#378](https://github.com/recognizegroup/terraform/pull/378)) ([@patrik-pa4k](https://github.com/patrik-pa4k))
+- Add module `azure/api_connectors/sharepoint_online` ([#378](https://github.com/recognizegroup/terraform/pull/378)) ([@patrik-pa4k](https://github.com/patrik-pa4k))
+- `azure/key_vault_secrets_put_once`: Add output `secrets` ([#380](https://github.com/recognizegroup/terraform/pull/380), [#387](https://github.com/recognizegroup/terraform/pull/387), [#388](https://github.com/recognizegroup/terraform/pull/388)) ([@pipalmic](https://github.com/pipalmic), [@szymonrozek](https://github.com/szymonrozek))
+- `azure/api_management_api`: Add output `api_audiences` ([#381](https://github.com/recognizegroup/terraform/pull/381)) ([@zjanura](https://github.com/zjanura))
+- `azure/api_management_api`: Add output `api_audience` ([#381](https://github.com/recognizegroup/terraform/pull/381)) ([@zjanura](https://github.com/zjanura))
+- `azure/function_app_linux_managed_identity`: Add output `api_audiences` ([#382](https://github.com/recognizegroup/terraform/pull/382), [#383](https://github.com/recognizegroup/terraform/pull/383)) ([@zjanura](https://github.com/zjanura))
+- `azure/logic_app`: Add output `endpoint` ([#384](https://github.com/recognizegroup/terraform/pull/384)) ([@pipalmic](https://github.com/pipalmic))
+- `azure/api_management_api`: Add variable `group_id` ([#389](https://github.com/recognizegroup/terraform/pull/389)) ([@zjanura](https://github.com/zjanura))
+- `azure/api_management_api`: Add output `app_registration_secret` ([#390](https://github.com/recognizegroup/terraform/pull/390)) ([@szymonrozek](https://github.com/szymonrozek))
+- `azure/function_app_linux_managed_identity`: Add variable `dotnet_version` ([#393](https://github.com/recognizegroup/terraform/pull/393)) ([@szymonrozek](https://github.com/szymonrozek))
+- `azure/function_app_linux_managed_identity`: Add variable `dotnet_isolated` ([#393](https://github.com/recognizegroup/terraform/pull/393), [#419](https://github.com/recognizegroup/terraform/pull/419)) ([@szymonrozek](https://github.com/szymonrozek), [@tom-reinders](https://github.com/tom-reinders))
+- Add module `azure/logic_app_bicep` ([#394](https://github.com/recognizegroup/terraform/pull/394)) ([@zjanura](https://github.com/zjanura))
+- Add module `azure/api_connectors/logic_app_custom_connector` ([#395](https://github.com/recognizegroup/terraform/pull/395), [#404](https://github.com/recognizegroup/terraform/pull/404)) ([@patrik-pa4k](https://github.com/patrik-pa4k))
+- `azure/function_app_linux`: Add variable `dotnet_version` ([#396](https://github.com/recognizegroup/terraform/pull/396)) ([@patrik-pa4k](https://github.com/patrik-pa4k))
+- `azure/function_app_linux`: Add variable `dotnet_isolated` ([#396](https://github.com/recognizegroup/terraform/pull/396), [#419](https://github.com/recognizegroup/terraform/pull/419)) ([@patrik-pa4k](https://github.com/patrik-pa4k), [@tom-reinders](https://github.com/tom-reinders))
+- Add module `azure/api_management_api_operation` ([#397](https://github.com/recognizegroup/terraform/pull/397), [#400](https://github.com/recognizegroup/terraform/pull/400), [#401](https://github.com/recognizegroup/terraform/pull/401), [#408](https://github.com/recognizegroup/terraform/pull/408)) ([@zjanura](https://github.com/zjanura))
+- `azure/api_management_api_simple`: Add output `id` ([#397](https://github.com/recognizegroup/terraform/pull/397)) ([@zjanura](https://github.com/zjanura))
+- `azure/api_management_api_simple`: Add variable `schema` ([#399](https://github.com/recognizegroup/terraform/pull/399)) ([@zjanura](https://github.com/zjanura))
+- Add module `azure/api_connectors/custom_connector` ([#398](https://github.com/recognizegroup/terraform/pull/398)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- Add module `azure/api_management_api_schema` ([#402](https://github.com/recognizegroup/terraform/pull/402)) ([@zjanura](https://github.com/zjanura))
+- `azure/postgresql`: Add variable `postgresql_zone` ([#410](https://github.com/recognizegroup/terraform/pull/410)) ([@khillen](https://github.com/khillen))
+- `azure/databricks_cluster`: Add variable `cluster_policy` ([#409](https://github.com/recognizegroup/terraform/pull/409)) ([@tom-reinders](https://github.com/tom-reinders))
+- Add module `azure/databricks_permissions_user_based` ([#409](https://github.com/recognizegroup/terraform/pull/409)) ([@tom-reinders](https://github.com/tom-reinders))
+- `azure/storage_account_public`: Add variable `delete_retention_policy_days` ([#411](https://github.com/recognizegroup/terraform/pull/411)) ([@patrik-pa4k](https://github.com/patrik-pa4k))
+- `azure/postgresql`: Add variable `public_network_access_enabled` ([#412](https://github.com/recognizegroup/terraform/pull/412)) ([@khillen](https://github.com/khillen))
+- `azure/service_bus_public`: Add variable `log_analytics_workspace_id` ([#413](https://github.com/recognizegroup/terraform/pull/413)) ([@pipalmic](https://github.com/pipalmic))
+- `azure/function_app_linux_managed_identity`: Add variable `use_managed_identity` ([#414](https://github.com/recognizegroup/terraform/pull/414)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/monitoring_log_analytics_alert`: Add variable `action_groups` ([#415](https://github.com/recognizegroup/terraform/pull/415)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/event_grid_topic`: Add variable `loganalytics_diagnostic_setting` ([#417](https://github.com/recognizegroup/terraform/pull/417)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/event_hub`: Add variable `loganalytics_diagnostic_setting` ([#417](https://github.com/recognizegroup/terraform/pull/417)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/log_analytics_workspace`: Add variable `loganalytics_diagnostic_setting` ([#417](https://github.com/recognizegroup/terraform/pull/417)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/network_security_group`: Add variable `loganalytics_diagnostic_setting` ([#417](https://github.com/recognizegroup/terraform/pull/417)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/public_ip`: Add variable `loganalytics_diagnostic_setting` ([#417](https://github.com/recognizegroup/terraform/pull/417)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/service_plan`: Add variable `loganalytics_diagnostic_setting` ([#417](https://github.com/recognizegroup/terraform/pull/417)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/storage_account_public`: Add variable `loganalytics_diagnostic_setting` ([#417](https://github.com/recognizegroup/terraform/pull/417)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/stream_analytics`: Add variable `loganalytics_diagnostic_setting` ([#417](https://github.com/recognizegroup/terraform/pull/417)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/virtual_network`: Add variable `loganalytics_diagnostic_setting` ([#417](https://github.com/recognizegroup/terraform/pull/417)) ([@ArtiomMatiom](https://github.com/ArtiomMatiom))
+- `azure/function_app_windows`: Add variable `dotnet_version` ([#419](https://github.com/recognizegroup/terraform/pull/419)) ([@tom-reinders](https://github.com/tom-reinders))
+- `azure/function_app_windows`: Add variable `dotnet_isolated` ([#419](https://github.com/recognizegroup/terraform/pull/419)) ([@tom-reinders](https://github.com/tom-reinders))
+
+### Fixed
+
+- `azure/function_app_linux`: Fix VNET integration definition ([#373](https://github.com/recognizegroup/terraform/pull/373)) ([@pipalmic](https://github.com/pipalmic))
+- `azure/function_app_linux_managed_identity`: Fix VNET integration definition ([#373](https://github.com/recognizegroup/terraform/pull/373)) ([@pipalmic](https://github.com/pipalmic))
+- `azure/function_app_windows`: Fix VNET integration definition ([#373](https://github.com/recognizegroup/terraform/pull/373)) ([@pipalmic](https://github.com/pipalmic))
+
 ## [3.11.0] - 2023-10-02
 ### Added
@@ -189,6 +266,7 @@ _If you are upgrading: please see [UPGRADE_3.0.md](UPGRADE_3.0.md)._ - **Breaking:** Remove module `azure/monitoring`, replace with `azure/azure/monitoring_action_group` and `azure/monitoring_log_analytics_alert` ([#268](https://github.com/recognizegroup/terraform/pull/268)) ([`5bd013c1`](https://github.com/recognizegroup/terraform/commit/5bd013c1)) ([@pipalmic](https://github.com/pipalmic)) - **Breaking:** Remove module `azure/api_connectors/storage_account`, replace with `azure/api_connectors/storage_blob` and `azure/api_connectors/storage_table` ([#276](https://github.com/recognizegroup/terraform/pull/276)) ([`7a483886`](https://github.com/recognizegroup/terraform/commit/7a483886)) ([@pipalmic](https://github.com/pipalmic)) +[3.12.0]: https://github.com/recognizegroup/terraform/releases/tag/v3.12.0 [3.11.0]: https://github.com/recognizegroup/terraform/releases/tag/v3.11.0 [3.10.0]: https://github.com/recognizegroup/terraform/releases/tag/v3.10.0 [3.9.0]: https://github.com/recognizegroup/terraform/releases/tag/v3.9.0 diff --git a/modules/azure/api_connectors/arm_managed_identity/connection.json b/modules/azure/api_connectors/arm_managed_identity/connection.json new file mode 100644 index 00000000..323b5be9 --- /dev/null +++ b/modules/azure/api_connectors/arm_managed_identity/connection.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String", + "metadata": { + "description": "location" + } + }, + "arm_connection_name": { + "type": "String", + "metadata": { + "description": "Name to use for this connection" + } + } + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[parameters('arm_connection_name')]", + "location": "[parameters('location')]", + "kind": "V1", + "properties": { + "displayName": "Arm connection", + "api": { + "name": "arm", + "id": "[format('{0}/providers/Microsoft.Web/locations/{1}/managedApis/arm', subscription().id, parameters('location'))]" + }, + "alternativeParameterValues": {}, + "parameterValueType": "Alternative" + } + } + ] +} \ No newline at end of file diff --git a/modules/azure/api_connectors/arm_managed_identity/main.tf b/modules/azure/api_connectors/arm_managed_identity/main.tf new file mode 100644 index 00000000..24373813 --- /dev/null +++ b/modules/azure/api_connectors/arm_managed_identity/main.tf @@ -0,0 +1,33 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.48" + } + } + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group_template_deployment" "arm_managed_identity" { + name = "${var.connection_name}_deployment" + resource_group_name = var.resource_group_name + + template_content = file("./connection.json") + parameters_content = jsonencode({ + "arm_connection_name" = { + value = var.connection_name + } + "location" = { + value = var.location + } + }) + deployment_mode = "Incremental" +} + diff --git a/modules/azure/api_connectors/arm_managed_identity/outputs.tf b/modules/azure/api_connectors/arm_managed_identity/outputs.tf new file mode 100644 index 00000000..e1e4f872 --- /dev/null 
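Review bot: `template_content = file("./connection.json")` resolves the path against the directory Terraform is invoked from, not against the module, so the deployment only works when this module is run as a root module from its own folder. The `backend "azurerm" {}` block suggests that is indeed how it is used, but `template_content = file("${path.module}/connection.json")` behaves identically in that case and keeps working if the module is ever called from another root. The same pattern is in the main.tf hunks of custom_connector, event_hub_managed_identity, excel_online, logic_app_custom_connector, service_bus_managed_identity_set and sharepoint_online in this commit.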
+++ b/modules/azure/api_connectors/arm_managed_identity/outputs.tf @@ -0,0 +1,3 @@ +output "name" { + value = var.connection_name +} \ No newline at end of file diff --git a/modules/azure/api_connectors/arm_managed_identity/variables.tf b/modules/azure/api_connectors/arm_managed_identity/variables.tf new file mode 100644 index 00000000..9b04e5e6 --- /dev/null +++ b/modules/azure/api_connectors/arm_managed_identity/variables.tf @@ -0,0 +1,14 @@ +variable "resource_group_name" { + type = string + description = "Resource group the connection should be placed in" +} + +variable "connection_name" { + type = string + description = "Name for the connection" +} + +variable "location" { + type = string + description = "The location of the connector, set by Azure if not provided and used to avoid deployment differences." +} diff --git a/modules/azure/api_connectors/custom_connector/connection.json b/modules/azure/api_connectors/custom_connector/connection.json new file mode 100644 index 00000000..df73ad4b --- /dev/null +++ b/modules/azure/api_connectors/custom_connector/connection.json 
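Review bot: `variable "location"` is declared without a default, so it is mandatory, yet its description says it is `set by Azure if not provided`; the two statements contradict each other and the ARM parameter in connection.json has no `defaultValue` either. Unless a default is intended, shorten the description to something like `description = "Azure region for the connection; pass the resource group's location to avoid deployment drift."`. The same copied description appears in the variables.tf hunks of custom_connector, event_hub_managed_identity and service_bus_managed_identity_set.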
@@ -0,0 +1,44 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "location" + } + }, + "arm_connection_name": { + "type": "string" + }, + "api_connector_id": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[parameters('arm_connection_name')]", + "location": "[parameters('location')]", + "kind": "V1", + "properties": { + "displayName": "[parameters('arm_connection_name')]", + "statuses": [ + { + "status": "Connected" + } + ], + "customParameterValues": {}, + "nonSecretParameterValues": {}, + "api": { + "name": "[parameters('arm_connection_name')]", + "displayName": "[parameters('arm_connection_name')]", + "id": "[parameters('api_connector_id')]", + "type": "Microsoft.Web/customApis" + } + } + } + ] +} \ No newline at end of file diff --git a/modules/azure/api_connectors/custom_connector/main.tf b/modules/azure/api_connectors/custom_connector/main.tf new file mode 100644 index 00000000..dfdd7ce5 --- /dev/null +++ b/modules/azure/api_connectors/custom_connector/main.tf 
@@ -0,0 +1,38 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.48" + } + } + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +data "azurerm_subscription" "current" { +} + +resource "azurerm_resource_group_template_deployment" "arm_managed_identity" { + name = "${var.connection_name}_deployment" + resource_group_name = var.resource_group_name + + template_content = file("./connection.json") + parameters_content = jsonencode({ + "arm_connection_name" = { + value = var.connection_name + } + "location" = { + value = var.location + }, + "api_connector_id" = { + value = "${data.azurerm_subscription.current.id}/resourceGroups/${var.connector_resource_group_name}/providers/Microsoft.Web/customApis/${var.connector_name}" + } + }) + deployment_mode = "Incremental" +} diff --git a/modules/azure/api_connectors/custom_connector/outputs.tf b/modules/azure/api_connectors/custom_connector/outputs.tf new file mode 100644 index 00000000..4eebae8c --- /dev/null +++ b/modules/azure/api_connectors/custom_connector/outputs.tf @@ -0,0 +1,7 @@ +output "name" { + value = var.connection_name +} + +output "connector_id" { + value = "${data.azurerm_subscription.current.id}/resourceGroups/${var.connector_resource_group_name}/providers/Microsoft.Web/customApis/${var.connector_name}" +} diff --git a/modules/azure/api_connectors/custom_connector/variables.tf b/modules/azure/api_connectors/custom_connector/variables.tf new file mode 100644 index 00000000..b5ba835c --- /dev/null +++ b/modules/azure/api_connectors/custom_connector/variables.tf 
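Review bot: The deployment resource is named `arm_managed_identity`, copied from the sibling module, although this module deploys a custom-connector connection; since the file is new, `resource "azurerm_resource_group_template_deployment" "custom_connector" {` costs nothing now and avoids a `moved` block later. The connector id expression is also written out twice, here and in outputs.tf in the same commit, so a single `connector_id = "${data.azurerm_subscription.current.id}/resourceGroups/${var.connector_resource_group_name}/providers/Microsoft.Web/customApis/${var.connector_name}"` in a `locals` block, referenced from both places, keeps them from drifting apart.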
@@ -0,0 +1,24 @@ +variable "resource_group_name" { + type = string + description = "Resource group the connection should be placed in" +} + +variable "connection_name" { + type = string + description = "Name for the connection" +} + +variable "connector_resource_group_name" { + type = string + description = "Resource group name where the custom logic app connector is located" +} + +variable "connector_name" { + type = string + description = "The name of the custom logic app connector that connection will connect to" +} + +variable "location" { + type = string + description = "The location of the connector, set by Azure if not provided and used to avoid deployment differences." +} diff --git a/modules/azure/api_connectors/event_hub_managed_identity/connection.json b/modules/azure/api_connectors/event_hub_managed_identity/connection.json new file mode 100644 index 00000000..1db27e5b --- /dev/null +++ b/modules/azure/api_connectors/event_hub_managed_identity/connection.json 
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String", + "metadata": { + "description": "location" + } + }, + "event_hub_connection_name": { + "type": "String", + "metadata": { + "description": "Name to use for this connection" + } + }, + "event_hub_namespace_endpoint": { + "type": "String", + "metadata": { + "description": "Event Hub namespace" + } + } + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[parameters('event_hub_connection_name')]", + "location": "[parameters('location')]", + "kind": "V1", + "properties": { + "displayName": "Event Hub", + "api": { + "name": "eventhubs", + "id": "[format('{0}/providers/Microsoft.Web/locations/{1}/managedApis/eventhubs', subscription().id, parameters('location'))]" + }, + "alternativeParameterValues": {}, + "parameterValueSet": { + "name": "managedIdentityAuth", + "values": { + "namespaceEndpoint": { + "value": "[parameters('event_hub_namespace_endpoint')]" + } + } + } + } + } + ] +} \ No newline at end of file diff --git a/modules/azure/api_connectors/event_hub_managed_identity/main.tf b/modules/azure/api_connectors/event_hub_managed_identity/main.tf new file mode 100644 index 00000000..2217fd24 --- /dev/null +++ b/modules/azure/api_connectors/event_hub_managed_identity/main.tf 
@@ -0,0 +1,35 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.48" + } + } + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group_template_deployment" "event_hub_managed_identity" { + name = "${var.connection_name}_deployment" + resource_group_name = var.resource_group_name + + template_content = file("./connection.json") + parameters_content = jsonencode({ + "event_hub_connection_name" = { + value = var.connection_name + } + "event_hub_namespace_endpoint" = { + value = var.event_hub_namespace_endpoint + } + "location" = { + value = var.location + } + }) + deployment_mode = "Incremental" +} diff --git a/modules/azure/api_connectors/event_hub_managed_identity/outputs.tf b/modules/azure/api_connectors/event_hub_managed_identity/outputs.tf new file mode 100644 index 00000000..e1e4f872 --- /dev/null +++ b/modules/azure/api_connectors/event_hub_managed_identity/outputs.tf @@ -0,0 +1,3 @@ +output "name" { + value = var.connection_name +} \ No newline at end of file diff --git a/modules/azure/api_connectors/event_hub_managed_identity/variables.tf b/modules/azure/api_connectors/event_hub_managed_identity/variables.tf new file mode 100644 index 00000000..61cc537b --- /dev/null +++ b/modules/azure/api_connectors/event_hub_managed_identity/variables.tf @@ -0,0 +1,19 @@ +variable "resource_group_name" { + type = string + description = "Resource group the connection should be placed in" +} + +variable "connection_name" { + type = string + description = "Name for the connection" +} + +variable "event_hub_namespace_endpoint" { + type = string + description = "The namespace endpoint for the connected Event Hub" +} + +variable "location" { + type = string + description = "The location of the connector, set by Azure if not provided and used to avoid deployment differences." +} 
diff --git a/modules/azure/api_connectors/excel_online/connection.json b/modules/azure/api_connectors/excel_online/connection.json new file mode 100644 index 00000000..3427a5bc --- /dev/null +++ b/modules/azure/api_connectors/excel_online/connection.json @@ -0,0 +1,33 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "location" + } + }, + "connection_name": { + "type": "String", + "metadata": { + "description": "Connection resource name to connect to an Excel Online." + } + } + }, + "resources": [ + { + "name": "[parameters('connection_name')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "Shared Excel Online Account", + "api": { + "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', resourceGroup().location ,'/managedApis/excelonlinebusiness')]" + } + } + } + ] +} \ No newline at end of file diff --git a/modules/azure/api_connectors/excel_online/main.tf b/modules/azure/api_connectors/excel_online/main.tf new file mode 100644 index 00000000..d0d771d2 --- /dev/null +++ b/modules/azure/api_connectors/excel_online/main.tf @@ -0,0 +1,29 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.48" + } + } + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group_template_deployment" "log_analytics" { + name = "${var.connection_name}_deployment" + resource_group_name = var.resource_group_name + + template_content = file("./connection.json") + parameters_content = jsonencode({ + "connection_name" = { + value = var.connection_name + } + }) + deployment_mode = "Incremental" +} 
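Review bot: The `location` parameter with its `resourceGroup().location` default is never used: the resource `location` and the managed API `id` both call `resourceGroup().location` directly, and main.tf in the same commit does not pass it, so either drop the parameter or reference it as `"[parameters('location')]"` the way the other connector templates in this commit do. A `Shared Excel Online Account` connection is a delegated (user) connection, so the deployment presumably leaves it unauthorized until someone consents in the portal; a comment or README line stating that manual step would spare the next user a confusing debugging session. sharepoint_online/connection.json has the same unused parameter.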
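Review bot: The deployment resource is named `log_analytics`, copied from another connector module, although it deploys an Excel Online connection; `resource "azurerm_resource_group_template_deployment" "excel_online" {` is the accurate name and, as this is a new file, nothing in state depends on it yet. sharepoint_online/main.tf and logic_app_custom_connector/main.tf in this commit carry the same copied name.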
diff --git a/modules/azure/api_connectors/excel_online/outputs.tf b/modules/azure/api_connectors/excel_online/outputs.tf new file mode 100644 index 00000000..f28257db --- /dev/null +++ b/modules/azure/api_connectors/excel_online/outputs.tf @@ -0,0 +1,3 @@ +output "name" { + value = var.connection_name +} diff --git a/modules/azure/api_connectors/excel_online/variables.tf b/modules/azure/api_connectors/excel_online/variables.tf new file mode 100644 index 00000000..541a77f5 --- /dev/null +++ b/modules/azure/api_connectors/excel_online/variables.tf @@ -0,0 +1,9 @@ +variable "resource_group_name" { + type = string + description = "Resource group this connection should be placed in" +} + +variable "connection_name" { + type = string + description = "The name the connection should have" +} diff --git a/modules/azure/api_connectors/logic_app_custom_connector/connection.json b/modules/azure/api_connectors/logic_app_custom_connector/connection.json new file mode 100644 index 00000000..b6a5f445 --- /dev/null +++ b/modules/azure/api_connectors/logic_app_custom_connector/connection.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "location" + } + }, + "connector_name": { + "type": "String", + "metadata": { + "description": "Connector resource name" + } + }, + "function_url": { + "type": "String", + "metadata": { + "description": "Url of the function" + } + }, + "swagger": { + "type": "object", + "metadata": { + "description": "Swagger definition" + } + } + }, + "resources": [ + { + "type": "Microsoft.Web/customApis", + "apiVersion": "2016-06-01", + "name": "[parameters('connector_name')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[parameters('connector_name')]", + "backendService": { + "serviceurl": "[parameters('function_url')]" + }, + "swagger": "[parameters('swagger')]" + } + } + ] +} \ No newline at end of file diff --git a/modules/azure/api_connectors/logic_app_custom_connector/main.tf b/modules/azure/api_connectors/logic_app_custom_connector/main.tf new file mode 100644 index 00000000..b6ee93f0 --- /dev/null +++ b/modules/azure/api_connectors/logic_app_custom_connector/main.tf 
@@ -0,0 +1,35 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.48" + } + } + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group_template_deployment" "log_analytics" { + name = "${var.connector_name}_deployment" + resource_group_name = var.resource_group_name + + template_content = file("./connection.json") + parameters_content = jsonencode({ + "connector_name" = { + value = var.connector_name + }, + "function_url" = { + value = var.function_url + }, + "swagger" = { + value = var.swagger_path != "" ? jsondecode(file(var.swagger_path)) : jsondecode(var.swagger) + } + }) + deployment_mode = "Incremental" +} diff --git a/modules/azure/api_connectors/logic_app_custom_connector/outputs.tf b/modules/azure/api_connectors/logic_app_custom_connector/outputs.tf new file mode 100644 index 00000000..a96be114 --- /dev/null +++ b/modules/azure/api_connectors/logic_app_custom_connector/outputs.tf @@ -0,0 +1,3 @@ +output "name" { + value = var.connector_name +} diff --git a/modules/azure/api_connectors/logic_app_custom_connector/variables.tf b/modules/azure/api_connectors/logic_app_custom_connector/variables.tf new file mode 100644 index 00000000..6e129655 --- /dev/null +++ b/modules/azure/api_connectors/logic_app_custom_connector/variables.tf @@ -0,0 +1,25 @@ +variable "resource_group_name" { + type = string + description = "Resource group this connection should be placed in" +} + +variable "connector_name" { + type = string + description = "The name the connection should have" +} + +variable "function_url" { + type = string + description = "The url of function" +} + +variable "swagger" { + type = string + description = "Swagger definition" +} + +variable "swagger_path" { + description = "Path to the Swagger JSON file" + type = string + default = "" +} 
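Review bot: `variable "swagger"` has no default, so it is mandatory even when `swagger_path` is supplied, although main.tf only reads it in the branch taken when `swagger_path` is empty; callers using a file will have to pass a dummy value. Give it `default = ""` and add a `validation` block that requires exactly one of the two to be set, e.g. `condition = (var.swagger != "") != (var.swagger_path != "")` with an `error_message` naming both variables. The `swagger_path` description could also say the file is read relative to Terraform's working directory, which is what `file(var.swagger_path)` does.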
diff --git a/modules/azure/api_connectors/service_bus_managed_identity_set/connection.json b/modules/azure/api_connectors/service_bus_managed_identity_set/connection.json new file mode 100644 index 00000000..cf79e8c7 --- /dev/null +++ b/modules/azure/api_connectors/service_bus_managed_identity_set/connection.json @@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String", + "metadata": { + "description": "location" + } + }, + "service_bus_connection_name": { + "type": "String", + "metadata": { + "description": "Name to use for this connection" + } + }, + "service_bus_namespace_endpoint": { + "type": "String", + "metadata": { + "description": "Service Bus namespace" + } + } + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[parameters('service_bus_connection_name')]", + "location": "[parameters('location')]", + "kind": "V1", + "properties": { + "displayName": "Service Bus", + "api": { + "name": "servicebus", + "id": "[format('{0}/providers/Microsoft.Web/locations/{1}/managedApis/servicebus', subscription().id, parameters('location'))]" + }, + "alternativeParameterValues": {}, + "parameterValueSet": { + "name": "managedIdentityAuth", + "values": { + "namespaceEndpoint": { + "value": "[parameters('service_bus_namespace_endpoint')]" + } + } + } + } + } + ] +} \ No newline at end of file diff --git a/modules/azure/api_connectors/service_bus_managed_identity_set/main.tf b/modules/azure/api_connectors/service_bus_managed_identity_set/main.tf new file mode 100644 index 00000000..c3e9df6d --- /dev/null +++ b/modules/azure/api_connectors/service_bus_managed_identity_set/main.tf 
@@ -0,0 +1,37 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.48" + } + } + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group_template_deployment" "service_bus_managed_identity" { + for_each = var.connection_names + + name = "${each.value}_deployment" + resource_group_name = var.resource_group_name + + template_content = file("./connection.json") + parameters_content = jsonencode({ + "service_bus_connection_name" = { + value = each.value + } + "service_bus_namespace_endpoint" = { + value = var.service_bus_namespace_endpoint + } + "location" = { + value = var.location + } + }) + deployment_mode = "Incremental" +} diff --git a/modules/azure/api_connectors/service_bus_managed_identity_set/outputs.tf b/modules/azure/api_connectors/service_bus_managed_identity_set/outputs.tf new file mode 100644 index 00000000..abe4bd9f --- /dev/null +++ b/modules/azure/api_connectors/service_bus_managed_identity_set/outputs.tf @@ -0,0 +1,3 @@ +output "names" { + value = var.connection_names +} \ No newline at end of file diff --git a/modules/azure/api_connectors/service_bus_managed_identity_set/variables.tf b/modules/azure/api_connectors/service_bus_managed_identity_set/variables.tf new file mode 100644 index 00000000..1e8e0a77 --- /dev/null +++ b/modules/azure/api_connectors/service_bus_managed_identity_set/variables.tf 
@@ -0,0 +1,19 @@ +variable "resource_group_name" { + type = string + description = "Resource group the connection should be placed in" +} + +variable "connection_names" { + type = set(string) + description = "The names for the connection" +} + +variable "service_bus_namespace_endpoint" { + type = string + description = "The namespace endpoint for the connected service bus" +} + +variable "location" { + type = string + description = "The location of the connector, set by Azure if not provided and used to avoid deployment differences." +} diff --git a/modules/azure/api_connectors/sharepoint_online/connection.json b/modules/azure/api_connectors/sharepoint_online/connection.json new file mode 100644 index 00000000..ccd50e32 --- /dev/null +++ b/modules/azure/api_connectors/sharepoint_online/connection.json @@ -0,0 +1,33 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "location" + } + }, + "connection_name": { + "type": "String", + "metadata": { + "description": "Connection resource name to connect to an SharePoint Online." + } + } + }, + "resources": [ + { + "name": "[parameters('connection_name')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "Shared SharePoint Online Account", + "api": { + "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', resourceGroup().location ,'/managedApis/sharepointonline')]" + } + } + } + ] +} \ No newline at end of file diff --git a/modules/azure/api_connectors/sharepoint_online/main.tf b/modules/azure/api_connectors/sharepoint_online/main.tf new file mode 100644 index 00000000..d0d771d2 --- /dev/null +++ b/modules/azure/api_connectors/sharepoint_online/main.tf 
@@ -0,0 +1,29 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.48" + } + } + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group_template_deployment" "log_analytics" { + name = "${var.connection_name}_deployment" + resource_group_name = var.resource_group_name + + template_content = file("./connection.json") + parameters_content = jsonencode({ + "connection_name" = { + value = var.connection_name + } + }) + deployment_mode = "Incremental" +} diff --git a/modules/azure/api_connectors/sharepoint_online/outputs.tf b/modules/azure/api_connectors/sharepoint_online/outputs.tf new file mode 100644 index 00000000..f28257db --- /dev/null +++ b/modules/azure/api_connectors/sharepoint_online/outputs.tf @@ -0,0 +1,3 @@ +output "name" { + value = var.connection_name +} diff --git a/modules/azure/api_connectors/sharepoint_online/variables.tf b/modules/azure/api_connectors/sharepoint_online/variables.tf new file mode 100644 index 00000000..541a77f5 --- /dev/null +++ b/modules/azure/api_connectors/sharepoint_online/variables.tf @@ -0,0 +1,9 @@ +variable "resource_group_name" { + type = string + description = "Resource group this connection should be placed in" +} + +variable "connection_name" { + type = string + description = "The name the connection should have" +} diff --git a/modules/azure/api_management/main.tf b/modules/azure/api_management/main.tf index d100b24a..a0e13245 100644 --- a/modules/azure/api_management/main.tf +++ b/modules/azure/api_management/main.tf 
@@ -100,22 +100,22 @@ resource "azurerm_api_management_diagnostic" "apim_diagnostic" { http_correlation_protocol = var.diagnostic_settings.http_correlation_protocol frontend_request { - body_bytes = 32 + body_bytes = var.diagnostic_settings.frontend_request_body_bytes headers_to_log = var.diagnostic_settings.headers_to_log_request } frontend_response { - body_bytes = 32 + body_bytes = var.diagnostic_settings.frontend_response_body_bytes headers_to_log = var.diagnostic_settings.headers_to_log_response } backend_request { - body_bytes = 32 + body_bytes = var.diagnostic_settings.backend_request_body_bytes headers_to_log = var.diagnostic_settings.headers_to_log_request } backend_response { - body_bytes = 32 + body_bytes = var.diagnostic_settings.backend_response_body_bytes headers_to_log = var.diagnostic_settings.headers_to_log_response } } diff --git a/modules/azure/api_management/outputs.tf b/modules/azure/api_management/outputs.tf index 1b3bc7bd..2313a76c 100644 --- a/modules/azure/api_management/outputs.tf +++ b/modules/azure/api_management/outputs.tf @@ -20,4 +20,9 @@ output "developer_portal_url" { output "public_ip_addresses" { value = azurerm_api_management.api_management.public_ip_addresses +} + +output "app_registration_secret" { + value = azuread_application_password.password.value + sensitive = true } \ No newline at end of file diff --git a/modules/azure/api_management/variables.tf b/modules/azure/api_management/variables.tf index 107408c7..717a3290 100644 --- a/modules/azure/api_management/variables.tf +++ b/modules/azure/api_management/variables.tf 
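Review bot: Making `body_bytes` configurable lets callers log request and response payloads to the diagnostic target, and for an API gateway those payloads routinely contain tokens, credentials and personal data; neither this hunk nor the variables.tf hunk of this commit states that or bounds the value. I suggest the four `*_body_bytes` descriptions in variables.tf say that bodies are written to the logger and that `0` disables body capture, plus a `validation` block on `diagnostic_settings` such as `condition = alltrue([for b in [var.diagnostic_settings.frontend_request_body_bytes, var.diagnostic_settings.frontend_response_body_bytes, var.diagnostic_settings.backend_request_body_bytes, var.diagnostic_settings.backend_response_body_bytes] : b >= 0 && b <= 8192])`, 8192 being, as far as I recall, the provider's upper limit. The `azurerm_api_management_diagnostic` resource starts before this hunk.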
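Review bot: `app_registration_secret` references `azuread_application_password.password`, which no hunk of this commit defines for the api_management module (the `password` resource visible in this commit belongs to api_management_api/main.tf); confirm it exists in api_management/main.tf, otherwise `terraform validate` fails. `sensitive = true` only redacts the value from plan and apply output; it is still stored in plaintext in the state file and in any root output that re-exports it, which is worth a comment next to the output such as `# sensitive hides the value from CLI output only; it remains in state`.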
@@ -70,23 +70,31 @@ variable "api_management_logger_settings" { variable "diagnostic_settings" { type = object({ - sampling_percentage = number, - always_log_errors = bool, - log_client_ip = bool, - verbosity = string, # possible values: verbose, information, error - http_correlation_protocol = string, # possible values: None, Legacy, W3C - headers_to_log_request = list(string), - headers_to_log_response = list(string) + sampling_percentage = number, + always_log_errors = bool, + log_client_ip = bool, + verbosity = string, # possible values: verbose, information, error + http_correlation_protocol = string, # possible values: None, Legacy, W3C + headers_to_log_request = list(string), + headers_to_log_response = list(string), + frontend_request_body_bytes = optional(number, 32), + frontend_response_body_bytes = optional(number, 32), + backend_request_body_bytes = optional(number, 32), + backend_response_body_bytes = optional(number, 32) }) description = "Settings for api management diagnostic, api-management-diagnostic will be created only if api_management_logger_settings have been provided. " default = { - sampling_percentage = 5.0, - always_log_errors = true, - log_client_ip = true, - verbosity = "verbose", # possible values: verbose, information, error - http_correlation_protocol = "W3C", - headers_to_log_request = ["content-type", "accept", "origin"], - headers_to_log_response = ["content-type", "content-length", "origin"] + sampling_percentage = 5.0, + always_log_errors = true, + log_client_ip = true, + verbosity = "verbose", # possible values: verbose, information, error + http_correlation_protocol = "W3C", + headers_to_log_request = ["content-type", "accept", "origin"], + headers_to_log_response = ["content-type", "content-length", "origin"], + frontend_request_body_bytes = 32, + frontend_response_body_bytes = 32, + backend_request_body_bytes = 32, + backend_response_body_bytes = 32 } } 
diff --git a/modules/azure/api_management_api/main.tf b/modules/azure/api_management_api/main.tf index cfcea96a..3f95805d 100644 --- a/modules/azure/api_management_api/main.tf +++ b/modules/azure/api_management_api/main.tf @@ -21,7 +21,8 @@ provider "azurerm" { locals { //Do this if statement here instead of twice for both api:// settings - app_api_endpoint = var.app_api_endpoint != null ? var.app_api_endpoint : "${lower(replace(var.application_name, " ", "-"))}" + app_api_endpoint = var.app_api_endpoint != null ? var.app_api_endpoint : "${lower(replace(var.application_name, " ", "-"))}" + should_assign_group = var.group_id != null ? true : false } ####################################################### @@ -312,6 +313,19 @@ resource "azurerm_api_management_authorization_server" "oauth2" { } +resource "azuread_service_principal" "application" { + count = local.should_assign_group ? 1 : 0 + application_id = azuread_application.application.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +resource "azuread_group_member" "registered_app_member" { + count = local.should_assign_group ? 1 : 0 + group_object_id = var.group_id + member_object_id = azuread_service_principal.application[0].object_id +} + resource "azuread_application_password" "password" { application_object_id = azuread_application.application.object_id } diff --git a/modules/azure/api_management_api/outputs.tf b/modules/azure/api_management_api/outputs.tf index bcfb01c9..85263e2e 100644 --- a/modules/azure/api_management_api/outputs.tf +++ b/modules/azure/api_management_api/outputs.tf @@ -13,3 +13,11 @@ output "application_id" { output "default_role" { value = azuread_application.application.app_role_ids["Default.Access"] } + +output "api_audiences" { + value = azuread_application.application.identifier_uris +} + +output "api_audience" { + value = "api://${local.app_api_endpoint}" +} 
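Review bot: `should_assign_group = var.group_id != null ? true : false` wraps a boolean comparison in a ternary that returns the same boolean; `should_assign_group = var.group_id != null` says the same thing directly. A short comment on the local, e.g. `# a service principal is only created (and added to a group) when group_id is given`, would also explain why the two resources below are conditional.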
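Review bot: The new `azuread_service_principal` hardcodes `owners = [data.azuread_client_config.current.object_id]` although the module already accepts `var.owners` (its declaration is context in the variables.tf hunk of this commit); presumably the application block, which is outside this hunk, uses `var.owners`, in which case `owners = concat([data.azuread_client_config.current.object_id], var.owners)` keeps the service principal's owners consistent with the application's. `app_role_assignment_required = false` means any principal in the tenant can obtain tokens for this API without an assignment; if that is the intended default, a comment saying so next to the line, and ideally a variable to switch it on, would make the choice visible to reviewers of the calling code. The `group_object_id` value is a caller-supplied id with no validation, so a wrong id only surfaces at apply time.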
diff --git a/modules/azure/api_management_api/variables.tf b/modules/azure/api_management_api/variables.tf index ced165fe..7ba08013 100644 --- a/modules/azure/api_management_api/variables.tf +++ b/modules/azure/api_management_api/variables.tf @@ -43,6 +43,12 @@ variable "owners" { default = [] } +variable "group_id" { + type = string + description = "Group ID where service principal of the existing application will belong to" + default = null +} + variable "api_management_logger_id" { type = string description = "The Id of the API management Logger" diff --git a/modules/azure/api_management_api_operation/main.tf b/modules/azure/api_management_api_operation/main.tf new file mode 100644 index 00000000..d1bacc43 --- /dev/null +++ b/modules/azure/api_management_api_operation/main.tf 
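Review bot: The `group_id` description, `Group ID where service principal of the existing application will belong to`, does not say what setting it triggers; since main.tf in this commit creates a service principal only when it is non-null, `description = "Object ID of an Azure AD group. When set, a service principal is created for the application and added to this group; leave null to create neither."` tells the caller both effects.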
@@ -0,0 +1,70 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.48" + } + } + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +locals { + openapi_data = yamldecode(file(var.openapi_file_path)) + + all_operations = flatten([ + for path, methods in local.openapi_data["paths"] : [ + for method, details in methods : { + path = path + method = method + summary = details.summary + operationId = details.operationId + description = details.description + content_type = try(keys(details.requestBody.content), [""])[0] + responses = { for code, response in details.responses : code => response.description } + } + ] + ]) + + operations_map = { for op in local.all_operations : "${op.path}:${op.method}" => op } +} + +resource "azurerm_api_management_api_operation" "operation" { + for_each = local.operations_map + + operation_id = each.value.operationId + api_name = var.api_name + api_management_name = var.api_management_name + resource_group_name = var.resource_group_name + display_name = each.value.summary + method = each.value.method + url_template = each.value.path + description = each.value.description + + dynamic "response" { + for_each = each.value.responses + + content { + status_code = response.key + description = response.value + } + } + + dynamic "request" { + for_each = each.value.content_type != "" ? tolist([each.value.content_type]) : [] + + content { + representation { + content_type = request.value + } + } + } +} + + diff --git a/modules/azure/api_management_api_operation/outputs.tf b/modules/azure/api_management_api_operation/outputs.tf new file mode 100644 index 00000000..137ce4a8 --- /dev/null +++ b/modules/azure/api_management_api_operation/outputs.tf @@ -0,0 +1,3 @@ +output "operation_ids" { + value = { for k, op in azurerm_api_management_api_operation.operation : k => op.id } +} \ No newline at end of file 
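Review bot: The inner comprehension `for method, details in methods` treats every key of an OpenAPI Path Item as an HTTP method, but a Path Item may also carry `parameters`, `summary`, `description` or `servers`, which would then reach `azurerm_api_management_api_operation` as a bogus `method` or fail earlier on `details.summary`; filter the keys, e.g. `for method, details in methods : { ... } if contains(["get", "put", "post", "delete", "options", "head", "patch", "trace"], method)`. `details.summary`, `details.operationId` and `details.description` are optional in OpenAPI, so a spec that omits one of them fails the plan with an unsupported-attribute error; wrap them as `try(details.summary, null)` (and likewise the other two) so the operation is still created. The file also ends with two trailing blank added lines before the next file header.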
diff --git a/modules/azure/api_management_api_operation/variables.tf b/modules/azure/api_management_api_operation/variables.tf new file mode 100644 index 00000000..b2a3eadc --- /dev/null +++ b/modules/azure/api_management_api_operation/variables.tf @@ -0,0 +1,22 @@ +variable "resource_group_name" { + type = string + description = "Name of the resource group." +} + +variable "api_management_name" { + type = string + description = "The name of the API management service." +} + +variable "api_name" { + type = string + description = "API name" +} + +variable "openapi_file_path" { + type = string + description = "Operation file path" +} + + + diff --git a/modules/azure/api_management_api_schema/main.tf b/modules/azure/api_management_api_schema/main.tf new file mode 100644 index 00000000..6f504086 --- /dev/null +++ b/modules/azure/api_management_api_schema/main.tf @@ -0,0 +1,29 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.48" + } + } + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + + +###################################################### +############# API schema ############# +###################################################### + +resource "azurerm_api_management_global_schema" "schema" { + schema_id = var.schema_id + api_management_name = var.api_management_name + resource_group_name = var.resource_group_name + type = var.type + value = file(var.file_location) +} diff --git a/modules/azure/api_management_api_schema/outputs.tf b/modules/azure/api_management_api_schema/outputs.tf new file mode 100644 index 00000000..ccab37f8 --- /dev/null +++ b/modules/azure/api_management_api_schema/outputs.tf @@ -0,0 +1,7 @@ +output "id" { + value = azurerm_api_management_global_schema.schema.id +} + +output "schema_id" { + value = var.schema_id +} 
diff --git a/modules/azure/api_management_api_schema/variables.tf b/modules/azure/api_management_api_schema/variables.tf new file mode 100644 index 00000000..89051099 --- /dev/null +++ b/modules/azure/api_management_api_schema/variables.tf @@ -0,0 +1,24 @@ +variable "resource_group_name" { + type = string + description = "Name of the resource group." +} + +variable "api_management_name" { + type = string + description = "The name of the API management service." +} + +variable "file_location" { + type = string + description = "Path to schema file." +} + +variable "type" { + type = string + description = "The content type of the Schema. Possible values are xml and json." +} + +variable "schema_id" { + type = string + description = "A unique identifier for this Schema." +} diff --git a/modules/azure/api_management_api_simple/main.tf b/modules/azure/api_management_api_simple/main.tf index 010d0736..18e5720f 100644 --- a/modules/azure/api_management_api_simple/main.tf +++ b/modules/azure/api_management_api_simple/main.tf @@ -16,6 +16,7 @@ provider "azurerm" { } locals { + do_schema = var.schema.file_location != null && var.schema.type != null && var.schema.schema_id != null ? true : false } ####################################################### @@ -239,3 +240,12 @@ resource "azurerm_api_management_product_api" "product_api" { api_management_name = var.api_management_name resource_group_name = var.resource_group_name } + +resource "azurerm_api_management_global_schema" "json" { + count = local.do_schema ? 1 : 0 + schema_id = var.schema.schema_id + api_management_name = var.api_management_name + resource_group_name = var.resource_group_name + type = var.schema.type + value = file(var.schema.file_location) +} diff --git a/modules/azure/api_management_api_simple/outputs.tf b/modules/azure/api_management_api_simple/outputs.tf index 7c838078..a2088ca3 100644 --- a/modules/azure/api_management_api_simple/outputs.tf +++ b/modules/azure/api_management_api_simple/outputs.tf 
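Review bot: `variable "type"` in api_management_api_schema/variables.tf documents that only `xml` and `json` are accepted, but nothing enforces it, so a typo is only caught as an API error at apply; add `validation { condition = contains(["xml", "json"], var.type) error_message = "type must be xml or json." }`. In api_management_api_simple/main.tf, `do_schema = ... ? true : false` is already a boolean and can drop the ternary; since the `schema` variable's validation guarantees all-or-nothing, `do_schema = var.schema.schema_id != null` would express the same thing without repeating the three-way check.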
@@ -2,6 +2,10 @@ output "api_name" { value = azurerm_api_management_api.api.name } +output "id" { + value = azurerm_api_management_api.api.id +} + output "api_management_api_diagnostic" { value = (var.api_diagnostic_settings != null && var.api_management_logger_id != null) ? azurerm_api_management_api_diagnostic.api_diagnostic[0].id : null } diff --git a/modules/azure/api_management_api_simple/variables.tf b/modules/azure/api_management_api_simple/variables.tf index f5909a6a..806435d0 100644 --- a/modules/azure/api_management_api_simple/variables.tf +++ b/modules/azure/api_management_api_simple/variables.tf @@ -163,3 +163,24 @@ variable "custom_outbound_policy" { description = "Additional outbound xml policies" default = null } + +variable "schema" { + type = object({ + file_location = optional(string), + type = optional(string), + schema_id = optional(string) + }) + + default = { + file_location = null + type = null + schema_id = null + } + + validation { + condition = ((var.schema.file_location != null && var.schema.type != null && var.schema.schema_id != null) || (var.schema.file_location == null && var.schema.type == null && var.schema.schema_id == null)) + error_message = "schema_id, file_location and type must be provided." + } + + description = "Schema for validation of request" +} diff --git a/modules/azure/databricks_cluster/main.tf b/modules/azure/databricks_cluster/main.tf index ea60e31f..730debb8 100644 --- a/modules/azure/databricks_cluster/main.tf +++ b/modules/azure/databricks_cluster/main.tf 
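Review bot: The `validation` block on `var.schema` accepts both the all-null and the all-set case, but its `error_message = "schema_id, file_location and type must be provided."` only describes one half, so a caller who set two of the three gets a message that does not explain the rule; `error_message = "Either all of schema_id, file_location and type must be set, or none of them."` matches the condition. The `default` spelling out three explicit `null`s is redundant with the `optional(string)` attributes: `default = {}` produces the same object.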
@@ -54,3 +54,21 @@ resource "databricks_global_init_script" "init_script" {
 name = "init script"
 enabled = true
 }
+
+resource "databricks_cluster_policy" "fair_use_policy" {
+ count = var.cluster_policy == "" ? 0 : 1
+
+ name = "Fair use cluster policy"
+ definition = var.cluster_policy
+}
+
+resource "databricks_permissions" "fair_use_policy_usage" {
+ count = var.cluster_policy == "" ? 0 : 1
+
+ cluster_policy_id = databricks_cluster_policy.fair_use_policy[0].id
+
+ access_control {
+ group_name = "users"
+ permission_level = "CAN_USE"
+ }
+}
diff --git a/modules/azure/databricks_cluster/variables.tf b/modules/azure/databricks_cluster/variables.tf
index 7cb9bf96..b07c2a3e 100644
--- a/modules/azure/databricks_cluster/variables.tf
+++ b/modules/azure/databricks_cluster/variables.tf
@@ -81,3 +81,9 @@ variable "init_script" {
 description = "Script to run when initalizing a databricks job or cluster."
 default = ""
 }
+
+variable "cluster_policy" {
+ type = string
+ description = "Default cluster policy."
+ default = ""
+}
diff --git a/modules/azure/databricks_permissions_user_based/main.tf b/modules/azure/databricks_permissions_user_based/main.tf
new file mode 100644
index 00000000..dbec6211
--- /dev/null
+++ b/modules/azure/databricks_permissions_user_based/main.tf
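Review bot: `group_name = "users"` in `databricks_permissions.fair_use_policy_usage` hard-codes the built-in all-users group, so setting `var.cluster_policy` grants CAN_USE on the policy to every workspace user; if a workspace-wide fair-use policy is the intent, state it in the `cluster_policy` description, otherwise make the group a variable with `"users"` as its default. `definition = var.cluster_policy` expects a JSON policy document, but the variable is described only as `"Default cluster policy."`; a description such as `"Cluster policy definition as a JSON string; empty disables the policy."` tells callers what to pass. `var.cluster_policy == "" ? 0 : 1` is duplicated across the two `count`s; a `local.has_cluster_policy` keeps them in sync.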
@@ -0,0 +1,52 @@
+terraform {
+ required_version = "~> 1.3"
+
+ required_providers {
+ databricks = {
+ source = "databricks/databricks"
+ version = "~> 1.0"
+ }
+ }
+
+ backend "azurerm" {}
+}
+
+provider "databricks" {
+ host = var.workspace_url
+}
+
+resource "databricks_user" "user" {
+ for_each = toset(var.users)
+ user_name = each.key
+ display_name = each.key
+ force = true
+}
+
+data "databricks_group" "admins" {
+ display_name = "admins"
+}
+
+resource "databricks_group_member" "admins" {
+ for_each = toset(var.admins)
+ group_id = data.databricks_group.admins.id
+ member_id = databricks_user.user[each.value].id
+}
+
+// HACK: Initial tokens needs to be present for token usage permissions to be set
+resource "databricks_token" "token" {
+ comment = "Initial token"
+ lifetime_seconds = 8640000
+}
+
+resource "databricks_permissions" "token_usage" {
+ authorization = "tokens"
+
+ access_control {
+ group_name = "users"
+ permission_level = "CAN_USE"
+ }
+
+ depends_on = [
+ databricks_token.token
+ ]
+}
diff --git a/modules/azure/databricks_permissions_user_based/variables.tf b/modules/azure/databricks_permissions_user_based/variables.tf
new file mode 100644
index 00000000..07c2dea1
--- /dev/null
+++ b/modules/azure/databricks_permissions_user_based/variables.tf
@@ -0,0 +1,16 @@
+variable "workspace_url" {
+ type = string
+ description = "The url of the databricks workspace."
+}
+
+variable "users" {
+ type = list(string)
+ description = "A list of users in the databricks workspace."
+ default = []
+}
+
+variable "admins" {
+ type = list(string)
+ description = "A list of admins in the databricks workspace."
+ default = []
+}
diff --git a/modules/azure/event_grid_topic/main.tf b/modules/azure/event_grid_topic/main.tf
index b2541364..7b05f8cd 100644
--- a/modules/azure/event_grid_topic/main.tf
+++ b/modules/azure/event_grid_topic/main.tf
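Review bot: `databricks_token.token` mints a personal access token with `lifetime_seconds = 8640000` (100 days) solely so that the `tokens` permission can be set, and a token resource's value is persisted in Terraform state; since nothing on this page ever uses the token, a lifetime just long enough for the bootstrap limits what a state leak exposes, and the `HACK` comment should say that the token is unused and that state must be treated as secret. `force = true` on `databricks_user.user` adopts an already-existing user of the same name into state, after which removing the name from `var.users` deletes that account; a comment such as `// force: take over pre-existing users with this name; removal from var.users deletes them` warns callers. `provider "databricks"` sets only `host`, so authentication is taken from the environment; name the expected mechanism in the module's documentation.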
@@ -21,4 +21,34 @@ resource "azurerm_eventgrid_system_topic" "topic" { resource_group_name = var.resource_group_name source_arm_resource_id = var.source_arm_resource_id topic_type = var.topic_type -} \ No newline at end of file +} + +data "azurerm_monitor_diagnostic_categories" "diagnostic_categories" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + resource_id = azurerm_eventgrid_system_topic.topic.id +} + +resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + name = "diag-${var.topic_name}" + target_resource_id = azurerm_eventgrid_system_topic.topic.id + log_analytics_workspace_id = var.loganalytics_diagnostic_setting.workspace_id + + + dynamic "enabled_log" { + for_each = var.loganalytics_diagnostic_setting.categories == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].log_category_types : var.loganalytics_diagnostic_setting.categories + + content { + category = enabled_log.value + } + } + + dynamic "metric" { + for_each = var.loganalytics_diagnostic_setting.metrics == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].metrics : var.loganalytics_diagnostic_setting.metrics + + content { + category = metric.value + enabled = true + } + } +} diff --git a/modules/azure/event_grid_topic/variables.tf b/modules/azure/event_grid_topic/variables.tf index b328c74e..33728556 100644 --- a/modules/azure/event_grid_topic/variables.tf +++ b/modules/azure/event_grid_topic/variables.tf 
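Review bot: The `azurerm_monitor_diagnostic_setting.diagnostic_setting` added here has no `log_analytics_destination_type`, while the matching blocks this commit adds to event_hub/main.tf and log_analytics_workspace/main.tf expose it through `destination_type` on the same-named variable; if the omission is deliberate a comment should say so, otherwise the `loganalytics_diagnostic_setting` object here should gain `destination_type = optional(string)` and the resource `log_analytics_destination_type = var.loganalytics_diagnostic_setting.destination_type`, so the three modules stay interchangeable. Two consecutive blank lines separate `log_analytics_workspace_id` from the `dynamic "enabled_log"` block.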
@@ -22,3 +22,13 @@ variable "source_arm_resource_id" { type = string description = "The ID of the Event Grid System Topic ARM Source." } + +variable "loganalytics_diagnostic_setting" { + type = object({ + workspace_id = string, // log analytics workspace ID + categories = optional(list(string)), // null list,means send all categories + metrics = optional(list(string)), // null list means send all metrics + }) + description = "Specifies the log categories that have to be sent to Log analytics." + default = null +} \ No newline at end of file diff --git a/modules/azure/event_hub/main.tf b/modules/azure/event_hub/main.tf index 0e82fc0c..f4561735 100644 --- a/modules/azure/event_hub/main.tf +++ b/modules/azure/event_hub/main.tf 
@@ -37,3 +37,34 @@ resource "azurerm_eventhub_consumer_group" "consumer" { eventhub_name = azurerm_eventhub.eventhub.name resource_group_name = var.resource_group_name } + + +data "azurerm_monitor_diagnostic_categories" "diagnostic_categories" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + resource_id = azurerm_eventhub_namespace.namespace.id +} + +resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + name = "diag-${var.namespace_name}" + target_resource_id = azurerm_eventhub_namespace.namespace.id + log_analytics_workspace_id = var.loganalytics_diagnostic_setting.workspace_id + log_analytics_destination_type = var.loganalytics_diagnostic_setting.destination_type == null ? null : var.loganalytics_diagnostic_setting.destination_type + + dynamic "enabled_log" { + for_each = var.loganalytics_diagnostic_setting.categories == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].log_category_types : var.loganalytics_diagnostic_setting.categories + + content { + category = enabled_log.value + } + } + + dynamic "metric" { + for_each = var.loganalytics_diagnostic_setting.metrics == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].metrics : var.loganalytics_diagnostic_setting.metrics + + content { + category = metric.value + enabled = true + } + } +} diff --git a/modules/azure/event_hub/variables.tf b/modules/azure/event_hub/variables.tf index 8d04d839..6519b5a8 100644 --- a/modules/azure/event_hub/variables.tf +++ b/modules/azure/event_hub/variables.tf 
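Review bot: `log_analytics_destination_type = var.loganalytics_diagnostic_setting.destination_type == null ? null : var.loganalytics_diagnostic_setting.destination_type` is a ternary whose both branches yield the same value; `log_analytics_destination_type = var.loganalytics_diagnostic_setting.destination_type` is equivalent. The same expression appears in the diagnostic setting added to log_analytics_workspace/main.tf in this commit.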
@@ -46,3 +46,15 @@ variable "consumer_group_name" { type = string description = "Eventhub consumer group name." } + + +variable "loganalytics_diagnostic_setting" { + type = object({ + workspace_id = string, // log analytics workspace ID + categories = optional(list(string)), // null list,means send all categories + metrics = optional(list(string)), // null list means send all metrics + destination_type = optional(string), // AzureDiagnostics or Dedicated + }) + description = "Specifies the log categories that have to be sent to Log analytics." + default = null +} diff --git a/modules/azure/function_app_linux/main.tf b/modules/azure/function_app_linux/main.tf index 09497b3d..3b4578c0 100644 --- a/modules/azure/function_app_linux/main.tf +++ b/modules/azure/function_app_linux/main.tf @@ -33,6 +33,15 @@ resource "azurerm_linux_function_app" "function_app" { vnet_route_all_enabled = var.route_all_outbound_traffic use_32_bit_worker = var.use_32_bit_worker + dynamic "application_stack" { + for_each = var.dotnet_version != "" ? [1] : [] + + content { + dotnet_version = var.dotnet_version + use_dotnet_isolated_runtime = var.dotnet_isolated + } + } + dynamic "ip_restriction" { for_each = var.ip_restrictions @@ -70,6 +79,14 @@ resource "azurerm_linux_function_app" "function_app" { identity { type = "SystemAssigned" } + + /* + * VNet integration is set by a separate resource 'vnet_integration' below, so this must be ignored, see 'NOTE on regional virtual network integration:' here + * https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app + */ + lifecycle { + ignore_changes = [virtual_network_subnet_id] + } } # VNet integration diff --git a/modules/azure/function_app_linux/variables.tf b/modules/azure/function_app_linux/variables.tf index 732ec3e9..3d14f9b4 100644 --- a/modules/azure/function_app_linux/variables.tf +++ b/modules/azure/function_app_linux/variables.tf 
@@ -13,6 +13,18 @@ variable "name" { description = "Specifies the name of the function app." } +variable "dotnet_version" { + type = string + description = "Specifies the version of dotnet." + default = "" +} + +variable "dotnet_isolated" { + type = bool + description = "Specifies if it is isolated function app." + default = false +} + variable "service_plan_id" { type = string description = "The ID of the Service Plan within which to create this Function App." diff --git a/modules/azure/function_app_linux_managed_identity/main.tf b/modules/azure/function_app_linux_managed_identity/main.tf index d767d27e..0bf622d3 100644 --- a/modules/azure/function_app_linux_managed_identity/main.tf +++ b/modules/azure/function_app_linux_managed_identity/main.tf 
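Review bot: `dotnet_version` accepts any string, with `""` serving as the "not set" sentinel that disables the `application_stack` block in main.tf, so a mistyped version is only rejected by the Azure API at apply time; a `validation { condition = var.dotnet_version == "" || contains([<accepted provider values>], var.dotnet_version) error_message = "..." }` (fill the list from the provider's documented values) makes it a plan error, and the description should mention that `""` means "no application_stack". The same two variables are added to function_app_linux_managed_identity/variables.tf and function_app_windows/variables.tf in this commit.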
@@ -32,31 +32,42 @@ provider "null" { } locals { - should_create_app = var.managed_identity_provider.existing != null ? false : true - identifiers = concat(local.should_create_app ? ["api://${var.managed_identity_provider.create.application_name}"] : [], var.managed_identity_provider.identifier_uris != null ? var.managed_identity_provider.identifier_uris : []) - allowed_audiences = concat(local.identifiers, var.managed_identity_provider.allowed_audiences != null ? var.managed_identity_provider.allowed_audiences : []) + should_create_app = var.managed_identity_provider.existing != null ? false : true + should_assign_group = var.managed_identity_provider.create.group_id != null ? true : false + identifiers = concat(local.should_create_app ? ["api://${var.managed_identity_provider.create.application_name}"] : [], var.managed_identity_provider.identifier_uris != null ? var.managed_identity_provider.identifier_uris : []) + allowed_audiences = concat(local.identifiers, var.managed_identity_provider.allowed_audiences != null ? var.managed_identity_provider.allowed_audiences : []) } # Function App resource "azurerm_linux_function_app" "function_app" { - name = var.name - location = var.location - resource_group_name = var.resource_group_name - service_plan_id = var.service_plan_id - storage_account_name = var.storage_account_name - storage_account_access_key = var.storage_account_access_key + name = var.name + location = var.location + resource_group_name = var.resource_group_name + service_plan_id = var.service_plan_id + storage_account_name = var.storage_account_name + + storage_account_access_key = (var.use_managed_identity == null || var.use_managed_identity == false) ? var.storage_account_access_key : null + storage_uses_managed_identity = var.use_managed_identity == true ? 
var.use_managed_identity : null //null due to conflict with storage_account_access_key + functions_extension_version = var.runtime_version app_settings = merge(var.app_settings, { MICROSOFT_PROVIDER_AUTHENTICATION_SECRET = "${local.should_create_app ? azuread_application_password.password[0].value : var.managed_identity_provider.existing.client_secret}" }) - site_config { always_on = var.always_on vnet_route_all_enabled = var.route_all_outbound_traffic use_32_bit_worker = var.use_32_bit_worker + dynamic "application_stack" { + for_each = var.dotnet_version != "" ? [var.dotnet_version] : [] + content { + dotnet_version = application_stack.value + use_dotnet_isolated_runtime = var.dotnet_isolated + } + } + dynamic "ip_restriction" { for_each = var.ip_restrictions @@ -94,6 +105,14 @@ resource "azurerm_linux_function_app" "function_app" { identity { type = "SystemAssigned" } + + /* + * VNet integration is set by a separate resource 'vnet_integration' below, so this must be ignored, see 'NOTE on regional virtual network integration:' here + * https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app + */ + lifecycle { + ignore_changes = [virtual_network_subnet_id] + } } @@ -200,6 +219,19 @@ resource "azuread_application" "application" { } } +resource "azuread_service_principal" "application" { + count = local.should_assign_group ? 1 : 0 + application_id = azuread_application.application[0].application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +resource "azuread_group_member" "registered_app_member" { + count = local.should_assign_group ? 1 : 0 + group_object_id = var.managed_identity_provider.create.group_id + member_object_id = azuread_service_principal.application[0].object_id +} + resource "azuread_application_password" "password" { count = local.should_create_app ? 1 : 0 application_object_id = azuread_application.application[0].object_id 
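Review bot: With `storage_account_access_key` now defaulting to `null` and `use_managed_identity` defaulting to `null`, a caller who sets neither gets `storage_account_access_key = null` and `storage_uses_managed_identity = null`, i.e. no storage authentication at all, and the module only surfaces that as a provider-level error; a `lifecycle { precondition { condition = var.use_managed_identity == true || var.storage_account_access_key != null  error_message = "Set use_managed_identity or storage_account_access_key." } }` on the function app gives a plan-time message. When the identity path is used, the system-assigned identity still needs a data-plane role on the storage account and nothing in this module grants it, so that prerequisite belongs in the `use_managed_identity` description. `var.use_managed_identity == true ? var.use_managed_identity : null` reduces to `var.use_managed_identity == true ? true : null`. The `azurerm_linux_function_app` body continues past the end of this hunk.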
diff --git a/modules/azure/function_app_linux_managed_identity/outputs.tf b/modules/azure/function_app_linux_managed_identity/outputs.tf index 60a44582..1a8ad7f4 100644 --- a/modules/azure/function_app_linux_managed_identity/outputs.tf +++ b/modules/azure/function_app_linux_managed_identity/outputs.tf @@ -13,3 +13,7 @@ output "id" { output "aad_application_name" { value = var.managed_identity_provider.existing == null ? "api://${var.managed_identity_provider.create.application_name}" : null } + +output "api_audiences" { + value = local.allowed_audiences +} diff --git a/modules/azure/function_app_linux_managed_identity/variables.tf b/modules/azure/function_app_linux_managed_identity/variables.tf index bab5925d..16547954 100644 --- a/modules/azure/function_app_linux_managed_identity/variables.tf +++ b/modules/azure/function_app_linux_managed_identity/variables.tf @@ -13,6 +13,18 @@ variable "name" { description = "Specifies the name of the function app." } +variable "dotnet_version" { + type = string + description = "Specifies the version of dotnet." + default = "" +} + +variable "dotnet_isolated" { + type = bool + description = "Specifies if it is isolated function app." + default = false +} + variable "managed_identity_provider" { type = object({ existing = optional(object({ @@ -33,6 +45,7 @@ variable "managed_identity_provider" { }) owners = optional(list(string)) # Deployment user will be added as owner by default redirect_uris = optional(list(string)) # Only for additional URIs, function uri will be added by default + group_id = optional(string) # Group ID where service principal of the existing application will belong to })) identifier_uris = optional(list(string)) # api:// will be added by default if application is create allowed_audiences = optional(list(string)) # api:// will be added by default 
@@ -62,7 +75,14 @@ variable "storage_account_name" { variable "storage_account_access_key" { type = string - description = " The access key which will be used to access the backend storage account for the Function App." + description = "DEPRECATED in favor of use_managed_identity instead. The access key which will be used to access the backend storage account for the Function App." + default = null +} + +variable "use_managed_identity" { + type = bool + description = "Adds managed identity to the function app, that allows to avoid explicit access token usage" + default = null } variable "app_settings" { diff --git a/modules/azure/function_app_windows/main.tf b/modules/azure/function_app_windows/main.tf index a7f4c485..8036b7ab 100644 --- a/modules/azure/function_app_windows/main.tf +++ b/modules/azure/function_app_windows/main.tf @@ -33,6 +33,15 @@ resource "azurerm_windows_function_app" "function_app" { vnet_route_all_enabled = var.route_all_outbound_traffic use_32_bit_worker = var.use_32_bit_worker + dynamic "application_stack" { + for_each = var.dotnet_version != "" ? [1] : [] + + content { + dotnet_version = var.dotnet_version + use_dotnet_isolated_runtime = var.dotnet_isolated + } + } + dynamic "ip_restriction" { for_each = var.ip_restrictions @@ -70,6 +79,14 @@ resource "azurerm_windows_function_app" "function_app" { identity { type = "SystemAssigned" } + + /* + * VNet integration is set by a separate resource below, so this must be ignored, see 'NOTE on regional virtual network integration:' here + * https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_function_app + */ + lifecycle { + ignore_changes = [virtual_network_subnet_id] + } } # Host keys diff --git a/modules/azure/function_app_windows/variables.tf b/modules/azure/function_app_windows/variables.tf index e555002e..749b9b7e 100644 --- a/modules/azure/function_app_windows/variables.tf +++ b/modules/azure/function_app_windows/variables.tf 
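Review bot: `use_managed_identity` is a `bool` with `default = null`, which makes it tri-state and is why main.tf has to spell out `var.use_managed_identity == null || var.use_managed_identity == false`; `default = false` states the intent (key-based unless opted in) and lets the conditionals become `var.use_managed_identity ? null : var.storage_account_access_key` and `var.use_managed_identity ? true : null`. The new description `"DEPRECATED in favor of use_managed_identity instead. ..."` doubles up "in favor of" and "instead"; `"DEPRECATED: prefer use_managed_identity. The access key ..."` reads cleaner, and it should also say that the key is still required while `use_managed_identity` is false.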
@@ -13,6 +13,18 @@ variable "name" { description = "Specifies the name of the function app." } +variable "dotnet_version" { + type = string + description = "Specifies the version of dotnet." + default = "" +} + +variable "dotnet_isolated" { + type = bool + description = "Specifies if it is isolated function app." + default = false +} + variable "service_plan_id" { type = string description = "The ID of the Service Plan within which to create this Function App." diff --git a/modules/azure/iam_set/main.tf b/modules/azure/iam_set/main.tf new file mode 100644 index 00000000..68bcbfd4 --- /dev/null +++ b/modules/azure/iam_set/main.tf @@ -0,0 +1,39 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.48" + } + } + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +locals { + role_assignments = flatten([ + for principal_key, principal_id in var.principals : + [ + for role in var.roles : { + scope = role.scope + role_definition_name = role.role_name + principal_id = principal_id + role_name = role.name + } + ] + ]) +} + +resource "azurerm_role_assignment" "role_assignment" { + for_each = { for ra in local.role_assignments : + "${ra.principal_id}_${ra.role_definition_name}${ra.role_name != null ? "_${ra.role_name}" : ""}" => ra } + + scope = each.value.scope + role_definition_name = each.value.role_definition_name + principal_id = each.value.principal_id +} diff --git a/modules/azure/iam_set/variables.tf b/modules/azure/iam_set/variables.tf new file mode 100644 index 00000000..374e74ac --- /dev/null +++ b/modules/azure/iam_set/variables.tf 
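Review bot: The `for_each` key of `azurerm_role_assignment.role_assignment` is built from `ra.principal_id`, `ra.role_definition_name` and the optional `ra.role_name` but not from `ra.scope`, so two entries in `var.roles` with the same `role_name` and no `name` at different scopes produce duplicate keys and the plan fails; it also keys on the principal's id value, which has to be known at plan time, whereas the map key `principal_key` already iterated in `locals` is stable. Carry the key through the flattened object (`principal_key = principal_key`) and include the scope, e.g. `"${ra.principal_key}_${ra.role_definition_name}_${ra.scope}"`, or make `name` required. The object field `role_name` feeding `role_definition_name` while a separate `name` feeds `role_name` is easy to misread; a comment on the variable (or renaming the field to `role_definition_name`) would help.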
@@ -0,0 +1,13 @@
+variable "roles" {
+ type = list(object({
+ name = optional(string),
+ role_name = string,
+ scope = string,
+ }))
+ description = "List of role objects to apply roles on users given a certain scope."
+}
+
+variable "principals" {
+ description = "Map of principals to assign roles to"
+ type = map(string)
+}
\ No newline at end of file
diff --git a/modules/azure/key_vault_secrets_put_once/outputs.tf b/modules/azure/key_vault_secrets_put_once/outputs.tf
new file mode 100644
index 00000000..9a4ba47d
--- /dev/null
+++ b/modules/azure/key_vault_secrets_put_once/outputs.tf
@@ -0,0 +1,10 @@
+output "secrets" {
+ value = {
+ for prop in values(resource.azurerm_key_vault_secret.secret)[*] :
+ prop.name => {
+ value = prop.value
+ versionlessid = prop.versionless_id
+ }
+ }
+ sensitive = true
+}
\ No newline at end of file
diff --git a/modules/azure/log_analytics_workspace/main.tf b/modules/azure/log_analytics_workspace/main.tf
index f5d95518..9d9a360a 100644
--- a/modules/azure/log_analytics_workspace/main.tf
+++ b/modules/azure/log_analytics_workspace/main.tf
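Review bot: In key_vault_secrets_put_once/outputs.tf, `values(resource.azurerm_key_vault_secret.secret)[*]` applies a full splat to a value that is already a list, so `[*]` is a no-op and can be dropped. The output returns every secret value; `sensitive = true` keeps them out of CLI output, but they are still written to the state of any configuration that reads this output, so callers that only need a reference should consume `versionlessid` rather than `value`, which is worth a comment on the output. `versionlessid` departs from the provider's `versionless_id` spelling used on the same line.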
@@ -23,3 +23,36 @@ resource "azurerm_log_analytics_workspace" "workspace" { retention_in_days = var.retention_in_days daily_quota_gb = var.daily_quota_gb } + + + +data "azurerm_monitor_diagnostic_categories" "diagnostic_categories" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + resource_id = azurerm_log_analytics_workspace.workspace.id +} + +resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + name = "diag-${var.name}" + target_resource_id = azurerm_log_analytics_workspace.workspace.id + log_analytics_workspace_id = azurerm_log_analytics_workspace.workspace.id + log_analytics_destination_type = var.loganalytics_diagnostic_setting.destination_type == null ? null : var.loganalytics_diagnostic_setting.destination_type + + dynamic "enabled_log" { + for_each = var.loganalytics_diagnostic_setting.categories == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].log_category_types : var.loganalytics_diagnostic_setting.categories + + content { + category = enabled_log.value + } + } + + dynamic "metric" { + for_each = var.loganalytics_diagnostic_setting.metrics == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].metrics : var.loganalytics_diagnostic_setting.metrics + + content { + category = metric.value + enabled = true + } + } +} + diff --git a/modules/azure/log_analytics_workspace/outputs.tf b/modules/azure/log_analytics_workspace/outputs.tf index ca9bfab6..054ec37a 100644 --- a/modules/azure/log_analytics_workspace/outputs.tf +++ b/modules/azure/log_analytics_workspace/outputs.tf @@ -10,3 +10,8 @@ output "workspace_id" { value = azurerm_log_analytics_workspace.workspace.workspace_id } +output "primary_key" { + value = azurerm_log_analytics_workspace.workspace.primary_shared_key + sensitive = true +} + 
diff --git a/modules/azure/log_analytics_workspace/variables.tf b/modules/azure/log_analytics_workspace/variables.tf index 1f8b36a0..73680064 100644 --- a/modules/azure/log_analytics_workspace/variables.tf +++ b/modules/azure/log_analytics_workspace/variables.tf @@ -30,3 +30,13 @@ variable "daily_quota_gb" { description = "The workspace daily quota for ingestion in GB." default = 5 } + +variable "loganalytics_diagnostic_setting" { + type = object({ + categories = optional(list(string)), // null list,means send all categories + metrics = optional(list(string)), // null list means send all metrics + destination_type = optional(string), // AzureDiagnostics or Dedicated + }) + description = "Specifies the log categories that have to be sent to Log analytics." + default = null +} diff --git a/modules/azure/logic_app/outputs.tf b/modules/azure/logic_app/outputs.tf index e0ba415e..76e52fc8 100644 --- a/modules/azure/logic_app/outputs.tf +++ b/modules/azure/logic_app/outputs.tf @@ -2,9 +2,14 @@ output "principal_id" { value = var.use_managed_identity ? azurerm_logic_app_workflow.workflow.identity[0].principal_id : null } +# Deprecated output output "enpoint" { value = azurerm_logic_app_workflow.workflow.access_endpoint } + +output "endpoint" { + value = azurerm_logic_app_workflow.workflow.access_endpoint +} output "id" { value = azurerm_logic_app_workflow.workflow.id } diff --git a/modules/azure/logic_app_bicep/main.tf b/modules/azure/logic_app_bicep/main.tf new file mode 100644 index 00000000..ee28f0a4 --- /dev/null +++ b/modules/azure/logic_app_bicep/main.tf 
@@ -0,0 +1,134 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.48" + } + + local = { + source = "hashicorp/local" + version = "2.4.1" + } + } + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +locals { + // Remove need for specifying the "value" field for every parameter + parameters_content = { + for key, value in var.arm_parameters : + key => { "value" = value } + } + + do_bicep_build = var.templates_files.bicep_path != null ? true : false +} + +resource "azurerm_logic_app_workflow" "workflow" { + name = var.logic_app_name + location = var.location + resource_group_name = var.resource_group_name + enabled = var.enabled + + dynamic "identity" { + for_each = var.use_managed_identity ? [1] : [] + content { + type = "SystemAssigned" + } + } + + dynamic "access_control" { + for_each = length(var.trigger_oauth_policy_claims) > 0 ? [1] : [] + content { + trigger { + allowed_caller_ip_address_range = var.trigger_ip_address_range + open_authentication_policy { + name = "Default" + dynamic "claim" { + for_each = var.trigger_oauth_policy_claims + content { + name = claim.key + value = claim.value + } + } + } + } + } + } +} + +// Deploy workflow as ARM template conditional when arm_template_path is specified +// To export the ARM template from the Azure portal go to Logic App > Automation > Export Template +resource "azurerm_resource_group_template_deployment" "workflow_deployment" { + count = (var.templates_files.arm_template_path == null && var.templates_files.bicep_path == null) ? 0 : 1 + name = "${var.logic_app_name}-deployment" + resource_group_name = var.resource_group_name + deployment_mode = "Incremental" + template_content = var.templates_files.arm_template_path != null ? 
file(var.templates_files.arm_template_path) : data.local_file.workflow_json.content + parameters_content = jsonencode(local.parameters_content) + + depends_on = [azurerm_logic_app_workflow.workflow] +} + +data "azurerm_monitor_diagnostic_categories" "diagnostic_categories" { + count = var.log_analytics_workspace_id == null ? 0 : 1 + resource_id = azurerm_logic_app_workflow.workflow.id +} + +// Write logs and metrics to log analytics if specified +resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting" { + count = var.log_analytics_workspace_id == null ? 0 : 1 + name = "diag-${var.logic_app_name}" + target_resource_id = azurerm_logic_app_workflow.workflow.id + log_analytics_workspace_id = var.log_analytics_workspace_id + + // TODO: not yet implemented by Azure + // log_analytics_destination_type = "Dedicated" + + dynamic "enabled_log" { + for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].log_category_types + + content { + category = enabled_log.value + + retention_policy { + enabled = false + } + } + } + + dynamic "metric" { + for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].metrics + + content { + category = metric.value + enabled = true + + retention_policy { + enabled = false + } + } + } +} + +resource "null_resource" "bicep_build" { + count = local.do_bicep_build ? 1 : 0 + triggers = { + timestamp = "${timestamp()}" # by setting the timestamp we will make it running every time + } + provisioner "local-exec" { + command = "az bicep build --file ${var.templates_files.bicep_path}" + working_dir = var.module_dir + } +} + +data "local_file" "workflow_json" { + depends_on = [null_resource.bicep_build] + filename = "${var.module_dir}/workflow.json" +} diff --git a/modules/azure/logic_app_bicep/outputs.tf b/modules/azure/logic_app_bicep/outputs.tf new file mode 100644 index 00000000..76e52fc8 --- /dev/null +++ b/modules/azure/logic_app_bicep/outputs.tf 
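Review bot: The `access_control` block in `azurerm_logic_app_workflow.workflow` is only emitted when `trigger_oauth_policy_claims` is non-empty, so a caller who sets `trigger_ip_address_range` without OAuth claims gets no IP restriction at all, and with the wide-open default `["0.0.0.0/0"]` the variable is silently ignored rather than enforced; gate the outer block on either input and make `open_authentication_policy` its own dynamic, as below. Separately, `null_resource.bicep_build` interpolates `var.templates_files.bicep_path` unquoted into a shell command while `hashicorp/null` is missing from `required_providers`, so the provider is resolved unpinned; quote the path (or pass it via `environment`) and add the provider with a version constraint. The `timestamp()` trigger also forces a rebuild and a perpetual plan diff on every run, and `data.local_file.workflow_json` reads a fixed `workflow.json` that `az bicep build` only produces if the bicep file is named `workflow.bicep`, which looks like an undocumented assumption worth a comment or a derived filename.
```hcl
  dynamic "access_control" {
    # Emit the block when either an OAuth policy or a non-default IP allow-list is configured;
    # gating on claims alone dropped the IP restriction whenever no claims were given.
    for_each = (length(var.trigger_oauth_policy_claims) > 0 || var.trigger_ip_address_range != toset(["0.0.0.0/0"])) ? [1] : []
    content {
      trigger {
        allowed_caller_ip_address_range = var.trigger_ip_address_range
        dynamic "open_authentication_policy" {
          for_each = length(var.trigger_oauth_policy_claims) > 0 ? [1] : []
          content {
            name = "Default"
            dynamic "claim" {
              for_each = var.trigger_oauth_policy_claims
              content {
                name  = claim.key
                value = claim.value
              }
            }
          }
        }
      }
    }
  }
  // … unchanged: rest of the workflow resource …
```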
@@ -0,0 +1,15 @@ +output "principal_id" { + value = var.use_managed_identity ? azurerm_logic_app_workflow.workflow.identity[0].principal_id : null +} + +# Deprecated output +output "enpoint" { + value = azurerm_logic_app_workflow.workflow.access_endpoint +} + +output "endpoint" { + value = azurerm_logic_app_workflow.workflow.access_endpoint +} +output "id" { + value = azurerm_logic_app_workflow.workflow.id +} diff --git a/modules/azure/logic_app_bicep/variables.tf b/modules/azure/logic_app_bicep/variables.tf new file mode 100644 index 00000000..03357c2a --- /dev/null +++ b/modules/azure/logic_app_bicep/variables.tf 
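Review bot: The misspelled `enpoint` output is carried into this brand-new module under a `# Deprecated output` comment, but a new module has no callers to stay compatible with, so the deprecation only preserves the typo. Drop the `enpoint` block here and keep the correctly spelled `endpoint`; the deprecation shim belongs only in the existing `logic_app` module where callers may depend on it.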
@@ -0,0 +1,80 @@ +variable "location" { + type = string + description = "A datacenter location in Azure." +} + +variable "resource_group_name" { + type = string + description = "Name of the resource group." +} + +variable "logic_app_name" { + type = string + description = "Specifies the name of the Log Analytics Workspace." +} + +variable "arm_parameters" { + type = any + description = "Parameter values for the ARM template." + default = {} +} + +variable "templates_files" { + type = object({ + bicep_path = optional(string), + arm_template_path = optional(string) + }) + + default = { + bicep_path = null + arm_template_path = null + } + + validation { + condition = ((var.templates_files.bicep_path == null && var.templates_files.arm_template_path != null) || (var.templates_files.bicep_path != null && var.templates_files.arm_template_path == null)) + error_message = "One of these (bicep_path, arm_template_path) needs to be set " + } +} + +# it is neccessary for the creation of workflow.json localy using bicep +variable "module_dir" { + type = string + description = "Module direcory" + default = "." +} + +variable "log_analytics_workspace_id" { + type = string + description = "Specifies the ID of a Log Analytics Workspace where diagnostics data should be sent." + default = null +} + +variable "log_retention_days" { + type = number + description = "Number of days for which logs and metrics will be saved." 
+ default = 30 +} + +variable "enabled" { + type = bool + description = "If this workflow should be enabled by default or not, defaults to true" + default = true +} + +variable "use_managed_identity" { + type = bool + description = "Use Managed Identity for this logic app" + default = false +} + +variable "trigger_oauth_policy_claims" { + type = map(string) + description = "Claims validated by OAuth policy in HTTP trigger" + default = {} +} + +variable "trigger_ip_address_range" { + type = set(string) + description = "IP address range allowed to call HTTP trigger" + default = ["0.0.0.0/0"] +} diff --git a/modules/azure/logic_app_set/main.tf b/modules/azure/logic_app_set/main.tf index ee2ed6fd..d6c69fc8 100644 --- a/modules/azure/logic_app_set/main.tf +++ b/modules/azure/logic_app_set/main.tf @@ -24,6 +24,13 @@ resource "azurerm_logic_app_workflow" "workflow" { name = each.value.logic_app_name location = var.location resource_group_name = var.resource_group_name + + dynamic "identity" { + for_each = var.use_managed_identity ? [1] : [] + content { + type = "SystemAssigned" + } + } } // Deploy workflow as ARM template conditional when arm_template_path is specified diff --git a/modules/azure/logic_app_set/outputs.tf b/modules/azure/logic_app_set/outputs.tf index e69de29b..60842ddf 100644 --- a/modules/azure/logic_app_set/outputs.tf +++ b/modules/azure/logic_app_set/outputs.tf @@ -0,0 +1,6 @@ +output "principal_id" { + value = { + for key, workflow_instance in azurerm_logic_app_workflow.workflow : + key => var.use_managed_identity ? workflow_instance.identity[0].principal_id : null + } +} diff --git a/modules/azure/logic_app_set/variables.tf b/modules/azure/logic_app_set/variables.tf index 70aef306..7cda5abf 100644 --- a/modules/azure/logic_app_set/variables.tf +++ b/modules/azure/logic_app_set/variables.tf 
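Review bot: `log_retention_days` is declared with a default of 30 but the diagnostic setting in this module's main.tf sets `retention_policy { enabled = false }` for every log and metric, so the variable has no effect and its description promises retention that does not happen; either wire it in or mark it as unused in the description. The `logic_app_name` description is a copy-paste from another module (`Specifies the name of the Log Analytics Workspace.`) and should read `Specifies the name of the Logic App workflow.`. `trigger_ip_address_range` defaults to `["0.0.0.0/0"]`, which is allow-all; the description should say so explicitly, e.g. `IP ranges allowed to call the HTTP trigger; the default allows all callers.`, and the `templates_files` error message has a trailing space and would read better as `Exactly one of bicep_path or arm_template_path must be set.`.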
@@ -32,4 +32,10 @@ variable "logic_app_instances" { arm_parameters = any })) description = "Individual logic app configuration" +} + +variable "use_managed_identity" { + type = bool + description = "Use Managed Identity for this logic app" + default = false } \ No newline at end of file diff --git a/modules/azure/monitoring_log_analytics_alert/main.tf b/modules/azure/monitoring_log_analytics_alert/main.tf index 280bf29e..9322d6e2 100644 --- a/modules/azure/monitoring_log_analytics_alert/main.tf +++ b/modules/azure/monitoring_log_analytics_alert/main.tf @@ -28,7 +28,7 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "query_alert" { data_source_id = each.value.data_source_id action { - action_group = [var.action_group_id] + action_group = var.action_groups != null ? var.action_groups : [var.action_group_id] email_subject = "Monitoring Alert" } diff --git a/modules/azure/monitoring_log_analytics_alert/variables.tf b/modules/azure/monitoring_log_analytics_alert/variables.tf index 8b462c40..4cec8fd2 100644 --- a/modules/azure/monitoring_log_analytics_alert/variables.tf +++ b/modules/azure/monitoring_log_analytics_alert/variables.tf @@ -11,6 +11,13 @@ variable "resource_group_name" { variable "action_group_id" { type = string description = "ID of the action group to associate the alert with." + default = null +} + +variable "action_groups" { + type = list(string) + description = "Action groups that must be triggered" + default = null } variable "monitoring_rules" { diff --git a/modules/azure/network_security_group/main.tf b/modules/azure/network_security_group/main.tf index 5cf21fa4..120a2ba7 100644 --- a/modules/azure/network_security_group/main.tf +++ b/modules/azure/network_security_group/main.tf 
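Review bot: With `action_group_id` now defaulting to null, `action_group = var.action_groups != null ? var.action_groups : [var.action_group_id]` evaluates to `[null]` when a caller sets neither variable, so the misconfiguration surfaces as a provider error deep in apply instead of a clear message. Variable validation cannot reference a second variable, so a resource `precondition` is the right place for the cross-variable check; this needs Terraform 1.2 or later, and the module's `required_version` is not visible in this hunk. The enclosing resource starts outside the hunk.
```hcl
  // … unchanged: for_each, name, query, data_source_id …
  lifecycle {
    precondition {
      condition     = var.action_groups != null || var.action_group_id != null
      error_message = "Set either action_groups or action_group_id; the alert needs at least one notification target."
    }
  }

  action {
    action_group  = var.action_groups != null ? var.action_groups : [var.action_group_id]
```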
@@ -46,3 +46,36 @@ resource "azurerm_subnet_network_security_group_association" "nsg_subnet_associa subnet_id = each.key network_security_group_id = azurerm_network_security_group.network_security_group.id } + + +data "azurerm_monitor_diagnostic_categories" "diagnostic_categories" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + resource_id = azurerm_network_security_group.network_security_group.id +} + +resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + name = "diag-${var.network_security_group_name}" + target_resource_id = azurerm_network_security_group.network_security_group.id + log_analytics_workspace_id = var.loganalytics_diagnostic_setting.workspace_id + + + dynamic "enabled_log" { + for_each = var.loganalytics_diagnostic_setting.categories == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].log_category_types : var.loganalytics_diagnostic_setting.categories + + content { + category = enabled_log.value + } + } + + dynamic "metric" { + for_each = var.loganalytics_diagnostic_setting.metrics == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].metrics : var.loganalytics_diagnostic_setting.metrics + + content { + category = metric.value + enabled = true + } + } +} + + diff --git a/modules/azure/network_security_group/variables.tf b/modules/azure/network_security_group/variables.tf index 8f62626b..1c7f1cd9 100644 --- a/modules/azure/network_security_group/variables.tf +++ b/modules/azure/network_security_group/variables.tf 
@@ -37,3 +37,14 @@ variable "subnet_ids" { description = "List of subnet ids to associate with network security group." default = [] } + + +variable "loganalytics_diagnostic_setting" { + type = object({ + workspace_id = string, // log analytics workspace ID + categories = optional(list(string)), // null list,means send all categories + metrics = optional(list(string)), // null list means send all metrics + }) + description = "Specifies the log categories that have to be sent to Log analytics." + default = null +} diff --git a/modules/azure/postgresql/main.tf b/modules/azure/postgresql/main.tf index 49f9741b..4e743b21 100644 --- a/modules/azure/postgresql/main.tf +++ b/modules/azure/postgresql/main.tf @@ -33,13 +33,14 @@ resource "azurerm_postgresql_flexible_server" "postgresql_server" { sku_name = var.postgresql_sku_name - storage_mb = var.postgresql_db_size - backup_retention_days = 30 + storage_mb = var.postgresql_db_size + backup_retention_days = 30 + public_network_access_enabled = var.public_network_access_enabled administrator_login = var.admin_username administrator_password = random_password.postgresql_admin.result version = var.postgresql_version - zone = "1" + zone = var.postgresql_zone delegated_subnet_id = var.delegated_subnet_id private_dns_zone_id = var.private_dns_zone_id diff --git a/modules/azure/postgresql/variables.tf b/modules/azure/postgresql/variables.tf index b354f836..d2be8190 100644 --- a/modules/azure/postgresql/variables.tf +++ b/modules/azure/postgresql/variables.tf 
@@ -23,11 +23,23 @@ variable "postgresql_db_size" { description = "Specifies the max storage allowed for this PostgreSQL Server" } +variable "public_network_access_enabled" { + type = bool + description = "Specifies whether or not public network access is allowed for this PostgreSQL Server" + default = false +} + variable "postgresql_version" { type = string description = "Version of the PostgreSQL database." } +variable "postgresql_zone" { + type = string + description = "Zone of the PostgreSQL database." + default = "1" +} + variable "postgresql_database_name" { type = string description = "Name of the PostgreSQL resource." diff --git a/modules/azure/private_endpoint/main.tf b/modules/azure/private_endpoint/main.tf new file mode 100644 index 00000000..2b3fcbdb --- /dev/null +++ b/modules/azure/private_endpoint/main.tf @@ -0,0 +1,36 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.48" + } + } + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +resource "azurerm_private_endpoint" "private_endpoint" { + name = var.name + location = var.location + resource_group_name = var.resource_group_name + subnet_id = var.subnet_id + + private_service_connection { + name = var.private_connection_name + private_connection_resource_id = var.private_connection_resource_id + subresource_names = var.private_connection_subresource_names + is_manual_connection = var.is_manual_connection + request_message = var.private_connection_request_message + } + + private_dns_zone_group { + name = var.private_dns_zone_group_name + private_dns_zone_ids = var.private_dns_zone_ids + } +} diff --git a/modules/azure/private_endpoint/outputs.tf b/modules/azure/private_endpoint/outputs.tf new file mode 100644 index 00000000..1330f117 --- /dev/null +++ b/modules/azure/private_endpoint/outputs.tf @@ -0,0 +1,3 @@ +output "private_endpoint_id" { + value = azurerm_private_endpoint.private_endpoint.id +} 
diff --git a/modules/azure/private_endpoint/variables.tf b/modules/azure/private_endpoint/variables.tf new file mode 100644 index 00000000..3330184c --- /dev/null +++ b/modules/azure/private_endpoint/variables.tf @@ -0,0 +1,56 @@ +variable "name" { + type = string + description = "Name of the Private Endpoint" +} + +variable "location" { + type = string + description = "A datacenter location in Azure." +} + +variable "resource_group_name" { + type = string + description = "Name of the resource group." +} + +variable "private_connection_resource_id" { + type = string + description = "The ID of the resource where the connection should be made to." +} + +variable "private_connection_subresource_names" { + type = set(string) + description = "The subresource names of the resource where the connection should be made to." +} + +variable "is_manual_connection" { + type = bool + description = "Specifies whether the connection must be approved manually" +} + +variable "private_connection_request_message" { + type = string + description = "The message sent with manual connection request. Relevant only for manual connections" + default = null +} + +variable "subnet_id" { + type = string + description = "The Id of the subnet" +} + +variable "private_connection_name" { + type = string + description = "The name of the private connection name" +} + +variable "private_dns_zone_ids" { + type = set(string) + description = "The IDs of the private DNS zones." +} + +variable "private_dns_zone_group_name" { + type = string + description = "The name of the private DNS zone group." + default = "deployedByPolicy" +} diff --git a/modules/azure/public_ip/main.tf b/modules/azure/public_ip/main.tf index 238424cb..bf85d686 100644 --- a/modules/azure/public_ip/main.tf +++ b/modules/azure/public_ip/main.tf 
@@ -23,3 +23,34 @@ resource "azurerm_public_ip" "public_ip" { domain_name_label = var.domain_name_label sku = var.sku } + +data "azurerm_monitor_diagnostic_categories" "diagnostic_categories" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + resource_id = azurerm_public_ip.public_ip.id +} + +resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + name = "diag-${var.name}" + target_resource_id = azurerm_public_ip.public_ip.id + log_analytics_workspace_id = var.loganalytics_diagnostic_setting.workspace_id + + + dynamic "enabled_log" { + for_each = var.loganalytics_diagnostic_setting.categories == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].log_category_types : var.loganalytics_diagnostic_setting.categories + + content { + category = enabled_log.value + } + } + + dynamic "metric" { + for_each = var.loganalytics_diagnostic_setting.metrics == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].metrics : var.loganalytics_diagnostic_setting.metrics + + content { + category = metric.value + enabled = true + } + } +} + diff --git a/modules/azure/public_ip/variables.tf b/modules/azure/public_ip/variables.tf index b712c9e8..0f12f620 100644 --- a/modules/azure/public_ip/variables.tf +++ b/modules/azure/public_ip/variables.tf @@ -30,3 +30,13 @@ variable "domain_name_label" { description = "Label for the Domain Name. Will be used to make up the FQDN" default = null } + +variable "loganalytics_diagnostic_setting" { + type = object({ + workspace_id = string, // log analytics workspace ID + categories = optional(list(string)), // null list,means send all categories + metrics = optional(list(string)), // null list means send all metrics + }) + description = "Specifies the log categories that have to be sent to Log analytics." + default = null +} 
diff --git a/modules/azure/service_bus_public/main.tf b/modules/azure/service_bus_public/main.tf index 26f59473..38f674b2 100644 --- a/modules/azure/service_bus_public/main.tf +++ b/modules/azure/service_bus_public/main.tf @@ -31,3 +31,32 @@ resource "azurerm_servicebus_namespace_authorization_rule" "authorization_rule" send = var.authorization_rule.send manage = var.authorization_rule.manage } + +data "azurerm_monitor_diagnostic_categories" "diagnostic_categories" { + count = var.log_analytics_workspace_id == null ? 0 : 1 + resource_id = azurerm_servicebus_namespace.service_bus.id +} + +resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting" { + count = var.log_analytics_workspace_id == null ? 0 : 1 + name = "diag-${var.name}" + target_resource_id = azurerm_servicebus_namespace.service_bus.id + log_analytics_workspace_id = var.log_analytics_workspace_id + + dynamic "enabled_log" { + for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].log_category_types + + content { + category = enabled_log.value + } + } + + dynamic "metric" { + for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].metrics + + content { + category = metric.value + enabled = true + } + } +} diff --git a/modules/azure/service_bus_public/outputs.tf b/modules/azure/service_bus_public/outputs.tf index 860cc827..6e347c84 100644 --- a/modules/azure/service_bus_public/outputs.tf +++ b/modules/azure/service_bus_public/outputs.tf @@ -14,4 +14,8 @@ output "primary_access_key" { output "primary_access_connection_string" { value = azurerm_servicebus_namespace.service_bus.default_primary_connection_string sensitive = true -} \ No newline at end of file +} + +output "endpoint" { + value = azurerm_servicebus_namespace.service_bus.endpoint +} diff --git a/modules/azure/service_bus_public/variables.tf b/modules/azure/service_bus_public/variables.tf index f72c085a..8b022c10 100644 --- a/modules/azure/service_bus_public/variables.tf 
+++ b/modules/azure/service_bus_public/variables.tf @@ -28,3 +28,9 @@ variable "authorization_rule" { description = "Manages a ServiceBus Namespace authorization Rule within the ServiceBus." default = null } + +variable "log_analytics_workspace_id" { + type = string + description = "Specifies the ID of a Log Analytics Workspace where diagnostics data should be sent." + default = null +} diff --git a/modules/azure/service_bus_subscription/main.tf b/modules/azure/service_bus_subscription/main.tf index 75022a76..8c2f40f0 100644 --- a/modules/azure/service_bus_subscription/main.tf +++ b/modules/azure/service_bus_subscription/main.tf @@ -55,3 +55,13 @@ resource "azurerm_servicebus_subscription_rule" "correlation_filter" { properties = var.correlation_filter.properties } } + +# When no filter is specified, we create a default to capture all (otherwise, the subs is unreachable) +# This filter is automatically create by Azure during initial create, but is not created during update (if someone deletes a filter) +resource "azurerm_servicebus_subscription_rule" "default_route_all_sql_filter" { + count = var.sql_filter_query == null && var.correlation_filter == null ? 1 : 0 + name = "Default-ConsumeAll" + subscription_id = azurerm_servicebus_subscription.service_bus_subscription.id + filter_type = "SqlFilter" + sql_filter = "1=1" +} diff --git a/modules/azure/service_plan/main.tf b/modules/azure/service_plan/main.tf index 4b8e58a8..654f3750 100644 --- a/modules/azure/service_plan/main.tf +++ b/modules/azure/service_plan/main.tf 
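Review bot: `default_route_all_sql_filter` adds a second match-all rule named `Default-ConsumeAll` on subscriptions that carry no explicit filter, and Service Bus delivers one copy of a message per matching rule, so if the provider-created `$Default` rule is still present alongside it, consumers may receive every message twice; this should be verified on a fresh subscription before relying on it, and the comment should record the outcome. The comment also needs cleanup: `# When no filter is specified, create a catch-all rule (otherwise the subscription receives nothing).` and `# Azure creates this rule on initial create but does not recreate it on update (e.g. if someone deletes a filter).`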
@@ -84,3 +84,35 @@ resource "azurerm_monitor_autoscale_setting" "autoscale_setting" { } } } + + +data "azurerm_monitor_diagnostic_categories" "diagnostic_categories" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + resource_id = azurerm_service_plan.sp.id +} + +resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + name = "diag-${var.name}" + target_resource_id = azurerm_service_plan.sp.id + log_analytics_workspace_id = var.loganalytics_diagnostic_setting.workspace_id + + + dynamic "enabled_log" { + for_each = var.loganalytics_diagnostic_setting.categories == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].log_category_types : var.loganalytics_diagnostic_setting.categories + + content { + category = enabled_log.value + } + } + + dynamic "metric" { + for_each = var.loganalytics_diagnostic_setting.metrics == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].metrics : var.loganalytics_diagnostic_setting.metrics + + content { + category = metric.value + enabled = true + } + } +} + diff --git a/modules/azure/service_plan/variables.tf b/modules/azure/service_plan/variables.tf index 1c5f1ccd..98dfa568 100644 --- a/modules/azure/service_plan/variables.tf +++ b/modules/azure/service_plan/variables.tf @@ -65,3 +65,14 @@ variable "scaling_rules" { } ] } + + +variable "loganalytics_diagnostic_setting" { + type = object({ + workspace_id = string, // log analytics workspace ID + categories = optional(list(string)), // null list,means send all categories + metrics = optional(list(string)), // null list means send all metrics + }) + description = "Specifies the log categories that have to be sent to Log analytics." + default = null +} diff --git a/modules/azure/storage_account_public/main.tf b/modules/azure/storage_account_public/main.tf index a7e23ccb..34cbc1a4 100644 --- a/modules/azure/storage_account_public/main.tf 
+++ b/modules/azure/storage_account_public/main.tf @@ -28,20 +28,24 @@ resource "azurerm_storage_account" "storage_account" { nfsv3_enabled = var.nfsv3_enabled is_hns_enabled = var.is_hns_enabled - dynamic "blob_properties" { - for_each = var.cors_rules != null ? [1] : [] + blob_properties { + dynamic "cors_rule" { + for_each = var.cors_rules + + content { + allowed_headers = cors_rule.value.allowed_headers + allowed_methods = cors_rule.value.allowed_methods + allowed_origins = cors_rule.value.allowed_origins + exposed_headers = cors_rule.value.exposed_headers + max_age_in_seconds = cors_rule.value.max_age_in_seconds + } + } - content { - dynamic "cors_rule" { - for_each = var.cors_rules - - content { - allowed_headers = cors_rule.value.allowed_headers - allowed_methods = cors_rule.value.allowed_methods - allowed_origins = cors_rule.value.allowed_origins - exposed_headers = cors_rule.value.exposed_headers - max_age_in_seconds = cors_rule.value.max_age_in_seconds - } + dynamic "delete_retention_policy" { + for_each = var.delete_retention_policy_days != null ? [1] : [] + + content { + days = var.delete_retention_policy_days } } } 
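Review bot: `delete_retention_policy_days` defaults to null, so the new `delete_retention_policy` dynamic leaves blob soft delete off unless every caller opts in, which is the less safe default for a storage module. Changing the default would alter behaviour for existing callers, so at minimum the variable's description should say `Number of days to retain deleted blobs; null leaves blob soft delete disabled.` and the secure choice (for example 7) should be recommended there. Note that `blob_properties {}` is now always emitted even when `cors_rules` is empty and no retention is set, which looks intentional but is worth a one-line comment. The enclosing resource starts outside the hunk.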
@@ -112,3 +116,119 @@ resource "azurerm_storage_management_policy" "storage_management_policy" { } } } + +data "azurerm_monitor_diagnostic_categories" "blob" { + count = var.loganalytics_diagnostic_setting.workspace_id == null || var.loganalytics_diagnostic_setting.blob == null ? 0 : 1 + resource_id = "${azurerm_storage_account.storage_account.id}/blobServices/default/" +} + +data "azurerm_monitor_diagnostic_categories" "queue" { + count = var.loganalytics_diagnostic_setting.workspace_id == null || var.loganalytics_diagnostic_setting.queue == null ? 0 : 1 + resource_id = "${azurerm_storage_account.storage_account.id}/queueServices/default/" +} + +data "azurerm_monitor_diagnostic_categories" "table" { + count = var.loganalytics_diagnostic_setting.workspace_id == null || var.loganalytics_diagnostic_setting.table == null ? 0 : 1 + resource_id = "${azurerm_storage_account.storage_account.id}/tableServices/default/" +} + +data "azurerm_monitor_diagnostic_categories" "file" { + count = var.loganalytics_diagnostic_setting.workspace_id == null || var.loganalytics_diagnostic_setting.file == null ? 0 : 1 + resource_id = "${azurerm_storage_account.storage_account.id}/fileServices/default/" +} + +resource "azurerm_monitor_diagnostic_setting" "blob" { + count = var.loganalytics_diagnostic_setting.workspace_id == null || var.loganalytics_diagnostic_setting.blob == null ? 0 : 1 + name = "diag-blob-${var.name}" + target_resource_id = "${azurerm_storage_account.storage_account.id}/blobServices/default/" + log_analytics_workspace_id = var.loganalytics_diagnostic_setting.workspace_id + + dynamic "enabled_log" { + for_each = var.loganalytics_diagnostic_setting.blob.categories == null ? data.azurerm_monitor_diagnostic_categories.blob[0].log_category_types : var.loganalytics_diagnostic_setting.blob.categories + + content { + category = enabled_log.value + } + } + + dynamic "metric" { + for_each = var.loganalytics_diagnostic_setting.blob.metrics == null ? 
data.azurerm_monitor_diagnostic_categories.blob[0].metrics : var.loganalytics_diagnostic_setting.blob.metrics + + content { + category = metric.value + enabled = true + } + } +} + +resource "azurerm_monitor_diagnostic_setting" "queue" { + count = var.loganalytics_diagnostic_setting.workspace_id == null || var.loganalytics_diagnostic_setting.queue == null ? 0 : 1 + name = "diag-queue-${var.name}" + target_resource_id = "${azurerm_storage_account.storage_account.id}/queueServices/default/" + log_analytics_workspace_id = var.loganalytics_diagnostic_setting.workspace_id + + dynamic "enabled_log" { + for_each = var.loganalytics_diagnostic_setting.queue.categories == null ? data.azurerm_monitor_diagnostic_categories.queue[0].log_category_types : var.loganalytics_diagnostic_setting.queue.categories + + content { + category = enabled_log.value + } + } + + dynamic "metric" { + for_each = var.loganalytics_diagnostic_setting.queue.metrics == null ? data.azurerm_monitor_diagnostic_categories.queue[0].metrics : var.loganalytics_diagnostic_setting.queue.metrics + + content { + category = metric.value + enabled = true + } + } +} + +resource "azurerm_monitor_diagnostic_setting" "table" { + count = var.loganalytics_diagnostic_setting.workspace_id == null || var.loganalytics_diagnostic_setting.table == null ? 0 : 1 + name = "diag-table-${var.name}" + target_resource_id = "${azurerm_storage_account.storage_account.id}/tableServices/default/" + log_analytics_workspace_id = var.loganalytics_diagnostic_setting.workspace_id + + dynamic "enabled_log" { + for_each = var.loganalytics_diagnostic_setting.table.categories == null ? data.azurerm_monitor_diagnostic_categories.table[0].log_category_types : var.loganalytics_diagnostic_setting.table.categories + + content { + category = enabled_log.value + } + } + + dynamic "metric" { + for_each = var.loganalytics_diagnostic_setting.table.metrics == null ? 
data.azurerm_monitor_diagnostic_categories.table[0].metrics : var.loganalytics_diagnostic_setting.table.metrics + + content { + category = metric.value + enabled = true + } + } +} + +resource "azurerm_monitor_diagnostic_setting" "file" { + count = var.loganalytics_diagnostic_setting.workspace_id == null || var.loganalytics_diagnostic_setting.table == null ? 0 : 1 + name = "diag-file-${var.name}" + target_resource_id = "${azurerm_storage_account.storage_account.id}/fileServices/default/" + log_analytics_workspace_id = var.loganalytics_diagnostic_setting.workspace_id + + dynamic "enabled_log" { + for_each = var.loganalytics_diagnostic_setting.file.categories == null ? data.azurerm_monitor_diagnostic_categories.file[0].log_category_types : var.loganalytics_diagnostic_setting.file.categories + + content { + category = enabled_log.value + } + } + + dynamic "metric" { + for_each = var.loganalytics_diagnostic_setting.file.metrics == null ? data.azurerm_monitor_diagnostic_categories.file[0].metrics : var.loganalytics_diagnostic_setting.file.metrics + + content { + category = metric.value + enabled = true + } + } +} diff --git a/modules/azure/storage_account_public/variables.tf b/modules/azure/storage_account_public/variables.tf index 92bcaf88..11cd624b 100644 --- a/modules/azure/storage_account_public/variables.tf +++ b/modules/azure/storage_account_public/variables.tf @@ -89,7 +89,7 @@ variable "cors_rules" { max_age_in_seconds = number })) description = "Describes the CORS rules for the storage account" - default = null + default = [] } variable "static_website" { 
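Review bot: `azurerm_monitor_diagnostic_setting.file` tests `var.loganalytics_diagnostic_setting.table == null` in its `count` instead of `.file`, so enabling only `table` makes the file resource dereference a null `file` object and fail, while enabling only `file` silently creates no file diagnostics; the data source above it uses `.file` correctly. Every `count` here also reads `var.loganalytics_diagnostic_setting.workspace_id` directly, and with the variable's `default = null` that is an attribute lookup on a null value, so as far as I can tell the module cannot be planned without supplying the diagnostic object at all; `try()` avoids this because `||` evaluates both operands. Apply the corrected form to all eight `count` lines, e.g. `count = try(var.loganalytics_diagnostic_setting.workspace_id, null) == null || try(var.loganalytics_diagnostic_setting.file, null) == null ? 0 : 1`. None of the four settings passes `log_analytics_destination_type`, although the variable accepts a `destination_type` per service.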
@@ -108,4 +108,39 @@ variable "custom_domain" { }) description = "Describes the custom domain configuration for the storage account" default = null -} \ No newline at end of file +} + +variable "delete_retention_policy_days" { + type = number + description = "Number of days to retain deleted blobs." + default = null +} + +variable "loganalytics_diagnostic_setting" { + type = object({ + workspace_id = string, // log analytics workspace ID + blob = optional(object({ + categories = optional(list(string)), // null list,means send all categories + metrics = optional(list(string)), // null list means send all metrics + destination_type = optional(string), // AzureDiagnostics or Dedicated + })), + queue = optional(object({ + categories = optional(list(string)), // null list,means send all categories + metrics = optional(list(string)), // null list means send all metrics + destination_type = optional(string), // AzureDiagnostics or Dedicated + })), + table = optional(object({ + categories = optional(list(string)), // null list,means send all categories + metrics = optional(list(string)), // null list means send all metrics + destination_type = optional(string), // AzureDiagnostics or Dedicated + })) + file = optional(object({ + categories = optional(list(string)), // null list,means send all categories + metrics = optional(list(string)), // null list means send all metrics + destination_type = optional(string), // AzureDiagnostics or Dedicated + })) + }) + description = "Specifies the log categories that have to be sent to Log analytics." + default = null +} + diff --git a/modules/azure/storage_table_entities_rewritable/main.tf b/modules/azure/storage_table_entities_rewritable/main.tf new file mode 100644 index 00000000..445f3ff7 --- /dev/null +++ b/modules/azure/storage_table_entities_rewritable/main.tf 
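Review bot: `destination_type` is declared four times in `loganalytics_diagnostic_setting` with the comment `AzureDiagnostics or Dedicated`, but none of the diagnostic settings in this module's main.tf sets `log_analytics_destination_type`, so the field is accepted and ignored. Either wire it into each setting as the log_analytics_workspace module does, or remove it from the type so callers are not misled into thinking they selected dedicated tables. The comments also repeat the `null list,means` typo and drift in alignment; `// null means send all categories` reads cleanly.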
@@ -0,0 +1,28 @@
+terraform {
+ required_version = "~> 1.3"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.48"
+ }
+ }
+
+ backend "azurerm" {}
+}
+
+provider "azurerm" {
+ features {}
+}
+
+resource "azurerm_storage_table_entity" "storage_table_entity" {
+ for_each = { for entity in var.rows : entity.row_key => entity }
+
+ table_name = var.storage_table_name
+ storage_account_name = var.storage_account_name
+
+ partition_key = each.value.partition_key
+ row_key = each.value.row_key
+
+ entity = each.value.entity
+}
diff --git a/modules/azure/storage_table_entities_rewritable/variables.tf b/modules/azure/storage_table_entities_rewritable/variables.tf
new file mode 100644
index 00000000..b0db70b2
--- /dev/null
+++ b/modules/azure/storage_table_entities_rewritable/variables.tf
@@ -0,0 +1,18 @@
+variable "storage_account_name" {
+ type = string
+ description = "Name of the storage account"
+}
+
+variable "storage_table_name" {
+ type = string
+ description = "Name of the storage table"
+}
+
+variable "rows" {
+ type = set(object({
+ partition_key = string
+ row_key = string
+ entity = any
+ }))
+ description = "Rows to insert into the table. Every entry should contain a partition key, a row key and a set of properties. Rows are updated by TF if definition changes, rewriting whatever value is in Storage Table"
+}
diff --git a/modules/azure/stream_analytics/main.tf b/modules/azure/stream_analytics/main.tf
index 35dd0fb5..5bb8c5e7 100644
--- a/modules/azure/stream_analytics/main.tf
+++ b/modules/azure/stream_analytics/main.tf
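Review bot: The `for_each` keys rows by `entity.row_key` alone, but a Table storage entity is identified by partition key plus row key, so two rows that legitimately share a row key in different partitions produce a duplicate-key error from the `for` expression at plan time; key on both, `for_each = { for entity in var.rows : "${entity.partition_key}/${entity.row_key}" => entity }`. Changing the key scheme re-addresses existing state entries, so any caller that already deployed rows would need `moved` blocks or a state move. Everything in `entity` is written verbatim to the azurerm backend state, so whatever callers put in `rows` should be treated as state-visible. As far as I recall, `azurerm_storage_table_entity` reaches the data plane with the account's shared key, which means the identity running this root module needs list-keys rights and the target account cannot have shared-key access disabled — worth a `#` comment above the resource.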
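Review bot: `entity = any` accepts arbitrary property maps and the variable is not marked `sensitive`, so any secret a caller places in a row is printed in the plan and persisted in state; either add `sensitive = true` (accepting redacted plan diffs) or state in the description that rows must not carry credentials. The description also omits the keying rule that main.tf depends on for its `for_each`; I would append `Partition key and row key together must be unique across rows.` to it. The `rewriting whatever value is in Storage Table` wording is the useful part — it tells callers that out-of-band edits are reverted on the next apply — so keep that sentence.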
@@ -100,3 +100,34 @@ resource "azurerm_stream_analytics_output_blob" "stream_output" { format = each.value.serialization.format } } + + +data "azurerm_monitor_diagnostic_categories" "diagnostic_categories" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + resource_id = azurerm_stream_analytics_job.job.id +} + +resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + name = "diag-${var.name}" + target_resource_id = azurerm_stream_analytics_job.job.id + log_analytics_workspace_id = var.loganalytics_diagnostic_setting.workspace_id + + + dynamic "enabled_log" { + for_each = var.loganalytics_diagnostic_setting.categories == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].log_category_types : var.loganalytics_diagnostic_setting.categories + + content { + category = enabled_log.value + } + } + + dynamic "metric" { + for_each = var.loganalytics_diagnostic_setting.metrics == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].metrics : var.loganalytics_diagnostic_setting.metrics + + content { + category = metric.value + enabled = true + } + } +} diff --git a/modules/azure/stream_analytics/variables.tf b/modules/azure/stream_analytics/variables.tf index 2d708dce..58d444c3 100644 --- a/modules/azure/stream_analytics/variables.tf +++ b/modules/azure/stream_analytics/variables.tf @@ -94,3 +94,13 @@ variable "stream_query" { description = "SAQL query that will be run in the streaming job." default = null } + +variable "loganalytics_diagnostic_setting" { + type = object({ + workspace_id = string, // log analytics workspace ID + categories = optional(list(string)), // null list,means send all categories + metrics = optional(list(string)), // null list means send all metrics + }) + description = "Specifies the log categories that have to be sent to Log analytics." + default = null +} 
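Review bot: When a caller passes an explicit `categories` or `metrics` list, the `for_each` forwards it unchecked, so a typo or a category the job does not expose only surfaces as an API error at apply time, after the job itself has been created. The data source is populated whenever the variable is set, so a `precondition` (Terraform 1.2+, and the `optional()` defaults here already need 1.3) can reject unknown categories at plan time; a ternary rather than `||` is used because HCL evaluates both operands of `||` and `setsubtract(null, ...)` would error. The same guard applies to `metrics` against `.metrics`.

```hcl
resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting" {
  # … unchanged: count, name, target_resource_id, log_analytics_workspace_id …

  lifecycle {
    precondition {
      condition     = var.loganalytics_diagnostic_setting.categories == null ? true : length(setsubtract(var.loganalytics_diagnostic_setting.categories, data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].log_category_types)) == 0
      error_message = "loganalytics_diagnostic_setting.categories contains a log category this Stream Analytics job does not expose."
    }
  }

  # … unchanged: dynamic "enabled_log" and dynamic "metric" blocks …
}
```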
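Review bot: The comments promise that `null` means "send all", but nothing stops `categories = []` (or `metrics = []`), which yields a diagnostic setting that enables nothing — depending on the API either a rejected apply or a setting that silently ships no logs, both of which turn off the audit trail this variable exists to provide. A `validation` block catches it at plan time: `condition = var.loganalytics_diagnostic_setting == null ? true : try(length(var.loganalytics_diagnostic_setting.categories) > 0, true)`, with the `try` covering the `null` case. Also fix the stray comma in `// null list,means send all categories`; this exact object is duplicated in the virtual_network module in this diff, so keep the two in step.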
diff --git a/modules/azure/virtual_network/main.tf b/modules/azure/virtual_network/main.tf index 21cec685..a3f4484e 100644 --- a/modules/azure/virtual_network/main.tf +++ b/modules/azure/virtual_network/main.tf @@ -26,3 +26,34 @@ resource "azurerm_virtual_network" "virtual_network" { ignore_changes = [subnet] } } + + +data "azurerm_monitor_diagnostic_categories" "diagnostic_categories" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + resource_id = azurerm_virtual_network.virtual_network.id +} + +resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting" { + count = var.loganalytics_diagnostic_setting == null ? 0 : 1 + name = "diag-${var.name}" + target_resource_id = azurerm_virtual_network.virtual_network.id + log_analytics_workspace_id = var.loganalytics_diagnostic_setting.workspace_id + + + dynamic "enabled_log" { + for_each = var.loganalytics_diagnostic_setting.categories == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].log_category_types : var.loganalytics_diagnostic_setting.categories + + content { + category = enabled_log.value + } + } + + dynamic "metric" { + for_each = var.loganalytics_diagnostic_setting.metrics == null ? data.azurerm_monitor_diagnostic_categories.diagnostic_categories[0].metrics : var.loganalytics_diagnostic_setting.metrics + + content { + category = metric.value + enabled = true + } + } +} diff --git a/modules/azure/virtual_network/variables.tf b/modules/azure/virtual_network/variables.tf index 97b77b0f..f2790cfb 100644 --- a/modules/azure/virtual_network/variables.tf +++ b/modules/azure/virtual_network/variables.tf 
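Review bot: This data source and resource pair is a line-for-line copy of the block added to stream_analytics in the same diff (only `resource_id`/`target_resource_id` differ), and the storage_account_public variant already diverged in its guard logic; a small internal module wrapping `azurerm_monitor_diagnostic_categories` plus `azurerm_monitor_diagnostic_setting` would keep the null-guard, the `enabled_log`/`metric` loops and any future validation in one place. The same caveat as in stream_analytics applies: an explicit `categories` list bypasses the data source and a bad entry fails only at apply. As far as I know the virtual network resource itself exposes very few diagnostic categories, so this setting gives no subnet- or NSG-level traffic visibility; a sentence to that effect in the variable description would stop callers assuming flow logging is covered. The `azurerm_virtual_network` resource this attaches to starts before the hunk.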
@@ -17,3 +17,13 @@ variable "address_space" { type = list(string) description = "Address space of the virtual network." } + +variable "loganalytics_diagnostic_setting" { + type = object({ + workspace_id = string, // log analytics workspace ID + categories = optional(list(string)), // null list,means send all categories + metrics = optional(list(string)), // null list means send all metrics + }) + description = "Specifies the log categories that have to be sent to Log analytics." + default = null +} diff --git a/modules/azure/web_app_linux/main.tf b/modules/azure/web_app_linux/main.tf index a5a9f1fd..20caf95b 100644 --- a/modules/azure/web_app_linux/main.tf +++ b/modules/azure/web_app_linux/main.tf @@ -23,19 +23,31 @@ resource "azurerm_linux_web_app" "web_app" { https_only = true site_config { - always_on = var.always_on - websockets_enabled = var.websockets_enabled - health_check_path = var.health_check_path - use_32_bit_worker = var.use_32_bit_worker - ftps_state = var.ftps_state - http2_enabled = true - minimum_tls_version = 1.2 + always_on = var.always_on + websockets_enabled = var.websockets_enabled + health_check_path = var.health_check_path + use_32_bit_worker = var.use_32_bit_worker + ftps_state = var.ftps_state + http2_enabled = true + minimum_tls_version = 1.2 + vnet_route_all_enabled = var.vnet_route_all_enabled application_stack { - dotnet_version = var.dotnet_version - docker_image_name = var.docker_image_name - docker_image = var.docker_image - docker_image_tag = var.docker_image_tag + dotnet_version = var.dotnet_version + docker_image_name = var.docker_image_name + docker_registry_url = var.docker_registry_url + docker_image = var.docker_image + docker_image_tag = var.docker_image_tag + } + + dynamic "ip_restriction" { + for_each = var.ip_restrictions + content { + action = ip_restriction.value.action + ip_address = ip_restriction.value.ip_address + name = ip_restriction.value.name + priority = ip_restriction.value.priority + } } } 
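Review bot: The new `ip_restriction` rules only cover the app's main host; `scm_use_main_ip_restriction` is not set in `site_config`, so the Kudu/SCM site (deployment endpoint, console, file browser) stays reachable from any address even when `var.ip_restrictions` locks the app down. Add `scm_use_main_ip_restriction = true` next to `vnet_route_all_enabled`, or expose a separate `scm_ip_restriction` input, and say in the variable description which host the rules apply to. `ip_address` is forwarded raw, and the provider documents it as CIDR notation, so a bare address fails only at apply — validation belongs on the variable. The enclosing `resource "azurerm_linux_web_app"` begins before the hunk and the rest of its body is not visible here.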
diff --git a/modules/azure/web_app_linux/variables.tf b/modules/azure/web_app_linux/variables.tf
index 846e1b95..ab4c488c 100644
--- a/modules/azure/web_app_linux/variables.tf
+++ b/modules/azure/web_app_linux/variables.tf
@@ -36,6 +36,12 @@ variable "dotnet_version" {
 default = null
 }
 
+variable "docker_registry_url" {
+ type = string
+ description = "URL where to look for a Docker image for the web app."
+ default = null
+}
+
 variable "docker_image_name" {
 type = string
 description = "Docker image name and tag for the web app."
@@ -112,6 +118,12 @@ variable "use_32_bit_worker" {
 default = false
 }
 
+variable "vnet_route_all_enabled" {
+ type = bool
+ description = "Should all outbound traffic have NAT Gateways, Network Security Groups and User Defined Routes applied?"
+ default = false
+}
+
 variable "ftps_state" {
 type = string
 description = "State of FTP / FTPS service for this Web App."
@@ -130,3 +142,14 @@ variable "storage_mount" {
 description = "Storage container or share to be mount within web app instance(s). Note that container mounts are read-only."
 default = null
 }
+
+variable "ip_restrictions" {
+ type = set(object({
+ action = optional(string, "Allow")
+ ip_address = string
+ name = string
+ priority = number
+ }))
+ description = "Specify IP addresses which are allowed to access the app"
+ default = []
+}
diff --git a/validate/validate.sh b/validate/validate.sh
index 40ed50fc..7a6dea93 100755
--- a/validate/validate.sh
+++ b/validate/validate.sh
@@ -11,6 +11,8 @@ find ./modules -name "*.tf" -exec dirname {} + | sort | uniq | while read -r lin
 cd "$line" || exit
 terraform init
 terraform validate
+ rm -r .terraform
+ rm .terraform.lock.hcl
 cd - || exit
 rm "$line/main_override.tf"
 done
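Review bot: The description says the entries are addresses "allowed to access the app", but `action` accepts any string (and `"Deny"` is a legitimate value), and `ip_address` is an unvalidated string that the provider expects in CIDR form, so `action = "allow"` or a bare `10.0.0.5` only fails at apply, and a Deny rule reads as an allow-list entry to whoever maintains the list. A `validation` block pins both, and the description should say the rules apply to the main host and that once any rule exists, unmatched traffic is denied by the platform. If callers also rely on the special `Any` address, allow it explicitly in the condition.

```hcl
variable "ip_restrictions" {
  # … unchanged: type …

  validation {
    condition = alltrue([
      for r in var.ip_restrictions :
      contains(["Allow", "Deny"], r.action) && can(cidrhost(r.ip_address, 0))
    ])
    error_message = "Each ip_restriction needs action Allow or Deny and ip_address in CIDR notation, e.g. 203.0.113.10/32."
  }

  description = "Access rules (CIDR) for the app's main host. Once any rule is present, traffic matching no rule is denied."
  default     = []
}
```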
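Review bot: The two added `rm` lines unconditionally delete `.terraform.lock.hcl` after every `terraform init`; if a module checks in its lock file to pin provider hashes, this loop removes that pin from the working tree and the next `init` would resolve providers afresh, which defeats the supply-chain protection the lock file provides. Whether lock files are committed is not visible here, so guard the deletion on the file being untracked: `git ls-files --error-unmatch .terraform.lock.hcl >/dev/null 2>&1 || rm -f .terraform.lock.hcl`, and use `rm -rf .terraform` so a failed `init` (no directory) does not add a second error. Where a lock file is committed, `terraform init -backend=false -lockfile=readonly` would also make the validation fail on any hash drift instead of silently rewriting it. The `while read` loop this sits in starts on the hunk header line, outside the visible body.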