Merged with story/1255/add-azure-storage-account

CDCgov · Sep 3, 2024 · a290679 · a290679
2 parents 4cb62d0 + 3f90bb0
commit a290679
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 4 deletions.
diff --git a/operations/template/app.tf b/operations/template/app.tf
@@ -41,6 +41,24 @@ resource "azurerm_user_assigned_identity" "key_vault_identity" {
   location            = data.azurerm_resource_group.group.location
 
   name = "key-vault-identity-${var.environment}"
+
+  lifecycle {
+    ignore_changes = [
+      # below tags are managed by CDC
+      tags["business_steward"],
+      tags["center"],
+      tags["environment"],
+      tags["escid"],
+      tags["funding_source"],
+      tags["pii_data"],
+      tags["security_compliance"],
+      tags["security_steward"],
+      tags["support_group"],
+      tags["system"],
+      tags["technical_steward"],
+      tags["zone"]
+    ]
+  }
 }
 
 resource "azurerm_role_assignment" "allow_app_to_pull_from_registry" {

diff --git a/operations/template/docs.tf b/operations/template/docs.tf
@@ -13,9 +13,10 @@ resource "azurerm_storage_account" "docs" {
     index_document = "index.html"
   }
 
-  #   below tags are managed by CDC
   lifecycle {
     ignore_changes = [
+      customer_managed_key,
+      # below tags are managed by CDC
       tags["business_steward"],
       tags["center"],
       tags["environment"],
@@ -28,7 +29,6 @@ resource "azurerm_storage_account" "docs" {
       tags["system"],
       tags["technical_steward"],
       tags["zone"],
-      customer_managed_key,
     ]
   }
 

diff --git a/operations/template/storage.tf b/operations/template/storage.tf
@@ -9,9 +9,10 @@ resource "azurerm_storage_account" "storage" {
   min_tls_version                   = "TLS1_2"
   infrastructure_encryption_enabled = true
 
-  #   below tags are managed by CDC
   lifecycle {
     ignore_changes = [
+      customer_managed_key,
+      # below tags are managed by CDC
       tags["business_steward"],
       tags["center"],
       tags["environment"],
@@ -54,3 +55,60 @@ resource "azurerm_role_assignment" "allow_api_read_write" {
   role_definition_name = "Storage Blob Data Contributor"
   principal_id         = azurerm_linux_web_app.api.identity.0.principal_id
 }
+
+resource "azurerm_storage_account" "automated_storage" {
+  name                              = "cdctiautomated${var.environment}"
+  resource_group_name               = data.azurerm_resource_group.group.name
+  location                          = data.azurerm_resource_group.group.location
+  account_tier                      = "Standard"
+  account_replication_type          = "GRS"
+  account_kind                      = "StorageV2"
+  allow_nested_items_to_be_public   = false
+  min_tls_version                   = "TLS1_2"
+  infrastructure_encryption_enabled = true
+
+  #   below tags are managed by CDC
+  lifecycle {
+    ignore_changes = [
+      tags["business_steward"],
+      tags["center"],
+      tags["environment"],
+      tags["escid"],
+      tags["funding_source"],
+      tags["pii_data"],
+      tags["security_compliance"],
+      tags["security_steward"],
+      tags["support_group"],
+      tags["system"],
+      tags["technical_steward"],
+      tags["zone"]
+    ]
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+resource "azurerm_storage_account_customer_managed_key" "storage_storage_account_customer_key" {
+  storage_account_id = azurerm_storage_account.storage.id
+  key_vault_id       = azurerm_key_vault.key_storage.id
+  key_name           = azurerm_key_vault_key.customer_managed_key.name
+
+  depends_on = [
+    azurerm_key_vault_access_policy.allow_github_deployer,
+    azurerm_key_vault_access_policy.allow_storage_storage_account_wrapping
+  ] //wait for the permission that allows our deployer to write the secret
+}
+
+resource "azurerm_storage_container" "automated_container" {
+  name                  = "automated"
+  storage_account_name  = azurerm_storage_account.automated_storage.name
+  container_access_type = "private"
+}
+
+resource "azurerm_role_assignment" "allow_automated_test_read_write" {
+  scope                = azurerm_storage_container.automated_container.resource_manager_id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = var.deployer_id
+}
diff --git a/shared/build.gradle b/shared/build.gradle
@@ -54,7 +54,7 @@ dependencies {
     testFixturesImplementation 'nl.jqno.equalsverifier:equalsverifier:3.16.2'
 
     // dotenv-java
-    implementation 'io.github.cdimascio:dotenv-java:3.0.1'
+    implementation 'io.github.cdimascio:dotenv-java:3.0.2'
 
     // postgres
     implementation 'org.postgresql:postgresql:42.7.4'