wip

.gitignore

@@ -23,5 +23,8 @@
 
 # Ignore terraform files
 bin/terrafile
-terraform/application/.terraform/
-terraform/application/vendor/
+.terraform
+terraform/application/vendor
+terraform/domains/environment_domains/vendor
+terraform/domains/infrastructure/vendor
+terraform.tfstate*

terraform/application/application.tf

@@ -0,0 +1,36 @@
+module "application_configuration" {
+  source = "./vendor/modules/aks//aks/application_configuration"
+
+  namespace              = var.namespace
+  environment            = var.environment
+  azure_resource_prefix  = var.azure_resource_prefix
+  service_short          = var.service_short
+  config_short           = var.config_short
+  secret_key_vault_short = "app"
+
+  # Delete for non rails apps
+  is_rails_application = true
+
+  config_variables = {
+    ENVIRONMENT_NAME = var.environment
+  }
+
+}
+
+module "web_application" {
+  source = "./vendor/modules/aks//aks/application"
+
+  is_web = true
+
+  namespace    = var.namespace
+  environment  = var.environment
+  service_name = var.service_name
+
+  cluster_configuration_map  = module.cluster_data.configuration_map
+  kubernetes_config_map_name = module.application_configuration.kubernetes_config_map_name
+  kubernetes_secret_name     = module.application_configuration.kubernetes_secret_name
+  web_port = 80
+  probe_path = "/"
+
+  docker_image = var.docker_image
+}

terraform/application/cluster_data.tf

@@ -0,0 +1,4 @@
+module "cluster_data" {
+  source = "./vendor/modules/aks//aks/cluster_data"
+  name   = var.cluster
+}

terraform/application/config/development.tfvars.json

@@ -0,0 +1,7 @@
+{
+    "cluster": "test",
+    "namespace": "tech-arch-development",
+    "environment": "development",
+    "deploy_azure_backing_services": false,
+    "enable_postgres_ssl" : false
+}

terraform/application/config/development_Terrafile

@@ -0,0 +1,3 @@
+aks:
+    source:  "https://github.com/DFE-Digital/terraform-modules"
+    version: "main"

terraform/application/config/production.tfvars.json

@@ -0,0 +1,6 @@
+{
+    "cluster": "production",
+    "namespace": "tech-arch-production",
+    "environment": "production",
+    "enable_postgres_backup_storage" : true
+}

terraform/application/config/production_Terrafile

@@ -0,0 +1,3 @@
+aks:
+    source:  "https://github.com/DFE-Digital/terraform-modules"
+    version: "main"

terraform/application/output.tf

@@ -0,0 +1,3 @@
+output "url" {
+  value = "https://${module.web_application.hostname}/"
+}

terraform/application/secrets.tf

@@ -0,0 +1,8 @@
+module "infrastructure_secrets" {
+  source = "./vendor/modules/aks//aks/secrets"
+
+  azure_resource_prefix = var.azure_resource_prefix
+  service_short         = var.service_short
+  config_short          = var.config_short
+  key_vault_short       = "inf"
+}

terraform/application/terraform.tf

@@ -0,0 +1,34 @@
+terraform {
+  required_version = "= 1.6.4"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.82.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.24.0"
+    }
+
+  }
+  backend "azurerm" {
+    container_name = "terraform-state"
+  }
+}
+
+provider "azurerm" {
+  features {}
+
+  skip_provider_registration = true
+  subscription_id            = try(local.azure_credentials.subscriptionId, null)
+  client_id                  = try(local.azure_credentials.clientId, null)
+  client_secret              = try(local.azure_credentials.clientSecret, null)
+  tenant_id                  = try(local.azure_credentials.tenantId, null)
+}
+
+provider "kubernetes" {
+  host                   = module.cluster_data.kubernetes_host
+  client_certificate     = module.cluster_data.kubernetes_client_certificate
+  client_key             = module.cluster_data.kubernetes_client_key
+  cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate
+}

terraform/application/variables.tf

@@ -0,0 +1,58 @@
+variable "cluster" {
+  description = "AKS cluster where this app is deployed. Either 'test' or 'production'"
+}
+variable "namespace" {
+  description = "AKS namespace where this app is deployed"
+}
+variable "environment" {
+  description = "Name of the deployed environment in AKS"
+}
+variable "azure_credentials_json" {
+  default     = null
+  description = "JSON containing the service principal authentication key when running in automation"
+}
+variable "azure_resource_prefix" {
+  description = "Standard resource prefix. Usually s189t01 (test) or s189p01 (production)"
+}
+variable "config_short" {
+  description = "Short name of the environment configuration, e.g. dv, st, pd..."
+}
+variable "service_name" {
+  description = "Full name of the service. Lowercase and hyphen separated"
+}
+variable "service_short" {
+  description = "Short name to identify the service. Up to 6 charcters."
+}
+variable "deploy_azure_backing_services" {
+  default     = true
+  description = "Deploy real Azure backing services like databases, as opposed to containers inside of AKS"
+}
+variable "enable_postgres_ssl" {
+  default     = true
+  description = "Enforce SSL connection from the client side"
+}
+variable "enable_postgres_backup_storage" {
+  default     = false
+  description = "Create a storage account to store database dumps"
+}
+variable "docker_image" {
+  description = "Docker image full name to identify it in the registry. Includes docker registry, repository and tag e.g.: ghcr.io/dfe-digital/teacher-pay-calculator:673f6309fd0c907014f44d6732496ecd92a2bcd0"
+}
+variable "external_url" {
+  default     = null
+  description = "Healthcheck URL for StatusCake monitoring"
+}
+variable "statuscake_contact_groups" {
+  default     = []
+  description = "ID of the contact group in statuscake web UI"
+}
+variable "enable_monitoring" {
+  default     = false
+  description = "Enable monitoring and alerting"
+}
+
+locals {
+  azure_credentials = try(jsondecode(var.azure_credentials_json), null)
+
+  postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable"
+}

terraform/domains/environment_domains/config/development.tfvars.json

@@ -0,0 +1,16 @@
+{
+  "hosted_zone": {
+    "technical-guidance.education.gov.uk": {
+      "front_door_name": "s189p01-techg-domains-fd",
+      "resource_group_name": "s189p01-techg-domains-rg",
+      "domains": [
+        "development"
+      ],
+      "cached_paths": [
+        "/assets/*"
+      ],
+      "environment_short": "dv",
+      "origin_hostname": "technical-guidance-development.test.teacherservices.cloud"
+    }
+  }
+}

terraform/domains/environment_domains/config/development_Terrafile

@@ -0,0 +1,3 @@
+domains:
+    source:  "https://github.com/DFE-Digital/terraform-modules"
+    version: "testing"

terraform/domains/environment_domains/config/production.tfvars.json

@@ -0,0 +1,16 @@
+{
+  "hosted_zone": {
+    "technical-guidance.education.gov.uk": {
+      "front_door_name": "s189p01-techg-domains-fd",
+      "resource_group_name": "s189p01-techg-domains-rg",
+      "domains": [
+        "apex"
+      ],
+      "cached_paths": [
+        "/assets/*"
+      ],
+      "environment_short": "pd",
+      "origin_hostname": "technical-guidance-production.teacherservices.cloud"
+    }
+  }
+}

terraform/domains/environment_domains/config/production_Terrafile

@@ -0,0 +1,3 @@
+domains:
+    source:  "https://github.com/DFE-Digital/terraform-modules"
+    version: "stable"

terraform/domains/environment_domains/main.tf

@@ -0,0 +1,13 @@
+# Used to create domains to be managed by front door.
+module "domains" {
+  for_each            = var.hosted_zone
+  source              = "./vendor/modules/domains//domains/environment_domains"
+  zone                = each.key
+  front_door_name     = each.value.front_door_name
+  resource_group_name = each.value.resource_group_name
+  domains             = each.value.domains
+  environment         = each.value.environment_short
+  host_name           = each.value.origin_hostname
+  null_host_header    = try(each.value.null_host_header, false)
+  cached_paths        = try(each.value.cached_paths, [])
+}

terraform/domains/environment_domains/terraform.tf

@@ -0,0 +1,19 @@
+terraform {
+
+  required_version = "= 1.6.4"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.82.1"
+    }
+  }
+  backend "azurerm" {
+    container_name = "terraform-state"
+  }
+}
+
+provider "azurerm" {
+  features {}
+
+  skip_provider_registration = true
+}

terraform/domains/environment_domains/variables.tf

@@ -0,0 +1,4 @@
+variable "hosted_zone" {
+  type    = map(any)
+  default = {}
+}

terraform/domains/infrastructure/config/zones.tfvars.json

@@ -0,0 +1,15 @@
+{
+    "hosted_zone": {
+      "technical-guidance.education.gov.uk": {
+        "caa_records": {},
+        "txt_records": {
+          "_dmarc": {
+            "value": "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;rua=mailto:[email protected],mailto:[email protected];ruf=mailto:[email protected]"
+          }
+        },
+        "resource_group_name": "s189p01-techg-domains-rg",
+        "front_door_name": "s189p01-techg-domains-fd"
+      }
+    },
+    "deploy_default_records": false
+  }

terraform/domains/infrastructure/config/zones_Terrafile

@@ -0,0 +1,3 @@
+domains:
+    source:  "https://github.com/DFE-Digital/terraform-modules"
+    version: "stable"

terraform/domains/infrastructure/main.tf

@@ -0,0 +1,5 @@
+module "domains_infrastructure" {
+  source                 = "./vendor/modules/domains//domains/infrastructure"
+  hosted_zone            = var.hosted_zone
+  deploy_default_records = var.deploy_default_records
+}

terraform/domains/infrastructure/terraform.tf

@@ -0,0 +1,19 @@
+terraform {
+  required_version = "= 1.6.4"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.82.1"
+    }
+  }
+  backend "azurerm" {
+    container_name = "terraform-state"
+  }
+}
+
+provider "azurerm" {
+  features {}
+
+  skip_provider_registration = true
+}

terraform/domains/infrastructure/variables.tf

@@ -0,0 +1,7 @@
+variable "hosted_zone" {
+  type = map(any)
+}
+
+variable "deploy_default_records" {
+  default = true
+}