feat: Move dns privatelink to core folder (#78)

* core: added postgres dns private link * coreplus: removed network resources not needed * pre-commit fixs
pagopa · Aug 11, 2023 · 5316cd2 · 5316cd2
1 parent 747a80b
commit 5316cd2
Show file tree

Hide file tree

Showing 13 changed files with 135 additions and 125 deletions.
diff --git a/src/core/01_network.tf b/src/core/01_network.tf
@@ -57,3 +57,20 @@ resource "azurerm_public_ip" "aks_outbound" {
 
   tags = var.tags
 }
+
+# Subnet to host the api config
+module "private_endpoints_snet" {
+  source               = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v6.3.1"
+  name                 = "${local.project}-private-endpoints-snet"
+  address_prefixes     = var.cidr_subnet_private_endpoints
+  virtual_network_name = module.vnet.name
+
+  resource_group_name = azurerm_resource_group.rg_vnet.name
+
+  private_endpoint_network_policies_enabled = false
+  service_endpoints = [
+    "Microsoft.Web",
+    "Microsoft.AzureCosmosDB",
+    "Microsoft.Storage",
+  ]
+}
diff --git a/src/core/02_dns_private.tf b/src/core/02_dns_private.tf
@@ -17,3 +17,25 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnet_core" {
 
   tags = var.tags
 }
+
+# DNS private single server
+resource "azurerm_private_dns_zone" "privatelink_postgres_database_azure_com" {
+
+  name                = "privatelink.postgres.database.azure.com"
+  resource_group_name = azurerm_resource_group.rg_vnet.name
+
+  tags = var.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_postgres_database_azure_com_vnet" {
+
+  name                  = "${local.project}-pg-flex-link"
+  private_dns_zone_name = azurerm_private_dns_zone.privatelink_postgres_database_azure_com.name
+
+  resource_group_name = azurerm_resource_group.rg_vnet.name
+  virtual_network_id  = module.vnet.id
+
+  registration_enabled = false
+
+  tags = var.tags
+}
diff --git a/src/core/10_github_runner_self_hosted.tf b/src/core/10_github_runner_self_hosted.tf
@@ -0,0 +1,67 @@
+# resource "azurerm_resource_group" "github_runner_rg" {
+#   name     = local.container_app_github_runner_env_rg
+#   location = var.location
+
+#   tags = var.tags
+# }
+
+# resource "azurerm_subnet" "github_runner_snet" {
+#   name                 = "${local.project}-github-runner-snet"
+#   resource_group_name  = data.azurerm_resource_group.rg_vnet.name
+#   virtual_network_name = data.azurerm_virtual_network.vnet.name
+#   address_prefixes     = var.cidr_subnet_github_runner_self_hosted
+# }
+
+# resource "null_resource" "update_az_cli" {
+
+#   triggers = {
+#     env_name                                   = local.container_app_github_runner_env_name
+#     rg_name                                    = azurerm_resource_group.github_runner_rg.name
+#     subnet_id                                  = azurerm_subnet.github_runner_snet.id
+#     log_analytics_id                           = data.azurerm_log_analytics_workspace.log_analytics_workspace.workspace_id
+#     log_analytics_workspace_primary_shared_key = data.azurerm_log_analytics_workspace.log_analytics_workspace.primary_shared_key
+#   }
+
+#   provisioner "local-exec" {
+#     command = <<EOT
+#       az extension add --name containerapp --upgrade
+#       az provider register --namespace Microsoft.App
+#       az provider register --namespace Microsoft.OperationalInsights
+#     EOT
+#   }
+
+#   depends_on = [
+#     azurerm_subnet.github_runner_snet,
+#     azurerm_resource_group.github_runner_rg,
+#   ]
+# }
+
+# resource "null_resource" "container_app_create_env_github_runner" {
+
+#   triggers = {
+#     env_name                                   = local.container_app_github_runner_env_name
+#     rg_name                                    = azurerm_resource_group.github_runner_rg.name
+#     subnet_id                                  = azurerm_subnet.github_runner_snet.id
+#     log_analytics_id                           = data.azurerm_log_analytics_workspace.log_analytics_workspace.workspace_id
+#     log_analytics_workspace_primary_shared_key = data.azurerm_log_analytics_workspace.log_analytics_workspace.primary_shared_key
+#   }
+
+#   provisioner "local-exec" {
+#     command = <<EOT
+#       az containerapp env create \
+#           -n ${local.container_app_github_runner_env_name} \
+#           -g ${azurerm_resource_group.github_runner_rg.name} \
+#           --location ${var.location} \
+#           --infrastructure-subnet-resource-id ${azurerm_subnet.github_runner_snet.id} \
+#           --internal-only true \
+#           --logs-destination log-analytics \
+#           --logs-workspace-id "${data.azurerm_log_analytics_workspace.log_analytics_workspace.workspace_id}" \
+#           --logs-workspace-key "${data.azurerm_log_analytics_workspace.log_analytics_workspace.primary_shared_key}"
+#     EOT
+#   }
+
+#   depends_on = [
+#     azurerm_subnet.github_runner_snet,
+#     azurerm_resource_group.github_runner_rg,
+#   ]
+# }
diff --git a/src/core/99_variables.tf b/src/core/99_variables.tf
@@ -103,6 +103,11 @@ variable "cidr_subnet_postgres" {
   description = "Database network address space."
 }
 
+variable "cidr_subnet_private_endpoints" {
+  type        = list(string)
+  description = "Subnet cidr postgres flex."
+}
+
 variable "cidr_subnet_vpn" {
   type        = list(string)
   description = "VPN network address space."

diff --git a/src/core/README.md b/src/core/README.md
@@ -42,6 +42,7 @@ az network dns zone show \
 | <a name="module_dns_forwarder_snet"></a> [dns\_forwarder\_snet](#module\_dns\_forwarder\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v6.20.0 |
 | <a name="module_postgres"></a> [postgres](#module\_postgres) | git::https://github.com/pagopa/terraform-azurerm-v3.git//postgresql_server | v4.1.0 |
 | <a name="module_postgres_snet"></a> [postgres\_snet](#module\_postgres\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.0 |
+| <a name="module_private_endpoints_snet"></a> [private\_endpoints\_snet](#module\_private\_endpoints\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v6.3.1 |
 | <a name="module_redis"></a> [redis](#module\_redis) | git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache | v4.1.0 |
 | <a name="module_redis_snet"></a> [redis\_snet](#module\_redis\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.0 |
 | <a name="module_security_monitoring_storage"></a> [security\_monitoring\_storage](#module\_security\_monitoring\_storage) | git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account | v4.1.0 |
@@ -67,6 +68,8 @@ az network dns zone show \
 | [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group) | resource |
 | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group) | resource |
 | [azurerm_private_dns_zone.internal_devopslab](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource |
+| [azurerm_private_dns_zone.privatelink_postgres_database_azure_com](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource |
+| [azurerm_private_dns_zone_virtual_network_link.privatelink_postgres_database_azure_com_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource |
 | [azurerm_private_dns_zone_virtual_network_link.vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource |
 | [azurerm_public_ip.aks_outbound](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
 | [azurerm_public_ip.appgateway_beta_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
@@ -97,6 +100,7 @@ az network dns zone show \
 | <a name="input_cidr_subnet_azdoa"></a> [cidr\_subnet\_azdoa](#input\_cidr\_subnet\_azdoa) | Azure DevOps agent network address space. | `list(string)` | n/a | yes |
 | <a name="input_cidr_subnet_dnsforwarder"></a> [cidr\_subnet\_dnsforwarder](#input\_cidr\_subnet\_dnsforwarder) | DNS Forwarder network address space. | `list(string)` | n/a | yes |
 | <a name="input_cidr_subnet_postgres"></a> [cidr\_subnet\_postgres](#input\_cidr\_subnet\_postgres) | Database network address space. | `list(string)` | n/a | yes |
+| <a name="input_cidr_subnet_private_endpoints"></a> [cidr\_subnet\_private\_endpoints](#input\_cidr\_subnet\_private\_endpoints) | Subnet cidr postgres flex. | `list(string)` | n/a | yes |
 | <a name="input_cidr_subnet_redis"></a> [cidr\_subnet\_redis](#input\_cidr\_subnet\_redis) | Redis. | `list(string)` | n/a | yes |
 | <a name="input_cidr_subnet_vpn"></a> [cidr\_subnet\_vpn](#input\_cidr\_subnet\_vpn) | VPN network address space. | `list(string)` | n/a | yes |
 | <a name="input_cidr_vnet"></a> [cidr\_vnet](#input\_cidr\_vnet) | Virtual network address space. | `list(string)` | n/a | yes |

diff --git a/src/coreplus/00_network.tf b/src/coreplus/00_network.tf
@@ -11,3 +11,14 @@ data "azurerm_private_dns_zone" "internal" {
   name                = local.dns_zone_private_name
   resource_group_name = data.azurerm_resource_group.rg_vnet.name
 }
+
+data "azurerm_private_dns_zone" "privatelink_postgres_database_azure_com" {
+  name                = local.dns_zone_private_name_postgres
+  resource_group_name = data.azurerm_resource_group.rg_vnet.name
+}
+
+data "azurerm_subnet" "private_endpoints_snet" {
+  name                 = "${local.program}-private-endpoints-snet"
+  virtual_network_name = data.azurerm_virtual_network.vnet.name
+  resource_group_name  = data.azurerm_resource_group.rg_vnet.name
+}
diff --git a/src/coreplus/01_network.tf b/src/coreplus/01_network.tf
diff --git a/src/coreplus/05_postgres_flexible.tf b/src/coreplus/05_postgres_flexible.tf
@@ -38,27 +38,7 @@ module "postgres_flexible_snet" {
   }
 }
 
-# DNS private single server
-resource "azurerm_private_dns_zone" "privatelink_postgres_database_azure_com" {
 
-  name                = "privatelink.postgres.database.azure.com"
-  resource_group_name = data.azurerm_resource_group.rg_vnet.name
-
-  tags = var.tags
-}
-
-resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_postgres_database_azure_com_vnet" {
-
-  name                  = "${local.program}-pg-flex-link"
-  private_dns_zone_name = azurerm_private_dns_zone.privatelink_postgres_database_azure_com.name
-
-  resource_group_name = data.azurerm_resource_group.rg_vnet.name
-  virtual_network_id  = data.azurerm_virtual_network.vnet.id
-
-  registration_enabled = false
-
-  tags = var.tags
-}
 
 # https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-compare-single-server-flexible-server
 module "postgres_flexible_server_private" {
@@ -73,7 +53,7 @@ module "postgres_flexible_server_private" {
 
   ### Network
   private_endpoint_enabled = false
-  private_dns_zone_id      = azurerm_private_dns_zone.privatelink_postgres_database_azure_com.id
+  private_dns_zone_id      = data.azurerm_private_dns_zone.privatelink_postgres_database_azure_com.id
   delegated_subnet_id      = module.postgres_flexible_snet.id
 
   ### Admin
@@ -111,9 +91,6 @@ module "postgres_flexible_server_private" {
   diagnostic_settings_enabled               = true
   log_analytics_workspace_id                = data.azurerm_log_analytics_workspace.log_analytics_workspace.id
   diagnostic_setting_destination_storage_id = data.azurerm_storage_account.security_monitoring_storage.id
-
-  depends_on = [azurerm_private_dns_zone_virtual_network_link.privatelink_postgres_database_azure_com_vnet]
-
 }
 
 #

diff --git a/src/coreplus/06_cosmosdb_mongo.tf b/src/coreplus/06_cosmosdb_mongo.tf
@@ -54,13 +54,13 @@ module "cosmos_mongo" {
   ip_range = ""
 
   allowed_virtual_network_subnet_ids = [
-    module.private_endpoints_snet.id
+    data.azurerm_subnet.private_endpoints_snet.id
   ]
 
   # private endpoint
   private_endpoint_name    = "${local.project}-cosmos-mongo-sql-endpoint"
   private_endpoint_enabled = true
-  subnet_id                = module.private_endpoints_snet.id
+  subnet_id                = data.azurerm_subnet.private_endpoints_snet.id
   private_dns_zone_ids     = [data.azurerm_private_dns_zone.internal.id]
 
   tags = var.tags

diff --git a/src/coreplus/06_cosmosdb_sql.tf b/src/coreplus/06_cosmosdb_sql.tf
@@ -46,13 +46,13 @@ module "cosmos_core" {
   ip_range = ""
 
   allowed_virtual_network_subnet_ids = [
-    module.private_endpoints_snet.id
+    data.azurerm_subnet.private_endpoints_snet.id
   ]
 
   # private endpoint
   private_endpoint_name    = "${local.project}-cosmos-core-sql-endpoint"
   private_endpoint_enabled = true
-  subnet_id                = module.private_endpoints_snet.id
+  subnet_id                = data.azurerm_subnet.private_endpoints_snet.id
   private_dns_zone_ids     = [data.azurerm_private_dns_zone.internal.id]
 
   tags = var.tags

diff --git a/src/coreplus/08_github_runner_self_hosted.tf b/src/coreplus/08_github_runner_self_hosted.tf
diff --git a/src/coreplus/99_variables.tf b/src/coreplus/99_variables.tf
@@ -32,7 +32,8 @@ locals {
 
   cosmosdb_enable = 1
 
-  dns_zone_private_name = "internal.${var.prod_dns_zone_prefix}.${var.external_domain}"
+  dns_zone_private_name          = "internal.${var.prod_dns_zone_prefix}.${var.external_domain}"
+  dns_zone_private_name_postgres = "privatelink.postgres.database.azure.com"
 
   #
   # Container App
@@ -164,11 +165,6 @@ variable "cidr_subnet_flex_dbms" {
   description = "Subnet cidr postgres flex."
 }
 
-variable "cidr_subnet_private_endpoints" {
-  type        = list(string)
-  description = "Subnet cidr postgres flex."
-}
-
 variable "cidr_subnet_vpn" {
   type        = list(string)
   description = "Subnet cidr postgres flex."