CDCgov · marycrawford · Nov 25, 2024 · Nov 13, 2024 · Nov 13, 2024 · Nov 13, 2024
diff --git a/.github/actions/tf-setup/action.yml b/.github/actions/tf-setup/action.yml
@@ -16,6 +16,9 @@ inputs:
   azure-subscription-id:
     description: The Azure subscription_id for this environment.
     required: true
+  azure-object-id:
+    description: The Azure object_id for this environment.
+    required: true
   app-name:
     description: The name of the application being deployed in Terraform.
     required: true
@@ -50,6 +53,7 @@ runs:
         ARM_CLIENT_ID: ${{ inputs.azure-client-id }}
         ARM_TENANT_ID: ${{ inputs.azure-tenant-id }}
         ARM_SUBSCRIPTION_ID: ${{ inputs.azure-subscription-id }}
+        ARM_OBJECT_ID: ${{ inputs.azure-object-id }}
       shell: bash
       run: |
         terraform init -backend-config=config/${{ inputs.deploy-env }}.config

diff --git a/ops/terraform/locals.tf b/ops/terraform/locals.tf
@@ -1,5 +1,10 @@
 locals {
   environment = terraform.workspace
+
+  # Explicitly get object_id from the environment variable (e.g., in GitHub Actions)
+  azure_object_id = getenv("ARM_OBJECT_ID", var.object_id)
+  vite_api_url    = getenv("VITE_API_URL", "") # Default to an empty string if not set
+
   init = {
     environment = local.environment
     location    = "eastus2"
@@ -20,4 +25,4 @@ locals {
       lbsubnetcidr  = "10.1.3.0/24"
     }
   }
-}
+}
diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf
@@ -8,9 +8,6 @@ locals {
   }
 }
 
-##########
-## 02-network
-##########
 module "networking" {
   source         = "./modules/network"
   name           = var.name
@@ -23,10 +20,6 @@ module "networking" {
   env            = local.environment
 }
 
-##########
-## 02-security
-##########
-
 module "securitygroup" {
   source         = "./modules/security"
   name           = var.name
@@ -53,10 +46,6 @@ module "app_gateway" {
   depends_on = [module.networking, module.ocr_api]
 }
 
-##########
-## 05-Persistent
-##########
-
 module "storage" {
   source          = "./modules/storage"
   name            = var.name
@@ -68,10 +57,6 @@ module "storage" {
   web_subnet_id   = module.networking.websubnet_id
 }
 
-##########
-## 06-App
-##########
-
 module "ocr_api" {
   source         = "./modules/app_service"
   name           = var.name
@@ -98,26 +83,16 @@ module "ocr_autoscale" {
   weekend_capacity_instances = 1
 }
 
-# module "compute" {
-#   source         = "./modules/container_instances"
-#   location       = data.azurerm_resource_group.rg.location
-#   resource_group = data.azurerm_resource_group.rg.name
-#   environment    = local.environment
-#   app_subnet     = module.networking.appsubnet_id
-#   # web_subnet_id   = module.networking.websubnet_id
-#   # app_subnet_id   = module.networking.appsubnet_id
-#   # web_host_name   = local.app.web_host_name
-#   # web_username    = local.app.web_username
-#   # web_os_password = local.app.web_os_password
-#   # app_host_name   = local.app.app_host_name
-#   # app_username    = local.app.app_username
-#   # app_os_password = local.app.app_os_password
-# }
-
-##########
-## 04-config
-##########
+module "database" {
+  source              = "./modules/database"
+  resource_group_name = data.azurerm_resource_group.rg.name
+  subnet              = module.network.azurerm_subnet.app-subnet.id
+}
 
-##########
-## 07-Monitor
-##########
+module "vault" {
+  source              = "./modules/vault.tf"
+  resource_group_name = data.azurerm_resource_group.rg.name
+  azure_tenant_id     = var.azure_tenant_id
+  object_id           = local.azure_object_id
+  vite_api_url        = local.vite_api_url
+}
diff --git a/ops/terraform/modules/database/data.tf b/ops/terraform/modules/database/data.tf
@@ -0,0 +1,3 @@
+data "azurerm_resource_group" "rg" {
+  name = var.resource_group_name
+}
diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf
@@ -0,0 +1,44 @@
+# PostgreSQL Server
+resource "azurerm_postgresql_server" "postgres_server" {
+  name                         = "reportvisionpgserver"
+  location                     = data.azurerm_resource_group.rg.location
+  resource_group_name          = data.azurerm_resource_group.rg.name
+  sku_name                     = var.sku_name
+  version                      = var.engine_version
+  administrator_login          = var.db_username
+  administrator_login_password = random_string.setup_rds_password.result
+  storage_mb                   = 5120 # 5 GB storage
+  backup_retention_days        = 7
+  ssl_enforcement_enabled      = true
+
+  # Enable Virtual Network service endpoint
+  virtual_network_subnet_id = var.subnet
+
+}
+
+# PostgreSQL Database
+resource "azurerm_postgresql_database" "postgres_db" {
+  name                = "postgresdb"
+  resource_group_name = data.azurerm_resource_group.rg.name
+  server_name         = azurerm_postgresql_server.postgres_server.name
+  charset             = "UTF8"
+  collation           = "English_United Kingdom.1252"
+}
+
+# Firewall rule for the PostgreSQL server, allowing 
+# db access to Azure services in same resource group
+resource "azurerm_postgresql_firewall_rule" "allow_azure" {
+  name                = "AllowAllAzureIps"
+  server_name         = azurerm_postgresql_server.postgres_server.name
+  resource_group_name = data.azurerm_resource_group.rg.name
+  start_ip_address    = "0.0.0.0"
+  end_ip_address      = "0.0.0.0"
+}
+
+resource "random_string" "setup_rds_password" {
+  length = 13
+
+  # Character set that excludes problematic characters like quotes, backslashes, etc.
+  override_special = "_!@#-$%^&*()[]{}"
+}
+
diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf
@@ -0,0 +1,30 @@
+variable "resource_group_name" {}
+variable "subnet" {}
+
+variable "db_username" {
+  type        = string
+  description = "Username of RDS Instance."
+  default     = "reportVisionDbUser"
+}
+
+variable "engine_version" {
+  description = "Postgres DB engine version."
+  default     = "11"
+}
+
+variable "location" {
+  type        = string
+  description = "Location of the resource."
+  default     = "eastus"
+}
+
+variable "sku_name" {
+  type        = string
+  description = "value"
+  default     = "B_Gen5_1" # Basic SKU, Gen5, 1 vCore
+}
+
+variable "subnet" {
+  description = "The subnet ID to associate with the PostgreSQL server"
+  type        = string
+}
diff --git a/ops/terraform/modules/vault.tf/data.tf b/ops/terraform/modules/vault.tf/data.tf
@@ -0,0 +1,3 @@
+data "azurerm_resource_group" "rg" {
+  name = var.resource_group_name
+}
diff --git a/ops/terraform/modules/vault.tf/main.tf b/ops/terraform/modules/vault.tf/main.tf
@@ -0,0 +1,39 @@
+resource "azurerm_key_vault" "key_vault" {
+  name                = "reportvision_keyvault"
+  location            = "eastus"
+  resource_group_name = data.azurerm_resource_group.rg.name
+  sku_name            = "standard"
+  tenant_id           = var.azure_tenant_id
+
+  access_policy {
+
+    object_id = var.object_id
+
+    key_permissions = [
+      "get"
+    ]
+
+    secret_permissions = [
+      "get"
+    ]
+  }
+}
+
+# Saves the random password into Azure Key Vault
+resource "azurerm_key_vault_secret" "postgres_password" {
+  name         = "postgres-password"
+  value        = azurerm_postgresql_server.postgres_db.administrator_login_password.result
+  key_vault_id = azurerm_key_vault.key_vault.id
+}
+
+# Define the Service Principal for which we are granting access
+resource "azurerm_azuread_application" "frontendapp" {
+  name = "frontend-application"
+  # TODO: Ask if the VITE_API_URL is the correct endpoint we are using
+  homepage        = var.vite_api_url
+  identifier_uris = [var.vite_api_url]
+}
+
+resource "azurerm_azuread_service_principal" "this" {
+  application_id = azurerm_azuread_application.frontendapp.application_id
+}
diff --git a/ops/terraform/modules/vault.tf/variables.tf b/ops/terraform/modules/vault.tf/variables.tf
@@ -0,0 +1,32 @@
+variable "resource_group_name" {}
+variable "azure_tenant_id" {}
+variable "object_id" {}
+variable "vite_api_url" {}
+
+variable "db_username" {
+  type        = string
+  description = "Username of RDS Instance."
+  default     = "reportVisionDbUser"
+}
+
+variable "engine_version" {
+  description = "Postgres DB engine version."
+  default     = "11"
+}
+
+variable "location" {
+  type        = string
+  description = "Location of the resource."
+  default     = "eastus"
+}
+
+variable "object_id" {
+  description = "The Azure Object ID"
+  type        = string
+}
+
+variable "sku_name" {
+  type        = string
+  description = "value"
+  default     = "B_Gen5_1" # Basic SKU, Gen5, 1 vCore
+}
diff --git a/ops/terraform/providers.tf b/ops/terraform/providers.tf
@@ -15,5 +15,9 @@ terraform {
 }
 
 provider "azurerm" {
-  features {}
+  features {
+    key_vault {
+      purge_soft_delete_on_destroy    = true
+      recover_soft_deleted_key_vaults = true
+  }
 }
diff --git a/ops/terraform/variables.tf b/ops/terraform/variables.tf
@@ -4,4 +4,6 @@ variable "resource_group_name" {
 
 variable "name" {}
 
-variable "sku_name" {}
+variable "sku_name" {}
+
+variable "azure_tenant_id" {}