[#DEVEX-116] Create Dev APIM and bind OpenAPI specs and default Policy #22
Conversation
| @@ -10,7 +10,7 @@ on: | |||
| - ready_for_review | |||
| paths: | |||
| # Trigger the workflow when resources are modified | |||
| - "infra/resources/**" | |||
| - "infra/resources/prod/westeurope/**" | |||
There was a problem hiding this comment.
Please get rid of line 25 as well
There was a problem hiding this comment.
yep, we need to remove the region parameter (westeurope) which is not used in the new workflow
| ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} | ||
| with: | ||
| environment: dev | ||
| region: italynorth |
| "ARM_SUBSCRIPTION_ID" = data.azurerm_subscription.current.subscription_id | ||
| "ARM_TENANT_ID" = data.azurerm_client_config.current.tenant_id, | ||
| "ARM_SUBSCRIPTION_ID" = data.azurerm_subscription.current.subscription_id | ||
| "ARM_DEV_SUBSCRIPTION_ID" = data.azurerm_subscription.dev.subscription_id |
There was a problem hiding this comment.
we need another identity and another github environment to manage DEV-IO as current identities have roles on PROD-IO only
There was a problem hiding this comment.
why dx-typescript runners have roles on PROD-IO ?
There was a problem hiding this comment.
we have moved the state into DEV-ENGINEERING subscription
| subscription_required = false # Public API | ||
|
|
||
| content_format = "openapi" | ||
| content_value = templatefile("../../../../apps/azure-functions-api/api/external.yaml", |
There was a problem hiding this comment.
Not sure if it works, probably you need to use ${path.module} or anything similar
There was a problem hiding this comment.
does this update the resource during apply if the content changes?
| } | ||
| ) | ||
|
|
||
| xml_content = file("../../../../apps/azure-functions-api/api/policy/default.xml") |
| @@ -0,0 +1,18 @@ | |||
| resource "azurerm_resource_group" "sec_rg" { | |||
There was a problem hiding this comment.
I wouldn't use another resource group
| publisher_email = data.azurerm_key_vault_secret.apim_publisher_email.value | ||
| notification_sender_email = data.azurerm_key_vault_secret.apim_publisher_email.value | ||
| sku_name = "Developer_1" | ||
| virtual_network_type = "Internal" |
There was a problem hiding this comment.
Do we need a private endpoint here?
| "ARM_SUBSCRIPTION_ID" = data.azurerm_subscription.current.subscription_id | ||
| "ARM_TENANT_ID" = data.azurerm_client_config.current.tenant_id, | ||
| "ARM_SUBSCRIPTION_ID" = data.azurerm_subscription.current.subscription_id | ||
| "ARM_DEV_SUBSCRIPTION_ID" = data.azurerm_subscription.dev.subscription_id |
There was a problem hiding this comment.
why dx-typescript runners have roles on PROD-IO ?
| @@ -32,3 +32,7 @@ provider "github" { | |||
| data "azurerm_client_config" "current" {} | |||
|
|
|||
| data "azurerm_subscription" "current" {} | |||
|
|
|||
| data "azurerm_subscription" "dev" { | |||
| subscription_id = "a4e96bcd-59dc-4d66-b2f7-5547ad157c12" # DEV-IO | |||
| subscription_required = false # Public API | ||
|
|
||
| content_format = "openapi" | ||
| content_value = templatefile("../../../../apps/azure-functions-api/api/external.yaml", |
There was a problem hiding this comment.
does this update the resource during apply if the content changes?
|
| @@ -10,7 +10,7 @@ on: | |||
| - ready_for_review | |||
| paths: | |||
| # Trigger the workflow when resources are modified | |||
| - "infra/resources/**" | |||
| - "infra/resources/prod/westeurope/**" | |||
There was a problem hiding this comment.
yep, we need to remove the region parameter (westeurope) which is not used in the new workflow
| ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} | ||
| with: | ||
| environment: dev | ||
| region: italynorth |
There was a problem hiding this comment.
| region: italynorth |
| "ARM_SUBSCRIPTION_ID" = data.azurerm_subscription.current.subscription_id | ||
| "ARM_TENANT_ID" = data.azurerm_client_config.current.tenant_id, | ||
| "ARM_SUBSCRIPTION_ID" = data.azurerm_subscription.current.subscription_id | ||
| "ARM_DEV_SUBSCRIPTION_ID" = data.azurerm_subscription.dev.subscription_id |
There was a problem hiding this comment.
we have moved the state into DEV-ENGINEERING subscription
| protocols = ["http", "https"] | ||
| product_ids = [module.apim_product_example_api.product_id] | ||
|
|
||
| service_url = null |
There was a problem hiding this comment.
what's this? (I'd add a comment)
| ] | ||
| } | ||
|
|
||
| resource "azurerm_network_security_group" "nsg_apim" { |
There was a problem hiding this comment.
I'd add a comment on what's happening here
| allocation_method = "Static" | ||
| sku = "Standard" | ||
| domain_name_label = "apimdx" | ||
| zones = ["1", "2", "3"] |
| default_ssl_binding = false | ||
| host_name = format("%s-apim-api.azure-api.net", local.project) | ||
| key_vault_id = null | ||
| }, | ||
| ] | ||
| developer_portal = null | ||
| management = null | ||
| portal = null |
There was a problem hiding this comment.
I'd add some comments to clarify the reason of this params
|
|
||
| autoscale = local.apim_autoscale | ||
|
|
||
| alerts_enabled = local.apim_alerts_enabled |
There was a problem hiding this comment.
as an example? probably. A nice to have would be to have this logic inside a more abstract APIM module (with presets for autoscaling + preconfigured alerts)
| resource_group_name = "terraform-state-rg" | ||
| storage_account_name = "tfdevdx" | ||
| container_name = "terraform-state" | ||
| key = "dx-typescript.resources.dev.italynorth.tfstate" |
A test development APIM is created under
DEV-IOsubscription.Created all the related resources.
Use default empty policy for product and api.
The function OpenAPI specification are divided into internal and external. The internal spec describe how the API are implemented al the application level, instead the external describe as the API are served outside the APIM.
Updated the pipeline to handle the new environment
dev/italynorthfor the resources.