[EC-357] - Moved core vpn resources to modular structure (#1102)

pagopa · Aug 5, 2024 · c28f3ef · c28f3ef
1 parent dcd2301
commit c28f3ef
Show file tree

Hide file tree

Showing 11 changed files with 258 additions and 36 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -15,3 +15,4 @@ repos:
           - --tf-init-args=-lockfile=readonly
           - --args=-json
           - --args=-no-color
+          - --hook-config=--retry-once-with-cleanup=true
diff --git a/src/core/README.md b/src/core/README.md
@@ -52,8 +52,6 @@
 | <a name="module_azdoa_li_infra"></a> [azdoa\_li\_infra](#module\_azdoa\_li\_infra) | github.com/pagopa/terraform-azurerm-v3//azure_devops_agent | v8.27.0 |
 | <a name="module_azdoa_loadtest_li"></a> [azdoa\_loadtest\_li](#module\_azdoa\_loadtest\_li) | github.com/pagopa/terraform-azurerm-v3//azure_devops_agent | v8.27.0 |
 | <a name="module_azdoa_snet"></a> [azdoa\_snet](#module\_azdoa\_snet) | github.com/pagopa/terraform-azurerm-v3//subnet | v8.27.0 |
-| <a name="module_dns_forwarder"></a> [dns\_forwarder](#module\_dns\_forwarder) | github.com/pagopa/terraform-azurerm-v3//dns_forwarder | v8.27.0 |
-| <a name="module_dns_forwarder_snet"></a> [dns\_forwarder\_snet](#module\_dns\_forwarder\_snet) | github.com/pagopa/terraform-azurerm-v3//subnet | v8.27.0 |
 | <a name="module_event_hub"></a> [event\_hub](#module\_event\_hub) | github.com/pagopa/terraform-azurerm-v3//eventhub | v8.27.0 |
 | <a name="module_eventhub_snet"></a> [eventhub\_snet](#module\_eventhub\_snet) | github.com/pagopa/terraform-azurerm-v3//subnet | v8.27.0 |
 | <a name="module_locked_profiles_storage"></a> [locked\_profiles\_storage](#module\_locked\_profiles\_storage) | github.com/pagopa/terraform-azurerm-v3//storage_account | v8.27.0 |
@@ -62,8 +60,6 @@
 | <a name="module_storage_api"></a> [storage\_api](#module\_storage\_api) | github.com/pagopa/terraform-azurerm-v3//storage_account | v8.27.0 |
 | <a name="module_storage_api_object_replication_to_replica"></a> [storage\_api\_object\_replication\_to\_replica](#module\_storage\_api\_object\_replication\_to\_replica) | github.com/pagopa/terraform-azurerm-v3//storage_object_replication | v8.27.0 |
 | <a name="module_storage_api_replica"></a> [storage\_api\_replica](#module\_storage\_api\_replica) | github.com/pagopa/terraform-azurerm-v3//storage_account | v8.27.0 |
-| <a name="module_vpn"></a> [vpn](#module\_vpn) | github.com/pagopa/terraform-azurerm-v3//vpn_gateway | v8.27.0 |
-| <a name="module_vpn_snet"></a> [vpn\_snet](#module\_vpn\_snet) | github.com/pagopa/terraform-azurerm-v3//subnet | v8.27.0 |
 | <a name="module_web_test_api"></a> [web\_test\_api](#module\_web\_test\_api) | github.com/pagopa/terraform-azurerm-v3//application_insights_web_test_preview | v8.29.1 |
 
 ## Resources
@@ -169,7 +165,6 @@
 | [azurerm_subnet_network_security_group_association.snet_nsg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association) | resource |
 | [azurerm_user_assigned_identity.appgateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
 | [azurerm_web_application_firewall_policy.api_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/web_application_firewall_policy) | resource |
-| [azuread_application.vpn_app](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application) | data source |
 | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_service_principal.app_gw_uai_kvreader](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |

diff --git a/src/core/_modules/vpn/data.tf b/src/core/_modules/vpn/data.tf
@@ -0,0 +1,3 @@
+data "azuread_application" "vpn_app" {
+  display_name = "${var.prefix}-${var.env_short}-app-vpn"
+}
diff --git a/src/core/_modules/vpn/locals.tf b/src/core/_modules/vpn/locals.tf
@@ -0,0 +1,9 @@
+locals {
+  nonstandard = {
+    weu = {
+      vpn                = "${var.project}-vpn"
+      dns_forwarder_snet = "${var.project}-dnsforwarder"
+      dns_forwarder      = "${var.project}-dns-forwarder"
+    }
+  }
+}
diff --git a/src/core/vpn.tf → src/core/_modules/vpn/main.tf b/src/core/vpn.tf → src/core/_modules/vpn/main.tf
@@ -1,25 +1,21 @@
-data "azuread_application" "vpn_app" {
-  display_name = format("%s-app-vpn", local.project)
-}
-
 ## VPN
 
 module "vpn_snet" {
-  source                                    = "github.com/pagopa/terraform-azurerm-v3//subnet?ref=v8.27.0"
+  source                                    = "github.com/pagopa/terraform-azurerm-v3//subnet?ref=v8.33.1"
   name                                      = "GatewaySubnet"
-  address_prefixes                          = var.cidr_subnet_vpn
-  resource_group_name                       = azurerm_resource_group.rg_common.name
-  virtual_network_name                      = data.azurerm_virtual_network.common.name
+  address_prefixes                          = var.vpn_cidr_subnet
+  resource_group_name                       = var.resource_group_name
+  virtual_network_name                      = var.vnet_common.name
   service_endpoints                         = []
   private_endpoint_network_policies_enabled = false
 }
 
 module "vpn" {
-  source = "github.com/pagopa/terraform-azurerm-v3//vpn_gateway?ref=v8.27.0"
+  source = "github.com/pagopa/terraform-azurerm-v3//vpn_gateway?ref=v8.33.0"
 
-  name                = format("%s-vpn", local.project)
+  name                = try(local.nonstandard[var.location_short].vpn, "${var.project}-vgw-01")
   location            = var.location
-  resource_group_name = azurerm_resource_group.rg_common.name
+  resource_group_name = var.resource_group_name
   sku                 = var.vpn_sku
   pip_sku             = var.vpn_pip_sku
   subnet_id           = module.vpn_snet.id
@@ -29,8 +25,8 @@ module "vpn" {
       address_space         = ["172.16.2.0/24"],
       vpn_client_protocols  = ["OpenVPN"],
       aad_audience          = data.azuread_application.vpn_app.application_id
-      aad_issuer            = format("https://sts.windows.net/%s/", data.azurerm_subscription.current.tenant_id)
-      aad_tenant            = format("https://login.microsoftonline.com/%s", data.azurerm_subscription.current.tenant_id)
+      aad_issuer            = "https://sts.windows.net/${var.subscription_current.tenant_id}/"
+      aad_tenant            = "https://login.microsoftonline.com/${var.subscription_current.tenant_id}"
       radius_server_address = null
       radius_server_secret  = null
       revoked_certificate   = []
@@ -43,11 +39,11 @@ module "vpn" {
 
 ## DNS FORWARDER
 module "dns_forwarder_snet" {
-  source                                    = "github.com/pagopa/terraform-azurerm-v3//subnet?ref=v8.27.0"
-  name                                      = format("%s-dnsforwarder", local.project)
-  address_prefixes                          = var.cidr_subnet_dnsforwarder
-  resource_group_name                       = azurerm_resource_group.rg_common.name
-  virtual_network_name                      = data.azurerm_virtual_network.common.name
+  source                                    = "github.com/pagopa/terraform-azurerm-v3//subnet?ref=v8.33.1"
+  name                                      = try(local.nonstandard[var.location_short].dns_forwarder_snet, "${var.project}-dns-forwarder-snet-01")
+  address_prefixes                          = var.dnsforwarder_cidr_subnet
+  resource_group_name                       = var.resource_group_name
+  virtual_network_name                      = var.vnet_common.name
   private_endpoint_network_policies_enabled = false
 
   delegation = {
@@ -60,10 +56,10 @@ module "dns_forwarder_snet" {
 }
 
 module "dns_forwarder" {
-  source              = "github.com/pagopa/terraform-azurerm-v3//dns_forwarder?ref=v8.27.0"
-  name                = format("%s-dns-forwarder", local.project)
+  source              = "github.com/pagopa/terraform-azurerm-v3//dns_forwarder?ref=v8.33.1"
+  name                = try(local.nonstandard[var.location_short].dns_forwarder, "${var.project}-dns-forwarder-ci-01")
   location            = var.location
-  resource_group_name = azurerm_resource_group.rg_common.name
+  resource_group_name = var.resource_group_name
   subnet_id           = module.dns_forwarder_snet.id
 
   tags = var.tags

diff --git a/src/core/_modules/vpn/variables.tf b/src/core/_modules/vpn/variables.tf
@@ -0,0 +1,82 @@
+variable "project" {
+  type        = string
+  description = "IO prefix, short environment and short location"
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix for resources"
+  validation {
+    condition = (
+      length(var.prefix) < 6
+    )
+    error_message = "Max length is 6 chars."
+  }
+}
+
+variable "env_short" {
+  type = string
+  validation {
+    condition = (
+      length(var.env_short) == 1
+    )
+    error_message = "Length must be 1 chars."
+  }
+}
+
+variable "location" {
+  type        = string
+  description = "Azure region"
+}
+
+variable "location_short" {
+  type        = string
+  description = "Azure region short name"
+}
+
+variable "tags" {
+  type        = map(any)
+  description = "Resource tags"
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "Resource group name for VNet"
+}
+
+variable "subscription_current" {
+  description = "Current subscription information"
+}
+
+## VPN ##
+variable "vnet_common" {
+  type = object({
+    id                  = string
+    name                = string
+    address_space       = list(string)
+    resource_group_name = string
+  })
+  description = "Information of the common VNet"
+}
+
+variable "vpn_sku" {
+  type        = string
+  default     = "VpnGw1"
+  description = "VPN Gateway SKU"
+}
+
+variable "vpn_pip_sku" {
+  type        = string
+  default     = "Basic"
+  description = "VPN GW PIP SKU"
+}
+
+variable "vpn_cidr_subnet" {
+  type        = list(string)
+  description = "VPN network address space."
+}
+
+variable "dnsforwarder_cidr_subnet" {
+  type        = list(string)
+  description = "DNS Forwarder network address space."
+}
diff --git a/src/core/prod/.terraform.lock.hcl b/src/core/prod/.terraform.lock.hcl
diff --git a/src/core/prod/README.md b/src/core/prod/README.md
@@ -17,6 +17,7 @@
 | <a name="module_networking_weu"></a> [networking\_weu](#module\_networking\_weu) | ../_modules/networking | n/a |
 | <a name="module_vnet_peering_itn"></a> [vnet\_peering\_itn](#module\_vnet\_peering\_itn) | ../_modules/vnet_peering | n/a |
 | <a name="module_vnet_peering_weu"></a> [vnet\_peering\_weu](#module\_vnet\_peering\_weu) | ../_modules/vnet_peering | n/a |
+| <a name="module_vpn_weu"></a> [vpn\_weu](#module\_vpn\_weu) | ../_modules/vpn | n/a |
 
 ## Resources
 
@@ -26,7 +27,8 @@
 | [azurerm_api_management.apim_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
 | [azurerm_public_ip.appgateway_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/public_ip) | data source |
-| [azurerm_resource_group.vnet_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_resource_group.common_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 | [azurerm_virtual_network.weu_beta](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 | [azurerm_virtual_network.weu_prod01](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 

diff --git a/src/core/prod/data.tf b/src/core/prod/data.tf
@@ -1,5 +1,7 @@
 data "azurerm_client_config" "current" {}
 
+data "azurerm_subscription" "current" {}
+
 data "azurerm_virtual_network" "weu_beta" {
   name                = "${local.project_weu}-beta-vnet"
   resource_group_name = "${local.project_weu}-beta-vnet-rg"

diff --git a/src/core/prod/refactor.tf b/src/core/prod/refactor.tf
@@ -0,0 +1,24 @@
+import {
+  to = module.vpn_weu.module.dns_forwarder.azurerm_container_group.this
+  id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.ContainerInstance/containerGroups/io-p-dns-forwarder"
+}
+
+import {
+  to = module.vpn_weu.module.dns_forwarder_snet.azurerm_subnet.this
+  id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/virtualNetworks/io-p-vnet-common/subnets/io-p-dnsforwarder"
+}
+
+import {
+  to = module.vpn_weu.module.vpn.azurerm_public_ip.gw[0]
+  id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/publicIPAddresses/io-p-vpn-gw-pip"
+}
+
+import {
+  to = module.vpn_weu.module.vpn.azurerm_virtual_network_gateway.gw
+  id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/virtualNetworkGateways/io-p-vpn-gw"
+}
+
+import {
+  to = module.vpn_weu.module.vpn_snet.azurerm_subnet.this
+  id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/virtualNetworks/io-p-vnet-common/subnets/GatewaySubnet"
+}