Update Core Subnets Creation and upgrade core Terraform to 4.14.0 #4255

Draft
wants to merge 9 commits into
base: main
29 changes: 14 additions & 15 deletions core/terraform/.terraform.lock.hcl


4 changes: 2 additions & 2 deletions core/terraform/cosmos_mongo.tf
Expand Up @@ -6,8 +6,8 @@ resource "azurerm_cosmosdb_account" "mongo" {
kind = "MongoDB"
automatic_failover_enabled = false
mongo_server_version = 4.2
ip_range_filter = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"

ip_range_filter = toset(var.enable_local_debugging ? concat(split(",", local.azure_portal_cosmos_ips), [local.myip]) : split(",", local.azure_portal_cosmos_ips))
capabilities {
name = "EnableServerless"
}
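Review bot: The new `ip_range_filter` expression repeats `split(",", local.azure_portal_cosmos_ips)` in both arms of the conditional, which makes the allow-list harder to audit; it reads more plainly as `ip_range_filter = toset(concat(split(",", local.azure_portal_cosmos_ips), var.enable_local_debugging ? [local.myip] : []))`. If `local.azure_portal_cosmos_ips` can contain whitespace after the commas (it is defined outside this hunk, so I cannot tell), `split` keeps that whitespace in the set elements and the provider may reject or mis-apply those entries; mapping `trimspace` over the split result would make the conversion safe. The `azurerm_cosmosdb_account` resource begins above and ends below the hunk.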
2 changes: 1 addition & 1 deletion core/terraform/main.tf
Expand Up @@ -3,7 +3,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "=3.117.0"
version = "=4.14.0"
}
random = {
source = "hashicorp/random"
22 changes: 22 additions & 0 deletions core/terraform/network/.terraform.lock.hcl


2 changes: 1 addition & 1 deletion core/terraform/network/main.tf
Expand Up @@ -3,7 +3,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">= 3.117"
version = "= 4.14.0"
}
}
}
214 changes: 92 additions & 122 deletions core/terraform/network/network.tf
Expand Up @@ -5,146 +5,112 @@ resource "azurerm_virtual_network" "core" {
address_space = [var.core_address_space]
tags = local.tre_core_tags
lifecycle { ignore_changes = [tags] }
}

resource "azurerm_subnet" "bastion" {
name = "AzureBastionSubnet"
virtual_network_name = azurerm_virtual_network.core.name
resource_group_name = var.resource_group_name
address_prefixes = [local.bastion_subnet_address_prefix]
}
subnet {
name = "AzureBastionSubnet"
address_prefixes = [local.bastion_subnet_address_prefix]
security_group = azurerm_network_security_group.bastion.id
}

resource "azurerm_subnet" "azure_firewall" {
name = "AzureFirewallSubnet"
virtual_network_name = azurerm_virtual_network.core.name
resource_group_name = var.resource_group_name
address_prefixes = [local.firewall_subnet_address_space]
depends_on = [azurerm_subnet.bastion]
}
subnet {
name = "AzureFirewallSubnet"
address_prefixes = [local.firewall_subnet_address_space]
}

resource "azurerm_subnet" "app_gw" {
name = "AppGwSubnet"
virtual_network_name = azurerm_virtual_network.core.name
resource_group_name = var.resource_group_name
address_prefixes = [local.app_gw_subnet_address_prefix]
private_endpoint_network_policies = "Disabled"
private_link_service_network_policies_enabled = true
depends_on = [azurerm_subnet.azure_firewall]
}
subnet {
name = "AppGwSubnet"
address_prefixes = [local.app_gw_subnet_address_prefix]
private_endpoint_network_policies = "Disabled"
private_link_service_network_policies_enabled = true
security_group = azurerm_network_security_group.app_gw.id
}

resource "azurerm_subnet" "web_app" {
name = "WebAppSubnet"
virtual_network_name = azurerm_virtual_network.core.name
resource_group_name = var.resource_group_name
address_prefixes = [local.web_app_subnet_address_prefix]
private_endpoint_network_policies = "Disabled"
private_link_service_network_policies_enabled = true
depends_on = [azurerm_subnet.app_gw]

delegation {
name = "delegation"

service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
subnet {
name = "WebAppSubnet"
address_prefixes = [local.web_app_subnet_address_prefix]
private_endpoint_network_policies = "Disabled"
private_link_service_network_policies_enabled = true
security_group = azurerm_network_security_group.default_rules.id

delegation {
name = "delegation"

service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}
}
}

resource "azurerm_subnet" "shared" {
name = "SharedSubnet"
virtual_network_name = azurerm_virtual_network.core.name
resource_group_name = var.resource_group_name
address_prefixes = [local.shared_services_subnet_address_prefix]
# notice that private endpoints do not adhere to NSG rules
private_endpoint_network_policies = "Disabled"
depends_on = [azurerm_subnet.web_app]
}
subnet {
name = "SharedSubnet"
address_prefixes = [local.shared_services_subnet_address_prefix]
private_endpoint_network_policies = "Disabled"
security_group = azurerm_network_security_group.default_rules.id
}

resource "azurerm_subnet" "resource_processor" {
name = "ResourceProcessorSubnet"
virtual_network_name = azurerm_virtual_network.core.name
resource_group_name = var.resource_group_name
address_prefixes = [local.resource_processor_subnet_address_prefix]
# notice that private endpoints do not adhere to NSG rules
private_endpoint_network_policies = "Disabled"
depends_on = [azurerm_subnet.shared]
}
subnet {
name = "ResourceProcessorSubnet"
address_prefixes = [local.resource_processor_subnet_address_prefix]
private_endpoint_network_policies = "Disabled"
security_group = azurerm_network_security_group.default_rules.id
}

resource "azurerm_subnet" "airlock_processor" {
name = "AirlockProcessorSubnet"
virtual_network_name = azurerm_virtual_network.core.name
resource_group_name = var.resource_group_name
address_prefixes = [local.airlock_processor_subnet_address_prefix]
# notice that private endpoints do not adhere to NSG rules
private_endpoint_network_policies = "Disabled"
depends_on = [azurerm_subnet.resource_processor]

delegation {
name = "delegation"

service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
subnet {
name = "AirlockProcessorSubnet"
address_prefixes = [local.airlock_processor_subnet_address_prefix]
private_endpoint_network_policies = "Disabled"
security_group = azurerm_network_security_group.default_rules.id

delegation {
name = "delegation"

service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}

service_endpoints = ["Microsoft.Storage"]
}

# Todo: needed as we want to open the fw for this subnet in some of the airlock storages (export inprogress)
# https://github.com/microsoft/AzureTRE/issues/2098
service_endpoints = ["Microsoft.Storage"]
}
subnet {
name = "AirlockNotifiactionSubnet"
address_prefixes = [local.airlock_notifications_subnet_address_prefix]
private_endpoint_network_policies = "Disabled"
security_group = azurerm_network_security_group.default_rules.id

resource "azurerm_subnet" "airlock_notification" {
name = "AirlockNotifiactionSubnet"
virtual_network_name = azurerm_virtual_network.core.name
resource_group_name = var.resource_group_name
address_prefixes = [local.airlock_notifications_subnet_address_prefix]
# notice that private endpoints do not adhere to NSG rules
private_endpoint_network_policies = "Disabled"
depends_on = [azurerm_subnet.airlock_processor]

delegation {
name = "delegation"

service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
delegation {
name = "delegation"

service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}
service_endpoints = ["Microsoft.ServiceBus"]
}
service_endpoints = ["Microsoft.ServiceBus"]
}

resource "azurerm_subnet" "airlock_storage" {
name = "AirlockStorageSubnet"
virtual_network_name = azurerm_virtual_network.core.name
resource_group_name = var.resource_group_name
address_prefixes = [local.airlock_storage_subnet_address_prefix]
# notice that private endpoints do not adhere to NSG rules
private_endpoint_network_policies = "Disabled"
depends_on = [azurerm_subnet.airlock_notification]
}
subnet {
name = "AirlockStorageSubnet"
address_prefixes = [local.airlock_storage_subnet_address_prefix]
private_endpoint_network_policies = "Disabled"
security_group = azurerm_network_security_group.default_rules.id
}

resource "azurerm_subnet" "airlock_events" {
name = "AirlockEventsSubnet"
virtual_network_name = azurerm_virtual_network.core.name
resource_group_name = var.resource_group_name
address_prefixes = [local.airlock_events_subnet_address_prefix]
# notice that private endpoints do not adhere to NSG rules
private_endpoint_network_policies = "Disabled"
depends_on = [azurerm_subnet.airlock_storage]

# Eventgrid CAN'T send messages over private endpoints, hence we need to allow service endpoints to the service bus
# We are using service endpoints + managed identity to send these messaages
# https://docs.microsoft.com/en-us/azure/event-grid/consume-private-endpoints
service_endpoints = ["Microsoft.ServiceBus"]
}
subnet {
name = "AirlockEventsSubnet"
address_prefixes = [local.airlock_events_subnet_address_prefix]
private_endpoint_network_policies = "Disabled"
security_group = azurerm_network_security_group.default_rules.id

service_endpoints = ["Microsoft.ServiceBus"]
}

resource "azurerm_subnet" "firewall_management" {
name = "AzureFirewallManagementSubnet"
virtual_network_name = azurerm_virtual_network.core.name
resource_group_name = var.resource_group_name
address_prefixes = [local.firewall_management_subnet_address_prefix]
depends_on = [azurerm_subnet.airlock_events]
subnet {
name = "AzureFirewallManagementSubnet"
address_prefixes = [local.firewall_management_subnet_address_prefix]
}
}

resource "azurerm_ip_group" "resource_processor" {
Expand Down Expand Up @@ -187,3 +153,7 @@ module "terraform_azurerm_environment_configuration" {
source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0"
arm_environment = var.arm_environment
}

locals {
subnet_ids_map = { for s in azurerm_virtual_network.core.subnet : s.name => s.id }
}
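Review bot: The inline `subnet {}` blocks drop the explanatory comments the removed `azurerm_subnet` resources carried — `# notice that private endpoints do not adhere to NSG rules` above each `private_endpoint_network_policies = "Disabled"`, the `# Todo ... https://github.com/microsoft/AzureTRE/issues/2098` note that justifies `service_endpoints = ["Microsoft.Storage"]` on AirlockProcessorSubnet, and the Event Grid comment (`# Eventgrid CAN'T send messages over private endpoints ...`) that justifies `service_endpoints = ["Microsoft.ServiceBus"]` on AirlockEventsSubnet. Each of these documents a deliberate widening of the network boundary (NSG bypass for private endpoints, service endpoints out of the subnet), so they should be carried over to the corresponding inline blocks rather than lost. Separately, moving subnets from standalone resources into nested blocks of `azurerm_virtual_network.core` changes their state addresses, so on an existing deployment Terraform will plan to destroy and recreate every core subnet unless the old resources are removed from state (or the VNet re-imported) before apply; the PR should state the intended upgrade path. The `azurerm_virtual_network.core` resource starts above the hunk, and any remaining `azurerm_subnet_network_security_group_association` resources that now overlap the new `security_group` attributes are not visible here, so I cannot confirm they were removed in the same change.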