[Feature] Add Service Bus, Container Apps and Container Registry Terraform modules (#12)

* feat: initial aca module

* feat: initial acr module

* feat: initial service bus module

* feat: add aca ingress and workload profile config

* feat: add additional acr network settings and formatting

* feat: add zone redundancy to service bus

* feat: add private dns to aca and separate dev and prod envs

* feat: update acr networking options

* feat: add prod options for service bus

* feat: add comments to modules

* feat: update acr output description

Author: ibersanoMS

infra/dev/shared/terraform/modules/aca/main.tf

@@ -0,0 +1,146 @@
+terraform {
+  required_providers {
+    azurecaf = {
+      source  = "aztfmod/azurecaf"
+      version = "1.2.26"
+    }
+  }
+}
+
+# Create Azure Container Apps Environment in Dev
+
+resource "azurerm_container_app_environment" "container_app_environment_dev" {
+  count                      = var.environment == "dev" ? 1 : 0
+  name                       = var.application_name
+  location                   = var.location
+  resource_group_name        = var.resource_group
+  log_analytics_workspace_id = var.log_analytics_workspace_id
+
+  workload_profile {
+    name                  = "Consumption"
+    workload_profile_type = "Consumption"
+  }
+}
+
+# Create Azure Container Apps Environment in Prod
+
+resource "azurerm_container_app_environment" "container_app_environment_prod" {
+  count                      = var.environment == "prod" ? 1 : 0
+  name                       = var.application_name
+  location                   = var.location
+  resource_group_name        = var.resource_group
+  log_analytics_workspace_id = var.log_analytics_workspace_id
+  zone_redundancy_enabled    = true
+
+  internal_load_balancer_enabled = var.isNetworkIsolated
+  infrastructure_subnet_id       = var.infrastructure_subnet_id
+
+  workload_profile {
+    name                  = "Consumption"
+    workload_profile_type = "Consumption"
+  }
+}
+
+# Create Azure Container App in the specified environment
+
+resource "azurerm_container_app" "container_app" {
+  name                         = "email-processor"
+  container_app_environment_id = var.environment == "dev" ? azurerm_container_app_environment.container_app_environment_dev[0].id : azurerm_container_app_environment.container_app_environment_prod[0].id
+  resource_group_name          = var.resource_group
+  revision_mode                = "Single"
+  workload_profile_name        = "Consumption"
+  ingress {
+    allow_insecure_connections = false
+    external_enabled           = true
+    target_port                = 80
+    traffic_weight {
+      percentage      = 100
+      latest_revision = true
+    }
+  }
+  tags = {
+    "environment"      = var.environment
+    "application-name" = var.application_name
+    "azd-service-name" = "email-processor"
+  }
+
+  lifecycle {
+    ignore_changes = [
+      template.0.container["image"]
+    ]
+  }
+
+  identity {
+    type = "SystemAssigned, UserAssigned"
+    identity_ids = [
+      var.container_registry_user_assigned_identity_id
+    ]
+  }
+
+  registry {
+    server   = var.acr_login_server
+    identity = var.container_registry_user_assigned_identity_id
+  }
+
+  secret {
+    name  = "azure-servicebus-connection-string"
+    value = var.servicebus_namespace_primary_connection_string
+  }
+
+  template {
+    container {
+      name = "email-processor-app"
+
+      // A container image is required to deploy the ACA resource.
+      // Since the rendering service image is not available yet,
+      // we use a placeholder image for now.
+      image  = "mcr.microsoft.com/cbl-mariner/busybox:2.0"
+      cpu    = 1.0
+      memory = "2.0Gi"
+      env {
+        name  = "AZURE_SERVICEBUS_NAMESPACE"
+        value = var.servicebus_namespace
+      }
+      env {
+        name  = "AZURE_SERVICEBUS_EMAIL_REQUEST_QUEUE_NAME"
+        value = var.email_request_queue_name
+      }
+      env {
+        name  = "AZURE_SERVICEBUS_EMAIL_RESPONSE_QUEUE_NAME"
+        value = var.email_response_queue_name
+      }
+    }
+    max_replicas = 10
+    min_replicas = 1
+
+    custom_scale_rule {
+      name             = "service-bus-queue-length-rule"
+      custom_rule_type = "azure-servicebus"
+      metadata = {
+        messageCount = 10
+        namespace    = var.servicebus_namespace
+        queueName    = var.email_request_queue_name
+      }
+      authentication {
+        secret_name       = "azure-servicebus-connection-string"
+        trigger_parameter = "connection"
+      }
+    }
+  }
+}
+
+# Create Private DNS Zone for Azure Container Apps in Prod if internal load balancer is enabled
+
+resource "azurerm_private_dns_zone" "dns_for_aca" {
+  count               = var.environment == "prod" && var.isNetworkIsolated ? 1 : 0
+  name                = var.environment == "prod" ? azurerm_container_app_environment.container_app_environment_prod[0].default_domain : azurerm_container_app_environment.container_app_environment_dev[0].default_domain
+  resource_group_name = var.resource_group
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "virtual_network_link_aca" {
+  count                 = var.environment == "prod" && var.isNetworkIsolated ? 1 : 0
+  name                  = "privatelink.azurecr.io"
+  private_dns_zone_name = azurerm_private_dns_zone.dns_for_aca[0].name
+  virtual_network_id    = var.spoke_vnet_id
+  resource_group_name   = var.resource_group
+}

infra/dev/shared/terraform/modules/aca/outputs.tf

@@ -0,0 +1,3 @@
+output "identity_principal_id" {
+  value = azurerm_container_app.container_app.identity[0].principal_id
+}

infra/dev/shared/terraform/modules/aca/variables.tf

@@ -0,0 +1,73 @@
+variable "resource_group" {
+  type        = string
+  description = "The resource group"
+}
+
+variable "environment" {
+  type        = string
+  description = "The environment (dev, test, prod...)"
+  default     = "dev"
+}
+
+variable "location" {
+  type        = string
+  description = "The Azure region where all resources in this example should be created"
+}
+
+variable "application_name" {
+  type        = string
+  description = "The name of your application"
+}
+
+variable "log_analytics_workspace_id" {
+  type        = string
+  description = "The ID of the Log Analytics workspace"
+}
+
+variable "acr_login_server" {
+  type        = string
+  description = "The login server of the Azure Container Registry"
+}
+
+variable "container_registry_user_assigned_identity_id" {
+  type        = string
+  description = "The ID of the user-assigned identity for the Azure Container Registry"
+}
+
+variable "servicebus_namespace_primary_connection_string" {
+  type        = string
+  description = "The primary connection string of the Azure Service Bus namespace"
+}
+
+variable "servicebus_namespace" {
+  type        = string
+  description = "The name of the Azure Service Bus namespace"
+}
+
+variable "email_request_queue_name" {
+  type        = string
+  description = "The name of the email request queue"
+}
+
+variable "email_response_queue_name" {
+  type        = string
+  description = "The name of the email response queue"
+}
+
+variable "isNetworkIsolated" {
+  type        = bool
+  description = "Indicates if the container app should be network isolated"
+  default     = false
+}
+
+variable "infrastructure_subnet_id" {
+  type        = string
+  description = "The ID of the subnet where the infrastructure resources should be created"
+  default     = null
+}
+
+variable "spoke_vnet_id" {
+  type        = string
+  description = "The ID of the spoke VNET"
+  default     = null
+}

infra/dev/shared/terraform/modules/acr/main.tf

@@ -0,0 +1,112 @@
+terraform {
+  required_providers {
+    azurecaf = {
+      source  = "aztfmod/azurecaf"
+      version = "1.2.26"
+    }
+  }
+}
+
+data "azuread_client_config" "current" {}
+
+# Create Azure Container Registry
+
+resource "azurerm_container_registry" "acr" {
+  name                = var.application_name
+  resource_group_name = var.resource_group
+  location            = var.location
+
+  sku = var.environment == "prod" ? "Premium" : "Basic"
+
+  admin_enabled                 = false
+  network_rule_bypass_option    = "AzureServices"
+  public_network_access_enabled = var.environment == "prod" ? false : true
+  zone_redundancy_enabled       = var.environment == "prod" ? true : false
+
+  dynamic "georeplications" {
+    for_each = var.georeplications
+    content {
+      location = georeplications.value.location
+    }
+
+  }
+  dynamic "network_rule_set" {
+    for_each = var.network_rules != null ? { this = var.network_rules } : {}
+    content {
+      default_action = network_rule_set.value.default_action
+
+      dynamic "ip_rule" {
+        for_each = network_rule_set.value.ip_rules
+        content {
+          action   = ip_rule.value.action
+          ip_range = ip_rule.value.ip_range
+        }
+      }
+    }
+  }
+}
+
+# Create role assignments
+
+resource "azurerm_role_assignment" "container_app_acr_pull" {
+  principal_id         = var.aca_identity_principal_id
+  role_definition_name = "AcrPull"
+  scope                = azurerm_container_registry.acr.id
+}
+
+resource "azurerm_user_assigned_identity" "container_registry_user_assigned_identity" {
+  name                = "ContainerRegistryUserAssignedIdentity"
+  resource_group_name = var.resource_group
+  location            = var.location
+}
+
+resource "azurerm_role_assignment" "container_registry_user_assigned_identity_acr_pull" {
+  scope                = azurerm_container_registry.acr.id
+  role_definition_name = "AcrPull"
+  principal_id         = azurerm_user_assigned_identity.container_registry_user_assigned_identity.principal_id
+}
+
+
+# For demo purposes, allow current user access to the container registry
+# Note: when running as a service principal, this is also needed
+resource "azurerm_role_assignment" "acr_contributor_user_role_assignement" {
+  scope                = azurerm_container_registry.acr.id
+  role_definition_name = "Contributor"
+  principal_id         = data.azuread_client_config.current.object_id
+}
+
+# Create Private DNS Zone and Endpoint for ACR
+
+resource "azurerm_private_dns_zone" "dns_for_acr" {
+  count               = var.environment == "prod" ? 1 : 0
+  name                = "privatelink.azurecr.io"
+  resource_group_name = var.resource_group
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "virtual_network_link_acr" {
+  count                 = var.environment == "prod" ? 1 : 0
+  name                  = "privatelink.azurecr.io"
+  private_dns_zone_name = azurerm_private_dns_zone.dns_for_acr[0].name
+  virtual_network_id    = var.spoke_vnet_id
+  resource_group_name   = var.resource_group
+}
+
+resource "azurerm_private_endpoint" "acr_pe" {
+  count               = var.environment == "prod" ? 1 : 0
+  name                = "private-endpoint-acr"
+  location            = var.location
+  resource_group_name = var.resource_group
+  subnet_id           = var.private_endpoint_subnet_id
+
+  private_dns_zone_group {
+    name                 = "privatednsacrzonegroup"
+    private_dns_zone_ids = [azurerm_private_dns_zone.dns_for_acr[0].id]
+  }
+
+  private_service_connection {
+    name                           = "peconnection-acr"
+    private_connection_resource_id = azurerm_container_registry.acr.id
+    is_manual_connection           = false
+    subresource_names              = ["registry"]
+  }
+}

infra/dev/shared/terraform/modules/acr/outputs.tf

@@ -0,0 +1,15 @@
+output "acr_name" {
+  value       = azurerm_container_registry.acr.name
+  description = "The Azure Container Registry Name."
+}
+
+output "acr_login_server" {
+  value       = azurerm_container_registry.acr.login_server
+  description = "The Azure Container Registry Login Server."
+}
+
+output "container_registry_user_assigned_identity_id" {
+  value       = azurerm_user_assigned_identity.container_registry_user_assigned_identity.id
+  description = "The ACR User Assigned Identity ID."
+
+}