Add private endpoint for Function

Author: marvinbuss

.github/workflows/terraform.yml

@@ -38,7 +38,7 @@ jobs:
     uses: ./.github/workflows/_terraformApplyTemplate.yml
     name: "Terraform Apply"
     needs: [terraform_plan_dev]
-    if: github.event_name == 'push' || github.event_name == 'release'
+    # if: github.event_name == 'push' || github.event_name == 'release'
     with:
       environment: "dev"
       terraform_version: "1.4.6"

code/infra/function.tf

@@ -131,3 +131,25 @@ resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_function" {
     }
   }
 }
+
+resource "azurerm_private_endpoint" "function_private_endpoint" {
+  name                = "${azapi_resource.function.name}-pe"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.app_rg.name
+  tags                = var.tags
+
+  custom_network_interface_name = "${azapi_resource.function.name}-nic"
+  private_service_connection {
+    name                           = "${azapi_resource.function.name}-pe"
+    is_manual_connection           = false
+    private_connection_resource_id = azapi_resource.function.id
+    subresource_names              = ["sites"]
+  }
+  subnet_id = azapi_resource.subnet_services.id
+  private_dns_zone_group {
+    name = "${azapi_resource.function.name}-arecord"
+    private_dns_zone_ids = [
+      var.private_dns_zone_id_sites
+    ]
+  }
+}

code/infra/variables.tf

@@ -116,3 +116,14 @@ variable "private_dns_zone_id_key_vault" {
     error_message = "Please specify a valid resource ID for the private DNS Zone."
   }
 }
+
+variable "private_dns_zone_id_sites" {
+  description = "Specifies the resource ID of the private DNS zone for Azure Websites. Not required if DNS A-records get created via Azue Policy."
+  type        = string
+  sensitive   = false
+  default     = ""
+  validation {
+    condition     = var.private_dns_zone_id_sites == "" || (length(split("/", var.private_dns_zone_id_sites)) == 9 && endswith(var.private_dns_zone_id_sites, "privatelink.azurewebsites.net"))
+    error_message = "Please specify a valid resource ID for the private DNS Zone."
+  }
+}

code/infra/vars.dev.tfvars

@@ -10,3 +10,4 @@ private_dns_zone_id_queue     = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1
 private_dns_zone_id_table     = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net"
 private_dns_zone_id_file      = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net"
 private_dns_zone_id_key_vault = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
+private_dns_zone_id_sites     = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"