Upgrade to v4 of azurerm

Author: marvinbuss

code/infra/alerts.tf

@@ -1,5 +1,6 @@
 resource "azurerm_monitor_activity_log_alert" "monitor_activity_log_alert_service_health" {
   name                = "${local.prefix}-alert-servicehealth"
+  location            = var.location
   resource_group_name = azurerm_resource_group.logging_rg.name
   tags                = var.tags
 

code/infra/applicationinsights.tf

@@ -0,0 +1,14 @@
+module "application_insights" {
+  source = "github.com/PerfectThymeTech/terraform-azurerm-modules//modules/applicationinsights?ref=main"
+  providers = {
+    azurerm = azurerm
+  }
+
+  location                                        = var.location
+  resource_group_name                             = azurerm_resource_group.logging_rg.name
+  tags                                            = var.tags
+  application_insights_name                       = "${local.prefix}-appi001"
+  application_insights_application_type           = "other"
+  application_insights_log_analytics_workspace_id = var.log_analytics_workspace_id
+  diagnostics_configurations                      = {} # local.diagnostics_configurations # Disabled to avoid duplicate logs in LAW and App Insights
+}

code/infra/appserviceplan.tf

@@ -0,0 +1,18 @@
+module "app_service_plan" {
+  source = "github.com/PerfectThymeTech/terraform-azurerm-modules//modules/appserviceplan?ref=main"
+  providers = {
+    azurerm = azurerm
+  }
+
+  location                                  = var.location
+  resource_group_name                       = azurerm_resource_group.app_rg.name
+  tags                                      = var.tags
+  service_plan_name                         = "${local.prefix}-asp001"
+  service_plan_maximum_elastic_worker_count = null
+  service_plan_os_type                      = "Linux"
+  service_plan_per_site_scaling_enabled     = false
+  service_plan_sku_name                     = var.function_sku
+  service_plan_worker_count                 = 1     # Update to '3' for production
+  service_plan_zone_balancing_enabled       = false # Update to 'true' for production
+  diagnostics_configurations                = local.diagnostics_configurations
+}

code/infra/function.tf

@@ -1,44 +1,3 @@
-resource "azurerm_service_plan" "service_plan" {
-  name                = "${local.prefix}-asp001"
-  location            = var.location
-  resource_group_name = azurerm_resource_group.app_rg.name
-  tags                = var.tags
-
-  # maximum_elastic_worker_count = 20
-  os_type                  = "Linux"
-  per_site_scaling_enabled = false
-  sku_name                 = var.function_sku
-  worker_count             = 1     # Update to '3' for production
-  zone_balancing_enabled   = false # Update to 'true' for production
-}
-
-data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_service_plan" {
-  resource_id = azurerm_service_plan.service_plan.id
-}
-
-resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_service_plan" {
-  name                       = "logAnalytics"
-  target_resource_id         = azurerm_service_plan.service_plan.id
-  log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
-
-  dynamic "enabled_log" {
-    iterator = entry
-    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_service_plan.log_category_groups
-    content {
-      category_group = entry.value
-    }
-  }
-
-  dynamic "metric" {
-    iterator = entry
-    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_service_plan.metrics
-    content {
-      category = entry.value
-      enabled  = true
-    }
-  }
-}
-
 resource "azapi_resource" "function" {
   type      = "Microsoft.Web/sites@2022-09-01"
   parent_id = azurerm_resource_group.app_rg.id
@@ -65,7 +24,7 @@ resource "azapi_resource" "function" {
       redundancyMode            = "None"
       reserved                  = true
       scmSiteAlsoStopped        = true
-      serverFarmId              = azurerm_service_plan.service_plan.id
+      serverFarmId              = module.app_service_plan.service_plan_id
       storageAccountRequired    = false
       vnetContentShareEnabled   = true
       vnetImagePullEnabled      = false # Set to 'true' when pulling image from private Azure Container Registry
@@ -91,7 +50,7 @@ resource "azapi_resource" "function" {
         appSettings = [
           {
             name  = "APPLICATIONINSIGHTS_CONNECTION_STRING"
-            value = azurerm_application_insights.application_insights.connection_string
+            value = module.application_insights.application_insights_connection_string
           },
           {
             name  = "AZURE_SDK_TRACING_IMPLEMENTATION"
@@ -123,23 +82,23 @@ resource "azapi_resource" "function" {
           },
           {
             name  = "WEBSITE_OS_TYPE"
-            value = azurerm_service_plan.service_plan.os_type
+            value = module.app_service_plan.service_plan_os_type
           },
           {
             name  = "WEBSITE_RUN_FROM_PACKAGE"
             value = "0"
           },
           {
             name  = "AzureWebJobsStorage__accountName"
-            value = azurerm_storage_account.storage.name
+            value = module.storage_account.storage_account_name
           },
           {
             name  = "AzureWebJobsSecretStorageType"
             value = "keyvault"
           },
           {
             name  = "AzureWebJobsSecretStorageKeyVaultUri"
-            value = azurerm_key_vault.key_vault.vault_uri
+            value = module.key_vault.key_vault_uri
           },
           {
             name  = "WEBSITES_ENABLE_APP_SERVICE_STORAGE" # Disable when not running a container
@@ -219,11 +178,8 @@ resource "azapi_resource" "function" {
   #   "properties.siteConfig.appSettings"
   # ]
   depends_on = [
-    azurerm_private_endpoint.key_vault_private_endpoint,
-    azurerm_private_endpoint.storage_private_endpoint_blob,
-    azurerm_private_endpoint.storage_private_endpoint_file,
-    azurerm_private_endpoint.storage_private_endpoint_queue,
-    azurerm_private_endpoint.storage_private_endpoint_table,
+    module.key_vault.key_vault_setup_completed,
+    module.storage_account.storage_setup_completed,
   ]
 }
 
@@ -267,7 +223,7 @@ resource "azurerm_private_endpoint" "function_private_endpoint" {
     private_connection_resource_id = azapi_resource.function.id
     subresource_names              = ["sites"]
   }
-  subnet_id = azapi_resource.subnet_services.id
+  subnet_id = azapi_resource.subnet_private_endpoints.id
   private_dns_zone_group {
     name = "${azapi_resource.function.name}-arecord"
     private_dns_zone_ids = [

code/infra/keyvault.tf

@@ -1,85 +1,30 @@
-resource "azurerm_key_vault" "key_vault" {
-  name                = "${local.prefix}-vault001"
-  location            = var.location
-  resource_group_name = azurerm_resource_group.app_rg.name
-  tags                = var.tags
-
-  access_policy                   = []
-  enable_rbac_authorization       = true
-  enabled_for_deployment          = false
-  enabled_for_disk_encryption     = false
-  enabled_for_template_deployment = false
-  network_acls {
-    bypass                     = "AzureServices"
-    default_action             = "Deny"
-    ip_rules                   = []
-    virtual_network_subnet_ids = []
+module "key_vault" {
+  source = "github.com/PerfectThymeTech/terraform-azurerm-modules//modules/keyvault?ref=main"
+  providers = {
+    azurerm = azurerm
+    time    = time
   }
-  public_network_access_enabled = false
-  purge_protection_enabled      = true
-  sku_name                      = "standard"
-  soft_delete_retention_days    = 7
-  tenant_id                     = data.azurerm_client_config.current.tenant_id
+
+  location                             = var.location
+  resource_group_name                  = azurerm_resource_group.app_rg.name
+  tags                                 = var.tags
+  key_vault_name                       = "${local.prefix}-kv001"
+  key_vault_sku_name                   = "standard"
+  key_vault_soft_delete_retention_days = 7
+  diagnostics_configurations           = local.diagnostics_configurations
+  subnet_id                            = azapi_resource.subnet_private_endpoints.id
+  connectivity_delay_in_seconds        = var.connectivity_delay_in_seconds
+  private_dns_zone_id_vault            = var.private_dns_zone_id_key_vault
 }
 
 resource "azurerm_key_vault_secret" "key_vault_secret_sample" {
   name         = "MySampleSecret"
-  key_vault_id = azurerm_key_vault.key_vault.id
+  key_vault_id = module.key_vault.key_vault_id
 
   content_type = "text/plain"
   value        = var.my_secret
 
   depends_on = [
-    azurerm_role_assignment.current_role_assignment_key_vault,
-    azurerm_private_endpoint.key_vault_private_endpoint
+    module.key_vault.key_vault_setup_completed,
   ]
 }
-
-data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_key_vault" {
-  resource_id = azurerm_key_vault.key_vault.id
-}
-
-resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_key_vault" {
-  name                       = "logAnalytics"
-  target_resource_id         = azurerm_key_vault.key_vault.id
-  log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
-
-  dynamic "enabled_log" {
-    iterator = entry
-    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_key_vault.log_category_groups
-    content {
-      category_group = entry.value
-    }
-  }
-
-  dynamic "metric" {
-    iterator = entry
-    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_key_vault.metrics
-    content {
-      category = entry.value
-      enabled  = true
-    }
-  }
-}
-
-resource "azurerm_private_endpoint" "key_vault_private_endpoint" {
-  name                = "${azurerm_key_vault.key_vault.name}-pe"
-  location            = var.location
-  resource_group_name = azurerm_key_vault.key_vault.resource_group_name
-  tags                = var.tags
-
-  custom_network_interface_name = "${azurerm_key_vault.key_vault.name}-nic"
-  private_service_connection {
-    name                           = "${azurerm_key_vault.key_vault.name}-pe"
-    is_manual_connection           = false
-    private_connection_resource_id = azurerm_key_vault.key_vault.id
-    subresource_names              = ["vault"]
-  }
-  subnet_id = azapi_resource.subnet_services.id
-  private_dns_zone_group {
-    name = "${azurerm_key_vault.key_vault.name}-arecord"
-    private_dns_zone_ids = [
-      var.private_dns_zone_id_key_vault
-    ]
-  }
-}

code/infra/locals.tf

@@ -1,18 +1,39 @@
 locals {
+  # General locals
   prefix = "${lower(var.prefix)}-${var.environment}"
+  resource_providers_to_register = [
+    "Microsoft.Authorization",
+    "Microsoft.Insights",
+    "Microsoft.KeyVault",
+    "Microsoft.ManagedIdentity",
+    "Microsoft.Network",
+    "Microsoft.Resources",
+    "Microsoft.Storage",
+    "Microsoft.Web",
+  ]
 
+  # Resource locals
   virtual_network = {
     resource_group_name = split("/", var.vnet_id)[4]
     name                = split("/", var.vnet_id)[8]
   }
-
   network_security_group = {
     resource_group_name = split("/", var.nsg_id)[4]
     name                = split("/", var.nsg_id)[8]
   }
-
   route_table = {
     resource_group_name = split("/", var.route_table_id)[4]
     name                = split("/", var.route_table_id)[8]
   }
+  
+  # Logging locals
+  diagnostics_configurations = [
+    {
+      log_analytics_workspace_id = var.log_analytics_workspace_id
+      storage_account_id         = ""
+    }
+  ]
+
+  # CMK locals
+  customer_managed_key = null
 }