Upgrade azurerm to v4 and update configs

.github/workflows/_terraformDestroyTemplate.yml

@@ -0,0 +1,100 @@
+name: Terraform Destroy Template
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+        default: "dev"
+        description: "Specifies the environment of the deployment."
+      config:
+        required: true
+        type: string
+        description: "Specifies the configuration folder for the deployment."
+      terraform_version:
+        required: true
+        type: string
+        description: "Specifies the terraform version."
+      node_version:
+        required: true
+        type: number
+        description: "Specifies the node version."
+      working_directory:
+        required: true
+        type: string
+        description: "Specifies the working directory."
+      tenant_id:
+        required: true
+        type: string
+        description: "Specifies the tenant id of the deployment."
+      subscription_id:
+        required: true
+        type: string
+        description: "Specifies the subscription id of the deployment."
+    secrets:
+      CLIENT_ID:
+        required: true
+        description: "Specifies the client id."
+      MY_SAMPLE_SECRET:
+        required: true
+        description: "Specifies a sample secret."
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deployment:
+    name: Terraform Destroy
+    runs-on: [self-hosted]
+    continue-on-error: false
+    environment: ${{ inputs.environment }}
+    if: github.event_name == 'push' || github.event_name == 'release'
+    concurrency:
+      group: terraform-${{ inputs.config }}-${{ inputs.environment }}
+      cancel-in-progress: false
+
+    env:
+      ARM_TENANT_ID: ${{ inputs.tenant_id }}
+      ARM_SUBSCRIPTION_ID: ${{ inputs.subscription_id }}
+      ARM_CLIENT_ID: ${{ secrets.CLIENT_ID }}
+      ARM_USE_OIDC: true
+
+    steps:
+      # Setup Node
+      - name: Setup Node
+        id: node_setup
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node_version }}
+
+      # Setup Terraform
+      - name: Setup Terraform
+        id: terraform_setup
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ inputs.terraform_version }}
+          terraform_wrapper: true
+
+      # Check Out Repository
+      - name: Check Out Repository
+        id: checkout_repository
+        uses: actions/checkout@v4
+
+      # Terraform Init
+      - name: Terraform Init
+        working-directory: ${{ inputs.working_directory }}
+        run: |
+          terraform init -backend-config=../../config/${CONFIG}/azurerm.tfbackend
+        env:
+          CONFIG: ${{ inputs.config }}
+
+      # Terraform Destroy
+      - name: Terraform Destroy
+        working-directory: ${{ inputs.working_directory }}
+        run: |
+          terraform apply -var-file="../../config/${CONFIG}/vars.tfvars" -auto-approve -input=false -destroy
+        env:
+          CONFIG: ${{ inputs.config }}
+          TF_VAR_my_secret: ${{ secrets.MY_SAMPLE_SECRET }}

.github/workflows/_terraformEnvironmentTemplate.yml

@@ -35,9 +35,6 @@ on:
       CLIENT_ID:
         required: true
         description: "Specifies the client id."
-      CLIENT_SECRET:
-        required: true
-        description: "Specifies the client secret."
       MY_SAMPLE_SECRET:
         required: true
         description: "Specifies a sample secret."
@@ -101,15 +98,14 @@ jobs:
     environment: ${{ inputs.environment }}
     needs: [lint]
     concurrency:
-      group: terraform-apply-${{ inputs.config }}-${{ inputs.environment }}
+      group: terraform-${{ inputs.config }}-${{ inputs.environment }}
       cancel-in-progress: false
 
     env:
       ARM_TENANT_ID: ${{ inputs.tenant_id }}
       ARM_SUBSCRIPTION_ID: ${{ inputs.subscription_id }}
       ARM_CLIENT_ID: ${{ secrets.CLIENT_ID }}
-      ARM_CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
-      ARM_USE_OIDC: false
+      ARM_USE_OIDC: true
 
     steps:
       # Setup Node
@@ -196,18 +192,17 @@ jobs:
     runs-on: [self-hosted]
     continue-on-error: false
     environment: ${{ inputs.environment }}
-    if: github.event_name == 'push' || github.event_name == 'release'
+    # if: github.event_name == 'push' || github.event_name == 'release'
     needs: [plan]
     concurrency:
-      group: terraform-apply-${{ inputs.config }}-${{ inputs.environment }}
+      group: terraform-${{ inputs.config }}-${{ inputs.environment }}
       cancel-in-progress: false
 
     env:
       ARM_TENANT_ID: ${{ inputs.tenant_id }}
       ARM_SUBSCRIPTION_ID: ${{ inputs.subscription_id }}
       ARM_CLIENT_ID: ${{ secrets.CLIENT_ID }}
-      ARM_CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
-      ARM_USE_OIDC: false
+      ARM_USE_OIDC: true
 
     steps:
       # Setup Node

.github/workflows/terraform.yml

@@ -27,12 +27,27 @@ jobs:
     with:
       environment: "dev"
       config: "PerfectThymeTech"
-      terraform_version: "1.6.6"
-      node_version: 18
+      terraform_version: "1.9.6"
+      node_version: 20
       working_directory: "./code/infra"
-      tenant_id: "3556be79-2979-4b19-a1af-4dd4e6d9ed7e"
-      subscription_id: "8f171ff9-2b5b-4f0f-aed5-7fa360a1d094"
+      tenant_id: "37963dd4-f4e6-40f8-a7d6-24b97919e452"
+      subscription_id: "1fdab118-1638-419a-8b12-06c9543714a0"
+    secrets:
+      CLIENT_ID: ${{ secrets.CLIENT_ID }}
+      MY_SAMPLE_SECRET: ${{ secrets.MY_SAMPLE_SECRET }}
+
+  terraform_dev_destroy:
+    uses: ./.github/workflows/_terraformDestroyTemplate.yml
+    name: "Dev - Destroy"
+    needs: [terraform_dev]
+    with:
+      environment: "dev"
+      config: "PerfectThymeTech"
+      terraform_version: "1.9.6"
+      node_version: 20
+      working_directory: "./code/infra"
+      tenant_id: "37963dd4-f4e6-40f8-a7d6-24b97919e452"
+      subscription_id: "1fdab118-1638-419a-8b12-06c9543714a0"
     secrets:
       CLIENT_ID: ${{ secrets.CLIENT_ID }}
-      CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
       MY_SAMPLE_SECRET: ${{ secrets.MY_SAMPLE_SECRET }}

code/infra/alerts.tf

@@ -1,5 +1,6 @@
 resource "azurerm_monitor_activity_log_alert" "monitor_activity_log_alert_service_health" {
   name                = "${local.prefix}-alert-servicehealth"
+  location            = "global"
   resource_group_name = azurerm_resource_group.logging_rg.name
   tags                = var.tags
 

code/infra/applicationinsights.tf

@@ -0,0 +1,14 @@
+module "application_insights" {
+  source = "github.com/PerfectThymeTech/terraform-azurerm-modules//modules/applicationinsights?ref=main"
+  providers = {
+    azurerm = azurerm
+  }
+
+  location                                        = var.location
+  resource_group_name                             = azurerm_resource_group.logging_rg.name
+  tags                                            = var.tags
+  application_insights_name                       = "${local.prefix}-appi001"
+  application_insights_application_type           = "other"
+  application_insights_log_analytics_workspace_id = var.log_analytics_workspace_id
+  diagnostics_configurations                      = [] # local.diagnostics_configurations # Disabled to avoid duplicate logs in LAW and App Insights
+}

code/infra/appserviceplan.tf

@@ -0,0 +1,18 @@
+module "app_service_plan" {
+  source = "github.com/PerfectThymeTech/terraform-azurerm-modules//modules/appserviceplan?ref=main"
+  providers = {
+    azurerm = azurerm
+  }
+
+  location                                  = var.location
+  resource_group_name                       = azurerm_resource_group.app_rg.name
+  tags                                      = var.tags
+  service_plan_name                         = "${local.prefix}-asp001"
+  service_plan_maximum_elastic_worker_count = null
+  service_plan_os_type                      = "Linux"
+  service_plan_per_site_scaling_enabled     = false
+  service_plan_sku_name                     = var.function_sku
+  service_plan_worker_count                 = 1     # Update to '3' for production
+  service_plan_zone_balancing_enabled       = false # Update to 'true' for production
+  diagnostics_configurations                = local.diagnostics_configurations
+}

code/infra/function.tf

@@ -1,44 +1,3 @@
-resource "azurerm_service_plan" "service_plan" {
-  name                = "${local.prefix}-asp001"
-  location            = var.location
-  resource_group_name = azurerm_resource_group.app_rg.name
-  tags                = var.tags
-
-  # maximum_elastic_worker_count = 20
-  os_type                  = "Linux"
-  per_site_scaling_enabled = false
-  sku_name                 = var.function_sku
-  worker_count             = 1     # Update to '3' for production
-  zone_balancing_enabled   = false # Update to 'true' for production
-}
-
-data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_service_plan" {
-  resource_id = azurerm_service_plan.service_plan.id
-}
-
-resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_service_plan" {
-  name                       = "logAnalytics"
-  target_resource_id         = azurerm_service_plan.service_plan.id
-  log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
-
-  dynamic "enabled_log" {
-    iterator = entry
-    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_service_plan.log_category_groups
-    content {
-      category_group = entry.value
-    }
-  }
-
-  dynamic "metric" {
-    iterator = entry
-    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_service_plan.metrics
-    content {
-      category = entry.value
-      enabled  = true
-    }
-  }
-}
-
 resource "azapi_resource" "function" {
   type      = "Microsoft.Web/sites@2022-09-01"
   parent_id = azurerm_resource_group.app_rg.id
@@ -65,7 +24,7 @@ resource "azapi_resource" "function" {
       redundancyMode            = "None"
       reserved                  = true
       scmSiteAlsoStopped        = true
-      serverFarmId              = azurerm_service_plan.service_plan.id
+      serverFarmId              = module.app_service_plan.service_plan_id
       storageAccountRequired    = false
       vnetContentShareEnabled   = true
       vnetImagePullEnabled      = false # Set to 'true' when pulling image from private Azure Container Registry
@@ -91,7 +50,7 @@ resource "azapi_resource" "function" {
         appSettings = [
           {
             name  = "APPLICATIONINSIGHTS_CONNECTION_STRING"
-            value = azurerm_application_insights.application_insights.connection_string
+            value = module.application_insights.application_insights_connection_string
           },
           {
             name  = "AZURE_SDK_TRACING_IMPLEMENTATION"
@@ -123,23 +82,23 @@ resource "azapi_resource" "function" {
           },
           {
             name  = "WEBSITE_OS_TYPE"
-            value = azurerm_service_plan.service_plan.os_type
+            value = module.app_service_plan.service_plan_os_type
           },
           {
             name  = "WEBSITE_RUN_FROM_PACKAGE"
             value = "0"
           },
           {
             name  = "AzureWebJobsStorage__accountName"
-            value = azurerm_storage_account.storage.name
+            value = module.storage_account.storage_account_name
           },
           {
             name  = "AzureWebJobsSecretStorageType"
             value = "keyvault"
           },
           {
             name  = "AzureWebJobsSecretStorageKeyVaultUri"
-            value = azurerm_key_vault.key_vault.vault_uri
+            value = module.key_vault.key_vault_uri
           },
           {
             name  = "WEBSITES_ENABLE_APP_SERVICE_STORAGE" # Disable when not running a container
@@ -219,11 +178,8 @@ resource "azapi_resource" "function" {
   #   "properties.siteConfig.appSettings"
   # ]
   depends_on = [
-    azurerm_private_endpoint.key_vault_private_endpoint,
-    azurerm_private_endpoint.storage_private_endpoint_blob,
-    azurerm_private_endpoint.storage_private_endpoint_file,
-    azurerm_private_endpoint.storage_private_endpoint_queue,
-    azurerm_private_endpoint.storage_private_endpoint_table,
+    module.key_vault.key_vault_setup_completed,
+    module.storage_account.storage_setup_completed,
   ]
 }
 
@@ -234,7 +190,7 @@ data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_function" {
 resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_function" {
   name                       = "logAnalytics"
   target_resource_id         = azapi_resource.function.id
-  log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
+  log_analytics_workspace_id = var.log_analytics_workspace_id
 
   dynamic "enabled_log" {
     iterator = entry
@@ -267,11 +223,20 @@ resource "azurerm_private_endpoint" "function_private_endpoint" {
     private_connection_resource_id = azapi_resource.function.id
     subresource_names              = ["sites"]
   }
-  subnet_id = azapi_resource.subnet_services.id
-  private_dns_zone_group {
-    name = "${azapi_resource.function.name}-arecord"
-    private_dns_zone_ids = [
-      var.private_dns_zone_id_sites
+  subnet_id = azapi_resource.subnet_private_endpoints.id
+  dynamic "private_dns_zone_group" {
+    for_each = var.private_dns_zone_id_sites == "" ? [] : [1]
+    content {
+      name = "${azapi_resource.function.name}-arecord"
+      private_dns_zone_ids = [
+        var.private_dns_zone_id_sites
+      ]
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      private_dns_zone_group
     ]
   }
 }