Merge pull request #22 from Ontotext-AD/TES-293-module-changes

TES-293: Minor improvements

main.tf

@@ -10,6 +10,8 @@ provider "azurerm" {
       purge_soft_delete_on_destroy = true
     }
   }
+  # Required when shared_access_key_enabled is false
+  storage_use_azuread = true
 }
 
 locals {
@@ -30,7 +32,7 @@ resource "azurerm_resource_group" "graphdb" {
   tags     = local.tags
 }
 
-resource "azurerm_management_lock" "graphdb-rg-lock" {
+resource "azurerm_management_lock" "graphdb_rg_lock" {
   count      = var.lock_resources ? 1 : 0
   name       = "${var.resource_name_prefix}-rg"
   scope      = azurerm_resource_group.graphdb.id
@@ -46,23 +48,23 @@ resource "azurerm_virtual_network" "graphdb" {
   tags                = local.tags
 }
 
-resource "azurerm_subnet" "graphdb-gateway" {
+resource "azurerm_subnet" "graphdb_gateway" {
   name                 = "${var.resource_name_prefix}-gateway"
   resource_group_name  = azurerm_resource_group.graphdb.name
   virtual_network_name = azurerm_virtual_network.graphdb.name
   address_prefixes     = var.app_gateway_subnet_address_prefix
   service_endpoints    = ["Microsoft.KeyVault"]
 }
 
-resource "azurerm_subnet" "graphdb-vmss" {
+resource "azurerm_subnet" "graphdb_vmss" {
   name                 = "${var.resource_name_prefix}-vmss"
   resource_group_name  = azurerm_resource_group.graphdb.name
   virtual_network_name = azurerm_virtual_network.graphdb.name
   address_prefixes     = var.graphdb_subnet_address_prefix
   service_endpoints    = ["Microsoft.KeyVault", "Microsoft.Storage"]
 }
 
-resource "azurerm_network_security_group" "graphdb-gateway" {
+resource "azurerm_network_security_group" "graphdb_gateway" {
   name                = "${var.resource_name_prefix}-gateway"
   resource_group_name = azurerm_resource_group.graphdb.name
   location            = var.location
@@ -96,21 +98,21 @@ resource "azurerm_network_security_group" "graphdb-gateway" {
   tags = var.tags
 }
 
-resource "azurerm_network_security_group" "graphdb-vmss" {
+resource "azurerm_network_security_group" "graphdb_vmss" {
   name                = "${var.resource_name_prefix}-vmss"
   resource_group_name = azurerm_resource_group.graphdb.name
   location            = var.location
   tags                = var.tags
 }
 
-resource "azurerm_subnet_network_security_group_association" "graphdb-gateway" {
-  network_security_group_id = azurerm_network_security_group.graphdb-gateway.id
-  subnet_id                 = azurerm_subnet.graphdb-gateway.id
+resource "azurerm_subnet_network_security_group_association" "graphdb_gateway" {
+  network_security_group_id = azurerm_network_security_group.graphdb_gateway.id
+  subnet_id                 = azurerm_subnet.graphdb_gateway.id
 }
 
-resource "azurerm_subnet_network_security_group_association" "graphdb-vmss" {
-  network_security_group_id = azurerm_network_security_group.graphdb-vmss.id
-  subnet_id                 = azurerm_subnet.graphdb-vmss.id
+resource "azurerm_subnet_network_security_group_association" "graphdb_vmss" {
+  network_security_group_id = azurerm_network_security_group.graphdb_vmss.id
+  subnet_id                 = azurerm_subnet.graphdb_vmss.id
 }
 
 # ------------------------------------------------------------
@@ -146,7 +148,7 @@ module "vault" {
   location             = var.location
   resource_group_name  = azurerm_resource_group.graphdb.name
 
-  nacl_subnet_ids = [azurerm_subnet.graphdb-gateway.id, azurerm_subnet.graphdb-vmss.id]
+  nacl_subnet_ids = [azurerm_subnet.graphdb_gateway.id, azurerm_subnet.graphdb_vmss.id]
   nacl_ip_rules   = var.management_cidr_blocks
 
   key_vault_enable_purge_protection = var.key_vault_enable_purge_protection
@@ -163,7 +165,7 @@ module "backup" {
   location             = var.location
   resource_group_name  = azurerm_resource_group.graphdb.name
 
-  nacl_subnet_ids = [azurerm_subnet.graphdb-vmss.id]
+  nacl_subnet_ids = [azurerm_subnet.graphdb_vmss.id]
   nacl_ip_rules   = var.management_cidr_blocks
 
   storage_account_tier             = var.storage_account_tier
@@ -230,7 +232,7 @@ module "application_gateway" {
   location             = var.location
   resource_group_name  = azurerm_resource_group.graphdb.name
 
-  gateway_subnet_id                 = azurerm_subnet.graphdb-gateway.id
+  gateway_subnet_id                 = azurerm_subnet.graphdb_gateway.id
   gateway_public_ip_id              = module.address.public_ip_address_id
   gateway_identity_id               = module.tls.tls_identity_id
   gateway_tls_certificate_secret_id = module.tls.tls_certificate_key_vault_secret_id
@@ -275,42 +277,52 @@ module "nat" {
   resource_group_name  = azurerm_resource_group.graphdb.name
   zones                = var.zones
 
-  nat_subnet_id = azurerm_subnet.graphdb-vmss.id
+  nat_subnet_id = azurerm_subnet.graphdb_vmss.id
 
   tags = local.tags
 }
 
+module "user_data" {
+  source = "./modules/user-data"
+
+  count = var.custom_graphdb_vm_user_data != null ? 0 : 1
+
+  graphdb_external_address_fqdn = module.address.public_ip_address_fqdn
+
+  key_vault_name = module.vault.key_vault_name
+
+  disk_iops_read_write = var.disk_iops_read_write
+  disk_mbps_read_write = var.disk_mbps_read_write
+  disk_size_gb         = var.disk_size_gb
+
+  backup_storage_container_url = module.backup.storage_container_id
+  backup_schedule              = var.backup_schedule
+}
+
+locals {
+  user_data_script = var.custom_graphdb_vm_user_data != null ? var.custom_graphdb_vm_user_data : module.user_data[0].graphdb_vmss_user_data
+}
+
 # Creates a VM scale set for GraphDB and GraphDB cluster proxies
-module "vm" {
-  source = "./modules/vm"
+module "vmss" {
+  source = "./modules/vmss"
 
   resource_name_prefix = var.resource_name_prefix
   location             = var.location
   resource_group_name  = azurerm_resource_group.graphdb.name
   zones                = var.zones
 
-  graphdb_subnet_id = azurerm_subnet.graphdb-vmss.id
+  graphdb_subnet_id = azurerm_subnet.graphdb_vmss.id
 
   identity_id                                  = module.identity.identity_id
   application_gateway_backend_address_pool_ids = [module.application_gateway.gateway_backend_address_pool_id]
 
-  # Configurations for the user data script
-  graphdb_external_address_fqdn = module.address.public_ip_address_fqdn
-  key_vault_name                = module.vault.key_vault_name
-
-  disk_iops_read_write = var.disk_iops_read_write
-  disk_mbps_read_write = var.disk_mbps_read_write
-  disk_size_gb         = var.disk_size_gb
-
   instance_type = var.instance_type
   image_id      = module.graphdb_image.image_id
   node_count    = var.node_count
   ssh_key       = var.ssh_key
 
-  custom_user_data = var.custom_graphdb_vm_user_data
-
-  backup_storage_container_url = module.backup.storage_container_id
-  backup_schedule              = var.backup_schedule
+  user_data_script = local.user_data_script
 
   tags = local.tags
 
@@ -321,11 +333,9 @@ module "vm" {
 module "dns" {
   source = "./modules/dns"
 
-  resource_name_prefix  = var.resource_name_prefix
-  resource_group_name   = azurerm_resource_group.graphdb.name
-  identity_name         = module.identity.identity_name
-  identity_principal_id = module.identity.identity_principal_id
-  virtual_network_id    = azurerm_virtual_network.graphdb.id
+  resource_name_prefix = var.resource_name_prefix
+  resource_group_name  = azurerm_resource_group.graphdb.name
+  virtual_network_id   = azurerm_virtual_network.graphdb.id
 
   tags = local.tags
 

modules/address/main.tf

@@ -5,7 +5,7 @@ resource "random_string" "fqdn" {
   numeric = true
 }
 
-resource "azurerm_public_ip" "graphdb-public-ip-address" {
+resource "azurerm_public_ip" "graphdb_public_ip_address" {
   name                = "${var.resource_name_prefix}-public-address"
   resource_group_name = var.resource_group_name
   location            = var.location

modules/address/outputs.tf

@@ -1,19 +1,19 @@
 output "public_ip_address_name" {
   description = "Name of the public IP address"
-  value       = azurerm_public_ip.graphdb-public-ip-address.name
+  value       = azurerm_public_ip.graphdb_public_ip_address.name
 }
 
 output "public_ip_address" {
   description = "The public IPv4 address"
-  value       = azurerm_public_ip.graphdb-public-ip-address.ip_address
+  value       = azurerm_public_ip.graphdb_public_ip_address.ip_address
 }
 
 output "public_ip_address_id" {
   description = "Identifier of the public IP address"
-  value       = azurerm_public_ip.graphdb-public-ip-address.id
+  value       = azurerm_public_ip.graphdb_public_ip_address.id
 }
 
 output "public_ip_address_fqdn" {
   description = "The assigned FQDN of the public IP address"
-  value       = azurerm_public_ip.graphdb-public-ip-address.fqdn
+  value       = azurerm_public_ip.graphdb_public_ip_address.fqdn
 }

modules/backup/main.tf

@@ -20,16 +20,19 @@ locals {
 }
 
 # Create an Azure Storage Account for backups
-resource "azurerm_storage_account" "graphdb-backup" {
+resource "azurerm_storage_account" "graphdb_backup" {
   name                = local.storage_account_name
   resource_group_name = var.resource_group_name
   location            = var.location
 
-  account_tier                    = var.storage_account_tier
-  account_replication_type        = var.storage_account_replication_type
-  enable_https_traffic_only       = true
-  allow_nested_items_to_be_public = false
-  min_tls_version                 = "TLS1_2"
+  account_kind                      = var.storage_account_kind
+  account_tier                      = var.storage_account_tier
+  account_replication_type          = var.storage_account_replication_type
+  enable_https_traffic_only         = true
+  allow_nested_items_to_be_public   = false
+  shared_access_key_enabled         = false
+  min_tls_version                   = "TLS1_2"
+  infrastructure_encryption_enabled = true
 
   network_rules {
     bypass                     = ["AzureServices"]
@@ -42,14 +45,14 @@ resource "azurerm_storage_account" "graphdb-backup" {
 }
 
 # Create an Azure Storage container
-resource "azurerm_storage_container" "graphdb-backup" {
+resource "azurerm_storage_container" "graphdb_backup" {
   name                  = "${var.resource_name_prefix}-backup"
-  storage_account_name  = azurerm_storage_account.graphdb-backup.name
+  storage_account_name  = azurerm_storage_account.graphdb_backup.name
   container_access_type = "private"
 }
 
-resource "azurerm_storage_management_policy" "graphdb-backup-retention" {
-  storage_account_id = azurerm_storage_account.graphdb-backup.id
+resource "azurerm_storage_management_policy" "graphdb_backup_retention" {
+  storage_account_id = azurerm_storage_account.graphdb_backup.id
 
   rule {
     enabled = true

modules/backup/outputs.tf

@@ -1,19 +1,19 @@
 output "storage_account_id" {
   description = "Storage account identifier for storing GraphDB backups"
-  value       = azurerm_storage_account.graphdb-backup.id
+  value       = azurerm_storage_account.graphdb_backup.id
 }
 
 output "storage_account_name" {
   description = "Storage account name for storing GraphDB backups"
-  value       = azurerm_storage_account.graphdb-backup.name
+  value       = azurerm_storage_account.graphdb_backup.name
 }
 
 output "storage_container_id" {
   description = "Identifier of the storage container for GraphDB backups"
-  value       = azurerm_storage_container.graphdb-backup.id
+  value       = azurerm_storage_container.graphdb_backup.id
 }
 
 output "storage_container_name" {
   description = "Name of the storage container for GraphDB backups"
-  value       = azurerm_storage_container.graphdb-backup.name
+  value       = azurerm_storage_container.graphdb_backup.name
 }

modules/backup/variables.tf

@@ -37,6 +37,12 @@ variable "nacl_ip_rules" {
 
 # Storage specifics
 
+variable "storage_account_kind" {
+  description = "Specifies the type of the storage account."
+  type        = string
+  default     = "StorageV2"
+}
+
 variable "storage_account_tier" {
   description = "Specify the performance and redundancy characteristics of the Azure Storage Account that you are creating"
   type        = string

modules/bastion/main.tf

@@ -1,11 +1,11 @@
-resource "azurerm_subnet" "graphdb-bastion" {
+resource "azurerm_subnet" "graphdb_bastion" {
   name                 = "AzureBastionSubnet"
   resource_group_name  = var.resource_group_name
   virtual_network_name = var.virtual_network_name
   address_prefixes     = var.bastion_subnet_address_prefix
 }
 
-resource "azurerm_network_security_group" "graphdb-bastion" {
+resource "azurerm_network_security_group" "graphdb_bastion" {
   name                = "${var.resource_name_prefix}-bastion"
   resource_group_name = var.resource_group_name
   location            = var.location
@@ -73,12 +73,12 @@ resource "azurerm_network_security_group" "graphdb-bastion" {
   tags = var.tags
 }
 
-resource "azurerm_subnet_network_security_group_association" "graphdb-bastion" {
-  network_security_group_id = azurerm_network_security_group.graphdb-bastion.id
-  subnet_id                 = azurerm_subnet.graphdb-bastion.id
+resource "azurerm_subnet_network_security_group_association" "graphdb_bastion" {
+  network_security_group_id = azurerm_network_security_group.graphdb_bastion.id
+  subnet_id                 = azurerm_subnet.graphdb_bastion.id
 }
 
-resource "azurerm_public_ip" "graphdb-bastion" {
+resource "azurerm_public_ip" "graphdb_bastion" {
   name                = "${var.resource_name_prefix}_bastion_publicIP"
   location            = var.location
   resource_group_name = var.resource_group_name
@@ -98,8 +98,8 @@ resource "azurerm_bastion_host" "graphdb" {
 
   ip_configuration {
     name                 = "configuration"
-    subnet_id            = azurerm_subnet.graphdb-bastion.id
-    public_ip_address_id = azurerm_public_ip.graphdb-bastion.id
+    subnet_id            = azurerm_subnet.graphdb_bastion.id
+    public_ip_address_id = azurerm_public_ip.graphdb_bastion.id
   }
 
   tags = var.tags