Merge pull request #7 from Ontotext-AD/TES-307-AppGateway

TES-307: Application Gateway

main.tf

@@ -46,6 +46,13 @@ resource "azurerm_virtual_network" "graphdb" {
   tags                = local.tags
 }
 
+resource "azurerm_subnet" "graphdb-gateway" {
+  name                 = "${var.resource_name_prefix}-gateway"
+  resource_group_name  = azurerm_resource_group.graphdb.name
+  virtual_network_name = azurerm_virtual_network.graphdb.name
+  address_prefixes     = var.app_gateway_subnet_address_prefix
+}
+
 resource "azurerm_subnet" "graphdb-vmss" {
   name                 = "${var.resource_name_prefix}-vmss"
   resource_group_name  = azurerm_resource_group.graphdb.name
@@ -55,6 +62,19 @@ resource "azurerm_subnet" "graphdb-vmss" {
 
 # ------------------------------------------------------------
 
+# Creates a public IP address with assigned FQDN from the regional Azure DNS
+module "address" {
+  source = "./modules/address"
+
+  resource_name_prefix = var.resource_name_prefix
+  resource_group_name  = azurerm_resource_group.graphdb.name
+  zones                = var.zones
+
+  tags = local.tags
+
+  depends_on = [azurerm_resource_group.graphdb]
+}
+
 # Creates a user assigned identity which will be provided to GraphDB VMs.
 module "identity" {
   source = "./modules/identity"
@@ -101,17 +121,45 @@ module "configuration" {
   ]
 }
 
-# Creates a public load balancer for forwarding internet traffic to the GraphDB proxies
-module "load_balancer" {
-  source = "./modules/load_balancer"
+# Creates a TLS certificate secret in the Key Vault and related identity
+module "tls" {
+  source = "./modules/tls"
 
   resource_name_prefix = var.resource_name_prefix
   resource_group_name  = azurerm_resource_group.graphdb.name
-  zones                = var.zones
+
+  key_vault_name           = module.vault.key_vault_name
+  tls_certificate          = filebase64(var.tls_certificate_path)
+  tls_certificate_password = var.tls_certificate_password
 
   tags = local.tags
 
-  depends_on = [azurerm_resource_group.graphdb, azurerm_virtual_network.graphdb]
+  depends_on = [azurerm_resource_group.graphdb, module.identity, module.vault]
+}
+
+# Creates a public application gateway for forwarding internet traffic to the GraphDB proxies
+module "application_gateway" {
+  source = "./modules/gateway"
+
+  resource_name_prefix   = var.resource_name_prefix
+  resource_group_name    = azurerm_resource_group.graphdb.name
+  network_interface_name = azurerm_virtual_network.graphdb.name
+
+  gateway_subnet_name = azurerm_subnet.graphdb-gateway.name
+
+  gateway_public_ip_name            = module.address.public_ip_address_name
+  gateway_identity_name             = module.tls.tls_identity_name
+  gateway_tls_certificate_secret_id = module.tls.tls_certificate_key_vault_secret_id
+
+  tags = local.tags
+
+  depends_on = [
+    azurerm_resource_group.graphdb,
+    azurerm_virtual_network.graphdb,
+    azurerm_subnet.graphdb-vmss,
+    module.address,
+    module.tls
+  ]
 }
 
 # Module for resolving the GraphDB shared image ID
@@ -122,6 +170,7 @@ module "graphdb_image" {
   graphdb_image_id = var.graphdb_image_id
 }
 
+# Creates a bastion host for secure remote connections
 module "bastion" {
   count = var.deploy_bastion ? 1 : 0
 
@@ -149,11 +198,12 @@ module "vm" {
   network_interface_name = azurerm_virtual_network.graphdb.name
   zones                  = var.zones
 
-  graphdb_subnet_name                   = azurerm_subnet.graphdb-vmss.name
-  load_balancer_backend_address_pool_id = module.load_balancer.load_balancer_backend_address_pool_id
-  load_balancer_fqdn                    = module.load_balancer.load_balancer_fqdn
-  identity_name                         = module.identity.identity_name
-  key_vault_name                        = module.vault.key_vault_name
+  graphdb_subnet_name                          = azurerm_subnet.graphdb-vmss.name
+  application_gateway_backend_address_pool_ids = [module.application_gateway.gateway_backend_address_pool_id]
+  identity_name                                = module.identity.identity_name
+  key_vault_name                               = module.vault.key_vault_name
+
+  graphdb_external_address_fqdn = module.address.public_ip_address_fqdn
 
   data_disk_performance_tier = var.data_disk_performance_tier
   disk_size_gb               = var.disk_size_gb

modules/address/README.md

@@ -0,0 +1 @@
+# GraphDB Public IP Address Module

modules/address/main.tf

@@ -0,0 +1,31 @@
+data "azurerm_resource_group" "graphdb" {
+  name = var.resource_group_name
+}
+
+locals {
+  resource_group = data.azurerm_resource_group.graphdb.name
+  location       = data.azurerm_resource_group.graphdb.location
+}
+
+resource "random_string" "fqdn" {
+  length  = 6
+  special = false
+  upper   = false
+  numeric = true
+}
+
+resource "azurerm_public_ip" "graphdb-public-ip-address" {
+  name                = "${var.resource_name_prefix}-public-address"
+  resource_group_name = local.resource_group
+  location            = local.location
+
+  sku               = "Standard"
+  allocation_method = "Static"
+  zones             = var.zones
+
+  # TODO: idle_timeout_in_minutes is between 4 and 30 minutes, gotta test if this affects our data loading
+
+  domain_name_label = "${var.resource_name_prefix}-${random_string.fqdn.result}"
+
+  tags = var.tags
+}

modules/address/outputs.tf

@@ -0,0 +1,9 @@
+output "public_ip_address_name" {
+  description = "Name of the public IP address"
+  value       = azurerm_public_ip.graphdb-public-ip-address.name
+}
+
+output "public_ip_address_fqdn" {
+  description = "The assigned FQDN of the public IP address"
+  value       = azurerm_public_ip.graphdb-public-ip-address.fqdn
+}

modules/address/variables.tf

@@ -0,0 +1,23 @@
+# General configurations
+
+variable "resource_name_prefix" {
+  description = "Resource name prefix used for tagging and naming AWS resources"
+  type        = string
+}
+
+variable "zones" {
+  description = "Availability zones for the public IP address."
+  type        = list(number)
+  default     = [1, 2, 3]
+}
+
+variable "tags" {
+  description = "Common resource tags."
+  type        = map(string)
+  default     = {}
+}
+
+variable "resource_group_name" {
+  description = "Name of the resource group where GraphDB will be deployed."
+  type        = string
+}

modules/load_balancer/versions.tf → modules/address/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.3.1"
+  required_version = ">= 1.5.0"
 
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">=3.76.0"
+      version = ">=3.80.0"
     }
     random = {
       source  = "hashicorp/random"

modules/bastion/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.3.1"
+  required_version = ">= 1.5.0"
 
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">=3.71.0"
+      version = ">=3.80.0"
     }
   }
 }

modules/configuration/main.tf

@@ -65,7 +65,7 @@ resource "azurerm_key_vault_secret" "graphdb-java-options" {
 resource "azurerm_role_assignment" "graphdb-license-reader" {
   principal_id         = data.azurerm_user_assigned_identity.graphdb-instances.principal_id
   scope                = data.azurerm_key_vault.graphdb.id
-  role_definition_name = "Reader"
+  role_definition_name = "Key Vault Reader"
 }
 
 # Give rights to the provided identity to actually get the secret value

modules/configuration/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.3.1"
+  required_version = ">= 1.5.0"
 
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">=3.71.0"
+      version = ">=3.80.0"
     }
     random = {
       source  = "hashicorp/random"

modules/gateway/README.md

@@ -0,0 +1 @@
+# GraphDB Application Gateway Module