Create Azure storage account and container to store HL7 files for aut…

…omated testing (#1280) * Added initial terraform config for sftp storage * Create buckets for initial and final hl7 files. Disabled SFTP as we may not use it * Added role assignment. Still need to figure out the principal_id * Updated principal_id to var.deployer_id * Added customer managed key for new container * Commenting code as workaround for order of execution issue with terraform apply * Uncommenting code to apply changes --------- Co-authored-by: halprin <[email protected]>
CDCgov · Sep 4, 2024 · c3410c4 · c3410c4
1 parent b8bbcf0
commit c3410c4
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 0 deletions.
diff --git a/operations/template/key.tf b/operations/template/key.tf
@@ -88,6 +88,18 @@ resource "azurerm_key_vault_access_policy" "allow_storage_storage_account_wrappi
   ]
 }
 
+resource "azurerm_key_vault_access_policy" "allow_automated_storage_storage_account_wrapping" {
+  key_vault_id = azurerm_key_vault.key_storage.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = azurerm_storage_account.automated_storage.identity.0.principal_id
+
+  key_permissions = [
+    "Get",
+    "UnwrapKey",
+    "WrapKey",
+  ]
+}
+
 resource "azurerm_key_vault_secret" "report_stream_public_key" {
   name  = "organization-report-stream-public-key-${var.environment}"
   value = "dogcow"

diff --git a/operations/template/storage.tf b/operations/template/storage.tf
@@ -55,3 +55,62 @@ resource "azurerm_role_assignment" "allow_api_read_write" {
   role_definition_name = "Storage Blob Data Contributor"
   principal_id         = azurerm_linux_web_app.api.identity.0.principal_id
 }
+
+resource "azurerm_storage_account" "automated_storage" {
+  name                              = "cdctiautomated${var.environment}"
+  resource_group_name               = data.azurerm_resource_group.group.name
+  location                          = data.azurerm_resource_group.group.location
+  account_tier                      = "Standard"
+  account_replication_type          = "GRS"
+  account_kind                      = "StorageV2"
+  allow_nested_items_to_be_public   = false
+  min_tls_version                   = "TLS1_2"
+  infrastructure_encryption_enabled = true
+
+  #   below tags are managed by CDC
+  lifecycle {
+    ignore_changes = [
+      customer_managed_key,
+      # below tags are managed by CDC
+      tags["business_steward"],
+      tags["center"],
+      tags["environment"],
+      tags["escid"],
+      tags["funding_source"],
+      tags["pii_data"],
+      tags["security_compliance"],
+      tags["security_steward"],
+      tags["support_group"],
+      tags["system"],
+      tags["technical_steward"],
+      tags["zone"]
+    ]
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+resource "azurerm_storage_account_customer_managed_key" "automated_storage_storage_account_customer_key" {
+  storage_account_id = azurerm_storage_account.automated_storage.id
+  key_vault_id       = azurerm_key_vault.key_storage.id
+  key_name           = azurerm_key_vault_key.customer_managed_key.name
+
+  depends_on = [
+    azurerm_key_vault_access_policy.allow_github_deployer,
+    azurerm_key_vault_access_policy.allow_automated_storage_storage_account_wrapping
+  ]
+}
+
+resource "azurerm_storage_container" "automated_container" {
+  name                  = "automated"
+  storage_account_name  = azurerm_storage_account.automated_storage.name
+  container_access_type = "private"
+}
+
+resource "azurerm_role_assignment" "allow_automated_test_read_write" {
+  scope                = azurerm_storage_container.automated_container.resource_manager_id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = var.deployer_id
+}