From c3410c4489166e5aed4d3bf1d4e6e346893fa61c Mon Sep 17 00:00:00 2001
From: Basilio Bogado <541149+basiliskus@users.noreply.github.com>
Date: Wed, 4 Sep 2024 09:52:45 -0700
Subject: [PATCH] Create Azure storage account and container to store HL7 files for automated testing (#1280)

* Added initial terraform config for sftp storage
* Create buckets for initial and final hl7 files. Disabled SFTP as we may not use it
* Added role assignment. Still need to figure out the principal_id
* Updated principal_id to var.deployer_id
* Added customer managed key for new container
* Commenting code as workaround for order of execution issue with terraform apply
* Uncommenting code to apply changes

---------

Co-authored-by: halprin
---
operations/template/key.tf | 12 +++++++
operations/template/storage.tf | 59 ++++++++++++++++++++++++++++++++++
2 files changed, 71 insertions(+)

diff --git a/operations/template/key.tf b/operations/template/key.tf
index a824b5551..184559c32 100644
--- a/operations/template/key.tf
+++ b/operations/template/key.tf
@@ -88,6 +88,18 @@ resource "azurerm_key_vault_access_policy" "allow_storage_storage_account_wrappi
 ]
 }
 
+resource "azurerm_key_vault_access_policy" "allow_automated_storage_storage_account_wrapping" {
+ key_vault_id = azurerm_key_vault.key_storage.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = azurerm_storage_account.automated_storage.identity.0.principal_id
+
+ key_permissions = [
+ "Get",
+ "UnwrapKey",
+ "WrapKey",
+ ]
+}
+
 resource "azurerm_key_vault_secret" "report_stream_public_key" {
 name = "organization-report-stream-public-key-${var.environment}"
 value = "dogcow"
diff --git a/operations/template/storage.tf b/operations/template/storage.tf
index d3ba0a27c..b67a2f607 100644
--- a/operations/template/storage.tf
+++ b/operations/template/storage.tf
@@ -55,3 +55,62 @@ resource "azurerm_role_assignment" "allow_api_read_write" {
 role_definition_name = "Storage Blob Data Contributor"
 principal_id = azurerm_linux_web_app.api.identity.0.principal_id
 }
+
+resource "azurerm_storage_account" "automated_storage" {
+ name = "cdctiautomated${var.environment}"
+ resource_group_name = data.azurerm_resource_group.group.name
+ location = data.azurerm_resource_group.group.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+ account_kind = "StorageV2"
+ allow_nested_items_to_be_public = false
+ min_tls_version = "TLS1_2"
+ infrastructure_encryption_enabled = true
+
+ # below tags are managed by CDC
+ lifecycle {
+ ignore_changes = [
+ customer_managed_key,
+ # below tags are managed by CDC
+ tags["business_steward"],
+ tags["center"],
+ tags["environment"],
+ tags["escid"],
+ tags["funding_source"],
+ tags["pii_data"],
+ tags["security_compliance"],
+ tags["security_steward"],
+ tags["support_group"],
+ tags["system"],
+ tags["technical_steward"],
+ tags["zone"]
+ ]
+ }
+
+ identity {
+ type = "SystemAssigned"
+ }
+}
+
+resource "azurerm_storage_account_customer_managed_key" "automated_storage_storage_account_customer_key" {
+ storage_account_id = azurerm_storage_account.automated_storage.id
+ key_vault_id = azurerm_key_vault.key_storage.id
+ key_name = azurerm_key_vault_key.customer_managed_key.name
+
+ depends_on = [
+ azurerm_key_vault_access_policy.allow_github_deployer,
+ azurerm_key_vault_access_policy.allow_automated_storage_storage_account_wrapping
+ ]
+}
+
+resource "azurerm_storage_container" "automated_container" {
+ name = "automated"
+ storage_account_name = azurerm_storage_account.automated_storage.name
+ container_access_type = "private"
+}
+
+resource "azurerm_role_assignment" "allow_automated_test_read_write" {
+ scope = azurerm_storage_container.automated_container.resource_manager_id
+ role_definition_name = "Storage Blob Data Contributor"
+ principal_id = var.deployer_id
+}
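Review bot: The `azurerm_role_assignment.allow_automated_test_read_write` block at the end of the hunk grants Storage Blob Data Contributor on the new container to `var.deployer_id`, which the commit message history and the `allow_github_deployer` key-vault dependency suggest is the infrastructure deployment principal rather than an identity scoped to the automated tests. Reusing the deployer for data-plane access widens what that one credential can do; a dedicated test identity, or at least a comment recording why the deployer is the intended principal, would keep the grant explainable, e.g. `# deployer identity runs the automated HL7 tests; revisit if a dedicated test identity is introduced`. The `azurerm_storage_account.automated_storage` block also leaves `shared_access_key_enabled` at its default, so account-key access remains possible alongside the RBAC grant; if the existing storage account in this file disables it (not visible in the hunk), this one should match. Finally, the `# below tags are managed by CDC` comment appears twice — the copy above `lifecycle {` is misplaced, since the first ignored attribute there is `customer_managed_key`, and can be dropped.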