
Create Azure storage account and container to store HL7 files for automated testing #1280

Merged
merged 10 commits into from
Sep 4, 2024
12 changes: 12 additions & 0 deletions operations/template/key.tf
Expand Up @@ -88,6 +88,18 @@ resource "azurerm_key_vault_access_policy" "allow_storage_storage_account_wrappi
]
}

resource "azurerm_key_vault_access_policy" "allow_automated_storage_storage_account_wrapping" {
key_vault_id = azurerm_key_vault.key_storage.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_storage_account.automated_storage.identity.0.principal_id

key_permissions = [
"Get",
"UnwrapKey",
"WrapKey",
]
}

resource "azurerm_key_vault_secret" "report_stream_public_key" {
name = "organization-report-stream-public-key-${var.environment}"
value = "dogcow"
59 changes: 59 additions & 0 deletions operations/template/storage.tf
Expand Up @@ -55,3 +55,62 @@ resource "azurerm_role_assignment" "allow_api_read_write" {
role_definition_name = "Storage Blob Data Contributor"
principal_id = azurerm_linux_web_app.api.identity.0.principal_id
}

resource "azurerm_storage_account" "automated_storage" {

Can you set up this storage account with encryption using our customer-managed key? You can take inspiration from CDCgov/reportstream-sftp-ingestion#144


I'm adding the azurerm_storage_account_customer_managed_key for the new container. Do I also need to add a new azurerm_key_vault_access_policy unique to this new container? Similar to azurerm_key_vault_access_policy.allow_storage_storage_account_wrapping?


I just added the changes here: f91a4fa

name = "cdctiautomated${var.environment}"
resource_group_name = data.azurerm_resource_group.group.name
location = data.azurerm_resource_group.group.location
account_tier = "Standard"
account_replication_type = "GRS"
account_kind = "StorageV2"
allow_nested_items_to_be_public = false
min_tls_version = "TLS1_2"
infrastructure_encryption_enabled = true

# below tags are managed by CDC
lifecycle {
ignore_changes = [
customer_managed_key,
# below tags are managed by CDC
tags["business_steward"],
tags["center"],
tags["environment"],
tags["escid"],
tags["funding_source"],
tags["pii_data"],
tags["security_compliance"],
tags["security_steward"],
tags["support_group"],
tags["system"],
tags["technical_steward"],
tags["zone"]
]
}

identity {
type = "SystemAssigned"
}
}

resource "azurerm_storage_account_customer_managed_key" "automated_storage_storage_account_customer_key" {
storage_account_id = azurerm_storage_account.automated_storage.id
key_vault_id = azurerm_key_vault.key_storage.id
key_name = azurerm_key_vault_key.customer_managed_key.name

depends_on = [
azurerm_key_vault_access_policy.allow_github_deployer,
azurerm_key_vault_access_policy.allow_automated_storage_storage_account_wrapping
]
}

resource "azurerm_storage_container" "automated_container" {
name = "automated"
storage_account_name = azurerm_storage_account.automated_storage.name
container_access_type = "private"
}

resource "azurerm_role_assignment" "allow_automated_test_read_write" {
scope = azurerm_storage_container.automated_container.resource_manager_id
role_definition_name = "Storage Blob Data Contributor"
principal_id = var.deployer_id
}
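Review bot: The new `azurerm_storage_account.automated_storage` leaves shared-key (account key) authentication at its default of enabled, while access for the automated tests is granted through an RBAC role assignment on the container (`allow_automated_test_read_write`), so the account keys become an unused second credential path. If the tests authenticate as `var.deployer_id` via Entra ID, adding `shared_access_key_enabled = false` to the storage account would close that path and keep access to the HL7 test data to the assigned role only; if any test tooling still relies on keys or SAS, that should be documented in a comment on the resource instead. Separately, the comment `# below tags are managed by CDC` appears twice, once above `lifecycle {` and again inside `ignore_changes`, where only the second one describes what follows; the first copy should be dropped, or reworded to explain why `customer_managed_key` is ignored (it is managed by the separate `azurerm_storage_account_customer_managed_key` resource below).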