Draft topology

.terraform-docs.yml

@@ -0,0 +1,29 @@
+---
+formatter: "markdown table"
+version: "~> 0.16"
+sections:
+  hide:
+    - modules
+settings:
+  anchor: true
+  default: true
+  description: false
+  escape: true
+  hide-empty: false
+  html: true
+  indent: 2
+  lockfile: true
+  read-comments: true
+  required: true
+  sensitive: true
+  type: true
+sort:
+  enabled: true
+  by: name
+output:
+  file: README.md
+  mode: inject
+  template: |-
+        <!-- BEGIN_TF_DOCS -->
+        {{ .Content }}
+        <!-- END_TF_DOCS -->

.terraform-version

@@ -0,0 +1 @@
+1.7.5

Brewfile

@@ -0,0 +1,4 @@
+brew "tfenv"
+brew "terraform-docs"
+brew "tfsec"
+brew "tflint"

README.md

@@ -78,7 +78,7 @@
 | <a name="input_mssql_collation"></a> [mssql\_collation](#input\_mssql\_collation) | Set the collation for the SQL database | `string` | `"SQL_Latin1_General_CP1_CI_AS"` | no |
 | <a name="input_mssql_database_name"></a> [mssql\_database\_name](#input\_mssql\_database\_name) | The name of the MSSQL database to create. Must be set if `enable_mssql_database` is true | `string` | `""` | no |
 | <a name="input_mssql_firewall_ipv4_allow_list"></a> [mssql\_firewall\_ipv4\_allow\_list](#input\_mssql\_firewall\_ipv4\_allow\_list) | A list of IPv4 Addresses that require remote access to the MSSQL Server | <pre>map(object({<br>    start_ip_range : string,<br>    end_ip_range : optional(string, "")<br>  }))</pre> | `{}` | no |
-| <a name="input_mssql_managed_identity_assign_role"></a> [mssql\_managed\_identity\_assign\_role](#input\_mssql\_managed\_identity\_assign\_role) | Assign the 'Storage Blob Data Contributor' Role to the SQL Server User-Assigned Managed Identity. Note: If you do not have 'Microsoft.Authorization/roleAssignments/write' permission, you will need to manually assign the 'Storage Blob Data Contributor' Role to the identity | `bool` | `true` | no |
+| <a name="input_mssql_managed_identity_assign_role"></a> [mssql\_managed\_identity\_assign\_role](#input\_mssql\_managed\_identity\_assign\_role) | Assign the 'Storage Blob Data Contributor' Role to the SQL Server User-Assigned Managed Identity. Note: If you do not have 'Microsoft.Authorization/roleAssignments/write' permission, you will need to manually assign the 'Storage Blob Data Contributor' Role to the identity | `bool` | `false` | no |
 | <a name="input_mssql_max_size_gb"></a> [mssql\_max\_size\_gb](#input\_mssql\_max\_size\_gb) | The max size of the database in gigabytes | `number` | `2` | no |
 | <a name="input_mssql_security_storage_firewall_ipv4_allow_list"></a> [mssql\_security\_storage\_firewall\_ipv4\_allow\_list](#input\_mssql\_security\_storage\_firewall\_ipv4\_allow\_list) | Additional IP addresses to add to the Storage Account that holds the Vulnerability Assessments | `list(string)` | `[]` | no |
 | <a name="input_mssql_server_admin_password"></a> [mssql\_server\_admin\_password](#input\_mssql\_server\_admin\_password) | The local administrator password for the MSSQL server | `string` | `""` | no |

backend.tf

@@ -0,0 +1,3 @@
+terraform {
+  backend "azurerm" {}
+}

backend.vars.example

@@ -0,0 +1,5 @@
+subscription_id      = "<subscription_id>"
+resource_group_name  = "<resource_group_name>"
+storage_account_name = "<storage_account_name>"
+container_name       = "<container_name>"
+key                  = "terraform.tstate"

data.tf

@@ -0,0 +1,54 @@
+data "azurerm_virtual_network" "existing_virtual_network" {
+  count = local.existing_virtual_network == "" ? 0 : 1
+
+  name                = local.existing_virtual_network
+  resource_group_name = local.existing_resource_group
+}
+
+data "azurerm_resource_group" "existing_resource_group" {
+  count = local.existing_resource_group == "" ? 0 : 1
+
+  name = local.existing_resource_group
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_logic_app_workflow" "existing_logic_app_workflow" {
+  count = local.existing_logic_app_workflow.name == "" ? 0 : 1
+
+  name                = local.existing_logic_app_workflow.name
+  resource_group_name = local.existing_logic_app_workflow.resource_group_name
+}
+
+# There is not currently a way to get the full HTTP Trigger callback URL from a Logic App
+# so we have to use AzAPI to query the Logic App Workflow for the value instead.
+# https://github.com/hashicorp/terraform-provider-azurerm/issues/18866
+data "azapi_resource_action" "existing_logic_app_workflow_callback_url" {
+  count = local.existing_logic_app_workflow.name == "" ? 0 : 1
+
+  resource_id = "${data.azurerm_logic_app_workflow.existing_logic_app_workflow[0].id}/triggers/${data.azurerm_logic_app_workflow.existing_logic_app_workflow[0].name}-trigger"
+  action      = "listCallbackUrl"
+  type        = "Microsoft.Logic/workflows/triggers@2018-07-01-preview"
+
+  depends_on = [
+    data.azurerm_logic_app_workflow.existing_logic_app_workflow[0]
+  ]
+
+  response_export_values = ["value"]
+}
+
+data "azurerm_virtual_network" "private_endpoints" {
+  for_each = local.private_endpoint_configurations
+
+  name                = each.value["vnet_name"]
+  resource_group_name = each.value["vnet_resource_group_name"]
+}
+
+data "azurerm_route_table" "private_endpoints" {
+  for_each = {
+    for k, v in local.private_endpoint_configurations : k => v if v["subnet_route_table_name"] != null
+  }
+
+  name                = each.value["subnet_route_table_name"]
+  resource_group_name = each.value["vnet_resource_group_name"]
+}

identity.tf

@@ -0,0 +1,17 @@
+resource "azurerm_user_assigned_identity" "mssql" {
+  count = local.enable_mssql_database ? 1 : 0
+
+  location            = local.resource_group.location
+  name                = "${local.resource_prefix}-uami-mssql"
+  resource_group_name = local.resource_group.name
+  tags                = local.tags
+}
+
+resource "azurerm_role_assignment" "mssql_storageblobdatacontributor" {
+  count = local.enable_mssql_database && local.mssql_managed_identity_assign_role ? 1 : 0
+
+  scope                = azurerm_storage_account.mssql_security_storage[0].id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = azurerm_user_assigned_identity.mssql[0].id
+  description          = "Allow SQL Auditing to write reports and findings into the MSSQL Security Storage Account"
+}

key-vault-tfvars.tf

@@ -0,0 +1,15 @@
+module "azurerm_key_vault" {
+  source = "github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars?ref=v0.4.1"
+
+  environment                             = local.environment
+  project_name                            = local.project_name
+  existing_resource_group                 = local.resource_group.name
+  azure_location                          = local.azure_location
+  key_vault_access_use_rbac_authorization = true
+  key_vault_access_users                  = []
+  key_vault_access_ipv4                   = local.key_vault_access_ipv4
+  tfvars_filename                         = local.tfvars_filename
+  enable_diagnostic_setting               = false
+  enable_diagnostic_storage_account       = false
+  tags                                    = local.tags
+}

locals.tf

@@ -0,0 +1,56 @@
+locals {
+  # Global options
+  environment     = var.environment
+  project_name    = var.project_name
+  resource_prefix = "${local.environment}${local.project_name}"
+  azure_location  = var.azure_location
+  tags            = var.tags
+
+  # Key Vault
+  key_vault_access_ipv4 = var.key_vault_access_ipv4
+  tfvars_filename       = var.tfvars_filename
+
+  # Resource Group
+  existing_resource_group = var.existing_resource_group
+  resource_group          = local.existing_resource_group == "" ? azurerm_resource_group.default[0] : data.azurerm_resource_group.existing_resource_group[0]
+
+  # Networking
+  launch_in_vnet                     = var.launch_in_vnet
+  existing_virtual_network           = var.existing_virtual_network
+  virtual_network                    = local.existing_virtual_network == "" ? azurerm_virtual_network.default[0] : data.azurerm_virtual_network.existing_virtual_network[0]
+  virtual_network_address_space      = var.virtual_network_address_space
+  virtual_network_address_space_mask = element(split("/", local.virtual_network_address_space), 1)
+  mssql_private_endpoint_subnet_cidr = cidrsubnet(local.virtual_network_address_space, 23 - local.virtual_network_address_space_mask, 1)
+  private_endpoint_configurations    = var.private_endpoint_configurations
+
+  # SQL Server
+  enable_mssql_database                           = var.enable_mssql_database
+  mssql_server_admin_password                     = var.mssql_server_admin_password
+  mssql_sku_name                                  = var.mssql_sku_name
+  mssql_collation                                 = var.mssql_collation
+  mssql_max_size_gb                               = var.mssql_max_size_gb
+  mssql_database_name                             = var.mssql_database_name
+  mssql_firewall_ipv4_allow_list                  = var.mssql_firewall_ipv4_allow_list
+  mssql_azuread_admin_username                    = var.mssql_azuread_admin_username
+  mssql_azuread_admin_object_id                   = var.mssql_azuread_admin_object_id
+  mssql_azuread_auth_only                         = var.mssql_azuread_auth_only
+  mssql_version                                   = var.mssql_version
+  mssql_server_public_access_enabled              = var.mssql_server_public_access_enabled
+  enable_mssql_vulnerability_assessment           = var.enable_mssql_vulnerability_assessment
+  mssql_security_storage_firewall_ipv4_allow_list = var.mssql_security_storage_firewall_ipv4_allow_list
+  mssql_managed_identity_assign_role              = var.mssql_managed_identity_assign_role
+
+  # Azure Monitor
+  enable_monitoring = var.enable_monitoring
+  # Azure Monitor / Logic App Workflow
+  existing_logic_app_workflow     = var.existing_logic_app_workflow
+  logic_app_workflow_name         = local.existing_logic_app_workflow.name != "" ? data.azurerm_logic_app_workflow.existing_logic_app_workflow[0].name : null
+  logic_app_workflow_id           = local.existing_logic_app_workflow.name != "" ? data.azurerm_logic_app_workflow.existing_logic_app_workflow[0].id : null
+  logic_app_workflow_callback_url = local.existing_logic_app_workflow.name != "" ? jsondecode(data.azapi_resource_action.existing_logic_app_workflow_callback_url[0].output).value : null
+  monitor_email_receivers         = var.monitor_email_receivers
+  monitor_logic_app_receiver = {
+    name         = local.logic_app_workflow_name
+    resource_id  = local.logic_app_workflow_id
+    callback_url = local.logic_app_workflow_callback_url
+  }
+}