diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 71ce2002..49a018a5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -15,14 +15,8 @@ repos: - id: renovate-config-validator args: [--strict] - # - repo: https://github.com/terraform-docs/terraform-docs - # rev: "v0.19.0" - # hooks: - # - id: terraform-docs-go - # args: ["markdown", "table", "--output-file", "README-terraform.md", "./base-infrastructure/terraform"] - - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: "v1.98.0" + rev: "v1.105.0" hooks: - id: terraform_fmt - id: terraform_tflint diff --git a/applications/argocd/production/applications/alert-hub-backend.yaml b/applications/argocd/production/applications/alert-hub-backend.yaml index c9fa3e9a..98f1f3ab 100644 --- a/applications/argocd/production/applications/alert-hub-backend.yaml +++ b/applications/argocd/production/applications/alert-hub-backend.yaml @@ -44,6 +44,14 @@ spec: clientID: "5853dc85-0d06-4f6d-9145-c72680a65ad9" keyvaultName: "alert-hub-production-kv" tenantId: "a2b53be5-734e-4e6c-ab0d-d184f60fd917" + # App level configs - temporary + api: + replicaCount: 2 + resources: + requests: + memory: 2Gi + limits: + memory: 2Gi destination: server: https://kubernetes.default.svc namespace: alert-hub diff --git a/applications/argocd/staging/applications/cacheppuccino.yaml b/applications/argocd/staging/applications/cacheppuccino.yaml index 7a19eaaa..6011403f 100644 --- a/applications/argocd/staging/applications/cacheppuccino.yaml +++ b/applications/argocd/staging/applications/cacheppuccino.yaml 
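Review bot: The new `api` block in the alert-hub production Application sets memory requests and limits but no CPU values, and the `# App level configs - temporary` comment gives no owner, reason or removal condition, so the next reader cannot tell whether it is safe to drop. Suggest `# TODO(<owner>): temporary app-level override until <condition>, tracked in <ticket>` with the placeholders filled in, plus either a `cpu` entry under requests/limits or a comment stating that CPU is intentionally left to the chart defaults. The memory request equals its limit at 2Gi, which reads as deliberate; if the chart's own values already carry these numbers the override may be removable. The values mapping this block sits in starts before the hunk.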
@@ -10,27 +10,29 @@ spec: source: repoURL: ghcr.io/ifrcgo chart: cacheppuccino-helm - targetRevision: 0.1.0-b413077 + targetRevision: 0.1.0-cadf32b helm: + valueFiles: + - values/go-deploy.yaml + - values/staging.yaml valuesObject: fullnameOverride: ifrcgo-cacheppuccino ingress: - enabled: true - host: cacheppuccino-stage.ifrc.org className: nginx + host: cacheppuccino-stage.ifrc.org tls: - enabled: true secretName: cacheppuccino-helm-secret-cert - app: - translation: - baseUrl: "https://ifrc-translationapi.azurewebsites.net" - applicationId: "18" - existingSecret: - name: "cacheppuccino-api-token-secret" - key: "TRANSLATION_API_KEY" sqlite: pvc: size: 512Mi + serviceAccount: + annotations: + azure.workload.identity/client-id: "f39be471-33b8-4a7b-ae8b-e156427a6589" + secretsStoreCsiDriver: + parameters: + clientID: "f39be471-33b8-4a7b-ae8b-e156427a6589" + keyvaultName: "cacheppuccino-staging-kv" + tenantId: "a2b53be5-734e-4e6c-ab0d-d184f60fd917" destination: server: https://kubernetes.default.svc namespace: cacheppuccino diff --git a/applications/argocd/staging/applications/montandon-eoapi/application.yaml b/applications/argocd/staging/applications/montandon-eoapi/application.yaml index f95de7b3..cfe28d67 100644 --- a/applications/argocd/staging/applications/montandon-eoapi/application.yaml +++ b/applications/argocd/staging/applications/montandon-eoapi/application.yaml @@ -121,7 +121,7 @@ spec: env: UPSTREAM_URL: "http://montandon-eoapi-stac:8080" # UPSTREAM_URL: "https://montandon-eoapi-stage.ifrc.org/stac" - OIDC_DISCOVERY_URL: "https://goadmin-stage.ifrc.org/o/.well-known/openid-configuration" + OIDC_DISCOVERY_URL: "https://goadmin.ifrc.org/o/.well-known/openid-configuration" OVERRIDE_HOST: "0" ROOT_PATH: "/stac" COLLECTIONS_FILTER_CLS: stac_auth_proxy.montandon_filters:CollectionsFilter diff --git a/applications/argocd/staging/applications/montandon-etl.yaml b/applications/argocd/staging/applications/montandon-etl.yaml index 22993b7a..a12e6b46 100644 
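Review bot: The removed keys `ingress.enabled: true`, `tls.enabled: true` and the whole `app.translation` block (including the `existingSecret` reference to `cacheppuccino-api-token-secret` / `TRANSLATION_API_KEY`) do not reappear anywhere in this hunk, and the newly listed `values/go-deploy.yaml` and `values/staging.yaml` are not part of the diff, so it is not visible that the chart still enables the ingress and TLS and still binds the translation API key. If the chart at `0.1.0-cadf32b` now carries those settings in its bundled value files, a one-line comment above `valueFiles:` naming which keys moved there would make the Application self-explaining; if not, staging loses the translation secret binding silently. Repeating the client id in both the serviceAccount annotation and the CSI `clientID` matches the other Applications, and keeping it quoted as done here is correct.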
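Review bot: `OIDC_DISCOVERY_URL` in the staging montandon-eoapi Application now points at the production identity provider (`https://goadmin.ifrc.org/...`) instead of `goadmin-stage`, so the staging STAC auth proxy accepts tokens issued by production GO: production user sessions become valid against staging, and any staging defect is exercised with production credentials. If that is intentional (for example because staging GO has no matching users), record it on the line: `# NOTE: staging validates tokens against the production GO issuer because <reason>`; otherwise this looks like an environment cross-over that nothing else in the file would flag. The `# UPSTREAM_URL: ...` commented-out line kept just above it would also benefit from a word on when it is meant to be swapped in.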
--- a/applications/argocd/staging/applications/montandon-etl.yaml +++ b/applications/argocd/staging/applications/montandon-etl.yaml @@ -10,7 +10,7 @@ spec: source: repoURL: ghcr.io/ifrcgo/montandon-etl chart: montandon-etl-helm-alpha - targetRevision: 0.1.1-project-fix-rabbitmq-ack-issue.c3fab621 + targetRevision: 0.1.1-project-fix-rabbitmq-ack-issue.c49f5d29 helm: valueFiles: - values/operators.yaml diff --git a/applications/argocd/staging/applications/risk-module.yaml b/applications/argocd/staging/applications/risk-module.yaml new file mode 100644 index 00000000..2ac0f758 --- /dev/null +++ b/applications/argocd/staging/applications/risk-module.yaml 
@@ -0,0 +1,51 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: risk-module + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: ghcr.io/ifrcgo + chart: ifrcgo-risk-module-helm + targetRevision: 0.0.1-develop.c8fef799 + helm: + valueFiles: + - values/operators.yaml + - values/go-deploy.yaml + - values/staging.yaml + valuesObject: + app: + ingress: + host: "go-risk-api-stage.ifrc.org" + tls: + secretName: "risk-helm-secret-cert" + env: + RISK_API_FQDN: "https://go-risk-api-stage.ifrc.org" + DJANGO_ALLOWED_HOSTS: "go-risk-api-stage.ifrc.org" + # Blob Storage Configs + USE_AZURE_STORAGE: "true" + AZURE_CLIENT_ID: "1a891bd5-87e2-4489-8050-84f26c3f99ce" + AZURE_TENANT_ID: "a2b53be5-734e-4e6c-ab0d-d184f60fd917" + AZURE_STORAGE_CONTAINER: "risk-module-staging-storage-container" + AZURE_STORAGE_ACCOUNT_NAME: "riskmodulestaging4254" + AZURE_STORAGE_MANAGED_IDENTITY: "true" + serviceAccount: + annotations: + azure.workload.identity/client-id: + secretsStoreCsiDriver: + parameters: + clientID: "1a891bd5-87e2-4489-8050-84f26c3f99ce" + keyvaultName: "risk-module-staging-kv" + tenantId: "a2b53be5-734e-4e6c-ab0d-d184f60fd917" + destination: + server: https://kubernetes.default.svc + namespace: risk-module + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/applications/go-api/azure-pipelines.yaml b/applications/go-api/azure-pipelines.yaml index b9e10582..4d60ee60 100644 --- a/applications/go-api/azure-pipelines.yaml +++ b/applications/go-api/azure-pipelines.yaml @@ -32,7 +32,7 @@ jobs: displayName: "Deploy staging instance of go-api" env: ENVIRONMENT: staging - VERSION: "0.0.2-develop.c5d07b03" + VERSION: "0.0.2-develop.c4e4e741" # For Azure CLI AZURE_TENANT_ID: $(TERRAFORM_TENANT_ID) AZURE_CLIENT_ID: $(TERRAFORM_SERVICE_PRINCIPAL_ID) 
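Review bot: `azure.workload.identity/client-id:` under `serviceAccount.annotations` in the new risk-module Application has no value, so YAML parses it as null; Kubernetes annotation values must be strings, so the rendered ServiceAccount is likely to be rejected or to carry no client id, and the workload identity this file relies on (the same id is set as `AZURE_CLIENT_ID` in env and as the CSI `clientID`) would not be wired up. It should read `azure.workload.identity/client-id: "1a891bd5-87e2-4489-8050-84f26c3f99ce"`, following the pattern the cacheppuccino Application in this same commit uses. The quoted `USE_AZURE_STORAGE: "true"` and `AZURE_STORAGE_MANAGED_IDENTITY: "true"` are correct as env values and should stay strings.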
@@ -120,7 +120,7 @@ jobs: displayName: "Deploy production instance of go-api" env: ENVIRONMENT: production - VERSION: "0.0.2-master.cdedc133" + VERSION: "0.0.2-master.c1ba18c1" # For Azure CLI AZURE_TENANT_ID: $(TERRAFORM_TENANT_ID) AZURE_CLIENT_ID: $(TERRAFORM_SERVICE_PRINCIPAL_ID) diff --git a/base-infrastructure/terraform/app_resources.tf b/base-infrastructure/terraform/app_resources.tf index 38df65d6..6984a367 100644 --- a/base-infrastructure/terraform/app_resources.tf +++ b/base-infrastructure/terraform/app_resources.tf @@ -1,3 +1,20 @@ +locals { + user_principal_ids = { + tc_navin = "c31baae7-afbf-4ad3-8e01-5abbd68adb16" + tc_ranjan = "fc0ebb01-c8f1-456b-a7a5-0a2d6c79e6d9" + tc_sushil = "fd7b3704-8168-4b27-901c-f984b6b82c9a" + + # TODO: remove this + dfs_moses = "32053268-3970-48f3-9b09-c4280cd0b67d" + } + + risk_module_db_name = "riskmodule" + alerthub_db_name = "alerthubdb" + montandon_db_name = "montandondb" + sdt_db_name = "sdtdb" + montandon_eoapi_db_name = "montandoneoapidb" +} + module "risk_module_resources" { source = "./app_resources" 
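Review bot: `# TODO: remove this` above `dfs_moses` in the new `user_principal_ids` local says neither why nor when, while the same entry is still referenced from the `vault_admin_ids` of alert_hub, sdt, montandon_etl and montandon_eoapi later in this file, so whoever deletes the map entry breaks four module calls without a hint. Suggest `# TODO(<owner>): remove dfs_moses and its uses in the *_resources vault_admin_ids below once <condition>`. A one-line comment on `user_principal_ids` stating that these are the user principal ids granted Key Vault admin rights per app would also help a reader who lands on the bare GUIDs. The `module "risk_module_resources"` block opened at the end of this hunk continues in the next one.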
@@ -10,13 +27,40 @@ module "risk_module_resources" { app_name = "risk-module" environment = var.environment resource_group_name = module.resources.resource_group -} -locals { - alerthub_db_name = "alerthubdb" - montandon_db_name = "montandondb" - sdt_db_name = "sdtdb" - montandon_eoapi_db_name = "montandoneoapidb" + database_config = { + create_database = true + database_name = local.risk_module_db_name + server_id = module.resources.risk_module_db_server_id + } + + storage_config = { + container_refs = [ + { + container_ref = "storage" + access_type = "blob" + } + ] + + enabled = true + storage_account_id = module.resources.risk_module_storage_account_id + storage_account_name = module.resources.risk_module_storage_account_name + } + + secrets = { + # DB + DATABASE_NAME = local.risk_module_db_name + DATABASE_HOST = module.resources.risk_module_db_host + DATABASE_USER = module.resources.risk_module_db_user + DATABASE_PASSWORD = module.resources.risk_module_db_user_password + DATABASE_PORT = 5432 + } + + + vault_admin_ids = [ + local.user_principal_ids.tc_navin, + local.user_principal_ids.tc_ranjan, + ] } module "alert_hub_resources" { @@ -55,14 +99,15 @@ module "alert_hub_resources" { } ] - enabled = true + enabled = true + # FIXME: This is using go-api storage account id? storage_account_id = module.resources.storage_account_id storage_account_name = module.resources.storage_account_name } vault_admin_ids = [ - "c31baae7-afbf-4ad3-8e01-5abbd68adb16", # Navin (TC) - "32053268-3970-48f3-9b09-c4280cd0b67d", # Moses (DFS) + local.user_principal_ids.tc_navin, + local.user_principal_ids.dfs_moses, ] } @@ -112,8 +157,8 @@ module "sdt_resources" { } vault_admin_ids = [ - "c31baae7-afbf-4ad3-8e01-5abbd68adb16", # Navin (TC) - "32053268-3970-48f3-9b09-c4280cd0b67d", # Moses (DFS) + local.user_principal_ids.tc_navin, + local.user_principal_ids.dfs_moses, ] } 
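Review bot: `access_type = "blob"` in the new `storage_config.container_refs` entry for risk-module, if app_resources maps it to `azurerm_storage_container.container_access_type` as the name suggests, enables anonymous public read of every blob in that container, whereas the GO `data` container in resources/storage.tf is `private`. The application reaches storage through a managed identity (`AZURE_STORAGE_MANAGED_IDENTITY: "true"` in the risk-module Application), so it does not need anonymous access itself; unless the container is meant to serve public assets this should be `access_type = "private"`, and if public is intended a comment saying what is served publicly belongs next to it. The new `azurerm_storage_account.risk_module` in resources/storage.tf leaves the provider default that permits public containers, so nothing at the account level would catch this.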
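Review bot: The new `# FIXME: This is using go-api storage account id?` in alert_hub_resources' storage_config is answered by this same commit: resources/output.tf defines `storage_account_id` as `azurerm_storage_account.ifrcgo.id`, so alert-hub's containers do live in the shared GO account. Turn the question into a statement with the consequence spelled out, e.g. `# NOTE: alert-hub containers are created in the shared GO storage account; an account-scoped data role granted to the alert-hub workload identity therefore also covers GO data`, and reference the follow-up that moves it to a dedicated account as risk-module now gets. Whether app_resources scopes its role assignment to the container or to the account is not visible here, so confirm that before settling the wording.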
@@ -160,9 +205,9 @@ module "montandon_etl_resources" { } vault_admin_ids = [ - "c31baae7-afbf-4ad3-8e01-5abbd68adb16", # Navin (TC) - "32053268-3970-48f3-9b09-c4280cd0b67d", # Moses (DFS) - "fc0ebb01-c8f1-456b-a7a5-0a2d6c79e6d9", # Ranjan (TC) + local.user_principal_ids.tc_navin, + local.user_principal_ids.dfs_moses, + local.user_principal_ids.tc_ranjan, ] } @@ -192,8 +237,27 @@ module "montandon_eoapi_resources" { } vault_admin_ids = [ - "c31baae7-afbf-4ad3-8e01-5abbd68adb16", # Navin (TC) - "32053268-3970-48f3-9b09-c4280cd0b67d", # Moses (DFS) - "fc0ebb01-c8f1-456b-a7a5-0a2d6c79e6d9", # Ranjan (TC) + local.user_principal_ids.tc_navin, + local.user_principal_ids.dfs_moses, + local.user_principal_ids.tc_ranjan, + ] +} + +module "cacheppuccino_resources" { + source = "./app_resources" + + app_name = "cacheppuccino" + environment = var.environment + resource_group_name = module.resources.resource_group + + aks_config = { + cluster_namespace = "cacheppuccino" + cluster_oidc_issuer_url = module.resources.cluster_oidc_issuer_url + service_account_name = "ifrcgo-cacheppuccino" + } + + vault_admin_ids = [ + local.user_principal_ids.tc_navin, + local.user_principal_ids.tc_sushil, ] } diff --git a/base-infrastructure/terraform/app_resources/outputs.tf b/base-infrastructure/terraform/app_resources/outputs.tf index 688be93d..124109ea 100644 --- a/base-infrastructure/terraform/app_resources/outputs.tf +++ b/base-infrastructure/terraform/app_resources/outputs.tf @@ -14,6 +14,10 @@ output "storage_containers" { value = var.storage_config.enabled ? azurerm_storage_container.app_container[*].name : null } +output "storage_account_name" { + value = var.storage_config.enabled ? var.storage_config.storage_account_name : null +} + output "tenant_id" { value = data.azurerm_client_config.current.tenant_id } diff --git a/base-infrastructure/terraform/output.tf b/base-infrastructure/terraform/output.tf index 6777d269..ac8a3c28 100644 --- a/base-infrastructure/terraform/output.tf 
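Review bot: `cacheppuccino_resources` derives its federated identity from `cluster_namespace = "cacheppuccino"` and `service_account_name = "ifrcgo-cacheppuccino"`, but the cacheppuccino Application in this commit only sets `fullnameOverride: ifrcgo-cacheppuccino` and never an explicit service account name, so the match relies on the chart naming its ServiceAccount after the fullname — worth confirming against the chart, since a mismatch presumably surfaces only as a token-exchange failure at runtime rather than at apply time. A comment such as `# must match the ServiceAccount rendered by cacheppuccino-helm for the staging Application (fullnameOverride)` would record that coupling. The Application also hardcodes the client id that `cacheppuccino_app_resource_details.workload_id` emits, so Terraform has to be applied before the Application syncs; a comment stating that ordering would help.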
+++ b/base-infrastructure/terraform/output.tf @@ -1,20 +1,22 @@ output "alert_hub_app_resource_details" { value = { - database_name = module.alert_hub_resources.database_name - key_vault_name = module.alert_hub_resources.key_vault_name - storage_containers = module.alert_hub_resources.storage_containers - tenant_id = module.alert_hub_resources.tenant_id - workload_id = module.alert_hub_resources.workload_client_id + database_name = module.alert_hub_resources.database_name + key_vault_name = module.alert_hub_resources.key_vault_name + storage_account_name = module.alert_hub_resources.storage_account_name + storage_containers = module.alert_hub_resources.storage_containers + tenant_id = module.alert_hub_resources.tenant_id + workload_id = module.alert_hub_resources.workload_client_id } } output "risk_module_app_resource_details" { value = { - database_name = module.risk_module_resources.database_name - key_vault_name = module.risk_module_resources.key_vault_name - storage_containers = module.risk_module_resources.storage_containers - tenant_id = module.risk_module_resources.tenant_id - workload_id = module.risk_module_resources.workload_client_id + database_name = module.risk_module_resources.database_name + key_vault_name = module.risk_module_resources.key_vault_name + storage_account_name = module.risk_module_resources.storage_account_name + storage_containers = module.risk_module_resources.storage_containers + tenant_id = module.risk_module_resources.tenant_id + workload_id = module.risk_module_resources.workload_client_id } } @@ -38,3 +40,11 @@ output "motandon_eoapi_app_resource_details" { workload_id = module.montandon_eoapi_resources.workload_client_id } } + +output "cacheppuccino_app_resource_details" { + value = { + key_vault_name = module.cacheppuccino_resources.key_vault_name + tenant_id = module.cacheppuccino_resources.tenant_id + workload_id = module.cacheppuccino_resources.workload_client_id + } +} 
diff --git a/base-infrastructure/terraform/resources/database.tf b/base-infrastructure/terraform/resources/database.tf index 1d37aa28..02521460 100644 --- a/base-infrastructure/terraform/resources/database.tf +++ b/base-infrastructure/terraform/resources/database.tf @@ -4,7 +4,7 @@ data "azurerm_postgresql_flexible_server" "ifrcgo" { resource_group_name = data.azurerm_resource_group.ifrcgo.name } -# Database for AlertHub +# Database for AlertHub -------------------------------------- resource "random_password" "alert_hub_db_admin" { length = 16 special = true @@ -67,7 +67,7 @@ resource "azurerm_postgresql_flexible_server_configuration" "alerthub_postgres_c value = each.value } -# Database for SDT +# Database for Survey designer -------------------------------------- resource "random_password" "sdt_db_admin" { length = 16 special = true @@ -117,7 +117,8 @@ resource "azurerm_postgresql_flexible_server_configuration" "sdt_db_extensions" value = "CITEXT" } -# Database for Montandon +# Database for Montandon -------------------------------------- +# Montandon ETL ********************************************** resource "random_password" "montandon_db_user" { length = 16 special = true @@ -167,6 +168,7 @@ resource "azurerm_postgresql_flexible_server_configuration" "montandon_db_extens value = "POSTGIS" } +# Montandon eoAPI ********************************************** resource "random_password" "montandon_eoapi_db_user" { length = 16 special = true 
@@ -217,3 +219,54 @@ resource "azurerm_postgresql_flexible_server_configuration" "montandon_eoapi_db_ server_id = azurerm_postgresql_flexible_server.montandon_eoapi.id value = "POSTGIS" } + + +# Database for Risk Module -------------------------------------- +resource "random_password" "risk_module_db_user" { + length = 16 + special = true + + lifecycle { + create_before_destroy = true + } +} + +resource "azurerm_postgresql_flexible_server" "risk_module" { + name = "risk-module-${var.environment}-psql-flexible-server" + resource_group_name = data.azurerm_resource_group.ifrcgo.name + location = data.azurerm_resource_group.ifrcgo.location + version = "16" + administrator_login = "postgres" + administrator_password = random_password.risk_module_db_user.result + backup_retention_days = 35 + auto_grow_enabled = true + sku_name = "GP_Standard_D2ds_v5" + delegated_subnet_id = azurerm_subnet.postgres.id + private_dns_zone_id = azurerm_private_dns_zone.ifrcgo.id + public_network_access_enabled = false + zone = 1 + + lifecycle { + ignore_changes = [ + version + ] + } + + depends_on = [ + azurerm_private_dns_zone_virtual_network_link.ifrcgo + ] +} + +resource "azurerm_postgresql_flexible_server_firewall_rule" "risk_module_db_vnet_rule" { + name = "risk-module-${var.environment}-psql-vnet-access-fw-rule" + server_id = azurerm_postgresql_flexible_server.risk_module.id + start_ip_address = cidrhost(azurerm_virtual_network.ifrcgo-cluster.address_space[0], 0) + end_ip_address = cidrhost(azurerm_virtual_network.ifrcgo-cluster.address_space[0], -1) +} + +# Enable extensions for risk_module db +resource "azurerm_postgresql_flexible_server_configuration" "risk_module_db_extensions" { + name = "azure.extensions" + server_id = azurerm_postgresql_flexible_server.risk_module.id + value = "POSTGIS" +} diff --git a/base-infrastructure/terraform/resources/helm-argocd.tf b/base-infrastructure/terraform/resources/helm-argocd.tf index b5051d02..240a672b 100644 
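Review bot: The risk-module workload is handed the server administrator credentials: `administrator_login = "postgres"` here is what resources/output.tf exports as `risk_module_db_user`, and app_resources.tf passes it with `risk_module_db_user_password` into the app's `DATABASE_USER` / `DATABASE_PASSWORD` secrets, so the application runs with full admin rights over the server. A dedicated least-privilege database role for the application, with the admin login kept for provisioning only, would limit what a compromised pod can do; the other servers in this file appear to follow the same pattern, so if this is a deliberate repo convention a comment on the secrets map saying so would stop the question being re-asked. `ignore_changes = [version]` silently accepts out-of-band major upgrades of the engine; a one-line comment stating that intent belongs next to it.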
--- a/base-infrastructure/terraform/resources/helm-argocd.tf +++ b/base-infrastructure/terraform/resources/helm-argocd.tf @@ -9,7 +9,7 @@ resource "helm_release" "argo-cd" { repository = "https://argoproj.github.io/argo-helm" namespace = "argocd" - version = "7.6.7" + version = "9.3.4" values = [ yamlencode({ diff --git a/base-infrastructure/terraform/resources/output.tf b/base-infrastructure/terraform/resources/output.tf index cad40eb7..ef654b37 100644 --- a/base-infrastructure/terraform/resources/output.tf +++ b/base-infrastructure/terraform/resources/output.tf @@ -1,11 +1,3 @@ -output "alert_hub_db_admin_password" { - value = random_password.alert_hub_db_admin.result -} - -output "alert_hub_db_server_id" { - value = azurerm_postgresql_flexible_server.alerthub.id -} - output "environment" { value = var.environment } @@ -46,6 +38,26 @@ output "azure_storage_connection_string" { value = azurerm_storage_account.ifrcgo.primary_connection_string } +output "storage_account_name" { + value = azurerm_storage_account.ifrcgo.name +} + +output "storage_account_id" { + value = azurerm_storage_account.ifrcgo.id +} + +# Alert Hub ---------------------------------------- +output "alert_hub_db_admin_password" { + value = random_password.alert_hub_db_admin.result +} + +output "alert_hub_db_server_id" { + value = azurerm_postgresql_flexible_server.alerthub.id +} + +# Montandon ---------------------------------------- +# -- ETL + # Montandon DB Details output "montandon_db_user_password" { value = random_password.montandon_db_user.result @@ -67,6 +79,8 @@ output "montandon_storage_account_name" { value = azurerm_storage_account.montandon.name } +# -- eoAPI + # Montandon eoAPI DB Details output "montandon_eoapi_db_user_password" { value = random_password.montandon_eoapi_db_user.result 
@@ -80,7 +94,9 @@ output "montandon_eoapi_db_server_id" { value = azurerm_postgresql_flexible_server.montandon_eoapi.id } -# SDT DB Details +# Survey designer -------------------------------------- + +# DB output "sdt_db_admin_password" { value = random_password.sdt_db_admin.result } @@ -93,6 +109,7 @@ output "sdt_db_server_id" { value = azurerm_postgresql_flexible_server.sdt.id } +# Storage output "sdt_storage_account_id" { value = azurerm_storage_account.sdt.id } @@ -101,10 +118,30 @@ output "sdt_storage_account_name" { value = azurerm_storage_account.sdt.name } -output "storage_account_name" { - value = azurerm_storage_account.ifrcgo.name +# Risk Module ---------------------------------------- + +# DB +output "risk_module_db_server_id" { + value = azurerm_postgresql_flexible_server.risk_module.id } -output "storage_account_id" { - value = azurerm_storage_account.ifrcgo.id +output "risk_module_db_host" { + value = azurerm_postgresql_flexible_server.risk_module.fqdn +} + +output "risk_module_db_user" { + value = azurerm_postgresql_flexible_server.risk_module.administrator_login +} + +output "risk_module_db_user_password" { + value = random_password.risk_module_db_user.result +} + +# Storage +output "risk_module_storage_account_id" { + value = azurerm_storage_account.risk_module.id +} + +output "risk_module_storage_account_name" { + value = azurerm_storage_account.risk_module.name } diff --git a/base-infrastructure/terraform/resources/storage.tf b/base-infrastructure/terraform/resources/storage.tf index f11054be..9d2d61dc 100644 --- a/base-infrastructure/terraform/resources/storage.tf +++ b/base-infrastructure/terraform/resources/storage.tf @@ -1,3 +1,5 @@ +# GO ----------------------------------------- + resource "azurerm_storage_account" "ifrcgo" { name = local.storage resource_group_name = data.azurerm_resource_group.ifrcgo.name 
@@ -12,6 +14,7 @@ resource "azurerm_storage_container" "data" { container_access_type = "private" } +# Survey designer -------------------------------------- resource "random_integer" "sdt_storage_account_suffix" { min = 1000 max = 9999 @@ -35,6 +38,7 @@ resource "azurerm_storage_account" "sdt" { } } +# Montandon ETL -------------------------------------- resource "random_integer" "montandon_storage_account_suffix" { min = 1000 max = 9999 @@ -47,3 +51,17 @@ resource "azurerm_storage_account" "montandon" { account_tier = "Standard" account_replication_type = "LRS" } + +# Risk module -------------------------------------- +resource "random_integer" "risk_module_storage_account_suffix" { + min = 1000 + max = 9999 +} + +resource "azurerm_storage_account" "risk_module" { + name = "riskmodule${var.environment}${random_integer.risk_module_storage_account_suffix.result}" + resource_group_name = data.azurerm_resource_group.ifrcgo.name + location = data.azurerm_resource_group.ifrcgo.location + account_tier = "Standard" + account_replication_type = "LRS" +}
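Review bot: The new `azurerm_storage_account.risk_module` copies the minimal shape of the montandon and sdt accounts and so inherits the provider defaults for `allow_nested_items_to_be_public` and `shared_access_key_enabled`; since the risk-module workload reaches the account through a managed identity (`AZURE_STORAGE_MANAGED_IDENTITY: "true"` in its Application), `shared_access_key_enabled = false` would remove the key-based path entirely — provided app_resources does not itself read the account keys, which is not visible here. `allow_nested_items_to_be_public = false` would additionally turn the `access_type = "blob"` container request in app_resources.tf into a hard error instead of a public container, a useful guard whichever way that setting is resolved. If the existing accounts are deliberately left at defaults, a comment on this block pointing at that convention would save the next reviewer the same question.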