DREF Updates

.pre-commit-config.yaml

@@ -15,14 +15,8 @@ repos:
       - id: renovate-config-validator
         args: [--strict]
 
-  # - repo: https://github.com/terraform-docs/terraform-docs
-  #   rev: "v0.19.0"
-  #   hooks:
-  #     - id: terraform-docs-go
-  #       args: ["markdown", "table", "--output-file", "README-terraform.md", "./base-infrastructure/terraform"]
-
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: "v1.98.0"
+    rev: "v1.105.0"
     hooks:
       - id: terraform_fmt
       - id: terraform_tflint

applications/argocd/production/applications/alert-hub-backend.yaml

@@ -44,6 +44,14 @@ spec:
               clientID: "5853dc85-0d06-4f6d-9145-c72680a65ad9"
               keyvaultName: "alert-hub-production-kv"
               tenantId: "a2b53be5-734e-4e6c-ab0d-d184f60fd917"
+          # App level configs - temporary
+          api:
+            replicaCount: 2
+            resources:
+              requests:
+                memory: 2Gi
+              limits:
+                memory: 2Gi
   destination:
     server: https://kubernetes.default.svc
     namespace: alert-hub

applications/argocd/staging/applications/cacheppuccino.yaml

@@ -10,27 +10,29 @@ spec:
   source:
     repoURL: ghcr.io/ifrcgo
     chart: cacheppuccino-helm
-    targetRevision: 0.1.0-b413077
+    targetRevision: 0.1.0-cadf32b
     helm:
+      valueFiles:
+        - values/go-deploy.yaml
+        - values/staging.yaml
       valuesObject:
         fullnameOverride: ifrcgo-cacheppuccino
         ingress:
-          enabled: true
-          host: cacheppuccino-stage.ifrc.org
           className: nginx
+          host: cacheppuccino-stage.ifrc.org
           tls:
-            enabled: true
             secretName: cacheppuccino-helm-secret-cert
-        app:
-          translation:
-            baseUrl: "https://ifrc-translationapi.azurewebsites.net"
-            applicationId: "18"
-            existingSecret:
-              name: "cacheppuccino-api-token-secret"
-              key: "TRANSLATION_API_KEY"
         sqlite:
           pvc:
             size: 512Mi
+        serviceAccount:
+          annotations:
+            azure.workload.identity/client-id: "f39be471-33b8-4a7b-ae8b-e156427a6589"
+        secretsStoreCsiDriver:
+          parameters:
+            clientID: "f39be471-33b8-4a7b-ae8b-e156427a6589"
+            keyvaultName: "cacheppuccino-staging-kv"
+            tenantId: "a2b53be5-734e-4e6c-ab0d-d184f60fd917"
   destination:
     server: https://kubernetes.default.svc
     namespace: cacheppuccino

applications/argocd/staging/applications/montandon-eoapi/application.yaml

@@ -121,7 +121,7 @@ spec:
         env:
           UPSTREAM_URL: "http://montandon-eoapi-stac:8080"
           # UPSTREAM_URL: "https://montandon-eoapi-stage.ifrc.org/stac"
-          OIDC_DISCOVERY_URL: "https://goadmin-stage.ifrc.org/o/.well-known/openid-configuration"
+          OIDC_DISCOVERY_URL: "https://goadmin.ifrc.org/o/.well-known/openid-configuration"
           OVERRIDE_HOST: "0"
           ROOT_PATH: "/stac"
           COLLECTIONS_FILTER_CLS: stac_auth_proxy.montandon_filters:CollectionsFilter

applications/argocd/staging/applications/montandon-etl.yaml

@@ -10,7 +10,7 @@ spec:
   source:
     repoURL: ghcr.io/ifrcgo/montandon-etl
     chart: montandon-etl-helm-alpha
-    targetRevision: 0.1.1-project-fix-rabbitmq-ack-issue.c3fab621
+    targetRevision: 0.1.1-project-fix-rabbitmq-ack-issue.c49f5d29
     helm:
       valueFiles:
         - values/operators.yaml

applications/argocd/staging/applications/risk-module.yaml

@@ -0,0 +1,51 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: risk-module
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ghcr.io/ifrcgo
+    chart: ifrcgo-risk-module-helm
+    targetRevision: 0.0.1-develop.c8fef799
+    helm:
+      valueFiles:
+        - values/operators.yaml
+        - values/go-deploy.yaml
+        - values/staging.yaml
+      valuesObject:
+        app:
+          ingress:
+            host: "go-risk-api-stage.ifrc.org"
+            tls:
+              secretName: "risk-helm-secret-cert"
+          env:
+            RISK_API_FQDN: "https://go-risk-api-stage.ifrc.org"
+            DJANGO_ALLOWED_HOSTS: "go-risk-api-stage.ifrc.org"
+            # Blob Storage Configs
+            USE_AZURE_STORAGE: "true"
+            AZURE_CLIENT_ID: "1a891bd5-87e2-4489-8050-84f26c3f99ce"
+            AZURE_TENANT_ID: "a2b53be5-734e-4e6c-ab0d-d184f60fd917"
+            AZURE_STORAGE_CONTAINER: "risk-module-staging-storage-container"
+            AZURE_STORAGE_ACCOUNT_NAME: "riskmodulestaging4254"
+            AZURE_STORAGE_MANAGED_IDENTITY: "true"
+          serviceAccount:
+            annotations:
+              azure.workload.identity/client-id:
+          secretsStoreCsiDriver:
+            parameters:
+              clientID: "1a891bd5-87e2-4489-8050-84f26c3f99ce"
+              keyvaultName: "risk-module-staging-kv"
+              tenantId: "a2b53be5-734e-4e6c-ab0d-d184f60fd917"
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: risk-module
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

applications/go-api/azure-pipelines.yaml

@@ -32,7 +32,7 @@ jobs:
     displayName: "Deploy staging instance of go-api"
     env:
       ENVIRONMENT: staging
-      VERSION: "0.0.2-develop.c5d07b03"
+      VERSION: "0.0.2-develop.c4e4e741"
       # For Azure CLI
       AZURE_TENANT_ID: $(TERRAFORM_TENANT_ID)
       AZURE_CLIENT_ID: $(TERRAFORM_SERVICE_PRINCIPAL_ID)
@@ -120,7 +120,7 @@ jobs:
     displayName: "Deploy production instance of go-api"
     env:
       ENVIRONMENT: production
-      VERSION: "0.0.2-master.cdedc133"
+      VERSION: "0.0.2-master.c1ba18c1"
       # For Azure CLI
       AZURE_TENANT_ID: $(TERRAFORM_TENANT_ID)
       AZURE_CLIENT_ID: $(TERRAFORM_SERVICE_PRINCIPAL_ID)

base-infrastructure/terraform/app_resources.tf

@@ -1,3 +1,20 @@
+locals {
+  user_principal_ids = {
+    tc_navin  = "c31baae7-afbf-4ad3-8e01-5abbd68adb16"
+    tc_ranjan = "fc0ebb01-c8f1-456b-a7a5-0a2d6c79e6d9"
+    tc_sushil = "fd7b3704-8168-4b27-901c-f984b6b82c9a"
+
+    # TODO: remove this
+    dfs_moses = "32053268-3970-48f3-9b09-c4280cd0b67d"
+  }
+
+  risk_module_db_name     = "riskmodule"
+  alerthub_db_name        = "alerthubdb"
+  montandon_db_name       = "montandondb"
+  sdt_db_name             = "sdtdb"
+  montandon_eoapi_db_name = "montandoneoapidb"
+}
+
 module "risk_module_resources" {
   source = "./app_resources"
 
@@ -10,13 +27,40 @@ module "risk_module_resources" {
   app_name            = "risk-module"
   environment         = var.environment
   resource_group_name = module.resources.resource_group
-}
 
-locals {
-  alerthub_db_name        = "alerthubdb"
-  montandon_db_name       = "montandondb"
-  sdt_db_name             = "sdtdb"
-  montandon_eoapi_db_name = "montandoneoapidb"
+  database_config = {
+    create_database = true
+    database_name   = local.risk_module_db_name
+    server_id       = module.resources.risk_module_db_server_id
+  }
+
+  storage_config = {
+    container_refs = [
+      {
+        container_ref = "storage"
+        access_type   = "blob"
+      }
+    ]
+
+    enabled              = true
+    storage_account_id   = module.resources.risk_module_storage_account_id
+    storage_account_name = module.resources.risk_module_storage_account_name
+  }
+
+  secrets = {
+    # DB
+    DATABASE_NAME     = local.risk_module_db_name
+    DATABASE_HOST     = module.resources.risk_module_db_host
+    DATABASE_USER     = module.resources.risk_module_db_user
+    DATABASE_PASSWORD = module.resources.risk_module_db_user_password
+    DATABASE_PORT     = 5432
+  }
+
+
+  vault_admin_ids = [
+    local.user_principal_ids.tc_navin,
+    local.user_principal_ids.tc_ranjan,
+  ]
 }
 
 module "alert_hub_resources" {
@@ -55,14 +99,15 @@ module "alert_hub_resources" {
       }
     ]
 
-    enabled              = true
+    enabled = true
+    # FIXME: This is using go-api storage account id?
     storage_account_id   = module.resources.storage_account_id
     storage_account_name = module.resources.storage_account_name
   }
 
   vault_admin_ids = [
-    "c31baae7-afbf-4ad3-8e01-5abbd68adb16", # Navin (TC)
-    "32053268-3970-48f3-9b09-c4280cd0b67d", # Moses (DFS)
+    local.user_principal_ids.tc_navin,
+    local.user_principal_ids.dfs_moses,
   ]
 }
 
@@ -112,8 +157,8 @@ module "sdt_resources" {
   }
 
   vault_admin_ids = [
-    "c31baae7-afbf-4ad3-8e01-5abbd68adb16", # Navin (TC)
-    "32053268-3970-48f3-9b09-c4280cd0b67d", # Moses (DFS)
+    local.user_principal_ids.tc_navin,
+    local.user_principal_ids.dfs_moses,
   ]
 }
 
@@ -160,9 +205,9 @@ module "montandon_etl_resources" {
   }
 
   vault_admin_ids = [
-    "c31baae7-afbf-4ad3-8e01-5abbd68adb16", # Navin (TC)
-    "32053268-3970-48f3-9b09-c4280cd0b67d", # Moses (DFS)
-    "fc0ebb01-c8f1-456b-a7a5-0a2d6c79e6d9", # Ranjan (TC)
+    local.user_principal_ids.tc_navin,
+    local.user_principal_ids.dfs_moses,
+    local.user_principal_ids.tc_ranjan,
   ]
 }
 
@@ -192,8 +237,27 @@ module "montandon_eoapi_resources" {
   }
 
   vault_admin_ids = [
-    "c31baae7-afbf-4ad3-8e01-5abbd68adb16", # Navin (TC)
-    "32053268-3970-48f3-9b09-c4280cd0b67d", # Moses (DFS)
-    "fc0ebb01-c8f1-456b-a7a5-0a2d6c79e6d9", # Ranjan (TC)
+    local.user_principal_ids.tc_navin,
+    local.user_principal_ids.dfs_moses,
+    local.user_principal_ids.tc_ranjan,
+  ]
+}
+
+module "cacheppuccino_resources" {
+  source = "./app_resources"
+
+  app_name            = "cacheppuccino"
+  environment         = var.environment
+  resource_group_name = module.resources.resource_group
+
+  aks_config = {
+    cluster_namespace       = "cacheppuccino"
+    cluster_oidc_issuer_url = module.resources.cluster_oidc_issuer_url
+    service_account_name    = "ifrcgo-cacheppuccino"
+  }
+
+  vault_admin_ids = [
+    local.user_principal_ids.tc_navin,
+    local.user_principal_ids.tc_sushil,
   ]
 }

base-infrastructure/terraform/app_resources/outputs.tf

@@ -14,6 +14,10 @@ output "storage_containers" {
   value = var.storage_config.enabled ? azurerm_storage_container.app_container[*].name : null
 }
 
+output "storage_account_name" {
+  value = var.storage_config.enabled ? var.storage_config.storage_account_name : null
+}
+
 output "tenant_id" {
   value = data.azurerm_client_config.current.tenant_id
 }

base-infrastructure/terraform/output.tf

@@ -1,20 +1,22 @@
 output "alert_hub_app_resource_details" {
   value = {
-    database_name      = module.alert_hub_resources.database_name
-    key_vault_name     = module.alert_hub_resources.key_vault_name
-    storage_containers = module.alert_hub_resources.storage_containers
-    tenant_id          = module.alert_hub_resources.tenant_id
-    workload_id        = module.alert_hub_resources.workload_client_id
+    database_name        = module.alert_hub_resources.database_name
+    key_vault_name       = module.alert_hub_resources.key_vault_name
+    storage_account_name = module.alert_hub_resources.storage_account_name
+    storage_containers   = module.alert_hub_resources.storage_containers
+    tenant_id            = module.alert_hub_resources.tenant_id
+    workload_id          = module.alert_hub_resources.workload_client_id
   }
 }
 
 output "risk_module_app_resource_details" {
   value = {
-    database_name      = module.risk_module_resources.database_name
-    key_vault_name     = module.risk_module_resources.key_vault_name
-    storage_containers = module.risk_module_resources.storage_containers
-    tenant_id          = module.risk_module_resources.tenant_id
-    workload_id        = module.risk_module_resources.workload_client_id
+    database_name        = module.risk_module_resources.database_name
+    key_vault_name       = module.risk_module_resources.key_vault_name
+    storage_account_name = module.risk_module_resources.storage_account_name
+    storage_containers   = module.risk_module_resources.storage_containers
+    tenant_id            = module.risk_module_resources.tenant_id
+    workload_id          = module.risk_module_resources.workload_client_id
   }
 }
 
@@ -38,3 +40,11 @@ output "motandon_eoapi_app_resource_details" {
     workload_id    = module.montandon_eoapi_resources.workload_client_id
   }
 }
+
+output "cacheppuccino_app_resource_details" {
+  value = {
+    key_vault_name = module.cacheppuccino_resources.key_vault_name
+    tenant_id      = module.cacheppuccino_resources.tenant_id
+    workload_id    = module.cacheppuccino_resources.workload_client_id
+  }
+}