Fixing #13 and #14

Azure · Oct 23, 2023 · dfc3008 · dfc3008
1 parent 103f1b7
commit dfc3008
Show file tree

Hide file tree

Showing 17 changed files with 329 additions and 20 deletions.
diff --git a/infra/.terraform.lock.hcl b/infra/.terraform.lock.hcl
diff --git a/infra/main.tf b/infra/main.tf
@@ -21,6 +21,18 @@ module "vnet" {
   virtual_network_name = var.virtual_network_name
 }
 
+module "nsg" {
+  source              = "./modules/nsg"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  nsg_apim_name       = "nsg-apim"
+  apim_subnet_id      = module.vnet.apim_subnet_id
+  nsg_cae_name        = "nsg-cae"
+  cae_subnet_id       = module.vnet.cae_subnet_id
+  nsg_pe_name         = "nsg-pe"
+  pe_subnet_id        = module.vnet.pe_subnet_id
+}
+
 module "apim" {
   source              = "./modules/apim"
   location            = azurerm_resource_group.rg.location
@@ -29,6 +41,9 @@ module "apim" {
   apim_subnet_id      = module.vnet.apim_subnet_id
   publisher_name      = var.publisher_name
   publisher_email     = var.publisher_email
+  enable_apim         = var.enable_apim
+
+  depends_on = [module.nsg]
 }
 
 module "mi" {
@@ -70,7 +85,7 @@ module "appi" {
   source              = "./modules/appi"
   location            = azurerm_resource_group.rg.location
   resource_group_name = azurerm_resource_group.rg.name
-  appi_name           = var.apim_name
+  appi_name           = var.appi_name
   log_id              = module.log.log_id
 }
 
@@ -103,23 +118,24 @@ module "cae" {
 }
 
 module "ca_back" {
-  source                     = "./modules/ca-back"
-  location                   = azurerm_resource_group.rg.location
-  resource_group_id          = azurerm_resource_group.rg.id
-  ca_name                    = var.ca_back_name
-  cae_id                     = module.cae.cae_id
-  managed_identity_id        = module.mi.mi_id
-  chat_gpt_deployment        = module.openai.gpt_deployment_name
-  chat_gpt_model             = module.openai.gpt_deployment_name
-  embeddings_deployment      = module.openai.embedding_deployment_name
-  embeddings_model           = module.openai.embedding_deployment_name
-  storage_account_name       = module.st.storage_account_name
-  storage_container_name     = module.st.storage_container_name
-  search_service_name        = module.search.search_service_name
-  search_index_name          = module.search.search_index_name
-  openai_service_name        = module.openai.openai_service_name
-  tenant_id                  = data.azurerm_subscription.current.tenant_id
-  managed_identity_client_id = module.mi.client_id
+  source                         = "./modules/ca-back"
+  location                       = azurerm_resource_group.rg.location
+  resource_group_id              = azurerm_resource_group.rg.id
+  ca_name                        = var.ca_back_name
+  cae_id                         = module.cae.cae_id
+  managed_identity_id            = module.mi.mi_id
+  chat_gpt_deployment            = module.openai.gpt_deployment_name
+  chat_gpt_model                 = module.openai.gpt_deployment_name
+  embeddings_deployment          = module.openai.embedding_deployment_name
+  embeddings_model               = module.openai.embedding_deployment_name
+  storage_account_name           = module.st.storage_account_name
+  storage_container_name         = module.st.storage_container_name
+  search_service_name            = module.search.search_service_name
+  search_index_name              = module.search.search_index_name
+  openai_service_name            = module.openai.openai_service_name
+  tenant_id                      = data.azurerm_subscription.current.tenant_id
+  managed_identity_client_id     = module.mi.client_id
+  enable_entra_id_authentication = var.enable_entra_id_authentication
 }
 
 # module "ca_webapi" {

diff --git a/infra/modules/apim/main.tf b/infra/modules/apim/main.tf
@@ -1,4 +1,5 @@
 resource "azurerm_api_management" "apim" {
+  count                = var.enable_apim ? 1 : 0
   name                 = var.apim_name
   location             = var.location
   resource_group_name  = var.resource_group_name

diff --git a/infra/modules/apim/outputs.tf b/infra/modules/apim/outputs.tf
@@ -1,3 +1,3 @@
 output "apim_name" {
-  value = azurerm_api_management.apim.name
+  value = var.enable_apim ?  azurerm_api_management.apim[0].name : ""
 }
diff --git a/infra/modules/apim/variables.tf b/infra/modules/apim/variables.tf
@@ -4,3 +4,5 @@ variable "apim_name" {}
 variable "publisher_name" {}
 variable "publisher_email" {}
 variable "apim_subnet_id" {}
+
+variable "enable_apim" {}
diff --git a/infra/modules/ca-back/auth_config.tf b/infra/modules/ca-back/auth_config.tf
@@ -0,0 +1,68 @@
+locals {
+  redirect_fqdn = jsondecode(azapi_resource.ca_back.output).properties.configuration.ingress.fqdn
+}
+
+module "sp" {
+  count   = var.enable_entra_id_authentication ? 1 : 0
+  source  = "../sp"
+  sp_name = var.ca_name
+}
+
+resource "azapi_resource" "current" {
+  count     = var.enable_entra_id_authentication ? 1 : 0
+  type      = "Microsoft.App/containerApps/authConfigs@2023-05-01"
+  name      = "Current"
+  parent_id = azapi_resource.ca_back.id
+  timeouts {}
+  body = jsonencode({
+    properties = {
+      platform = {
+        enabled = true
+      }
+      globalValidation = {
+        redirectToProvider          = "azureactivedirectory"
+        unauthenticatedClientAction = "RedirectToLoginPage"
+      }
+      identityProviders = {
+        azureActiveDirectory = {
+          enabled           = true
+          isAutoProvisioned = true
+          registration = {
+            clientId                = "${module.sp[0].client_id}"
+            clientSecretSettingName = "microsoft-provider-authentication-secret"
+            openIdIssuer            = "https://sts.windows.net/${var.tenant_id}/v2.0"
+          }
+          validation = {
+            allowedAudiences = [
+              "api://${module.sp[0].client_id}"
+            ]
+          }
+        }
+      }
+      login = {
+        preserveUrlFragmentsForLogins = false
+      }
+    }
+  })
+}
+
+locals {
+  fqdn                         = jsondecode(azapi_resource.ca_back.output).properties.configuration.ingress.fqdn
+  update_redirect_uris_command = var.enable_entra_id_authentication ? "az ad app update --id ${module.sp[0].client_id} --web-redirect-uris https://${local.fqdn}/.auth/login/aad/callback" : ""
+}
+
+resource "null_resource" "update_redirect_uris" {
+  count = var.enable_entra_id_authentication ? 1 : 0
+  provisioner "local-exec" {
+    command = local.update_redirect_uris_command
+  }
+  depends_on = [
+    module.sp,
+    azapi_resource.ca_back,
+    azapi_resource.current
+  ]
+  triggers = {
+    input_json                   = md5(local.update_redirect_uris_command)
+    update_redirect_uris_command = local.update_redirect_uris_command
+  }
+}
diff --git a/infra/modules/ca-back/main.tf b/infra/modules/ca-back/main.tf
@@ -14,7 +14,12 @@ resource "azapi_resource" "ca_back" {
     properties : {
       managedEnvironmentId = "${var.cae_id}"
       configuration = {
-        secrets = []
+        secrets = [
+          {
+            name  = "microsoft-provider-authentication-secret"
+            value = "${var.enable_entra_id_authentication ? module.sp[0].password : "None"}"
+          }
+        ]
         ingress = {
           external   = true
           targetPort = 50505

diff --git a/infra/modules/ca-back/variables.tf b/infra/modules/ca-back/variables.tf
@@ -15,3 +15,5 @@ variable "chat_gpt_model" {}
 variable "embeddings_deployment" {}
 variable "embeddings_model" {}
 variable "openai_service_name" {}
+
+variable "enable_entra_id_authentication" {}
diff --git a/infra/modules/nsg/nsg_apim.tf b/infra/modules/nsg/nsg_apim.tf
@@ -0,0 +1,70 @@
+resource "azurerm_network_security_group" "nsg_apim" {
+  name                = var.nsg_apim_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  security_rule {
+    name                       = "management-endpoint"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "3443"
+    source_address_prefix      = "ApiManagement"
+    destination_address_prefix = "VirtualNetwork"
+  }
+
+  security_rule {
+    name                       = "load-balancer"
+    priority                   = 200
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "6390"
+    source_address_prefix      = "AzureLoadBalancer"
+    destination_address_prefix = "VirtualNetwork"
+  }
+
+  security_rule {
+    name                       = "dependency-on-storage"
+    priority                   = 100
+    direction                  = "Outbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "443"
+    source_address_prefix      = "VirtualNetwork"
+    destination_address_prefix = "Storage"
+  }
+
+  security_rule {
+    name                       = "dependency-on-sql"
+    priority                   = 200
+    direction                  = "Outbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "1433"
+    source_address_prefix      = "VirtualNetwork"
+    destination_address_prefix = "SQL"
+  }
+
+  security_rule {
+    name                       = "dependency-on-kv"
+    priority                   = 300
+    direction                  = "Outbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "443"
+    source_address_prefix      = "VirtualNetwork"
+    destination_address_prefix = "AzureKeyVault"
+  }
+}
+
+resource "azurerm_subnet_network_security_group_association" "nsg_apim_association" {
+  subnet_id                 = var.apim_subnet_id
+  network_security_group_id = azurerm_network_security_group.nsg_apim.id
+}
diff --git a/infra/modules/nsg/nsg_cae.tf b/infra/modules/nsg/nsg_cae.tf
@@ -0,0 +1,10 @@
+resource "azurerm_network_security_group" "nsg_cae" {
+  name                = var.nsg_cae_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_subnet_network_security_group_association" "nsg_cae_association" {
+  subnet_id                 = var.cae_subnet_id
+  network_security_group_id = azurerm_network_security_group.nsg_cae.id
+}
diff --git a/infra/modules/nsg/nsg_pe.tf b/infra/modules/nsg/nsg_pe.tf
@@ -0,0 +1,10 @@
+resource "azurerm_network_security_group" "nsg_pe" {
+  name                = var.nsg_pe_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_subnet_network_security_group_association" "nsg_pe_association" {
+  subnet_id                 = var.pe_subnet_id
+  network_security_group_id = azurerm_network_security_group.nsg_pe.id
+}
diff --git a/infra/modules/nsg/variables.tf b/infra/modules/nsg/variables.tf
@@ -0,0 +1,11 @@
+variable "resource_group_name" {}
+variable "location" {}
+
+variable "nsg_apim_name" {}
+variable "apim_subnet_id" {}
+
+variable "nsg_cae_name" {}
+variable "cae_subnet_id" {}
+
+variable "nsg_pe_name" {}
+variable "pe_subnet_id" {}
diff --git a/infra/modules/sp/main.tf b/infra/modules/sp/main.tf
@@ -0,0 +1,44 @@
+data "azurerm_client_config" "current" {}
+
+resource "azuread_application" "sp" {
+  display_name    = var.sp_name
+  identifier_uris = ["api://${var.sp_name}"]
+  owners = [
+    data.azurerm_client_config.current.object_id
+  ]
+
+  web {
+    implicit_grant {
+      id_token_issuance_enabled = true
+    }
+    redirect_uris = []
+  }
+
+  api {
+    mapped_claims_enabled          = true
+    requested_access_token_version = null
+
+    oauth2_permission_scope {
+      admin_consent_description  = "Allow the application to access example on behalf of the signed-in user."
+      admin_consent_display_name = "Allow the application to access example on behalf of the signed-in user."
+      enabled                    = true
+      id                         = "96183846-204b-4b43-82e1-5d2222eb4b9b"
+      type                       = "User"
+      user_consent_description   = "Allow the application to access example on your behalf."
+      user_consent_display_name  = "Allow the application to access example on behalf of the signed-in user."
+      value                      = "user_impersonation"
+    }
+  }
+}
+
+resource "azuread_service_principal" "sp" {
+  client_id = azuread_application.sp.client_id
+  owners = [
+    data.azurerm_client_config.current.object_id
+  ]
+}
+
+resource "azuread_service_principal_password" "sp" {
+  service_principal_id = azuread_service_principal.sp.id
+  end_date             = "2099-01-01T00:00:00Z"
+}