Planning-Inspectorate · m-juckes-pins · Oct 22, 2024 · Oct 22, 2024 · Oct 22, 2024 · Oct 22, 2024
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,56 @@
+default_install_hook_types: [commit-msg, pre-commit]
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: end-of-file-fixer
+        stages: [pre-commit]
+      - id: trailing-whitespace
+        stages: [pre-commit]
+      - id: check-json
+        stages: [pre-commit]
+      - id: check-yaml
+        stages: [pre-commit]
+        args:
+          - --unsafe
+      - id: check-symlinks
+        stages: [pre-commit]
+      - id: check-added-large-files
+        stages: [pre-commit]
+        args:
+          - --maxkb=15000
+      - id: detect-private-key
+        stages: [pre-commit]
+
+  - repo: https://github.com/antonbabenko/pre-commit-terraform.git
+    rev: v1.96.1
+    hooks:
+      - id: terraform_fmt
+        stages: [pre-commit]
+      - id: terraform_docs
+        stages: [pre-commit]
+        args:
+          - --args=--config=.config/terraform-docs.yml
+          - --hook-config=--use-standard-markers=true
+        exclude: "^modules|^example|^tools"
+      - id: terraform_validate
+        stages: [pre-commit]
+        exclude: ^examples
+        args:
+          - --tf-init-args=-upgrade
+          - --hook-config=--retry-once-with-cleanup=true
+      - id: terraform_tflint
+        stages: [pre-commit]
+        exclude: ^examples
+        args:
+          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
+      - id: terraform_trivy
+        stages: [pre-commit]
+      - id: terraform_checkov
+
+  # - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+  #   rev: v9.18.0
+  #   hooks:
+  #     - id: commitlint
+  #       stages: [commit-msg]
+  #       additional_dependencies: ["@commitlint/config-conventional"]
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -0,0 +1,45 @@
+config {
+  disabled_by_default = false
+}
+
+plugin "azurerm" {
+  enabled = true
+  version = "0.26.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-azurerm"
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_required_providers" {
+  enabled = false
+}
+
+rule "terraform_required_version" {
+  enabled = false
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_unused_required_providers" {
+  enabled = true
+}
diff --git a/infrastructure/README.md b/infrastructure/README.md
@@ -14,4 +14,4 @@ Differences between environments are managed with simple tfvars files, found in
 
 Variables with common values across environments are set in the `terraform.tfvars` file, which Terraform looks for automatically.
 
-https://developer.hashicorp.com/terraform/language/values/variables#variable-definitions-tfvars-files
+<https://developer.hashicorp.com/terraform/language/values/variables#variable-definitions-tfvars-files>
diff --git a/infrastructure/app-api.tf b/infrastructure/app-api.tf
@@ -1,10 +1,12 @@
 module "app_api" {
   #checkov:skip=CKV_TF_1: Use of commit hash are not required for our Terraform modules
-  source = "github.com/Planning-Inspectorate/infrastructure-modules.git//modules/node-app-service?ref=1.24"
+  source = "github.com/Planning-Inspectorate/infrastructure-modules.git//modules/node-app-service?ref=7e4e94e"
 
   resource_group_name = azurerm_resource_group.primary.name
   location            = module.primary_region.location
 
+  tooling_config = var.tooling_config
+
   # naming
   app_name        = "api"
   resource_suffix = var.environment
@@ -96,10 +98,10 @@ module "app_api" {
 
   }
 
-  providers = {
-    azurerm         = azurerm
-    azurerm.tooling = azurerm.tooling
-  }
+  # providers = {
+  #   azurerm         = azurerm
+  #   azurerm.tooling = azurerm.tooling
+  # }
 }
 
 ## RBAC for secrets

diff --git a/infrastructure/app-web.tf b/infrastructure/app-web.tf
@@ -1,10 +1,12 @@
 module "app_web" {
   #checkov:skip=CKV_TF_1: Use of commit hash are not required for our Terraform modules
-  source = "github.com/Planning-Inspectorate/infrastructure-modules.git//modules/node-app-service?ref=1.24"
+  source = "github.com/Planning-Inspectorate/infrastructure-modules.git//modules/node-app-service?ref=7e4e94e"
 
   resource_group_name = azurerm_resource_group.primary.name
   location            = module.primary_region.location
 
+  tooling_config = var.tooling_config
+
   # naming
   app_name        = "web"
   resource_suffix = var.environment
@@ -79,10 +81,10 @@ module "app_web" {
     FEATURE_FLAG_S78_WRITTEN = var.apps_config.featureFlags.featureFlagS78Written
   }
 
-  providers = {
-    azurerm         = azurerm
-    azurerm.tooling = azurerm.tooling
-  }
+  # providers = {
+  #   azurerm = azurerm
+  #   azurerm.tooling = azurerm.tooling
+  # }
 }
 
 ## RBAC for secrets

diff --git a/infrastructure/data-front-office.tf b/infrastructure/data-front-office.tf
@@ -14,4 +14,4 @@ data "azurerm_storage_container" "front_office_documents" {
 
   name                 = "uploads"
   storage_account_name = replace("pinsstdocs${var.environment}ukw001", "-", "")
-}
+}
diff --git a/infrastructure/database-monitoring.tf b/infrastructure/database-monitoring.tf
@@ -15,7 +15,7 @@ resource "azurerm_storage_account" "sql_server" {
   account_tier                     = "Standard"
   account_replication_type         = "GRS"
   min_tls_version                  = "TLS1_2"
-  enable_https_traffic_only        = true
+  https_traffic_only_enabled       = true
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
 

diff --git a/infrastructure/document-storage.tf b/infrastructure/document-storage.tf
@@ -16,7 +16,7 @@ resource "azurerm_storage_account" "documents" {
   account_replication_type         = var.documents_config.account_replication_type
   allow_nested_items_to_be_public  = true
   cross_tenant_replication_enabled = false
-  enable_https_traffic_only        = true
+  https_traffic_only_enabled       = true
   min_tls_version                  = "TLS1_2"
 
   tags = local.tags

diff --git a/infrastructure/function-casedata-import.tf b/infrastructure/function-casedata-import.tf
@@ -1,6 +1,6 @@
 module "function_casedata_import" {
   #checkov:skip=CKV_TF_1: Use of commit hash are not required for our Terraform modules
-  source = "github.com/Planning-Inspectorate/infrastructure-modules.git//modules/node-function-app?ref=1.24"
+  source = "github.com/Planning-Inspectorate/infrastructure-modules.git//modules/node-function-app?ref=7e4e94e"
 
   resource_group_name = azurerm_resource_group.primary.name
   location            = module.primary_region.location

diff --git a/infrastructure/function-doc-processing.tf b/infrastructure/function-doc-processing.tf
@@ -1,6 +1,6 @@
 module "function_doc_processing" {
   #checkov:skip=CKV_TF_1: Use of commit hash are not required for our Terraform modules
-  source = "github.com/Planning-Inspectorate/infrastructure-modules.git//modules/node-function-app?ref=1.24"
+  source = "github.com/Planning-Inspectorate/infrastructure-modules.git//modules/node-function-app?ref=7e4e94e"
 
   resource_group_name = azurerm_resource_group.primary.name
   location            = module.primary_region.location

diff --git a/infrastructure/function-scheduled-jobs.tf b/infrastructure/function-scheduled-jobs.tf
@@ -1,6 +1,6 @@
 module "function_scheduled_jobs" {
   #checkov:skip=CKV_TF_1: Use of commit hash are not required for our Terraform modules
-  source = "github.com/Planning-Inspectorate/infrastructure-modules.git//modules/node-function-app?ref=1.24"
+  source = "github.com/Planning-Inspectorate/infrastructure-modules.git//modules/node-function-app?ref=7e4e94e"
 
   resource_group_name = azurerm_resource_group.primary.name
   location            = module.primary_region.location

diff --git a/infrastructure/function-user-import.tf b/infrastructure/function-user-import.tf
@@ -1,6 +1,6 @@
 module "function_user_import" {
   #checkov:skip=CKV_TF_1: Use of commit hash are not required for our Terraform modules
-  source = "github.com/Planning-Inspectorate/infrastructure-modules.git//modules/node-function-app?ref=1.24"
+  source = "github.com/Planning-Inspectorate/infrastructure-modules.git//modules/node-function-app?ref=7e4e94e"
 
   resource_group_name = azurerm_resource_group.primary.name
   location            = module.primary_region.location

diff --git a/infrastructure/function.tf b/infrastructure/function.tf
@@ -30,7 +30,7 @@ resource "azurerm_storage_account" "functions" {
   account_replication_type         = "GRS"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
-  enable_https_traffic_only        = true
+  https_traffic_only_enabled       = true
   min_tls_version                  = "TLS1_2"
 
   tags = local.tags

diff --git a/infrastructure/main.tf b/infrastructure/main.tf
@@ -1,13 +1,13 @@
 module "primary_region" {
   source  = "claranet/regions/azurerm"
-  version = "7.1.1"
+  version = "7.2.1"
 
   azure_region = local.primary_location
 }
 
 module "secondary_region" {
   source  = "claranet/regions/azurerm"
-  version = "7.1.1"
+  version = "7.2.1"
 
   azure_region = local.secondary_location
 }

diff --git a/infrastructure/monitoring.tf b/infrastructure/monitoring.tf
@@ -27,4 +27,4 @@ resource "azurerm_key_vault_secret" "app_insights_connection_string" {
   content_type = "connection-string"
 
   tags = local.tags
-}
+}
diff --git a/infrastructure/networking-secondary.tf b/infrastructure/networking-secondary.tf
@@ -8,10 +8,11 @@ resource "azurerm_virtual_network" "secondary" {
 }
 
 resource "azurerm_subnet" "secondary_apps" {
-  name                 = "${local.org}-snet-${local.service_name}-apps-secondary-${var.environment}"
-  resource_group_name  = azurerm_resource_group.secondary.name
-  virtual_network_name = azurerm_virtual_network.secondary.name
-  address_prefixes     = [var.vnet_config.secondary_apps_subnet_address_space]
+  name                              = "${local.org}-snet-${local.service_name}-apps-secondary-${var.environment}"
+  resource_group_name               = azurerm_resource_group.secondary.name
+  virtual_network_name              = azurerm_virtual_network.secondary.name
+  address_prefixes                  = [var.vnet_config.secondary_apps_subnet_address_space]
+  private_endpoint_network_policies = "Enabled"
 
   # for app services
   delegation {
@@ -27,10 +28,11 @@ resource "azurerm_subnet" "secondary_apps" {
 }
 
 resource "azurerm_subnet" "secondary" {
-  name                 = "${local.org}-snet-${local.secondary_resource_suffix}"
-  resource_group_name  = azurerm_resource_group.secondary.name
-  virtual_network_name = azurerm_virtual_network.secondary.name
-  address_prefixes     = [var.vnet_config.secondary_subnet_address_space]
+  name                              = "${local.org}-snet-${local.secondary_resource_suffix}"
+  resource_group_name               = azurerm_resource_group.secondary.name
+  virtual_network_name              = azurerm_virtual_network.secondary.name
+  address_prefixes                  = [var.vnet_config.secondary_subnet_address_space]
+  private_endpoint_network_policies = "Enabled"
 }
 
 resource "azurerm_virtual_network_peering" "secondary_bo_to_tooling" {

diff --git a/infrastructure/networking.tf b/infrastructure/networking.tf
@@ -8,10 +8,11 @@ resource "azurerm_virtual_network" "main" {
 }
 
 resource "azurerm_subnet" "apps" {
-  name                 = "${local.org}-snet-${local.service_name}-apps-${var.environment}"
-  resource_group_name  = azurerm_resource_group.primary.name
-  virtual_network_name = azurerm_virtual_network.main.name
-  address_prefixes     = [var.vnet_config.apps_subnet_address_space]
+  name                              = "${local.org}-snet-${local.service_name}-apps-${var.environment}"
+  resource_group_name               = azurerm_resource_group.primary.name
+  virtual_network_name              = azurerm_virtual_network.main.name
+  address_prefixes                  = [var.vnet_config.apps_subnet_address_space]
+  private_endpoint_network_policies = "Enabled"
 
   # for app services
   delegation {
@@ -27,10 +28,11 @@ resource "azurerm_subnet" "apps" {
 }
 
 resource "azurerm_subnet" "main" {
-  name                 = "${local.org}-snet-${local.resource_suffix}"
-  resource_group_name  = azurerm_resource_group.primary.name
-  virtual_network_name = azurerm_virtual_network.main.name
-  address_prefixes     = [var.vnet_config.main_subnet_address_space]
+  name                              = "${local.org}-snet-${local.resource_suffix}"
+  resource_group_name               = azurerm_resource_group.primary.name
+  virtual_network_name              = azurerm_virtual_network.main.name
+  address_prefixes                  = [var.vnet_config.main_subnet_address_space]
+  private_endpoint_network_policies = "Enabled"
 }
 
 ## peer to tooling VNET for DevOps agents

diff --git a/infrastructure/pipelines/terraform-ci.yaml b/infrastructure/pipelines/terraform-ci.yaml
@@ -1,4 +1,4 @@
-trigger: 
+trigger:
   branches:
     include:
       - main

diff --git a/infrastructure/provider.tf b/infrastructure/provider.tf
@@ -9,7 +9,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 3.99.0"
+      version = "=4.5.0"
     }
   }
   required_version = ">= 1.1.6, < 1.10.0"
@@ -27,9 +27,9 @@ provider "azurerm" {
 }
 
 provider "azurerm" {
-  alias                      = "horizon"
-  subscription_id            = var.horizon_infra_config.subscription_id
-  skip_provider_registration = true
+  alias                           = "horizon"
+  subscription_id                 = var.horizon_infra_config.subscription_id
+  resource_provider_registrations = "none"
 
   features {}
 }
diff --git a/infrastructure/service-bus.tf b/infrastructure/service-bus.tf
@@ -8,7 +8,6 @@ resource "azurerm_servicebus_namespace" "main" {
 
   sku                          = var.service_bus_config.sku
   capacity                     = var.service_bus_config.capacity
-  zone_redundant               = var.service_bus_config.sku == "Premium"
   premium_messaging_partitions = var.service_bus_config.sku == "Premium" ? 1 : 0
 
   minimum_tls_version           = "1.2"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -14,4 +14,4 @@ Differences between environments are managed with simple tfvars files, found in

		Variables with common values across environments are set in the `terraform.tfvars` file, which Terraform looks for automatically.

		https://developer.hashicorp.com/terraform/language/values/variables#variable-definitions-tfvars-files
		<https://developer.hashicorp.com/terraform/language/values/variables#variable-definitions-tfvars-files>
-Original file line number
+Diff line change
@@ Expand Up / @@ -14,4 +14,4 @@ data "azurerm_storage_container" "front_office_documents" { @@
       name                 = "uploads"
       storage_account_name = replace("pinsstdocs${var.environment}ukw001", "-", "")
-    }
+    }