Airlock resources - tf scripts (#1843)

* Airlock resources - tf scripts * reusing the existing sb + adding network rules bug fixes
microsoft · May 30, 2022 · 10a79de · 10a79de
1 parent a89017d
commit 10a79de
Show file tree

Hide file tree

Showing 13 changed files with 747 additions and 2 deletions.
diff --git a/templates/core/terraform/airlock/eventgrid_topics.tf b/templates/core/terraform/airlock/eventgrid_topics.tf
@@ -0,0 +1,148 @@
+# Event grid topics
+resource "azurerm_eventgrid_topic" "step_result" {
+  name                = local.step_result_topic_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  tags = {
+    Publishers = "Airlock Orchestrator;"
+  }
+}
+
+resource "azurerm_eventgrid_topic" "status_changed" {
+  name                = local.status_changed_topic_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  tags = {
+    Publishers = "TRE API;"
+  }
+}
+
+# System topic
+resource "azurerm_eventgrid_system_topic" "import_inprogress_blob_created" {
+  name                   = local.import_inprogress_sys_topic_name
+  location               = var.location
+  resource_group_name    = var.resource_group_name
+  source_arm_resource_id = azurerm_storage_account.sa_import_in_progress.id
+  topic_type             = "Microsoft.Storage.StorageAccounts"
+
+  tags = {
+    Publishers = "airlock;import-in-progress-sa"
+  }
+
+  depends_on = [
+    azurerm_storage_account.sa_import_in_progress
+  ]
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+
+resource "azurerm_eventgrid_system_topic" "import_rejected_blob_created" {
+  name                   = local.import_rejected_sys_topic_name
+  location               = var.location
+  resource_group_name    = var.resource_group_name
+  source_arm_resource_id = azurerm_storage_account.sa_import_rejected.id
+  topic_type             = "Microsoft.Storage.StorageAccounts"
+
+  tags = {
+    Publishers = "airlock;import-rejected-sa"
+  }
+
+  depends_on = [
+    azurerm_storage_account.sa_import_rejected
+  ]
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_eventgrid_system_topic" "export_approved_blob_created" {
+  name                   = local.export_approved_sys_topic_name
+  location               = var.location
+  resource_group_name    = var.resource_group_name
+  source_arm_resource_id = azurerm_storage_account.sa_export_approved.id
+  topic_type             = "Microsoft.Storage.StorageAccounts"
+
+  tags = {
+    Publishers = "airlock;export-approved-sa"
+  }
+
+  depends_on = [
+    azurerm_storage_account.sa_export_approved
+  ]
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+
+# Custom topic (for scanning)
+resource "azurerm_eventgrid_topic" "scan_result" {
+  name                = local.scan_result_topic_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  tags = {
+    Publishers = "airlock;custom scanning service;"
+  }
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+## Subscriptions
+
+resource "azurerm_eventgrid_event_subscription" "step_result" {
+  name  = local.step_result_eventgrid_subscription_name
+  scope = azurerm_eventgrid_topic.step_result.id
+
+  service_bus_queue_endpoint_id = azurerm_servicebus_queue.step_result.id
+
+  depends_on = [
+    azurerm_eventgrid_topic.step_result
+  ]
+}
+
+resource "azurerm_eventgrid_event_subscription" "status_changed" {
+  name  = local.status_changed_eventgrid_subscription_name
+  scope = azurerm_eventgrid_topic.status_changed.id
+
+  service_bus_queue_endpoint_id = azurerm_servicebus_queue.status_changed.id
+
+  depends_on = [
+    azurerm_eventgrid_topic.status_changed
+  ]
+}
+
+resource "azurerm_eventgrid_event_subscription" "import_inprogress_blob_created" {
+  name  = local.import_inprogress_eventgrid_subscription_name
+  scope = azurerm_storage_account.sa_import_in_progress.id
+
+  service_bus_queue_endpoint_id = azurerm_servicebus_queue.import_in_progress_blob_created.id
+
+  depends_on = [
+    azurerm_eventgrid_system_topic.import_inprogress_blob_created
+  ]
+}
+
+resource "azurerm_eventgrid_event_subscription" "import_rejected_blob_created" {
+  name  = local.import_rejected_eventgrid_subscription_name
+  scope = azurerm_storage_account.sa_import_rejected.id
+
+  service_bus_queue_endpoint_id = azurerm_servicebus_queue.import_rejected_blob_created.id
+
+  depends_on = [
+    azurerm_eventgrid_system_topic.import_rejected_blob_created
+  ]
+}
+
+resource "azurerm_eventgrid_event_subscription" "export_approved_blob_created" {
+  name  = local.export_approved_eventgrid_subscription_name
+  scope = azurerm_storage_account.sa_export_approved.id
+
+  service_bus_queue_endpoint_id = azurerm_servicebus_queue.export_approved_blob_created.id
+
+  depends_on = [
+    azurerm_eventgrid_system_topic.export_approved_blob_created
+  ]
+}
+
diff --git a/templates/core/terraform/airlock/locals.tf b/templates/core/terraform/airlock/locals.tf
@@ -0,0 +1,36 @@
+locals {
+  # STorage AirLock EXternal
+  import_external_storage_name = lower(replace("stalexim${var.tre_id}", "-", ""))
+  # STorage AirLock InProgress IMport
+  import_in_progress_storage_name = lower(replace("stalipim${var.tre_id}", "-", ""))
+  # STorage AirLock REJected IMport
+  import_rejected_storage_name = lower(replace("stalrejim${var.tre_id}", "-", ""))
+  # STorage AirLock APProved EXPort
+  export_approved_storage_name = lower(replace("stalappexp${var.tre_id}", "-", ""))
+
+  import_inprogress_sys_topic_name = "evgt-airlock-import-in-progress-${var.tre_id}"
+  import_rejected_sys_topic_name   = "evgt-airlock-import-rejected-${var.tre_id}"
+  export_approved_sys_topic_name   = "evgt-airlock-export-approved-${var.tre_id}"
+
+  scan_result_topic_name    = "evgt-airlock-scan-result-${var.tre_id}"
+  step_result_topic_name    = "evgt-airlock-step-result-${var.tre_id}"
+  status_changed_topic_name = "evgt-airlock-status-changed-${var.tre_id}"
+
+  step_result_queue_name       = "airlock-step-result"
+  status_changed_queue_name    = "airlock-status-changed"
+  scan_result_queue_name       = "airlock-scan-result"
+  import_inprogress_queue_name = "airlock-import-in-progress-blob-created"
+  import_rejected_queue_name   = "airlock-import-rejected-blob-created"
+
+  import_approved_queue_name   = "airlock-import-approved-blob-created"
+  export_inprogress_queue_name = "airlock-export-inprogress-blob-created"
+  export_rejected_queue_name   = "airlock-export-rejected-blob-created"
+  export_approved_queue_name   = "airlock-export-approved-blob-created"
+
+  step_result_eventgrid_subscription_name       = "evgs-airlock-update-status"
+  status_changed_eventgrid_subscription_name    = "evgs-airlock-status-changed"
+  import_inprogress_eventgrid_subscription_name = "evgs-airlock-import-in-progress-blob-created"
+  import_rejected_eventgrid_subscription_name   = "evgs-airlock-import-rejected-blob-created"
+  export_approved_eventgrid_subscription_name   = "evgs-airlock-export-approved-blob-created"
+
+}
diff --git a/templates/core/terraform/airlock/service_bus.tf b/templates/core/terraform/airlock/service_bus.tf
@@ -0,0 +1,76 @@
+# Utilize the existing service bus - add new queue
+data "azurerm_servicebus_namespace" "airlock_sb" {
+  name                = "sb-${var.tre_id}"
+  resource_group_name = var.resource_group_name
+
+}
+
+resource "azurerm_servicebus_queue" "step_result" {
+  name         = local.step_result_queue_name
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+resource "azurerm_servicebus_queue" "status_changed" {
+  name         = local.status_changed_queue_name
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+
+resource "azurerm_servicebus_queue" "import_in_progress_blob_created" {
+  name         = local.import_inprogress_queue_name
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+
+resource "azurerm_servicebus_queue" "import_rejected_blob_created" {
+  name         = local.import_rejected_queue_name
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+
+resource "azurerm_servicebus_queue" "scan_result" {
+  name         = local.scan_result_queue_name
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+resource "azurerm_servicebus_queue" "import_approved_blob_created" {
+  name         = local.import_approved_queue_name
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+resource "azurerm_servicebus_queue" "export_in_progress_blob_created" {
+  name         = local.export_inprogress_queue_name
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+resource "azurerm_servicebus_queue" "export_rejected_blob_created" {
+  name         = local.export_rejected_queue_name
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+# Approved export
+resource "azurerm_servicebus_queue" "export_approved_blob_created" {
+  name         = local.export_approved_queue_name
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+
+