microsoft · eladiw · May 30, 2022 · May 15, 2022 · May 19, 2022 · May 25, 2022
diff --git a/templates/core/terraform/airlock/eventgrid_topics.tf b/templates/core/terraform/airlock/eventgrid_topics.tf
@@ -0,0 +1,128 @@
+# Event grid topics
+resource "azurerm_eventgrid_topic" "egt_update_status_topic" {
+  name                = local.egt_update_status_topic_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  tags = {
+    Publishers = "Airlock Orchestrator;"
+  }
+}
+
+resource "azurerm_eventgrid_topic" "egt_status_changed_topic" {
+  name                = local.egt_status_changed_topic_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  tags = {
+    Publishers = "TRE API;"
+  }
+}
+
+# System topic
+resource "azurerm_eventgrid_system_topic" "inprogress_import_system_topic" {
+  name                   = local.egst_inprogress_import_sys_topic_name
+  location               = var.location
+  resource_group_name    = var.resource_group_name
+  source_arm_resource_id = azurerm_storage_account.sa_in_progress_import.id
+  topic_type             = "Microsoft.Storage.StorageAccounts"
+
+  tags = {
+    Publishers = "airlock;in-progress-import-sa"
+  }
+
+  depends_on = [
+    azurerm_storage_account.sa_in_progress_import
+  ]
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+
+resource "azurerm_eventgrid_system_topic" "rejected_import_system_topic" {
+  name                   = local.egst_rejected_import_sys_topic_name
+  location               = var.location
+  resource_group_name    = var.resource_group_name
+  source_arm_resource_id = azurerm_storage_account.sa_rejected_import.id
+  topic_type             = "Microsoft.Storage.StorageAccounts"
+
+  tags = {
+    Publishers = "airlock;rejected-import-sa"
+  }
+
+  depends_on = [
+    azurerm_storage_account.sa_rejected_import
+  ]
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_eventgrid_system_topic" "accepted_export_system_topic" {
+  name                   = local.egst_accepted_export_sys_topic_name
+  location               = var.location
+  resource_group_name    = var.resource_group_name
+  source_arm_resource_id = azurerm_storage_account.sa_accepted_export.id
+  topic_type             = "Microsoft.Storage.StorageAccounts"
+
+  tags = {
+    Publishers = "airlock;accepted-export-sa"
+  }
+
+  depends_on = [
+    azurerm_storage_account.sa_accepted_export
+  ]
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+
+# Custom topic (for scanning)
+resource "azurerm_eventgrid_topic" "scan_result_topic" {
+  name                = local.egt_scan_result_topic_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  tags = {
+    Publishers = "airlock;custom scanning service;"
+  }
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+## Subscriptions
+
+resource "azurerm_eventgrid_event_subscription" "updated-status-subscription" {
+  name  = "update-status"
+  scope = azurerm_eventgrid_topic.egt_update_status_topic.id
+
+  service_bus_queue_endpoint_id = azurerm_servicebus_queue.update_status_queue.id
+}
+
+resource "azurerm_eventgrid_event_subscription" "status-changed-subscription" {
+  name  = "status-changed"
+  scope = azurerm_eventgrid_topic.egt_status_changed_topic.id
+
+  service_bus_queue_endpoint_id = azurerm_servicebus_queue.status_changed_queue.id
+}
+
+resource "azurerm_eventgrid_event_subscription" "inprogress-import-blob-created-subscription" {
+  name  = "in-prog-import-blob-created"
+  scope = azurerm_storage_account.sa_in_progress_import.id
+
+  service_bus_queue_endpoint_id = azurerm_servicebus_queue.in_progress_import_blob_created_queue.id
+}
+
+resource "azurerm_eventgrid_event_subscription" "rejected-import-blob-created-subscription" {
+  name  = "rejected-import-blob-created"
+  scope = azurerm_storage_account.sa_rejected_import.id
+
+  service_bus_queue_endpoint_id = azurerm_servicebus_queue.rejected_import_blob_created_queue.id
+}
+
+resource "azurerm_eventgrid_event_subscription" "accepted-export-blob-created-subscription" {
+  name  = "accepted-export-blob-created"
+  scope = azurerm_storage_account.sa_accepted_export.id
+
+  service_bus_queue_endpoint_id = azurerm_servicebus_queue.accepted_export_blob_created_queue.id
+}
+
diff --git a/templates/core/terraform/airlock/locals.tf b/templates/core/terraform/airlock/locals.tf
@@ -0,0 +1,17 @@
+locals {
+  # STorage AirLock EXternal
+  airlock_external_import_storage_name = lower(replace("stalexim${var.tre_id}", "-", ""))
+  # STorage AirLock InProgress IMport
+  airlock_in_progress_import_storage_name = lower(replace("stalipim${var.tre_id}", "-", ""))
+  # STorage AirLock REJected IMport
+  airlock_rejected_import_storage_name = lower(replace("stalrejim${var.tre_id}", "-", ""))
+  # STorage AirLock ACCepted EXPort
+  airlock_accepted_export_storage_name = lower(replace("stalaccexp${var.tre_id}", "-", ""))
+
+  egst_inprogress_import_sys_topic_name = "egst-in-prog-import-${var.tre_id}"
+  egst_rejected_import_sys_topic_name   = "egst-rejected-import-${var.tre_id}"
+  egst_accepted_export_sys_topic_name   = "egst-accepted-export-${var.tre_id}"
+  egt_scan_result_topic_name            = "egt-scan-res-${var.tre_id}"
+  egt_update_status_topic_name          = "egt-update-status-${var.tre_id}"
+  egt_status_changed_topic_name         = "egt-status-changed-${var.tre_id}"
+}
diff --git a/templates/core/terraform/airlock/outputs.tf b/templates/core/terraform/airlock/outputs.tf
diff --git a/templates/core/terraform/airlock/service-bus.tf b/templates/core/terraform/airlock/service-bus.tf
@@ -0,0 +1,76 @@
+# Utilize the existing service bus - add new queue
+data "azurerm_servicebus_namespace" "airlock_sb" {
+  name                = "sb-${var.tre_id}"
+  resource_group_name = var.resource_group_name
+
+}
+
+resource "azurerm_servicebus_queue" "update_status_queue" {
+  name         = "update_status"
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+resource "azurerm_servicebus_queue" "status_changed_queue" {
+  name         = "status_changed"
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+
+resource "azurerm_servicebus_queue" "in_progress_import_blob_created_queue" {
+  name         = "in_progress_import_blob_created"
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+
+resource "azurerm_servicebus_queue" "rejected_import_blob_created_queue" {
+  name         = "rejected_import_blob_created"
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+
+resource "azurerm_servicebus_queue" "scan_result_queue" {
+  name         = "scan_result_queue"
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+resource "azurerm_servicebus_queue" "accepted_import_blob_created_queue" {
+  name         = "accepted_import_blob_created"
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+resource "azurerm_servicebus_queue" "in_progress_export_blob_created_queue" {
+  name         = "inprogress_export_blob_created"
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+resource "azurerm_servicebus_queue" "rejected_export_blob_created_queue" {
+  name         = "rejected_export_blob_created"
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+# Accepted export
+resource "azurerm_servicebus_queue" "accepted_export_blob_created_queue" {
+  name         = "accepted_export_blob_created"
+  namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+  enable_partitioning = false
+}
+
+
+
diff --git a/templates/core/terraform/airlock/storage_accounts.tf b/templates/core/terraform/airlock/storage_accounts.tf
@@ -0,0 +1,127 @@
+# 'External' storage account - drop location for import
+resource "azurerm_storage_account" "sa_external_import" {
+  name                     = local.airlock_external_import_storage_name
+  location                 = var.location
+  resource_group_name      = var.resource_group_name
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+
+  # Don't allow anonymous access (unrelated to the 'public' networking rules)
+  allow_blob_public_access = false
+
+  tags = {
+    description = "airlock;import;external"
+  }
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+# 'Accepted' export
+resource "azurerm_storage_account" "sa_accepted_export" {
+  name                     = local.airlock_accepted_export_storage_name
+  location                 = var.location
+  resource_group_name      = var.resource_group_name
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+
+  # Don't allow anonymous access (unrelated to the 'public' networking rules)
+  allow_blob_public_access = false
+
+  tags = {
+    description = "airlock;export;accepted"
+  }
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+# 'In-Progress' storage account
+resource "azurerm_storage_account" "sa_in_progress_import" {
+  name                     = local.airlock_in_progress_import_storage_name
+  location                 = var.location
+  resource_group_name      = var.resource_group_name
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+  allow_blob_public_access = false
+
+  tags = {
+    description = "airlock;import;in-progress"
+  }
+
+  network_rules {
+    default_action = var.enable_local_debugging ? "Allow" : "Deny"
+    bypass         = ["AzureServices"]
+  }
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+data "azurerm_private_dns_zone" "blobcore" {
+  name                = "privatelink.blob.core.windows.net"
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_private_endpoint" "stg_ip_import_pe" {
+  name                = "stgipimport-blob-${var.tre_id}"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  subnet_id           = var.shared_subnet_id
+
+  lifecycle { ignore_changes = [tags] }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group-stg-ip-import"
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+  }
+
+  private_service_connection {
+    name                           = "psc-stgipimport-${var.tre_id}"
+    private_connection_resource_id = azurerm_storage_account.sa_in_progress_import.id
+    is_manual_connection           = false
+    subresource_names              = ["Blob"]
+  }
+}
+
+
+# 'Rejected' storage account
+resource "azurerm_storage_account" "sa_rejected_import" {
+  name                     = local.airlock_rejected_import_storage_name
+  location                 = var.location
+  resource_group_name      = var.resource_group_name
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+  allow_blob_public_access = false
+
+  tags = {
+    description = "airlock;import;rejected"
+  }
+
+  network_rules {
+    default_action             = var.enable_local_debugging ? "Allow" : "Deny"
+    bypass                     = ["AzureServices"]
+    virtual_network_subnet_ids = [var.shared_subnet_id]
+
+  }
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_endpoint" "stgipimportpe" {
+  name                = "stg-rej-import-blob-${var.tre_id}"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  subnet_id           = var.shared_subnet_id
+
+  lifecycle { ignore_changes = [tags] }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group-stg-rej-import"
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+  }
+
+  private_service_connection {
+    name                           = "psc-stg-rej-import-${var.tre_id}"
+    private_connection_resource_id = azurerm_storage_account.sa_rejected_import.id
+    is_manual_connection           = false
+    subresource_names              = ["Blob"]
+  }
+}
diff --git a/templates/core/terraform/airlock/variables.tf b/templates/core/terraform/airlock/variables.tf
@@ -0,0 +1,5 @@
+variable "tre_id" {}
+variable "location" {}
+variable "resource_group_name" {}
+variable "shared_subnet_id" {}
+variable "enable_local_debugging" {}
diff --git a/templates/core/terraform/appgateway/staticweb.tf b/templates/core/terraform/appgateway/staticweb.tf
@@ -48,7 +48,7 @@ resource "azurerm_private_endpoint" "webpe" {
   }
 
   private_service_connection {
-    name                           = "psc-web--${local.staticweb_storage_name}"
+    name                           = "psc-web-${local.staticweb_storage_name}"
     private_connection_resource_id = azurerm_storage_account.staticweb.id
     is_manual_connection           = false
     subresource_names              = ["web"]

diff --git a/templates/core/terraform/main.tf b/templates/core/terraform/main.tf
@@ -72,6 +72,20 @@ module "appgateway" {
   ]
 }
 
+module "airlock_resources" {
+  source                 = "./airlock"
+  tre_id                 = var.tre_id
+  location               = var.location
+  resource_group_name    = azurerm_resource_group.core.name
+  shared_subnet_id       = module.network.shared_subnet_id
+  enable_local_debugging = var.enable_local_debugging
+
+  depends_on = [
+    azurerm_servicebus_namespace.sb,
+    module.network
+  ]
+}
+
 module "resource_processor_vmss_porter" {
   count                                            = var.resource_processor_type == "vmss_porter" ? 1 : 0
   source                                           = "./resource_processor/vmss_porter"

diff --git a/templates/core/terraform/network/network.tf b/templates/core/terraform/network/network.tf
@@ -55,6 +55,9 @@ resource "azurerm_subnet" "shared" {
   address_prefixes     = [local.shared_services_subnet_address_prefix]
   # notice that private endpoints do not adhere to NSG rules
   enforce_private_link_endpoint_network_policies = true
+
+  service_endpoints = ["Microsoft.Storage"]
+
 }
 
 resource "azurerm_subnet" "resource_processor" {