From f3f868ca2efa057d71c7dd449fe4ddbe507052ca Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 27 Sep 2024 12:26:08 +0100 Subject: [PATCH] Update Terraform github.com/DFE-Digital/terraform-azurerm-container-apps-hosting to v1.12.0 (#129) * Update Terraform github.com/DFE-Digital/terraform-azurerm-container-apps-hosting to v1.12.0 * Update Terraform github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars to v0.5.0 * Updated readme * Updated lockfile * Corrected deprecation --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com> --- terraform/.terraform.lock.hcl | 58 +++++++-------------------- terraform/README.md | 18 ++++----- terraform/container-apps-hosting.tf | 2 +- terraform/key-vault-tfvars-secrets.tf | 2 +- terraform/private-endpoint.tf | 10 ++--- 5 files changed, 30 insertions(+), 60 deletions(-) diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl index 87e4767..c1f3652 100644 --- a/terraform/.terraform.lock.hcl +++ b/terraform/.terraform.lock.hcl 
@@ -37,16 +37,6 @@ provider "registry.terraform.io/hashicorp/azuread" { constraints = ">= 2.37.1" hashes = [ "h1:1iMc+QBAyb6ob4fUcnObBTriuZTbDi07qoADsxe4dRw=", - "h1:8ZsC8aKh2MtmFUCBRFZxF/Xd8RvbaRlKj6jayZzgiOI=", - "h1:HjA23T4x3G03m4FlsCbNr9N63dTTdabE7Xc8RZ7msas=", - "h1:WXlxuWovsZgS+mBAGy/whImnBj7qG8oBk+elTBBr7PE=", - "h1:Y4cCc3An46PKJXMH9duYod77fUauJNfcc95vz3vonn4=", - "h1:hADfzm3akXVNKTXMMrjNcaEb0VxSFScVYhBSrXZn+Qo=", - "h1:nKgjjczkIqCzss0wtF0oRX6tdVxxDRtxH0jGS1suKho=", - "h1:pyWZ879eJQ7kzfIQEtK6cFtb6jxyLQ3RJce68nO4Ssk=", - "h1:sxkgszQbSdzJ7TcxZYEjEB3kGio0BR842JKS/GVMzd4=", - "h1:tat3ie2pv+b0rRK5njHPM7iDIgaPqBrj8Fegjzq+iN8=", - "h1:wJN16D8vIyANW/2WGMNypY5PFT33a5LRfuU8frEeYys=", "zh:01ffa046ee97ebc92fd89ad2b93ce354653ee6d731c2306d017ee8f1fc75ea71", "zh:077cb1b465710de1c63775bf0ec89b7319db5aa60e051a64e8a91e22d276a0f5", "zh:0f2f44ec7fcca6dcb507e4ce1288fd92bafd54b61a000329f7b06d52e19ac6ad", 
@@ -63,31 +53,21 @@ provider "registry.terraform.io/hashicorp/azuread" { } provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.3.0" - constraints = ">= 3.52.0, >= 3.67.0, >= 3.76.0" + version = "4.0.1" + constraints = ">= 3.67.0, >= 4.0.0, ~> 4.0.0, < 5.0.0" hashes = [ - "h1:4lHvMesy5/1megffBSBg1C6VUbanG6W1Q0SAVq2AtfM=", - "h1:E+fBvPYbOetPrJQ8/SZRA1e9ikeHAHBoiVLv9Z5ZJRU=", - "h1:FOcvgHD1MmtKA7Tf0TPGT4EcTmxHeRvyGePEE8O2GMQ=", - "h1:Q+E/OvEpNVJX/VVN5IesHdtV4mGpkuP6o0a1Q9v1vmg=", - "h1:SAMh3QvvAeqW4LbYWGddL1pHSmFEA6VaeCvAvWJSHrU=", - "h1:VTHN+ZLFednu2YiOO4KThpWY1/F7siueeCY5QXZjSQU=", - "h1:fTnVSvgj8qXRZ9huFnRglu5sQexshjsVdk7b5eaOckc=", - "h1:sCCRXMrmGLTjOi4LjFWf0mwXXvWL61o9DguRxDWC1xo=", - "h1:v5jcyGEtwo4x6AB5ZgS4171eMhJ11loYSERoI8wn2Ug=", - "h1:vxkNugAhv9mTwDNJaEG/S1E3J98JQ8AThd/6IcTa8zQ=", - "h1:zxRfa3k/vxbeZfzeWoXe8bF7C04WK4TkGAUjcyv7xoA=", - "zh:117f843126f7a045ef4401103243ef53245a5c60b3fcf1f5f22bcb3a472c71fd", - "zh:4ae400db15d43a181527a585e51a237569631d49d685f9946212d1d9830f97ec", - "zh:53d9e7c9f42918e9cefe6469898c08975504a565e684a049365c43037ac9e3e3", - "zh:80f72cd97defcef1b23de85c5778499be44d5f034e3ecffdca161e1348602ffd", - "zh:826f716d13fd567bcd2db27cdab3c08fceb96542958512a6406ce389e82532ed", - "zh:9cd1ae99efa21bd90d8be47254c25b16f6e7ff9b3ba3ca2da5aaaa1695e9db16", - "zh:a2b78223937b5d7445e9d567f109044f94ffe178200559ed1401f4371b72b25f", - "zh:c7b5b4bfa05d90bc46cf300ec8d17a4554caef986c4c5fcf2610a492b78d65e7", - "zh:ccb3ebed6c701fd502cc41c486603e443c62086dbc1cee6f69c97fcb49e2181f", - "zh:d4d0edbdc373cbb94feffd0297289da2c1f5da36c1776f692151e98b7eadb1dd", - "zh:ee63964ad68a720e3ec399228db40e40a8321639adf3fbf47716252ee6e2f070", + "h1:cbblXI9nw+Hp6T2E0tjfYU570kLpiqBKV+dJHQGa3a4=", + "zh:0e78a9200eef138d08050aab99c4fb9ab99c7c5ccbdd410592db7acc5ed421fe", + "zh:443157ba089ef4002817c4f3b3610654588084c2d8c8cf00f1ddf708c7c73411", + "zh:563595dd72b894b2ef9825226c04689ea9967113568a06077960cd863b3afa36", + 
"zh:5bef3c6bc8306b607078a09c3ab1d2ee55435e0099eedca459aca6c259c29079", + "zh:5eb305ca10a14a5cf5308e7225779f9f4152d5a8dd842c901fa47fc93432b346", + "zh:6041a5272b293ae95b46a39ceced3f14bf267a379263c10d11301c50c2e740d0", + "zh:7b077b9358ef6878d0520febcf17ba651eda6636c66885c925ae27d20df6d575", + "zh:8a140a1f8eb35a5ab5b5d3d46759d45408ad14dc5ca3f7fc9af5dc5cf1bb2133", + "zh:9a9d707dbd3b111a28e914a277e1e1076221a41194f7eaa0389e0b4a9b4033e4", + "zh:e8c42fb6cde74ecae1fe0a5fd9bb4bd804a5441f8dfec9d3cb4966af2054ede4", + "zh:eb018fe31c8e6f3e495bd79c7b278aa7dc51b48453f6b83bdb0e7b13459b2aa0", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } @@ -96,17 +76,7 @@ provider "registry.terraform.io/hashicorp/null" { version = "3.2.3" constraints = ">= 3.2.1" hashes = [ - "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=", - "h1:KN+takGblkyoaNFclDjQavXC/FNz/CkF1UY0nqNCUHY=", - "h1:et7UFgRi/FtALhVrItMeSWc/HPuMnnnkDw7fk18dkDQ=", - "h1:i3HVDAY1s3/9EuPwV5QTBQSr/E/LOxUN3px1sUZGbkA=", - "h1:lIvitiHbzf+j9amFhEXljXncNo3O/8SoVQYQ6O29CSI=", - "h1:nKUqWEza6Lcv3xRlzeiRQrHtqvzX1BhIzjaOVXRYQXQ=", - "h1:obXguGZUWtNAO09f1f9Cb7hsPCOGXuGdN8bn/ohKRBQ=", - "h1:v4DuXoLvBGe0xRT5St53bNICRVbHRUO+m/TreMBCw/U=", - "h1:xtNWHxcFgrYF1TwPSdVloQPPfzsva9lIy+D2avuvelw=", - "h1:zxoDtu918XPWJ/Y6s4aFrZydn6SfqkRc5Ax1ZLnC6Ew=", "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", diff --git a/terraform/README.md b/terraform/README.md index b899e2c..6c78e52 100644 --- a/terraform/README.md +++ b/terraform/README.md 
@@ -133,14 +133,14 @@ If everything looks good, answer `yes` and wait for the new infrastructure to be | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | 3.113.0 | +| [azurerm](#provider\_azurerm) | 4.0.1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.10.1 | -| [azurerm\_key\_vault](#module\_azurerm\_key\_vault) | github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars | v0.4.2 | +| [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.12.0 | +| [azurerm\_key\_vault](#module\_azurerm\_key\_vault) | github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars | v0.5.0 | | [statuscake-tls-monitor](#module\_statuscake-tls-monitor) | github.com/dfe-digital/terraform-statuscake-tls-monitor | v0.1.4 | ## Resources @@ -174,16 +174,16 @@ If everything looks good, answer `yes` and wait for the new infrastructure to be | [cdn\_frontdoor\_origin\_fqdn\_override](#input\_cdn\_frontdoor\_origin\_fqdn\_override) | Manually specify the hostname that the CDN Front Door should target. Defaults to the Container App FQDN | `string` | `""` | no | | [cdn\_frontdoor\_origin\_host\_header\_override](#input\_cdn\_frontdoor\_origin\_host\_header\_override) | Manually specify the host header that the CDN sends to the target. Defaults to the recieved host header. Set to null to set it to the host\_name (`cdn_frontdoor_origin_fqdn_override`) | `string` | `""` | no | | [cdn\_frontdoor\_rate\_limiting\_duration\_in\_minutes](#input\_cdn\_frontdoor\_rate\_limiting\_duration\_in\_minutes) | CDN Front Door rate limiting duration in minutes | `number` | `5` | no | -| [cdn\_frontdoor\_waf\_custom\_rules](#input\_cdn\_frontdoor\_waf\_custom\_rules) | Map of all Custom rules you want to apply to the CDN WAF |
map(object({
priority : number,
action : string
match_conditions : map(object({
match_variable : string,
match_values : optional(list(string), []),
operator : optional(string, "Any"),
selector : optional(string, null),
negation_condition : optional(bool, false),
}))
}))
| `{}` | no | +| [cdn\_frontdoor\_waf\_custom\_rules](#input\_cdn\_frontdoor\_waf\_custom\_rules) | Map of all Custom rules you want to apply to the CDN WAF |
map(object({
priority : number,
action : string
match_conditions : map(object({
match_variable : string,
match_values : optional(list(string), []),
operator : optional(string, "Any"),
selector : optional(string, null),
negation_condition : optional(bool, false),
}))
}))
| `{}` | no | | [container\_apps\_allow\_ips\_inbound](#input\_container\_apps\_allow\_ips\_inbound) | Restricts access to the Container Apps by creating a network security group rule that only allow inbound traffic from the provided list of IPs | `list(string)` | `[]` | no | | [container\_command](#input\_container\_command) | Container command | `list(any)` | n/a | yes | | [container\_health\_probe\_path](#input\_container\_health\_probe\_path) | Specifies the path that is used to determine the liveness of the Container | `string` | `"/"` | no | | [container\_health\_probe\_protocol](#input\_container\_health\_probe\_protocol) | Use HTTPS or a TCP connection for the Container liveness probe | `string` | `"tcp"` | no | | [container\_scale\_http\_concurrency](#input\_container\_scale\_http\_concurrency) | When the number of concurrent HTTP requests exceeds this value, then another replica is added. Replicas continue to add to the pool up to the max-replicas amount. | `number` | `10` | no | | [container\_secret\_environment\_variables](#input\_container\_secret\_environment\_variables) | Container secret environment variables | `map(string)` | n/a | yes | -| [dns\_mx\_records](#input\_dns\_mx\_records) | DNS MX records to add to the DNS Zone |
map(
object({
ttl : optional(number, 300),
records : list(
object({
preference : number,
exchange : string
})
)
})
)
| `{}` | no | -| [dns\_ns\_records](#input\_dns\_ns\_records) | DNS NS records to add to the DNS Zone |
map(
object({
ttl : optional(number, 300),
records : list(string)
})
)
| n/a | yes | -| [dns\_txt\_records](#input\_dns\_txt\_records) | DNS TXT records to add to the DNS Zone |
map(
object({
ttl : optional(number, 300),
records : list(string)
})
)
| n/a | yes | +| [dns\_mx\_records](#input\_dns\_mx\_records) | DNS MX records to add to the DNS Zone |
map(
object({
ttl : optional(number, 300),
records : list(
object({
preference : number,
exchange : string
})
)
})
)
| `{}` | no | +| [dns\_ns\_records](#input\_dns\_ns\_records) | DNS NS records to add to the DNS Zone |
map(
object({
ttl : optional(number, 300),
records : list(string)
})
)
| n/a | yes | +| [dns\_txt\_records](#input\_dns\_txt\_records) | DNS TXT records to add to the DNS Zone |
map(
object({
ttl : optional(number, 300),
records : list(string)
})
)
| n/a | yes | | [dns\_zone\_domain\_name](#input\_dns\_zone\_domain\_name) | DNS zone domain name. If created, records will automatically be created to point to the CDN. | `string` | n/a | yes | | [enable\_cdn\_frontdoor](#input\_enable\_cdn\_frontdoor) | Enable Azure CDN FrontDoor. This will use the Container Apps endpoint as the origin. | `bool` | n/a | yes | | [enable\_cdn\_frontdoor\_health\_probe](#input\_enable\_cdn\_frontdoor\_health\_probe) | Enable CDN Front Door health probe | `bool` | `false` | no | @@ -192,7 +192,7 @@ If everything looks good, answer `yes` and wait for the new infrastructure to be | [enable\_dns\_zone](#input\_enable\_dns\_zone) | Conditionally create a DNS zone | `bool` | n/a | yes | | [enable\_monitoring](#input\_enable\_monitoring) | Create an App Insights instance and notification group for the Container App | `bool` | n/a | yes | | [environment](#input\_environment) | Environment name. Will be used along with `project_name` as a prefix for all resources. | `string` | n/a | yes | -| [existing\_logic\_app\_workflow](#input\_existing\_logic\_app\_workflow) | Name, and Resource Group of an existing Logic App Workflow. Leave empty to create a new Resource |
object({
name : string
resource_group_name : string
})
|
{
"name": "",
"resource_group_name": ""
}
| no | +| [existing\_logic\_app\_workflow](#input\_existing\_logic\_app\_workflow) | Name, and Resource Group of an existing Logic App Workflow. Leave empty to create a new Resource |
object({
name : string
resource_group_name : string
})
|
{
"name": "",
"resource_group_name": ""
}
| no | | [existing\_network\_watcher\_name](#input\_existing\_network\_watcher\_name) | Use an existing network watcher to add flow logs. | `string` | n/a | yes | | [existing\_network\_watcher\_resource\_group\_name](#input\_existing\_network\_watcher\_resource\_group\_name) | Existing network watcher resource group. | `string` | n/a | yes | | [image\_name](#input\_image\_name) | Image name | `string` | n/a | yes | @@ -200,7 +200,7 @@ If everything looks good, answer `yes` and wait for the new infrastructure to be | [key\_vault\_access\_ipv4](#input\_key\_vault\_access\_ipv4) | List of IPv4 Addresses that are permitted to access the Key Vault | `list(string)` | n/a | yes | | [monitor\_email\_receivers](#input\_monitor\_email\_receivers) | A list of email addresses that should be notified by monitoring alerts | `list(string)` | n/a | yes | | [monitor\_endpoint\_healthcheck](#input\_monitor\_endpoint\_healthcheck) | Specify a route that should be monitored for a 200 OK status | `string` | n/a | yes | -| [private\_endpoint\_configurations](#input\_private\_endpoint\_configurations) | Map of private endpoint configurations, specifying the VNet name/resource-group and a new subnet CIDR. A subnet, private endpoint and DNS zone will be created within the specified VNet.
{
endpoint-name = {
vnet\_name: The Name of the VNet to create the private endpoint resources
vnet\_resource\_group\_name: The Name of the resource group containing the VNet
subnet\_cidr: The CIDR of the Private Endpoint subnet to be created
subresource\_name: The type of resource you are targeting (e.g. sqlServer)
target\_resource\_id: The Resource ID for the target resource you are trying to connect to
create\_private\_dns\_zone: Do you want to automatically create the Private DNS Zone?
private\_dns\_hostname: The hostname to use for the Private DNS Zone
subnet\_route\_table\_name: The Route Table ID to associate the subnet with (Optional)
}
} |
map(object({
vnet_name = string
vnet_resource_group_name = string
subnet_cidr = string
subresource_name = string
target_resource_id = string
create_private_dns_zone = optional(bool, true)
private_dns_hostname = string
subnet_route_table_name = optional(string, null)
}))
| `{}` | no | +| [private\_endpoint\_configurations](#input\_private\_endpoint\_configurations) | Map of private endpoint configurations, specifying the VNet name/resource-group and a new subnet CIDR. A subnet, private endpoint and DNS zone will be created within the specified VNet.
{
endpoint-name = {
vnet\_name: The Name of the VNet to create the private endpoint resources
vnet\_resource\_group\_name: The Name of the resource group containing the VNet
subnet\_cidr: The CIDR of the Private Endpoint subnet to be created
subresource\_name: The type of resource you are targeting (e.g. sqlServer)
target\_resource\_id: The Resource ID for the target resource you are trying to connect to
create\_private\_dns\_zone: Do you want to automatically create the Private DNS Zone?
private\_dns\_hostname: The hostname to use for the Private DNS Zone
subnet\_route\_table\_name: The Route Table ID to associate the subnet with (Optional)
}
} |
map(object({
vnet_name = string
vnet_resource_group_name = string
subnet_cidr = string
subresource_name = string
target_resource_id = string
create_private_dns_zone = optional(bool, true)
private_dns_hostname = string
subnet_route_table_name = optional(string, null)
}))
| `{}` | no | | [project\_name](#input\_project\_name) | Project name. Will be used along with `environment` as a prefix for all resources. | `string` | n/a | yes | | [registry\_admin\_enabled](#input\_registry\_admin\_enabled) | Do you want to enable access key based authentication for your Container Registry? | `bool` | `true` | no | | [registry\_managed\_identity\_assign\_role](#input\_registry\_managed\_identity\_assign\_role) | Assign the 'AcrPull' Role to the Container App User-Assigned Managed Identity. Note: If you do not have 'Microsoft.Authorization/roleAssignments/write' permission, you will need to manually assign the 'AcrPull' Role to the identity | `bool` | `false` | no | diff --git a/terraform/container-apps-hosting.tf b/terraform/container-apps-hosting.tf index 0cb6827..91b2872 100644 --- a/terraform/container-apps-hosting.tf +++ b/terraform/container-apps-hosting.tf @@ -1,5 +1,5 @@ module "azure_container_apps_hosting" { - source = "github.com/DFE-Digital/terraform-azurerm-container-apps-hosting?ref=v1.10.1" + source = "github.com/DFE-Digital/terraform-azurerm-container-apps-hosting?ref=v1.12.0" environment = local.environment project_name = local.project_name diff --git a/terraform/key-vault-tfvars-secrets.tf b/terraform/key-vault-tfvars-secrets.tf index 66c20e5..ecbb042 100644 --- a/terraform/key-vault-tfvars-secrets.tf +++ b/terraform/key-vault-tfvars-secrets.tf @@ -1,5 +1,5 @@ module "azurerm_key_vault" { - source = "github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars?ref=v0.4.2" + source = "github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars?ref=v0.5.0" environment = local.environment project_name = local.project_name diff --git a/terraform/private-endpoint.tf b/terraform/private-endpoint.tf index 3c0cb08..0934c6d 100644 --- a/terraform/private-endpoint.tf +++ b/terraform/private-endpoint.tf 
@@ -1,11 +1,11 @@
 resource "azurerm_subnet" "private_endpoint" {
 for_each = local.private_endpoint_configurations
- name = lower("${local.resource_prefix}-${each.value.subresource_name}privateendpoint")
- virtual_network_name = "${local.resource_prefix}default"
- resource_group_name = local.resource_prefix
- address_prefixes = [each.value["subnet_cidr"]]
- private_endpoint_network_policies_enabled = false
+ name = lower("${local.resource_prefix}-${each.value.subresource_name}privateendpoint")
+ virtual_network_name = "${local.resource_prefix}default"
+ resource_group_name = local.resource_prefix
+ address_prefixes = [each.value["subnet_cidr"]]
+ private_endpoint_network_policies = "Disabled"
 }
 resource "azurerm_subnet_route_table_association" "private_endpoint" {
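Review bot: `private_endpoint_network_policies = "Disabled"` on `azurerm_subnet.private_endpoint` carries over the old `false`, so network security group rules and user-defined routes are still not enforced for private endpoints in this subnet, and nothing in the resource says that is intended. The rename is the right form for the azurerm 4.x provider, but the setting deserves a comment on that line, for example `# Network policies off: NSG rules and UDRs do not apply to private endpoints in this subnet`. If an NSG or the route table associated just below is meant to govern traffic to the endpoints, the value would have to be `"NetworkSecurityGroupEnabled"`, `"RouteTableEnabled"` or `"Enabled"` instead. That cannot be confirmed from this hunk, because the `azurerm_subnet_route_table_association` block continues outside it.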