[EC-260] Fundamental Terraform Core setup for Italy North region #944
Merged
pasqualedevita requested changes, Apr 9, 2024
Krusty93 force-pushed the EC-260-setup-italy-north-terraform-core branch from 10d48d1 to 6eb19dd, April 10, 2024 15:19
I would like also to integrate this
Discarded because of lack of support
Terraform Plan ('src/core/prod/italynorth')
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# azurerm_resource_group.vnet will be created
+ resource "azurerm_resource_group" "vnet" {
+ id = (known after apply)
+ location = "italynorth"
+ name = "io-p-itn-common-rg-001"
+ tags = {
+ "CostCenter" = "TS310 - PAGAMENTI & SERVIZI"
+ "CreatedBy" = "Terraform"
+ "Environment" = "Prod"
+ "Owner" = "IO"
+ "Source" = "https://github.com/pagopa/io-infra/blob/main/src/core/prod/italynorth"
}
}
# module.networking.azurerm_private_dns_zone_virtual_network_link.azurewebsites_private_vnet_itn_common will be created
+ resource "azurerm_private_dns_zone_virtual_network_link" "azurewebsites_private_vnet_itn_common" {
+ id = (known after apply)
+ name = "io-p-itn-common-vnet-001"
+ private_dns_zone_name = "privatelink.azurewebsites.net"
+ registration_enabled = false
+ resource_group_name = "io-p-rg-common"
+ tags = {
+ "CostCenter" = "TS310 - PAGAMENTI & SERVIZI"
+ "CreatedBy" = "Terraform"
+ "Environment" = "Prod"
+ "Owner" = "IO"
+ "Source" = "https://github.com/pagopa/io-infra/blob/main/src/core/prod/italynorth"
}
+ virtual_network_id = (known after apply)
}
# module.networking.azurerm_private_dns_zone_virtual_network_link.blob_core_private_vnet_itn_common will be created
+ resource "azurerm_private_dns_zone_virtual_network_link" "blob_core_private_vnet_itn_common" {
+ id = (known after apply)
+ name = "io-p-itn-common-vnet-001"
+ private_dns_zone_name = "privatelink.blob.core.windows.net"
+ registration_enabled = false
+ resource_group_name = "io-p-rg-common"
+ tags = {
+ "CostCenter" = "TS310 - PAGAMENTI & SERVIZI"
+ "CreatedBy" = "Terraform"
+ "Environment" = "Prod"
+ "Owner" = "IO"
+ "Source" = "https://github.com/pagopa/io-infra/blob/main/src/core/prod/italynorth"
}
+ virtual_network_id = (known after apply)
}
# module.networking.azurerm_private_dns_zone_virtual_network_link.documents_private_vnet_itn_common will be created
+ resource "azurerm_private_dns_zone_virtual_network_link" "documents_private_vnet_itn_common" {
+ id = (known after apply)
+ name = "io-p-itn-common-vnet-001"
+ private_dns_zone_name = "privatelink.documents.azure.com"
+ registration_enabled = false
+ resource_group_name = "io-p-rg-common"
+ tags = {
+ "CostCenter" = "TS310 - PAGAMENTI & SERVIZI"
+ "CreatedBy" = "Terraform"
+ "Environment" = "Prod"
+ "Owner" = "IO"
+ "Source" = "https://github.com/pagopa/io-infra/blob/main/src/core/prod/italynorth"
}
+ virtual_network_id = (known after apply)
}
# module.networking.azurerm_private_dns_zone_virtual_network_link.file_core_private_vnet_itn_common will be created
+ resource "azurerm_private_dns_zone_virtual_network_link" "file_core_private_vnet_itn_common" {
+ id = (known after apply)
+ name = "io-p-itn-common-vnet-001"
+ private_dns_zone_name = "privatelink.file.core.windows.net"
+ registration_enabled = false
+ resource_group_name = "io-p-rg-common"
+ tags = {
+ "CostCenter" = "TS310 - PAGAMENTI & SERVIZI"
+ "CreatedBy" = "Terraform"
+ "Environment" = "Prod"
+ "Owner" = "IO"
+ "Source" = "https://github.com/pagopa/io-infra/blob/main/src/core/prod/italynorth"
}
+ virtual_network_id = (known after apply)
}
# module.networking.azurerm_private_dns_zone_virtual_network_link.internal_io_pagopa_it_private_vnet_itn_common will be created
+ resource "azurerm_private_dns_zone_virtual_network_link" "internal_io_pagopa_it_private_vnet_itn_common" {
+ id = (known after apply)
+ name = "io-p-itn-common-vnet-001"
+ private_dns_zone_name = "internal.io.pagopa.it"
+ registration_enabled = false
+ resource_group_name = "io-p-rg-internal"
+ tags = {
+ "CostCenter" = "TS310 - PAGAMENTI & SERVIZI"
+ "CreatedBy" = "Terraform"
+ "Environment" = "Prod"
+ "Owner" = "IO"
+ "Source" = "https://github.com/pagopa/io-infra/blob/main/src/core/prod/italynorth"
}
+ virtual_network_id = (known after apply)
}
# module.networking.azurerm_private_dns_zone_virtual_network_link.mongo_cosmos_private_vnet_itn_common will be created
+ resource "azurerm_private_dns_zone_virtual_network_link" "mongo_cosmos_private_vnet_itn_common" {
+ id = (known after apply)
+ name = "io-p-itn-common-vnet-001"
+ private_dns_zone_name = "privatelink.mongo.cosmos.azure.com"
+ registration_enabled = false
+ resource_group_name = "io-p-rg-common"
+ tags = {
+ "CostCenter" = "TS310 - PAGAMENTI & SERVIZI"
+ "CreatedBy" = "Terraform"
+ "Environment" = "Prod"
+ "Owner" = "IO"
+ "Source" = "https://github.com/pagopa/io-infra/blob/main/src/core/prod/italynorth"
}
+ virtual_network_id = (known after apply)
}
# module.networking.azurerm_private_dns_zone_virtual_network_link.privatelink_postgres_database_azure_com_vnet_itn_common will be created
+ resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_postgres_database_azure_com_vnet_itn_common" {
+ id = (known after apply)
+ name = "io-p-itn-common-vnet-001"
+ private_dns_zone_name = "privatelink.postgres.database.azure.com"
+ registration_enabled = false
+ resource_group_name = "io-p-rg-common"
+ tags = {
+ "CostCenter" = "TS310 - PAGAMENTI & SERVIZI"
+ "CreatedBy" = "Terraform"
+ "Environment" = "Prod"
+ "Owner" = "IO"
+ "Source" = "https://github.com/pagopa/io-infra/blob/main/src/core/prod/italynorth"
}
+ virtual_network_id = (known after apply)
}
# module.networking.azurerm_private_dns_zone_virtual_network_link.queue_core_private_vnet_itn_common will be created
+ resource "azurerm_private_dns_zone_virtual_network_link" "queue_core_private_vnet_itn_common" {
+ id = (known after apply)
+ name = "io-p-itn-common-vnet-001"
+ private_dns_zone_name = "privatelink.queue.core.windows.net"
+ registration_enabled = false
+ resource_group_name = "io-p-rg-common"
+ tags = {
+ "CostCenter" = "TS310 - PAGAMENTI & SERVIZI"
+ "CreatedBy" = "Terraform"
+ "Environment" = "Prod"
+ "Owner" = "IO"
+ "Source" = "https://github.com/pagopa/io-infra/blob/main/src/core/prod/italynorth"
}
+ virtual_network_id = (known after apply)
}
# module.networking.azurerm_private_dns_zone_virtual_network_link.servicebus_private_vnet_itn_common will be created
+ resource "azurerm_private_dns_zone_virtual_network_link" "servicebus_private_vnet_itn_common" {
+ id = (known after apply)
+ name = "io-p-itn-common-vnet-001"
+ private_dns_zone_name = "privatelink.servicebus.windows.net"
+ registration_enabled = false
+ resource_group_name = "io-p-evt-rg"
+ tags = {
+ "CostCenter" = "TS310 - PAGAMENTI & SERVIZI"
+ "CreatedBy" = "Terraform"
+ "Environment" = "Prod"
+ "Owner" = "IO"
+ "Source" = "https://github.com/pagopa/io-infra/blob/main/src/core/prod/italynorth"
}
+ virtual_network_id = (known after apply)
}
# module.networking.azurerm_private_dns_zone_virtual_network_link.table_core_private_vnet_itn_common will be created
+ resource "azurerm_private_dns_zone_virtual_network_link" "table_core_private_vnet_itn_common" {
+ id = (known after apply)
+ name = "io-p-itn-common-vnet-001"
+ private_dns_zone_name = "privatelink.table.core.windows.net"
+ registration_enabled = false
+ resource_group_name = "io-p-rg-common"
+ tags = {
+ "CostCenter" = "TS310 - PAGAMENTI & SERVIZI"
+ "CreatedBy" = "Terraform"
+ "Environment" = "Prod"
+ "Owner" = "IO"
+ "Source" = "https://github.com/pagopa/io-infra/blob/main/src/core/prod/italynorth"
}
+ virtual_network_id = (known after apply)
}
# module.networking.module.vnet_itn_common.azurerm_virtual_network.this will be created
+ resource "azurerm_virtual_network" "this" {
+ address_space = [
+ "10.20.0.0/16",
]
+ dns_servers = (known after apply)
+ guid = (known after apply)
+ id = (known after apply)
+ location = "italynorth"
+ name = "io-p-itn-common-vnet-001"
+ resource_group_name = "io-p-itn-common-rg-001"
+ subnet = (known after apply)
+ tags = {
+ "CostCenter" = "TS310 - PAGAMENTI & SERVIZI"
+ "CreatedBy" = "Terraform"
+ "Environment" = "Prod"
+ "Owner" = "IO"
+ "Source" = "https://github.com/pagopa/io-infra/blob/main/src/core/prod/italynorth"
}
+ ddos_protection_plan {
+ enable = true
+ id = "/subscriptions/0da48c97-355f-4050-a520-f11a18b8be90/resourceGroups/sec-p-ddos/providers/Microsoft.Network/ddosProtectionPlans/sec-p-ddos-protection"
}
}
# module.networking.module.vnet_peering_itn_common_weu_beta.azurerm_virtual_network_peering.source will be created
+ resource "azurerm_virtual_network_peering" "source" {
+ allow_forwarded_traffic = false
+ allow_gateway_transit = false
+ allow_virtual_network_access = true
+ id = (known after apply)
+ name = "io-p-itn-common-vnet-001-to-io-p-weu-beta-vnet"
+ remote_virtual_network_id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-weu-beta-vnet-rg/providers/Microsoft.Network/virtualNetworks/io-p-weu-beta-vnet"
+ resource_group_name = "io-p-itn-common-rg-001"
+ use_remote_gateways = false
+ virtual_network_name = "io-p-itn-common-vnet-001"
}
# module.networking.module.vnet_peering_itn_common_weu_beta.azurerm_virtual_network_peering.target will be created
+ resource "azurerm_virtual_network_peering" "target" {
+ allow_forwarded_traffic = false
+ allow_gateway_transit = false
+ allow_virtual_network_access = true
+ id = (known after apply)
+ name = "io-p-weu-beta-vnet-to-io-p-itn-common-vnet-001"
+ remote_virtual_network_id = (known after apply)
+ resource_group_name = "io-p-weu-beta-vnet-rg"
+ use_remote_gateways = false
+ virtual_network_name = "io-p-weu-beta-vnet"
}
# module.networking.module.vnet_peering_itn_common_weu_prod01.azurerm_virtual_network_peering.source will be created
+ resource "azurerm_virtual_network_peering" "source" {
+ allow_forwarded_traffic = false
+ allow_gateway_transit = false
+ allow_virtual_network_access = true
+ id = (known after apply)
+ name = "io-p-itn-common-vnet-001-to-io-p-weu-prod01-vnet"
+ remote_virtual_network_id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-weu-prod01-vnet-rg/providers/Microsoft.Network/virtualNetworks/io-p-weu-prod01-vnet"
+ resource_group_name = "io-p-itn-common-rg-001"
+ use_remote_gateways = false
+ virtual_network_name = "io-p-itn-common-vnet-001"
}
# module.networking.module.vnet_peering_itn_common_weu_prod01.azurerm_virtual_network_peering.target will be created
+ resource "azurerm_virtual_network_peering" "target" {
+ allow_forwarded_traffic = false
+ allow_gateway_transit = false
+ allow_virtual_network_access = true
+ id = (known after apply)
+ name = "io-p-weu-prod01-vnet-to-io-p-itn-common-vnet-001"
+ remote_virtual_network_id = (known after apply)
+ resource_group_name = "io-p-weu-prod01-vnet-rg"
+ use_remote_gateways = false
+ virtual_network_name = "io-p-weu-prod01-vnet"
}
# module.networking.module.vnet_peering_weu_common_itn_common.azurerm_virtual_network_peering.source will be created
+ resource "azurerm_virtual_network_peering" "source" {
+ allow_forwarded_traffic = false
+ allow_gateway_transit = true
+ allow_virtual_network_access = true
+ id = (known after apply)
+ name = "io-p-vnet-common-to-io-p-itn-common-vnet-001"
+ remote_virtual_network_id = (known after apply)
+ resource_group_name = "io-p-rg-common"
+ use_remote_gateways = false
+ virtual_network_name = "io-p-vnet-common"
}
# module.networking.module.vnet_peering_weu_common_itn_common.azurerm_virtual_network_peering.target will be created
+ resource "azurerm_virtual_network_peering" "target" {
+ allow_forwarded_traffic = false
+ allow_gateway_transit = false
+ allow_virtual_network_access = true
+ id = (known after apply)
+ name = "io-p-itn-common-vnet-001-to-io-p-vnet-common"
+ remote_virtual_network_id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/virtualNetworks/io-p-vnet-common"
+ resource_group_name = "io-p-itn-common-rg-001"
+ use_remote_gateways = true
+ virtual_network_name = "io-p-itn-common-vnet-001"
}
Plan: 18 to add, 0 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
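A check a reviewer could run over the machine-readable form of a plan like the one above, as an added example that is not part of this PR or of the project's tooling: it reads `terraform show -json` output and flags peering settings that widen connectivity or leave gateway transit half-configured. It assumes each peering module exposes a `source` and a `target` resource, as in the plan above; the sample entries are constructed from the flag values shown there.

```python
import json
import sys

PEERING = "azurerm_virtual_network_peering"

def audit_peerings(plan):
    """Return review findings for VNet peerings a JSON plan creates or updates."""
    pairs, findings = {}, []
    for rc in plan.get("resource_changes", []):
        if rc["type"] != PEERING or not {"create", "update"} & set(rc["change"]["actions"]):
            continue
        # Assumption: both directions live in one module as ".source" and ".target".
        module, _, side = rc["address"].rpartition(f".{PEERING}.")
        pairs.setdefault(module, {})[side] = rc["change"]["after"]
    for module, sides in sorted(pairs.items()):
        for side, cfg in sorted(sides.items()):
            other = sides.get("target" if side == "source" else "source", {})
            if cfg.get("allow_forwarded_traffic"):
                findings.append(f"{module}.{side}: accepts forwarded traffic")
            if cfg.get("use_remote_gateways") and not other.get("allow_gateway_transit"):
                findings.append(f"{module}.{side}: uses remote gateways, peer offers no transit")
            if cfg.get("allow_gateway_transit") and not other.get("use_remote_gateways"):
                findings.append(f"{module}.{side}: offers gateway transit the peer does not use")
    return findings

def peering_change(module, side, **after):
    """Build one constructed resource_changes entry for the sample below."""
    return {"address": f"module.networking.module.{module}.{PEERING}.{side}",
            "type": PEERING, "change": {"actions": ["create"], "after": after}}

# Constructed sample: the weu_common/itn_common pair with the flag values from the plan above.
SAMPLE = {"resource_changes": [
    peering_change("vnet_peering_weu_common_itn_common", "source",
                   allow_forwarded_traffic=False, allow_gateway_transit=True,
                   use_remote_gateways=False),
    peering_change("vnet_peering_weu_common_itn_common", "target",
                   allow_forwarded_traffic=False, allow_gateway_transit=False,
                   use_remote_gateways=True),
]}

if __name__ == "__main__":
    # Usage: terraform show -json plan.tfplan > plan.json; python audit.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE
    print("\n".join(audit_peerings(plan)) or "no peering findings")
```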
Krusty93 force-pushed the EC-260-setup-italy-north-terraform-core branch from 0d3d26e to 558e083, April 15, 2024 10:23
Quality Gate passed
List of changes
This PR contains a definition of new resources to be deployed in Italy North region.
They are completely separated from West Europe region resources, in order to break the coupling between the two.
They use the modules-approach, to simplify resource searching, break coupling and get rid of the long file list.
This core folder is intended to be used especially by cloud engineers, NOT developers; they instead shall define resources in their mono repos/application repos/domain folder, according to their patterns. Core folder shall contain fundamental blocks and nothing else. An RFC with more details and explanations has been opened some time ago.
This PR also uses HashiCorp module to auto generate CIDR blocks for subnets. This is useful to avoid CIDR collision in concurrent PRs, especially in "distributed repositories", and is intended to be used also in all Terraform configurations which are going to interact with North Italy region.
Also naming conventions have been updated: location is introduced, as well as the instance number. The former is useful to distinguish resources based on location (pattern in part already adopted in West Europe but then abandoned); the latter is useful for migrations, in order to be more repetitive than creative (aka inventing names to create unique resources similar to old ones and creating confusion). This approach is also suggested by Microsoft.
Motivation and context
Getting the new region opportunity to fix some historical issues.
We need to deploy first resources in Italy very very very soon (this week)
Type of changes
Env to apply
Does this introduce a change to production resources with possible user impact?
Does this introduce an unwanted change on infrastructure? Check terraform plan execution result
Other information
If PR is partially applied, why? (reserved to maintainers)
How to apply
After PR is approved
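How generated subnet CIDRs react when a shared, ordered network list changes, as an added example that is not code from this PR or from the HashiCorp module: a Python model of consecutive, size-aligned allocation inside the 10.20.0.0/16 address space shown in the plan. The allocation rule is an assumption made for the model, and the subnet names and sizes are hypothetical.

```python
import ipaddress

def allocate(base, networks):
    """Allocate consecutive, size-aligned subnets of `base`.

    `networks` is an ordered list of (name, new_bits). A name of None keeps
    the block reserved without publishing it. Returns {name: ip_network}.
    """
    parent = ipaddress.ip_network(base)
    cursor, out = int(parent.network_address), {}
    for name, new_bits in networks:
        prefix = parent.prefixlen + new_bits
        size = 1 << (parent.max_prefixlen - prefix)
        cursor = -(-cursor // size) * size  # round up to the next block boundary
        block = ipaddress.ip_network((cursor, prefix))
        if not block.subnet_of(parent):
            raise ValueError(f"{base} exhausted while allocating {name!r}")
        if name is not None:
            out[name] = block
        cursor += size
    return out

def moved(before, after):
    """Names whose CIDR differs between two allocations (a renumbering risk)."""
    return sorted(n for n in before if n in after and before[n] != after[n])

# Hypothetical subnet list for the model; not taken from the repository.
NETWORKS = [("pep", 7), ("appgw", 8), ("apim", 8)]

if __name__ == "__main__":
    base = allocate("10.20.0.0/16", NETWORKS)
    appended = allocate("10.20.0.0/16", NETWORKS + [("aks", 6)])
    inserted = allocate("10.20.0.0/16", NETWORKS[:1] + [("aks", 6)] + NETWORKS[1:])
    for name, block in appended.items():
        print(f"{name:6} {block}")
    print("moved after append:", moved(base, appended))
    print("moved after insert:", moved(base, inserted))
```

Appending to the list leaves existing ranges untouched, while inserting or deleting in the middle renumbers every later subnet, which matters once NSG rules, firewall allow-lists or private endpoints reference those ranges.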