TES-307: Application Gateway

Ontotext-AD · Nov 17, 2023 · d17e7b8 · d17e7b8
1 parent f2fa4aa
commit d17e7b8
Show file tree

Hide file tree

Showing 24 changed files with 555 additions and 68 deletions.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/main.tf b/main.tf
@@ -46,6 +46,13 @@ resource "azurerm_virtual_network" "graphdb" {
   tags                = local.tags
 }
 
+resource "azurerm_subnet" "graphdb-gateway" {
+  name                 = "${var.resource_name_prefix}-gateway"
+  resource_group_name  = azurerm_resource_group.graphdb.name
+  virtual_network_name = azurerm_virtual_network.graphdb.name
+  address_prefixes     = var.app_gateway_subnet_address_prefix
+}
+
 resource "azurerm_subnet" "graphdb-vmss" {
   name                 = "${var.resource_name_prefix}-vmss"
   resource_group_name  = azurerm_resource_group.graphdb.name
@@ -55,6 +62,21 @@ resource "azurerm_subnet" "graphdb-vmss" {
 
 # ------------------------------------------------------------
 
+# Creates a public IP address with assigned FQDN from the regional Azure DNS
+module "address" {
+  source = "./modules/address"
+
+  resource_name_prefix = var.resource_name_prefix
+  resource_group_name  = azurerm_resource_group.graphdb.name
+  # TODO: Rename to availability_zones for clarity...
+  zones                = var.zones
+
+  # TODO: Could rename to common_tags
+  tags = local.tags
+
+  depends_on = [azurerm_resource_group.graphdb]
+}
+
 # Creates a user assigned identity which will be provided to GraphDB VMs.
 module "identity" {
   source = "./modules/identity"
@@ -101,17 +123,40 @@ module "configuration" {
   ]
 }
 
-# Creates a public load balancer for forwarding internet traffic to the GraphDB proxies
-module "load_balancer" {
-  source = "./modules/load_balancer"
+module "tls" {
+  source = "./modules/tls"
 
   resource_name_prefix = var.resource_name_prefix
   resource_group_name  = azurerm_resource_group.graphdb.name
-  zones                = var.zones
+
+  key_vault_name           = module.vault.key_vault_name
+  tls_certificate          = filebase64(var.gateway_ssl_certificate_path)
+  # TODO: tls vs ssl
+  tls_certificate_password = var.gateway_ssl_certificate_password
+
+  tags = local.tags
+
+  depends_on = [azurerm_resource_group.graphdb, module.identity, module.vault]
+}
+
+# Creates a public application gateway for forwarding internet traffic to the GraphDB proxies
+module "application_gateway" {
+  source = "./modules/application_gateway"
+
+  resource_name_prefix   = var.resource_name_prefix
+  resource_group_name    = azurerm_resource_group.graphdb.name
+  # TODO: Naming..
+  network_interface_name = azurerm_virtual_network.graphdb.name
+
+  gateway_subnet_name = azurerm_subnet.graphdb-gateway.name
+
+  gateway_public_ip_name            = module.address.public_ip_address_name
+  gateway_identity_name             = module.tls.tls_identity_name
+  gateway_tls_certificate_secret_id = module.tls.tls_certificate_key_vault_secret_id
 
   tags = local.tags
 
-  depends_on = [azurerm_resource_group.graphdb, azurerm_virtual_network.graphdb]
+  depends_on = [azurerm_resource_group.graphdb, azurerm_virtual_network.graphdb, azurerm_subnet.graphdb-vmss, module.address]
 }
 
 # Module for resolving the GraphDB shared image ID
@@ -149,11 +194,12 @@ module "vm" {
   network_interface_name = azurerm_virtual_network.graphdb.name
   zones                  = var.zones
 
-  graphdb_subnet_name                   = azurerm_subnet.graphdb-vmss.name
-  load_balancer_backend_address_pool_id = module.load_balancer.load_balancer_backend_address_pool_id
-  load_balancer_fqdn                    = module.load_balancer.load_balancer_fqdn
-  identity_name                         = module.identity.identity_name
-  key_vault_name                        = module.vault.key_vault_name
+  # TODO: A NAMING AAAAAA
+  graphdb_subnet_name                    = azurerm_subnet.graphdb-vmss.name
+  load_balancer_backend_address_pool_ids = [module.application_gateway.gateway_backend_address_pool_id]
+  load_balancer_fqdn                     = module.address.public_ip_address_fqdn
+  identity_name                          = module.identity.identity_name
+  key_vault_name                         = module.vault.key_vault_name
 
   data_disk_performance_tier = var.data_disk_performance_tier
   disk_size_gb               = var.disk_size_gb

diff --git a/modules/address/README.md b/modules/address/README.md
@@ -0,0 +1 @@
+# GraphDB Public IP Address Module
diff --git a/modules/address/main.tf b/modules/address/main.tf
@@ -0,0 +1,33 @@
+data "azurerm_resource_group" "graphdb" {
+  name = var.resource_group_name
+}
+
+locals {
+  resource_group = data.azurerm_resource_group.graphdb.name
+  location       = data.azurerm_resource_group.graphdb.location
+}
+
+resource "random_string" "fqdn" {
+  length  = 6
+  special = false
+  upper   = false
+  numeric = true
+}
+
+resource "azurerm_public_ip" "graphdb-public-ip-address" {
+  name                = "${var.resource_name_prefix}-public-address"
+  resource_group_name = local.resource_group
+  location            = local.location
+
+  sku               = "Standard"
+  allocation_method = "Static"
+  zones             = var.zones
+
+  # TODO: idle_timeout_in_minutes is between 4 and 30 minutes, gotta test if this affects our data loading
+
+  # TODO: This could be conditional or provided
+  # TODO: If we use a dedicated domain with TLS, this would not be needed
+  domain_name_label = "${var.resource_name_prefix}-${random_string.fqdn.result}"
+
+  tags = var.tags
+}
diff --git a/modules/address/outputs.tf b/modules/address/outputs.tf
@@ -0,0 +1,9 @@
+output "public_ip_address_name" {
+  description = "Name of the public IP address"
+  value       = azurerm_public_ip.graphdb-public-ip-address.name
+}
+
+output "public_ip_address_fqdn" {
+  description = "The assigned FQDN of the public IP address"
+  value       = azurerm_public_ip.graphdb-public-ip-address.fqdn
+}
diff --git a/modules/address/variables.tf b/modules/address/variables.tf
@@ -0,0 +1,23 @@
+# General configurations
+
+variable "resource_name_prefix" {
+  description = "Resource name prefix used for tagging and naming AWS resources"
+  type        = string
+}
+
+variable "zones" {
+  description = "Availability zones for the public IP address."
+  type        = list(number)
+  default     = [1, 2, 3]
+}
+
+variable "tags" {
+  description = "Common resource tags."
+  type        = map(string)
+  default     = {}
+}
+
+variable "resource_group_name" {
+  description = "Name of the resource group where GraphDB will be deployed."
+  type        = string
+}
diff --git a/modules/address/versions.tf b/modules/address/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.3.1"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=3.71.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~>3.0"
+    }
+  }
+}
diff --git a/modules/application_gateway/README.md b/modules/application_gateway/README.md
@@ -0,0 +1 @@
+# GraphDB Application Gateway Module
diff --git a/modules/application_gateway/main.tf b/modules/application_gateway/main.tf
@@ -0,0 +1,126 @@
+data "azurerm_resource_group" "graphdb" {
+  name = var.resource_group_name
+}
+
+data "azurerm_subnet" "graphdb-gateway" {
+  name                 = var.gateway_subnet_name
+  resource_group_name  = var.resource_group_name
+  virtual_network_name = var.network_interface_name
+}
+
+data "azurerm_public_ip" "graphdb-gateway" {
+  name                = var.gateway_public_ip_name
+  resource_group_name = var.resource_group_name
+}
+
+data "azurerm_user_assigned_identity" "graphdb-gateway-tls" {
+  name                = var.gateway_identity_name
+  resource_group_name = var.resource_group_name
+}
+
+locals {
+  resource_group = data.azurerm_resource_group.graphdb.name
+  location       = data.azurerm_resource_group.graphdb.location
+
+  gateway_ip_configuration_name          = "${var.resource_name_prefix}-gateway-ip-configuration"
+  gateway_frontend_port_name             = "${var.resource_name_prefix}-gateway-public-port-configuration"
+  gateway_frontend_ip_configuration_name = "${var.resource_name_prefix}-gateway-public-ip-configuration"
+  gateway_backend_address_pool_name      = "${var.resource_name_prefix}-gateway-backend-address-pool"
+  gateway_backend_http_settings_name     = "${var.resource_name_prefix}-gateway-backend-http-settings"
+  gateway_http_probe_name                = "${var.resource_name_prefix}-gateway-http-probe"
+  gateway_http_listener_name             = "${var.resource_name_prefix}-gateway-http-listener"
+  gateway_request_routing_rule_name      = "${var.resource_name_prefix}-gateway-request-routing-rule"
+  gateway_ssl_certificate_name           = "${var.resource_name_prefix}-ssl"
+}
+
+resource "azurerm_application_gateway" "graphdb" {
+  name                = var.resource_name_prefix
+  resource_group_name = local.resource_group
+  location            = local.location
+
+  autoscale_configuration {
+    min_capacity = var.gateway_min_capacity
+    max_capacity = var.gateway_max_capacity
+  }
+
+  enable_http2 = true
+
+  # TODO: Connection draining?
+
+  sku {
+    name = "Standard_v2"
+    tier = "Standard_v2"
+  }
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [data.azurerm_user_assigned_identity.graphdb-gateway-tls.id]
+  }
+
+  ssl_certificate {
+    name                = local.gateway_ssl_certificate_name
+    key_vault_secret_id = var.gateway_tls_certificate_secret_id
+  }
+
+  gateway_ip_configuration {
+    name      = local.gateway_ip_configuration_name
+    subnet_id = data.azurerm_subnet.graphdb-gateway.id
+  }
+
+  frontend_port {
+    name = local.gateway_frontend_port_name
+    port = 443
+  }
+
+  frontend_ip_configuration {
+    name                 = local.gateway_frontend_ip_configuration_name
+    public_ip_address_id = data.azurerm_public_ip.graphdb-gateway.id
+  }
+
+  backend_address_pool {
+    name = local.gateway_backend_address_pool_name
+  }
+
+  probe {
+    name = local.gateway_http_probe_name
+
+    host                = "127.0.0.1"
+    path                = var.gateway_probe_path
+    protocol            = var.gateway_backend_protocol
+    interval            = var.gateway_probe_interval
+    timeout             = var.gateway_probe_timeout
+    unhealthy_threshold = var.gateway_probe_threshold
+  }
+
+  backend_http_settings {
+    name            = local.gateway_backend_http_settings_name
+    path            = var.gateway_backend_path
+    port            = var.gateway_backend_port
+    protocol        = var.gateway_backend_protocol
+    request_timeout = var.gateway_backend_request_timeout
+
+    # Use dedicated HTTP probe
+    probe_name = local.gateway_http_probe_name
+
+    cookie_based_affinity = "Disabled"
+  }
+
+  http_listener {
+    name                           = local.gateway_http_listener_name
+    frontend_ip_configuration_name = local.gateway_frontend_ip_configuration_name
+    frontend_port_name             = local.gateway_frontend_port_name
+    protocol                       = "Https"
+    ssl_certificate_name           = local.gateway_ssl_certificate_name
+  }
+
+  request_routing_rule {
+    name                       = local.gateway_request_routing_rule_name
+    priority                   = 1
+    rule_type                  = "Basic"
+    http_listener_name         = local.gateway_http_listener_name
+    backend_address_pool_name  = local.gateway_backend_address_pool_name
+    backend_http_settings_name = local.gateway_backend_http_settings_name
+  }
+
+  tags = var.tags
+}
diff --git a/modules/application_gateway/outputs.tf b/modules/application_gateway/outputs.tf
@@ -0,0 +1,9 @@
+output "gateway_id" {
+  description = "Identifier of the application gateway for GraphDB"
+  value       = azurerm_application_gateway.graphdb.id
+}
+
+output "gateway_backend_address_pool_id" {
+  description = "Identifier of the application gateway backend address pool"
+  value       = one(azurerm_application_gateway.graphdb.backend_address_pool).id
+}