Cosmos mongo (#15)

* cosmosDb configuration Co-authored-by: anttorre <[email protected]>
pagopa · Oct 15, 2021 · 3fedf23 · 3fedf23
1 parent f89b67a
commit 3fedf23
Show file tree

Hide file tree

Showing 10 changed files with 532 additions and 21 deletions.
diff --git a/src/core/dns_private.tf b/src/core/dns_private.tf
@@ -0,0 +1,53 @@
+resource "azurerm_private_dns_zone" "privatelink_documents_azure_com" {
+  name                = "privatelink.documents.azure.com"
+  resource_group_name = azurerm_resource_group.rg_vnet.name
+
+  tags = var.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_documents_azure_com_vnet" {
+  name                  = module.vnet.name
+  resource_group_name   = azurerm_resource_group.rg_vnet.name
+  private_dns_zone_name = azurerm_private_dns_zone.privatelink_documents_azure_com.name
+  virtual_network_id    = module.vnet.id
+  registration_enabled  = false
+
+  tags = var.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_documents_azure_com_vnet_integration" {
+  name                  = module.vnet_integration.name
+  resource_group_name   = azurerm_resource_group.rg_vnet.name
+  private_dns_zone_name = azurerm_private_dns_zone.privatelink_documents_azure_com.name
+  virtual_network_id    = module.vnet_integration.id
+  registration_enabled  = false
+
+  tags = var.tags
+}
+
+resource "azurerm_private_dns_zone" "privatelink_mongo_cosmos_azure_com" {
+  name                = "privatelink.mongo.cosmos.azure.com"
+  resource_group_name = azurerm_resource_group.rg_vnet.name
+
+  tags = var.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_mongo_cosmos_azure_com_vnet" {
+  name                  = module.vnet.name
+  resource_group_name   = azurerm_resource_group.rg_vnet.name
+  private_dns_zone_name = azurerm_private_dns_zone.privatelink_mongo_cosmos_azure_com.name
+  virtual_network_id    = module.vnet.id
+  registration_enabled  = false
+
+  tags = var.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_mongo_cosmos_azure_com_vnet_integration" {
+  name                  = module.vnet_integration.name
+  resource_group_name   = azurerm_resource_group.rg_vnet.name
+  private_dns_zone_name = azurerm_private_dns_zone.privatelink_mongo_cosmos_azure_com.name
+  virtual_network_id    = module.vnet_integration.id
+  registration_enabled  = false
+
+  tags = var.tags
+}
diff --git a/src/core/env/dev/terraform.tfvars b/src/core/env/dev/terraform.tfvars
@@ -13,13 +13,14 @@ lock_enable = false
 
 # networking
 # main vnet
-cidr_vnet                = ["10.1.0.0/16"]
-cidr_subnet_k8s          = ["10.1.0.0/17"]
-cidr_subnet_appgateway   = ["10.1.128.0/24"]
-cidr_subnet_azdoa        = ["10.1.130.0/24"]
-cidr_subnet_redis        = ["10.1.132.0/24"]
-cidr_subnet_vpn          = ["10.1.133.0/24"]
-cidr_subnet_dnsforwarder = ["10.1.134.0/29"]
+cidr_vnet                    = ["10.1.0.0/16"]
+cidr_subnet_k8s              = ["10.1.0.0/17"]
+cidr_subnet_appgateway       = ["10.1.128.0/24"]
+cidr_subnet_azdoa            = ["10.1.130.0/24"]
+cidr_subnet_redis            = ["10.1.132.0/24"]
+cidr_subnet_vpn              = ["10.1.133.0/24"]
+cidr_subnet_dnsforwarder     = ["10.1.134.0/29"]
+cidr_subnet_cosmosdb_mongodb = ["10.1.135.0/24"]
 
 # integration vnet
 # https://www.davidc.net/sites/default/subnets/subnets.html?network=10.230.7.0&mask=24&division=7.31
@@ -47,3 +48,7 @@ aks_alerts_enabled = false
 # This is the k8s ingress controller ip. It must be in the aks subnet range.
 reverse_proxy_ip = "10.1.0.250"
 aks_max_pods     = 100
+
+# CosmosDb MongoDb
+cosmosdb_mongodb_enable_serverless             = true
+cosmosdb_mongodb_public_network_access_enabled = true
diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars
@@ -13,13 +13,14 @@ lock_enable = true
 
 # networking
 # main vnet
-cidr_vnet                = ["10.1.0.0/16"]
-cidr_subnet_k8s          = ["10.1.0.0/17"]
-cidr_subnet_appgateway   = ["10.1.128.0/24"]
-cidr_subnet_azdoa        = ["10.1.130.0/24"]
-cidr_subnet_redis        = ["10.1.132.0/24"]
-cidr_subnet_vpn          = ["10.1.133.0/24"]
-cidr_subnet_dnsforwarder = ["10.1.134.0/29"]
+cidr_vnet                    = ["10.1.0.0/16"]
+cidr_subnet_k8s              = ["10.1.0.0/17"]
+cidr_subnet_appgateway       = ["10.1.128.0/24"]
+cidr_subnet_azdoa            = ["10.1.130.0/24"]
+cidr_subnet_redis            = ["10.1.132.0/24"]
+cidr_subnet_vpn              = ["10.1.133.0/24"]
+cidr_subnet_dnsforwarder     = ["10.1.134.0/29"]
+cidr_subnet_cosmosdb_mongodb = ["10.1.135.0/24"]
 
 # integration vnet
 # https://www.davidc.net/sites/default/subnets/subnets.html?network=10.230.7.0&mask=24&division=7.31
@@ -56,3 +57,10 @@ aks_node_count = 1 # TODO to define before release to prod
 aks_max_pods   = 100
 # aks_vm_size            = "Standard_D8S_v3" # TODO to define and uncomment before release to prod
 # aks_sku_tier           = "Paid"            # TODO to define and uncomment before release to prod
+
+# CosmosDb MongoDb
+cosmosdb_mongodb_enable_serverless = true # TODO set to false before launch
+# cosmosdb_mongodb_enable_autoscaling = true TODO uncomment befor launch
+# cosmosdb_mongodb_max_throughput TODO define before launch
+cosmosdb_mongodb_enable_free_tier = true # TODO change to false before launch
+# cosmosdb_mongodb_additional_geo_locations TODO do we want replication?
diff --git a/src/core/env/uat/terraform.tfvars b/src/core/env/uat/terraform.tfvars
@@ -13,13 +13,14 @@ lock_enable = true
 
 # networking
 # main vnet
-cidr_vnet                = ["10.1.0.0/16"]
-cidr_subnet_k8s          = ["10.1.0.0/17"]
-cidr_subnet_appgateway   = ["10.1.128.0/24"]
-cidr_subnet_azdoa        = ["10.1.130.0/24"]
-cidr_subnet_redis        = ["10.1.132.0/24"]
-cidr_subnet_vpn          = ["10.1.133.0/24"]
-cidr_subnet_dnsforwarder = ["10.1.134.0/29"]
+cidr_vnet                    = ["10.1.0.0/16"]
+cidr_subnet_k8s              = ["10.1.0.0/17"]
+cidr_subnet_appgateway       = ["10.1.128.0/24"]
+cidr_subnet_azdoa            = ["10.1.130.0/24"]
+cidr_subnet_redis            = ["10.1.132.0/24"]
+cidr_subnet_vpn              = ["10.1.133.0/24"]
+cidr_subnet_dnsforwarder     = ["10.1.134.0/29"]
+cidr_subnet_cosmosdb_mongodb = ["10.1.135.0/24"]
 
 # integration vnet
 # https://www.davidc.net/sites/default/subnets/subnets.html?network=10.230.7.0&mask=24&division=7.31
@@ -47,3 +48,6 @@ aks_alerts_enabled = false
 # This is the k8s ingress controller ip. It must be in the aks subnet range.
 reverse_proxy_ip = "10.1.0.250"
 aks_max_pods     = 100
+
+# CosmosDb MongoDb
+cosmosdb_mongodb_enable_serverless = true
diff --git a/src/core/mongodb.tf b/src/core/mongodb.tf
@@ -0,0 +1,77 @@
+resource "azurerm_resource_group" "mongodb_rg" {
+  name     = format("%s-cosmosdb-mongodb-rg", local.project)
+  location = var.location
+
+  tags = var.tags
+}
+
+locals {
+  base_capabilities = [
+    "EnableMongo"
+  ]
+}
+
+# APIM subnet
+module "cosmosdb_mongodb_snet" {
+  source               = "git::https://github.com/pagopa/azurerm.git//subnet?ref=v1.0.58"
+  name                 = format("%s-cosmosb-mongodb-snet", local.project)
+  resource_group_name  = azurerm_resource_group.rg_vnet.name
+  virtual_network_name = module.vnet.name
+  address_prefixes     = var.cidr_subnet_cosmosdb_mongodb
+
+  enforce_private_link_endpoint_network_policies = true
+  service_endpoints                              = ["Microsoft.Web"]
+}
+
+module "cosmosdb_account_mongodb" {
+  source = "../modules/azurerm_cosmosdb_account"
+
+  name                 = format("%s-cosmosdb-mongodb-account", local.project)
+  location             = azurerm_resource_group.mongodb_rg.location
+  resource_group_name  = azurerm_resource_group.mongodb_rg.name
+  offer_type           = var.cosmosdb_mongodb_offer_type
+  kind                 = "MongoDB"
+  subnet_id            = module.cosmosdb_mongodb_snet.id
+  private_dns_zone_ids = [azurerm_private_dns_zone.privatelink_mongo_cosmos_azure_com.id]
+
+  enable_free_tier = var.cosmosdb_mongodb_enable_free_tier
+
+  public_network_access_enabled     = var.cosmosdb_mongodb_public_network_access_enabled
+  is_virtual_network_filter_enabled = true
+
+  mongo_server_version = "4.0"
+
+  capabilities = var.cosmosdb_mongodb_enable_serverless ? concat(local.base_capabilities, ["EnableServerless"]) : local.base_capabilities
+
+  consistency_policy = var.cosmosdb_mongodb_consistency_policy
+
+  main_geo_location_location = azurerm_resource_group.mongodb_rg.location
+
+  additional_geo_locations = var.cosmosdb_mongodb_additional_geo_locations
+
+  tags = var.tags
+}
+
+resource "azurerm_cosmosdb_mongo_database" "mongodb" {
+  name                = format("%s-cosmosdb-mongodb", local.project)
+  resource_group_name = azurerm_resource_group.mongodb_rg.name
+  account_name        = module.cosmosdb_account_mongodb.name
+
+  throughput = var.cosmosdb_mongodb_enable_autoscaling || var.cosmosdb_mongodb_enable_serverless ? null : var.cosmosdb_mongodb_throughput
+
+  dynamic "autoscale_settings" {
+    for_each = var.cosmosdb_mongodb_enable_autoscaling && !var.cosmosdb_mongodb_enable_serverless ? [""] : []
+    content {
+      max_throughput = var.cosmosdb_mongodb_max_throughput
+    }
+  }
+}
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "cosmosdb_account_mongodb_connection_strings" {
+  name         = "mongodb-connection-string"
+  value        = module.cosmosdb_account_mongodb.connection_strings[0]
+  content_type = "text/plain"
+
+  key_vault_id = module.key_vault.id
+}
diff --git a/src/core/outputs.tf b/src/core/outputs.tf
@@ -118,3 +118,31 @@ output "api_fqdn" {
 output "reverse_proxy_ip" {
   value = var.reverse_proxy_ip
 }
+
+## CosmosDb - MongoDB ##
+output "cosmosdb_account_mongodb_id" {
+  value = module.cosmosdb_account_mongodb.id
+}
+
+output "cosmosdb_account_mongodb_endpoint" {
+  value = module.cosmosdb_account_mongodb.endpoint
+}
+
+output "cosmosdb_account_mongodb_primary_key" {
+  value     = module.cosmosdb_account_mongodb.primary_key
+  sensitive = true
+}
+
+output "cosmosdb_account_mongodb_primary_readonly_key" {
+  value     = module.cosmosdb_account_mongodb.primary_readonly_master_key
+  sensitive = true
+}
+
+output "cosmosdb_account_mongodb_connection_strings" {
+  value     = module.cosmosdb_account_mongodb.connection_strings
+  sensitive = true
+}
+
+output "cosmosdb_mongodb_id" {
+  value = azurerm_cosmosdb_mongo_database.mongodb.id
+}
diff --git a/src/core/variables.tf b/src/core/variables.tf
@@ -405,6 +405,11 @@ variable "cidr_subnet_dnsforwarder" {
   description = "DNS Forwarder network address space."
 }
 
+variable "cidr_subnet_cosmosdb_mongodb" {
+  type        = list(string)
+  description = "Application gateway address space."
+}
+
 # DNS
 variable "dns_default_ttl_sec" {
   type        = number
@@ -487,3 +492,69 @@ variable "enable_iac_pipeline" {
   description = "If true create the key vault policy to allow used by azure devops iac pipelines."
   default     = false
 }
+
+# CosmosDb Mongo
+variable "cosmosdb_mongodb_offer_type" {
+  type        = string
+  description = "Specifies the Offer Type to use for this CosmosDB Account - currently this can only be set to Standard"
+  default     = "Standard"
+}
+
+variable "cosmosdb_mongodb_enable_free_tier" {
+  type        = bool
+  description = "Enable Free Tier pricing option for this Cosmos DB account"
+  default     = true
+}
+
+variable "cosmosdb_mongodb_public_network_access_enabled" {
+  type        = bool
+  description = "Whether or not public network access is allowed for this CosmosDB account"
+  default     = false
+}
+
+variable "cosmosdb_mongodb_consistency_policy" {
+  type = object({
+    consistency_level       = string
+    max_interval_in_seconds = number
+    max_staleness_prefix    = number
+  })
+
+  default = {
+    consistency_level       = "Session"
+    max_interval_in_seconds = null
+    max_staleness_prefix    = null
+  }
+}
+
+variable "cosmosdb_mongodb_additional_geo_locations" {
+  type = list(object({
+    location          = string
+    failover_priority = number
+  }))
+  description = "The name of the Azure region to host replicated data and the priority to apply starting from 1. Not used when cosmosdb_mongodb_enable_serverless"
+  default     = []
+}
+
+variable "cosmosdb_mongodb_throughput" {
+  type        = number
+  description = "The throughput of the MongoDB database (RU/s). Must be set in increments of 100. The minimum value is 400. This must be set upon database creation otherwise it cannot be updated without a manual terraform destroy-apply."
+  default     = 400
+}
+
+variable "cosmosdb_mongodb_enable_serverless" {
+  type        = bool
+  description = "It will enable serverless mode. If true, cosmosdb_mongodb_throughput and cosmosdb_mongodb_enable_autoscaling will be ignored"
+  default     = false
+}
+
+variable "cosmosdb_mongodb_enable_autoscaling" {
+  type        = bool
+  description = "It will enable autoscaling mode. If true, cosmosdb_mongodb_throughput must be unset"
+  default     = false
+}
+
+variable "cosmosdb_mongodb_max_throughput" {
+  type        = number
+  description = "The maximum throughput of the MongoDB database (RU/s). Must be between 4,000 and 1,000,000. Must be set in increments of 1,000. Conflicts with throughput"
+  default     = 4000
+}