# Resource group that holds every resource declared in this file.
resource "azurerm_resource_group" "this" {
  location = "eastus2"
  name     = "rg-secureapp2"
}
# Four-character lowercase alphanumeric suffix; appended to names below so
# globally scoped resources (e.g. the storage account) do not collide.
# NOTE(review): newer hashicorp/random releases rename `number` to `numeric`;
# keep `number` unless the pinned provider version accepts the new argument.
resource "random_string" "this" {
  length  = 4
  number  = true
  upper   = false
  special = false
}
locals {
  # Base name shared by the storage account and the app service.
  # "secureapp" + 4 lowercase alphanumerics = 13 chars, within the
  # 3-24 lowercase-alphanumeric limit for storage account names.
  resource_base_name = "secureapp${random_string.this.result}"

  # Public source-IP allow-list handed to the storage module. Stays empty
  # unless the caller supplies var.my_ip; presumably the module then denies
  # all public access — confirm against ./modules/storage.
  allowed_ips = var.my_ip == null ? [] : [var.my_ip]
}
# Private virtual network with two subnets: one hosting the storage private
# endpoint, one delegated to App Service for regional VNet integration.
module "vnet" {
  source = "./modules/virtualnetwork"

  network_name            = "secureapp2"
  resource_group_name     = azurerm_resource_group.this.name
  resource_group_location = azurerm_resource_group.this.location
  address_space           = ["10.1.0.0/16"]

  subnets = {
    # Hosts the blob private endpoint created by the storage module.
    # NOTE(review): the Microsoft.Storage service endpoint here only affects
    # traffic originating in this subnet; the app's traffic comes from the
    # "apps" subnet, so this endpoint may be redundant — confirm with the
    # storage module's network rules before removing it.
    storage_subnet = {
      name                          = "storage"
      address_prefix                = "10.1.1.0/24"
      allow_private_endpoint_policy = true
      service_endpoints             = ["Microsoft.Storage"]
    }

    # Delegated to Microsoft.Web/serverFarms so the App Service plan can
    # inject its outbound traffic into this VNet.
    apps_subnet = {
      name           = "apps"
      address_prefix = "10.1.2.0/24"
      delegations = {
        appservice = {
          name = "appservice-delegation"
          service_delegations = {
            webfarm = {
              name    = "Microsoft.Web/serverFarms"
              actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
            }
          }
        }
      }
    }
  }

  # Redundant with the attribute references above, kept for explicit ordering.
  depends_on = [azurerm_resource_group.this]
}
# Storage account plus a "pictures" container, reachable over a blob private
# endpoint in the storage subnet. Public access is limited to local.allowed_ips
# (empty unless var.my_ip is set).
# NOTE(review): a private endpoint only helps if the app resolves
# <account>.blob.core.windows.net to the endpoint's private IP; that requires a
# privatelink.blob.core.windows.net private DNS zone linked to this VNet —
# presumably handled inside the module (vnet_id is passed in), verify there.
module "storage" {
  source = "./modules/storage"

  resource_group_name     = azurerm_resource_group.this.name
  resource_group_location = azurerm_resource_group.this.location
  storage_account_name    = local.resource_base_name
  container_name          = "pictures"
  vnet_id                 = module.vnet.vnet_id
  allowed_ips             = local.allowed_ips

  private_endpoints = {
    pe = {
      name             = "pe-${local.resource_base_name}"
      subnet_id        = module.vnet.subnets["storage"]
      subresource_names = ["blob"]
    }
  }

  depends_on = [module.vnet]
}
# App Service integrated into the "apps" subnet so its outbound calls to the
# storage container traverse the VNet instead of the public internet.
# The module is expected to expose the app's managed identity as
# appservice_identity_id (used by the role assignment below).
module "appservice" {
  source = "./modules/appservice"

  resource_group_name      = azurerm_resource_group.this.name
  resource_group_location  = azurerm_resource_group.this.location
  appservice_name          = local.resource_base_name
  storage_account_endpoint = module.storage.container_endpoint

  private_connections = {
    pc = {
      subnet_id = module.vnet.subnets["apps"]
    }
  }

  depends_on = [module.storage]
}
# Grant the app's managed identity read/write on blobs, scoped to the single
# container rather than the whole account (least privilege).
# NOTE(review): assigning a role to an identity created in the same apply can
# fail with PrincipalNotFound while Azure AD replicates; if that happens,
# `skip_service_principal_aad_check = true` on this resource is the usual fix.
resource "azurerm_role_assignment" "this" {
  principal_id         = module.appservice.appservice_identity_id
  role_definition_name = "Storage Blob Data Contributor"
  scope                = module.storage.storage_account_container_id

  # scope and principal_id already reference both modules, so Terraform
  # orders this resource after them; depends_on is kept only for clarity.
  depends_on = [
    module.storage,
    module.appservice,
  ]
}