Last active
August 22, 2021 16:50
-
-
Save xximjasonxx/191d5a0e26b173fac5ce234bdcd087bc to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# create the resource group | |
resource azurerm_resource_group this { | |
name = "rg-secureapp2" | |
location = "eastus2" | |
} | |
# create random string generator | |
resource random_string this { | |
length = 4 | |
special = false | |
upper = false | |
number = true | |
} | |
locals { | |
resource_base_name = "secureapp${random_string.this.result}" | |
allowed_ips = var.my_ip == null ? [] : [ var.my_ip ] | |
} | |
# create the private vnet | |
module vnet { | |
source = "./modules/virtualnetwork" | |
depends_on = [ | |
azurerm_resource_group.this | |
] | |
network_name = "secureapp2" | |
resource_group_name = azurerm_resource_group.this.name | |
resource_group_location = azurerm_resource_group.this.location | |
address_space = [ "10.1.0.0/16" ] | |
subnets = { | |
storage_subnet = { | |
name = "storage" | |
address_prefix = "10.1.1.0/24", | |
allow_private_endpoint_policy = true | |
service_endpoints = [ "Microsoft.Storage" ] | |
} | |
apps_subnet = { | |
name = "apps" | |
address_prefix = "10.1.2.0/24" | |
delegations = { | |
appservice = { | |
name = "appservice-delegation" | |
service_delegations = { | |
webfarm = { | |
name = "Microsoft.Web/serverFarms" | |
actions = [ | |
"Microsoft.Network/virtualNetworks/subnets/action" | |
] | |
} | |
} | |
} | |
} | |
} | |
} | |
} | |
# create storage account | |
module storage { | |
source = "./modules/storage" | |
depends_on = [ | |
module.vnet | |
] | |
resource_group_name = azurerm_resource_group.this.name | |
resource_group_location = azurerm_resource_group.this.location | |
storage_account_name = local.resource_base_name | |
container_name = "pictures" | |
vnet_id = module.vnet.vnet_id | |
allowed_ips = local.allowed_ips | |
private_endpoints = { | |
pe = { | |
name = "pe-${local.resource_base_name}" | |
subnet_id = module.vnet.subnets["storage"] | |
subresource_names = [ "blob" ] | |
} | |
} | |
} | |
# create app service | |
module appservice { | |
source = "./modules/appservice" | |
depends_on = [ | |
module.storage | |
] | |
resource_group_name = azurerm_resource_group.this.name | |
resource_group_location = azurerm_resource_group.this.location | |
appservice_name = local.resource_base_name | |
storage_account_endpoint = module.storage.container_endpoint | |
private_connections = { | |
pc = { | |
subnet_id = module.vnet.subnets["apps"] | |
} | |
} | |
} | |
# assign the identity to the storage account roles | |
resource azurerm_role_assignment this { | |
scope = module.storage.storage_account_container_id | |
role_definition_name = "Storage Blob Data Contributor" | |
principal_id = module.appservice.appservice_identity_id | |
depends_on = [ | |
module.appservice, | |
module.storage | |
] | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment