# Naming scheme shared by every resource in this module: prefix/suffix
# come from variables and are interpolated verbatim.
# NOTE(review): Azure storage account names must be 3-24 characters of
# lowercase letters and digits only. Nothing here lowercases or validates
# var.prefix / var.suffix, so callers must keep them within that charset.
locals {
  resource_group_name   = format("%s-rg", var.prefix)
  storage_account_name  = format("%sstorage%s", var.prefix, var.suffix)
  app_service_plan_name = format("%s-app-service-plan-%s", var.prefix, var.suffix)
  function_app_name     = format("%s-functionapp-%s", var.prefix, var.suffix)
  managed_identity_name = format("%s-identity-%s", var.prefix, var.suffix)
}
# Resource group that contains everything else in this module.
resource "azurerm_resource_group" "example" {
  name     = local.resource_group_name
  location = var.location
  tags     = var.tags
}
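# Storage account that holds the input/output containers and the Functions
# host state.
resource "azurerm_storage_account" "example" {
  name                     = local.storage_account_name
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_kind             = var.account_kind
  account_tier             = var.account_tier
  account_replication_type = var.account_replication_type
  tags                     = var.tags

  # Hardening. The containers created in this module are private; this also
  # closes the account-level switch that would let any container be made
  # publicly readable later.
  allow_nested_items_to_be_public = false
  min_tls_version                 = "TLS1_2"
  # NOTE(review): shared_access_key_enabled is left at its default (true)
  # because the function app is wired to this account's primary access key.
  # Disable it once the host connection is moved to the managed identity.
  # NOTE(review): network access is not restricted here; if the hosting plan
  # supports VNet integration, consider network_rules / private endpoints.

  # This system-assigned identity is not referenced anywhere in this file.
  identity {
    type = "SystemAssigned"
  }

  lifecycle {
    # Tags are applied on create only; later changes made outside Terraform
    # (e.g. by Azure Policy) are not reverted.
    ignore_changes = [tags]
  }
}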
# Container the function reads from. Access type is private, so no anonymous
# blob or container listing is possible.
resource "azurerm_storage_container" "input" {
  storage_account_id    = azurerm_storage_account.example.id
  name                  = var.input_container_name
  container_access_type = "private"
}
# Container the function writes to. Access type is private, so no anonymous
# blob or container listing is possible.
resource "azurerm_storage_container" "output" {
  storage_account_id    = azurerm_storage_account.example.id
  name                  = var.output_container_name
  container_access_type = "private"
}
# User-assigned identity for the function app. Only created when
# var.managed_identity_type is "UserAssigned"; otherwise the function app's
# own system-assigned identity is used and this resource has zero instances.
resource "azurerm_user_assigned_identity" "identity" {
  count = var.managed_identity_type != "UserAssigned" ? 0 : 1

  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  name                = local.managed_identity_name
}
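# Let the function app's identity read and write blob data in the account.
# NOTE(review): the scope is the whole storage account. If the function only
# reads from the input container and writes to the output container, two
# assignments scoped to azurerm_storage_container.input (Storage Blob Data
# Reader) and .output (Storage Blob Data Contributor) would be tighter.
resource "azurerm_role_assignment" "blob_contributor" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Contributor"

  # Declaring the principal type lets ARM skip the directory lookup that
  # fails with "PrincipalNotFound" when the managed identity was created
  # moments earlier and has not replicated yet. Changing this attribute
  # forces replacement, so existing deployments will see the assignment
  # recreated once on the next apply.
  principal_type = "ServicePrincipal"

  # With SystemAssigned the principal only exists after the function app is
  # created, so this resource implicitly depends on
  # azurerm_linux_function_app.example. The [0] index is only evaluated on
  # the branch that is selected.
  principal_id = var.managed_identity_type == "UserAssigned" ? azurerm_user_assigned_identity.identity[0].principal_id : azurerm_linux_function_app.example.identity[0].principal_id
}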
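# Let the function app's identity read and write queue messages in the
# account (used by the identity-based host/binding connection).
# NOTE(review): scoped to the whole storage account; narrow to a specific
# queue if the function only ever touches one.
resource "azurerm_role_assignment" "queue_contributor" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Queue Data Contributor"

  # Declaring the principal type lets ARM skip the directory lookup that
  # fails with "PrincipalNotFound" when the managed identity was created
  # moments earlier and has not replicated yet. Changing this attribute
  # forces replacement, so existing deployments will see the assignment
  # recreated once on the next apply.
  principal_type = "ServicePrincipal"

  # With SystemAssigned the principal only exists after the function app is
  # created, so this resource implicitly depends on
  # azurerm_linux_function_app.example. The [0] index is only evaluated on
  # the branch that is selected.
  principal_id = var.managed_identity_type == "UserAssigned" ? azurerm_user_assigned_identity.identity[0].principal_id : azurerm_linux_function_app.example.identity[0].principal_id
}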
# Hosting plan for the function app. SKU, OS and zone balancing are all
# caller-supplied.
resource "azurerm_service_plan" "example" {
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  name                = local.app_service_plan_name

  os_type                = var.os_type
  sku_name               = var.sku_name
  zone_balancing_enabled = var.zone_balancing_enabled
  tags                   = var.tags

  lifecycle {
    # Tag drift made outside Terraform is tolerated.
    ignore_changes = [tags]
  }
}
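# Linux (Python) function app that reads from the input container and writes
# to the output container.
#
# Security notes:
#   * The Functions host storage (AzureWebJobsStorage) is still key-based:
#     the account's primary access key is passed to storage_account_access_key
#     and is also written verbatim into app settings, so it lives in Terraform
#     state and in the app configuration. Moving the host connection to the
#     identity (storage_uses_managed_identity = true plus
#     AzureWebJobsStorage__accountName) additionally requires the identity to
#     hold Storage Blob Data Owner on the account, which this module does not
#     grant, so that change is left as a follow-up rather than made here.
#   * The trigger/binding connection (STORAGE_ACCOUNT_CONNECTION_STRING__*)
#     is identity-based. With a user-assigned identity the host must be told
#     which identity to use, otherwise it falls back to a system-assigned
#     identity that does not exist when the type is "UserAssigned". The
#     __credential / __clientId settings below provide that.
resource "azurerm_linux_function_app" "example" {
  name                = local.function_app_name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  service_plan_id     = azurerm_service_plan.example.id
  tags                = var.tags

  # Backing storage for the Functions host (see security note above).
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  https_only                    = var.https_only
  public_network_access_enabled = var.public_network_access_enabled
  functions_extension_version   = "~4"

  identity {
    type = var.managed_identity_type
    # identity_ids must be empty for SystemAssigned; the [0] index is only
    # evaluated on the branch that is selected.
    identity_ids = var.managed_identity_type == "UserAssigned" ? [azurerm_user_assigned_identity.identity[0].id] : []
  }

  site_config {
    always_on           = var.always_on
    minimum_tls_version = var.minimum_tls_version

    application_stack {
      python_version = var.python_version
    }
  }

  app_settings = merge(
    {
      SCM_DO_BUILD_DURING_DEPLOYMENT = "true"
      ENABLE_ORYX_BUILD              = "true"

      # Same account/key as storage_account_name/storage_account_access_key
      # above; kept so existing deployments see no diff. Contains the key.
      AzureWebJobsStorage = "DefaultEndpointsProtocol=https;AccountName=${azurerm_storage_account.example.name};AccountKey=${azurerm_storage_account.example.primary_access_key};EndpointSuffix=core.windows.net;"

      # Identity-based connection used by the blob/queue/table bindings.
      STORAGE_ACCOUNT_CONNECTION_STRING__blobServiceUri  = azurerm_storage_account.example.primary_blob_endpoint
      STORAGE_ACCOUNT_CONNECTION_STRING__queueServiceUri = azurerm_storage_account.example.primary_queue_endpoint
      STORAGE_ACCOUNT_CONNECTION_STRING__tableServiceUri = azurerm_storage_account.example.primary_table_endpoint

      INPUT_STORAGE_CONTAINER_NAME  = var.input_container_name
      OUTPUT_STORAGE_CONTAINER_NAME = var.output_container_name
      FUNCTIONS_WORKER_RUNTIME      = var.runtime_name
      FUNCTIONS_EXTENSION_VERSION   = "~4"
    },
    # Settings that only apply with a user-assigned identity. AZURE_CLIENT_ID
    # used to be set to "" for SystemAssigned; it is now omitted instead,
    # which the azure-identity SDKs should treat the same way (empty == unset)
    # — TODO confirm against the worker's SDK version. tomap() keeps both
    # branches of the conditional the same type.
    var.managed_identity_type == "UserAssigned" ? tomap({
      AZURE_CLIENT_ID                               = azurerm_user_assigned_identity.identity[0].client_id
      STORAGE_ACCOUNT_CONNECTION_STRING__credential = "managedidentity"
      STORAGE_ACCOUNT_CONNECTION_STRING__clientId   = azurerm_user_assigned_identity.identity[0].client_id
    }) : tomap({})
  )

  lifecycle {
    # Tag drift made outside Terraform is tolerated.
    ignore_changes = [tags]
  }
}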
# Optional Git-based deployment, configured only when a repo_url is supplied.
# The "main" branch is tracked, so every push to it is deployed to the
# function app — treat write access to that branch as production access.
# NOTE(review): the branch is hard-coded and use_manual_integration is not
# set (provider default applies); confirm that matches how the repository is
# hosted and authenticated.
resource "azurerm_app_service_source_control" "example" {
  count = var.repo_url != "" ? 1 : 0

  app_id   = azurerm_linux_function_app.example.id
  repo_url = var.repo_url
  branch   = "main"
}