From 6b5384c8329e2bfe5be309d97098df17b02009e7 Mon Sep 17 00:00:00 2001
From: Umberto Coppola Bottazzi <40359627+umbcoppolabottazzi@users.noreply.github.com>
Date: Fri, 12 Jan 2024 16:58:56 +0100
Subject: [PATCH] feat: Add scale set for dns forwarder (#101)
* feat: add scale set for dns forwarder
* code review
* fix: code review
* fix pre-commit
* minor fix
---
 src/.env/dev/terraform.tfvars | 7 ++
 src/core/00_network.tf | 4 +
 src/core/09_dns_forwarder.tf | 110 ++++++++++++++++++++++++++++
 src/core/99_variables.tf | 37 ++++++++++
 src/core/README.md | 10 +++
 src/packer/02_dns_forwarder.tf | 15 ++++
 src/packer/99_variables.tf | 4 +
 src/packer/README.md | 3 +
 src/packer/env/dev/terraform.tfvars | 2 +
 9 files changed, 192 insertions(+)
 create mode 100644 src/core/00_network.tf
 create mode 100644 src/core/09_dns_forwarder.tf
 create mode 100644 src/packer/02_dns_forwarder.tf
diff --git a/src/.env/dev/terraform.tfvars b/src/.env/dev/terraform.tfvars
index 3e24a90e..75c934cb 100644
--- a/src/.env/dev/terraform.tfvars
+++ b/src/.env/dev/terraform.tfvars
@@ -31,6 +31,8 @@ cidr_subnet_apim = ["10.1.136.0/24"]
 cidr_subnet_appgateway_beta = ["10.1.138.0/24"]
 cidr_subnet_vpn = ["10.1.139.0/24"]
 cidr_subnet_dnsforwarder = ["10.1.140.0/29"]
+cidr_subnet_dns_forwarder_vms = ["10.1.140.16/29"]
+cidr_subnet_dns_forwarder_lb = ["10.1.140.8/29"]
 cidr_subnet_private_endpoints = ["10.1.141.0/24"]
 cidr_subnet_eventhub = ["10.1.142.0/24"]
 cidr_subnet_redis = ["10.1.143.0/24"]
@@ -55,6 +57,11 @@ enable_iac_pipeline = true
 vpn_enabled = true
 dns_forwarder_enabled = true
+dns_forwarder_lb_backend_pool_ips = {
+ vmss = ["10.1.140.20", "10.1.140.21", "10.1.140.22"]
+ ci = ["10.1.140.4", "10.1.140.5", "10.1.140.6"]
+} + + # app_gateway
 app_gateway_is_enabled = false
 app_gateway_sku_name = "Standard_v2"
diff --git a/src/core/00_network.tf b/src/core/00_network.tf
new file mode 100644
index 00000000..ecbfac51
--- /dev/null
+++ b/src/core/00_network.tf
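Review bot: The backend pool addresses are hard-coded here while the scale set that must actually own `10.1.140.20`–`.22` is created separately in 09_dns_forwarder.tf; nothing in the diff ties the two together, so an instance that is re-created or scaled out with a different address silently drops out of the pool. Those three addresses are the only usable hosts of `cidr_subnet_dns_forwarder_vms` (`10.1.140.16/29`, once Azure's reserved addresses are excluded), which is probably intended but nowhere stated. A comment above the map would make the coupling explicit, e.g. `# vmss: the three usable hosts of cidr_subnet_dns_forwarder_vms; ci: forwarder addresses inside cidr_subnet_dnsforwarder — keep in sync with 09_dns_forwarder.tf`. The `ci` entries `10.1.140.4`–`.6` fall inside the existing `cidr_subnet_dnsforwarder` range and presumably belong to the container-instance forwarder; confirm they are its static addresses.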
@@ -0,0 +1,4 @@
+data "azurerm_virtual_network" "vnet" {
+ name = "${local.project}-vnet"
+ resource_group_name = local.vnet_resource_group_name
+}
diff --git a/src/core/09_dns_forwarder.tf b/src/core/09_dns_forwarder.tf
new file mode 100644
index 00000000..46c432a8
--- /dev/null
+++ b/src/core/09_dns_forwarder.tf
@@ -0,0 +1,110 @@
+#
+# Subnet Vmss
+#
+
+module "dns_forwarder_vm_snet" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.41.0"
+ count = var.dns_forwarder_is_enabled ? 1 : 0
+
+ name = "${local.project}-dns-forwarder-vm-snet"
+ address_prefixes = var.cidr_subnet_dns_forwarder_vms
+ resource_group_name = local.vnet_resource_group_name
+ virtual_network_name = local.vnet_name
+}
+
+#
+# Scale Set
+#
+
+module "dns_forwarder_vmss" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_scale_set_vm?ref=v7.41.0"
+ count = var.dns_forwarder_is_enabled ? 1 : 0
+
+ name = "${local.project}-dns-forwarder-vmss"
+ resource_group_name = local.vnet_resource_group_name
+ subnet_id = module.dns_forwarder_vm_snet[0].id
+ subscription_name = data.azurerm_subscription.current.display_name
+ subscription_id = data.azurerm_subscription.current.subscription_id
+ location = var.location
+ source_image_name = local.dns_forwarder_vm_image_name
+
+ tags = var.tags
+}
+
+#
+# Subnet Load Balancer
+#
+
+module "dns_forwarder_lb_snet" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.41.0"
+ count = var.dns_forwarder_is_enabled ? 1 : 0
+
+ name = "${local.project}-dns-forwarder-lb-snet"
+ address_prefixes = var.cidr_subnet_dns_forwarder_lb
+ resource_group_name = local.vnet_resource_group_name
+ virtual_network_name = local.vnet_name
+}
+
+#
+# Load Balancer
+#
+
+module "dns_forwarder_lb" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//load_balancer?ref=v7.41.0"
+ count = var.dns_forwarder_is_enabled ? 1 : 0
+
+ name = "${local.project}-dns-forwarder-internal"
+ resource_group_name = local.vnet_resource_group_name
+ location = var.location
+ lb_sku = "Standard"
+ type = "private"
+
+ frontend_name = "${local.project}-dns-forwarder-ip-private"
+ frontend_private_ip_address_allocation = "Static"
+ frontend_private_ip_address = local.dns_forwarder_lb_private_ip
+ frontend_subnet_id = module.dns_forwarder_lb_snet[0].id
+
+ lb_backend_pools = [
+ {
+ name = "${var.prefix}-default-backend"
+ ips = flatten([
+ for type, ips in var.dns_forwarder_lb_backend_pool_ips : [
+ for ip in ips : {
+ type = type
+ ip = ip
+ vnet_id = data.azurerm_virtual_network.vnet.id
+ }
+ ]
+ ])
+ }
+ ]
+
+ lb_port = {
+ "${var.prefix}-dns-tcp" = {
+ frontend_port = "53"
+ protocol = "Tcp"
+ backend_port = "53"
+ backend_pool_name = "${var.prefix}-default-backend"
+ probe_name = "${var.prefix}-dns"
+ }
+ "${var.prefix}-dns-udp" = {
+ frontend_port = "53"
+ protocol = "Udp"
+ backend_port = "53"
+ backend_pool_name = "${var.prefix}-default-backend"
+ probe_name = "${var.prefix}-dns"
+ }
+ }
+
+ lb_probe = {
+ "${var.prefix}-dns" = {
+ protocol = "Tcp"
+ port = "53"
+ request_path = ""
+ }
+ }
+ tags = var.tags
+}
+
+
// Modificare nome del backendpool con un prefisso optional (vmss per le vm e ci per le container instance)
diff --git a/src/core/99_variables.tf b/src/core/99_variables.tf
index 22f39423..670851f3 100644
--- a/src/core/99_variables.tf
+++ b/src/core/99_variables.tf
@@ -43,6 +43,10 @@ locals {
 azuredevops_rg_name = "${local.project}-azdoa-rg"
 azuredevops_agent_vm_name = "${local.project}-vmss-ubuntu-azdoa"
 azuredevops_subnet_name = "${local.project}-azdoa-snet"
+
+ # Dns Forwarder
+ dns_forwarder_vm_image_name = "${local.project}-dns-forwarder-ubuntu2204-image-v1"
+ dns_forwarder_lb_private_ip = cidrhost(join(",", var.cidr_subnet_dns_forwarder_lb), 4)
 }
 variable "prefix" {
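Review bot: The file ends with an Italian `//` comment that reads as an unfinished TODO, in a file whose other comments use `#`; it should be translated and marked, e.g. `# TODO: make the backend pool name prefix optional (vmss for the VMs, ci for the container instances)`, or dropped if the `type` field on each pool entry already covers it. Every module is sourced from a git tag (`?ref=v7.41.0`), which matches the rest of the repository but remains a mutable reference; pinning to a commit SHA, or verifying the tag in CI, gives a supply-chain guarantee the tag alone does not. The probe `"${var.prefix}-dns"` is TCP/53 while the `-dns-udp` rule forwards DNS over UDP; Azure Load Balancer cannot probe UDP, so a backend whose UDP listener fails but still accepts TCP keeps receiving traffic, and a one-line comment on the `lb_probe` block saying the TCP probe is a proxy for UDP health would stop readers from mistaking it for a UDP check.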
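Review bot: `dns_forwarder_lb_private_ip` builds its CIDR with `join(",", var.cidr_subnet_dns_forwarder_lb)`, so a list with more than one prefix produces an invalid `"a,b"` string and the variable's default `[]` produces `cidrhost("", 4)`, which would likely fail at plan time even when `dns_forwarder_is_enabled` is false. Indexing the single prefix and guarding on the flag makes the intent explicit: `dns_forwarder_lb_private_ip = var.dns_forwarder_is_enabled ? cidrhost(var.cidr_subnet_dns_forwarder_lb[0], 4) : null`. A comment that host `4` is the first address Azure leaves usable in the subnet would also help the next reader. The `locals` block starts outside the hunk.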
@@ -358,3 +362,36 @@ variable "apim_subnet_nsg_security_rules" {
 variable "apim_enabled" {
 type = bool
 }
+
+#
+# dns forwarder
+#
+variable "dns_forwarder_is_enabled" {
+ type = bool
+ default = true
+ description = "Allow to enable or disable dns forwarder backup"
+}
+
+variable "dns_forwarder_vm_image_name" {
+ type = string
+ description = "Image name for dns forwarder"
+ default = null
+}
+
+variable "cidr_subnet_dns_forwarder_vms" {
+ type = list(string)
+ description = "Address prefixes subnet dns forwarder scale set"
+ default = []
+}
+
+variable "cidr_subnet_dns_forwarder_lb" {
+ type = list(string)
+ description = "Address prefixes subnet dns forwarder lb"
+ default = []
+}
+
+variable "dns_forwarder_lb_backend_pool_ips" {
+ type = map(list(string))
+ description = "Backend pool address for dns forwarder load balancer"
+ default = {}
+}
diff --git a/src/core/README.md b/src/core/README.md
index abbcd1a1..7dc1e0f3 100644
--- a/src/core/README.md
+++ b/src/core/README.md
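Review bot: `dns_forwarder_vm_image_name` is declared here with `default = null` but nothing in the diff reads it: 09_dns_forwarder.tf passes `local.dns_forwarder_vm_image_name`, a hard-coded `…-ubuntu2204-image-v1`. Either drop the variable or make the local fall back to it, `dns_forwarder_vm_image_name = coalesce(var.dns_forwarder_vm_image_name, "${local.project}-dns-forwarder-ubuntu2204-image-v1")`, so an environment can pin a different image build without editing the local. `dns_forwarder_is_enabled` (default `true`) now sits beside the pre-existing `dns_forwarder_enabled` (default `false` per the README), and the dev tfvars in this diff sets only the old one; with the new default the scale set, subnets and load balancer are created in every environment regardless of the old flag, which looks unintended. The description "dns forwarder backup" should at least state which resources each flag controls and whether the new one is meant to depend on the old.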
@@ -44,7 +44,11 @@ az network dns zone show \
 | [azdoa\_vmss\_li](#module\_azdoa\_vmss\_li) | git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent | v7.23.0 |
 | [container\_registry\_private](#module\_container\_registry\_private) | git::https://github.com/pagopa/terraform-azurerm-v3.git//container_registry | v7.23.0 |
 | [dns\_forwarder](#module\_dns\_forwarder) | git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder | v7.23.0 |
+| [dns\_forwarder\_lb](#module\_dns\_forwarder\_lb) | git::https://github.com/pagopa/terraform-azurerm-v3.git//load_balancer | v7.41.0 |
+| [dns\_forwarder\_lb\_snet](#module\_dns\_forwarder\_lb\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.41.0 |
 | [dns\_forwarder\_snet](#module\_dns\_forwarder\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.23.0 |
+| [dns\_forwarder\_vm\_snet](#module\_dns\_forwarder\_vm\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.41.0 |
+| [dns\_forwarder\_vmss](#module\_dns\_forwarder\_vmss) | git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_scale_set_vm | v7.41.0 |
 | [postgres](#module\_postgres) | git::https://github.com/pagopa/terraform-azurerm-v3.git//postgresql_server | v7.23.0 |
 | [postgres\_snet](#module\_postgres\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.23.0 |
 | [private\_endpoints\_snet](#module\_private\_endpoints\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.23.0 |
@@ -108,6 +112,7 @@ az network dns zone show \
 | [azurerm_key_vault_secret.postgres_administrator_login](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
 | [azurerm_key_vault_secret.postgres_administrator_login_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_virtual_network.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 ## Inputs
@@ -124,6 +129,8 @@ az network dns zone show \
 | [cidr\_subnet\_apim](#input\_cidr\_subnet\_apim) | Address prefixes subnet api management. | `list(string)` | `null` | no |
 | [cidr\_subnet\_apim\_stv2](#input\_cidr\_subnet\_apim\_stv2) | Address prefixes subnet api management stv2. | `list(string)` | `null` | no |
 | [cidr\_subnet\_azdoa](#input\_cidr\_subnet\_azdoa) | Azure DevOps agent network address space. | `list(string)` | n/a | yes |
+| [cidr\_subnet\_dns\_forwarder\_lb](#input\_cidr\_subnet\_dns\_forwarder\_lb) | Address prefixes subnet dns forwarder lb | `list(string)` | `[]` | no |
+| [cidr\_subnet\_dns\_forwarder\_vms](#input\_cidr\_subnet\_dns\_forwarder\_vms) | Address prefixes subnet dns forwarder scale set | `list(string)` | `[]` | no |
 | [cidr\_subnet\_dnsforwarder](#input\_cidr\_subnet\_dnsforwarder) | DNS Forwarder network address space. | `list(string)` | n/a | yes |
 | [cidr\_subnet\_postgres](#input\_cidr\_subnet\_postgres) | Database network address space. | `list(string)` | n/a | yes |
 | [cidr\_subnet\_private\_endpoints](#input\_cidr\_subnet\_private\_endpoints) | Subnet cidr postgres flex. | `list(string)` | n/a | yes |
@@ -132,6 +139,9 @@ az network dns zone show \
 | [cidr\_vnet](#input\_cidr\_vnet) | Virtual network address space. | `list(string)` | n/a | yes |
 | [dns\_default\_ttl\_sec](#input\_dns\_default\_ttl\_sec) | value | `number` | `3600` | no |
 | [dns\_forwarder\_enabled](#input\_dns\_forwarder\_enabled) | Enable dns forwarder setup | `bool` | `false` | no |
+| [dns\_forwarder\_is\_enabled](#input\_dns\_forwarder\_is\_enabled) | Allow to enable or disable dns forwarder backup | `bool` | `true` | no |
+| [dns\_forwarder\_lb\_backend\_pool\_ips](#input\_dns\_forwarder\_lb\_backend\_pool\_ips) | Backend pool address for dns forwarder load balancer | `map(list(string))` | `{}` | no |
+| [dns\_forwarder\_vm\_image\_name](#input\_dns\_forwarder\_vm\_image\_name) | Image name for dns forwarder | `string` | `null` | no |
 | [domain](#input\_domain) | n/a | `string` | n/a | yes |
 | [enable\_azdoa](#input\_enable\_azdoa) | Enable Azure DevOps agent. | `bool` | n/a | yes |
 | [enable\_iac\_pipeline](#input\_enable\_iac\_pipeline) | If true create the key vault policy to allow used by azure devops iac pipelines. | `bool` | `false` | no |
diff --git a/src/packer/02_dns_forwarder.tf b/src/packer/02_dns_forwarder.tf
new file mode 100644
index 00000000..a69d2e46
--- /dev/null
+++ b/src/packer/02_dns_forwarder.tf
@@ -0,0 +1,15 @@
+data "azurerm_resource_group" "vnet_rg" {
+ name = "${local.project}-vnet-rg"
+}
+
+module "dns_forwarder_image" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_vm_image?ref=v7.35.1"
+ resource_group_name = data.azurerm_resource_group.vnet_rg.name
+ location = var.location
+ image_name = "${local.project}-dns-forwarder-ubuntu2204-image"
+ image_version = var.dns_forwarder_image_version
+ subscription_id = data.azurerm_subscription.current.subscription_id
+ prefix = local.project
+
+ tags = var.tags
+}
diff --git a/src/packer/99_variables.tf b/src/packer/99_variables.tf
index 6b73988b..97f0a25c 100644
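Review bot: The image built here is named `"${local.project}-dns-forwarder-ubuntu2204-image"` with `image_version = var.dns_forwarder_image_version` (`"v1"` in the dev tfvars of this diff), while core's local `dns_forwarder_vm_image_name` expects `…-dns-forwarder-ubuntu2204-image-v1`; if the module composes the final name as `<image_name>-<image_version>`, the two roots agree only by convention, and bumping `dns_forwarder_image_version` to force a rebuild silently breaks the scale set's image lookup. A comment on the `image_version` line, e.g. `# keep in sync with dns_forwarder_vm_image_name in src/core/99_variables.tf`, would prevent the mismatch until the name is driven from one shared variable. How the module derives the image name is not visible in this diff; confirm against the module before relying on it.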
--- a/src/packer/99_variables.tf
+++ b/src/packer/99_variables.tf
@@ -46,6 +46,10 @@ variable "location_short" {
 description = "Location short like eg: neu, weu.."
 }
+variable "dns_forwarder_image_version" {
+ type = string
+ description = "Version string to allow to force the creation of the image"
+}
 variable "tags" {
 type = map(any)
diff --git a/src/packer/README.md b/src/packer/README.md
index e6a6696a..feed9712 100644
--- a/src/packer/README.md
+++ b/src/packer/README.md
@@ -14,6 +14,7 @@
 | Name | Source | Version |
 |------|--------|---------|
 | [azdoa\_custom\_image](#module\_azdoa\_custom\_image) | git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent_custom_image | v7.8.0 |
+| [dns\_forwarder\_image](#module\_dns\_forwarder\_image) | git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_vm_image | v7.35.1 |
 ## Resources
@@ -21,12 +22,14 @@
 |------|------|
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.36.0/docs/data-sources/client_config) | data source |
 | [azurerm_resource_group.resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/3.36.0/docs/data-sources/resource_group) | data source |
+| [azurerm_resource_group.vnet_rg](https://registry.terraform.io/providers/hashicorp/azurerm/3.36.0/docs/data-sources/resource_group) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.36.0/docs/data-sources/subscription) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [dns\_forwarder\_image\_version](#input\_dns\_forwarder\_image\_version) | Version string to allow to force the creation of the image | `string` | n/a | yes |
 | [env](#input\_env) | n/a | `string` | n/a | yes |
 | [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes |
 | [location](#input\_location) | n/a | `string` | `"westeurope"` | no |
diff --git a/src/packer/env/dev/terraform.tfvars b/src/packer/env/dev/terraform.tfvars
index 44e55d8a..60d0ff2c 100644
--- a/src/packer/env/dev/terraform.tfvars
+++ b/src/packer/env/dev/terraform.tfvars
@@ -14,3 +14,5 @@ tags = {
 CostCenter = "TS310 - PAGAMENTI & SERVIZI"
 Application = "marco.common"
 }
+
+dns_forwarder_image_version = "v1"