Reduce terraform churn.

CHANGELOG.md

@@ -17,6 +17,7 @@ ENHANCEMENTS:
 * Ability to customise UI header and footer text ([#4201](https://github.com/microsoft/AzureTRE/issues/4201))
 * Allow AUTO_GRANT_WORKSPACE_CONSENT config variable to set be set via CI/CD ([#4533](https://github.com/microsoft/AzureTRE/pull/4533))
 * Delete old database migrations ([#4168](https://github.com/microsoft/AzureTRE/issues/4168))
+* Update terraform to reduce recreation of private endpoints and other resources ([#4539](https://github.com/microsoft/AzureTRE/pull/4539))
 
 BUG FIXES:
 * Letsencrypt.yml fails with "Invalid reference in variable validation" ([#4506](https://github.com/microsoft/AzureTRE/4506))

core/terraform/airlock/airlock_processor.tf

@@ -63,6 +63,7 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
   webdeploy_publish_basic_authentication_enabled = false
   storage_account_name                           = azurerm_storage_account.sa_airlock_processor_func_app.name
   storage_uses_managed_identity                  = true
+  vnet_image_pull_enabled                        = true
 
   tags = var.tre_core_tags
 
@@ -137,30 +138,11 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
   depends_on = [azurerm_private_endpoint.function_storage]
 }
 
-resource "azapi_update_resource" "airlock_vnet_container_pull_routing" {
-  resource_id = azurerm_linux_function_app.airlock_function_app.id
-  type        = "Microsoft.Web/sites@2022-09-01"
-
-  body = jsonencode({
-    properties = {
-      vnetImagePullEnabled : true
-    }
-  })
-
-  depends_on = [
-    azurerm_linux_function_app.airlock_function_app
-  ]
-}
-
 resource "azapi_resource_action" "restart_airlock_function_app" {
   type        = "Microsoft.Web/sites@2022-09-01"
   resource_id = azurerm_linux_function_app.airlock_function_app.id
   method      = "POST"
   action      = "restart"
-
-  depends_on = [
-    azapi_update_resource.airlock_vnet_container_pull_routing
-  ]
 }
 
 resource "azurerm_monitor_diagnostic_setting" "airlock_function_app" {

core/terraform/airlock/data.tf

@@ -2,16 +2,6 @@ data "local_file" "airlock_processor_version" {
   filename = "${path.root}/../../airlock_processor/_version.py"
 }
 
-data "azurerm_private_dns_zone" "eventgrid" {
-  name                = module.terraform_azurerm_environment_configuration.private_links["privatelink.eventgrid.azure.net"]
-  resource_group_name = var.resource_group_name
-}
-
-data "azurerm_container_registry" "mgmt_acr" {
-  name                = var.mgmt_acr_name
-  resource_group_name = var.mgmt_resource_group_name
-}
-
 data "azurerm_monitor_diagnostic_categories" "eventgrid_custom_topics" {
   resource_id = azurerm_eventgrid_topic.airlock_notification.id
 }

core/terraform/airlock/eventgrid_topics.tf

@@ -44,7 +44,7 @@ resource "azurerm_private_endpoint" "eg_step_result" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.eventgrid.id]
+    private_dns_zone_ids = [var.eventgrid_private_dns_zone_id]
   }
 
   private_service_connection {
@@ -99,7 +99,7 @@ resource "azurerm_private_endpoint" "eg_status_changed" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.eventgrid.id]
+    private_dns_zone_ids = [var.eventgrid_private_dns_zone_id]
   }
 
   private_service_connection {
@@ -148,7 +148,7 @@ resource "azurerm_private_endpoint" "eg_data_deletion" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.eventgrid.id]
+    private_dns_zone_ids = [var.eventgrid_private_dns_zone_id]
   }
 
   private_service_connection {
@@ -365,7 +365,7 @@ resource "azurerm_private_endpoint" "eg_airlock_notification" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.eventgrid.id]
+    private_dns_zone_ids = [var.eventgrid_private_dns_zone_id]
   }
 
   private_service_connection {

core/terraform/airlock/identity.tf

@@ -8,7 +8,7 @@ resource "azurerm_user_assigned_identity" "airlock_id" {
 }
 
 resource "azurerm_role_assignment" "acrpull_role" {
-  scope                = data.azurerm_container_registry.mgmt_acr.id
+  scope                = var.acr_id
   role_definition_name = "AcrPull"
   principal_id         = azurerm_user_assigned_identity.airlock_id.principal_id
 }

core/terraform/airlock/variables.tf

@@ -34,14 +34,9 @@ variable "airlock_processor_image_repository" {
   default     = "microsoft/azuretre/airlock-processor"
 }
 
-variable "mgmt_resource_group_name" {
+variable "acr_id" {
   type        = string
-  description = "Shared management resource group"
-}
-
-variable "mgmt_acr_name" {
-  type        = string
-  description = "Management ACR name"
+  description = "ACR ID"
 }
 
 variable "airlock_app_service_plan_sku" {
@@ -94,6 +89,9 @@ variable "queue_core_dns_zone_id" {
 variable "table_core_dns_zone_id" {
   type = string
 }
+variable "eventgrid_private_dns_zone_id" {
+  type = string
+}
 
 variable "encryption_identity_id" {
   type        = string

core/terraform/appgateway/data.tf

@@ -1,5 +1,3 @@
-data "azurerm_client_config" "deployer" {}
-
 data "azurerm_monitor_diagnostic_categories" "agw" {
   resource_id = azurerm_application_gateway.agw.id
   depends_on = [

core/terraform/appgateway/staticweb.tf

@@ -52,7 +52,7 @@ resource "azurerm_storage_account_static_website" "staticweb_site" {
 resource "azurerm_role_assignment" "stgwriter" {
   scope                = azurerm_storage_account.staticweb.id
   role_definition_name = "Storage Blob Data Contributor"
-  principal_id         = data.azurerm_client_config.deployer.object_id
+  principal_id         = var.deployer_principal_id
 }
 
 resource "azurerm_private_endpoint" "webpe" {

core/terraform/appgateway/variables.tf

@@ -38,3 +38,6 @@ variable "enable_cmk_encryption" {
 variable "encryption_key_versionless_id" {
   type = string
 }
+variable "deployer_principal_id" {
+  type = string
+}

core/terraform/data.tf

@@ -38,3 +38,13 @@ data "azurerm_monitor_diagnostic_categories" "sb" {
     azurerm_servicebus_namespace.sb
   ]
 }
+
+data "azurerm_storage_account" "mgmt_storage" {
+  name                = var.mgmt_storage_account_name
+  resource_group_name = var.mgmt_resource_group_name
+}
+
+data "azurerm_container_registry" "acr" {
+  name                = var.acr_name
+  resource_group_name = var.mgmt_resource_group_name
+}

core/terraform/main.tf

@@ -104,6 +104,7 @@ module "appgateway" {
   static_web_dns_zone_id     = module.network.static_web_dns_zone_id
   log_analytics_workspace_id = module.azure_monitor.log_analytics_workspace_id
   app_gateway_sku            = var.app_gateway_sku
+  deployer_principal_id      = data.azurerm_client_config.current.object_id
 
   enable_cmk_encryption         = var.enable_cmk_encryption
   encryption_key_versionless_id = var.enable_cmk_encryption ? azurerm_key_vault_key.tre_encryption[0].versionless_id : null
@@ -126,8 +127,7 @@ module "airlock_resources" {
   airlock_storage_subnet_id             = module.network.airlock_storage_subnet_id
   airlock_events_subnet_id              = module.network.airlock_events_subnet_id
   docker_registry_server                = local.docker_registry_server
-  mgmt_resource_group_name              = var.mgmt_resource_group_name
-  mgmt_acr_name                         = var.acr_name
+  acr_id                                = data.azurerm_container_registry.acr.id
   api_principal_id                      = azurerm_user_assigned_identity.id.principal_id
   airlock_app_service_plan_sku          = var.core_app_service_plan_sku
   airlock_processor_subnet_id           = module.network.airlock_processor_subnet_id
@@ -142,6 +142,7 @@ module "airlock_resources" {
   file_core_dns_zone_id                 = module.network.file_core_dns_zone_id
   queue_core_dns_zone_id                = module.network.queue_core_dns_zone_id
   table_core_dns_zone_id                = module.network.table_core_dns_zone_id
+  eventgrid_private_dns_zone_id         = module.network.eventgrid_private_dns_zone_id
 
   enable_local_debugging        = var.enable_local_debugging
   myip                          = local.myip
@@ -174,6 +175,7 @@ module "resource_processor_vmss_porter" {
   service_bus_resource_request_queue               = azurerm_servicebus_queue.workspacequeue.name
   service_bus_deployment_status_update_queue       = azurerm_servicebus_queue.service_bus_deployment_status_update_queue.name
   mgmt_storage_account_name                        = var.mgmt_storage_account_name
+  mgmt_storage_account_id                          = data.azurerm_storage_account.mgmt_storage.id
   mgmt_resource_group_name                         = var.mgmt_resource_group_name
   terraform_state_container_name                   = var.terraform_state_container_name
   key_vault_name                                   = azurerm_key_vault.kv.name

core/terraform/network/locals.tf

@@ -32,6 +32,4 @@ locals {
     "privatelink.queue.core.windows.net",
     "privatelink.table.core.windows.net"
   ])
-
-  subnet_ids_map = { for subnet in azurerm_virtual_network.core.subnet : subnet.name => subnet.id }
 }

core/terraform/network/outputs.tf

@@ -3,43 +3,43 @@ output "core_vnet_id" {
 }
 
 output "bastion_subnet_id" {
-  value = local.subnet_ids_map["AzureBastionSubnet"]
+  value = "${azurerm_virtual_network.core.id}/subnets/AzureBastionSubnet"
 }
 
 output "azure_firewall_subnet_id" {
-  value = local.subnet_ids_map["AzureFirewallSubnet"]
+  value = "${azurerm_virtual_network.core.id}/subnets/AzureFirewallSubnet"
 }
 
 output "app_gw_subnet_id" {
-  value = local.subnet_ids_map["AppGwSubnet"]
+  value = "${azurerm_virtual_network.core.id}/subnets/AppGwSubnet"
 }
 
 output "web_app_subnet_id" {
-  value = local.subnet_ids_map["WebAppSubnet"]
+  value = "${azurerm_virtual_network.core.id}/subnets/WebAppSubnet"
 }
 
 output "shared_subnet_id" {
-  value = local.subnet_ids_map["SharedSubnet"]
+  value = "${azurerm_virtual_network.core.id}/subnets/SharedSubnet"
 }
 
-output "airlock_processor_subnet_id" {
-  value = local.subnet_ids_map["AirlockProcessorSubnet"]
+output "resource_processor_subnet_id" {
+  value = "${azurerm_virtual_network.core.id}/subnets/ResourceProcessorSubnet"
 }
 
-output "airlock_storage_subnet_id" {
-  value = local.subnet_ids_map["AirlockStorageSubnet"]
+output "airlock_processor_subnet_id" {
+  value = "${azurerm_virtual_network.core.id}/subnets/AirlockProcessorSubnet"
 }
 
-output "airlock_events_subnet_id" {
-  value = local.subnet_ids_map["AirlockEventsSubnet"]
+output "airlock_notification_subnet_id" {
+  value = "${azurerm_virtual_network.core.id}/subnets/AirlockNotifiactionSubnet"
 }
 
-output "resource_processor_subnet_id" {
-  value = local.subnet_ids_map["ResourceProcessorSubnet"]
+output "airlock_storage_subnet_id" {
+  value = "${azurerm_virtual_network.core.id}/subnets/AirlockStorageSubnet"
 }
 
-output "airlock_notification_subnet_id" {
-  value = local.subnet_ids_map["AirlockNotifiactionSubnet"]
+output "airlock_events_subnet_id" {
+  value = "${azurerm_virtual_network.core.id}/subnets/AirlockEventsSubnet"
 }
 
 # DNS Zones
@@ -84,6 +84,9 @@ output "table_core_dns_zone_id" {
   value = azurerm_private_dns_zone.private_dns_zones["privatelink.table.core.windows.net"].id
 }
 
+output "eventgrid_private_dns_zone_id" {
+  value = azurerm_private_dns_zone.eventgrid.id
+}
 
 output "azurecr_dns_zone_id" {
   value = azurerm_private_dns_zone.azurecr.id

core/terraform/resource_processor/vmss_porter/data.tf

@@ -49,8 +49,3 @@ data "azurerm_key_vault_key" "tre_encryption" {
   name         = var.kv_encryption_key_name
   key_vault_id = var.key_store_id
 }
-
-data "azurerm_storage_account" "mgmt_storage" {
-  name                = var.mgmt_storage_account_name
-  resource_group_name = var.mgmt_resource_group_name
-}

core/terraform/resource_processor/vmss_porter/main.tf

@@ -174,7 +174,7 @@ resource "terraform_data" "vm_linux_reimage" {
 }
 
 resource "azurerm_role_assignment" "mgmt_storage_account_blob_contributor" {
-  scope                = data.azurerm_storage_account.mgmt_storage.id
+  scope                = var.mgmt_storage_account_id
   role_definition_name = "Storage Blob Data Contributor"
   principal_id         = azurerm_user_assigned_identity.vmss_msi.principal_id
 }
@@ -239,7 +239,7 @@ resource "azurerm_private_endpoint" "mgmtblobpe" {
 
   private_service_connection {
     name                           = "psc-mgmt-${var.tre_id}"
-    private_connection_resource_id = data.azurerm_storage_account.mgmt_storage.id
+    private_connection_resource_id = var.mgmt_storage_account_id
     is_manual_connection           = false
     subresource_names              = ["Blob"]
   }

core/terraform/resource_processor/vmss_porter/variables.tf

@@ -117,3 +117,8 @@ variable "airlock_malware_scan_result_topic_name" {
   type        = string
   description = "Name of the topic to publish Airlock malware scan results to"
 }
+
+variable "mgmt_storage_account_id" {
+  type        = string
+  description = "ID of the management storage account"
+}

core/version.txt

@@ -1 +1 @@
-__version__ = "0.14.0"
+__version__ = "0.14.4"