Feat: agency-specific Terraform variables (#346)

terraform/app_service.tf

@@ -12,7 +12,7 @@ locals {
 
 resource "azurerm_linux_web_app" "main" {
   # name needs to be globally unique and is more specific because it's used in the app URL
-  name                = "mst-courtesy-cards-eligibility-server-${local.env_name}"
+  name                = "${var.AGENCY_CARD}-eligibility-server-${local.env_name}"
   location            = data.azurerm_resource_group.main.location
   resource_group_name = data.azurerm_resource_group.main.name
   service_plan_id     = azurerm_service_plan.main.id

terraform/environment.tf

@@ -5,5 +5,5 @@ locals {
 }
 
 data "azurerm_resource_group" "main" {
-  name = "courtesy-cards-eligibility-${local.env_name}"
+  name = "${var.AGENCY_RESOURCE_GROUP_PREFIX}-eligibility-${local.env_name}"
 }

terraform/front_door.tf

@@ -10,7 +10,7 @@ resource "azurerm_cdn_frontdoor_profile" "main" {
 
 resource "azurerm_cdn_frontdoor_endpoint" "main" {
   # used in the front door URL
-  name                     = "mst-courtesy-cards-eligibility-server-${local.env_name}"
+  name                     = "${var.AGENCY_CARD}-eligibility-server-${local.env_name}"
   cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.main.id
 }
 

terraform/init.sh

@@ -11,7 +11,7 @@ if [ $# -ne 2 ]; then
   exit 1
 fi
 
-source "$AGENCY/env"
+source "$AGENCY/local.env"
 
 echo "Setting the subscription for the Azure CLI..."
 az account set --subscription="$SUBSCRIPTION"

terraform/mst/azure-pipelines.yml

@@ -27,5 +27,5 @@ pool:
 stages:
   - template: ../pipeline/deploy.yml
     parameters:
-      resource_group: mst-courtesy-cards-eligibility-terraform
-      storage_account: mstcourtesycardstf
+      # path is relative to the template path (see line above)
+      variable_file: ../mst/azure-vars.yml

terraform/mst/azure-vars.yml

@@ -0,0 +1,7 @@
+variables:
+  TF_RESOURCE_GROUP: "mst-courtesy-cards-eligibility-terraform"
+  TF_STORAGE_ACCOUNT: "mstcourtesycardstf"
+  TF_VAR_AGENCY_CARD: "mst-courtesy-cards"
+  TF_VAR_AGENCY_RESOURCE_GROUP_PREFIX: "courtesy-cards"
+  TF_VAR_AGENCY_STORAGE_ACCOUNT_PREFIX: "mstcceligibility"
+  TF_VAR_AGENCY_CARD_DATA_ETL_FILE: "velocity.csv"

terraform/pipeline/deploy.yml

@@ -1,11 +1,12 @@
 parameters:
-  - name: resource_group
-    type: string
-  - name: storage_account
+  - name: variable_file
     type: string
 
+
 stages:
   - stage: TerraformPlan
+    variables:
+      - template: ${{ parameters.variable_file }}
     jobs:
       - job: Plan
         variables:
@@ -46,9 +47,8 @@ stages:
               commandOptions: -input=false
               # service connection
               backendServiceArm: deployer
-              # needs to match main.tf
-              backendAzureRmResourceGroupName: ${{ parameters.resource_group }}
-              backendAzureRmStorageAccountName: ${{ parameters.storage_account }}
+              backendAzureRmResourceGroupName: $(TF_RESOURCE_GROUP)
+              backendAzureRmStorageAccountName: $(TF_STORAGE_ACCOUNT)
               backendAzureRmContainerName: tfstate
               backendAzureRmKey: terraform.tfstate
           - task: TerraformTaskV3@3
@@ -85,6 +85,7 @@ stages:
   - stage: TerraformApply
     dependsOn: TerraformPlan
     variables:
+      - template: ${{ parameters.variable_file }}
       - name: workspace
         value: $[ dependencies.TerraformPlan.outputs['Plan.setvars.workspace'] ]
       - name: tag_type
@@ -128,9 +129,8 @@ stages:
                     commandOptions: -input=false
                     # service connection
                     backendServiceArm: deployer
-                    # needs to match main.tf
-                    backendAzureRmResourceGroupName: ${{ parameters.resource_group }}
-                    backendAzureRmStorageAccountName: ${{ parameters.storage_account }}
+                    backendAzureRmResourceGroupName: $(TF_RESOURCE_GROUP)
+                    backendAzureRmStorageAccountName: $(TF_STORAGE_ACCOUNT)
                     backendAzureRmContainerName: tfstate
                     backendAzureRmKey: terraform.tfstate
                 - task: TerraformTaskV3@3

terraform/roles.tf

@@ -1,14 +1,14 @@
-resource "azurerm_role_assignment" "velocity_etl" {
+resource "azurerm_role_assignment" "agency_card_data_etl" {
   count = local.is_prod ? 1 : 0
 
   description          = "This role assignment gives write access only for the path of the hashed data file."
   scope                = azurerm_storage_container.config.resource_manager_id
   role_definition_name = "Storage Blob Data Contributor"
-  principal_id         = var.VELOCITY_ETL_APP_OBJECT_ID
+  principal_id         = var.AGENCY_CARD_DATA_ETL_APP_OBJECT_ID
   condition            = <<EOF
 (
  (
-  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'velocity.csv'
+  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '${var.AGENCY_CARD_DATA_ETL_FILE}'
  )
 )
 EOF

terraform/storage.tf

@@ -1,6 +1,6 @@
 resource "azurerm_storage_account" "main" {
   # name needs to be unique per subscription
-  name                     = "mstcceligibility${local.env_name}"
+  name                     = "${var.AGENCY_STORAGE_ACCOUNT_PREFIX}${local.env_name}"
   location                 = data.azurerm_resource_group.main.location
   resource_group_name      = data.azurerm_resource_group.main.name
   account_tier             = "Standard"

terraform/uptime.tf

@@ -5,7 +5,7 @@ module "healthcheck" {
   action_group_id      = azurerm_monitor_action_group.eng_email.id
   application_insights = azurerm_application_insights.main
   # not strictly necessary to include the environment name, but helps to make the alerts more clear
-  name = "mst-courtesy-cards-eligibility-server-${local.env_name}-healthcheck"
+  name = "${var.AGENCY_CARD}-eligibility-server-${local.env_name}-healthcheck"
   url  = "https://${azurerm_cdn_frontdoor_endpoint.main.host_name}/healthcheck"
 }
 

terraform/variables.tf

@@ -1,6 +1,33 @@
+# Some of these are defined in <agency name>/azure-vars.yml. Others are defined in Azure DevOps UI.
+
 # needs to be uppercase "because Azure DevOps will always transform pipeline variables to uppercase environment variables"
 # https://gaunacode.com/terraform-input-variables-using-azure-devops
 
+variable "AGENCY_CARD" {
+  description = "The name of the agency's card program"
+  type        = string
+}
+
+variable "AGENCY_CARD_DATA_ETL_APP_OBJECT_ID" {
+  description = "Object ID from the registered application for the Agency Card server ETL uploading: https://cloudsight.zendesk.com/hc/en-us/articles/360016785598-Azure-finding-your-service-principal-object-ID"
+  type        = string
+}
+
+variable "AGENCY_CARD_DATA_ETL_FILE" {
+  description = "The name of the hashed data file that's uploaded to the storage account"
+  type        = string
+}
+
+variable "AGENCY_RESOURCE_GROUP_PREFIX" {
+  description = "The prefix to the name of the resource group for each environment"
+  type        = string
+}
+
+variable "AGENCY_STORAGE_ACCOUNT_PREFIX" {
+  description = "The prefix to the name of the storage account for each environment"
+  type        = string
+}
+
 variable "DEPLOYER_APP_OBJECT_ID" {
   description = "Object ID from the Azure DevOps deployer service principal application in Active Directory"
   type        = string
@@ -11,11 +38,6 @@ variable "ENGINEERING_GROUP_OBJECT_ID" {
   type        = string
 }
 
-variable "VELOCITY_ETL_APP_OBJECT_ID" {
-  description = "Object ID from the registered application for the Velocity server ETL uploading: https://cloudsight.zendesk.com/hc/en-us/articles/360016785598-Azure-finding-your-service-principal-object-ID"
-  type        = string
-}
-
 variable "IP_ADDRESS_WHITELIST_DEV" {
   description = "List of IP addresses allowed to connect to the app service, in CIDR notation: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_web_app#ip_address. By default, all IP addresses are allowed."
   type        = list(string)