ER-698: Azure - Deploy Background Worker (#727)

* ER-701: Log Analytics workspace

* ER-698: Terraform script

* ER-691: Docker Image name

* ER-698: Omit default credentials

* ER-698: Formatting

* ER-698: Startup command

* ER-698: Startup command

* ER-698: Azure Container Instances

* Formatting

* ER-698: Unit test

* Supress checkov

---------

Co-authored-by: Sunny Sidhu <[email protected]>

.github/workflows/azure-deploy-dev.yml

@@ -28,7 +28,7 @@ env:
   ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
   ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
   ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-  IMAGE_URL: ghcr.io/dfe-digital/early-years-foundation-recovery
+  DOCKER_IMAGE: dfe-digital/early-years-foundation-recovery
 
 jobs:
   build-and-deploy:
@@ -73,14 +73,23 @@ jobs:
             BUILDKIT_INLINE_CACHE=1
             SHA=${{ github.sha }}
           cache-from: |
-            ${{ env.IMAGE_URL }}:${{ github.sha }}
+            ${{ env.DOCKER_IMAGE }}:${{ github.sha }}
           tags: |
-            ${{ env.IMAGE_URL }}:${{ github.sha }}
-            ${{ env.IMAGE_URL }}:latest
+            ${{ env.DOCKER_IMAGE }}:${{ github.sha }}
+            ${{ env.DOCKER_IMAGE }}:latest
 
-      # Deploy container
-      - name: Deploy Container
+      # Deploy Web Application
+      - name: Deploy to Azure App Services
         uses: azure/webapps-deploy@v2
         with:
           app-name: ${{ vars.WEBAPP_NAME }}
-          images: '${{ env.IMAGE_URL }}:${{ github.sha }}'
+          images: ${{ env.DOCKER_IMAGE }}:${{ github.sha }}
+
+      # Deploy Background Worker
+      - name: Deploy to Azure Container Instances
+        uses: azure/aci-deploy@v1
+        with:
+          resource-group: ${{ secrets.AZURE_RESOURCE_GROUP }}
+          image: ${{ env.DOCKER_IMAGE }}:${{ github.sha }}
+          name: eyrecovery-worker
+          location: 'west europe'

.github/workflows/tf-azure-deploy-dev.yml

@@ -32,9 +32,7 @@ env:
   TF_VAR_webapp_name: ${{ vars.WEBAPP_NAME }}
   TF_VAR_webapp_database_url: ${{ secrets.TF_VAR_WEBAPP_DATABASE_URL }}
   TF_VAR_webapp_docker_registry_url: https://ghcr.io
-  TF_VAR_webapp_docker_registry_username: ${{ github.repository_owner }}
-  TF_VAR_webapp_docker_registry_password: ${{ secrets.GITHUB_TOKEN }}
-  TF_VAR_webapp_docker_image_url: ghcr.io/dfe-digital/early-years-foundation-recovery
+  TF_VAR_webapp_docker_image: dfe-digital/early-years-foundation-recovery
   TF_VAR_webapp_docker_image_tag: latest
   TF_VAR_webapp_config_bot_token: ${{ secrets.TF_VAR_WEBAPP_CONFIG_BOT_TOKEN }}
   TF_VAR_webapp_config_contentful_environment: ${{ vars.TF_VAR_WEBAPP_CONFIG_CONTENTFUL_ENVIRONMENT }}

terraform-azure/local.tf

@@ -0,0 +1,37 @@
+locals {
+  # Common tags to be assigned resources
+  common_tags = {
+    "Environment"      = var.environment
+    "Parent Business"  = "Children’s Care"
+    "Portfolio"        = "Newly Onboarded"
+    "Product"          = "EY Recovery"
+    "Service"          = "Newly Onboarded"
+    "Service Line"     = "Newly Onboarded"
+    "Service Offering" = "EY Recovery"
+  }
+
+  # Web App Configuration
+  webapp_app_settings = {
+    "DATABASE_URL"                        = var.webapp_database_url
+    "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
+    "GOVUK_APP_DOMAIN"                    = "london.cloudapps.digital" #TODO: Remove this dependency post-migration to Azure
+    "GOVUK_WEBSITE_ROOT"                  = "ey-recovery-dev"          #TODO: Remove this dependency post-migration to Azure
+    "BOT_TOKEN"                           = var.webapp_config_bot_token
+    "CONTENTFUL_ENVIRONMENT"              = var.webapp_config_contentful_environment
+    "CONTENTFUL_PREVIEW"                  = var.webapp_config_contentful_preview
+    "DOMAIN"                              = var.webapp_config_domain
+    "EDITOR"                              = var.webapp_config_editor
+    "FEEDBACK_URL"                        = var.webapp_config_feedback_url
+    "GROVER_NO_SANDBOX"                   = var.webapp_config_grover_no_sandbox
+    "GOOGLE_CLOUD_BUCKET"                 = var.webapp_config_google_cloud_bucket
+    "NODE_ENV"                            = var.webapp_config_node_env
+    "RAILS_ENV"                           = var.webapp_config_rails_env
+    "RAILS_LOG_TO_STDOUT"                 = var.webapp_config_rails_log_to_stdout
+    "RAILS_MASTER_KEY"                    = var.webapp_config_rails_master_key
+    "RAILS_MAX_THREADS"                   = var.webapp_config_rails_max_threads
+    "RAILS_SERVE_STATIC_FILES"            = var.webapp_config_rails_serve_static_files
+    "TRAINING_MODULES"                    = var.webapp_config_training_modules
+    "WEB_CONCURRENCY"                     = var.webapp_config_web_concurrency
+    "WEBSITES_CONTAINER_START_TIME_LIMIT" = 1800
+  }
+}

terraform-azure/main.tf

@@ -8,26 +8,12 @@ provider "azurerm" {
   }
 }
 
-locals {
-  # Common tags to be assigned to all resources
-  common_tags = {
-    "Environment"      = var.environment
-    "Parent Business"  = "Children’s Care"
-    "Portfolio"        = "Newly Onboarded"
-    "Product"          = "EY Recovery"
-    "Service"          = "Newly Onboarded"
-    "Service Line"     = "Newly Onboarded"
-    "Service Offering" = "EY Recovery"
-  }
-}
-
 # Create Resource Group
 resource "azurerm_resource_group" "rg" {
   name     = "${var.resource_name_prefix}-rg"
   location = var.azure_region
 
-  tags = merge(local.common_tags, {
-  })
+  tags = local.common_tags
 
   lifecycle {
     ignore_changes = [tags]
@@ -64,40 +50,35 @@ module "database" {
 module "webapp" {
   source = "./terraform-azure-web"
 
-  asp_sku              = var.asp_sku
-  location             = var.azure_region
-  resource_group       = azurerm_resource_group.rg.name
-  resource_name_prefix = var.resource_name_prefix
-  webapp_subnet_id     = module.network.webapp_subnet_id
-  webapp_name          = var.webapp_name
-  webapp_app_settings = {
-    "DATABASE_URL"                        = var.webapp_database_url
-    "DOCKER_REGISTRY_SERVER_URL"          = var.webapp_docker_registry_url
-    "DOCKER_REGISTRY_SERVER_USERNAME"     = var.webapp_docker_registry_username
-    "DOCKER_REGISTRY_SERVER_PASSWORD"     = var.webapp_docker_registry_password
-    "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
-    "GOVUK_APP_DOMAIN"                    = "london.cloudapps.digital" #TODO: Remove this dependency post-migration to Azure
-    "GOVUK_WEBSITE_ROOT"                  = "ey-recovery-dev"          #TODO: Remove this dependency post-migration to Azure
-    "BOT_TOKEN"                           = var.webapp_config_bot_token
-    "CONTENTFUL_ENVIRONMENT"              = var.webapp_config_contentful_environment
-    "CONTENTFUL_PREVIEW"                  = var.webapp_config_contentful_preview
-    "DOMAIN"                              = var.webapp_config_domain
-    "EDITOR"                              = var.webapp_config_editor
-    "FEEDBACK_URL"                        = var.webapp_config_feedback_url
-    "GROVER_NO_SANDBOX"                   = var.webapp_config_grover_no_sandbox
-    "GOOGLE_CLOUD_BUCKET"                 = var.webapp_config_google_cloud_bucket
-    "NODE_ENV"                            = var.webapp_config_node_env
-    "RAILS_ENV"                           = var.webapp_config_rails_env
-    "RAILS_LOG_TO_STDOUT"                 = var.webapp_config_rails_log_to_stdout
-    "RAILS_MASTER_KEY"                    = var.webapp_config_rails_master_key
-    "RAILS_MAX_THREADS"                   = var.webapp_config_rails_max_threads
-    "RAILS_SERVE_STATIC_FILES"            = var.webapp_config_rails_serve_static_files
-    "TRAINING_MODULES"                    = var.webapp_config_training_modules
-    "WEB_CONCURRENCY"                     = var.webapp_config_web_concurrency
-    "WEBSITES_CONTAINER_START_TIME_LIMIT" = 1800
-  }
-  webapp_docker_image_url  = var.webapp_docker_image_url
-  webapp_docker_image_tag  = var.webapp_docker_image_tag
-  webapp_health_check_path = "/health"
-  depends_on               = [module.network, module.database]
+  asp_sku                                  = var.asp_sku
+  location                                 = var.azure_region
+  resource_group                           = azurerm_resource_group.rg.name
+  resource_name_prefix                     = var.resource_name_prefix
+  webapp_subnet_id                         = module.network.webapp_subnet_id
+  webapp_name                              = var.webapp_name
+  webapp_app_settings                      = local.webapp_app_settings
+  webapp_docker_image                      = var.webapp_docker_image
+  webapp_docker_image_tag                  = var.webapp_docker_image_tag
+  webapp_docker_registry_url               = var.webapp_docker_registry_url
+  webapp_health_check_path                 = "/health"
+  webapp_health_check_eviction_time_in_min = 10
+  depends_on                               = [module.network, module.database]
+}
+
+## Create Background Worker Application resources
+module "app-worker" {
+  source = "./terraform-azure-app"
+
+  location                         = var.azure_region
+  resource_group                   = azurerm_resource_group.rg.name
+  resource_name_prefix             = "${var.resource_name_prefix}-worker"
+  app_worker_subnet_id             = module.network.app_worker_subnet_id
+  app_worker_name                  = "${var.webapp_name}-worker"
+  container_name                   = "eyrecovery-worker"
+  app_worker_environment_variables = local.webapp_app_settings
+  app_worker_docker_image          = var.webapp_docker_image
+  app_worker_docker_image_tag      = var.webapp_docker_image_tag
+  app_worker_docker_registry       = "ghcr.io"
+  app_worker_startup_command       = ["bundle", "exec", "que"]
+  depends_on                       = [module.network, module.database]
 }

terraform-azure/terraform-azure-app/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 DFE-Digital
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

terraform-azure/terraform-azure-app/README.md

@@ -0,0 +1,3 @@
+# Azure App Module
+
+This module provisions a new Azure Container Instances resource to host a Docker container for a background job Application.

terraform-azure/terraform-azure-app/main.tf

@@ -0,0 +1,42 @@
+# Create Background Worker Application
+resource "azurerm_container_group" "app_worker" {
+  name                = var.app_worker_name
+  location            = var.location
+  resource_group_name = var.resource_group
+  ip_address_type     = "None"
+  os_type             = "Linux"
+  restart_policy      = "OnFailure"
+
+  container {
+    name                  = var.container_name
+    image                 = "${var.app_worker_docker_registry}/${var.app_worker_docker_image}:${var.app_worker_docker_image_tag}"
+    cpu                   = "1.0"
+    memory                = "2.0"
+    environment_variables = var.app_worker_environment_variables
+    commands              = var.app_worker_startup_command
+  }
+
+  diagnostics {
+    log_analytics {
+      workspace_id  = azurerm_log_analytics_workspace.app_worker_logs.workspace_id
+      workspace_key = azurerm_log_analytics_workspace.app_worker_logs.primary_shared_key
+    }
+  }
+
+  subnet_ids = [var.app_worker_subnet_id]
+
+  #checkov:skip=CKV2_AZURE_28:Using VNet
+}
+
+# Create Log Analytics
+resource "azurerm_log_analytics_workspace" "app_worker_logs" {
+  name                = "${var.resource_name_prefix}-log"
+  location            = var.location
+  resource_group_name = var.resource_group
+  sku                 = "PerGB2018"
+  retention_in_days   = 30
+
+  lifecycle {
+    ignore_changes = [tags]
+  }
+}

terraform-azure/terraform-azure-app/variables.tf

@@ -0,0 +1,54 @@
+variable "location" {
+  description = "Name of the Azure region to deploy resources"
+  type        = string
+}
+
+variable "resource_group" {
+  description = "Name of the Azure Resource Group to deploy resources"
+  type        = string
+}
+
+variable "resource_name_prefix" {
+  description = "Prefix for resource names"
+  type        = string
+}
+
+variable "app_worker_name" {
+  description = "Name for the Application"
+  type        = string
+}
+
+variable "container_name" {
+  description = "Name for the Container"
+  type        = string
+}
+
+variable "app_worker_subnet_id" {
+  description = "ID of the delegated Subnet for the Application"
+  type        = string
+}
+
+variable "app_worker_environment_variables" {
+  description = "Environment Variables to expose to the Application"
+  type        = map(string)
+}
+
+variable "app_worker_docker_registry" {
+  description = "Docker Registry Server"
+  type        = string
+}
+
+variable "app_worker_docker_image" {
+  description = "Docker Image to deploy"
+  type        = string
+}
+
+variable "app_worker_docker_image_tag" {
+  description = "Tag for the Docker Image"
+  type        = string
+}
+
+variable "app_worker_startup_command" {
+  description = "Startup command to pass into the Application"
+  type        = list(string)
+}

terraform-azure/terraform-azure-database/variables.tf

@@ -36,11 +36,13 @@ variable "psqlfs_storage" {
 variable "psqlfs_username" {
   description = "Username of the Database Server"
   type        = string
+  sensitive   = true
 }
 
 variable "psqlfs_password" {
   description = "Password of the Database Server"
   type        = string
+  sensitive   = true
 }
 
 variable "psqlfs_geo_redundant_backup" {

terraform-azure/terraform-azure-network/main.tf

@@ -69,5 +69,25 @@ resource "azurerm_subnet" "webapp_snet" {
     }
   }
 
+  #checkov:skip=CKV2_AZURE_31:NSG not required
+}
+
+# Create Subnet for Background Worker App
+resource "azurerm_subnet" "app_worker_snet" {
+  name                 = "${var.resource_name_prefix}-app-worker-snet"
+  virtual_network_name = azurerm_virtual_network.vnet.name
+  resource_group_name  = var.resource_group
+  address_prefixes     = ["172.1.2.0/24"]
+  service_endpoints    = ["Microsoft.Storage"]
+
+  delegation {
+    name = "${var.resource_name_prefix}-app-worker-dn"
+
+    service_delegation {
+      name    = "Microsoft.ContainerInstance/containerGroups"
+      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+    }
+  }
+
   #checkov:skip=CKV2_AZURE_31:NSG not required
 }

terraform-azure/terraform-azure-network/outputs.tf

@@ -16,4 +16,9 @@ output "psqlfs_dns_zone_id" {
 output "webapp_subnet_id" {
   description = "ID of the delegated Subnet for the Web Application"
   value       = azurerm_subnet.webapp_snet.id
+}
+
+output "app_worker_subnet_id" {
+  description = "ID of the delegated Subnet for the Background Worker"
+  value       = azurerm_subnet.app_worker_snet.id
 }