Merge pull request #38 from zscaler/ZTW-4049

feat: added support for invoking manual sync on function app. This wi…

.gitignore

@@ -52,3 +52,6 @@ override.tf.json
 
 examples/base_cc_vmss/terraform.tfvars.sample
 modules/terraform-zscc-ccvmss-azure/zscaler_cc_function_app_*
+scripts/exitstatus
+scripts/stderr
+scripts/stdout

examples/base_cc_vmss/main.tf

@@ -60,7 +60,6 @@ module "network" {
   lb_frontend_ip        = module.cc_lb.lb_ip
   workloads_enabled     = true
   bastion_enabled       = true
-  lb_enabled            = var.lb_enabled
 }
 
 
@@ -198,6 +197,8 @@ module "cc_functionapp" {
   managed_identity_client_id          = module.cc_identity.function_app_managed_identity_client_id
   existing_log_analytics_workspace    = var.existing_log_analytics_workspace
   existing_log_analytics_workspace_id = var.existing_log_analytics_workspace_id
+  run_manual_sync                     = var.run_manual_sync
+  path_to_scripts                     = coalesce(var.path_to_scripts, "../../scripts")
 }
 
 ################################################################################

examples/base_cc_vmss/outputs.tf

@@ -54,12 +54,22 @@ Bastion Public IP:
 ${module.bastion.public_ip}
 
 
+TB
+
+  testbedconfig_manual_sync_failed = <<TB
+**IMPORTANT (ONLY APPLICABLE FOR INITIAL CREATE OF FUNCTION APP)**
+Based on the recorded output, the manual sync to start your Azure Function App failed. To perform this manual sync perform one of the following steps:
+  1. Navigate to the Azure Function App ${module.cc_functionapp.function_app_id} on the Azure Portal. The loading of the Function App page triggers the manual sync and will start your Function App.
+  2. Attempt to rerun the manual_sync.sh script manually using the following command (path to file is based on root of the repo):
+      ../../modules/terraform-zscc-function-app-azure/manual_sync.sh ${module.cc_functionapp.subscription_id} ${module.network.resource_group_name} ${module.cc_functionapp.function_app_name}
+**IMPORTANT (ONLY APPLICABLE FOR INITIAL CREATE OF FUNCTION APP)**
+
 TB
 }
 
 output "testbedconfig" {
   description = "Azure Testbed results"
-  value       = local.testbedconfig
+  value       = module.cc_functionapp.manual_sync_exit_status != "1" ? local.testbedconfig : format("%s%s", local.testbedconfig, local.testbedconfig_manual_sync_failed)
 }
 
 resource "local_file" "testbed" {

examples/base_cc_vmss/variables.tf

@@ -202,12 +202,6 @@ variable "load_distribution" {
   }
 }
 
-variable "lb_enabled" {
-  type        = bool
-  description = "Default true. Only relevant for 'base' deployments. Configure Workload Route Table to default route next hop to the CC Load Balancer IP passed from var.lb_frontend_ip. If false, default route next hop directly to the CC Service IP passed from var.cc_service_ip"
-  default     = true
-}
-
 variable "health_check_interval" {
   type        = number
   description = "The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5"
@@ -381,3 +375,15 @@ variable "existing_log_analytics_workspace_id" {
   description = "ID of existing Log Analytics Workspace to associate with the AppInsights Instance."
   default     = ""
 }
+
+variable "run_manual_sync" {
+  type        = bool
+  description = "Set to True if you would like terraform to run the manual sync operation to start the Function App after creation. The alternative is to navigate to the Function App on the Azure Portal UI or to manually invoke the script yourself."
+  default     = true
+}
+
+variable "path_to_scripts" {
+  type        = string
+  description = "Path to script_directory"
+  default     = ""
+}

examples/base_cc_vmss_zpa/main.tf

@@ -61,7 +61,6 @@ module "network" {
   lb_frontend_ip        = module.cc_lb.lb_ip
   workloads_enabled     = true
   bastion_enabled       = true
-  lb_enabled            = var.lb_enabled
   zpa_enabled           = var.zpa_enabled
 }
 
@@ -200,6 +199,8 @@ module "cc_functionapp" {
   managed_identity_client_id          = module.cc_identity.function_app_managed_identity_client_id
   existing_log_analytics_workspace    = var.existing_log_analytics_workspace
   existing_log_analytics_workspace_id = var.existing_log_analytics_workspace_id
+  run_manual_sync                     = var.run_manual_sync
+  path_to_scripts                     = coalesce(var.path_to_scripts, "../../scripts")
 }
 
 ################################################################################

examples/base_cc_vmss_zpa/outputs.tf

@@ -54,12 +54,22 @@ Bastion Public IP:
 ${module.bastion.public_ip}
 
 
+TB
+
+  testbedconfig_manual_sync_failed = <<TB
+**IMPORTANT (ONLY APPLICABLE FOR INITIAL CREATE OF FUNCTION APP)**
+Based on the recorded output, the manual sync to start your Azure Function App failed. To perform this manual sync perform one of the following steps:
+  1. Navigate to the Azure Function App ${module.cc_functionapp.function_app_id} on the Azure Portal. The loading of the Function App page triggers the manual sync and will start your Function App.
+  2. Attempt to rerun the manual_sync.sh script manually using the following command (path to file is based on root of the repo):
+      ../../modules/terraform-zscc-function-app-azure/manual_sync.sh ${module.cc_functionapp.subscription_id} ${module.network.resource_group_name} ${module.cc_functionapp.function_app_name}
+**IMPORTANT (ONLY APPLICABLE FOR INITIAL CREATE OF FUNCTION APP)**
+
 TB
 }
 
 output "testbedconfig" {
   description = "Azure Testbed results"
-  value       = local.testbedconfig
+  value       = module.cc_functionapp.manual_sync_exit_status != "1" ? local.testbedconfig : format("%s%s", local.testbedconfig, local.testbedconfig_manual_sync_failed)
 }
 
 resource "local_file" "testbed" {

examples/base_cc_vmss_zpa/variables.tf

@@ -208,12 +208,6 @@ variable "load_distribution" {
   }
 }
 
-variable "lb_enabled" {
-  type        = bool
-  description = "Default true. Only relevant for 'base' deployments. Configure Workload Route Table to default route next hop to the CC Load Balancer IP passed from var.lb_frontend_ip. If false, default route next hop directly to the CC Service IP passed from var.cc_service_ip"
-  default     = true
-}
-
 variable "health_check_interval" {
   type        = number
   description = "The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5"
@@ -406,3 +400,16 @@ variable "target_address" {
   description = "Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses"
   default     = ["185.46.212.88", "185.46.212.89"]
 }
+
+variable "run_manual_sync" {
+  type        = bool
+  description = "Set to True if you would like terraform to run the manual sync operation to start the Function App after creation. The alternative is to navigate to the Function App on the Azure Portal UI or to manually invoke the script yourself."
+  default     = true
+}
+
+variable "path_to_scripts" {
+  type        = string
+  description = "Path to script_directory"
+  default     = ""
+}
+

examples/cc_vmss/main.tf

@@ -170,11 +170,15 @@ module "cc_functionapp" {
   existing_storage_account_rg    = var.existing_storage_account_rg
 
   #required app_settings inputs
-  terminate_unhealthy_instances = var.terminate_unhealthy_instances
-  cc_vm_prov_url                = var.cc_vm_prov_url
-  azure_vault_url               = var.azure_vault_url
-  vmss_names                    = module.cc_vmss.vmss_names
-  managed_identity_client_id    = module.cc_identity.function_app_managed_identity_client_id
+  terminate_unhealthy_instances       = var.terminate_unhealthy_instances
+  cc_vm_prov_url                      = var.cc_vm_prov_url
+  azure_vault_url                     = var.azure_vault_url
+  vmss_names                          = module.cc_vmss.vmss_names
+  managed_identity_client_id          = module.cc_identity.function_app_managed_identity_client_id
+  existing_log_analytics_workspace    = var.existing_log_analytics_workspace
+  existing_log_analytics_workspace_id = var.existing_log_analytics_workspace_id
+  run_manual_sync                     = var.run_manual_sync
+  path_to_scripts                     = coalesce(var.path_to_scripts, "../../scripts")
 }
 
 ################################################################################

examples/cc_vmss/outputs.tf

@@ -46,12 +46,23 @@ ${try(module.private_dns.private_dns_forwarding_ruleset_name, "N/A")}
 Private DNS Outbound Endpoint:
 ${try(module.private_dns.private_dns_outbound_endpoint_name, "N/A")}
 
+
+TB
+
+  testbedconfig_manual_sync_failed = <<TB
+**IMPORTANT (ONLY APPLICABLE FOR INITIAL CREATE OF FUNCTION APP)**
+Based on the recorded output, the manual sync to start your Azure Function App failed. To perform this manual sync perform one of the following steps:
+  1. Navigate to the Azure Function App ${module.cc_functionapp.function_app_id} on the Azure Portal. The loading of the Function App page triggers the manual sync and will start your Function App.
+  2. Attempt to rerun the manual_sync.sh script manually using the following command (path to file is based on root of the repo):
+      ../../modules/terraform-zscc-function-app-azure/manual_sync.sh ${module.cc_functionapp.subscription_id} ${module.network.resource_group_name} ${module.cc_functionapp.function_app_name}
+**IMPORTANT (ONLY APPLICABLE FOR INITIAL CREATE OF FUNCTION APP)**
+
 TB
 }
 
 output "testbedconfig" {
   description = "Azure Testbed results"
-  value       = local.testbedconfig
+  value       = module.cc_functionapp.manual_sync_exit_status != "1" ? local.testbedconfig : format("%s%s", local.testbedconfig, local.testbedconfig_manual_sync_failed)
 }
 
 resource "local_file" "testbed" {

examples/cc_vmss/variables.tf

@@ -142,16 +142,6 @@ variable "http_probe_port" {
   }
 }
 
-variable "workload_count" {
-  type        = number
-  description = "The number of Workload VMs to deploy"
-  default     = 1
-  validation {
-    condition     = var.workload_count >= 1 && var.workload_count <= 250
-    error_message = "Input workload_count must be a whole number between 1 and 250."
-  }
-}
-
 variable "zones_enabled" {
   type        = bool
   description = "Determine whether to provision Cloud Connector VMs explicitly in defined zones (if supported by the Azure region provided in the location variable). If left false, Azure will automatically choose a zone and module will create an availability set resource instead for VM fault tolerance"
@@ -352,6 +342,29 @@ variable "function_app_managed_identity_rg" {
   default     = ""
 }
 
+variable "existing_log_analytics_workspace" {
+  type        = bool
+  description = "Set to True if you wish to use an existing Log Analytics Workspace to associate with the AppInsights Instance. Default is false meaning Terraform module will create a new one"
+  default     = false
+}
+
+variable "existing_log_analytics_workspace_id" {
+  type        = string
+  description = "ID of existing Log Analytics Workspace to associate with the AppInsights Instance."
+  default     = ""
+}
+
+variable "run_manual_sync" {
+  type        = bool
+  description = "Set to True if you would like terraform to run the manual sync operation to start the Function App after creation. The alternative is to navigate to the Function App on the Azure Portal UI or to manually invoke the script yourself."
+  default     = true
+}
+
+variable "path_to_scripts" {
+  type        = string
+  description = "Path to script_directory"
+  default     = ""
+}
 
 # Azure Private DNS specific variables
 variable "zpa_enabled" {

modules/terraform-zscc-function-app-azure/main.tf

@@ -86,6 +86,7 @@ resource "azurerm_application_insights" "vmss_orchestration_app_insights" {
 # Create Function App
 ################################################################################
 resource "azurerm_linux_function_app" "vmss_orchestration_app" {
+  count               = var.run_manual_sync ? 0 : 1
   name                = "${var.name_prefix}-ccvmss-${var.resource_tag}-function-app"
   resource_group_name = var.resource_group
   location            = var.location
@@ -129,3 +130,61 @@ resource "azurerm_linux_function_app" "vmss_orchestration_app" {
 
   tags = var.global_tags
 }
+
+resource "azurerm_linux_function_app" "vmss_orchestration_app_with_manual_sync" {
+  count               = var.run_manual_sync ? 1 : 0
+  name                = "${var.name_prefix}-ccvmss-${var.resource_tag}-function-app"
+  resource_group_name = var.resource_group
+  location            = var.location
+
+  storage_account_name       = local.storage_account_name
+  storage_account_access_key = local.storage_account_access_key
+  service_plan_id            = azurerm_service_plan.vmss_orchestration_app_service_plan.id
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [var.managed_identity_id]
+  }
+
+  app_settings = {
+    "SUBSCRIPTION_ID"                              = data.azurerm_subscription.current.id
+    "MANAGED_IDENTITY"                             = var.managed_identity_client_id
+    "RESOURCE_GROUP"                               = var.resource_group
+    "VMSS_NAME"                                    = jsonencode(var.vmss_names)
+    "TERMINATE_UNHEALTHY_INSTANCES"                = var.terminate_unhealthy_instances
+    "VAULT_URL"                                    = var.azure_vault_url
+    "CC_URL"                                       = var.cc_vm_prov_url
+    "APPLICATIONINSIGHTS_CONNECTION_STRING"        = azurerm_application_insights.vmss_orchestration_app_insights.connection_string
+    "ApplicationInsightsAgent_EXTENSION_VERSION"   = "~3"
+    "XDT_MicrosoftApplicationInsights_Mode"        = "recommended"
+    "WEBSITE_RUN_FROM_PACKAGE"                     = var.upload_function_app_zip ? azurerm_storage_blob.cc_function_storage_blob[0].url : var.zscaler_cc_function_public_url
+    "WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID" = var.managed_identity_id
+  }
+
+  site_config {
+    application_stack {
+      python_version = "3.11"
+    }
+    application_insights_connection_string = azurerm_application_insights.vmss_orchestration_app_insights.connection_string
+  }
+
+  lifecycle {
+    ignore_changes = [
+      app_settings["APPLICATIONINSIGHTS_CONNECTION_STRING"],
+    ]
+  }
+
+  tags = var.global_tags
+
+  provisioner "local-exec" {
+    command = "${var.path_to_scripts}/manual_sync.sh ${data.azurerm_subscription.current.subscription_id} ${var.resource_group} ${azurerm_linux_function_app.vmss_orchestration_app_with_manual_sync[0].name} 2>${var.path_to_scripts}/stderr >${var.path_to_scripts}/stdout; echo $? >${var.path_to_scripts}/exitstatus"
+  }
+}
+
+data "local_file" "manual_sync_exist_status" {
+  count    = var.run_manual_sync && fileexists("${var.path_to_scripts}/exitstatus") ? 1 : 0
+  filename = "${var.path_to_scripts}/exitstatus"
+  depends_on = [
+    azurerm_linux_function_app.vmss_orchestration_app_with_manual_sync[0]
+  ]
+}

modules/terraform-zscc-function-app-azure/outputs.tf

@@ -1,9 +1,24 @@
 output "function_app_id" {
   description = "Function App ID"
-  value       = azurerm_linux_function_app.vmss_orchestration_app.id
+  value       = var.run_manual_sync ? azurerm_linux_function_app.vmss_orchestration_app_with_manual_sync[0].id : azurerm_linux_function_app.vmss_orchestration_app[0].id
+}
+
+output "function_app_name" {
+  description = "Function App ID"
+  value       = "${var.name_prefix}-ccvmss-${var.resource_tag}-function-app"
 }
 
 output "function_app_outbound_ip_address_list" {
   description = "A list of outbound IP addresses used by the function"
-  value       = azurerm_linux_function_app.vmss_orchestration_app.outbound_ip_address_list
+  value       = var.run_manual_sync ? azurerm_linux_function_app.vmss_orchestration_app_with_manual_sync[0].outbound_ip_address_list : azurerm_linux_function_app.vmss_orchestration_app[0].outbound_ip_address_list
+}
+
+output "manual_sync_exit_status" {
+  description = "Exit status of the operation to manually sync the Azure Function App after deployment."
+  value       = var.run_manual_sync && fileexists("${path.module}/exitstatus") ? chomp(data.local_file.manual_sync_exist_status[0].content) : "0"
+}
+
+output "subscription_id" {
+  description = "Subscription ID."
+  value       = data.azurerm_subscription.current.subscription_id
 }

modules/terraform-zscc-function-app-azure/variables.tf

@@ -116,3 +116,15 @@ variable "log_analytics_retention_days" {
   description = "Log Analytics Workspace retention time in days."
   default     = 30
 }
+
+variable "run_manual_sync" {
+  type        = bool
+  description = "Set to True if you would like terraform to run the manual sync operation to start the Function App after creation. The alternative is to navigate to the Function App on the Azure Portal UI or to manually invoke the script yourself."
+  default     = true
+}
+
+variable "path_to_scripts" {
+  type        = string
+  description = "Path to script_directory"
+  default     = ""
+}