Add Elastic Stack CRDs, ingress, and secret configurations

Introduced Kubernetes configurations for Elastic Stack components. Includes CustomResourceDefinitions (CRDs) for Elastic Operator, ingress rules for Kibana, Elasticsearch, and APM, and a SecretProviderClass for secure storage integration. These files facilitate the deployment and management of Elastic services in a Kubernetes environment.

app_service/README.md

@@ -0,0 +1,133 @@
+# App service
+
+This module allow the creation of an app service.
+In terraform output you can get the the app service's name and id.
+
+## How to use it
+Use the example Terraform template, saved in `./tests`, to test this module and get some advices.
+
+## How to migrate from `azurerm_app_service` to `azurerm_linux_web_app`
+The script tests/migrate.sh will remove and import the deprecated resources as new ones.
+You need to know the resource old and new names.
+```
+e.g.
+# app_service resources to migrate
+cd tests
+./migrate.sh module.web_app_service_docker.azurerm_app_service.this module.web_app_service_docker.azurerm_linux_web_app.this
+./migrate.sh azurerm_app_service_plan.app_docker azurerm_service_plan.app_docker
+
+# app_service_slot resource to migrate
+./migrate.sh module.web_app_service_slot_docker.azurerm_app_service_slot.this module.web_app_service_slot_docker.azurerm_linux_web_app_slot.this
+```
+
+## Note about migrating from `azurerm_app_service` to `azurerm_linux_web_app`
+
+Since the resource `azurerm_app_service` has been deprecated in version 3.0 of the AzureRM provider, the newer `azurerm_linux_web_app` resource is used in this module, thus the following variables have been:
+
+removed:
+- os_type
+- app_service_plan_info/sku_tier
+- linux_fx_version
+- app_service_plan_id
+- plan_kind
+
+replaced:
+- min_tls_version -> minimum_tls_version
+- client_cert_enabled -> client_certificate_enabled
+
+## How to configure the Linux framework
+
+Don't use `linux_fx_version` anymore.
+Now you need to specify **only** one variable of the following list:
+- docker - (Optional) One or more docker blocks as defined below.
+- dotnet_version - (Optional) The version of .NET to use. Possible values include 3.1, 6.0 and 7.0.
+- use_dotnet_isolated_runtime - (Optional) Should the DotNet process use an isolated runtime. Defaults to false.
+- java_version - (Optional) The Version of Java to use. Supported versions include 8, 11 & 17 (In-Preview).
+- node_version - (Optional) The version of Node to run. Possible values include 12, 14, 16 and 18.
+- python_version - (Optional) The version of Python to run. Possible values are 3.10, 3.9, 3.8 and 3.7.
+- powershell_core_version - (Optional) The version of PowerShell Core to run. Possible values are 7, and 7.2.
+- use_custom_runtime - (Optional) Should the Linux Function App use a custom runtime?
+
+Of course, the values listed above may change in the future, so please check which ones are still valid.
+
+<!-- markdownlint-disable -->
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 4 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_app_service_virtual_network_swift_connection.app_service_virtual_network_swift_connection](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_virtual_network_swift_connection) | resource |
+| [azurerm_linux_web_app.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_web_app) | resource |
+| [azurerm_service_plan.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_plan) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_allowed_ips"></a> [allowed\_ips](#input\_allowed\_ips) | (Optional) List of ips allowed to call the appserver endpoint. | `list(string)` | `[]` | no |
+| <a name="input_allowed_service_tags"></a> [allowed\_service\_tags](#input\_allowed\_service\_tags) | (Optional) List of service tags allowed to call the appserver endpoint. | `list(string)` | `[]` | no |
+| <a name="input_allowed_subnets"></a> [allowed\_subnets](#input\_allowed\_subnets) | (Optional) List of subnet allowed to call the appserver endpoint. | `list(string)` | `[]` | no |
+| <a name="input_always_on"></a> [always\_on](#input\_always\_on) | (Optional) Should the app be loaded at all times? Defaults to false. | `bool` | `false` | no |
+| <a name="input_app_command_line"></a> [app\_command\_line](#input\_app\_command\_line) | (Optional) App command line to launch, e.g. /sbin/myserver -b 0.0.0.0. | `string` | `null` | no |
+| <a name="input_app_settings"></a> [app\_settings](#input\_app\_settings) | n/a | `map(string)` | `{}` | no |
+| <a name="input_auto_heal_enabled"></a> [auto\_heal\_enabled](#input\_auto\_heal\_enabled) | (Optional) True to enable the auto heal on the app service | `bool` | `false` | no |
+| <a name="input_auto_heal_settings"></a> [auto\_heal\_settings](#input\_auto\_heal\_settings) | (Optional) Auto heal settings | <pre>object({<br/>    startup_time           = string<br/>    slow_requests_count    = number<br/>    slow_requests_interval = string<br/>    slow_requests_time     = string<br/>  })</pre> | `null` | no |
+| <a name="input_client_affinity_enabled"></a> [client\_affinity\_enabled](#input\_client\_affinity\_enabled) | (Optional) Should the App Service send session affinity cookies, which route client requests in the same session to the same instance? Defaults to false. | `bool` | `false` | no |
+| <a name="input_client_cert_enabled"></a> [client\_cert\_enabled](#input\_client\_cert\_enabled) | (Optional) Does the App Service require client certificates for incoming requests? Defaults to false. | `bool` | `false` | no |
+| <a name="input_docker_image"></a> [docker\_image](#input\_docker\_image) | Framework choice | `string` | `null` | no |
+| <a name="input_docker_image_tag"></a> [docker\_image\_tag](#input\_docker\_image\_tag) | n/a | `string` | `null` | no |
+| <a name="input_dotnet_version"></a> [dotnet\_version](#input\_dotnet\_version) | n/a | `string` | `null` | no |
+| <a name="input_ftps_state"></a> [ftps\_state](#input\_ftps\_state) | (Optional) Enable FTPS connection ( Default: Disabled ) | `string` | `"Disabled"` | no |
+| <a name="input_go_version"></a> [go\_version](#input\_go\_version) | n/a | `string` | `null` | no |
+| <a name="input_health_check_maxpingfailures"></a> [health\_check\_maxpingfailures](#input\_health\_check\_maxpingfailures) | Max ping failures allowed | `number` | `null` | no |
+| <a name="input_health_check_path"></a> [health\_check\_path](#input\_health\_check\_path) | (Optional) The health check path to be pinged by App Service. | `string` | `null` | no |
+| <a name="input_https_only"></a> [https\_only](#input\_https\_only) | (Optional) Can the App Service only be accessed via HTTPS? Defaults to true. | `bool` | `true` | no |
+| <a name="input_ip_restriction_default_action"></a> [ip\_restriction\_default\_action](#input\_ip\_restriction\_default\_action) | The Default action for traffic that does not match any ip\_restriction rule. possible values include Allow and Deny. | `string` | n/a | yes |
+| <a name="input_java_server"></a> [java\_server](#input\_java\_server) | n/a | `string` | `null` | no |
+| <a name="input_java_server_version"></a> [java\_server\_version](#input\_java\_server\_version) | n/a | `string` | `null` | no |
+| <a name="input_java_version"></a> [java\_version](#input\_java\_version) | n/a | `string` | `null` | no |
+| <a name="input_location"></a> [location](#input\_location) | (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `string` | `"westeurope"` | no |
+| <a name="input_name"></a> [name](#input\_name) | (Required) Specifies the name of the App Service. Changing this forces a new resource to be created. | `string` | n/a | yes |
+| <a name="input_node_version"></a> [node\_version](#input\_node\_version) | n/a | `string` | `null` | no |
+| <a name="input_php_version"></a> [php\_version](#input\_php\_version) | n/a | `string` | `null` | no |
+| <a name="input_plan_id"></a> [plan\_id](#input\_plan\_id) | (Optional only if plan\_type=internal) Specifies the external app service plan id. | `string` | `null` | no |
+| <a name="input_plan_maximum_elastic_worker_count"></a> [plan\_maximum\_elastic\_worker\_count](#input\_plan\_maximum\_elastic\_worker\_count) | (Optional) The maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | `number` | `null` | no |
+| <a name="input_plan_name"></a> [plan\_name](#input\_plan\_name) | (Optional) Specifies the name of the App Service Plan component. Changing this forces a new resource to be created. | `string` | `null` | no |
+| <a name="input_plan_per_site_scaling"></a> [plan\_per\_site\_scaling](#input\_plan\_per\_site\_scaling) | (Optional) Can Apps assigned to this App Service Plan be scaled independently? If set to false apps assigned to this plan will scale to all instances of the plan. Defaults to false. | `bool` | `false` | no |
+| <a name="input_plan_type"></a> [plan\_type](#input\_plan\_type) | (Required) Specifies if app service plan is external or internal | `string` | `"internal"` | no |
+| <a name="input_public_network_access_enabled"></a> [public\_network\_access\_enabled](#input\_public\_network\_access\_enabled) | (Optional) Should public network access be enabled for the App Service. Defaults to true. | `bool` | `true` | no |
+| <a name="input_python_version"></a> [python\_version](#input\_python\_version) | n/a | `string` | `null` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Required) The name of the resource group in which to create the App Service and App Service Plan. | `string` | n/a | yes |
+| <a name="input_ruby_version"></a> [ruby\_version](#input\_ruby\_version) | n/a | `string` | `null` | no |
+| <a name="input_sku_name"></a> [sku\_name](#input\_sku\_name) | (Required) The SKU for the plan. | `string` | `null` | no |
+| <a name="input_sticky_settings"></a> [sticky\_settings](#input\_sticky\_settings) | (Optional) A list of app\_setting names that the Linux Function App will not swap between Slots when a swap operation is triggered | `list(string)` | `[]` | no |
+| <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id) | (Optional) Subnet id wether you want to integrate the app service to a subnet. | `string` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | n/a | `map(any)` | n/a | yes |
+| <a name="input_use_32_bit_worker_process"></a> [use\_32\_bit\_worker\_process](#input\_use\_32\_bit\_worker\_process) | (Optional) Should the Function App run in 32 bit mode, rather than 64 bit mode? Defaults to false. | `bool` | `false` | no |
+| <a name="input_vnet_integration"></a> [vnet\_integration](#input\_vnet\_integration) | (optional) enable vnet integration. Wheter it's true the subnet\_id should not be null. | `bool` | `false` | no |
+| <a name="input_zone_balancing_enabled"></a> [zone\_balancing\_enabled](#input\_zone\_balancing\_enabled) | (Optional) Should the Service Plan balance across Availability Zones in the region. Changing this forces a new resource to be created. If this setting is set to true and the worker\_count value is specified, it should be set to a multiple of the number of availability zones in the region. Please see the Azure documentation for the number of Availability Zones in your region. | `bool` | `false` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_custom_domain_verification_id"></a> [custom\_domain\_verification\_id](#output\_custom\_domain\_verification\_id) | n/a |
+| <a name="output_default_site_hostname"></a> [default\_site\_hostname](#output\_default\_site\_hostname) | n/a |
+| <a name="output_id"></a> [id](#output\_id) | n/a |
+| <a name="output_name"></a> [name](#output\_name) | n/a |
+| <a name="output_plan_id"></a> [plan\_id](#output\_plan\_id) | n/a |
+| <a name="output_plan_name"></a> [plan\_name](#output\_plan\_name) | n/a |
+| <a name="output_principal_id"></a> [principal\_id](#output\_principal\_id) | n/a |
+| <a name="output_resource_group_name"></a> [resource\_group\_name](#output\_resource\_group\_name) | n/a |
+<!-- END_TF_DOCS -->

app_service/docs/module-arch.drawio

@@ -0,0 +1 @@
+<mxfile host="Electron" modified="2022-02-05T17:50:38.342Z" agent="5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/16.5.1 Chrome/96.0.4664.110 Electron/16.0.7 Safari/537.36" version="16.5.1" etag="Ua514yKN4BHx_ESaPj8N" type="device"><diagram id="9A2pzYOPz7P9K7geToaf" name="Page-1">7Vlbc+I2FP41PIbxBRvySEhoO013mTLdNk8ZYQtbjWx5JZlLfn2PZPkOKd11U7qzZAasT7Klc853Ph05I3eRHH7gKIt/YSGmI8cKDyP3fuQ49sTx4UchxwKZeU4BRJyEZlANrMkrNqBl0JyEWLQGSsaoJFkbDFia4kC2MMQ527eHbRltz5qhCPeAdYBoH/2dhDI2VjjTGv8RkyguZ7b926InQeVgY4mIUcj2Dch9GLkLzpgsrpLDAlPlvNIvxX3LM73VwjhO5SU3bD7fHI5P9rPz2z1Jbn+ef35cPN3YJhpCHkuLcQgOME3GZcwiliL6UKN3nOVpiNVjLWiJFywDZaoNjfqGR8YyA/6JpTya0KJcMoBimVDTC8vnxz/Uw8aW7ZfAkwbs2awE7g9mvqJ1bLZWmJMES8wNuGWpXKKEUDVqzoOYSOCGADthfoiVGqgHrVnOA7WsWEoglOO5c/gCF6ovNUCMI8YiilFGxDhgie4IhB663BZTwGVrEs+5605T2G5rYw5EFtZO3LKtjLXBete0a1tV49hodC0Ncr7TkSg8Gc4V5aEZEB7oWAG2JJSa4UWwVYTPkshAovTMOeYY4kjEIyzfYphdcR1EAjNYPQefWRxTJMmuvRBksjWqxtWEhgvD6X/Ab7PKHaK5mWmeZQCsMd8RsK9L/orMyltIZIWkbMlBObnJ2owRYIe6ybsbefdqNCVRqlwPrtSRJ4nWlh4DDA6rjMAmSjbKMhEgWM0SVvds1ibGYhddGZkp2mC6YoJIwlq27jCXBFTzsTNAKhGoeufGRRsmJUxf8lF148PbjOwTqLxhavTVbDAOZJVu7xtybYbEDaUuscEp5/Uo15fYOlFTliqOhEjEVR43aKbwFZLg5FQjjqU0QkjOXqr9yOlJ8qVp3ndqw2neCaeV2MXJa2ZYqWypYzaZtGPmW51gFOpj7mruaX/zoEnnOYU69Z6j41pZ/eWh9nuhxgcVKkS1jworRF9kYpSpy4wz6Ial3u1Vvq0zpNN3D5VUmwUbFLxEOsQfc0lJig1eR93ubsRbEP0Fo4zrKd2tp/6MUDTw4lNRqtHj68+V6U9XSgfQj8nsNIUamVBhzVToUm0w/Sgr3zMlGZhF5PFXnYAsfYeyDAoTx2uXZe63VpQNWBdNL6yLnP+yLJr2hEseQZLgBKEa1oNRsb50vWNJhF5zjpWdCGoiYWqidon0vKIoLeukt8Twiqg3gGR5fluybL+vWf6kL1klNjidbgdRrK87O97WR8VCpCbf3tmxReoBNWv2f9AsOB13Retjphilqq0T9NNHkTZdenrUPZgkJAwLZmJBXtFGP886qW3d2FzEm7PJb15fmRlH1UujZjTPp95ZpbixxvbE9VpqceMOUsOX7/HKY5fXfgDbbgX+V4ruWY8GIt+kai6fSlUsc7iK1NWnDwq1YNk44lp8rmI/g7XuGX8hqer7RLjMEX3+UIDfNzP31GY2fc/62367OPopLY94V8Cl77VRh06u1TnOef3XQQPVRtCs394X6lb/D8R9+As=</diagram></mxfile>

app_service/main.tf

@@ -0,0 +1,156 @@
+locals {
+  allowed_ips     = [for ip in var.allowed_ips : { ip_address = ip, virtual_network_subnet_id = null }]
+  allowed_subnets = [for s in var.allowed_subnets : { ip_address = null, virtual_network_subnet_id = s }]
+  ip_restrictions = concat(local.allowed_subnets, local.allowed_ips)
+}
+
+resource "azurerm_service_plan" "this" {
+  count = var.plan_type == "internal" ? 1 : 0
+
+  name                = var.plan_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  sku_name = var.sku_name
+  os_type  = "Linux"
+
+  maximum_elastic_worker_count = var.plan_maximum_elastic_worker_count
+  per_site_scaling_enabled     = var.plan_per_site_scaling
+
+  zone_balancing_enabled = var.zone_balancing_enabled
+
+  tags = var.tags
+}
+
+resource "azurerm_linux_web_app" "this" {
+  name                = var.name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  service_plan_id               = var.plan_type == "internal" ? azurerm_service_plan.this[0].id : var.plan_id
+  https_only                    = var.https_only
+  public_network_access_enabled = var.public_network_access_enabled
+  #tfsec:ignore:azure-appservice-require-client-cert
+  client_certificate_enabled = var.client_cert_enabled
+  client_affinity_enabled    = var.client_affinity_enabled
+
+  # https://docs.microsoft.com/en-us/azure/azure-functions/functions-app-settings
+  app_settings = merge(
+    {
+      # https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16
+      WEBSITE_DNS_SERVER = "168.63.129.16"
+      # https://docs.microsoft.com/en-us/azure/azure-monitor/app/sampling
+      APPINSIGHTS_SAMPLING_PERCENTAGE = 5
+    },
+    var.app_settings,
+  )
+  site_config {
+    always_on         = var.always_on
+    use_32_bit_worker = var.use_32_bit_worker_process
+    application_stack {
+      docker_image_name = "${var.docker_image}:${var.docker_image_tag}"
+
+      dotnet_version      = var.dotnet_version
+      python_version      = var.python_version
+      go_version          = var.go_version
+      java_server         = var.java_server
+      java_server_version = var.java_server_version
+      java_version        = var.java_version
+      node_version        = var.node_version
+      php_version         = var.php_version
+      ruby_version        = var.ruby_version
+    }
+    app_command_line       = var.app_command_line
+    minimum_tls_version    = "1.2"
+    ftps_state             = var.ftps_state
+    vnet_route_all_enabled = var.subnet_id == null ? false : true
+
+    health_check_path                 = var.health_check_path != null ? var.health_check_path : null
+    health_check_eviction_time_in_min = var.health_check_path != null ? var.health_check_maxpingfailures : null
+
+    http2_enabled = true
+
+    ip_restriction_default_action = var.ip_restriction_default_action
+
+    dynamic "ip_restriction" {
+      for_each = var.allowed_subnets
+      iterator = subnet
+
+      content {
+        ip_address                = null
+        virtual_network_subnet_id = subnet.value
+        name                      = "rule"
+      }
+    }
+
+    dynamic "ip_restriction" {
+      for_each = local.ip_restrictions
+      iterator = ip
+
+      content {
+        ip_address                = ip.value.ip_address
+        virtual_network_subnet_id = ip.value.virtual_network_subnet_id
+        name                      = "rule"
+      }
+    }
+
+    dynamic "ip_restriction" {
+      for_each = var.allowed_service_tags
+      iterator = st
+
+      content {
+        service_tag = st.value
+        name        = "rule"
+      }
+    }
+
+    dynamic "auto_heal_setting" {
+      for_each = var.auto_heal_enabled ? [1] : []
+      content {
+        action {
+          action_type                    = "Recycle"
+          minimum_process_execution_time = var.auto_heal_settings.startup_time
+        }
+        trigger {
+          slow_request {
+            count      = var.auto_heal_settings.slow_requests_count
+            interval   = var.auto_heal_settings.slow_requests_interval
+            time_taken = var.auto_heal_settings.slow_requests_time
+          }
+        }
+      }
+    }
+  }
+
+  # Managed identity
+  identity {
+    type = "SystemAssigned"
+  }
+
+  lifecycle {
+    ignore_changes = [
+      app_settings["DOCKER_CUSTOM_IMAGE_NAME"],
+      virtual_network_subnet_id,
+      app_settings["WEBSITE_HEALTHCHECK_MAXPINGFAILURES"],
+      tags["hidden-link: /app-insights-conn-string"],
+      tags["hidden-link: /app-insights-instrumentation-key"],
+      tags["hidden-link: /app-insights-resource-id"]
+    ]
+  }
+
+  dynamic "sticky_settings" {
+    for_each = length(var.sticky_settings) == 0 ? [] : [1]
+    content {
+      app_setting_names = var.sticky_settings
+    }
+  }
+
+  tags = var.tags
+}
+
+resource "azurerm_app_service_virtual_network_swift_connection" "app_service_virtual_network_swift_connection" {
+  count = var.vnet_integration ? 1 : 0
+
+  app_service_id = azurerm_linux_web_app.this.id
+  subnet_id      = var.subnet_id
+}

app_service/outputs.tf

@@ -0,0 +1,31 @@
+output "id" {
+  value = azurerm_linux_web_app.this.id
+}
+
+output "resource_group_name" {
+  value = azurerm_linux_web_app.this.resource_group_name
+}
+
+output "name" {
+  value = azurerm_linux_web_app.this.name
+}
+
+output "plan_id" {
+  value = var.plan_type == "internal" ? azurerm_service_plan.this[0].id : var.plan_id
+}
+
+output "plan_name" {
+  value = var.plan_type == "internal" ? azurerm_service_plan.this[0].name : null
+}
+
+output "default_site_hostname" {
+  value = azurerm_linux_web_app.this.default_hostname
+}
+
+output "principal_id" {
+  value = azurerm_linux_web_app.this.identity[0].principal_id
+}
+
+output "custom_domain_verification_id" {
+  value = azurerm_linux_web_app.this.custom_domain_verification_id
+}

app_service/tests/README.md

@@ -0,0 +1,9 @@
+# Test for Azure the app_service module
+
+Terraform template to test the Azure function_app module
+
+
+## How to use it
+- terraform init
+- terraform plan
+- terraform apply

app_service/tests/backend.ini

@@ -0,0 +1 @@
+subscription=DevOpsLab