Merge pull request #3 from cds-snc/feat/add_open_ai_terraform_code

Adding module to create open-ai keys and setting up repo

.devcontainer/devcontainer.json

@@ -0,0 +1,47 @@
+{
+	"image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04@sha256:167e522ad50971b29dda8c09faac30562fce5a7596f1aba765995728985184b8",
+	"features": {
+		"ghcr.io/devcontainers/features/azure-cli:1": {
+			"installBicep": true
+		},
+		"ghcr.io/devcontainers/features/terraform:1": {
+			"installTFsec": true,
+			"installTerraformDocs": true
+		},
+		"ghcr.io/devcontainers-contrib/features/checkov:1": {
+			"version": "latest"
+		}
+	},
+	"customizations": {
+		// Configure properties specific to VS Code.
+		"vscode": {		
+			// Add the IDs of extensions you want installed when the container is created.
+			"extensions": [
+				"ms-vscode.azurecli",
+				"hashicorp.terraform",
+				"github.copilot",
+				"ms-azuretools.vscode-bicep",
+				"msazurermtools.azurerm-vscode-tools",
+				"mhutchie.git-graph",
+				"eamodio.gitlens",
+				"esbenp.prettier-vscode",
+				"timonwong.shellcheck",
+				"GitHub.copilot-chat",
+				"hashicorp.hcl"
+			],
+			// Set *default* container specific settings.json values on container create.
+			"settings": {
+				"terminal.integrated.defaultProfile.linux": "zsh", 
+				"terminal.integrated.profiles.linux": {
+					"zsh": {
+						"path": "/bin/zsh"
+					}
+				},
+				"[terraform]": {
+					"editor.formatOnSave": true
+				}
+			}
+		}
+	},
+	"postCreateCommand": "zsh .devcontainer/postCreateCommand.sh"
+}

.devcontainer/postCreateCommand.sh

@@ -0,0 +1,11 @@
+#!/bin/zsh
+
+touch /home/vscode/.zshrc 
+echo 'complete -C /usr/local/bin/terraform terraform' >> /home/vscode/.zshrc 
+echo 'complete -C /usr/local/bin/terraform terragrunt' >> /home/vscode/.zshrc 
+echo 'alias tf=\"terraform\"' >> /home/vscode/.zshrc 
+echo 'alias tg=\"terragrunt\"' >> /home/vscode/.zshrc 
+echo 'alias ll=\"ls -la\"' >> /home/vscode/.zshrc
+
+# Azure CLI login
+az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID

.github/workflows/tf_apply.yml

@@ -0,0 +1,47 @@
+name: "Terraform apply"
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "terragrunt/**"
+      - ".github/workflows/**"
+env:
+  TERRAFORM_VERSION: 1.9.8
+  TERRAGRUNT_VERSION: 0.68.2
+  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID}}
+  ARM_TF_STATE_SUBSCRIPTION_ID: ${{ secrets.ARM_TF_STATE_SUBSCRIPTION_ID}}
+  ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+  AZURE_RESOURCES_RESOURCE_GROUP_NAME: ${{ secrets.AZURE_RESOURCES_RESOURCE_GROUP_NAME}}
+  AZURE_RESOURCES_STORAGE_ACCOUNT_NAME: ${{ secrets.AZURE_RESOURCES_STORAGE_ACCOUNT_NAME}}
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  terragrunt-apply:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup Terraform Tools
+        uses: cds-snc/terraform-tools-setup@v1
+
+        # Log into Azure
+      - name: Azure Login using OIDC
+        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
+        with:
+          tenant-id: ${{ env.ARM_TENANT_ID }}
+          client-id: ${{ env.ARM_CLIENT_ID }}
+          subscription-id: ${{ env.ARM_TF_STATE_SUBSCRIPTION_ID}}
+
+      - name: Apply Terraform 
+        working-directory: terragrunt 
+        env:
+          ARM_USE_OIDC: true
+        run: |
+          terragrunt run-all init --terragrunt-non-interactive
+          terragrunt apply --terragrunt-non-interactive -auto-approve

.github/workflows/tf_plan.yml

@@ -0,0 +1,52 @@
+name: "Terraform plan"
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - "terragrunt/**"
+      - ".github/workflows/**"
+env:
+  TERRAFORM_VERSION: 1.9.8
+  TERRAGRUNT_VERSION: 0.68.2
+  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID}}
+  ARM_TF_STATE_SUBSCRIPTION_ID: ${{ secrets.ARM_TF_STATE_SUBSCRIPTION_ID}}
+  ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+  AZURE_RESOURCES_RESOURCE_GROUP_NAME: ${{ secrets.AZURE_RESOURCES_RESOURCE_GROUP_NAME}}
+  AZURE_RESOURCES_STORAGE_ACCOUNT_NAME: ${{ secrets.AZURE_RESOURCES_STORAGE_ACCOUNT_NAME}}
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  terraform-plan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup Terraform
+        uses: cds-snc/terraform-tools-setup@v1
+
+        # Log into Azure
+      - name: Azure Login using OIDC
+        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
+        with:
+          tenant-id: ${{ env.ARM_TENANT_ID }}
+          client-id: ${{ env.ARM_CLIENT_ID }}
+          subscription-id: ${{ env.ARM_TF_STATE_SUBSCRIPTION_ID}}
+
+      - name: Terraform plan
+        uses: cds-snc/terraform-plan@8986e57fae5b6758df6b977b9813b11622eac395 #v3.3.1
+        env:
+          ARM_USE_OIDC: true
+          RESOURCE_GROUP_NAME: ${{ env.AZURE_RESOURCES_RESOURCE_GROUP_NAME}}
+          STORAGE_ACCOUNT_NAME: ${{ env.AZURE_RESOURCES_STORAGE_ACCOUNT_NAME}}
+        with:
+          comment-delete: true
+          comment-title: Terraform Plan
+          plan-character-limit: 100000
+          directory: ./terragrunt
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          terragrunt: true

.gitignore

@@ -0,0 +1,75 @@
+# Source for .gitignore file: https://www.gitignore.io/api/terraform
+
+.*.sw?
+.idea
+terragrunt.iml
+vendor
+.terraform
+.vscode
+*.tfstate
+*.tfstate.backup
+*.out
+.terragrunt-cache
+.bundle
+.ruby-version
+.terraform.lock.hcl
+.DS_Store
+mocks/
+.go-version
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+!terragrunt/terraform.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+!example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+*/**/backend.tf
+backend.tf
+common_variables.tf
+provider.tf
+!terragrunt/common/provider.tf
+!terragrunt/common/common_variables.tf
+
+secrets.auto.tfvars
+debug.log
+creds.sh
+
+.tool-versions
+.DS_Store
+
+__pycache__
+
+local

README.md

@@ -1,10 +1,9 @@
-# Generic Project Template
+# CDS Repo to host terraform modules related to managing our azure infrastructure
 
-This repository provides some base files for setting up a repository at
-CDS. Plan is to create more project template for specific technologies:
+This repo is a collection of terraform modules and instantiations that are used to manage our azure infrastructure. 
 
-- project-template-terraform
-- project-template-python
-- project-template-nodejs
+Examples of the modules include:
+- gh_oidc - A module that creates an Azure AD application that can be used to authenticate users with GitHub using OIDC.
+- openai-azure - A module that creates and deploys the OpenAI GPT-4 API on it.
 
-Note that default community health files are maintained at https://github.com/cds-snc/.github 
+More documenation and resources coming up soon.

terragrunt/common/common_variables.tf

@@ -0,0 +1,26 @@
+variable "root_id" {
+  type    = string
+  default = "cds-snc"
+}
+
+variable "root_name" {
+  type    = string
+  default = "CDS-SNC"
+}
+
+variable "region" {
+  type    = string
+  default = "canadacentral"
+}
+
+variable "primary_location" {
+  type        = string
+  description = "Sets the location for \"primary\" resources to be created in."
+  default     = "canadacentral"
+}
+
+variable "secondary_location" {
+  type        = string
+  description = "Sets the location for \"secondary\" resources to be created in."
+  default     = "canadaeast"
+}

terragrunt/common/providers.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.107"
+    }
+    azapi = {
+      source  = "Azure/azapi"
+      version = ">= 1.13.1"
+    }
+  }
+}
+
+provider "azapi" {
+  use_msi = false
+}

terragrunt/modules/openai_api_key/main.tf

@@ -0,0 +1,61 @@
+# Define the provider configuration
+
+provider "azurerm" {
+  skip_provider_registration = true
+  features {}
+  subscription_id = var.subscription_id
+}
+
+# Get the current client configuration from the AzureRM provider.
+
+data "azurerm_client_config" "current" {}
+
+# This configuration generates a random string that is appended to resource names to ensure uniqueness, 
+# and then creates an Azure resource group and a Cognitive Services account of kind OpenAI. It conditionally 
+# uses user-supplied names or defaults to the random string, while also appending a user-defined prefix to the 
+# resource group name.
+
+# Create a random string to use in the resource group name
+resource "random_string" "azurerm_cognitive_account_name" {
+  length  = 7
+  lower   = true
+  numeric = false
+  special = false
+  upper   = false
+}
+
+# Resource group
+resource "azurerm_resource_group" "rg" {
+  name     = "${random_string.azurerm_cognitive_account_name.result}-${var.resource_group_name_prefix}"
+  location = var.resource_group_location
+}
+
+
+# Create the Azure Cognitive Services account with OpenAI kind
+resource "azurerm_cognitive_account" "openai" {
+  # if name is provided by the user, use it; otherwise, generate a random name
+  name                  = var.name != "" ? "${var.name}-${random_string.azurerm_cognitive_account_name.result}" : random_string.azurerm_cognitive_account_name.result
+  location              = azurerm_resource_group.rg.location
+  resource_group_name   = azurerm_resource_group.rg.name
+  custom_subdomain_name = var.custom_subdomain_name != "" ? "${var.custom_subdomain_name}-${random_string.azurerm_cognitive_account_name.result}" : random_string.azurerm_cognitive_account_name.result
+  kind                  = "OpenAI" # Specifies an OpenAI resource
+  sku_name              = var.sku  # SKU; adjust as needed
+}
+
+# Select and deploy the OpenAI model to the Cognitive Services account
+resource "azurerm_cognitive_deployment" "deployment" {
+  for_each = { for deployment in var.openai_deployments : deployment.name => deployment }
+
+  name                 = each.key
+  cognitive_account_id = azurerm_cognitive_account.openai.id
+
+  model {
+    format  = "OpenAI"
+    name    = each.value.model.name
+    version = each.value.model.version
+  }
+
+  scale {
+    type = "Standard"
+  }
+}

terragrunt/modules/openai_api_key/outputs.tf

@@ -0,0 +1,14 @@
+# Output the resource group name
+output "resource_group_name" {
+  value = azurerm_resource_group.rg.name
+}
+
+# output the Azure Cognitive Services account name
+output "azurerm_cognitive_account_id" {
+  value = azurerm_cognitive_account.openai.id
+}
+
+# ouptput the endpoint of the Azure Cognitive Services account
+output "azurerm_cognitive_account_endpoint" {
+  value = azurerm_cognitive_account.openai.endpoint
+}