Azure Traffic Routing Automation - Smart Slot
Updated: May 15, 2025
Tags: Azure, Cloud Automation, Infrastructure Security, Automation Account, Runbook, Event Grid, App Service, Slot, Webhook, Managed Identity, RBAC, Scalability, Cloud Governance, High Availability
## Description
This Terraform-defined infrastructure deploys a set of Azure resources that automate traffic routing for web applications hosted on Azure App Service.
At its core is an **Automation Account** running a **PowerShell runbook**. An **Event Grid** subscription watches change events on the App Service (a tag update is a resource write) and calls the runbook's **Automation webhook**; the runbook then inspects the App Service's tags and, when a specific tag (e.g. `"maintenance"`) is present, routes traffic to a designated deployment slot (such as a maintenance or production slot). The runbook calls Azure with the Automation Account's **managed identity**, so no credentials are stored in the account.
The architecture also adds isolation controls (a virtual network, a dedicated private-endpoint subnet, a private DNS zone, a private endpoint and a network security group) so that communication among components stays on private addressing. One caveat a deployer should keep in mind: an Automation webhook URL embeds its token and is the endpoint's only authentication, so anyone who obtains the URL can start the runbook; treat the webhook `uri` (which Terraform also writes to its state) as a secret.

> ✅ *terraform apply: successful*.
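As an added example (not the template's own runbook, which this page does not include), the PowerShell below implements the flow described above: it reads the Event Grid event out of `$WebhookData`, refuses any event outside the expected subscription and resource group (whoever holds the webhook URL can POST arbitrary JSON, so the payload is not trusted), signs in with the managed identity, reads the App Service tags, and then adds, updates or removes an App Service traffic routing rule with the Az.Websites `*-AzWebAppTrafficRouting` cmdlets. Using a routing rule (rather than a slot swap) is this example's choice of "redirect traffic to the slot". It assumes the event subscription uses the Event Grid schema (the provider default; CloudEvents field names differ) and that `Az.Accounts` and `Az.Websites` are imported into the Automation Account; the subscription ID, resource group and rule name are placeholders.

```powershell
<#
  Added example runbook (not the template's own). It reacts to an Event Grid
  ResourceWriteSuccess event delivered through the Automation webhook and keeps
  a traffic routing rule pointing at the maintenance slot for as long as the
  App Service carries the "maintenance" tag. Values marked ASSUMPTION are
  placeholders for your deployment.
#>
param(
    [Parameter(Mandatory = $false)]
    [object] $WebhookData
)

$ErrorActionPreference = 'Stop'

$ExpectedSubscriptionId = '00000000-0000-0000-0000-000000000000'  # ASSUMPTION: your subscription
$ExpectedResourceGroup  = 'rg-automaintenance-prod'               # ASSUMPTION: the app resource group
$MaintenanceTag         = 'maintenance'                           # tag that switches routing
$MaintenanceSlot        = 'maintenance'                           # matches var.slot_name
$RuleName               = 'maintenance-routing'                   # ASSUMPTION: routing rule name

# The webhook URL is a bearer secret: anyone holding it can POST arbitrary JSON,
# so validate the payload before touching any resource.
if (-not $WebhookData) {
    throw 'No WebhookData: this runbook must be started by its Event Grid webhook.'
}

# Event Grid posts a JSON array of events in the request body (Event Grid schema).
$events = @($WebhookData.RequestBody | ConvertFrom-Json)
$target = $events |
    Where-Object { $_.eventType -eq 'Microsoft.Resources.ResourceWriteSuccess' } |
    Where-Object { $_.data.operationName -eq 'Microsoft.Web/sites/write' } |
    Select-Object -First 1

if (-not $target) {
    Write-Output 'No App Service write event in payload; nothing to do.'
    return
}

# Parse the ARM resource ID instead of trusting any name carried in the event.
$pattern = '^/subscriptions/(?<sub>[^/]+)/resourceGroups/(?<rg>[^/]+)/providers/Microsoft\.Web/sites/(?<app>[^/]+)$'
if ($target.data.resourceUri -match $pattern) {
    $sub = $Matches.sub; $rg = $Matches.rg; $app = $Matches.app
} else {
    throw "Unexpected resourceUri: $($target.data.resourceUri)"
}
if ($sub -ne $ExpectedSubscriptionId -or $rg -ne $ExpectedResourceGroup) {
    throw "Event is outside the allowed scope ($sub/$rg); refusing."
}

# Authenticate as the Automation Account's managed identity (no stored credentials).
Connect-AzAccount -Identity | Out-Null

$site = Get-AzWebApp -ResourceGroupName $rg -Name $app
$inMaintenance = ($null -ne $site.Tags) -and ($site.Tags.Keys -contains $MaintenanceTag)

# Existing rule, if any (null when absent).
$rule = Get-AzWebAppTrafficRouting -ResourceGroupName $rg -WebAppName $app `
    -RuleName $RuleName -ErrorAction SilentlyContinue

if ($inMaintenance) {
    $slot = Get-AzWebAppSlot -ResourceGroupName $rg -Name $app -Slot $MaintenanceSlot
    $params = @{
        ResourceGroupName = $rg
        WebAppName        = $app
        RuleName          = $RuleName
        ActionHostName    = $slot.DefaultHostName   # e.g. <app>-maintenance.azurewebsites.net
        ReroutePercentage = 100
    }
    if ($rule) { Update-AzWebAppTrafficRouting @params } else { Add-AzWebAppTrafficRouting @params }
    Write-Output "Tag '$MaintenanceTag' present: 100% of traffic routed to slot '$MaintenanceSlot'."
}
elseif ($rule) {
    Remove-AzWebAppTrafficRouting -ResourceGroupName $rg -WebAppName $app -RuleName $RuleName
    Write-Output "Tag '$MaintenanceTag' absent: routing rule removed, traffic back on production."
}
else {
    Write-Output "Tag '$MaintenanceTag' absent and no routing rule present; nothing to do."
}
```

The scope check is deliberately redundant with the Event Grid subscription's own scope: the subscription decides which events are delivered, but the runbook cannot tell a genuine Event Grid delivery from a hand-crafted POST to a leaked webhook URL, so it re-derives the target from the resource ID and rejects anything it was not deployed to manage.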
## Architecture components
| **Resource** | **Resource Type** | **Description** |
|-------------------------------------|------------------------------------------------------|--------------------------------------------------------------|
| **Virtual Network** | `azurerm_virtual_network` | Defines a private network for Azure resources |
| **Subnet for Private Endpoint** | `azurerm_subnet` | Subnet dedicated to private endpoints |
| **Automation Account** | `azurerm_automation_account` | Manages automation workflows and runbooks in Azure |
| **Runbook** | `azurerm_automation_runbook` | Scripted process for automation tasks in Azure |
| **Private DNS Zone** | `azurerm_private_dns_zone` | Defines a DNS zone for private name resolution in Azure |
| **DNS Zone VNet Link** | `azurerm_private_dns_zone_virtual_network_link` | Links a private DNS zone to a virtual network |
| **Private Endpoint** | `azurerm_private_endpoint` | Connects Azure resources to a private virtual network |
| **Private DNS A Record** | `azurerm_private_dns_a_record` | Creates a private DNS A record for name resolution |
| **Network Security Group (NSG)** | `azurerm_network_security_group` | Controls inbound and outbound traffic to Azure resources |
| **Application Resource Group** | `azurerm_resource_group` | Logical container for managing Azure resources |
| **App Service Plan** | `azurerm_app_service_plan` | Defines compute resources for hosting an App Service |
| **App Service** | `azurerm_app_service` | Hosts web applications and APIs in Azure |
| **App Service Slot** | `azurerm_app_service_slot` | Deployment slot for staging and testing applications |
| **Event Grid Subscription** | `azurerm_eventgrid_event_subscription` | Delivers App Service change events to the Automation webhook |
| **Automation Webhook** | `azurerm_automation_webhook` | Lets Event Grid start the runbook over HTTPS; the URL embeds its token and is the only authentication, so the `uri` (also stored in Terraform state) is a secret |
| **Role Assignments** | `azurerm_role_assignment` | Assigns Azure roles and permissions to resources |
## Requirements
| **Name** | **Configuration** |
|-----------------------|-----------------------------------------------------------------------------------|
| Terraform | Any version that supports the provider constraint below |
| Provider | Azure RM (`hashicorp/azurerm`) |
| Provider Version | >= 3.88.0 and < 4.0 (the `azurerm_app_service`, `azurerm_app_service_plan` and `azurerm_app_service_slot` resources used here were removed in 4.0) |
| Access | Service principal with Contributor on the target scope plus a role that can write role assignments (Owner or User Access Administrator); Contributor alone cannot create the `azurerm_role_assignment` resources |
| Variables | Define custom variables (e.g., `var.app_name`, `var.env`, `var.location`, `var.tags`)|
| Source Control | Configure repository using `var.repo_url` and `var.repo_branch` |
| Managed Identity | Managed identity of the Automation Account; the runbook uses it to call Azure, so no credentials are stored in the account |
| Role Assignments | Reader, Website Contributor, Automation Contributor, granted to the Automation Account's managed identity; scope them to the resource groups the runbook manages rather than the subscription |
| Virtual Network | Dedicated VNet and subnet with defined address spaces |
| Network Security Group| Configured to secure the Private Endpoint subnet |
| Private Endpoint | Configured with a Private DNS Zone for secure internal communications |
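To check the least-privilege point in the table above after `terraform apply`, the following PowerShell (an added example, not part of the template) lists every role assignment held by the Automation Account's managed identity and flags any role outside the three the template needs, or any scope that is not one of the two resource groups (or a resource inside them). It assumes an Az session already exists in the target subscription; the resource group and account names are placeholders.

```powershell
<#
  Added example (not part of the template): audit the Automation Account's
  managed identity against the roles the template grants and the scopes it
  should be limited to. Names marked ASSUMPTION are placeholders.
#>
function Test-RunbookIdentityLeastPrivilege {
    param(
        [string] $AutomationResourceGroup = 'rg-automation-prod',       # ASSUMPTION
        [string] $AutomationAccountName   = 'aa-automaintenance-prod',  # ASSUMPTION
        [string] $AppResourceGroup        = 'rg-automaintenance-prod'   # ASSUMPTION
    )
    $ErrorActionPreference = 'Stop'
    $allowedRoles = @('Reader', 'Website Contributor', 'Automation Contributor')

    # Resolve the identity's object ID from the Automation Account resource.
    $account = Get-AzResource -ResourceGroupName $AutomationResourceGroup -Name $AutomationAccountName `
        -ResourceType 'Microsoft.Automation/automationAccounts'
    $principalId = $account.Identity.PrincipalId
    if (-not $principalId) { throw "Automation Account '$AutomationAccountName' has no managed identity." }

    $subscriptionId = (Get-AzContext).Subscription.Id
    # The only scopes the runbook has a reason to act on.
    $allowedScopes = @(
        "/subscriptions/$subscriptionId/resourceGroups/$AppResourceGroup",
        "/subscriptions/$subscriptionId/resourceGroups/$AutomationResourceGroup"
    )

    # Get-AzRoleAssignment -ObjectId also returns assignments inherited from
    # broader scopes, which is exactly what should be caught here.
    foreach ($ra in Get-AzRoleAssignment -ObjectId $principalId) {
        $issues = @()
        if ($ra.RoleDefinitionName -notin $allowedRoles) {
            $issues += "role '$($ra.RoleDefinitionName)' is not one the template needs"
        }
        # Scope is acceptable when it equals an allowed resource group or lies beneath one.
        $within = $allowedScopes | Where-Object { $ra.Scope -eq $_ -or $ra.Scope -like "$_/*" }
        if (-not $within) {
            $issues += "scope '$($ra.Scope)' is broader than, or outside, the two resource groups"
        }
        [pscustomobject]@{
            Role   = $ra.RoleDefinitionName
            Scope  = $ra.Scope
            Issues = ($issues -join '; ')
        }
    }
}

# Usage: print the table and warn if anything needs tightening.
$report = Test-RunbookIdentityLeastPrivilege
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Issues }) {
    Write-Warning 'Managed identity holds roles or scopes beyond what the runbook requires.'
}
```

A subscription-scoped Website Contributor assignment would show up here with an empty `Role` issue but a scope finding, which is the common over-grant: the runbook only ever needs to change one App Service, so the assignment belongs on the application resource group (or the site itself).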
## How to use the architecture
Clone the architecture and modify the following variables according to your needs:
## Variables and Default Values
| **Variable** | **Default Value** | **Description** |
|---------------------------|---------------------------------------------------------------------------------|-----------------------------------------------------------|
| `ac_sku_name` | `"Free"` | SKU type for the automation account |
| `app_name` | `"AutoMaintenance"` | Name of the deployed application |
| `asp_sku_size` | `"S1"` | Size of the App Service Plan |
| `asp_sku_tier` | `"Standard"` | SKU tier of the App Service Plan |
| `env` | `"prod"` | Deployment environment (e.g., dev, staging, prod) |
| `location` | `"East US"` | Azure region where resources are deployed |
| `location_short` | `"eastus"` | Abbreviation of the Azure region |
| `nsg_snet_pep_name` | `"nsg_snet_pep_ac"` | Name of the network security group for the subnet |
| `pv_dns_zone_link_name` | `"private_link_automation"` | Name of the private DNS zone link |
| `repo_branch` | `"master"` | Git repository branch used for deployment |
| `repo_url` | `"https://github.com/Azure-Samples/app-service-web-nodejs-get-started.git"` | Git repository URL for the source code |
| `runbook_name` | `"maintenance"` | Name of the automation runbook |
| `service_connection_name`| `"psc-automation-account"` | Name of the private service connection for automation |
| `slot_name` | `"maintenance"` | Name of the deployment slot in the App Service |
| `snet_pep_adress_space` | `"10.0.1.16/28"` | IP address range for the private endpoint subnet |
| `vnet_app_adress_space` | `"10.0.1.0/25"` | IP address range for the virtual network |
| `tags` | `{ archuuid = "6f0bb22a-167a-473b-bad0-9626959fb837", env = "Development" }` | Tags associated with the Azure resources |
**N.B.:**
- Feel free to remove the resources that are not relevant to your use case.
- Some variables have default values; change them if they do not fit your deployment. In particular, the default `tags.env` is `"Development"` while `env` defaults to `"prod"`, so align the two before applying.
## Maintainer(s)
You can reach out to these maintainers if you need help or assistance:
- [Brainboard team](mailto:support@brainboard.co)