feat: DTOSS 4393 Initial modules commit (#2)

* Initial modules commit

* renamed RBAC folder

Author: rfk-nc

infrastructure/modules/managed-identity/main.tf

@@ -0,0 +1,8 @@
+
+resource "azurerm_user_assigned_identity" "mi" {
+  name                = var.uai_name
+  resource_group_name = var.resource_group_name
+  location            = var.location
+
+  tags = var.tags
+}

infrastructure/modules/managed-identity/output.tf

@@ -0,0 +1,7 @@
+output "name" {
+  value = azurerm_user_assigned_identity.mi.name
+}
+
+output "id" {
+  value = azurerm_user_assigned_identity.mi.id
+}

infrastructure/modules/managed-identity/variables.tf

@@ -0,0 +1,20 @@
+variable "resource_group_name" {
+  type        = string
+  description = "The name of the resource group in which to create the VNET. Changing this forces a new resource to be created."
+}
+
+variable "location" {
+  type        = string
+  description = ""
+}
+
+variable "uai_name" {
+  type        = string
+  description = "The name of the user assigned identity."
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Resource tags to be applied throughout the deployment."
+  default     = {}
+}

infrastructure/modules/network-security-group/main.tf

@@ -0,0 +1,23 @@
+resource "azurerm_network_security_group" "this" {
+  name                = var.name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  # Dynamically create security rules from the variable
+  dynamic "security_rule" {
+    for_each = var.nsg_rules
+    content {
+      name                       = security_rule.value.name
+      priority                   = security_rule.value.priority
+      direction                  = security_rule.value.direction
+      access                     = security_rule.value.access
+      protocol                   = security_rule.value.protocol
+      source_port_range          = security_rule.value.source_port_range
+      destination_port_range     = security_rule.value.destination_port_range
+      source_address_prefix      = security_rule.value.source_address_prefix
+      destination_address_prefix = security_rule.value.destination_address_prefix
+    }
+  }
+
+  tags = var.tags
+}

infrastructure/modules/network-security-group/output.tf

@@ -0,0 +1,7 @@
+output "name" {
+  value = azurerm_network_security_group.this.name
+}
+
+output "id" {
+  value = azurerm_network_security_group.this.id
+}

infrastructure/modules/network-security-group/variables.tf

@@ -0,0 +1,52 @@
+variable "name" {
+  type        = string
+  description = "The name of the nsg."
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "The name of the resource group in which to create the NSG. Changing this forces a new resource to be created."
+}
+
+variable "location" {
+  type        = string
+  description = "location"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Resource tags to be applied throughout the deployment."
+  default     = {}
+}
+
+variable "nsg_rules" {
+  description = "Additional NSG rules for securing subnets (Optional)."
+  type = list(object({
+    name                       = string
+    priority                   = number
+    direction                  = string
+    access                     = string
+    protocol                   = string
+    source_port_range          = string
+    destination_port_range     = string
+    source_address_prefix      = string
+    destination_address_prefix = string
+  }))
+
+  validation {
+    condition = length(var.nsg_rules) == 0 || alltrue([
+      for rule in var.nsg_rules : (
+        rule.name != "" &&
+        rule.priority > 99 &&
+        contains(["Inbound", "Outbound"], rule.direction) &&
+        contains(["Allow", "Deny"], rule.access) &&
+        contains(["Tcp", "Udp", "Icmp", "*"], rule.protocol) &&
+        rule.source_port_range != "" &&
+        rule.destination_port_range != "" &&
+        rule.source_address_prefix != "" &&
+        rule.destination_address_prefix != ""
+      )
+    ])
+    error_message = "Each network security group rule must have a valid name, priority, direction (Inbound or Outbound), access (Allow or Deny), protocol (Tcp, Udp, Icmp, or *), source port range, destination port range, source address prefix, and destination address prefix."
+  }
+}

infrastructure/modules/rbac-assignment/main.tf

@@ -0,0 +1,11 @@
+# Note it is not necessary to declare the name for the role assignment as this is auto-generated in GUID format.
+resource "azurerm_role_assignment" "role_assignment" {
+  scope              = var.scope
+  principal_id       = var.principal_id
+  role_definition_id = data.azurerm_role_definition.role_definition.id
+}
+
+# Look up the role definition by name as a convenience for the user
+data "azurerm_role_definition" "role_definition" {
+  name = var.role_definition_name
+}

infrastructure/modules/rbac-assignment/output.tf

@@ -0,0 +1,7 @@
+output "name" {
+  value = azurerm_role_assignment.role_assignment.name
+}
+
+output "id" {
+  value = azurerm_role_assignment.role_assignment.id
+}

infrastructure/modules/rbac-assignment/variables.tf

@@ -0,0 +1,14 @@
+variable "scope" {
+  description = "The scope at which the role assignment will be created."
+  type        = string
+}
+
+variable "principal_id" {
+  description = "The principal ID (e.g., user, group, or service principal) to which the role will be assigned."
+  type        = string
+}
+
+variable "role_definition_name" {
+  description = "The name of the role definition to assign."
+  type        = string
+}

infrastructure/modules/route-table/main.tf

@@ -0,0 +1,26 @@
+resource "azurerm_route_table" "route_table" {
+  name                = var.name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  tags = var.tags
+
+  bgp_route_propagation_enabled = var.bgp_route_propagation_enabled
+
+  dynamic "route" {
+    for_each = var.routes
+    content {
+      name                   = route.value.name
+      address_prefix         = route.value.address_prefix
+      next_hop_type          = route.value.next_hop_type
+      next_hop_in_ip_address = route.value.next_hop_in_ip_address
+    }
+  }
+}
+
+resource "azurerm_subnet_route_table_association" "route_table_association" {
+  count = length(var.subnet_ids)
+
+  subnet_id      = var.subnet_ids[count.index]
+  route_table_id = azurerm_route_table.route_table.id
+}