feat: Paymcloud-581 evh spoke streaming (#3639)

* prepared observability pe move

* prepared payopt pe move

* prepared printit pe move

* added check on new pe creation

* prepared qi pe move

* added pe dns boolean enabler

* precommit

Author: mamari90

src/domains/observability/.terraform.lock.hcl

@@ -47,3 +47,41 @@ resource "azurerm_subnet" "eventhub_observability_gpd_snet" {
 
   private_endpoint_network_policies = "Enabled"
 }
+
+module "eventhub_observability_spoke_pe_snet" {
+  source            = "./.terraform/modules/__v4__/IDH/subnet"
+  env               = var.env
+  idh_resource_tier = "slash28_privatelink_true"
+  name              = "${local.project}-spoke-streaming-evh-pe-snet"
+  product_name      = var.prefix
+
+  resource_group_name  = local.vnet_hub_spoke_rg_name
+  virtual_network_name = local.vnet_spoke_streaming_name
+
+  custom_nsg_configuration = {
+    target_service               = "eventhub"
+    source_address_prefixes_name = "All"
+    source_address_prefixes      = ["*"]
+  }
+
+  tags = module.tag_config.tags
+}
+
+module "eventhub_observability_gpd_spoke_pe_snet" {
+  source            = "./.terraform/modules/__v4__/IDH/subnet"
+  env               = var.env
+  idh_resource_tier = "slash28_privatelink_true"
+  name              = "${local.project}-spoke-streaming-evh-gpd-pe-snet"
+  product_name      = var.prefix
+
+  resource_group_name  = local.vnet_hub_spoke_rg_name
+  virtual_network_name = local.vnet_spoke_streaming_name
+
+  custom_nsg_configuration = {
+    target_service               = "eventhub"
+    source_address_prefixes_name = "All"
+    source_address_prefixes      = ["*"]
+  }
+
+  tags = module.tag_config.tags
+}

src/domains/observability/01_network.tf

@@ -5,6 +5,8 @@ resource "azurerm_resource_group" "eventhub_observability_rg" {
   tags = module.tag_config.tags
 }
 
+
+
 module "eventhub_namespace_observability" {
   source = "./.terraform/modules/__v4__/eventhub"
 
@@ -19,7 +21,7 @@ module "eventhub_namespace_observability" {
 
   private_endpoint_subnet_id    = azurerm_subnet.eventhub_observability_snet.id
   public_network_access_enabled = var.ehns_public_network_access
-  private_endpoint_created      = var.ehns_private_endpoint_is_present
+  private_endpoint_created      = var.ehns_private_endpoint_is_present && !var.is_feature_enabled.evh_spoke_pe
 
   private_endpoint_resource_group_name = azurerm_resource_group.eventhub_observability_rg.name
 
@@ -55,3 +57,31 @@ module "eventhub_observability_configuration" {
   eventhubs = var.eventhubs
 }
 
+# hub spoke private endpoint
+resource "azurerm_private_endpoint" "eventhub_spoke_pe" {
+  count = var.ehns_private_endpoint_is_present && var.is_feature_enabled.evh_spoke_pe ? 1 : 0
+
+  name                = "${local.project}-evh-spoke-pe"
+  location            = var.location_itn
+  resource_group_name = azurerm_resource_group.eventhub_observability_rg.name
+  subnet_id           = module.eventhub_observability_spoke_pe_snet.subnet_id
+
+  dynamic "private_dns_zone_group" {
+    for_each = var.ehns_private_endpoint_is_present && var.is_feature_enabled.evh_spoke_pe_dns ? [1] : []
+    content {
+      name                 = "${local.project}-evh-spoke-private-dns-zone-group"
+      private_dns_zone_ids = [data.azurerm_private_dns_zone.eventhub.id]
+    }
+  }
+
+
+  private_service_connection {
+    name                           = "${local.project}-evh-spoke-private-service-connection"
+    private_connection_resource_id = module.eventhub_namespace_observability.namespace_id
+    is_manual_connection           = false
+    subresource_names              = ["namespace"]
+  }
+
+  tags = module.tag_config.tags
+}
+

src/domains/observability/03_eventhub_msg.tf

@@ -13,7 +13,7 @@ module "eventhub_namespace_observability_gpd" {
 
   private_endpoint_subnet_id    = azurerm_subnet.eventhub_observability_gpd_snet.id
   public_network_access_enabled = var.ehns_public_network_access
-  private_endpoint_created      = var.ehns_private_endpoint_is_present
+  private_endpoint_created      = var.ehns_private_endpoint_is_present && !var.is_feature_enabled.evh_spoke_pe
 
   private_endpoint_resource_group_name = azurerm_resource_group.eventhub_observability_rg.name
 
@@ -49,6 +49,34 @@ module "eventhub_observability_gpd_configuration" {
   eventhubs = var.eventhubs_gpd
 }
 
+# hub spoke private endpoint
+resource "azurerm_private_endpoint" "eventhub_gpd_spoke_pe" {
+  count = var.ehns_private_endpoint_is_present && var.is_feature_enabled.evh_spoke_pe ? 1 : 0
+
+  name                = "${local.project}-evh-gpd-spoke-pe"
+  location            = var.location_itn
+  resource_group_name = azurerm_resource_group.eventhub_observability_rg.name
+  subnet_id           = module.eventhub_observability_gpd_spoke_pe_snet.subnet_id
+
+  dynamic "private_dns_zone_group" {
+    for_each = var.ehns_private_endpoint_is_present && var.is_feature_enabled.evh_spoke_pe_dns ? [1] : []
+    content {
+      name                 = "${local.project}-evh-gpd-spoke-private-dns-zone-group"
+      private_dns_zone_ids = [data.azurerm_private_dns_zone.eventhub.id]
+    }
+  }
+
+
+  private_service_connection {
+    name                           = "${local.project}-evh-spoke-private-service-connection"
+    private_connection_resource_id = module.eventhub_namespace_observability_gpd.namespace_id
+    is_manual_connection           = false
+    subresource_names              = ["namespace"]
+  }
+
+  tags = module.tag_config.tags
+}
+
 resource "azurerm_eventhub_namespace_authorization_rule" "cdc_connection_string" {
   name                = "cdc-gpd-connection-string"
   namespace_name      = module.eventhub_namespace_observability_gpd.name

src/domains/observability/03_eventhub_msg_gdp.tf

@@ -1,9 +1,10 @@
 locals {
-  project         = "${var.prefix}-${var.env_short}-${var.location_short}-${var.domain}"
-  project_itn     = "${var.prefix}-${var.env_short}-${var.location_short_itn}-${var.domain}"
-  project_legacy  = "${var.prefix}-${var.env_short}"
-  product         = "${var.prefix}-${var.env_short}"
-  product_network = "${var.prefix}-${var.env_short}-${var.location_short}-network"
+  project              = "${var.prefix}-${var.env_short}-${var.location_short}-${var.domain}"
+  project_itn          = "${var.prefix}-${var.env_short}-${var.location_short_itn}-${var.domain}"
+  project_legacy       = "${var.prefix}-${var.env_short}"
+  product              = "${var.prefix}-${var.env_short}"
+  product_location_itn = "${var.prefix}-${var.env_short}-${var.location_short_itn}"
+  product_network      = "${var.prefix}-${var.env_short}-${var.location_short}-network"
 
   apim_hostname = "api.${var.apim_dns_zone_prefix}.${var.external_domain}"
 
@@ -26,6 +27,9 @@ locals {
   vnet_italy_name                = "${local.product}-itn-vnet"
   vnet_italy_resource_group_name = "${local.product}-itn-vnet-rg"
 
+  vnet_hub_spoke_rg_name    = "${local.product_location_itn}-network-hub-spoke-rg"
+  vnet_spoke_streaming_name = "${local.product_location_itn}-spoke-streaming-vnet"
+
   dataexplorer_ls_name = "AzureDataExplorer${var.env_short}LinkService"
 
   linked_service_cruscotto_kv_name = "crusc8-${var.env_short}-key-vault"

src/domains/observability/99_locals.tf

@@ -380,8 +380,16 @@ variable "gpd_ingestion_storage_account" {
   }
 }
 
+variable "is_feature_enabled" {
+  type = object({
+    evh_spoke_pe     = optional(bool, false)
+    evh_spoke_pe_dns = optional(bool, false)
+
+  })
+
+  default = {
+    evh_spoke_pe     = false
+    evh_spoke_pe_dns = false
+  }
 
-variable "app_forwarder_ip_restriction_default_action" {
-  type        = string
-  description = "(Required) The Default action for traffic that does not match any ip_restriction rule. possible values include Allow and Deny. "
 }

src/domains/observability/99_variables.tf

@@ -20,6 +20,8 @@
 | <a name="module_eventhub_namespace_observability_gpd"></a> [eventhub\_namespace\_observability\_gpd](#module\_eventhub\_namespace\_observability\_gpd) | ./.terraform/modules/__v4__/eventhub | n/a |
 | <a name="module_eventhub_observability_configuration"></a> [eventhub\_observability\_configuration](#module\_eventhub\_observability\_configuration) | ./.terraform/modules/__v4__/eventhub_configuration | n/a |
 | <a name="module_eventhub_observability_gpd_configuration"></a> [eventhub\_observability\_gpd\_configuration](#module\_eventhub\_observability\_gpd\_configuration) | ./.terraform/modules/__v4__/eventhub_configuration | n/a |
+| <a name="module_eventhub_observability_gpd_spoke_pe_snet"></a> [eventhub\_observability\_gpd\_spoke\_pe\_snet](#module\_eventhub\_observability\_gpd\_spoke\_pe\_snet) | ./.terraform/modules/__v4__/IDH/subnet | n/a |
+| <a name="module_eventhub_observability_spoke_pe_snet"></a> [eventhub\_observability\_spoke\_pe\_snet](#module\_eventhub\_observability\_spoke\_pe\_snet) | ./.terraform/modules/__v4__/IDH/subnet | n/a |
 | <a name="module_gpd_ingestion_sa"></a> [gpd\_ingestion\_sa](#module\_gpd\_ingestion\_sa) | ./.terraform/modules/__v4__/storage_account | n/a |
 | <a name="module_observability_sa"></a> [observability\_sa](#module\_observability\_sa) | ./.terraform/modules/__v4__/storage_account | n/a |
 | <a name="module_observability_st_snet"></a> [observability\_st\_snet](#module\_observability\_st\_snet) | ./.terraform/modules/__v4__/subnet | n/a |
@@ -113,6 +115,8 @@
 | [azurerm_kusto_eventhub_data_connection.eventhub_connection_for_ingestion_qi_iuvs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kusto_eventhub_data_connection) | resource |
 | [azurerm_kusto_eventhub_data_connection.eventhub_connection_for_re_event](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kusto_eventhub_data_connection) | resource |
 | [azurerm_kusto_script.create_merge_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kusto_script) | resource |
+| [azurerm_private_endpoint.eventhub_gpd_spoke_pe](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
+| [azurerm_private_endpoint.eventhub_spoke_pe](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
 | [azurerm_private_endpoint.observability_storage_private_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
 | [azurerm_resource_group.eventhub_observability_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.gpd_ingestion_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
@@ -172,7 +176,6 @@
 |------|-------------|------|---------|:--------:|
 | <a name="input_apim_dns_zone_prefix"></a> [apim\_dns\_zone\_prefix](#input\_apim\_dns\_zone\_prefix) | The dns subdomain for apim. | `string` | `null` | no |
 | <a name="input_app_forwarder_enabled"></a> [app\_forwarder\_enabled](#input\_app\_forwarder\_enabled) | Enable app\_forwarder | `bool` | `false` | no |
-| <a name="input_app_forwarder_ip_restriction_default_action"></a> [app\_forwarder\_ip\_restriction\_default\_action](#input\_app\_forwarder\_ip\_restriction\_default\_action) | (Required) The Default action for traffic that does not match any ip\_restriction rule. possible values include Allow and Deny. | `string` | n/a | yes |
 | <a name="input_cidr_subnet_observability_evh"></a> [cidr\_subnet\_observability\_evh](#input\_cidr\_subnet\_observability\_evh) | Address prefixes evh | `list(string)` | n/a | yes |
 | <a name="input_cidr_subnet_observability_gpd_evh"></a> [cidr\_subnet\_observability\_gpd\_evh](#input\_cidr\_subnet\_observability\_gpd\_evh) | Address prefixes evh | `list(string)` | n/a | yes |
 | <a name="input_cidr_subnet_observability_storage"></a> [cidr\_subnet\_observability\_storage](#input\_cidr\_subnet\_observability\_storage) | Storage address space | `list(string)` | `null` | no |
@@ -199,6 +202,7 @@
 | <a name="input_external_domain"></a> [external\_domain](#input\_external\_domain) | Domain for delegation | `string` | `null` | no |
 | <a name="input_gpd_ingestion_storage_account"></a> [gpd\_ingestion\_storage\_account](#input\_gpd\_ingestion\_storage\_account) | n/a | <pre>object({<br/>    advanced_threat_protection    = bool<br/>    blob_delete_retention_days    = number<br/>    blob_versioning_enabled       = bool<br/>    backup_enabled                = bool<br/>    backup_retention              = optional(number, 0)<br/>    account_replication_type      = string<br/>    public_network_access_enabled = bool<br/><br/>  })</pre> | <pre>{<br/>  "account_replication_type": "LRS",<br/>  "advanced_threat_protection": false,<br/>  "backup_enabled": false,<br/>  "backup_retention": 0,<br/>  "blob_delete_retention_days": 30,<br/>  "blob_versioning_enabled": false,<br/>  "public_network_access_enabled": true<br/>}</pre> | no |
 | <a name="input_instance"></a> [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes |
+| <a name="input_is_feature_enabled"></a> [is\_feature\_enabled](#input\_is\_feature\_enabled) | n/a | <pre>object({<br/>    evh_spoke_pe     = optional(bool, false)<br/>    evh_spoke_pe_dns = optional(bool, false)<br/><br/>  })</pre> | <pre>{<br/>  "evh_spoke_pe": false,<br/>  "evh_spoke_pe_dns": false<br/>}</pre> | no |
 | <a name="input_location"></a> [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes |
 | <a name="input_location_itn"></a> [location\_itn](#input\_location\_itn) | italynorth | `string` | n/a | yes |
 | <a name="input_location_short"></a> [location\_short](#input\_location\_short) | One of wue, neu | `string` | n/a | yes |

src/domains/observability/README.md

@@ -370,3 +370,9 @@ app_forwarder_ip_restriction_default_action = "Allow"
 #     ],
 #   },
 # }
+
+
+is_feature_enabled = {
+  evh_spoke_pe     = true
+  evh_spoke_pe_dns = false
+}

src/domains/observability/env/dev/terraform.tfvars

@@ -412,3 +412,7 @@ app_forwarder_ip_restriction_default_action = "Deny"
 #     ],
 #   },
 # }
+
+is_feature_enabled = {
+  evh_spoke_pe = false
+}

src/domains/observability/env/prod/terraform.tfvars

@@ -387,3 +387,9 @@ ehns_metric_alerts_gpd = {
     ],
   },
 }
+
+
+is_feature_enabled = {
+  evh_spoke_pe     = true
+  evh_spoke_pe_dns = true
+}