Gitea shared service supports app-service standard SKUs (#2523)

* Gitea shared service supports app-service S* SKUs

* update changelog

* lint

CHANGELOG.md

@@ -14,6 +14,7 @@ FEATURES:
 ENHANCEMENTS:
 
 * Adding Log Analytics & Antimalware VM extensions ([#2520](https://github.com/microsoft/AzureTRE/pull/2520))
+* Gitea shared service support app-service standard SKUs ([#2523](https://github.com/microsoft/AzureTRE/pull/2523))
 
 BUG FIXES:
 

templates/shared_services/gitea/porter.yaml

@@ -1,6 +1,6 @@
 ---
 name: tre-shared-service-gitea
-version: 0.3.11
+version: 0.3.12
 description: "A Gitea shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/shared_services/gitea/terraform/data.tf

@@ -3,7 +3,7 @@ data "azurerm_log_analytics_workspace" "tre" {
   resource_group_name = local.core_resource_group_name
 }
 
-data "azurerm_app_service_plan" "core" {
+data "azurerm_service_plan" "core" {
   name                = "plan-${var.tre_id}"
   resource_group_name = local.core_resource_group_name
 }
@@ -52,3 +52,10 @@ data "azurerm_key_vault" "keyvault" {
 data "azurerm_resource_group" "rg" {
   name = local.core_resource_group_name
 }
+
+data "azurerm_monitor_diagnostic_categories" "webapp" {
+  resource_id = data.azurerm_service_plan.core.id
+  depends_on = [
+    azurerm_linux_web_app.gitea,
+  ]
+}

templates/shared_services/gitea/terraform/gitea-webapp.tf

@@ -17,13 +17,14 @@ resource "azurerm_user_assigned_identity" "gitea_id" {
   lifecycle { ignore_changes = [tags] }
 }
 
-resource "azurerm_app_service" "gitea" {
+resource "azurerm_linux_web_app" "gitea" {
   name                            = local.webapp_name
   resource_group_name             = local.core_resource_group_name
   location                        = data.azurerm_resource_group.rg.location
-  app_service_plan_id             = data.azurerm_app_service_plan.core.id
+  service_plan_id                 = data.azurerm_service_plan.core.id
   https_only                      = true
   key_vault_reference_identity_id = azurerm_user_assigned_identity.gitea_id.id
+  virtual_network_subnet_id       = data.azurerm_subnet.web_app.id
   tags                            = local.tre_shared_service_tags
 
   app_settings = {
@@ -59,39 +60,26 @@ resource "azurerm_app_service" "gitea" {
   }
 
   site_config {
-    linux_fx_version                     = "DOCKER|${data.azurerm_container_registry.mgmt_acr.login_server}/microsoft/azuretre/gitea:${local.version}"
-    remote_debugging_enabled             = false
-    scm_use_main_ip_restriction          = true
-    acr_use_managed_identity_credentials = true
-    acr_user_managed_identity_client_id  = azurerm_user_assigned_identity.gitea_id.client_id
-    ftps_state                           = "Disabled"
-    websockets_enabled                   = false
-    always_on                            = true
-    min_tls_version                      = "1.2"
-    vnet_route_all_enabled               = true
-
-    cors {
-      allowed_origins     = []
-      support_credentials = false
-    }
-
-    ip_restriction {
-      action     = "Deny"
-      ip_address = "0.0.0.0/0"
-      name       = "Deny all"
-      priority   = 2147483647
+    container_registry_use_managed_identity       = true
+    container_registry_managed_identity_client_id = azurerm_user_assigned_identity.gitea_id.client_id
+    ftps_state                                    = "Disabled"
+    always_on                                     = true
+    minimum_tls_version                           = "1.2"
+    vnet_route_all_enabled                        = true
+
+    application_stack {
+      docker_image     = "${data.azurerm_container_registry.mgmt_acr.login_server}/microsoft/azuretre/gitea"
+      docker_image_tag = local.version
     }
   }
 
   storage_account {
     name         = "gitea-data"
     type         = "AzureFiles"
     account_name = data.azurerm_storage_account.gitea.name
-
-    access_key = data.azurerm_storage_account.gitea.primary_access_key
-    share_name = azurerm_storage_share.gitea.name
-
-    mount_path = "/data"
+    access_key   = data.azurerm_storage_account.gitea.primary_access_key
+    share_name   = azurerm_storage_share.gitea.name
+    mount_path   = "/data"
   }
 
   logs {
@@ -120,7 +108,7 @@ resource "azurerm_private_endpoint" "gitea_private_endpoint" {
   tags                = local.tre_shared_service_tags
 
   private_service_connection {
-    private_connection_resource_id = azurerm_app_service.gitea.id
+    private_connection_resource_id = azurerm_linux_web_app.gitea.id
     name                           = "psc-${local.webapp_name}"
     subresource_names              = ["sites"]
     is_manual_connection           = false
@@ -134,25 +122,19 @@ resource "azurerm_private_endpoint" "gitea_private_endpoint" {
   lifecycle { ignore_changes = [tags] }
 }
 
-resource "azurerm_app_service_virtual_network_swift_connection" "gitea_integrated_vnet" {
-  app_service_id = azurerm_app_service.gitea.id
-  subnet_id      = data.azurerm_subnet.web_app.id
-}
-
 resource "azurerm_monitor_diagnostic_setting" "webapp_gitea" {
   name                       = "diag-${var.tre_id}"
-  target_resource_id         = azurerm_app_service.gitea.id
+  target_resource_id         = azurerm_linux_web_app.gitea.id
   log_analytics_workspace_id = data.azurerm_log_analytics_workspace.tre.id
 
   dynamic "log" {
-    for_each = toset(["AppServiceHTTPLogs", "AppServiceConsoleLogs", "AppServiceAppLogs", "AppServiceFileAuditLogs",
-    "AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServicePlatformLogs", "AppServiceAntivirusScanAuditLogs"])
+    for_each = data.azurerm_monitor_diagnostic_categories.webapp.logs
     content {
       category = log.value
-      enabled  = true
+      enabled  = contains(local.webapp_diagnostic_categories_enabled, log.value) ? true : false
 
       retention_policy {
-        enabled = true
+        enabled = contains(local.webapp_diagnostic_categories_enabled, log.value) ? true : false
         days    = 365
       }
     }

templates/shared_services/gitea/terraform/locals.tf

@@ -2,7 +2,6 @@ locals {
   core_vnet                = "vnet-${var.tre_id}"
   core_resource_group_name = "rg-${var.tre_id}"
   webapp_name              = "gitea-${var.tre_id}"
-  firewall_name            = "fw-${var.tre_id}"
   storage_account_name     = lower(replace("stg-${var.tre_id}", "-", ""))
   keyvault_name            = "kv-${var.tre_id}"
   version                  = replace(replace(replace(data.local_file.version.content, "__version__ = \"", ""), "\"", ""), "\n", "")
@@ -11,4 +10,8 @@ locals {
     tre_id                = var.tre_id
     tre_shared_service_id = var.tre_resource_id
   }
+  webapp_diagnostic_categories_enabled = [
+    "AppServiceHTTPLogs", "AppServiceConsoleLogs", "AppServiceAppLogs", "AppServiceFileAuditLogs",
+    "AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServicePlatformLogs", "AppServiceAntivirusScanAuditLogs"
+  ]
 }

templates/shared_services/gitea/terraform/main.tf

@@ -3,15 +3,15 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "=3.16.0"
+      version = "=3.20.0"
     }
     local = {
       source  = "hashicorp/local"
       version = "~> 2.2.0"
     }
     random = {
       source  = "hashicorp/random"
-      version = "~> 3.2.0"
+      version = "~> 3.3.0"
     }
   }
 

templates/shared_services/gitea/terraform/mysql.tf

@@ -24,7 +24,7 @@ resource "azurerm_mysql_server" "gitea" {
   ssl_minimal_tls_version_enforced  = "TLS1_2"
   tags                              = local.tre_shared_service_tags
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [tags, threat_detection_policy] }
 }
 
 resource "azurerm_mysql_database" "gitea" {

templates/shared_services/gitea/terraform/outputs.tf

@@ -1,5 +1,5 @@
 output "gitea_fqdn" {
-  value = azurerm_app_service.gitea.default_site_hostname
+  value = azurerm_linux_web_app.gitea.default_hostname
 }
 
 output "address_prefixes" {