Cloud2BR-MSFTLearningHub
diff --git a/‎.gitignore‎
Lines changed: 0 additions & 1 deletion b/‎.gitignore‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 2 additions & 0 deletions b/‎README.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎terraform-infrastructure/README.md‎
Lines changed: 117 additions & 0 deletions b/‎terraform-infrastructure/README.md‎
Lines changed: 117 additions & 0 deletions
diff --git a/‎terraform-infrastructure/main.tf‎
Lines changed: 213 additions & 0 deletions b/‎terraform-infrastructure/main.tf‎
Lines changed: 213 additions & 0 deletions
@@ -13,7 +13,6 @@ crash.*.log
 # password, private keys, and other secrets. These should not be part of version 
 # control as they are data points which are potentially sensitive and subject 
 # to change depending on the environment.
-*.tfvars
 *.tfvars.json
 
 # Ignore override files as they are usually used to override resources locally and so
 
@@ -34,6 +34,8 @@ Last updated: 2025-07-30
 
 ## Overview 
 
+> The infrastructure sample for this architecture is available in [terraform-infrastructure](terraform-infrastructure/README.md). It provisions the Azure-side resources for the documented workflow, including the Resource Group, Function App dependencies, monitoring, Logic App, Key Vault, SQL, and the AI service account.
+
 
 <div align="center">
   <img src="https://github.com/user-attachments/assets/48774cdd-ba27-404c-b7fc-a124fd176e2a" alt="Centered Image" style="border: 2px solid #4CAF50; border-radius: 5px; padding: 5px;"/>
 
@@ -0,0 +1,117 @@
+# Azure Infrastructure Terraform Templates
+
+Costa Rica
+
+[![GitHub](https://img.shields.io/badge/--181717?logo=github&logoColor=ffffff)](https://github.com/)
+[Cloud2BR OSS - Learning Hub](https://github.com/Cloud2BR-MSFTLearningHub)
+
+Last updated: 2026-04-06
+
+----------
+
+> This approach focuses on `setting up the required infrastructure via Terraform`. It allows for source control of not only the solution code, connections, and setups `but also the infrastructure itself`.
+
+## Prerequisites
+
+- An `Azure subscription is required`. All other resources, including instructions for creating a Resource Group, are provided in this workshop.
+- `Contributor role assigned or any custom role that allows`: access to manage all resources, and the ability to deploy resources within subscription.
+- Please ensure that:
+  - [Terraform is installed on your local machine](https://developer.hashicorp.com/terraform/tutorials/azure-get-started/install-cli#install-terraform).
+  - [Install the Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) to work with both Terraform and Azure commands.
+
+## Overview 
+
+Templates structure:
+
+```
+.
+├── README.md
+├────── main.tf
+├────── variables.tf
+├────── provider.tf
+├────── terraform.tfvars
+├────── outputs.tf
+```
+
+- main.tf `(Main Terraform configuration file)`: This file contains the core infrastructure code. It defines the resources you want to create, such as virtual machines, networks, and storage. It's the primary file where you describe your infrastructure in a declarative manner.
+- variables.tf `(Variable definitions)`: This file is used to define variables that can be used throughout your Terraform configuration. By using variables, you can make your configuration more flexible and reusable. For example, you can define variables for resource names, sizes, and other parameters that might change between environments.
+- provider.tf `(Provider configurations)`: Providers are plugins that Terraform uses to interact with cloud providers, SaaS providers, and other APIs. This file specifies which providers (e.g., AWS, Azure, Google Cloud) you are using and any necessary configuration for them, such as authentication details.
+- terraform.tfvars `(Variable values)`: This file contains the actual values for the variables defined in `variables.tf`. By separating variable definitions and values, you can easily switch between different sets of values for different environments (e.g., development, staging, production) without changing the main configuration files.
+- outputs.tf `(Output values)`: This file defines the output values that Terraform should return after applying the configuration. Outputs are useful for displaying information about the resources created, such as IP addresses, resource IDs, and other important details. They can also be used as inputs for other Terraform configurations or scripts.
+
+## How to execute it 
+
+```mermaid 
+graph TD;
+    A[az login] --> B(terraform init)
+    B --> C{Terraform provisioning stage}
+    C -->|Review| D[terraform plan]
+    C -->|Order Now| E[terraform apply]
+    C -->|Delete Resource if needed| F[terraform destroy]
+```
+
+> [!IMPORTANT]
+> Please modify `terraform.tfvars` with your information, then run the following flow. If you need more visual guidance, please check the video that illustrates the provisioning steps. 
+
+1. **Login to Azure**: This command logs you into your Azure account. It opens a browser window where you can enter your Azure credentials. Once logged in, you can manage your Azure resources from the command line.
+
+    > Go to the path where Terraform files are located:
+
+    ```sh
+    cd terraform-infrastructure
+    ```
+    
+    ```sh
+    az login
+    ```
+
+    <img width="550" alt="img" src="https://github.com/user-attachments/assets/53b47aa7-134e-4cf7-b0b8-cdebdd0583ed" />
+
+    <img width="550" alt="img" src="https://github.com/user-attachments/assets/1d9a247d-3dc9-472f-9305-4e4f0ecb72f1" />
+
+2. **Initialize Terraform**: Initializes the working directory containing the Terraform configuration files. It downloads the necessary provider plugins and sets up the backend for storing the state.
+
+    ``` sh
+    terraform init
+    ```
+
+   <img width="550" alt="img" src="https://github.com/user-attachments/assets/a7a32891-ad72-423a-a1fe-bdb50925b546" />
+
+3. **Terraform Provisioning Stage**: 
+
+   - **Review**: Creates an execution plan, showing what actions Terraform will take to achieve the desired state defined in your configuration files. It uses the variable values specified in `terraform.tfvars`.
+
+        ```sh
+        terraform plan -var-file terraform.tfvars
+        ```
+
+        > At the end, you will see a message in green if everything was executed successfully: 
+
+        <img width="550" alt="Screenshot 2025-03-18 145143" src="https://github.com/user-attachments/assets/4741e863-1ccd-4f2a-a0b8-d5d1964bd890" />
+
+   - **Order Now**: Applies the changes required to reach the desired state of the configuration. It prompts for confirmation before making any changes. It also uses the variable values specified in `terraform.tfvars`.
+
+        ```sh
+        terraform apply -var-file terraform.tfvars
+        ```
+
+        > At the end, you will see a message in green if everything was executed successfully: 
+
+        <img width="550" alt="image" src="https://github.com/user-attachments/assets/2b32b63f-3e9f-46da-a5e9-c39360135251">
+
+   - **Remove**: Destroys the infrastructure managed by Terraform. It prompts for confirmation before deleting any resources. It also uses the variable values specified in `terraform.tfvars`.
+    
+        ```sh
+        terraform destroy -var-file terraform.tfvars
+        ```
+
+        > At the end, you will see a message in green if everything was executed successfully: 
+
+        <img width="550" alt="image" src="https://github.com/user-attachments/assets/f2089d03-3a3d-431d-b462-8148ef519104">
+
+<!-- START BADGE -->
+<div align="center">
+  <img src="https://img.shields.io/badge/Total%20views-1327-limegreen" alt="Total views">
+  <p>Refresh Date: 2026-04-06</p>
+</div>
+<!-- END BADGE -->
@@ -0,0 +1,213 @@
+locals {
+  prefix               = lower(replace("${var.workload_name}-${var.environment}", "_", "-"))
+  compact_prefix       = substr(replace(local.prefix, "-", ""), 0, 16)
+  tags                 = merge(var.tags, { environment = var.environment, workload = var.workload_name, managed_by = "terraform" })
+  resource_group_name  = "${local.prefix}-rg"
+  log_analytics_name   = "${local.prefix}-law"
+  app_insights_name    = "${local.prefix}-appi"
+  key_vault_name       = substr("${local.prefix}-kv", 0, 24)
+  identity_name        = "${local.prefix}-mi"
+  runtime_storage_name = substr("${local.compact_prefix}func", 0, 24)
+  data_storage_name    = substr("${local.compact_prefix}data", 0, 24)
+  service_plan_name    = "${local.prefix}-plan"
+  function_app_name    = "${local.prefix}-func"
+  sql_server_name      = substr("${local.prefix}-sql", 0, 60)
+  sql_database_name    = "${local.prefix}-sqldb"
+  logic_app_name       = "${local.prefix}-logic"
+  ai_account_name      = substr("${local.prefix}-ai", 0, 64)
+}
+
+resource "azurerm_resource_group" "resource_group" {
+  name     = local.resource_group_name
+  location = var.location
+  tags     = local.tags
+}
+
+resource "azurerm_log_analytics_workspace" "log_analytics" {
+  name                = local.log_analytics_name
+  location            = var.location
+  resource_group_name = azurerm_resource_group.resource_group.name
+  sku                 = var.log_analytics_sku
+  retention_in_days   = var.log_retention_in_days
+  tags                = local.tags
+}
+
+resource "azurerm_application_insights" "application_insights" {
+  name                = local.app_insights_name
+  location            = var.location
+  resource_group_name = azurerm_resource_group.resource_group.name
+  workspace_id        = azurerm_log_analytics_workspace.log_analytics.id
+  application_type    = "web"
+  tags                = local.tags
+}
+
+resource "azurerm_user_assigned_identity" "managed_identity" {
+  name                = local.identity_name
+  location            = var.location
+  resource_group_name = azurerm_resource_group.resource_group.name
+  tags                = local.tags
+}
+
+resource "azurerm_key_vault" "key_vault" {
+  name                          = local.key_vault_name
+  location                      = var.location
+  resource_group_name           = azurerm_resource_group.resource_group.name
+  tenant_id                     = data.azurerm_client_config.current.tenant_id
+  sku_name                      = "standard"
+  soft_delete_retention_days    = 7
+  purge_protection_enabled      = false
+  enable_rbac_authorization     = true
+  public_network_access_enabled = true
+  tags                          = local.tags
+}
+
+resource "azurerm_storage_account" "storage_runtime" {
+  name                            = local.runtime_storage_name
+  location                        = var.location
+  resource_group_name             = azurerm_resource_group.resource_group.name
+  account_tier                    = "Standard"
+  account_replication_type        = var.storage_replication_type
+  account_kind                    = "StorageV2"
+  min_tls_version                 = "TLS1_2"
+  public_network_access_enabled   = true
+  shared_access_key_enabled       = true
+  allow_nested_items_to_be_public = false
+  tags                            = local.tags
+}
+
+resource "azurerm_storage_account" "storage_data" {
+  count                           = var.enable_data_storage_account ? 1 : 0
+  name                            = local.data_storage_name
+  location                        = var.location
+  resource_group_name             = azurerm_resource_group.resource_group.name
+  account_tier                    = "Standard"
+  account_replication_type        = var.storage_replication_type
+  account_kind                    = "StorageV2"
+  min_tls_version                 = "TLS1_2"
+  public_network_access_enabled   = true
+  shared_access_key_enabled       = true
+  allow_nested_items_to_be_public = false
+  tags                            = local.tags
+}
+
+resource "azurerm_storage_container" "raw_recommendations" {
+  count                 = var.enable_data_storage_account ? 1 : 0
+  name                  = "raw-recommendations"
+  storage_account_id    = azurerm_storage_account.storage_data[0].id
+  container_access_type = "private"
+}
+
+resource "azurerm_storage_container" "enriched_recommendations" {
+  count                 = var.enable_data_storage_account ? 1 : 0
+  name                  = "enriched-recommendations"
+  storage_account_id    = azurerm_storage_account.storage_data[0].id
+  container_access_type = "private"
+}
+
+resource "azurerm_service_plan" "app_service_plan" {
+  name                = local.service_plan_name
+  location            = var.location
+  resource_group_name = azurerm_resource_group.resource_group.name
+  os_type             = "Linux"
+  sku_name            = var.function_plan_sku_name
+  tags                = local.tags
+}
+
+resource "azurerm_cognitive_account" "ai" {
+  count                         = var.enable_ai_service ? 1 : 0
+  name                          = local.ai_account_name
+  location                      = var.location
+  resource_group_name           = azurerm_resource_group.resource_group.name
+  kind                          = var.ai_service_kind
+  sku_name                      = var.ai_service_sku_name
+  custom_subdomain_name         = substr(replace(local.ai_account_name, "-", ""), 0, 24)
+  public_network_access_enabled = true
+  tags                          = local.tags
+}
+
+resource "azurerm_mssql_server" "sql" {
+  count                         = var.enable_sql_backend ? 1 : 0
+  name                          = local.sql_server_name
+  resource_group_name           = azurerm_resource_group.resource_group.name
+  location                      = var.location
+  version                       = "12.0"
+  administrator_login           = var.sql_admin_login
+  administrator_login_password  = var.sql_admin_password
+  minimum_tls_version           = "1.2"
+  public_network_access_enabled = true
+  tags                          = local.tags
+}
+
+resource "azurerm_mssql_database" "sql_database" {
+  count     = var.enable_sql_backend ? 1 : 0
+  name      = local.sql_database_name
+  server_id = azurerm_mssql_server.sql[0].id
+  sku_name  = var.sql_sku_name
+  tags      = local.tags
+}
+
+resource "azurerm_linux_function_app" "function_app" {
+  name                       = local.function_app_name
+  location                   = var.location
+  resource_group_name        = azurerm_resource_group.resource_group.name
+  service_plan_id            = azurerm_service_plan.app_service_plan.id
+  storage_account_name       = azurerm_storage_account.storage_runtime.name
+  storage_account_access_key = azurerm_storage_account.storage_runtime.primary_access_key
+  https_only                 = true
+  tags                       = local.tags
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.managed_identity.id]
+  }
+
+  site_config {
+    application_insights_connection_string = azurerm_application_insights.application_insights.connection_string
+    application_insights_key               = azurerm_application_insights.application_insights.instrumentation_key
+    ftps_state                             = "Disabled"
+
+    application_stack {
+      python_version = var.function_python_version
+    }
+  }
+
+  app_settings = merge(
+    {
+      "AzureWebJobsStorage"                    = "DefaultEndpointsProtocol=https;AccountName=${azurerm_storage_account.storage_runtime.name};AccountKey=${azurerm_storage_account.storage_runtime.primary_access_key};EndpointSuffix=core.windows.net"
+      "FUNCTIONS_EXTENSION_VERSION"            = "~4"
+      "FUNCTIONS_WORKER_RUNTIME"               = "python"
+      "WEBSITE_RUN_FROM_PACKAGE"               = "1"
+      "WORKLOAD_NAME"                          = var.workload_name
+      "AZURE_CLIENT_ID"                        = azurerm_user_assigned_identity.managed_identity.client_id
+      "KEY_VAULT_NAME"                         = azurerm_key_vault.key_vault.name
+      "DATA_STORAGE_ACCOUNT_NAME"              = var.enable_data_storage_account ? azurerm_storage_account.storage_data[0].name : ""
+      "SQL_SERVER_FQDN"                        = var.enable_sql_backend ? azurerm_mssql_server.sql[0].fully_qualified_domain_name : ""
+      "SQL_DATABASE_NAME"                      = var.enable_sql_backend ? azurerm_mssql_database.sql_database[0].name : ""
+      "AI_SERVICE_ENDPOINT"                    = var.enable_ai_service ? azurerm_cognitive_account.ai[0].endpoint : ""
+      "APPLICATIONINSIGHTS_CONNECTION_STRING"  = azurerm_application_insights.application_insights.connection_string
+    },
+    var.function_app_settings
+  )
+}
+
+resource "azurerm_logic_app_workflow" "logic_app" {
+  count               = var.enable_logic_app ? 1 : 0
+  name                = local.logic_app_name
+  location            = var.location
+  resource_group_name = azurerm_resource_group.resource_group.name
+  enabled             = true
+  tags                = local.tags
+}
+
+resource "azurerm_role_assignment" "key_vault_secrets_user" {
+  scope                = azurerm_key_vault.key_vault.id
+  role_definition_name = "Key Vault Secrets User"
+  principal_id         = azurerm_user_assigned_identity.managed_identity.principal_id
+}
+
+resource "azurerm_role_assignment" "data_storage_blob_contributor" {
+  count                = var.enable_data_storage_account ? 1 : 0
+  scope                = azurerm_storage_account.storage_data[0].id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = azurerm_user_assigned_identity.managed_identity.principal_id
+}