PPHA-645: create container app health checks (#359)

# What is the change?

This includes infrastructure alarming on the Database and Container
webapp.
Also includes an Application insights web test, this will test the
availability of the container app via hitting the healthcheck endpoint.
Also adds a boolean option to enable alerting or not, but default its
false
Also adds in the number of replicas for the container app. 
And adds in the memory used by the container app (default 1). 

To test this out:- 

- Add the infra secrets to the inf key vault
`kv-lungcs-[environment]-inf`
- Create an monitoring email address which will be used to fire alerts
to.
- Set `monitoring-email-address` to a pre created monitring email
address, if this is not set up then set it to your own email address.



<!-- Describe the intended changes. -->

# Why are we making this change?

<!-- Why is this change required? What problem does it solve? -->

Author: mrlockstar

infrastructure/environments/dev/variables.tfvars

@@ -15,3 +15,6 @@ postgres_geo_redundant_backup_enabled = false
 protect_keyvault                      = false
 vnet_address_space                    = "10.12.0.0/16"
 seed_demo_data                        = true
+enable_alerting                       = false
+min_replicas                          = 1
+container_memory                      = "1"

infrastructure/environments/preprod/variables.tfvars

@@ -15,3 +15,6 @@ postgres_geo_redundant_backup_enabled = false
 protect_keyvault                      = true
 vnet_address_space                    = "10.14.0.0/16"
 seed_demo_data                        = true
+enable_alerting                       = false
+min_replicas                          = 2
+container_memory                      = "1"

infrastructure/environments/prod/variables.tfvars

@@ -15,3 +15,6 @@ protect_keyvault                      = true
 vnet_address_space                    = "10.15.0.0/16"
 use_apex_domain                       = true
 cae_zone_redundancy_enabled           = true
+enable_alerting                       = true
+min_replicas                          = 2
+container_memory                      = "1"

infrastructure/modules/container-apps/main.tf

@@ -13,6 +13,13 @@ module "webapp" {
 
   name                             = "${var.app_short_name}-web-${var.environment}"
   container_app_environment_id     = var.container_app_environment_id
+
+  # alerts
+  action_group_id        = var.action_group_id
+  enable_alerting        = var.enable_alerting
+  alert_memory_threshold = 80
+  alert_cpu_threshold    = 90
+
   resource_group_name              = azurerm_resource_group.main.name
   fetch_secrets_from_app_key_vault = var.fetch_secrets_from_app_key_vault
   infra_key_vault_name             = "kv-${var.app_short_name}-${var.env_config}-inf"
@@ -32,4 +39,19 @@ module "webapp" {
   secret_variables = var.deploy_database_as_container ? { DATABASE_PASSWORD = resource.random_password.admin_password[0].result } : {}
   is_web_app       = true
   port             = 8000
+  probe_path       = "/healthcheck"
+  min_replicas     = var.min_replicas
+  memory           = var.container_memory
+}
+
+module "azurerm_application_insights_standard_web_test" {
+  count = var.enable_alerting ? 1 : 0
+
+  source                  = "../dtos-devops-templates/infrastructure/modules/application-insights-availability-test"
+  name                    = "${var.app_short_name}-web-${var.environment}"
+  resource_group_name     = var.resource_group_name_infra
+  location                = var.region
+  action_group_id         = var.action_group_id
+  application_insights_id = var.app_insights_id
+  target_url              = var.features.front_door ? "${local.external_url}healthcheck" : null
 }

infrastructure/modules/container-apps/output.tf

@@ -2,7 +2,6 @@ output "internal_url" {
   value = module.webapp.url
 }
 
-# Commented out as the front door endpoints is not being used at the moment (awaiting for DNS to be sorted), but this can be re-enabled if front door is added back in.
-# output "external_url" {
-#   value = var.features.front_door ? "https://${module.frontdoor_endpoint[0].custom_domains["${var.environment}-domain"].host_name}/" : null
-# }
+output "external_url" {
+  value = var.features.front_door ? local.external_url : null
+}

infrastructure/modules/container-apps/postgres.tf

@@ -48,6 +48,13 @@ module "postgres" {
 
   public_network_access_enabled = !var.features.private_networking
 
+  # alerts
+  action_group_id         = var.action_group_id
+  enable_alerting         = var.enable_alerting
+  alert_memory_threshold  = 80
+  alert_cpu_threshold     = 90
+  alert_storage_threshold = 80
+
   databases = {
     db1 = {
       collation   = "en_US.utf8"
@@ -94,6 +101,13 @@ module "database_container" {
     POSTGRES_USER = local.database_user
     POSTGRES_DB   = local.database_name
   }
+
+  # alerts
+  action_group_id        = var.action_group_id
+  enable_alerting        = var.enable_alerting
+  alert_memory_threshold = 80
+  alert_cpu_threshold    = 90
+
   resource_group_name = azurerm_resource_group.main.name
   is_tcp_app          = true
   # postgres has a port of 5432

infrastructure/modules/container-apps/variables.tf

@@ -14,6 +14,11 @@ variable "app_short_name" {
   type        = string
 }
 
+variable "resource_group_name_infra" {
+  description = "resource group name infra"
+  type        = string
+}
+
 variable "container_app_environment_id" {
   description = "The ID of the container app environment where container apps are deployed"
   type        = string
@@ -40,6 +45,7 @@ variable "enable_entra_id_authentication" {
   type        = bool
 }
 
+
 variable "env_config" {
   description = "Environment configuration. Different environments may share the same environment config and the same infrastructure"
   type        = string
@@ -128,6 +134,17 @@ variable "main_subnet_id" {
   type        = string
 }
 
+variable "min_replicas" {
+  description = "Minimum number of container replicas"
+  type        = number
+}
+
+variable "app_insights_id" {
+  description = "The Application Insights id."
+  type        = string
+}
+
+
 variable "region" {
   description = "The region to deploy in"
   type        = string
@@ -144,6 +161,40 @@ variable "use_apex_domain" {
   type        = bool
 }
 
+variable "enable_alerting" {
+  description = "Whether monitoring and alerting is enabled."
+  type        = bool
+}
+
+variable "alert_window_size" {
+  type     = string
+  nullable = false
+  validation {
+    condition     = contains(["PT1M", "PT5M", "PT15M", "PT30M", "PT1H", "PT6H", "PT12H"], var.alert_window_size)
+    error_message = "The alert_window_size must be one of: PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H"
+  }
+  description = "The period of time that is used to monitor alert activity e.g. PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H. The interval between checks is adjusted accordingly."
+}
+
+variable "container_memory" {
+  description = "Memory allocated to the webapp container in Gi. CPU is automatically set to half the memory value by the container-app module."
+  type        = string
+}
+
+variable "action_group_id" {
+  type        = string
+  description = "ID of the action group to notify."
+}
+
+variable "infra_key_vault_name" {
+  description = "Name of the infra key vault"
+  type        = string
+}
+
+variable "infra_key_vault_rg" {
+  description = "Name of the infra key vault resource group"
+  type        = string
+}
 
 locals {
   resource_group_name = "rg-${var.app_short_name}-${var.environment}-container-app-uks"
@@ -179,7 +230,7 @@ locals {
     DATABASE_NAME   = var.deploy_database_as_container ? null : module.postgres[0].database_names[0]
     DATABASE_USER   = var.deploy_database_as_container ? null : module.db_connect_identity[0].name
   }
-
+  external_url         = "https://${module.frontdoor_endpoint[0].custom_domains["${var.environment}-domain"].host_name}/"
   storage_account_name = "st${var.app_short_name}${var.environment}uks"
   storage_containers   = {}
   storage_queues       = []

infrastructure/modules/infra/alerts.tf

@@ -0,0 +1,41 @@
+module "service_health_alert" {
+  source = "../dtos-devops-templates/infrastructure/modules/monitor-activity-log-alert"
+
+  name                = "service-health-alerts-${var.app_short_name}-${var.environment}"
+  location            = "global"
+  resource_group_name = azurerm_resource_group.main.name
+  description         = "Azure Service Health alert for services impacting ${var.app_short_name} in ${var.environment}"
+
+  scopes = [data.azurerm_subscription.current.id]
+
+  criteria = {
+    category = "ServiceHealth"
+    level    = null
+
+    service_health = {
+      events    = ["Incident", "Maintenance", "Informational", "ActionRequired", "Security"]
+      locations = [var.region]
+
+      # Only monitor Azure services used by this application
+      # This reduces noise from unrelated service health events
+      services = [
+        "Application Insights",
+        "Azure Container Apps",
+        "Azure Container Service",
+        "Azure Container Storage",
+        "Azure Database for PostgreSQL flexible servers",
+        "Azure DNS",
+        "Azure Frontdoor",
+        "Azure Monitor",
+        "Azure Private Link",
+        "Key Vault",
+        "Log Analytics",
+        "Storage",
+        "Virtual Network",
+        "Windows Virtual Desktop"
+      ]
+    }
+  }
+
+  action_group_id = module.monitor_action_group.monitor_action_group.id
+}

infrastructure/modules/infra/data.tf

@@ -1,3 +1,5 @@
+data "azurerm_subscription" "current" {}
+
 data "azuread_service_principal" "github-mi" {
   display_name = var.github_mi_name
 }
@@ -7,3 +9,15 @@ data "azuread_group" "kv_officers" {
 
   display_name = each.value
 }
+
+data "azurerm_key_vault" "infra" {
+  provider = azurerm.hub
+
+  name                = var.infra_key_vault_name
+  resource_group_name = var.infra_key_vault_rg
+}
+
+data "azurerm_key_vault_secret" "infra" {
+  name         = "monitoring-email-address"
+  key_vault_id = data.azurerm_key_vault.infra.id
+}

infrastructure/modules/infra/main.tf

@@ -70,3 +70,44 @@ module "container-app-environment" {
   private_dns_zone_rg_name       = var.features.private_networking ? "rg-hub-${var.hub}-uks-private-dns-zones" : null
   zone_redundancy_enabled        = var.cae_zone_redundancy_enabled
 }
+
+module "app_insights_audit" {
+  source = "../dtos-devops-templates/infrastructure/modules/app-insights"
+
+  name                = "appi-${var.environment}-uks-${var.app_short_name}"
+  location            = var.region
+  resource_group_name = azurerm_resource_group.main.name
+  appinsights_type    = "web"
+
+  log_analytics_workspace_id = module.log_analytics_workspace_audit.id
+
+  # alerts
+  action_group_id = module.monitor_action_group.monitor_action_group.id
+  enable_alerting = var.enable_alerting
+}
+
+module "private_link_scoped_service_law" {
+  source = "../dtos-devops-templates/infrastructure/modules/private-link-scoped-service"
+
+  providers = {
+    azurerm = azurerm.hub
+  }
+
+  name                = "pls-${var.app_short_name}-${var.environment}-law"
+  resource_group_name = "rg-hub-${var.hub}-uks-hub-private-endpoints"
+  linked_resource_id  = module.log_analytics_workspace_audit.id
+  scope_name          = "ampls-${var.hub}hub"
+}
+
+module "private_link_scoped_service_app_insights" {
+  source = "../dtos-devops-templates/infrastructure/modules/private-link-scoped-service"
+
+  providers = {
+    azurerm = azurerm.hub
+  }
+
+  name                = "pls-${var.app_short_name}-${var.environment}-appinsights"
+  resource_group_name = "rg-hub-${var.hub}-uks-hub-private-endpoints"
+  linked_resource_id  = module.app_insights_audit.id
+  scope_name          = "ampls-${var.hub}hub"
+}