Merge pull request #38 from Pwd9000-ML/v2.1.0-beta

V2.1.0 beta
Pwd9000-ML · Jan 23, 2024 · 4136c6e · 4136c6e
2 parents 93d7b67 + ed0e220
commit 4136c6e
Show file tree

Hide file tree

Showing 6 changed files with 225 additions and 61 deletions.
diff --git a/06_librechat_app.tf b/06_librechat_app.tf
@@ -68,19 +68,35 @@ resource "azurerm_linux_web_app" "librechat" {
 
   site_config {
     minimum_tls_version = "1.2"
-    #TODO - Make dynamic 
+
+    # allow subnet access from built in created subnet of this module
     ip_restriction {
       virtual_network_subnet_id = var.libre_app_virtual_network_subnet_id != null ? var.libre_app_virtual_network_subnet_id : azurerm_subnet.az_openai_subnet.id
       priority                  = 100
       name                      = "${azurerm_subnet.az_openai_subnet.name}-access" # "Allow from LibreChat app subnet and hosted services e.g. cosmosdb, meilisearch etc."
       action                    = "Allow"
     }
 
-    ip_restriction {
-      ip_address = var.libre_app_allowed_ip_address
-      priority   = 200
-      name       = "ip-access" # "The CIDR notation of the IP or IP Range to match to allow. For example: 10.0.0.0/24 or 192.168.10.1/32"
-      action     = "Allow"
+    # ip_restriction for subnet access add additional via dynamic (optional)
+    dynamic "ip_restriction" {
+      for_each = var.libre_app_allowed_subnets != null ? var.libre_app_allowed_subnets : []
+      content {
+        virtual_network_subnet_id = ip_restriction.value.virtual_network_subnet_id
+        priority                  = ip_restriction.value.priority
+        name                      = ip_restriction.value.name
+        action                    = ip_restriction.value.action
+      }
+    }
+
+    # ip_restriction for ip access add additional via dynamic (optional)
+    dynamic "ip_restriction" {
+      for_each = var.libre_app_allowed_ip_addresses != null ? var.libre_app_allowed_ip_addresses : []
+      content {
+        ip_address = ip_restriction.value.ip_address
+        priority   = ip_restriction.value.priority
+        name       = ip_restriction.value.name
+        action     = ip_restriction.value.action
+      }
     }
   }
 
@@ -119,34 +135,49 @@ resource "azurerm_role_assignment" "librechat_app_kv_access" {
 #   resource_group_name = var.azure_resource_group_name
 # }
 
-# resource "azurerm_linux_web_app" "app-service" {
-#   name                = "some-service"
-#   resource_group_name = var.azure_resource_group_name
-#   location            = var.azure_region
-#   service_plan_id = "some-plan"
-#   site_config {}
-# }
+resource "azurerm_dns_txt_record" "domain_verification" {
+  count               = var.libre_app_custom_domain_create == true ? 1 : 0
+  name                = "${var.librechat_app_custom_domain_name}txt"
+  zone_name           = var.librechat_app_custom_dns_zone_name
+  resource_group_name = var.dns_resource_group_name
+  ttl                 = 600
 
-# resource "azurerm_dns_txt_record" "domain-verification" {
-#   name                = "asuid.api.domain.com"
-#   zone_name           = var.azure_dns_zone
-#   resource_group_name = var.azure_resource_group_name
-#   ttl                 = 300
+  record {
+    value = azurerm_linux_web_app.librechat.custom_domain_verification_id
+  }
+}
 
-#   record {
-#     value = azurerm_linux_web_app.app-service.custom_domain_verification_id
-#   }
-# }
+resource "azurerm_dns_cname_record" "cname_record" {
+  count               = var.libre_app_custom_domain_create == true ? 1 : 0
+  name                = var.librechat_app_custom_domain_name
+  zone_name           = var.librechat_app_custom_dns_zone_name
+  resource_group_name = var.dns_resource_group_name
+  ttl                 = 600
+  record              = azurerm_linux_web_app.librechat.default_hostname
 
-# resource "azurerm_dns_cname_record" "cname-record" {
-#   name                = "domain.com"
-#   zone_name           = azurerm_dns_zone.dns-zone.name
-#   resource_group_name = var.azure_resource_group_name
-#   ttl                 = 300
-#   record              = azurerm_linux_web_app.app-service.default_hostname
+  depends_on = [azurerm_dns_txt_record.domain_verification]
+}
 
-#   depends_on = [azurerm_dns_txt_record.domain-verification]
-# }
+resource "azurerm_app_service_custom_hostname_binding" "hostname_binding" {
+  count               = var.libre_app_custom_domain_create == true ? 1 : 0
+  hostname            = "${var.librechat_app_custom_domain_name}.${var.librechat_app_custom_dns_zone_name}"
+  app_service_name    = var.libre_app_name
+  resource_group_name = azurerm_resource_group.az_openai_rg.name
+
+  depends_on = [azurerm_dns_cname_record.cname_record, azurerm_linux_web_app.librechat ]
+}
+
+resource "azurerm_app_service_managed_certificate" "libre_app_cert" {
+  count                      = var.libre_app_custom_domain_create == true ? 1 : 0
+  custom_hostname_binding_id = azurerm_app_service_custom_hostname_binding.hostname_binding[0].id
+}
+
+resource "azurerm_app_service_certificate_binding" "libre_app_cert_binding" {
+  count               = var.libre_app_custom_domain_create == true ? 1 : 0
+  hostname_binding_id = azurerm_app_service_custom_hostname_binding.hostname_binding[0].id
+  certificate_id      = azurerm_app_service_managed_certificate.libre_app_cert[0].id
+  ssl_state           = "SniEnabled"
+}
 
 #TODO: Implement DALL-E 
 #TODO:

diff --git a/README.md b/README.md
@@ -11,7 +11,7 @@ New integrations and features have been added to the module to use the latest **
 
 ## Coming next - Feature development
 
-- [ ] Custom domain support with managed certificates
+- [x] Custom domain support with managed certificates (Released in v2.1.0)
 - [ ] Privatise solution with Private endpoint support
 - [ ] Front Door and WAF support for public entrypoint
 - [ ] Azure AI Search/MeiliSearch Integration

diff --git a/tests/auto_test1/main.tf b/tests/auto_test1/main.tf
@@ -94,7 +94,8 @@ module "private-chatgpt-openai" {
   libre_app_name                          = "${var.libre_app_name}${random_integer.number.result}"
   libre_app_virtual_network_subnet_id     = var.libre_app_virtual_network_subnet_id
   libre_app_public_network_access_enabled = var.libre_app_public_network_access_enabled
-  libre_app_allowed_ip_address            = var.libre_app_allowed_ip_address
+  libre_app_allowed_subnets               = var.libre_app_allowed_subnets
+  libre_app_allowed_ip_addresses          = var.libre_app_allowed_ip_addresses
 
   ### LibreChat App Settings ###
   # Server Config
@@ -143,4 +144,10 @@ module "private-chatgpt-openai" {
   libre_app_allow_social_registration = var.libre_app_allow_social_registration
   libre_app_jwt_secret                = var.libre_app_jwt_secret
   libre_app_jwt_refresh_secret        = var.libre_app_jwt_refresh_secret
+
+  # Custom Domain and Managed Certificate (Optional)
+  libre_app_custom_domain_create     = var.libre_app_custom_domain_create
+  librechat_app_custom_domain_name   = "${var.librechat_app_custom_domain_name}${random_integer.number.result}"
+  librechat_app_custom_dns_zone_name = var.librechat_app_custom_dns_zone_name
+  dns_resource_group_name            = var.dns_resource_group_name
 }
diff --git a/tests/auto_test1/testing.auto.tfvars b/tests/auto_test1/testing.auto.tfvars
@@ -118,8 +118,16 @@ app_service_sku_name = "B1"
 # LibreChat App Service
 libre_app_name                          = "librechatapp"
 libre_app_public_network_access_enabled = true
-libre_app_virtual_network_subnet_id     = null
-libre_app_allowed_ip_address            = "0.0.0.0/0"
+libre_app_virtual_network_subnet_id     = null # Access is allowed on the built in subnet of this module. If networking is created as part of the module, this will be automatically populated if value is 'null' (priority 100)
+libre_app_allowed_subnets               = null # Add any other subnet ids to allow access to the app service (optional)
+libre_app_allowed_ip_addresses = [
+  {
+    ip_address = "0.0.0.0/0" # Allow all IP Addresses (change to your IP range)
+    priority   = 200
+    name       = "ip-access-rule1"
+    action     = "Allow"
+  }
+]
 
 ### LibreChat App Settings ###
 # Server Config
@@ -167,4 +175,10 @@ libre_app_allow_registration        = true
 libre_app_allow_social_login        = false
 libre_app_allow_social_registration = false
 libre_app_jwt_secret                = null
-libre_app_jwt_refresh_secret        = null
+libre_app_jwt_refresh_secret        = null
+
+# Custom Domain and Managed Certificate (Optional)
+libre_app_custom_domain_create     = true
+librechat_app_custom_domain_name   = "privategpt"
+librechat_app_custom_dns_zone_name = "pwd9000.com"
+dns_resource_group_name            = "Pwd9000-EB-Network"
diff --git a/tests/auto_test1/variables.tf b/tests/auto_test1/variables.tf
@@ -386,14 +386,44 @@ variable "libre_app_public_network_access_enabled" {
 
 variable "libre_app_virtual_network_subnet_id" {
   type        = string
-  description = "The ID of the subnet to deploy the LibreChat App Service in."
+  description = "The ID of the subnet, used to allow access to the App Service (priority 100), e.g. cosmosdb, meilisearch etc. If networking is created as part of the module, this will be automatically populated if value is 'null'."
   default     = null
 }
 
-variable "libre_app_allowed_ip_address" {
-  type        = string
-  description = "The IP Address to allow access to the LibreChat App Service from. (Change to your IP Address). default is allow all"
-  default     = "0.0.0.0/0"
+variable "libre_app_allowed_subnets" {
+  description = "Allowed Subnets (By default the subnet the app service is deployed in is allowed access already as priority 100). Add any additionals here"
+  type = list(object({
+    virtual_network_subnet_id = string
+    priority                  = number
+    name                      = string
+    action                    = string
+  }))
+  default = [
+    {
+      virtual_network_subnet_id = "subnet_id1"
+      priority                  = 200
+      name                      = "subnet-access-rule1"
+      action                    = "Allow"
+    }
+  ]
+}
+
+variable "libre_app_allowed_ip_addresses" {
+  description = "Allowed IP Addresses. The CIDR notation of the IP or IP Range to match to allow. For example: 10.0.0.0/24 or 192.168.10.1/32"
+  type = list(object({
+    ip_address = string
+    priority   = number
+    name       = string
+    action     = string
+  }))
+  default = [
+    {
+      ip_address = "0.0.0.0/0" # Allow all IP Addresses (change to your IP range)
+      priority   = 300
+      name       = "ip-access-rule1"
+      action     = "Allow"
+    }
+  ]
 }
 
 # LibreChat App Service App Settings
@@ -607,4 +637,30 @@ variable "libre_app_jwt_refresh_secret" {
   description = "JWT Refresh Secret"
   default     = null
   sensitive   = true
+}
+
+# Custom Domain and Managed Certificate (Optional)
+
+variable "libre_app_custom_domain_create" {
+  type        = bool
+  description = "Create a custom domain and managed certificate for the App Service."
+  default     = false
+}
+
+variable "librechat_app_custom_domain_name" {
+  type        = string
+  description = "The custom domain to use for the App Service."
+  default     = "privategpt"
+}
+
+variable "librechat_app_custom_dns_zone_name" {
+  type        = string
+  description = "The DNS Zone to use for the App Service."
+  default     = "domain.com"
+}
+
+variable "dns_resource_group_name" {
+  type        = string
+  description = "The Resource Group that contains the custom DNS Zone to use for the App Service"
+  default     = "dns-rg"
 }
diff --git a/variables.tf b/variables.tf
@@ -391,14 +391,44 @@ variable "libre_app_public_network_access_enabled" {
 
 variable "libre_app_virtual_network_subnet_id" {
   type        = string
-  description = "The ID of the subnet to deploy the LibreChat App Service in."
+  description = "The ID of the subnet, used to allow access to the App Service (priority 100), e.g. cosmosdb, meilisearch etc. If networking is created as part of the module, this will be automatically populated if value is 'null'."
   default     = null
 }
 
-variable "libre_app_allowed_ip_address" {
-  type        = string
-  description = "The IP Address to allow access to the LibreChat App Service from. (Change to your IP Address). default is allow all"
-  default     = "0.0.0.0/0"
+variable "libre_app_allowed_subnets" {
+  description = "Allowed Subnets (By default the subnet the app service is deployed in is allowed access already as priority 100). Add any additionals here"
+  type = list(object({
+    virtual_network_subnet_id = string
+    priority                  = number
+    name                      = string
+    action                    = string
+  }))
+  default = [
+    {
+      virtual_network_subnet_id = "subnet_id1"
+      priority                  = 200
+      name                      = "subnet-access-rule1" # "Allow from LibreChat app subnet and hosted services e.g. cosmosdb, meilisearch etc."
+      action                    = "Allow"
+    }
+  ]
+}
+
+variable "libre_app_allowed_ip_addresses" {
+  description = "Allowed IP Addresses. The CIDR notation of the IP or IP Range to match to allow. For example: 10.0.0.0/24 or 192.168.10.1/32"
+  type = list(object({
+    ip_address = string
+    priority   = number
+    name       = string
+    action     = string
+  }))
+  default = [
+    {
+      ip_address = "0.0.0.0/0" # Allow all IP Addresses (change to your IP range)
+      priority   = 300
+      name       = "ip-access-rule1"
+      action     = "Allow"
+    }
+  ]
 }
 
 # LibreChat App Service App Settings
@@ -558,24 +588,24 @@ variable "libre_app_enable_meilisearch" {
   default     = false
 }
 
-# # variable "libre_app_disable_meilisearch_analytics" {
-# #   type        = bool
-# #   description = "Disable Meilisearch Analytics"
-# #   default     = true
-# # }
+# variable "libre_app_disable_meilisearch_analytics" {
+#   type        = bool
+#   description = "Disable Meilisearch Analytics"
+#   default     = true
+# }
 
-# # variable "libre_app_meili_host" {
-# #   type        = string
-# #   description = "For the API server to connect to the search server. E.g. https://meilisearch.example.com"
-# #   default     = null
-# # }
+# variable "libre_app_meili_host" {
+#   type        = string
+#   description = "For the API server to connect to the search server. E.g. https://meilisearch.example.com"
+#   default     = null
+# }
 
-# # variable "libre_app_meili_key" {
-# #   type        = string
-# #   description = "Meilisearch API Key"
-# #   default     = null
-# #   sensitive   = true
-# # }
+# variable "libre_app_meili_key" {
+#   type        = string
+#   description = "Meilisearch API Key"
+#   default     = null
+#   sensitive   = true
+# }
 
 # User Registration
 variable "libre_app_allow_email_login" {
@@ -614,4 +644,30 @@ variable "libre_app_jwt_refresh_secret" {
   description = "JWT Refresh Secret"
   default     = null
   sensitive   = true
+}
+
+# Custom Domain and Managed Certificate (Optional)
+
+variable "libre_app_custom_domain_create" {
+  type        = bool
+  description = "Create a custom domain and managed certificate for the App Service."
+  default     = false
+}
+
+variable "librechat_app_custom_domain_name" {
+  type        = string
+  description = "The custom domain to use for the App Service."
+  default     = "privategpt"
+}
+
+variable "librechat_app_custom_dns_zone_name" {
+  type        = string
+  description = "The DNS Zone to use for the App Service."
+  default     = "domain.com"
+}
+
+variable "dns_resource_group_name" {
+  type        = string
+  description = "The Resource Group that contains the custom DNS Zone to use for the App Service"
+  default     = "dns-rg"
 }