feat(deploy): implement robotics infrastructure with Azure resources (#9)

* feat(deploy): implement robotics infrastructure with Azure resources

- add Terraform configurations for resource group, AKS, PostgreSQL, and Redis
- create deployment scripts for OSMO Control Plane components
- define Helm charts and values for OSMO services
- establish internal load balancer ingress for secure connectivity

🔧 - Generated by Copilot

* chore(deploy): remove unused variable for OSMO private DNS creation

🔒 - Generated by Copilot

* feat(deploy): add key vault output for robotics secrets

- include key vault name in outputs
- remove unused variables for PostgreSQL and Redis

🔒 - Generated by Copilot

Author: agreaves-ms

.cspell-dictionary.txt

@@ -10,3 +10,4 @@ PYTHONHASHSEED
 PYTHONPATH
 rollouts
 skrl
+tolerations

.gitignore

@@ -396,6 +396,35 @@ MigrationBackup/
 # Fody - auto-generated XML schema
 FodyWeavers.xsd
 
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Ignore tfplan files
+*.tfplan
+
+# Ignore .terraform lock
+.terraform.lock.hcl
+
+# Crash log files
+crash.log
+
+# Ignore all .tfvars files, which are likely to contain sensitive data, such as passwords
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and should not be shared
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
 # VS Code files for those working on multiple tools
 .vscode/*
 !.vscode/settings.json

deploy/000-prerequisites/az-sub-init.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+
+tenant=""
+help="Usage: az-sub-init.sh [--tenant your-tenant.onmicrosoft.com] [--help]
+
+Attempts to set the ARM_SUBSCRIPTION_ID env var to 'id' from 'az account show' in the following ways:
+- 'az login' if not logged in (optionally with specific tenant)
+- 'az account show -o tsv --query id' for the current logged in account
+
+Needed for Terraform
+
+Current ARM_SUBSCRIPTION_ID: ${ARM_SUBSCRIPTION_ID}"
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+  --tenant)
+    tenant="$2"
+    shift 2
+    ;;
+  --help)
+    echo "${help}"
+    exit 0
+    ;;
+  *)
+    echo "${help}"
+    echo
+    echo "Unknown option: $1"
+    exit 1
+    ;;
+  esac
+done
+
+get_current_subscription_id() {
+  az account show -o tsv --query "id" 2>/dev/null
+}
+
+is_correct_tenant() {
+  if [[ -z "${tenant}" ]]; then
+    return 0 # No specific tenant required
+  fi
+
+  local current_tenant
+  current_tenant=$(az rest --method get --url https://graph.microsoft.com/v1.0/domains \
+    --query 'value[?isDefault].id' -o tsv 2>/dev/null || echo "")
+
+  [[ "${tenant}" == "${current_tenant}" ]]
+}
+
+login_to_azure() {
+  echo "Logging into Azure..."
+  if [[ -n "${tenant}" ]]; then
+    if ! az login --tenant "${tenant}"; then
+      echo "Error: Failed to login to Azure with tenant ${tenant}"
+      exit 1
+    fi
+  else
+    if ! az login; then
+      echo "Error: Failed to login to Azure"
+      exit 1
+    fi
+  fi
+}
+
+current_subscription_id=$(get_current_subscription_id)
+
+if [[ -z "${current_subscription_id}" ]] || ! is_correct_tenant; then
+  login_to_azure
+
+  current_subscription_id=$(get_current_subscription_id)
+  if [[ -z "${current_subscription_id}" ]]; then
+    echo "Error: Login succeeded but could not retrieve subscription ID"
+    exit 1
+  fi
+fi
+
+export ARM_SUBSCRIPTION_ID="${current_subscription_id}"
+echo "ARM_SUBSCRIPTION_ID set to: ${ARM_SUBSCRIPTION_ID}"

deploy/000-prerequisites/mek-generation.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+# Generate MEK for OSMO
+
+# Generate random 32-byte key
+RANDOM_KEY="$(openssl rand -base64 32 | tr -d '\n')"
+
+# Create JWK
+JWK_JSON="{\"k\":\"$RANDOM_KEY\",\"kid\":\"key1\",\"kty\":\"oct\"}"
+
+# Base64 encode the JWK
+ENCODED_JWK="$(echo -n "$JWK_JSON" | base64 | tr -d '\n')"
+
+mkdir -p ./out
+
+cat > ./out/mek-config.yaml <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mek-config
+data:
+  mek.yaml: |
+    currentMek: key1
+    meks:
+      key1: $ENCODED_JWK
+EOF
+
+echo "ConfigMap written to ./out/mek-config.yaml"

deploy/001-iac/dns/main.tf

@@ -0,0 +1,36 @@
+/**
+ * Private DNS Zone for OSMO UI Service
+ *
+ * Creates a private DNS zone for internal resolution of the OSMO UI service
+ * running on an internal LoadBalancer within the AKS cluster.
+ */
+locals {
+  resource_group_name  = coalesce(var.resource_group_name, "rg-${var.resource_prefix}-${var.environment}-${var.instance}")
+  virtual_network_name = coalesce(var.virtual_network_name, "vnet-${var.resource_prefix}-${var.environment}-${var.instance}")
+}
+
+data "azurerm_virtual_network" "this" {
+  name                = local.virtual_network_name
+  resource_group_name = local.resource_group_name
+}
+
+resource "azurerm_private_dns_zone" "osmo" {
+  name                = var.osmo_private_dns_zone_name
+  resource_group_name = local.resource_group_name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "osmo" {
+  name                  = "vnet-pzl-osmo-${var.resource_prefix}-${var.environment}-${var.instance}"
+  resource_group_name   = local.resource_group_name
+  private_dns_zone_name = azurerm_private_dns_zone.osmo.name
+  virtual_network_id    = data.azurerm_virtual_network.this.id
+  registration_enabled  = false
+}
+
+resource "azurerm_private_dns_a_record" "osmo" {
+  name                = var.osmo_hostname
+  zone_name           = azurerm_private_dns_zone.osmo.name
+  resource_group_name = local.resource_group_name
+  ttl                 = 300
+  records             = [var.osmo_loadbalancer_ip]
+}

deploy/001-iac/dns/outputs.tf

@@ -0,0 +1,17 @@
+/*
+ * OSMO Private DNS Outputs
+ */
+
+output "osmo_private_dns_zone" {
+  description = "Private DNS zone for OSMO services"
+  value = {
+    id             = azurerm_private_dns_zone.osmo.id
+    name           = azurerm_private_dns_zone.osmo.name
+    resource_group = azurerm_private_dns_zone.osmo.resource_group_name
+  }
+}
+
+output "osmo_fqdn" {
+  description = "Fully qualified domain name for OSMO service"
+  value       = "${var.osmo_hostname}.${var.osmo_private_dns_zone_name}"
+}

deploy/001-iac/dns/variables.tf

@@ -0,0 +1,65 @@
+/*
+ * Core Variables - Required
+ */
+
+variable "environment" {
+  type        = string
+  description = "Environment for all resources in this module: dev, test, or prod"
+}
+
+variable "location" {
+  type        = string
+  description = "Location for all resources in this module"
+}
+
+variable "resource_prefix" {
+  type        = string
+  description = "Prefix for all resources in this module"
+}
+
+/*
+ * Core Variables - Optional
+ */
+
+variable "instance" {
+  type        = string
+  description = "Instance identifier for naming resources: 001, 002, etc"
+  default     = "001"
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "Existing resource group name containing foundational and ML resources (Otherwise 'rg-{resource_prefix}-{environment}-{instance}')"
+  default     = null
+}
+
+variable "virtual_network_name" {
+  type        = string
+  description = "Existing virtual network name (Otherwise 'vnet-{resource_prefix}-{environment}-{instance}')"
+  default     = null
+}
+
+/*
+ * OSMO Private DNS Configuration - Required
+ */
+
+variable "osmo_loadbalancer_ip" {
+  type        = string
+  description = "Internal LoadBalancer IP address for the OSMO service"
+}
+
+/*
+ * OSMO Private DNS Configuration - Optional
+ */
+
+variable "osmo_private_dns_zone_name" {
+  type        = string
+  description = "Private DNS zone name for OSMO services (e.g., osmo.local, osmo.internal)"
+  default     = "osmo.local"
+}
+
+variable "osmo_hostname" {
+  type        = string
+  description = "Hostname for the OSMO service within the private DNS zone"
+  default     = "dev"
+}

deploy/001-iac/dns/versions.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 4.51.0"
+    }
+  }
+  required_version = ">= 1.9.8, < 2.0"
+}
+
+provider "azurerm" {
+  storage_use_azuread = true
+  partner_id          = "acce1e78-0375-4637-a593-86aa36dcfeac"
+  features {}
+}