use service endpoints instead of private links for storage
Telemaco019 committed Aug 7, 2024
1 parent bb0b0bf commit 09a8734
Showing 3 changed files with 50 additions and 193 deletions.
98 changes: 44 additions & 54 deletions README.md
Expand Up @@ -68,7 +68,7 @@ Available on [Terraform Registry](https://registry.terraform.io/modules/nebuly-a
| <a name="input_postgres_server_point_in_time_backup"></a> [postgres\_server\_point\_in\_time\_backup](#input\_postgres\_server\_point\_in\_time\_backup) | The backup settings of the PostgreSQL Server. | <pre>object({<br> geo_redundant : optional(bool, true)<br> retention_days : optional(number, 30)<br> })</pre> | <pre>{<br> "geo_redundant": true,<br> "retention_days": 30<br>}</pre> | no |
| <a name="input_postgres_server_sku"></a> [postgres\_server\_sku](#input\_postgres\_server\_sku) | The SKU of the PostgreSQL Server, including the Tier and the Name. Examples: B\_Standard\_B1ms, GP\_Standard\_D2s\_v3, MO\_Standard\_E4s\_v3 | <pre>object({<br> tier : string<br> name : string<br> })</pre> | <pre>{<br> "name": "Standard_D4ds_v5",<br> "tier": "GP"<br>}</pre> | no |
| <a name="input_postgres_version"></a> [postgres\_version](#input\_postgres\_version) | The PostgreSQL version to use. | `string` | `"16"` | no |
| <a name="input_private_dns_zones"></a> [private\_dns\_zones](#input\_private\_dns\_zones) | Private DNS zones to use for Private Endpoint connections. If not provided, a new DNS Zone <br> is created and linked to the respective subnet. | <pre>object({<br> file = optional(object({<br> name : string<br> id : string<br> }), null)<br> blob = optional(object({<br> name : string<br> id : string<br> }), null)<br> dfs = optional(object({<br> name : string<br> id : string<br> }), null)<br> flexible_postgres = optional(object({<br> name : string<br> id : string<br> }), null)<br> })</pre> | `{}` | no |
| <a name="input_private_dns_zones"></a> [private\_dns\_zones](#input\_private\_dns\_zones) | Private DNS zones to use for Private Endpoint connections. If not provided, a new DNS Zone <br> is created and linked to the respective subnet. | <pre>object({<br> flexible_postgres = optional(object({<br> name : string<br> id : string<br> }), null)<br> })</pre> | `{}` | no |
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group where to provision the resources. | `string` | n/a | yes |
| <a name="input_resource_prefix"></a> [resource\_prefix](#input\_resource\_prefix) | The prefix that is used for generating resource names. | `string` | n/a | yes |
| <a name="input_subnet_address_space_aks_nodes"></a> [subnet\_address\_space\_aks\_nodes](#input\_subnet\_address\_space\_aks\_nodes) | Address space of the new subnet in which to create the nodes of the AKS cluster. <br> If `subnet_name_aks_nodes` is provided, the existing subnet is used and this variable is ignored. | `list(string)` | <pre>[<br> "10.0.0.0/22"<br>]</pre> | no |
Expand All @@ -84,56 +84,46 @@ Available on [Terraform Registry](https://registry.terraform.io/modules/nebuly-a
## Resources


- resource.azuread_application.main (/terraform-docs/main.tf#317)
- resource.azuread_service_principal.main (/terraform-docs/main.tf#323)
- resource.azuread_service_principal_password.main (/terraform-docs/main.tf#328)
- resource.azurerm_cognitive_account.main (/terraform-docs/main.tf#512)
- resource.azurerm_cognitive_deployment.gpt_4_turbo (/terraform-docs/main.tf#531)
- resource.azurerm_cognitive_deployment.gpt_4o_mini (/terraform-docs/main.tf#546)
- resource.azurerm_key_vault.main (/terraform-docs/main.tf#250)
- resource.azurerm_key_vault_secret.azure_openai_api_key (/terraform-docs/main.tf#561)
- resource.azurerm_key_vault_secret.azuread_application_client_id (/terraform-docs/main.tf#332)
- resource.azurerm_key_vault_secret.azuread_application_client_secret (/terraform-docs/main.tf#341)
- resource.azurerm_key_vault_secret.jwt_signing_key (/terraform-docs/main.tf#796)
- resource.azurerm_key_vault_secret.postgres_password (/terraform-docs/main.tf#495)
- resource.azurerm_key_vault_secret.postgres_user (/terraform-docs/main.tf#486)
- resource.azurerm_kubernetes_cluster_node_pool.linux_pools (/terraform-docs/main.tf#753)
- resource.azurerm_management_lock.postgres_server (/terraform-docs/main.tf#429)
- resource.azurerm_monitor_metric_alert.postgres_server_alerts (/terraform-docs/main.tf#437)
- resource.azurerm_postgresql_flexible_server.main (/terraform-docs/main.tf#359)
- resource.azurerm_postgresql_flexible_server_configuration.mandatory_configurations (/terraform-docs/main.tf#410)
- resource.azurerm_postgresql_flexible_server_configuration.optional_configurations (/terraform-docs/main.tf#403)
- resource.azurerm_postgresql_flexible_server_database.analytics (/terraform-docs/main.tf#423)
- resource.azurerm_postgresql_flexible_server_database.auth (/terraform-docs/main.tf#417)
- resource.azurerm_private_dns_zone.blob (/terraform-docs/main.tf#193)
- resource.azurerm_private_dns_zone.dfs (/terraform-docs/main.tf#211)
- resource.azurerm_private_dns_zone.file (/terraform-docs/main.tf#175)
- resource.azurerm_private_dns_zone.flexible_postgres (/terraform-docs/main.tf#229)
- resource.azurerm_private_dns_zone_virtual_network_link.blob (/terraform-docs/main.tf#199)
- resource.azurerm_private_dns_zone_virtual_network_link.dfs (/terraform-docs/main.tf#217)
- resource.azurerm_private_dns_zone_virtual_network_link.file (/terraform-docs/main.tf#181)
- resource.azurerm_private_dns_zone_virtual_network_link.flexible_postgres (/terraform-docs/main.tf#235)
- resource.azurerm_private_endpoint.blob (/terraform-docs/main.tf#600)
- resource.azurerm_private_endpoint.dfs (/terraform-docs/main.tf#640)
- resource.azurerm_private_endpoint.file (/terraform-docs/main.tf#620)
- resource.azurerm_private_endpoint.key_vault (/terraform-docs/main.tf#276)
- resource.azurerm_role_assignment.aks_network_contributor (/terraform-docs/main.tf#748)
- resource.azurerm_role_assignment.key_vault_secret_officer__current (/terraform-docs/main.tf#307)
- resource.azurerm_role_assignment.key_vault_secret_user__aks (/terraform-docs/main.tf#302)
- resource.azurerm_role_assignment.storage_container_models__data_contributor (/terraform-docs/main.tf#595)
- resource.azurerm_storage_account.main (/terraform-docs/main.tf#577)
- resource.azurerm_storage_container.models (/terraform-docs/main.tf#591)
- resource.azurerm_subnet.aks_nodes (/terraform-docs/main.tf#131)
- resource.azurerm_subnet.flexible_postgres (/terraform-docs/main.tf#153)
- resource.azurerm_subnet.private_endpints (/terraform-docs/main.tf#145)
- resource.azurerm_virtual_network.main (/terraform-docs/main.tf#123)
- resource.random_password.postgres_server_admin_password (/terraform-docs/main.tf#354)
- resource.time_sleep.wait_aks_creation (/terraform-docs/main.tf#735)
- resource.tls_private_key.aks (/terraform-docs/main.tf#664)
- resource.tls_private_key.jwt_signing_key (/terraform-docs/main.tf#792)
- data source.azurerm_client_config.current (/terraform-docs/main.tf#77)
- data source.azurerm_resource_group.main (/terraform-docs/main.tf#74)
- data source.azurerm_subnet.aks_nodes (/terraform-docs/main.tf#85)
- data source.azurerm_subnet.flexible_postgres (/terraform-docs/main.tf#106)
- data source.azurerm_subnet.private_endpoints (/terraform-docs/main.tf#99)
- data source.azurerm_virtual_network.main (/terraform-docs/main.tf#79)
- resource.azuread_application.main (/terraform-docs/main.tf#251)
- resource.azuread_service_principal.main (/terraform-docs/main.tf#257)
- resource.azuread_service_principal_password.main (/terraform-docs/main.tf#262)
- resource.azurerm_cognitive_account.main (/terraform-docs/main.tf#446)
- resource.azurerm_cognitive_deployment.gpt_4_turbo (/terraform-docs/main.tf#465)
- resource.azurerm_cognitive_deployment.gpt_4o_mini (/terraform-docs/main.tf#480)
- resource.azurerm_key_vault.main (/terraform-docs/main.tf#184)
- resource.azurerm_key_vault_secret.azure_openai_api_key (/terraform-docs/main.tf#495)
- resource.azurerm_key_vault_secret.azuread_application_client_id (/terraform-docs/main.tf#266)
- resource.azurerm_key_vault_secret.azuread_application_client_secret (/terraform-docs/main.tf#275)
- resource.azurerm_key_vault_secret.jwt_signing_key (/terraform-docs/main.tf#675)
- resource.azurerm_key_vault_secret.postgres_password (/terraform-docs/main.tf#429)
- resource.azurerm_key_vault_secret.postgres_user (/terraform-docs/main.tf#420)
- resource.azurerm_kubernetes_cluster_node_pool.linux_pools (/terraform-docs/main.tf#632)
- resource.azurerm_management_lock.postgres_server (/terraform-docs/main.tf#363)
- resource.azurerm_monitor_metric_alert.postgres_server_alerts (/terraform-docs/main.tf#371)
- resource.azurerm_postgresql_flexible_server.main (/terraform-docs/main.tf#293)
- resource.azurerm_postgresql_flexible_server_configuration.mandatory_configurations (/terraform-docs/main.tf#344)
- resource.azurerm_postgresql_flexible_server_configuration.optional_configurations (/terraform-docs/main.tf#337)
- resource.azurerm_postgresql_flexible_server_database.analytics (/terraform-docs/main.tf#357)
- resource.azurerm_postgresql_flexible_server_database.auth (/terraform-docs/main.tf#351)
- resource.azurerm_private_dns_zone.flexible_postgres (/terraform-docs/main.tf#163)
- resource.azurerm_private_dns_zone_virtual_network_link.flexible_postgres (/terraform-docs/main.tf#169)
- resource.azurerm_private_endpoint.key_vault (/terraform-docs/main.tf#210)
- resource.azurerm_role_assignment.aks_network_contributor (/terraform-docs/main.tf#627)
- resource.azurerm_role_assignment.key_vault_secret_officer__current (/terraform-docs/main.tf#241)
- resource.azurerm_role_assignment.key_vault_secret_user__aks (/terraform-docs/main.tf#236)
- resource.azurerm_role_assignment.storage_container_models__data_contributor (/terraform-docs/main.tf#535)
- resource.azurerm_storage_account.main (/terraform-docs/main.tf#511)
- resource.azurerm_storage_container.models (/terraform-docs/main.tf#531)
- resource.azurerm_subnet.aks_nodes (/terraform-docs/main.tf#119)
- resource.azurerm_subnet.flexible_postgres (/terraform-docs/main.tf#141)
- resource.azurerm_subnet.private_endpints (/terraform-docs/main.tf#133)
- resource.azurerm_virtual_network.main (/terraform-docs/main.tf#111)
- resource.random_password.postgres_server_admin_password (/terraform-docs/main.tf#288)
- resource.time_sleep.wait_aks_creation (/terraform-docs/main.tf#614)
- resource.tls_private_key.aks (/terraform-docs/main.tf#543)
- resource.tls_private_key.jwt_signing_key (/terraform-docs/main.tf#671)
- data source.azurerm_client_config.current (/terraform-docs/main.tf#72)
- data source.azurerm_resource_group.main (/terraform-docs/main.tf#69)
- data source.azurerm_subnet.aks_nodes (/terraform-docs/main.tf#80)
- data source.azurerm_subnet.flexible_postgres (/terraform-docs/main.tf#94)
- data source.azurerm_virtual_network.main (/terraform-docs/main.tf#74)
133 changes: 6 additions & 127 deletions main.tf
Expand Up @@ -55,11 +55,6 @@ locals {
data.azurerm_subnet.aks_nodes[0] :
azurerm_subnet.aks_nodes[0]
)
private_endpoints_subnet = (
local.use_existing_private_endpoints_subnet ?
data.azurerm_subnet.private_endpoints[0] :
azurerm_subnet.private_endpints[0]
)
flexible_postgres_subnet = (
local.use_existing_flexible_postgres_subnet ?
data.azurerm_subnet.flexible_postgres[0] :
Expand Down Expand Up @@ -96,13 +91,6 @@ data "azurerm_subnet" "aks_nodes" {
}
}
}
data "azurerm_subnet" "private_endpoints" {
count = local.use_existing_private_endpoints_subnet ? 1 : 0

resource_group_name = data.azurerm_resource_group.main.name
virtual_network_name = var.virtual_network_name
name = var.subnet_name_private_endpoints
}
data "azurerm_subnet" "flexible_postgres" {
count = local.use_existing_flexible_postgres_subnet ? 1 : 0

Expand Down Expand Up @@ -172,60 +160,6 @@ resource "azurerm_subnet" "flexible_postgres" {


# ------ Networking: Private DNS Zones ------ #
resource "azurerm_private_dns_zone" "file" {
count = var.private_dns_zones.file == null ? 1 : 0

name = "privatelink.file.core.windows.net"
resource_group_name = data.azurerm_resource_group.main.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "file" {
count = var.private_dns_zones.file == null ? 1 : 0

name = format(
"%s-file-%s",
var.resource_prefix,
local.virtual_network.name,
)
resource_group_name = data.azurerm_resource_group.main.name
virtual_network_id = local.virtual_network.id
private_dns_zone_name = azurerm_private_dns_zone.file[0].name
}
resource "azurerm_private_dns_zone" "blob" {
count = var.private_dns_zones.blob == null ? 1 : 0

name = "privatelink.blob.core.windows.net"
resource_group_name = data.azurerm_resource_group.main.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "blob" {
count = var.private_dns_zones.blob == null ? 1 : 0

name = format(
"%s-blob-%s",
var.resource_prefix,
local.virtual_network.name
)
resource_group_name = data.azurerm_resource_group.main.name
virtual_network_id = local.virtual_network.id
private_dns_zone_name = azurerm_private_dns_zone.blob[0].name
}
resource "azurerm_private_dns_zone" "dfs" {
count = var.private_dns_zones.dfs == null ? 1 : 0

name = "privatelink.dfs.core.windows.net"
resource_group_name = data.azurerm_resource_group.main.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "dfs" {
count = var.private_dns_zones.dfs == null ? 1 : 0

name = format(
"%s-dfs-%s",
var.resource_prefix,
local.virtual_network.name,
)
resource_group_name = data.azurerm_resource_group.main.name
virtual_network_id = local.virtual_network.id
private_dns_zone_name = azurerm_private_dns_zone.dfs[0].name
}
resource "azurerm_private_dns_zone" "flexible_postgres" {
count = var.private_dns_zones.flexible_postgres == null ? 1 : 0

Expand Down Expand Up @@ -586,6 +520,12 @@ resource "azurerm_storage_account" "main" {
public_network_access_enabled = true # TODO
is_hns_enabled = false

network_rules {
default_action = "Deny"
ip_rules = []
virtual_network_subnet_ids = [local.aks_nodes_subnet.id]
}

tags = var.tags
}
resource "azurerm_storage_container" "models" {
Expand All @@ -597,67 +537,6 @@ resource "azurerm_role_assignment" "storage_container_models__data_contributor"
principal_id = azuread_service_principal.main.object_id
scope = azurerm_storage_container.models.resource_manager_id
}
resource "azurerm_private_endpoint" "blob" {
name = "${azurerm_storage_account.main.name}-blob"
location = var.location
resource_group_name = data.azurerm_resource_group.main.name
subnet_id = local.private_endpoints_subnet.id

private_service_connection {
name = "${azurerm_storage_account.main.name}-blob"
private_connection_resource_id = azurerm_storage_account.main.id
is_manual_connection = false
subresource_names = ["blob"]
}

private_dns_zone_group {
name = "privatelink-blob-core-windows-net"
private_dns_zone_ids = [
length(azurerm_private_dns_zone.blob) > 0 ? azurerm_private_dns_zone.blob[0].id : var.private_dns_zones.blob.id
]
}
}
resource "azurerm_private_endpoint" "file" {
name = "${azurerm_storage_account.main.name}-file"
location = var.location
resource_group_name = data.azurerm_resource_group.main.name
subnet_id = local.private_endpoints_subnet.id

private_service_connection {
name = "${azurerm_storage_account.main.name}-file"
private_connection_resource_id = azurerm_storage_account.main.id
is_manual_connection = false
subresource_names = ["file"]
}

private_dns_zone_group {
name = "privatelink-file-core-windows-net"
private_dns_zone_ids = [
length(azurerm_private_dns_zone.file) > 0 ? azurerm_private_dns_zone.file[0].id : var.private_dns_zones.file.id
]
}
}
resource "azurerm_private_endpoint" "dfs" {
name = "${azurerm_storage_account.main.name}-dfs"
location = var.location
resource_group_name = data.azurerm_resource_group.main.name
subnet_id = local.private_endpoints_subnet.id

private_service_connection {
name = "${azurerm_storage_account.main.name}-dfs"
private_connection_resource_id = azurerm_storage_account.main.id
is_manual_connection = false
subresource_names = ["dfs"]
}

private_dns_zone_group {
name = "privatelink-blob-core-windows-net"
private_dns_zone_ids = [
length(azurerm_private_dns_zone.dfs) > 0 ? azurerm_private_dns_zone.dfs[0].id : var.private_dns_zones.dfs.id
]
}
}



# ------ AKS ------ #
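Review bot: The new `network_rules` block in `azurerm_storage_account.main` only works if the AKS nodes subnet has the `Microsoft.Storage` service endpoint enabled, and nothing in this hunk establishes that — `azurerm_subnet.aks_nodes` and the `data.azurerm_subnet.aks_nodes` path for a caller-supplied subnet are outside the hunk, and as far as I know Azure rejects a subnet without that endpoint when it is listed in `virtual_network_subnet_ids`, so the apply would fail for an existing subnet that lacks it. The `public_network_access_enabled = true # TODO` line just above is now load-bearing rather than a leftover, since service-endpoint rules require the public endpoint to stay enabled; replace the TODO with something like `# Must stay enabled: the firewall rules below restrict access to the AKS nodes subnet via its service endpoint`. With `ip_rules = []` and `bypass` left at the provider default, an apply run from outside the VNet may be unable to perform data-plane operations on the account (e.g. creating the `models` container), so consider exposing an `ip_rules` input or documenting that the deployer must run from the allowed subnet. The service-endpoint requirement should also be stated on `subnet_name_aks_nodes` in variables.tf and the README, which are not changed here.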
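--- a/variables.tf
+++ b/variables.tf
@@ -290,18 +290,6 @@ variable "private_dns_zones" {
 is created and linked to the respective subnet.
 EOT
 type = object({
-file = optional(object({
-name : string
-id : string
-}), null)
-blob = optional(object({
-name : string
-id : string
-}), null)
-dfs = optional(object({
-name : string
-id : string
-}), null)
 flexible_postgres = optional(object({
 name : string
 id : string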
