Some work in dev enviroment - Terraform (#1149)

Co-authored-by: Automatic Update <[email protected]>
equinor · Jan 9, 2024 · f5452e7 · f5452e7
1 parent 52e08f8
commit f5452e7
Show file tree

Hide file tree

Showing 10 changed files with 125 additions and 18 deletions.
diff --git a/terraform/subscriptions/modules/storageaccount/input.tf b/terraform/subscriptions/modules/storageaccount/input.tf
@@ -1,9 +1,10 @@
 locals {
-  flattened_config = {
+  flattened_roleassignment = {
     for key, value in var.roleassignment : key => {
-      backup = value.backup
-      kind   = var.kind
-
+      backup           = value.backup
+      kind             = var.kind
+      private_endpoint = var.roleassignment
     }
   }
 }
+
diff --git a/terraform/subscriptions/modules/storageaccount/main.tf b/terraform/subscriptions/modules/storageaccount/main.tf
@@ -36,8 +36,8 @@ resource "azurerm_storage_account" "storageaccount" {
 
 resource "azurerm_role_assignment" "roleassignment" {
   for_each = {
-    for key in compact([for key, value in local.flattened_config : value.backup && value.kind == "StorageV2" ? key : ""]) : key =>
-    local.flattened_config[key]
+    for key in compact([for key, value in local.flattened_roleassignment : value.backup && value.kind == "StorageV2" ? key : ""]) : key =>
+    local.flattened_roleassignment[key]
   }
   scope                = azurerm_storage_account.storageaccount.id
   role_definition_name = each.key
@@ -50,10 +50,7 @@ resource "azurerm_role_assignment" "roleassignment" {
 ##
 
 resource "azurerm_data_protection_backup_instance_blob_storage" "backupinstanceblobstorage" {
-  for_each = {
-    for key in compact([for key, value in local.flattened_config : value.backup && value.kind == "StorageV2" ? key : ""]) : key =>
-    local.flattened_config[key]
-  }
+  for_each           = { for key in compact([for key, value in local.flattened_roleassignment : value.backup && value.kind == "StorageV2" ? key : ""]) : key => local.flattened_roleassignment[key] }
   name               = azurerm_storage_account.storageaccount.name
   vault_id           = var.vault_id
   location           = var.location
@@ -62,3 +59,37 @@ resource "azurerm_data_protection_backup_instance_blob_storage" "backupinstanceb
   depends_on         = [azurerm_role_assignment.roleassignment]
 }
 
+######################################################################################
+## Private Link
+##
+
+resource "azurerm_private_endpoint" "this" {
+  for_each            = var.private_endpoint ? { "this" : "true" } : {}
+  name                = azurerm_storage_account.storageaccount.name
+  resource_group_name = azurerm_storage_account.storageaccount.resource_group_name
+  location            = azurerm_storage_account.storageaccount.location
+  subnet_id           = var.subnet_id
+  depends_on          = [azurerm_storage_account.storageaccount]
+
+  private_service_connection {
+    name                           = "Private_Service_Connection"
+    private_connection_resource_id = azurerm_storage_account.storageaccount.id
+    is_manual_connection           = false
+    subresource_names              = ["blob"]
+  }
+}
+
+
+######################################################################################
+## Private DNS
+##
+resource "azurerm_private_dns_a_record" "this" {
+  for_each            = var.private_endpoint ? { "this" : "true" } : {}
+  name                = azurerm_storage_account.storageaccount.name
+  zone_name           = "privatelink.blob.core.windows.net"
+  resource_group_name = var.vnethub_resource_group
+  ttl                 = 10
+  records             = ["10.0.0.16"]
+  # depends_on          = [azurerm_private_endpoint.this]
+}
+
diff --git a/terraform/subscriptions/modules/storageaccount/output.tf b/terraform/subscriptions/modules/storageaccount/output.tf
@@ -2,3 +2,4 @@ output "data" {
   description = "storageaccount"
   value       = azurerm_storage_account.storageaccount
 }
+
diff --git a/terraform/subscriptions/modules/storageaccount/variables.tf b/terraform/subscriptions/modules/storageaccount/variables.tf
@@ -86,4 +86,17 @@ variable "vault_id" {
 variable "policyblobstorage_id" {
   description = "The ID of the Backup Policy."
   type        = string
+}
+
+variable "private_endpoint" {
+  type = bool
+}
+
+variable "subnet_id" {
+  type = string
+
+}
+
+variable "vnethub_resource_group" {
+  type = string
 }
diff --git a/terraform/subscriptions/modules/virtualnetwork/input.tf b/terraform/subscriptions/modules/virtualnetwork/input.tf
@@ -0,0 +1,21 @@
+locals {
+  AZ_PRIVATE_DNS_ZONES = [
+    "privatelink.database.windows.net",
+    "privatelink.blob.core.windows.net",
+    "privatelink.table.core.windows.net",
+    "privatelink.queue.core.windows.net",
+    "privatelink.file.core.windows.net",
+    "privatelink.web.core.windows.net",
+    "privatelink.dfs.core.windows.net",
+    "privatelink.documents.azure.com",
+    "privatelink.mongo.cosmos.azure.com",
+    "privatelink.cassandra.cosmos.azure.com",
+    "privatelink.gremlin.cosmos.azure.com",
+    "privatelink.table.cosmos.azure.com",
+    "privatelink.postgres.database.azure.com",
+    "privatelink.mysql.database.azure.com",
+    "privatelink.mariadb.database.azure.com",
+    "privatelink.vaultcore.azure.net",
+    "private.radix.equinor.com"
+  ]
+}
diff --git a/terraform/subscriptions/modules/virtualnetwork/main.tf b/terraform/subscriptions/modules/virtualnetwork/main.tf
@@ -4,3 +4,16 @@ resource "azurerm_virtual_network" "vnet-hub" {
   address_space       = ["10.0.0.0/16"]
   location            = var.location
 }
+
+resource "azurerm_subnet" "this" {
+  name                 = "private-links"
+  resource_group_name  = "cluster-vnet-hub-${var.enviroment}"
+  virtual_network_name = azurerm_virtual_network.vnet-hub.name
+  address_prefixes     = ["10.0.0.0/18"]
+}
+
+resource "azurerm_private_dns_zone" "this" {
+  for_each            = toset(local.AZ_PRIVATE_DNS_ZONES)
+  name                = each.key
+  resource_group_name = "cluster-vnet-hub-${var.enviroment}"
+}
diff --git a/terraform/subscriptions/modules/virtualnetwork/output.tf b/terraform/subscriptions/modules/virtualnetwork/output.tf
@@ -1,4 +1,8 @@
 output "data" {
-  description = "IDs of vnet-hub"
-  value       = azurerm_virtual_network.vnet-hub
+  description = "IDs of virtualnetworks"
+  value = {
+    "vnet_hub"         = azurerm_virtual_network.vnet-hub
+    "vnet_subnet"      = azurerm_subnet.this
+    "private_dns_zone" = azurerm_private_dns_zone.this
+  }
 }
diff --git a/terraform/subscriptions/s941/dev/common/input.tf b/terraform/subscriptions/s941/dev/common/input.tf
@@ -1,6 +1,7 @@
 locals {
   external_outputs = {
-    global = data.terraform_remote_state.global.outputs
+    global         = data.terraform_remote_state.global.outputs
+    virtualnetwork = data.terraform_remote_state.virtualnetwork.outputs
   }
 
   ## Backend Config
@@ -17,3 +18,10 @@ data "terraform_remote_state" "global" {
     local.backend,
   { key = "dev/globals/terraform.tfstate" })
 }
+
+data "terraform_remote_state" "virtualnetwork" {
+  backend = "azurerm"
+  config = merge(
+    local.backend,
+  { key = "dev/virtualnetwork/terraform.tfstate" })
+}
diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf
@@ -1,3 +1,4 @@
+
 module "resourcegroups" {
   for_each = toset(var.resource_groups)
   source   = "../../../modules/resourcegroups"
@@ -26,7 +27,7 @@ module "backupvault" {
 module "storageaccount" {
   source                   = "../../../modules/storageaccount"
   for_each                 = var.storageaccounts
-  name                     = "${local.external_outputs.global.data.subscription_shortname}${each.key}${local.outputs.enviroment_L}"
+  name                     = "${local.external_outputs.global.data.subscription_shortname}${each.key}${local.outputs.enviroment_S}"
   tier                     = each.value.account_tier
   account_replication_type = each.value.account_replication_type
   resource_group_name      = each.value.resource_group_name
@@ -39,4 +40,8 @@ module "storageaccount" {
   principal_id             = module.backupvault.data.backupvault.identity[0].principal_id
   vault_id                 = module.backupvault.data.backupvault.id
   policyblobstorage_id     = module.backupvault.data.policyblobstorage.id
+  private_endpoint         = each.value.private_endpoint
+  subnet_id                = local.external_outputs.virtualnetwork.data.vnet_subnet.id
+  vnethub_resource_group   = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name
 }
+
diff --git a/terraform/subscriptions/s941/dev/common/variables.tf b/terraform/subscriptions/s941/dev/common/variables.tf
@@ -4,6 +4,7 @@ variable "resource_groups" {
 }
 
 variable "storageaccounts" {
+  description = "Max 15 characters lowercase in the storageaccount name"
   type = map(object({
     name                     = string
     resource_group_name      = optional(string, "s941-development")
@@ -13,14 +14,23 @@ variable "storageaccounts" {
     kind                     = optional(string, "StorageV2")
     change_feed_enabled      = optional(bool, false)
     versioning_enabled       = optional(bool, false)
-    enable_backup            = optional(bool, false)
     roleassignment           = optional(map(object({ backup = optional(bool, false) })))
     principal_id             = optional(string)
+    private_endpoint         = optional(bool, false)
   }))
   default = {
-    diag = {
-      name          = "diag"
-      enable_backup = true
+    diagnostics = {
+      name = "diagnostics"
+      roleassignment = {
+        "Storage Account Backup Contributor" = {
+          backup = true
+        }
+      }
+    }
+    terraform = {
+      name                     = "terraform"
+      account_replication_type = "RAGRS"
+      private_endpoint         = true
       roleassignment = {
         "Storage Account Backup Contributor" = {
           backup = true
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,3 +2,4 @@ output "data" {
		description = "storageaccount"
		value = azurerm_storage_account.storageaccount
		}