diff --git a/terraform/subscriptions/modules/storageaccount/input.tf b/terraform/subscriptions/modules/storageaccount/input.tf
index 86cee1ab8..55eec1eb4 100644
--- a/terraform/subscriptions/modules/storageaccount/input.tf
+++ b/terraform/subscriptions/modules/storageaccount/input.tf
@@ -1,9 +1,10 @@
 locals {
- flattened_config = {
+ flattened_roleassignment = {
 for key, value in var.roleassignment : key => {
- backup = value.backup
- kind = var.kind
-
+ backup = value.backup
+ kind = var.kind
+ private_endpoint = var.roleassignment
 }
 }
 }
+
diff --git a/terraform/subscriptions/modules/storageaccount/main.tf b/terraform/subscriptions/modules/storageaccount/main.tf
index 2da25d28d..f77cfa21b 100644
--- a/terraform/subscriptions/modules/storageaccount/main.tf
+++ b/terraform/subscriptions/modules/storageaccount/main.tf
@@ -36,8 +36,8 @@ resource "azurerm_storage_account" "storageaccount" {
 resource "azurerm_role_assignment" "roleassignment" {
 for_each = {
- for key in compact([for key, value in local.flattened_config : value.backup && value.kind == "StorageV2" ? key : ""]) : key =>
- local.flattened_config[key]
+ for key in compact([for key, value in local.flattened_roleassignment : value.backup && value.kind == "StorageV2" ? key : ""]) : key =>
+ local.flattened_roleassignment[key]
 }
 scope = azurerm_storage_account.storageaccount.id
 role_definition_name = each.key
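Review bot: In the new `flattened_roleassignment` local, `private_endpoint = var.roleassignment` stores the whole role-assignment map under a field named private_endpoint, while the same commit gives the module a `var.private_endpoint` bool, so this reads as a copy-paste slip: `private_endpoint = var.private_endpoint`. Nothing in the visible hunks reads `.private_endpoint` off this local, so the wrong value is carried silently instead of failing a plan; if the field is not needed, drop the line rather than keep a misleading one.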
@@ -50,10 +50,7 @@ resource "azurerm_role_assignment" "roleassignment" {
 ##
 resource "azurerm_data_protection_backup_instance_blob_storage" "backupinstanceblobstorage" {
- for_each = {
- for key in compact([for key, value in local.flattened_config : value.backup && value.kind == "StorageV2" ? key : ""]) : key =>
- local.flattened_config[key]
- }
+ for_each = { for key in compact([for key, value in local.flattened_roleassignment : value.backup && value.kind == "StorageV2" ? key : ""]) : key => local.flattened_roleassignment[key] }
 name = azurerm_storage_account.storageaccount.name
 vault_id = var.vault_id
 location = var.location
@@ -62,3 +59,37 @@ resource "azurerm_data_protection_backup_instance_blob_storage" "backupinstanceb
 depends_on = [azurerm_role_assignment.roleassignment]
 }
+######################################################################################
+## Private Link
+##
+
+resource "azurerm_private_endpoint" "this" {
+ for_each = var.private_endpoint ? { "this" : "true" } : {}
+ name = azurerm_storage_account.storageaccount.name
+ resource_group_name = azurerm_storage_account.storageaccount.resource_group_name
+ location = azurerm_storage_account.storageaccount.location
+ subnet_id = var.subnet_id
+ depends_on = [azurerm_storage_account.storageaccount]
+
+ private_service_connection {
+ name = "Private_Service_Connection"
+ private_connection_resource_id = azurerm_storage_account.storageaccount.id
+ is_manual_connection = false
+ subresource_names = ["blob"]
+ }
+}
+
+
+######################################################################################
+## Private DNS
+##
+resource "azurerm_private_dns_a_record" "this" {
+ for_each = var.private_endpoint ? { "this" : "true" } : {}
+ name = azurerm_storage_account.storageaccount.name
+ zone_name = "privatelink.blob.core.windows.net"
+ resource_group_name = var.vnethub_resource_group
+ ttl = 10
+ records = ["10.0.0.16"]
+ # depends_on = [azurerm_private_endpoint.this]
+}
+
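Review bot: `records = ["10.0.0.16"]` hard-codes the address of the blob private endpoint, so the `privatelink.blob.core.windows.net` A record is right only if Azure happens to hand that IP to every endpoint this module creates — with a second storage account, or after a redeploy, blob traffic for the account name is steered to whichever NIC holds 10.0.0.16 in the private-links subnet. Read it from the endpoint instead, `records = [azurerm_private_endpoint.this["this"].private_service_connection[0].private_ip_address]`, which also creates the dependency the commented-out `depends_on` was reaching for. Two caveats the hunk does not address: `ttl = 10` is unusually low for a record that only changes on redeploy, and a private endpoint only adds a private path — unless the `azurerm_storage_account` resource (outside this hunk) disables public network access or sets `network_rules`, the public endpoint stays reachable.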
diff --git a/terraform/subscriptions/modules/storageaccount/output.tf b/terraform/subscriptions/modules/storageaccount/output.tf
index a8d4cdf63..71376341a 100644
--- a/terraform/subscriptions/modules/storageaccount/output.tf
+++ b/terraform/subscriptions/modules/storageaccount/output.tf
@@ -2,3 +2,4 @@ output "data" {
 description = "storageaccount"
 value = azurerm_storage_account.storageaccount
 }
+
diff --git a/terraform/subscriptions/modules/storageaccount/variables.tf b/terraform/subscriptions/modules/storageaccount/variables.tf
index 15ec60578..180700fca 100644
--- a/terraform/subscriptions/modules/storageaccount/variables.tf
+++ b/terraform/subscriptions/modules/storageaccount/variables.tf
@@ -86,4 +86,17 @@ variable "vault_id" {
 variable "policyblobstorage_id" {
 description = "The ID of the Backup Policy."
 type = string
+}
+
+variable "private_endpoint" {
+ type = bool
+}
+
+variable "subnet_id" {
+ type = string
+
+}
+
+variable "vnethub_resource_group" {
+ type = string
 }
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/virtualnetwork/input.tf b/terraform/subscriptions/modules/virtualnetwork/input.tf
new file mode 100644
index 000000000..9dec92c43
--- /dev/null
+++ b/terraform/subscriptions/modules/virtualnetwork/input.tf
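Review bot: The three new variables carry no `description` and no `default`, so `private_endpoint`, `subnet_id` and `vnethub_resource_group` become mandatory for every caller of the module, including accounts that never ask for a private endpoint. Give `private_endpoint` `default = false` and the other two `default = null`, and say what each does, e.g. `description = "Create a blob private endpoint in subnet_id and an A record in the hub's privatelink.blob.core.windows.net zone"`. The pairing (a subnet and hub resource group are needed exactly when `private_endpoint` is true) cannot be expressed in a single-variable `validation` block; put a `precondition` on the endpoint resource, or use a cross-variable validation if the project is on Terraform 1.9 or newer. The stray blank line inside `variable "subnet_id"` should go as well.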
@@ -0,0 +1,21 @@
+locals {
+ AZ_PRIVATE_DNS_ZONES = [
+ "privatelink.database.windows.net",
+ "privatelink.blob.core.windows.net",
+ "privatelink.table.core.windows.net",
+ "privatelink.queue.core.windows.net",
+ "privatelink.file.core.windows.net",
+ "privatelink.web.core.windows.net",
+ "privatelink.dfs.core.windows.net",
+ "privatelink.documents.azure.com",
+ "privatelink.mongo.cosmos.azure.com",
+ "privatelink.cassandra.cosmos.azure.com",
+ "privatelink.gremlin.cosmos.azure.com",
+ "privatelink.table.cosmos.azure.com",
+ "privatelink.postgres.database.azure.com",
+ "privatelink.mysql.database.azure.com",
+ "privatelink.mariadb.database.azure.com",
+ "privatelink.vaultcore.azure.net",
+ "private.radix.equinor.com"
+ ]
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/virtualnetwork/main.tf b/terraform/subscriptions/modules/virtualnetwork/main.tf
index 8c9abc856..59020d515 100644
--- a/terraform/subscriptions/modules/virtualnetwork/main.tf
+++ b/terraform/subscriptions/modules/virtualnetwork/main.tf
@@ -4,3 +4,16 @@ resource "azurerm_virtual_network" "vnet-hub" {
 address_space = ["10.0.0.0/16"]
 location = var.location
 }
+
+resource "azurerm_subnet" "this" {
+ name = "private-links"
+ resource_group_name = "cluster-vnet-hub-${var.enviroment}"
+ virtual_network_name = azurerm_virtual_network.vnet-hub.name
+ address_prefixes = ["10.0.0.0/18"]
+}
+
+resource "azurerm_private_dns_zone" "this" {
+ for_each = toset(local.AZ_PRIVATE_DNS_ZONES)
+ name = each.key
+ resource_group_name = "cluster-vnet-hub-${var.enviroment}"
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/virtualnetwork/output.tf b/terraform/subscriptions/modules/virtualnetwork/output.tf
index 6d2b72e78..88958f0e0 100644
--- a/terraform/subscriptions/modules/virtualnetwork/output.tf
+++ b/terraform/subscriptions/modules/virtualnetwork/output.tf
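Review bot: The private DNS zones are created but nothing in this hunk links them to the hub VNet (`azurerm_private_dns_zone_virtual_network_link`); without a link the VNet's resolvers keep answering from public DNS, so the A record the storage module writes into `privatelink.blob.core.windows.net` has no effect and clients silently use the public endpoint. If the links live in another stack, ignore this; otherwise add one per zone keyed on the zone map, as below. Two smaller points: `resource_group_name = "cluster-vnet-hub-${var.enviroment}"` is repeated in both resources where `azurerm_virtual_network.vnet-hub.resource_group_name` would keep them tied to the VNet, and `address_prefixes = ["10.0.0.0/18"]` hands private endpoints a quarter of the /16 hub space, far more than private-link NICs normally need.
```hcl
# … unchanged: azurerm_subnet.this and azurerm_private_dns_zone.this …

resource "azurerm_private_dns_zone_virtual_network_link" "this" {
  for_each              = azurerm_private_dns_zone.this
  name                  = "${each.key}-${azurerm_virtual_network.vnet-hub.name}"
  resource_group_name   = each.value.resource_group_name
  private_dns_zone_name = each.value.name
  virtual_network_id    = azurerm_virtual_network.vnet-hub.id
}
```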
@@ -1,4 +1,8 @@
 output "data" {
- description = "IDs of vnet-hub"
- value = azurerm_virtual_network.vnet-hub
+ description = "IDs of virtualnetworks"
+ value = {
+ "vnet_hub" = azurerm_virtual_network.vnet-hub
+ "vnet_subnet" = azurerm_subnet.this
+ "private_dns_zone" = azurerm_private_dns_zone.this
+ }
 }
diff --git a/terraform/subscriptions/s941/dev/common/input.tf b/terraform/subscriptions/s941/dev/common/input.tf
index 48eae8277..34f131095 100644
--- a/terraform/subscriptions/s941/dev/common/input.tf
+++ b/terraform/subscriptions/s941/dev/common/input.tf
@@ -1,6 +1,7 @@
 locals {
 external_outputs = {
- global = data.terraform_remote_state.global.outputs
+ global = data.terraform_remote_state.global.outputs
+ virtualnetwork = data.terraform_remote_state.virtualnetwork.outputs
 }
 ## Backend Config
@@ -17,3 +18,10 @@ data "terraform_remote_state" "global" {
 local.backend,
 { key = "dev/globals/terraform.tfstate" })
 }
+
+data "terraform_remote_state" "virtualnetwork" {
+ backend = "azurerm"
+ config = merge(
+ local.backend,
+ { key = "dev/virtualnetwork/terraform.tfstate" })
+}
diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf
index eeec4d390..4aaf8d3fc 100644
--- a/terraform/subscriptions/s941/dev/common/main.tf
+++ b/terraform/subscriptions/s941/dev/common/main.tf
@@ -1,3 +1,4 @@
+
 module "resourcegroups" {
 for_each = toset(var.resource_groups)
 source = "../../../modules/resourcegroups"
@@ -26,7 +27,7 @@ module "backupvault" {
 module "storageaccount" {
 source = "../../../modules/storageaccount"
 for_each = var.storageaccounts
- name = "${local.external_outputs.global.data.subscription_shortname}${each.key}${local.outputs.enviroment_L}"
+ name = "${local.external_outputs.global.data.subscription_shortname}${each.key}${local.outputs.enviroment_S}"
 tier = each.value.account_tier
 account_replication_type = each.value.account_replication_type
 resource_group_name = each.value.resource_group_name
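Review bot: Changing output `data` from the VNet object to a map is a breaking change for every consumer of the `virtualnetwork` remote state: anything that read `data.id` or `data.name` now receives the map and fails at plan time. The `common` stack is updated in this commit, but other stacks reading that state key (not visible here) would need the same change, so it deserves a line in the commit message. The description `"IDs of virtualnetworks"` also undersells what is exported — whole resource objects, not IDs — so something like `description = "vnet-hub, its private-links subnet and the private DNS zones (full resource objects)"` is more accurate.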
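Review bot: Switching the suffix from `local.outputs.enviroment_L` to `local.outputs.enviroment_S` changes the `name` of every storage account this module call manages, and `name` on `azurerm_storage_account` forces replacement, so if any of these accounts already exist the next apply destroys and recreates them, blobs included. If that is intended, say so in the commit; otherwise import the existing accounts under their new names first, or keep the old suffix for existing keys. Neither local is visible here, so confirm `enviroment_S` is the short form that keeps the name within the 3–24 lowercase-alphanumeric limit; a comment such as `# short env suffix: storage account names are limited to 24 chars` would make that intent explicit.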
@@ -39,4 +40,8 @@ module "storageaccount" {
 principal_id = module.backupvault.data.backupvault.identity[0].principal_id
 vault_id = module.backupvault.data.backupvault.id
 policyblobstorage_id = module.backupvault.data.policyblobstorage.id
+ private_endpoint = each.value.private_endpoint
+ subnet_id = local.external_outputs.virtualnetwork.data.vnet_subnet.id
+ vnethub_resource_group = local.external_outputs.virtualnetwork.data.vnet_hub.resource_group_name
 }
+
diff --git a/terraform/subscriptions/s941/dev/common/variables.tf b/terraform/subscriptions/s941/dev/common/variables.tf
index 8c82285ca..bb1821cd1 100644
--- a/terraform/subscriptions/s941/dev/common/variables.tf
+++ b/terraform/subscriptions/s941/dev/common/variables.tf
@@ -4,6 +4,7 @@ variable "resource_groups" {
 }
 variable "storageaccounts" {
+ description = "Max 15 characters lowercase in the storageaccount name"
 type = map(object({
 name = string
 resource_group_name = optional(string, "s941-development")
@@ -13,14 +14,23 @@ variable "storageaccounts" {
 kind = optional(string, "StorageV2")
 change_feed_enabled = optional(bool, false)
 versioning_enabled = optional(bool, false)
- enable_backup = optional(bool, false)
 roleassignment = optional(map(object({ backup = optional(bool, false) })))
 principal_id = optional(string)
+ private_endpoint = optional(bool, false)
 }))
 default = {
- diag = {
- name = "diag"
- enable_backup = true
+ diagnostics = {
+ name = "diagnostics"
+ roleassignment = {
+ "Storage Account Backup Contributor" = {
+ backup = true
+ }
+ }
+ }
+ terraform = {
+ name = "terraform"
+ account_replication_type = "RAGRS"
+ private_endpoint = true
 roleassignment = {
 "Storage Account Backup Contributor" = {
 backup = true
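Review bot: The new description states a limit (`Max 15 characters lowercase in the storageaccount name`) that the variable does not enforce, and it is unclear whether it refers to the map key or the `name` attribute — the module call in main.tf builds the account name from `each.key`. Enforce it with a `validation` block, `condition = alltrue([for k, v in var.storageaccounts : can(regex("^[a-z0-9]{1,15}$", k))])`, and reword the description to say which field it constrains, e.g. `description = "Storage accounts keyed by short name; the key is concatenated with the subscription and environment suffixes, so keep it lowercase alphanumeric and at most 15 characters"`.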
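Review bot: Renaming the default entry `diag` to `diagnostics` changes the map key, and the module call builds the storage account name from `each.key`, so an existing diag account (with its backup instance and role assignment) would be destroyed and recreated rather than renamed in place; `terraform plan` should show this as destroy/create and it needs a deliberate migration. Dropping `enable_backup` from the object type will also make any `.tfvars` still setting it fail validation, which is fine but worth a note in the commit message. For the `terraform` entry — a `RAGRS` account with `private_endpoint = true`, which looks like it is meant to hold state — consider `versioning_enabled = true` as well so an overwritten state file can be recovered.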