diff --git a/scripts/ingress-nginx/bootstrap.sh b/scripts/ingress-nginx/bootstrap.sh
index 0f930eef8..e9b67a0a3 100755
--- a/scripts/ingress-nginx/bootstrap.sh
+++ b/scripts/ingress-nginx/bootstrap.sh
@@ -207,7 +207,7 @@ verify_cluster_access
 ### Create secret required by ingress-nginx
 ###
-SELECTED_INGRESS_IP_RAW_ADDRESS=$(terraform -chdir="../../terraform/subscriptions/$AZ_SUBSCRIPTION_NAME/$RADIX_ZONE/pre-clusters" output -json clusters | jq -r '.[] | select(.cluster==env.CLUSTER_NAME).ingressIp')
+SELECTED_INGRESS_IP_RAW_ADDRESS=$(terraform -chdir="../terraform/subscriptions/$AZ_SUBSCRIPTION_NAME/$RADIX_ZONE/pre-clusters" output -json clusters | jq -r '.[] | select(.cluster==env.CLUSTER_NAME).ingressIp')
 create-a-record "*.${CLUSTER_NAME}" "$SELECTED_INGRESS_IP_RAW_ADDRESS" "$AZ_RESOURCE_GROUP_IPPRE" "$AZ_RESOURCE_DNS" "60" || {
 echo "ERROR: failed to create A record *.${CLUSTER_NAME}" >&2
 }
diff --git a/scripts/install_base_components.sh b/scripts/install_base_components.sh
index e637e2ce7..23ce4e111 100755
--- a/scripts/install_base_components.sh
+++ b/scripts/install_base_components.sh
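Review bot: The corrected `-chdir` path is still relative to the caller's working directory, so running `bootstrap.sh` from any other directory makes `terraform` fail, the command substitution yields an empty `SELECTED_INGRESS_IP_RAW_ADDRESS`, and `create-a-record` is then asked to create the wildcard record `*.${CLUSTER_NAME}` with an empty address — the same failure mode this commit fixes, just one `cd` away. Anchor the path to the script's own location, as the deleted velero script did with `$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)`, and refuse to continue on an empty result: `[[ -n "$SELECTED_INGRESS_IP_RAW_ADDRESS" ]] || { echo "ERROR: no ingressIp for ${CLUSTER_NAME} in terraform output" >&2; exit 1; }`. The existing `||` handler on `create-a-record` only logs; if a missing wildcard record should abort the bootstrap, add an `exit 1` there as well. The section this sits in continues outside the hunk.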
@@ -250,27 +250,6 @@ wait
 ### For network security policy applied by operator to work, the namespace hosting prometheus and nginx-ingress-controller need to be labeled
 kubectl label ns default purpose=radix-base-ns --overwrite
-#######################################################################################
-### Install prerequisites for Velero
-###
-
-echo ""
-printf "%s► Execute %s%s\n" "${grn}" "$WORKDIR_PATH/scripts/velero/install_prerequisites_in_cluster.sh" "${normal}"
-(USER_PROMPT="$USER_PROMPT" ./velero/install_prerequisites_in_cluster.sh)
-wait
-
-#######################################################################################
-### Patching kube-dns metrics
-###
-
-# TODO: Even with this, kube-dns is not discovered in prometheus. Needs to be debugged.
-#
-# echo "Patching kube-dns metrics"
-# kubectl patch deployment -n kube-system kube-dns-v20 \
-# --patch "$(cat ./manifests/kube-dns-metrics-patch.yaml)"
-
-#
-
 #######################################################################################
 ### Install Flux
diff --git a/scripts/velero/install_prerequisites_in_cluster.sh b/scripts/velero/install_prerequisites_in_cluster.sh
deleted file mode 100755
index 79f89ed22..000000000
--- a/scripts/velero/install_prerequisites_in_cluster.sh
+++ /dev/null
@@ -1,248 +0,0 @@ -#!/usr/bin/env bash - -####################################################################################### -### PURPOSE -### - -# Install prerequisites for velero (flux handles the main installation) - -####################################################################################### -### PRECONDITIONS -### - -# - AKS cluster is available -# - User has role cluster-admin -# - Velereo service principal credentials exist in keyvault - -####################################################################################### -### INPUTS -### - -# Required: -# - RADIX_ZONE_ENV : Path to *.env file -# - CLUSTER_NAME : Ex: "test-2", "weekly-93" - -# Optional: -# - USER_PROMPT : Is human interaction is required to run script? true/false. Default is true. - -####################################################################################### -### HOW TO USE -### - -# NORMAL -# RADIX_ZONE_ENV=../radix-zone/radix_zone_dev.env CLUSTER_NAME=power-monkey ./install_prerequisites_in_cluster.sh - -####################################################################################### -### START -### - -echo "" -echo "Start install of Velero prerequisites in cluster..." - -####################################################################################### -### Check for prerequisites binaries -### - -echo "" -printf "Check for neccesary executables... " -hash az 2>/dev/null || { - echo -e "\nERROR: Azure-CLI not found in PATH. Exiting..." >&2 - exit 1 -} -hash kubectl 2>/dev/null || { - echo -e "\nERROR: kubectl not found in PATH. Exiting..." >&2 - exit 1 -} -hash jq 2>/dev/null || { - echo -e "\nERROR: jq not found in PATH. Exiting..." >&2 - exit 1 -} -printf "All is good." -echo "" - -####################################################################################### -### Read inputs and configs -### - -# Required inputs -if [[ -z "$RADIX_ZONE_ENV" ]]; then - echo "ERROR: Please provide RADIX_ZONE_ENV" >&2 - exit 1 -else - if [[ ! 
-f "$RADIX_ZONE_ENV" ]]; then - echo "ERROR: RADIX_ZONE_ENV=$RADIX_ZONE_ENV is invalid, the file does not exist." >&2 - exit 1 - fi - source "$RADIX_ZONE_ENV" -fi - -if [[ -z "$CLUSTER_NAME" ]]; then - echo "ERROR: Please provide CLUSTER_NAME" >&2 - exit 1 -fi - -# Source util scripts - -source ${RADIX_PLATFORM_REPOSITORY_PATH}/scripts/utility/util.sh - -# Optional inputs -if [[ -z "$USER_PROMPT" ]]; then - USER_PROMPT=true -fi - -# Configs and dependencies -CREDENTIALS_GENERATED_PATH="$(mktemp)" -CREDENTIALS_TEMPLATE_PATH="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/template_credentials.env" -if [[ ! -f "$CREDENTIALS_TEMPLATE_PATH" ]]; then - echo "ERROR: The dependency CREDENTIALS_TEMPLATE_PATH=$CREDENTIALS_TEMPLATE_PATH is invalid, the file does not exist." >&2 - exit 1 -fi - -####################################################################################### -### Prepare az session -### - -echo "" -printf "Logging you in to Azure if not already logged in... " -az account show >/dev/null || az login >/dev/null -az account set --subscription "$AZ_SUBSCRIPTION_ID" >/dev/null -printf "Done." 
-echo "" - -####################################################################################### -### Verify task at hand -### - -echo -e "" -echo -e "Install Velero prequisistes in cluster will use the following configuration:" -echo -e "" -echo -e " > WHERE:" -echo -e " ------------------------------------------------------------------" -echo -e " - RADIX_ZONE : $RADIX_ZONE" -echo -e " - RADIX_ENVIRONMENT : $RADIX_ENVIRONMENT" -echo -e " - CLUSTER_NAME : $CLUSTER_NAME" -echo -e " - KUBECTL CURRENT CONTEXT : $(kubectl config current-context)" -echo -e "" -echo -e " > WHAT:" -echo -e " -------------------------------------------------------------------" -echo -e " - VELERO_NAMESPACE : $VELERO_NAMESPACE" -echo -e " - CREDENTIALS_TEMPLATE_PATH : $CREDENTIALS_TEMPLATE_PATH" -echo -e " - BACKUP_STORAGE_CONTAINER : $CLUSTER_NAME" -echo -e "" -echo -e " > WHO:" -echo -e " -------------------------------------------------------------------" -echo -e " - AZ_SUBSCRIPTION : $(az account show --query name -otsv)" -echo -e " - AZ_USER : $(az account show --query user.name -o tsv)" -echo -e "" - -echo "" - -if [[ $USER_PROMPT == true ]]; then - while true; do - read -p "Is this correct? (Y/n) " yn - case $yn in - [Yy]*) break ;; - [Nn]*) - echo "" - echo "Quitting." - exit 0 - ;; - *) echo "Please answer yes or no." ;; - esac - done - echo "" -fi - -####################################################################################### -### CLUSTER? -### - -kubectl_context="$(kubectl config current-context)" - -if [ "$kubectl_context" = "$CLUSTER_NAME" ] || [ "$kubectl_context" = "${CLUSTER_NAME}" ]; then - echo "kubectl is ready..." 
-else - echo "ERROR: Please set your kubectl current-context to be ${CLUSTER_NAME}" >&2 - exit 1 -fi - -####################################################################################### -### Verify cluster access -### -verify_cluster_access - -####################################################################################### -### MAIN -### - -# 1. Download secret in shell var -# 2. Create tmp azure.json using template -# 3. Create namespace -# 4. Create k8s secret with azure.json as payload in namespace -# 5. Create configmap for flux deployments -# 6. Create the cluster specific blob container -# 7. Ensure that generated credentials file is deleted on local machine even if script crash - -function cleanup() { - rm -f "$CREDENTIALS_GENERATED_PATH" -} - -# Run cleanup even if script crashed -trap cleanup 0 2 3 15 - -printf "\nWorking on namespace..." -case "$(kubectl get ns $VELERO_NAMESPACE 2>&1)" in -*Error*) - kubectl create ns "$VELERO_NAMESPACE" 2>&1 >/dev/null - ;; -esac -printf "...Done" - - -# Create the cluster specific blob container -printf "\nWorking on storage container..." -az storage container create -n "$CLUSTER_NAME" \ - --public-access off \ - --account-name "$AZ_VELERO_STORAGE_ACCOUNT_ID" \ - --auth-mode login \ - 2>&1 >/dev/null -printf "...Done" - - -# Create configMap that will hold the cluster specific values that Flux will later use when it manages the deployment of Velero -printf "Working on configmap for flux..." -cat <&1 >/dev/null -apiVersion: v1 -kind: ConfigMap -metadata: - name: velero-flux-values - namespace: $VELERO_NAMESPACE -data: - values: | - configuration: - backupStorageLocation: - - name: default - provider: azure - default: true - bucket: "$CLUSTER_NAME" - config: - resourceGroup: "common-${RADIX_ZONE}" - storageAccount: "$AZ_VELERO_STORAGE_ACCOUNT_ID" - useAAD: "true" - volumeSnapshotLocation: - - name: azure - provider: azure - apitimeout: 300s -EOF -printf "...Done" - -printf "\nClean up local tmp files..." 
-cleanup
-printf "...Done"
-
-#######################################################################################
-### END
-###
-
-echo -e ""
-echo -e "Install of Velereo prerequisites done!"
diff --git a/scripts/velero/restore/restore_apps.sh b/scripts/velero/restore/restore_apps.sh
index 97a595728..a6f2a22c9 100755
--- a/scripts/velero/restore/restore_apps.sh
+++ b/scripts/velero/restore/restore_apps.sh
@@ -427,6 +427,7 @@ start_radix_operator() {
 printf " Done.\n"
 }
+flux suspend ks -n flux-system velero
 wait_for_velero "BackupStorageLocation default"
 kubectl patch BackupStorageLocation default --namespace velero --type merge --patch "$(echo $PATCH_JSON)"
@@ -570,8 +571,10 @@ PATCH_JSON="$(
 }
 END
 )"
+
 # Set velero in read/write mode
 kubectl patch BackupStorageLocation default --namespace velero --type merge --patch "$(echo $PATCH_JSON)"
+flux resume ks -n flux-system velero
 #######################################################################################
 ### Done!
diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf
index 1502bf994..4a665458a 100644
--- a/terraform/subscriptions/s940/c2/common/main.tf
+++ b/terraform/subscriptions/s940/c2/common/main.tf
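Review bot: `flux suspend ks -n flux-system velero` in the first hunk is only undone by the `flux resume` in the second hunk, so if `wait_for_velero`, either `kubectl patch`, or anything in between fails, or the operator interrupts the script, the Kustomization stays suspended and Flux silently stops reconciling Velero. Unless the file already installs an EXIT trap elsewhere, register the resume right after suspending — `flux suspend ks -n flux-system velero || exit 1` followed by `trap 'flux resume ks -n flux-system velero' EXIT` — which also makes the explicit resume in the second hunk redundant. Neither hunk checks that `flux` is on PATH, whereas the deleted velero script probed `az`/`kubectl`/`jq` with `hash … || exit 1` before doing anything; if such a probe exists earlier in this file, ignore this. Both additions are top-level statements; `start_radix_operator` closes just before the first one.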
@@ -55,26 +55,27 @@ data "azurerm_subnet" "this" {
 }
 module "storageaccount" {
- source = "../../../modules/storageaccount"
- for_each = var.storageaccounts
- name = "radix${each.key}${module.config.environment}"
- tier = each.value.account_tier
- account_replication_type = each.value.account_replication_type
- resource_group_name = each.value.resource_group_name
- location = each.value.location
- environment = module.config.environment
- kind = each.value.kind
- change_feed_enabled = each.value.change_feed_enabled
- versioning_enabled = each.value.versioning_enabled
- backup = each.value.backup
- principal_id = module.backupvault.data.backupvault.identity[0].principal_id
- vault_id = module.backupvault.data.backupvault.id
- policyblobstorage_id = module.backupvault.data.policyblobstorage.id
- subnet_id = data.azurerm_subnet.this.id
- vnet_resource_group = module.config.vnet_resource_group
- lifecyclepolicy = each.value.lifecyclepolicy
- ip_rule = data.azurerm_key_vault_secret.this.value
- log_analytics_id = module.loganalytics.workspace_id
+ source = "../../../modules/storageaccount"
+ for_each = var.storageaccounts
+ name = "radix${each.key}${module.config.environment}"
+ tier = each.value.account_tier
+ account_replication_type = each.value.account_replication_type
+ resource_group_name = each.value.resource_group_name
+ location = each.value.location
+ environment = module.config.environment
+ kind = each.value.kind
+ change_feed_enabled = each.value.change_feed_enabled
+ versioning_enabled = each.value.versioning_enabled
+ backup = each.value.backup
+ principal_id = module.backupvault.data.backupvault.identity[0].principal_id
+ vault_id = module.backupvault.data.backupvault.id
+ policyblobstorage_id = module.backupvault.data.policyblobstorage.id
+ subnet_id = data.azurerm_subnet.this.id
+ vnet_resource_group = module.config.vnet_resource_group
+ lifecyclepolicy = each.value.lifecyclepolicy
+ ip_rule = data.azurerm_key_vault_secret.this.value
+ log_analytics_id = module.loganalytics.workspace_id
+ shared_access_key_enabled = each.value.shared_access_key_enabled #Needed in module create container when running apply
 }
 module "acr" {
diff --git a/terraform/subscriptions/s940/c2/common/variables.tf b/terraform/subscriptions/s940/c2/common/variables.tf
index d63f800cc..ef6e3de9f 100644
--- a/terraform/subscriptions/s940/c2/common/variables.tf
+++ b/terraform/subscriptions/s940/c2/common/variables.tf
@@ -1,18 +1,19 @@
 variable "storageaccounts" {
 description = "Max 15 characters lowercase in the storageaccount name"
 type = map(object({
- name = string
- resource_group_name = optional(string, "common-c2")
- location = optional(string, "westeurope")
- account_tier = optional(string, "Standard")
- account_replication_type = optional(string, "LRS")
- kind = optional(string, "StorageV2")
- change_feed_enabled = optional(bool, false)
- versioning_enabled = optional(bool, false)
- backup = optional(bool, false)
- principal_id = optional(string)
- private_endpoint = optional(bool, false)
- lifecyclepolicy = optional(bool, false)
+ name = string
+ resource_group_name = optional(string, "common-c2")
+ location = optional(string, "westeurope")
+ account_tier = optional(string, "Standard")
+ account_replication_type = optional(string, "LRS")
+ kind = optional(string, "StorageV2")
+ change_feed_enabled = optional(bool, false)
+ versioning_enabled = optional(bool, false)
+ backup = optional(bool, false)
+ principal_id = optional(string)
+ private_endpoint = optional(bool, false)
+ lifecyclepolicy = optional(bool, false)
+ shared_access_key_enabled = optional(bool, false)
 }))
 default = {
 log = {
@@ -22,10 +23,11 @@ variable "storageaccounts" {
 },
 velero = {
- name = "velero"
- account_replication_type = "GRS"
- backup = true
- lifecyclepolicy = true
+ name = "velero"
+ account_replication_type = "GRS"
+ backup = true
+ lifecyclepolicy = true
+ shared_access_key_enabled = true
 }
 }
 }
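Review bot: `shared_access_key_enabled = each.value.shared_access_key_enabled`, with the `velero` entry in the variables.tf hunk flipped to `true`, turns account-key authentication back on for the backup storage account, and the trailing comment says the only reason is that the container resource needs it during apply. That is a credential-surface change: an account key now exists for the account holding every cluster's backups, whereas the deleted script used `--auth-mode login` and the Velero values set `useAAD: "true"`, so nothing else on this page needs the key. Consider keeping the key disabled and having the provider use Entra ID for data-plane calls instead (`storage_use_azuread = true` in the `azurerm` provider block), which should let `azurerm_storage_container` be created without a key; if the key really is required, record why in the `storageaccounts` variable description, which the variables.tf hunks leave untouched. The same line lands in the extmon, prod, dev and playground `common/main.tf`; dev additionally adds a stray blank line before the module's closing brace, and the comment would read better as `# Needed …` with a space after `#`.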
diff --git a/terraform/subscriptions/s940/c2/post-clusters/velero.tf b/terraform/subscriptions/s940/c2/post-clusters/velero.tf
index 3e0db5b1c..212de678e 100644
--- a/terraform/subscriptions/s940/c2/post-clusters/velero.tf
+++ b/terraform/subscriptions/s940/c2/post-clusters/velero.tf
@@ -13,3 +13,10 @@ resource "azurerm_federated_identity_credential" "velero-mi-fedcred" {
 parent_id = data.azurerm_user_assigned_identity.velero.id
 resource_group_name = module.config.common_resource_group
 }
+
+resource "azurerm_storage_container" "velero" {
+ for_each = module.clusters.oidc_issuer_url
+ name = each.key
+ storage_account_name = "radixvelero${module.config.environment}"
+ container_access_type = "private" # Options: private, blob, container
+}
diff --git a/terraform/subscriptions/s940/extmon/common/main.tf b/terraform/subscriptions/s940/extmon/common/main.tf
index decf713e4..0260cf2b1 100644
--- a/terraform/subscriptions/s940/extmon/common/main.tf
+++ b/terraform/subscriptions/s940/extmon/common/main.tf
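Review bot: `azurerm_storage_container.velero` replaces the `az storage container create -n "$CLUSTER_NAME"` step of the deleted `install_prerequisites_in_cluster.sh`, but that script also created the `$VELERO_NAMESPACE` namespace and the `velero-flux-values` ConfigMap (bucket, resource group, storage account, `useAAD: "true"`) that Flux consumes when it deploys Velero, and this diff shows no replacement for either; if they now come from somewhere else, say so in the commit description, otherwise Velero will be reconciled without its cluster-specific backup location. `for_each = module.clusters.oidc_issuer_url` is presumably used only because its keys are the cluster names; a comment such as `# one private container per cluster, keyed by cluster name (matches the old $CLUSTER_NAME container)` would make that explicit, and if `module.clusters` exposes the cluster set directly, iterating that is less fragile than borrowing an unrelated output. The identical resource is added in the extmon, prod, dev and playground `post-clusters/velero.tf`; the prod, dev and playground copies lack a trailing newline.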
@@ -82,23 +82,24 @@ resource "azurerm_private_dns_a_record" "cache" {
 }
 module "storageaccount" {
- source = "../../../modules/storageaccount"
- for_each = var.storageaccounts
- name = "radix${each.key}${module.config.environment}"
- tier = each.value.account_tier
- account_replication_type = each.value.account_replication_type
- resource_group_name = each.value.resource_group_name
- location = each.value.location
- environment = module.config.environment
- kind = each.value.kind
- change_feed_enabled = each.value.change_feed_enabled
- versioning_enabled = each.value.versioning_enabled
- backup = each.value.backup
- subnet_id = data.azurerm_subnet.this.id
- vnet_resource_group = module.config.vnet_resource_group
- lifecyclepolicy = each.value.lifecyclepolicy
- ip_rule = data.azurerm_key_vault_secret.this.value
- log_analytics_id = module.loganalytics.workspace_id
+ source = "../../../modules/storageaccount"
+ for_each = var.storageaccounts
+ name = "radix${each.key}${module.config.environment}"
+ tier = each.value.account_tier
+ account_replication_type = each.value.account_replication_type
+ resource_group_name = each.value.resource_group_name
+ location = each.value.location
+ environment = module.config.environment
+ kind = each.value.kind
+ change_feed_enabled = each.value.change_feed_enabled
+ versioning_enabled = each.value.versioning_enabled
+ backup = each.value.backup
+ subnet_id = data.azurerm_subnet.this.id
+ vnet_resource_group = module.config.vnet_resource_group
+ lifecyclepolicy = each.value.lifecyclepolicy
+ ip_rule = data.azurerm_key_vault_secret.this.value
+ log_analytics_id = module.loganalytics.workspace_id
+ shared_access_key_enabled = each.value.shared_access_key_enabled #Needed in module create container when running apply
 }
 module "radix_id_gitrunner" {
diff --git a/terraform/subscriptions/s940/extmon/common/variables.tf b/terraform/subscriptions/s940/extmon/common/variables.tf
index 8b7e7beb1..a33986110 100644
--- a/terraform/subscriptions/s940/extmon/common/variables.tf
+++ b/terraform/subscriptions/s940/extmon/common/variables.tf
@@ -1,26 +1,28 @@
 variable "storageaccounts" {
 description = "Max 15 characters lowercase in the storageaccount name"
 type = map(object({
- name = string
- resource_group_name = optional(string, "common-extmon")
- location = optional(string, "northeurope")
- account_tier = optional(string, "Standard")
- account_replication_type = optional(string, "LRS")
- kind = optional(string, "StorageV2")
- change_feed_enabled = optional(bool, false)
- versioning_enabled = optional(bool, false)
- backup = optional(bool, false)
- principal_id = optional(string)
- private_endpoint = optional(bool, false)
- lifecyclepolicy = optional(bool, false)
+ name = string
+ resource_group_name = optional(string, "common-extmon")
+ location = optional(string, "northeurope")
+ account_tier = optional(string, "Standard")
+ account_replication_type = optional(string, "LRS")
+ kind = optional(string, "StorageV2")
+ change_feed_enabled = optional(bool, false)
+ versioning_enabled = optional(bool, false)
+ backup = optional(bool, false)
+ principal_id = optional(string)
+ private_endpoint = optional(bool, false)
+ lifecyclepolicy = optional(bool, false)
+ shared_access_key_enabled = optional(bool, false)
 }))
 default = {
 log = {
 name = "log"
 },
 velero = {
- name = "velero"
- lifecyclepolicy = true
+ name = "velero"
+ lifecyclepolicy = true
+ shared_access_key_enabled = true
 }
 }
 }
\ No newline at end of file
diff --git a/terraform/subscriptions/s940/extmon/post-clusters/velero.tf b/terraform/subscriptions/s940/extmon/post-clusters/velero.tf
index 3e0db5b1c..212de678e 100644
--- a/terraform/subscriptions/s940/extmon/post-clusters/velero.tf
+++ b/terraform/subscriptions/s940/extmon/post-clusters/velero.tf
@@ -13,3 +13,10 @@ resource "azurerm_federated_identity_credential" "velero-mi-fedcred" {
 parent_id = data.azurerm_user_assigned_identity.velero.id
 resource_group_name = module.config.common_resource_group
 }
+
+resource "azurerm_storage_container" "velero" {
+ for_each = module.clusters.oidc_issuer_url
+ name = each.key
+ storage_account_name = "radixvelero${module.config.environment}"
+ container_access_type = "private" # Options: private, blob, container
+}
diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf
index de12ae6b2..c51e32419 100644
--- a/terraform/subscriptions/s940/prod/common/main.tf
+++ b/terraform/subscriptions/s940/prod/common/main.tf
@@ -52,26 +52,27 @@ data "azurerm_subnet" "this" {
 }
 module "storageaccount" {
- source = "../../../modules/storageaccount"
- for_each = var.storageaccounts
- name = "radix${each.key}${module.config.environment}"
- tier = each.value.account_tier
- account_replication_type = each.value.account_replication_type
- resource_group_name = module.config.common_resource_group
- location = module.config.location
- environment = module.config.environment
- kind = each.value.kind
- change_feed_enabled = each.value.change_feed_enabled
- versioning_enabled = each.value.versioning_enabled
- backup = each.value.backup
- principal_id = data.azurerm_data_protection_backup_vault.this.identity[0].principal_id
- vault_id = data.azurerm_data_protection_backup_vault.this.id
- policyblobstorage_id = "${data.azurerm_data_protection_backup_vault.this.id}/backupPolicies/Backuppolicy-blob"
- subnet_id = data.azurerm_subnet.this.id
- vnet_resource_group = module.config.vnet_resource_group
- lifecyclepolicy = each.value.lifecyclepolicy
- ip_rule = data.azurerm_key_vault_secret.this.value
- log_analytics_id = module.loganalytics.workspace_id
+ source = "../../../modules/storageaccount"
+ for_each = var.storageaccounts
+ name = "radix${each.key}${module.config.environment}"
+ tier = each.value.account_tier
+ account_replication_type = each.value.account_replication_type
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ environment = module.config.environment
+ kind = each.value.kind
+ change_feed_enabled = each.value.change_feed_enabled
+ versioning_enabled = each.value.versioning_enabled
+ backup = each.value.backup
+ principal_id = data.azurerm_data_protection_backup_vault.this.identity[0].principal_id
+ vault_id = data.azurerm_data_protection_backup_vault.this.id
+ policyblobstorage_id = "${data.azurerm_data_protection_backup_vault.this.id}/backupPolicies/Backuppolicy-blob"
+ subnet_id = data.azurerm_subnet.this.id
+ vnet_resource_group = module.config.vnet_resource_group
+ lifecyclepolicy = each.value.lifecyclepolicy
+ ip_rule = data.azurerm_key_vault_secret.this.value
+ log_analytics_id = module.loganalytics.workspace_id
+ shared_access_key_enabled = each.value.shared_access_key_enabled #Needed in module create container when running apply
 }
 module "acr" {
diff --git a/terraform/subscriptions/s940/prod/common/variables.tf b/terraform/subscriptions/s940/prod/common/variables.tf
index 8210ded02..046eaa75d 100644
--- a/terraform/subscriptions/s940/prod/common/variables.tf
+++ b/terraform/subscriptions/s940/prod/common/variables.tf
@@ -2,16 +2,17 @@ variable "storageaccounts" {
 description = "Max 15 characters lowercase in the storageaccount name"
 type = map(object({
- name = string
- account_tier = optional(string, "Standard")
- account_replication_type = optional(string, "LRS")
- kind = optional(string, "StorageV2")
- change_feed_enabled = optional(bool, false)
- versioning_enabled = optional(bool, false)
- backup = optional(bool, false)
- principal_id = optional(string)
- private_endpoint = optional(bool, false)
- lifecyclepolicy = optional(bool, false)
+ name = string
+ account_tier = optional(string, "Standard")
+ account_replication_type = optional(string, "LRS")
+ kind = optional(string, "StorageV2")
+ change_feed_enabled = optional(bool, false)
+ versioning_enabled = optional(bool, false)
+ backup = optional(bool, false)
+ principal_id = optional(string)
+ private_endpoint = optional(bool, false)
+ lifecyclepolicy = optional(bool, false)
+ shared_access_key_enabled = optional(bool, false)
 }))
 default = {
 log = {
@@ -21,10 +22,11 @@ variable "storageaccounts" {
 },
 velero = {
- name = "velero"
- account_replication_type = "GRS"
- backup = true
- lifecyclepolicy = true
+ name = "velero"
+ account_replication_type = "GRS"
+ backup = true
+ lifecyclepolicy = true
+ shared_access_key_enabled = true
 }
 }
 }
diff --git a/terraform/subscriptions/s940/prod/post-clusters/velero.tf b/terraform/subscriptions/s940/prod/post-clusters/velero.tf
index 3e0db5b1c..fb87610e7 100644
--- a/terraform/subscriptions/s940/prod/post-clusters/velero.tf
+++ b/terraform/subscriptions/s940/prod/post-clusters/velero.tf
@@ -13,3 +13,10 @@ resource "azurerm_federated_identity_credential" "velero-mi-fedcred" {
 parent_id = data.azurerm_user_assigned_identity.velero.id
 resource_group_name = module.config.common_resource_group
 }
+
+resource "azurerm_storage_container" "velero" {
+ for_each = module.clusters.oidc_issuer_url
+ name = each.key
+ storage_account_name = "radixvelero${module.config.environment}"
+ container_access_type = "private" # Options: private, blob, container
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf
index dcb75bcee..7f30de230 100644
--- a/terraform/subscriptions/s941/dev/common/main.tf
+++ b/terraform/subscriptions/s941/dev/common/main.tf
@@ -50,23 +50,25 @@ data "azurerm_subnet" "this" {
 }
 module "storageaccount" {
- source = "../../../modules/storageaccount"
- for_each = var.storageaccounts
- name = "radix${each.key}${module.config.environment}"
- tier = each.value.account_tier
- account_replication_type = each.value.account_replication_type
- resource_group_name = module.config.common_resource_group
- location = module.config.location
- environment = module.config.environment
- kind = each.value.kind
- change_feed_enabled = each.value.change_feed_enabled
- versioning_enabled = each.value.versioning_enabled
- backup = each.value.backup
- subnet_id = data.azurerm_subnet.this.id
- vnet_resource_group = module.config.vnet_resource_group
- lifecyclepolicy = each.value.lifecyclepolicy
- ip_rule = data.azurerm_key_vault_secret.this.value
- log_analytics_id = module.loganalytics.workspace_id
+ source = "../../../modules/storageaccount"
+ for_each = var.storageaccounts
+ name = "radix${each.key}${module.config.environment}"
+ tier = each.value.account_tier
+ account_replication_type = each.value.account_replication_type
+ resource_group_name = module.config.common_resource_group
+ location = module.config.location
+ environment = module.config.environment
+ kind = each.value.kind
+ change_feed_enabled = each.value.change_feed_enabled
+ versioning_enabled = each.value.versioning_enabled
+ backup = each.value.backup
+ subnet_id = data.azurerm_subnet.this.id
+ vnet_resource_group = module.config.vnet_resource_group
+ lifecyclepolicy = each.value.lifecyclepolicy
+ ip_rule = data.azurerm_key_vault_secret.this.value
+ log_analytics_id = module.loganalytics.workspace_id
+ shared_access_key_enabled = each.value.shared_access_key_enabled #Needed in module create container when running apply
+
 }
 module "acr" {
diff --git a/terraform/subscriptions/s941/dev/common/variables.tf b/terraform/subscriptions/s941/dev/common/variables.tf
index 33b918288..f27f0276c 100644
--- a/terraform/subscriptions/s941/dev/common/variables.tf
+++ b/terraform/subscriptions/s941/dev/common/variables.tf
@@ -2,24 +2,26 @@ variable "storageaccounts" {
 description = "Max 15 characters lowercase in the storageaccount name"
 type = map(object({
- name = string
- account_tier = optional(string, "Standard")
- account_replication_type = optional(string, "LRS")
- kind = optional(string, "StorageV2")
- change_feed_enabled = optional(bool, false)
- versioning_enabled = optional(bool, false)
- backup = optional(bool, false)
- principal_id = optional(string)
- private_endpoint = optional(bool, false)
- lifecyclepolicy = optional(bool, false)
+ name = string
+ account_tier = optional(string, "Standard")
+ account_replication_type = optional(string, "LRS")
+ kind = optional(string, "StorageV2")
+ change_feed_enabled = optional(bool, false)
+ versioning_enabled = optional(bool, false)
+ backup = optional(bool, false)
+ principal_id = optional(string)
+ private_endpoint = optional(bool, false)
+ lifecyclepolicy = optional(bool, false)
+ shared_access_key_enabled = optional(bool, false)
 }))
 default = {
 log = {
 name = "log"
 },
 velero = {
- name = "velero"
- lifecyclepolicy = true
+ name = "velero"
+ lifecyclepolicy = true
+ shared_access_key_enabled = true
 }
 }
 }
diff --git a/terraform/subscriptions/s941/dev/post-clusters/velero.tf b/terraform/subscriptions/s941/dev/post-clusters/velero.tf
index 3e0db5b1c..fb87610e7 100644
--- a/terraform/subscriptions/s941/dev/post-clusters/velero.tf
+++ b/terraform/subscriptions/s941/dev/post-clusters/velero.tf
@@ -13,3 +13,10 @@ resource "azurerm_federated_identity_credential" "velero-mi-fedcred" {
 parent_id = data.azurerm_user_assigned_identity.velero.id
 resource_group_name = module.config.common_resource_group
 }
+
+resource "azurerm_storage_container" "velero" {
+ for_each = module.clusters.oidc_issuer_url
+ name = each.key
+ storage_account_name = "radixvelero${module.config.environment}"
+ container_access_type = "private" # Options: private, blob, container
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf
index fb5c81dca..78f5b66ad 100644
--- a/terraform/subscriptions/s941/playground/common/main.tf
+++ b/terraform/subscriptions/s941/playground/common/main.tf
@@ -46,23 +46,24 @@ data "azurerm_subnet" "this" {
 }
 module "storageaccount" {
- source = "../../../modules/storageaccount"
- for_each = var.storageaccounts
- name = "radix${each.key}${module.config.environment}"
- tier = each.value.account_tier
- account_replication_type = each.value.account_replication_type
- resource_group_name = each.value.resource_group_name
- location = each.value.location
- environment = module.config.environment
- kind = each.value.kind
- change_feed_enabled = each.value.change_feed_enabled
- versioning_enabled = each.value.versioning_enabled
- backup = each.value.backup
- subnet_id = data.azurerm_subnet.this.id
- vnet_resource_group = module.config.vnet_resource_group
- lifecyclepolicy = each.value.lifecyclepolicy
- ip_rule = data.azurerm_key_vault_secret.this.value
- log_analytics_id = module.loganalytics.workspace_id
+ source = "../../../modules/storageaccount"
+ for_each = var.storageaccounts
+ name = "radix${each.key}${module.config.environment}"
+ tier = each.value.account_tier
+ account_replication_type = each.value.account_replication_type
+ resource_group_name = each.value.resource_group_name
+ location = each.value.location
+ environment = module.config.environment
+ kind = each.value.kind
+ change_feed_enabled = each.value.change_feed_enabled
+ versioning_enabled = each.value.versioning_enabled
+ backup = each.value.backup
+ subnet_id = data.azurerm_subnet.this.id
+ vnet_resource_group = module.config.vnet_resource_group
+ lifecyclepolicy = each.value.lifecyclepolicy
+ ip_rule = data.azurerm_key_vault_secret.this.value
+ log_analytics_id = module.loganalytics.workspace_id
+ shared_access_key_enabled = each.value.shared_access_key_enabled #Needed in module create container when running apply
 }
 module "acr" {
diff --git a/terraform/subscriptions/s941/playground/common/variables.tf b/terraform/subscriptions/s941/playground/common/variables.tf
index d5e044f43..6e55eb419 100644
--- a/terraform/subscriptions/s941/playground/common/variables.tf
+++ b/terraform/subscriptions/s941/playground/common/variables.tf
@@ -1,26 +1,28 @@
 variable "storageaccounts" {
 description = "Max 15 characters lowercase in the storageaccount name"
 type = map(object({
- name = string
- resource_group_name = optional(string, "common-playground")
- location = optional(string, "northeurope")
- account_tier = optional(string, "Standard")
- account_replication_type = optional(string, "LRS")
- kind = optional(string, "StorageV2")
- change_feed_enabled = optional(bool, false)
- versioning_enabled = optional(bool, false)
- backup = optional(bool, false)
- principal_id = optional(string)
- private_endpoint = optional(bool, false)
- lifecyclepolicy = optional(bool, false)
+ name = string
+ resource_group_name = optional(string, "common-playground")
+ location = optional(string, "northeurope")
+ account_tier = optional(string, "Standard")
+ account_replication_type = optional(string, "LRS")
+ kind = optional(string, "StorageV2")
+ change_feed_enabled = optional(bool, false)
+ versioning_enabled = optional(bool, false)
+ backup = optional(bool, false)
+ principal_id = optional(string)
+ private_endpoint = optional(bool, false)
+ lifecyclepolicy = optional(bool, false)
+ shared_access_key_enabled = optional(bool, false)
 }))
 default = {
 log = {
 name = "log"
 },
 velero = {
- name = "velero"
- lifecyclepolicy = true
+ name = "velero"
+ lifecyclepolicy = true
+ shared_access_key_enabled = true
 }
 }
 }
diff --git a/terraform/subscriptions/s941/playground/post-clusters/velero.tf b/terraform/subscriptions/s941/playground/post-clusters/velero.tf
index 3e0db5b1c..fb87610e7 100644
--- a/terraform/subscriptions/s941/playground/post-clusters/velero.tf
+++ b/terraform/subscriptions/s941/playground/post-clusters/velero.tf
@@ -13,3 +13,10 @@ resource "azurerm_federated_identity_credential" "velero-mi-fedcred" {
 parent_id = data.azurerm_user_assigned_identity.velero.id
 resource_group_name = module.config.common_resource_group
 }
+
+resource "azurerm_storage_container" "velero" {
+ for_each = module.clusters.oidc_issuer_url
+ name = each.key
+ storage_account_name = "radixvelero${module.config.environment}"
+ container_access_type = "private" # Options: private, blob, container
+}
\ No newline at end of file