From fef1226f312d4747f772ba7883d06434e1d2fa77 Mon Sep 17 00:00:00 2001 From: Ravi Malvia Date: Fri, 26 Jul 2024 15:50:57 +0530 Subject: [PATCH] fix: fixed the multiple provider issue --- _example/basic/example.tf | 15 +++++++++++++++ _example/basic/version.tf | 4 ++-- _example/complete/example.tf | 36 ++++++++++++++++++++++++++++++++---- _example/complete/version.tf | 4 ++-- main.tf | 29 ++++++++++++++++++++++++++--- variables.tf | 2 +- versions.tf | 4 ++-- 7 files changed, 80 insertions(+), 14 deletions(-)
diff --git a/_example/basic/example.tf b/_example/basic/example.tf
index 9c3d178..e9fe1ab 100644
--- a/_example/basic/example.tf
+++ b/_example/basic/example.tf
@@ -1,7 +1,18 @@
 provider "azurerm" {
 features {}
+ storage_use_azuread = true
+ subscription_id = "01111111111110-11-11-11-11"
+ skip_provider_registration = "true"
 }
+provider "azurerm" {
+ features {}
+ alias = "peer"
+ subscription_id = "01111111111110-11-11-11-11"
+ skip_provider_registration = "true"
+}
+
+
 locals {
 name = "app"
 environment = "test"
@@ -13,6 +24,10 @@ locals {
 ## Here default storage will be deployed i.e. storage account without cmk encryption.
 ##-----------------------------------------------------------------------------
 module "storage" {
+ providers = {
+ azurerm.dns_sub = azurerm.peer,
+ azurerm.main_sub = azurerm
+ }
 source = "../.."
 name = local.name
 environment = local.environment
diff --git a/_example/basic/version.tf b/_example/basic/version.tf
index dc9fae4..a52431b 100644
--- a/_example/basic/version.tf
+++ b/_example/basic/version.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.6.6"
+ required_version = ">= 1.7.8"
 }
 terraform {
@@ -9,4 +9,4 @@ terraform {
 version = ">=3.89.0"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/_example/complete/example.tf b/_example/complete/example.tf
index 8c4f5b2..0c476df 100644
--- a/_example/complete/example.tf
+++ b/_example/complete/example.tf
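Review bot: Both provider blocks added to the basic example hard-code `subscription_id = "01111111111110-11-11-11-11"`, a value that is not GUID-shaped and is unlikely to be accepted by the provider, and because the `peer` alias is given the very same value the example never exercises the cross-subscription DNS path it exists to demonstrate. Take the IDs from variables or the `ARM_SUBSCRIPTION_ID` environment, give `peer` its own `var.dns_subscription_id`, and write the boolean as `skip_provider_registration = true` rather than the string `"true"`. `storage_use_azuread = true` is set only on the default provider, which is acceptable as long as `peer` is used solely for DNS-zone resources; that constraint deserves a comment above the alias block, e.g. `# DNS-zone subscription only; never used for storage data-plane calls`.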
@@ -1,8 +1,19 @@
+
+provider "azurerm" {
+ features {}
+ storage_use_azuread = true
+ subscription_id = "01111111111110-11-11-11-11"
+ skip_provider_registration = "true"
+}
+
 provider "azurerm" {
- storage_use_azuread = true
 features {}
+ alias = "peer"
+ subscription_id = "01111111111110-11-11-11-11"
+ skip_provider_registration = "true"
 }
+
 data "azurerm_client_config" "current_client_config" {}
 locals {
@@ -44,7 +55,7 @@ module "vnet" {
 ##-----------------------------------------------------------------------------
 module "subnet" {
 source = "clouddrove/subnet/azure"
- version = "1.1.0"
+ version = "1.2.0"
 name = local.name
 environment = local.environment
 label_order = local.label_order
@@ -83,7 +94,7 @@ module "vault" {
 source = "clouddrove/key-vault/azure"
 version = "1.1.0"
- name = "vae596058"
+ name = "vae5960581"
 environment = "test"
 label_order = ["name", "environment", ]
 resource_group_name = module.resource_group.resource_group_name
@@ -116,6 +127,11 @@ module "vault" {
 ## Here storage account will be deployed with CMK encryption.
 ##-----------------------------------------------------------------------------
 module "storage" {
+ providers = {
+ azurerm.dns_sub = azurerm.peer,
+ azurerm.main_sub = azurerm
+ }
+
 source = "../.."
 name = local.name
 environment = local.environment
@@ -132,6 +148,18 @@ module "storage" {
 cmk_encryption_enabled = true
 key_vault_id = module.vault.id
+ ########Following to be uncommnented only when using DNS Zone from different subscription along with existing DNS zone.
+
+ # diff_sub = true
+ # alias = ""
+ # alias_sub = ""
+
+ #########Following to be uncommmented when using DNS zone from different resource group or different subscription.
+ # existing_private_dns_zone = "privatelink.blob.core.windows.net"
+ # existing_private_dns_zone_resource_group_name = "dns-rg"
+
+
+
 ## Storage Container
 containers_list = [
 { name = "app-test", access_type = "private" },
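Review bot: The commented guidance added below `key_vault_id` still tells users to set `alias = ""` and `alias_sub = ""`, which look like the inputs that configured the provider block formerly living inside the module; now that `dns_sub`/`main_sub` are injected through the `providers` map earlier in this same file, those two lines appear stale and will send anyone following them down the wrong path. Replace them with a pointer to the `providers` block, keeping only `# diff_sub = true` together with the `existing_private_dns_zone*` lines, and fix the typos `uncommnented`/`uncommmented`. Whether `alias`/`alias_sub` are still declared is not visible here — confirm against `variables.tf` before removing the hint.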
@@ -145,4 +173,4 @@ module "storage" {
 virtual_network_id = module.vnet.vnet_id
 subnet_id = module.subnet.default_subnet_id[0]
 log_analytics_workspace_id = module.log-analytics.workspace_id
-}
\ No newline at end of file
+}
diff --git a/_example/complete/version.tf b/_example/complete/version.tf
index dc9fae4..a52431b 100644
--- a/_example/complete/version.tf
+++ b/_example/complete/version.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.6.6"
+ required_version = ">= 1.7.8"
 }
 terraform {
@@ -9,4 +9,4 @@ terraform {
 version = ">=3.89.0"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/main.tf b/main.tf
index b901bea..3dc046c 100644
--- a/main.tf
+++ b/main.tf
@@ -1,5 +1,6 @@
 data "azurerm_client_config" "current" {}
+
 ##-----------------------------------------------------------------------------
 ## Labels module callled that will be used for naming and tags.
 ##-----------------------------------------------------------------------------
@@ -19,6 +20,7 @@ module "labels" {
 ## To create storage account with cmk(customer managed key) encryption set 'var.default_enabled = false'.
 ##-----------------------------------------------------------------------------
 resource "azurerm_storage_account" "storage" {
+ provider = azurerm.main_sub
 count = var.enabled ? 1 : 0
 name = var.storage_account_name
 resource_group_name = var.resource_group_name
@@ -211,6 +213,7 @@ resource "azurerm_storage_account" "storage" {
 ## This user assigned identity will be created when storage account with cmk is created.
 ##-----------------------------------------------------------------------------
 resource "azurerm_user_assigned_identity" "identity" {
+ provider = azurerm.main_sub
 count = var.enabled && var.cmk_encryption_enabled ? 1 : 0
 location = var.location
 name = format("%s-storage-mid", module.labels.id)
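Review bot: `data "azurerm_client_config" "current"` is left on the implicit default `azurerm` provider while every resource below it in main.tf is moved to `azurerm.main_sub`, so when a caller maps `main_sub` to a non-default alias the `tenant_id`/`object_id` read here come from a different identity than the one creating the resources. The consumer visible later in this patch is `azurerm_key_vault_access_policy.keyvault-access-policy`, whose `tenant_id` would then point at the wrong tenant; add `provider = azurerm.main_sub` inside the data block so the identity and the resources always agree. The other two hunks here only add the provider line to `azurerm_storage_account.storage` and `azurerm_user_assigned_identity.identity`, whose bodies continue past the hunk.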
@@ -222,6 +225,7 @@ resource "azurerm_user_assigned_identity" "identity" {
 ## Below resource will assign 'Key Vault Crypto Service Encryption User' role to user assigned identity created above.
 ##-----------------------------------------------------------------------------
 resource "azurerm_role_assignment" "identity_assigned" {
+ provider = azurerm.main_sub
 depends_on = [azurerm_user_assigned_identity.identity]
 count = var.enabled && var.cmk_encryption_enabled && var.key_vault_rbac_auth_enabled ? 1 : 0
 principal_id = azurerm_user_assigned_identity.identity[0].principal_id
@@ -234,6 +238,7 @@ resource "azurerm_role_assignment" "identity_assigned" {
 ## if rbac is enabled then below resource will create.
 ##-----------------------------------------------------------------------------
 resource "azurerm_role_assignment" "rbac_keyvault_crypto_officer" {
+ provider = azurerm.main_sub
 for_each = toset(var.key_vault_rbac_auth_enabled && var.enabled && var.cmk_encryption_enabled ? var.admin_objects_ids : [])
 scope = var.key_vault_id
@@ -245,6 +250,7 @@ resource "azurerm_role_assignment" "rbac_keyvault_crypto_officer" {
 ## Below resource will create key vault key that will be used for encryption.
 ##-----------------------------------------------------------------------------
 resource "azurerm_key_vault_key" "kvkey" {
+ provider = azurerm.main_sub
 depends_on = [azurerm_role_assignment.identity_assigned, azurerm_role_assignment.rbac_keyvault_crypto_officer]
 count = var.enabled && var.cmk_encryption_enabled ? 1 : 0
 name = format("%s-storage-key-vault-key", module.labels.id)
@@ -278,6 +284,7 @@ resource "azurerm_key_vault_key" "kvkey" {
 ## Below resource will create network rules for storage account.
 ##-----------------------------------------------------------------------------
 resource "azurerm_storage_account_network_rules" "network-rules" {
+ provider = azurerm.main_sub
 for_each = var.enabled ? { for rule in var.network_rules : rule.default_action => rule } : {}
 storage_account_id = azurerm_storage_account.storage[0].id
 default_action = lookup(each.value, "default_action", "Deny")
@@ -297,6 +304,7 @@ resource "azurerm_storage_account_network_rules" "network-rules" {
 ## Below resource will create threat protection for storage account.
 ##-----------------------------------------------------------------------------
 resource "azurerm_advanced_threat_protection" "atp" {
+ provider = azurerm.main_sub
 count = var.enabled && var.enable_advanced_threat_protection ? 1 : 0
 target_resource_id = azurerm_storage_account.storage[0].id
 enabled = var.enable_advanced_threat_protection
@@ -307,6 +315,7 @@ resource "azurerm_advanced_threat_protection" "atp" {
 ## This resource is not required when key vault has role based authorization(rbac) enabled.
 ##-----------------------------------------------------------------------------
 resource "azurerm_key_vault_access_policy" "keyvault-access-policy" {
+ provider = azurerm.main_sub
 count = var.enabled && var.key_vault_rbac_auth_enabled == false ? 1 : 0
 key_vault_id = var.key_vault_id
 tenant_id = data.azurerm_client_config.current.tenant_id
@@ -347,6 +356,7 @@ resource "azurerm_key_vault_access_policy" "keyvault-access-policy" {
 ## Below resource will create container in storage account.
 ##-----------------------------------------------------------------------------
 resource "azurerm_storage_container" "container" {
+ provider = azurerm.main_sub
 count = var.enabled ? length(var.containers_list) : 0
 name = var.containers_list[count.index].name
 storage_account_name = azurerm_storage_account.storage[0].name
@@ -357,6 +367,7 @@ resource "azurerm_storage_container" "container" {
 ## Below resource will create file share in storage account.
 ##-----------------------------------------------------------------------------
 resource "azurerm_storage_share" "fileshare" {
+ provider = azurerm.main_sub
 count = var.enabled ? length(var.file_shares) : 0
 name = var.file_shares[count.index].name
 storage_account_name = azurerm_storage_account.storage[0].name
@@ -367,6 +378,7 @@ resource "azurerm_storage_share" "fileshare" {
 ## Below resource will create tables in storage account.
 ##-----------------------------------------------------------------------------
 resource "azurerm_storage_table" "tables" {
+ provider = azurerm.main_sub
 count = var.enabled ? length(var.tables) : 0
 name = var.tables[count.index]
 storage_account_name = azurerm_storage_account.storage[0].name
@@ -376,6 +388,7 @@ resource "azurerm_storage_table" "tables" {
 ## Below resource will create queue in storage account.
 ##-----------------------------------------------------------------------------
 resource "azurerm_storage_queue" "queues" {
+ provider = azurerm.main_sub
 count = var.enabled ? length(var.queues) : 0
 name = var.queues[count.index]
 storage_account_name = azurerm_storage_account.storage[0].name
@@ -385,6 +398,7 @@ resource "azurerm_storage_queue" "queues" {
 ## Below resource will create management policy for storage account.
 ##-----------------------------------------------------------------------------
 resource "azurerm_storage_management_policy" "lifecycle_management" {
+ provider = azurerm.main_sub
 count = var.enabled && var.management_policy_enable ? length(var.management_policy) : 0
 storage_account_id = azurerm_storage_account.storage[0].id
@@ -426,6 +440,7 @@ provider "azurerm" {
 ## Below resource will create private endpoint for storage account.
 ##-----------------------------------------------------------------------------
 resource "azurerm_private_endpoint" "pep" {
+ provider = azurerm.main_sub
 count = var.enabled && var.enable_private_endpoint ? 1 : 0
 name = format("%s-%s-pe", module.labels.id, var.storage_account_name)
 location = local.location
@@ -460,6 +475,7 @@ locals {
 ## Will work when storage account with cmk encryption.
 ##-----------------------------------------------------------------------------
 data "azurerm_private_endpoint_connection" "private-ip-0" {
+ provider = azurerm.main_sub
 count = var.enabled && var.enable_private_endpoint ? 1 : 0
 name = azurerm_private_endpoint.pep[0].name
 resource_group_name = local.resource_group_name
@@ -471,6 +487,7 @@ data "azurerm_private_endpoint_connection" "private-ip-0" {
 ## Will be created only when there is no existing private dns zone and private endpoint is enabled.
 ##-----------------------------------------------------------------------------
 resource "azurerm_private_dns_zone" "dnszone" {
+ provider = azurerm.main_sub
 count = var.enabled && var.existing_private_dns_zone == null && var.enable_private_endpoint ? 1 : 0
 name = "privatelink.blob.core.windows.net"
 resource_group_name = local.resource_group_name
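Review bot: The hunk header for `azurerm_private_endpoint.pep` shows that main.tf still contains a `provider "azurerm" {` block somewhere above line 440 — presumably the in-module `peer` alias that the `azurerm.dns_sub` references in this patch replace. A shared module that keeps its own provider configuration cannot be called with `count`, `for_each` or `depends_on`, and the leftover block keeps whatever subscription/alias inputs fed it alive as dead configuration surface; delete it and rely solely on the injected `azurerm.main_sub`/`azurerm.dns_sub` configurations. This is inferred from the header context only — the block itself is outside every hunk in the patch.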
@@ -482,6 +499,7 @@ resource "azurerm_private_dns_zone" "dnszone" {
 ## Vnet link will be created when there is no existing private dns zone or existing private dns zone is in same subscription.
 ##-----------------------------------------------------------------------------
 resource "azurerm_private_dns_zone_virtual_network_link" "vent-link" {
+ provider = azurerm.main_sub
 count = var.enabled && var.enable_private_endpoint && (var.existing_private_dns_zone != null ? (var.existing_private_dns_zone_resource_group_name == "" ? false : true) : true) && var.diff_sub == false ? 1 : 0
 name = var.existing_private_dns_zone == null ? format("%s-pdz-vnet-link-storage", module.labels.id) : format("%s-pdz-vnet-link-storage-1", module.labels.id)
 resource_group_name = local.valid_rg_name
@@ -495,7 +513,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vent-link" {
 ## Vnet link will be created when existing private dns zone is in different subscription.
 ##-----------------------------------------------------------------------------
 resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-1" {
- provider = azurerm.peer
+ provider = azurerm.dns_sub
 count = var.enabled && var.enable_private_endpoint && var.diff_sub == true ? 1 : 0
 name = var.existing_private_dns_zone == null ? format("%s-pdz-vnet-link-storage", module.labels.id) : format("%s-pdz-vnet-link-storage-1", module.labels.id)
 resource_group_name = local.valid_rg_name
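Review bot: `vent-link` now pins `provider = azurerm.main_sub` while its `count` still switches on `var.diff_sub == false`, and `vent-link-1` in the next hunk selects `azurerm.dns_sub` only when `diff_sub` is true, so which subscription the link lands in is still a manually supplied flag rather than something derived from the providers the caller actually passed. A caller who maps `dns_sub` to another subscription but leaves `diff_sub` at its default gets the link attempted through `main_sub` against a zone that lives elsewhere, which fails at apply with an authorization error at best. At minimum the `diff_sub` description should say `# Set true whenever azurerm.dns_sub points at a different subscription than azurerm.main_sub`; the cleaner fix is to drop `diff_sub` and always create the zone link through `azurerm.dns_sub`, since same-subscription callers can pass the same provider under both aliases. Both resource bodies continue past their hunks.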
@@ -510,7 +528,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-1" {
 ## This resource is deployed when more than 1 vnet link is required and module can be called again to do so without deploying other storage account resources.
 ##-----------------------------------------------------------------------------
 resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-diff-subs" {
- provider = azurerm.peer
+ provider = azurerm.dns_sub
 count = var.enabled && var.multi_sub_vnet_link && var.existing_private_dns_zone != null ? 1 : 0
 name = format("%s-pdz-vnet-link-storage-1", module.labels.id)
 resource_group_name = var.existing_private_dns_zone_resource_group_name
@@ -524,6 +542,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-diff-subs" {
 ## Below resource will be created when extra vnet link is required in dns zone in same subscription.
 ##-----------------------------------------------------------------------------
 resource "azurerm_private_dns_zone_virtual_network_link" "addon_vent_link" {
+ provider = azurerm.main_sub
 count = var.enabled && var.addon_vent_link ? 1 : 0
 name = format("%s-pdz-vnet-link-storage-addon", module.labels.id)
 resource_group_name = var.addon_resource_group_name
@@ -536,6 +555,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "addon_vent_link" {
 ## Below resource will create dns A record for private ip of private endpoint in private dns zone.
 ##-----------------------------------------------------------------------------
 resource "azurerm_private_dns_a_record" "arecord" {
+ provider = azurerm.main_sub
 count = var.enabled && var.enable_private_endpoint && var.diff_sub == false ? 1 : 0
 name = var.key_vault_id != null ? azurerm_storage_account.storage[0].name : null
 zone_name = local.private_dns_zone_name
@@ -556,7 +576,7 @@ resource "azurerm_private_dns_a_record" "arecord" {
 ##-----------------------------------------------------------------------------
 resource "azurerm_private_dns_a_record" "arecord1" {
 count = var.enabled && var.enable_private_endpoint && var.diff_sub == true ? 1 : 0
- provider = azurerm.peer
+ provider = azurerm.dns_sub
 name = var.key_vault_id != null ? azurerm_storage_account.storage[0].name : null
 zone_name = local.private_dns_zone_name
 resource_group_name = local.valid_rg_name
@@ -574,6 +594,7 @@ resource "azurerm_private_dns_a_record" "arecord1" {
 ## Below resources will create diagnostic setting for storage account and its components.
 ##-----------------------------------------------------------------------------
 resource "azurerm_monitor_diagnostic_setting" "storage" {
+ provider = azurerm.main_sub
 count = var.enabled && var.enable_diagnostic ? 1 : 0
 name = format("storage-diagnostic-log")
 target_resource_id = azurerm_storage_account.storage[0].id
@@ -593,6 +614,7 @@ resource "azurerm_monitor_diagnostic_setting" "storage" {
 }
 resource "azurerm_monitor_diagnostic_setting" "datastorage" {
+ provider = azurerm.main_sub
 depends_on = [azurerm_storage_account.storage]
 count = var.enabled && var.enable_diagnostic ? length(var.datastorages) : 0
 name = format("%s-diagnostic-log", var.datastorages[count.index])
@@ -620,6 +642,7 @@ resource "azurerm_monitor_diagnostic_setting" "datastorage" {
 }
 resource "azurerm_monitor_diagnostic_setting" "storage-nic" {
+ provider = azurerm.main_sub
 depends_on = [azurerm_private_endpoint.pep]
 count = var.enabled && var.enable_diagnostic && var.enable_private_endpoint ? 1 : 0
 name = format("%s-storage-nic-diagnostic-log", module.labels.id)
diff --git a/variables.tf b/variables.tf
index 73b8cdb..cfe4be6 100644
--- a/variables.tf
+++ b/variables.tf
@@ -308,7 +308,7 @@ variable "key_vault_id" {
 variable "expiration_date" {
 type = string
- default = null
+ default = "2034-10-22T18:29:59Z"
 description = "Expiration UTC datetime (Y-m-d'T'H:M:S'Z')"
 }
diff --git a/versions.tf b/versions.tf
index dc9fae4..a52431b 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.6.6"
+ required_version = ">= 1.7.8"
 }
 terraform {
@@ -9,4 +9,4 @@ terraform {
 version = ">=3.89.0"
 }
 }
-}
\ No newline at end of file
+}
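Review bot: `expiration_date` now defaults to the fixed instant `"2034-10-22T18:29:59Z"` instead of `null`, a change unrelated to the provider fix in the commit title that silently alters every caller that never set it: the variable is presumably consumed by `azurerm_key_vault_key.kvkey` (touched earlier in this patch) for storage CMK, so each such deployment gains a key expiry, and once that date passes the storage account can no longer unwrap its key and new deployments fail. A wall-clock default also gives a deployment made in 2033 a one-year key while one made today gets ten. Keep the default at `null` (or make the caller set it) and spell out the consequence in the description, e.g. `description = "Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). Leave null for a non-expiring key; if set, rotate the key before this date or CMK-encrypted data becomes unreadable."`.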
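Review bot: The root `versions.tf` hunk still closes the `required_providers.azurerm` entry right after `version = ">=3.89.0"`, yet the module's resources now reference `azurerm.main_sub` and `azurerm.dns_sub` and the examples hand them in through `providers = {...}`; Terraform only accepts those aliases when the entry declares `configuration_aliases = [azurerm.main_sub, azurerm.dns_sub]`, otherwise `terraform validate` rejects the module call. Only lines 1–5 and 9–12 of the file are visible, so if the declaration already sits in lines 6–8 this is moot, but nothing in the patch adds it. Separately, `>=3.89.0` has no upper bound while the examples rely on `skip_provider_registration`, which the azurerm 4.x major release removed in favour of `resource_provider_registrations`; pinning `version = ">= 3.89.0, < 4.0"` keeps the examples working until the module is ported.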