Add Private Endpoint module (#1448)

Co-authored-by: Automatic Update <radix@statoilsrm.onmicrosoft.com>
equinor · Sep 10, 2024 · 28a5300 · 28a5300
1 parent 161af29
commit 28a5300
Show file tree

Hide file tree

Showing 9 changed files with 206 additions and 1 deletion.
diff --git a/terraform/subscriptions/modules/private-endpoints/main.tf b/terraform/subscriptions/modules/private-endpoints/main.tf
@@ -0,0 +1,66 @@
+locals {
+  dnszone = lookup(var.subresourcename_dns, "${var.subresourcename}", "")
+}
+
+data "azurerm_subnet" "this" {
+  name                 = "private-links"
+  virtual_network_name = var.virtual_network
+  resource_group_name  = var.vnet_resource_group
+}
+
+data "azurerm_private_dns_zone" "this" {
+  name                = local.dnszone
+  resource_group_name = var.vnet_resource_group
+}
+
+resource "azurerm_private_endpoint" "this" {
+  name                = "pe-${var.server_name}"
+  location            = var.location
+  resource_group_name = var.vnet_resource_group
+  subnet_id           = data.azurerm_subnet.this.id
+  tags = {
+    IaC = "terraform"
+  }
+
+  dynamic "private_service_connection" {
+    for_each = var.manual_connection == true ? [1] : []
+    content {
+      name                           = "pe-${var.server_name}"
+      private_connection_resource_id = var.resource_id
+      subresource_names              = [var.subresourcename]
+      is_manual_connection           = var.manual_connection
+      request_message                = "RadixPrivateLink"
+    }
+  }
+
+  dynamic "private_service_connection" {
+    for_each = var.manual_connection == false ? [1] : []
+    content {
+      name                           = "pe-${var.server_name}"
+      private_connection_resource_id = var.resource_id
+      subresource_names              = [var.subresourcename]
+      is_manual_connection           = var.manual_connection
+    }
+  }
+
+  dynamic "private_dns_zone_group" {
+    for_each = var.manual_connection == true ? [1] : []
+    content {
+      name                 = "default"
+      private_dns_zone_ids = [data.azurerm_private_dns_zone.this.id]
+    }
+  }
+}
+
+resource "azurerm_private_dns_a_record" "this" {
+  name                = var.server_name
+  zone_name           = local.dnszone
+  resource_group_name = var.vnet_resource_group
+  ttl                 = 300
+  records             = [azurerm_private_endpoint.this.private_service_connection[0].private_ip_address]
+  tags = {
+    IaC = "terraform"
+  }
+}
+
+
diff --git a/terraform/subscriptions/modules/private-endpoints/variables.tf b/terraform/subscriptions/modules/private-endpoints/variables.tf
@@ -0,0 +1,41 @@
+variable "subresourcename_dns" {
+  type = map(string)
+  default = {
+    "blob"             = "privatelink.blob.core.windows.net"
+    "postgresqlServer" = "privatelink.postgres.database.azure.com"
+    "sqlServer"        = "privatelink.database.windows.net"
+  }
+}
+
+variable "manual_connection" {
+  type    = bool
+  default = false
+}
+
+
+variable "virtual_network" {
+  type    = string
+  default = "vnet-hub"
+}
+
+
+variable "vnet_resource_group" {
+  type = string
+}
+
+variable "server_name" {
+  type = string
+}
+
+variable "location" {
+  default = "northeurope"
+  type    = string
+}
+
+variable "resource_id" {
+  type = string
+}
+
+variable "subresourcename" {
+  type = string
+}
diff --git a/terraform/subscriptions/modules/virtualnetwork/main.tf b/terraform/subscriptions/modules/virtualnetwork/main.tf
@@ -17,7 +17,7 @@ resource "azurerm_subnet" "this" {
   resource_group_name  = var.vnet_resource_group
   virtual_network_name = azurerm_virtual_network.vnet-hub.name
   address_prefixes     = ["10.0.0.0/18"]
-  service_endpoints    = ["Microsoft.Storage"] #["Microsoft.Storage"],"Microsoft.ContainerRegistry","Microsoft.KeyVault","Microsoft.Sql","Microsoft.Storage"]
+  service_endpoints    = ["Microsoft.Storage"] #"["Microsoft.Storage","Microsoft.ContainerRegistry","Microsoft.KeyVault","Microsoft.Sql","Microsoft.Storage"]
 }
 
 resource "azurerm_private_dns_zone" "this" {

diff --git a/terraform/subscriptions/s940/c2/virtualnetwork/main.tf b/terraform/subscriptions/s940/c2/virtualnetwork/main.tf
@@ -15,6 +15,7 @@ module "azurerm_virtual_network" {
   vnet_resource_group = module.resourcegroups.data.name
   private_dns_zones   = tolist(module.config.private_dns_zones_names)
   depends_on          = [module.resourcegroups]
+
 }
 
 module "azurerm_public_ip_prefix_ingress" {
@@ -57,3 +58,14 @@ output "public_ip_prefix_ids" {
     ingress_id = module.azurerm_public_ip_prefix_ingress.data.id
   }
 }
+
+module "private_endpoints" {
+  source              = "../../../modules/private-endpoints"
+  for_each            = var.private_endpoints
+  server_name         = each.key
+  subresourcename     = each.value.subresourcename
+  resource_id         = each.value.resource_id
+  vnet_resource_group = module.resourcegroups.data.name
+  manual_connection   = each.value.manual_connection
+  location            = module.config.location
+}
diff --git a/terraform/subscriptions/s940/c2/virtualnetwork/variables.tf b/terraform/subscriptions/s940/c2/virtualnetwork/variables.tf
@@ -6,4 +6,23 @@ variable "resource_groups" {
 variable "resource_groups_common_temporary" {
   type    = string
   default = "common-westeurope"
+}
+
+variable "private_endpoints" {
+  description = "List of private endpoints"
+  type = map(object({
+    subresourcename   = string
+    resource_id       = string
+    manual_connection = optional(bool, false)
+  }))
+  default = {
+    sql-radix-cost-allocation-c2 = {
+      subresourcename = "sqlServer"
+      resource_id     = "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/cost-allocation-c2/providers/Microsoft.Sql/servers/sql-radix-cost-allocation-c2"
+    }
+    sql-radix-vulnerability-scan-c2 = {
+      subresourcename = "sqlServer"
+      resource_id     = "/subscriptions/ded7ca41-37c8-4085-862f-b11d21ab341a/resourceGroups/vulnerability-scan-c2/providers/Microsoft.Sql/servers/sql-radix-vulnerability-scan-c2"
+    }
+  }
 }
diff --git a/terraform/subscriptions/s941/dev/virtualnetwork/main.tf b/terraform/subscriptions/s941/dev/virtualnetwork/main.tf
@@ -55,3 +55,13 @@ output "public_ip_prefix_ids" {
     ingress_id = module.azurerm_public_ip_prefix_ingress.data.id
   }
 }
+
+module "private_endpoints" {
+  source              = "../../../modules/private-endpoints"
+  for_each            = var.private_endpoints
+  server_name         = each.key
+  subresourcename     = each.value.subresourcename
+  resource_id         = each.value.resource_id
+  vnet_resource_group = module.resourcegroups.data.name
+  manual_connection   = each.value.manual_connection
+}
diff --git a/terraform/subscriptions/s941/dev/virtualnetwork/variables.tf b/terraform/subscriptions/s941/dev/virtualnetwork/variables.tf
@@ -11,4 +11,28 @@ variable "enviroment_temporary" {
 variable "resource_groups_common_temporary" {
   type    = string
   default = "common"
+}
+
+variable "private_endpoints" {
+  description = "List of private endpoints"
+  type = map(object({
+    subresourcename   = string
+    resource_id       = string
+    manual_connection = optional(bool, false)
+  }))
+  default = {
+    radixblobtest6 = {
+      subresourcename   = "blob"
+      resource_id       = "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/test-resources/providers/Microsoft.Storage/storageAccounts/radixblobtest6"
+      manual_connection = true
+    }
+    sql-radix-cost-allocation-dev = {
+      subresourcename = "sqlServer"
+      resource_id     = "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/cost-allocation-dev/providers/Microsoft.Sql/servers/sql-radix-cost-allocation-dev"
+    }
+    sql-radix-vulnerability-scan-dev = {
+      subresourcename = "sqlServer"
+      resource_id     = "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/vulnerability-scan-dev/providers/Microsoft.Sql/servers/sql-radix-vulnerability-scan-dev"
+    }
+  }
 }
diff --git a/terraform/subscriptions/s941/playground/virtualnetwork/main.tf b/terraform/subscriptions/s941/playground/virtualnetwork/main.tf
@@ -54,5 +54,14 @@ output "public_ip_prefix_ids" {
     egress_id  = module.azurerm_public_ip_prefix_egress.data.id
     ingress_id = module.azurerm_public_ip_prefix_ingress.data.id
   }
+}
 
+module "private_endpoints" {
+  source              = "../../../modules/private-endpoints"
+  for_each            = var.private_endpoints
+  server_name         = each.key
+  subresourcename     = each.value.subresourcename
+  resource_id         = each.value.resource_id
+  vnet_resource_group = module.resourcegroups.data.name
+  manual_connection   = each.value.manual_connection
 }
diff --git a/terraform/subscriptions/s941/playground/virtualnetwork/variables.tf b/terraform/subscriptions/s941/playground/virtualnetwork/variables.tf
@@ -6,4 +6,28 @@ variable "resource_groups" {
 variable "resource_groups_common_temporary" {
   type    = string
   default = "common"
+}
+
+variable "private_endpoints" {
+  description = "List of private endpoints"
+  type = map(object({
+    subresourcename   = string
+    resource_id       = string
+    manual_connection = optional(bool, false)
+  }))
+  default = {
+    psql-s209nlpdevpsql01-playground = {
+      subresourcename   = "postgresqlServer"
+      resource_id       = "/subscriptions/f63116e3-4460-4b18-9e64-5a58ce7cf837/resourceGroups/S209-NE-NLP-DEV/providers/Microsoft.DBforPostgreSQL/flexibleServers/s209nlpdevpsql01"
+      manual_connection = true
+    }
+    sql-radix-cost-allocation-playground = {
+      subresourcename = "sqlServer"
+      resource_id     = "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/cost-allocation-playground/providers/Microsoft.Sql/servers/sql-radix-cost-allocation-playground"
+    }
+    sql-radix-vulnerability-scan-playground = {
+      subresourcename = "sqlServer"
+      resource_id     = "/subscriptions/16ede44b-1f74-40a5-b428-46cca9a5741b/resourceGroups/vulnerability-scan-playground/providers/Microsoft.Sql/servers/sql-radix-vulnerability-scan-playground"
+    }
+  }
 }