

Merge pull request #1088 from equinor/sqldatabases-private-endpoint
Sqldatabases private endpoint
sveinpj authored Nov 14, 2023
2 parents 11fd9da + 9eed17a commit 33b7cc1
Showing 6 changed files with 166 additions and 62 deletions.
60 changes: 50 additions & 10 deletions terraform/infrastructure/s940/prod/sqldatabases/main.tf
Expand Up @@ -23,16 +23,30 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
key_vault_id = data.azurerm_key_vault.keyvault[each.value["vault"]].id
}

data "azurerm_subnet" "subnet" {
for_each = var.virtual_networks
name = "private-links"
virtual_network_name = "vnet-hub"
resource_group_name = "cluster-vnet-hub-${each.key}"
}

data "azurerm_private_dns_zone" "dns_zone" {
for_each = var.virtual_networks
name = "privatelink.database.windows.net"
resource_group_name = "cluster-vnet-hub-${each.key}"
}

resource "azurerm_mssql_server" "sqlserver" {
for_each = var.sql_server
administrator_login = each.value["administrator_login"]
administrator_login_password = data.azurerm_key_vault_secret.keyvault_secrets[each.value["name"]].value
location = each.value["location"]
minimum_tls_version = each.value["minimum_tls_version"]
name = each.value["name"]
resource_group_name = each.value["rg_name"]
tags = each.value["tags"]
version = each.value["version"]
for_each = var.sql_server
administrator_login = each.value["administrator_login"]
administrator_login_password = data.azurerm_key_vault_secret.keyvault_secrets[each.value["name"]].value
location = each.value["location"]
minimum_tls_version = each.value["minimum_tls_version"]
name = each.value["name"]
resource_group_name = each.value["rg_name"]
tags = each.value["tags"]
version = each.value["version"]
public_network_access_enabled = false

dynamic "azuread_administrator" {
for_each = each.value["azuread_administrator"] != null ? [each.value["azuread_administrator"]] : []
Expand All @@ -46,7 +60,7 @@ resource "azurerm_mssql_server" "sqlserver" {

dynamic "identity" {
for_each = each.value["identity"] ? [1] : []

content {
identity_ids = []
type = "SystemAssigned"
Expand All @@ -66,3 +80,29 @@ resource "azurerm_mssql_database" "mssql_database" {
tags = each.value["tags"]
depends_on = [azurerm_mssql_server.sqlserver]
}

resource "azurerm_private_endpoint" "endpoint" {
for_each = var.sql_server
name = "pe-${each.key}"
location = each.value.location
resource_group_name = each.value["rg_name"]
subnet_id = data.azurerm_subnet.subnet[each.value["env"]].id
private_service_connection {
name = "pe-${each.key}"
private_connection_resource_id = azurerm_mssql_server.sqlserver[each.key].id
subresource_names = ["sqlServer"]
is_manual_connection = false
}
depends_on = [azurerm_mssql_server.sqlserver]
}

resource "azurerm_private_dns_a_record" "dns_record" {
for_each = var.sql_server
name = each.value["name"]
zone_name = "privatelink.database.windows.net"
resource_group_name = join("", ["cluster-vnet-hub-", each.value["env"]])
ttl = 300
records = azurerm_private_endpoint.endpoint[each.key].custom_dns_configs[0].ip_addresses
depends_on = [azurerm_private_endpoint.endpoint]
}
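Review bot: `data.azurerm_private_dns_zone.dns_zone` is declared in the first hunk but never referenced; the A record in the last hunk hard-codes the zone name and rebuilds the resource group with `join("", ["cluster-vnet-hub-", each.value["env"]])`, so the looked-up zone and the record can silently drift apart. Point the record at the data source instead, `zone_name = data.azurerm_private_dns_zone.dns_zone[each.value["env"]].name` and `resource_group_name = data.azurerm_private_dns_zone.dns_zone[each.value["env"]].resource_group_name`, and the same interpolation style as the data sources (`"cluster-vnet-hub-${each.value["env"]}"`) would be easier to read than `join`. An alternative that keeps DNS in sync with the endpoint automatically is a `private_dns_zone_group` block on `azurerm_private_endpoint.endpoint` referencing that zone's `id`, rather than a manually maintained record read from `custom_dns_configs[0]`. The explicit `depends_on` on both new resources is redundant with the direct attribute references already creating the dependency. The same applies verbatim to terraform/infrastructure/s941/dev/sqldatabases/main.tf.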

9 changes: 9 additions & 0 deletions terraform/infrastructure/s940/prod/sqldatabases/variables.tf
Expand Up @@ -13,6 +13,7 @@ variable "sql_server" {
identity = optional(bool, true)
db_admin = string # Used in azurerm_key_vault_secret
vault = string
env = string
}))
default = {}
}
Expand All @@ -38,3 +39,11 @@ variable "key_vault" {
}))
default = {}
}

variable "virtual_networks" {
type = map(object({
name = optional(string, "vnet-hub")
rg_name = string
}))
default = {}
}
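Review bot: The new `env` attribute on `sql_server` carries no comment saying what it keys into, unlike `db_admin` two lines above it, and the new `virtual_networks` variable has no `description`. Suggest `env = string # Key into var.virtual_networks; selects the hub subnet and private DNS zone for this server's private endpoint` and a `description` on `virtual_networks` stating that its keys are the environment names referenced by `sql_server[*].env` and must cover every one of them, since the `data.azurerm_subnet.subnet[each.value["env"]]` index in main.tf fails otherwise. The `name` attribute's default of "vnet-hub" is not read by main.tf in this commit, which the description should make clear or the attribute should be dropped. The same applies to terraform/infrastructure/s941/dev/sqldatabases/variables.tf.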
60 changes: 50 additions & 10 deletions terraform/infrastructure/s941/dev/sqldatabases/main.tf
Expand Up @@ -23,16 +23,30 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
key_vault_id = data.azurerm_key_vault.keyvault[each.value["vault"]].id
}

data "azurerm_subnet" "subnet" {
for_each = var.virtual_networks
name = "private-links"
virtual_network_name = "vnet-hub"
resource_group_name = "cluster-vnet-hub-${each.key}"
}

data "azurerm_private_dns_zone" "dns_zone" {
for_each = var.virtual_networks
name = "privatelink.database.windows.net"
resource_group_name = "cluster-vnet-hub-${each.key}"
}

resource "azurerm_mssql_server" "sqlserver" {
for_each = var.sql_server
administrator_login = each.value["administrator_login"]
administrator_login_password = data.azurerm_key_vault_secret.keyvault_secrets[each.value["name"]].value
location = each.value["location"]
minimum_tls_version = each.value["minimum_tls_version"]
name = each.value["name"]
resource_group_name = each.value["rg_name"]
tags = each.value["tags"]
version = each.value["version"]
for_each = var.sql_server
administrator_login = each.value["administrator_login"]
administrator_login_password = data.azurerm_key_vault_secret.keyvault_secrets[each.value["name"]].value
location = each.value["location"]
minimum_tls_version = each.value["minimum_tls_version"]
name = each.value["name"]
resource_group_name = each.value["rg_name"]
tags = each.value["tags"]
version = each.value["version"]
public_network_access_enabled = false

dynamic "azuread_administrator" {
for_each = each.value["azuread_administrator"] != null ? [each.value["azuread_administrator"]] : []
Expand All @@ -46,7 +60,7 @@ resource "azurerm_mssql_server" "sqlserver" {

dynamic "identity" {
for_each = each.value["identity"] ? [1] : []

content {
identity_ids = []
type = "SystemAssigned"
Expand All @@ -66,3 +80,29 @@ resource "azurerm_mssql_database" "mssql_database" {
tags = each.value["tags"]
depends_on = [azurerm_mssql_server.sqlserver]
}

resource "azurerm_private_endpoint" "endpoint" {
for_each = var.sql_server
name = "pe-${each.key}"
location = each.value.location
resource_group_name = each.value["rg_name"]
subnet_id = data.azurerm_subnet.subnet[each.value["env"]].id
private_service_connection {
name = "pe-${each.key}"
private_connection_resource_id = azurerm_mssql_server.sqlserver[each.key].id
subresource_names = ["sqlServer"]
is_manual_connection = false
}
depends_on = [azurerm_mssql_server.sqlserver]
}

resource "azurerm_private_dns_a_record" "dns_record" {
for_each = var.sql_server
name = each.value["name"]
zone_name = "privatelink.database.windows.net"
resource_group_name = join("", ["cluster-vnet-hub-", each.value["env"]])
ttl = 300
records = azurerm_private_endpoint.endpoint[each.key].custom_dns_configs[0].ip_addresses
depends_on = [azurerm_private_endpoint.endpoint]
}
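Review bot: `data.azurerm_subnet.subnet` in the first hunk ignores the `name` and `rg_name` attributes that `var.virtual_networks` defines, hard-coding `virtual_network_name = "vnet-hub"` and deriving the resource group from the map key instead, so values set in tfvars for those attributes have no effect. Either consume them, `virtual_network_name = each.value.name` and `resource_group_name = each.value.rg_name` (and, if the DNS zone lives in the same group, likewise in `data.azurerm_private_dns_zone.dns_zone`), or remove them from the variable. `azurerm_private_endpoint.endpoint` also writes `each.value.location` while every other attribute in this file uses the `each.value["location"]` form; one form throughout is easier to grep. The same applies to terraform/infrastructure/s940/prod/sqldatabases/main.tf.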

9 changes: 9 additions & 0 deletions terraform/infrastructure/s941/dev/sqldatabases/variables.tf
Expand Up @@ -13,6 +13,7 @@ variable "sql_server" {
identity = optional(bool, true)
db_admin = string # Used in azurerm_key_vault_secret
vault = string
env = string
}))
default = {}
}
Expand All @@ -38,3 +39,11 @@ variable "key_vault" {
}))
default = {}
}

variable "virtual_networks" {
type = map(object({
name = optional(string, "vnet-hub")
rg_name = string
}))
default = {}
}
32 changes: 18 additions & 14 deletions terraform/radix-zone/radix_zone_dev.tfvars
Expand Up @@ -22,7 +22,7 @@ CLUSTER_TYPE = "development"
RADIX_ZONE = "dev"
RADIX_ENVIRONMENT = "dev"
RADIX_WEB_CONSOLE_ENVIRONMENTS = ["qa", "prod"]
K8S_ENVIROMENTS = {
K8S_ENVIROMENTS = {
"dev" = { "name" = "dev", "resourceGroup" = "clusters" },
"playground" = { "name" = "playground", "resourceGroup" = "clusters" }
}
Expand Down Expand Up @@ -236,36 +236,40 @@ storage_accounts = {

sql_server = {
"sql-radix-cost-allocation-dev" = {
name = "sql-radix-cost-allocation-dev"
rg_name = "cost-allocation"
db_admin = "radix-cost-allocation-db-admin"
vault = "radix-vault-dev"
tags = {
name = "sql-radix-cost-allocation-dev"
rg_name = "cost-allocation"
db_admin = "radix-cost-allocation-db-admin"
vault = "radix-vault-dev"
env = "dev"
tags = {
"displayName" = "SqlServer"
}
}
"sql-radix-cost-allocation-playground" = {
name = "sql-radix-cost-allocation-playground"
rg_name = "cost-allocation"
db_admin = "radix-cost-allocation-db-admin-playground"
vault = "radix-vault-dev"
tags = {
name = "sql-radix-cost-allocation-playground"
rg_name = "cost-allocation"
db_admin = "radix-cost-allocation-db-admin-playground"
vault = "radix-vault-dev"
env = "playground"
tags = {
"displayName" = "SqlServer"
}
}
"sql-radix-vulnerability-scan-dev" = {
name = "sql-radix-vulnerability-scan-dev"
rg_name = "vulnerability-scan"
db_admin = "radix-vulnerability-scan-db-admin"
identity = false
identity = true
vault = "radix-vault-dev"
env = "dev"
}
"sql-radix-vulnerability-scan-playground" = {
name = "sql-radix-vulnerability-scan-playground"
rg_name = "vulnerability-scan"
db_admin = "radix-vulnerability-scan-db-admin-playground"
identity = false
vault = "radix-vault-dev"
env = "playground"
}
}

Expand All @@ -277,14 +281,14 @@ sql_database = {
"sql-radix-cost-allocation-dev" = {
name = "sqldb-radix-cost-allocation"
server = "sql-radix-cost-allocation-dev"
tags = {
tags = {
"displayName" = "Database"
}
}
"sql-radix-cost-allocation-playground" = {
name = "sqldb-radix-cost-allocation"
server = "sql-radix-cost-allocation-playground"
tags = {
tags = {
"displayName" = "Database"
}
}
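Review bot: `sql-radix-vulnerability-scan-dev` flips `identity` from false to true while the parallel `sql-radix-vulnerability-scan-playground` entry stays false, so the two servers now diverge on having a system-assigned identity; if that is intended, a comment on the line such as `identity = true # dev only: <reason>` would stop the next reader from "fixing" it back. The new `env` values must match keys of `virtual_networks`, which this file does not add in this commit, so presumably it is already defined elsewhere in the tfvars; worth confirming before apply, since a missing key fails the `data.azurerm_subnet.subnet[each.value["env"]]` lookup in main.tf. The whitespace-only realignment of `tags = {` (two places) and `K8S_ENVIROMENTS` appears unrelated and inflates the diff; a separate formatting commit would keep the review focused on the connectivity change.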
58 changes: 30 additions & 28 deletions terraform/radix-zone/radix_zone_prod.tfvars
Expand Up @@ -232,23 +232,23 @@ aks_clouster_resource_groups = ["clusters-westeurope", "clusters"]

storage_accounts = {
"radixflowlogsc2prod" = {
name = "radixflowlogsc2prod"
rg_name = "logs-westeurope"
location = "westeurope"
backup_center = true
life_cycle = false
managed_identity = true
name = "radixflowlogsc2prod"
rg_name = "logs-westeurope"
location = "westeurope"
backup_center = true
life_cycle = false
managed_identity = true
life_cycle = true
life_cycle_version = 3
life_cycle_blob = 90
life_cycle_blob_cool = 7
}
"radixflowlogsprod" = {
name = "radixflowlogsprod"
rg_name = "Logs"
backup_center = true
life_cycle = false
managed_identity = true
name = "radixflowlogsprod"
rg_name = "Logs"
backup_center = true
life_cycle = false
managed_identity = true
life_cycle = true
life_cycle_version = 3
life_cycle_blob = 90
Expand All @@ -262,7 +262,7 @@ storage_accounts = {
backup_center = true
firewall = false
create_with_rbac = true
life_cycle_blob = 0
life_cycle_blob = 0
}
"s940radixveleroc2" = {
name = "s940radixveleroc2"
Expand Down Expand Up @@ -300,25 +300,25 @@ storage_accounts = {

sql_server = {
"sql-radix-cost-allocation-c2-prod" = {
name = "sql-radix-cost-allocation-c2-prod"
rg_name = "cost-allocation-westeurope"
location = "westeurope"
db_admin = "radix-cost-allocation-db-admin"
minimum_tls_version = "Disabled"
vault = "radix-vault-c2-prod"
tags = {
name = "sql-radix-cost-allocation-c2-prod"
rg_name = "cost-allocation-westeurope"
location = "westeurope"
db_admin = "radix-cost-allocation-db-admin"
vault = "radix-vault-c2-prod"
env = "c2"
tags = {
"displayName" = "SqlServer"
}
identity = false
}
"sql-radix-cost-allocation-prod" = {
name = "sql-radix-cost-allocation-prod"
rg_name = "cost-allocation"
db_admin = "radix-cost-allocation-db-admin"
minimum_tls_version = "Disabled"
vault = "radix-vault-prod"
sku_name = "S3"
tags = {
name = "sql-radix-cost-allocation-prod"
rg_name = "cost-allocation"
db_admin = "radix-cost-allocation-db-admin"
vault = "radix-vault-prod"
env = "prod"
sku_name = "S3"
tags = {
"displayName" = "SqlServer"
}
}
Expand All @@ -329,12 +329,14 @@ sql_server = {
db_admin = "radix-vulnerability-scan-db-admin"
identity = false
vault = "radix-vault-c2-prod"
env = "c2"
}
"sql-radix-vulnerability-scan-prod" = {
name = "sql-radix-vulnerability-scan-prod"
rg_name = "vulnerability-scan"
db_admin = "radix-vulnerability-scan-db-admin"
vault = "radix-vault-prod"
env = "prod"
sku_name = "S3"
}
}
Expand All @@ -347,15 +349,15 @@ sql_database = {
"sql-radix-cost-allocation-c2-prod" = {
name = "sqldb-radix-cost-allocation"
server = "sql-radix-cost-allocation-c2-prod"
tags = {
tags = {
"displayName" = "Database"
}
}
"sql-radix-cost-allocation-prod" = {
name = "sqldb-radix-cost-allocation"
server = "sql-radix-cost-allocation-prod"
sku_name = "S3"
tags = {
tags = {
"displayName" = "Database"
}
}
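Review bot: Both `radixflowlogsc2prod` and `radixflowlogsprod` set `life_cycle = false` on the re-indented lines and then `life_cycle = true` a few lines later, so each object carries a duplicate key; depending on the HCL version either the later line silently wins or the file is rejected with a duplicate-key error. Delete the `life_cycle = false` line in each so the intent is explicit. Dropping `minimum_tls_version = "Disabled"` from the two cost-allocation servers is a real hardening, but the effective value becomes whatever `variable "sql_server"` defaults `minimum_tls_version` to, which is not visible in this diff; confirm that default is "1.2" before apply. `sql-radix-cost-allocation-c2-prod` keeps `identity = false` while its `prod` counterpart omits it and so gets the `optional(bool, true)` default from variables.tf, which may be intended but reads as an inconsistency worth a comment.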

