Changes to Azure pre-reqs and CDP deploy to support Flexible Servers …

…in all deployments

Signed-off-by: Jim Enright <[email protected]>

modules/terraform-cdp-azure-pre-reqs/data.tf

@@ -24,3 +24,10 @@ data "azurerm_resource_group" "cdp_rmgp" {
 
   depends_on = [azurerm_resource_group.cdp_rmgp]
 }
+
+data "azurerm_virtual_network" "cdp_vnet" {
+  name                = local.cdp_vnet_name
+  resource_group_name = local.cdp_resourcegroup_name
+
+  depends_on = [module.azure_cdp_vnet]
+}

modules/terraform-cdp-azure-pre-reqs/defaults.tf

@@ -42,6 +42,12 @@ locals {
   cdp_gateway_subnet_names = (var.create_vnet ?
   module.azure_cdp_vnet[0].vnet_gateway_subnet_names : var.cdp_gw_subnet_names)
 
+  cdp_delegated_subnet_names = (var.create_vnet ?
+  module.azure_cdp_vnet[0].vnet_delegated_subnet_names : var.cdp_delegated_subnet_names)
+
+  create_private_flexible_server_resources = coalesce(var.create_private_flexible_server_resources, (var.deployment_template != "public") ? true : false)
+
+
   # ------- Storage Resources -------
   storage_suffix = var.random_id_for_bucket ? one(random_id.bucket_suffix).hex : ""
 

modules/terraform-cdp-azure-pre-reqs/main.tf

@@ -40,8 +40,9 @@ module "azure_cdp_vnet" {
   env_prefix = var.env_prefix
   tags       = local.env_tags
 
-  cdp_subnet_range     = var.cdp_subnet_range
-  gateway_subnet_range = var.gateway_subnet_range
+  cdp_subnet_range       = var.cdp_subnet_range
+  gateway_subnet_range   = var.gateway_subnet_range
+  delegated_subnet_range = var.delegated_subnet_range
 
   cdp_subnets_private_endpoint_network_policies_enabled     = var.cdp_subnets_private_endpoint_network_policies_enabled
   gateway_subnets_private_endpoint_network_policies_enabled = var.gateway_subnets_private_endpoint_network_policies_enabled
@@ -166,6 +167,29 @@ resource "azurerm_storage_container" "cdp_backup_storage" {
   ]
 }
 
+# ------- Resources for Private Flexible Servers -------
+resource "azurerm_private_dns_zone" "flexible_server_dns_zone" {
+
+  count = local.create_private_flexible_server_resources ? 1 : 0
+
+  name                = "${var.env_prefix}.postgres.database.azure.com"
+  resource_group_name = local.cdp_resourcegroup_name
+
+  tags = merge(local.env_tags)
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "flexible_server_vnet_link" {
+
+  count = local.create_private_flexible_server_resources ? 1 : 0
+
+  name                  = "${var.env_prefix}.flex-server-vent-link"
+  resource_group_name   = local.cdp_resourcegroup_name
+  private_dns_zone_name = azurerm_private_dns_zone.flexible_server_dns_zone[0].name
+  virtual_network_id    = data.azurerm_virtual_network.cdp_vnet.id
+
+  tags = merge(local.env_tags)
+}
+
 # ------- Azure Cross Account App -------
 
 # Create Azure AD Application

modules/terraform-cdp-azure-pre-reqs/modules/vnet/defaults.tf

@@ -16,11 +16,10 @@ locals {
 
   # Calculate subnets CIDR and names
   subnets_required = {
-    total           = (var.deployment_template == "semi-private") ? var.subnet_count + 1 : var.subnet_count
-    cdp_subnets     = var.subnet_count
-    gateway_subnets = (var.deployment_template == "semi-private") ? 1 : 0
-    # name            = "${var.env_prefix}-sbnt-${format("%02d", idx + 1)}"
-    # cidr            = cidrsubnet(var.vnet_cidr, ceil(log(var.subnet_count, 2)), idx)
+    total             = (var.deployment_template == "semi-private") ? var.subnet_count + 1 : var.subnet_count
+    cdp_subnets       = var.subnet_count
+    gateway_subnets   = (var.deployment_template == "semi-private") ? 1 : 0
+    delegated_subnets = (var.deployment_template != "public") ? 1 : 0
   }
 
   # Extract the VNet CIDR range from the user-provided CIDR
@@ -29,6 +28,8 @@ locals {
   # Calculate the first suitable CIDR range for public subnets after private subnets have been allocated (normalize the offset, expressed as a multiplier of gateway subnet ranges)
   gateway_subnet_offset = ceil(local.subnets_required.cdp_subnets * pow(2, 32 - var.cdp_subnet_range) / pow(2, 32 - var.gateway_subnet_range))
 
+  # Similar calculation for the first suitable CIDR range for delegated subnets after private subnets and public have been allocated (normalize the offset, expressed as a multiplier of gateway subnet ranges)
+  delegated_subnet_offset = ceil(((local.subnets_required.cdp_subnets * pow(2, 32 - var.cdp_subnet_range)) + (local.subnets_required.gateway_subnets * pow(2, 32 - var.gateway_subnet_range))) / pow(2, 32 - var.delegated_subnet_range))
 
   # Network infrastructure for CDP resources
   cdp_subnets = [
@@ -48,4 +49,12 @@ locals {
     }
   ]
 
+  delegated_subnets = [
+    for idx in range(local.subnets_required.delegated_subnets) :
+    {
+      name = "${var.env_prefix}-delegated-sbnt-${format("%02d", idx + 1)}"
+      cidr = cidrsubnet(var.vnet_cidr, var.delegated_subnet_range - local.vnet_cidr_range, idx + local.delegated_subnet_offset)
+    }
+  ]
+
 }

modules/terraform-cdp-azure-pre-reqs/modules/vnet/main.tf

@@ -53,3 +53,25 @@ resource "azurerm_subnet" "gateway_subnets" {
   private_endpoint_network_policies_enabled = var.gateway_subnets_private_endpoint_network_policies_enabled
 
 }
+
+resource "azurerm_subnet" "delegation_subnet" {
+
+  for_each = { for idx, subnet in local.delegated_subnets : idx => subnet }
+
+  virtual_network_name = azurerm_virtual_network.cdp_vnet.name
+  resource_group_name  = var.resourcegroup_name
+  name                 = each.value.name
+  address_prefixes     = [each.value.cidr]
+
+  service_endpoints = ["Microsoft.Sql", "Microsoft.Storage"]
+
+  delegation {
+    name = "flexserver-delegation"
+    service_delegation {
+      name = "Microsoft.DBforPostgreSQL/flexibleServers"
+      actions = [
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+      ]
+    }
+  }
+}

modules/terraform-cdp-azure-pre-reqs/modules/vnet/outputs.tf

@@ -40,4 +40,14 @@ output "vnet_gateway_subnet_ids" {
 output "vnet_gateway_subnet_names" {
   description = "Names of the subnets for CDP Gateway"
   value       = values(azurerm_subnet.gateway_subnets)[*].name
-}
+}
+
+output "vnet_delegated_subnet_ids" {
+  description = "List of IDs of subnets delegated for Private Flexbile Servers"
+  value       = values(azurerm_subnet.delegation_subnet)[*].id
+}
+
+output "vnet_delegated_subnet_names" {
+  description = "Names of subnets delegated for Private Flexbile Servers"
+  value       = values(azurerm_subnet.delegation_subnet)[*].name
+}

modules/terraform-cdp-azure-pre-reqs/modules/vnet/variables.tf

@@ -52,6 +52,12 @@ variable "gateway_subnet_range" {
 
 }
 
+variable "delegated_subnet_range" {
+  type        = number
+  description = "Size of each Postgres Flexible Server delegated subnet"
+
+}
+
 variable "vnet_region" {
   type        = string
   description = "Region which VNet will be created"

modules/terraform-cdp-azure-pre-reqs/outputs.tf

@@ -48,6 +48,19 @@ output "azure_cdp_gateway_subnet_names" {
   description = "Azure Virtual Subnet Names for CDP Endpoint Access Gateway"
 }
 
+output "azure_cdp_flexible_server_delegated_subnet_names" {
+  value = local.cdp_delegated_subnet_names
+
+  description = "Azure Virtual Subnet Names delegated for Private Flexible servers."
+
+}
+
+output "azure_database_private_dns_zone_id" {
+  value = (local.create_private_flexible_server_resources) ? azurerm_private_dns_zone.flexible_server_dns_zone[0].id : null
+
+  description = "The ID of an Azure private DNS zone used for the database."
+}
+
 output "azure_security_group_default_uri" {
   value = azurerm_network_security_group.cdp_default_sg.id
 

modules/terraform-cdp-azure-pre-reqs/variables.tf

@@ -102,6 +102,13 @@ variable "gateway_subnet_range" {
   default = 24
 }
 
+variable "delegated_subnet_range" {
+  type        = number
+  description = "Size of each Postgres Flexible Server delegated subnet. Required if create_vpc is true."
+
+  default = 26
+}
+
 variable "cdp_resourcegroup_name" {
   type        = string
   description = "Pre-existing Resource Group for CDP environment. Required if create_vnet is false."
@@ -130,13 +137,27 @@ variable "cdp_gw_subnet_names" {
   default = null
 }
 
+variable "cdp_delegated_subnet_names" {
+  type        = list(any)
+  description = "List of subnet names delegated for Flexible Servers. Required if create_vnet is false."
+
+  default = null
+}
+
 variable "subnet_count" {
   type        = string
-  description = "Number of Subnets Required"
+  description = "Number of CDP Subnets Required"
 
   default = "3"
 }
 
+variable "create_private_flexible_server_resources" {
+  type        = bool
+  description = "Flag to specify if resources to support a Private Postgres flexible server should be created."
+
+  default = null
+}
+
 # Security Groups
 variable "security_group_default_name" {
   type = string

modules/terraform-cdp-deploy/examples/ex02-azure-basic/main.tf

@@ -60,6 +60,9 @@ module "cdp_deploy" {
   azure_cdp_subnet_names         = module.cdp_azure_prereqs.azure_cdp_subnet_names
   azure_cdp_gateway_subnet_names = module.cdp_azure_prereqs.azure_cdp_gateway_subnet_names
 
+  azure_cdp_flexible_server_delegated_subnet_names = module.cdp_azure_prereqs.azure_cdp_flexible_server_delegated_subnet_names
+  azure_database_private_dns_zone_id               = module.cdp_azure_prereqs.azure_database_private_dns_zone_id
+
   azure_security_group_default_uri = module.cdp_azure_prereqs.azure_security_group_default_uri
   azure_security_group_knox_uri    = module.cdp_azure_prereqs.azure_security_group_knox_uri
 

modules/terraform-cdp-deploy/main.tf

@@ -113,12 +113,13 @@ module "cdp_on_azure" {
   subscription_id = var.azure_subscription_id
   tenant_id       = var.azure_tenant_id
 
-  region                   = var.region
-  resource_group_name      = var.azure_resource_group_name
-  vnet_name                = var.azure_vnet_name
-  cdp_subnet_names         = var.azure_cdp_subnet_names
-  cdp_gateway_subnet_names = var.azure_cdp_gateway_subnet_names
-  public_key_text          = var.public_key_text
+  region                                     = var.region
+  resource_group_name                        = var.azure_resource_group_name
+  vnet_name                                  = var.azure_vnet_name
+  cdp_subnet_names                           = var.azure_cdp_subnet_names
+  cdp_gateway_subnet_names                   = var.azure_cdp_gateway_subnet_names
+  cdp_flexible_server_delegated_subnet_names = var.azure_cdp_flexible_server_delegated_subnet_names
+  public_key_text                            = var.public_key_text
 
   data_storage_location   = var.data_storage_location
   log_storage_location    = var.log_storage_location

modules/terraform-cdp-deploy/modules/azure/main.tf

@@ -50,6 +50,7 @@ resource "cdp_environments_azure_environment" "cdp_env" {
     subnet_ids                   = var.cdp_subnet_names
     aks_private_dns_zone_id      = var.azure_aks_private_dns_zone_id
     database_private_dns_zone_id = var.azure_database_private_dns_zone_id
+    flexible_server_subnet_ids   = var.cdp_flexible_server_delegated_subnet_names
   }
   create_private_endpoints = var.create_private_endpoints
 

modules/terraform-cdp-deploy/modules/azure/variables.tf

@@ -297,6 +297,17 @@ variable "cdp_gateway_subnet_names" {
 
 }
 
+variable "cdp_flexible_server_delegated_subnet_names" {
+  type        = list(any)
+  description = "Azure Subnet Names delegated for Private Flexible servers."
+
+  validation {
+    condition     = var.cdp_flexible_server_delegated_subnet_names != null
+    error_message = "Valid values for var: cdp_flexible_server_delegated_subnet_names must be a list of existing Azure Virtual Subnets."
+  }
+
+}
+
 variable "security_group_default_uri" {
   type        = string
   description = "Azure Default Security Group URI."

modules/terraform-cdp-deploy/variables.tf

@@ -522,6 +522,14 @@ variable "azure_cdp_gateway_subnet_names" {
 
 }
 
+variable "azure_cdp_flexible_server_delegated_subnet_names" {
+  type        = list(any)
+  description = "List of Azure Subnet Names delegated for Private Flexible servers. Required for CDP deployment on Azure."
+
+  default = null
+
+}
+
 variable "azure_security_group_default_uri" {
   type        = string
   description = "Azure Default Security Group URI. Required for CDP deployment on Azure."