Add Private Endpoint feature for SQL MI module (#1963)

* Added block for sqlmi private endpoint deployment and updated examples * added sqlmi example in longrunners file
aztfmod · May 2, 2024 · 51be075 · 51be075
1 parent a0d4ba1
commit 51be075
Show file tree

Hide file tree

Showing 9 changed files with 111 additions and 3 deletions.
diff --git a/.github/workflows/standalone-scenarios-longrunners.json b/.github/workflows/standalone-scenarios-longrunners.json
@@ -19,6 +19,7 @@
     "apim/117-api_management_product",
     "app_gateway/301-agw-v1",
     "compute/vmware_cluster/101-vmware_cluster",
+    "mssql_mi/200-mi",
     "networking/virtual_network_gateway/100-expressroute-gateway",
     "networking/virtual_network_gateway/101-vpn-site-to-site",
     "networking/virtual_network_gateway/102-vpn-site-to-site-active-active",

diff --git a/examples/mssql_mi/200-mi/configuration.tfvars b/examples/mssql_mi/200-mi/configuration.tfvars
@@ -21,7 +21,7 @@ vnets = {
     resource_group_key = "networking_region1"
     vnet = {
       name          = "sqlmi-rg1"
-      address_space = ["172.25.88.0/21"]
+      address_space = ["172.25.88.0/21","10.2.0.0/24"]
     }
     subnets = {
       sqlmi1 = {
@@ -39,6 +39,12 @@ vnets = {
           ]
         }
       }
+      subnet02 = {
+        name            = "subnet02"
+        cidr            = ["10.2.0.0/24"]
+        nsg_key         = "subnet02"
+        route_table_key = "sqlmi1"
+      }
     }
   }
 }
@@ -71,6 +77,19 @@ mssql_managed_instances = {
 
     storageSizeInGB = 32
     vCores          = 8
+    private_endpoints = {
+      privatelink-sqlmi = {
+        name               = "pe-sqlmi1"
+        vnet_key           = "sqlmi_region1"
+        subnet_key         = "subnet02"
+        resource_group_key = "sqlmi_region1"
+        private_service_connection = {
+          name                 = "conn-sqlmi1"
+          is_manual_connection = false
+          subresource_names    = ["managedInstance"]
+        }
+      }
+    }
   }
 }
 

diff --git a/examples/mssql_mi/200-mi/nsg.tfvars b/examples/mssql_mi/200-mi/nsg.tfvars
@@ -83,4 +83,7 @@ network_security_group_definition = {
       }
     ]
   }
+  subnet02 = {
+    nsg= []
+  }
 }
diff --git a/modules/databases/mssql_managed_instance/private_endpoints.tf b/modules/databases/mssql_managed_instance/private_endpoints.tf
@@ -0,0 +1,23 @@
+
+
+#
+# Private endpoint
+#
+
+module "private_endpoint" {
+  source   = "../../networking/private_endpoint"
+  for_each = var.private_endpoints
+
+  resource_id         = local.output.id
+  name                = each.value.name
+  location            = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
+  resource_group_name = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name
+  subnet_id           = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id
+
+  settings        = each.value
+  global_settings = var.global_settings
+  base_tags       = var.inherit_tags
+  tags            = local.tags
+  private_dns     = var.private_dns
+  client_config   = var.client_config
+}
diff --git a/modules/databases/mssql_managed_instance/variables.tf b/modules/databases/mssql_managed_instance/variables.tf
@@ -7,6 +7,10 @@ variable "base_tags" {
   description = "Base tags for the resource to be inherited from the resource group."
   type        = map(any)
 }
+variable "inherit_tags" {
+  description = "Base tags for the resource to be inherited from the resource group."
+  type        = bool
+}
 variable "subnet_id" {}
 variable "resource_group_name" {
   description = "(Required) The name of the resource group where to create the resource."
@@ -20,3 +24,9 @@ variable "primary_server_id" {
   default = ""
 }
 variable "keyvault" {}
+variable "vnets" {}
+variable "resource_groups" {}
+variable "private_endpoints" {}
+variable "private_dns" {
+  default = {}
+}
diff --git a/modules/databases/mssql_managed_instance_v1/private_endpoints.tf b/modules/databases/mssql_managed_instance_v1/private_endpoints.tf
@@ -0,0 +1,23 @@
+
+
+#
+# Private endpoint
+#
+
+module "private_endpoint" {
+  source   = "../../networking/private_endpoint"
+  for_each = var.private_endpoints
+
+  resource_id         = azurerm_mssql_managed_instance.mssqlmi.id
+  name                = each.value.name
+  location            = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
+  resource_group_name = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name
+  subnet_id           = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id
+
+  settings        = each.value
+  global_settings = var.global_settings
+  base_tags       = var.inherit_tags
+  tags            = local.tags
+  private_dns     = var.private_dns
+  client_config   = var.client_config
+}
diff --git a/modules/databases/mssql_managed_instance_v1/variables.tf b/modules/databases/mssql_managed_instance_v1/variables.tf
@@ -30,7 +30,16 @@ variable "group_id" {
 }
 
 variable "keyvault" {}
-
+variable "resource_groups" {}
+variable "vnets" {}
+variable "private_endpoints" {}
+variable "base_tags" {
+  description = "Base tags for the resource to be inherited from the resource group."
+  type        = map(any)
+}
+variable "private_dns" {
+  default = {}
+}
 variable "primary_server_id" {}
 
 variable "settings" {
@@ -54,6 +63,7 @@ variable "settings" {
             "minimal_tls_version",
             "name",
             "networking",
+            "private_endpoints",
             "primary_server",
             "proxy_override",
             "public_data_endpoint_enabled",

diff --git a/msssql_managed_instances.tf b/msssql_managed_instances.tf
@@ -16,8 +16,12 @@ module "mssql_managed_instances" {
   location            = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
   resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name
   base_tags           = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
+  inherit_tags        = try(local.global_settings.inherit_tags, false)
   keyvault            = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)]
-
+  vnets             = local.combined_objects_networking
+  private_endpoints = try(each.value.private_endpoints, {})
+  private_dns       = local.combined_objects_private_dns
+  resource_groups   = local.combined_objects_resource_groups
 }
 
 module "mssql_managed_instances_secondary" {
@@ -34,9 +38,14 @@ module "mssql_managed_instances_secondary" {
   location            = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
   resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name
   base_tags           = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
+  inherit_tags        = try(local.global_settings.inherit_tags, false)
   subnet_id           = can(each.value.networking.subnet_id) ? each.value.networking.subnet_id : local.combined_objects_networking[try(each.value.networking.lz_key, local.client_config.landingzone_key)][each.value.networking.vnet_key].subnets[each.value.networking.subnet_key].id
   primary_server_id   = local.combined_objects_mssql_managed_instances[try(each.value.primary_server.lz_key, local.client_config.landingzone_key)][each.value.primary_server.mi_server_key].id
   keyvault            = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)]
+   vnets             = local.combined_objects_networking
+  private_endpoints = try(each.value.private_endpoints, {})
+  private_dns       = local.combined_objects_private_dns
+  resource_groups   = local.combined_objects_resource_groups
 }
 
 module "mssql_mi_failover_groups" {

diff --git a/msssql_managed_instances_v1.tf b/msssql_managed_instances_v1.tf
@@ -34,7 +34,12 @@ module "mssql_managed_instances_v1" {
   keyvault           = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)]
   primary_server_id  = null
   group_id           = can(each.value.administrators.azuread_group_id) || can(each.value.administrators.azuread_group_key) ? try(each.value.administrators.azuread_group_id, local.combined_objects_azuread_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.administrators.azuread_group_key].id) : null
+  vnets             = local.combined_objects_networking
+  private_endpoints = try(each.value.private_endpoints, {})
+  private_dns       = local.combined_objects_private_dns
+  resource_groups   = local.combined_objects_resource_groups
 
+  base_tags           = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
   inherit_tags        = try(local.global_settings.inherit_tags, false)
   resource_group      = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? null : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]
   resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null
@@ -57,7 +62,12 @@ module "mssql_managed_instances_secondary_v1" {
   primary_server_id  = local.combined_objects_mssql_managed_instances[try(each.value.primary_server.lz_key, local.client_config.landingzone_key)][each.value.primary_server.mi_server_key].id
   keyvault           = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)]
   group_id           = can(each.value.administrators.azuread_group_id) || can(each.value.administrators.azuread_group_key) ? try(each.value.administrators.azuread_group_id, local.combined_objects_azuread_groups[try(each.value.administrators.lz_key, local.client_config.landingzone_key)][each.value.administrators.azuread_group_key].id) : null
+  vnets             = local.combined_objects_networking
+  private_endpoints = try(each.value.private_endpoints, {})
+  private_dns       = local.combined_objects_private_dns
+  resource_groups   = local.combined_objects_resource_groups
 
+  base_tags           = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
   inherit_tags        = try(local.global_settings.inherit_tags, false)
   resource_group      = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? null : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]
   resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null
-Original file line number
+Diff line change
@@ Expand Up / @@ -83,4 +83,7 @@ network_security_group_definition = { @@
           }
         ]
       }
+      subnet02 = {
+        nsg= []
+      }
     }