From 51be0750e4cb69567b1fa1d34520c71a4c5d713c Mon Sep 17 00:00:00 2001
From: Leela Satyavathi Pentakota <106110313+leelasatyavathip@users.noreply.github.com>
Date: Thu, 2 May 2024 11:39:41 +0530
Subject: [PATCH] Add Private Endpoint feature for SQL MI module (#1963)

* Added block for sqlmi private endpoint deployment and updated examples

* added sqlmi example in longrunners file
---
 .../standalone-scenarios-longrunners.json | 1 +
 examples/mssql_mi/200-mi/configuration.tfvars | 21 ++++++++++++++++-
 examples/mssql_mi/200-mi/nsg.tfvars | 3 +++
 .../private_endpoints.tf | 23 +++++++++++++++++++
 .../mssql_managed_instance/variables.tf | 10 ++++++++
 .../private_endpoints.tf | 23 +++++++++++++++++++
 .../mssql_managed_instance_v1/variables.tf | 12 +++++++++-
 msssql_managed_instances.tf | 11 ++++++++-
 msssql_managed_instances_v1.tf | 10 ++++++++
 9 files changed, 111 insertions(+), 3 deletions(-)
 create mode 100644 modules/databases/mssql_managed_instance/private_endpoints.tf
 create mode 100644 modules/databases/mssql_managed_instance_v1/private_endpoints.tf

diff --git a/.github/workflows/standalone-scenarios-longrunners.json b/.github/workflows/standalone-scenarios-longrunners.json
index 06cf1ee6fc..89371a1435 100644
--- a/.github/workflows/standalone-scenarios-longrunners.json
+++ b/.github/workflows/standalone-scenarios-longrunners.json
@@ -19,6 +19,7 @@
 "apim/117-api_management_product",
 "app_gateway/301-agw-v1",
 "compute/vmware_cluster/101-vmware_cluster",
+ "mssql_mi/200-mi",
 "networking/virtual_network_gateway/100-expressroute-gateway",
 "networking/virtual_network_gateway/101-vpn-site-to-site",
 "networking/virtual_network_gateway/102-vpn-site-to-site-active-active",
diff --git a/examples/mssql_mi/200-mi/configuration.tfvars b/examples/mssql_mi/200-mi/configuration.tfvars
index 72c3278848..962c048b99 100644
--- a/examples/mssql_mi/200-mi/configuration.tfvars
+++ b/examples/mssql_mi/200-mi/configuration.tfvars
@@ -21,7 +21,7 @@ vnets = {
 resource_group_key = "networking_region1"
 vnet = {
 name = "sqlmi-rg1"
- address_space = ["172.25.88.0/21"]
+ address_space = ["172.25.88.0/21","10.2.0.0/24"]
 }
 subnets = {
 sqlmi1 = {
@@ -39,6 +39,12 @@ vnets = {
 ]
 }
 }
+ subnet02 = {
+ name = "subnet02"
+ cidr = ["10.2.0.0/24"]
+ nsg_key = "subnet02"
+ route_table_key = "sqlmi1"
+ }
 }
 }
 }
@@ -71,6 +77,19 @@ mssql_managed_instances = {
 storageSizeInGB = 32
 vCores = 8
+ private_endpoints = {
+ privatelink-sqlmi = {
+ name = "pe-sqlmi1"
+ vnet_key = "sqlmi_region1"
+ subnet_key = "subnet02"
+ resource_group_key = "sqlmi_region1"
+ private_service_connection = {
+ name = "conn-sqlmi1"
+ is_manual_connection = false
+ subresource_names = ["managedInstance"]
+ }
+ }
+ }
 }
 }
 }
diff --git a/examples/mssql_mi/200-mi/nsg.tfvars b/examples/mssql_mi/200-mi/nsg.tfvars
index a01fed2440..d07e9224d5 100644
--- a/examples/mssql_mi/200-mi/nsg.tfvars
+++ b/examples/mssql_mi/200-mi/nsg.tfvars
@@ -83,4 +83,7 @@ network_security_group_definition = {
 }
 ]
 }
+ subnet02 = {
+ nsg= []
+ }
 }
diff --git a/modules/databases/mssql_managed_instance/private_endpoints.tf b/modules/databases/mssql_managed_instance/private_endpoints.tf
new file mode 100644
index 0000000000..81e3668e46
--- /dev/null
+++ b/modules/databases/mssql_managed_instance/private_endpoints.tf
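Review bot: The `privatelink-sqlmi` entry creates the endpoint but carries no `private_dns` block, so nothing in this example registers the instance name in a `privatelink.database.windows.net` zone and VNet clients will not resolve the instance FQDN to the endpoint's address unless DNS is handled outside the example. If the example is meant to show the end-to-end private path, add the `private_dns` block in the shape the networking/private_endpoint module expects (a zone group name plus the private DNS zone key) next to `private_service_connection`, or state the omission in a comment such as `# DNS registration for the endpoint is not configured in this example`. `subresource_names = ["managedInstance"]` is the right sub-resource for SQL MI. The enclosing `mssql_managed_instances` block starts before this hunk.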
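Review bot: `nsg= []` attaches a security group with no custom rules to the private-endpoint subnet, so only the Azure default rules apply and, assuming the networking module creates the NSG exactly as defined here, any source in the VNet or a peered network can reach the endpoint on 1433. If the endpoint is meant to serve a specific consumer subnet, add an inbound rule limited to that source CIDR and port, and add a comment recording the intent, e.g. `# empty rule set: endpoint reachable from the whole VNet`. Note that NSG rules only take effect on a private-endpoint NIC when private-endpoint network policies are enabled on the subnet, which the `subnet02` definition in this patch does not set explicitly, so confirm the networking module's default. Spacing should also follow `terraform fmt`: `nsg = []`.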
@@ -0,0 +1,23 @@
+
+#
+# Private endpoint
+#
+
+module "private_endpoint" {
+ source = "../../networking/private_endpoint"
+ for_each = var.private_endpoints
+
+ resource_id = local.output.id
+ name = each.value.name
+ location = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
+ resource_group_name = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name
+ subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id
+
+ settings = each.value
+ global_settings = var.global_settings
+ base_tags = var.inherit_tags
+ tags = local.tags
+ private_dns = var.private_dns
+ client_config = var.client_config
+}
diff --git a/modules/databases/mssql_managed_instance/variables.tf b/modules/databases/mssql_managed_instance/variables.tf
index 2aafbc3456..7b6ba43c80 100644
--- a/modules/databases/mssql_managed_instance/variables.tf
+++ b/modules/databases/mssql_managed_instance/variables.tf
@@ -7,6 +7,10 @@ variable "base_tags" {
 description = "Base tags for the resource to be inherited from the resource group."
 type = map(any)
 }
+variable "inherit_tags" {
+ description = "Base tags for the resource to be inherited from the resource group."
+ type = bool
+}
 variable "subnet_id" {}
 variable "resource_group_name" {
 description = "(Required) The name of the resource group where to create the resource."
@@ -20,3 +24,9 @@ variable "primary_server_id" {
 default = ""
 }
 variable "keyvault" {}
+variable "vnets" {}
+variable "resource_groups" {}
+variable "private_endpoints" {}
+variable "private_dns" {
+ default = {}
+}
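Review bot: The header comment says only `# Private endpoint`, and a reader cannot tell from it that the endpoint's resource group is resolved from `each.value.resource_group.lz_key`/`.key` (or `resource_group_key`) while the subnet is resolved from the entry's top-level `lz_key` plus `vnet_key`/`subnet_key` unless an explicit `subnet_id` is supplied, so a cross-landing-zone entry has to set both landing-zone keys. Suggest expanding the header to `# One private endpoint per entry in var.private_endpoints. Resource group and subnet are looked up independently (resource_group.lz_key vs lz_key); pass subnet_id to bypass the vnet lookup.` A why-comment on `base_tags = var.inherit_tags` would also help, since `base_tags` in this module is a map but a bool is passed here — presumably the private_endpoint module's `base_tags` is a flag, but that is not visible in this diff. `resource_id = local.output.id` depends on a `local.output` defined elsewhere in the module.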
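Review bot: The description on the new `inherit_tags` variable is copied from `base_tags` ("Base tags for the resource to be inherited from the resource group.") but the variable is typed `bool`, so the text is wrong for what it holds. Suggest `description = "Set to true to merge the resource group's tags (base_tags) into the resource's tags."`.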
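Review bot: `variable "private_endpoints" {}`, `vnets` and `resource_groups` are declared without defaults, so every caller of this module must now pass them even when no private endpoint is wanted; the root modules in this patch do, but any other consumer of the module fails validation on its next plan. Give them the same treatment as `private_dns`: `variable "private_endpoints" { default = {} }`, `variable "vnets" { default = {} }`, `variable "resource_groups" { default = {} }`, which keeps the feature opt-in. A one-line description on `private_endpoints` naming private_endpoints.tf as its consumer would also help.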
diff --git a/modules/databases/mssql_managed_instance_v1/private_endpoints.tf b/modules/databases/mssql_managed_instance_v1/private_endpoints.tf
new file mode 100644
index 0000000000..7b1d83fe7b
--- /dev/null
+++ b/modules/databases/mssql_managed_instance_v1/private_endpoints.tf
@@ -0,0 +1,23 @@
+
+#
+# Private endpoint
+#
+
+module "private_endpoint" {
+ source = "../../networking/private_endpoint"
+ for_each = var.private_endpoints
+
+ resource_id = azurerm_mssql_managed_instance.mssqlmi.id
+ name = each.value.name
+ location = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
+ resource_group_name = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name
+ subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id
+
+ settings = each.value
+ global_settings = var.global_settings
+ base_tags = var.inherit_tags
+ tags = local.tags
+ private_dns = var.private_dns
+ client_config = var.client_config
+}
diff --git a/modules/databases/mssql_managed_instance_v1/variables.tf b/modules/databases/mssql_managed_instance_v1/variables.tf
index 8504b3733b..2ee8d621a8 100644
--- a/modules/databases/mssql_managed_instance_v1/variables.tf
+++ b/modules/databases/mssql_managed_instance_v1/variables.tf
@@ -30,7 +30,16 @@ variable "group_id" {
 }
 variable "keyvault" {}
-
+variable "resource_groups" {}
+variable "vnets" {}
+variable "private_endpoints" {}
+variable "base_tags" {
+ description = "Base tags for the resource to be inherited from the resource group."
+ type = map(any)
+}
+variable "private_dns" {
+ default = {}
+}
 variable "primary_server_id" {}
 variable "settings" {
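Review bot: The `subnet_id` line silently prefers an explicit `each.value.subnet_id` over `vnet_key`/`subnet_key`, and the landing-zone key for that lookup is the entry's top-level `lz_key` while the resource group lookup reads `resource_group.lz_key`; neither rule is documented. Suggest a comment above it: `# An explicit subnet_id wins; otherwise vnet_key/subnet_key are resolved in the landing zone named by lz_key (defaults to the current one).` Apart from `resource_id` this file is byte-for-byte the same as modules/databases/mssql_managed_instance/private_endpoints.tf, so a change to one should be mirrored in the other; `local.tags`, `var.global_settings` and `var.client_config` are assumed to exist in this module and are not shown in the diff.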
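Review bot: `base_tags` is added as a required `map(any)` and `resource_groups`, `vnets`, `private_endpoints` as required untyped variables, so any caller of `mssql_managed_instance_v1` not updated in this patch fails validation; the only deletion is a blank line. Suggest `default = {}` on each of the four, e.g. `variable "base_tags" { description = "..." type = map(any) default = {} }`, matching `private_dns` just below, so that private endpoints stay opt-in. The `variable "settings" {` definition continues past this hunk.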
@@ -54,6 +63,7 @@ variable "settings" {
 "minimal_tls_version",
 "name",
 "networking",
+ "private_endpoints",
 "primary_server",
 "proxy_override",
 "public_data_endpoint_enabled",
diff --git a/msssql_managed_instances.tf b/msssql_managed_instances.tf
index 5bf6b33d61..e4e0b84ad3 100644
--- a/msssql_managed_instances.tf
+++ b/msssql_managed_instances.tf
@@ -16,8 +16,12 @@ module "mssql_managed_instances" {
 location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
 resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name
 base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
+ inherit_tags = try(local.global_settings.inherit_tags, false)
 keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)]
-
+ vnets = local.combined_objects_networking
+ private_endpoints = try(each.value.private_endpoints, {})
+ private_dns = local.combined_objects_private_dns
+ resource_groups = local.combined_objects_resource_groups
 }
 module "mssql_managed_instances_secondary" {
@@ -34,9 +38,14 @@ module "mssql_managed_instances_secondary" {
 location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
 resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name
 base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
+ inherit_tags = try(local.global_settings.inherit_tags, false)
 subnet_id = can(each.value.networking.subnet_id) ? each.value.networking.subnet_id : local.combined_objects_networking[try(each.value.networking.lz_key, local.client_config.landingzone_key)][each.value.networking.vnet_key].subnets[each.value.networking.subnet_key].id
 primary_server_id = local.combined_objects_mssql_managed_instances[try(each.value.primary_server.lz_key, local.client_config.landingzone_key)][each.value.primary_server.mi_server_key].id
 keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)]
+ vnets = local.combined_objects_networking
+ private_endpoints = try(each.value.private_endpoints, {})
+ private_dns = local.combined_objects_private_dns
+ resource_groups = local.combined_objects_resource_groups
 }
 module "mssql_mi_failover_groups" {
diff --git a/msssql_managed_instances_v1.tf b/msssql_managed_instances_v1.tf
index f1ac78b3f0..9de5953861 100644
--- a/msssql_managed_instances_v1.tf
+++ b/msssql_managed_instances_v1.tf
@@ -34,7 +34,12 @@ module "mssql_managed_instances_v1" {
 keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)]
 primary_server_id = null
 group_id = can(each.value.administrators.azuread_group_id) || can(each.value.administrators.azuread_group_key) ? try(each.value.administrators.azuread_group_id, local.combined_objects_azuread_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.administrators.azuread_group_key].id) : null
+ vnets = local.combined_objects_networking
+ private_endpoints = try(each.value.private_endpoints, {})
+ private_dns = local.combined_objects_private_dns
+ resource_groups = local.combined_objects_resource_groups
+ base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
 inherit_tags = try(local.global_settings.inherit_tags, false)
 resource_group = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? null : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]
 resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null
@@ -57,7 +62,12 @@ module "mssql_managed_instances_secondary_v1" {
 primary_server_id = local.combined_objects_mssql_managed_instances[try(each.value.primary_server.lz_key, local.client_config.landingzone_key)][each.value.primary_server.mi_server_key].id
 keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)]
 group_id = can(each.value.administrators.azuread_group_id) || can(each.value.administrators.azuread_group_key) ? try(each.value.administrators.azuread_group_id, local.combined_objects_azuread_groups[try(each.value.administrators.lz_key, local.client_config.landingzone_key)][each.value.administrators.azuread_group_key].id) : null
+ vnets = local.combined_objects_networking
+ private_endpoints = try(each.value.private_endpoints, {})
+ private_dns = local.combined_objects_private_dns
+ resource_groups = local.combined_objects_resource_groups
+ base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
 inherit_tags = try(local.global_settings.inherit_tags, false)
 resource_group = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? null : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]
 resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null