Add private endpoint support for mysql flexible server

examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars

@@ -27,14 +27,14 @@ cognitive_services_account = {
       # lz_key = "examples"
       key = "test-rg"
     }
-    name     = "cs-test-1"
-    kind     = "OpenAI"
-    sku_name = "S0"
+    name                          = "cs-test-1"
+    kind                          = "OpenAI"
+    sku_name                      = "S0"
     public_network_access_enabled = true
 
     identity = {
       type = "SystemAssigned, UserAssigned" // Can be "SystemAssigned, UserAssigned" or "SystemAssigned" or "UserAssigned"
-      key  = "cognitive_msi" // A must with "SystemAssigned, UserAssigned" and "UserAssigned"
+      key  = "cognitive_msi"                // A must with "SystemAssigned, UserAssigned" and "UserAssigned"
     }
 
     tags = {

examples/mysql_flexible_server/103-mysql-flexible-private-endpoint/configuration.tfvars

@@ -0,0 +1,110 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "australiaeast"
+  }
+}
+
+resource_groups = {
+  mysql_region1 = {
+    name   = "mysql-region1"
+    region = "region1"
+  }
+  security_region1 = {
+    name = "security-region1"
+  }
+}
+
+mysql_flexible_server = {
+  primary_region1 = {
+    name     = "vks-flexible-testservers"
+    version  = "8.0.21" #Possible values are 5.7, and 8.0.21
+    sku_name = "GP_Standard_D2ds_v4"
+    zone     = 1
+    resource_group = {
+      key = "mysql_region1"
+      # lz_key = ""                           # Set the lz_key if the resource group is remote.
+    }
+
+    private_dns_zone_id = "dns_zone1"
+
+    # Auto-generated administrator credentials stored in azure keyvault when not set (recommended).
+    #administrator_username  = "psqladmin"
+    #administrator_password  = "ComplxP@ssw0rd!"
+    keyvault = {
+      key = "mysql_region1" # (Required) when auto-generated administrator credentials needed.
+      # lz_key      = ""                      # Set the lz_key if the keyvault is remote.
+    }
+
+    # [Optional] Server Configurations
+    mysql_configurations = {
+      mysql_configurations = {
+        name  = "interactive_timeout"
+        value = "600"
+      }
+
+    }
+    # [Optional] Database Configurations
+    mysql_databases = {
+      flex_mysql_database = {
+        name      = "exampledb"
+        collation = "utf8mb3_unicode_ci"
+        charset   = "utf8mb3"
+      }
+    }
+
+    tags = {
+      server = "MysqlFlexible"
+    }
+
+    private_endpoints = {
+      private-link-level4 = {
+        name               = "sales-sql-rg1"
+        vnet_key           = "vnet_region1"
+        subnet_key         = "private_dns"
+        resource_group_key = "sql_region1"
+
+        private_service_connection = {
+          name                 = "sales-sql-rg1"
+          is_manual_connection = false
+          subresource_names    = ["mysqlServer"]
+        }
+      }
+    }
+
+  }
+
+}
+
+keyvaults = {
+  mysql_region1 = {
+    name                = "mysql-region123"
+    resource_group_key  = "security_region1"
+    sku_name            = "standard"
+    soft_delete_enabled = true
+    creation_policies = {
+      logged_in_user = {
+        secret_permissions = ["Set", "Get", "List", "Delete", "Purge"]
+      }
+    }
+  }
+}
+
+vnets = {
+  vnet_region1 = {
+    resource_group_key = "mysql_region1"
+    region             = "region1"
+    vnet = {
+      name          = "mysql"
+      address_space = ["10.10.0.0/24"]
+    }
+    subnets = {
+      private_dns = {
+        name                                           = "private-dns"
+        cidr                                           = ["10.10.0.0/25"]
+        enforce_private_link_endpoint_network_policies = true
+        enforce_private_link_service_network_policies  = false
+      }
+    }
+  }
+}

modules/databases/mysql_flexible_server/main.tf

@@ -12,4 +12,3 @@ locals {
   }
   tags = merge(var.base_tags, local.module_tag, try(var.settings.tags, null))
 }
-

modules/databases/mysql_flexible_server/private_endpoints.tf

@@ -0,0 +1,20 @@
+module "private_endpoint" {
+  source   = "../../networking/private_endpoint"
+  for_each = var.private_endpoints
+
+  resource_id = azurerm_mysql_flexible_server.mysql.id
+  name        = each.value.name
+  # location            = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
+  # resource_group_name = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id
+
+  settings        = each.value
+  global_settings = var.global_settings
+  base_tags       = var.inherit_base_tags
+  tags            = local.tags
+  private_dns     = var.private_dns
+  client_config   = var.client_config
+}

modules/databases/mysql_flexible_server/variables.tf

@@ -31,4 +31,21 @@ variable "settings" {
 variable "location" {
   description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created."
   type        = string
+}
+
+variable "private_dns" {
+  default = {}
+}
+
+variable "private_endpoints" {}
+
+variable "resource_groups" {}
+
+variable "resource_group" {}
+
+variable "vnets" {}
+
+variable "inherit_base_tags" {
+  description = "Base tags for the resource to be inherited from the resource group."
+  type        = bool
 }

mysql_flexible_servers.tf

@@ -15,7 +15,11 @@ module "mysql_flexible_server" {
   resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name
   location            = can(local.global_settings.regions[each.value.region]) || can(each.value.region) ? try(local.global_settings.regions[each.value.region], each.value.region) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
 
-
+  private_endpoints = try(each.value.private_endpoints, {})
+  resource_groups   = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups
+  resource_group    = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]
+  vnets             = local.combined_objects_networking
+  inherit_base_tags = local.global_settings.inherit_tags
   remote_objects = {
     subnet_id           = can(each.value.vnet.subnet_key) ? local.combined_objects_networking[try(each.value.vnet.lz_key, local.client_config.landingzone_key)][each.value.vnet.key].subnets[each.value.vnet.subnet_key].id : null
     private_dns_zone_id = can(each.value.private_dns_zone.key) ? local.combined_objects_private_dns[try(each.value.private_dns_zone.lz_key, local.client_config.landingzone_key)][each.value.private_dns_zone.key].id : null