
Commit

Add variables for private_endpoint_network_policies for Azure subnets (#41)

Signed-off-by: Jim Enright <[email protected]>
jimright authored Nov 8, 2023
1 parent d490650 commit 7583e8b
Showing 5 changed files with 34 additions and 2 deletions.
2 changes: 2 additions & 0 deletions modules/terraform-cdp-azure-pre-reqs/README.md
Expand Up @@ -85,6 +85,7 @@ In each directory an example `terraform.tfvars.sample` values file is included t
| <a name="input_cdp_resourcegroup_name"></a> [cdp\_resourcegroup\_name](#input\_cdp\_resourcegroup\_name) | Pre-existing Resource Group for CDP environment. Required if create\_vnet is false. | `string` | `null` | no |
| <a name="input_cdp_subnet_names"></a> [cdp\_subnet\_names](#input\_cdp\_subnet\_names) | List of subnet names for CDP Resources. Required if create\_vnet is false. | `list(any)` | `null` | no |
| <a name="input_cdp_subnet_range"></a> [cdp\_subnet\_range](#input\_cdp\_subnet\_range) | Size of each (internal) cluster subnet. Required if create\_vpc is true. | `number` | `19` | no |
| <a name="input_cdp_subnets_private_endpoint_network_policies_enabled"></a> [cdp\_subnets\_private\_endpoint\_network\_policies\_enabled](#input\_cdp\_subnets\_private\_endpoint\_network\_policies\_enabled) | Enable or Disable network policies for the private endpoint on the CDP subnets | `bool` | `true` | no |
| <a name="input_cdp_vnet_name"></a> [cdp\_vnet\_name](#input\_cdp\_vnet\_name) | Pre-existing VNet Name for CDP environment. Required if create\_vnet is false. | `string` | `null` | no |
| <a name="input_create_azure_cml_nfs"></a> [create\_azure\_cml\_nfs](#input\_create\_azure\_cml\_nfs) | Whether to create NFS for CML | `bool` | `false` | no |
| <a name="input_create_vm_mounting_nfs"></a> [create\_vm\_mounting\_nfs](#input\_create\_vm\_mounting\_nfs) | Whether to create a VM which mounts this NFS | `bool` | `true` | no |
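Review bot: the new `cdp_subnets_private_endpoint_network_policies_enabled` row only says "Enable or Disable network policies for the private endpoint"; since disabling this on a subnet means the subnet's NSG and route-table rules stop being applied to private endpoints placed in it, the description should state that consequence so the `true` default reads as the secure setting and `false` as a deliberate relaxation. While here, the neighbouring `cdp_subnet_range` row still says "Required if create_vpc is true" in an Azure module; `create_vnet` is the name the rest of the table uses.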
Expand All @@ -97,6 +98,7 @@ In each directory an example `terraform.tfvars.sample` values file is included t
| <a name="input_enable_raz"></a> [enable\_raz](#input\_enable\_raz) | Flag to enable Ranger Authorization Service (RAZ) | `bool` | `true` | no |
| <a name="input_env_tags"></a> [env\_tags](#input\_env\_tags) | Tags applied to provisioned resources | `map(any)` | `null` | no |
| <a name="input_gateway_subnet_range"></a> [gateway\_subnet\_range](#input\_gateway\_subnet\_range) | Size of each gateway subnet. Required if create\_vpc is true. | `number` | `24` | no |
| <a name="input_gateway_subnets_private_endpoint_network_policies_enabled"></a> [gateway\_subnets\_private\_endpoint\_network\_policies\_enabled](#input\_gateway\_subnets\_private\_endpoint\_network\_policies\_enabled) | Enable or Disable network policies for the private endpoint on the Gateway subnets | `bool` | `true` | no |
| <a name="input_idbroker_managed_identity_name"></a> [idbroker\_managed\_identity\_name](#input\_idbroker\_managed\_identity\_name) | IDBroker Managed Identity name | `string` | `null` | no |
| <a name="input_idbroker_role_assignments"></a> [idbroker\_role\_assignments](#input\_idbroker\_role\_assignments) | List of Role Assignments for the IDBroker Managed Identity | <pre>list(object({<br> role = string<br> description = string<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign VM Contributor Role to IDBroker Identity at Subscription Level",<br> "role": "Virtual Machine Contributor"<br> },<br> {<br> "description": "Assign Managed Identity Operator Role to IDBroker Identity at Subscription Level",<br> "role": "Managed Identity Operator"<br> }<br>]</pre> | no |
| <a name="input_ingress_extra_cidrs_and_ports"></a> [ingress\_extra\_cidrs\_and\_ports](#input\_ingress\_extra\_cidrs\_and\_ports) | List of extra CIDR blocks and ports to include in Security Group Ingress rules | <pre>object({<br> cidrs = list(string)<br> ports = list(number)<br> })</pre> | <pre>{<br> "cidrs": [],<br> "ports": []<br>}</pre> | no |
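Review bot: the `gateway_subnets_private_endpoint_network_policies_enabled` row does not say when the setting takes effect. Neighbouring rows such as `cdp_vnet_name` carry "Required if create_vnet is false"; since this value is only forwarded into the `azure_cdp_vnet` module (see main.tf in this commit), both new descriptions should say whether the flag has any effect when a pre-existing VNet is supplied with `create_vnet = false`, otherwise users of that path may believe they have hardened subnets they do not manage.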
2 changes: 2 additions & 0 deletions modules/terraform-cdp-azure-pre-reqs/main.tf
Expand Up @@ -43,6 +43,8 @@ module "azure_cdp_vnet" {
cdp_subnet_range = var.cdp_subnet_range
gateway_subnet_range = var.gateway_subnet_range

cdp_subnets_private_endpoint_network_policies_enabled = var.cdp_subnets_private_endpoint_network_policies_enabled
gateway_subnets_private_endpoint_network_policies_enabled = var.gateway_subnets_private_endpoint_network_policies_enabled
}


4 changes: 2 additions & 2 deletions modules/terraform-cdp-azure-pre-reqs/modules/vnet/main.tf
Expand Up @@ -36,7 +36,7 @@ resource "azurerm_subnet" "cdp_subnets" {
address_prefixes = [each.value.cidr]

service_endpoints = ["Microsoft.Sql", "Microsoft.Storage"]
private_endpoint_network_policies_enabled = true
private_endpoint_network_policies_enabled = var.cdp_subnets_private_endpoint_network_policies_enabled

}
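Review bot: swapping the hard-coded `true` for `var.cdp_subnets_private_endpoint_network_policies_enabled` is correct, but the resource block now gives no hint that this attribute is security-relevant: with `false`, NSG and route-table rules on the subnet no longer apply to private endpoints in it. A one-line comment next to `private_endpoint_network_policies_enabled` naming that trade-off (and why a caller might need `false`) would stop a future reader from flipping it casually; the same applies to the `gateway_subnets` block below.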

Expand All @@ -50,6 +50,6 @@ resource "azurerm_subnet" "gateway_subnets" {
address_prefixes = [each.value.cidr]

service_endpoints = ["Microsoft.Sql", "Microsoft.Storage"]
private_endpoint_network_policies_enabled = true
private_endpoint_network_policies_enabled = var.gateway_subnets_private_endpoint_network_policies_enabled

}
12 changes: 12 additions & 0 deletions modules/terraform-cdp-azure-pre-reqs/modules/vnet/variables.tf
Expand Up @@ -74,3 +74,15 @@ variable "env_prefix" {
type = string
description = "Shorthand name for the environment. Used in resource descriptions"
}

variable "cdp_subnets_private_endpoint_network_policies_enabled" {
type = bool

description = "Enable or Disable network policies for the private endpoint on the CDP subnets"
}

variable "gateway_subnets_private_endpoint_network_policies_enabled" {
type = bool

description = "Enable or Disable network policies for the private endpoint on the Gateway subnets"
}
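Review bot: the two new submodule variables have no `default`, so this is a breaking change for any caller of `modules/vnet` other than the root module: before this commit the attribute was hard-coded to `true` and needed no input. If that is intended, fine; otherwise add `default = true` here as the root `variables.tf` in this commit does, which also keeps the secure-by-default behaviour if a caller forgets to pass the value. Minor: the blank line between `type` and `description` does not match the `env_prefix` block directly above.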
16 changes: 16 additions & 0 deletions modules/terraform-cdp-azure-pre-reqs/variables.tf
Expand Up @@ -167,6 +167,22 @@ variable "ingress_extra_cidrs_and_ports" {
}
}

variable "cdp_subnets_private_endpoint_network_policies_enabled" {
type = bool
description = "Enable or Disable network policies for the private endpoint on the CDP subnets"

default = true

}

variable "gateway_subnets_private_endpoint_network_policies_enabled" {
type = bool

description = "Enable or Disable network policies for the private endpoint on the Gateway subnets"

default = true
}

# ------- Storage Resources -------
variable "random_id_for_bucket" {
type = bool
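Review bot: the two new variable blocks are formatted inconsistently with each other (blank line after `description` and before the closing brace in the first, after `type` in the second) and with the surrounding blocks, which use no blank lines inside the body; run `terraform fmt` style by hand and match the neighbours. Since both descriptions read "Enable or Disable network policies for the private endpoint", the root-level descriptions are the place to say what disabling gives up (subnet NSG and route-table enforcement for private endpoints) so that `default = true` is recognisable as the hardened choice.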

0 comments on commit 7583e8b