Merge pull request #9 from redpanda-data/paulz/azure-byo-vnet-1

Azure customer managed resources deployed via TF

Author: paulzhang97

customer-managed/azure/terraform/.terraform.lock.hcl

@@ -0,0 +1,5 @@
+data "azurerm_client_config" "current" {}
+
+data "azurerm_location" "redpanda" {
+  location = var.region
+}

customer-managed/azure/terraform/data.tf

@@ -0,0 +1,35 @@
+resource "azurerm_user_assigned_identity" "redpanda_agent" {
+  location            = azurerm_resource_group.iam.location
+  name                = "${var.resource_name_prefix}${var.redpanda_agent_identity_name}"
+  resource_group_name = azurerm_resource_group.iam.name
+}
+
+resource "azurerm_user_assigned_identity" "cert_manager" {
+  location            = azurerm_resource_group.iam.location
+  name                = "${var.resource_name_prefix}${var.redpanda_cert_manager_identity_name}"
+  resource_group_name = azurerm_resource_group.iam.name
+}
+
+resource "azurerm_user_assigned_identity" "external_dns" {
+  location            = azurerm_resource_group.iam.location
+  name                = "${var.resource_name_prefix}${var.redpanda_external_dns_identity_name}"
+  resource_group_name = azurerm_resource_group.iam.name
+}
+
+resource "azurerm_user_assigned_identity" "redpanda_cluster" {
+  location            = azurerm_resource_group.iam.location
+  name                = "${var.resource_name_prefix}${var.redpanda_cluster_identity_name}"
+  resource_group_name = azurerm_resource_group.iam.name
+}
+
+resource "azurerm_user_assigned_identity" "aks" {
+  location            = azurerm_resource_group.iam.location
+  name                = "${var.resource_name_prefix}${var.aks_identity_name}"
+  resource_group_name = azurerm_resource_group.iam.name
+}
+
+resource "azurerm_user_assigned_identity" "redpanda_console" {
+  location            = azurerm_resource_group.iam.location
+  name                = "${var.resource_name_prefix}${var.redpanda_console_identity_name}"
+  resource_group_name = azurerm_resource_group.iam.name
+}

customer-managed/azure/terraform/identities.tf

@@ -0,0 +1,88 @@
+locals {
+  allowed_subnet_ids = [for s in azurerm_subnet.private : s.id]
+}
+
+
+resource "azurerm_key_vault" "vault" {
+  count               = var.redpanda_management_key_vault_name != "" ? 1 : 0
+  name                = "${var.resource_name_prefix}${var.redpanda_management_key_vault_name}"
+  resource_group_name = azurerm_resource_group.redpanda.name
+  location            = azurerm_resource_group.redpanda.location
+  sku_name            = "standard"
+  tenant_id           = var.azure_tenant_id
+
+  public_network_access_enabled = true
+
+  enabled_for_deployment          = true
+  enabled_for_disk_encryption     = true
+  enabled_for_template_deployment = true
+  purge_protection_enabled        = true
+  enable_rbac_authorization       = true
+
+  network_acls {
+    bypass                     = "AzureServices"
+    default_action             = "Allow"
+    virtual_network_subnet_ids = local.allowed_subnet_ids
+  }
+
+  access_policy {
+    tenant_id      = var.azure_tenant_id
+    object_id      = data.azurerm_client_config.current.object_id
+    application_id = data.azurerm_client_config.current.client_id
+
+    secret_permissions = [
+      "Set",
+      "Get",
+      "List",
+      "Delete",
+      "Purge",
+      "Recover",
+      "Restore",
+      "Backup",
+    ]
+  }
+
+  tags = var.tags
+}
+
+resource "azurerm_key_vault" "console" {
+  count               = var.redpanda_console_key_vault_name != "" ? 1 : 0
+  name                = "${var.resource_name_prefix}${var.redpanda_console_key_vault_name}"
+  resource_group_name = azurerm_resource_group.redpanda.name
+  location            = azurerm_resource_group.redpanda.location
+  sku_name            = "standard"
+  tenant_id           = var.azure_tenant_id
+
+  public_network_access_enabled = true
+
+  enabled_for_deployment          = true
+  enabled_for_disk_encryption     = true
+  enabled_for_template_deployment = true
+  purge_protection_enabled        = true
+  enable_rbac_authorization       = true
+
+  network_acls {
+    bypass                     = "AzureServices"
+    default_action             = "Allow"
+    virtual_network_subnet_ids = local.allowed_subnet_ids
+  }
+
+  access_policy {
+    tenant_id      = var.azure_tenant_id
+    object_id      = data.azurerm_client_config.current.object_id
+    application_id = data.azurerm_client_config.current.client_id
+
+    secret_permissions = [
+      "Set",
+      "Get",
+      "List",
+      "Delete",
+      "Purge",
+      "Recover",
+      "Restore",
+      "Backup",
+    ]
+  }
+
+  tags = var.tags
+}

customer-managed/azure/terraform/key_vaults.tf

@@ -0,0 +1,48 @@
+resource "azurerm_virtual_network" "redpanda" {
+  name                = "${var.resource_name_prefix}${var.vnet_name}"
+  location            = var.region
+  resource_group_name = azurerm_resource_group.network.name
+  address_space       = var.vnet_addresses
+
+  tags = var.tags
+}
+
+
+resource "azurerm_subnet" "private" {
+  for_each = var.private_subnets
+
+  name                 = "${var.resource_name_prefix}${each.value.name}"
+  resource_group_name  = azurerm_resource_group.network.name
+  virtual_network_name = azurerm_virtual_network.redpanda.name
+  address_prefixes     = [each.value.cidr]
+
+  # Use Azure's internal network to reach out to the following Azure services
+  service_endpoints = [
+    "Microsoft.Storage.Global",
+    "Microsoft.AzureActiveDirectory",
+    "Microsoft.KeyVault"
+  ]
+
+  lifecycle {
+    # AKS automatically configures subnet delegations when the subnets are assigned
+    # to node pools. To prevent undoing the delegations when network provisioning
+    # re-runs, we ignore any changes on them.
+    ignore_changes = [delegation]
+  }
+}
+
+resource "azurerm_subnet" "public" {
+  for_each = var.egress_subnets
+
+  name                 = "${var.resource_name_prefix}${each.value.name}"
+  resource_group_name  = azurerm_resource_group.network.name
+  virtual_network_name = azurerm_virtual_network.redpanda.name
+  address_prefixes     = [each.value.cidr]
+
+  # Use Azure's internal network to reach out to the following Azure services
+  service_endpoints = [
+    "Microsoft.Storage.Global",
+    "Microsoft.AzureActiveDirectory",
+    "Microsoft.KeyVault",
+  ]
+}

customer-managed/azure/terraform/network.tf

@@ -0,0 +1,95 @@
+output "resource_groups" {
+  description = "Resource groups"
+  value = {
+    "redpanda" : {
+      "name" : azurerm_resource_group.redpanda.name,
+      "id" : azurerm_resource_group.redpanda.id
+    },
+    "storage" : {
+      "name" : azurerm_resource_group.storage.name,
+      "id" : azurerm_resource_group.storage.id
+    },
+    "network" : {
+      "name" : azurerm_resource_group.network.name,
+      "id" : azurerm_resource_group.network.id
+    },
+    "iam" : {
+      "name" : azurerm_resource_group.iam.name,
+      "id" : azurerm_resource_group.iam.id
+    }
+  }
+}
+
+output "roles" {
+  description = "IAM roles"
+  value = {
+    "agent" : azurerm_role_definition.redpanda_agent.id,
+    "console" : azurerm_role_definition.redpanda_console.id,
+    "private-link" : azurerm_role_definition.redpanda_private_link.id
+  }
+}
+
+output "identities" {
+  description = "User assigned identities"
+  value = {
+    "agent" : azurerm_user_assigned_identity.redpanda_agent.id,
+    "cert-manager" : azurerm_user_assigned_identity.cert_manager.id,
+    "external-dns" : azurerm_user_assigned_identity.external_dns.id,
+    "aks" : azurerm_user_assigned_identity.aks.id,
+    "redpanda-cluster" : azurerm_user_assigned_identity.redpanda_cluster.id,
+    "redpanda-console" : azurerm_user_assigned_identity.redpanda_console.id
+  }
+}
+
+output "networks" {
+  description = "Networks"
+  value = {
+    "vnet" : {
+      "name" : azurerm_virtual_network.redpanda.name,
+      "resource_group" : azurerm_virtual_network.redpanda.resource_group_name,
+      "address_space" : join(",", azurerm_virtual_network.redpanda.address_space)
+    },
+    "private-subnets" : {
+      for k, v in azurerm_subnet.private : k => {
+        "id" : v.id,
+        "address_prefixes" : join(",", v.address_prefixes)
+      }
+    },
+    "egress-subnets" : {
+      for k, v in azurerm_subnet.public : k => {
+        "id" : v.id,
+        "address_prefixes" : join(",", v.address_prefixes)
+      }
+    }
+    "subnet-cidrs-aks" : var.reserved_subnet_cidrs
+  }
+}
+
+output "security" {
+  description = "Security groups"
+  value = {
+    "redpanda-cluster" : azurerm_network_security_group.redpanda_cluster.id
+  }
+}
+
+output "storage" {
+  description = "Storage"
+  value = {
+    "management" : {
+      "storage-account-id" : azurerm_storage_account.management.id,
+      "bucket" : azurerm_storage_container.management.id
+    },
+    "tiered" : {
+      "storage-account-id" : azurerm_storage_account.tiered_storage.id,
+      "bucket" : azurerm_storage_container.tiered_storage.id
+    }
+  }
+}
+
+output "vault" {
+  description = "Key vault"
+  value = {
+    "redpanda-cluster" : var.redpanda_console_key_vault_name != "" ? azurerm_key_vault.vault[0].id : ""
+    "redpanda-console" : var.redpanda_console_key_vault_name != "" ? azurerm_key_vault.console[0].id : ""
+  }
+}

customer-managed/azure/terraform/outputs.tf

@@ -0,0 +1,30 @@
+terraform {
+  #backend "azurerm" {}
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "=3.98.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+  skip_provider_registration = false
+
+  client_id       = var.azure_client_id
+  client_secret   = var.azure_client_secret
+  tenant_id       = var.azure_tenant_id
+  subscription_id = var.azure_subscription_id
+
+  use_cli  = var.azure_use_cli
+  use_msi  = var.azure_use_msi
+  use_oidc = var.azure_use_oidc
+
+  # Always use Entra ID authentication instead of shared static keys
+  # If set to false, we get
+  # Error: retrieving queue properties for Storage Account (Subscription: "60fc0bed-3072-4c53-906a-d130a934d520"
+  # Resource Group Name: "pz-tiered-storage-rg"
+  # Storage Account Name: "pztieredstorage"): unmarshalling response: could not parse response body
+  storage_use_azuread = true
+}

customer-managed/azure/terraform/providers.tf

@@ -0,0 +1,30 @@
+
+
+resource "azurerm_resource_group" "redpanda" {
+  name     = "${var.resource_name_prefix}${var.redpanda_resource_group_name}"
+  location = var.region
+
+  tags = var.tags
+}
+
+resource "azurerm_resource_group" "storage" {
+  name     = "${var.resource_name_prefix}${var.redpanda_storage_resource_group_name}"
+  location = var.region
+
+  tags = var.tags
+}
+
+resource "azurerm_resource_group" "network" {
+  name     = "${var.resource_name_prefix}${var.redpanda_network_resource_group_name}"
+  location = var.region
+
+  tags = var.tags
+}
+
+resource "azurerm_resource_group" "iam" {
+  name     = "${var.resource_name_prefix}${var.redpanda_iam_resource_group_name}"
+  location = var.region
+
+  tags = var.tags
+}
+