From 30cf839f65d078170e3c4b6f65648d2bf3a727f2 Mon Sep 17 00:00:00 2001 From: Mihail Radkov Date: Sun, 19 Nov 2023 17:04:13 +0200 Subject: [PATCH] TES-307: Removed data sources Data sources are used when a resource is managed outside the current Terraform. - Replaced data sources with the needed identifier variables - Removed incorrect depends_on - Minor code organization and comment updates for consistency --- main.tf | 88 ++++++++++++------------------ modules/address/main.tf | 13 +---- modules/address/outputs.tf | 5 ++ modules/address/variables.tf | 5 ++ modules/bastion/README.md | 1 + modules/bastion/main.tf | 34 +++++------- modules/bastion/outputs.tf | 0 modules/bastion/variables.tf | 13 +++-- modules/configuration/main.tf | 26 +++------ modules/configuration/variables.tf | 13 ++--- modules/gateway/main.tf | 33 ++--------- modules/gateway/variables.tf | 22 ++++---- modules/identity/main.tf | 8 +-- modules/identity/output.tf | 10 ++++ modules/identity/variables.tf | 5 ++ modules/tls/main.tf | 24 ++------ modules/tls/outputs.tf | 5 ++ modules/tls/variables.tf | 9 ++- modules/vault/main.tf | 8 +-- modules/vault/output.tf | 5 ++ modules/vault/variables.tf | 5 ++ modules/vm/main.tf | 56 +++++-------------- modules/vm/variables.tf | 27 +++++++-- 23 files changed, 181 insertions(+), 234 deletions(-) create mode 100644 modules/bastion/README.md create mode 100644 modules/bastion/outputs.tf diff --git a/main.tf b/main.tf index cdb32cd..257e2e9 100644 --- a/main.tf +++ b/main.tf @@ -67,12 +67,11 @@ module "address" { source = "./modules/address" resource_name_prefix = var.resource_name_prefix + location = var.location resource_group_name = azurerm_resource_group.graphdb.name zones = var.zones tags = local.tags - - depends_on = [azurerm_resource_group.graphdb] } # Creates a user assigned identity which will be provided to GraphDB VMs. 
@@ -80,11 +79,10 @@ module "identity" { source = "./modules/identity" resource_name_prefix = var.resource_name_prefix + location = var.location resource_group_name = azurerm_resource_group.graphdb.name tags = local.tags - - depends_on = [azurerm_resource_group.graphdb] } # Creates Key Vault for secure storage of GraphDB configurations and secrets @@ -92,20 +90,18 @@ module "vault" { source = "./modules/vault" resource_name_prefix = var.resource_name_prefix + location = var.location resource_group_name = azurerm_resource_group.graphdb.name tags = local.tags - - depends_on = [azurerm_resource_group.graphdb] } # Managed GraphDB configurations in the Key Vault module "configuration" { source = "./modules/configuration" - resource_group_name = azurerm_resource_group.graphdb.name - identity_name = module.identity.identity_name - key_vault_name = module.vault.key_vault_name + key_vault_id = module.vault.key_vault_id + identity_principal_id = module.identity.identity_principal_id graphdb_license_path = var.graphdb_license_path graphdb_cluster_token = var.graphdb_cluster_token @@ -114,11 +110,8 @@ module "configuration" { tags = local.tags - depends_on = [ - azurerm_resource_group.graphdb, - # Wait for complete module creation - module.vault - ] + # Wait for role assignments + depends_on = [module.vault] } # Creates a TLS certificate secret in the Key Vault and related identity 
@@ -126,40 +119,36 @@ module "tls" { source = "./modules/tls" resource_name_prefix = var.resource_name_prefix + location = var.location resource_group_name = azurerm_resource_group.graphdb.name - key_vault_name = module.vault.key_vault_name + key_vault_id = module.vault.key_vault_id tls_certificate = filebase64(var.tls_certificate_path) tls_certificate_password = var.tls_certificate_password tags = local.tags - depends_on = [azurerm_resource_group.graphdb, module.identity, module.vault] + # Wait for role assignments + depends_on = [module.identity, module.vault] } # Creates a public application gateway for forwarding internet traffic to the GraphDB proxies module "application_gateway" { source = "./modules/gateway" - resource_name_prefix = var.resource_name_prefix - resource_group_name = azurerm_resource_group.graphdb.name - network_interface_name = azurerm_virtual_network.graphdb.name - - gateway_subnet_name = azurerm_subnet.graphdb-gateway.name + resource_name_prefix = var.resource_name_prefix + location = var.location + resource_group_name = azurerm_resource_group.graphdb.name - gateway_public_ip_name = module.address.public_ip_address_name - gateway_identity_name = module.tls.tls_identity_name + gateway_subnet_id = azurerm_subnet.graphdb-gateway.id + gateway_public_ip_id = module.address.public_ip_address_id + gateway_identity_id = module.tls.tls_identity_id gateway_tls_certificate_secret_id = module.tls.tls_certificate_key_vault_secret_id tags = local.tags - depends_on = [ - azurerm_resource_group.graphdb, - azurerm_virtual_network.graphdb, - azurerm_subnet.graphdb-vmss, - module.address, - module.tls - ] + # Wait for role assignments + depends_on = [module.tls] } # Module for resolving the GraphDB shared image ID 
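Review bot: `module "tls"` keeps `depends_on = [module.identity, module.vault]` under the new comment `# Wait for role assignments`, yet none of the tls inputs in this hunk come from `module.identity`, and the identity module as shown on this page (modules/identity/main.tf) only creates the user assigned identity and assigns no roles. As far as the visible hunks show, `module.identity` is one of the incorrect depends_on entries this commit sets out to remove; the dependency the comment actually describes is the vault, so `depends_on = [module.vault]` would be the accurate line. Worth confirming against the identity module files not touched by this patch before dropping it.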
@@ -177,36 +166,36 @@ module "bastion" { source = "./modules/bastion" resource_group_name = azurerm_resource_group.graphdb.name + location = var.location virtual_network_name = azurerm_virtual_network.graphdb.name resource_name_prefix = var.resource_name_prefix bastion_subnet_address_prefix = var.bastion_subnet_address_prefix tags = local.tags - - depends_on = [ - azurerm_resource_group.graphdb, - azurerm_virtual_network.graphdb - ] } # Creates a VM scale set for GraphDB and GraphDB cluster proxies module "vm" { source = "./modules/vm" - resource_name_prefix = var.resource_name_prefix - resource_group_name = azurerm_resource_group.graphdb.name - network_interface_name = azurerm_virtual_network.graphdb.name - zones = var.zones + resource_name_prefix = var.resource_name_prefix + location = var.location + resource_group_name = azurerm_resource_group.graphdb.name + resource_group_id = azurerm_resource_group.graphdb.id + zones = var.zones + + graphdb_subnet_id = azurerm_subnet.graphdb-vmss.id + graphdb_subnet_cidr = one(azurerm_subnet.graphdb-vmss.address_prefixes) - graphdb_subnet_name = azurerm_subnet.graphdb-vmss.name + identity_id = module.identity.identity_id + identity_principal_id = module.identity.identity_principal_id application_gateway_backend_address_pool_ids = [module.application_gateway.gateway_backend_address_pool_id] - identity_name = module.identity.identity_name - key_vault_name = module.vault.key_vault_name + # Configurations for the user data script graphdb_external_address_fqdn = module.address.public_ip_address_fqdn - - data_disk_performance_tier = var.data_disk_performance_tier - disk_size_gb = var.disk_size_gb + key_vault_name = module.vault.key_vault_name + data_disk_performance_tier = var.data_disk_performance_tier + disk_size_gb = var.disk_size_gb instance_type = var.instance_type image_id = module.graphdb_image.image_id 
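Review bot: `graphdb_subnet_cidr = one(azurerm_subnet.graphdb-vmss.address_prefixes)` in `module "vm"` will make the plan fail whenever the VMSS subnet carries more than one address prefix, because `one()` errors on a collection with several elements (the data source it replaces read the singular `address_prefix`). Passing the list through instead, `graphdb_subnet_cidrs = azurerm_subnet.graphdb-vmss.address_prefixes`, with the module variable typed `list(string)` and the two NSG rules in modules/vm/main.tf switched to `destination_address_prefixes = var.graphdb_subnet_cidrs`, handles multi-prefix subnets while behaving identically for the single-prefix case. The `module "vm"` block continues past the end of this hunk.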
@@ -218,11 +207,6 @@ module "vm" { tags = local.tags - depends_on = [ - azurerm_resource_group.graphdb, - azurerm_virtual_network.graphdb, - azurerm_subnet.graphdb-vmss, - # Needed because the license is being created at the same time as the machines. - module.configuration - ] + # Wait for configurations to be created in the key vault and roles to be assigned + depends_on = [module.configuration] } diff --git a/modules/address/main.tf b/modules/address/main.tf index 24db6e3..37d385a 100644 --- a/modules/address/main.tf +++ b/modules/address/main.tf @@ -1,12 +1,3 @@ -data "azurerm_resource_group" "graphdb" { - name = var.resource_group_name -} - -locals { - resource_group = data.azurerm_resource_group.graphdb.name - location = data.azurerm_resource_group.graphdb.location -} - resource "random_string" "fqdn" { length = 6 special = false @@ -16,8 +7,8 @@ resource "random_string" "fqdn" { resource "azurerm_public_ip" "graphdb-public-ip-address" { name = "${var.resource_name_prefix}-public-address" - resource_group_name = local.resource_group - location = local.location + resource_group_name = var.resource_group_name + location = var.location sku = "Standard" allocation_method = "Static" diff --git a/modules/address/outputs.tf b/modules/address/outputs.tf index b109bf5..1dc74c0 100644 --- a/modules/address/outputs.tf +++ b/modules/address/outputs.tf @@ -3,6 +3,11 @@ output "public_ip_address_name" { value = azurerm_public_ip.graphdb-public-ip-address.name } +output "public_ip_address_id" { + description = "Name of the public IP address" + value = azurerm_public_ip.graphdb-public-ip-address.id +} + output "public_ip_address_fqdn" { description = "The assigned FQDN of the public IP address" value = azurerm_public_ip.graphdb-public-ip-address.fqdn diff --git a/modules/address/variables.tf b/modules/address/variables.tf index 5cb03aa..678cb38 100644 --- a/modules/address/variables.tf +++ b/modules/address/variables.tf 
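Review bot: The new `public_ip_address_id` output in modules/address/outputs.tf carries the description of the neighbouring `public_ip_address_name` output, `description = "Name of the public IP address"`, which is wrong for an identifier. It should read `description = "Identifier of the public IP address"`, matching the wording this commit uses for the new `*_id` outputs in the identity, vault and tls modules.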
@@ -5,6 +5,11 @@ variable "resource_name_prefix" { type = string } +variable "location" { + description = "Azure geographical location where resources will be deployed" + type = string +} + variable "zones" { description = "Availability zones for the public IP address." type = list(number) diff --git a/modules/bastion/README.md b/modules/bastion/README.md new file mode 100644 index 0000000..53c24a7 --- /dev/null +++ b/modules/bastion/README.md @@ -0,0 +1 @@ +# GraphDB Bastion Module diff --git a/modules/bastion/main.tf b/modules/bastion/main.tf index 5ac6051..bb973ef 100644 --- a/modules/bastion/main.tf +++ b/modules/bastion/main.tf 
@@ -1,37 +1,29 @@ -data "azurerm_resource_group" "graphdb" { - name = var.resource_group_name -} - -data "azurerm_virtual_network" "graphdb" { - name = var.virtual_network_name - resource_group_name = data.azurerm_resource_group.graphdb.name -} - -resource "azurerm_subnet" "subnet" { +resource "azurerm_subnet" "graphdb-bastion-subnet" { name = "AzureBastionSubnet" - resource_group_name = data.azurerm_resource_group.graphdb.name - virtual_network_name = data.azurerm_virtual_network.graphdb.name + resource_group_name = var.resource_group_name + virtual_network_name = var.virtual_network_name address_prefixes = var.bastion_subnet_address_prefix } -resource "azurerm_public_ip" "publicIP" { +resource "azurerm_public_ip" "graphdb-bastion-public-ip" { name = "${var.resource_name_prefix}_bastion_publicIP" - location = data.azurerm_resource_group.graphdb.location - resource_group_name = data.azurerm_resource_group.graphdb.name + location = var.location + resource_group_name = var.resource_group_name allocation_method = "Static" sku = "Standard" tags = var.tags } -resource "azurerm_bastion_host" "bastionHost" { +resource "azurerm_bastion_host" "graphdb-bastion-host" { name = "${var.resource_name_prefix}_bastion" - location = data.azurerm_resource_group.graphdb.location - resource_group_name = data.azurerm_resource_group.graphdb.name - tags = var.tags + location = var.location + resource_group_name = var.resource_group_name ip_configuration { name = "configuration" - subnet_id = azurerm_subnet.subnet.id - public_ip_address_id = azurerm_public_ip.publicIP.id + subnet_id = azurerm_subnet.graphdb-bastion-subnet.id + public_ip_address_id = azurerm_public_ip.graphdb-bastion-public-ip.id } + + tags = var.tags } diff --git a/modules/bastion/outputs.tf b/modules/bastion/outputs.tf new file mode 100644 index 0000000..e69de29 diff --git a/modules/bastion/variables.tf b/modules/bastion/variables.tf index 35c4b8a..30264aa 100644 --- a/modules/bastion/variables.tf 
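Review bot: Renaming `azurerm_subnet.subnet`, `azurerm_public_ip.publicIP` and `azurerm_bastion_host.bastionHost` changes their resource addresses, so on an existing state Terraform will plan to destroy and recreate the Bastion subnet, public IP and host rather than keep them, and the Bastion's public address will change as a result. Adding `moved` blocks for the three renames (supported since Terraform 1.1) lets the state follow the new labels without replacement; they can live at the bottom of this file and be deleted once every deployment has applied the change.
```hcl
# … unchanged: subnet, public IP and bastion host resources …

moved {
  from = azurerm_subnet.subnet
  to   = azurerm_subnet.graphdb-bastion-subnet
}

moved {
  from = azurerm_public_ip.publicIP
  to   = azurerm_public_ip.graphdb-bastion-public-ip
}

moved {
  from = azurerm_bastion_host.bastionHost
  to   = azurerm_bastion_host.graphdb-bastion-host
}
```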
+++ b/modules/bastion/variables.tf @@ -1,12 +1,12 @@ # Common configurations -variable "resource_group_name" { - description = "Name of the resource group where Bastion will be deployed." +variable "resource_name_prefix" { + description = "Resource name prefix" type = string } -variable "resource_name_prefix" { - description = "Resource name prefix" +variable "location" { + description = "Azure geographical location where resources will be deployed" type = string } @@ -16,6 +16,11 @@ variable "tags" { default = {} } +variable "resource_group_name" { + description = "Name of the resource group where Bastion will be deployed." + type = string +} + # Networking variable "virtual_network_name" { diff --git a/modules/configuration/main.tf b/modules/configuration/main.tf index 728601a..fc8bb6c 100644 --- a/modules/configuration/main.tf +++ b/modules/configuration/main.tf @@ -1,13 +1,3 @@ -data "azurerm_user_assigned_identity" "graphdb-instances" { - name = var.identity_name - resource_group_name = var.resource_group_name -} - -data "azurerm_key_vault" "graphdb" { - name = var.key_vault_name - resource_group_name = var.resource_group_name -} - resource "random_password" "graphdb-cluster-token" { count = var.graphdb_cluster_token != null ? 0 : 1 length = 16 @@ -19,7 +9,7 @@ locals { } resource "azurerm_key_vault_secret" "graphdb-license" { - key_vault_id = data.azurerm_key_vault.graphdb.id + key_vault_id = var.key_vault_id name = var.graphdb_license_secret_name value = filebase64(var.graphdb_license_path) @@ -28,7 +18,7 @@ resource "azurerm_key_vault_secret" "graphdb-license" { } resource "azurerm_key_vault_secret" "graphdb-cluster-token" { - key_vault_id = data.azurerm_key_vault.graphdb.id + key_vault_id = var.key_vault_id name = var.graphdb_cluster_token_name value = base64encode(local.graphdb_cluster_token) 
@@ -39,7 +29,7 @@ resource "azurerm_key_vault_secret" "graphdb-cluster-token" { resource "azurerm_key_vault_secret" "graphdb-properties" { count = var.graphdb_properties_path != null ? 1 : 0 - key_vault_id = data.azurerm_key_vault.graphdb.id + key_vault_id = var.key_vault_id name = var.graphdb_properties_secret_name value = filebase64(var.graphdb_properties_path) @@ -50,7 +40,7 @@ resource "azurerm_key_vault_secret" "graphdb-properties" { resource "azurerm_key_vault_secret" "graphdb-java-options" { count = var.graphdb_java_options != null ? 1 : 0 - key_vault_id = data.azurerm_key_vault.graphdb.id + key_vault_id = var.key_vault_id name = var.graphdb_java_options_secret_name value = base64encode(var.graphdb_java_options) @@ -63,14 +53,14 @@ resource "azurerm_key_vault_secret" "graphdb-java-options" { # Give rights to the provided identity to be able to read it from the vault resource "azurerm_role_assignment" "graphdb-license-reader" { - principal_id = data.azurerm_user_assigned_identity.graphdb-instances.principal_id - scope = data.azurerm_key_vault.graphdb.id + principal_id = var.identity_principal_id + scope = var.key_vault_id role_definition_name = "Key Vault Reader" } # Give rights to the provided identity to actually get the secret value resource "azurerm_role_assignment" "graphdb-license-secret-reader" { - principal_id = data.azurerm_user_assigned_identity.graphdb-instances.principal_id - scope = data.azurerm_key_vault.graphdb.id + principal_id = var.identity_principal_id + scope = var.key_vault_id role_definition_name = "Key Vault Secrets User" } diff --git a/modules/configuration/variables.tf b/modules/configuration/variables.tf index 05e3598..0435a8d 100644 --- a/modules/configuration/variables.tf +++ b/modules/configuration/variables.tf 
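Review bot: Both role assignments in hunk `@@ -63,14 +53,14 @@` are scoped to the entire vault (`scope = var.key_vault_id`), while the comments above them describe granting the identity the right to read "it", i.e. the license secret; because the TLS certificate is stored in the same vault (modules/tls/main.tf on this page), the VM identity can also read the certificate's private material, and conversely `graphdb-tls-certificate-reader` in modules/tls/main.tf (hunk `@@ -24,16 +10,18 @@`) lets the gateway identity read the license and cluster token. Azure RBAC supports assignments on individual secrets, so `Key Vault Secrets User` can be granted per secret, e.g. `scope = azurerm_key_vault_secret.graphdb-license.resource_versionless_id` (one assignment per secret the VMs need), which also keeps the existing comments accurate. If vault-wide access is intentional, the comments should say so, e.g. `# Grants read access to every secret in the vault, including the TLS certificate`.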
@@ -6,20 +6,15 @@ variable "tags" { default = {} } -variable "resource_group_name" { - description = "Name of the resource group where GraphDB will be deployed." - type = string -} - # Security dependencies -variable "identity_name" { - description = "Name of a user assigned identity for assigning permissions" +variable "identity_principal_id" { + description = "Principal identifier of a user assigned identity for assigning permissions" type = string } -variable "key_vault_name" { - description = "Name of a Key Vault containing GraphDB configurations" +variable "key_vault_id" { + description = "Identifier of a Key Vault for storing GraphDB configurations" type = string } diff --git a/modules/gateway/main.tf b/modules/gateway/main.tf index fd91e2b..ab598c3 100644 --- a/modules/gateway/main.tf +++ b/modules/gateway/main.tf @@ -1,27 +1,4 @@ -data "azurerm_resource_group" "graphdb" { - name = var.resource_group_name -} - -data "azurerm_subnet" "graphdb-gateway" { - name = var.gateway_subnet_name - resource_group_name = var.resource_group_name - virtual_network_name = var.network_interface_name -} - -data "azurerm_public_ip" "graphdb-gateway" { - name = var.gateway_public_ip_name - resource_group_name = var.resource_group_name -} - -data "azurerm_user_assigned_identity" "graphdb-gateway-tls" { - name = var.gateway_identity_name - resource_group_name = var.resource_group_name -} - locals { - resource_group = data.azurerm_resource_group.graphdb.name - location = data.azurerm_resource_group.graphdb.location - gateway_ip_configuration_name = "${var.resource_name_prefix}-gateway-ip" gateway_frontend_http_port_name = "${var.resource_name_prefix}-gateway-http" gateway_frontend_https_port_name = "${var.resource_name_prefix}-gateway-https" 
@@ -39,8 +16,8 @@ locals { resource "azurerm_application_gateway" "graphdb" { name = var.resource_name_prefix - resource_group_name = local.resource_group - location = local.location + resource_group_name = var.resource_group_name + location = var.location autoscale_configuration { min_capacity = var.gateway_min_capacity @@ -58,7 +35,7 @@ resource "azurerm_application_gateway" "graphdb" { identity { type = "UserAssigned" - identity_ids = [data.azurerm_user_assigned_identity.graphdb-gateway-tls.id] + identity_ids = [var.gateway_identity_id] } ssl_certificate { @@ -68,7 +45,7 @@ resource "azurerm_application_gateway" "graphdb" { gateway_ip_configuration { name = local.gateway_ip_configuration_name - subnet_id = data.azurerm_subnet.graphdb-gateway.id + subnet_id = var.gateway_subnet_id } # HTTP @@ -85,7 +62,7 @@ resource "azurerm_application_gateway" "graphdb" { frontend_ip_configuration { name = local.gateway_frontend_ip_configuration_name - public_ip_address_id = data.azurerm_public_ip.graphdb-gateway.id + public_ip_address_id = var.gateway_public_ip_id } backend_address_pool { diff --git a/modules/gateway/variables.tf b/modules/gateway/variables.tf index 62c53be..8717834 100644 --- a/modules/gateway/variables.tf +++ b/modules/gateway/variables.tf @@ -5,6 +5,11 @@ variable "resource_name_prefix" { type = string } +variable "location" { + description = "Azure geographical location where resources will be deployed" + type = string +} + variable "tags" { description = "Common resource tags." type = map(string) 
@@ -18,18 +23,13 @@ variable "resource_group_name" { # Networking -variable "network_interface_name" { - description = "Network ID where GraphDB will be deployed" - type = string -} - -variable "gateway_subnet_name" { - description = "Subnet where the Application Gateway will be deployed" +variable "gateway_subnet_id" { + description = "Subnet identifier where the Application Gateway will be deployed" type = string } -variable "gateway_public_ip_name" { - description = "Name of the public IP address to be used by the Application Gateway" +variable "gateway_public_ip_id" { + description = "Identifier of the public IP address to be used by the Application Gateway" type = string } @@ -110,7 +110,7 @@ variable "gateway_tls_certificate_secret_id" { type = string } -variable "gateway_identity_name" { - description = "Name of a user assigned identity having access to the TLS certificate in the Key Vault" +variable "gateway_identity_id" { + description = "Identifier of a user assigned identity having access to the TLS certificate in the Key Vault" type = string } diff --git a/modules/identity/main.tf b/modules/identity/main.tf index ba835bd..ebccf14 100644 --- a/modules/identity/main.tf +++ b/modules/identity/main.tf @@ -1,11 +1,7 @@ -data "azurerm_resource_group" "graphdb" { - name = var.resource_group_name -} - resource "azurerm_user_assigned_identity" "graphdb-instances" { name = "${var.resource_name_prefix}-vmss" - resource_group_name = data.azurerm_resource_group.graphdb.name - location = data.azurerm_resource_group.graphdb.location + resource_group_name = var.resource_group_name + location = var.location tags = var.tags } diff --git a/modules/identity/output.tf b/modules/identity/output.tf index 5455e3d..60a5dd1 100644 --- a/modules/identity/output.tf +++ b/modules/identity/output.tf 
@@ -2,3 +2,13 @@ output "identity_name" { description = "Name of the user assigned identity" value = azurerm_user_assigned_identity.graphdb-instances.name } + +output "identity_id" { + description = "Identifier of the user assigned identity" + value = azurerm_user_assigned_identity.graphdb-instances.id +} + +output "identity_principal_id" { + description = "Principal identifier of the user assigned identity" + value = azurerm_user_assigned_identity.graphdb-instances.principal_id +} diff --git a/modules/identity/variables.tf b/modules/identity/variables.tf index 8dc871a..67c945f 100644 --- a/modules/identity/variables.tf +++ b/modules/identity/variables.tf @@ -3,6 +3,11 @@ variable "resource_name_prefix" { type = string } +variable "location" { + description = "Azure geographical location where resources will be deployed" + type = string +} + variable "tags" { description = "Common resource tags." type = map(string) diff --git a/modules/tls/main.tf b/modules/tls/main.tf index d55bd4a..4c730ad 100644 --- a/modules/tls/main.tf +++ b/modules/tls/main.tf @@ -1,21 +1,7 @@ -data "azurerm_resource_group" "graphdb" { - name = var.resource_group_name -} - -data "azurerm_key_vault" "graphdb" { - name = var.key_vault_name - resource_group_name = var.resource_group_name -} - -locals { - resource_group = data.azurerm_resource_group.graphdb.name - location = data.azurerm_resource_group.graphdb.location -} - resource "azurerm_user_assigned_identity" "graphdb-tls-certificate" { name = "${var.resource_name_prefix}-tls" - resource_group_name = local.resource_group - location = local.location + resource_group_name = var.resource_group_name + location = var.location tags = var.tags } 
@@ -24,16 +10,18 @@ resource "azurerm_user_assigned_identity" "graphdb-tls-certificate" { resource "azurerm_role_assignment" "graphdb-tls-certificate-reader" { principal_id = azurerm_user_assigned_identity.graphdb-tls-certificate.principal_id - scope = data.azurerm_key_vault.graphdb.id + scope = var.key_vault_id role_definition_name = "Key Vault Secrets User" } resource "azurerm_key_vault_certificate" "graphdb-tls-certificate" { name = "${var.resource_name_prefix}-tls" - key_vault_id = data.azurerm_key_vault.graphdb.id + key_vault_id = var.key_vault_id certificate { contents = var.tls_certificate password = var.tls_certificate_password } + + tags = var.tags } diff --git a/modules/tls/outputs.tf b/modules/tls/outputs.tf index f5201ef..5ad8bb6 100644 --- a/modules/tls/outputs.tf +++ b/modules/tls/outputs.tf @@ -7,3 +7,8 @@ output "tls_identity_name" { description = "Name of the user assigned identity having permissions for reading the TLS certificate secret" value = azurerm_user_assigned_identity.graphdb-tls-certificate.name } + +output "tls_identity_id" { + description = "Identifier of the user assigned identity having permissions for reading the TLS certificate secret" + value = azurerm_user_assigned_identity.graphdb-tls-certificate.id +} diff --git a/modules/tls/variables.tf b/modules/tls/variables.tf index 90f652c..e37d89c 100644 --- a/modules/tls/variables.tf +++ b/modules/tls/variables.tf @@ -5,6 +5,11 @@ variable "resource_name_prefix" { type = string } +variable "location" { + description = "Azure geographical location where resources will be deployed" + type = string +} + variable "tags" { description = "Common resource tags." type = map(string) @@ -18,8 +23,8 @@ variable "resource_group_name" { # Key Vault -variable "key_vault_name" { - description = "Name of a Key Vault containing GraphDB configurations" +variable "key_vault_id" { + description = "Identifier of a Key Vault for storing secrets and certificates" type = string } 
diff --git a/modules/vault/main.tf b/modules/vault/main.tf index 2d28a0c..cde78fb 100644 --- a/modules/vault/main.tf +++ b/modules/vault/main.tf @@ -1,7 +1,3 @@ -data "azurerm_resource_group" "graphdb" { - name = var.resource_group_name -} - data "azurerm_client_config" "current" { } @@ -20,8 +16,8 @@ locals { # TODO: Improve the security of the vault (non-public + nacl + network firewall) resource "azurerm_key_vault" "graphdb" { name = local.vault_name - resource_group_name = data.azurerm_resource_group.graphdb.name - location = data.azurerm_resource_group.graphdb.location + resource_group_name = var.resource_group_name + location = var.location tenant_id = data.azurerm_client_config.current.tenant_id sku_name = "standard" diff --git a/modules/vault/output.tf b/modules/vault/output.tf index 51954f6..5afccbf 100644 --- a/modules/vault/output.tf +++ b/modules/vault/output.tf @@ -2,3 +2,8 @@ output "key_vault_name" { description = "Key vault name for storing GraphDB configurations and secrets" value = azurerm_key_vault.graphdb.name } + +output "key_vault_id" { + description = "Key vault identifier for storing GraphDB configurations and secrets" + value = azurerm_key_vault.graphdb.id +} diff --git a/modules/vault/variables.tf b/modules/vault/variables.tf index 8dc871a..67c945f 100644 --- a/modules/vault/variables.tf +++ b/modules/vault/variables.tf @@ -3,6 +3,11 @@ variable "resource_name_prefix" { type = string } +variable "location" { + description = "Azure geographical location where resources will be deployed" + type = string +} + variable "tags" { description = "Common resource tags." type = map(string) diff --git a/modules/vm/main.tf b/modules/vm/main.tf index 7860b32..8a8d498 100644 --- a/modules/vm/main.tf +++ b/modules/vm/main.tf 
@@ -1,41 +1,16 @@ -data "azurerm_resource_group" "graphdb" { - name = var.resource_group_name -} - -data "azurerm_subnet" "graphdb" { - name = var.graphdb_subnet_name - resource_group_name = var.resource_group_name - virtual_network_name = var.network_interface_name -} - -data "azurerm_user_assigned_identity" "graphdb-instances" { - name = var.identity_name - resource_group_name = var.resource_group_name -} - -locals { - resource_group = data.azurerm_resource_group.graphdb.name - location = data.azurerm_resource_group.graphdb.location - - subnet_id = data.azurerm_subnet.graphdb.id - subnet_cidr = data.azurerm_subnet.graphdb.address_prefix -} - -# TODO: Move out of here to a sg module ? # Create Network Security Group and rules resource "azurerm_network_security_group" "graphdb" { name = "${var.resource_name_prefix}-nic" - resource_group_name = local.resource_group - location = local.location + resource_group_name = var.resource_group_name + location = var.location tags = var.tags } -# TODO: This won't matter when we remove the public IPs of the machines. We'd have to use Bastion resource "azurerm_network_security_rule" "graphdb-inbound-ssh" { count = var.source_ssh_blocks != null ? 1 : 0 - resource_group_name = local.resource_group + resource_group_name = var.resource_group_name network_security_group_name = azurerm_network_security_group.graphdb.name name = "graphdb_ssh_inbound" 
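Review bot: The TODO deleted above `graphdb-inbound-ssh` was the only record of why port 22 is opened to the GraphDB subnet from `var.source_ssh_blocks` and that the rule was expected to go away once the VMs lose their public IPs; with the bastion module now part of the deployment, that intent should be restated rather than dropped. Suggest `# Inbound SSH to the GraphDB subnet from var.source_ssh_blocks; review once VM public IPs are removed in favour of Bastion` in its place. The rule's body continues in the next hunk.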
@@ -47,13 +22,11 @@ resource "azurerm_network_security_rule" "graphdb-inbound-ssh" { source_port_range = "*" destination_port_range = 22 source_address_prefixes = var.source_ssh_blocks - destination_address_prefix = local.subnet_cidr + destination_address_prefix = var.graphdb_subnet_cidr } -# TODO: probably not the place for this to be here.. could create the NSG outside and pass it here and to the lb module? -# TODO: We need better segmentation of NSGs, traffic should be limited to the LB only resource "azurerm_network_security_rule" "graphdb-proxies-inbound" { - resource_group_name = local.resource_group + resource_group_name = var.resource_group_name network_security_group_name = azurerm_network_security_group.graphdb.name name = "graphdb_proxies_inbound" @@ -65,7 +38,7 @@ resource "azurerm_network_security_rule" "graphdb-proxies-inbound" { source_port_range = "*" destination_port_range = "7201" source_address_prefixes = ["0.0.0.0/0"] - destination_address_prefix = local.subnet_cidr + destination_address_prefix = var.graphdb_subnet_cidr } locals { @@ -80,15 +53,15 @@ locals { # Create virtual machine resource "azurerm_linux_virtual_machine_scale_set" "graphdb" { name = var.resource_name_prefix - resource_group_name = local.resource_group - location = local.location + resource_group_name = var.resource_group_name + location = var.location source_image_id = var.image_id user_data = base64encode(local.user_data_script) identity { type = "UserAssigned" - identity_ids = [data.azurerm_user_assigned_identity.graphdb-instances.id] + identity_ids = [var.identity_id] } sku = var.instance_type 
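Review bot: `graphdb-proxies-inbound` still admits `0.0.0.0/0` to port 7201 (hunk `@@ -65,7 +38,7 @@`), and the first hunk on this line deletes the TODO that recorded this as traffic to be limited to the load balancer, so the known gap disappears from the code along with the comment. Since the root module now knows the gateway subnet (`azurerm_subnet.graphdb-gateway` in main.tf), the source can be narrowed by adding a `gateway_subnet_cidr` string variable to modules/vm/variables.tf and setting `source_address_prefixes = [var.gateway_subnet_cidr]`, assuming the application gateway is the only intended client of the proxies. If that is not feasible in this change, keep the record as `# TODO: Restrict source to the Application Gateway subnet; currently open to the internet`.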
@@ -108,7 +81,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "graphdb" { ip_configuration { name = "${var.resource_name_prefix}-ip-config" primary = true - subnet_id = local.subnet_id + subnet_id = var.graphdb_subnet_id application_gateway_backend_address_pool_ids = var.application_gateway_backend_address_pool_ids # TODO: Temporary for testing. Remove after configuring the LB @@ -133,7 +106,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "graphdb" { resource "azurerm_role_definition" "managed_disk_manager" { name = "ManagedDiskManager" - scope = data.azurerm_resource_group.graphdb.id + scope = var.resource_group_id description = "This is a custom role created via Terraform required for creating data disks for GraphDB" permissions { @@ -151,14 +124,13 @@ resource "azurerm_role_definition" "managed_disk_manager" { } assignable_scopes = [ - data.azurerm_resource_group.graphdb.id + var.resource_group_id ] - depends_on = [data.azurerm_resource_group.graphdb] } resource "azurerm_role_assignment" "rg-contributor-role" { - principal_id = data.azurerm_user_assigned_identity.graphdb-instances.principal_id - scope = data.azurerm_resource_group.graphdb.id + principal_id = var.identity_principal_id + scope = var.resource_group_id role_definition_name = "ManagedDiskManager" depends_on = [azurerm_role_definition.managed_disk_manager] } diff --git a/modules/vm/variables.tf b/modules/vm/variables.tf index 57d4ab4..dfafd26 100644 --- a/modules/vm/variables.tf +++ b/modules/vm/variables.tf @@ -5,6 +5,11 @@ variable "resource_name_prefix" { type = string } +variable "location" { + description = "Azure geographical location where resources will be deployed" + type = string +} + variable "zones" { description = "Availability zones" type = list(number) 
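Review bot: `rg-contributor-role` (hunk `@@ -151,14 +124,13 @@`) binds the custom role by `role_definition_name = "ManagedDiskManager"`, which is resolved by name at apply time and is the reason the explicit `depends_on` is still required; referencing the definition directly, `role_definition_id = azurerm_role_definition.managed_disk_manager.role_definition_resource_id`, makes the dependency implicit and the `depends_on` line can be removed. The label `rg-contributor-role` no longer describes what is granted (a disk-management role, not Contributor) and is worth renaming with a `moved` block in a follow-up. The fixed `name = "ManagedDiskManager"` is shared by every deployment of this module; if two instances are ever created in the same subscription, prefixing it with `var.resource_name_prefix` would avoid a collision — worth confirming against how role definition names are scoped.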
@@ -22,22 +27,32 @@ variable "resource_group_name" { type = string } +variable "resource_group_id" { + description = "Identifier of the resource group where GraphDB will be deployed." + type = string +} + # Networking -variable "network_interface_name" { - description = "Network interface where GraphDB will be deployed" +variable "graphdb_subnet_id" { + description = "Identifier of the subnet where GraphDB will be deployed" type = string } -variable "graphdb_subnet_name" { - description = "Name of the subnet where GraphDB will be deployed" +variable "graphdb_subnet_cidr" { + description = "CIDR of the subnet where GraphDB will be deployed" type = string } # Security -variable "identity_name" { - description = "Name of a user assigned identity with permissions" +variable "identity_id" { + description = "Identifier of a user assigned identity with permissions" + type = string +} + +variable "identity_principal_id" { + description = "Principal identifier of a user assigned identity with permissions" type = string }