hpcc-systems · gfortil · Sep 14, 2023 · Sep 20, 2023 · Mar 5, 2024 · Apr 22, 2024
diff --git a/.gitignore b/.gitignore
@@ -14,7 +14,7 @@ crash.log
 # version control.
 #
 # example.tfvars
-admin.tfvars
+*.tfvars
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 Godson Fortil
+Copyright (c) 2023 HPCC Systems®
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/README.md b/README.md
diff --git a/data.tf b/data.tf
@@ -1,6 +1,9 @@
 data "http" "host_ip" {
-  url = "http://ipv4.icanhazip.com"
+  url = "https://api.ipify.org"
 }
 
 data "azurerm_subscription" "current" {
 }
+
+data "azurerm_client_config" "current" {
+}
diff --git a/examples/admin.tfvars b/examples/admin.tfvars
diff --git a/examples/providers.tf b/examples/providers.tf
@@ -0,0 +1,7 @@
+provider "azurerm" {
+  features {}
+  use_cli             = true
+  storage_use_azuread = true
+}
+
+provider "azuread" {}
diff --git a/locals.tf b/locals.tf
@@ -3,7 +3,7 @@ locals {
     {
       business_unit     = var.metadata.business_unit
       environment       = var.metadata.environment
-      location          = var.storage.location
+      location          = var.metadata.location
       market            = var.metadata.market
       subscription_type = var.metadata.subscription_type
     },
@@ -12,8 +12,80 @@ locals {
     var.metadata.resource_group_type != "" ? { resource_group_type = var.metadata.resource_group_type } : {}
   ) : module.metadata.names
 
-  tags = var.disable_naming_conventions ? merge(var.tags, { "admin" = var.admin.name, "email" = var.admin.email, "workspace" = terraform.workspace }) : merge(module.metadata.tags, { "admin" = var.admin.name, "email" = var.admin.email, "workspace" = terraform.workspace }, try(var.tags))
+  tags = merge(var.metadata.additional_tags, { "owner" = var.owner.name, "owner_email" = var.owner.email })
 
-  storage_shares = { "dalishare" = var.storage.quotas.dali, "dllsshare" = var.storage.quotas.dll, "sashashare" = var.storage.quotas.sasha,
-  "datashare" = var.storage.quotas.data, "lzshare" = var.storage.quotas.lz }
+  location = var.metadata.location
+
+  resource_groups = {
+    storage_accounts = {
+      tags = { "enclosed resource" = "OSS storage accounts" }
+    }
+  }
+
+  azure_files_pv_protocol = "nfs"
+
+  planes = flatten([
+    for k, v in var.storage_accounts :
+    [
+      for x, y in v.planes : {
+        "container_name" : "${y.plane_name}"
+        "plane_name" : "${y.plane_name}"
+        "category" : "${y.category}"
+        "path" : "${y.sub_path}"
+        "size" : "${y.size}"
+        "storage_account_name" : v.storage_type == "azurefiles" ? "${v.storage_account_name_prefix}${random_string.random.result}af" : "${v.storage_account_name_prefix}${random_string.random.result}blob"
+        "storage_account_name_prefix" : v.storage_account_name_prefix
+        "resource_group" : "${module.resource_groups["storage_accounts"].name}"
+        "storage_type" : "${v.storage_type}"
+        "protocol" : v.storage_type == "azurefiles" ? "${upper(y.protocol)}" : null
+        "access_tier" : "${v.access_tier}"
+        "account_kind" : "${v.account_kind}"
+        "account_tier" : "${v.account_tier}"
+        "replication_type" : "${v.replication_type}"
+        "authorized_ip_ranges" : "${tomap(merge(var.authorized_ip_ranges, { host_ip = data.http.host_ip.response_body }))}"
+        "subnet_ids" : "${var.subnet_ids}"
+        "file_share_retention_days" : v.storage_type == "azurefiles" ? "${v.file_share_retention_days}" : null
+      }
+    ]
+  ])
+
+  azurefile_storage_accounts_args = {
+    for k, v in var.storage_accounts : k => merge({ storage_account_name = "${v.storage_account_name_prefix}${random_string.random.result}af" }, v, { "resource_group_name" = module.resource_groups["storage_accounts"].name }) if v.storage_type == "azurefiles"
+  }
+
+  blob_storage_accounts_args = {
+    for k, v in var.storage_accounts : k => merge({ storage_account_name = "${v.storage_account_name_prefix}${random_string.random.result}blob" }, v, { "resource_group_name" = module.resource_groups["storage_accounts"].name }) if v.storage_type == "blobnfs"
+  }
+
+  azurefile_planes = {
+    for k, v in local.planes : k => v if v.storage_type == "azurefiles"
+  }
+
+  blob_planes = {
+    for k, v in local.planes : k => v if v.storage_type == "blobnfs"
+  }
+
+  azurefile_storage_accounts_attrs = {
+    for k, v in azurerm_storage_account.azurefiles : k => {
+      storage_account_name     = v.name
+      resource_group_name      = v.resource_group_name
+      id                       = v.id
+      account_replication_type = v.account_replication_type
+      account_tier             = v.account_tier
+      primary_access_key       = v.primary_access_key
+      primary_location         = v.primary_location
+    }
+  }
+
+  blob_storage_accounts_attrs = {
+    for k, v in azurerm_storage_account.blobnfs : k => {
+      storage_account_name     = v.name
+      resource_group_name      = v.resource_group_name
+      id                       = v.id
+      account_replication_type = v.account_replication_type
+      account_tier             = v.account_tier
+      primary_access_key       = v.primary_access_key
+      primary_location         = v.primary_location
+    }
+  }
 }
diff --git a/main.tf b/main.tf
@@ -1,13 +1,8 @@
-resource "random_integer" "random" {
-  min = 1
-  max = 3
-}
-
 resource "random_string" "random" {
-  length  = 43
-  upper   = false
-  number  = false
+  length  = 4
   special = false
+  numeric = false
+  upper   = false
 }
 
 module "subscription" {
@@ -25,50 +20,25 @@ module "metadata" {
   naming_rules = module.naming.yaml
 
   market              = var.metadata.market
-  location            = var.resource_group.location
+  location            = local.location
   sre_team            = var.metadata.sre_team
   environment         = var.metadata.environment
   product_name        = var.metadata.product_name
   business_unit       = var.metadata.business_unit
   product_group       = var.metadata.product_group
   subscription_type   = var.metadata.subscription_type
   resource_group_type = var.metadata.resource_group_type
-  subscription_id     = data.azurerm_subscription.current.id
+  subscription_id     = module.subscription.output.subscription_id
   project             = var.metadata.project
 }
 
-module "resource_group" {
-  source = "github.com/Azure-Terraform/terraform-azurerm-resource-group.git?ref=v2.0.0"
-
-  unique_name = var.resource_group.unique_name
-  location    = var.resource_group.location
-  names       = local.names
-  tags        = local.tags
-}
-
-resource "azurerm_storage_account" "storage_account" {
-
-  name                     = lower(try("${var.admin.name}hpccsa${random_integer.random.result}", "hpccsa${random_integer.random.result}404"))
-  resource_group_name      = module.resource_group.name
-  location                 = module.resource_group.location
-  account_tier             = var.storage.account_tier
-  account_replication_type = var.storage.account_replication_type
-  min_tls_version          = "TLS1_2"
-  tags                     = local.tags
-}
-
-resource "azurerm_storage_share" "storage_shares" {
-  for_each = local.storage_shares
-
-  name                 = each.key
-  storage_account_name = azurerm_storage_account.storage_account.name
-  quota                = each.value
+module "resource_groups" {
+  source = "github.com/Azure-Terraform/terraform-azurerm-resource-group.git?ref=v2.1.0"
 
-  acl {
-    id = random_string.random.result
+  for_each = local.resource_groups
 
-    access_policy {
-      permissions = "rwdl"
-    }
-  }
+  unique_name = true
+  location    = module.metadata.location
+  names       = module.metadata.names
+  tags        = merge(local.tags, each.value.tags)
 }
diff --git a/output.tf b/output.tf
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,19 @@
+output "azurefile_storage_accounts_attrs" {
+  value = local.azurefile_storage_accounts_attrs
+}
+
+output "blob_storage_accounts_attrs" {
+  value = local.blob_storage_accounts_attrs
+}
+
+output "storage_planes" {
+  value = local.planes
+}
+
+output "azurefile_planes" {
+  value = local.azurefile_planes
+}
+
+output "blob_planes" {
+  value = local.blob_planes
+}
diff --git a/storage.tf b/storage.tf
@@ -0,0 +1,106 @@
+resource "azurerm_management_lock" "protect_azurefile_storage_accounts" {
+  for_each = {
+    for k, v in var.storage_accounts : k => v if v.storage_type == "azurefiles" && v.delete_protection
+  }
+
+  name       = "protect-storage-${azurerm_storage_account.azurefiles[each.key].name}"
+  scope      = azurerm_storage_account.azurefiles[each.key].id
+  lock_level = "CanNotDelete"
+}
+
+resource "azurerm_management_lock" "protect_blobnfs_storage_accounts" {
+  for_each = {
+    for k, v in var.storage_accounts : k => v if v.storage_type == "blobnfs" && v.delete_protection
+  }
+
+  name       = "protect-storage-${azurerm_storage_account.blobnfs[each.key].name}"
+  scope      = azurerm_storage_account.blobnfs[each.key].id
+  lock_level = "CanNotDelete"
+}
+
+resource "azurerm_storage_account" "azurefiles" {
+  for_each = local.azurefile_storage_accounts_args
+
+  name                = each.value.storage_account_name
+  resource_group_name = module.resource_groups["storage_accounts"].name
+  location            = local.location
+  tags                = local.tags
+
+  access_tier                     = each.value.access_tier
+  account_kind                    = each.value.account_kind
+  account_tier                    = each.value.account_tier
+  allow_nested_items_to_be_public = false
+  min_tls_version                 = "TLS1_2"
+  shared_access_key_enabled       = true
+  https_traffic_only_enabled      = false
+  account_replication_type        = each.value.replication_type
+
+  network_rules {
+    default_action             = "Deny"
+    ip_rules                   = var.use_authorized_ip_ranges_only ? values(var.authorized_ip_ranges) : values(merge(var.authorized_ip_ranges, { host_ip = data.http.host_ip.response_body }))
+    virtual_network_subnet_ids = var.subnet_ids //values(each.value.subnet_ids)
+    bypass                     = ["AzureServices"]
+  }
+  share_properties {
+    retention_policy {
+      days = each.value.file_share_retention_days
+    }
+  }
+
+  depends_on = [random_string.random]
+}
+
+resource "azurerm_storage_account" "blobnfs" {
+  for_each = local.blob_storage_accounts_args
+
+  name                = each.value.storage_account_name
+  resource_group_name = module.resource_groups["storage_accounts"].name
+  location            = local.location
+  tags                = local.tags
+
+  access_tier                     = each.value.access_tier
+  account_kind                    = each.value.account_kind
+  account_tier                    = each.value.account_tier
+  allow_nested_items_to_be_public = false
+  is_hns_enabled                  = true
+  min_tls_version                 = "TLS1_2"
+  shared_access_key_enabled       = true
+  nfsv3_enabled                   = true
+  https_traffic_only_enabled      = true
+  account_replication_type        = each.value.replication_type
+
+  network_rules {
+    default_action             = "Deny"
+    ip_rules                   = var.use_authorized_ip_ranges_only ? values(var.authorized_ip_ranges) : values(merge(var.authorized_ip_ranges, { host_ip = data.http.host_ip.response_body }))
+    virtual_network_subnet_ids = var.subnet_ids //values(each.value.subnet_ids)
+    bypass                     = ["AzureServices"]
+  }
+
+  blob_properties {
+    delete_retention_policy {
+      days = each.value.blob_soft_delete_retention_days
+    }
+    container_delete_retention_policy {
+      days = each.value.container_soft_delete_retention_days
+    }
+  }
+
+  depends_on = [random_string.random]
+}
+
+resource "azurerm_storage_share" "azurefiles" {
+  for_each = local.azurefile_planes
+
+  name                 = each.value.container_name
+  storage_account_name = azurerm_storage_account.azurefiles[each.value.storage_account_name_prefix].name
+  quota                = each.value.size
+  enabled_protocol     = each.value.protocol
+}
+
+resource "azurerm_storage_container" "blobnfs" {
+  for_each = local.blob_planes
+
+  name                  = each.value.container_name
+  storage_account_name  = azurerm_storage_account.blobnfs[each.value.storage_account_name_prefix].name
+  container_access_type = "private"
+}