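locals {
  # Prefix length of the first VNet CIDR ("10.0.0.0/16" -> 16). tonumber() makes the
  # arithmetic below explicit instead of relying on implicit string -> number conversion.
  vpc_size = tonumber(split("/", var.vpc_cidrs[0])[1])

  # Maps do not maintain order, so a list fixes the order in which subnets are carved out of
  # the VNet. cidrsubnets() allocates sequentially, so this order decides which addresses each
  # calculated subnet gets; changing it re-addresses existing deployments.
  # ADLS is only included when create_adls is true.
  base_subnet_order = [
    "aks",
    "private_endpoint_storage",
    "azure_bastion",
    "vm_bastion",
    "database",
    "app",
    "app_gw",
  ]
  subnet_order = var.create_adls ? concat(local.base_subnet_order, ["adls"]) : local.base_subnet_order

  # Caller-supplied CIDRs per subnet. An empty list means "calculate this subnet".
  # When create_adls is false the ADLS entry is a non-empty placeholder so it can never be
  # flagged for calculation (it is also absent from subnet_order in that case).
  user_subnet_cidrs = {
    aks                      = var.aks_subnet_cidrs
    private_endpoint_storage = var.private_endpoint_storage_subnet_cidrs
    azure_bastion            = var.azure_bastion_subnet_cidrs
    vm_bastion               = var.vm_bastion_subnet_cidrs
    database                 = var.database_subnet_cidrs
    app                      = var.app_subnet_cidrs
    app_gw                   = var.app_gw_subnet_cidrs
    adls                     = var.create_adls ? var.private_endpoint_adls_subnet_cidrs : ["dummy"]
  }

  # Desired size in addresses per subnet; only consulted for subnets that are calculated.
  requested_subnet_sizes = {
    aks                      = var.aks_subnet_size
    private_endpoint_storage = var.private_endpoint_storage_subnet_size
    azure_bastion            = var.azure_bastion_subnet_size
    vm_bastion               = var.vm_bastion_subnet_size
    database                 = var.database_subnet_size
    app                      = var.app_subnet_size
    app_gw                   = var.app_gw_subnet_size
    adls                     = var.private_endpoint_adls_subnet_size
  }

  # Which subnets need a calculated CIDR, preserving subnet_order.
  # Indexing (rather than a two-argument lookup()) fails loudly on an unknown subnet name.
  subnets_to_calculate = [
    for subnet in local.subnet_order : {
      name              = subnet
      needs_calculation = length(local.user_subnet_cidrs[subnet]) == 0
    }
  ]

  # newbits per subnet = target_subnet_prefix - vpc_prefix, where
  # target_subnet_prefix = 32 - log2(desired_subnet_size_in_addresses).
  # An earlier form, vpc_size - log2(size), was only correct when vpc_size happened to be 16;
  # any other prefix produced an invalid (>32-bit) extension and broke /21 deployments.
  # NOTE(review): log(size, 2) is floating point; for some large exact powers of two it lands a
  # hair above the integer and ceil() would then widen the subnet by one prefix bit. The sizes
  # used here are small, so this is unlikely, but worth a check if a subnet comes out oversized.
  subnet_newbits = [
    for subnet in local.subnets_to_calculate :
    subnet.needs_calculation ?
    (32 - ceil(log(local.requested_subnet_sizes[subnet.name], 2))) - local.vpc_size : null
  ]

  # Drop the nulls. An explicit filter keeps the values numeric, whereas compact() would
  # round-trip them through strings before cidrsubnets() converts them back.
  filtered_newbits = [for bits in local.subnet_newbits : bits if bits != null]

  # Allocate only the CIDRs that are actually needed, sequentially from the first VNet range.
  # cidrsubnets() itself errors if the requested subnets do not fit inside var.vpc_cidrs[0].
  calculated_cidrs = length(local.filtered_newbits) > 0 ? cidrsubnets(var.vpc_cidrs[0], local.filtered_newbits...) : []

  # Names of the calculated subnets in allocation order; a subnet's position in this list is
  # its index into calculated_cidrs. Hoisted so it is built once rather than per subnet.
  calculated_names = [for s in local.subnets_to_calculate : s.name if s.needs_calculation]
  calculated_index = {
    for subnet in local.subnets_to_calculate :
    subnet.name => subnet.needs_calculation ? index(local.calculated_names, subnet.name) : null
  }

  # Calculated CIDR per subnet as a one-element list, or an empty list when the caller
  # supplied one (so coalescelist() below falls through to the caller's value).
  calculated_subnet_cidrs = {
    for name, idx in local.calculated_index :
    name => idx != null ? [local.calculated_cidrs[idx]] : []
  }

  # Final subnet CIDRs handed to module "networking": caller-supplied lists win, otherwise the
  # calculated one. coalescelist() errors if both are empty, which cannot happen here because an
  # empty caller list is exactly what triggers calculation.
  aks_subnet_cidrs                      = coalescelist(var.aks_subnet_cidrs, local.calculated_subnet_cidrs.aks)
  private_endpoint_storage_subnet_cidrs = coalescelist(var.private_endpoint_storage_subnet_cidrs, local.calculated_subnet_cidrs.private_endpoint_storage)
  azure_bastion_subnet_cidrs            = coalescelist(var.azure_bastion_subnet_cidrs, local.calculated_subnet_cidrs.azure_bastion)
  vm_bastion_subnet_cidrs               = coalescelist(var.vm_bastion_subnet_cidrs, local.calculated_subnet_cidrs.vm_bastion)
  database_subnet_cidrs                 = coalescelist(var.database_subnet_cidrs, local.calculated_subnet_cidrs.database)
  app_subnet_cidrs                      = coalescelist(var.app_subnet_cidrs, local.calculated_subnet_cidrs.app)
  app_gw_subnet_cidrs                   = coalescelist(var.app_gw_subnet_cidrs, local.calculated_subnet_cidrs.app_gw)

  # Only resolve the ADLS subnet when create_adls is true; the "adls" key does not exist in the
  # maps above otherwise, and the conditional keeps that branch from being evaluated.
  private_endpoint_adls_subnet_cidrs = var.create_adls ? coalescelist(
    var.private_endpoint_adls_subnet_cidrs,
    local.calculated_subnet_cidrs.adls
  ) : []
}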
# Network foundation: judging by its inputs this module owns the virtual network, its subnets,
# NSGs, the Azure Bastion / jumpbox VM, the public IPs and the database private DNS zone.
# Subnet CIDRs come from the locals above (caller-supplied lists win over calculated ones).
module "networking" {
  source = "./modules/networking"

  deployment_name      = var.deployment_name
  resource_group_name  = data.azurerm_resource_group.default.name
  location             = data.azurerm_resource_group.default.location
  vpc_cidrs            = var.vpc_cidrs
  virtual_network_tags = var.virtual_network_tags

  # Address ranges for each subnet, resolved in the locals block above.
  aks_subnet_cidrs                      = local.aks_subnet_cidrs
  private_endpoint_storage_subnet_cidrs = local.private_endpoint_storage_subnet_cidrs
  private_endpoint_adls_subnet_cidrs    = local.private_endpoint_adls_subnet_cidrs
  azure_bastion_subnet_cidrs            = local.azure_bastion_subnet_cidrs
  vm_bastion_subnet_cidrs               = local.vm_bastion_subnet_cidrs
  database_subnet_cidrs                 = local.database_subnet_cidrs
  app_subnet_cidrs                      = local.app_subnet_cidrs
  app_gw_subnet_cidrs                   = local.app_gw_subnet_cidrs

  # Exposure controls, passed straight through:
  #  - lb_is_public: presumably decides whether a public IP is provisioned for the gateway;
  #    module "load_balancer" below only consumes public_ip_id when it is true.
  #  - k8s_public_access_cidrs: allow-list for reaching the Kubernetes API server. Keep it
  #    narrow; the same list is given to module "aks".
  #  - jumpbox_custom_data: cloud-init for the jumpbox VM — anything placed here ends up in
  #    Terraform state and on the VM, so keep secrets out of it.
  lb_is_public            = var.lb_is_public
  k8s_public_access_cidrs = var.k8s_public_access_cidrs
  jumpbox_custom_data     = var.jumpbox_custom_data

  # Resource name overrides (empty/unset presumably means "derive from deployment_name").
  virtual_network_name_override                 = var.virtual_network_name_override
  aks_subnet_name_override                      = var.aks_subnet_name_override
  private_endpoint_storage_subnet_name_override = var.private_endpoint_storage_subnet_name_override
  private_endpoint_adls_subnet_name_override    = var.private_endpoint_adls_subnet_name_override
  azure_bastion_subnet_name_override            = var.azure_bastion_subnet_name_override
  vm_bastion_subnet_name_override               = var.vm_bastion_subnet_name_override
  database_subnet_name_override                 = var.database_subnet_name_override
  app_subnet_name_override                      = var.app_subnet_name_override
  app_gw_subnet_name_override                   = var.app_gw_subnet_name_override
  public_ip_name_override                       = var.public_ip_name_override
  jumpbox_public_ip_name_override               = var.jumpbox_public_ip_name_override
  bastion_public_ip_name_override               = var.bastion_public_ip_name_override
  vnet_nsg_name_override                        = var.vnet_nsg_name_override
  jumpbox_nsg_name_override                     = var.jumpbox_nsg_name_override
  bastion_host_name_override                    = var.bastion_host_name_override
  vm_nic_name_override                          = var.vm_nic_name_override
  linux_vm_name_override                        = var.linux_vm_name_override
  database_private_dns_zone_name_override       = var.database_private_dns_zone_name_override
  database_dns_link_name_override               = var.database_dns_link_name_override
}
# Managed identity for the deployment.
# NOTE(review): the single module.identity.identity output is handed to key_vault,
# load_balancer, clickhouse_backup, data_lake and aks below, so one principal accumulates the
# union of all their permissions. Splitting into per-workload identities would shrink the blast
# radius if any one component is compromised.
module "identity" {
  source = "./modules/identity"

  deployment_name     = var.deployment_name
  resource_group_name = data.azurerm_resource_group.default.name
  location            = data.azurerm_resource_group.default.location

  # Resource name override
  identity_name_override = var.identity_name_override
}
# Key Vault holding the etcd encryption key and the TLS certificate; its outputs are consumed
# by module "aks" (etcd_key_id) and module "load_balancer" (ssl_cert_id).
# NOTE(review): acme_config presumably carries ACME/DNS-provider credentials. Whatever it holds
# is written to Terraform state; confirm the variable is declared sensitive and that state
# storage is access-controlled.
module "key_vault" {
  source = "./modules/key_vault"

  deployment_name     = var.deployment_name
  resource_group_name = data.azurerm_resource_group.default.name
  location            = data.azurerm_resource_group.default.location

  # Identity granted access to the vault (shared with the other modules, see module "identity").
  identity = module.identity.identity

  # Certificate issuance inputs
  domain_name   = var.domain_name
  acme_provider = var.acme_provider
  acme_config   = var.acme_config

  # Resource name overrides
  key_vault_name_override       = var.key_vault_name_override
  etcd_key_name_override        = var.etcd_key_name_override
  ssl_certificate_name_override = var.ssl_certificate_name_override
}
# Application Gateway in front of the cluster; optional via deploy_lb.
# When lb_is_public is false no public IP id is passed, so the gateway is expected to listen
# only on gw_private_ip_address inside the app_gw subnet.
module "load_balancer" {
  count  = var.deploy_lb ? 1 : 0
  source = "./modules/load_balancer"

  deployment_name     = var.deployment_name
  resource_group_name = data.azurerm_resource_group.default.name
  location            = data.azurerm_resource_group.default.location

  # Placement and addressing
  app_gw_subnet      = module.networking.app_gw_subnet
  private_ip_address = var.gw_private_ip_address
  lb_is_public       = var.lb_is_public
  # Only hand over the public IP id when the gateway is meant to be internet-facing.
  # The public_ip object is passed unconditionally; what the module does with it when
  # lb_is_public is false is not visible from here.
  public_ip_id = var.lb_is_public ? module.networking.public_ip_id : null
  public_ip    = module.networking.public_ip

  # TLS: certificate lives in Key Vault and is read via the shared identity.
  identity      = module.identity.identity
  ssl_cert_id   = module.key_vault.ssl_cert_id
  ssl_cert_name = var.ssl_cert_name
  domain_name   = var.domain_name

  # Resource name override
  application_gateway_name_override = var.application_gateway_name_override
}
# PostgreSQL server, optional via create_database. It is placed in the dedicated database
# subnet and registered in the private DNS zone created by module "networking", i.e. reachable
# only from inside the VNet. Only the admin username is passed in; credential generation and
# storage happen inside the module and are not visible here.
module "database" {
  count  = var.create_database ? 1 : 0
  source = "./modules/database"

  deployment_name     = var.deployment_name
  resource_group_name = data.azurerm_resource_group.default.name
  location            = data.azurerm_resource_group.default.location
  availability_zone   = var.database_availability_zone

  # Network placement
  database_subnet     = module.networking.database_subnet
  private_dns_zone_id = module.networking.database_private_dns_zone_id

  # Server configuration
  postgresql_major_version       = var.postgresql_major_version
  database_sku                   = var.database_sku
  database_storage_mb            = var.database_storage_mb
  database_backup_retention_days = var.database_backup_retention_days
  database_name                  = var.database_name
  database_username              = var.database_username

  # Resource name overrides
  postgresql_server_name_override   = var.postgresql_server_name_override
  postgresql_database_name_override = var.postgresql_database_name_override
}
# Storage account for ClickHouse backups, exposed to the VNet through a private endpoint in
# the private_endpoint_storage subnet (plus the matching private DNS zone/link).
# Objects are expired after backup_lifecycle_expiration_days.
module "clickhouse_backup" {
  source = "./modules/clickhouse_backup"

  deployment_name     = var.deployment_name
  resource_group_name = data.azurerm_resource_group.default.name
  location            = data.azurerm_resource_group.default.location

  # Private connectivity
  vpc                             = module.networking.vpc
  private_endpoint_storage_subnet = module.networking.private_endpoint_storage_subnet

  # Identity granted access to the account (shared with the other modules, see module "identity").
  identity = module.identity.identity

  # Retention
  backup_lifecycle_expiration_days = var.backup_lifecycle_expiration_days

  # Resource name overrides
  storage_account_name_override             = var.storage_account_name_override
  clickhouse_backup_container_name_override = var.clickhouse_backup_container_name_override
  storage_private_dns_zone_name_override    = var.storage_private_dns_zone_name_override
  storage_private_endpoint_name_override    = var.storage_private_endpoint_name_override
  storage_dns_link_name_override            = var.storage_dns_link_name_override
}
# Optional ADLS (Data Lake) storage, reached through a private endpoint in the
# private_endpoint_adls subnet. Gated by create_adls, which also controls whether that subnet
# is carved out of the VNet at all (see locals above).
module "data_lake" {
  count  = var.create_adls ? 1 : 0
  source = "./modules/data_lake"

  deployment_name     = var.deployment_name
  resource_group_name = data.azurerm_resource_group.default.name
  location            = data.azurerm_resource_group.default.location

  # Private connectivity
  vpc                          = module.networking.vpc
  private_endpoint_adls_subnet = module.networking.private_endpoint_adls_subnet

  # Identity granted access to the account (shared with the other modules, see module "identity").
  identity = module.identity.identity

  # Resource name overrides
  adls_storage_account_name_override  = var.adls_storage_account_name_override
  adls_filesystem_name_override       = var.adls_filesystem_name_override
  adls_private_dns_zone_name_override = var.adls_private_dns_zone_name_override
  adls_dns_link_name_override         = var.adls_dns_link_name_override
  adls_private_endpoint_name_override = var.adls_private_endpoint_name_override
}
# Storage account + container for Temporal's Postgres backups, optional via deploy_temporal.
# NOTE(review): unlike clickhouse_backup and data_lake, no vpc/private-endpoint subnet is passed
# in, so this account may be reachable over its public endpoint — confirm how the module
# restricts network access.
module "temporal_backup" {
  count  = var.deploy_temporal ? 1 : 0
  source = "./modules/temporal_backup"

  deployment_name     = var.deployment_name
  resource_group_name = data.azurerm_resource_group.default.name
  location            = data.azurerm_resource_group.default.location

  # Retention
  backup_lifecycle_expiration_days = var.temporal_backup_lifecycle_expiration_days

  # Resource name overrides
  storage_account_name_override = var.temporal_storage_account_name_override
  container_name_override       = var.temporal_backup_container_name_override
}
locals {
  # Workload-identity service account for the Temporal Postgres pod, present only when Temporal
  # is deployed. It gets its own Azure identity with write access to the backup storage account.
  # NOTE(review): the role is scoped to the whole storage account, so the pod can write to
  # every container in it; if the module exposes the container's id, scoping the assignment
  # there would be tighter.
  temporal_postgres_pod_service_account = var.deploy_temporal ? {
    "postgres-pod" = {
      namespace             = var.temporal_postgres_namespace
      create_azure_identity = true
      identity_name         = null
      role_assignments = [
        {
          role  = "Storage Blob Data Contributor"
          scope = module.temporal_backup[0].storage_account_id
        },
      ]
    }
  } : {}

  # Caller-defined service accounts plus the Temporal one. merge() is right-biased, so a
  # caller entry also named "postgres-pod" would be overridden by the Temporal definition.
  merged_service_accounts = merge(var.service_accounts, local.temporal_postgres_pod_service_account)
}
# The AKS cluster. etcd secrets are encrypted with the Key Vault key created above, and
# service accounts (including the Temporal one) are wired to Azure identities when
# workload identity is on.
module "aks" {
  source = "./modules/aks"

  deployment_name     = var.deployment_name
  resource_group_name = data.azurerm_resource_group.default.name
  resource_group_id   = data.azurerm_resource_group.default.id
  location            = data.azurerm_resource_group.default.location

  # Networking: node subnet, gateway subnet and (optionally) the gateway itself for ingress.
  aks_subnet     = module.networking.aks_subnet
  app_gw_subnet  = module.networking.app_gw_subnet
  gateway        = var.deploy_lb ? module.load_balancer[0].gateway : null
  service_cidr   = var.aks_service_cidr
  dns_service_ip = var.aks_dns_service_ip

  # API-server exposure. With private_cluster_enabled = false the control plane is reachable
  # from k8s_public_access_cidrs; an empty allow-list presumably means "from anywhere", so
  # prefer a private cluster or a tight list.
  private_cluster_enabled = var.private_cluster_enabled
  k8s_public_access_cidrs = var.k8s_public_access_cidrs

  # Identity and secrets
  identity              = module.identity.identity
  etcd_key_vault_key_id = module.key_vault.etcd_key_id
  workload_identity_on  = var.aks_workload_identity_enabled
  service_accounts      = local.merged_service_accounts

  # Node pools
  sku_tier             = var.aks_sku_tier
  node_pool_name       = var.node_pool_name
  node_pool_vm_size    = var.node_pool_vm_size
  node_pool_node_count = var.node_pool_node_count
  min_node_count       = var.min_node_count
  max_node_count       = var.max_node_count
  max_pods             = var.max_pods
  custom_node_pools    = var.custom_node_pools

  # Resource name overrides
  aks_cluster_name_override = var.aks_cluster_name_override
  aks_dns_prefix_override   = var.aks_dns_prefix_override
}
locals {
  # Names for the managed data disks below. An explicit override wins; an empty string means
  # "derive from deployment_name". (A null override would be passed through as-is.)
  disk_name_prefix = "${var.deployment_name}-"

  clickhouse_data_disk_name = var.clickhouse_data_disk_name_override != "" ? var.clickhouse_data_disk_name_override : "${local.disk_name_prefix}clickhouse-data"
  clickhouse_logs_disk_name = var.clickhouse_logs_disk_name_override != "" ? var.clickhouse_logs_disk_name_override : "${local.disk_name_prefix}clickhouse-logs"
  redis_data_disk_name      = var.redis_data_disk_name_override != "" ? var.redis_data_disk_name_override : "${local.disk_name_prefix}redis-data"
}
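# Persistent data disk for ClickHouse, created empty in the AKS node resource group.
resource "azurerm_managed_disk" "clickhouse_data" {
  name = local.clickhouse_data_disk_name
  # Place the disk with the same expression as module "aks" rather than var.location: a managed
  # disk can only be attached to nodes in its own region, so the two must agree.
  location = data.azurerm_resource_group.default.location
  # NOTE(review): the output is called node_resource_group_id but this argument expects a
  # resource group *name* — confirm the aks module really exports the name here.
  resource_group_name  = module.aks.node_resource_group_id
  storage_account_type = var.disk_sku
  create_option        = "Empty"
  disk_size_gb         = var.clickhouse_data_size

  # Provisioned performance, only for Premium/Ultra SKUs; left unset otherwise.
  # NOTE(review): the provider documents disk_iops_read_write / disk_mbps_read_write as settable
  # for UltraSSD and PremiumV2 only — confirm the API accepts them for Premium_LRS.
  disk_iops_read_write = var.disk_sku == "Premium_LRS" || var.disk_sku == "UltraSSD_LRS" ? var.ch_data_disk_iops : null
  disk_mbps_read_write = var.disk_sku == "Premium_LRS" || var.disk_sku == "UltraSSD_LRS" ? var.ch_data_disk_throughput : null
  # Read-only limits are an Ultra SSD setting (used for shared read-only attachments).
  disk_iops_read_only = var.disk_sku == "UltraSSD_LRS" ? var.ch_data_disk_iops : null
  disk_mbps_read_only = var.disk_sku == "UltraSSD_LRS" ? var.ch_data_disk_throughput : null

  # Security notes (no change made here):
  #  - No disk_encryption_set_id is set, so this disk uses platform-managed keys, while the aks
  #    module is handed a Key Vault key (etcd_key_vault_key_id). Add a disk encryption set
  #    backed by the same vault if customer-managed keys are a requirement for data at rest.
  #  - Managed disks default to allowing export via SAS; network_access_policy = "DenyAll" and
  #    public_network_access_enabled = false close that off for a disk only AKS needs to attach.

  tags = {
    Name = local.clickhouse_data_disk_name
  }

  # Implied already by the node_resource_group_id reference; kept explicit so the disk is not
  # planned before the cluster (and its node resource group) exists.
  depends_on = [
    module.aks
  ]
}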
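# Persistent log disk for ClickHouse, created empty in the AKS node resource group.
resource "azurerm_managed_disk" "clickhouse_logs" {
  name = local.clickhouse_logs_disk_name
  # Place the disk with the same expression as module "aks" rather than var.location: a managed
  # disk can only be attached to nodes in its own region, so the two must agree.
  location = data.azurerm_resource_group.default.location
  # NOTE(review): the output is called node_resource_group_id but this argument expects a
  # resource group *name* — confirm the aks module really exports the name here.
  resource_group_name  = module.aks.node_resource_group_id
  storage_account_type = var.disk_sku
  create_option        = "Empty"
  disk_size_gb         = var.clickhouse_logs_size

  # Provisioned performance, only for Premium/Ultra SKUs; left unset otherwise.
  # NOTE(review): the provider documents disk_iops_read_write / disk_mbps_read_write as settable
  # for UltraSSD and PremiumV2 only — confirm the API accepts them for Premium_LRS.
  disk_iops_read_write = var.disk_sku == "Premium_LRS" || var.disk_sku == "UltraSSD_LRS" ? var.ch_logs_disk_iops : null
  disk_mbps_read_write = var.disk_sku == "Premium_LRS" || var.disk_sku == "UltraSSD_LRS" ? var.ch_logs_disk_throughput : null
  # Read-only limits are an Ultra SSD setting (used for shared read-only attachments).
  disk_iops_read_only = var.disk_sku == "UltraSSD_LRS" ? var.ch_logs_disk_iops : null
  disk_mbps_read_only = var.disk_sku == "UltraSSD_LRS" ? var.ch_logs_disk_throughput : null

  # Security notes (no change made here):
  #  - No disk_encryption_set_id is set, so this disk uses platform-managed keys, while the aks
  #    module is handed a Key Vault key (etcd_key_vault_key_id). Add a disk encryption set
  #    backed by the same vault if customer-managed keys are a requirement for data at rest.
  #  - Managed disks default to allowing export via SAS; network_access_policy = "DenyAll" and
  #    public_network_access_enabled = false close that off for a disk only AKS needs to attach.

  tags = {
    Name = local.clickhouse_logs_disk_name
  }

  # Implied already by the node_resource_group_id reference; kept explicit so the disk is not
  # planned before the cluster (and its node resource group) exists.
  depends_on = [
    module.aks
  ]
}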
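# Persistent data disk for Redis, created empty in the AKS node resource group.
resource "azurerm_managed_disk" "redis_data" {
  name = local.redis_data_disk_name
  # Place the disk with the same expression as module "aks" rather than var.location: a managed
  # disk can only be attached to nodes in its own region, so the two must agree.
  location = data.azurerm_resource_group.default.location
  # NOTE(review): the output is called node_resource_group_id but this argument expects a
  # resource group *name* — confirm the aks module really exports the name here.
  resource_group_name  = module.aks.node_resource_group_id
  storage_account_type = var.disk_sku
  create_option        = "Empty"
  disk_size_gb         = var.redis_data_size

  # Provisioned performance, only for Premium/Ultra SKUs; left unset otherwise.
  # NOTE(review): the provider documents disk_iops_read_write / disk_mbps_read_write as settable
  # for UltraSSD and PremiumV2 only — confirm the API accepts them for Premium_LRS.
  disk_iops_read_write = var.disk_sku == "Premium_LRS" || var.disk_sku == "UltraSSD_LRS" ? var.redis_disk_iops : null
  disk_mbps_read_write = var.disk_sku == "Premium_LRS" || var.disk_sku == "UltraSSD_LRS" ? var.redis_disk_throughput : null
  # Read-only limits are an Ultra SSD setting (used for shared read-only attachments).
  disk_iops_read_only = var.disk_sku == "UltraSSD_LRS" ? var.redis_disk_iops : null
  disk_mbps_read_only = var.disk_sku == "UltraSSD_LRS" ? var.redis_disk_throughput : null

  # Security notes (no change made here):
  #  - No disk_encryption_set_id is set, so this disk uses platform-managed keys, while the aks
  #    module is handed a Key Vault key (etcd_key_vault_key_id). Add a disk encryption set
  #    backed by the same vault if customer-managed keys are a requirement for data at rest.
  #  - Managed disks default to allowing export via SAS; network_access_policy = "DenyAll" and
  #    public_network_access_enabled = false close that off for a disk only AKS needs to attach.

  tags = {
    Name = local.redis_data_disk_name
  }

  # Implied already by the node_resource_group_id reference; kept explicit so the disk is not
  # planned before the cluster (and its node resource group) exists.
  depends_on = [
    module.aks
  ]
}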