Merge pull request #27 from PerfectThymeTech/marvinbuss/add_ampls

Add Azure Monitor Private Link Scope
PerfectThymeTech · Feb 11, 2024 · 9727d16 · 9727d16
2 parents 3d0ee2e + 968462f
commit 9727d16
Show file tree

Hide file tree

Showing 4 changed files with 119 additions and 10 deletions.
diff --git a/code/infra/locals.tf b/code/infra/locals.tf
@@ -110,7 +110,7 @@ locals {
     "vscode006" = {
       type        = "FQDN"
       category    = "UserDefined"
-      destination = "raw.githubusercontent.com" // "/microsoft/vscode-tools-for-ai/master/azureml_remote_websocket_server/*"
+      destination = "raw.githubusercontent.com" # "/microsoft/vscode-tools-for-ai/master/azureml_remote_websocket_server/*"
       status      = "Active"
     },
     "vscode007" = {
@@ -272,7 +272,18 @@ locals {
         sparkEnabled      = true
         sparkStatus       = "Active"
       }
-    }
+    },
+    # "${azurerm_monitor_private_link_scope.mpls.name}-queue" = { # Not supported in AML today
+    #   type     = "PrivateEndpoint"
+    #   category = "UserDefined"
+    #   status   = "Active"
+    #   destination = {
+    #     serviceResourceId = azurerm_monitor_private_link_scope.mpls.id
+    #     subresourceTarget = "azuremonitor"
+    #     sparkEnabled      = true
+    #     sparkStatus       = "Active"
+    #   }
+    # }
   }
   search_service_machine_learning_workspace_outbound_rules = {
     "${var.search_service_enabled ? azurerm_search_service.search_service[0].name : ""}-searchService" = {

diff --git a/code/infra/monitorprivatelinkscope.tf b/code/infra/monitorprivatelinkscope.tf
@@ -0,0 +1,45 @@
+resource "azurerm_monitor_private_link_scope" "mpls" {
+  name                = "${local.prefix}-ampls001"
+  resource_group_name = data.azurerm_resource_group.resource_group.name
+  tags                = var.tags
+}
+
+resource "azurerm_monitor_private_link_scoped_service" "mpls_application_insights" {
+  name                = "ampls-${azurerm_application_insights.application_insights.name}"
+  resource_group_name = azurerm_monitor_private_link_scope.mpls.resource_group_name
+  scope_name          = azurerm_monitor_private_link_scope.mpls.name
+  linked_resource_id  = azurerm_application_insights.application_insights.id
+}
+
+resource "azurerm_monitor_private_link_scoped_service" "mpls_log_analytics_workspace" {
+  name                = "ampls-${azurerm_log_analytics_workspace.log_analytics_workspace.name}"
+  resource_group_name = azurerm_monitor_private_link_scope.mpls.resource_group_name
+  scope_name          = azurerm_monitor_private_link_scope.mpls.name
+  linked_resource_id  = azurerm_log_analytics_workspace.log_analytics_workspace.id
+}
+
+resource "azurerm_private_endpoint" "mpls_private_endpoint" {
+  name                = "${azurerm_monitor_private_link_scope.mpls.name}-pe"
+  location            = var.location
+  resource_group_name = azurerm_monitor_private_link_scope.mpls.resource_group_name
+  tags                = var.tags
+
+  custom_network_interface_name = "${azurerm_monitor_private_link_scope.mpls.name}-nic"
+  private_service_connection {
+    name                           = "${azurerm_monitor_private_link_scope.mpls.name}-pe"
+    is_manual_connection           = false
+    private_connection_resource_id = azurerm_monitor_private_link_scope.mpls.id
+    subresource_names              = ["azuremonitor"]
+  }
+  subnet_id = data.azurerm_subnet.subnet.id
+  private_dns_zone_group {
+    name = "${azurerm_monitor_private_link_scope.mpls.name}-arecord"
+    private_dns_zone_ids = [
+      var.private_dns_zone_id_monitor,
+      var.private_dns_zone_id_oms_opinsights,
+      var.private_dns_zone_id_ods_opinsights,
+      var.private_dns_zone_id_automation_agents,
+      var.private_dns_zone_id_blob
+    ]
+  }
+}
diff --git a/code/infra/variables.tf b/code/infra/variables.tf
@@ -49,7 +49,7 @@ variable "resource_group_name" {
   }
 }
 
-// ML variables
+# ML variables
 variable "machine_learning_compute_clusters" {
   type = map(object({
     vm_priority = optional(string, "Dedicated")
@@ -87,7 +87,7 @@ variable "machine_learning_compute_instances" {
   # }
 }
 
-// Service enablement variables
+# Service enablement variables
 variable "search_service_enabled" {
   description = "Specifies whether Azure Cognitive Search should be deployed."
   type        = bool
@@ -119,7 +119,7 @@ variable "cognitive_services" {
   }
 }
 
-// Network variables
+# Network variables
 variable "subnet_id" {
   description = "Specifies the resource ID of the subnet used for the Private Endpoints."
   type        = string
@@ -130,6 +130,7 @@ variable "subnet_id" {
   }
 }
 
+# DNS variables
 variable "private_dns_zone_id_container_registry" {
   description = "Specifies the resource ID of the private DNS zone for the container registry. Not required if DNS A-records get created via Azure Policy."
   type        = string
@@ -251,6 +252,50 @@ variable "private_dns_zone_id_cognitive_services" {
   }
 }
 
+variable "private_dns_zone_id_monitor" {
+  description = "Specifies the resource ID of the private DNS zone for Azure Monitor. Not required if DNS A-records get created via Azue Policy."
+  type        = string
+  sensitive   = false
+  default     = ""
+  validation {
+    condition     = var.private_dns_zone_id_monitor == "" || (length(split("/", var.private_dns_zone_id_monitor)) == 9 && endswith(var.private_dns_zone_id_monitor, "privatelink.monitor.azure.com"))
+    error_message = "Please specify a valid resource ID for the private DNS Zone."
+  }
+}
+
+variable "private_dns_zone_id_oms_opinsights" {
+  description = "Specifies the resource ID of the private DNS zone for Azure Monitor OMS Insights. Not required if DNS A-records get created via Azue Policy."
+  type        = string
+  sensitive   = false
+  default     = ""
+  validation {
+    condition     = var.private_dns_zone_id_oms_opinsights == "" || (length(split("/", var.private_dns_zone_id_oms_opinsights)) == 9 && endswith(var.private_dns_zone_id_oms_opinsights, "privatelink.oms.opinsights.azure.com"))
+    error_message = "Please specify a valid resource ID for the private DNS Zone."
+  }
+}
+
+variable "private_dns_zone_id_ods_opinsights" {
+  description = "Specifies the resource ID of the private DNS zone for Azure Monitor ODS Insights. Not required if DNS A-records get created via Azue Policy."
+  type        = string
+  sensitive   = false
+  default     = ""
+  validation {
+    condition     = var.private_dns_zone_id_ods_opinsights == "" || (length(split("/", var.private_dns_zone_id_ods_opinsights)) == 9 && endswith(var.private_dns_zone_id_ods_opinsights, "privatelink.ods.opinsights.azure.com"))
+    error_message = "Please specify a valid resource ID for the private DNS Zone."
+  }
+}
+
+variable "private_dns_zone_id_automation_agents" {
+  description = "Specifies the resource ID of the private DNS zone for Azure Monitor Automation Agents. Not required if DNS A-records get created via Azue Policy."
+  type        = string
+  sensitive   = false
+  default     = ""
+  validation {
+    condition     = var.private_dns_zone_id_automation_agents == "" || (length(split("/", var.private_dns_zone_id_automation_agents)) == 9 && endswith(var.private_dns_zone_id_automation_agents, "privatelink.agentsvc.azure-automation.net"))
+    error_message = "Please specify a valid resource ID for the private DNS Zone."
+  }
+}
+
 # Other resources
 variable "data_platform_subscription_ids" {
   description = "Specifies the list of subscription IDs of your data platform."

diff --git a/config/PerfectThymeTech/vars.tfvars b/config/PerfectThymeTech/vars.tfvars
@@ -6,7 +6,7 @@ prefix              = "dpml"
 tags                = {}
 resource_group_name = "myprod-dev-analytics-rg"
 
-// ML variables
+# ML variables
 machine_learning_compute_clusters = {
   # "cpu001" = {
   #   vm_priority = "Dedicated"
@@ -25,7 +25,7 @@ machine_learning_compute_instances = {
   # }
 }
 
-// Service enablement variables
+# Service enablement variables
 open_ai_enabled        = true
 search_service_enabled = true
 cognitive_services = {
@@ -35,8 +35,10 @@ cognitive_services = {
   # }
 }
 
-// Network variables
-subnet_id                                      = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-logic-network-rg/providers/Microsoft.Network/virtualNetworks/mycrp-prd-logic-vnet001/subnets/PeSubnet"
+# Network variables
+subnet_id = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-dpml-network-rg/providers/Microsoft.Network/virtualNetworks/mycrp-prd-dpml-vnet001/subnets/ServicesSubnet"
+
+# DNS variables
 private_dns_zone_id_blob                       = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net"
 private_dns_zone_id_file                       = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net"
 private_dns_zone_id_table                      = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net"
@@ -48,4 +50,10 @@ private_dns_zone_id_machine_learning_notebooks = "/subscriptions/8f171ff9-2b5b-4
 private_dns_zone_id_search_service             = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net"
 private_dns_zone_id_open_ai                    = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.openai.azure.com"
 private_dns_zone_id_cognitive_services         = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.cognitiveservices.azure.com"
-data_platform_subscription_ids                 = []
+private_dns_zone_id_monitor                    = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.monitor.azure.com"
+private_dns_zone_id_oms_opinsights             = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.oms.opinsights.azure.com"
+private_dns_zone_id_ods_opinsights             = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.ods.opinsights.azure.com"
+private_dns_zone_id_automation_agents          = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.agentsvc.azure-automation.net"
+
+# Other resources
+data_platform_subscription_ids = []