Merge pull request #89 from PerfectThymeTech/marvinbuss/add_synapse_p…

…l_hub Add Synapse Private Link Hub Module
PerfectThymeTech · Nov 18, 2024 · 0595de8 · 0595de8
2 parents 65a4aed + b0f0927
commit 0595de8
Showing 13 changed files with 333 additions and 181 deletions.
diff --git a/.github/workflows/terraform-synapseprivetlinkhub.yml b/.github/workflows/terraform-synapseprivetlinkhub.yml
@@ -0,0 +1,29 @@
+name: synapseprivetlinkhub tests
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "modules/synapseprivetlinkhub/**"
+      - ".github/workflows/terraform-synapseprivetlinkhub.yml"
+
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "modules/synapseprivetlinkhub/**"
+      - ".github/workflows/terraform-synapseprivetlinkhub.yml"
+
+jobs:
+  terraform_dev:
+    uses: ./.github/workflows/_terraformTestTemplate.yml
+    name: "Dev"
+    with:
+      environment: "dev"
+      config: "synapseprivetlinkhub"
+      terraform_version: "1.9.6"
+      node_version: 20
+      tenant_id: "37963dd4-f4e6-40f8-a7d6-24b97919e452"
+      subscription_id: "1fdab118-1638-419a-8b12-06c9543714a0"
+    secrets:
+      CLIENT_ID: ${{ secrets.CLIENT_ID }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -18,7 +18,8 @@ exclude: |
     modules/loganalytics/README.md|
     modules/storage/README.md|
     modules/userassignedidentity/README.md|
-    modules/aistudiooutboundrules/README.md
+    modules/aistudiooutboundrules/README.md|
+    modules/synapseprivetlinkhub/README.md
   )$
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
@@ -71,6 +72,8 @@ repos:
       args: ["-c", "./.terraform-docs.yml", "./modules/userassignedidentity"]
     - id: terraform-docs-go
       args: ["-c", "./.terraform-docs.yml", "./modules/aistudiooutboundrules"]
+    - id: terraform-docs-go
+      args: ["-c", "./.terraform-docs.yml", "./modules/synapseprivetlinkhub"]
 - repo: local
   hooks:
     - id: terraform-fmt

diff --git a/README.md b/README.md
@@ -19,5 +19,6 @@ This repository contains secure by default Terraform modules for Azure Services.
 - [Azure Log Analytics Workspace](/modules/loganalytics/)
 - [Azure Storage Account](/modules/storage/)
 - [Azure User Assigned Identity](/modules/userassignedidentity/)
+- [Azure Synapse Private Link Hub](/modules/synapseprivetlinkhub/)
 - [Microsoft Fabric Capacity](/modules/fabriccapacity/)
 - [Microsoft Fabric Workspace](/modules/fabricworkspace/)
diff --git a/modules/synapseprivetlinkhub/README.md b/modules/synapseprivetlinkhub/README.md
@@ -0,0 +1,112 @@
+<!-- BEGIN_TF_DOCS -->
+# Azure Synapse Private Link Hub Terraform Module
+
+## Documentation
+<!-- markdownlint-disable MD033 -->
+
+## Requirements
+
+The following requirements are needed by this module:
+
+- <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) (>=0.12)
+
+- <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) (~> 4.0)
+
+- <a name="requirement_time"></a> [time](#requirement\_time) (~> 0.9)
+
+## Modules
+
+No modules.
+
+<!-- markdownlint-disable MD013 -->
+<!-- markdownlint-disable MD034 -->
+## Required Inputs
+
+The following input variables are required:
+
+### <a name="input_location"></a> [location](#input\_location)
+
+Description: Specifies the location of all resources.
+
+Type: `string`
+
+### <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name)
+
+Description: Specifies the resource group name in which all resources will get deployed.
+
+Type: `string`
+
+### <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id)
+
+Description: Specifies the resource id of a subnet in which the private endpoints get created.
+
+Type: `string`
+
+### <a name="input_synapse_private_link_hub_name"></a> [synapse\_private\_link\_hub\_name](#input\_synapse\_private\_link\_hub\_name)
+
+Description: Specifies the name of the synapse private link hub.
+
+Type: `string`
+
+## Optional Inputs
+
+The following input variables are optional (have default values):
+
+### <a name="input_connectivity_delay_in_seconds"></a> [connectivity\_delay\_in\_seconds](#input\_connectivity\_delay\_in\_seconds)
+
+Description: Specifies the delay in seconds after the private endpoint deployment (required for the DNS automation via Policies).
+
+Type: `number`
+
+Default: `120`
+
+### <a name="input_diagnostics_configurations"></a> [diagnostics\_configurations](#input\_diagnostics\_configurations)
+
+Description: Specifies the diagnostic configuration for the service.
+
+Type:
+
+```hcl
+list(object({
+    log_analytics_workspace_id = optional(string, ""),
+    storage_account_id         = optional(string, "")
+  }))
+```
+
+Default: `[]`
+
+### <a name="input_private_dns_zone_id_synapse_portal"></a> [private\_dns\_zone\_id\_synapse\_portal](#input\_private\_dns\_zone\_id\_synapse\_portal)
+
+Description: Specifies the resource ID of the private DNS zone for Synapse PL Hub. Not required if DNS A-records get created via Azure Policy.
+
+Type: `string`
+
+Default: `""`
+
+### <a name="input_tags"></a> [tags](#input\_tags)
+
+Description: Specifies a key value map of tags to set on every taggable resources.
+
+Type: `map(string)`
+
+Default: `{}`
+
+## Outputs
+
+The following outputs are exported:
+
+### <a name="output_synapse_private_link_hub_id"></a> [synapse\_private\_link\_hub\_id](#output\_synapse\_private\_link\_hub\_id)
+
+Description: Specifies the key vault resource id.
+
+### <a name="output_synapse_private_link_hub_name"></a> [synapse\_private\_link\_hub\_name](#output\_synapse\_private\_link\_hub\_name)
+
+Description: Specifies the key vault resource name.
+
+### <a name="output_synapse_private_link_hub_setup_completed"></a> [synapse\_private\_link\_hub\_setup\_completed](#output\_synapse\_private\_link\_hub\_setup\_completed)
+
+Description: Specifies whether the connectivity and identity has been successfully configured.
+
+<!-- markdownlint-enable -->
+
+<!-- END_TF_DOCS -->
diff --git a/modules/synapseprivetlinkhub/README_footer.md b/modules/synapseprivetlinkhub/README_footer.md
diff --git a/modules/synapseprivetlinkhub/README_header.md b/modules/synapseprivetlinkhub/README_header.md
@@ -0,0 +1 @@
+# Azure Synapse Private Link Hub Terraform Module
diff --git a/modules/synapseprivetlinkhub/connectivity.tf b/modules/synapseprivetlinkhub/connectivity.tf
@@ -0,0 +1,38 @@
+resource "azurerm_private_endpoint" "private_endpoint_synapse_private_link_hub_web" {
+  name                = "${azurerm_synapse_private_link_hub.synapse_private_link_hub.name}-web-pe"
+  location            = azurerm_synapse_private_link_hub.synapse_private_link_hub.location
+  resource_group_name = azurerm_synapse_private_link_hub.synapse_private_link_hub.resource_group_name
+  tags                = var.tags
+
+  custom_network_interface_name = "${azurerm_synapse_private_link_hub.synapse_private_link_hub.name}-web-nic"
+  private_service_connection {
+    name                           = "${azurerm_synapse_private_link_hub.synapse_private_link_hub.name}-web-svc"
+    is_manual_connection           = false
+    private_connection_resource_id = azurerm_synapse_private_link_hub.synapse_private_link_hub.id
+    subresource_names              = ["web"]
+  }
+  subnet_id = var.subnet_id
+  dynamic "private_dns_zone_group" {
+    for_each = var.private_dns_zone_id_synapse_portal == "" ? [] : [1]
+    content {
+      name = "${azurerm_synapse_private_link_hub.synapse_private_link_hub.name}-arecord"
+      private_dns_zone_ids = [
+        var.private_dns_zone_id_synapse_portal
+      ]
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      private_dns_zone_group
+    ]
+  }
+}
+
+resource "time_sleep" "sleep_connectivity" {
+  create_duration = "${var.connectivity_delay_in_seconds}s"
+
+  depends_on = [
+    azurerm_private_endpoint.private_endpoint_synapse_private_link_hub_web,
+  ]
+}
diff --git a/modules/synapseprivetlinkhub/main.tf b/modules/synapseprivetlinkhub/main.tf
@@ -0,0 +1,6 @@
+resource "azurerm_synapse_private_link_hub" "synapse_private_link_hub" {
+  name                = var.synapse_private_link_hub_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  tags                = var.tags
+}
diff --git a/modules/synapseprivetlinkhub/outputs.tf b/modules/synapseprivetlinkhub/outputs.tf
@@ -0,0 +1,21 @@
+output "synapse_private_link_hub_id" {
+  description = "Specifies the key vault resource id."
+  value       = azurerm_synapse_private_link_hub.synapse_private_link_hub.id
+  sensitive   = false
+}
+
+output "synapse_private_link_hub_name" {
+  description = "Specifies the key vault resource name."
+  value       = azurerm_synapse_private_link_hub.synapse_private_link_hub.name
+  sensitive   = false
+}
+
+output "synapse_private_link_hub_setup_completed" {
+  description = "Specifies whether the connectivity and identity has been successfully configured."
+  value       = true
+  sensitive   = false
+
+  depends_on = [
+    time_sleep.sleep_connectivity,
+  ]
+}
diff --git a/modules/synapseprivetlinkhub/terraform.tf b/modules/synapseprivetlinkhub/terraform.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">=0.12"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 4.0"
+    }
+    time = {
+      source  = "hashicorp/time"
+      version = "~> 0.9"
+    }
+  }
+}
diff --git a/modules/synapseprivetlinkhub/tests/test.tftest.hcl b/modules/synapseprivetlinkhub/tests/test.tftest.hcl
@@ -0,0 +1,21 @@
+run "create_synapse_private_link_hub" {
+  command = apply
+
+  variables {
+    location            = "northeurope"
+    resource_group_name = "tfmodule-test-rg"
+    tags = {
+      test = "synapse-pl-hub"
+    }
+    synapse_private_link_hub_name      = "tftstr001"
+    diagnostics_configurations         = []
+    subnet_id                          = "/subscriptions/1fdab118-1638-419a-8b12-06c9543714a0/resourceGroups/ptt-dev-networking-rg/providers/Microsoft.Network/virtualNetworks/spoke-ptt-dev-vnet001/subnets/TerraformTestSubnet"
+    connectivity_delay_in_seconds      = 0
+    private_dns_zone_id_synapse_portal = "/subscriptions/e82c5267-9dc4-4f45-ac13-abdd5e130d27/resourceGroups/ptt-dev-privatedns-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azuresynapse.net"
+  }
+
+  assert {
+    condition     = azurerm_synapse_private_link_hub.synapse_private_link_hub.resource_group_name == "tfmodule-test-rg"
+    error_message = "Failed to deploy."
+  }
+}
diff --git a/modules/synapseprivetlinkhub/variables.tf b/modules/synapseprivetlinkhub/variables.tf
@@ -0,0 +1,86 @@
+# General variables
+variable "location" {
+  description = "Specifies the location of all resources."
+  type        = string
+  sensitive   = false
+  nullable    = false
+}
+
+variable "resource_group_name" {
+  description = "Specifies the resource group name in which all resources will get deployed."
+  type        = string
+  sensitive   = false
+  nullable    = false
+  validation {
+    condition     = length(var.resource_group_name) >= 2
+    error_message = "Please specify a valid resource group name."
+  }
+}
+
+variable "tags" {
+  description = "Specifies a key value map of tags to set on every taggable resources."
+  type        = map(string)
+  sensitive   = false
+  nullable    = false
+  default     = {}
+}
+
+# Synapse private link hub variables
+variable "synapse_private_link_hub_name" {
+  description = "Specifies the name of the synapse private link hub."
+  type        = string
+  sensitive   = false
+  nullable    = false
+}
+
+# Diagnostics variables
+variable "diagnostics_configurations" {
+  description = "Specifies the diagnostic configuration for the service."
+  type = list(object({
+    log_analytics_workspace_id = optional(string, ""),
+    storage_account_id         = optional(string, "")
+  }))
+  sensitive = false
+  default   = []
+  validation {
+    condition = alltrue([
+      length([for diagnostics_configuration in toset(var.diagnostics_configurations) : diagnostics_configuration if diagnostics_configuration.log_analytics_workspace_id == "" && diagnostics_configuration.storage_account_id == ""]) <= 0
+    ])
+    error_message = "Please specify a valid resource ID."
+  }
+}
+
+# Network variables
+variable "subnet_id" {
+  description = "Specifies the resource id of a subnet in which the private endpoints get created."
+  type        = string
+  sensitive   = false
+  validation {
+    condition     = length(split("/", var.subnet_id)) == 11
+    error_message = "Please specify a valid subnet id."
+  }
+}
+
+variable "connectivity_delay_in_seconds" {
+  description = "Specifies the delay in seconds after the private endpoint deployment (required for the DNS automation via Policies)."
+  type        = number
+  sensitive   = false
+  nullable    = false
+  default     = 120
+  validation {
+    condition     = var.connectivity_delay_in_seconds >= 0
+    error_message = "Please specify a valid non-negative number."
+  }
+}
+
+# DNS variables
+variable "private_dns_zone_id_synapse_portal" {
+  description = "Specifies the resource ID of the private DNS zone for Synapse PL Hub. Not required if DNS A-records get created via Azure Policy."
+  type        = string
+  sensitive   = false
+  default     = ""
+  validation {
+    condition     = var.private_dns_zone_id_synapse_portal == "" || (length(split("/", var.private_dns_zone_id_synapse_portal)) == 9 && endswith(var.private_dns_zone_id_synapse_portal, "privatelink.azuresynapse.net"))
+    error_message = "Please specify a valid resource ID for the private DNS Zone."
+  }
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		# Azure Synapse Private Link Hub Terraform Module