Merge pull request #1 from dodevops/feature/te/DO-779-improvements

feat(DO-779): Several little improvements and new features
dodevops · Aug 26, 2021 · 175aff3 · 175aff3
2 parents b0434c0 + d33d108
commit 175aff3
Show file tree

Hide file tree

Showing 6 changed files with 91 additions and 42 deletions.
diff --git a/README.md b/README.md
@@ -38,6 +38,7 @@ The following resources are used by this module:
 - [azurerm_mysql_firewall_rule.firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_firewall_rule) (resource)
 - [azurerm_mysql_server.server](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server) (resource)
 - [azurerm_mysql_virtual_network_rule.virtualnetworks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_virtual_network_rule) (resource)
+- [azurerm_private_endpoint.mysql-private-endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) (resource)
 
 ## Required Inputs
 
@@ -49,6 +50,19 @@ Description: Admin password
 
 Type: `string`
 
+### charset
+
+Description: Charset for the databases, which needs to be a valid PostgreSQL charset
+
+Type: `string`
+
+### collation
+
+Description:     Collation for the databases, which needs to be a valid PostgreSQL collation. Note that Microsoft uses  
+    different notation - f.e. en-US instead of en\_US
+
+Type: `string`
+
 ### database\_suffixes
 
 Description: List of suffixes for databases to be created
@@ -94,7 +108,8 @@ Default: `"mysqladmin"`
 ### allowed\_ips
 
 Description:     A hash of permissions to access the database server by ip. The hash key is the name suffix and each value  
-    has a start and an end value.
+    has a start and an end value. For public access set start\_ip\_address to 0.0.0.0 and end\_ip\_address to  
+    255.255.255.255. This variable is not used if public\_access = false.
 
 Type:
 
@@ -141,27 +156,30 @@ Default: `"8.0"`
 
 ### public\_access
 
-Description: Wether to allow public access to the database server
+Description:     Wether to allow public access to the database server. True will create firewall rules for allowed\_ips and for subnets. False will  
+    create a private endpoint in each given subnet (allowed\_ips will not be used then) - you have to set  
+    enforce\_private\_link\_endpoint\_network\_policies = true on your subnet in this case (see  
+    https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet#enforce_private_link_endpoint_network_policies).
 
 Type: `bool`
 
 Default: `false`
 
-### suffix
+### subnets
 
-Description: Naming suffix to allow multiple instances of this module
+Description: Maps of prefix => subnet id that has access to the server
 
-Type: `string`
+Type: `map(string)`
 
-Default: `""`
+Default: `{}`
 
-### virtual\_networks
+### suffix
 
-Description: Maps of prefix => virtual network id that has access to the server
+Description: Naming suffix to allow multiple instances of this module
 
-Type: `map(string)`
+Type: `string`
 
-Default: `{}`
+Default: `""`
 
 ## Outputs
 

diff --git a/databases.tf b/databases.tf
@@ -0,0 +1,8 @@
+resource "azurerm_mysql_database" "db" {
+  for_each            = toset(var.database_suffixes)
+  name                = "${var.project}${var.stage}db${each.value}"
+  resource_group_name = var.resource_group
+  server_name         = azurerm_mysql_server.server.name
+  charset             = var.charset
+  collation           = var.collation
+}
diff --git a/firewall.tf b/firewall.tf
@@ -1,5 +1,5 @@
 resource "azurerm_mysql_firewall_rule" "firewall" {
-  for_each            = var.allowed_ips
+  for_each            = var.public_access == true ? var.allowed_ips : {}
   start_ip_address    = each.value.start
   end_ip_address      = each.value.end
   name                = "${var.project}${var.stage}dbfw${each.key}"
@@ -8,9 +8,24 @@ resource "azurerm_mysql_firewall_rule" "firewall" {
 }
 
 resource "azurerm_mysql_virtual_network_rule" "virtualnetworks" {
-  for_each            = var.subnets
+  for_each            = var.public_access == true ? var.subnets : {}
   name                = "${var.project}${var.stage}dbfwnet${each.key}"
   resource_group_name = var.resource_group
   server_name         = azurerm_mysql_server.server.name
   subnet_id           = each.value
 }
+
+resource "azurerm_private_endpoint" "mysql-private-endpoint" {
+  for_each            = var.public_access == false ? var.subnets : {}
+  name                = "${each.value}-mysql-${azurerm_mysql_server.server.id}-endpoint"
+  location            = var.location
+  resource_group_name = var.resource_group
+  subnet_id           = each.value
+
+  private_service_connection {
+    name                           = "${each.value}-mysql-${azurerm_mysql_server.server.id}-privateserviceconnection"
+    private_connection_resource_id = azurerm_mysql_server.server.id
+    subresource_names              = ["mysqlServer"]
+    is_manual_connection           = false
+  }
+}
diff --git a/main.tf b/main.tf
diff --git a/server.tf b/server.tf
@@ -0,0 +1,17 @@
+resource "azurerm_mysql_server" "server" {
+  name                          = "${var.project}${var.stage}dbsrv"
+  location                      = var.location
+  resource_group_name           = var.resource_group
+  administrator_login           = var.admin_login
+  administrator_login_password  = var.admin_password
+  sku_name                      = var.database_host_sku
+  storage_mb                    = var.database_storage
+  version                       = var.database_version
+  backup_retention_days         = var.backup_retention_days
+  public_network_access_enabled = var.public_access
+
+  auto_grow_enabled                 = true
+  geo_redundant_backup_enabled      = false
+  infrastructure_encryption_enabled = true
+  ssl_enforcement_enabled           = true
+}
diff --git a/vars.tf b/vars.tf
@@ -35,6 +35,19 @@ variable "suffix" {
   default     = ""
 }
 
+variable "charset" {
+  type        = string
+  description = "Charset for the databases, which needs to be a valid PostgreSQL charset"
+}
+
+variable "collation" {
+  type        = string
+  description = <<EOF
+    Collation for the databases, which needs to be a valid PostgreSQL collation. Note that Microsoft uses
+    different notation - f.e. en-US instead of en_US
+  EOF
+}
+
 variable "backup_retention_days" {
   type        = number
   description = "Number of days to keep backups"
@@ -69,15 +82,21 @@ variable "database_storage" {
 }
 
 variable "public_access" {
-  description = "Wether to allow public access to the database server"
   type        = bool
+  description = <<EOF
+    Wether to allow public access to the database server. True will create firewall rules for allowed_ips and for subnets. False will
+    create a private endpoint in each given subnet (allowed_ips will not be used then) - you have to set
+    enforce_private_link_endpoint_network_policies = true on your subnet in this case (see
+    https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet#enforce_private_link_endpoint_network_policies).
+  EOF
   default     = false
 }
 
 variable "allowed_ips" {
   description = <<EOF
     A hash of permissions to access the database server by ip. The hash key is the name suffix and each value
-    has a start and an end value.
+    has a start and an end value. For public access set start_ip_address to 0.0.0.0 and end_ip_address to
+    255.255.255.255. This variable is not used if public_access = false.
   EOF
   type = map(object({
     start = string,