Use resource group id & handle no witness storage account (#21)

* Use resource group id * update * update comment * handle no witness storage account --------- Co-authored-by: Hangyu Xu <[email protected]>
Azure · Oct 11, 2024 · 37b0390 · 37b0390
1 parent df23675
commit 37b0390
Show file tree

Hide file tree

Showing 10 changed files with 67 additions and 74 deletions.
diff --git a/README.md b/README.md
@@ -49,7 +49,6 @@ The following resources are used by this module:
 - [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) (data source)
 - [azurerm_client_config.telemetry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) (data source)
 - [azurerm_key_vault.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) (data source)
-- [azurerm_resource_group.rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) (data source)
 - [azurerm_storage_account.witness](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) (data source)
 - [modtm_module_source.telemetry](https://registry.terraform.io/providers/azure/modtm/latest/docs/data-sources/module_source) (data source)
 
@@ -142,9 +141,15 @@ Description: The name of the HCI cluster. Must be the same as the name when prep
 
 Type: `string`
 
-### <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name)
+### <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id)
 
-Description: The resource group where the resources will be deployed.
+Description: The resource id of resource group.
+
+Type: `string`
+
+### <a name="input_resource_group_location"></a> [resource\_group\_location](#input\_resource\_group\_location)
+
+Description: The location of resource group.
 
 Type: `string`
 
@@ -511,28 +516,7 @@ list(object({
   }))
 ```
 
-Default:
-
-```json
-[
-  {
-    "eceSecretName": "AzureStackLCMUserCredential",
-    "secretSuffix": "AzureStackLCMUserCredential"
-  },
-  {
-    "eceSecretName": "LocalAdminCredential",
-    "secretSuffix": "LocalAdminCredential"
-  },
-  {
-    "eceSecretName": "DefaultARBApplication",
-    "secretSuffix": "DefaultARBApplication"
-  },
-  {
-    "eceSecretName": "WitnessStorageKey",
-    "secretSuffix": "WitnessStorageKey"
-  }
-]
-```
+Default: `[]`
 
 ### <a name="input_keyvault_soft_delete_retention_days"></a> [keyvault\_soft\_delete\_retention\_days](#input\_keyvault\_soft\_delete\_retention\_days)
 

diff --git a/examples/default/README.md b/examples/default/README.md
@@ -35,9 +35,10 @@ module "test" {
   # source             = "Azure/avm-res-azurestackhci-cluster/azurerm"
   # version = "~> 0.1.0"
 
-  location            = data.azurerm_resource_group.rg.location
-  name                = local.name
-  resource_group_name = data.azurerm_resource_group.rg.name
+  location                = data.azurerm_resource_group.rg.location
+  name                    = local.name
+  resource_group_id       = data.azurerm_resource_group.rg.id
+  resource_group_location = data.azurerm_resource_group.rg.location
 
   enable_telemetry = var.enable_telemetry # see variables.tf
 

diff --git a/examples/default/main.tf b/examples/default/main.tf
@@ -29,9 +29,10 @@ module "test" {
   # source             = "Azure/avm-res-azurestackhci-cluster/azurerm"
   # version = "~> 0.1.0"
 
-  location            = data.azurerm_resource_group.rg.location
-  name                = local.name
-  resource_group_name = data.azurerm_resource_group.rg.name
+  location                = data.azurerm_resource_group.rg.location
+  name                    = local.name
+  resource_group_id       = data.azurerm_resource_group.rg.id
+  resource_group_location = data.azurerm_resource_group.rg.location
 
   enable_telemetry = var.enable_telemetry # see variables.tf
 

diff --git a/keyvault.tf b/keyvault.tf
@@ -3,9 +3,9 @@ data "azurerm_client_config" "current" {}
 resource "azurerm_key_vault" "deployment_keyvault" {
   count = var.create_key_vault ? 1 : 0
 
-  location                        = var.key_vault_location == "" ? data.azurerm_resource_group.rg.location : var.key_vault_location
+  location                        = var.key_vault_location == "" ? var.resource_group_location : var.key_vault_location
   name                            = var.random_suffix ? "${var.keyvault_name}-${random_integer.random_suffix.result}" : var.keyvault_name
-  resource_group_name             = var.resource_group_name
+  resource_group_name             = local.resource_group_name
   sku_name                        = "standard"
   tenant_id                       = data.azurerm_client_config.current.tenant_id
   enable_rbac_authorization       = true
@@ -23,7 +23,7 @@ data "azurerm_key_vault" "key_vault" {
   count = var.create_key_vault ? 0 : 1
 
   name                = var.keyvault_name
-  resource_group_name = var.key_vault_resource_group == "" ? data.azurerm_resource_group.rg.name : var.key_vault_resource_group
+  resource_group_name = var.key_vault_resource_group == "" ? local.resource_group_name : var.key_vault_resource_group
 }
 
 resource "azurerm_key_vault_secret" "azure_stack_lcm_user_credential" {

diff --git a/locals.tf b/locals.tf
@@ -4,8 +4,24 @@ locals {
     networkDirect           = "Disabled"
     networkDirectTechnology = ""
   }
-  combined_adapters = setintersection(toset(var.management_adapters), toset(local.storage_adapters))
-  converged         = (length(local.combined_adapters) == length(var.management_adapters)) && (length(local.combined_adapters) == length(local.storage_adapters))
+  auto_generated_secrets = (var.witness_type == null || var.witness_type == "") ? local.base_secrets : concat(local.base_secrets, [local.witness_secret])
+  base_secrets = [
+    {
+      eceSecretName = "AzureStackLCMUserCredential"
+      secretSuffix  = "AzureStackLCMUserCredential"
+    },
+    {
+      eceSecretName = "LocalAdminCredential"
+      secretSuffix  = "LocalAdminCredential"
+    },
+    {
+      eceSecretName = "DefaultARBApplication"
+      secretSuffix  = "DefaultARBApplication"
+    }
+  ]
+  combined_adapters         = setintersection(toset(var.management_adapters), toset(local.storage_adapters))
+  combined_keyvault_secrets = length(var.keyvault_secrets) != 0 ? var.keyvault_secrets : local.auto_generated_secrets
+  converged                 = (length(local.combined_adapters) == length(var.management_adapters)) && (length(local.combined_adapters) == length(local.storage_adapters))
   converged_intents = [{
     name                               = var.intent_name,
     trafficType                        = var.traffic_type,
@@ -99,10 +115,10 @@ locals {
     "DefaultARBApplication"       = "DefaultARBApplication"
     "WitnessStorageKey"           = "WitnessStorageKey"
     } : {
-    for secret in var.keyvault_secrets : secret.eceSecretName => "${var.name}-${secret.secretSuffix}"
+    for secret in local.combined_keyvault_secrets : secret.eceSecretName => "${var.name}-${secret.secretSuffix}"
   }
   keyvault_secrets = [
-    for secret in var.keyvault_secrets : {
+    for secret in local.combined_keyvault_secrets : {
       secretName     = local.keyvault_secret_names[secret.eceSecretName]
       eceSecretName  = secret.eceSecretName
       secretLocation = "${local.secrets_location}secrets/${local.keyvault_secret_names[secret.eceSecretName]}"
@@ -114,6 +130,10 @@ locals {
     networkDirect           = "Enabled"
     networkDirectTechnology = var.rdma_protocol
   }
+  # The resource group name is the last element of the split result
+  resource_group_name = element(local.resource_group_parts, length(local.resource_group_parts) - 1)
+  # Split the resource group ID into parts based on '/'
+  resource_group_parts = split("/", var.resource_group_id)
   role_assignments = flatten([
     for server_key, arcserver in data.azurerm_arc_machine.arcservers : [
       for role_key, role_name in local.roles : {
@@ -169,5 +189,9 @@ locals {
       storageAdapterIPInfo = var.storage_adapter_ip_info[storageNetwork.name]
     }
   ]
-  witness_storage_account_resource_group_name = var.witness_storage_account_resource_group_name == "" ? var.resource_group_name : var.witness_storage_account_resource_group_name
+  witness_secret = {
+    eceSecretName = "WitnessStorageKey"
+    secretSuffix  = "WitnessStorageKey"
+  }
+  witness_storage_account_resource_group_name = var.witness_storage_account_resource_group_name == "" ? local.resource_group_name : var.witness_storage_account_resource_group_name
 }
diff --git a/main.tf b/main.tf
@@ -1,25 +1,21 @@
-data "azurerm_resource_group" "rg" {
-  name = var.resource_group_name
-}
-
 data "azapi_resource" "arcbridge" {
   type      = "Microsoft.ResourceConnector/appliances@2022-10-27"
   name      = "${var.name}-arcbridge"
-  parent_id = data.azurerm_resource_group.rg.id
+  parent_id = var.resource_group_id
 
   depends_on = [azapi_update_resource.deploymentsetting]
 }
 
 data "azapi_resource" "customlocation" {
   type      = "Microsoft.ExtendedLocation/customLocations@2021-08-15"
   name      = var.custom_location_name
-  parent_id = data.azurerm_resource_group.rg.id
+  parent_id = var.resource_group_id
 
   depends_on = [azapi_update_resource.deploymentsetting]
 }
 
 data "azapi_resource_list" "user_storages" {
-  parent_id              = data.azurerm_resource_group.rg.id
+  parent_id              = var.resource_group_id
   type                   = "Microsoft.AzureStackHCI/storagecontainers@2022-12-15-preview"
   response_export_values = ["*"]
 
@@ -41,7 +37,7 @@ resource "azapi_resource" "cluster" {
   }
   location  = var.location
   name      = var.name
-  parent_id = data.azurerm_resource_group.rg.id
+  parent_id = var.resource_group_id
   tags      = var.cluster_tags
 
   identity {

diff --git a/rolebindings.tf b/rolebindings.tf
@@ -8,7 +8,7 @@ resource "azurerm_role_assignment" "service_principal_role_assign" {
   for_each = local.rp_roles
 
   principal_id         = var.rp_service_principal_object_id == "" ? data.azuread_service_principal.hci_rp[0].object_id : var.rp_service_principal_object_id
-  scope                = data.azurerm_resource_group.rg.id
+  scope                = var.resource_group_id
   role_definition_name = each.value
 
   depends_on = [data.azuread_service_principal.hci_rp]

diff --git a/storageaccount.tf b/storageaccount.tf
@@ -3,7 +3,7 @@ resource "azurerm_storage_account" "witness" {
 
   account_replication_type         = var.account_replication_type
   account_tier                     = "Standard"
-  location                         = data.azurerm_resource_group.rg.location
+  location                         = var.resource_group_location
   name                             = var.random_suffix ? "${var.witness_storage_account_name}${random_integer.random_suffix.result}" : var.witness_storage_account_name
   resource_group_name              = local.witness_storage_account_resource_group_name
   allow_nested_items_to_be_public  = var.allow_nested_items_to_be_public

diff --git a/validate.tf b/validate.tf
@@ -5,7 +5,7 @@ data "azurerm_arc_machine" "arcservers" {
   }
 
   name                = each.key
-  resource_group_name = var.resource_group_name
+  resource_group_name = local.resource_group_name
 }
 
 resource "azapi_resource" "validatedeploymentsetting" {

diff --git a/variables.tf b/variables.tf
@@ -79,10 +79,14 @@ variable "name" {
   }
 }
 
-# This is required for most resource modules
-variable "resource_group_name" {
+variable "resource_group_id" {
   type        = string
-  description = "The resource group where the resources will be deployed."
+  description = "The resource id of resource group."
+}
+
+variable "resource_group_location" {
+  type        = string
+  description = "The location of resource group."
 }
 
 variable "servers" {
@@ -356,32 +360,15 @@ variable "keyvault_secrets" {
     eceSecretName = string
     secretSuffix  = string
   }))
-  default = [
-    {
-      eceSecretName = "AzureStackLCMUserCredential"
-      secretSuffix  = "AzureStackLCMUserCredential"
-    },
-    {
-      eceSecretName = "LocalAdminCredential"
-      secretSuffix  = "LocalAdminCredential"
-    },
-    {
-      eceSecretName = "DefaultARBApplication"
-      secretSuffix  = "DefaultARBApplication"
-    },
-    {
-      eceSecretName = "WitnessStorageKey"
-      secretSuffix  = "WitnessStorageKey"
-    }
-  ]
+  default     = []
   description = "A list of key vault secrets."
 
   validation {
-    condition     = var.use_legacy_key_vault_model || length(var.keyvault_secrets) == 4
-    error_message = "keyvault_secrets must be provided when use_legacy_key_vault_model is false. EceSecretNames are AzureStackLCMUserCredential, LocalAdminCredential, DefaultARBApplication, WitnessStorageKey."
+    condition     = var.use_legacy_key_vault_model || length(var.keyvault_secrets) == 0 || (var.witness_type == null || var.witness_type == "" && length(var.keyvault_secrets) == 3) || (var.witness_type != null && var.witness_type != "" && length(var.keyvault_secrets) == 4)
+    error_message = "When use_legacy_key_vault_model is false and keyvault_secrets is provided, it must contain exactly 3 secrets (AzureStackLCMUserCredential, LocalAdminCredential, DefaultARBApplication) if witness_type is not specified (null or empty), or 4 secrets (including WitnessStorageKey) if witness_type is specified."
   }
   validation {
-    condition     = var.use_legacy_key_vault_model || alltrue([for secret in var.keyvault_secrets : contains(["AzureStackLCMUserCredential", "LocalAdminCredential", "DefaultARBApplication", "WitnessStorageKey"], secret.eceSecretName)])
+    condition     = var.use_legacy_key_vault_model || length(var.keyvault_secrets) == 0 || alltrue([for secret in var.keyvault_secrets : contains(["AzureStackLCMUserCredential", "LocalAdminCredential", "DefaultARBApplication", "WitnessStorageKey"], secret.eceSecretName)])
     error_message = "keyvault_secrets must be provided when use_legacy_key_vault_model is false. EceSecretNames are AzureStackLCMUserCredential, LocalAdminCredential, DefaultARBApplication, WitnessStorageKey."
   }
 }