add keyvault_secrets to define secrets sequence and suffixes (#18)
* add keyvault_secrets to define secrets sequence and suffixes
add variables to customize rdma properties

* fix expression

* format
duzitong authored Sep 30, 2024
1 parent 1533162 commit af70310
Showing 4 changed files with 123 additions and 35 deletions.
52 changes: 52 additions & 0 deletions README.md
Expand Up @@ -482,6 +482,42 @@ Type: `bool`

Default: `true`

### <a name="input_keyvault_secrets"></a> [keyvault\_secrets](#input\_keyvault\_secrets)

Description: A list of key vault secrets.

Type:

```hcl
list(object({
eceSecretName = string
secretSuffix = string
}))
```

Default:

```json
[
{
"eceSecretName": "AzureStackLCMUserCredential",
"secretSuffix": "AzureStackLCMUserCredential"
},
{
"eceSecretName": "LocalAdminCredential",
"secretSuffix": "LocalAdminCredential"
},
{
"eceSecretName": "DefaultARBApplication",
"secretSuffix": "DefaultARBApplication"
},
{
"eceSecretName": "WitnessStorageKey",
"secretSuffix": "WitnessStorageKey"
}
]
```

### <a name="input_keyvault_soft_delete_retention_days"></a> [keyvault\_soft\_delete\_retention\_days](#input\_keyvault\_soft\_delete\_retention\_days)

Description: The number of days that items should be retained for soft delete.
Expand Down Expand Up @@ -604,6 +640,22 @@ Type: `bool`

Default: `false`

### <a name="input_rdma_jumbo_packet"></a> [rdma\_jumbo\_packet](#input\_rdma\_jumbo\_packet)

Description: The jumbo packet size for RDMA.

Type: `string`

Default: `"9014"`

### <a name="input_rdma_protocol"></a> [rdma\_protocol](#input\_rdma\_protocol)

Description: The RDMA protocol.

Type: `string`

Default: `"RoCEv2"`

### <a name="input_role_assignments"></a> [role\_assignments](#input\_role\_assignments)

Description: A map of role assignments to create on this resource. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
8 changes: 4 additions & 4 deletions keyvault.tf
Expand Up @@ -28,7 +28,7 @@ data "azurerm_key_vault" "key_vault" {

resource "azurerm_key_vault_secret" "azure_stack_lcm_user_credential" {
key_vault_id = local.key_vault.id
name = var.use_legacy_key_vault_model ? "AzureStackLCMUserCredential" : "${var.name}-AzureStackLCMUserCredential"
name = local.keyvault_secret_names["AzureStackLCMUserCredential"]
value = base64encode("${var.deployment_user}:${var.deployment_user_password}")
content_type = one(flatten([var.azure_stack_lcm_user_credential_content_type]))
tags = var.azure_stack_lcm_user_credential_tags
Expand All @@ -41,7 +41,7 @@ resource "azurerm_key_vault_secret" "azure_stack_lcm_user_credential" {

resource "azurerm_key_vault_secret" "local_admin_credential" {
key_vault_id = local.key_vault.id
name = var.use_legacy_key_vault_model ? "LocalAdminCredential" : "${var.name}-LocalAdminCredential"
name = local.keyvault_secret_names["LocalAdminCredential"]
value = base64encode("${var.local_admin_user}:${var.local_admin_password}")
content_type = one(flatten([var.local_admin_credential_content_type]))
tags = var.local_admin_credential_tags
Expand All @@ -54,7 +54,7 @@ resource "azurerm_key_vault_secret" "local_admin_credential" {

resource "azurerm_key_vault_secret" "default_arb_application" {
key_vault_id = local.key_vault.id
name = var.use_legacy_key_vault_model ? "DefaultARBApplication" : "${var.name}-DefaultARBApplication"
name = local.keyvault_secret_names["DefaultARBApplication"]
value = base64encode("${var.service_principal_id}:${var.service_principal_secret}")
content_type = one(flatten([var.default_arb_application_content_type]))
tags = var.default_arb_application_tags
Expand All @@ -67,7 +67,7 @@ resource "azurerm_key_vault_secret" "default_arb_application" {

resource "azurerm_key_vault_secret" "witness_storage_key" {
key_vault_id = local.key_vault.id
name = var.use_legacy_key_vault_model ? "WitnessStorageKey" : "${var.name}-WitnessStorageKey"
name = local.keyvault_secret_names["WitnessStorageKey"]
value = base64encode(var.create_witness_storage_account ? azurerm_storage_account.witness[0].primary_access_key : data.azurerm_storage_account.witness[0].primary_access_key)
content_type = one(flatten([var.witness_storage_key_content_type]))
tags = var.witness_storage_key_tags
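Review bot: The literal map keys on the four `name` lines (`local.keyvault_secret_names["AzureStackLCMUserCredential"]` and its three siblings) are now the only link between these resources and the `eceSecretName` values that `var.keyvault_secrets` accepts, and the same four strings are repeated again in the legacy map in locals.tf and in the validation in variables.tf. A one-line comment above each `name` would make that coupling visible to the next maintainer, e.g. `# key is the eceSecretName; must be one of the names accepted by var.keyvault_secrets`. Each `azurerm_key_vault_secret` block continues beyond its hunk.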
51 changes: 20 additions & 31 deletions locals.tf
Expand Up @@ -72,28 +72,7 @@ locals {
}
adouPath = var.adou_path
secretsLocation = var.use_legacy_key_vault_model ? local.secrets_location : (var.secrets_location == "" ? null : var.secrets_location)
secrets = var.use_legacy_key_vault_model ? null : [
{
secretName = "${var.name}-AzureStackLCMUserCredential"
eceSecretName = "AzureStackLCMUserCredential"
secretLocation = "${local.secrets_location}secrets/${var.name}-AzureStackLCMUserCredential"
},
{
secretName = "${var.name}-LocalAdminCredential"
eceSecretName = "LocalAdminCredential"
secretLocation = "${local.secrets_location}secrets/${var.name}-LocalAdminCredential"
},
{
secretName = "${var.name}-DefaultARBApplication"
eceSecretName = "DefaultARBApplication"
secretLocation = "${local.secrets_location}secrets/${var.name}-DefaultARBApplication"
},
{
secretName = "${var.name}-WitnessStorageKey"
eceSecretName = "WitnessStorageKey"
secretLocation = "${local.secrets_location}secrets/${var.name}-WitnessStorageKey"
}
]
secrets = var.use_legacy_key_vault_model ? null : local.keyvault_secrets
optionalServices = {
customLocation = var.custom_location_name
}
Expand All @@ -114,11 +93,26 @@ locals {
}
deployment_setting_properties_omit_null = { for k, v in local.deployment_setting_properties : k => v if v != null }
key_vault = var.create_key_vault ? azurerm_key_vault.deployment_keyvault[0] : data.azurerm_key_vault.key_vault[0]
owned_user_storages = [for storage in local.decoded_user_storages : storage if lower(storage.extendedLocation.name) == lower(data.azapi_resource.customlocation.id)]
keyvault_secret_names = var.use_legacy_key_vault_model ? {
"AzureStackLCMUserCredential" = "AzureStackLCMUserCredential"
"LocalAdminCredential" = "LocalAdminCredential"
"DefaultARBApplication" = "DefaultARBApplication"
"WitnessStorageKey" = "WitnessStorageKey"
} : {
for secret in var.keyvault_secrets : secret.eceSecretName => "${var.name}-${secret.secretSuffix}"
}
keyvault_secrets = [
for secret in var.keyvault_secrets : {
secretName = local.keyvault_secret_names[secret.eceSecretName]
eceSecretName = secret.eceSecretName
secretLocation = "${local.secrets_location}secrets/${local.keyvault_secret_names[secret.eceSecretName]}"
}
]
owned_user_storages = [for storage in local.decoded_user_storages : storage if lower(storage.extendedLocation.name) == lower(data.azapi_resource.customlocation.id)]
rdma_adapter_properties = {
jumboPacket = "9014"
jumboPacket = var.rdma_jumbo_packet
networkDirect = "Enabled"
networkDirectTechnology = "RoCEv2"
networkDirectTechnology = var.rdma_protocol
}
role_assignments = flatten([
for server_key, arcserver in data.azurerm_arc_machine.arcservers : [
Expand Down Expand Up @@ -164,7 +158,7 @@ locals {
loadBalancingAlgorithm = ""
},
qosPolicyOverrides = var.storage_qos_policy_overrides,
adapterPropertyOverrides = var.storage_rdma_enabled ? (var.storage_connectivity_switchless ? local.switchless_adapter_properties : local.rdma_adapter_properties) : local.adapter_properties
adapterPropertyOverrides = var.storage_rdma_enabled ? local.rdma_adapter_properties : local.adapter_properties
}]
storage_adapters = flatten([for storageNetwork in var.storage_networks : storageNetwork.networkAdapterName])
storage_networks = var.storage_adapter_ip_info == null ? flatten(var.storage_networks) : [
Expand All @@ -175,10 +169,5 @@ locals {
storageAdapterIPInfo = var.storage_adapter_ip_info[storageNetwork.name]
}
]
switchless_adapter_properties = {
jumboPacket = "9014"
networkDirect = "Enabled"
networkDirectTechnology = "iWARP"
}
witness_storage_account_resource_group_name = var.witness_storage_account_resource_group_name == "" ? var.resource_group_name : var.witness_storage_account_resource_group_name
}
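Review bot: Dropping the `var.storage_connectivity_switchless ? local.switchless_adapter_properties : …` branch in `adapterPropertyOverrides` silently changes the default for switchless deployments: they previously got `networkDirectTechnology = "iWARP"` from the removed `switchless_adapter_properties` local and now get `var.rdma_protocol`, whose default is `"RoCEv2"`, unless the caller sets the variable. If the old behaviour should be kept, only the protocol needs parameterising, e.g. `networkDirectTechnology = var.storage_connectivity_switchless ? "iWARP" : var.rdma_protocol`; if the change is intended, it belongs in the `rdma_protocol` description and README so switchless users know to set it. Separately, the new `keyvault_secret_names` map ignores `var.keyvault_secrets` entirely in legacy mode, and its `for … => …` expression will fail with a duplicate-key error if two entries share an `eceSecretName`; a comment on the legacy branch such as `# legacy model: fixed secret names, var.keyvault_secrets is not consulted` would save the next reader a trip to variables.tf. The `locals` block opens before the first hunk.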
47 changes: 47 additions & 0 deletions variables.tf
Expand Up @@ -339,6 +339,41 @@ variable "keyvault_purge_protection_enabled" {
description = "Indicates whether purge protection is enabled."
}

variable "keyvault_secrets" {
type = list(object({
eceSecretName = string
secretSuffix = string
}))
default = [
{
eceSecretName = "AzureStackLCMUserCredential"
secretSuffix = "AzureStackLCMUserCredential"
},
{
eceSecretName = "LocalAdminCredential"
secretSuffix = "LocalAdminCredential"
},
{
eceSecretName = "DefaultARBApplication"
secretSuffix = "DefaultARBApplication"
},
{
eceSecretName = "WitnessStorageKey"
secretSuffix = "WitnessStorageKey"
}
]
description = "A list of key vault secrets."

validation {
condition = var.use_legacy_key_vault_model || length(var.keyvault_secrets) == 4
error_message = "keyvault_secrets must be provided when use_legacy_key_vault_model is false. EceSecretNames are AzureStackLCMUserCredential, LocalAdminCredential, DefaultARBApplication, WitnessStorageKey."
}
validation {
condition = var.use_legacy_key_vault_model || alltrue([for secret in var.keyvault_secrets : contains(["AzureStackLCMUserCredential", "LocalAdminCredential", "DefaultARBApplication", "WitnessStorageKey"], secret.eceSecretName)])
error_message = "keyvault_secrets must be provided when use_legacy_key_vault_model is false. EceSecretNames are AzureStackLCMUserCredential, LocalAdminCredential, DefaultARBApplication, WitnessStorageKey."
}
}

variable "keyvault_soft_delete_retention_days" {
type = number
default = 30
Expand Down Expand Up @@ -437,6 +472,18 @@ variable "rdma_enabled" {
description = "Enables RDMA when set to true. In a converged network configuration, this will make the network use RDMA. In a dedicated storage network configuration, enabling this will enable RDMA on the storage network."
}

variable "rdma_jumbo_packet" {
type = string
default = "9014"
description = "The jumbo packet size for RDMA."
}

variable "rdma_protocol" {
type = string
default = "RoCEv2"
description = "The RDMA protocol."
}

variable "role_assignments" {
type = map(object({
role_definition_id_or_name = string
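Review bot: The second `validation` block on `keyvault_secrets` reuses the first block's `error_message`, so an entry with an unknown `eceSecretName` is reported as "must be provided", and neither block rejects duplicate `eceSecretName` values, which satisfy both the length and the `contains` checks and only fail later in the `keyvault_secret_names` for-expression in locals.tf with a duplicate-key error rather than at the variable. Tighten the rules so the mistake is reported where it is made: a distinctness check plus messages that name the actual problem. `secretSuffix` is also interpolated unchecked into the Key Vault secret name (`"${var.name}-${secret.secretSuffix}"`); Key Vault object names allow only letters, digits and dashes, so a `can(regex(...))` check on the suffix catches a malformed name at plan time instead of at apply. The description `"A list of key vault secrets."` should also say the list is only consulted when `use_legacy_key_vault_model` is false and how the secret name is formed.
```hcl
variable "keyvault_secrets" {
  # … unchanged: type and default …
  description = "A list of key vault secrets. Used only when use_legacy_key_vault_model is false; each entry's eceSecretName must be one of the four known names and the Key Vault secret is created as \"<name>-<secretSuffix>\"."

  validation {
    condition     = var.use_legacy_key_vault_model || length(var.keyvault_secrets) == 4
    error_message = "keyvault_secrets must contain exactly 4 entries when use_legacy_key_vault_model is false."
  }
  validation {
    condition     = var.use_legacy_key_vault_model || length(distinct([for secret in var.keyvault_secrets : secret.eceSecretName])) == length(var.keyvault_secrets)
    error_message = "keyvault_secrets must not contain duplicate eceSecretName values."
  }
  validation {
    condition     = var.use_legacy_key_vault_model || alltrue([for secret in var.keyvault_secrets : contains(["AzureStackLCMUserCredential", "LocalAdminCredential", "DefaultARBApplication", "WitnessStorageKey"], secret.eceSecretName)])
    error_message = "Unknown eceSecretName in keyvault_secrets. Allowed values are AzureStackLCMUserCredential, LocalAdminCredential, DefaultARBApplication, WitnessStorageKey."
  }
  validation {
    condition     = alltrue([for secret in var.keyvault_secrets : can(regex("^[0-9a-zA-Z-]{1,127}$", secret.secretSuffix))])
    error_message = "secretSuffix values may contain only letters, digits and dashes (1-127 characters)."
  }
}
```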
