Merge pull request #1612 from aiven/byashimov-add-vnet-peering-azure-tf

add "Azure virtual network peering" howto for terraform
aiven · Dec 7, 2022 · 41327f4 · 41327f4
2 parents a21bf44 + 98202fa
commit 41327f4
Show file tree

Hide file tree

Showing 3 changed files with 225 additions and 0 deletions.
diff --git a/_toc.yml b/_toc.yml
@@ -200,6 +200,7 @@ entries:
             - file: docs/tools/terraform/howto/promote-to-master-pg-rr
               title: Promote PostgreSQL read replica to master
             - file: docs/tools/terraform/howto/upgrade-to-opensearch
+            - file: docs/tools/terraform/howto/vnet-peering-azure
         - file: docs/tools/terraform/concepts
           title: Concepts
           entries:

diff --git a/docs/platform/howto/vnet-peering-azure.rst b/docs/platform/howto/vnet-peering-azure.rst
@@ -11,6 +11,10 @@ instead of the Aiven cloud's public network.
 .. note:: 
    Microsoft Azure uses the term ``Virtual Network`` (VNet), which is the same as a ``Virtual Private Cloud`` (VPC). We use the terms interchangeably in this article.
 
+.. note::
+    You can create VPC peering using :doc:`Aiven Provider for Terraform </docs/tools/terraform/howto/vnet-peering-azure>` as well.
+
+
 Peer your network with the VPC
 ------------------------------
 

diff --git a/docs/tools/terraform/howto/vnet-peering-azure.rst b/docs/tools/terraform/howto/vnet-peering-azure.rst
@@ -0,0 +1,220 @@
+Azure virtual network peering
+=============================
+
+This help article contains step-by-step instructions for setting up peering in Azure. See the `Using VPC
+peering <https://docs.aiven.io/docs/platform/howto/manage-vpc-peering.html>`__
+article for how to set up a Project VPC.
+
+While most Terraform manifestos can be applied in one go,
+we'll have to break this up into two steps:
+
+1. First, we'll create most of the necessary resources.
+
+2. Then, we'll configure the Azure provider using data from step 1
+   to create the last resource and connect the networks together.
+
+Before you start
+~~~~~~~~~~~~~~~~
+
+Create an :doc:`Aiven authentication token </docs/platform/howto/create_authentication_token>`.
+Then, set up `authentication for Azure <https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs>`_
+and `Azure Active Directory <https://registry.terraform.io/providers/hashicorp/azuread/latest/docs>`_.
+
+For example:
+
+.. code-block::
+
+    terraform {
+      required_providers {
+        aiven = {
+          source = "aiven/aiven"
+          verstion = ">= 3.8.0, < 4.0.0"
+        }
+        azuread = {
+          source  = "hashicorp/azuread"
+          version = "=2.30.0"
+        }
+        azurerm = {
+          source  = "hashicorp/azurerm"
+          version = "=3.30.0"
+        }
+      }
+    }
+
+    provider "aiven" {
+      api_token = var.aiven_api_token
+    }
+
+    provider "azuread" {
+      client_id     = "00000000-0000-0000-0000-000000000000"
+      client_secret = var.azure_client_secret
+      tenant_id     = "00000000-0000-0000-0000-000000000000"
+    }
+
+    provider "azurerm" {
+      features {}
+      subscription_id = "00000000-0000-0000-0000-000000000000"
+      client_id       = "00000000-0000-0000-0000-000000000000"
+      client_secret   = var.azure_client_secret
+      tenant_id       = "00000000-0000-0000-0000-000000000000"
+    }
+
+
+Step 1: Create or bind the resources
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Create or bind the existing resources using ``terraform import`` by following the steps in this example:
+
+.. code-block::
+
+    data "aiven_project" "avn_project" {
+      project = "aiven-ci-kubernetes-operator"
+    }
+
+    data "azurerm_subscription" "subscription" {
+      subscription_id = "00000000-0000-0000-0000-000000000000"
+    }
+
+    resource "aiven_project_vpc" "avn_vpc" {
+      project      = data.aiven_project.avn_project.project
+      cloud_name   = "azure-germany-westcentral"
+      network_cidr = "192.168.1.0/24"
+
+      timeouts {
+        create = "15m"
+      }
+    }
+
+    resource "azurerm_resource_group" "resource_group" {
+      location = "germanywestcentral"
+      name     = "my-azure-resource-group"
+    }
+
+    resource "azurerm_virtual_network" "virtual_network" {
+      name                = "my-azure-virtual-network"
+      address_space       = ["10.0.0.0/16"]
+      location            = azurerm_resource_group.resource_group.location
+      resource_group_name = azurerm_resource_group.resource_group.name
+    }
+
+    # 1. Log in with an Azure admin account
+    # Already done.
+
+    # 2. Create application object
+    resource "azuread_application" "app" {
+      display_name = "my-azure-application"
+      sign_in_audience = "AzureADandPersonalMicrosoftAccount"
+
+      api {
+        requested_access_token_version = 2
+      }
+    }
+
+    # 3. Create a service principal for your app object
+    resource "azuread_service_principal" "app_principal" {
+      application_id = azuread_application.app.application_id
+    }
+
+    # 4. Set a password for your app object
+    resource "azuread_application_password" "app_password" {
+      application_object_id = azuread_application.app.object_id
+    }
+
+    # 5. Find the id properties of your virtual network
+    # Skip, we have values in the state
+
+    # 6. Grant your service principal permissions to peer
+    resource "azurerm_role_assignment" "app_role" {
+      role_definition_name = "Network Contributor"
+      principal_id         = azuread_service_principal.app_principal.object_id
+      scope                = azurerm_virtual_network.virtual_network.id
+    }
+
+    # 7. Create a service principal for the Aiven application object
+    # Yes, application_id is hardcoded.
+    resource "azuread_service_principal" "aiven_app_principal" {
+      application_id = "55f300d4-fc50-4c5e-9222-e90a6e2187fb"
+    }
+
+    # 8. Create a custom role for the Aiven application object
+    resource "azurerm_role_definition" "role_definition" {
+      name        = "my-azure-role-definition"
+      description = "Allows creating a peering to vnets in scope (but not from)"
+      scope       = "/subscriptions/${data.azurerm_subscription.subscription.subscription_id}"
+
+      permissions {
+        actions = ["Microsoft.Network/virtualNetworks/peer/action"]
+      }
+
+      assignable_scopes = [
+        "/subscriptions/${data.azurerm_subscription.subscription.subscription_id}"
+      ]
+    }
+
+    # 9. Assign the custom role to the Aiven service principal
+    resource "azurerm_role_assignment" "aiven_role_assignment" {
+      role_definition_id = azurerm_role_definition.role_definition.role_definition_resource_id
+      principal_id       = azuread_service_principal.aiven_app_principal.object_id
+      scope              = azurerm_virtual_network.virtual_network.id
+
+      depends_on = [
+        azuread_service_principal.aiven_app_principal,
+        azurerm_role_assignment.app_role
+      ]
+    }
+
+    # 10. Find your AD tenant id
+    # Skip, it's in the env
+
+    # 11. Create a peering connection from the Aiven Project VPC
+    # 12. Wait for the Aiven platform to set up the connection
+    resource "aiven_azure_vpc_peering_connection" "peering_connection" {
+      vpc_id                = aiven_project_vpc.avn_vpc.id
+      peer_resource_group   = azurerm_resource_group.resource_group.name
+      azure_subscription_id = data.azurerm_subscription.subscription.subscription_id
+      vnet_name             = azurerm_virtual_network.virtual_network.name
+      peer_azure_app_id     = azuread_application.app.application_id
+      peer_azure_tenant_id  = "00000000-0000-0000-0000-000000000000"
+
+      depends_on = [
+        azurerm_role_assignment.aiven_role_assignment
+      ]
+    }
+
+
+Step 2: Create peering in Azure
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Now create the connection using the credentials from the previous step.
+
+.. note::
+
+  Terraform doesn't support dynamic provider configuration.
+
+In the same file, follow these steps to create the connection:
+
+
+.. code-block::
+
+    # 13. Create peering from your VNet to the Project VPC's VNet
+    provider "azurerm" {
+      features {}
+      alias                = "app"
+      client_id            = azuread_application.app.application_id
+      client_secret        = azuread_application_password.app_password.value
+      subscription_id      = data.azurerm_subscription.subscription.subscription_id
+      tenant_id            = "00000000-0000-0000-0000-000000000000"
+      auxiliary_tenant_ids = [azuread_service_principal.aiven_app_principal.application_tenant_id]
+    }
+
+    resource "azurerm_virtual_network_peering" "network_peering" {
+      provider                     = azurerm.app
+      name                         = "my-azure-virtual-network-peering"
+      remote_virtual_network_id    = aiven_azure_vpc_peering_connection.peering_connection.state_info["to-network-id"]
+      resource_group_name          = azurerm_resource_group.resource_group.name
+      virtual_network_name         = azurerm_virtual_network.virtual_network.name
+      allow_virtual_network_access = true
+    }
+
+    # 14. Wait until the Aiven peering connection is active
+