From 30ee2bf7f6a53764999c99c8d07725c0bbc6a673 Mon Sep 17 00:00:00 2001 From: Murad Biashimov Date: Tue, 29 Nov 2022 15:33:31 +0100 Subject: [PATCH 01/11] add "Azure virtual network peering" howto for terraform --- _toc.yml | 1 + docs/platform/howto/vnet-peering-azure.rst | 4 + .../terraform/howto/vnet-peering-azure.rst | 215 ++++++++++++++++++ 3 files changed, 220 insertions(+) create mode 100644 docs/tools/terraform/howto/vnet-peering-azure.rst diff --git a/_toc.yml b/_toc.yml index 1fe9f419e4..5c984141b3 100644 --- a/_toc.yml +++ b/_toc.yml @@ -198,6 +198,7 @@ entries: - file: docs/tools/terraform/howto/promote-to-master-pg-rr title: Promote PostgreSQL read replica to master - file: docs/tools/terraform/howto/upgrade-to-opensearch + - file: docs/tools/terraform/howto/vnet-peering-azure - file: docs/tools/terraform/concepts title: Concepts entries: diff --git a/docs/platform/howto/vnet-peering-azure.rst b/docs/platform/howto/vnet-peering-azure.rst index 12a28b4d88..00a5e4bcb5 100644 --- a/docs/platform/howto/vnet-peering-azure.rst +++ b/docs/platform/howto/vnet-peering-azure.rst @@ -11,6 +11,10 @@ instead of the Aiven cloud's public network. .. note:: Microsoft Azure uses the term ``Virtual Network`` (VNet), which is the same as a ``Virtual Private Cloud`` (VPC). We use the terms interchangeably in this article. +.. note:: + You can create VPC peering using :doc:`Aiven Provider for Terraform ` as well. + + Peer your network with the VPC ------------------------------ diff --git a/docs/tools/terraform/howto/vnet-peering-azure.rst b/docs/tools/terraform/howto/vnet-peering-azure.rst new file mode 100644 index 0000000000..0d4ffa6850 --- /dev/null +++ b/docs/tools/terraform/howto/vnet-peering-azure.rst 
@@ -0,0 +1,215 @@ +Azure virtual network peering +============================= + +This howto is based on original :doc:`article ` +made for Aiven and Azure cli. +It follows original chapter-by-chapter, +I will find every step signed with the very same title below in the example. + +And while most of terraform manifestos can be applied in one go, +we'll have to break it up into two: + +1. First, we will create most of the necessary resources +2. Then we will configure Azure provider using data from step one + to create the last resource and connect networks together + +Before we start +~~~~~~~~~~~~~~~ + +Please setup `Aiven `_ +and `Azure `_ +(and `this `_) providers using official documentation. +For example: + +.. code-block:: + + terraform { + required_providers { + aiven = { + source = "aiven/aiven" + verstion = ">= 3.8.0, < 4.0.0" + } + azuread = { + source = "hashicorp/azuread" + version = "=2.30.0" + } + azurerm = { + source = "hashicorp/azurerm" + version = "=3.30.0" + } + } + } + + provider "aiven" { + api_token = var.aiven_api_token + } + + provider "azuread" { + client_id = "00000000-0000-0000-0000-000000000000" + client_secret = var.azure_client_secret + tenant_id = "00000000-0000-0000-0000-000000000000" + } + + provider "azurerm" { + features {} + subscription_id = "00000000-0000-0000-0000-000000000000" + client_id = "00000000-0000-0000-0000-000000000000" + client_secret = var.azure_client_secret + tenant_id = "00000000-0000-0000-0000-000000000000" + } + + +Create necessary resources +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Create or bind existing (using ``terraform import``) resources. + +.. 
code-block:: + + data "aiven_project" "avn_project" { + project = "aiven-ci-kubernetes-operator" + } + + data "azurerm_subscription" "subscription" { + subscription_id = "00000000-0000-0000-0000-000000000000" + } + + resource "aiven_project_vpc" "avn_vpc" { + project = data.aiven_project.avn_project.project + cloud_name = "azure-germany-westcentral" + network_cidr = "192.168.1.0/24" + + timeouts { + create = "15m" + } + } + + resource "azurerm_resource_group" "resource_group" { + location = "germanywestcentral" + name = "my-azure-resource-group" + } + + resource "azurerm_virtual_network" "virtual_network" { + name = "my-azure-virtual-network" + address_space = ["10.0.0.0/16"] + location = azurerm_resource_group.resource_group.location + resource_group_name = azurerm_resource_group.resource_group.name + } + + # 1. Log in with an Azure admin account + # Already done. + + # 2. Create application object + resource "azuread_application" "app" { + display_name = "my-azure-application" + sign_in_audience = "AzureADandPersonalMicrosoftAccount" + + api { + requested_access_token_version = 2 + } + } + + # 3. Create a service principal for your app object + resource "azuread_service_principal" "app_principal" { + application_id = azuread_application.app.application_id + } + + # 4. Set a password for your app object + resource "azuread_application_password" "app_password" { + application_object_id = azuread_application.app.object_id + } + + # 5. Find the id properties of your virtual network + # Skip, we have values in the state + + # 6. Grant your service principal permissions to peer + resource "azurerm_role_assignment" "app_role" { + role_definition_name = "Network Contributor" + principal_id = azuread_service_principal.app_principal.object_id + scope = azurerm_virtual_network.virtual_network.id + } + + # 7. Create a service principal for the Aiven application object + # Yes, application_id is hardcoded. 
+ resource "azuread_service_principal" "aiven_app_principal" { + application_id = "55f300d4-fc50-4c5e-9222-e90a6e2187fb" + use_existing = true + } + + # 8. Create a custom role for the Aiven application object + resource "azurerm_role_definition" "role_definition" { + name = "my-azure-role-definition" + description = "Allows creating a peering to vnets in scope (but not from)" + scope = "/subscriptions/${data.azurerm_subscription.subscription.subscription_id}" + + permissions { + actions = ["Microsoft.Network/virtualNetworks/peer/action"] + } + + assignable_scopes = [ + "/subscriptions/${data.azurerm_subscription.subscription.subscription_id}" + ] + } + + # 9. Assign the custom role to the Aiven service principal + resource "azurerm_role_assignment" "aiven_role_assignment" { + role_definition_id = azurerm_role_definition.role_definition.role_definition_resource_id + principal_id = azuread_service_principal.aiven_app_principal.object_id + scope = azurerm_virtual_network.virtual_network.id + + depends_on = [ + azuread_service_principal.aiven_app_principal, + azurerm_role_assignment.app_role + ] + } + + # 10. Find your AD tenant id + # Skip, it's in the env + + # 11. Create a peering connection from the Aiven Project VPC + # 12. Wait for the Aiven platform to set up the connection + resource "aiven_azure_vpc_peering_connection" "peering_connection" { + vpc_id = aiven_project_vpc.avn_vpc.id + peer_resource_group = azurerm_resource_group.resource_group.name + azure_subscription_id = data.azurerm_subscription.subscription.subscription_id + vnet_name = azurerm_virtual_network.virtual_network.name + peer_azure_app_id = azuread_application.app.application_id + peer_azure_tenant_id = "00000000-0000-0000-0000-000000000000" + + depends_on = [ + azurerm_role_assignment.aiven_role_assignment + ] + } + + +Create peering in Azure +~~~~~~~~~~~~~~~~~~~~~~~ + +Now we need to create connection using credentials from the previous step. 
+Unfortunately terraform doesn't support `dynamic provider configuration `_. + +.. code-block:: + + # 13. Create peering from your VNet to the Project VPC's VNet + provider "azurerm" { + features {} + alias = "app" + client_id = azuread_application.app.application_id + client_secret = azuread_application_password.app_password.value + subscription_id = data.azurerm_subscription.subscription.subscription_id + tenant_id = "00000000-0000-0000-0000-000000000000" + auxiliary_tenant_ids = [azuread_service_principal.aiven_app_principal.application_tenant_id] + } + + resource "azurerm_virtual_network_peering" "network_peering" { + provider = azurerm.app + name = "my-azure-virtual-network-peering" + remote_virtual_network_id = aiven_azure_vpc_peering_connection.peering_connection.state_info["to-network-id"] + resource_group_name = azurerm_resource_group.resource_group.name + virtual_network_name = azurerm_virtual_network.virtual_network.name + allow_virtual_network_access = true + } + + # 14. Wait until the Aiven peering connection is active + +Done. From 12e754988fcf884b15e2dbbd1bd3a3270c86a779 Mon Sep 17 00:00:00 2001 From: Murad Biashimov Date: Tue, 29 Nov 2022 15:50:03 +0100 Subject: [PATCH 02/11] remove use_existing from aiven_app_principal --- docs/tools/terraform/howto/vnet-peering-azure.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/tools/terraform/howto/vnet-peering-azure.rst b/docs/tools/terraform/howto/vnet-peering-azure.rst index 0d4ffa6850..bf350b4e7d 100644 --- a/docs/tools/terraform/howto/vnet-peering-azure.rst +++ b/docs/tools/terraform/howto/vnet-peering-azure.rst @@ -1,7 +1,7 @@ Azure virtual network peering ============================= -This howto is based on original :doc:`article ` +This how-to is based on original :doc:`article ` made for Aiven and Azure cli. It follows original chapter-by-chapter, I will find every step signed with the very same title below in the example. 
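Review bot: The `required_providers` block in the "Before we start" example has a typo, `verstion = ">= 3.8.0, < 4.0.0"`, which Terraform rejects as an unknown attribute of a required_providers object, so readers pasting the snippet get an init error; it should read `version = ">= 3.8.0, < 4.0.0"`. Two security caveats also deserve a sentence in the doc: `sign_in_audience = "AzureADandPersonalMicrosoftAccount"` on `azuread_application.app` admits personal Microsoft accounts, which a peering-automation principal never needs — if Aiven's tenant must be able to instantiate the app, `AzureADMultipleOrgs` is the narrower choice (confirm against the CLI article this how-to is based on). And because `azuread_application_password.app_password.value` is fed into the aliased `azurerm` provider in the second step, the client secret ends up in plaintext in the Terraform state file, so a note such as `.. note:: The application password is stored in Terraform state; keep state in an encrypted, access-controlled backend.` would help readers. The hard-coded `peer_azure_tenant_id` could also be taken from `data.azurerm_subscription.subscription.tenant_id` to avoid a copy-paste mismatch with the provider blocks.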
@@ -133,7 +133,6 @@ Create or bind existing (using ``terraform import``) resources. # Yes, application_id is hardcoded. resource "azuread_service_principal" "aiven_app_principal" { application_id = "55f300d4-fc50-4c5e-9222-e90a6e2187fb" - use_existing = true } # 8. Create a custom role for the Aiven application object From 98be8f7dbea9432d7af3c5a9beb947597949513b Mon Sep 17 00:00:00 2001 From: Murad Biashimov Date: Mon, 5 Dec 2022 15:21:11 +0100 Subject: [PATCH 03/11] Apply suggestions from code review Co-authored-by: Stacey Salamon <111294980+staceysalamon-aiven@users.noreply.github.com> --- .../terraform/howto/vnet-peering-azure.rst | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/docs/tools/terraform/howto/vnet-peering-azure.rst b/docs/tools/terraform/howto/vnet-peering-azure.rst index bf350b4e7d..3c0c291599 100644 --- a/docs/tools/terraform/howto/vnet-peering-azure.rst +++ b/docs/tools/terraform/howto/vnet-peering-azure.rst @@ -13,12 +13,12 @@ we'll have to break it up into two: 2. Then we will configure Azure provider using data from step one to create the last resource and connect networks together -Before we start +Before you start ~~~~~~~~~~~~~~~ -Please setup `Aiven `_ -and `Azure `_ -(and `this `_) providers using official documentation. +Create an `Aiven authentication token `. +Then set up `authentication for Azure `_ +and `Azure Active Directory `_. For example: .. code-block:: @@ -59,10 +59,10 @@ For example: } -Create necessary resources +1. Create or bind the resources ~~~~~~~~~~~~~~~~~~~~~~~~~~ -Create or bind existing (using ``terraform import``) resources. +Create or bind the existing resources using ``terraform import`` using the steps in this example: .. code-block:: 
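Review bot: Dropping `use_existing = true` from `azuread_service_principal.aiven_app_principal` changes failure behaviour rather than just tidying the example: with the azuread provider, a plain create of a service principal for an application id that already has one in the tenant raises an import error instead of adopting it, and tenants that previously set up Aiven peering via the CLI article will already hold that principal. The commit message gives no reason for the removal, so if it is intentional the doc should say what readers should do in that case, e.g. `# If the Aiven service principal already exists in your tenant, import it: terraform import azuread_service_principal.aiven_app_principal <object_id>`; otherwise keeping `use_existing = true` is the safer default for a copy-paste how-to.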
@@ -181,10 +181,10 @@ Create or bind existing (using ``terraform import``) resources. } -Create peering in Azure -~~~~~~~~~~~~~~~~~~~~~~~ +2. Create peering in Azure +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Now we need to create connection using credentials from the previous step. +Now create the connection using the credentials from the previous step. Unfortunately terraform doesn't support `dynamic provider configuration `_. .. code-block:: @@ -211,4 +211,3 @@ Unfortunately terraform doesn't support `dynamic provider configuration Date: Mon, 5 Dec 2022 20:15:33 +0100 Subject: [PATCH 04/11] Update docs/tools/terraform/howto/vnet-peering-azure.rst Co-authored-by: Stacey Salamon <111294980+staceysalamon-aiven@users.noreply.github.com> --- docs/tools/terraform/howto/vnet-peering-azure.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/tools/terraform/howto/vnet-peering-azure.rst b/docs/tools/terraform/howto/vnet-peering-azure.rst index 3c0c291599..7d5e9e2957 100644 --- a/docs/tools/terraform/howto/vnet-peering-azure.rst +++ b/docs/tools/terraform/howto/vnet-peering-azure.rst @@ -186,6 +186,8 @@ Create or bind the existing resources using ``terraform import`` using the steps Now create the connection using the credentials from the previous step. Unfortunately terraform doesn't support `dynamic provider configuration `_. +In the same file, follow these steps to create the connection: + .. code-block:: From 918c656eb2e9fe65cd1ff6f30783dec4dc5e105b Mon Sep 17 00:00:00 2001 From: Murad Biashimov Date: Mon, 5 Dec 2022 20:20:38 +0100 Subject: [PATCH 05/11] Apply suggestions from code review Co-authored-by: Stacey Salamon <111294980+staceysalamon-aiven@users.noreply.github.com> --- docs/tools/terraform/howto/vnet-peering-azure.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/tools/terraform/howto/vnet-peering-azure.rst b/docs/tools/terraform/howto/vnet-peering-azure.rst index 7d5e9e2957..8032154d73 100644 
--- a/docs/tools/terraform/howto/vnet-peering-azure.rst +++ b/docs/tools/terraform/howto/vnet-peering-azure.rst @@ -59,7 +59,7 @@ For example: } -1. Create or bind the resources +Step 1: Create or bind the resources ~~~~~~~~~~~~~~~~~~~~~~~~~~ Create or bind the existing resources using ``terraform import`` using the steps in this example: @@ -181,7 +181,7 @@ Create or bind the existing resources using ``terraform import`` using the steps } -2. Create peering in Azure +Step 2: Create peering in Azure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Now create the connection using the credentials from the previous step. From bcde22bed41f8581e166e619587d95dc495194be Mon Sep 17 00:00:00 2001 From: Murad Biashimov Date: Tue, 6 Dec 2022 13:45:02 +0100 Subject: [PATCH 06/11] Update docs/tools/terraform/howto/vnet-peering-azure.rst Co-authored-by: Stacey Salamon <111294980+staceysalamon-aiven@users.noreply.github.com> --- docs/tools/terraform/howto/vnet-peering-azure.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/tools/terraform/howto/vnet-peering-azure.rst b/docs/tools/terraform/howto/vnet-peering-azure.rst index 8032154d73..589797b8a7 100644 --- a/docs/tools/terraform/howto/vnet-peering-azure.rst +++ b/docs/tools/terraform/howto/vnet-peering-azure.rst @@ -185,7 +185,9 @@ Step 2: Create peering in Azure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Now create the connection using the credentials from the previous step. -Unfortunately terraform doesn't support `dynamic provider configuration `_. +.. note:: + +Terraform doesn't support dynamic provider configuration. In the same file, follow these steps to create the connection: From 84c761c3067977412b64fc2cffa0d13068934ffc Mon Sep 17 00:00:00 2001 From: Dewan Ishtiaque Ahmed Date: Tue, 6 Dec 2022 12:49:00 -0400 Subject: [PATCH 07/11] Fixing section underlines to avoid warnings. --- docs/tools/terraform/howto/vnet-peering-azure.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/docs/tools/terraform/howto/vnet-peering-azure.rst b/docs/tools/terraform/howto/vnet-peering-azure.rst index 589797b8a7..2bb7e714f8 100644 --- a/docs/tools/terraform/howto/vnet-peering-azure.rst +++ b/docs/tools/terraform/howto/vnet-peering-azure.rst @@ -14,7 +14,7 @@ we'll have to break it up into two: to create the last resource and connect networks together Before you start -~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~ Create an `Aiven authentication token `. Then set up `authentication for Azure `_ @@ -60,7 +60,7 @@ For example: Step 1: Create or bind the resources -~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Create or bind the existing resources using ``terraform import`` using the steps in this example: @@ -182,7 +182,7 @@ Create or bind the existing resources using ``terraform import`` using the steps Step 2: Create peering in Azure -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Now create the connection using the credentials from the previous step. .. note:: From 5d325a2f6cee57fee89d863c23df02dce3f3e813 Mon Sep 17 00:00:00 2001 From: Murad Biashimov Date: Tue, 6 Dec 2022 18:31:18 +0100 Subject: [PATCH 08/11] remove link anchors to pass the linter --- docs/tools/terraform/howto/vnet-peering-azure.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/tools/terraform/howto/vnet-peering-azure.rst b/docs/tools/terraform/howto/vnet-peering-azure.rst index 2bb7e714f8..f6062a1b47 100644 --- a/docs/tools/terraform/howto/vnet-peering-azure.rst +++ b/docs/tools/terraform/howto/vnet-peering-azure.rst @@ -17,8 +17,8 @@ Before you start ~~~~~~~~~~~~~~~~ Create an `Aiven authentication token `. -Then set up `authentication for Azure `_ -and `Azure Active Directory `_. +Then set up `authentication for Azure `_ +and `Azure Active Directory `_. For example: .. code-block:: From fd53aadac339d57c8fddf40269ea96f8b4179acf Mon Sep 17 00:00:00 2001 
From: Stacey Salamon Date: Wed, 7 Dec 2022 09:41:54 +0100 Subject: [PATCH 09/11] Reword introduction --- .../terraform/howto/vnet-peering-azure.rst | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/tools/terraform/howto/vnet-peering-azure.rst b/docs/tools/terraform/howto/vnet-peering-azure.rst index f6062a1b47..48b3c06e7d 100644 --- a/docs/tools/terraform/howto/vnet-peering-azure.rst +++ b/docs/tools/terraform/howto/vnet-peering-azure.rst @@ -1,22 +1,22 @@ Azure virtual network peering ============================= -This how-to is based on original :doc:`article ` -made for Aiven and Azure cli. -It follows original chapter-by-chapter, -I will find every step signed with the very same title below in the example. +This help article contains step-by-step instructions for setting up peering in Azure. See the `Using VPC +peering `__ +article for how to set up a Project VPC. -And while most of terraform manifestos can be applied in one go, -we'll have to break it up into two: +While most Terraform manifestos can be applied in one go, +we'll have to break this up into two steps: -1. First, we will create most of the necessary resources -2. Then we will configure Azure provider using data from step one - to create the last resource and connect networks together +1. First, we'll create most of the necessary resources. + +2. Then, we'll configure the Azure provider using data from step 1 + to create the last resource and connect the networks together. Before you start ~~~~~~~~~~~~~~~~ -Create an `Aiven authentication token `. +Create an `Aiven authentication token `. Then set up `authentication for Azure `_ and `Azure Active Directory `_. For example: From 42a4805f58347f512ed5b0627a50fcfaf73f9e2f Mon Sep 17 00:00:00 2001 
From: Stacey Salamon Date: Wed, 7 Dec 2022 09:45:25 +0100 Subject: [PATCH 10/11] Fix link to Aiven auth token article --- docs/tools/terraform/howto/vnet-peering-azure.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/tools/terraform/howto/vnet-peering-azure.rst b/docs/tools/terraform/howto/vnet-peering-azure.rst index 48b3c06e7d..f2b5f20a52 100644 --- a/docs/tools/terraform/howto/vnet-peering-azure.rst +++ b/docs/tools/terraform/howto/vnet-peering-azure.rst @@ -16,9 +16,10 @@ we'll have to break this up into two steps: Before you start ~~~~~~~~~~~~~~~~ -Create an `Aiven authentication token `. -Then set up `authentication for Azure `_ +Create an :doc:`Aiven authentication token `. +Then, set up `authentication for Azure `_ and `Azure Active Directory `_. + For example: .. code-block:: From 98202fa25b9353c61b604ada6753f6fbf9eb9b9b Mon Sep 17 00:00:00 2001 From: Stacey Salamon Date: Wed, 7 Dec 2022 09:47:53 +0100 Subject: [PATCH 11/11] Fix note formatting --- docs/tools/terraform/howto/vnet-peering-azure.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/tools/terraform/howto/vnet-peering-azure.rst b/docs/tools/terraform/howto/vnet-peering-azure.rst index f2b5f20a52..ae276acd7f 100644 --- a/docs/tools/terraform/howto/vnet-peering-azure.rst +++ b/docs/tools/terraform/howto/vnet-peering-azure.rst @@ -63,7 +63,7 @@ For example: Step 1: Create or bind the resources ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Create or bind the existing resources using ``terraform import`` using the steps in this example: +Create or bind the existing resources using ``terraform import`` by following the steps in this example: .. code-block:: 
@@ -186,9 +186,11 @@ Step 2: Create peering in Azure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Now create the connection using the credentials from the previous step. + .. note:: -Terraform doesn't support dynamic provider configuration. + Terraform doesn't support dynamic provider configuration. + In the same file, follow these steps to create the connection: