diff --git a/README.md b/README.md
index 162106c..ba3e135 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ terraform {
 }
 polaris = {
 source = "rubrikinc/polaris"
- version = "0.9.0-beta.1"
+ version = ">=0.9.0-beta.8"
 }
 }
 }
@@ -63,6 +63,7 @@ module "polaris-azure-cloud-native_subscription" {
 "Environment" = "Test"
 "Owner" = "Terraform"
 }
+
 exocompute_details = {
 exocompute_config_1 = {
 region = "westus"
@@ -71,6 +72,7 @@ module "polaris-azure-cloud-native_subscription" {
 vnet_resource_group_name = "vnet-rg"
 }
 }
+
 polaris_credentials = "../.creds/customer-service-account.json"
 regions_to_protect = ["westus"]
 rsc_azure_features = [
@@ -86,8 +88,8 @@ module "polaris-azure-cloud-native_subscription" {
 
 ```
 
 ```hcl
-# Add a multiple subscriptions in the same tenant with multiple regions for Exocompute.
-# Using shared Exocompute
+# Add multiple subscriptions in the same tenant with multiple regions for Exocompute.
+# (Using Centralized Exocompute: https://docs.rubrik.com/en-us/saas/saas/azr_centralized_exocompute.html)
 terraform {
 required_providers {
@@ -96,7 +98,7 @@ terraform {
 }
 polaris = {
 source = "rubrikinc/polaris"
- version = "0.9.0-beta.1"
+ version = ">=0.9.0-beta.8"
 }
 }
 }
diff --git a/main.tf b/main.tf
index 878c824..eea234b 100644
--- a/main.tf
+++ b/main.tf
@@ -1,7 +1,9 @@
 locals {
- exocompute_regions = flatten([
- for exocompute_detail, details in var.exocompute_details : details.region
- ])
+ exocompute_regions = flatten(
+ [
+ for exocompute_detail, details in var.exocompute_details : details.region
+ ]
+ )
 }
 
 # The subscription the Azure RM is running with.
@@ -11,6 +13,7 @@ data "azurerm_subscription" "current" {
 # Azure permissions required for Cloud Native Protection.
 data "polaris_azure_permissions" "default" {
 for_each = toset(var.rsc_azure_features)
+
 feature = each.key
 }
 
@@ -25,8 +28,9 @@ resource "azurerm_resource_group" "default" {
 # permissions.
 resource "azurerm_role_definition" "subscription" {
 for_each = toset(var.rsc_azure_features)
- name = "Rubrik Polaris SubRole ${each.key} - terraform - ${data.azurerm_subscription.current.subscription_id}"
- description = "Rubrik Polaris Subscription role for ${each.key} - Terraform Generated"
+
+ name = "Rubrik Security Cloud SubRole ${each.key} - terraform - ${data.azurerm_subscription.current.subscription_id}"
+ description = "Rubrik Security Cloud Subscription role for ${each.key} - Terraform Generated"
 scope = data.azurerm_subscription.current.id
 
 permissions {
@@ -41,15 +45,26 @@ resource "azurerm_role_definition" "subscription" {
 # permissions.
 resource "azurerm_role_definition" "resource_group" {
 for_each = toset(var.rsc_azure_features)
- name = "Rubrik Polaris RGRole ${each.key} - terraform - ${data.azurerm_subscription.current.subscription_id}"
- description = "Rubrik Polaris Resource Group role for ${each.key} - Terraform Generated"
+
+ name = "Rubrik Security Cloud RGRole ${each.key} - terraform - ${data.azurerm_subscription.current.subscription_id}"
+ description = "Rubrik Security Cloud Resource Group role for ${each.key} - Terraform Generated"
 scope = azurerm_resource_group.default.id
 
- permissions {
- actions = data.polaris_azure_permissions.default[each.key].resource_group_actions
- data_actions = data.polaris_azure_permissions.default[each.key].resource_group_data_actions
- not_actions = data.polaris_azure_permissions.default[each.key].resource_group_not_actions
- not_data_actions = data.polaris_azure_permissions.default[each.key].resource_group_not_data_actions
+ dynamic "permissions" {
+ for_each = length(
+ concat(
+ data.polaris_azure_permissions.default[each.value].resource_group_actions,
+ data.polaris_azure_permissions.default[each.value].resource_group_data_actions,
+ data.polaris_azure_permissions.default[each.value].resource_group_not_actions,
+ data.polaris_azure_permissions.default[each.value].resource_group_not_data_actions
+ )
+ ) > 0 ? [1] : []
+ content {
+ actions = data.polaris_azure_permissions.default[each.key].resource_group_actions
+ data_actions = data.polaris_azure_permissions.default[each.key].resource_group_data_actions
+ not_actions = data.polaris_azure_permissions.default[each.key].resource_group_not_actions
+ not_data_actions = data.polaris_azure_permissions.default[each.key].resource_group_not_data_actions
+ }
 }
 }
 
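Review bot: The new `dynamic "permissions"` guard indexes `data.polaris_azure_permissions.default` with `each.value` in the four `concat(...)` arguments, while the `content` block directly below it and every other resource in the file use `each.key`; for a `toset()` `for_each` both resolve to the same string, so this is a style point, but the mixed spelling reads as if two different lookups were intended. Change the four `each.value` references to `each.key`. The guard also counts `not_actions`/`not_data_actions`, so a feature that reports only exclusions still gets a `permissions` block with an empty `actions` list (which grants nothing); a short comment such as `# Emit a permissions block only when the feature reports any resource-group scoped entries.` would record the intent of the `> 0 ? [1] : []` expression. The subscription role definition in the preceding hunk keeps an unconditional `permissions` block; if a feature can return empty subscription-level lists (not visible in this diff), it would need the same guard for consistency.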
@@ -57,6 +72,7 @@ resource "azurerm_role_definition" "resource_group" {
 # principal_id is the object id of the service principal.
 resource "azurerm_role_assignment" "subscription" {
 for_each = toset(var.rsc_azure_features)
+
 principal_id = var.azure_service_principal_object_id
 role_definition_id = azurerm_role_definition.subscription[each.key].role_definition_resource_id
 scope = data.azurerm_subscription.current.id
@@ -66,6 +82,7 @@ resource "azurerm_role_assignment" "subscription" {
 # principal_id is the object id of the service principal.
 resource "azurerm_role_assignment" "resource_group" {
 for_each = toset(var.rsc_azure_features)
+
 principal_id = var.azure_service_principal_object_id
 role_definition_id = azurerm_role_definition.resource_group[each.key].role_definition_resource_id
 scope = azurerm_resource_group.default.id
@@ -73,13 +90,13 @@ resource "azurerm_role_assignment" "resource_group" {
 
 resource "azurerm_user_assigned_identity" "default" {
 count = contains(var.rsc_azure_features, "CLOUD_NATIVE_ARCHIVAL_ENCRYPTION") ? 1 : 0
+
 location = azurerm_resource_group.default.location
 name = "RubrikManagedIdentity-terraform-${data.azurerm_subscription.current.subscription_id}"
 resource_group_name = azurerm_resource_group.default.name
 }
 
 # Add the Azure subscription to RSC enabling only the feature found in the rsc_features variable.
-
 resource "polaris_azure_subscription" "default" {
 delete_snapshots_on_destroy = var.delete_snapshots_on_destroy == true ? true : false
 subscription_id = element(split("/", data.azurerm_subscription.current.id), 2)
@@ -88,8 +105,9 @@ resource "polaris_azure_subscription" "default" {
 
 dynamic "cloud_native_archival" {
 for_each = contains(var.rsc_azure_features, "CLOUD_NATIVE_ARCHIVAL") ? [1] : []
+
 content {
- permissions = data.polaris_azure_permissions.default["CLOUD_NATIVE_ARCHIVAL"].id
+ permissions = data.polaris_azure_permissions.default["CLOUD_NATIVE_ARCHIVAL"].id
 regions = var.regions_to_protect
 resource_group_name = var.azure_resource_group_name
 resource_group_region = var.azure_resource_group_region
@@ -99,23 +117,25 @@ resource "polaris_azure_subscription" "default" {
 
 dynamic "cloud_native_archival_encryption" {
 for_each = contains(var.rsc_azure_features, "CLOUD_NATIVE_ARCHIVAL_ENCRYPTION") ? [1] : []
+
 content {
- permissions = data.polaris_azure_permissions.default["CLOUD_NATIVE_ARCHIVAL_ENCRYPTION"].id
+ permissions = data.polaris_azure_permissions.default["CLOUD_NATIVE_ARCHIVAL_ENCRYPTION"].id
 regions = var.regions_to_protect
 resource_group_name = var.azure_resource_group_name
 resource_group_region = var.azure_resource_group_region
 resource_group_tags = var.azure_resource_group_tags
- user_assigned_managed_identity_name = azurerm_user_assigned_identity.default[0].name
+ user_assigned_managed_identity_name = azurerm_user_assigned_identity.default[0].name
 user_assigned_managed_identity_principal_id = azurerm_user_assigned_identity.default[0].principal_id
- user_assigned_managed_identity_region = var.azure_resource_group_region
+ user_assigned_managed_identity_region = var.azure_resource_group_region
 user_assigned_managed_identity_resource_group_name = azurerm_resource_group.default.name
 }
 }
 
 dynamic "cloud_native_protection" {
 for_each = contains(var.rsc_azure_features, "CLOUD_NATIVE_PROTECTION") ? [1] : []
+
 content {
- permissions = data.polaris_azure_permissions.default["CLOUD_NATIVE_PROTECTION"].id
+ permissions = data.polaris_azure_permissions.default["CLOUD_NATIVE_PROTECTION"].id
 regions = var.regions_to_protect
 resource_group_name = var.azure_resource_group_name
 resource_group_region = var.azure_resource_group_region
@@ -123,10 +143,11 @@ resource "polaris_azure_subscription" "default" {
 }
 }
 
- dynamic "exocompute" {
+ dynamic "exocompute" {
 for_each = contains(var.rsc_azure_features, "EXOCOMPUTE") ? [1] : []
+
 content {
- permissions = data.polaris_azure_permissions.default["EXOCOMPUTE"].id
+ permissions = data.polaris_azure_permissions.default["EXOCOMPUTE"].id
 regions = var.regions_to_protect
 resource_group_name = var.azure_resource_group_name
 resource_group_region = var.azure_resource_group_region
@@ -134,25 +155,28 @@ resource "polaris_azure_subscription" "default" {
 }
 }
 
- dynamic "sql_db_protection" {
+ dynamic "sql_db_protection" {
 for_each = contains(var.rsc_azure_features, "AZURE_SQL_DB_PROTECTION") ? [1] : []
+
 content {
- permissions = data.polaris_azure_permissions.default["AZURE_SQL_DB_PROTECTION"].id
- regions = var.regions_to_protect
+ permissions = data.polaris_azure_permissions.default["AZURE_SQL_DB_PROTECTION"].id
+ regions = var.regions_to_protect
 }
 }
 
- dynamic "sql_mi_protection" {
+ dynamic "sql_mi_protection" {
 for_each = contains(var.rsc_azure_features, "AZURE_SQL_MI_PROTECTION") ? [1] : []
+
 content {
- permissions = data.polaris_azure_permissions.default["AZURE_SQL_MI_PROTECTION"].id
- regions = var.regions_to_protect
+ permissions = data.polaris_azure_permissions.default["AZURE_SQL_MI_PROTECTION"].id
+ regions = var.regions_to_protect
 }
 }
 }
 
 data "azurerm_subnet" "polaris" {
- for_each = { for k, v in var.exocompute_details : k => v if contains(var.rsc_azure_features, "EXOCOMPUTE") }
+ for_each = { for k, v in var.exocompute_details : k => v if contains(var.rsc_azure_features, "EXOCOMPUTE") }
+
 name = each.value["subnet_name"]
 virtual_network_name = each.value["vnet_name"]
 resource_group_name = each.value["vnet_resource_group_name"]
@@ -160,9 +184,10 @@ data "azurerm_subnet" "polaris" {
 
 #Configure the subscription to host Exocompute.
 resource "polaris_azure_exocompute" "polaris" {
- for_each = { for k, v in var.exocompute_details : k => v if contains(var.rsc_azure_features, "EXOCOMPUTE") }
+ for_each = { for k, v in var.exocompute_details : k => v if contains(var.rsc_azure_features, "EXOCOMPUTE") }
+
 cloud_account_id = polaris_azure_subscription.default.id
 pod_overlay_network_cidr = each.value["pod_overlay_network_cidr"]
 region = each.value["region"]
 subnet = data.azurerm_subnet.polaris[each.key].id
-}
\ No newline at end of file
+}
diff --git a/providers.tf b/providers.tf
index 0eb52b8..be80b5e 100644
--- a/providers.tf
+++ b/providers.tf
@@ -5,7 +5,7 @@ terraform {
 }
 polaris = {
 source = "rubrikinc/polaris"
- version = "=0.9.0-beta.3"
+ version = ">=0.9.0-beta.8"
 }
 }
 }
@@ -13,4 +13,4 @@ terraform {
 provider "azurerm" {
 features {}
 subscription_id = var.azure_subscription_id
-}
\ No newline at end of file
+}
diff --git a/variables.tf b/variables.tf
index 68ba724..ed12be8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,7 +1,7 @@
 variable "azure_resource_group_name" {
 type = string
 description = "Name of the Azure resource group to store snapshots and Exocompute artifacts."
- default = "Rubrik-Backups-RG-Do-Not-Delete"
+ default = "Rubrik-Backups-RG-Do-Not-Delete"
 }
 
 variable "azure_resource_group_region" {
@@ -12,7 +12,7 @@ variable "azure_resource_group_region" {
 variable "azure_resource_group_tags" {
 type = map(string)
 description = "Tags to apply to the Azure resource group to store snapshots and Exocompute artifacts."
- default = {}
+ default = {}
 }
 
 variable "azure_subscription_id" {
@@ -37,20 +37,24 @@ variable "delete_snapshots_on_destroy" {
 }
 
 variable "exocompute_details" {
- description = "Region and subnet pair to run Exocompute in."
- type = map(object({
- region = string
- pod_overlay_network_cidr = string
- subnet_name = string
- vnet_name = string
- vnet_resource_group_name = string
- }))
- default = {}
+ description = "Region, VNet, Subnet and pod CIDR for Exocompute."
+ type = map(
+ object(
+ {
+ region = string
+ pod_overlay_network_cidr = string
+ subnet_name = string
+ vnet_name = string
+ vnet_resource_group_name = string
+ }
+ )
+ )
+ default = {}
 }
 
 variable "polaris_credentials" {
 type = string
- description = "Full path to credentials file for RSC/Polaris."
+ description = "Full path to credentials file for RSC."
 }
 
 variable "rsc_azure_features" {
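Review bot: `exocompute_details` is still accepted without any validation of its fields, so a malformed `pod_overlay_network_cidr` is at best rejected by the provider when `polaris_azure_exocompute` is applied, which in this module happens after the subscription and role definitions it depends on already exist. A `validation` block on the variable rejects bad values at plan time and documents the expected format next to the new description; the block below wraps `cidrhost(..., 0)` in `can()` so any syntactically valid prefix passes. The `polaris_credentials` description could also say what the file is, since the README example points it at a service-account JSON file that presumably holds a secret, e.g. `description = "Full path to the RSC service-account credentials file (contains a secret; keep it out of version control)."`.
```hcl
variable "exocompute_details" {
  # … unchanged: description, type, default …

  validation {
    condition = alltrue([
      for v in var.exocompute_details : can(cidrhost(v.pod_overlay_network_cidr, 0))
    ])
    error_message = "Every exocompute_details entry needs a valid CIDR in pod_overlay_network_cidr."
  }
}
```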