Updating to support latest Provider functions

README.md

@@ -23,7 +23,7 @@ terraform {
     }
     polaris = {
       source  = "rubrikinc/polaris"
-      version = "0.9.0-beta.1"
+      version = ">=0.9.0-beta.8"
     } 
   }
 }
@@ -63,6 +63,7 @@ module "polaris-azure-cloud-native_subscription" {
     "Environment" = "Test"
     "Owner"       = "Terraform" 
   }
+
   exocompute_details                  = {
     exocompute_config_1 = {
       region                    = "westus"
@@ -71,6 +72,7 @@ module "polaris-azure-cloud-native_subscription" {
       vnet_resource_group_name  = "vnet-rg"
     }
   }
+
   polaris_credentials                 = "../.creds/customer-service-account.json"
   regions_to_protect                  = ["westus"]
   rsc_azure_features                  = [
@@ -86,8 +88,8 @@ module "polaris-azure-cloud-native_subscription" {
 ```
 
 ```hcl
-# Add a multiple subscriptions in the same tenant with multiple regions for Exocompute.
-# Using shared Exocompute 
+# Add multiple subscriptions in the same tenant with multiple regions for Exocompute.
+# (Using Centralized Exocompute: https://docs.rubrik.com/en-us/saas/saas/azr_centralized_exocompute.html)
 
 terraform {
   required_providers {
@@ -96,7 +98,7 @@ terraform {
     }
     polaris = {
       source  = "rubrikinc/polaris"
-      version = "0.9.0-beta.1"
+      version = ">=0.9.0-beta.8"
     } 
   }
 }

main.tf

@@ -1,7 +1,9 @@
 locals {
-  exocompute_regions = flatten([
-    for exocompute_detail, details in var.exocompute_details : details.region
-  ])
+  exocompute_regions = flatten(
+    [
+      for exocompute_detail, details in var.exocompute_details : details.region
+    ]
+  )
 }
 
 # The subscription the Azure RM is running with.
@@ -11,6 +13,7 @@ data "azurerm_subscription" "current" {
 # Azure permissions required for Cloud Native Protection.
 data "polaris_azure_permissions" "default" {
   for_each = toset(var.rsc_azure_features)
+
   feature = each.key
 }
 
@@ -25,8 +28,9 @@ resource "azurerm_resource_group" "default" {
 # permissions.
 resource "azurerm_role_definition" "subscription" {
   for_each = toset(var.rsc_azure_features)
-  name        = "Rubrik Polaris SubRole ${each.key} - terraform - ${data.azurerm_subscription.current.subscription_id}"
-  description = "Rubrik Polaris Subscription role for ${each.key} - Terraform Generated"
+
+  name        = "Rubrik Security Cloud SubRole ${each.key} - terraform - ${data.azurerm_subscription.current.subscription_id}"
+  description = "Rubrik Security Cloud Subscription role for ${each.key} - Terraform Generated"
   scope       = data.azurerm_subscription.current.id
 
   permissions {
@@ -41,22 +45,34 @@ resource "azurerm_role_definition" "subscription" {
 # permissions.
 resource "azurerm_role_definition" "resource_group" {
   for_each = toset(var.rsc_azure_features)
-  name        = "Rubrik Polaris RGRole ${each.key} - terraform - ${data.azurerm_subscription.current.subscription_id}"
-  description = "Rubrik Polaris Resource Group role for ${each.key} - Terraform Generated"
+
+  name        = "Rubrik Security Cloud RGRole ${each.key} - terraform - ${data.azurerm_subscription.current.subscription_id}"
+  description = "Rubrik Security Cloud Resource Group role for ${each.key} - Terraform Generated"
   scope       = azurerm_resource_group.default.id
 
-  permissions {
-    actions          = data.polaris_azure_permissions.default[each.key].resource_group_actions
-    data_actions     = data.polaris_azure_permissions.default[each.key].resource_group_data_actions
-    not_actions      = data.polaris_azure_permissions.default[each.key].resource_group_not_actions
-    not_data_actions = data.polaris_azure_permissions.default[each.key].resource_group_not_data_actions
+  dynamic "permissions" {
+    for_each = length(
+      concat(
+        data.polaris_azure_permissions.default[each.value].resource_group_actions,
+        data.polaris_azure_permissions.default[each.value].resource_group_data_actions,
+        data.polaris_azure_permissions.default[each.value].resource_group_not_actions,
+        data.polaris_azure_permissions.default[each.value].resource_group_not_data_actions
+      )
+    ) > 0 ? [1] : []
+    content {
+      actions          = data.polaris_azure_permissions.default[each.key].resource_group_actions
+      data_actions     = data.polaris_azure_permissions.default[each.key].resource_group_data_actions
+      not_actions      = data.polaris_azure_permissions.default[each.key].resource_group_not_actions
+      not_data_actions = data.polaris_azure_permissions.default[each.key].resource_group_not_data_actions
+    }
   }
 }
 
 # Assign the Subscription level role to the service principal used by RSC. Note that the
 # principal_id is the object id of the service principal.
 resource "azurerm_role_assignment" "subscription" {
   for_each           = toset(var.rsc_azure_features)
+
   principal_id       = var.azure_service_principal_object_id
   role_definition_id = azurerm_role_definition.subscription[each.key].role_definition_resource_id
   scope              = data.azurerm_subscription.current.id
@@ -66,20 +82,21 @@ resource "azurerm_role_assignment" "subscription" {
 # principal_id is the object id of the service principal.
 resource "azurerm_role_assignment" "resource_group" {
   for_each           = toset(var.rsc_azure_features)
+
   principal_id       = var.azure_service_principal_object_id
   role_definition_id = azurerm_role_definition.resource_group[each.key].role_definition_resource_id
   scope              = azurerm_resource_group.default.id
 }
 
 resource "azurerm_user_assigned_identity" "default" {
   count = contains(var.rsc_azure_features, "CLOUD_NATIVE_ARCHIVAL_ENCRYPTION") ? 1 : 0
+
   location            = azurerm_resource_group.default.location
   name                = "RubrikManagedIdentity-terraform-${data.azurerm_subscription.current.subscription_id}"
   resource_group_name = azurerm_resource_group.default.name
 }
 
 # Add the Azure subscription to RSC enabling only the feature found in the rsc_features variable.
-
 resource "polaris_azure_subscription" "default" {
   delete_snapshots_on_destroy = var.delete_snapshots_on_destroy == true ? true : false
   subscription_id             = element(split("/", data.azurerm_subscription.current.id), 2)
@@ -88,8 +105,9 @@ resource "polaris_azure_subscription" "default" {
 
   dynamic "cloud_native_archival" {
     for_each = contains(var.rsc_azure_features, "CLOUD_NATIVE_ARCHIVAL") ? [1] : []
+
     content {
-      permissions           = data.polaris_azure_permissions.default["CLOUD_NATIVE_ARCHIVAL"].id      
+      permissions           =  data.polaris_azure_permissions.default["CLOUD_NATIVE_ARCHIVAL"].id
       regions               =  var.regions_to_protect
       resource_group_name   =  var.azure_resource_group_name
       resource_group_region =  var.azure_resource_group_region
@@ -99,70 +117,77 @@ resource "polaris_azure_subscription" "default" {
 
   dynamic "cloud_native_archival_encryption" {
     for_each = contains(var.rsc_azure_features, "CLOUD_NATIVE_ARCHIVAL_ENCRYPTION") ? [1] : []
+
     content {
-      permissions           = data.polaris_azure_permissions.default["CLOUD_NATIVE_ARCHIVAL_ENCRYPTION"].id      
+      permissions           =  data.polaris_azure_permissions.default["CLOUD_NATIVE_ARCHIVAL_ENCRYPTION"].id      
       regions               =  var.regions_to_protect
       resource_group_name   =  var.azure_resource_group_name
       resource_group_region =  var.azure_resource_group_region
       resource_group_tags   =  var.azure_resource_group_tags
-      user_assigned_managed_identity_name = azurerm_user_assigned_identity.default[0].name
+      user_assigned_managed_identity_name         = azurerm_user_assigned_identity.default[0].name
       user_assigned_managed_identity_principal_id = azurerm_user_assigned_identity.default[0].principal_id
-      user_assigned_managed_identity_region = var.azure_resource_group_region
+      user_assigned_managed_identity_region       = var.azure_resource_group_region
       user_assigned_managed_identity_resource_group_name = azurerm_resource_group.default.name
     }
   }
 
   dynamic "cloud_native_protection" {
     for_each = contains(var.rsc_azure_features, "CLOUD_NATIVE_PROTECTION") ? [1] : []
+
     content {
-      permissions           = data.polaris_azure_permissions.default["CLOUD_NATIVE_PROTECTION"].id      
+      permissions           =  data.polaris_azure_permissions.default["CLOUD_NATIVE_PROTECTION"].id      
       regions               =  var.regions_to_protect
       resource_group_name   =  var.azure_resource_group_name
       resource_group_region =  var.azure_resource_group_region
       resource_group_tags   =  var.azure_resource_group_tags
     }
   }
 
-    dynamic "exocompute" {
+  dynamic "exocompute" {
     for_each = contains(var.rsc_azure_features, "EXOCOMPUTE") ? [1] : []
+
     content {
-      permissions           = data.polaris_azure_permissions.default["EXOCOMPUTE"].id      
+      permissions           =  data.polaris_azure_permissions.default["EXOCOMPUTE"].id      
       regions               =  var.regions_to_protect
       resource_group_name   =  var.azure_resource_group_name
       resource_group_region =  var.azure_resource_group_region
       resource_group_tags   =  var.azure_resource_group_tags
     }
   }
 
-    dynamic "sql_db_protection" {
+  dynamic "sql_db_protection" {
     for_each = contains(var.rsc_azure_features, "AZURE_SQL_DB_PROTECTION") ? [1] : []
+
     content {
-      permissions           = data.polaris_azure_permissions.default["AZURE_SQL_DB_PROTECTION"].id      
-      regions               =  var.regions_to_protect
+      permissions =  data.polaris_azure_permissions.default["AZURE_SQL_DB_PROTECTION"].id      
+      regions     =  var.regions_to_protect
     }
   }
 
-      dynamic "sql_mi_protection" {
+  dynamic "sql_mi_protection" {
     for_each = contains(var.rsc_azure_features, "AZURE_SQL_MI_PROTECTION") ? [1] : []
+
     content {
-      permissions           = data.polaris_azure_permissions.default["AZURE_SQL_MI_PROTECTION"].id      
-      regions               =  var.regions_to_protect
+      permissions =  data.polaris_azure_permissions.default["AZURE_SQL_MI_PROTECTION"].id      
+      regions     =  var.regions_to_protect
     }
   }
 }
 
 data "azurerm_subnet" "polaris" {
-  for_each             = { for k, v in var.exocompute_details : k => v if contains(var.rsc_azure_features, "EXOCOMPUTE") }
+  for_each = { for k, v in var.exocompute_details : k => v if contains(var.rsc_azure_features, "EXOCOMPUTE") }
+
   name                 = each.value["subnet_name"]
   virtual_network_name = each.value["vnet_name"]
   resource_group_name  = each.value["vnet_resource_group_name"]
 }
 
 #Configure the subscription to host Exocompute.
 resource "polaris_azure_exocompute" "polaris" {
-  for_each                  = { for k, v in var.exocompute_details : k => v if contains(var.rsc_azure_features, "EXOCOMPUTE") }
+  for_each = { for k, v in var.exocompute_details : k => v if contains(var.rsc_azure_features, "EXOCOMPUTE") }
+
   cloud_account_id          = polaris_azure_subscription.default.id
   pod_overlay_network_cidr  = each.value["pod_overlay_network_cidr"]
   region                    = each.value["region"]
   subnet                    = data.azurerm_subnet.polaris[each.key].id
-}
+}

providers.tf

@@ -5,12 +5,12 @@ terraform {
     }
     polaris = {
       source = "rubrikinc/polaris"
-      version = "=0.9.0-beta.3"
+      version = ">=0.9.0-beta.8"
     }
   }
 }
 
 provider "azurerm" {
   features {}
   subscription_id = var.azure_subscription_id
-}
+}

variables.tf

@@ -1,7 +1,7 @@
 variable "azure_resource_group_name" {
   type        = string
   description = "Name of the Azure resource group to store snapshots and Exocompute artifacts."
-  default = "Rubrik-Backups-RG-Do-Not-Delete"
+  default     = "Rubrik-Backups-RG-Do-Not-Delete"
 }
 
 variable "azure_resource_group_region" {
@@ -12,7 +12,7 @@ variable "azure_resource_group_region" {
 variable "azure_resource_group_tags" {
   type        = map(string)
   description = "Tags to apply to the Azure resource group to store snapshots and Exocompute artifacts."
-  default = {}
+  default     = {}
 }
 
 variable "azure_subscription_id" {
@@ -37,20 +37,24 @@ variable "delete_snapshots_on_destroy" {
 }
 
 variable "exocompute_details" {
-  description = "Region and subnet pair to run Exocompute in."
-  type = map(object({
-    region                   = string
-    pod_overlay_network_cidr = string
-    subnet_name              = string
-    vnet_name                = string
-    vnet_resource_group_name = string
-  }))
-  default = {}
+  description = "Region, VNet, Subnet and pod CIDR for Exocompute."
+  type        = map(
+    object(
+      {
+        region                   = string
+        pod_overlay_network_cidr = string
+        subnet_name              = string
+        vnet_name                = string
+        vnet_resource_group_name = string
+      }
+    )
+  )
+  default     = {}
 }
 
 variable "polaris_credentials" {
   type        = string
-  description = "Full path to credentials file for RSC/Polaris."
+  description = "Full path to credentials file for RSC."
 }
 
 variable "rsc_azure_features" {