Move non-core DNS zones outside network module (#3119)
* non core dns zone migration * tf fmt
Родитель
d167dae861
Коммит
c9c66b8b24
|
@ -27,7 +27,9 @@ FEATURES:
|
|||
|
||||
ENHANCEMENTS:
|
||||
* Add support for referencing IP Groups from the Core Resource Group in firewall rules created via the pipeline [#3089](https://github.com/microsoft/AzureTRE/pull/3089)
|
||||
* Support for _Azure Firewall Basic_ SKU [#3107](https://github.com/microsoft/AzureTRE/pull/3107). This SKU doesn't support deallocation and for most non 24/7 scenarios will be more expensive than the Standard SKU.
|
||||
* Update Azure Machine Learning Workspace Service to support "no public IP" compute. This is a full rework so upgrades of existing Azure ML Workspace Service deployments are not supported. Requires `v0.8.0` or later of the TRE project. [#3052](https://github.com/microsoft/AzureTRE/pull/3052)
|
||||
* Move non-core DNS zones out of the network module to reduce dependencies [#3119](https://github.com/microsoft/AzureTRE/pull/3119)
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
# the zones defined in this file aren't used by the core system,
|
||||
# but are a preperation for shared/workspace services deployment.
|
||||
|
||||
resource "azurerm_private_dns_zone" "non_core" {
|
||||
for_each = local.private_dns_zone_names_non_core
|
||||
name = each.key
|
||||
resource_group_name = azurerm_resource_group.core.name
|
||||
tags = local.tre_core_tags
|
||||
|
||||
lifecycle { ignore_changes = [tags] }
|
||||
}
|
||||
|
||||
# since shared services are in the core network, their dns link could exist once and must be defined here.
|
||||
resource "azurerm_private_dns_zone_virtual_network_link" "mysql" {
|
||||
resource_group_name = azurerm_resource_group.core.name
|
||||
virtual_network_id = module.network.core_vnet_id
|
||||
private_dns_zone_name = azurerm_private_dns_zone.non_core["privatelink.mysql.database.azure.com"].name
|
||||
name = azurerm_private_dns_zone.non_core["privatelink.mysql.database.azure.com"].name
|
||||
registration_enabled = false
|
||||
tags = local.tre_core_tags
|
||||
lifecycle { ignore_changes = [tags] }
|
||||
}
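Review bot: The MySQL virtual-network link is effectively renamed in this hunk — `name` is now the zone name (`privatelink.mysql.database.azure.com`), while the resource it is `moved` from carried the name `azurewebsites-link` — and as far as I recall `name` is ForceNew on `azurerm_private_dns_zone_virtual_network_link`, so the first apply after the upgrade will destroy and recreate the link rather than adopt it. While the link is absent, hosts in the core VNet lose private resolution for MySQL private endpoints, so shared services relying on that zone would see a resolution gap during the apply. If the legacy name is acceptable, `name = "azurewebsites-link" # legacy value kept to avoid replacing the link` avoids the replacement; otherwise the upgrade notes should call out the brief outage. Separately, the header comment has a typo: `# but are a preparation for shared/workspace services deployment.`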
|
|
@ -12,4 +12,23 @@ locals {
|
|||
|
||||
# https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#allow-requests-from-the-azure-portal
|
||||
azure_portal_cosmos_ips = "104.42.195.92,40.76.54.131,52.176.6.30,52.169.50.45,52.187.184.26"
|
||||
|
||||
# we define some zones in core despite not used by the core infra because
|
||||
# it's the easier way to make them available to other services in the system.
|
||||
private_dns_zone_names_non_core = toset([
|
||||
"privatelink.purview.azure.com",
|
||||
"privatelink.purviewstudio.azure.com",
|
||||
"privatelink.sql.azuresynapse.net",
|
||||
"privatelink.dev.azuresynapse.net",
|
||||
"privatelink.azuresynapse.net",
|
||||
"privatelink.dfs.core.windows.net",
|
||||
"privatelink.azurehealthcareapis.com",
|
||||
"privatelink.dicom.azurehealthcareapis.com",
|
||||
"privatelink.api.azureml.ms",
|
||||
"privatelink.cert.api.azureml.ms",
|
||||
"privatelink.notebooks.azure.net",
|
||||
"privatelink.postgres.database.azure.com",
|
||||
"nexus-${var.tre_id}.${var.location}.cloudapp.azure.com",
|
||||
"privatelink.mysql.database.azure.com",
|
||||
])
|
||||
}
|
||||
|
|
|
@ -189,6 +189,13 @@ if [ -n "${rp_subnet}" ]; then
|
|||
fi
|
||||
fi
|
||||
|
||||
# DNS Zones migration. We can't use a moved block due the the vars being used.
|
||||
nexus_dns_zone=$(echo "${terraform_show_json}" \
|
||||
| jq -r 'select(.values.root_module.child_modules != null) .values.root_module.child_modules[] | select (.address=="module.network") | .resources[] | select(.address=="module.network.azurerm_private_dns_zone.nexus") | .values.id')
|
||||
if [ -n "${nexus_dns_zone}" ]; then
|
||||
terraform state rm module.network.azurerm_private_dns_zone.nexus
|
||||
terraform import azurerm_private_dns_zone.non_core[\""nexus-${TRE_ID}.${LOCATION}.cloudapp.azure.com"\"] "${nexus_dns_zone}"
|
||||
fi
|
||||
|
||||
# this isn't a classic migration, but impacts how terraform handles the deployment in the next phase
|
||||
state_store_serverless=$(echo "${terraform_show_json}" \
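Review bot: The nexus zone migration is done as `terraform state rm` followed by `terraform import`, which is two non-atomic steps: if the import fails (the key built from `TRE_ID`/`LOCATION` not matching `var.tre_id`/`var.location` exactly, or a transient provider/auth error), the zone is already gone from state and the next apply will try to create a zone that still exists in Azure. `terraform state mv` performs the same rename in a single state write, keeps the recorded attributes, and does not need the resource ID from the show output: `terraform state mv 'module.network.azurerm_private_dns_zone.nexus' "azurerm_private_dns_zone.non_core[\"nexus-${TRE_ID}.${LOCATION}.cloudapp.azure.com\"]"`. The `nexus_dns_zone` lookup can remain as the guard for whether the old address is present. The surrounding script, including whether it runs with `set -e`, is outside the hunk.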
|
||||
|
|
|
@ -231,3 +231,80 @@ moved {
|
|||
from = module.airlock.azurerm_private_dns_zone.eventgrid
|
||||
to = module.network.azurerm_private_dns_zone.eventgrid
|
||||
}
|
||||
|
||||
|
||||
# DNS Zones
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.mysql
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.mysql.database.azure.com"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.azureml
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.api.azureml.ms"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.azuremlcert
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.cert.api.azureml.ms"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.notebooks
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.notebooks.azure.net"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.postgres
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.postgres.database.azure.com"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone_virtual_network_link.mysql
|
||||
to = azurerm_private_dns_zone_virtual_network_link.mysql
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.purview.azure.com"]
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.purview.azure.com"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.purviewstudio.azure.com"]
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.purviewstudio.azure.com"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.sql.azuresynapse.net"]
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.sql.azuresynapse.net"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.dev.azuresynapse.net"]
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.dev.azuresynapse.net"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.azuresynapse.net"]
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.azuresynapse.net"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.azuresynapse.net"]
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.azuresynapse.net"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.dfs.core.windows.net"]
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.dfs.core.windows.net"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.azurehealthcareapis.com"]
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.azurehealthcareapis.com"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.dicom.azurehealthcareapis.com"]
|
||||
to = azurerm_private_dns_zone.non_core["privatelink.dicom.azurehealthcareapis.com"]
|
||||
}
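Review bot: The `moved` block for `privatelink.azuresynapse.net` appears twice with identical `from` and `to` addresses (the second copy directly follows the first). Terraform rejects conflicting or repeated move statements for the same source address in at least some versions, and even where it is tolerated the second block is dead configuration, so it should be deleted. Note also that a `moved` block only renames state; the attribute changes made in the new resource definitions (for example the MySQL link's `name`) are still evaluated on apply and can force a replacement. The `moved` blocks above `# DNS Zones` are pre-existing context.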
|
||||
|
|
|
@ -112,23 +112,6 @@ resource "azurerm_private_dns_zone_virtual_network_link" "azurewebsites" {
|
|||
lifecycle { ignore_changes = [tags] }
|
||||
}
|
||||
|
||||
resource "azurerm_private_dns_zone" "mysql" {
|
||||
name = "privatelink.mysql.database.azure.com"
|
||||
resource_group_name = var.resource_group_name
|
||||
tags = local.tre_core_tags
|
||||
lifecycle { ignore_changes = [tags] }
|
||||
}
|
||||
|
||||
resource "azurerm_private_dns_zone_virtual_network_link" "mysql" {
|
||||
resource_group_name = var.resource_group_name
|
||||
virtual_network_id = azurerm_virtual_network.core.id
|
||||
private_dns_zone_name = azurerm_private_dns_zone.mysql.name
|
||||
name = "azurewebsites-link"
|
||||
registration_enabled = false
|
||||
tags = local.tre_core_tags
|
||||
lifecycle { ignore_changes = [tags] }
|
||||
}
|
||||
|
||||
resource "azurerm_private_dns_zone" "static_web" {
|
||||
name = "privatelink.web.core.windows.net"
|
||||
resource_group_name = var.resource_group_name
|
||||
|
@ -193,42 +176,6 @@ resource "azurerm_private_dns_zone_virtual_network_link" "acrlink" {
|
|||
lifecycle { ignore_changes = [tags] }
|
||||
}
|
||||
|
||||
resource "azurerm_private_dns_zone" "azureml" {
|
||||
name = "privatelink.api.azureml.ms"
|
||||
resource_group_name = var.resource_group_name
|
||||
tags = local.tre_core_tags
|
||||
lifecycle { ignore_changes = [tags] }
|
||||
}
|
||||
|
||||
resource "azurerm_private_dns_zone" "azuremlcert" {
|
||||
name = "privatelink.cert.api.azureml.ms"
|
||||
resource_group_name = var.resource_group_name
|
||||
tags = local.tre_core_tags
|
||||
lifecycle { ignore_changes = [tags] }
|
||||
}
|
||||
|
||||
resource "azurerm_private_dns_zone" "notebooks" {
|
||||
name = "privatelink.notebooks.azure.net"
|
||||
resource_group_name = var.resource_group_name
|
||||
tags = local.tre_core_tags
|
||||
lifecycle { ignore_changes = [tags] }
|
||||
}
|
||||
|
||||
resource "azurerm_private_dns_zone" "postgres" {
|
||||
name = "privatelink.postgres.database.azure.com"
|
||||
resource_group_name = var.resource_group_name
|
||||
tags = local.tre_core_tags
|
||||
lifecycle { ignore_changes = [tags] }
|
||||
}
|
||||
|
||||
resource "azurerm_private_dns_zone" "nexus" {
|
||||
name = "nexus-${var.tre_id}.${var.location}.cloudapp.azure.com"
|
||||
resource_group_name = var.resource_group_name
|
||||
tags = local.tre_core_tags
|
||||
|
||||
lifecycle { ignore_changes = [tags] }
|
||||
}
|
||||
|
||||
resource "azurerm_private_dns_zone" "eventgrid" {
|
||||
name = "privatelink.eventgrid.azure.net"
|
||||
resource_group_name = var.resource_group_name
|
||||
|
|
|
@ -30,13 +30,5 @@ locals {
|
|||
private_dns_zone_names = toset([
|
||||
"privatelink.queue.core.windows.net",
|
||||
"privatelink.table.core.windows.net",
|
||||
"privatelink.purview.azure.com",
|
||||
"privatelink.purviewstudio.azure.com",
|
||||
"privatelink.sql.azuresynapse.net",
|
||||
"privatelink.dev.azuresynapse.net",
|
||||
"privatelink.azuresynapse.net",
|
||||
"privatelink.dfs.core.windows.net",
|
||||
"privatelink.azurehealthcareapis.com",
|
||||
"privatelink.dicom.azurehealthcareapis.com"
|
||||
])
|
||||
}
|
||||
|
|
|
@ -1 +1 @@
|
|||
__version__ = "0.6.0"
|
||||
__version__ = "0.7.0"
|
||||
|
|