Terraform Prerequisites

Everpure Cloud Dedicated for Azure

Audience
Public
Source Type
Documentation

The following are infrastructure and resources are mandatory for successful Terraform deployment:

Local or Virtual Machine

The machine running Terraform code whether its local machine or an Azure VMIt has to have two characteristics:

  1. Has connectivity to Everpure Cloud Dedicated Azure VNet network mentioned in the previous section.
  2. Can authenticate to Azure using one of the methods listed below: Azure CLI or Azure Service Principle.
    Note:

    The recommended method for connectivity is to have an Azure VM to run the Terraform code, Then peer the VM VNet with the Everpure Cloud Dedicated VNet.

    Example for Azure Portal, Azure CLI, and PowerShell can be found here Deploy using Terraform

    Install Terraform

    Download and install the appropriate Terraform package for your operating system and hardware architecture via the link below:

    https://www.terraform.io/downloads.html

    Download Everpure Cloud Dedicated Terraform provider files

    Create a new directory for the Terraform deployment, and copy or download Terraform provider sample for Everpure Cloud Dedicated for Azure (Three files shown on the screenshot)from the below link:

    https://github.com/PureStorage-OpenConnect/terraform-provider-pscd/tree/main/examples/azure_array

    Authenticate to Azure

    There are two ways to authenticate to an Azure account:

    1. Azure CLI

    Download and install the latest version of the Azure CLI tool via the link below:

    https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

    For authentication, log in to the Azure CLI:

    
    az login

    And list the Subscriptions associated with the account:

    
    az account list

    if the user logging in has more than one Subscription. Specify the Subscription to be the default:

    
    az account set --subscription="SUBSCRIPTION_ID"

    2.Azure Service Principal

    Terraform can be authenticated with a Service Principal in the provider configuration under main.tf file by adding the following:

    
    provider "cbs" {
        azure {
            client_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
            client_secret = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
            subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
            tenant_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        }
    }
    
    Note:

    For step-by-step on how to create Azure Service Principle, follow this link: Creating a Service Principal in the Azure Portal

    Key Vault

    Along with the infrastructure components defined in the Requirements, an Azure Key Vault is required to deploy Everpure Cloud Dedicated for Azure using Terraform. An existing Key Vault may be used, or a new one can be created for the array. Multiple arrays may reuse the same Key Vault.

    Any Azure account that wishes to use Terraform to perform management operations on the array must be granted Get, Set, Delete, List, and Recoverpermissions on secrets within the Key Vault. All secrets created or accessed by the Everpure Cloud Dedicated Terraform Provider will use a pscd- prefix.

    An example Key Vault creation using the azurerm_key_vault resource from the azurerm provider is shown below.

    
    ## Add This snippet to main.tf
    data "azurerm_client_config" "client_config" {}
    
    // Key Vault name must be globally unique
    resource "random_id" "vault_id" {
        byte_length = 8
    }
    
    resource "azurerm_key_vault" "cbs_key_vault" {
        name                        = "cbs-${random_id.vault_id.hex}"
        location                    = "location_xxxx"
        resource_group_name         = "resource_yyyy"
        tenant_id                   = data.azurerm_client_config.client_config.tenant_id
    
        sku_name = "standard"
    
        access_policy {
            tenant_id          = data.azurerm_client_config.client_config.tenant_id
            object_id          = data.azurerm_client_config.client_config.object_id
            secret_permissions = ["Get", "Set", "Delete", "List", "Recover"]
      }
    }
    

    User Managed Identity

    After Purity 6.4.7, Everpure Cloud Dedicated deployment would require passing a user managed identity with specific role permissions. In order to configure the Azure role assignment and create a user managed identity within Terraform, you can copy the example below to main.tf which is following Azure least privilege access. More information about User Managed Identity in this section.

    
    data "azurerm_subscription" "primary" {
    }
    
    
    resource "azurerm_user_assigned_identity" "user_identity" {
      location            = var.resource_group_location
      resource_group_name = var.resource_group_name
      name                = format("%s%s", var.resource_group_name, "user-assigned-identity")
      tags                = var.tags
    }
    
    
    data "azurerm_resource_group" "rg_id" {
      name = var.resource_group_name
    }
    
    resource "azurerm_role_definition" "cbs_role" {
      name  = format("%s%s", var.resource_group_name, "cbs-custom-role-definition")
      scope = data.azurerm_resource_group.rg_id.id
    
    
      permissions {
        actions     = ["Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"]
        not_actions = []
      }
    }
    
    
    resource "azurerm_role_assignment" "role_assignment" {
      scope                = var.cbs_vnet_id
      role_definition_name = azurerm_role_definition.cbs_role.name
      principal_id         = azurerm_user_assigned_identity.user_identity.principal_id
    }
    

    Private Key

    In order to set up long term management of new arrays, the provider must obtain access to the array during deployment in order to obtain management credentials. In order to accomplish this, the provider must be supplied a private SSH key, either a file path to the key with the pureuser_private_key_path parameter or the key text itself with the pureuser_private_key parameter. The management credentials are stored in the Azure Key Vault that is specified by the key_vault_id parameter. To retrieve the credentials, the provider requires access to the management port of the array, and therefore the machine running Terraform must be able to access the management subnet used for the array.