Add module for Azure CDW permissions (#73)

Signed-off-by: Jim Enright <[email protected]>

README.md

@@ -16,6 +16,7 @@ This repository contains a number of Terraform modules for creation of the pre-r
 | [terraform-aws-tgw](modules/terraform-aws-tgw/README.md) | Module for creation of AWS Transity Gateway (TGW) and attaching a specified list of VPCs via the TGW. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a fully private networking configuration where a CDP VPC and Networking VPC are connected using the Transit Gateway. |
 | [terraform-aws-proxy](modules/terraform-aws-proxy/README.md) | Module to create and configure and EC2 Auto-Scaling Group for a highly available Squid Proxy service with Network Load Balancer (NLB) to forward traffic to the proxy instances. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a fully private networking configuration where a the CDP Environments uses a proxy config via the NLB. |
 | [terraform-azure-nfs](modules/terraform-azure-nfs/README.md) | Module for creation of Azure NFS File Share required for Cloudera Machine Learning (CML) Public Cloud. Also optionally creates a Virtual Machine which can be used to mount and set the required ownership for CML workspace's projects folder.|
+| [terraform-azure-cdw-permissions](modules/terraform-azure-cdw-permissions/README.md) | Module for creation of the Azure Kubernetes Service (AKS) managed identity required for the Cloudera Data Warehouse (CDW) service.|
 
 Each module contains Terraform resource configuration and example variable definition files.
 

modules/terraform-azure-cdw-permissions/.terraform-docs.yaml

@@ -0,0 +1,21 @@
+formatter: markdown
+header-from: doc_fragments/header.md
+settings:
+  anchor: true
+  color: true
+  default: true
+  escape: true
+  html: true
+  indent: 2
+  required: true
+  sensitive: true
+  type: true
+
+
+sort:
+  enabled: true
+  by: required
+
+output:
+  file: README.md
+  mode: replace

modules/terraform-azure-cdw-permissions/README.md

@@ -0,0 +1,60 @@
+<!-- BEGIN_TF_DOCS -->
+# Terraform Module for Azure AKS Managed Identity for CDW
+
+This module contains resource files and example variable definition files for creation of the Azure Kubernetes Service (AKS) managed identity required for the Cloudera Data Warehouse (CDW) service. This requirement is described [in this section](https://docs.cloudera.com/data-warehouse/cloud/azure-environments/topics/dw-azure-environment-requirements-checklist.html#pnavId5) of the CDW documentation.
+
+## Usage
+
+The [examples](./examples) directory has example Azure AKS Managed Identity creation:
+
+* `ex01-aks_managed_identity` uses a set of inputs for the module.
+
+An example `terraform.tfvars.sample` values file is included to show input variable values.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.84.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.84.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_role_assignment.cdp_cdw_aks_cred_storage_assign](https://registry.terraform.io/providers/hashicorp/azurerm/3.84.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cdp_cdw_aks_cred_subscription_assign](https://registry.terraform.io/providers/hashicorp/azurerm/3.84.0/docs/resources/role_assignment) | resource |
+| [azurerm_user_assigned_identity.cdp_cdw_aks_cred](https://registry.terraform.io/providers/hashicorp/azurerm/3.84.0/docs/resources/user_assigned_identity) | resource |
+| [azurerm_resource_group.cdp_ds_rmgp](https://registry.terraform.io/providers/hashicorp/azurerm/3.84.0/docs/data-sources/resource_group) | data source |
+| [azurerm_storage_account.data_storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/3.84.0/docs/data-sources/storage_account) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.84.0/docs/data-sources/subscription) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_azure_aks_credential_managed_identity_name"></a> [azure\_aks\_credential\_managed\_identity\_name](#input\_azure\_aks\_credential\_managed\_identity\_name) | Name of the Managed Identity for the AKS Credential | `string` | n/a | yes |
+| <a name="input_azure_data_storage_account"></a> [azure\_data\_storage\_account](#input\_azure\_data\_storage\_account) | Name of the Azure Storage Account used for CDP Data | `string` | n/a | yes |
+| <a name="input_azure_resource_group_name"></a> [azure\_resource\_group\_name](#input\_azure\_resource\_group\_name) | Azrue Resource Group for CDP environment. | `string` | n/a | yes |
+| <a name="input_azure_region"></a> [azure\_region](#input\_azure\_region) | Region which Cloud resources will be created | `string` | `null` | no |
+| <a name="input_cdw_aks_cred_storage_role_assignments"></a> [cdw\_aks\_cred\_storage\_role\_assignments](#input\_cdw\_aks\_cred\_storage\_role\_assignments) | List of Role Assignments for the AKS Credential at Data Storage Account scope. | <pre>list(object({<br>    role        = string<br>    description = optional(string)<br>    })<br>  )</pre> | <pre>[<br>  {<br>    "description": "Assign Storage Blob Data Owner assignment to CDP Data Storage Container to AKS Credential",<br>    "role": "Storage Blob Data Owner"<br>  }<br>]</pre> | no |
+| <a name="input_cdw_aks_cred_subscription_role_assignments"></a> [cdw\_aks\_cred\_subscription\_role\_assignments](#input\_cdw\_aks\_cred\_subscription\_role\_assignments) | List of Role Assignments for the AKS Credential at subscription scope | <pre>list(object({<br>    role        = string<br>    description = optional(string)<br>    })<br>  )</pre> | <pre>[<br>  {<br>    "description": "Assign Contributor Role to AKS Credential",<br>    "role": "Contributor"<br>  }<br>]</pre> | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags applied to provised resources | `map(any)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_azure_aks_managed_identity_id"></a> [azure\_aks\_managed\_identity\_id](#output\_azure\_aks\_managed\_identity\_id) | ID of the Azure AKS managed identity |
+| <a name="output_azure_subscription_id"></a> [azure\_subscription\_id](#output\_azure\_subscription\_id) | Subscription ID where the Azure AKS managed identity is created |
+<!-- END_TF_DOCS -->

modules/terraform-azure-cdw-permissions/data.tf

@@ -0,0 +1,22 @@
+# Copyright 2024 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Access information about Azure Subscription
+data "azurerm_subscription" "current" {}
+
+# Find details about the data storage account
+data "azurerm_storage_account" "data_storage_account" {
+  name                = var.azure_data_storage_account
+  resource_group_name = var.azure_resource_group_name
+}

modules/terraform-azure-cdw-permissions/doc_fragments/header.md

@@ -0,0 +1,11 @@
+# Terraform Module for Azure AKS Managed Identity for CDW
+
+This module contains resource files and example variable definition files for creation of the Azure Kubernetes Service (AKS) managed identity required for the Cloudera Data Warehouse (CDW) service. This requirement is described [in this section](https://docs.cloudera.com/data-warehouse/cloud/azure-environments/topics/dw-azure-environment-requirements-checklist.html#pnavId5) of the CDW documentation.
+
+## Usage
+
+The [examples](./examples) directory has example Azure AKS Managed Identity creation:
+
+* `ex01-aks_managed_identity` uses a set of inputs for the module.
+
+An example `terraform.tfvars.sample` values file is included to show input variable values.

modules/terraform-azure-cdw-permissions/examples/ex01-aks_managed_identity/main.tf

@@ -0,0 +1,87 @@
+# Copyright 2024 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_version = ">= 1.5.7"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.84.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.46.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0.5"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.5.1"
+    }
+    http = {
+      source  = "hashicorp/http"
+      version = "~> 3.2.1"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false
+    }
+  }
+
+}
+
+provider "azuread" {
+}
+
+module "cdp_azure_prereqs" {
+  source = "../../../terraform-cdp-azure-pre-reqs"
+
+  env_prefix   = var.env_prefix
+  azure_region = var.azure_region
+
+  deployment_template           = var.deployment_template
+  ingress_extra_cidrs_and_ports = var.ingress_extra_cidrs_and_ports
+
+  # Tags to apply resources (omitted by default)
+  env_tags = var.env_tags
+
+}
+
+module "cdp_azure_cdw_aks" {
+  source = "../.."
+
+  azure_resource_group_name = module.cdp_azure_prereqs.azure_resource_group_name
+  azure_region              = var.azure_region
+
+  azure_aks_credential_managed_identity_name = "${var.env_prefix}-aks-credential-identity"
+  azure_data_storage_account                 = module.cdp_azure_prereqs.azure_data_storage_account
+
+  tags = var.env_tags
+
+  depends_on = [
+    module.cdp_azure_prereqs
+  ]
+}
+
+output "azure_aks_managed_identity_id" {
+  value = module.cdp_azure_cdw_aks.azure_aks_managed_identity_id
+
+  description = "ID of the Azure AKS managed identity"
+}

modules/terraform-azure-cdw-permissions/examples/ex01-aks_managed_identity/terraform.tfvars.sample

@@ -0,0 +1,37 @@
+# Copyright 2024 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ------- Global settings -------
+env_prefix = "<ENTER_VALUE>" # Required name prefix for cloud and CDP resources, e.g. cldr1
+
+# ------- Cloud Settings -------
+azure_region = "<ENTER_VALUE>" # Change this to specify Cloud Provider region, e.g. eastus
+
+# ------- CDP Environment Deployment -------
+deployment_template = "<ENTER_VALUE>"  # Specify the deployment pattern below. Options are public, semi-private or private
+
+# ------- Resource Tagging -------
+# **NOTE: An example of how to specify tags is below; uncomment & edit if required
+# env_tags = {
+#     owner   = "<ENTER_VALUE>"
+#     project = "<ENTER_VALUE>"
+#     enddate = "<ENTER_VALUE>"
+# }
+
+# ------- Network Settings -------
+# **NOTE: If required change the values below any additional CIDRs to add the the AWS Security Groups**
+ingress_extra_cidrs_and_ports = {
+ cidrs = ["<ENTER_IP_VALUE>/32", "<ENTER_IP_VALUE>/32"],
+ ports = [443, 22]
+}

modules/terraform-azure-cdw-permissions/examples/ex01-aks_managed_identity/variables.tf

@@ -0,0 +1,48 @@
+# Copyright 2024 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ------- Global settings -------
+variable "env_prefix" {
+  type        = string
+  description = "Shorthand name for the environment. Used in resource descriptions"
+}
+
+variable "azure_region" {
+  type        = string
+  description = "Region which Cloud resources will be created"
+}
+
+variable "env_tags" {
+  type        = map(any)
+  description = "Tags applied to pvovisioned resources"
+
+  default = null
+}
+
+# ------- CDP Environment Deployment -------
+variable "deployment_template" {
+  type = string
+
+  description = "Deployment Pattern to use for Cloud resources and CDP"
+}
+
+# ------- Network Resources -------
+variable "ingress_extra_cidrs_and_ports" {
+  type = object({
+    cidrs = list(string)
+    ports = list(number)
+  })
+  description = "List of extra CIDR blocks and ports to include in Security Group Ingress rules"
+}
+

modules/terraform-azure-cdw-permissions/main.tf

@@ -0,0 +1,36 @@
+# Create Azure Managed Identity
+resource "azurerm_user_assigned_identity" "cdp_cdw_aks_cred" {
+
+  location            = var.azure_region
+  name                = var.azure_aks_credential_managed_identity_name
+  resource_group_name = var.azure_resource_group_name
+
+  tags = merge(var.tags, { Name = var.azure_aks_credential_managed_identity_name })
+}
+
+# Assign the required roles to the AKS credential managed identity
+resource "azurerm_role_assignment" "cdp_cdw_aks_cred_subscription_assign" {
+
+  for_each = {
+    for idx, role in var.cdw_aks_cred_subscription_role_assignments : idx => role
+  }
+
+  scope                = data.azurerm_subscription.current.id
+  role_definition_name = each.value.role
+  principal_id         = azurerm_user_assigned_identity.cdp_cdw_aks_cred.principal_id
+
+  description = each.value.description
+}
+
+resource "azurerm_role_assignment" "cdp_cdw_aks_cred_storage_assign" {
+
+  for_each = {
+    for idx, role in var.cdw_aks_cred_storage_role_assignments : idx => role
+  }
+
+  scope                = data.azurerm_storage_account.data_storage_account.id
+  role_definition_name = each.value.role
+  principal_id         = azurerm_user_assigned_identity.cdp_cdw_aks_cred.principal_id
+
+  description = each.value.description
+}

modules/terraform-azure-cdw-permissions/outputs.tf

@@ -0,0 +1,25 @@
+# Copyright 2024 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+output "azure_subscription_id" {
+  value = data.azurerm_subscription.current.subscription_id
+
+  description = "Subscription ID where the Azure AKS managed identity is created"
+}
+
+output "azure_aks_managed_identity_id" {
+  value = azurerm_user_assigned_identity.cdp_cdw_aks_cred.id
+
+  description = "ID of the Azure AKS managed identity"
+}

modules/terraform-azure-cdw-permissions/provider.tf

@@ -0,0 +1,23 @@
+# Copyright 2024 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_version = ">= 1.5.7"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.84.0"
+    }
+  }
+}