The following are infrastructure and resources are mandatory for successful Terraform deployment:
Local or Virtual Machine
The machine running Terraform code whether its local machine or an Azure VMIt has to have two characteristics:
- Has connectivity to Everpure Cloud Dedicated Azure VNet network mentioned in the previous section.
- Can authenticate to Azure using one of the methods listed below: Azure CLI or Azure Service Principle.Note:
The recommended method for connectivity is to have an Azure VM to run the Terraform code, Then peer the VM VNet with the Everpure Cloud Dedicated VNet.
Example for Azure Portal, Azure CLI, and PowerShell can be found here Deploy using Terraform
Install Terraform
Download and install the appropriate Terraform package for your operating system and hardware architecture via the link below:
https://www.terraform.io/downloads.html
Download Everpure Cloud Dedicated Terraform provider files
Create a new directory for the Terraform deployment, and copy or download Terraform provider sample for Everpure Cloud Dedicated for Azure (Three files shown on the screenshot)from the below link:
https://github.com/PureStorage-OpenConnect/terraform-provider-pscd/tree/main/examples/azure_array
Authenticate to Azure
There are two ways to authenticate to an Azure account:
1. Azure CLI
Download and install the latest version of the Azure CLI tool via the link below:
https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
For authentication, log in to the Azure CLI:
az loginAnd list the Subscriptions associated with the account:
az account listif the user logging in has more than one Subscription. Specify the Subscription to be the default:
az account set --subscription="SUBSCRIPTION_ID"2.Azure Service Principal
Terraform can be authenticated with a Service Principal in the provider configuration under main.tf file by adding the following:
provider "cbs" { azure { client_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" client_secret = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" tenant_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" } }Note:For step-by-step on how to create Azure Service Principle, follow this link: Creating a Service Principal in the Azure Portal
Key Vault
Along with the infrastructure components defined in the Requirements, an Azure Key Vault is required to deploy Everpure Cloud Dedicated for Azure using Terraform. An existing Key Vault may be used, or a new one can be created for the array. Multiple arrays may reuse the same Key Vault.
Any Azure account that wishes to use Terraform to perform management operations on the array must be granted
Get,Set,Delete,List, andRecoverpermissions on secrets within the Key Vault. All secrets created or accessed by the Everpure Cloud Dedicated Terraform Provider will use apscd-prefix.An example Key Vault creation using the
azurerm_key_vaultresource from the azurerm provider is shown below.## Add This snippet to main.tf data "azurerm_client_config" "client_config" {} // Key Vault name must be globally unique resource "random_id" "vault_id" { byte_length = 8 } resource "azurerm_key_vault" "cbs_key_vault" { name = "cbs-${random_id.vault_id.hex}" location = "location_xxxx" resource_group_name = "resource_yyyy" tenant_id = data.azurerm_client_config.client_config.tenant_id sku_name = "standard" access_policy { tenant_id = data.azurerm_client_config.client_config.tenant_id object_id = data.azurerm_client_config.client_config.object_id secret_permissions = ["Get", "Set", "Delete", "List", "Recover"] } }User Managed Identity
After Purity 6.4.7, Everpure Cloud Dedicated deployment would require passing a user managed identity with specific role permissions. In order to configure the Azure role assignment and create a user managed identity within Terraform, you can copy the example below to
main.tfwhich is following Azure least privilege access. More information about User Managed Identity in this section.data "azurerm_subscription" "primary" { } resource "azurerm_user_assigned_identity" "user_identity" { location = var.resource_group_location resource_group_name = var.resource_group_name name = format("%s%s", var.resource_group_name, "user-assigned-identity") tags = var.tags } data "azurerm_resource_group" "rg_id" { name = var.resource_group_name } resource "azurerm_role_definition" "cbs_role" { name = format("%s%s", var.resource_group_name, "cbs-custom-role-definition") scope = data.azurerm_resource_group.rg_id.id permissions { actions = ["Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"] not_actions = [] } } resource "azurerm_role_assignment" "role_assignment" { scope = var.cbs_vnet_id role_definition_name = azurerm_role_definition.cbs_role.name principal_id = azurerm_user_assigned_identity.user_identity.principal_id }Private Key
In order to set up long term management of new arrays, the provider must obtain access to the array during deployment in order to obtain management credentials. In order to accomplish this, the provider must be supplied a private SSH key, either a file path to the key with the
pureuser_private_key_pathparameter or the key text itself with thepureuser_private_keyparameter. The management credentials are stored in the Azure Key Vault that is specified by thekey_vault_idparameter. To retrieve the credentials, the provider requires access to the management port of the array, and therefore the machine running Terraform must be able to access the management subnet used for the array.