# Resolved identifiers shared by the modules and resources in this file.
# Each value points at a caller-supplied resource when one was given and
# otherwise at the resource this configuration creates itself.
locals {
  # A caller-supplied Key Vault takes precedence; module.kms is only
  # instantiated (count = 1) when var.key_vault_id is null.
  key_vault_id = var.key_vault_id == null ? module.kms[0].key_vault_id : var.key_vault_id

  # A non-empty existing_vnet.id selects the caller's network; otherwise the
  # values come from module.main_vnet, which is created in exactly that case.
  vnet_id                    = var.existing_vnet.id != "" ? var.existing_vnet.id : module.main_vnet[0].vnet_id
  services_subnet_id         = var.existing_vnet.id != "" ? var.existing_vnet.services_subnet_id : module.main_vnet[0].services_subnet_id
  private_endpoint_subnet_id = var.existing_vnet.id != "" ? var.existing_vnet.private_endpoint_subnet_id : module.main_vnet[0].private_endpoint_subnet_id

  # An existing VNet contributes no private-link-service subnet, so this is
  # null whenever var.existing_vnet.id is set.
  # NOTE(review): module.front_door is handed this value; confirm that
  # enable_front_door = true together with an existing VNet is rejected or
  # handled inside the module.
  private_link_service_subnet_id = var.existing_vnet.id != "" ? null : module.main_vnet[0].private_link_service_subnet_id

  # Resource group: looked up through the data source when a name is supplied,
  # created by azurerm_resource_group.main otherwise.
  resource_group_name = var.existing_resource_group_name != "" ? data.azurerm_resource_group.existing[0].name : azurerm_resource_group.main[0].name
  resource_group_id   = var.existing_resource_group_name != "" ? data.azurerm_resource_group.existing[0].id : azurerm_resource_group.main[0].id

  # var.custom_tags is merged last, so a custom tag with the same key replaces
  # BraintrustDeploymentName. Within this file only the resource group and the
  # Key Vault secrets use local.tags; the modules receive var.custom_tags.
  tags = merge(
    {
      BraintrustDeploymentName = var.deployment_name
    },
    var.custom_tags
  )
}
# Looks up a caller-supplied resource group by name. Skipped (count = 0) when
# no existing resource group name is given.
data "azurerm_resource_group" "existing" {
  count = var.existing_resource_group_name == "" ? 0 : 1

  name = var.existing_resource_group_name
}
# Resource group created for the deployment, named after it. Only created when
# the caller did not point at an existing resource group.
resource "azurerm_resource_group" "main" {
  count = var.existing_resource_group_name != "" ? 0 : 1

  name     = var.deployment_name
  location = var.location
  tags     = local.tags
}
# Key Vault for the deployment. Instantiated only when the caller supplies no
# key_vault_id; with a caller-supplied vault nothing in ./modules/kms is
# applied to it.
# NOTE(review): for a bring-your-own vault, network restrictions, purge
# protection and access grants are presumably the caller's responsibility.
# Confirm this is documented for operators.
module "kms" {
  source = "./modules/kms"
  count  = var.key_vault_id != null ? 0 : 1

  deployment_name     = var.deployment_name
  location            = var.location
  resource_group_name = local.resource_group_name
  custom_tags         = var.custom_tags

  # Network placement handed to the module.
  virtual_network_id         = local.vnet_id
  private_endpoint_subnet_id = local.private_endpoint_subnet_id
}
# Virtual network named "main" with the services and private-endpoint subnets.
# Instantiated only when var.existing_vnet.id is empty.
module "main_vnet" {
  source = "./modules/vnet"
  count  = var.existing_vnet.id != "" ? 0 : 1

  deployment_name     = var.deployment_name
  location            = var.location
  resource_group_name = local.resource_group_name
  custom_tags         = var.custom_tags

  # Address plan.
  vnet_name                    = "main"
  vnet_address_space_cidr      = var.vnet_address_space_cidr
  services_subnet_cidr         = var.services_subnet_cidr
  private_endpoint_subnet_cidr = var.private_endpoint_subnet_cidr

  # The module exposes private_link_service_subnet_id (read in locals);
  # presumably that subnet is tied to this flag. Verify in ./modules/vnet.
  enable_front_door = var.enable_front_door
}
# Optional AKS cluster, created only when var.create_aks_cluster is true.
module "k8s" {
  source = "./modules/k8s"
  count  = var.create_aks_cluster ? 1 : 0

  deployment_name     = var.deployment_name
  location            = var.location
  resource_group_name = local.resource_group_name
  resource_group_id   = local.resource_group_id
  services_subnet_id  = local.services_subnet_id
  custom_tags         = var.custom_tags

  # Node pool sizing.
  system_pool_vm_size       = var.aks_system_pool_vm_size
  services_pool_vm_size     = var.aks_services_pool_vm_size
  services_pool_min_count   = var.aks_services_pool_min_count
  services_pool_max_count   = var.aks_services_pool_max_count
  brainstore_pool_vm_size   = var.aks_brainstore_pool_vm_size
  brainstore_pool_min_count = var.aks_brainstore_pool_min_count
  brainstore_pool_max_count = var.aks_brainstore_pool_max_count

  # NOTE(review): the cluster module receives the Key Vault, storage account
  # and resource group IDs, presumably to create role assignments for cluster
  # identities. Verify in ./modules/k8s that those grants are scoped to the
  # narrowest resource and role that works.
  key_vault_id       = local.key_vault_id
  storage_account_id = module.storage.storage_account_id
}
# PostgreSQL for the deployment; always created.
module "database" {
  source = "./modules/database"

  deployment_name     = var.deployment_name
  location            = var.location
  resource_group_name = local.resource_group_name
  custom_tags         = var.custom_tags

  # Server sizing and version.
  postgres_version      = var.postgres_version
  postgres_sku_name     = var.postgres_sku_name
  postgres_storage_mb   = var.postgres_storage_mb
  postgres_storage_tier = var.postgres_storage_tier

  # NOTE(review): a private-endpoint subnet and an optional private DNS zone
  # are passed in, which suggests private-only connectivity. Confirm in
  # ./modules/database that public network access is disabled.
  vnet_id                               = local.vnet_id
  private_endpoint_subnet_id            = local.private_endpoint_subnet_id
  existing_postgres_private_dns_zone_id = var.existing_postgres_private_dns_zone_id

  # Presumably where the module stores the database credentials. Verify.
  key_vault_id = local.key_vault_id
}
# Redis cache for the deployment; always created.
module "redis" {
  source = "./modules/redis"

  deployment_name     = var.deployment_name
  location            = var.location
  resource_group_name = local.resource_group_name
  custom_tags         = var.custom_tags

  # Cache sizing and version.
  redis_version  = var.redis_version
  redis_sku_name = var.redis_sku_name
  redis_family   = var.redis_family
  redis_capacity = var.redis_capacity

  # NOTE(review): private-endpoint inputs suggest private-only connectivity.
  # Confirm in ./modules/redis that public network access is disabled and
  # that the non-TLS port stays off.
  virtual_network_id                 = local.vnet_id
  private_endpoint_subnet_id         = local.private_endpoint_subnet_id
  existing_redis_private_dns_zone_id = var.existing_redis_private_dns_zone_id

  # Presumably where the module stores the cache access key. Verify.
  key_vault_id = local.key_vault_id
}
# Storage account for the deployment; always created. Its ID is also passed
# to module.k8s.
module "storage" {
  source = "./modules/storage"

  deployment_name     = var.deployment_name
  location            = var.location
  resource_group_name = local.resource_group_name
  custom_tags         = var.custom_tags

  create_storage_container = var.create_storage_container

  # NOTE(review): private-endpoint inputs suggest private-only connectivity.
  # Confirm in ./modules/storage that public blob access and shared-key
  # exposure are restricted as intended.
  vnet_id                           = local.vnet_id
  private_endpoint_subnet_id        = local.private_endpoint_subnet_id
  existing_blob_private_dns_zone_id = var.existing_blob_private_dns_zone_id

  key_vault_id = local.key_vault_id
}
# Optional Azure Front Door in front of the API backend, created only when
# var.enable_front_door is true.
module "front_door" {
  source = "./modules/front_door"
  count  = var.enable_front_door ? 1 : 0

  deployment_name     = var.deployment_name
  location            = var.location
  resource_group_name = local.resource_group_name
  custom_tags         = var.custom_tags

  # Backend the Front Door forwards to.
  api_backend_address                 = var.front_door_api_backend_address
  api_backend_port                    = var.front_door_api_backend_port
  load_balancer_frontend_ip_config_id = var.front_door_load_balancer_frontend_ip_config_id

  # local.private_link_service_subnet_id is null when an existing VNet is used.
  # NOTE(review): confirm the module validates this input, so a deployment
  # with an existing VNet fails clearly instead of creating a Front Door
  # without the intended private link path.
  private_link_service_subnet_id = local.private_link_service_subnet_id
}
# Key used to encrypt function environment secrets. Those secrets can be set
# per org, project, or function and reach functions as environment variables.
#
# The value comes from random_password.function_secret, so it is also present
# in Terraform state; the state backend needs the same protection as the vault.
# NOTE(review): no expiration_date is set. Presumably rotating this key would
# make already-encrypted secrets unreadable, so confirm the rotation procedure
# before adding one.
resource "azurerm_key_vault_secret" "function_secret" {
  key_vault_id = local.key_vault_id

  name  = "function-secret-key"
  value = random_password.function_secret.result

  tags = local.tags
}
# 32-character random value, special characters allowed, backing the
# "function-secret-key" Key Vault secret. No keepers are set, so the value is
# generated once and kept until the resource is replaced.
# random_password marks the result sensitive in plan output, but it is still
# written to Terraform state; restrict and encrypt the state backend.
resource "random_password" "function_secret" {
  special = true
  length  = 32
}
# Brainstore license key stored in the deployment's Key Vault.
# NOTE(review): when the key is supplied through var.brainstore_license_key it
# also ends up in Terraform state; confirm the variable is declared with
# sensitive = true (its declaration is not in this file).
resource "azurerm_key_vault_secret" "brainstore_license_key" {
  key_vault_id = local.key_vault_id

  name  = "brainstore-license-key"
  value = var.brainstore_license_key

  tags = local.tags

  # Some customers cannot put secrets into CI. They pass "" here and enter the
  # real key directly in the Key Vault afterwards. Ignoring changes to value
  # keeps later applies from overwriting that manual entry. It also means a
  # new var.brainstore_license_key is not applied on its own; taint the
  # resource to force the value to be written again.
  lifecycle {
    ignore_changes = [
      value
    ]
  }
}