Add support for Azure shared exocompute (#160)

rubrikinc · May 1, 2024 · 06cf638 · 06cf638
1 parent 0e10db1
commit 06cf638
Show file tree

Hide file tree

Showing 17 changed files with 1,259 additions and 454 deletions.
diff --git a/docs/data-sources/azure_permissions.md b/docs/data-sources/azure_permissions.md
@@ -3,21 +3,23 @@
 page_title: "polaris_azure_permissions Data Source - terraform-provider-polaris"
 subcategory: ""
 description: |-
-  The polaris_azure_permissions data source is used to access information about the permissions required by RSC for a specified set of RSC features. The features currently supported for Azure subscriptions are:
+  The polaris_azure_permissions data source is used to access information about the permissions required by RSC for a specified RSC feature. The features currently supported for Azure subscriptions are:
     * AZURE_SQL_DB_PROTECTION
     * AZURE_SQL_MI_PROTECTION
     * CLOUD_NATIVE_ARCHIVAL
     * CLOUD_NATIVE_ARCHIVAL_ENCRYPTION
     * CLOUD_NATIVE_PROTECTION
     * EXOCOMPUTE
   See the subscription azure_subscription resource for more information on enabling features for an Azure subscription added to RSC.
-  The polaris_azure_permissions data source can be used with the azurerm_role_definition and the polaris_azure_service_principal resources to automatically update the permissions of roles and notify RSC about the updated permissions.
+  The polaris_azure_permissions data source can be used with the azurerm_role_definition and the permissions fields of the polaris_azure_subscription resources to automatically update the permissions of roles and notify RSC about the updated permissions.
+  -> Note: To better fit the RSC Azure permission model where each RSC feature have two Azure roles,    the features field has been deprecated and replaced with the feature field.
+  -> Note: Due to the RSC Azure permission model having been refined into subscription level permissions    and resource group level permissions, the actions, data_actions, not_actions and not_data_actions    fields have been deprecated and replaced with the corresponding subscription and resource group fields.
   -> Note: Due to backward compatibility, the features field allow the feature names to be given in    3 different styles: EXAMPLE_FEATURE_NAME, example-feature-name or example_feature_name. The    recommended style is EXAMPLE_FEATURE_NAME as it is what the RSC API itself uses.
 ---
 
 # polaris_azure_permissions (Data Source)
 
-The `polaris_azure_permissions` data source is used to access information about the permissions required by RSC for a specified set of RSC features. The features currently supported for Azure subscriptions are:
+The `polaris_azure_permissions` data source is used to access information about the permissions required by RSC for a specified RSC feature. The features currently supported for Azure subscriptions are:
   * `AZURE_SQL_DB_PROTECTION`
   * `AZURE_SQL_MI_PROTECTION`
   * `CLOUD_NATIVE_ARCHIVAL`
@@ -27,52 +29,64 @@ The `polaris_azure_permissions` data source is used to access information about
 
 See the [subscription](azure_subscription) resource for more information on enabling features for an Azure subscription added to RSC.
 
-The `polaris_azure_permissions` data source can be used with the `azurerm_role_definition` and the `polaris_azure_service_principal` resources to automatically update the permissions of roles and notify RSC about the updated permissions.
+The `polaris_azure_permissions` data source can be used with the `azurerm_role_definition` and the `permissions` fields of the `polaris_azure_subscription` resources to automatically update the permissions of roles and notify RSC about the updated permissions.
+
+-> **Note:** To better fit the RSC Azure permission model where each RSC feature have two Azure roles,    the `features` field has been deprecated and replaced with the `feature` field.
+
+-> **Note:** Due to the RSC Azure permission model having been refined into subscription level permissions    and resource group level permissions, the `actions`, `data_actions`, `not_actions` and `not_data_actions`    fields have been deprecated and replaced with the corresponding subscription and resource group fields.
 
 -> **Note:** Due to backward compatibility, the `features` field allow the feature names to be given in    3 different styles: `EXAMPLE_FEATURE_NAME`, `example-feature-name` or `example_feature_name`. The    recommended style is `EXAMPLE_FEATURE_NAME` as it is what the RSC API itself uses.
 
 ## Example Usage
 
 ```terraform
 # Permissions required for the Cloud Native Protection RSC feature.
-data "polaris_azure_permissions" "default" {
-  features = [
-    "CLOUD_NATIVE_PROTECTION",
-  ]
+data "polaris_azure_permissions" "cloud_native_protection" {
+  feature = "CLOUD_NATIVE_PROTECTION"
 }
 
-# Permissions required for the Cloud Native Protection and Exocompute
-# RSC features. The polaris_azure_service_principal is set up to notify
-# RSC when the permissions are updated.
-data "polaris_azure_permissions" "default" {
-  features = [
-    "CLOUD_NATIVE_PROTECTION",
-    "EXOCOMPUTE"
-  ]
+# Permissions required for the Exocompute RSC feature. The subscription
+# is set up to notify RSC when the permissions are updated for the feature.
+data "polaris_azure_permissions" "exocompute" {
+  feature = "EXOCOMPUTE"
 }
 
-resource "polaris_azure_service_principal" "default" {
-  app_id        = "25c2b42a-c76b-11eb-9767-6ff6b5b7e72b"
-  app_name      = "My App"
-  app_secret    = "<my-app-secret>"
-  tenant_domain = "mydomain.onmicrosoft.com"
-  tenant_id     = "2bfdaef8-c76b-11eb-8d3d-4706c14a88f0"
-  permissions   = data.polaris_azure_permissions.default.id
+resource "polaris_azure_subscription" "subscription" {
+  subscription_id = "31be1bb0-c76c-11eb-9217-afdffe83a002"
+  tenant_domain   = "my-domain.onmicrosoft.com"
+
+  exocompute {
+    permissions = data.polaris_azure_permissions.exocompute.id
+    regions = [
+      "eastus2",
+    ]
+    resource_group_name   = "my-east-resource-group"
+    resource_group_region = "eastus2"
+  }
 }
 ```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
-### Required
+### Optional
 
-- `features` (Set of String) RSC features.
+- `feature` (String) RSC feature. Note that the feature name must be given in the `EXAMPLE_FEATURE_NAME` style.
+- `features` (Set of String, Deprecated) RSC features. **Deprecated:** use `feature` instead.
 
 ### Read-Only
 
-- `actions` (List of String) Azure allowed actions.
-- `data_actions` (List of String) Azure allowed data actions.
+- `actions` (List of String, Deprecated) Azure allowed actions. **Deprecated:** use `subscription_actions` and `resource_group_actions` instead.
+- `data_actions` (List of String, Deprecated) Azure allowed data actions. **Deprecated:** use `subscription_data_actions` and `resource_group_data_actions` instead.
 - `hash` (String, Deprecated) SHA-256 hash of the permissions, can be used to detect changes to the permissions. **Deprecated:** use `id` instead.
 - `id` (String) SHA-256 hash of the required permissions, will be updated as the required permissions changes.
-- `not_actions` (List of String) Azure disallowed actions.
-- `not_data_actions` (List of String) Azure disallowed data actions.
+- `not_actions` (List of String, Deprecated) Azure disallowed actions. **Deprecated:** use `subscription_not_actions` and `resource_group_not_actions` instead.
+- `not_data_actions` (List of String, Deprecated) Azure disallowed data actions. **Deprecated:** use `subscription_not_data_actions` and `resource_group_not_data_actions` instead.
+- `resource_group_actions` (List of String) Azure allowed actions on the resource group level.
+- `resource_group_data_actions` (List of String) Azure allowed data actions on the resource group level.
+- `resource_group_not_actions` (List of String) Azure disallowed actions on the resource group level.
+- `resource_group_not_data_actions` (List of String) Azure disallowed data actions on the resource group level.
+- `subscription_actions` (List of String) Azure allowed actions on the subscription level.
+- `subscription_data_actions` (List of String) Azure allowed data actions on the subscription level.
+- `subscription_not_actions` (List of String) Azure disallowed actions on the subscription level.
+- `subscription_not_data_actions` (List of String) Azure disallowed data actions on the subscription level.
diff --git a/docs/guides/upgrade_guide_beta.md b/docs/guides/upgrade_guide_beta.md
@@ -3,30 +3,43 @@ page_title: "Upgrade Guide: beta release"
 subcategory: "Upgrade"
 ---
 
+~> **Note:** The beta provider might have breaking changes between beta releases.
+
 # RSC provider beta changes
 The latest beta release introduces changes to the following data sources and resources:
 * `polaris_account` - New data source with 3 fields, `features`, `fqdn` and `name`. `features` holds the features
   enabled for the RSC account. `fqdn` holds the fully qualified domain name for the RSC account. `name` holds the RSC
   account name.
-* `polaris_azure_permissions` - The `hash` field has been deprecated and replaced with the `id` field. Both fields will
-  have same value until the `hash` field is removed, in a future release.
-* `polaris_azure_exocompute` - The `subscription_id` field has been deprecated and replaced with the `cloud_account_id`
-  field. The `subscription_id` field referred to the ID of the `polaris_azure_subscription` resource and not the Azure
-  subscription ID, which was confusing. Note, changing an existing `polaris_azure_exocompute` resource to use the
-  `cloud_account_id` field will recreate the resource.
+* `polaris_azure_permissions` - Add support for scoped permissions. Permissions are scoped to either the subscription
+  level or to resource group level. The `hash` field has been deprecated and replaced with the `id` field. Both fields
+  will have same value until the `hash` field is removed in a future release.
+* `polaris_azure_exocompute` - Add support for shared Exocompute, see the resource documentation for more information.
+  The `subscription_id` field has been deprecated and replaced with the `cloud_account_id` field. The `subscription_id`
+  field referred to the ID of the `polaris_azure_subscription` resource and not the Azure subscription ID, which was
+  confusing. Note, changing an existing `polaris_azure_exocompute` resource to use the `cloud_account_id` field will
+  recreate the resource.
 * `polaris_azure_service_principal` - The `permissions_hash` field has been deprecated and replaced with the
   `permissions` field. With the changes in the `polaris_azure_permissions` data source, use
   `permissions = data.polaris_azure_permissions.<name>.id` to connect the `polaris_azure_permissions` data source to
-  the permissions updated signal.
-* `polaris_azure_subscription` - Support for onboarding `cloud_native_archival`, `cloud_native_archival_encryption`,
+  the permissions updated signal. The `permissions` field has been deprecated and replaced with the `permissions` field
+  for each feature in the `polaris_azure_subscription` resource.
+* `polaris_azure_subscription` - Add support for onboarding `cloud_native_archival`, `cloud_native_archival_encryption`,
   `sql_db_protection` and `sql_mi_protection`. Note, there is no additional Terraform resources for managing the
-  features yet. Support for specifying an Azure resource group per RSC feature.
+  features yet. Add support for specifying an Azure resource group per RSC feature. Add the `permissions` field to each
+  feature, which can be use with the `polaris_azure_permissions` data source signal permissions updates.
 * `polaris_features` - The data source has been deprecated and replaced with the `features` field of the
   `polaris_deployment` data source. Note, the `features` field is a set and not a list.
 
 Deprecated fields will be removed in a future release, please migrate your configurations to use the replacement field
 as soon as possible.
 
+# Known issues
+* The user-assigned managed identity for `cloud_native_archival_encryption` is not refreshed when the
+  `polaris_azure_subscription` resource is updated. This will be fixed in a future release.
+
+In addition to the issues listed above, affecting this particular beta release of the provider, additional issues
+reported can be found on [GitHub](https://github.com/rubrikinc/terraform-provider-polaris/issues).
+
 # Upgrade to the latest beta release
 Start by assigning the version of the latest beta release to the `version` field in the `provider` block of the
 Terraform configuration:

diff --git a/docs/resources/azure_exocompute.md b/docs/resources/azure_exocompute.md
@@ -3,35 +3,62 @@
 page_title: "polaris_azure_exocompute Resource - terraform-provider-polaris"
 subcategory: ""
 description: |-
-  The polaris_azure_exocompute resource creates an RSC Exocompute configuration. When an Exocompute configuration is created, RSC will automatically deploy the necessary resources in the specified Azure region to run the Exocompute service.
+  The polaris_azure_exocompute resource creates an RSC Exocompute configuration.
+  There are 2 types of Exocompute configurations:
+   1. Host - When a host configuration is created, RSC will automatically deploy the necessary resources     in the specified Azure region to run the Exocompute service. A host configuration can be used by both     the host cloud account and application cloud accounts mapped to the host account.
+   2. Application - An application configuration is created by mapping the application cloud account to a     host cloud account. The application cloud account will leverage the Exocompute resources deployed for     the host configuration.
+  Since there are 2 types of Exocompute configurations, there are 2 ways to create a polaris_azure_exocompute resource:
+   1. Using the cloud_account_id, region, subnet and pod_overlay_network_cidr fields. This creates a     host configuration.
+   2. Using the cloud_account_id and host_cloud_account_id fields. This creates an application     configuration.
+  ~> Note: A host configuration can be created without specifying the pod_overlay_network_cidr field,    this is discouraged and should only be done for backwards compatibility reasons.
+  -> Note: Using both host and application Exocompute configurations is sometimes referred to as shared    Exocompute.
 ---
 
 # polaris_azure_exocompute (Resource)
 
-The `polaris_azure_exocompute` resource creates an RSC Exocompute configuration. When an Exocompute configuration is created, RSC will automatically deploy the necessary resources in the specified Azure region to run the Exocompute service.
+The `polaris_azure_exocompute` resource creates an RSC Exocompute configuration.
+
+There are 2 types of Exocompute configurations:
+ 1. *Host* - When a host configuration is created, RSC will automatically deploy the necessary resources     in the specified Azure region to run the Exocompute service. A host configuration can be used by both     the host cloud account and application cloud accounts mapped to the host account.
+ 2. *Application* - An application configuration is created by mapping the application cloud account to a     host cloud account. The application cloud account will leverage the Exocompute resources deployed for     the host configuration.
+
+Since there are 2 types of Exocompute configurations, there are 2 ways to create a `polaris_azure_exocompute` resource:
+ 1. Using the `cloud_account_id`, `region`, `subnet` and `pod_overlay_network_cidr` fields. This creates a     host configuration.
+ 2. Using the `cloud_account_id` and `host_cloud_account_id` fields. This creates an application     configuration.
+
+~> **Note:** A host configuration can be created without specifying the `pod_overlay_network_cidr` field,    this is discouraged and should only be done for backwards compatibility reasons.
+
+-> **Note:** Using both host and application Exocompute configurations is sometimes referred to as shared    Exocompute.
 
 ## Example Usage
 
 ```terraform
-resource "polaris_azure_exocompute" "default" {
-  cloud_account_id = polaris_azure_subscription.default.id
-  region           = "EASTUS2"
-  subnet_id        = "/subscriptions/65774f88-da6a-11eb-bc8f-e798f8b54eba/resourceGroups/test/providers/Microsoft.Network/virtualNetworks/test/subnets/default"
+# Host configuration.
+resource "polaris_azure_exocompute" "host_exocompute" {
+  cloud_account_id         = polaris_azure_subscription.host_subscription.id
+  pod_overlay_network_cidr = "10.244.0.0/16"
+  region                   = "eastus2"
+  subnet                   = "/subscriptions/65774f88-da6a-11eb-bc8f-e798f8b54eba/resourceGroups/test/providers/Microsoft.Network/virtualNetworks/test/subnets/default"
+}
+
+# Application configuration.
+resource "polaris_azure_exocompute" "app_exocompute" {
+  cloud_account_id      = polaris_azure_subscription.app_subscription.id
+  host_cloud_account_id = polaris_azure_subscription.host_subscription.id
 }
 ```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
-### Required
-
-- `region` (String) Azure region to run the exocompute service in. Should be specified in the standard Azure style, e.g. `eastus`.
-- `subnet` (String) Azure subnet id.
-
 ### Optional
 
-- `cloud_account_id` (String) RSC cloud account ID. This is the ID of the `polaris_azure_subscription` resource for which the Exocompute service runs.
-- `subscription_id` (String, Deprecated) RSC cloud account ID. This is the ID of the `polaris_azure_subscription` resource for which the Exocompute service runs. **Deprecated:** use `cloud_account_id` instead.
+- `cloud_account_id` (String) RSC cloud account ID. This is the ID of the `polaris_azure_subscription` resource for which the Exocompute service runs. Changing this forces a new resource to be created.
+- `host_cloud_account_id` (String) RSC cloud account ID of the shared exocompute host account. Changing this forces a new resource to be created.
+- `pod_overlay_network_cidr` (String) The CIDR range assigned to pods when launching Exocompute with the CNI overlay network plugin mode. Changing this forces a new resource to be created.
+- `region` (String) Azure region to run the exocompute service in. Should be specified in the standard Azure style, e.g. `eastus`. Changing this forces a new resource to be created.
+- `subnet` (String) Azure subnet ID of the cluster subnet corresponding to the Exocompute configuration. This subnet will be used to allocate IP addresses to the nodes of the cluster. Changing this forces a new resource to be created.
+- `subscription_id` (String, Deprecated) RSC cloud account ID. This is the ID of the `polaris_azure_subscription` resource for which the Exocompute service runs. Changing this forces a new resource to be created. **Deprecated:** use `cloud_account_id` instead.
 
 ### Read-Only