integrated velero

pagopa · Sep 12, 2023 · c463be1 · c463be1
1 parent 63de6a1
commit c463be1
Show file tree

Hide file tree

Showing 9 changed files with 93 additions and 114 deletions.
diff --git a/src/aks-platform/00_network.tf b/src/aks-platform/00_network.tf
@@ -30,3 +30,16 @@ data "azurerm_public_ip" "pip_aks_outboud" {
   name                = var.public_ip_aksoutbound_name
   resource_group_name = data.azurerm_resource_group.vnet_aks_rg.name
 }
+
+
+
+
+data "azurerm_subnet" "private_endpoint_subnet" {
+  name                 = "${local.product}-private-endpoints-snet"
+  resource_group_name  = data.azurerm_resource_group.vnet_core_rg.name
+  virtual_network_name = data.azurerm_virtual_network.vnet_core.name
+}
+
+data "azurerm_private_dns_zone" "storage_account_private_dns_zone" {
+  name = "privatelink.blob.core.windows.net"
+}
diff --git a/src/aks-platform/02_aks.tf b/src/aks-platform/02_aks.tf
@@ -4,6 +4,15 @@ resource "azurerm_resource_group" "rg_aks" {
   tags     = var.tags
 }
 
+
+resource "azurerm_resource_group" "rg_aks_backup" {
+  name     = local.aks_backup_rg_name
+  location = var.location
+  tags     = var.tags
+}
+
+
+
 module "aks" {
   source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster?ref=v7.2.0"
 
@@ -87,6 +96,9 @@ module "aks" {
       webhook_properties = null
     }
   ]
+
+
+
   tags = var.tags
 
   depends_on = [
@@ -96,6 +108,42 @@ module "aks" {
   ]
 }
 
+module "velero" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster_velero?ref=8171afb"
+  count = var.aks_enabled ? 1 : 0
+  backup_storage_container_name = "velero-backup"
+  subscription_id = data.azurerm_subscription.current.subscription_id
+  tenant_id = data.azurerm_subscription.current.tenant_id
+  resource_group_name = azurerm_resource_group.rg_aks_backup.name
+  prefix = "devopla"
+  aks_cluster_name = module.aks[count.index].name
+  aks_cluster_rg = azurerm_resource_group.rg_aks.name
+  location = var.location
+  use_storage_private_endpoint = true
+  private_endpoint_subnet_id = data.azurerm_subnet.private_endpoint_subnet.id
+  storage_account_private_dns_zone_id = data.azurerm_private_dns_zone.storage_account_private_dns_zone.id
+
+  tags = var.tags
+}
+
+module "aks_namespace_backup" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_velero_backup?ref=f38e1ca"
+  count = var.aks_enabled ? 1 : 0
+  # required
+  backup_name = "daily-backup"
+  namespaces = ["ALL"]
+  aks_cluster_name = module.aks[count.index].name
+
+  # optional
+  ttl = "72h0m0s"
+  schedule = "0 3 * * *" #refers to UTC timezone
+  volume_snapshot = false
+
+  depends_on = [
+    module.velero
+  ]
+}
+
 resource "azurerm_role_assignment" "managed_identity_operator_vs_aks_managed_identity" {
   scope                = azurerm_resource_group.rg_aks.id
   role_definition_name = "Managed Identity Operator"

diff --git a/src/aks-platform/02_velero.tf b/src/aks-platform/02_velero.tf
diff --git a/src/aks-platform/99_locals.tf b/src/aks-platform/99_locals.tf
@@ -4,6 +4,7 @@ locals {
 
   # AKS
   aks_rg_name      = "${local.project}-aks-rg"
+  aks_backup_rg_name = "${local.project}-aks-backup-rg"
   aks_cluster_name = "${local.project}-aks"
   velero_rg_name   = "${local.project}-velero"
 

diff --git a/src/aks-platform/velero-credentials.tpl b/src/aks-platform/velero-credentials.tpl
diff --git a/src/core/02_dns_private.tf b/src/core/02_dns_private.tf
@@ -39,3 +39,19 @@ resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_postgres_d
 
   tags = var.tags
 }
+
+
+resource "azurerm_private_dns_zone" "storage_account" {
+  name                = "privatelink.blob.core.windows.net"
+  resource_group_name = azurerm_resource_group.rg_vnet.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "storage_account_vnet" {
+  name                  = "${local.project}-storage-account-vnet-private-dns-zone-link"
+  resource_group_name   = azurerm_resource_group.rg_vnet.name
+  private_dns_zone_name = azurerm_private_dns_zone.storage_account.name
+  virtual_network_id    = module.vnet.id
+}
+
+
+
diff --git a/src/coreplus/00_network.tf b/src/coreplus/00_network.tf
@@ -12,6 +12,11 @@ data "azurerm_private_dns_zone" "internal" {
   resource_group_name = data.azurerm_resource_group.rg_vnet.name
 }
 
+data "azurerm_private_dns_zone" "storage" {
+  name                = local.dns_zone_private_name_storage
+  resource_group_name = data.azurerm_resource_group.rg_vnet.name
+}
+
 data "azurerm_private_dns_zone" "privatelink_postgres_database_azure_com" {
   name                = local.dns_zone_private_name_postgres
   resource_group_name = data.azurerm_resource_group.rg_vnet.name

diff --git a/src/coreplus/01_network_aks_platform.tf b/src/coreplus/01_network_aks_platform.tf
@@ -82,3 +82,12 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnet_aks" {
 
   tags = var.tags
 }
+
+
+resource "azurerm_private_dns_zone_virtual_network_link" "storage_account_vnet" {
+  for_each = { for n in var.aks_networks : n.domain_name => n }
+  name                  = module.vnet_aks[each.key].name
+  resource_group_name   = data.azurerm_resource_group.rg_vnet.name
+  private_dns_zone_name = data.azurerm_private_dns_zone.storage.name
+  virtual_network_id    = module.vnet_aks[each.key].id
+}
diff --git a/src/coreplus/99_variables.tf b/src/coreplus/99_variables.tf
@@ -33,6 +33,7 @@ locals {
   cosmosdb_enable = 1
 
   dns_zone_private_name          = "internal.${var.prod_dns_zone_prefix}.${var.external_domain}"
+  dns_zone_private_name_storage  = "privatelink.blob.core.windows.net"
   dns_zone_private_name_postgres = "privatelink.postgres.database.azure.com"
 
   #