Merge pull request #61 from ClickHouse/azure/pl-example

Example for azure private link
ClickHouse · May 21, 2024 · d927ba0 · d927ba0
2 parents 35f0b5f + 340aaea
commit d927ba0
Show file tree

Hide file tree

Showing 4 changed files with 276 additions and 0 deletions.
diff --git a/examples/PrivateLinkAzure/README.md b/examples/PrivateLinkAzure/README.md
@@ -0,0 +1,29 @@
+## Azure Private Link example
+
+Tested with hashicorp/azurerm v3.104.2 Terraform provider. 
+
+The Terraform example code deploys the following resources:
+- VNET vnet-foo
+- Private DNS zone `"${var.clickhouse_service_location}.privatelink.azure.clickhouse.cloud"` & link to vnet-foo
+- Private Endpoint example-pl-foo in subnet vnet-foo/default
+- DNS wildcard record pointed to Private Endpoint "example-pl-foo"
+- VNET vent-bar
+- Private DNS zone `"${var.clickhouse_service_location}.privatelink.azure.clickhouse.cloud"` & link to vnet-bar
+- Private Endpoint example-pl-bar in subnet vnet-bar/default
+- DNS wildcard record pointed to Private Endpoint "example-pl-bar"
+- ClickHouse service red
+- ClickHouse service blue
+
+
+
+The ClickHouse service "red" is reachable via Private Link only from VNET bar, access from the internet is blocked.
+The ClickHouse service "blue" is available any IP; access via Private Link is allowed from VNET foo and bar.
+
+### Important note
+
+Azure's Terraform provider does not expose the Private Endpoint UUID, which means you need to run Terraform twice:
+1. First Run: run terraform without setting `private_endpoint_azure_bar_uuid` & `private_endpoint_azure_foo_uuid` variables. This step creates services / DNS zones / Private Endpoints.
+2. [Obtain Private Endpoint UUID](https://clickhouse.com/docs/en/cloud/security/azure-privatelink#obtaining-private-endpoint-resourceguid) for foo and bar endpoints.
+3. Second Run: set `private_endpoint_azure_bar_uuid` `private_endpoint_azure_foo_uuid`. This time Private Endpoints will be added to organization and instance allow list.
+
+There is [an open issue](https://github.com/hashicorp/terraform-provider-azurerm/issues/17011) to address this problem.
diff --git a/examples/PrivateLinkAzure/azure.tf b/examples/PrivateLinkAzure/azure.tf
@@ -0,0 +1,118 @@
+provider "azurerm" {
+  features {}
+}
+
+
+variable "resource_group_foo" {
+  type = string
+}
+
+variable "resource_group_bar" {
+  type = string
+}
+
+resource "azurerm_private_dns_zone" "clickhouse_cloud_private_link_zone_foo" {
+  name                = "${var.clickhouse_service_location}.privatelink.azure.clickhouse.cloud"
+  resource_group_name = var.resource_group_foo
+}
+
+resource "azurerm_private_dns_a_record" "wildcard_foo" {
+  name                = "*"
+  zone_name           = azurerm_private_dns_zone.clickhouse_cloud_private_link_zone_foo.name
+  resource_group_name = var.resource_group_foo
+  ttl                 = 300
+  records             = [data.azurerm_network_interface.pe_foo.private_ip_address]
+}
+
+
+resource "azurerm_private_dns_zone" "clickhouse_cloud_private_link_zone_bar" {
+  name = "${var.clickhouse_service_location}.privatelink.azure.clickhouse.cloud"
+  // azure does not allow creating 2 the same private DNS zones within the same resource group
+  resource_group_name = var.resource_group_bar
+}
+
+resource "azurerm_private_dns_a_record" "wildcard_bar" {
+  name                = "*"
+  zone_name           = azurerm_private_dns_zone.clickhouse_cloud_private_link_zone_foo.name
+  resource_group_name = var.resource_group_bar
+  ttl                 = 300
+  records             = [data.azurerm_network_interface.pe_foo.private_ip_address]
+}
+
+
+resource "azurerm_virtual_network" "vnet_foo" {
+  name                = "vnet-foo"
+  address_space       = ["10.0.0.0/16"]
+  location            = "eastus"
+  resource_group_name = var.resource_group_foo
+
+  subnet {
+    name           = "default"
+    address_prefix = "10.0.0.0/24"
+  }
+}
+
+resource "azurerm_virtual_network" "vnet_bar" {
+  name                = "vnet-bar"
+  address_space       = ["10.0.0.0/16"]
+  location            = "eastus2"
+  resource_group_name = var.resource_group_bar
+
+  subnet {
+    name           = "default"
+    address_prefix = "10.0.0.0/24"
+  }
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnet_foo" {
+  name                  = "test"
+  resource_group_name   = var.resource_group_foo
+  private_dns_zone_name = azurerm_private_dns_zone.clickhouse_cloud_private_link_zone_foo.name
+  virtual_network_id    = azurerm_virtual_network.vnet_foo.id
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnet_bar" {
+  name                  = "test"
+  resource_group_name   = var.resource_group_bar
+  private_dns_zone_name = azurerm_private_dns_zone.clickhouse_cloud_private_link_zone_bar.name
+  virtual_network_id    = azurerm_virtual_network.vnet_bar.id
+}
+
+resource "azurerm_private_endpoint" "foo_example_clickhouse_cloud" {
+  name = "example-pl-foo"
+  // make sure location of azurerm_private_endpoint matches of location of vnet_foo_private_link_subnet_id
+  location            = "eastus"
+  resource_group_name = var.resource_group_foo
+  subnet_id           = "${azurerm_virtual_network.vnet_foo.id}/subnets/default"
+  private_service_connection {
+    name                              = "example-pl-foo"
+    request_message                   = "please approve"
+    private_connection_resource_alias = data.clickhouse_private_endpoint_config.endpoint_config.endpoint_service_id
+    is_manual_connection              = true
+  }
+}
+
+resource "azurerm_private_endpoint" "bar_example_clickhouse_cloud" {
+  name = "example-pl-bar"
+  // make sure location of azurerm_private_endpoint matches of location of vnet_foo_private_link_subnet_id
+  location            = "eastus2"
+  resource_group_name = var.resource_group_bar
+  subnet_id           = "${azurerm_virtual_network.vnet_bar.id}/subnets/default"
+  private_service_connection {
+    name                              = "example-pl-bar"
+    request_message                   = "please approve"
+    private_connection_resource_alias = data.clickhouse_private_endpoint_config.endpoint_config.endpoint_service_id
+    is_manual_connection              = true
+  }
+}
+
+
+data "azurerm_network_interface" "pe_foo" {
+  resource_group_name = var.resource_group_foo
+  name                = azurerm_private_endpoint.foo_example_clickhouse_cloud.network_interface[0].name
+}
+
+data "azurerm_network_interface" "pe_bar" {
+  resource_group_name = var.resource_group_bar
+  name                = azurerm_private_endpoint.bar_example_clickhouse_cloud.network_interface[0].name
+}
diff --git a/examples/PrivateLinkAzure/main.tf b/examples/PrivateLinkAzure/main.tf
@@ -0,0 +1,120 @@
+terraform {
+  required_providers {
+    clickhouse = {
+      version = "0.0.9"
+      source  = "ClickHouse/clickhouse"
+    }
+  }
+}
+
+variable "organization_id" {
+  type = string
+}
+
+variable "token_key" {
+  type = string
+}
+
+variable "token_secret" {
+  type = string
+}
+
+variable "clickhouse_service_location" {
+  description = "azure location where ClickHouse cloud instance is created"
+  type        = string
+}
+
+variable "private_endpoint_azure_foo_uuid" {
+  type    = string
+  default = ""
+}
+
+variable "private_endpoint_azure_bar_uuid" {
+  type    = string
+  default = ""
+}
+
+provider "clickhouse" {
+  organization_id = var.organization_id
+  token_key       = var.token_key
+  token_secret    = var.token_secret
+}
+
+resource "clickhouse_service" "azure_red" {
+  name           = "red"
+  cloud_provider = "azure"
+  region         = var.clickhouse_service_location
+  tier           = "production"
+  idle_scaling   = true
+  password_hash  = "n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg=" # base64 encoded sha256 hash of "test"
+
+  // keep it empty to block access from internet
+  ip_access = []
+
+  min_total_memory_gb  = 24
+  max_total_memory_gb  = 360
+  idle_timeout_minutes = 5
+
+  // allow connections via PrivateLink from VPC bar only
+  private_endpoint_ids = var.private_endpoint_azure_bar_uuid != "" ? [clickhouse_private_endpoint_registration.private_endpoint_azure_bar[0].id] : []
+}
+
+resource "clickhouse_service" "azure_blue" {
+  name           = "blue"
+  cloud_provider = "azure"
+  region         = var.clickhouse_service_location
+  tier           = "production"
+  idle_scaling   = true
+  password_hash  = "n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg=" # base64 encoded sha256 hash of "test"
+
+  ip_access = [
+    {
+      source      = "0.0.0.0/0"
+      description = "Any IP"
+    }
+  ]
+
+  min_total_memory_gb  = 24
+  max_total_memory_gb  = 360
+  idle_timeout_minutes = 5
+
+  // allow connecting via PrivateLink from VPC foo and bar
+  private_endpoint_ids = concat((var.private_endpoint_azure_foo_uuid != "" ? [clickhouse_private_endpoint_registration.private_endpoint_azure_foo[0].id] : []),
+  (var.private_endpoint_azure_bar_uuid != "" ? [clickhouse_private_endpoint_registration.private_endpoint_azure_bar[0].id] : []))
+}
+
+// Private Link Service name for azure/${var.clickhouse_service_location}
+data "clickhouse_private_endpoint_config" "endpoint_config" {
+  cloud_provider = "azure"
+  region         = var.clickhouse_service_location
+}
+
+resource "clickhouse_private_endpoint_registration" "private_endpoint_azure_foo" {
+  count          = var.private_endpoint_azure_foo_uuid != "" ? 1 : 0
+  cloud_provider = "azure"
+  // Private Endpoint GUID is not available in azurerm_private_endpoint object, it has to be specified manually
+  // open issue for azurem provider: https://github.com/hashicorp/terraform-provider-azurerm/issues/17011
+  id          = var.private_endpoint_azure_foo_uuid
+  region      = var.clickhouse_service_location
+  description = "Private Link from VNET foo"
+}
+
+resource "clickhouse_private_endpoint_registration" "private_endpoint_azure_bar" {
+  count          = var.private_endpoint_azure_bar_uuid != "" ? 1 : 0
+  cloud_provider = "azure"
+  // Private Endpoint GUID is not available in azurerm_private_endpoint object, it has to be specified manually
+  // open issue for azurem provider: https://github.com/hashicorp/terraform-provider-azurerm/issues/17011
+  id          = var.private_endpoint_azure_bar_uuid
+  region      = var.clickhouse_service_location
+  description = "Private Link from VNET foo"
+}
+
+// hostname for connecting to instance via Private Link from VPC foo
+output "red_private_link_endpoint" {
+  value = clickhouse_service.azure_red.private_endpoint_config.private_dns_hostname
+}
+
+// hostname for connecting to instance via Private Link from VPC foo & bar
+output "blue_private_link_endpoint" {
+  value = clickhouse_service.azure_blue.private_endpoint_config.private_dns_hostname
+}
diff --git a/examples/PrivateLinkAzure/variables.tfvars b/examples/PrivateLinkAzure/variables.tfvars
@@ -0,0 +1,9 @@
+# these keys are for example only and won't work when pointed to a deployed ClickHouse OpenAPI server
+organization_id = "aee076c1-3f83-4637-95b1-ad5a0a825b71"
+token_key       = "avhj1U5QCdWAE9CA9"
+token_secret    = "4b1dROiHQEuSXJHlV8zHFd0S7WQj7CGxz5kGJeJnca"
+
+# azure 
+clickhouse_service_location = "westus3"
+resource_group_foo          = "tf-test-rg-foo"
+resource_group_bar          = "tf-test-rg-bar"