fix: obs and private endpoints creation for disabled storage network access

kristina-solovyova · kristina-solovyova · commit 1887ab3c0f40 · 2024-08-21T17:11:41.000+03:00
diff --git a/README.md b/README.md
@@ -463,7 +463,7 @@ proxy_url = VALUE
 | <a name="input_function_app_storage_account_prefix"></a> [function\_app\_storage\_account\_prefix](#input\_function\_app\_storage\_account\_prefix) | Weka storage account name prefix | `string` | `"weka"` | no |
 | <a name="input_function_app_subnet_delegation_cidr"></a> [function\_app\_subnet\_delegation\_cidr](#input\_function\_app\_subnet\_delegation\_cidr) | Subnet delegation enables you to designate a specific subnet for an Azure PaaS service. | `string` | `"10.0.1.0/25"` | no |
 | <a name="input_function_app_subnet_delegation_id"></a> [function\_app\_subnet\_delegation\_id](#input\_function\_app\_subnet\_delegation\_id) | Required to specify if subnet\_name were used to specify pre-defined subnets for weka. Function subnet delegation requires an additional subnet, and in the case of pre-defined networking this one also should be pre-defined | `string` | `""` | no |
-| <a name="input_function_app_version"></a> [function\_app\_version](#input\_function\_app\_version) | Function app code version (hash) | `string` | `"0154dfe987a700e0af9f3921aae63884"` | no |
+| <a name="input_function_app_version"></a> [function\_app\_version](#input\_function\_app\_version) | Function app code version (hash) | `string` | `"4eab432cb4789f37479cce953c636d10"` | no |
 | <a name="input_get_weka_io_token"></a> [get\_weka\_io\_token](#input\_get\_weka\_io\_token) | The token to download the Weka release from get.weka.io. | `string` | `""` | no |
 | <a name="input_hotspare"></a> [hotspare](#input\_hotspare) | Number of hotspares to set on weka cluster. Refer to https://docs.weka.io/overview/ssd-capacity-management#hot-spare | `number` | `1` | no |
 | <a name="input_install_cluster_dpdk"></a> [install\_cluster\_dpdk](#input\_install\_cluster\_dpdk) | Install weka cluster with DPDK | `bool` | `true` | no |
diff --git a/function-app/code/functions/clusterize/clusterize.go b/function-app/code/functions/clusterize/clusterize.go
@@ -48,6 +48,8 @@ type ClusterizationParams struct {
 	KeyVaultUri       string
 	SubnetId          string
 	PrivateDNSZoneId  string
+	// if network access is disabled and private endpoints do not exist, create them with obs
+	CreateBlobPrivateEndpoint bool
 
 	StateParams common.BlobObjParams
 	InstallDpdk bool
@@ -79,28 +81,45 @@ func GetShutdownScript() string {
 	return dedent.Dedent(s)
 }
 
-func CreateWekaObs(ctx context.Context, p *ClusterizationParams) (err error) {
+func PrepareWekaObs(ctx context.Context, p *ClusterizationParams) (err error) {
 	logger := logging.LoggerFromCtx(ctx)
 
-	if p.Obs.NetworkAccess == "Disabled" && p.PrivateDNSZoneId == "" {
+	if !p.Cluster.SetObs {
+		return
+	}
+
+	noExistingObs := p.Obs.AccessKey == ""
+
+	if p.Obs.NetworkAccess == "Disabled" && noExistingObs && !p.CreateBlobPrivateEndpoint {
+		ignoredErr := fmt.Errorf("private endpoint creation is required for obs when public access is disabled")
+		logger.Error().Err(ignoredErr).Send()
+
+		common.ReportMsg(ctx, p.Vm.Name, p.StateParams, "error", ignoredErr.Error())
+		p.Cluster.SetObs = false
+		return nil
+	}
+
+	if p.Obs.NetworkAccess == "Disabled" && p.CreateBlobPrivateEndpoint && p.PrivateDNSZoneId == "" {
 		ignoredErr := fmt.Errorf("private dns zone id is required for private endpoint creation when public access is disabled")
 		logger.Error().Err(ignoredErr).Send()
 
-		logger.Info().Msg("Skipping OBS creation")
+		common.ReportMsg(ctx, p.Vm.Name, p.StateParams, "error", ignoredErr.Error())
 		p.Cluster.SetObs = false
 		return nil
 	}
 
-	p.Obs.AccessKey, err = common.CreateStorageAccount(
-		ctx, p.SubscriptionId, p.ResourceGroupName, p.Location, p.Obs,
-	)
-	if err != nil {
-		err = fmt.Errorf("failed to create storage account: %w", err)
-		logger.Error().Err(err).Send()
-		return
+	if noExistingObs {
+		p.Obs.AccessKey, err = common.CreateStorageAccount(
+			ctx, p.SubscriptionId, p.ResourceGroupName, p.Location, p.Obs,
+		)
+		if err != nil {
+			err = fmt.Errorf("failed to create storage account: %w", err)
+			logger.Error().Err(err).Send()
+			return
+		}
 	}
 
-	if p.Obs.NetworkAccess == "Disabled" {
+	if p.Obs.NetworkAccess == "Disabled" && p.CreateBlobPrivateEndpoint {
 		endpointName := fmt.Sprintf("%s-pe", p.Obs.Name)
 		logger.Info().Msgf("public access is disabled for the storage account, creating private endpoint %s", endpointName)
 
@@ -112,11 +131,13 @@ func CreateWekaObs(ctx context.Context, p *ClusterizationParams) (err error) {
 		}
 	}
 
-	err = common.CreateContainer(ctx, p.Obs.Name, p.Obs.ContainerName)
-	if err != nil {
-		err = fmt.Errorf("failed to create container: %w", err)
-		logger.Error().Err(err).Send()
-		return
+	if noExistingObs {
+		err = common.CreateContainer(ctx, p.Obs.Name, p.Obs.ContainerName)
+		if err != nil {
+			err = fmt.Errorf("failed to create container: %w", err)
+			logger.Error().Err(err).Send()
+			return
+		}
 	}
 	return
 }
@@ -127,11 +148,10 @@ func HandleLastClusterVm(ctx context.Context, state protocol.ClusterState, p Clu
 
 	vmScaleSetName := common.GetVmScaleSetName(p.Prefix, p.Cluster.ClusterName)
 
-	if p.Cluster.SetObs && p.Obs.AccessKey == "" {
-		err = CreateWekaObs(ctx, &p)
-		if err != nil {
-			return
-		}
+	err = PrepareWekaObs(ctx, &p)
+	if err != nil {
+		logger.Error().Err(err).Send()
+		return
 	}
 
 	logger.Info().Msg("setting weka admin password in secrets manager")
@@ -386,6 +406,7 @@ func Handler(w http.ResponseWriter, r *http.Request) {
 	keyVaultUri := os.Getenv("KEY_VAULT_URI")
 	subnetId := os.Getenv("SUBNET_ID")
 	blobPrivateDnsZoneId := os.Getenv("BLOB_PRIVATE_DNS_ZONE_ID")
+	createblobPrivateEndpoint, _ := strconv.ParseBool(os.Getenv("CREATE_BLOB_PRIVATE_ENDPOINT"))
 	// data protection-related vars
 	stripeWidth, _ := strconv.Atoi(os.Getenv("STRIPE_WIDTH"))
 	protectionLevel, _ := strconv.Atoi(os.Getenv("PROTECTION_LEVEL"))
@@ -441,16 +462,17 @@ func Handler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	params := ClusterizationParams{
-		SubscriptionId:    subscriptionId,
-		ResourceGroupName: resourceGroupName,
-		Location:          location,
-		Prefix:            prefix,
-		KeyVaultUri:       keyVaultUri,
-		SubnetId:          subnetId,
-		PrivateDNSZoneId:  blobPrivateDnsZoneId,
-		StateParams:       common.BlobObjParams{StorageName: stateStorageName, ContainerName: stateContainerName, BlobName: stateBlobName},
-		Vm:                vm,
-		InstallDpdk:       installDpdk,
+		SubscriptionId:            subscriptionId,
+		ResourceGroupName:         resourceGroupName,
+		Location:                  location,
+		Prefix:                    prefix,
+		KeyVaultUri:               keyVaultUri,
+		SubnetId:                  subnetId,
+		PrivateDNSZoneId:          blobPrivateDnsZoneId,
+		CreateBlobPrivateEndpoint: createblobPrivateEndpoint,
+		StateParams:               common.BlobObjParams{StorageName: stateStorageName, ContainerName: stateContainerName, BlobName: stateBlobName},
+		Vm:                        vm,
+		InstallDpdk:               installDpdk,
 		Cluster: clusterize.ClusterParams{
 			ClusterizationTarget: clusterizationTarget,
 			ClusterName:          clusterName,
diff --git a/functions.tf b/functions.tf
@@ -140,6 +140,7 @@ locals {
     "SUBNET"                       = local.subnet_range
     "SUBNET_ID"                    = data.azurerm_subnet.subnet.id
     "BLOB_PRIVATE_DNS_ZONE_ID"     = var.create_storage_account_private_links ? azurerm_private_dns_zone.blob[0].id : local.sa_public_access_disabled ? data.azurerm_private_dns_zone.blob[0].id : ""
+    "CREATE_BLOB_PRIVATE_ENDPOINT" = var.create_storage_account_private_links && local.sa_public_access_disabled
     FUNCTION_APP_NAME              = local.function_app_name
     PROXY_URL                      = var.proxy_url
     WEKA_HOME_URL                  = var.weka_home_url
diff --git a/variables.tf b/variables.tf
@@ -393,7 +393,7 @@ variable "function_app_storage_account_container_prefix" {
 variable "function_app_version" {
   type        = string
   description = "Function app code version (hash)"
-  default     = "0154dfe987a700e0af9f3921aae63884"
+  default     = "4eab432cb4789f37479cce953c636d10"
 }
 
 variable "function_app_dist" {

Original file line number	Diff line number	Diff line change
`@@ -393,7 +393,7 @@ variable "function_app_storage_account_container_prefix" {`
`393`	`393`	`variable "function_app_version" {`
`394`	`394`	`type = string`
`395`	`395`	`description = "Function app code version (hash)"`
`396`		`- default = "0154dfe987a700e0af9f3921aae63884"`
	`396`	`+ default = "4eab432cb4789f37479cce953c636d10"`
`397`	`397`	`}`
`398`	`398`
`399`	`399`	`variable "function_app_dist" {`