fix: obs and private endpoints creation for disabled storage network access

Author: kristina-solovyova

README.md

@@ -463,7 +463,7 @@ proxy_url = VALUE
 | <a name="input_function_app_storage_account_prefix"></a> [function\_app\_storage\_account\_prefix](#input\_function\_app\_storage\_account\_prefix) | Weka storage account name prefix | `string` | `"weka"` | no |
 | <a name="input_function_app_subnet_delegation_cidr"></a> [function\_app\_subnet\_delegation\_cidr](#input\_function\_app\_subnet\_delegation\_cidr) | Subnet delegation enables you to designate a specific subnet for an Azure PaaS service. | `string` | `"10.0.1.0/25"` | no |
 | <a name="input_function_app_subnet_delegation_id"></a> [function\_app\_subnet\_delegation\_id](#input\_function\_app\_subnet\_delegation\_id) | Required to specify if subnet\_name were used to specify pre-defined subnets for weka. Function subnet delegation requires an additional subnet, and in the case of pre-defined networking this one also should be pre-defined | `string` | `""` | no |
-| <a name="input_function_app_version"></a> [function\_app\_version](#input\_function\_app\_version) | Function app code version (hash) | `string` | `"0154dfe987a700e0af9f3921aae63884"` | no |
+| <a name="input_function_app_version"></a> [function\_app\_version](#input\_function\_app\_version) | Function app code version (hash) | `string` | `"70129b9f8d813e6f87aeed9be4764327"` | no |
 | <a name="input_get_weka_io_token"></a> [get\_weka\_io\_token](#input\_get\_weka\_io\_token) | The token to download the Weka release from get.weka.io. | `string` | `""` | no |
 | <a name="input_hotspare"></a> [hotspare](#input\_hotspare) | Number of hotspares to set on weka cluster. Refer to https://docs.weka.io/overview/ssd-capacity-management#hot-spare | `number` | `1` | no |
 | <a name="input_install_cluster_dpdk"></a> [install\_cluster\_dpdk](#input\_install\_cluster\_dpdk) | Install weka cluster with DPDK | `bool` | `true` | no |

function-app/code/functions/clusterize/clusterize.go

@@ -48,6 +48,8 @@ type ClusterizationParams struct {
 	KeyVaultUri       string
 	SubnetId          string
 	PrivateDNSZoneId  string
+	// if network access is disabled and private endpoints do not exist, create them with obs
+	CreateBlobPrivateEndpoint bool
 
 	StateParams common.BlobObjParams
 	InstallDpdk bool
@@ -79,39 +81,52 @@ func GetShutdownScript() string {
 	return dedent.Dedent(s)
 }
 
-func CreateWekaObs(ctx context.Context, p *ClusterizationParams) (err error) {
+func PrepareWekaObs(ctx context.Context, p *ClusterizationParams) (err error) {
 	logger := logging.LoggerFromCtx(ctx)
 
-	if p.Obs.NetworkAccess == "Disabled" && p.PrivateDNSZoneId == "" {
-		ignoredErr := fmt.Errorf("private dns zone id is required for private endpoint creation when public access is disabled")
+	noExistingObs := p.Obs.AccessKey == ""
+
+	if p.Obs.NetworkAccess == "Disabled" && noExistingObs && !p.CreateBlobPrivateEndpoint {
+		ignoredErr := fmt.Errorf("private endpoint creation is required for obs when public access is disabled")
 		logger.Error().Err(ignoredErr).Send()
 
-		logger.Info().Msg("Skipping OBS creation")
+		common.ReportMsg(ctx, p.Vm.Name, p.StateParams, "error", ignoredErr.Error())
 		p.Cluster.SetObs = false
 		return nil
 	}
 
-	p.Obs.AccessKey, err = common.CreateStorageAccount(
-		ctx, p.SubscriptionId, p.ResourceGroupName, p.Location, p.Obs,
-	)
-	if err != nil {
-		err = fmt.Errorf("failed to create storage account: %w", err)
-		logger.Error().Err(err).Send()
-		return
-	}
+	if p.Obs.NetworkAccess == "Disabled" && p.CreateBlobPrivateEndpoint && p.PrivateDNSZoneId == "" {
+		ignoredErr := fmt.Errorf("private dns zone id is required for private endpoint creation when public access is disabled")
+		logger.Error().Err(ignoredErr).Send()
 
-	if p.Obs.NetworkAccess == "Disabled" {
-		endpointName := fmt.Sprintf("%s-pe", p.Obs.Name)
-		logger.Info().Msgf("public access is disabled for the storage account, creating private endpoint %s", endpointName)
+		common.ReportMsg(ctx, p.Vm.Name, p.StateParams, "error", ignoredErr.Error())
+		p.Cluster.SetObs = false
+		return nil
+	}
 
-		err = common.CreateStorageAccountBlobPrivateEndpoint(ctx, p.SubscriptionId, p.ResourceGroupName, p.Location, p.Obs.Name, endpointName, p.SubnetId, p.PrivateDNSZoneId)
+	if noExistingObs {
+		p.Obs.AccessKey, err = common.CreateStorageAccount(
+			ctx, p.SubscriptionId, p.ResourceGroupName, p.Location, p.Obs,
+		)
 		if err != nil {
-			err = fmt.Errorf("failed to create private endpoint: %w", err)
+			err = fmt.Errorf("failed to create storage account: %w", err)
 			logger.Error().Err(err).Send()
 			return
 		}
-	}
 
+		if p.Obs.NetworkAccess == "Disabled" && p.CreateBlobPrivateEndpoint {
+			endpointName := fmt.Sprintf("%s-pe", p.Obs.Name)
+			logger.Info().Msgf("public access is disabled for the storage account, creating private endpoint %s", endpointName)
+
+			err = common.CreateStorageAccountBlobPrivateEndpoint(ctx, p.SubscriptionId, p.ResourceGroupName, p.Location, p.Obs.Name, endpointName, p.SubnetId, p.PrivateDNSZoneId)
+			if err != nil {
+				err = fmt.Errorf("failed to create private endpoint: %w", err)
+				logger.Error().Err(err).Send()
+				return
+			}
+		}
+	}
+	// create container (if it doesn't exist)
 	err = common.CreateContainer(ctx, p.Obs.Name, p.Obs.ContainerName)
 	if err != nil {
 		err = fmt.Errorf("failed to create container: %w", err)
@@ -127,9 +142,10 @@ func HandleLastClusterVm(ctx context.Context, state protocol.ClusterState, p Clu
 
 	vmScaleSetName := common.GetVmScaleSetName(p.Prefix, p.Cluster.ClusterName)
 
-	if p.Cluster.SetObs && p.Obs.AccessKey == "" {
-		err = CreateWekaObs(ctx, &p)
+	if p.Cluster.SetObs {
+		err = PrepareWekaObs(ctx, &p)
 		if err != nil {
+			logger.Error().Err(err).Send()
 			return
 		}
 	}
@@ -386,6 +402,7 @@ func Handler(w http.ResponseWriter, r *http.Request) {
 	keyVaultUri := os.Getenv("KEY_VAULT_URI")
 	subnetId := os.Getenv("SUBNET_ID")
 	blobPrivateDnsZoneId := os.Getenv("BLOB_PRIVATE_DNS_ZONE_ID")
+	createblobPrivateEndpoint, _ := strconv.ParseBool(os.Getenv("CREATE_BLOB_PRIVATE_ENDPOINT"))
 	// data protection-related vars
 	stripeWidth, _ := strconv.Atoi(os.Getenv("STRIPE_WIDTH"))
 	protectionLevel, _ := strconv.Atoi(os.Getenv("PROTECTION_LEVEL"))
@@ -441,16 +458,17 @@ func Handler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	params := ClusterizationParams{
-		SubscriptionId:    subscriptionId,
-		ResourceGroupName: resourceGroupName,
-		Location:          location,
-		Prefix:            prefix,
-		KeyVaultUri:       keyVaultUri,
-		SubnetId:          subnetId,
-		PrivateDNSZoneId:  blobPrivateDnsZoneId,
-		StateParams:       common.BlobObjParams{StorageName: stateStorageName, ContainerName: stateContainerName, BlobName: stateBlobName},
-		Vm:                vm,
-		InstallDpdk:       installDpdk,
+		SubscriptionId:            subscriptionId,
+		ResourceGroupName:         resourceGroupName,
+		Location:                  location,
+		Prefix:                    prefix,
+		KeyVaultUri:               keyVaultUri,
+		SubnetId:                  subnetId,
+		PrivateDNSZoneId:          blobPrivateDnsZoneId,
+		CreateBlobPrivateEndpoint: createblobPrivateEndpoint,
+		StateParams:               common.BlobObjParams{StorageName: stateStorageName, ContainerName: stateContainerName, BlobName: stateBlobName},
+		Vm:                        vm,
+		InstallDpdk:               installDpdk,
 		Cluster: clusterize.ClusterParams{
 			ClusterizationTarget: clusterizationTarget,
 			ClusterName:          clusterName,

functions.tf

@@ -140,6 +140,7 @@ locals {
     "SUBNET"                       = local.subnet_range
     "SUBNET_ID"                    = data.azurerm_subnet.subnet.id
     "BLOB_PRIVATE_DNS_ZONE_ID"     = var.create_storage_account_private_links ? azurerm_private_dns_zone.blob[0].id : local.sa_public_access_disabled ? data.azurerm_private_dns_zone.blob[0].id : ""
+    "CREATE_BLOB_PRIVATE_ENDPOINT" = var.create_storage_account_private_links && local.sa_public_access_disabled
     FUNCTION_APP_NAME              = local.function_app_name
     PROXY_URL                      = var.proxy_url
     WEKA_HOME_URL                  = var.weka_home_url

variables.tf

@@ -393,7 +393,7 @@ variable "function_app_storage_account_container_prefix" {
 variable "function_app_version" {
   type        = string
   description = "Function app code version (hash)"
-  default     = "0154dfe987a700e0af9f3921aae63884"
+  default     = "70129b9f8d813e6f87aeed9be4764327"
 }
 
 variable "function_app_dist" {