fix: do not create obs in function app if public access disabled

Author: kristina-solovyova

README.md

@@ -68,7 +68,7 @@ private_dns_rg_name               = "myResourceGroup"
 ## Using pre-created storage account with disabled public access
 To use secured storage account with function app, user should create private storage account first, and then upload our function code zip file to the container `<deployment_container_name>`.
 Zip file is accessible in our public storage acccount by this url:
-https://wekaeastus.blob.core.windows.net/weka-tf-functions-deployment-eastus/dev/c52522f254123df61cd906bbf3dce6af.zip
+https://wekaeastus.blob.core.windows.net/weka-tf-functions-deployment-eastus/dev/144dd946da08cb0cf72a8ce1947c1a71.zip
 
 ```hcl
 allow_sa_public_network_access    = false
@@ -441,7 +441,7 @@ proxy_url = VALUE
 | <a name="input_function_app_storage_account_prefix"></a> [function\_app\_storage\_account\_prefix](#input\_function\_app\_storage\_account\_prefix) | Weka storage account name prefix | `string` | `"weka"` | no |
 | <a name="input_function_app_subnet_delegation_cidr"></a> [function\_app\_subnet\_delegation\_cidr](#input\_function\_app\_subnet\_delegation\_cidr) | Subnet delegation enables you to designate a specific subnet for an Azure PaaS service. | `string` | `"10.0.1.0/25"` | no |
 | <a name="input_function_app_subnet_delegation_id"></a> [function\_app\_subnet\_delegation\_id](#input\_function\_app\_subnet\_delegation\_id) | Required to specify if subnet\_name were used to specify pre-defined subnets for weka. Function subnet delegation requires an additional subnet, and in the case of pre-defined networking this one also should be pre-defined | `string` | `""` | no |
-| <a name="input_function_app_version"></a> [function\_app\_version](#input\_function\_app\_version) | Function app code version (hash) | `string` | `"0e787ecc4b4936228cdb784e52ec408a"` | no |
+| <a name="input_function_app_version"></a> [function\_app\_version](#input\_function\_app\_version) | Function app code version (hash) | `string` | `"144dd946da08cb0cf72a8ce1947c1a71"` | no |
 | <a name="input_get_weka_io_token"></a> [get\_weka\_io\_token](#input\_get\_weka\_io\_token) | The token to download the Weka release from get.weka.io. | `string` | `""` | no |
 | <a name="input_hotspare"></a> [hotspare](#input\_hotspare) | Number of hotspares to set on weka cluster. Refer to https://docs.weka.io/overview/ssd-capacity-management#hot-spare | `number` | `1` | no |
 | <a name="input_install_cluster_dpdk"></a> [install\_cluster\_dpdk](#input\_install\_cluster\_dpdk) | Install weka cluster with DPDK | `bool` | `true` | no |

blob.tf

@@ -172,6 +172,43 @@ resource "azurerm_private_endpoint" "blob_endpoint" {
   }
 }
 
+data "azurerm_storage_account" "weka_obs" {
+  count               = var.tiering_obs_name != "" ? 1 : 0
+  name                = var.tiering_obs_name
+  resource_group_name = var.rg_name
+}
+
+resource "azurerm_private_endpoint" "weka_obs_blob_endpoint" {
+  count               = !var.allow_sa_public_network_access && var.create_storage_account_private_links && var.tiering_blob_obs_access_key != "" ? 1 : 0
+  name                = "${var.prefix}-${var.cluster_name}-obs-blob-endpoint"
+  location            = data.azurerm_resource_group.rg.location
+  resource_group_name = data.azurerm_resource_group.rg.name
+  subnet_id           = data.azurerm_subnet.subnet.id
+  tags                = merge(var.tags_map, { "weka_cluster" : var.cluster_name })
+
+  private_dns_zone_group {
+    name                 = "${var.prefix}-${var.cluster_name}-dns-zone-group-obs-blob"
+    private_dns_zone_ids = [azurerm_private_dns_zone.blob[0].id]
+  }
+  private_service_connection {
+    name                           = "${var.prefix}-${var.cluster_name}-private-obs-BlobSvcCon"
+    is_manual_connection           = false
+    private_connection_resource_id = data.azurerm_storage_account.weka_obs[0].id
+    subresource_names              = ["blob"]
+  }
+
+  lifecycle {
+    precondition {
+      condition     = var.tiering_obs_name != ""
+      error_message = "Tiering OBS is not provided"
+    }
+    precondition {
+      condition     = var.tiering_obs_container_name != ""
+      error_message = "Tiering OBS container name is not provided"
+    }
+  }
+}
+
 data "azurerm_storage_account_blob_container_sas" "function_app_code_sas" {
   count             = var.allow_sa_public_network_access ? 0 : 1
   connection_string = local.deployment_sa_connection_string

function-app/code/common/common.go

@@ -235,24 +235,6 @@ func ReadBlobObject(ctx context.Context, bl BlobObjParams) (state []byte, err er
 
 }
 
-// func getStorageAccountKey(ctx context.Context, credential *azidentity.TokenCredential, subscriptionId, resourceGroupName, storageName string) (string, error) {
-// 	saClient, err := armstorage.NewAccountsClient(subscriptionId, credential, nil)
-// 	if err != nil {
-// 		err = fmt.Errorf("failed to create storage account client: %v", err)
-// 		return "", err
-// 	}
-// 	resp, err := saClient.ListKeys(ctx, resourceGroupName, storageName, nil)
-// 	if err != nil {
-// 		err = fmt.Errorf("failed to list storage account keys: %v", err)
-// 		return "", err
-// 	}
-// 	if len(resp.Keys) == 0 {
-// 		err = fmt.Errorf("no storage account keys found")
-// 		return "", err
-// 	}
-// 	return *resp.Keys[0].Value, nil
-// }
-
 func containerExists(ctx context.Context, containerClient *container.Client, storageName, containerName string) (bool, error) {
 	_, err := containerClient.GetProperties(ctx, nil)
 	if err != nil {
@@ -514,16 +496,16 @@ func CreateStorageAccount(ctx context.Context, subscriptionId, resourceGroupName
 	}
 	skuName := armstorage.SKUNameStandardZRS
 	kind := armstorage.KindStorageV2
-	publicAccessDisabled := armstorage.PublicNetworkAccessDisabled
+	// publicAccessDisabled := armstorage.PublicNetworkAccessDisabled
 	_, err = client.BeginCreate(ctx, resourceGroupName, obsName, armstorage.AccountCreateParameters{
 		Kind:     &kind,
 		Location: &location,
 		SKU: &armstorage.SKU{
 			Name: &skuName,
 		},
-		Properties: &armstorage.AccountPropertiesCreateParameters{
-			PublicNetworkAccess: &publicAccessDisabled,
-		},
+		// Properties: &armstorage.AccountPropertiesCreateParameters{
+		// 	PublicNetworkAccess: &publicAccessDisabled,
+		// },
 	}, nil)
 
 	if err != nil {

function-app/code/functions/clusterize/clusterize.go

@@ -25,10 +25,11 @@ import (
 )
 
 type AzureObsParams struct {
-	Name              string
-	ContainerName     string
-	AccessKey         string
-	TieringSsdPercent string
+	Name                 string
+	ContainerName        string
+	AccessKey            string
+	TieringSsdPercent    string
+	PublicAccessDisabled bool
 }
 
 func GetObsScript(obsParams AzureObsParams) string {
@@ -93,6 +94,12 @@ func HandleLastClusterVm(ctx context.Context, state protocol.ClusterState, p Clu
 
 	if p.Cluster.SetObs {
 		if p.Obs.AccessKey == "" {
+			if p.Obs.PublicAccessDisabled {
+				err = fmt.Errorf("public access is disabled for the storage account, please provide pre-created storage account info in terraform")
+				logger.Error().Err(err).Send()
+				return
+			}
+
 			p.Obs.AccessKey, err = common.CreateStorageAccount(
 				ctx, p.SubscriptionId, p.ResourceGroupName, p.Obs.Name, p.Location,
 			)
@@ -348,6 +355,7 @@ func Handler(w http.ResponseWriter, r *http.Request) {
 	obsName := os.Getenv("OBS_NAME")
 	obsContainerName := os.Getenv("OBS_CONTAINER_NAME")
 	obsAccessKey := os.Getenv("OBS_ACCESS_KEY")
+	obsPublicAccessDisabled, _ := strconv.ParseBool(os.Getenv("OBS_PUBLIC_ACCESS_DISABLED"))
 	location := os.Getenv("LOCATION")
 	tieringSsdPercent := os.Getenv("TIERING_SSD_PERCENT")
 	tieringTargetSsdRetention, _ := strconv.Atoi(os.Getenv("TIERING_TARGET_SSD_RETENTION"))
@@ -429,10 +437,11 @@ func Handler(w http.ResponseWriter, r *http.Request) {
 			TieringStartDemote:        tieringStartDemote,
 		},
 		Obs: AzureObsParams{
-			Name:              obsName,
-			ContainerName:     obsContainerName,
-			AccessKey:         obsAccessKey,
-			TieringSsdPercent: tieringSsdPercent,
+			Name:                 obsName,
+			ContainerName:        obsContainerName,
+			AccessKey:            obsAccessKey,
+			TieringSsdPercent:    tieringSsdPercent,
+			PublicAccessDisabled: obsPublicAccessDisabled,
 		},
 		NFSStateParams:  common.BlobObjParams{StorageName: stateStorageName, ContainerName: nfsStateContainerName, BlobName: nfsStateBlobName},
 		FunctionAppName: functionAppName,

functions.tf

@@ -118,6 +118,7 @@ locals {
     "OBS_NAME"                     = local.obs_storage_account_name
     "OBS_CONTAINER_NAME"           = local.obs_container_name
     "OBS_ACCESS_KEY"               = var.tiering_blob_obs_access_key
+    "OBS_PUBLIC_ACCESS_DISABLED"   = !var.allow_sa_public_network_access
     DRIVE_CONTAINER_CORES_NUM      = var.containers_config_map[var.instance_type].drive
     COMPUTE_CONTAINER_CORES_NUM    = var.set_dedicated_fe_container == false ? var.containers_config_map[var.instance_type].compute + 1 : var.containers_config_map[var.instance_type].compute
     FRONTEND_CONTAINER_CORES_NUM   = var.set_dedicated_fe_container == false ? 0 : var.containers_config_map[var.instance_type].frontend

variables.tf

@@ -387,7 +387,7 @@ variable "function_app_storage_account_container_prefix" {
 variable "function_app_version" {
   type        = string
   description = "Function app code version (hash)"
-  default     = "c52522f254123df61cd906bbf3dce6af"
+  default     = "144dd946da08cb0cf72a8ce1947c1a71"
 }
 
 variable "function_app_dist" {