Configure Azure objects

This topic assumes that you have completed the preparations and have configured the providers.

The cluster deployment on Azure depends on the following Azure objects:

  • A resource group, which will host all the Azure resources required for the cluster deployment, including a storage account and a container within the storage account, a managed identity, a virtual network and a subnet within the virtual network, a security group, and an SSH public key.

  • A storage account and a container within the storage account, which will be used to store your data.

  • A managed identity, to which you also need to grant the required permissions, so that the cluster can store query profiles in the container.

  • An app registration to authorize Terraform as a service principal, and a client secret for the registered application. You also need to add role assignments to the application, so that Terraform can create the resources necessary to deploy the cluster within your Azure subscription.

  • An SSH public key, which gives access to your virtual machines (VMs) for automatic deployment, so Terraform can deploy the required service processes on your VMs.

    You need to create an SSH key pair on your local computer, because you will need to provide the path of the public key in the public_key element of this object.

  • A virtual network and a subnet within the virtual network for the VMs on which the cluster depends.

  • A security group to which the subnet is assigned.

To create these Azure objects, you need to declare the following resources in the .tf file (for example, main.tf) in which you have configured the providers:

# Provider blocks. The Azure AD provider needs no arguments here; the azurerm
# provider requires the (possibly empty) `features {}` block and the target
# subscription.
provider "azuread" {}
provider "azurerm" {
  subscription_id = "<Microsoft_subscription_ID>"
  features {}
}
# Create a resource group
# Every other object in this file is placed in this group, and its id is the
# scope used by the role assignments below.
resource "azurerm_resource_group" "example" {
  location = local.azure_region
  name     = "<resource_group_name>"
}
# Create a managed identity
# The identity is granted roles below and is what the cluster VMs use to reach
# the storage container without any stored credentials.
resource "azurerm_user_assigned_identity" "example" {
  name                = "<managed_identity_name>"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}
# Assign permissions to the managed identity
# One role assignment is created per entry in the list; `count` keeps the
# resource addresses stable in state.
locals {
  managed_identity_roles = ["Reader", "Storage Blob Data Contributor"]
}
resource "azurerm_role_assignment" "assignment_identity_roles" {
  count                = length(local.managed_identity_roles)
  principal_id         = azurerm_user_assigned_identity.example.principal_id
  role_definition_name = element(local.managed_identity_roles, count.index)
  # NOTE(review): the scope is the whole resource group, so the blob role
  # applies to every storage account in it. If the identity only needs to
  # write the container created below, `azurerm_storage_account.example.id`
  # is a tighter scope for that role.
  scope                = azurerm_resource_group.example.id
}
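# Create a storage account
# Two hardening settings are made explicit: TLS 1.2 is the minimum protocol
# accepted by the account endpoints, and no container or blob inside the
# account can be switched to anonymous public access (the container created
# below is private; this keeps it that way regardless of later changes).
resource "azurerm_storage_account" "example" {
  name                            = "<storage_account_name>"
  resource_group_name             = azurerm_resource_group.example.name
  location                        = azurerm_resource_group.example.location
  account_tier                    = "Standard"
  account_replication_type        = "GRS"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
}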
# Create a storage container
# `private` means no anonymous read access; callers must authenticate
# (the managed identity above, via its blob role).
resource "azurerm_storage_container" "example" {
  storage_account_name  = azurerm_storage_account.example.name
  name                  = "<storage_container_name>"
  container_access_type = "private"
}
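# Create an app registration and a client secret for it
resource "azuread_application_registration" "example" {
  display_name     = "<app_registration_name>"
  description      = "My example application"
  sign_in_audience = "AzureADMyOrg" # single-tenant: only this directory can sign in
}
# The generated secret value is written to Terraform state, so the state
# backend must be protected like any other credential store. An explicit
# lifetime bounds the exposure of a leaked secret and forces a planned
# rotation instead of an open-ended credential.
resource "azuread_application_password" "example" {
  application_id    = azuread_application_registration.example.id
  display_name      = "<app_secret_name>"
  end_date_relative = "8760h" # one year; shorten to match your rotation policy
}
# The service principal is the identity that receives the role assignments
# below; the application object itself cannot hold Azure RBAC roles.
resource "azuread_service_principal" "app_service_principal" {
  client_id = azuread_application_registration.example.client_id
}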
# Add role assignments to the application
# These roles let the service principal read the group, manage VMs and
# networking, and assign the managed identity to VMs. They are scoped to the
# resource group only, not to the subscription.
locals {
  app_registration_roles = [
    "Reader",
    "Virtual Machine Contributor",
    "Network Contributor",
    "Managed Identity Operator",
  ]
}
resource "azurerm_role_assignment" "assignment_app_roles" {
  count                = length(local.app_registration_roles)
  principal_id         = azuread_service_principal.app_service_principal.object_id
  role_definition_name = element(local.app_registration_roles, count.index)
  scope                = azurerm_resource_group.example.id
}
# Create an SSH public key
# Only the public half of the key pair is read from disk; the private key
# never enters the configuration or the state.
resource "azurerm_ssh_public_key" "example" {
  public_key          = file("~/.ssh/id_rsa.pub")
  name                = "<ssh_key_name>"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}
# Create a virtual network
# The /16 address space is carved into subnets below.
resource "azurerm_virtual_network" "example" {
  address_space       = ["10.0.0.0/16"]
  name                = "<network_name>"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}
# Create a subnet
# The cluster VMs are placed in this /24 inside the virtual network above.
resource "azurerm_subnet" "example" {
  address_prefixes     = ["10.0.1.0/24"]
  virtual_network_name = azurerm_virtual_network.example.name
  resource_group_name  = azurerm_resource_group.example.name
  name                 = "<subnet_name>"
}
# Create a network security group
# No custom rules are declared here, so only Azure's built-in default rules
# apply to the subnet it is attached to. Any inbound access the cluster needs
# from outside the virtual network has to be added as explicit rules.
resource "azurerm_network_security_group" "example" {
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  name                = "<security_group_name>"
}
# Assign the subnet to the security group
# Without this association the security group would exist but filter nothing.
resource "azurerm_subnet_network_security_group_association" "example" {
  network_security_group_id = azurerm_network_security_group.example.id
  subnet_id                 = azurerm_subnet.example.id
}

See the following documents for more information: