
Deploy Fusion Storage Endpoint Collection (SEC) with Terraform | Pure CBS on Azure


This document describes how to deploy a Fusion Storage Endpoint Collection (SEC) in Microsoft Azure using the Cloud Block Store Terraform Provider.

Software Version 

The following software versions are required to deploy Fusion SEC in Azure.

  • Purity version 6.4.4 and above.
  • Terraform Provider for CBS 0.8.0 and above.

Terraform Requirement 

Install Terraform 

Download and install the appropriate Terraform package for your operating system and hardware architecture via the link below:

Azure Requirement

Authenticate to Azure 

There are two ways to authenticate to an Azure account:

Option#1 -- Azure CLI

Download and install the latest version of the Azure CLI tool via this link.

# For authentication, log in to the Azure CLI:
az login
# List the subscriptions associated with the account:
az account list

# If the user logging in has more than one subscription, specify the default subscription:
az account set --subscription="<SUBSCRIPTION_ID>"

Option#2 -- Azure Service Principal

Terraform can authenticate with a Service Principal when the following is added to the provider configuration:

provider "cbs" {
    azure {
        # Service Principal credentials; replace the placeholders with your own values
        client_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        client_secret = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        tenant_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }
}

For step-by-step instructions on creating an Azure Service Principal, follow this link: Creating a Service Principal in the Azure Portal

Create Resource Group

To create a resource group, you can use the Azure Portal, or do it programmatically using the Azure CLI or the PowerShell module. See the Azure CLI example below:

az group create --name <resource-group-name> --location <azure-region>


az group create --name PureResourceGroup --location eastus

Create Virtual Network and Subnets

The Virtual Network (vNet) and its underlying subnets can be leveraged by both CBS and the Fusion SEC.  CBS requires four subnets:  System, iSCSI, Management and Replication.  We recommend attaching the Fusion SEC to the iSCSI subnet.

az network vnet create --name <vnet-name> --resource-group <resource-group-name> --address-prefix <vnet-address-prefix> \
--subnet-name <subnet1-name> --subnet-prefix <subnet1-prefix> --subnet-name <subnet2-name> --subnet-prefix <subnet2-prefix> \
--subnet-name <subnet3-name> --subnet-prefix <subnet3-prefix> --subnet-name <subnet4-name> --subnet-prefix <subnet4-prefix>


az network vnet create --name PureVNet --resource-group PureResourceGroup --address-prefix \
--subnet-name SYSsubnet --subnet-prefix --subnet-name MNGMsubnet --subnet-prefix \
--subnet-name ISCSIsubnet --subnet-prefix --subnet-name REPLsubnet --subnet-prefix

Find Azure Group ID

Part of creating the Fusion SEC Managed Application with Terraform is assigning the list of Azure Active Directory groups (jit_group_ids) whose users can approve JIT access requests. You can read more about JIT access here

To find the group object Id:

  1. From the Azure portal, go to Azure Active Directory > Users, then select your user.
  2. From the left-panel blade, select Groups, then copy the Object IDs.

Code Example

The example below deploys only the SEC Managed Application, without adding any Cloud Block Store array.


Download the three files from this GitHub repo into a new directory.



Edit the variables file with the required Azure resources and suitable names.

fusion_sec_name            = "terraform-example-instance"
location                   = "location_xxxx"
resource_group_name        = "resource_xxxx"
zone                       = 1
load_balancer_network_rg   = "xxxx"
load_balancer_network_name = "xxxx"
load_balancer_subnet       = "xxxx"
jit_group_ids              = ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]


Save the changes to the file, open a terminal window, navigate to the Terraform deployment directory that has been created, and run the terraform init command to initialize the working directory.


Next, run the terraform plan command to create the execution plan. If it lists all the resources without any errors, run terraform apply.


The following are the output attributes when deploying the SEC with the code above:

  • application_name - The name of the managed application.
  • managed_resource_group_name - The name of the managed resource group of the managed application.
  • hmvip0 - Harbormaster IP address 0.
  • hmvip1 - Harbormaster IP address 1.
  • load_balancer_full_identity_id - Full identity of the load balancer.

As you can find in the code example, Outputs can be referenced at the,

output "fusion_sec_hmvip0" {
    value = cbs_fusion_sec_azure.fusion_sec_azure_instance.hmvip0
}
output "fusion_sec_hmvip1" {
    value = cbs_fusion_sec_azure.fusion_sec_azure_instance.hmvip1
}
output "fusion_sec_load_balancer_full_identity_id" {
    value = cbs_fusion_sec_azure.fusion_sec_azure_instance.load_balancer_full_identity_id
}

The load_balancer_full_identity_id output can then be used as an input to the cbs_array_azure resource:

resource "cbs_array_azure" "azure_instance" {
    # ... other cbs_array_azure arguments ...
    fusion_sec_identity = cbs_fusion_sec_azure.fusion_sec_azure_instance.load_balancer_full_identity_id
}

Next Steps

With the storage endpoint collection configured, you can now deploy a CBS Array. Deployment for a Fusion-enabled CBS Array follows mostly the same process as outlined in this article, but with two key considerations. 

1. Pass the fusion_sec_identity argument to the cbs_array_azure resource, similar to the example shown above in the previous section.

2. The iscsi_subnet argument of the cbs_array_azure resource has to match the load_balancer_subnet of the cbs_fusion_sec_azure resource.
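
The following is an added example, not part of the original page or the GitHub repo: a pre-apply check of the two considerations above, run against the JSON form of a plan (terraform plan -out=tfplan, then terraform show -json tfplan). The function names and the sample plan are constructed for illustration, and only root-module resources are examined.

```python
import json

# Constructed sample: `terraform show -json <planfile>` output trimmed to the
# keys read below. Resource types and arguments are the ones named on this page.
SAMPLE_PLAN = json.loads("""{
 "planned_values": {"root_module": {"resources": [
  {"address": "cbs_fusion_sec_azure.fusion_sec_azure_instance",
   "type": "cbs_fusion_sec_azure",
   "values": {"load_balancer_subnet": "ISCSIsubnet"}},
  {"address": "cbs_array_azure.azure_instance",
   "type": "cbs_array_azure",
   "values": {"iscsi_subnet": "MNGMsubnet"}}]}},
 "configuration": {"root_module": {"resources": [
  {"address": "cbs_array_azure.azure_instance",
   "type": "cbs_array_azure",
   "expressions": {"fusion_sec_identity": {"references": [
    "cbs_fusion_sec_azure.fusion_sec_azure_instance.load_balancer_full_identity_id",
    "cbs_fusion_sec_azure.fusion_sec_azure_instance"]}}}]}}
}""")


def _resources(plan, section, rtype):
    """Root-module resources of one type (child modules are not walked)."""
    found = plan.get(section, {}).get("root_module", {}).get("resources", [])
    return [r for r in found if r.get("type") == rtype]


def check_plan(plan):
    """Return findings for the two Next Steps rules; empty list means both hold."""
    findings = []
    sec_subnets = {r.get("values", {}).get("load_balancer_subnet")
                   for r in _resources(plan, "planned_values", "cbs_fusion_sec_azure")}
    for arr in _resources(plan, "planned_values", "cbs_array_azure"):
        subnet = arr.get("values", {}).get("iscsi_subnet")
        if subnet is None:  # value only known after apply, so it cannot be compared
            findings.append(f"{arr['address']}: iscsi_subnet not known at plan time")
        elif subnet not in sec_subnets:
            findings.append(f"{arr['address']}: iscsi_subnet {subnet!r} matches no "
                            "cbs_fusion_sec_azure load_balancer_subnet")
    for arr in _resources(plan, "configuration", "cbs_array_azure"):
        refs = arr.get("expressions", {}).get("fusion_sec_identity", {}).get("references", [])
        if not any(ref.startswith("cbs_fusion_sec_azure.") for ref in refs):
            findings.append(f"{arr['address']}: fusion_sec_identity does not reference "
                            "a cbs_fusion_sec_azure resource")
    return findings


if __name__ == "__main__":
    print("\n".join(check_plan(SAMPLE_PLAN)) or "both rules hold")
```

The constructed sample deliberately places the array on MNGMsubnet, so the check reports one finding; a plan in which both arguments name the same subnet returns an empty list.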