Deploy Fusion Storage Endpoint Collection (SEC) in Azure with Terraform

Last updated
Save as PDF

Introduction

This document is for deploying Fusion Storage Endpoint Collection (SEC) in Microsoft Azure using Cloud Block Store Terraform Provider.

Software Version

The below are the required software version to deploy Fusion SEC in Azure.

Purity version 6.4.4 and above.
Terraform Provider for CBS 0.8.0 and above.

Terraform Requirement

Install Terraform

Download and install the appropriate Terraform package for your operating system and hardware architecture via the link below:

https://www.terraform.io/downloads.html

Azure Requirement

Authenticate to Azure

There are two ways to authenticate to an Azure account:

Option#1 -- Azure CLI

Download and install the latest version of the Azure CLI tool via this link.

#For authentication, log in to the Azure CLI
az login  
    
#And list the Subscriptions associated with the account:
az account list   

#if the user logging in has more than one Subscription. Specify the Subscription to be the default.
az account set --subscription="<SUBSCRIPTION_ID>"

Option#2-- Azure Service Principal

Terraform can be authenticated with a Service Principal in the provider configuration under main.tf file by adding the following:

provider "cbs" {
    azure {
        client_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        client_secret = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        tenant_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }
}

For step-by-step on how to create Azure Service Principle, follow this link: Creating a Service Principal in the Azure Portal

Create Resource Group

To create resource group, you can use Azure Portal, or pragmatically using Azure CLI or PowerShell module. See the Azure CLI example below:

az group create --name <resource-group-name> --location <azure-region>

Example:

az group create --name PureResourceGroup --location eastus

Create Virtual Network and Subnets

The Virtual Network (vNet) and its underlying subnets can be leveraged by both CBS and the Fusion SEC. CBS requires four subnets: System, iSCSI, Management and Replication. We recommend attaching the Fusion SEC to the iSCSI subnet.

az network vnet create --name <vnet-name> --resource-group <resource-group-name> --address-prefix <vnet-address-prefix> /
--subnet-name <subnet1-name> --subnet-prefix <subnet1-prefix> --subnet-name <subnet2-name> --subnet-prefix <subnet2-prefix> /
--subnet-name <subnet3-name> --subnet-prefix <subnet3-prefix> --subnet-name <subnet4-name> --subnet-prefix <subnet4-prefix>

Example:

az network vnet create --name PureVNet --resource-group PureResourceGroup --address-prefix 10.0.0.0/16 / 
--subnet-name SYSsubnet --subnet-prefix 10.0.1.0/24 --subnet-name MNGMsubnet --subnet-prefix 10.0.2.0/24 /
--subnet-name ISCSIsubnet --subnet-prefix 10.0.3.0/24 --subnet-name REPLsubnet --subnet-prefix 10.0.4.0/24

Find Azure Group ID

Part of create Fusion SEC Managed Application with Terraform is to assign a/the list of Azure Active Directory groups jit_group_ids that enable their users to approve JIT access requests. You can more about the JIT Access here.

To find the group object Id:

From the Azure portal go to Azure Active Directory > Users, Then select your user.
From the left-panle blade select Groups, then copy Object Ids.

Code Example

The below example is for deploying only SEC Managed Application without adding any Cloud Block Store array.

Step#1

Download the three files from this GitHub repo into a new directory.

Step#2

Edit the variables files with the required Azure resources and convenient naming.

#Variables
fusion_sec_name            = "terraform-example-instance"
location                   = "location_xxxx"
resource_group_name        = "resource_xxxx"
zone                       = 1
load_balancer_network_rg   = "xxxx"
load_balancer_network_name = "xxxx"
load_balancer_subnet       = "xxxx"
jit_group_ids              = ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]

Step#3

Save the changes to the file, and open a terminal window and navigate to the Terraform deployment directory that has been created, and Run terraform init command to initialize the working directory.

Step#4

Next, Run the terraform plan command to create the execution plan. If it lists all the resources without throwing any errors, Run terraform apply.

Output

The below are the output attributes for the deploying SEC with the code above:

application_name - The name of the managed application.
managed_resource_group_name - The name of the managed resource group of the managed application.
hmvip0 - Harbormaster IP address 0.
hmvip1 - Harbormaster IP address 1.
load_balancer_full_identity_id - Full identify of the load balancer.

As you can find in the code example, Outputs can be referenced at the main.tf,

output "fusion_sec_hmvip0" {
    value = fusion_sec_azure_instance.hmvip0
}
output "fusion_sec_hmvip1" {
    value = fusion_sec_azure_instance.hmvip1
}
output "fusion_sec_load_balancer_full_identity_id" {
    value = fusion_sec_azure_instance.load_balancer_full_identity_id
}

And load_balancer_full_identity_id can be used as an input variable within cbs_array_azure resource.

resource "cbs_array_azure" "azure_instance" {
    .
    .
    .
    fusion_sec_identity = cbs_fusion_sec_azure.fusion_sec_azure_instance.load_balancer_full_identity_id
}

Next Steps

With the storage endpoint collection configured, you can now deploy a CBS Array. Deployment for a Fusion-enabled CBS Array follows mostly the same process as outlined in this article, but with two key considerations.

1. Pass the fusion_sec_identity argument to the cbs_array_azureresource, similar to the example shown above in the previous section.

2. The CBS array iscsi_subnetargument of cbs_array_azureresource has to match theload_balancer_subnetof cbs_fusion_sec_azureresource.