Commit 436fe66

Add support for Azure BYOK exocompute (#205)
1 parent 910581c commit 436fe66

20 files changed

+822
-100
lines changed

docs/data-sources/azure_permissions.md

+1
Original file line numberDiff line numberDiff line change
@@ -103,6 +103,7 @@ resource "polaris_azure_subscription" "subscription" {
103103

104104
- `feature` (String) RSC feature. Note that the feature name must be given in the `EXAMPLE_FEATURE_NAME` style. Possible values are `AZURE_SQL_DB_PROTECTION`, `AZURE_SQL_MI_PROTECTION`, `CLOUD_NATIVE_ARCHIVAL`, `CLOUD_NATIVE_ARCHIVAL_ENCRYPTION`, `CLOUD_NATIVE_BLOB_PROTECTION`, `CLOUD_NATIVE_PROTECTION` and `EXOCOMPUTE`.
105105
- `features` (Set of String, Deprecated) RSC features. Possible values are `AZURE_SQL_DB_PROTECTION`, `AZURE_SQL_MI_PROTECTION`, `CLOUD_NATIVE_ARCHIVAL`, `CLOUD_NATIVE_ARCHIVAL_ENCRYPTION`, `CLOUD_NATIVE_BLOB_PROTECTION`, `CLOUD_NATIVE_PROTECTION` and `EXOCOMPUTE`. **Deprecated:** use `feature` instead.
106+
- `permission_groups` (Set of String) Permission groups for the RSC feature. Possible values are `BASIC`, `EXPORT_AND_RESTORE`, `FILE_LEVEL_RECOVERY`, `CLOUD_CLUSTER_ES`, `SNAPSHOT_PRIVATE_ACCESS`, `PRIVATE_ENDPOINTS`, `CUSTOMER_MANAGED_BASIC`, `ENCRYPTION`, `SQL_ARCHIVAL`, `RECOVERY` and `BACKUP_V2`.
106107

107108
### Read-Only
108109

docs/resources/aws_private_container_registry.md

+2-11
Original file line numberDiff line numberDiff line change
@@ -5,11 +5,7 @@ subcategory: ""
55
description: |-
66
The polaris_aws_private_container_registry resource enables the private container
77
registry (PCR) feature for the RSC customer account. This disables the standard
8-
Rubrik container registry. Once PCR has been enabled, it can only be disabled by
9-
Rubrik customer support.
10-
!> Note: Creating a polaris_aws_private_container_registry resource enables
11-
the PCR feature for the RSC customer account. Destroying the resource will not
12-
disabled PCR, it can only be disabled by contacting Rubrik customer support.
8+
Rubrik container registry.
139
~> Note: Even though the polaris_aws_private_container_registry resource ID
1410
is an RSC cloud account ID, there can only be a single PCR per RSC customer
1511
account.
@@ -70,12 +66,7 @@ description: |-
7066

7167
The `polaris_aws_private_container_registry` resource enables the private container
7268
registry (PCR) feature for the RSC customer account. This disables the standard
73-
Rubrik container registry. Once PCR has been enabled, it can only be disabled by
74-
Rubrik customer support.
75-
76-
!> **Note:** Creating a `polaris_aws_private_container_registry` resource enables
77-
the PCR feature for the RSC customer account. Destroying the resource will not
78-
disabled PCR, it can only be disabled by contacting Rubrik customer support.
69+
Rubrik container registry.
7970

8071
~> **Note:** Even though the `polaris_aws_private_container_registry` resource ID
8172
is an RSC cloud account ID, there can only be a single PCR per RSC customer
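Review bot: The removed `!> **Note:**` at old lines 76-78 was the only text describing what destroying the resource does, and the replacement sentence at new line 69 is silent on it. If destroying the resource now disables PCR, say so here and state whether the standard Rubrik container registry is re-enabled; if the old limitation still holds, the warning should stay. The same removal is made in the front-matter description in the previous hunk.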
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
---
2+
# generated by https://github.com/hashicorp/terraform-plugin-docs
3+
page_title: "polaris_azure_exocompute_cluster_attachment Resource - terraform-provider-polaris"
4+
subcategory: ""
5+
description: |-
6+
The polaris_azure_exocompute_cluster_attachment resource attaches an Azure AKS
7+
cluster to a customer managed host Exocompute configuration, allowing RSC to use
8+
the cluster for Exocompute operations.
9+
The cluster name must be specified as <resource-group>/<cluster-name>, e.g.
10+
my-resource-group/my-cluster.
11+
---
12+
13+
# polaris_azure_exocompute_cluster_attachment (Resource)
14+
15+
The `polaris_azure_exocompute_cluster_attachment` resource attaches an Azure AKS
16+
cluster to a customer managed host Exocompute configuration, allowing RSC to use
17+
the cluster for Exocompute operations.
18+
19+
The cluster name must be specified as `<resource-group>/<cluster-name>`, e.g.
20+
`my-resource-group/my-cluster`.
21+
22+
23+
24+
<!-- schema generated by tfplugindocs -->
25+
## Schema
26+
27+
### Required
28+
29+
- `cluster_name` (String) Azure AKS cluster name. Changing this forces a new resource to be created.
30+
- `exocompute_id` (String) RSC exocompute configuration ID (UUID). Changing this forces a new resource to be created.
31+
32+
### Optional
33+
34+
- `token_refresh` (Number) To force a refresh of the authentication token, part of the connection command and manifest, increase the value of this field. The token is valid for 24 hours.
35+
36+
### Read-Only
37+
38+
- `id` (String) RSC cluster ID (UUID).
39+
- `manifest` (String) Kubernetes manifest which can be passed to `kubectl apply` to create a connection between the cluster and RSC. See `connection_command` for an alternative connection method.
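Review bot: The `manifest` description at new line 39 points readers to `connection_command`, but the Read-Only list in this 39-line file contains only `id` and `manifest`, so the reference dangles. Either export and document `connection_command` or drop that sentence. Separately, `token_refresh` states that the authentication token is part of the manifest, yet `manifest` is not shown as Sensitive; mark it sensitive in the schema so the token is redacted from plan output, and note in the description that the value is still written to state.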
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,115 @@
1+
---
2+
# generated by https://github.com/hashicorp/terraform-plugin-docs
3+
page_title: "polaris_azure_private_container_registry Resource - terraform-provider-polaris"
4+
subcategory: ""
5+
description: |-
6+
The polaris_azure_private_container_registry resource enables the private
7+
container registry (PCR) feature for the RSC customer account. This disables the
8+
standard Rubrik container registry.
9+
~> Note: Even though the polaris_azure_private_container_registry resource
10+
ID is an RSC cloud account ID, there can only be a single PCR per RSC
11+
customer account.
12+
Exocompute Image Bundles
13+
The following GraphQL query can be used to retrieve information about the image
14+
bundles used by RSC for exocompute:
15+
graphql
16+
query ExotaskImageBundle {
17+
exotaskImageBundle {
18+
bundleImages {
19+
name
20+
sha
21+
tag
22+
}
23+
bundleVersion
24+
eksVersion
25+
repoUrl
26+
}
27+
}
28+
29+
The repoUrl field holds the URL to the RSC container registry from where the
30+
RSC images can be pulled.
31+
The following GraphQL mutation can be used to set the approved bundle version
32+
for the RSC customer account:
33+
graphql
34+
mutation SetBundleApprovalStatus($input: SetBundleApprovalStatusInput!) {
35+
setBundleApprovalStatus(input: $input)
36+
}
37+
38+
The input is an object with the following structure:
39+
json
40+
{
41+
"input": {
42+
"approvalStatus": "APPROVED",
43+
"bundleVersion": "1.164",
44+
}
45+
}
46+
47+
Where approvalStatus can be either APPROVED or REJECTED. bundleVersion
48+
is the the bundle version being approved or rejected. bundleMetadata is
49+
optional.
50+
---
51+
52+
# polaris_azure_private_container_registry (Resource)
53+
54+
The `polaris_azure_private_container_registry` resource enables the private
55+
container registry (PCR) feature for the RSC customer account. This disables the
56+
standard Rubrik container registry.
57+
58+
~> **Note:** Even though the `polaris_azure_private_container_registry` resource
59+
ID is an RSC cloud account ID, there can only be a single PCR per RSC
60+
customer account.
61+
62+
## Exocompute Image Bundles
63+
The following GraphQL query can be used to retrieve information about the image
64+
bundles used by RSC for exocompute:
65+
```graphql
66+
query ExotaskImageBundle {
67+
exotaskImageBundle {
68+
bundleImages {
69+
name
70+
sha
71+
tag
72+
}
73+
bundleVersion
74+
eksVersion
75+
repoUrl
76+
}
77+
}
78+
```
79+
The `repoUrl` field holds the URL to the RSC container registry from where the
80+
RSC images can be pulled.
81+
82+
The following GraphQL mutation can be used to set the approved bundle version
83+
for the RSC customer account:
84+
```graphql
85+
mutation SetBundleApprovalStatus($input: SetBundleApprovalStatusInput!) {
86+
setBundleApprovalStatus(input: $input)
87+
}
88+
```
89+
The input is an object with the following structure:
90+
```json
91+
{
92+
"input": {
93+
"approvalStatus": "APPROVED",
94+
"bundleVersion": "1.164",
95+
}
96+
}
97+
```
98+
Where `approvalStatus` can be either `APPROVED` or `REJECTED`. `bundleVersion`
99+
is the the bundle version being approved or rejected. `bundleMetadata` is
100+
optional.
101+
102+
103+
104+
<!-- schema generated by tfplugindocs -->
105+
## Schema
106+
107+
### Required
108+
109+
- `app_id` (String) Azure app registration application ID. Also known as the client ID.
110+
- `cloud_account_id` (String) RSC cloud account ID (UUID). Changing this forces a new resource to be created.
111+
- `url` (String) URL for customer provided private container registry.
112+
113+
### Read-Only
114+
115+
- `id` (String) RSC cloud account ID (UUID).
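Review bot: The JSON example at new lines 91-96 is not valid JSON: `"bundleVersion": "1.164",` ends with a trailing comma before the closing brace, so it fails when pasted as GraphQL variables. Remove the comma, or add the `bundleMetadata` field that the following sentence calls optional but the example never shows. Also fix "is the the" at new lines 98-99, and consider a word of explanation for `eksVersion` on an Azure resource page. The front-matter description (new lines 12-49) carries the same section with the code fences flattened to bare `graphql` and `json` words; keeping only the summary paragraph there would avoid that.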

docs/resources/azure_subscription.md

+19-8
Original file line numberDiff line numberDiff line change
@@ -12,13 +12,15 @@ description: |-
1212
for disaster recovery and long-term retention.
1313
2. cloud_native_archival_encryption - Allows cloud archival locations to be
1414
encrypted with customer managed keys.
15-
3. cloud_native_protection - Provides protection for Azure virtual machines and
15+
3. cloud_native_blob_protection - Provides protection for Azure Blob Storage
16+
through the rules and policies of SLA Domains.
17+
4. cloud_native_protection - Provides protection for Azure virtual machines and
1618
managed disks through the rules and policies of SLA Domains.
17-
4. exocompute - Provides snapshot indexing, file recovery, storage tiering, and
19+
5. exocompute - Provides snapshot indexing, file recovery, storage tiering, and
1820
application-consistent protection of Azure objects.
19-
5. sql_db_protection - Provides centralized database backup management and
21+
6. sql_db_protection - Provides centralized database backup management and
2022
recovery in an Azure SQL Database deployment.
21-
6. sql_mi_protection - Provides centralized database backup management and
23+
7. sql_mi_protection - Provides centralized database backup management and
2224
recovery for an Azure SQL Managed Instance deployment.
2325
Each feature's permissions field can be used with the polaris_azure_permissions
2426
data source to inform RSC about permission updates when the Terraform configuration
@@ -48,13 +50,15 @@ Any combination of different RSC features can be enabled for a subscription:
4850
for disaster recovery and long-term retention.
4951
2. `cloud_native_archival_encryption` - Allows cloud archival locations to be
5052
encrypted with customer managed keys.
51-
3. `cloud_native_protection` - Provides protection for Azure virtual machines and
53+
3. `cloud_native_blob_protection` - Provides protection for Azure Blob Storage
54+
through the rules and policies of SLA Domains.
55+
4. `cloud_native_protection` - Provides protection for Azure virtual machines and
5256
managed disks through the rules and policies of SLA Domains.
53-
4. `exocompute` - Provides snapshot indexing, file recovery, storage tiering, and
57+
5. `exocompute` - Provides snapshot indexing, file recovery, storage tiering, and
5458
application-consistent protection of Azure objects.
55-
5. `sql_db_protection` - Provides centralized database backup management and
59+
6. `sql_db_protection` - Provides centralized database backup management and
5660
recovery in an Azure SQL Database deployment.
57-
6. `sql_mi_protection` - Provides centralized database backup management and
61+
7. `sql_mi_protection` - Provides centralized database backup management and
5862
recovery for an Azure SQL Managed Instance deployment.
5963

6064
Each feature's `permissions` field can be used with the `polaris_azure_permissions`
@@ -173,6 +177,7 @@ Required:
173177

174178
Optional:
175179

180+
- `permission_groups` (Set of String) Permission groups to assign to the Cloud Native Archival feature. Possible values are `BASIC`, `ENCRYPTION` and `SQL_ARCHIVAL`.
176181
- `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
177182
- `resource_group_name` (String) Name of the Azure resource group where RSC places all resources created by the feature. RSC assumes the resource group already exists. Changing this forces the RSC feature to be re-onboarded.
178183
- `resource_group_region` (String) Region of the Azure resource group. Should be specified in the standard Azure style, e.g. `eastus`. Changing this forces the RSC feature to be re-onboarded.
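Review bot: The new `permission_groups` description at new line 180 lists the accepted values but not what RSC assigns when the field is omitted, or whether `BASIC` must always be included alongside the others. Add one sentence on the default; the same applies to the equivalent line added to each of the other feature blocks below.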
@@ -196,6 +201,7 @@ Required:
196201

197202
Optional:
198203

204+
- `permission_groups` (Set of String) Permission groups to assign to the Cloud Native Archival Encryption feature. Possible values are `BASIC` and `ENCRYPTION`.
199205
- `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
200206
- `resource_group_name` (String) Name of the Azure resource group where RSC places all resources created by the feature. RSC assumes the resource group already exists. Changing this forces the RSC feature to be re-onboarded.
201207
- `resource_group_region` (String) Region of the Azure resource group. Should be specified in the standard Azure style, e.g. `eastus`. Changing this forces the RSC feature to be re-onboarded.
@@ -215,6 +221,7 @@ Required:
215221

216222
Optional:
217223

224+
- `permission_groups` (Set of String) Permission groups to assign to the Cloud Native Blob Protection feature. Possible values are `BASIC` and `RECOVERY`.
218225
- `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
219226

220227
Read-Only:
@@ -231,6 +238,7 @@ Required:
231238

232239
Optional:
233240

241+
- `permission_groups` (Set of String) Permission groups to assign to the Cloud Native Protection feature. Possible values are `BASIC`, `EXPORT_AND_RESTORE`, `FILE_LEVEL_RECOVERY`, `CLOUD_CLUSTER_ES` and `SNAPSHOT_PRIVATE_ACCESS`.
234242
- `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
235243
- `resource_group_name` (String) Name of the Azure resource group where RSC places all resources created by the feature. RSC assumes the resource group already exists. Changing this forces the RSC feature to be re-onboarded.
236244
- `resource_group_region` (String) Region of the Azure resource group. Should be specified in the standard Azure style, e.g. `eastus`. Changing this forces the RSC feature to be re-onboarded.
@@ -250,6 +258,7 @@ Required:
250258

251259
Optional:
252260

261+
- `permission_groups` (Set of String) Permission groups to assign to the Exocompute feature. Possible values are `BASIC`, `PRIVATE_ENDPOINTS` and `CUSTOMER_MANAGED_BASIC`.
253262
- `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
254263
- `resource_group_name` (String) Name of the Azure resource group where RSC places all resources created by the feature. RSC assumes the resource group already exists. Changing this forces the RSC feature to be re-onboarded.
255264
- `resource_group_region` (String) Region of the Azure resource group. Should be specified in the standard Azure style, e.g. `eastus`. Changing this forces the RSC feature to be re-onboarded.
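Review bot: `CUSTOMER_MANAGED_BASIC` at new line 261 is introduced without any guidance on when to choose it over `BASIC`, which matters for a commit whose purpose is BYOK exocompute. If it is the group required for the customer managed host Exocompute configuration that `polaris_azure_exocompute_cluster_attachment` attaches clusters to, say so in the description and reference that resource.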
@@ -269,6 +278,7 @@ Required:
269278

270279
Optional:
271280

281+
- `permission_groups` (Set of String) Permission groups to assign to the SQL DB Protection feature. Possible values are `BASIC`, `RECOVERY` and `BACKUP_V2`.
272282
- `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
273283

274284
Read-Only:
@@ -285,6 +295,7 @@ Required:
285295

286296
Optional:
287297

298+
- `permission_groups` (Set of String) Permission groups to assign to the SQL MI Protection feature. Possible values are `BASIC`, `RECOVERY` and `BACKUP_V2`.
288299
- `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
289300

290301
Read-Only:

go.mod

+1-1
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ require (
88
github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
99
github.com/hashicorp/terraform-plugin-docs v0.16.0
1010
github.com/hashicorp/terraform-plugin-sdk/v2 v2.34.0
11-
github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.7
11+
github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8
1212
)
1313

1414
require (

go.sum

+2-2
Original file line numberDiff line numberDiff line change
@@ -270,8 +270,8 @@ github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSg
270270
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
271271
github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
272272
github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
273-
github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.7 h1:n3tfrj61TLoKKkywcboFjEb/sd+G53vJV13dfV14k3Q=
274-
github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.7/go.mod h1:ryJGDKlbaCvozY3Wvt+TPSN2OZRChQedHUNsnVfCbXE=
273+
github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8 h1:dU2PQJUQ4G0FcdivN2Y0/vYsu/9hZRvAYld2I9Tqvro=
274+
github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8/go.mod h1:ryJGDKlbaCvozY3Wvt+TPSN2OZRChQedHUNsnVfCbXE=
275275
github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww=
276276
github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
277277
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=

internal/provider/data_source_azure_permissions.go

+24-2
Original file line numberDiff line numberDiff line change
@@ -159,6 +159,23 @@ func dataSourceAzurePermissions() *schema.Resource {
159159
"`resource_group_not_data_actions` instead.",
160160
Deprecated: "use `subscription_not_data_actions` and `resource_group_not_data_actions` instead.",
161161
},
162+
keyPermissionGroups: {
163+
Type: schema.TypeSet,
164+
Elem: &schema.Schema{
165+
Type: schema.TypeString,
166+
ValidateFunc: validation.StringInSlice([]string{
167+
"BASIC", "EXPORT_AND_RESTORE", "FILE_LEVEL_RECOVERY", "CLOUD_CLUSTER_ES",
168+
"SNAPSHOT_PRIVATE_ACCESS", "PRIVATE_ENDPOINTS", "CUSTOMER_MANAGED_BASIC",
169+
"ENCRYPTION", "SQL_ARCHIVAL", "RECOVERY", "BACKUP_V2",
170+
}, false),
171+
},
172+
Optional: true,
173+
ConflictsWith: []string{keyFeatures},
174+
Description: "Permission groups for the RSC feature. Possible values are `BASIC`, " +
175+
"`EXPORT_AND_RESTORE`, `FILE_LEVEL_RECOVERY`, `CLOUD_CLUSTER_ES`, `SNAPSHOT_PRIVATE_ACCESS`, " +
176+
"`PRIVATE_ENDPOINTS`, `CUSTOMER_MANAGED_BASIC`, `ENCRYPTION`, `SQL_ARCHIVAL`, `RECOVERY` and " +
177+
"`BACKUP_V2`.",
178+
},
162179
keyResourceGroupActions: {
163180
Type: schema.TypeList,
164181
Elem: &schema.Schema{
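Review bot: `ValidateFunc` at new lines 166-170 accepts any of the eleven group names regardless of `feature`, while the subscription docs in this commit restrict them per feature (Exocompute takes only `BASIC`, `PRIVATE_ENDPOINTS` and `CUSTOMER_MANAGED_BASIC`), so a mismatched pair passes schema validation and is only caught, if at all, by the API. Consider checking the group set against the feature name in the read function. The `Description` at new lines 174-177 should also mention that the field cannot be combined with `features`, which `ConflictsWith` enforces.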
@@ -238,8 +255,13 @@ func azurePermissionsRead(ctx context.Context, d *schema.ResourceData, m any) di
238255
// Check both feature and features.
239256
var perms []azure.Permissions
240257
var groups []azure.PermissionGroupWithVersion
241-
if f := d.Get(keyFeature).(string); f != "" {
242-
perms, groups, err = azure.Wrap(client).ScopedPermissions(ctx, core.Feature{Name: f})
258+
if featureName := d.Get(keyFeature).(string); featureName != "" {
259+
var permGroups []core.PermissionGroup
260+
for _, permGroup := range d.Get(keyPermissionGroups).(*schema.Set).List() {
261+
permGroups = append(permGroups, core.PermissionGroup(permGroup.(string)))
262+
}
263+
feature := core.Feature{Name: featureName, PermissionGroups: permGroups}
264+
perms, groups, err = azure.Wrap(client).ScopedPermissions(ctx, feature)
243265
} else {
244266
var features []core.Feature
245267
for _, f := range d.Get(keyFeatures).(*schema.Set).List() {
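Review bot: When `permission_groups` is unset, `permGroups` stays nil and `core.Feature{Name: featureName, PermissionGroups: permGroups}` is passed on at new lines 263-264 with no indication of what that means. Add a comment stating what `ScopedPermissions` returns for a feature with no groups, so it is clear that existing configurations which never set the field get the same permissions as before this change.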

internal/provider/names.go

+2
Original file line numberDiff line numberDiff line change
@@ -111,7 +111,9 @@ const (
111111
keyPolarisAWSPrivateContainerRegistry = "polaris_aws_private_container_registry"
112112
keyPolarisAzureArchivalLocation = "polaris_azure_archival_location"
113113
keyPolarisAzureExocompute = "polaris_azure_exocompute"
114+
keyPolarisAzureExocomputeClusterAttachment = "polaris_azure_exocompute_cluster_attachment"
114115
keyPolarisAzurePermissions = "polaris_azure_permissions"
116+
keyPolarisAzurePrivateContainerRegistry = "polaris_azure_private_container_registry"
115117
keyPolarisAzureServicePrincipal = "polaris_azure_service_principal"
116118
keyPolarisAzureSubscription = "polaris_azure_subscription"
117119
keyPolarisCustomRole = "polaris_custom_role"
