This article on CBS Terraform Provider 0.9.0 originally appeared on Adam Mazouz’s blog. It has been republished here with the author’s credit and consent.
If you’re a public cloud user, you must have used or are planning to use automation to deploy infrastructure resources and services. Pure Storage has built a Terraform provider that can be used to deploy Pure Cloud Block Store™. I have been using this provider for internal testing and also for delivering demos and proof of concepts.
In this blog post, I will cover what is new with the latest version of the Pure Cloud Block Store Terraform Provider. If you haven’t used it before, no worries, I’ve got you covered in this previous blog post.
Supporting the New Pure Cloud Block Store Model
Pure Cloud Block Store Terraform Provider is released in parallel with Purity//FA version 6.4.7. This is an important release for Pure Cloud Block Store, as a new SKU model was added to the original two models, V10MUR1 and V20MUR1. The new V20MP2R2 is based on new Azure infrastructure, replacing Dsv3 Azure VMs with EbdsV5. This raises IOPS and bandwidth to 30% higher than V20MUR1. In addition, replacing the Ultra SSD used as backend storage in the old SKU with the relatively new Premium SSD v2 managed disk drives down the total price of running Pure Cloud Block Store Azure infrastructure by up to 70%.
The latest release of Pure Cloud Block Store is a significant milestone. It not only enhances cost savings for Pure customers but also amplifies their ability to achieve even greater savings through its enterprise-grade data reduction capabilities. I will cover the cost optimization in detail in a future blog post. For now, let’s stick to the changes in the Terraform Provider.
```hcl
resource "cbs_array_azure" "azure_instance" {
  # (...)
  array_model = "V20MP2R2" # <-- CBS models available are (V10MUR1, V20MUR1, V20MP2R2)
}
```
Before deploying Pure Cloud Block Store with the new SKU, make sure to check the regions supported. If the region you want to deploy to is not available, you can request it by contacting your Pure Storage account team.
Adding Support for User Managed Identity
Previously, Pure Cloud Block Store arrays were deployed with open access to the Cosmos DB and Key Vault resources that are deployed within the managed application. Open access is not in itself a security vulnerability, since both resources use key-based authentication: unless you have those keys, you cannot authenticate. The motive for this enhancement is to restrict access and to cover any security flags raised during auditing.
To reconfigure those resources and restrict access to incoming traffic from the array VNet/System Subnet only, a User Managed Identity is required. It has to be assigned the joinViaServiceEndpoint/action permission over the Pure Cloud Block Store VNet, in line with the Azure least privilege access rule.
cbs_array_azure has a new required argument. user_assigned_identity is where to pass the User Managed Identity ID.
```hcl
resource "cbs_array_azure" "azure_instance" {
  # . . .
  user_assigned_identity = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/resourcegroups/mock_resource_group_name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/xxxxxxx"
}
```
If you would like to create and configure User Managed Identity with Terraform, check the module I have built here on GitHub or in the implementation guide.
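One way to create the identity and grant it only that permission, shown as an added example that is neither the author's GitHub module nor Pure Storage's code. The variable names, resource names and the choice of a custom role defined at resource-group scope are assumptions; the action string is the full Azure name of joinViaServiceEndpoint/action.

```hcl
# Added example; variable names and resource names are assumptions.
provider "azurerm" {
  features {}
}

variable "resource_group_name" { type = string } # assumed: resource group holding the CBS VNet
variable "vnet_name" { type = string }           # assumed: name of the CBS VNet
variable "location" { type = string }

data "azurerm_resource_group" "cbs" {
  name = var.resource_group_name
}

data "azurerm_virtual_network" "cbs" {
  name                = var.vnet_name
  resource_group_name = var.resource_group_name
}

resource "azurerm_user_assigned_identity" "cbs" {
  name                = "cbs-array-identity" # constructed name
  resource_group_name = var.resource_group_name
  location            = var.location
}

# Custom role that carries the single action the array needs and nothing else.
resource "azurerm_role_definition" "join_service_endpoint" {
  name  = "cbs-join-via-service-endpoint" # constructed name
  scope = data.azurerm_resource_group.cbs.id

  permissions {
    actions = ["Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"]
  }

  assignable_scopes = [data.azurerm_resource_group.cbs.id]
}

# Assign the role on the VNet only, not on the resource group or subscription.
resource "azurerm_role_assignment" "cbs" {
  scope              = data.azurerm_virtual_network.cbs.id
  role_definition_id = azurerm_role_definition.join_service_endpoint.role_definition_resource_id
  principal_id       = azurerm_user_assigned_identity.cbs.principal_id
}

# Pass this value as user_assigned_identity in cbs_array_azure.
output "user_assigned_identity_id" {
  value = azurerm_user_assigned_identity.cbs.id
}
```

Scoping the assignment to the VNet keeps the identity from holding any right elsewhere in the subscription, which is the property an audit of the deployment would check.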
Adding cbs_azure_plans
There’s another significant update, pushed in 0.8.0, worth mentioning. Previously, we had to fetch the Pure Cloud Block Store Marketplace plan for each version and either hard code it or pass it as a variable to the cbs_array_azure plan block.
This release has a new cbs_azure_plans data block, which programmatically fetches and provides a list of all Pure Cloud Block Store Azure plans available in the Marketplace. The list is sorted by version, with the latest on top at index [0]. See the example below.
```hcl
data "cbs_azure_plans" "azure_plans" {}

resource "cbs_array_azure" "azure_instance" {
  # (...)
  plan {
    name      = data.cbs_azure_plans.azure_plans.plans[0].name
    product   = data.cbs_azure_plans.azure_plans.plans[0].product
    publisher = data.cbs_azure_plans.azure_plans.plans[0].publisher
    version   = data.cbs_azure_plans.azure_plans.plans[0].version
  }

  lifecycle {
    ignore_changes = [
      plan,
    ]
  }
}

# This lists all the plans available on the Marketplace. To output only the
# deployed "latest" plan, add [0] at the end of the value.
output "cbs_azure_available_plans" {
  value = data.cbs_azure_plans.azure_plans.plans
}
```
Useful Links
Here are a couple of useful links if you would like to read more or give it a spin yourself.
- Pure Cloud Block Store Terraform Registry
- Using Terraform to Deploy Pure Cloud Block Store – Knowledge Base
- Reusable Terraform Module – Quick Launch Pure Cloud Block Store
If you have a feature request or you run into an issue, I recommend raising an issue on the GitHub page.
Closing
Terraform remains the go-to tool for deploying cloud infrastructure, continuously proving its worth. The modifications introduced in this release not only align with the latest Pure Cloud Block Store updates but also focus on provider maintenance, incorporating new features, and resolving any issues.
Thank you for your readership, and happy coding with Terraform!