MySql workspace service (#2476)

* Initial airlock manager role

* Initial implementation sql service

* add changelog comment

* fix provider

* cr comments

* change from sql to mysql

Co-authored-by: Anat Balzam <anatbalzam@microsoft.com>
Co-authored-by: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>

CHANGELOG.md

@@ -9,7 +9,7 @@
 
 FEATURES:
 
-*
+* MySql workspace service ([#2476](https://github.com/microsoft/AzureTRE/issues/2476))
 
 ENHANCEMENTS:
 

templates/workspace_services/mysql/.dockerignore

@@ -0,0 +1,7 @@
+# See https://docs.docker.com/engine/reference/builder/#dockerignore-file
+# Put files here that you don't want copied into your bundle's invocation image
+.gitignore
+Dockerfile.tmpl
+
+# Local .terraform directories
+**/.terraform/*

templates/workspace_services/mysql/.env.sample

@@ -0,0 +1,5 @@
+ID="__CHANGE_ME__"
+WORKSPACE_ID="__CHANGE_ME__"
+SQL_SKU="__CHANGE_ME__"
+STORAGE_MB="__CHANGE_ME__"
+DB_NAME="__CHANGE_ME__"

templates/workspace_services/mysql/.gitignore

@@ -0,0 +1 @@
+.cnab/

templates/workspace_services/mysql/Dockerfile.tmpl

@@ -0,0 +1,25 @@
+FROM debian:buster-slim
+
+ARG BUNDLE_DIR
+
+# This is a template Dockerfile for the bundle's invocation image
+# You can customize it to use different base images, install tools and copy configuration files.
+#
+# Porter will use it as a template and append lines to it for the mixins
+# and to set the CMD appropriately for the CNAB specification.
+#
+# Add the following line to porter.yaml to instruct Porter to use this template
+# dockerfile: Dockerfile.tmpl
+
+# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
+# another location in this file. If you remove that line, the mixins generated content is appended to this file.
+# PORTER_MIXINS
+
+# Use the BUNDLE_DIR build argument to copy files into the bundle
+COPY . $BUNDLE_DIR
+
+# Mirror plugins to prevent network access at runtime
+# Remove when available from https://github.com/getporter/terraform-mixin/issues/90
+WORKDIR $BUNDLE_DIR/terraform
+RUN terraform init -backend=false \
+  && terraform providers mirror /usr/local/share/terraform/plugins

templates/workspace_services/mysql/parameters.json

@@ -0,0 +1,56 @@
+{
+  "schemaVersion": "1.0.0-DRAFT+TODO",
+  "name": "base",
+  "created": "2021-06-04T13:37:29.5071039+03:00",
+  "modified": "2021-06-04T13:37:29.5071039+03:00",
+  "parameters": [
+    {
+      "name": "tre_id",
+      "source": {
+        "env": "TRE_ID"
+      }
+    },
+    {
+      "name": "id",
+      "source": {
+        "env": "ID"
+      }
+    },
+    {
+      "name": "tfstate_container_name",
+      "source": {
+        "env": "TERRAFORM_STATE_CONTAINER_NAME"
+      }
+    },
+    {
+      "name": "tfstate_resource_group_name",
+      "source": {
+        "env": "MGMT_RESOURCE_GROUP_NAME"
+      }
+    },
+    {
+      "name": "tfstate_storage_account_name",
+      "source": {
+        "env": "MGMT_STORAGE_ACCOUNT_NAME"
+      }
+    },
+    {
+      "name": "sql_sku",
+      "source": {
+        "env": "SQL_SKU"
+      }
+    },
+    {
+      "name": "storage_mb",
+      "source": {
+        "env": "STORAGE_MB"
+      }
+    },
+    {
+      "name": "db_name",
+      "source": {
+        "env": "DB_NAME"
+      }
+    }
+  ]
+}

templates/workspace_services/mysql/porter.yaml

@@ -0,0 +1,102 @@
+---
+name: tre-workspace-service-mysql
+version: 0.1.0
+description: "A MySQL workspace service"
+registry: azuretre
+dockerfile: Dockerfile.tmpl
+
+credentials:
+  - name: azure_tenant_id
+    env: ARM_TENANT_ID
+  - name: azure_subscription_id
+    env: ARM_SUBSCRIPTION_ID
+  - name: azure_client_id
+    env: ARM_CLIENT_ID
+  - name: azure_client_secret
+    env: ARM_CLIENT_SECRET
+parameters:
+  - name: workspace_id
+    type: string
+  - name: tre_id
+    type: string
+
+  # the following are added automatically by the resource processor
+  - name: id
+    type: string
+    description: "Resource ID"
+    env: id
+  - name: tfstate_resource_group_name
+    type: string
+    description: "Resource group containing the Terraform state storage account"
+  - name: tfstate_storage_account_name
+    type: string
+    description: "The name of the Terraform state storage account"
+  - name: tfstate_container_name
+    env: tfstate_container_name
+    type: string
+    default: "tfstate"
+    description: "The name of the Terraform state storage container"
+  - name: arm_use_msi
+    env: ARM_USE_MSI
+    default: false
+  - name: sql_sku
+    type: string
+    default: "GP | 5GB 2vCores"
+  - name: storage_mb
+    type: integer
+    default: 5120
+  - name: db_name
+    type: string
+    default: tredb
+
+mixins:
+  - exec
+  - terraform:
+      clientVersion: 1.2.6
+
+outputs:
+  - name: mysql_fqdn
+    type: string
+    applyTo:
+      - install
+
+install:
+  - terraform:
+      description: "Deploy MySQL workspace service"
+      input: false
+      vars:
+        workspace_id: "{{ bundle.parameters.workspace_id }}"
+        tre_id: "{{ bundle.parameters.tre_id }}"
+        tre_resource_id: "{{ bundle.parameters.id }}"
+        sql_sku: "{{ bundle.parameters.sql_sku }}"
+        storage_mb: "{{ bundle.parameters.storage_mb }}"
+        db_name: "{{ bundle.parameters.db_name }}"
+      backendConfig:
+        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
+        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
+        container_name: "{{ bundle.parameters.tfstate_container_name }}"
+        key: "tre-workspace-service-mysql-{{ bundle.parameters.id }}"
+      outputs:
+        - name: mysql_fqdn
+upgrade:
+  - exec:
+      description: "Upgrade shared service"
+      command: echo
+      arguments:
+        - "This shared service does not implement upgrade action"
+uninstall:
+  - terraform:
+      description: "Tear down MySQL workspace service"
+      input: false
+      vars:
+        workspace_id: "{{ bundle.parameters.workspace_id }}"
+        tre_id: "{{ bundle.parameters.tre_id }}"
+        tre_resource_id: "{{ bundle.parameters.id }}"
+        sql_sku: "{{ bundle.parameters.sql_sku }}"
+        storage_mb: "{{ bundle.parameters.storage_mb }}"
+        db_name: "{{ bundle.parameters.db_name }}"
+      backendConfig:
+        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
+        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
+        container_name: "{{ bundle.parameters.tfstate_container_name }}"
+        key: "tre-workspace-service-mysql-{{ bundle.parameters.id }}"

templates/workspace_services/mysql/template_schema.json

@@ -0,0 +1,40 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema",
+  "$id": "https://github.com/microsoft/AzureTRE/templates/workspace_services/sql/template_schema.json",
+  "type": "object",
+  "title": "MySQL Workspace Service",
+  "description": "Provides MySQL within the workspace",
+  "required": [
+    "sql_sku",
+    "storage_mb",
+    "db_name"
+  ],
+  "properties": {
+    "sql_sku": {
+      "$id": "#/properties/sql_sku",
+      "type": "string",
+      "title": "MySQL server SKU",
+      "description": "MySQL server SKU",
+      "enum": [
+        "GP | 5GB 2vCores",
+        "GP | 5GB 4vCores",
+        "GP | 5GB 6vCores",
+        "GP | 5GB 8vCores"
+      ],
+      "default": "GP | 5GB 2vCores"
+    },
+    "storage_mb": {
+      "$id": "#/properties/storage_mb",
+      "type": "number",
+      "title": "Max storage allowed for a server",
+      "description": "Max storage allowed for a server",
+      "default": 5120
+    },
+    "db_name": {
+      "$id": "#/properties/db_name",
+      "type": "string",
+      "title": "Database name",
+      "description": "Database name"
+    }
+  }
+}

templates/workspace_services/mysql/terraform/locals.tf

@@ -0,0 +1,19 @@
+locals {
+  short_service_id               = substr(var.tre_resource_id, -4, -1)
+  short_workspace_id             = substr(var.workspace_id, -4, -1)
+  workspace_resource_name_suffix = "${var.tre_id}-ws-${local.short_workspace_id}"
+  service_resource_name_suffix   = "${var.tre_id}-ws-${local.short_workspace_id}-svc-${local.short_service_id}"
+  keyvault_name                  = lower("kv-${substr(local.workspace_resource_name_suffix, -20, -1)}")
+  core_resource_group_name       = "rg-${var.tre_id}"
+  sql_sku = {
+    "GP | 5GB 2vCores" = { value = "GP_Gen5_2" },
+    "GP | 5GB 4vCores" = { value = "GP_Gen5_4" },
+    "GP | 5GB 6vCores" = { value = "GP_Gen5_6" },
+    "GP | 5GB 8vCores" = { value = "GP_Gen5_8" }
+  }
+  workspace_service_tags = {
+    tre_id                   = var.tre_id
+    tre_workspace_id         = var.workspace_id
+    tre_workspace_service_id = var.tre_resource_id
+  }
+}

templates/workspace_services/mysql/terraform/main.tf

@@ -0,0 +1,57 @@
+# Azure Provider source and version being used
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.18.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.0"
+    }
+  }
+
+  backend "azurerm" {}
+}
+
+provider "azurerm" {
+  features {
+    key_vault {
+      # Don't purge on destroy (this would fail due to purge protection being enabled on keyvault)
+      purge_soft_delete_on_destroy               = false
+      purge_soft_deleted_secrets_on_destroy      = false
+      purge_soft_deleted_certificates_on_destroy = false
+      purge_soft_deleted_keys_on_destroy         = false
+      # When recreating an environment, recover any previously soft deleted secrets - set to true by default
+      recover_soft_deleted_key_vaults   = true
+      recover_soft_deleted_secrets      = true
+      recover_soft_deleted_certificates = true
+      recover_soft_deleted_keys         = true
+    }
+  }
+}
+
+data "azurerm_resource_group" "ws" {
+  name = "rg-${var.tre_id}-ws-${local.short_workspace_id}"
+}
+
+data "azurerm_virtual_network" "ws" {
+  name                = "vnet-${var.tre_id}-ws-${local.short_workspace_id}"
+  resource_group_name = "rg-${var.tre_id}-ws-${local.short_workspace_id}"
+}
+
+data "azurerm_key_vault" "ws" {
+  name                = local.keyvault_name
+  resource_group_name = data.azurerm_resource_group.ws.name
+}
+
+data "azurerm_subnet" "services" {
+  name                 = "ServicesSubnet"
+  virtual_network_name = data.azurerm_virtual_network.ws.name
+  resource_group_name  = data.azurerm_resource_group.ws.name
+}
+
+data "azurerm_private_dns_zone" "mysql" {
+  name                = "privatelink.mysql.database.azure.com"
+  resource_group_name = local.core_resource_group_name
+}

templates/workspace_services/mysql/terraform/mysql.tf

@@ -0,0 +1,64 @@
+resource "random_password" "password" {
+  length      = 20
+  min_upper   = 2
+  min_lower   = 2
+  min_numeric = 2
+  min_special = 2
+}
+
+resource "azurerm_mysql_server" "mysql" {
+  name                              = "mysql-${local.service_resource_name_suffix}"
+  resource_group_name               = data.azurerm_resource_group.ws.name
+  location                          = data.azurerm_resource_group.ws.location
+  administrator_login               = "mysqladmin"
+  administrator_login_password      = random_password.password.result
+  sku_name                          = local.sql_sku[var.sql_sku].value
+  storage_mb                        = var.storage_mb
+  version                           = "8.0"
+  auto_grow_enabled                 = true
+  backup_retention_days             = 7
+  geo_redundant_backup_enabled      = false
+  infrastructure_encryption_enabled = false
+  public_network_access_enabled     = false
+  ssl_enforcement_enabled           = true
+  ssl_minimal_tls_version_enforced  = "TLS1_2"
+  tags                              = local.workspace_service_tags
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_mysql_database" "db" {
+  name                = var.db_name
+  resource_group_name = data.azurerm_resource_group.ws.name
+  server_name         = azurerm_mysql_server.mysql.name
+  charset             = "utf8"
+  collation           = "utf8_unicode_ci"
+}
+
+resource "azurerm_private_endpoint" "mysql_private_endpoint" {
+  name                = "pe-${azurerm_mysql_server.mysql.name}"
+  location            = data.azurerm_resource_group.ws.location
+  resource_group_name = data.azurerm_resource_group.ws.name
+  subnet_id           = data.azurerm_subnet.services.id
+  tags                = local.workspace_service_tags
+
+  private_service_connection {
+    private_connection_resource_id = azurerm_mysql_server.mysql.id
+    name                           = "psc-${azurerm_mysql_server.mysql.name}"
+    subresource_names              = ["mysqlServer"]
+    is_manual_connection           = false
+  }
+
+  private_dns_zone_group {
+    name                 = "privatelink.mysql.database.azure.com"
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.mysql.id]
+  }
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_key_vault_secret" "db_password" {
+  name         = "${azurerm_mysql_server.mysql.name}-administrator-password"
+  value        = random_password.password.result
+  key_vault_id = data.azurerm_key_vault.ws.id
+}

templates/workspace_services/mysql/terraform/outputs.tf

@@ -0,0 +1,3 @@
+output "mysql_fqdn" {
+  value = azurerm_mysql_server.mysql.fqdn
+}