CDCgov / dibbs-cloud

Creative Commons Zero v1.0 Universal

Create TF template for Azure Storage Account #22

Closed rin-skylight closed 3 months ago

rin-skylight commented 5 months ago

Background

We would like to provide a self-service option that allows users to leverage pre-existing templates to aid in the conversion from AWS, Google Cloud, or on-premise resources to Azure-based Terraform.

Action requested

Create a template folder that contains the necessary files for creating a Storage Account object in Azure.

Acceptance Criteria

Additional context

This will enable the NBS team to leverage our files for guidance as they action the conversion to Azure.

boris-ning-usds commented 5 months ago

My team's found setting up a Storage Account as well as Keyvault - #21 initially to be tricky - because Storage Accounts are meant to be used with private endpoints for the dedicated connection, and the Azure VNET / subnet we're on uses on-premise Domain Controllers to resolve DNS.

This means that initially, if the module sets the Storage Account up as "private with no public exposure" with a private endpoint, DNS won't naturally resolve in our environment until the AD team creates the A record for the private endpoint FQDN -> IP address, and terraform apply could fail as a result if the Storage Account is private to begin with.

So in our account, we resort to doing this:

  1. Terraform public Storage Account.
  2. Ensure static IP is used for private endpoint (don't let Azure choose the IP address because Domain Controller A records are fixed).
  3. Submit the ticketing to get the A record for private endpoint FQDN -> IP address.
  4. Verify that this has been completed.
  5. Re-terraform with private networking.

With that said, this may be a non-issue if your environment is using Azure DNS resolver, in which case you control the DNS resolution process and the DNS record lifecycle.
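The two-phase flow described in the comment above, written as one Terraform configuration (an added example, not the repository's own template): `private_networking` is false for the first apply and flipped to true once the A record exists, the private endpoint pins its IP, and an output lists the FQDN -> IP pairs for the ticket. It assumes the `azurerm` 3.x provider, a resource group `azurerm_resource_group.rg`, a subnet `azurerm_subnet.private_endpoints`, and the variable names shown.

```hcl
variable "private_networking" {
  type    = bool
  default = false # true on the re-apply (step 5), once the A record exists
}

variable "private_endpoint_ip" {
  type = string # static address reserved for the endpoint (step 2)
}

resource "azurerm_storage_account" "this" {
  name                     = "stdibbsplaceholder" # placeholder, must be globally unique
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  # Step 1 / step 5: public on the first apply, closed on the re-apply
  public_network_access_enabled = !var.private_networking

  network_rules {
    default_action = var.private_networking ? "Deny" : "Allow"
    bypass         = ["AzureServices"]
  }
}

resource "azurerm_private_endpoint" "blob" {
  name                = "pe-${azurerm_storage_account.this.name}-blob"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  subnet_id           = azurerm_subnet.private_endpoints.id

  # Step 2: pin the IP so the Domain Controller A record stays valid
  ip_configuration {
    name               = "blob-static"
    private_ip_address = var.private_endpoint_ip
    subresource_name   = "blob"
    member_name        = "blob"
  }

  private_service_connection {
    name                           = "blob"
    private_connection_resource_id = azurerm_storage_account.this.id
    is_manual_connection           = false
    subresource_names              = ["blob"]
  }
}

# Step 3: FQDN -> IP pairs to hand to the AD team for the A record ticket
output "private_endpoint_dns_records" {
  value = azurerm_private_endpoint.blob.custom_dns_configs
}
```

Run `terraform apply` with the default, confirm the A record resolves from inside the VNET (step 4), then apply again with `-var private_networking=true`.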