

Merge pull request #972 from jpflueger/cosmosdb-firewall-rules
CosmosDB: allow IP firewall rules
Justin Pflueger authored Apr 21, 2020
2 parents 9e6909c + 5ab23a1 commit 48dc16c
Showing 5 changed files with 29 additions and 12 deletions.
1 change: 1 addition & 0 deletions api/v1alpha1/cosmosdb_types.go
Expand Up @@ -23,6 +23,7 @@ type CosmosDBSpec struct {
Properties CosmosDBProperties `json:"properties,omitempty"`
VirtualNetworkRules *[]CosmosDBVirtualNetworkRule `json:"virtualNetworkRules,omitempty"`
KeyVaultToStoreSecrets string `json:"keyVaultToStoreSecrets,omitempty"`
IPRules *[]string `json:"ipRules,omitempty"`
}

// CosmosDBKind enumerates the values for kind.
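Review bot: The new `IPRules` field on CosmosDBSpec has no doc comment, and since its entries are sent verbatim to Azure as the account's IP firewall, a user reading the CRD has no way to learn the accepted format or what omitting the field means. The sibling fields in this struct are also undocumented, so this follows the file's style, but a firewall setting deserves one; I would add `// IPRules lists IPv4 addresses or CIDR ranges (a single entry may hold several, comma-separated) allowed to reach the account; when omitted no IP restriction is applied.` above the field. Using `*[]string` mirrors the existing `VirtualNetworkRules` pointer-to-slice style, so no objection there, though a plain `[]string` would already distinguish unset from empty via nil. The enclosing struct starts outside the hunk.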
24 changes: 15 additions & 9 deletions config/samples/azure_v1alpha1_cosmosdb.yaml
Expand Up @@ -9,16 +9,22 @@ spec:
properties:
databaseAccountOfferType: Standard
enableMultipleWriteLocations: false

# optionally set the mongoDBVersion to "3.2" or "3.6", if omitted the default is "3.2"
# NOTE: kind must be set to MongoDB for this to take effect
#mongoDBVersion: "3.6"
# mongoDBVersion: "3.6"

# enable virtual network rules if configured below
# isVirtualNetworkFilterEnabled: true

#optional for network rule set
# isVirtualNetworkFilterEnabled: true
# virtualNetworkRules:
# - subnetId: /subscriptions/{subscription_id}/resourceGroups/{resourcegroup}/providers/Microsoft.Network/virtualNetworks/{vnet_name}/subnets/{subnet_name}
# ignoreMissingServiceEndpoint: false
# optionally restrict access to specific virtual networks
# virtualNetworkRules:
# - subnetId: /subscriptions/{subscription_id}/resourceGroups/{resourcegroup}/providers/Microsoft.Network/virtualNetworks/{vnet_name}/subnets/{subnet_name}
# ignoreMissingServiceEndpoint: false

# Use the field below to optionally specify a different keyvault
# to store the connectiong string secrets in
#keyVaultToStoreSecrets: asoSecretKeyVault
# optionally configure different CIDR IP ranges for allowed-list, omitting allows all or falls back to vNetRules
# ipRules:
# # the ips in this rule are needed to access your db from the portal
# - 104.42.195.92,40.76.54.131,52.176.6.30,52.169.50.45,52.187.184.26
# # add additional ips you would like to grant access
# - 73.153.28.188
9 changes: 9 additions & 0 deletions pkg/resourcemanager/cosmosdbs/cosmosdb.go
Expand Up @@ -7,6 +7,7 @@ import (
"context"
"fmt"
"net/http"
"strings"

"github.com/Azure/azure-sdk-for-go/services/cosmos-db/mgmt/2015-04-08/documentdb"
"github.com/Azure/azure-service-operator/api/v1alpha1"
Expand Down Expand Up @@ -44,6 +45,7 @@ func (*AzureCosmosDBManager) CreateOrUpdateCosmosDB(
location string,
kind v1alpha1.CosmosDBKind,
networkRule *[]v1alpha1.CosmosDBVirtualNetworkRule,
ipRules *[]string,
properties v1alpha1.CosmosDBProperties,
tags map[string]*string) (*documentdb.DatabaseAccount, error) {
cosmosDBClient, err := getCosmosDBClient()
Expand Down Expand Up @@ -98,6 +100,12 @@ func (*AzureCosmosDBManager) CreateOrUpdateCosmosDB(
})
}
}

sIPRules := ""
if ipRules != nil {
sIPRules = strings.Join(*ipRules, ",")
}

createUpdateParams := documentdb.DatabaseAccountCreateUpdateParameters{
Location: to.StringPtr(location),
Tags: tags,
Expand All @@ -112,6 +120,7 @@ func (*AzureCosmosDBManager) CreateOrUpdateCosmosDB(
EnableMultipleWriteLocations: &bWriteLocal,
Locations: &locationsArray,
Capabilities: &capabilities,
IPRangeFilter: &sIPRules,
},
}
createUpdateFuture, err := cosmosDBClient.CreateOrUpdate(
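Review bot: The joined `sIPRules` string is handed to Azure as `IPRangeFilter` without any validation of the entries, so a typo, surrounding whitespace, or an empty element from a stray comma in the spec is only reported by the Azure API as an opaque error on the CreateOrUpdate call, and because this field is the account's IP firewall it is worth failing fast with a message that names the bad entry. The sample yaml added in this same commit shows one list entry carrying several comma-separated addresses, so validation has to split each entry on commas rather than treat each entry as a single address. Note also that when `ipRules` is nil the code still sends an empty `IPRangeFilter`, which removes any restriction previously set on the account; that matches the sample's "omitting allows all" comment but is not stated anywhere in the code, so a comment on the `sIPRules := ""` line would help the next maintainer. The rewrite below needs `"net"` added to the import block in the first hunk of this file; `CreateOrUpdateCosmosDB` itself starts and ends outside this hunk.
```go
	// IPRangeFilter is the account's IP firewall: a comma-separated list of IP
	// addresses / CIDR ranges. An empty string removes the restriction, so a nil
	// ipRules deliberately leaves the account reachable from any address
	// (virtual network rules aside).
	sIPRules := ""
	if ipRules != nil {
		var entries []string
		for _, raw := range *ipRules {
			// a single spec entry may hold several comma-separated addresses (see the sample yaml)
			for _, r := range strings.Split(raw, ",") {
				r = strings.TrimSpace(r)
				if _, _, err := net.ParseCIDR(r); err != nil && net.ParseIP(r) == nil {
					return nil, fmt.Errorf("invalid ipRules entry %q: expected an IP address or CIDR range", r)
				}
				entries = append(entries, r)
			}
		}
		sIPRules = strings.Join(entries, ",")
	}
	// … unchanged: createUpdateParams construction and CreateOrUpdate call …
```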
2 changes: 1 addition & 1 deletion pkg/resourcemanager/cosmosdbs/cosmosdb_manager.go
Expand Up @@ -21,7 +21,7 @@ func NewAzureCosmosDBManager(secretClient secrets.SecretClient) *AzureCosmosDBMa
// CosmosDBManager client functions
type CosmosDBManager interface {
// CreateOrUpdateCosmosDB creates a new cosmos database account
CreateOrUpdateCosmosDB(ctx context.Context, groupName string, cosmosDBName string, location string, kind v1alpha1.CosmosDBKind, networkRule *[]v1alpha1.CosmosDBVirtualNetworkRule, properties v1alpha1.CosmosDBProperties, tags map[string]*string) (*documentdb.DatabaseAccount, error)
CreateOrUpdateCosmosDB(ctx context.Context, groupName string, cosmosDBName string, location string, kind v1alpha1.CosmosDBKind, networkRule *[]v1alpha1.CosmosDBVirtualNetworkRule, ipRules *[]string, properties v1alpha1.CosmosDBProperties, tags map[string]*string) (*documentdb.DatabaseAccount, error)

// GetCosmosDB gets a cosmos database account
GetCosmosDB(ctx context.Context, groupName string, cosmosDBName string) (*documentdb.DatabaseAccount, error)
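Review bot: The comment above the updated `CreateOrUpdateCosmosDB` signature still says it "creates a new cosmos database account", and with the new `ipRules` parameter the method now also (re)sets the account's IP firewall on update, which callers of this interface should know; I would change it to `// CreateOrUpdateCosmosDB creates or updates a cosmos database account, replacing its IP firewall with ipRules (nil removes any IP restriction)`. As a point of style, the signature has grown to nine positional parameters on one line; a parameters struct would make call sites such as the one in cosmosdb_reconcile.go easier to read and safer to extend, but that is a larger change than this PR needs.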
5 changes: 3 additions & 2 deletions pkg/resourcemanager/cosmosdbs/cosmosdb_reconcile.go
Expand Up @@ -60,7 +60,7 @@ func (m *AzureCosmosDBManager) Ensure(ctx context.Context, obj runtime.Object, o
instance.Status.State = *db.ProvisioningState
}

if instance.Status.State == "Creating" {
if instance.Status.State == "Creating" || instance.Status.State == "Updating" {
// avoid multiple CreateOrUpdate requests while resource is already creating
return false, nil
}
Expand Down Expand Up @@ -95,6 +95,7 @@ func (m *AzureCosmosDBManager) Ensure(ctx context.Context, obj runtime.Object, o
location := instance.Spec.Location
kind := instance.Spec.Kind
networkRule := instance.Spec.VirtualNetworkRules
ipRules := instance.Spec.IPRules

cosmosDBProperties := v1alpha1.CosmosDBProperties{
DatabaseAccountOfferType: instance.Spec.Properties.DatabaseAccountOfferType,
Expand All @@ -103,7 +104,7 @@ func (m *AzureCosmosDBManager) Ensure(ctx context.Context, obj runtime.Object, o
IsVirtualNetworkFilterEnabled: instance.Spec.Properties.IsVirtualNetworkFilterEnabled,
}

db, err = m.CreateOrUpdateCosmosDB(ctx, groupName, accountName, location, kind, networkRule, cosmosDBProperties, tags)
db, err = m.CreateOrUpdateCosmosDB(ctx, groupName, accountName, location, kind, networkRule, ipRules, cosmosDBProperties, tags)
if err != nil {
azerr := errhelp.NewAzureErrorAzureError(err)
instance.Status.Message = err.Error()
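Review bot: The comment under the widened condition still reads "while resource is already creating" even though the check now also short-circuits on "Updating"; it should say `// avoid issuing another CreateOrUpdate while the account is still creating or updating`. The two provisioning-state strings are compared as bare literals in this function; if the same values are checked elsewhere in the package, hoisting them into named constants (e.g. a `provisioningStateCreating`/`provisioningStateUpdating` pair) would keep them in one place. Returning `false, nil` here presumably relies on the caller requeueing so the new spec (including `ipRules`) is applied once the update completes; if that is the contract, a word in the comment would make it explicit. `Ensure` starts and ends outside these hunks.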
