Add private link configuration for clickhouse

README.md

@@ -75,6 +75,8 @@ resources that lack official modules.
 | <a name="input_app_wandb_env"></a> [app\_wandb\_env](#input\_app\_wandb\_env) | Extra environment variables for W&B | `map(string)` | `{}` | no |
 | <a name="input_azuremonitor"></a> [azuremonitor](#input\_azuremonitor) | # To support otel azure monitor sql and redis metrics need operator-wandb chart minimum version 0.14.0 | `bool` | `false` | no |
 | <a name="input_blob_container"></a> [blob\_container](#input\_blob\_container) | Use an existing bucket. | `string` | `""` | no |
+| <a name="input_clickhouse_endpoint_service_id"></a> [clickhouse\_endpoint\_service\_id](#input\_clickhouse\_endpoint\_service\_id) | The service ID of the VPC endpoint service for Clickhouse | `string` | `""` | no |
+| <a name="input_clickhouse_service_location"></a> [clickhouse\_service\_location](#input\_clickhouse\_service\_location) | The region where ClickHouse service is located | `string` | `""` | no |
 | <a name="input_cluster_sku_tier"></a> [cluster\_sku\_tier](#input\_cluster\_sku\_tier) | The Azure AKS SKU Tier to use for this cluster (https://learn.microsoft.com/en-us/azure/aks/free-standard-pricing-tiers) | `string` | `"Free"` | no |
 | <a name="input_create_private_link"></a> [create\_private\_link](#input\_create\_private\_link) | Use for the azure private link. | `bool` | `false` | no |
 | <a name="input_create_redis"></a> [create\_redis](#input\_create\_redis) | Boolean indicating whether to provision an redis instance (true) or not (false). | `bool` | `false` | no |
@@ -84,6 +86,7 @@ resources that lack official modules.
 | <a name="input_deletion_protection"></a> [deletion\_protection](#input\_deletion\_protection) | If the instance should have deletion protection enabled. The database / Bucket can't be deleted when this value is set to `true`. | `bool` | `true` | no |
 | <a name="input_disable_storage_vault_key_id"></a> [disable\_storage\_vault\_key\_id](#input\_disable\_storage\_vault\_key\_id) | Flag to disable the `customer_managed_key` block, the properties 'encryption.identity, encryption.keyvaultproperties' cannot be updated in a single operation. | `bool` | `false` | no |
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | Domain for accessing the Weights & Biases UI. | `string` | `null` | no |
+| <a name="input_enable_clickhouse"></a> [enable\_clickhouse](#input\_enable\_clickhouse) | Provision clickhouse resources | `bool` | `false` | no |
 | <a name="input_enable_database_vault_key"></a> [enable\_database\_vault\_key](#input\_enable\_database\_vault\_key) | Flag to enable managed key encryption for the database. Once enabled, cannot be disabled. | `bool` | `false` | no |
 | <a name="input_enable_storage_vault_key"></a> [enable\_storage\_vault\_key](#input\_enable\_storage\_vault\_key) | Flag to enable managed key encryption for the storage account. | `bool` | `false` | no |
 | <a name="input_external_bucket"></a> [external\_bucket](#input\_external\_bucket) | config an external bucket | `any` | `null` | no |

main.tf

@@ -213,6 +213,19 @@ module "cert_manager" {
   depends_on = [module.app_aks]
 }
 
+module "clickhouse" {
+  count               = var.clickhouse_private_endpoint_service_name != "" ? 1 : 0
+  source              = "./modules/clickhouse"
+  namespace           = var.namespace
+  resource_group_name = azurerm_resource_group.default.name
+  location            = azurerm_resource_group.default.location
+  network_id          = module.networking.network.id
+  private_subnet_id   = module.networking.private_subnet.id
+
+  clickhouse_private_endpoint_service_name = var.clickhouse_private_endpoint_service_name
+  clickhouse_region                        = var.clickhouse_region
+}
+
 locals {
   use_customer_bucket = (
     var.storage_account != "" &&

modules/clickhouse/main.tf

@@ -0,0 +1,43 @@
+locals {
+  dns_name_suffix = "privatelink.azure.clickhouse.cloud"
+}
+
+resource "azurerm_private_endpoint" "clickhouse" {
+  name                = "${var.namespace}-clickhouse-pe"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  subnet_id           = var.private_subnet_id
+  custom_network_interface_name = "${var.namespace}-clickhouse-nic"
+
+  private_service_connection {
+    name                              = "${var.namespace}-clickhouse-pl"
+    private_connection_resource_alias = var.clickhouse_private_endpoint_service_name
+    is_manual_connection              = true
+    request_message                   = "ClickHouse Private Link"
+  }
+}
+
+resource "azurerm_private_dns_zone" "clickhouse_cloud_private_link_zone" {
+  name                = "${var.clickhouse_region}.${local.dns_name_suffix}"
+  resource_group_name = var.resource_group_name
+}
+
+data "azurerm_network_interface" "clickhouse_nic" {
+  resource_group_name = var.resource_group_name
+  name                = azurerm_private_endpoint.clickhouse.network_interface[0].name
+}
+
+resource "azurerm_private_dns_a_record" "clickhouse_wildcard" {
+  name                = "*"
+  zone_name           = azurerm_private_dns_zone.clickhouse_cloud_private_link_zone.name
+  resource_group_name = var.resource_group_name
+  ttl                 = 300
+  records             = [data.azurerm_network_interface.clickhouse_nic.private_ip_address]
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "clickhouse_network" {
+  name                  = "network-link"
+  resource_group_name   = var.resource_group_name
+  private_dns_zone_name = azurerm_private_dns_zone.clickhouse_cloud_private_link_zone.name
+  virtual_network_id    = var.network_id
+}

modules/clickhouse/variables.tf

@@ -0,0 +1,46 @@
+variable "namespace" {
+  type        = string
+  description = "Friendly name prefix used for tagging and naming Azure resources."
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "The name of the resource group in which to create the network."
+}
+
+variable "location" {
+  type        = string
+  description = "Specifies the supported Azure location where the resource exists."
+}
+
+variable "network_id" {
+  type        = string
+  description = "The virtual network id used for all resources"
+}
+
+variable "private_subnet_id" {
+  type        = string
+  description = "Specifies the supported Azure subnet id where the resource exists."
+}
+
+variable "clickhouse_private_endpoint_service_name" {
+  type        = string
+  description = "ClickHouse private endpoint 'Service name' (ends in .azure.privatelinkservice)."
+  default     = ""
+
+  validation {
+    condition = can(regex("\\.azure\\.privatelinkservice$", var.clickhouse_private_endpoint_service_name))
+    error_message = "ClickHouse Service name must end in '.azure.privatelinkservice'."
+  }
+}
+
+variable "clickhouse_region" {
+  type        = string
+  description = "ClickHouse region (eastus2, westus3, etc)."
+  default     = ""
+
+  validation {
+    condition = length(var.clickhouse_region) > 0
+    error_message = "Clickhouse Region should always be set if the private endpoint service name is specified."
+  }
+}

modules/networking/variables.tf

@@ -63,4 +63,4 @@ variable "private_link" {
 variable "allowed_ip_ranges" {
   description = "allowed public IP addresses or CIDR ranges."
   type        = list(string)
-}
+}

variables.tf

@@ -282,3 +282,18 @@ variable "azuremonitor" {
   type    = bool
   default = false
 }
+
+###########################################
+# ClickHouse Endpoint (for weave-trace)   #
+###########################################
+variable "clickhouse_private_endpoint_service_name" {
+  type        = string
+  description = "ClickHouse private endpoint 'Service name' (ends in .azure.privatelinkservice)."
+  default     = ""
+}
+
+variable "clickhouse_region" {
+  type        = string
+  description = "ClickHouse region (eastus2, westus3, etc)."
+  default     = ""
+}