Resource Provider¶
Resource Providers are a key concept of Dune. They tell Dune where resources are deployed and how to access those data centers or clouds.
Note
A resource is always assigned to one resource provider.

Dune core elements with Resource Providers
Tip
If a Resource Provider is either disabled or not initialized, it will not be available for selection when creating Deployments.
Allowed Environments¶
Every Resource Provider has a list of allowed environments. If the allowed environments are Dev and Test, Dune will only deploy Dev and Test resources within this Resource Provider.
More about Environments
Initialization¶
Resource Providers need to be initialized (ready for Deployments). Dune performs this initialization when a Resource Provider is created or when the user triggers it directly. Certain Resources must exist in every Resource Provider for some services to work properly (e.g. Backup, Disk encryption). This workflow also detects and automatically sets certain configs.
Config¶
Each Resource Provider has different configs (Key / Value). The configs (e.g. Access secrets, defaults, etc) are stored in the Dune vault.
Resource Provider Types¶
Azure¶
Name: Azure
The Azure Resource Provider enables you to deploy and manage resources hosted in the Azure Cloud. A Resource Provider in Dune maps to a Subscription in Azure. So for each Azure Subscription which should be available to Dune there needs to be a Resource Provider.
Tip
1 Dune ResourceProvider maps to 1 Azure Subscription
Automatically detected config (during initialization):
- Virtual network (if only one vNet exists within the scope of this Resource Provider)
- Default location (location of the vNet, only if one vNet exists)
Created resources (during initialization):
- ResourceGroup for shared resources
- Key vault (Shared)
- Recovery Services vault (Shared)
Subscription Access¶
The service principals (SPI) that Dune uses to deploy and to scan resources for a subscription can be different. They are specified in the ResourceProvider Config.
Deployment SPI¶
The SPI used to deploy Azure resources and to perform operations (e.g. start/stop VM, configure patching) is defined in AZ_CLIENT_ID. Its password is stored as a secure value in AZ_CLIENT_SECRET.
The following rights are necessary on the subscription level:
- Contributor
- Key Vault Administrator
- Key Vault Data Access Administrator
Reader SPI (scan)¶
The SPI used for the infrastructure scan (update status & information / detect new resources) is defined in AZ_READER_CLIENT_ID.
The following right is necessary on the subscription level:
- Reader
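A check for the two role lists above, as an added example that is not part of Dune: it compares role-assignment records, in the shape `az role assignment list --all` returns, against the roles this page lists for the Deployment and Reader SPIs, and reports missing or extra roles. The IDs and records are constructed placeholders, and the code assumes `principalName` carries the SPI's client ID.

```python
import json

# Roles this page lists for each SPI at subscription level.
REQUIRED = {
    "deploy": {"Contributor", "Key Vault Administrator",
               "Key Vault Data Access Administrator"},
    "reader": {"Reader"},
}

def audit_spi_roles(assignments, config):
    """Return, per SPI, required roles missing at subscription scope and
    any role held (at any scope) that the page does not list for it."""
    sub_scope = f"/subscriptions/{config['AZ_SUBSCRIPTION_ID']}".lower()
    principals = {"deploy": config["AZ_CLIENT_ID"],
                  "reader": config["AZ_READER_CLIENT_ID"]}
    report = {}
    for spi, client_id in principals.items():
        mine = [a for a in assignments
                if a["principalName"].lower() == client_id.lower()]
        at_sub = {a["roleDefinitionName"] for a in mine
                  if a["scope"].rstrip("/").lower() == sub_scope}
        extra = {(a["roleDefinitionName"], a["scope"]) for a in mine
                 if a["roleDefinitionName"] not in REQUIRED[spi]}
        report[spi] = {"missing": sorted(REQUIRED[spi] - at_sub),
                       "unexpected": sorted(extra)}
    return report

# Constructed sample data: placeholder IDs, not real tenants or principals.
SUB = "00000000-0000-0000-0000-000000000001"
SAMPLE_CONFIG = {
    "AZ_SUBSCRIPTION_ID": SUB,
    "AZ_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
    "AZ_READER_CLIENT_ID": "22222222-2222-2222-2222-222222222222",
}
def _rec(client_id, role, scope):
    return {"principalName": client_id, "roleDefinitionName": role, "scope": scope}

SAMPLE_ASSIGNMENTS = [
    _rec(SAMPLE_CONFIG["AZ_CLIENT_ID"], "Contributor", f"/subscriptions/{SUB}"),
    _rec(SAMPLE_CONFIG["AZ_CLIENT_ID"], "Key Vault Administrator", f"/subscriptions/{SUB}"),
    _rec(SAMPLE_CONFIG["AZ_READER_CLIENT_ID"], "Reader", f"/subscriptions/{SUB}"),
    # Drift: the scan identity was also given write access to a resource group.
    _rec(SAMPLE_CONFIG["AZ_READER_CLIENT_ID"], "Contributor",
         f"/subscriptions/{SUB}/resourceGroups/rg-example"),
]

if __name__ == "__main__":
    print(json.dumps(audit_spi_roles(SAMPLE_ASSIGNMENTS, SAMPLE_CONFIG), indent=2))
```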
Azure Config¶
| Name | Mandatory | IsSecure | Description |
|---|---|---|---|
| AZ_TENANT_ID | Yes | False | ID of Azure Tenant |
| AZ_SUBSCRIPTION_ID | Yes | False | ID of Azure Subscription |
| AZ_CLIENT_ID | Yes | False | Client ID of Deployment SPI |
| AZ_CLIENT_SECRET | Yes | True | Client Secret of Deployment SPI |
| AZ_READER_CLIENT_ID | Yes | False | Client ID of Reader SPI |
| AZ_READER_CLIENT_SECRET | Yes | True | Client Secret of Reader SPI |
| AZ_VNET_NAME | Yes (Init1) | False | Name of the VirtualNetwork, where Subnets will be created |
| AZ_VNET_RG_NAME | Yes (Init1) | False | ResourceGroupName of that VirtualNetwork |
| AZ_DEFAULT_LOCATION | Yes (Init1) | False | Default region for resources (RG, VM), if specified in template |
| AZ_SHARED_RG_NAME | Yes (Init1) | False | Name of the shared resourcegroup (for key vault, backup vault, disk encryption set) |
| AZ_KEY_VAULT_NAME | Yes (Init1) | False | Name of the Key vault |
| AZ_BACKUP_VAULT_NAME | Yes (Init1) | False | Name of the Backup vault |
| AZ_MAINTENANCE_PRE_HOOK | No | False | Webhook for Invoke-PrePatch runbook |
| AZ_MAINTENANCE_POST_HOOK | No | False | Webhook for Invoke-PostPatch runbook |
Active Directory Services¶
Name: ActiveDirectoryServices
Used for management of AD Accounts and Groups
Active Directory Services Config¶
| Name | Mandatory | IsSecure | Description |
|---|---|---|---|
| WORKER | Yes | False | Runner host where Active Directory playbooks will be executed (requires the ActiveDirectory module to be installed) |
| AD_GROUP_RESOURCE_OU | Yes | False | OU path (DistinguishedName) for group creation |
| AD_USER_RESOURCE_OU | Yes | False | OU path (DistinguishedName) for account creation |
| AD_SERVICEACCOUNT_FORMAT | No | False | ServiceAccount Naming format using composite formatting ('{0}' replaces svcName), default is '{0}' |
| AD_RBACRESOURCEGROUP_FORMAT | No | False | RBAC ResourceGroup Naming format using composite formatting ('{0}' replaces groupName), default is '{0}' |
| AD_LOCALADMINACCESSGROUP_MEMBERS | No | False | Default members of each compute node's local admin access group |
Domain Name System¶
Name: DomainNameSystem
Dns Config (Provider: Azure)¶
| Name | Mandatory | IsSecure | Description |
|---|---|---|---|
| PROVIDER | Yes | False | specifies DNS provider type (Azure / WindowsDns) |
| AZ_TENANT_ID | Yes | False | ID of Azure Tenant of DNS Zone |
| AZ_SUBSCRIPTION_ID | Yes | False | ID of Azure Subscription of DNS Zone |
| AZ_CLIENT_ID | Yes | False | Client ID of SPI (used for DNS Zone access) |
| AZ_CLIENT_SECRET | Yes | True | Client Secret of SPI |
| AZ_DNS_RESOURCEGROUP_NAME | Yes | False | ResourceGroupName of DNS Zone |
| AZ_DNS_ZONE_NAME | Yes | False | DNS Zone Name |