Last week while working for a client, I had a requirement to create a deployment of Greenplum, a database engine based on PostgreSQL. Thankfully a template existed in the gallery but did not meet our requirements. This post talks about ensuring the deployment works in an existing Azure environment.
As I mentioned in the introduction, we already had a template from the Azure Marketplace for this deployment. However, when executing the template, you don’t have the option to deploy to a virtual network which already exists. You only have the option to create a new one.
Secondly, one other option was the level of permissions needed to deploy the template. During the deployment in the lab, I noticed that a security object is created which grants the master node of the Greenplum deployment with Contributor access to the resource group you are deploying the template to. This is to enable the master node to control the secondary nodes and shut them down when not required.
This is fine, but in our CSP setup, using Azure Plan and Azure Lighthouse, engineers only have Contributor access and to be able to grant the virtual machine principle access you need security rights to be able to do this.
Working through permissions
With the permissions issues above, I decided that when editing the template to allow for an existing virtual network, I would remove the permissions section thinking that I could add that on later as it wouldn’t affect the deployment.
However, when executing the template, I noticed that the custom script extension failed, this runs the setup of Greenplum on both the master and slave nodes. I put the section back in which does the permissions in the lab and it went through and worked. I can only assume during the custom script extension running, something happens in the setup which requires those permissions in place to control one of the secondary nodes.
Deploying to an existing virtual network
I took a copy of the template from the marketplace and have set about editing it to allow us to deploy to an existing virtual network and subnet. This makes the template much more flexible for enterprise clients who will no doubt already have network topology already defined.
I have published up the template for this on our company GitHub account so it’s available for everyone. The template has three lines which need editing, I plan to clean it up in the future and make it easier to use.
First of all, on line 234, you will need to enter the name of your virtual network, then on line 236 the name of your subnet. Finally on line 238, you will need to enter the same details again, virtual network first, then subnet in the resource ID function.
After those changes are made, you should be able to deploy the template as required to your existing virtual network.