This Terraform module deploys the Braintrust data plane on Azure. It creates all the necessary core infrastructure to run Braintrust in your own Azure subscription.
This module creates the following resources by default:
- Virtual Network
- Azure Key Vault for encryption and secrets management
- Azure Database for PostgreSQL
- Azure Cache for Redis
- Azure Storage Account for blob storage
- AKS Kubernetes Cluster
- Azure Front Door for ingress to the API service
The VNet and AKS cluster can be optionally disabled so you can bring your own network and cluster.
```bash
cp -r terraform-azure-braintrust-data-plane/examples/default <path-in-your-git-repo>/braintrust-data-plane
```

- provider.tf should be modified to use your Azure subscription and tenant.
- terraform.tf should be modified to use the remote backend that your company uses. Typically this is Azure Blob Storage.
- main.tf should be modified to match your environment and needs. It is preconfigured for a production-sized deployment.
- Set brainstore_license_key in main.tf to your Braintrust License Key. It isn't recommended that you commit this license key to your git repo. You can safely pass this key into terraform in multiple ways:
  - Store it in an Azure Key Vault and use the azurerm_key_vault_secret data source to look up the value
  - Set TF_VAR_brainstore_license_key=your-key in your terraform environment
  - Pass it into terraform as a flag: terraform apply -var 'brainstore_license_key=your-key'
  - Add it to an uncommitted terraform.tfvars or .auto.tfvars file.
- Set enable_front_door in main.tf to false. Front Door will be enabled later below.
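The advice above against committing the license key can be enforced mechanically. The following is an added example, not part of this module or its repository: a POSIX shell function (the name find_hardcoded_license_key is hypothetical) that flags Terraform files assigning brainstore_license_key a quoted literal, meant for a pre-commit hook or CI step.

```shell
#!/bin/sh
# Added example (not part of the module): refuse Terraform files that
# hard-code brainstore_license_key instead of referencing a variable or
# a Key Vault data source.

# Matches an assignment whose value is a non-empty quoted literal, in HCL
# (key = "...") or JSON tfvars ("key": "..."). References such as
# var.brainstore_license_key, data.azurerm_key_vault_secret.<name>.value
# and "${...}" interpolations do not match, nor do commented-out lines.
# Limitation: a literal in a variable block's `default` is not detected.
LICENSE_KEY_LITERAL_RE='^[[:space:]]*"?brainstore_license_key"?[[:space:]]*[=:][[:space:]]*"[^"$]'

# Usage: find_hardcoded_license_key FILE...
# Prints "<file>:<line>" for every hit (never the value itself, so the key
# does not leak into hook or CI logs) and returns 1 if anything was found.
find_hardcoded_license_key() {
  _found=0
  for _file in "$@"; do
    # Only Terraform configuration and variable files are inspected.
    case "$_file" in
      *.tf | *.tfvars | *.tfvars.json) ;;
      *) continue ;;
    esac
    # Files deleted in the commit being checked no longer exist; skip them.
    [ -f "$_file" ] || continue
    _lines=$(grep -nE "$LICENSE_KEY_LITERAL_RE" "$_file" | cut -d: -f1)
    for _n in $_lines; do
      printf '%s:%s\n' "$_file" "$_n"
      _found=1
    done
  done
  return "$_found"
}

# Stand-alone use from a pre-commit hook (paths without spaces assumed):
#   find_hardcoded_license_key $(git diff --cached --name-only) || exit 1
```

A placeholder string left in main.tf is reported as well, which is intentional: the committed file should reference var.brainstore_license_key or a data source rather than carry any literal.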
```bash
terraform init
terraform apply
```

Deployment takes approximately 15-20 minutes.

```bash
az aks get-credentials --resource-group braintrust --name braintrust-aks
kubectl get nodes
```

Review the Helm README.md and values.yaml. Create your own helm-values.yaml file with your own overrides as needed.
Set the api service to LoadBalancer type and set the annotations to create an internal load balancer for the API service.
```yaml
api:
  service:
    type: LoadBalancer
  annotations:
    service:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
```

```bash
helm install braintrust \
  oci://public.ecr.aws/braintrust/helm/braintrust \
  --namespace braintrust \
  --create-namespace \
  --version <version> \
  --values helm-values.yaml
```

After the Helm chart is deployed, you will need to enable Front Door to allow external traffic to the API service.
```bash
# Find the IP address of the internal load balancer generated by AKS for the API service
lb_ip_address=$(
  kubectl get service braintrust-api -n braintrust -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
)
# Find the resource ID of the internal load balancer frontend IP configuration
az network lb list \
  --query "[?frontendIPConfigurations[?privateIPAddress=='$lb_ip_address']].{
    LB_IPAddress: frontendIPConfigurations[0].privateIPAddress,
    LB_FrontendIPConfigId: frontendIPConfigurations[0].id
  }" -o table
```

Update main.tf to the values returned by the above command and enable Front Door.
```hcl
enable_front_door                              = true
front_door_api_backend_address                 = "<LB_IPAddress>"
front_door_load_balancer_frontend_ip_config_id = "<LB_FrontendIPConfigId>"
```

Unfortunately, due to a limitation of Azure Front Door and Terraform, you must manually approve the private link service in the Azure portal.
The private link service will be named <deployment-name>-aks-api-pls.
```bash
terraform apply
```

Front Door will often take up to 45 minutes to be fully deployed and available even after your terraform apply is complete. Visiting https://<your-front-door-endpoint-hostname>/ should return a 200 OK response.