
Commit 5f390fa

committed
update aks enterprise
1 parent 415e3ca commit 5f390fa

12 files changed

+1076
-17
lines changed


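--- a/quickstart/201-aks-log-analytics/readme.md
+++ b/quickstart/201-aks-log-analytics/readme.md
@@ -1,4 +1,4 @@
-# Azure Kubernetes Service
+# AKS with Log Analytics
 
 
 This template deploys an [Azure Kubernetes Service](https://www.terraform.io/docs/providers/azurerm/r/kubernetes_cluster.html) instance which sends system and container logs to Azure Log Analytics, which can be visualized with the Container Monitoring solution.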

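--- a/quickstart/201-aks-rbac-dashboard-admin/readme.md
+++ b/quickstart/201-aks-rbac-dashboard-admin/readme.md
@@ -1,4 +1,4 @@
-# Azure Kubernetes Service
+# AKS with an Admin Dashboard
 
 
 This template deploys an [Azure Kubernetes Service](https://www.terraform.io/docs/providers/azurerm/r/kubernetes_cluster.html) instance with Role Based Access Control (RBAC) enabled. With this, by default the robust Kubernetes dashboard has no rights to view or make changes to the cluster. In this template we leverage the Kubernetes provider to provision a role binding for the Dashboard accoutn to give it `cluster-admin` rights - something we shoudl not do in production but can be very useful in development.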
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
resource "azurerm_kubernetes_cluster" "default" {
2+
name = "${var.name}-aks"
3+
location = "${azurerm_resource_group.default.location}"
4+
resource_group_name = "${azurerm_resource_group.default.name}"
5+
dns_prefix = "${var.dns_prefix}-${var.name}-aks-${var.environment}"
6+
depends_on = ["azurerm_role_assignment.default"]
7+
8+
agent_pool_profile {
9+
name = "default"
10+
count = "${var.node_count}"
11+
vm_size = "${var.node_type}"
12+
os_type = "${var.node_os}"
13+
os_disk_size_gb = 30
14+
vnet_subnet_id = "${azurerm_subnet.aks.id}"
15+
}
16+
17+
service_principal {
18+
client_id = "${azuread_application.default.application_id}"
19+
client_secret = "${azuread_service_principal_password.default.value}"
20+
}
21+
22+
role_based_access_control {
23+
enabled = true
24+
}
25+
26+
network_profile {
27+
network_plugin = "azure"
28+
}
29+
30+
addon_profile {
31+
oms_agent {
32+
enabled = true
33+
log_analytics_workspace_id = "${azurerm_log_analytics_workspace.default.id}"
34+
}
35+
}
36+
}
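Review bot: The `service_principal` block on lines 17–20 takes `client_secret` from a Terraform-managed value, so that secret — together with the `kube_config` admin credentials this resource exports and that other files in this commit read — is persisted in plaintext in the state file, which therefore has to be treated as a credential store (encrypted backend, restricted access). Nothing in this resource limits who can reach the API server; `api_server_authorized_ip_ranges` on this resource would confine the public endpoint to the operator and gateway ranges. A one-line comment above `service_principal`, such as `# client_secret and kube_config are stored in state; protect the state backend`, would make that trade-off visible to the next reader.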
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
resource "azuread_application" "default" {
2+
name = "${var.name}-${var.environment}"
3+
}
4+
5+
resource "azuread_service_principal" "default" {
6+
application_id = "${azuread_application.default.application_id}"
7+
}
8+
9+
resource "random_string" "password" {
10+
length = 32
11+
special = true
12+
}
13+
14+
resource "azuread_service_principal_password" "default" {
15+
service_principal_id = "${azuread_service_principal.default.id}"
16+
value = "${random_string.password.result}"
17+
end_date = "2099-01-01T01:00:00Z"
18+
}
19+
20+
resource "azurerm_role_assignment" "default" {
21+
scope = "${data.azurerm_subscription.current.id}/resourceGroups/${azurerm_resource_group.default.name}"
22+
role_definition_name = "Network Contributor"
23+
principal_id = "${azuread_service_principal.default.id}"
24+
}
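Review bot: `random_string.password` on lines 9–12 becomes the service principal secret, but `random_string` does not mark its result as sensitive, so the value is echoed in plan and apply output in addition to being stored in state; if the project's random provider version supports it, `resource "random_password" "password" {` with `value = "${random_password.password.result}"` takes the same arguments and keeps the secret out of logs. The `end_date = "2099-01-01T01:00:00Z"` on line 17 makes this a credential that effectively never expires, which deserves a comment or a shorter validity window tied to a rotation process. The role assignment on lines 20–24 grants Network Contributor over the entire resource group, while the cluster only needs it on the subnet its nodes join; `scope = "${azurerm_subnet.aks.id}"` would be the least-privilege form — confirm the subnet resource is visible to this configuration.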
Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
# Define the helm provider to use the AKS cluster
2+
provider "helm" {
3+
kubernetes {
4+
host = "${azurerm_kubernetes_cluster.default.kube_config.0.host}"
5+
6+
client_certificate = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)}"
7+
client_key = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_key)}"
8+
cluster_ca_certificate = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)}"
9+
}
10+
11+
service_account = "tiller"
12+
}
13+
14+
# Install a load-balanced nginx-ingress controller onto the cluster
15+
resource "helm_release" "ingress" {
16+
name = "nginx-ingress"
17+
chart = "stable/nginx-ingress"
18+
namespace = "kube-system"
19+
20+
values = [<<EOF
21+
controller:
22+
replicaCount: 2
23+
service:
24+
loadBalancerIP: ${var.ingress_load_balancer_ip}
25+
annotations:
26+
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
27+
service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "${azurerm_subnet.ingress.name}"
28+
EOF
29+
]
30+
31+
depends_on = ["kubernetes_cluster_role_binding.tiller"]
32+
}
33+
34+
resource "helm_release" "ghost" {
35+
name = "ghost-blog"
36+
chart = "bitnami/ghost"
37+
38+
depends_on = ["kubernetes_cluster_role_binding.tiller"]
39+
}
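Review bot: Neither `helm_release` pins a `version` (lines 15–18 and 34–36), so each apply installs whatever the `stable` and `bitnami` repositories currently serve under those chart names, making the deployment non-reproducible and letting an upstream chart change land without review; add `version = "<pinned chart version>"` to both releases. The provider on lines 2–12 is configured to use a cluster-admin Tiller (`service_account = "tiller"`) with no TLS settings visible, so any workload that can reach Tiller in kube-system can install releases with those rights — a comment at the provider block stating this, or a move to a Tiller-less Helm 3 provider if the project's provider versions allow, would help. `nginx-ingress` is also installed into `kube-system` (line 18); a dedicated namespace keeps application ingress out of the control-plane namespace.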
Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
# Define Kubernetes provider to use the AKS cluster
2+
provider "kubernetes" {
3+
host = "${azurerm_kubernetes_cluster.default.kube_config.0.host}"
4+
5+
client_certificate = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)}"
6+
client_key = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_key)}"
7+
cluster_ca_certificate = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)}"
8+
}
9+
10+
# Create a service account for the Helm Tiller
11+
resource "kubernetes_service_account" "tiller" {
12+
metadata {
13+
name = "tiller"
14+
namespace = "kube-system"
15+
}
16+
}
17+
18+
# Grant cluster-admin rights to the Tiller Service Account
19+
resource "kubernetes_cluster_role_binding" "tiller" {
20+
metadata {
21+
name = "${kubernetes_service_account.tiller.metadata.0.name}"
22+
}
23+
24+
role_ref {
25+
api_group = "rbac.authorization.k8s.io"
26+
kind = "ClusterRole"
27+
name = "cluster-admin"
28+
}
29+
30+
subject {
31+
kind = "ServiceAccount"
32+
name = "${kubernetes_service_account.tiller.metadata.0.name}"
33+
namespace = "kube-system"
34+
}
35+
}
36+
37+
# Grant cluster-admin rights to the default service account
38+
# This is a terrible idea in general, but a feature of the game is killing other pods
39+
resource "kubernetes_cluster_role_binding" "default" {
40+
metadata {
41+
name = "default"
42+
}
43+
44+
role_ref {
45+
api_group = "rbac.authorization.k8s.io"
46+
kind = "ClusterRole"
47+
name = "cluster-admin"
48+
}
49+
50+
subject {
51+
kind = "ServiceAccount"
52+
name = "default"
53+
namespace = "default"
54+
}
55+
}
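Review bot: `kubernetes_cluster_role_binding.default` on lines 39–55 makes every pod in the `default` namespace cluster-admin through its automatically mounted service-account token, which the comment on line 38 already concedes; the stated requirement (killing other pods) only needs `delete` on `pods` in the game's namespace, so a `kubernetes_role` with `resources = ["pods"]` and `verbs = ["list", "delete"]` bound via `kubernetes_role_binding` to a dedicated service account would satisfy it without cluster-wide admin. Pods that never call the API should additionally set `automount_service_account_token = false` so a compromised container holds no token at all. The Tiller binding on lines 19–35 is the usual Helm 2 arrangement, but a comment noting that anything able to connect to Tiller inherits its cluster-admin would make the exposure explicit.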
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
resource "azurerm_resource_group" "default" {
2+
name = "${var.name}-${var.environment}-rg"
3+
location = "${var.location}"
4+
}
5+
6+
data "azurerm_subscription" "current" {}
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
resource "azurerm_application_insights" "default" {
2+
name = "${var.name}-${var.environment}-ai"
3+
location = "${azurerm_resource_group.default.location}"
4+
resource_group_name = "${azurerm_resource_group.default.name}"
5+
application_type = "Web"
6+
}
7+
8+
resource "azurerm_log_analytics_workspace" "default" {
9+
name = "${var.name}-${var.environment}-law"
10+
location = "${azurerm_resource_group.default.location}"
11+
resource_group_name = "${azurerm_resource_group.default.name}"
12+
sku = "PerGB2018"
13+
retention_in_days = 30
14+
}
15+
16+
resource "azurerm_log_analytics_solution" "default" {
17+
solution_name = "ContainerInsights"
18+
location = "${azurerm_log_analytics_workspace.default.location}"
19+
resource_group_name = "${azurerm_resource_group.default.name}"
20+
workspace_resource_id = "${azurerm_log_analytics_workspace.default.id}"
21+
workspace_name = "${azurerm_log_analytics_workspace.default.name}"
22+
23+
plan {
24+
publisher = "Microsoft"
25+
product = "OMSGallery/ContainerInsights"
26+
}
27+
}
Lines changed: 176 additions & 0 deletions
@@ -0,0 +1,176 @@
1+
# Virtual Network to deploy resources into
2+
resource "azurerm_virtual_network" "default" {
3+
name = "${var.name}-vnet"
4+
location = "${azurerm_resource_group.default.location}"
5+
resource_group_name = "${azurerm_resource_group.default.name}"
6+
address_space = ["${var.vnet_address_space}"]
7+
}
8+
9+
# Subnets
10+
resource "azurerm_subnet" "aks" {
11+
name = "${var.name}-aks-subnet"
12+
resource_group_name = "${azurerm_resource_group.default.name}"
13+
address_prefix = "${var.vnet_aks_subnet_space}"
14+
virtual_network_name = "${azurerm_virtual_network.default.name}"
15+
}
16+
17+
resource "azurerm_subnet" "ingress" {
18+
name = "${var.name}-ingress-subnet"
19+
resource_group_name = "${azurerm_resource_group.default.name}"
20+
virtual_network_name = "${azurerm_virtual_network.default.name}"
21+
address_prefix = "${var.vnet_ingress_subnet_space}"
22+
}
23+
24+
resource "azurerm_subnet" "gateway" {
25+
name = "${var.name}-gateway-subnet"
26+
resource_group_name = "${azurerm_resource_group.default.name}"
27+
virtual_network_name = "${azurerm_virtual_network.default.name}"
28+
address_prefix = "${var.vnet_gateway_subnet_space}"
29+
}
30+
31+
# Network security groups
32+
resource azurerm_network_security_group "aks" {
33+
name = "${var.name}-aks-nsg"
34+
location = "${azurerm_resource_group.default.location}"
35+
resource_group_name = "${azurerm_resource_group.default.name}"
36+
}
37+
38+
resource azurerm_network_security_group "ingress" {
39+
name = "${var.name}-ingress-nsg"
40+
location = "${azurerm_resource_group.default.location}"
41+
resource_group_name = "${azurerm_resource_group.default.name}"
42+
}
43+
44+
resource azurerm_network_security_group "gateway" {
45+
name = "${var.name}-gateway-nsg"
46+
location = "${azurerm_resource_group.default.location}"
47+
resource_group_name = "${azurerm_resource_group.default.name}"
48+
}
49+
50+
# Network security group associations
51+
resource "azurerm_subnet_network_security_group_association" "aks" {
52+
subnet_id = "${azurerm_subnet.aks.id}"
53+
network_security_group_id = "${azurerm_network_security_group.aks.id}"
54+
}
55+
56+
resource "azurerm_subnet_network_security_group_association" "ingress" {
57+
subnet_id = "${azurerm_subnet.ingress.id}"
58+
network_security_group_id = "${azurerm_network_security_group.ingress.id}"
59+
}
60+
61+
resource "azurerm_subnet_network_security_group_association" "gateway" {
62+
subnet_id = "${azurerm_subnet.gateway.id}"
63+
network_security_group_id = "${azurerm_network_security_group.gateway.id}"
64+
}
65+
66+
67+
locals {
68+
69+
gateway_name = "${var.dns_prefix}-${var.name}-${var.environment}-gateway"
70+
gateway_ip_name = "${var.dns_prefix}-${var.name}-${var.environment}-gateway-ip"
71+
gateway_ip_config_name = "${var.name}-gateway-ipconfig"
72+
frontend_port_name = "${var.name}-gateway-feport"
73+
frontend_ip_configuration_name = "${var.name}-gateway-feip"
74+
backend_address_pool_name = "${var.name}-gateway-bepool"
75+
http_setting_name = "${var.name}-gateway-http"
76+
probe_name = "${var.name}-gateway-probe"
77+
listener_name = "${var.name}-gateway-lstn"
78+
ssl_name = "${var.name}-gateway-ssl"
79+
url_path_map_name = "${var.name}-gateway-urlpath"
80+
url_path_map_rule_name = "${var.name}-gateway-urlrule"
81+
request_routing_rule_name = "${var.name}-gateway-router"
82+
}
83+
84+
resource "azurerm_public_ip" "gateway" {
85+
name = "${local.gateway_ip_name}"
86+
resource_group_name = "${azurerm_resource_group.default.name}"
87+
location = "${azurerm_resource_group.default.location}"
88+
domain_name_label = "${local.gateway_name}"
89+
allocation_method = "Static"
90+
sku = "Standard"
91+
}
92+
93+
resource "azurerm_application_gateway" "gateway" {
94+
name = "${local.gateway_name}"
95+
resource_group_name = "${azurerm_resource_group.default.name}"
96+
location = "${azurerm_resource_group.default.location}"
97+
98+
sku {
99+
name = "WAF_v2"
100+
tier = "WAF_v2"
101+
capacity = "${var.gateway_instance_count}"
102+
}
103+
104+
gateway_ip_configuration {
105+
name = "${local.gateway_ip_config_name}"
106+
subnet_id = "${azurerm_subnet.gateway.id}"
107+
}
108+
109+
frontend_port {
110+
name = "${local.frontend_port_name}-http"
111+
port = 80
112+
}
113+
114+
frontend_port {
115+
name = "${local.frontend_port_name}-https"
116+
port = 443
117+
}
118+
119+
frontend_ip_configuration {
120+
name = "${local.frontend_ip_configuration_name}"
121+
public_ip_address_id = "${azurerm_public_ip.gateway.id}"
122+
}
123+
124+
backend_address_pool {
125+
name = "${local.backend_address_pool_name}"
126+
ip_addresses = ["${var.ingress_load_balancer_ip}"]
127+
}
128+
129+
backend_http_settings {
130+
name = "${local.http_setting_name}"
131+
cookie_based_affinity = "Disabled"
132+
port = 80
133+
protocol = "http"
134+
request_timeout = 1
135+
probe_name = "${local.probe_name}"
136+
}
137+
138+
http_listener {
139+
name = "${local.listener_name}-http"
140+
frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}"
141+
frontend_port_name = "${local.frontend_port_name}-http"
142+
protocol = "http"
143+
}
144+
145+
probe {
146+
name = "${local.probe_name}"
147+
protocol = "http"
148+
path = "/nginx-health"
149+
interval = 30
150+
timeout = 30
151+
unhealthy_threshold = 3
152+
host = "${var.ingress_load_balancer_ip}"
153+
}
154+
155+
request_routing_rule {
156+
name = "${local.request_routing_rule_name}-http"
157+
rule_type = "PathBasedRouting"
158+
http_listener_name = "${local.listener_name}-http"
159+
url_path_map_name = "${local.url_path_map_name}"
160+
}
161+
162+
url_path_map {
163+
name = "${local.url_path_map_name}"
164+
default_backend_address_pool_name = "${local.backend_address_pool_name}"
165+
default_backend_http_settings_name = "${local.http_setting_name}"
166+
167+
path_rule {
168+
name = "${local.url_path_map_rule_name}"
169+
backend_address_pool_name = "${local.backend_address_pool_name}"
170+
backend_http_settings_name = "${local.http_setting_name}"
171+
paths = [
172+
"/*"
173+
]
174+
}
175+
}
176+
}
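Review bot: The gateway is provisioned at the `WAF_v2` sku (lines 98–102) but no `waf_configuration` block is declared, so no firewall mode or rule set is specified for the WAF tier; the block below enables it in Prevention mode with the OWASP rule set. The `https` frontend port on lines 114–117 has no matching `http_listener` or `ssl_certificate`, and `local.ssl_name` on line 78 is never referenced, so all traffic is accepted in plaintext on port 80 only — either add the TLS listener or drop the unused port and local so the file does not imply TLS is in place. The three network security groups on lines 32–48 are created without any rules and therefore add nothing beyond the Azure defaults; a comment saying that is intentional, or the rules meant for each subnet, would help. The unquoted `resource azurerm_network_security_group "aks"` form on lines 32, 38 and 44 differs from the quoted resource type used everywhere else in the file.
```hcl
  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = "${var.gateway_instance_count}"
  }

  waf_configuration {
    enabled          = true
    firewall_mode    = "Prevention"
    rule_set_type    = "OWASP"
    rule_set_version = "3.0"
  }
  # … unchanged: gateway_ip_configuration, frontend_port, listener, probe, routing rules …
```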
