added complete example with aks (#3)

* added complete example with aks * docs: fmt * docs : make docs and fmt
ishuar · Jan 3, 2024 · 68f5510 · 68f5510
1 parent 49a5adf
commit 68f5510
Show file tree

Hide file tree

Showing 11 changed files with 285 additions and 2 deletions.
diff --git a/.config/header.md b/.config/header.md
@@ -93,5 +93,7 @@ module "simple" {
 Examples are availabe in `examples` directory.
 
 - [simple](/examples/simple)
+- [multiple-identities](/examples/multiple-identities/)
+- [complete-with-aks](/examples/complete-with-aks/)
 
 **⭐️ Don't forget to give the project a star! Thanks again! ⭐️**
diff --git a/.github/release-version.yaml b/.github/release-version.yaml
@@ -1,6 +1,6 @@
 ## Update this file for a new release version.
 
-module_version: "0.2.0"
+module_version: "0.3.0"
 
 ## Example for manual release notes.
 # release_notes: |

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,6 +23,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 -->
 
+## v0.3.0
+
+### Added
+- Added complete example for creating multiple identities and kubernetes resources in azure kubernetes service.
+
+### Fixed
+- Fix typos in the readme.
+
 ## v0.2.0
 
 ### Added
@@ -38,7 +46,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 - First version of Module.
   -  Available Features
-     - Multiple [Azure built-i00n roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) assignments.
+     - Multiple [Azure built-in roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) assignments.
      - Multiple [Azure custom roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles) assignment.
      - Combination of Azure built-in and custom roles on the same identity.
      - Optional Kubernetes Service Account and Namespace creation when using with Azure Kubernetes Service.

diff --git a/README.md b/README.md
@@ -92,6 +92,8 @@ module "simple" {
 Examples are availabe in `examples` directory.
 
 - [simple](/examples/simple)
+- [multiple-identities](/examples/multiple-identities/)
+- [complete-with-aks](/examples/complete-with-aks/)
 
 **⭐️ Don't forget to give the project a star! Thanks again! ⭐️**
 

diff --git a/examples/complete-with-aks/.terraform.lock.hcl b/examples/complete-with-aks/.terraform.lock.hcl
diff --git a/examples/complete-with-aks/Makefile b/examples/complete-with-aks/Makefile
@@ -0,0 +1 @@
+include ../Makefile
diff --git a/examples/complete-with-aks/README.md b/examples/complete-with-aks/README.md
@@ -0,0 +1,45 @@
+# Introduction
+
+This example show the example of using the module to create multiple user-managed identities and also create kubernetes resources (optional) in AKS.
+The AKS creation and dependent resources are out of this module scope. This example assumes that AKS cluster and other dependent resources are already created.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.85.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~>2.24 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.85.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_complete_with_aks"></a> [complete\_with\_aks](#module\_complete\_with\_aks) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_dns_zone.example](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source |
+| [azurerm_kubernetes_cluster.example](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source |
+| [azurerm_resource_group.example](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_dns_zone_name"></a> [dns\_zone\_name](#input\_dns\_zone\_name) | DNS Zone name | `string` | `"example.learndevops.in"` | no |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix for all resources in this example | `string` | `"wi-tf-mod"` | no |
+
+## Outputs
+
+No outputs.
diff --git a/examples/complete-with-aks/local.tf b/examples/complete-with-aks/local.tf
@@ -0,0 +1,79 @@
+locals {
+  tags = {
+    managed_by  = "terraform"
+    github_repo = "ishuar/terraform-azure-workload-identity"
+  }
+
+  ## Workload Identities
+  external-dns = [
+    {
+      service_account_name = "${var.prefix}-sa-external-dns"
+      namespace            = "${var.prefix}-external-dns"
+      role_assignments = [
+        {
+          role_definition_name = "DNS Zone Contributor"
+          scope                = data.azurerm_dns_zone.example.id
+        },
+      ]
+    },
+  ]
+  ## This example will also create a new namespace and service account kubernetes resources for cert-manager.
+  cert-manager = [
+    {
+      service_account_name        = "${var.prefix}-sa-cert-manager"
+      namespace                   = "${var.prefix}-cert-manager"
+      create_kubernetes_namespace = true
+      create_service_account      = true
+      role_assignments = [
+        {
+          role_definition_name = "DNS Zone Contributor"
+          scope                = data.azurerm_dns_zone.example.id
+        },
+      ]
+    },
+  ]
+
+  ## Example to create custom role for velero
+  velero = [
+    {
+      service_account_name = "${var.prefix}-sa-velero"
+      namespace            = "${var.prefix}-velero"
+      role_assignments = [
+        {
+          role_definition_name    = "velero"
+          create_custom_role      = true
+          scope                   = data.azurerm_subscription.current.id
+          custom_role_description = "Role Required for velero to manage snapshots, backups and restores."
+          custom_role_actions = [
+            "Microsoft.Compute/disks/read",
+            "Microsoft.Compute/disks/write",
+            "Microsoft.Compute/disks/endGetAccess/action",
+            "Microsoft.Compute/disks/beginGetAccess/action",
+            "Microsoft.Compute/snapshots/read",
+            "Microsoft.Compute/snapshots/write",
+            "Microsoft.Compute/snapshots/delete",
+            "Microsoft.Storage/storageAccounts/listkeys/action",
+            "Microsoft.Storage/storageAccounts/regeneratekey/action",
+            "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
+            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
+            "Microsoft.Storage/storageAccounts/blobServices/containers/write",
+            "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
+          ]
+          custom_role_data_actions = [
+            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
+            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
+            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
+            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
+            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
+          ]
+        }
+      ]
+    }
+  ]
+
+  identities = concat(
+    local.external-dns,
+    local.cert-manager,
+    local.velero
+  )
+}
diff --git a/examples/complete-with-aks/main.tf b/examples/complete-with-aks/main.tf
@@ -0,0 +1,38 @@
+data "azurerm_client_config" "current" {}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_resource_group" "example" {
+  name = "rg-${var.prefix}"
+}
+
+data "azurerm_kubernetes_cluster" "example" {
+  name                = "${var.prefix}-aks"
+  resource_group_name = data.azurerm_resource_group.example.name
+}
+
+data "azurerm_dns_zone" "example" {
+  name                = var.dns_zone_name
+  resource_group_name = data.azurerm_resource_group.example.name
+}
+
+module "complete_with_aks" {
+  for_each = { for identity in local.identities : identity.service_account_name => identity }
+
+  source               = "../../"
+  resource_group_name  = data.azurerm_resource_group.example.name
+  location             = data.azurerm_resource_group.example.location
+  oidc_issuer_url      = data.azurerm_kubernetes_cluster.example.oidc_issuer_url
+  service_account_name = each.value.service_account_name
+  namespace            = each.value.namespace
+  role_assignments     = each.value.role_assignments
+
+  ## Create Kubernetes resources
+  create_kubernetes_namespace = try(each.value.create_kubernetes_namespace, false)
+  create_service_account      = try(each.value.create_service_account, false)
+
+  depends_on = [
+    data.azurerm_kubernetes_cluster.example,
+    data.azurerm_dns_zone.example
+  ]
+}
diff --git a/examples/complete-with-aks/variables.tf b/examples/complete-with-aks/variables.tf
@@ -0,0 +1,11 @@
+variable "prefix" {
+  type        = string
+  description = "Prefix for all resources in this example"
+  default     = "wi-tf-mod"
+}
+
+variable "dns_zone_name" {
+  type        = string
+  description = "DNS Zone name"
+  default     = "example.learndevops.in"
+}
diff --git a/examples/complete-with-aks/versions.tf b/examples/complete-with-aks/versions.tf
@@ -0,0 +1,49 @@
+/**
+* # Introduction
+*
+* This example show the example of using the module to create multiple user-managed identities and also create kubernetes resources (optional) in AKS.
+* The AKS creation and dependent resources are out of this module scope. This example assumes that AKS cluster and other dependent resources are already created.
+*/
+
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.85.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~>2.24"
+    }
+  }
+  required_version = ">= 1.3"
+}
+
+provider "azurerm" {
+  features {}
+}
+
+
+provider "kubernetes" {
+  host                   = data.azurerm_kubernetes_cluster.example.kube_config.0.host
+  cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.example.kube_config.0.cluster_ca_certificate)
+
+  # Using kubelogin to get an AAD token for the cluster. works with AAD enabled AKS clusters
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "kubelogin" ## need kubelogin installed on the machine where terraform is running
+    args = [
+      "get-token",
+      "--environment",
+      "AzurePublicCloud",
+      "--server-id",
+      "6dae42f8-4368-4678-94ff-3960e28e3630", # (application used by the server side) https://azure.github.io/kubelogin/concepts/aks.html
+      "--client-id",
+      "80faf920-1908-4b52-b5ef-a8e7bedfc67a", # (public client application used by kubelogin) https://azure.github.io/kubelogin/concepts/aks.html
+      "--tenant-id",
+      "${data.azurerm_client_config.current.tenant_id}", # AAD Tenant Id
+      "--login",
+      "devicecode" ## expected to work only from local machine ( NO CI/CD )
+    ]
+  }
+}