Commit
added complete example with aks (#3)
* added complete example with aks
* docs: fmt
* docs: make docs and fmt
Showing 11 changed files with 285 additions and 2 deletions.
Some generated files are not rendered by default.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
include ../Makefile |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
# Introduction | ||
|
||
This example show the example of using the module to create multiple user-managed identities and also create kubernetes resources (optional) in AKS. | ||
The AKS creation and dependent resources are out of this module scope. This example assumes that AKS cluster and other dependent resources are already created. | ||
|
||
## Requirements | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 | | ||
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.85.0 | | ||
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~>2.24 | | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.85.0 | | ||
|
||
## Modules | ||
|
||
| Name | Source | Version | | ||
|------|--------|---------| | ||
| <a name="module_complete_with_aks"></a> [complete\_with\_aks](#module\_complete\_with\_aks) | ../../ | n/a | | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|------|------| | ||
| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | | ||
| [azurerm_dns_zone.example](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source | | ||
| [azurerm_kubernetes_cluster.example](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source | | ||
| [azurerm_resource_group.example](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | | ||
| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| <a name="input_dns_zone_name"></a> [dns\_zone\_name](#input\_dns\_zone\_name) | DNS Zone name | `string` | `"example.learndevops.in"` | no | | ||
| <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix for all resources in this example | `string` | `"wi-tf-mod"` | no | | ||
|
||
## Outputs | ||
|
||
No outputs. |
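Review bot: the Providers table lists only `azurerm` although the example also needs the `kubernetes` provider declared under Requirements (`~>2.24`) and a working `kubelogin` on the machine running Terraform, so a reader following this README alone will miss what the optional namespace and service account creation depends on. Add a short Prerequisites paragraph under Introduction (existing AKS cluster with the OIDC issuer enabled, the DNS zone in resource group `rg-<prefix>`, `kubelogin` installed, an interactive Azure login) and tighten the intro: `This example show the example of using the module to create multiple user-managed identities` should read `This example shows how to use the module to create multiple user-assigned managed identities and, optionally, the matching Kubernetes namespace and service account in AKS` (Azure's term is user-assigned managed identity). Because this README is generated (`docs: make docs` in the commit message), make the wording change in the `/** ... */` header of the Terraform source rather than editing the README directly.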
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
locals { | ||
tags = { | ||
managed_by = "terraform" | ||
github_repo = "ishuar/terraform-azure-workload-identity" | ||
} | ||
|
||
## Workload Identities | ||
external-dns = [ | ||
{ | ||
service_account_name = "${var.prefix}-sa-external-dns" | ||
namespace = "${var.prefix}-external-dns" | ||
role_assignments = [ | ||
{ | ||
role_definition_name = "DNS Zone Contributor" | ||
scope = data.azurerm_dns_zone.example.id | ||
}, | ||
] | ||
}, | ||
] | ||
## This example will also create a new namespace and service account kubernetes resources for cert-manager. | ||
cert-manager = [ | ||
{ | ||
service_account_name = "${var.prefix}-sa-cert-manager" | ||
namespace = "${var.prefix}-cert-manager" | ||
create_kubernetes_namespace = true | ||
create_service_account = true | ||
role_assignments = [ | ||
{ | ||
role_definition_name = "DNS Zone Contributor" | ||
scope = data.azurerm_dns_zone.example.id | ||
}, | ||
] | ||
}, | ||
] | ||
|
||
## Example to create custom role for velero | ||
velero = [ | ||
{ | ||
service_account_name = "${var.prefix}-sa-velero" | ||
namespace = "${var.prefix}-velero" | ||
role_assignments = [ | ||
{ | ||
role_definition_name = "velero" | ||
create_custom_role = true | ||
scope = data.azurerm_subscription.current.id | ||
custom_role_description = "Role Required for velero to manage snapshots, backups and restores." | ||
custom_role_actions = [ | ||
"Microsoft.Compute/disks/read", | ||
"Microsoft.Compute/disks/write", | ||
"Microsoft.Compute/disks/endGetAccess/action", | ||
"Microsoft.Compute/disks/beginGetAccess/action", | ||
"Microsoft.Compute/snapshots/read", | ||
"Microsoft.Compute/snapshots/write", | ||
"Microsoft.Compute/snapshots/delete", | ||
"Microsoft.Storage/storageAccounts/listkeys/action", | ||
"Microsoft.Storage/storageAccounts/regeneratekey/action", | ||
"Microsoft.Storage/storageAccounts/blobServices/containers/delete", | ||
"Microsoft.Storage/storageAccounts/blobServices/containers/read", | ||
"Microsoft.Storage/storageAccounts/blobServices/containers/write", | ||
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" | ||
] | ||
custom_role_data_actions = [ | ||
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", | ||
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", | ||
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", | ||
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action", | ||
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action" | ||
] | ||
} | ||
] | ||
} | ||
] | ||
|
||
identities = concat( | ||
local.external-dns, | ||
local.cert-manager, | ||
local.velero | ||
) | ||
} |
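Review bot: the `velero` role assignment is scoped to `data.azurerm_subscription.current.id` while its actions include `Microsoft.Storage/storageAccounts/listkeys/action` and `Microsoft.Storage/storageAccounts/regeneratekey/action`, so the velero workload identity can read and rotate the access keys of every storage account in the subscription and write or delete any disk snapshot, far more than the single backup account and the managed disks it snapshots require. Scope the assignment to the resource group that holds the backup storage account and the disks (or split it into two narrower assignments), and if velero authenticates to blob storage with the workload identity itself, `generateUserDelegationKey/action` plus the data actions already listed are enough and the two key actions can be dropped. The `external-dns` and `cert-manager` entries correctly limit themselves to `DNS Zone Contributor` on `data.azurerm_dns_zone.example.id`; an example that is meant to show the module's custom-role feature should model the same least-privilege pattern for velero.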
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
data "azurerm_client_config" "current" {} | ||
|
||
data "azurerm_subscription" "current" {} | ||
|
||
data "azurerm_resource_group" "example" { | ||
name = "rg-${var.prefix}" | ||
} | ||
|
||
data "azurerm_kubernetes_cluster" "example" { | ||
name = "${var.prefix}-aks" | ||
resource_group_name = data.azurerm_resource_group.example.name | ||
} | ||
|
||
data "azurerm_dns_zone" "example" { | ||
name = var.dns_zone_name | ||
resource_group_name = data.azurerm_resource_group.example.name | ||
} | ||
|
||
module "complete_with_aks" { | ||
for_each = { for identity in local.identities : identity.service_account_name => identity } | ||
|
||
source = "../../" | ||
resource_group_name = data.azurerm_resource_group.example.name | ||
location = data.azurerm_resource_group.example.location | ||
oidc_issuer_url = data.azurerm_kubernetes_cluster.example.oidc_issuer_url | ||
service_account_name = each.value.service_account_name | ||
namespace = each.value.namespace | ||
role_assignments = each.value.role_assignments | ||
|
||
## Create Kubernetes resources | ||
create_kubernetes_namespace = try(each.value.create_kubernetes_namespace, false) | ||
create_service_account = try(each.value.create_service_account, false) | ||
|
||
depends_on = [ | ||
data.azurerm_kubernetes_cluster.example, | ||
data.azurerm_dns_zone.example | ||
] | ||
} |
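Review bot: `for_each = { for identity in local.identities : identity.service_account_name => identity }` keys the module instances on the service account name alone, but each identity also carries a `namespace`, so two identities that reuse a service account name in different namespaces (a common pattern) produce a duplicate map key and Terraform rejects the expression. Key on both, e.g. `"${identity.namespace}/${identity.service_account_name}" => identity`. The `depends_on` block is redundant: `oidc_issuer_url` and the `scope` values already reference `data.azurerm_kubernetes_cluster.example` and `data.azurerm_dns_zone.example` directly, so the dependency is inferred, and `depends_on` on a module block applies to every resource and data source inside the module, which can push the module's own data reads to apply time and produce `(known after apply)` plans; drop it.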
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
variable "prefix" { | ||
type = string | ||
description = "Prefix for all resources in this example" | ||
default = "wi-tf-mod" | ||
} | ||
|
||
variable "dns_zone_name" { | ||
type = string | ||
description = "DNS Zone name" | ||
default = "example.learndevops.in" | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
/** | ||
* # Introduction | ||
* | ||
* This example show the example of using the module to create multiple user-managed identities and also create kubernetes resources (optional) in AKS. | ||
* The AKS creation and dependent resources are out of this module scope. This example assumes that AKS cluster and other dependent resources are already created. | ||
*/ | ||
|
||
terraform { | ||
required_providers { | ||
azurerm = { | ||
source = "hashicorp/azurerm" | ||
version = "~> 3.85.0" | ||
} | ||
kubernetes = { | ||
source = "hashicorp/kubernetes" | ||
version = "~>2.24" | ||
} | ||
} | ||
required_version = ">= 1.3" | ||
} | ||
|
||
provider "azurerm" { | ||
features {} | ||
} | ||
|
||
|
||
provider "kubernetes" { | ||
host = data.azurerm_kubernetes_cluster.example.kube_config.0.host | ||
cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.example.kube_config.0.cluster_ca_certificate) | ||
|
||
# Using kubelogin to get an AAD token for the cluster. works with AAD enabled AKS clusters | ||
exec { | ||
api_version = "client.authentication.k8s.io/v1beta1" | ||
command = "kubelogin" ## need kubelogin installed on the machine where terraform is running | ||
args = [ | ||
"get-token", | ||
"--environment", | ||
"AzurePublicCloud", | ||
"--server-id", | ||
"6dae42f8-4368-4678-94ff-3960e28e3630", # (application used by the server side) https://azure.github.io/kubelogin/concepts/aks.html | ||
"--client-id", | ||
"80faf920-1908-4b52-b5ef-a8e7bedfc67a", # (public client application used by kubelogin) https://azure.github.io/kubelogin/concepts/aks.html | ||
"--tenant-id", | ||
"${data.azurerm_client_config.current.tenant_id}", # AAD Tenant Id | ||
"--login", | ||
"devicecode" ## expected to work only from local machine ( NO CI/CD ) | ||
] | ||
} | ||
} |
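Review bot: `--login devicecode` (the inline comment already says it is expected to work only from a local machine) hardwires the kubernetes provider to an interactive browser flow, so this example cannot run unattended and the `kubelogin` exec fails in CI even where the azurerm side could authenticate with a service principal or federated credential. Expose the login mode as a variable (kubelogin also accepts `azurecli`, `spn`, `msi` and `workloadidentity`) and default it to `azurecli`, which reuses the Azure CLI session the azurerm provider itself falls back to when no explicit credentials are set. Two smaller points: `data.azurerm_kubernetes_cluster.example.kube_config.0.host` uses the legacy `.0` index form, prefer `kube_config[0].host` (same for `cluster_ca_certificate`), and `"${data.azurerm_client_config.current.tenant_id}"` is a redundant interpolation wrapper around a single attribute; pass it directly. Since the README is generated from the `/** ... */` header here, `This example show the example of using the module to create multiple user-managed identities` should be corrected in this header to `This example shows how to use the module to create multiple user-assigned managed identities and, optionally, the matching Kubernetes namespace and service account in AKS`.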