Tips-Of-Mine/terraform-azure
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update aks enterprise

Browse Source
This commit is contained in:
Joey Lorich
2019-11-06 16:36:10 -05:00
parent 415e3caa97
commit 5f390fa368
12 changed files with 1075 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

637
quickstart/301-aks-enterprise/readme.md
View File

@ -18,23 +18,634 @@ This template deploys an Azure Kubernetes Service cluster configured for common
| `environment` | The depolyment environment name (used for postfixing resource names) |
| `prefix` | A prefix for globally-unique dns-based resources |
| `location` | The Azure Region to deploy these resources in |
| `plan_tier` | The App Service Plan tier to deploy |
| `plan_sku` | The App Service Plan SKU to deploy|
| `azuread_application` | The Azure AD Application for the cluster |
| `azuread_service_principal` | The service principal for the AAD App |
| `azuread_service_principal_password` | The password for the AAD App SP |
| `azurerm_application_gateway` | The App Gateway that will front all traffic |
| `azurerm_application_insights` | An App Insights instance to collect application data |
| `azurerm_kubernetes_cluster` | The AKS Cluster |
| `azurerm_log_analytics_solution` | Enables the Log Analytics container monitoring solution |
| `azurerm_log_analytics_workspace` | A Log Analytics workspace to send all AKS telemetry to |
| `azurerm_network_security_group` | A network security group for AKS pods |
| `azurerm_network_security_group` | A network security group for our App Gateway |
| `azurerm_network_security_group` | A network security group for ingress services |
| `azurerm_public_ip` | A public IP for the App Gateway |
| `azurerm_role_assignment` | Assigns rights for AKS to be able to modify the networks |
| `azurerm_subnet` | A subnet for AKS Pods |
| `azurerm_subnet` | A subnet for our App Gateway |
| `azurerm_subnet` | A subnet for ingress services |
| `azurerm_virtual_network` | A Virtual network for our cluster |
| `helm_release` | Installs Ghost blogging software on the AKS cluster as a demo |
| `helm_release` | Installs nginx ingress on the AKS cluster |
| `kubernetes_cluster_role_binding` | Permissions for the Helm Timmer accoutn |
| `kubernetes_service_account` | A Service account for Helm |
## Usage
```bash
terraform plan \
-var 'name=demo-docker' \
-var 'environment=staging' \
-var 'location=West US 2'
-var 'prefix=tfquickstard' \
-var 'plan_tier=standard' \
-var 'plan_sku=s1' \
-out demo.tfplan
>terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
terraform apply demo.tfplan
data.azurerm_subscription.current: Refreshing state...
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# azuread_application.default will be created
+ resource "azuread_application" "default" {
+ application_id = (known after apply)
+ homepage = (known after apply)
+ id = (known after apply)
+ identifier_uris = (known after apply)
+ name = "demo-tfquickstart-dev"
+ object_id = (known after apply)
+ public_client = (known after apply)
+ reply_urls = (known after apply)
+ type = "webapp/api"
+ oauth2_permissions {
+ admin_consent_description = (known after apply)
+ admin_consent_display_name = (known after apply)
+ id = (known after apply)
+ is_enabled = (known after apply)
+ type = (known after apply)
+ user_consent_description = (known after apply)
+ user_consent_display_name = (known after apply)
+ value = (known after apply)
}
}
# azuread_service_principal.default will be created
+ resource "azuread_service_principal" "default" {
+ application_id = (known after apply)
+ display_name = (known after apply)
+ id = (known after apply)
+ object_id = (known after apply)
+ oauth2_permissions {
+ admin_consent_description = (known after apply)
+ admin_consent_display_name = (known after apply)
+ id = (known after apply)
+ is_enabled = (known after apply)
+ type = (known after apply)
+ user_consent_description = (known after apply)
+ user_consent_display_name = (known after apply)
+ value = (known after apply)
}
}
# azuread_service_principal_password.default will be created
+ resource "azuread_service_principal_password" "default" {
+ end_date = "2099-01-01T01:00:00Z"
+ id = (known after apply)
+ key_id = (known after apply)
+ service_principal_id = (known after apply)
+ start_date = (known after apply)
+ value = (sensitive value)
}
# azurerm_application_gateway.gateway will be created
+ resource "azurerm_application_gateway" "gateway" {
+ disabled_ssl_protocols = (known after apply)
+ id = (known after apply)
+ location = "westus2"
+ name = "mtcden-demo-tfquickstart-dev-gateway"
+ resource_group_name = "demo-tfquickstart-dev-rg"
+ tags = (known after apply)
+ backend_address_pool {
+ fqdn_list = (known after apply)
+ fqdns = (known after apply)
+ id = (known after apply)
+ ip_address_list = (known after apply)
+ ip_addresses = [
+ "10.2.0.10",
]
+ name = "demo-tfquickstart-gateway-bepool"
}
+ backend_http_settings {
+ cookie_based_affinity = "Disabled"
+ id = (known after apply)
+ name = "demo-tfquickstart-gateway-http"
+ pick_host_name_from_backend_address = false
+ port = 80
+ probe_id = (known after apply)
+ probe_name = "demo-tfquickstart-gateway-probe"
+ protocol = "http"
+ request_timeout = 1
}
+ frontend_ip_configuration {
+ id = (known after apply)
+ name = "demo-tfquickstart-gateway-feip"
+ private_ip_address = (known after apply)
+ private_ip_address_allocation = (known after apply)
+ public_ip_address_id = (known after apply)
+ subnet_id = (known after apply)
}
+ frontend_port {
+ id = (known after apply)
+ name = "demo-tfquickstart-gateway-feport-http"
+ port = 80
}
+ frontend_port {
+ id = (known after apply)
+ name = "demo-tfquickstart-gateway-feport-https"
+ port = 443
}
+ gateway_ip_configuration {
+ id = (known after apply)
+ name = "demo-tfquickstart-gateway-ipconfig"
+ subnet_id = (known after apply)
}
+ http_listener {
+ frontend_ip_configuration_id = (known after apply)
+ frontend_ip_configuration_name = "demo-tfquickstart-gateway-feip"
+ frontend_port_id = (known after apply)
+ frontend_port_name = "demo-tfquickstart-gateway-feport-http"
+ id = (known after apply)
+ name = "demo-tfquickstart-gateway-lstn-http"
+ protocol = "http"
+ ssl_certificate_id = (known after apply)
}
+ identity {
+ identity_ids = (known after apply)
+ type = (known after apply)
}
+ probe {
+ host = "10.2.0.10"
+ id = (known after apply)
+ interval = 30
+ minimum_servers = 0
+ name = "demo-tfquickstart-gateway-probe"
+ path = "/nginx-health"
+ pick_host_name_from_backend_http_settings = false
+ protocol = "http"
+ timeout = 30
+ unhealthy_threshold = 3
+ match {
+ body = (known after apply)
+ status_code = (known after apply)
}
}
+ request_routing_rule {
+ backend_address_pool_id = (known after apply)
+ backend_http_settings_id = (known after apply)
+ http_listener_id = (known after apply)
+ http_listener_name = "demo-tfquickstart-gateway-lstn-http"
+ id = (known after apply)
+ name = "demo-tfquickstart-gateway-router-http"
+ redirect_configuration_id = (known after apply)
+ rewrite_rule_set_id = (known after apply)
+ rule_type = "PathBasedRouting"
+ url_path_map_id = (known after apply)
+ url_path_map_name = "demo-tfquickstart-gateway-urlpath"
}
+ sku {
+ capacity = 1
+ name = "WAF_v2"
+ tier = "WAF_v2"
}
+ ssl_policy {
+ cipher_suites = (known after apply)
+ disabled_protocols = (known after apply)
+ min_protocol_version = (known after apply)
+ policy_name = (known after apply)
+ policy_type = (known after apply)
}
+ url_path_map {
+ default_backend_address_pool_id = (known after apply)
+ default_backend_address_pool_name = "demo-tfquickstart-gateway-bepool"
+ default_backend_http_settings_id = (known after apply)
+ default_backend_http_settings_name = "demo-tfquickstart-gateway-http"
+ default_redirect_configuration_id = (known after apply)
+ default_rewrite_rule_set_id = (known after apply)
+ id = (known after apply)
+ name = "demo-tfquickstart-gateway-urlpath"
+ path_rule {
+ backend_address_pool_id = (known after apply)
+ backend_address_pool_name = "demo-tfquickstart-gateway-bepool"
+ backend_http_settings_id = (known after apply)
+ backend_http_settings_name = "demo-tfquickstart-gateway-http"
+ id = (known after apply)
+ name = "demo-tfquickstart-gateway-urlrule"
+ paths = [
+ "/*",
]
+ redirect_configuration_id = (known after apply)
+ rewrite_rule_set_id = (known after apply)
}
}
}
# azurerm_application_insights.default will be created
+ resource "azurerm_application_insights" "default" {
+ app_id = (known after apply)
+ application_type = "Web"
+ id = (known after apply)
+ instrumentation_key = (sensitive value)
+ location = "westus2"
+ name = "demo-tfquickstart-dev-ai"
+ resource_group_name = "demo-tfquickstart-dev-rg"
+ tags = (known after apply)
}
# azurerm_kubernetes_cluster.default will be created
+ resource "azurerm_kubernetes_cluster" "default" {
+ dns_prefix = "mtcden-demo-tfquickstart-aks-dev"
+ enable_pod_security_policy = (known after apply)
+ fqdn = (known after apply)
+ id = (known after apply)
+ kube_admin_config = (known after apply)
+ kube_admin_config_raw = (sensitive value)
+ kube_config = (known after apply)
+ kube_config_raw = (sensitive value)
+ kubernetes_version = (known after apply)
+ location = "westus2"
+ name = "demo-tfquickstart-aks"
+ node_resource_group = (known after apply)
+ resource_group_name = "demo-tfquickstart-dev-rg"
+ tags = (known after apply)
+ addon_profile {
+ oms_agent {
+ enabled = true
+ log_analytics_workspace_id = (known after apply)
}
}
+ agent_pool_profile {
+ count = 3
+ dns_prefix = (known after apply)
+ fqdn = (known after apply)
+ max_pods = (known after apply)
+ name = "default"
+ os_disk_size_gb = 30
+ os_type = "Linux"
+ type = "AvailabilitySet"
+ vm_size = "Standard_D1_v2"
+ vnet_subnet_id = (known after apply)
}
+ network_profile {
+ dns_service_ip = (known after apply)
+ docker_bridge_cidr = (known after apply)
+ load_balancer_sku = "basic"
+ network_plugin = "azure"
+ network_policy = (known after apply)
+ pod_cidr = (known after apply)
+ service_cidr = (known after apply)
}
+ role_based_access_control {
+ enabled = true
}
+ service_principal {
+ client_id = (known after apply)
+ client_secret = (sensitive value)
}
}
# azurerm_log_analytics_solution.default will be created
+ resource "azurerm_log_analytics_solution" "default" {
+ id = (known after apply)
+ location = "westus2"
+ resource_group_name = "demo-tfquickstart-dev-rg"
+ solution_name = "ContainerInsights"
+ workspace_name = "demo-tfquickstart-dev-law"
+ workspace_resource_id = (known after apply)
+ plan {
+ name = (known after apply)
+ product = "OMSGallery/ContainerInsights"
+ publisher = "Microsoft"
}
}
# azurerm_log_analytics_workspace.default will be created
+ resource "azurerm_log_analytics_workspace" "default" {
+ id = (known after apply)
+ location = "westus2"
+ name = "demo-tfquickstart-dev-law"
+ portal_url = (known after apply)
+ primary_shared_key = (sensitive value)
+ resource_group_name = "demo-tfquickstart-dev-rg"
+ retention_in_days = 30
+ secondary_shared_key = (sensitive value)
+ sku = "PerGB2018"
+ tags = (known after apply)
+ workspace_id = (known after apply)
}
# azurerm_network_security_group.aks will be created
+ resource "azurerm_network_security_group" "aks" {
+ id = (known after apply)
+ location = "westus2"
+ name = "demo-tfquickstart-aks-nsg"
+ resource_group_name = "demo-tfquickstart-dev-rg"
+ security_rule = (known after apply)
+ tags = (known after apply)
}
# azurerm_network_security_group.gateway will be created
+ resource "azurerm_network_security_group" "gateway" {
+ id = (known after apply)
+ location = "westus2"
+ name = "demo-tfquickstart-gateway-nsg"
+ resource_group_name = "demo-tfquickstart-dev-rg"
+ security_rule = (known after apply)
+ tags = (known after apply)
}
# azurerm_network_security_group.ingress will be created
+ resource "azurerm_network_security_group" "ingress" {
+ id = (known after apply)
+ location = "westus2"
+ name = "demo-tfquickstart-ingress-nsg"
+ resource_group_name = "demo-tfquickstart-dev-rg"
+ security_rule = (known after apply)
+ tags = (known after apply)
}
# azurerm_public_ip.gateway will be created
+ resource "azurerm_public_ip" "gateway" {
+ allocation_method = "Static"
+ domain_name_label = "mtcden-demo-tfquickstart-dev-gateway"
+ fqdn = (known after apply)
+ id = (known after apply)
+ idle_timeout_in_minutes = 4
+ ip_address = (known after apply)
+ ip_version = "IPv4"
+ location = "westus2"
+ name = "mtcden-demo-tfquickstart-dev-gateway-ip"
+ public_ip_address_allocation = (known after apply)
+ resource_group_name = "demo-tfquickstart-dev-rg"
+ sku = "Standard"
+ tags = (known after apply)
}
# azurerm_resource_group.default will be created
+ resource "azurerm_resource_group" "default" {
+ id = (known after apply)
+ location = "westus2"
+ name = "demo-tfquickstart-dev-rg"
+ tags = (known after apply)
}
# azurerm_role_assignment.default will be created
+ resource "azurerm_role_assignment" "default" {
+ id = (known after apply)
+ name = (known after apply)
+ principal_id = (known after apply)
+ principal_type = (known after apply)
+ role_definition_id = (known after apply)
+ role_definition_name = "Network Contributor"
+ scope = "/subscriptions/b0e04a4a-a321-4b66-b8fd-13715262ba3c/resourceGroups/demo-tfquickstart-dev-rg"
+ skip_service_principal_aad_check = (known after apply)
}
# azurerm_subnet.aks will be created
+ resource "azurerm_subnet" "aks" {
+ address_prefix = "10.1.0.0/16"
+ id = (known after apply)
+ ip_configurations = (known after apply)
+ name = "demo-tfquickstart-aks-subnet"
+ resource_group_name = "demo-tfquickstart-dev-rg"
+ virtual_network_name = "demo-tfquickstart-vnet"
}
# azurerm_subnet.gateway will be created
+ resource "azurerm_subnet" "gateway" {
+ address_prefix = "10.2.1.0/24"
+ id = (known after apply)
+ ip_configurations = (known after apply)
+ name = "demo-tfquickstart-gateway-subnet"
+ resource_group_name = "demo-tfquickstart-dev-rg"
+ virtual_network_name = "demo-tfquickstart-vnet"
}
# azurerm_subnet.ingress will be created
+ resource "azurerm_subnet" "ingress" {
+ address_prefix = "10.2.0.0/24"
+ id = (known after apply)
+ ip_configurations = (known after apply)
+ name = "demo-tfquickstart-ingress-subnet"
+ resource_group_name = "demo-tfquickstart-dev-rg"
+ virtual_network_name = "demo-tfquickstart-vnet"
}
# azurerm_subnet_network_security_group_association.aks will be created
+ resource "azurerm_subnet_network_security_group_association" "aks" {
+ id = (known after apply)
+ network_security_group_id = (known after apply)
+ subnet_id = (known after apply)
}
# azurerm_subnet_network_security_group_association.gateway will be created
+ resource "azurerm_subnet_network_security_group_association" "gateway" {
+ id = (known after apply)
+ network_security_group_id = (known after apply)
+ subnet_id = (known after apply)
}
# azurerm_subnet_network_security_group_association.ingress will be created
+ resource "azurerm_subnet_network_security_group_association" "ingress" {
+ id = (known after apply)
+ network_security_group_id = (known after apply)
+ subnet_id = (known after apply)
}
# azurerm_virtual_network.default will be created
+ resource "azurerm_virtual_network" "default" {
+ address_space = [
+ "10.0.0.0/8",
]
+ id = (known after apply)
+ location = "westus2"
+ name = "demo-tfquickstart-vnet"
+ resource_group_name = "demo-tfquickstart-dev-rg"
+ tags = (known after apply)
+ subnet {
+ address_prefix = (known after apply)
+ id = (known after apply)
+ name = (known after apply)
+ security_group = (known after apply)
}
}
# helm_release.ghost will be created
+ resource "helm_release" "ghost" {
+ chart = "bitnami/ghost"
+ disable_webhooks = false
+ force_update = false
+ id = (known after apply)
+ metadata = (known after apply)
+ name = "ghost-blog"
+ namespace = "default"
+ recreate_pods = false
+ reuse = false
+ reuse_values = false
+ status = "DEPLOYED"
+ timeout = 300
+ verify = false
+ version = (known after apply)
+ wait = true
}
# helm_release.ingress will be created
+ resource "helm_release" "ingress" {
+ chart = "stable/nginx-ingress"
+ disable_webhooks = false
+ force_update = false
+ id = (known after apply)
+ metadata = (known after apply)
+ name = "nginx-ingress"
+ namespace = "kube-system"
+ recreate_pods = false
+ reuse = false
+ reuse_values = false
+ status = "DEPLOYED"
+ timeout = 300
+ values = [
+ "controller:\r\n replicaCount: 2\r\n service:\r\n loadBalancerIP: 10.2.0.10\r\n annotations:\r\n service.beta.kubernetes.io/azure-load-balancer-internal: \"true\"\r\n service.beta.kubernetes.io/azure-load-balancer-internal-subnet: \"demo-tfquickstart-ingress-subnet\"\r\n",
]
+ verify = false
+ version = "1.24.7"
+ wait = true
}
# kubernetes_cluster_role_binding.dashboard will be created
+ resource "kubernetes_cluster_role_binding" "dashboard" {
+ id = (known after apply)
+ metadata {
+ generation = (known after apply)
+ name = "kubernetes-dashboard"
+ resource_version = (known after apply)
+ self_link = (known after apply)
+ uid = (known after apply)
}
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "cluster-admin"
}
+ subject {
+ api_group = (known after apply)
+ kind = "ServiceAccount"
+ name = "kubernetes-dashboard"
+ namespace = "kube-system"
}
}
# kubernetes_cluster_role_binding.default will be created
+ resource "kubernetes_cluster_role_binding" "default" {
+ id = (known after apply)
+ metadata {
+ generation = (known after apply)
+ name = "default"
+ resource_version = (known after apply)
+ self_link = (known after apply)
+ uid = (known after apply)
}
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "cluster-admin"
}
+ subject {
+ api_group = (known after apply)
+ kind = "ServiceAccount"
+ name = "default"
+ namespace = "default"
}
}
# kubernetes_cluster_role_binding.tiller will be created
+ resource "kubernetes_cluster_role_binding" "tiller" {
+ id = (known after apply)
+ metadata {
+ generation = (known after apply)
+ name = "tiller"
+ resource_version = (known after apply)
+ self_link = (known after apply)
+ uid = (known after apply)
}
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "cluster-admin"
}
+ subject {
+ api_group = (known after apply)
+ kind = "ServiceAccount"
+ name = "tiller"
+ namespace = "kube-system"
}
}
# kubernetes_service_account.tiller will be created
+ resource "kubernetes_service_account" "tiller" {
+ default_secret_name = (known after apply)
+ id = (known after apply)
+ metadata {
+ generation = (known after apply)
+ name = "tiller"
+ namespace = "kube-system"
+ resource_version = (known after apply)
+ self_link = (known after apply)
+ uid = (known after apply)
}
}
# random_string.password will be created
+ resource "random_string" "password" {
+ id = (known after apply)
+ length = 32
+ lower = true
+ min_lower = 0
+ min_numeric = 0
+ min_special = 0
+ min_upper = 0
+ number = true
+ result = (known after apply)
+ special = true
+ upper = true
}
Plan: 28 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
```
\* Example shown with [Bash](https://www.gnu.org/software/bash/). For [Powershell](https://docs.microsoft.com/en-us/powershell/) replace backslashes with backticks.