From fe231e8d9192ce1346d16ac2541d170387399388 Mon Sep 17 00:00:00 2001 From: Tom Archer Date: Fri, 26 May 2023 11:37:59 -0700 Subject: [PATCH 1/5] Removed Log Analytics resources from sample as not used in article --- .../azure-vote.yaml | 85 +++++++++++++++++++ .../201-k8s-cluster-with-tf-and-aks/main.tf | 24 ------ .../outputs.tf | 4 - .../variables.tf | 21 ----- 4 files changed, 85 insertions(+), 49 deletions(-) create mode 100644 quickstart/201-k8s-cluster-with-tf-and-aks/azure-vote.yaml diff --git a/quickstart/201-k8s-cluster-with-tf-and-aks/azure-vote.yaml b/quickstart/201-k8s-cluster-with-tf-and-aks/azure-vote.yaml new file mode 100644 index 00000000..b0713660 --- /dev/null +++ b/quickstart/201-k8s-cluster-with-tf-and-aks/azure-vote.yaml 
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: azure-vote-back
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: azure-vote-back
+ template:
+ metadata:
+ labels:
+ app: azure-vote-back
+ spec:
+ nodeSelector:
+ "kubernetes.io/os": linux
+ containers:
+ - name: azure-vote-back
+ image: mcr.microsoft.com/oss/bitnami/redis:6.0.8
+ env:
+ - name: ALLOW_EMPTY_PASSWORD
+ value: "yes"
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 250m
+ memory: 256Mi
+ ports:
+ - containerPort: 6379
+ name: redis
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: azure-vote-back
+spec:
+ ports:
+ - port: 6379
+ selector:
+ app: azure-vote-back
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: azure-vote-front
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: azure-vote-front
+ template:
+ metadata:
+ labels:
+ app: azure-vote-front
+ spec:
+ nodeSelector:
+ "kubernetes.io/os": linux
+ containers:
+ - name: azure-vote-front
+ image: mcr.microsoft.com/azuredocs/azure-vote-front:v1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 250m
+ memory: 256Mi
+ ports:
+ - containerPort: 80
+ env:
+ - name: REDIS
+ value: "azure-vote-back"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: azure-vote-front
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 80
+ selector:
+ app: azure-vote-front
\ No newline at end of file
diff --git a/quickstart/201-k8s-cluster-with-tf-and-aks/main.tf b/quickstart/201-k8s-cluster-with-tf-and-aks/main.tf
index 5fc878bd..ee4cf410 100644
--- a/quickstart/201-k8s-cluster-with-tf-and-aks/main.tf
+++ b/quickstart/201-k8s-cluster-with-tf-and-aks/main.tf
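Review bot: The `azure-vote-back` Redis container is started with `ALLOW_EMPTY_PASSWORD: "yes"` and its ClusterIP Service has no NetworkPolicy, so any pod in the cluster — not only `azure-vote-front` — can read and overwrite the vote store. For a quickstart that is tolerable if it is called out; propose `# Sample only: Redis accepts unauthenticated clients, so keep it unreachable from anything but azure-vote-front.` above the `env` entry, and the NetworkPolicy below makes that restriction real. Note that the cluster in main.tf (context of patch 4) uses `network_plugin = "kubenet"` without a `network_policy` setting, so the policy would only be enforced once a network policy engine is enabled on the cluster. Neither container declares a `securityContext`; `allowPrivilegeEscalation: false` is a cheap hardening I would expect to work for both images, though I have not verified them.
```yaml
# … unchanged: azure-vote-back Deployment and Service …
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: azure-vote-back
spec:
  podSelector:
    matchLabels:
      app: azure-vote-back
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: azure-vote-front
      ports:
        - port: 6379
          protocol: TCP
# … unchanged: azure-vote-front Deployment and Service …
```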
@@ -14,30 +14,6 @@ locals { current_user_id = coalesce(var.msi_id, data.azurerm_client_config.current.object_id) } -resource "random_pet" "azurerm_log_analytics_workspace_name" { - prefix = "ws" -} - -resource "azurerm_log_analytics_workspace" "test" { - location = var.log_analytics_workspace_location - name = random_pet.azurerm_log_analytics_workspace_name.id - resource_group_name = azurerm_resource_group.rg.name - sku = var.log_analytics_workspace_sku -} - -resource "azurerm_log_analytics_solution" "test" { - location = azurerm_log_analytics_workspace.test.location - resource_group_name = azurerm_resource_group.rg.name - solution_name = "ContainerInsights" - workspace_name = azurerm_log_analytics_workspace.test.name - workspace_resource_id = azurerm_log_analytics_workspace.test.id - - plan { - product = "OMSGallery/ContainerInsights" - publisher = "Microsoft" - } -} - resource "random_pet" "azurerm_kubernetes_cluster_name" { prefix = "cluster" } diff --git a/quickstart/201-k8s-cluster-with-tf-and-aks/outputs.tf b/quickstart/201-k8s-cluster-with-tf-and-aks/outputs.tf index ae021ac7..0d82c446 100644 --- a/quickstart/201-k8s-cluster-with-tf-and-aks/outputs.tf +++ b/quickstart/201-k8s-cluster-with-tf-and-aks/outputs.tf @@ -6,10 +6,6 @@ output "kubernetes_cluster_name" { value = azurerm_kubernetes_cluster.k8s.name } -output "log_analytics_workspace_name" { - value = azurerm_log_analytics_workspace.test.name -} - output "client_certificate" { value = azurerm_kubernetes_cluster.k8s.kube_config[0].client_certificate sensitive = true diff --git a/quickstart/201-k8s-cluster-with-tf-and-aks/variables.tf b/quickstart/201-k8s-cluster-with-tf-and-aks/variables.tf index 89d16be3..a6505850 100644 --- a/quickstart/201-k8s-cluster-with-tf-and-aks/variables.tf +++ b/quickstart/201-k8s-cluster-with-tf-and-aks/variables.tf 
@@ -16,27 +16,6 @@ variable "node_count" { default = 3 } -# For available Log Analytics regions, refer to: -# https://azure.microsoft.com/global-infrastructure/services/?products=monitor -variable "log_analytics_workspace_location" { - type = string - default = "eastus" - description = "Location of the Log Analytics workspace." -} - -# For Log Analytics pricing, refer to: -# https://azure.microsoft.com/pricing/details/monitor -variable "log_analytics_workspace_sku" { - type = string - description = "The SKU of the Log Analytics workspace. Choose from: Free, PerNode, Premium, Standard, Standalone, Unlimited, CapacityReservation, PerGB2018" - default = "PerGB2018" - - validation { - condition = contains(["Free", "PerNode", "Premium", "Standard", "Standalone", "Unlimited", "CapacityReservation", "PerGB2018"], var.log_analytics_workspace_sku) - error_message = "The Log Analytics workspace SKU must be one of the following: Free, PerNode, Premium, Standard, Standalone, Unlimited, CapacityReservation, PerGB2018" - } -} - variable "msi_id" { type = string description = "The Managed Service Identity ID used to create the service principal. If this value is null (the default), the AzureRM provider configuration Object ID is used.." From c3623b46bd25019c91d26bfe0dd5c4d1506096c5 Mon Sep 17 00:00:00 2001 From: Tom Archer Date: Fri, 26 May 2023 11:41:39 -0700 Subject: [PATCH 2/5] Updated readme --- quickstart/201-k8s-cluster-with-tf-and-aks/readme.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/quickstart/201-k8s-cluster-with-tf-and-aks/readme.md b/quickstart/201-k8s-cluster-with-tf-and-aks/readme.md index f4a7ceeb..8a601397 100644 --- a/quickstart/201-k8s-cluster-with-tf-and-aks/readme.md +++ b/quickstart/201-k8s-cluster-with-tf-and-aks/readme.md 
@@ -9,8 +9,6 @@ This template provisions an [AKS / Azure Kubernetes service (also known as a Man - [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) - [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) - [azurerm_client_config](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) -- [azurerm_log_analytics_workspace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) -- [azurerm_log_analytics_solution](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution) - [azurerm_kubernetes_cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) - [azuread_application](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application) - [azuread_service_principal](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) @@ -25,8 +23,6 @@ This template provisions an [AKS / Azure Kubernetes service (also known as a Man | `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | rg | | `resource_group_location` | Location of the resource group. | eastus | | `node_count` | Initial number of nodes which should exist in this Node Pool. Value must be between 1 and 1000. | 3 | -| `log_analytics_workspace_location` | Location of the Log Analytics workspace. | eastus | -| `log_analytics_workspace_sku` | SKU of the Log Analytics workspace. The SKU of the log analytics workspace. Choose from: Free, PerNode, Premium, Standard, Standalone, Unlimited, CapacityReservation, PerGB2018 | PerGB2018 | ## Example From 99fa801597f74fcca13775260112f839ad7712cb Mon Sep 17 00:00:00 2001 
From: Tom Archer Date: Fri, 26 May 2023 16:21:01 -0700 Subject: [PATCH 3/5] Moved code into sp.tf to make it more self-contained --- quickstart/201-k8s-cluster-with-tf-and-aks/main.tf | 6 ------ quickstart/201-k8s-cluster-with-tf-and-aks/sp.tf | 14 ++++++++++---- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/quickstart/201-k8s-cluster-with-tf-and-aks/main.tf b/quickstart/201-k8s-cluster-with-tf-and-aks/main.tf index ee4cf410..66f9facd 100644 --- a/quickstart/201-k8s-cluster-with-tf-and-aks/main.tf +++ b/quickstart/201-k8s-cluster-with-tf-and-aks/main.tf @@ -8,12 +8,6 @@ resource "azurerm_resource_group" "rg" { name = random_pet.rg_name.id } -data "azurerm_client_config" "current" {} - -locals { - current_user_id = coalesce(var.msi_id, data.azurerm_client_config.current.object_id) -} - resource "random_pet" "azurerm_kubernetes_cluster_name" { prefix = "cluster" } diff --git a/quickstart/201-k8s-cluster-with-tf-and-aks/sp.tf b/quickstart/201-k8s-cluster-with-tf-and-aks/sp.tf index adde9182..8fdba63e 100644 --- a/quickstart/201-k8s-cluster-with-tf-and-aks/sp.tf +++ b/quickstart/201-k8s-cluster-with-tf-and-aks/sp.tf @@ -1,17 +1,23 @@ -# Create Azure AD App Registration +data "azurerm_client_config" "current" {} + +locals { + current_user_id = coalesce(var.msi_id, data.azurerm_client_config.current.object_id) +} + +# Create Azure AD app registration. resource "azuread_application" "app" { display_name = "my-app" owners = [local.current_user_id] } -# Create Service Principal +# Create service principal. resource "azuread_service_principal" "app" { application_id = azuread_application.app.application_id app_role_assignment_required = true owners = [local.current_user_id] } -# Create Service Principal password +# Create service principal password. resource "azuread_service_principal_password" "app" { service_principal_id = azuread_service_principal.app.id } 
@@ -25,7 +31,7 @@ resource "time_sleep" "wait_30_seconds" { depends_on = [azuread_service_principal_password.app] } -# Output the Service Principal and password +# Output the service principal and password. output "sp" { value = azuread_service_principal.app.id sensitive = true From 05bf429cbaae7aefa5784803348babb3e91ee01b Mon Sep 17 00:00:00 2001 From: Tom Archer Date: Sat, 27 May 2023 17:09:34 -0700 Subject: [PATCH 4/5] Replaced use of service principal with identity --- .../201-k8s-cluster-with-tf-and-aks/main.tf | 10 ++--- .../201-k8s-cluster-with-tf-and-aks/readme.md | 2 - .../201-k8s-cluster-with-tf-and-aks/sp.tf | 43 ------------------- 3 files changed, 4 insertions(+), 51 deletions(-) delete mode 100644 quickstart/201-k8s-cluster-with-tf-and-aks/sp.tf diff --git a/quickstart/201-k8s-cluster-with-tf-and-aks/main.tf b/quickstart/201-k8s-cluster-with-tf-and-aks/main.tf index 66f9facd..9de93e36 100644 --- a/quickstart/201-k8s-cluster-with-tf-and-aks/main.tf +++ b/quickstart/201-k8s-cluster-with-tf-and-aks/main.tf @@ -22,6 +22,10 @@ resource "azurerm_kubernetes_cluster" "k8s" { resource_group_name = azurerm_resource_group.rg.name dns_prefix = random_pet.azurerm_kubernetes_cluster_dns_prefix.id + identity { + type = "SystemAssigned" + } + default_node_pool { name = "agentpool" vm_size = "Standard_D2_v2" @@ -38,10 +42,4 @@ resource "azurerm_kubernetes_cluster" "k8s" { network_plugin = "kubenet" load_balancer_sku = "standard" } - service_principal { - client_id = azuread_service_principal.app.application_id - client_secret = azuread_service_principal_password.app.value - } - - depends_on = [time_sleep.wait_30_seconds] } \ No newline at end of file diff --git a/quickstart/201-k8s-cluster-with-tf-and-aks/readme.md b/quickstart/201-k8s-cluster-with-tf-and-aks/readme.md index 8a601397..efce1c2e 100644 --- a/quickstart/201-k8s-cluster-with-tf-and-aks/readme.md +++ b/quickstart/201-k8s-cluster-with-tf-and-aks/readme.md 
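Review bot: The added `identity { type = "SystemAssigned" }` block is what lets this patch drop the service-principal `client_secret` that Terraform would otherwise keep in plaintext state, but nothing in the file records that rationale; propose `# System-assigned managed identity: no service-principal secret to create, store in state or rotate.` above the block. Two loose ends are visible elsewhere in this patch series: the readme hunk in this same patch still lists `azuread_application` although sp.tf, the only file on this page that declared it, is deleted here; and `msi_id` in variables.tf keeps its `default = null` while its only consumer, `local.current_user_id` in sp.tf, goes away with that file. The `azurerm_kubernetes_cluster` block starts before the hunk and its `network_profile` continues in the second hunk of this section.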
@@ -11,8 +11,6 @@ This template provisions an [AKS / Azure Kubernetes service (also known as a Man - [azurerm_client_config](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) - [azurerm_kubernetes_cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) - [azuread_application](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application) -- [azuread_service_principal](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) -- [azuread_service_principal_password](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password) - [azapi_resource](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/azapi_resource) - [azapi_resource_action](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/azapi_resource_action) diff --git a/quickstart/201-k8s-cluster-with-tf-and-aks/sp.tf b/quickstart/201-k8s-cluster-with-tf-and-aks/sp.tf deleted file mode 100644 index 8fdba63e..00000000 --- a/quickstart/201-k8s-cluster-with-tf-and-aks/sp.tf +++ /dev/null 
@@ -1,43 +0,0 @@
-data "azurerm_client_config" "current" {}
-
-locals {
- current_user_id = coalesce(var.msi_id, data.azurerm_client_config.current.object_id)
-}
-
-# Create Azure AD app registration.
-resource "azuread_application" "app" {
- display_name = "my-app"
- owners = [local.current_user_id]
-}
-
-# Create service principal.
-resource "azuread_service_principal" "app" {
- application_id = azuread_application.app.application_id
- app_role_assignment_required = true
- owners = [local.current_user_id]
-}
-
-# Create service principal password.
-resource "azuread_service_principal_password" "app" {
- service_principal_id = azuread_service_principal.app.id
-}
-
-# Sleep for 30 seconds to allow for propagation
-# of the Service Principal creation before attempting
-# to create the AKS cluster.
-resource "time_sleep" "wait_30_seconds" {
- create_duration = "30s"
-
- depends_on = [azuread_service_principal_password.app]
-}
-
-# Output the service principal and password.
-output "sp" {
- value = azuread_service_principal.app.id
- sensitive = true
-}
-
-output "sp_password" {
- value = azuread_service_principal_password.app.value
- sensitive = true
-}
\ No newline at end of file
From c55631aea89047364ef7cd0bb0bab82e2b1a8dbe Mon Sep 17 00:00:00 2001 From: Tom Archer Date: Wed, 31 May 2023 07:29:11 -0700 Subject: [PATCH 5/5] Wordsmithed description of msi_id variable --- quickstart/201-k8s-cluster-with-tf-and-aks/readme.md | 1 + quickstart/201-k8s-cluster-with-tf-and-aks/variables.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/quickstart/201-k8s-cluster-with-tf-and-aks/readme.md b/quickstart/201-k8s-cluster-with-tf-and-aks/readme.md
index efce1c2e..3d5d0a7e 100644
--- a/quickstart/201-k8s-cluster-with-tf-and-aks/readme.md
+++ b/quickstart/201-k8s-cluster-with-tf-and-aks/readme.md
@@ -21,6 +21,7 @@ This template provisions an [AKS / Azure Kubernetes service (also known as a Man | `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | rg | | `resource_group_location` | Location of the resource group. | eastus | | `node_count` | Initial number of nodes which should exist in this Node Pool. Value must be between 1 and 1000. | 3 | +| `msi_id` | The Managed Service Identity ID. Set this value if you're running this example using Managed Identity as the authentication method. | null | ## Example diff --git a/quickstart/201-k8s-cluster-with-tf-and-aks/variables.tf b/quickstart/201-k8s-cluster-with-tf-and-aks/variables.tf index a6505850..019c4d25 100644 --- a/quickstart/201-k8s-cluster-with-tf-and-aks/variables.tf +++ b/quickstart/201-k8s-cluster-with-tf-and-aks/variables.tf @@ -18,6 +18,6 @@ variable "node_count" { variable "msi_id" { type = string - description = "The Managed Service Identity ID used to create the service principal. If this value is null (the default), the AzureRM provider configuration Object ID is used.." + description = "The Managed Service Identity ID. Set this value if you're running this example using Managed Identity as the authentication method." default = null } \ No newline at end of file
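Review bot: The reworded description tells users to set `msi_id` when authenticating with a managed identity, but after patch 4 deleted sp.tf no file in this series references `var.msi_id`, so as far as this page shows the variable no longer affects anything and the readme row added in this same patch documents a no-op. Either remove the variable together with that row, or make the description honest until it is wired back in, e.g. `description = "Managed Service Identity ID. Not currently referenced by any resource in this sample."`. The `variable "msi_id"` block is shown in full in the hunk.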