From da2472a399aa60212262230aef1d1d4b47fc7a83 Mon Sep 17 00:00:00 2001
From: Tom Archer
Date: Sun, 1 Aug 2021 19:42:50 -0700
Subject: [PATCH] 201-k8s-cluster-with-aks-applicationgateway-ingress
---
.../main.tf | 18 ++
.../output.tf | 36 +++
.../resources.tf | 211 ++++++++++++++++++
.../terraform.tfvars | 9 +
.../variables.tf | 130 +++++++++++
5 files changed, 404 insertions(+)
create mode 100644 quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/main.tf
create mode 100644 quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/output.tf
create mode 100644 quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/resources.tf
create mode 100644 quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/terraform.tfvars
create mode 100644 quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/variables.tf
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/main.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/main.tf
new file mode 100644
index 00000000..d5375bef
--- /dev/null
+++ b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/main.tf
@@ -0,0 +1,18 @@
+terraform {
+required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~>2.0"
+ }
+}
+backend "azurerm" {
+ resource_group_name = var.resource_group_name
+ storage_account_name = var.storage_account_name
+ container_name = "tfstate"
+ key = "codelab.microsoft.tfstate"
+}
+}
+
+provider "azurerm" {
+features {}
+}
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/output.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/output.tf
new file mode 100644
index 00000000..6d59e7fb
--- /dev/null
+++ b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/output.tf
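Review bot: The `backend "azurerm"` block in main.tf references `var.resource_group_name` and `var.storage_account_name`, but Terraform does not permit variables or any other expression inside backend configuration, so `terraform init` fails before anything is deployed. Either write literal values or pass them at init time with `terraform init -backend-config="resource_group_name=..." -backend-config="storage_account_name=..."`. The state written to the `tfstate` container will contain the service-principal client secret and the cluster-admin kubeconfig in cleartext, so this deserves a comment above the block such as `# NOTE: remote state holds the SP secret and kube_config — block public access and restrict the tfstate container to the identities that run Terraform`.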
@@ -0,0 +1,36 @@
+output "client_key" {
+ value = azurerm_kubernetes_cluster.k8s.kube_config.0.client_key
+}
+
+output "client_certificate" {
+ value = azurerm_kubernetes_cluster.k8s.kube_config.0.client_certificate
+}
+
+output "cluster_ca_certificate" {
+ value = azurerm_kubernetes_cluster.k8s.kube_config.0.cluster_ca_certificate
+}
+
+output "cluster_username" {
+ value = azurerm_kubernetes_cluster.k8s.kube_config.0.username
+}
+
+output "cluster_password" {
+ value = azurerm_kubernetes_cluster.k8s.kube_config.0.password
+}
+
+output "kube_config" {
+ value = azurerm_kubernetes_cluster.k8s.kube_config_raw
+ sensitive = true
+}
+
+output "host" {
+ value = azurerm_kubernetes_cluster.k8s.kube_config.0.host
+}
+
+output "identity_resource_id" {
+ value = azurerm_user_assigned_identity.testIdentity.id
+}
+
+output "identity_client_id" {
+ value = azurerm_user_assigned_identity.testIdentity.client_id
+}
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/resources.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/resources.tf
new file mode 100644
index 00000000..f2ab9f0b
--- /dev/null
+++ b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/resources.tf
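Review bot: Only `kube_config` is marked `sensitive = true`; the `client_key`, `cluster_password`, `client_certificate` and `cluster_username` outputs carry the same cluster-admin credentials and are echoed in clear on every `terraform apply` and `terraform output`. Add `sensitive = true` to each of those four outputs; callers that need the raw value can still read it with `terraform output -raw <name>`. Marking outputs sensitive only affects CLI display — the values remain in plaintext in the state file, so state access still has to be locked down.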
@@ -0,0 +1,211 @@
+# # Locals block for hardcoded names.
+locals {
+ backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap"
+ frontend_port_name = "${azurerm_virtual_network.test.name}-feport"
+ frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
+ http_setting_name = "${azurerm_virtual_network.test.name}-be-htst"
+ listener_name = "${azurerm_virtual_network.test.name}-httplstn"
+ request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt"
+ app_gateway_subnet_name = "appgwsubnet"
+}
+
+data "azurerm_resource_group" "rg" {
+ name = var.resource_group_name
+}
+
+# User Assigned Identities
+resource "azurerm_user_assigned_identity" "testIdentity" {
+ resource_group_name = data.azurerm_resource_group.rg.name
+ location = data.azurerm_resource_group.rg.location
+
+ name = "identity1"
+
+ tags = var.tags
+}
+
+resource "azurerm_virtual_network" "test" {
+ name = var.virtual_network_name
+ location = data.azurerm_resource_group.rg.location
+ resource_group_name = data.azurerm_resource_group.rg.name
+ address_space = [var.virtual_network_address_prefix]
+
+ subnet {
+ name = var.aks_subnet_name
+ address_prefix = var.aks_subnet_address_prefix
+ }
+
+ subnet {
+ name = "appgwsubnet"
+ address_prefix = var.app_gateway_subnet_address_prefix
+ }
+
+ tags = var.tags
+}
+
+data "azurerm_subnet" "kubesubnet" {
+ name = var.aks_subnet_name
+ virtual_network_name = azurerm_virtual_network.test.name
+ resource_group_name = data.azurerm_resource_group.rg.name
+ depends_on = [azurerm_virtual_network.test]
+}
+
+data "azurerm_subnet" "appgwsubnet" {
+ name = "appgwsubnet"
+ virtual_network_name = azurerm_virtual_network.test.name
+ resource_group_name = data.azurerm_resource_group.rg.name
+ depends_on = [azurerm_virtual_network.test]
+}
+
+# Public Ip
+resource "azurerm_public_ip" "test" {
+ name = "publicIp1"
+ location = data.azurerm_resource_group.rg.location
+ resource_group_name = data.azurerm_resource_group.rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+
+ tags = var.tags
+}
+
+resource "azurerm_application_gateway" "network" {
+ name = var.app_gateway_name
+ resource_group_name = data.azurerm_resource_group.rg.name
+ location = data.azurerm_resource_group.rg.location
+
+ sku {
+ name = var.app_gateway_sku
+ tier = "Standard_v2"
+ capacity = 2
+ }
+
+ gateway_ip_configuration {
+ name = "appGatewayIpConfig"
+ subnet_id = data.azurerm_subnet.appgwsubnet.id
+ }
+
+ frontend_port {
+ name = local.frontend_port_name
+ port = 80
+ }
+
+ frontend_port {
+ name = "httpsPort"
+ port = 443
+ }
+
+ frontend_ip_configuration {
+ name = local.frontend_ip_configuration_name
+ public_ip_address_id = azurerm_public_ip.test.id
+ }
+
+ backend_address_pool {
+ name = local.backend_address_pool_name
+ }
+
+ backend_http_settings {
+ name = local.http_setting_name
+ cookie_based_affinity = "Disabled"
+ port = 80
+ protocol = "Http"
+ request_timeout = 1
+ }
+
+ http_listener {
+ name = local.listener_name
+ frontend_ip_configuration_name = local.frontend_ip_configuration_name
+ frontend_port_name = local.frontend_port_name
+ protocol = "Http"
+ }
+
+ request_routing_rule {
+ name = local.request_routing_rule_name
+ rule_type = "Basic"
+ http_listener_name = local.listener_name
+ backend_address_pool_name = local.backend_address_pool_name
+ backend_http_settings_name = local.http_setting_name
+ }
+
+ tags = var.tags
+
+ depends_on = [azurerm_virtual_network.test, azurerm_public_ip.test]
+}
+
+```hcl
+resource "azurerm_role_assignment" "ra1" {
+ scope = data.azurerm_subnet.kubesubnet.id
+ role_definition_name = "Network Contributor"
+ principal_id = var.aks_service_principal_object_id
+
+ depends_on = [azurerm_virtual_network.test]
+}
+
+resource "azurerm_role_assignment" "ra2" {
+ scope = azurerm_user_assigned_identity.testIdentity.id
+ role_definition_name = "Managed Identity Operator"
+ principal_id = var.aks_service_principal_object_id
+ depends_on = [azurerm_user_assigned_identity.testIdentity]
+}
+
+resource "azurerm_role_assignment" "ra3" {
+ scope = azurerm_application_gateway.network.id
+ role_definition_name = "Contributor"
+ principal_id = azurerm_user_assigned_identity.testIdentity.principal_id
+ depends_on = [azurerm_user_assigned_identity.testIdentity, azurerm_application_gateway.network]
+}
+
+resource "azurerm_role_assignment" "ra4" {
+ scope = data.azurerm_resource_group.rg.id
+ role_definition_name = "Reader"
+ principal_id = azurerm_user_assigned_identity.testIdentity.principal_id
+ depends_on = [azurerm_user_assigned_identity.testIdentity, azurerm_application_gateway.network]
+}
+```
+
+resource "azurerm_kubernetes_cluster" "k8s" {
+ name = var.aks_name
+ location = data.azurerm_resource_group.rg.location
+ dns_prefix = var.aks_dns_prefix
+
+ resource_group_name = data.azurerm_resource_group.rg.name
+
+ linux_profile {
+ admin_username = var.vm_user_name
+
+ ssh_key {
+ key_data = file(var.public_ssh_key_path)
+ }
+ }
+
+ addon_profile {
+ http_application_routing {
+ enabled = false
+ }
+ }
+
+ default_node_pool {
+ name = "agentpool"
+ node_count = var.aks_agent_count
+ vm_size = var.aks_agent_vm_size
+ os_disk_size_gb = var.aks_agent_os_disk_size
+ vnet_subnet_id = data.azurerm_subnet.kubesubnet.id
+ }
+
+ service_principal {
+ client_id = var.aks_service_principal_app_id
+ client_secret = var.aks_service_principal_client_secret
+ }
+
+ network_profile {
+ network_plugin = "azure"
+ dns_service_ip = var.aks_dns_service_ip
+ docker_bridge_cidr = var.aks_docker_bridge_cidr
+ service_cidr = var.aks_service_cidr
+ }
+
+ role_based_access_control {
+ enabled = var.aks_enable_rbac
+ }
+
+ depends_on = [azurerm_virtual_network.test, azurerm_application_gateway.network]
+ tags = var.tags
+}
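Review bot: resources.tf contains two markdown code-fence lines — the line reading "```hcl" immediately before `resource "azurerm_role_assignment" "ra1"` and the line reading "```" right after `ra4` — which are not HCL and will make `terraform validate` reject the whole file; both lines must be deleted (the hunk's 211-line count confirms they are part of the committed file, not a rendering artifact). Further down, `role_based_access_control { enabled = var.aks_enable_rbac }` picks up a default of `"false"` from variables.tf, so the cluster is created without Kubernetes RBAC and every kubeconfig handed out is unrestricted; for a cluster that is fronted by a public Application Gateway this should be `enabled = true`. The gateway defines only one `http_listener` with `protocol = "Http"` on port 80 — the `httpsPort` `frontend_port` has no listener, `ssl_certificate` or routing rule, so ingress traffic terminates in plaintext; at least note it, e.g. `# TODO: add an HTTPS listener and ssl_certificate; the httpsPort frontend_port is currently unused`. Separately, `request_timeout = 1` in `backend_http_settings` is one second, which will surface as 502s from the gateway for any backend that takes longer to answer.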
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/terraform.tfvars b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/terraform.tfvars
new file mode 100644
index 00000000..138c0712
--- /dev/null
+++ b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/terraform.tfvars
@@ -0,0 +1,9 @@
+resource_group_name = ""
+
+location = ""
+
+aks_service_principal_app_id = ""
+
+aks_service_principal_client_secret = ""
+
+aks_service_principal_object_id = ""
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/variables.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/variables.tf
new file mode 100644
index 00000000..db3d508e
--- /dev/null
+++ b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/variables.tf
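Review bot: `aks_service_principal_client_secret = ""` sits in a tracked, auto-loaded `terraform.tfvars`, which is exactly the file a user fills in and then commits with the real secret. Remove that line from the tracked file and point users at an out-of-band channel, e.g. `# aks_service_principal_client_secret: supply via TF_VAR_aks_service_principal_client_secret or an untracked *.auto.tfvars`. `location = ""` is also set here, but every resource in resources.tf takes its location from `data.azurerm_resource_group.rg.location`, so the value is never read; either drop it or wire `var.location` into the resources. `storage_account_name`, which variables.tf declares without a default, is missing from this file and will be prompted for interactively.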
@@ -0,0 +1,130 @@
+variable "resource_group_name" {
+ description = "Name of the resource group."
+}
+
+variable "location" {
+ description = "Location of the cluster."
+}
+
+variable "aks_service_principal_app_id" {
+ description = "Application ID/Client ID of the service principal. Used by AKS to manage AKS related resources on Azure like vms, subnets."
+}
+
+variable "aks_service_principal_client_secret" {
+ description = "Secret of the service principal. Used by AKS to manage Azure."
+}
+
+variable "aks_service_principal_object_id" {
+ description = "Object ID of the service principal."
+}
+
+variable "virtual_network_name" {
+ description = "Virtual network name"
+ default = "aksVirtualNetwork"
+}
+
+variable "virtual_network_address_prefix" {
+ description = "VNET address prefix"
+ default = "15.0.0.0/8"
+}
+
+variable "aks_subnet_name" {
+ description = "Subnet Name."
+ default = "kubesubnet"
+}
+
+variable "aks_subnet_address_prefix" {
+ description = "Subnet address prefix."
+ default = "15.0.0.0/16"
+}
+
+variable "app_gateway_subnet_address_prefix" {
+ description = "Subnet server IP address."
+ default = "15.1.0.0/16"
+}
+
+variable "app_gateway_name" {
+ description = "Name of the Application Gateway"
+ default = "ApplicationGateway1"
+}
+
+variable "app_gateway_sku" {
+ description = "Name of the Application Gateway SKU"
+ default = "Standard_v2"
+}
+
+variable "app_gateway_tier" {
+ description = "Tier of the Application Gateway tier"
+ default = "Standard_v2"
+}
+
+variable "aks_name" {
+ description = "AKS cluster name"
+ default = "aks-cluster1"
+}
+variable "aks_dns_prefix" {
+ description = "Optional DNS prefix to use with hosted Kubernetes API server FQDN."
+ default = "aks"
+}
+
+variable "aks_agent_os_disk_size" {
+ description = "Disk size (in GB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 applies the default disk size for that agentVMSize."
+ default = 40
+}
+
+variable "aks_agent_count" {
+ description = "The number of agent nodes for the cluster."
+ default = 3
+}
+
+variable "aks_agent_vm_size" {
+ description = "VM size"
+ default = "Standard_D3_v2"
+}
+
+variable "kubernetes_version" {
+ description = "Kubernetes version"
+ default = "1.11.5"
+}
+
+variable "aks_service_cidr" {
+ description = "CIDR notation IP range from which to assign service cluster IPs"
+ default = "10.0.0.0/16"
+}
+
+variable "aks_dns_service_ip" {
+ description = "DNS server IP address"
+ default = "10.0.0.10"
+}
+
+variable "aks_docker_bridge_cidr" {
+ description = "CIDR notation IP for Docker bridge."
+ default = "172.17.0.1/16"
+}
+
+variable "aks_enable_rbac" {
+ description = "Enable RBAC on the AKS cluster. Defaults to false."
+ default = "false"
+}
+
+variable "vm_user_name" {
+ description = "User name for the VM"
+ default = "vmuser1"
+}
+
+variable "public_ssh_key_path" {
+ description = "Public key path for SSH."
+ default = "~/.ssh/id_rsa.pub"
+}
+
+variable "tags" {
+ type = map(string)
+
+ default = {
+ source = "terraform"
+ }
+}
+
+variable "storage_account_name" {
+ description = "Name of storage account"
+}
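Review bot: `aks_enable_rbac` defaults to the string `"false"`, so this quickstart provisions a cluster with Kubernetes RBAC disabled unless the user knows to override it; change the declaration to `type = bool` with `default = true` and update the description accordingly. `aks_service_principal_client_secret` should also be declared with `sensitive = true` so the value is redacted from plan and apply output — that attribute needs Terraform 0.14 or later, and main.tf sets no `required_version`, so add one if you adopt it. `virtual_network_address_prefix` defaults to `15.0.0.0/8`, which is outside the RFC 1918 private ranges, so nodes in this VNet will shadow whatever public destinations live in that block; pick a private range that does not overlap `aks_service_cidr` (`10.0.0.0/16`) and adjust the two subnet defaults to match. `kubernetes_version` defaults to `1.11.5` but is never referenced by `azurerm_kubernetes_cluster.k8s`, so it is both stale and inert; either pass it as `kubernetes_version = var.kubernetes_version` with a currently supported version or remove the variable.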