From ed79d1aa3bac4f57d7229d566a00237ca4846b32 Mon Sep 17 00:00:00 2001
From: hezijie
Date: Tue, 21 Feb 2023 10:14:26 +0800
Subject: [PATCH 1/5] fix 201-aks-acr-identity

---
 quickstart/201-aks-acr-identity/acr.tf | 6 ++--
 quickstart/201-aks-acr-identity/aks.tf | 4 +--
 quickstart/201-aks-acr-identity/azuread.tf | 2 +-
 quickstart/201-aks-acr-identity/main.tf | 29 +++++++++++++-------
 quickstart/201-aks-acr-identity/variables.tf | 12 ++++----
 5 files changed, 31 insertions(+), 22 deletions(-)

diff --git a/quickstart/201-aks-acr-identity/acr.tf b/quickstart/201-aks-acr-identity/acr.tf
index 00b2edd7..d5a750c9 100644
--- a/quickstart/201-aks-acr-identity/acr.tf
+++ b/quickstart/201-aks-acr-identity/acr.tf
@@ -2,9 +2,9 @@ locals {
 acr_name = "${replace(var.dns_prefix, "-", "")}${replace(var.name, "-", "")}acr"
 }
 resource "azurerm_container_registry" "default" {
- name = "${local.acr_name}"
- resource_group_name = "${azurerm_resource_group.default.name}"
- location = "${azurerm_resource_group.default.location}"
+ name = local.acr_name
+ resource_group_name = azurerm_resource_group.default.name
+ location = azurerm_resource_group.default.location
 sku = "Standard"
 admin_enabled = false
 }
\ No newline at end of file
diff --git a/quickstart/201-aks-acr-identity/aks.tf b/quickstart/201-aks-acr-identity/aks.tf
index cd31ab21..0de91083 100644
--- a/quickstart/201-aks-acr-identity/aks.tf
+++ b/quickstart/201-aks-acr-identity/aks.tf
@@ -1,7 +1,7 @@
 resource "azurerm_kubernetes_cluster" "default" {
 name = "${var.name}-aks"
- location = "${azurerm_resource_group.default.location}"
- resource_group_name = "${azurerm_resource_group.default.name}"
+ location = azurerm_resource_group.default.location
+ resource_group_name = azurerm_resource_group.default.name
 dns_prefix = "${var.dns_prefix}-${var.name}-aks-${var.environment}"
 depends_on = ["azurerm_role_assignment.aks_network", "azurerm_role_assignment.aks_acr"]
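Review bot: `local.acr_name` in the context line at the top of the acr.tf hunk is derived only from `var.dns_prefix` and `var.name`, and registry names are global (they become `<name>.azurecr.io`), so two people running the quickstart with the default variables collide on the same registry name. main.tf in this same patch introduces `random_pet.rg` to make the resource-group name unique; reusing it here, e.g. `acr_name = "${replace(var.dns_prefix, "-", "")}${replace(random_pet.rg.id, "-", "")}acr"`, gives the registry the same protection while still stripping the hyphens the ACR naming rules forbid. The enclosing `locals` block starts outside the hunk.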
diff --git a/quickstart/201-aks-acr-identity/azuread.tf b/quickstart/201-aks-acr-identity/azuread.tf
index 28d463f5..e8f0fd2d 100644
--- a/quickstart/201-aks-acr-identity/azuread.tf
+++ b/quickstart/201-aks-acr-identity/azuread.tf
@@ -3,7 +3,7 @@ resource "azuread_application" "default" {
 }

 resource "azuread_service_principal" "default" {
- application_id = "${azuread_application.default.application_id}"
+ application_id = azuread_application.default.application_id
 }

 resource "random_string" "password" {
diff --git a/quickstart/201-aks-acr-identity/main.tf b/quickstart/201-aks-acr-identity/main.tf
index 8e57b9e5..b45121ca 100644
--- a/quickstart/201-aks-acr-identity/main.tf
+++ b/quickstart/201-aks-acr-identity/main.tf
@@ -1,18 +1,27 @@
-# The Azure Active Resource Manager Terraform provider
-provider "azurerm" {
- version = "=1.36.0"
-}
-
-# The Azure Active Directory Terraform provider
-provider "azuread" {
- version = "=0.6.0"
+terraform {
+ required_version = ">= 1.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "1.36.0"
+ }
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "0.6.0"
+ }
+ }
 }

 # Reference to the current subscription. Used when creating role assignments
 data "azurerm_subscription" "current" {}

+resource "random_pet" "rg" {
+ length = 1
+ prefix = var.name
+}
+
 # The main resource group for this deployment
 resource "azurerm_resource_group" "default" {
- name = "${var.name}-${var.environment}-rg"
- location = "${var.location}"
+ name = "${random_pet.rg.id}-${var.environment}-rg"
+ location = var.location
 }
diff --git a/quickstart/201-aks-acr-identity/variables.tf b/quickstart/201-aks-acr-identity/variables.tf
index b9d3b197..5ab747b8 100644
--- a/quickstart/201-aks-acr-identity/variables.tf
+++ b/quickstart/201-aks-acr-identity/variables.tf
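Review bot: The new `random_pet.rg` resource in the main.tf hunk depends on the hashicorp/random provider, but the `required_providers` block added in the same hunk declares only `azurerm` and `azuread`, so that provider is resolved implicitly and left unpinned. Adding `random = { source = "hashicorp/random", version = "~> 3.0" }` next to the other entries keeps the quickstart's provider set explicit and reproducible; adjust the constraint to whatever the repository's lock file records, if one exists.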
@@ -1,12 +1,12 @@
 // Naming
 variable "name" {
- type = "string"
+ type = string
 description = "Location of the azure resource group."
 default = "demo-tfquickstart"
 }

 variable "environment" {
- type = "string"
+ type = string
 description = "Name of the deployment environment"
 default = "dev"
 }
@@ -14,7 +14,7 @@ variable "environment" {

 // Resource information
 variable "location" {
- type = "string"
+ type = string
 description = "Location of the azure resource group."
 default = "WestUS2"
 }
@@ -22,19 +22,19 @@ variable "location" {

 // Node type information
 variable "node_count" {
- type = "string"
+ type = number
 description = "The number of K8S nodes to provision."
 default = 3
 }

 variable "node_type" {
- type = "string"
+ type = string
 description = "The size of each node."
 default = "Standard_D1_v2"
 }

 variable "dns_prefix" {
- type = "string"
+ type = string
 description = "DNS Prefix"
 default = "tfq"
 }
From a198987b19b6999239cb6d994dd988ee386bd6d5 Mon Sep 17 00:00:00 2001
From: hezijie
Date: Tue, 21 Feb 2023 10:38:21 +0800
Subject: [PATCH 2/5] use identity

---
 quickstart/201-aks-acr-identity/aks.tf | 29 +++++++++-------------
 quickstart/201-aks-acr-identity/azuread.tf | 29 ++++++----------------
 quickstart/201-aks-acr-identity/main.tf | 6 +----
 3 files changed, 21 insertions(+), 43 deletions(-)

diff --git a/quickstart/201-aks-acr-identity/aks.tf b/quickstart/201-aks-acr-identity/aks.tf
index 0de91083..adcd92ad 100644
--- a/quickstart/201-aks-acr-identity/aks.tf
+++ b/quickstart/201-aks-acr-identity/aks.tf
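Review bot: The `description` of `variable "name"` in the first variables.tf hunk still reads "Location of the azure resource group.", the same text as `location`, while elsewhere in this patch the variable is used as the naming prefix for the resource group, the registry and the cluster. Something like `description = "Base name used as a prefix for the resource group, registry and cluster."` would make the quickstart's inputs self-explanatory; the same copy-paste text on `location` is correct there and can stay.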
@@ -1,24 +1,19 @@
 resource "azurerm_kubernetes_cluster" "default" {
- name = "${var.name}-aks"
- location = azurerm_resource_group.default.location
- resource_group_name = azurerm_resource_group.default.name
- dns_prefix = "${var.dns_prefix}-${var.name}-aks-${var.environment}"
- depends_on = ["azurerm_role_assignment.aks_network", "azurerm_role_assignment.aks_acr"]
+ name = "${var.name}-aks"
+ location = azurerm_resource_group.default.location
+ resource_group_name = azurerm_resource_group.default.name
+ dns_prefix = "${var.dns_prefix}-${var.name}-aks-${var.environment}"
+ depends_on = ["azure_role_assignment.aks_network", "azurerm_role_assignment.aks_acr"]
+ role_based_access_control_enabled = true

- agent_pool_profile {
+ default_node_pool {
 name = "default"
- count = "${var.node_count}"
- vm_size = "${var.node_type}"
- os_type = "Linux"
+ vm_size = var.node_type
+ node_count = var.node_count
 os_disk_size_gb = 30
 }
-
- service_principal {
- client_id = "${azuread_application.default.application_id}"
- client_secret = "${azuread_service_principal_password.default.value}"
- }
-
- role_based_access_control {
- enabled = true
+ identity {
+ type = "UserAssigned"
+ identity_ids = [azurerm_user_assigned_identity.aks.id]
 }
 }
\ No newline at end of file
diff --git a/quickstart/201-aks-acr-identity/azuread.tf b/quickstart/201-aks-acr-identity/azuread.tf
index e8f0fd2d..92e3c056 100644
--- a/quickstart/201-aks-acr-identity/azuread.tf
+++ b/quickstart/201-aks-acr-identity/azuread.tf
@@ -1,30 +1,17 @@
-resource "azuread_application" "default" {
- name = "${var.name}-${var.environment}"
-}
-
-resource "azuread_service_principal" "default" {
- application_id = azuread_application.default.application_id
-}
-
-resource "random_string" "password" {
- length = 32
- special = true
-}
-
-resource "azuread_service_principal_password" "default" {
- service_principal_id = "${azuread_service_principal.default.id}"
- value = "${random_string.password.result}"
- end_date = "2099-01-01T01:00:00Z"
+resource "azurerm_user_assigned_identity" "aks" {
+ location = azurerm_resource_group.default.location
+ name = "${random_pet.rg.id}-uai"
+ resource_group_name = azurerm_resource_group.default.name
 }

 resource "azurerm_role_assignment" "aks_network" {
- scope = "${data.azurerm_subscription.current.id}/resourceGroups/${azurerm_resource_group.default.name}"
+ scope = azurerm_resource_group.default.id
 role_definition_name = "Network Contributor"
- principal_id = "${azuread_service_principal.default.id}"
+ principal_id = azurerm_user_assigned_identity.aks.principal_id
 }

 resource "azurerm_role_assignment" "aks_acr" {
- scope = "${data.azurerm_subscription.current.id}/resourceGroups/${azurerm_resource_group.default.name}/providers/Microsoft.ContainerRegistry/registries/${azurerm_container_registry.default.name}"
+ scope = azurerm_container_registry.default.id
 role_definition_name = "AcrPull"
- principal_id = "${azuread_service_principal.default.id}"
+ principal_id = azurerm_user_assigned_identity.aks.principal_id
 }
diff --git a/quickstart/201-aks-acr-identity/main.tf b/quickstart/201-aks-acr-identity/main.tf
index b45121ca..d2e91459 100644
--- a/quickstart/201-aks-acr-identity/main.tf
+++ b/quickstart/201-aks-acr-identity/main.tf
@@ -3,11 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "1.36.0"
- }
- azuread = {
- source = "hashicorp/azuread"
- version = "0.6.0"
+ version = "~> 3.0"
 }
 }
 }
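Review bot: The `aks_acr` role assignment grants AcrPull to `azurerm_user_assigned_identity.aks.principal_id`, which is the identity aks.tf attaches to the cluster's control plane, but image pulls are performed by the kubelet identity, and since the `identity` block in aks.tf sets no `kubelet_identity`, AKS provisions a separate one — so the nodes will most likely still be unable to pull from the registry (worth verifying with a deployment). The usual fix is `principal_id = azurerm_kubernetes_cluster.default.kubelet_identity[0].object_id` on `aks_acr`, which also means removing that assignment from the cluster's `depends_on` to avoid a dependency cycle. The quickstart declares no VNet or subnet, so the Network Contributor grant on the whole resource group looks unused; if nothing outside this page relies on it, dropping it narrows the identity's permissions to what the example needs. The file is still named azuread.tf although it now defines only azurerm resources; renaming it (identity.tf, say) would keep the layout honest.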
From 30427c1bf99161b7e7c0aa693961c3eb453c0895 Mon Sep 17 00:00:00 2001
From: hezijie
Date: Tue, 21 Feb 2023 10:46:56 +0800
Subject: [PATCH 3/5] fix incorrect depends_on

---
 quickstart/201-aks-acr-identity/aks.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/quickstart/201-aks-acr-identity/aks.tf b/quickstart/201-aks-acr-identity/aks.tf
index adcd92ad..a7b15bee 100644
--- a/quickstart/201-aks-acr-identity/aks.tf
+++ b/quickstart/201-aks-acr-identity/aks.tf
@@ -3,7 +3,6 @@ resource "azurerm_kubernetes_cluster" "default" {
 location = azurerm_resource_group.default.location
 resource_group_name = azurerm_resource_group.default.name
 dns_prefix = "${var.dns_prefix}-${var.name}-aks-${var.environment}"
- depends_on = ["azure_role_assignment.aks_network", "azurerm_role_assignment.aks_acr"]
 role_based_access_control_enabled = true

 default_node_pool {
@@ -16,4 +15,6 @@ resource "azurerm_kubernetes_cluster" "default" {
 type = "UserAssigned"
 identity_ids = [azurerm_user_assigned_identity.aks.id]
 }
+
+ depends_on = [azurerm_role_assignment.aks_network, azurerm_role_assignment.aks_acr]
 }
\ No newline at end of file
From 559ba2cdf0b78793817dd90c29101df70f95f1b3 Mon Sep 17 00:00:00 2001
From: hezijie
Date: Tue, 21 Feb 2023 11:27:41 +0800
Subject: [PATCH 4/5] amending azurerm provider block to fix this exmaple

---
 quickstart/201-aks-acr-identity/main.tf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/quickstart/201-aks-acr-identity/main.tf b/quickstart/201-aks-acr-identity/main.tf
index d2e91459..9b57e397 100644
--- a/quickstart/201-aks-acr-identity/main.tf
+++ b/quickstart/201-aks-acr-identity/main.tf
@@ -8,6 +8,10 @@ terraform {
 }
 }

+provider "azurerm" {
+ features {}
+}
+
 # Reference to the current subscription. Used when creating role assignments
 data "azurerm_subscription" "current" {}

From 3028ca87db40394c43ffeed523a6e9fda9556a65 Mon Sep 17 00:00:00 2001
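Review bot: The context lines under the new `provider "azurerm"` block in the patch 4 main.tf hunk still carry `data "azurerm_subscription" "current"` with the comment "Used when creating role assignments", but since patch 2 of this series switched both role-assignment scopes to `azurerm_resource_group.default.id` and `azurerm_container_registry.default.id`, nothing on this page reads the data source any more. Unless it is referenced elsewhere in the repository, drop the data source together with its comment, or reword the comment to say what it is still for, so the quickstart does not read as if subscription-scoped assignments were being made.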
From: hezijie
Date: Wed, 22 Feb 2023 09:42:01 +0800
Subject: [PATCH 5/5] upgrade default node pool type

---
 quickstart/201-aks-acr-identity/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/quickstart/201-aks-acr-identity/variables.tf b/quickstart/201-aks-acr-identity/variables.tf
index 5ab747b8..babfe277 100644
--- a/quickstart/201-aks-acr-identity/variables.tf
+++ b/quickstart/201-aks-acr-identity/variables.tf
@@ -30,7 +30,7 @@ variable "node_count" {
 variable "node_type" {
 type = string
 description = "The size of each node."
- default = "Standard_D1_v2"
+ default = "Standard_D2s_v3"
 }

 variable "dns_prefix" {