resource "random_pet" "rg_name" { prefix = var.resource_group_name_prefix } resource "azurerm_resource_group" "rg" { name = random_pet.rg_name.id location = var.resource_group_location } # Locals block for hardcoded names locals { backend_address_pool_name = "${azurerm_virtual_network.vnet.name}-beap" frontend_port_name = "${azurerm_virtual_network.vnet.name}-feport" frontend_ip_configuration_name = "${azurerm_virtual_network.vnet.name}-feip" http_setting_name = "${azurerm_virtual_network.vnet.name}-be-htst" listener_name = "${azurerm_virtual_network.vnet.name}-httplstn" request_routing_rule_name = "${azurerm_virtual_network.vnet.name}-rqrt" } # Subnets data "azurerm_subnet" "kubesubnet" { name = var.aks_subnet_name virtual_network_name = azurerm_virtual_network.vnet.name resource_group_name = azurerm_resource_group.rg.name } data "azurerm_subnet" "appgwsubnet" { name = var.appgw_subnet_name virtual_network_name = azurerm_virtual_network.vnet.name resource_group_name = azurerm_resource_group.rg.name } data "azurerm_user_assigned_identity" "ingress" { name = "ingressapplicationgateway-${azurerm_kubernetes_cluster.aks.name}" resource_group_name = azurerm_kubernetes_cluster.aks.node_resource_group } # Virtual network (vnet) resource "azurerm_virtual_network" "vnet" { name = var.virtual_network_name location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name address_space = [var.virtual_network_address_prefix] subnet { name = var.aks_subnet_name address_prefix = var.aks_subnet_address_prefix } subnet { name = var.appgw_subnet_name address_prefix = var.app_gateway_subnet_address_prefix } } resource "azurerm_user_assigned_identity" "aks" { name = "aks-${var.aks_cluster_name}" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location } # AKS cluster resource "azurerm_kubernetes_cluster" "aks" { name = var.aks_cluster_name location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name dns_prefix = var.aks_cluster_name private_cluster_enabled = var.aks_private_cluster role_based_access_control_enabled = var.aks_enable_rbac sku_tier = var.aks_sku_tier default_node_pool { name = "agentpool" node_count = var.aks_node_count vm_size = var.aks_vm_size os_disk_size_gb = var.aks_os_disk_size max_pods = 100 vnet_subnet_id = data.azurerm_subnet.kubesubnet.id } identity { type = "UserAssigned" identity_ids = [azurerm_user_assigned_identity.aks.id] } network_profile { network_plugin = "azure" dns_service_ip = var.aks_dns_service_ip service_cidr = var.aks_service_cidr } ingress_application_gateway { gateway_id = azurerm_application_gateway.appgw.id } depends_on = [ azurerm_application_gateway.appgw ] } resource "azurerm_public_ip" "pip" { name = "appgw-pip" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location allocation_method = "Static" sku = "Standard" } resource "azurerm_application_gateway" "appgw" { name = var.app_gateway_name resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location sku { name = var.app_gateway_tier tier = var.app_gateway_tier capacity = 1 } gateway_ip_configuration { name = "appGatewayIpConfig" subnet_id = data.azurerm_subnet.appgwsubnet.id } frontend_port { name = local.frontend_port_name port = 80 } frontend_ip_configuration { name = local.frontend_ip_configuration_name public_ip_address_id = azurerm_public_ip.pip.id } backend_address_pool { name = local.backend_address_pool_name } backend_http_settings { name = local.http_setting_name cookie_based_affinity = "Disabled" port = 80 protocol = "Http" request_timeout = 1 } http_listener { name = local.listener_name frontend_ip_configuration_name = local.frontend_ip_configuration_name frontend_port_name = local.frontend_port_name protocol = "Http" } request_routing_rule { name = local.request_routing_rule_name priority = 1 rule_type = "Basic" http_listener_name = local.listener_name backend_address_pool_name = local.backend_address_pool_name backend_http_settings_name = local.http_setting_name } # Since this sample is creating an Application Gateway # that is later managed by an Ingress Controller, there is no need # to create a backend address pool (BEP). However, the BEP is still # required by the resource. Therefore, "lifecycle:ignore_changes" is # used to prevent TF from managing the gateway. lifecycle { ignore_changes = [ tags, backend_address_pool, backend_http_settings, http_listener, probe, request_routing_rule, ] } } # Role assignments resource "azurerm_role_assignment" "ra1" { scope = azurerm_resource_group.rg.id role_definition_name = "Reader" principal_id = data.azurerm_user_assigned_identity.ingress.principal_id } resource "azurerm_role_assignment" "ra2" { scope = azurerm_virtual_network.vnet.id role_definition_name = "Network Contributor" principal_id = data.azurerm_user_assigned_identity.ingress.principal_id } resource "azurerm_role_assignment" "ra3" { scope = azurerm_application_gateway.appgw.id role_definition_name = "Contributor" principal_id = data.azurerm_user_assigned_identity.ingress.principal_id }