diff --git a/quickstart/201-aks-rbac-dashboard-admin/aks.tf b/quickstart/201-aks-rbac-dashboard-admin/aks.tf
index de617e27..056d2701 100644
--- a/quickstart/201-aks-rbac-dashboard-admin/aks.tf
+++ b/quickstart/201-aks-rbac-dashboard-admin/aks.tf
@@ -1,24 +1,32 @@
-resource "azurerm_kubernetes_cluster" "default" {
- name = "${var.name}-aks"
- location = "${azurerm_resource_group.default.location}"
- resource_group_name = "${azurerm_resource_group.default.name}"
- dns_prefix = "${var.dns_prefix}-${var.name}-aks-${var.environment}"
- depends_on = ["azurerm_role_assignment.default"]
+resource "azurerm_user_assigned_identity" "aks_identity" {
+ location = azurerm_resource_group.default.location
+ name = "${var.name}-aks-identity"
+ resource_group_name = azurerm_resource_group.default.name
+}
 
- agent_pool_profile {
+resource "azurerm_role_assignment" "default" {
+ scope = azurerm_resource_group.default.id
+ role_definition_name = "Network Contributor"
+ principal_id = azurerm_user_assigned_identity.aks_identity.principal_id
+}
+
+resource "azurerm_kubernetes_cluster" "main" {
+ name = "${var.name}-aks"
+ location = azurerm_resource_group.default.location
+ resource_group_name = azurerm_resource_group.default.name
+ dns_prefix = "${var.dns_prefix}-${var.name}-aks-${var.environment}"
+ role_based_access_control_enabled = true
+
+ default_node_pool {
  name = "default"
- count = "${var.node_count}"
- vm_size = "${var.node_type}"
- os_type = "Linux"
+ node_count = var.node_count
+ vm_size = var.node_type
  os_disk_size_gb = 30
  }
-
- service_principal {
- client_id = "${azuread_application.default.application_id}"
- client_secret = "${azuread_service_principal_password.default.value}"
+ identity {
+ type = "UserAssigned"
+ identity_ids = [azurerm_user_assigned_identity.aks_identity.id]
  }
 
- role_based_access_control {
- enabled = true
- }
+ depends_on = [azurerm_role_assignment.default]
 }
\ No newline at end of file
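Review bot: Nothing in this hunk (or elsewhere in the diff) creates a VNet or subnet in the resource group, so the purpose of granting the new identity `Network Contributor` over the whole `azurerm_resource_group.default.id` is not evident; if it exists for a bring-your-own-VNet scenario, say so and scope it to that subnet, otherwise consider dropping it, since AKS manages networking in its own node resource group. A one-line comment above the role assignment would help either way, e.g. `# Lets the cluster identity manage networking in this RG (only needed with a custom VNet) -- TODO confirm`. Also, `role_based_access_control_enabled = true` only turns on Kubernetes RBAC; the cluster still emits the admin client certificate in `kube_config` that the kubernetes provider in versions.tf consumes, so a comment should make clear this is not AAD-integrated authentication.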
diff --git a/quickstart/201-aks-rbac-dashboard-admin/azuread.tf b/quickstart/201-aks-rbac-dashboard-admin/azuread.tf
deleted file mode 100644
index de8cbd40..00000000
--- a/quickstart/201-aks-rbac-dashboard-admin/azuread.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-resource "azuread_application" "default" {
- name = "${var.name}-${var.environment}"
-}
-
-resource "azuread_service_principal" "default" {
- application_id = "${azuread_application.default.application_id}"
-}
-
-resource "random_string" "password" {
- length = 32
- special = true
-}
-
-resource "azuread_service_principal_password" "default" {
- service_principal_id = "${azuread_service_principal.default.id}"
- value = "${random_string.password.result}"
- end_date = "2099-01-01T01:00:00Z"
-}
-
-resource "azurerm_role_assignment" "default" {
- scope = "${data.azurerm_subscription.current.id}/resourceGroups/${azurerm_resource_group.default.name}"
- role_definition_name = "Network Contributor"
- principal_id = "${azuread_service_principal.default.id}"
-}
\ No newline at end of file
diff --git a/quickstart/201-aks-rbac-dashboard-admin/kubernetes.tf b/quickstart/201-aks-rbac-dashboard-admin/kubernetes.tf
index ba6724c7..c3c12754 100644
--- a/quickstart/201-aks-rbac-dashboard-admin/kubernetes.tf
+++ b/quickstart/201-aks-rbac-dashboard-admin/kubernetes.tf
@@ -1,14 +1,5 @@
-# Define Kubernetes provider to use the AKS cluster
-provider "kubernetes" {
- host = "${azurerm_kubernetes_cluster.default.kube_config.0.host}"
-
- client_certificate = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)}"
- client_key = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_key)}"
- cluster_ca_certificate = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)}"
-}
-
-# Grant cluster-admin rights to the kubernetes-dashboard account.
-# THIS IS NOT RECOMMENDED IN PRODUTION
+## Grant cluster-admin rights to the kubernetes-dashboard account.
+## THIS IS NOT RECOMMENDED IN PRODUTION
 resource "kubernetes_cluster_role_binding" "dashboard" {
  metadata {
  name = "kubernetes-dashboard"
diff --git a/quickstart/201-aks-rbac-dashboard-admin/main.tf b/quickstart/201-aks-rbac-dashboard-admin/main.tf
index a6cbe998..a970f35d 100644
--- a/quickstart/201-aks-rbac-dashboard-admin/main.tf
+++ b/quickstart/201-aks-rbac-dashboard-admin/main.tf
@@ -1,18 +1,14 @@
-# The Azure Active Resource Manager Terraform provider
-provider "azurerm" {
- version = "=1.36.1"
-}
-
-# The Azure Active Directory Terraform provider
-provider "azuread" {
- version = "=0.6.0"
-}
-
 # Reference to the current subscription. Used when creating role assignments
 data "azurerm_subscription" "current" {}
 
+resource "random_string" "rg" {
+ length = 8
+ special = false
+ upper = false
+}
+
 # The main resource group for this deployment
 resource "azurerm_resource_group" "default" {
- name = "${var.name}-${var.environment}-rg"
- location = "${var.location}"
+ name = "${var.name}-${var.environment}-${random_string.rg.result}-rg"
+ location = var.location
 }
diff --git a/quickstart/201-aks-rbac-dashboard-admin/variables.tf b/quickstart/201-aks-rbac-dashboard-admin/variables.tf
index 06a7c398..69ea3229 100644
--- a/quickstart/201-aks-rbac-dashboard-admin/variables.tf
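Review bot: The two rewritten comment lines in kubernetes.tf keep the typo `PRODUTION` and switch to a `##` prefix that no other comment in this change uses (main.tf and versions.tf stay with `#`); suggest `# THIS IS NOT RECOMMENDED IN PRODUCTION` with a single hash. The `kubernetes_cluster_role_binding` resource that these lines introduce continues past the end of the hunk.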
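Review bot: `data "azurerm_subscription" "current"` is kept in main.tf together with its comment "Used when creating role assignments", but the only consumer visible in this diff, the role-assignment scope in the deleted azuread.tf, is gone and the replacement in aks.tf scopes to `azurerm_resource_group.default.id` instead. Unless something outside this diff still references it, the data source is now dead and should be removed, or at least its comment updated so it does not describe a role assignment that no longer uses it. A short comment on the new `random_string "rg"` block saying that the suffix exists to keep resource-group names unique across repeated quickstart runs would also help readers, if that is indeed the intent.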
+++ b/quickstart/201-aks-rbac-dashboard-admin/variables.tf
@@ -1,12 +1,12 @@
 // Naming
 variable "name" {
- type = "string"
+ type = string
  description = "Location of the azure resource group."
  default = "quickstart-aks"
 }
 
 variable "environment" {
- type = "string"
+ type = string
  description = "Name of the deployment environment"
  default = "dev"
 }
@@ -14,7 +14,7 @@ variable "environment" {
 
 // Resource information
 variable "location" {
- type = "string"
+ type = string
  description = "Location of the azure resource group."
  default = "WestUS2"
 }
@@ -22,19 +22,19 @@ variable "location" {
 
 // Node type information
 variable "node_count" {
- type = "string"
+ type = number
  description = "The number of K8S nodes to provision."
  default = 3
 }
 
 variable "node_type" {
- type = "string"
+ type = string
  description = "The size of each node."
- default = "Standard_D1_v2"
+ default = "Standard_D2s_v3"
 }
 
 variable "dns_prefix" {
- type = "string"
+ type = string
  description = "DNS Prefix"
  default = "tfquickstart"
 }
diff --git a/quickstart/201-aks-rbac-dashboard-admin/versions.tf b/quickstart/201-aks-rbac-dashboard-admin/versions.tf
new file mode 100644
index 00000000..5eb9fe1d
--- /dev/null
+++ b/quickstart/201-aks-rbac-dashboard-admin/versions.tf
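Review bot: While this hunk retypes variable "name", its description on the context line directly below still reads "Location of the azure resource group.", which is a copy of location's description and is wrong for a value that aks.tf and main.tf use as the base of the resource-group, identity and cluster names; suggest `description = "Base name used for the resource group, identity and AKS cluster."`. The same description text is repeated for "location" in the next hunk, where it is correct.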
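Review bot: Retyping `node_count` to `number` in the third hunk fixes the string-typed count but still lets a caller pass 0 or a negative value straight into `default_node_pool.node_count` in aks.tf; since versions.tf now requires Terraform >=1.2, a `validation` block can reject that at plan time. The same pattern would suit `dns_prefix` if its length and character constraints matter to the deployment, though that is outside what this hunk changes.

```hcl
variable "node_count" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.node_count >= 1
    error_message = "node_count must be at least 1."
  }
}
```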
@@ -0,0 +1,36 @@
+terraform {
+ required_version = ">=1.2"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "3.3.2"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false
+ }
+ }
+}
+
+provider "random" {}
+
+# Define Kubernetes provider to use the AKS cluster
+provider "kubernetes" {
+ host = azurerm_kubernetes_cluster.main.kube_config[0].host
+
+ client_certificate = base64decode(azurerm_kubernetes_cluster.main.kube_config.0.client_certificate)
+ client_key = base64decode(azurerm_kubernetes_cluster.main.kube_config.0.client_key)
+ cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.main.kube_config.0.cluster_ca_certificate)
+}
\ No newline at end of file
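Review bot: The new kubernetes provider block mixes two index syntaxes for the same attribute, `kube_config[0].host` on one line and `kube_config.0.client_certificate` on the next three; use `kube_config[0]` throughout, e.g. `client_certificate = base64decode(azurerm_kubernetes_cluster.main.kube_config[0].client_certificate)`. These are the cluster's client-certificate credentials, so a comment stating that the provider authenticates with the certificate pair from `kube_config` (and that the cluster must therefore exist before any kubernetes resource is planned) would make the trust model and the apply-ordering explicit. `prevent_deletion_if_contains_resources = false` and the exact `3.3.2` pin on random, next to `~>` ranges for the other providers, each deserve a one-line comment on why they differ from the defaults.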