├── .github ├── dependabot.yaml └── workflows │ ├── changelog.yaml │ ├── check.yaml │ ├── latest-version.yaml │ └── xkf-templates.yaml ├── .gitignore ├── CHANGELOG.md ├── CONTRIBUTING.md ├── HISTORY.md ├── LOCAL_DEVELOPMENT.md ├── Makefile ├── README.md ├── SECURITY.md ├── assets ├── diagram.drawio └── fluxcd-v2.jpg ├── modules ├── azure-ad │ ├── .tflint.hcl │ └── README.md ├── azure │ ├── .tflint.hcl │ ├── README.md │ ├── aks-global │ │ ├── README.md │ │ ├── acr.tf │ │ ├── dns.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── aks-regional │ │ ├── README.md │ │ ├── aad-pod-identity.tf │ │ ├── eventhub.tf │ │ ├── kv.tf │ │ ├── locals.tf │ │ ├── main.tf │ │ ├── network.tf │ │ ├── outbound-ips.tf │ │ ├── outputs.tf │ │ ├── ssh.tf │ │ ├── variables.tf │ │ └── xenit.tf │ ├── aks │ │ ├── README.md │ │ ├── aad-group.tf │ │ ├── aks.tf │ │ ├── automation │ │ │ ├── main.tf │ │ │ ├── scripts │ │ │ │ └── aks-start-stop.ps1.tpl │ │ │ └── variables.tf │ │ ├── defender.tf │ │ ├── locals.tf │ │ ├── main.tf │ │ ├── modules.tf │ │ ├── nsg.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── workload-identity.tf │ ├── azure-pipelines-agent-vmss │ │ ├── README.md │ │ ├── locals.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── core │ │ ├── README.md │ │ ├── delegate-service-endpoint-join.tf │ │ ├── locals.tf │ │ ├── log.tf │ │ ├── main.tf │ │ ├── network.tf │ │ ├── nsg.tf │ │ ├── outputs.tf │ │ ├── rg.tf │ │ ├── routes.tf │ │ ├── storage.tf │ │ ├── subnets.tf │ │ └── variables.tf │ ├── github-runner │ │ ├── README.md │ │ ├── locals.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── templates │ │ │ └── cloud-init.tpl │ │ └── variables.tf │ ├── governance-global │ │ ├── README.md │ │ ├── aad-group-rg.tf │ │ ├── aad-group-sub-delegation.tf │ │ ├── aad-group-sub.tf │ │ ├── delegate-acr.tf │ │ ├── delegate-kv-sp.tf │ │ ├── delegate-se.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── sp-sub-reader.tf │ │ ├── sp.tf │ │ └── variables.tf │ ├── governance-regional │ │ ├── 
README.md │ │ ├── aad-group-rg.tf │ │ ├── delegate-kv-sp.tf │ │ ├── delegate-kv.tf │ │ ├── locals.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── rg.tf │ │ ├── sp-sub-reader.tf │ │ ├── sp.tf │ │ └── variables.tf │ ├── hub │ │ ├── README.md │ │ ├── locals.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── names │ │ ├── README.md │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── xkf-governance-global-data │ │ ├── README.md │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ └── xkf-governance-global │ │ ├── README.md │ │ ├── aad-group.tf │ │ ├── delegate-xks-rg.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf └── kubernetes │ ├── .tflint.hcl │ ├── README.md │ ├── aad-pod-identity │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ └── aad-pod-identity.yaml.tpl │ └── variables.tf │ ├── aks-core │ ├── README.md │ ├── aks-core-extras.tf │ ├── charts │ │ └── aks-core-extras │ │ │ ├── .helmignore │ │ │ ├── Chart.yaml │ │ │ ├── templates │ │ │ ├── _helpers.tpl │ │ │ ├── priority-class.yaml │ │ │ └── spot-instances-hack.yaml │ │ │ └── values.yaml │ ├── k8s-cluster-role-binding-get-nodes.tf │ ├── k8s-cluster-role-binding-list-ns.tf │ ├── k8s-cluster-role-binding.tf │ ├── k8s-cluster-role.tf │ ├── k8s-role-binding.tf │ ├── locals.tf │ ├── main.tf │ ├── modules.tf │ ├── namespace.tf │ ├── networkpolicy.tf │ ├── outputs.tf │ ├── priority-expander.tf │ ├── storage-class.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── priority-expander.yaml.tpl │ │ └── values.yaml │ └── variables.tf │ ├── argocd │ ├── README.md │ ├── aad_application.tf │ ├── argocd-setup.tf │ ├── charts │ │ ├── argocd-hub-setup │ │ │ ├── .helmignore │ │ │ ├── Chart.yaml │ │ │ └── templates │ │ │ │ ├── applications.yaml.tpl │ │ │ │ ├── clusters.yaml.tpl │ │ │ │ ├── namespaces.yaml.tpl │ │ │ │ ├── oci-repositories.yaml │ │ │ │ ├── projects.yaml.tpl │ │ │ │ └── repositories.yaml.tpl │ │ └── argocd-spoke-setup │ │ │ ├── .helmignore │ │ │ ├── Chart.yaml │ │ │ └── 
templates │ │ │ └── rbac.yaml.tpl │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ └── argocd-values.yaml.tpl │ ├── variables.tf │ └── workload_identity.tf │ ├── azure-metrics │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ └── azure-metrics.yaml.tpl │ ├── variables.tf │ └── workload-identity.tf │ ├── azure-policy │ ├── README.md │ ├── locals.tf │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── azure-identity-format.yaml.tpl │ │ ├── azure-remove-node-spot-taints.yaml.tpl │ │ ├── container-disallow-privilege-escalation.yaml.tpl │ │ ├── container-drop-capabilities.yaml.tpl │ │ ├── container-read-only-root-fs.yaml.tpl │ │ ├── ephemeral-container-disallow-privilege-escalation.yaml.tpl │ │ ├── ephemeral-container-drop-capabilities.yaml.tpl │ │ ├── ephemeral-container-read-only-root-fs.yaml.tpl │ │ ├── flux-disable-cross-namespace-source.yaml.tpl │ │ ├── flux-require-service-account.yaml.tpl │ │ ├── init-container-disallow-privilege-escalation.yaml.tpl │ │ ├── init-container-drop-capabilities.yaml.tpl │ │ ├── init-container-read-only-root-fs.yaml.tpl │ │ ├── k8s-block-node-port.yaml.tpl │ │ ├── k8s-pod-default-seccomp.yaml.tpl │ │ ├── k8s-pod-priority-class.yaml.tpl │ │ ├── k8s-pod-serviceaccount-token-false.yaml.tpl │ │ ├── k8s-require-ingress-class.yaml.tpl │ │ └── k8s-secrets-store-csi-unique-volume.yaml.tpl │ └── variables.tf │ ├── azure-service-operator │ ├── README.md │ ├── locals.tf │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── azure-service-operator-app.yaml.tpl │ │ ├── azure-service-operator-cluster.yaml.tpl │ │ ├── azure-service-operator-manifests.yaml.tpl │ │ ├── azure-service-operator-tenants.yaml.tpl │ │ └── values.yaml │ ├── variables.tf │ └── workload-identity.tf │ ├── cert-manager │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── cert-manager-app.yaml.tpl │ │ ├── cert-manager-extras.yaml.tpl │ │ ├── cert-manager-manifests.yaml.tpl │ │ ├── cert-manager.yaml.tpl │ 
│ └── values.yaml │ ├── variables.tf │ └── workload-identity.tf │ ├── control-plane-logs │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── control-plane-logs-app.yaml.tpl │ │ ├── values.yaml │ │ ├── vector-extras.yaml.tpl │ │ ├── vector-manifests.yaml.tpl │ │ └── vector.yaml.tpl │ ├── variables.tf │ └── workload-identity.tf │ ├── datadog │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── datadog-agent.yaml.tpl │ │ ├── datadog-app.yaml.tpl │ │ ├── datadog-extras.yaml.tpl │ │ ├── datadog-manifests.yaml.tpl │ │ ├── datadog-operator.yaml.tpl │ │ └── values.yaml │ ├── variables.tf │ └── workload-identity.tf │ ├── eck-operator │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ └── eck-operator.yaml.tpl │ └── variables.tf │ ├── envoy-gateway │ ├── README.md │ ├── locals.tf │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── envoy-gateway-require-tls.yaml.tpl │ │ └── envoy-gateway.yaml.tpl │ └── variables.tf │ ├── external-dns │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── external-dns-app.yaml.tpl │ │ ├── external-dns-extras.yaml.tpl │ │ ├── external-dns-manifests.yaml.tpl │ │ ├── external-dns.yaml.tpl │ │ └── values.yaml │ ├── variables.tf │ └── workload-identity.tf │ ├── falco │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── falco-app.yaml.tpl │ │ ├── falco-exporter.yaml.tpl │ │ ├── falco.yaml.tpl │ │ └── values.yaml │ └── variables.tf │ ├── fluxcd │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── git-auth-proxy-values.yaml.tpl │ │ ├── kustomization-override.yaml.tpl │ │ └── tenant.yaml │ ├── variables.tf │ └── workload-identity.tf │ ├── gatekeeper │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── gatekeeper-app.yaml.tpl │ │ ├── gatekeeper-config-manifests.yaml.tpl │ │ ├── gatekeeper-config.yaml.tpl │ │ ├── 
gatekeeper-constraint-templates.yaml.tpl │ │ ├── gatekeeper-templates.yaml.tpl │ │ ├── gatekeeper.yaml.tpl │ │ └── values.yaml │ └── variables.tf │ ├── gateway-api │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ └── gateway-api-crds.yaml.tpl │ └── variables.tf │ ├── grafana-agent │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── grafana-agent-app.yaml.tpl │ │ ├── grafana-agent-extras.yaml.tpl │ │ ├── grafana-agent-manifests.yaml.tpl │ │ ├── grafana-agent.yaml.tpl │ │ ├── kube-state-metrics.yaml.tpl │ │ └── values.yaml │ └── variables.tf │ ├── grafana-alloy │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── grafana-alloy-app.yaml.tpl │ │ ├── grafana-alloy-extras.yaml.tpl │ │ ├── grafana-alloy-manifests.yaml.tpl │ │ ├── grafana-alloy.yaml.tpl │ │ └── values.yaml │ ├── variables.tf │ └── workload-identity.tf │ ├── grafana-k8s-monitoring │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── grafana-k8s-monitoring-app.yaml.tpl │ │ ├── grafana-k8s-monitoring-extras.yaml.tpl │ │ ├── grafana-k8s-monitoring.yaml.tpl │ │ ├── monitors.yaml.tpl │ │ ├── secret-provider-class.yaml.tpl │ │ └── values.yaml │ ├── variables.tf │ └── workload-identity.tf │ ├── ingress-nginx │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── ingress-nginx-app.yaml.tpl │ │ ├── ingress-nginx-extras.yaml.tpl │ │ ├── ingress-nginx-manifests.yaml.tpl │ │ ├── ingress-nginx.yaml.tpl │ │ └── values.yaml │ └── variables.tf │ ├── karpenter │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── node-classes.yaml.tpl │ │ ├── node-pools.yaml.tpl │ │ ├── secret.yaml.tpl │ │ └── values.yaml.tpl │ ├── variables.tf │ └── workload_identity.tf │ ├── linkerd │ ├── README.md │ ├── charts │ │ └── linkerd-extras │ │ │ ├── .helmignore │ │ │ ├── Chart.yaml │ │ │ ├── templates │ │ │ ├── linkerd-identity-issuer.yaml │ │ │ ├── 
linkerd-proxy-injector.yaml │ │ │ ├── linkerd-sp-validator.yaml │ │ │ ├── linkerd-trust-anchor.yaml │ │ │ └── webhook-issuer.yaml │ │ │ └── values.yaml │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── linkerd-app.yaml.tpl │ │ ├── linkerd-crds.yaml.tpl │ │ ├── linkerd-viz.yaml.tpl │ │ ├── linkerd.yaml.tpl │ │ └── values.yaml │ └── variables.tf │ ├── litmus │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ └── litmuschaos.yaml.tpl │ └── variables.tf │ ├── nginx-gateway-fabric │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ └── nginx-gateway-fabric.yaml.tpl │ └── variables.tf │ ├── node-ttl │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ └── node-ttl.yaml.tpl │ └── variables.tf │ ├── popeye │ ├── README.md │ ├── charts │ │ └── popeye │ │ │ ├── .helmignore │ │ │ ├── Chart.yaml │ │ │ ├── templates │ │ │ ├── cluster-role-binding.yaml │ │ │ ├── cluster-role.yaml │ │ │ ├── config-map.yaml │ │ │ ├── cronjob.yaml │ │ │ ├── pvc.yaml │ │ │ ├── secret.yaml │ │ │ ├── service-account.yaml │ │ │ └── storage-class.yaml │ │ │ └── values.yaml.tpl │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ └── popeye.yaml.tpl │ ├── variables.tf │ └── workload-identity.tf │ ├── prometheus │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── kube-prometheus-stack.yaml.tpl │ │ ├── monitors.yaml.tpl │ │ ├── prometheus-app.yaml.tpl │ │ ├── prometheus-extras.yaml.tpl │ │ ├── prometheus.yaml.tpl │ │ ├── rbac.yaml.tpl │ │ ├── values.yaml │ │ └── x509-certificate-exporter.yaml.tpl │ ├── variables.tf │ └── workload_identity.tf │ ├── promtail │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── promtail-app.yaml.tpl │ │ ├── promtail-extras.yaml.tpl │ │ ├── promtail-manifests.yaml.tpl │ │ ├── promtail.yaml.tpl │ │ └── values.yaml │ ├── variables.tf │ └── workload-identity.tf │ ├── rabbitmq-operator │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── 
templates │ │ └── rabbitmq-operator.yaml.tpl │ └── variables.tf │ ├── reloader │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ └── reloader.yaml.tpl │ └── variables.tf │ ├── spegel │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ └── spegel.yaml.tpl │ └── variables.tf │ ├── telepresence │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ └── telepresence.yaml.tpl │ └── variables.tf │ ├── trivy │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── starboard-exporter.yaml.tpl │ │ ├── trivy-app.yaml.tpl │ │ ├── trivy-operator.yaml.tpl │ │ ├── trivy.yaml.tpl │ │ └── values.yaml │ ├── variables.tf │ └── workload-identity.tf │ ├── velero │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── storage.tf │ ├── templates │ │ ├── Chart.yaml │ │ ├── values.yaml │ │ ├── velero-app.yaml.tpl │ │ ├── velero-extras.yaml.tpl │ │ ├── velero-manifests.yaml.tpl │ │ └── velero.yaml.tpl │ ├── variables.tf │ └── workload-identity.tf │ └── vpa │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── templates │ ├── Chart.yaml │ ├── goldilocks.yaml.tpl │ ├── values.yaml │ ├── vpa-app.yaml.tpl │ └── vpa.yaml.tpl │ └── variables.tf ├── validation ├── azure │ ├── aks-global │ │ └── main.tf │ ├── aks-regional │ │ └── main.tf │ ├── aks │ │ └── main.tf │ ├── azure-pipelines-agent-vmss │ │ └── main.tf │ ├── core │ │ └── main.tf │ ├── github-runner │ │ └── main.tf │ ├── governance-global │ │ └── main.tf │ ├── governance-regional │ │ └── main.tf │ ├── hub │ │ └── main.tf │ ├── names │ │ └── main.tf │ ├── xkf-governance-global-data │ │ └── main.tf │ └── xkf-governance-global │ │ └── main.tf └── kubernetes │ ├── aad-pod-identity │ └── main.tf │ ├── aks-core │ └── main.tf │ ├── argocd │ └── main.tf │ ├── azure-metrics │ └── main.tf │ ├── azure-policy │ └── main.tf │ ├── azure-service-operator │ └── main.tf │ ├── cert-manager │ └── main.tf │ ├── control-plane-logs │ └── main.tf │ ├── datadog │ └── main.tf │ ├── 
eck-operator │ └── main.tf │ ├── envoy-gateway │ └── main.tf │ ├── external-dns │ └── main.tf │ ├── falco │ └── main.tf │ ├── fluxcd │ └── main.tf │ ├── gatekeeper │ └── main.tf │ ├── gateway-api │ └── main.tf │ ├── grafana-agent │ └── main.tf │ ├── grafana-alloy │ └── main.tf │ ├── grafana-k8s-monitoring │ └── main.tf │ ├── helm-crd-oci │ └── main.tf │ ├── helm-crd │ └── main.tf │ ├── ingress-nginx │ └── main.tf │ ├── karpenter │ └── main.tf │ ├── linkerd │ └── main.tf │ ├── litmus │ └── main.tf │ ├── nginx-gateway-fabric │ └── main.tf │ ├── node-ttl │ └── main.tf │ ├── popeye │ └── main.tf │ ├── prometheus │ └── main.tf │ ├── promtail │ └── main.tf │ ├── rabbitmq-operator │ └── main.tf │ ├── reloader │ └── main.tf │ ├── spegel │ └── main.tf │ ├── telepresence │ └── main.tf │ ├── trivy │ └── main.tf │ ├── velero │ └── main.tf │ └── vpa │ └── main.tf └── xenit-changelog.toml /.github/dependabot.yaml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "github-actions" 4 | directory: "/" 5 | schedule: 6 | interval: "weekly" 7 | - package-ecosystem: "terraform" 8 | directory: "/" 9 | schedule: 10 | interval: "daily" 11 | -------------------------------------------------------------------------------- /.github/workflows/changelog.yaml: -------------------------------------------------------------------------------- 1 | name: changelog 2 | on: 3 | push: 4 | branches: 5 | - 'main' 6 | paths-ignore: 7 | - CHANGELOG.md 8 | jobs: 9 | changelog: 10 | name: Generate CHANGELOG 11 | runs-on: ubuntu-latest 12 | steps: 13 | - name: Checkout 14 | uses: actions/checkout@v4 15 | with: 16 | fetch-depth: 0 17 | - name: Generate 18 | uses: orhun/git-cliff-action@v4 19 | id: git-cliff 20 | with: 21 | config: xenit-changelog.toml 22 | args: --verbose 2023.10.2.. 
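# (continuation of .github/workflows/changelog.yaml: env of the git-cliff step; the file's head is on the previous listing line)
        env:
          GITHUB_REPO: ${{ github.repository }}
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          OUTPUT: CHANGELOG.md
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v7
        with:
          token: "${{ secrets.GITHUB_TOKEN }}"
          committer: GitHub
          commit-message: "Update CHANGELOG"
          title: "doc: update CHANGELOG"
          delete-branch: true
          branch: update/CHANGELOG
          labels: |
            documentation
          add-paths: |
            CHANGELOG.md
--------------------------------------------------------------------------------
/.github/workflows/xkf-templates.yaml:
--------------------------------------------------------------------------------
# Dispatches the `upgrade.yaml` workflow in XenitAB/xkf-templates whenever a
# release of this repository is published, passing the release tag as `version`.
on:
  release:
    types: [published]

# The only credential used is the GitHub App token minted below; the job never
# needs the workflow's own GITHUB_TOKEN, so grant it no scopes at all.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Generate token
        # NOTE(review): pinned to a mutable tag; a commit-SHA pin would make the
        # action immutable (the dependabot config keeps such pins current).
        uses: tibdex/github-app-token@v1
        id: generate_token
        with:
          app_id: ${{ secrets.GH_ACTION_APP_ID }}
          private_key: ${{ secrets.GH_ACTION_APP_PRIVATE_KEY }}

      - name: Workflow dispatch xkf-templates
        id: dispatch
        env:
          # `inputs.version` was dropped: this workflow only runs on the release
          # trigger and declares no inputs, and the shell overwrote it anyway.
          TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
          # No `set -x`: tracing echoes the expanded curl command line, bearer
          # token included, into the job log; log masking is best-effort only.
          set -euo pipefail
          # refs/tags/<tag> -> <tag>
          VERSION=${GITHUB_REF#refs/*/}
          # Build the JSON with jq so a tag containing quotes cannot break the
          # payload, and let curl fail the step on a non-2xx response instead
          # of reporting success for a rejected dispatch.
          BODY=$(jq -nc --arg v "$VERSION" '{ref: "main", inputs: {version: $v}}')
          curl \
            --fail --silent --show-error \
            -X POST \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer $TOKEN" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            https://api.github.com/repos/XenitAB/xkf-templates/actions/workflows/upgrade.yaml/dispatches \
            -d "$BODY"
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Local .terraform directories
**/.terraform/*

# .tfstate files
*.tfstate
*.tfstate.*

# Crash log files
crash.log
crash.*.log

# Ignore any .tfvars files that are generated automatically for each Terraform run.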
Most 13 | # .tfvars files are managed as part of configuration and so should be included in 14 | # version control. 15 | # 16 | # example.tfvars 17 | 18 | # Ignore override files as they are usually used to override resources locally and so 19 | # are not checked in 20 | override.tf 21 | override.tf.json 22 | *_override.tf 23 | *_override.tf.json 24 | 25 | # Include override files you do wish to add to version control using negated pattern 26 | # 27 | # !example_override.tf 28 | 29 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan 30 | # example: *tfplan* 31 | 32 | .terraform.lock.hcl 33 | .terraform.lock.hcl* 34 | 35 | # tflint plugins 36 | tflint/* 37 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Vulnerability Disclosure Policy 2 | 3 | See [xenit.se/vdp](https://xenit.se/vdp/) for more information. 4 | -------------------------------------------------------------------------------- /assets/fluxcd-v2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/assets/fluxcd-v2.jpg -------------------------------------------------------------------------------- /modules/azure-ad/.tflint.hcl: -------------------------------------------------------------------------------- 1 | config { 2 | force = false 3 | disabled_by_default = false 4 | } 5 | 6 | rule "terraform_deprecated_interpolation" { 7 | enabled = true 8 | } 9 | 10 | rule "terraform_deprecated_index" { 11 | enabled = true 12 | } 13 | 14 | rule "terraform_unused_declarations" { 15 | enabled = true 16 | } 17 | 18 | rule "terraform_comment_syntax" { 19 | enabled = true 20 | } 21 | 22 | rule "terraform_documented_outputs" { 23 | enabled = true 24 | } 25 | 26 | rule "terraform_documented_variables" { 27 | enabled = 
true 28 | } 29 | 30 | rule "terraform_typed_variables" { 31 | enabled = true 32 | } 33 | 34 | rule "terraform_module_pinned_source" { 35 | enabled = true 36 | } 37 | 38 | rule "terraform_naming_convention" { 39 | enabled = true 40 | } 41 | 42 | rule "terraform_required_version" { 43 | enabled = true 44 | } 45 | 46 | rule "terraform_required_providers" { 47 | enabled = true 48 | } 49 | 50 | rule "terraform_standard_module_structure" { 51 | enabled = true 52 | } 53 | 54 | rule "terraform_workspace_remote" { 55 | enabled = true 56 | } 57 | -------------------------------------------------------------------------------- /modules/azure-ad/README.md: -------------------------------------------------------------------------------- 1 | # Azure AD Terraform modules 2 | 3 | This directory contains all the Azure AD Terraform modules. 4 | 5 | ## Modules 6 | 7 | - [`azad-kube-proxy`](azad-kube-proxy/README.md) 8 | 9 | ## Style Guide 10 | 11 | TBD 12 | -------------------------------------------------------------------------------- /modules/azure/.tflint.hcl: -------------------------------------------------------------------------------- 1 | plugin "azurerm" { 2 | enabled = true 3 | version = "0.26.0" 4 | source = "github.com/terraform-linters/tflint-ruleset-azurerm" 5 | } 6 | 7 | config { 8 | force = false 9 | disabled_by_default = false 10 | } 11 | 12 | rule "terraform_deprecated_interpolation" { 13 | enabled = true 14 | } 15 | 16 | rule "terraform_deprecated_index" { 17 | enabled = true 18 | } 19 | 20 | rule "terraform_unused_declarations" { 21 | enabled = true 22 | } 23 | 24 | rule "terraform_comment_syntax" { 25 | enabled = true 26 | } 27 | 28 | rule "terraform_documented_outputs" { 29 | enabled = true 30 | } 31 | 32 | rule "terraform_documented_variables" { 33 | enabled = true 34 | } 35 | 36 | rule "terraform_typed_variables" { 37 | enabled = true 38 | } 39 | 40 | rule "terraform_module_pinned_source" { 41 | enabled = true 42 | } 43 | 44 | rule 
"terraform_naming_convention" { 45 | enabled = true 46 | } 47 | 48 | rule "terraform_required_version" { 49 | enabled = true 50 | } 51 | 52 | rule "terraform_required_providers" { 53 | enabled = true 54 | } 55 | 56 | rule "terraform_standard_module_structure" { 57 | enabled = true 58 | } 59 | 60 | rule "terraform_workspace_remote" { 61 | enabled = true 62 | } 63 | -------------------------------------------------------------------------------- /modules/azure/aks-global/dns.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_dns_zone" "this" { 2 | for_each = { 3 | for dns in var.dns_zone : 4 | dns => dns 5 | } 6 | name = each.key 7 | resource_group_name = azurerm_resource_group.this.name 8 | } 9 | -------------------------------------------------------------------------------- /modules/azure/aks-global/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.1.7" 3 | required_providers { 4 | azurerm = { 5 | version = "4.19.0" 6 | source = "hashicorp/azurerm" 7 | } 8 | azuread = { 9 | version = "2.50.0" 10 | source = "hashicorp/azuread" 11 | } 12 | } 13 | } 14 | 15 | resource "azurerm_resource_group" "this" { 16 | name = "rg-${var.environment}-${var.location_short}-global" 17 | location = var.location 18 | tags = { 19 | "Environment" = var.environment, 20 | "LocationShort" = var.location_short, 21 | "description" = "Global resources", 22 | } 23 | } 24 | 25 | resource "azurerm_management_lock" "rg" { 26 | for_each = { 27 | for l in ["rg-global"] : 28 | l => l 29 | if var.lock_resource_group 30 | } 31 | 32 | name = "DoNotDelete" 33 | scope = azurerm_resource_group.this.id 34 | lock_level = "CanNotDelete" 35 | notes = "This Resource Group can't be deleted without first removing the lock." 
36 | } 37 | -------------------------------------------------------------------------------- /modules/azure/aks-global/outputs.tf: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /modules/azure/aks-regional/kv.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_key_vault" "core" { 2 | name = join("-", compact(["kv-${var.environment}-${var.location_short}-${var.core_name}", var.unique_suffix])) 3 | resource_group_name = "rg-${var.environment}-${var.location_short}-${var.core_name}" 4 | } 5 | -------------------------------------------------------------------------------- /modules/azure/aks-regional/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | aks_public_ip_prefix_ids = [for prefix in azurerm_public_ip_prefix.aks : prefix.id] 3 | aks_public_ip_prefix_ips = [for prefix in azurerm_public_ip_prefix.aks : prefix.ip_prefix] 4 | aks_public_ip_preifx_name = var.public_ip_prefix_name_override == "" ? 
"pip-prefix-${var.environment}-${var.location_short}-${var.name}-aks" : var.public_ip_prefix_name_override 5 | aad_pod_identity = { 6 | for k, v in azurerm_user_assigned_identity.aad_pod_identity : 7 | k => { id = v.id, client_id = v.client_id } 8 | } 9 | 10 | key_vault_default_permissions = { 11 | key_permissions = [ 12 | "Backup", 13 | "Create", 14 | "Decrypt", 15 | "Delete", 16 | "Encrypt", 17 | "Get", 18 | "Import", 19 | "List", 20 | "Purge", 21 | "Recover", 22 | "Restore", 23 | "Sign", 24 | "UnwrapKey", 25 | "Update", 26 | "Verify", 27 | "WrapKey" 28 | ] 29 | secret_permissions = [ 30 | "Backup", 31 | "Delete", 32 | "Get", 33 | "List", 34 | "Purge", 35 | "Recover", 36 | "Restore", 37 | "Set" 38 | ] 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /modules/azure/aks-regional/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * # Azure Kubernetes Service - Global 3 | * 4 | * This module is used to create resources that are used by AKS clusters. 
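*/

terraform {
  required_version = ">= 1.3.0"

  required_providers {
    azurerm = {
      version = "4.19.0"
      source  = "hashicorp/azurerm"
    }
    azuread = {
      version = "2.50.0"
      source  = "hashicorp/azuread"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.5.1"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "4.0.4"
    }
  }
}

# Tenant of the credentials running this module; consumed by the Key Vault
# access policy in xenit.tf.
data "azurerm_client_config" "current" {}

# Regional resource group the module deploys into; it must already exist.
data "azurerm_resource_group" "this" {
  name = "rg-${var.environment}-${var.location_short}-${var.name}"
}
--------------------------------------------------------------------------------
/modules/azure/aks-regional/network.tf:
--------------------------------------------------------------------------------
# Virtual network owned by the core module (looked up here, not created).
data "azurerm_virtual_network" "vnet" {
  name                = "vnet-${var.environment}-${var.location_short}-${var.core_name}"
  resource_group_name = "rg-${var.environment}-${var.location_short}-${var.core_name}"
}

# Lets the AKS identity join subnets and manage network resources in the VNet.
# "Network Contributor" covers every Microsoft.Network action at this scope,
# which is what AKS needs for a bring-your-own VNet; the previous "Contributor"
# grant additionally allowed unrelated resource-provider actions on the VNet.
resource "azurerm_role_assignment" "vnet" {
  scope                = data.azurerm_virtual_network.vnet.id
  role_definition_name = "Network Contributor"
  principal_id         = var.aks_managed_identity
}
--------------------------------------------------------------------------------
/modules/azure/aks-regional/outbound-ips.tf:
--------------------------------------------------------------------------------
# Zone-redundant public IP prefixes for cluster egress; their ids and ranges
# are collected in locals.tf (aks_public_ip_prefix_ids / _ips).
resource "azurerm_public_ip_prefix" "aks" {
  count = var.public_ip_prefix_configuration.count

  name                = "${local.aks_public_ip_preifx_name}-${count.index}"
  resource_group_name = data.azurerm_resource_group.this.name
  location            = data.azurerm_resource_group.this.location
  prefix_length       = var.public_ip_prefix_configuration.prefix_length
  zones               = ["1", "2", "3"]
}
--------------------------------------------------------------------------------
/modules/azure/aks-regional/ssh.tf: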
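--------------------------------------------------------------------------------
# SSH key pair for the AKS nodes. The tls provider keeps the private key in
# Terraform state, so the state backend has to be treated as holding a secret.
resource "tls_private_key" "ssh_key" {
  algorithm = "RSA"
  rsa_bits  = 4096 # schema type is number; the former "4096" relied on implicit conversion
}

# Stores the whole tls_private_key resource (private and public key material,
# as one JSON document) in the core Key Vault. No expiration_date is set, which
# is what the tfsec suppression covers.
#tfsec:ignore:AZU023
resource "azurerm_key_vault_secret" "ssh_key" {
  name         = "ssh-priv-aks-${var.environment}-${var.location_short}"
  value        = jsonencode(tls_private_key.ssh_key)
  key_vault_id = data.azurerm_key_vault.core.id
  content_type = "application/json"
}
--------------------------------------------------------------------------------
/modules/azure/aks-regional/xenit.tf:
--------------------------------------------------------------------------------
# User-assigned identity ("-xenit") in the regional resource group; its
# consumers are not visible from this module.
resource "azurerm_user_assigned_identity" "xenit" {
  resource_group_name = data.azurerm_resource_group.this.name
  location            = data.azurerm_resource_group.this.location
  name                = "uai-${var.environment}-${var.location_short}-${var.name}-xenit"
}

# Allows the AKS identity to assign this identity to pods/nodes and nothing
# more: the role is scoped to the identity resource itself.
resource "azurerm_role_assignment" "xenit" {
  scope                = azurerm_user_assigned_identity.xenit.id
  role_definition_name = "Managed Identity Operator"
  principal_id         = var.aks_managed_identity
}

# Key Vault access for the identity. NOTE(review): the shared defaults from
# locals.tf grant the full key/secret permission set, including Purge; a
# workload that only reads secrets needs Get/List — worth narrowing once the
# consumers of this identity are known.
resource "azurerm_key_vault_access_policy" "xenit" {
  key_vault_id       = data.azurerm_key_vault.core.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_user_assigned_identity.xenit.principal_id
  key_permissions    = local.key_vault_default_permissions.key_permissions
  secret_permissions = local.key_vault_default_permissions.secret_permissions
}
--------------------------------------------------------------------------------
/modules/azure/aks/modules.tf:
--------------------------------------------------------------------------------
# Optional start/stop automation for the cluster. The single-key for_each is an
# on/off switch driven by var.aks_automation_enabled and keeps the instance
# address stable at module.automation["automation"].
module "automation" {
  depends_on = [azurerm_kubernetes_cluster.this]

  for_each = {
    for s in ["automation"] :
    s => s
    if var.aks_automation_enabled
  }

  source = "./automation"

  aks_managed_identity       = var.aad_groups.aks_managed_identity.id
  aks_name                   = azurerm_kubernetes_cluster.this.name
  aks_automation_config      = var.aks_automation_config
  aks_joblogs_retention_days = var.aks_joblogs_retention_days
  alerts_enabled             = var.alerts_enabled
  alerts_resource_group_name = data.azurerm_resource_group.log.name
  alert_name                 = "audit log${var.environment}${var.location_short}${var.name}${var.unique_suffix} storage account missing data"
  location                   = var.location
  location_short             = var.location_short
  notification_email         = var.notification_email
  resource_group_name        = data.azurerm_resource_group.this.name
  environment                = var.environment
  storage_account_id         = data.azurerm_storage_account.log.id
}
--------------------------------------------------------------------------------
/modules/azure/aks/outputs.tf:
--------------------------------------------------------------------------------
# Cluster-admin credentials for the created cluster. All four fields now come
# from kube_admin_config; before, host was read from kube_config while the
# certificate, key and CA came from kube_admin_config, mixing two credential
# sets. `sensitive` redacts the values from plan/apply output, but they still
# land in state and are available to every caller of the module.
output "kube_config" {
  description = "Admin kube config (cluster-admin credentials) for the created AKS cluster"
  sensitive   = true
  value = {
    host                   = azurerm_kubernetes_cluster.this.kube_admin_config[0].host
    client_certificate     = base64decode(azurerm_kubernetes_cluster.this.kube_admin_config[0].client_certificate)
    client_key             = base64decode(azurerm_kubernetes_cluster.this.kube_admin_config[0].client_key)
    cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.this.kube_admin_config[0].cluster_ca_certificate)
  }
}
--------------------------------------------------------------------------------
/modules/azure/azure-pipelines-agent-vmss/locals.tf:
--------------------------------------------------------------------------------
# Derived names: an explicitly passed name wins when non-empty, otherwise the
# repository's rg-/kv-<environment>-<location_short>-<name> convention applies.
locals {
  resource_group_name = var.resource_group_name == "" ? "rg-${var.environment}-${var.location_short}-${var.name}" : var.resource_group_name
  keyvault_name = var.keyvault_name == "" ?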
join("-", compact(["kv-${var.environment}-${var.location_short}-${var.name}", var.unique_suffix])) : var.keyvault_name 4 | keyvault_resource_group_name = var.keyvault_resource_group_name == "" ? local.resource_group_name : var.keyvault_resource_group_name 5 | } 6 | -------------------------------------------------------------------------------- /modules/azure/azure-pipelines-agent-vmss/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/azure/azure-pipelines-agent-vmss/outputs.tf -------------------------------------------------------------------------------- /modules/azure/core/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * # Core 3 | * 4 | * This module is used to create core resources like virtual network for the subscription. 5 | * This module assumes that you have a RG called `rg-<environment>-<location_short>-log`. 6 | * Easiest is to define this RG in the governance module. 
7 | */ 8 | 9 | terraform { 10 | required_version = ">= 1.3.0" 11 | 12 | required_providers { 13 | azurerm = { 14 | version = "4.19.0" 15 | source = "hashicorp/azurerm" 16 | } 17 | azuread = { 18 | version = "2.50.0" 19 | source = "hashicorp/azuread" 20 | } 21 | azurecaf = { 22 | source = "aztfmod/azurecaf" 23 | version = "2.0.0-preview3" 24 | } 25 | } 26 | } 27 | 28 | module "names" { 29 | source = "../names" 30 | 31 | resource_name_overrides = var.resource_name_overrides 32 | subscription_name = var.subscription_name 33 | environment = var.environment 34 | location_short = var.location_short 35 | unique_suffix = var.unique_suffix 36 | azure_ad_group_prefix = var.azure_ad_group_prefix 37 | azure_role_definition_prefix = var.azure_role_definition_prefix 38 | } 39 | -------------------------------------------------------------------------------- /modules/azure/core/outputs.tf: -------------------------------------------------------------------------------- 1 | output "virtual_network" { 2 | description = "Output for Azure Virtual Network" 3 | value = azurerm_virtual_network.this 4 | } 5 | 6 | output "subnets" { 7 | description = "Output for Azure Virtual Network Subnets" 8 | value = { 9 | standard = azurerm_subnet.this 10 | aks = azurerm_subnet.aks 11 | } 12 | } 13 | 14 | output "route_tables" { 15 | description = "Output for Azure Routing Tables" 16 | value = azurerm_route_table.this 17 | } 18 | 19 | output "network_security_groups" { 20 | description = "Output for Azure Network Security Groups" 21 | value = azurerm_network_security_group.this 22 | } 23 | -------------------------------------------------------------------------------- /modules/azure/core/rg.tf: -------------------------------------------------------------------------------- 1 | # Add datasource for resource group 2 | data "azurecaf_name" "azurerm_resource_group_this" { 3 | name = var.name 4 | resource_type = "azurerm_resource_group" 5 | prefixes = module.names.this.azurerm_resource_group.prefixes 6 
suffixes = module.names.this.azurerm_resource_group.suffixes
  use_slug = false
}

# Looked up, not created (see the naming data source above).
data "azurerm_resource_group" "this" {
  name = data.azurecaf_name.azurerm_resource_group_this.result
}
--------------------------------------------------------------------------------
/modules/azure/core/storage.tf:
--------------------------------------------------------------------------------
# CAF-compliant name for the optional storage account. The single-element
# for_each keyed on "storage_account" is the module's idiom for "create zero or
# one of these", gated by var.enable_storage_account.
data "azurecaf_name" "azurerm_storage_account_this" {
  for_each = {
    for s in ["storage_account"] :
    s => s
    if var.enable_storage_account
  }

  name          = var.name
  resource_type = "azurerm_storage_account"
  prefixes      = module.names.this.azurerm_storage_account.prefixes
  suffixes      = module.names.this.azurerm_storage_account.suffixes
  use_slug      = false
}

# Optional general-purpose storage account in the core resource group.
#
# NOTE(review): what is hardened here is the transport floor (TLS 1.2) and
# anonymous blob/container access (off). Everything else is left at the
# provider default because it is not set: no `network_rules` and no
# `public_network_access_enabled = false` (reachable from any network),
# `shared_access_key_enabled` stays on (account-key auth), and no
# `blob_properties` (soft delete / versioning not managed here). GRS also
# copies the data to the paired region. Confirm those defaults are acceptable
# for whatever callers put in this account.
resource "azurerm_storage_account" "this" {
  for_each = {
    for s in ["storage_account"] : # NOTE: We're not using underscore for this usually, should be "storage-account".
    s => s
    if var.enable_storage_account
  }

  name                            = data.azurecaf_name.azurerm_storage_account_this["storage_account"].result
  resource_group_name             = data.azurerm_resource_group.this.name
  location                        = data.azurerm_resource_group.this.location
  account_tier                    = "Standard"
  account_replication_type        = "GRS"
  account_kind                    = "StorageV2"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
}
--------------------------------------------------------------------------------
/modules/azure/github-runner/locals.tf:
--------------------------------------------------------------------------------
locals {
  resource_group_name = var.resource_group_name == "" ? "rg-${var.environment}-${var.location_short}-${var.name}" : var.resource_group_name
  keyvault_name       = var.keyvault_name == "" ?
join("-", compact(["kv-${var.environment}-${var.location_short}-${var.name}", var.unique_suffix])) : var.keyvault_name 4 | keyvault_resource_group_name = var.keyvault_resource_group_name == "" ? local.resource_group_name : var.keyvault_resource_group_name 5 | custom_data = templatefile("${path.module}/templates/cloud-init.tpl", { azure_keyvault_name = local.keyvault_name, github_organization_kvsecret = var.github_organization_kvsecret, github_app_id_kvsecret = var.github_app_id_kvsecret, github_installation_id_kvsecret = var.github_installation_id_kvsecret, github_private_key_kvsecret = var.github_private_key_kvsecret }) 6 | } 7 | -------------------------------------------------------------------------------- /modules/azure/github-runner/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/azure/github-runner/outputs.tf -------------------------------------------------------------------------------- /modules/azure/github-runner/templates/cloud-init.tpl: -------------------------------------------------------------------------------- 1 | #cloud-config 2 | write_files: 3 | - content: | 4 | { 5 | "AZURE_KEYVAULT_NAME": "${azure_keyvault_name}", 6 | "GITHUB_ORGANIZATION_KVSECRET": "${github_organization_kvsecret}", 7 | "GITHUB_APP_ID_KVSECRET": "${github_app_id_kvsecret}", 8 | "GITHUB_INSTALLATION_ID_KVSECRET": "${github_installation_id_kvsecret}", 9 | "GITHUB_PRIVATE_KEY_KVSECRET": "${github_private_key_kvsecret}" 10 | } 11 | path: /etc/github-runner/github-runner-config.json -------------------------------------------------------------------------------- /modules/azure/governance-global/delegate-kv-sp.tf: -------------------------------------------------------------------------------- 1 | data "azurecaf_name" "azuread_application_delegate_kv_aad" { 2 | for_each = { 3 | for rg in var.resource_group_configs : 4 | 
rg.common_name => rg 5 | if rg.delegate_key_vault == true 6 | } 7 | 8 | name = each.key 9 | resource_type = "general" 10 | separator = var.group_name_separator 11 | prefixes = module.names.this.azuread_application_rg.prefixes 12 | suffixes = concat(module.names.this.azuread_application_rg.suffixes, ["kvreader"]) 13 | use_slug = false 14 | } 15 | 16 | resource "azuread_application" "delegate_kv_aad" { 17 | for_each = { 18 | for rg in var.resource_group_configs : 19 | rg.common_name => rg 20 | if rg.delegate_key_vault == true 21 | } 22 | 23 | display_name = data.azurecaf_name.azuread_application_delegate_kv_aad[each.key].result 24 | } 25 | 26 | resource "azuread_service_principal" "delegate_kv_aad" { 27 | for_each = { 28 | for rg in var.resource_group_configs : 29 | rg.common_name => rg 30 | if rg.delegate_key_vault == true 31 | } 32 | 33 | client_id = azuread_application.delegate_kv_aad[each.key].client_id 34 | } 35 | -------------------------------------------------------------------------------- /modules/azure/governance-global/sp-sub-reader.tf: -------------------------------------------------------------------------------- 1 | data "azurecaf_name" "azuread_application_sub_reader_sp" { 2 | name = "reader" 3 | resource_type = "general" 4 | separator = var.group_name_separator 5 | prefixes = module.names.this.azuread_application_sub.prefixes 6 | suffixes = module.names.this.azuread_application_sub.suffixes 7 | use_slug = false 8 | } 9 | 10 | resource "azuread_application" "sub_reader_sp" { 11 | display_name = data.azurecaf_name.azuread_application_sub_reader_sp.result 12 | } 13 | 14 | resource "azuread_service_principal" "sub_reader_sp" { 15 | client_id = azuread_application.sub_reader_sp.client_id 16 | } 17 | 18 | resource "azurerm_role_assignment" "sub_reader_sp" { 19 | scope = data.azurerm_subscription.current.id 20 | role_definition_name = "Reader" 21 | principal_id = azuread_service_principal.sub_reader_sp.object_id 22 | } 23 | 
--------------------------------------------------------------------------------
/modules/azure/governance-regional/aad-group-rg.tf:
--------------------------------------------------------------------------------
# AAD Group for Resource Group Owners
#
# NOTE(review): Owner includes Microsoft.Authorization/* on the scope, so
# members of the rg_owner group can grant any role (to themselves or others)
# inside the resource group. Of the three assignments in this file this is the
# only one that lets its principals change access; keep that group's
# membership as tight as a subscription-owner group.
resource "azurerm_role_assignment" "rg_owner" {
  for_each = {
    for rg in var.resource_group_configs :
    rg.common_name => rg
  }

  scope                = azurerm_resource_group.rg[each.key].id
  role_definition_name = "Owner"
  principal_id         = var.azuread_groups.rg_owner[each.value.common_name].id
}

# AAD Group for Resource Group Contributors (full data-plane/control-plane
# management, but no role assignments).
resource "azurerm_role_assignment" "rg_contributor" {
  for_each = {
    for rg in var.resource_group_configs :
    rg.common_name => rg
  }

  scope                = azurerm_resource_group.rg[each.key].id
  role_definition_name = "Contributor"
  principal_id         = var.azuread_groups.rg_contributor[each.value.common_name].id
}

# AAD Group for Resource Group Readers
resource "azurerm_role_assignment" "rg_reader" {
  for_each = {
    for rg in var.resource_group_configs :
    rg.common_name => rg
  }

  scope                = azurerm_resource_group.rg[each.key].id
  role_definition_name = "Reader"
  principal_id         = var.azuread_groups.rg_reader[each.value.common_name].id
}
--------------------------------------------------------------------------------
/modules/azure/governance-regional/locals.tf:
--------------------------------------------------------------------------------
locals {
  # Default Key Vault *access-policy* permission set (the vault-access-policy
  # model, not Azure RBAC). Where it is applied is decided in the delegate-kv
  # files of this module, not visible here.
  #
  # NOTE(review): this is effectively full control over keys, secrets and
  # certificates, including `Purge` (permanent removal of soft-deleted items)
  # and `Delete`/`Restore`/`Import`. Purge is only neutralised by purge
  # protection on the vault itself; confirm the vaults this is applied to have
  # it enabled, or trim the list for principals that only read.
  key_vault_default_permissions = {
    key_permissions = [
      "Backup",
      "Create",
      "Decrypt",
      "Delete",
      "Encrypt",
      "Get",
      "Import",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Sign",
      "UnwrapKey",
      "Update",
      "Verify",
      "WrapKey"
    ]
    secret_permissions = [
      "Backup",
      "Delete",
      "Get",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Set"
    ]
    certificate_permissions = [
      "Backup",
      "Create",
      "Delete",
      "DeleteIssuers",
      "Get",
      "GetIssuers",
      "Import",
      "List",
      "ListIssuers",
      "ManageContacts",
      "ManageIssuers",
      "Purge",
      "Recover",
      "Restore",
      "SetIssuers",
      "Update"
    ]
  }
}
--------------------------------------------------------------------------------
/modules/azure/governance-regional/main.tf:
--------------------------------------------------------------------------------
/**
 * # Governance (Regional)
 *
 * This module is used for governance on a regional level and not using any specific resource groups. Replaces the old `governance` together with `governance-global`.
 */

terraform {
  required_version = ">= 1.3.0"

  # Exact pins for every provider, including the third-party `pal` and
  # `azurecaf` ones.
  required_providers {
    azurerm = {
      version = "4.19.0"
      source  = "hashicorp/azurerm"
    }
    azuread = {
      version = "2.50.0"
      source  = "hashicorp/azuread"
    }
    random = {
      version = "3.5.1"
      source  = "hashicorp/random"
    }
    pal = {
      version = "0.2.5"
      source  = "xenitab/pal"
    }
    azurecaf = {
      source  = "aztfmod/azurecaf"
      version = "2.0.0-preview3"
    }
  }
}

# Identity of the deploying principal and its subscription; both are reused by
# the other files of this module.
data "azurerm_subscription" "current" {}
data "azurerm_client_config" "current" {}

module "names" {
  source = "../names"

  resource_name_overrides = var.resource_name_overrides
  environment             = var.environment
  location_short          = var.location_short
  unique_suffix           = var.unique_suffix
}
--------------------------------------------------------------------------------
/modules/azure/governance-regional/outputs.tf:
--------------------------------------------------------------------------------
# Names (not IDs) of the delegated Key Vaults, keyed like azurerm_key_vault.delegate_kv.
output "key_vault_name" {
  description = "Output each keyvault name"
  value = {
    name = {
      for key, value in azurerm_key_vault.delegate_kv :
      key => {
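name = value.name
      }
    }
  }
}
--------------------------------------------------------------------------------
/modules/azure/governance-regional/sp-sub-reader.tf:
--------------------------------------------------------------------------------
# Client secret for the subscription-reader service principal (the application
# itself is created in governance-global and arrives through var.azuread_apps).
#
# NOTE(review): the password is valid for ten years from the first apply and
# `ignore_changes` on end_date means Terraform never rotates it; rotation is a
# deliberate `terraform apply -replace` of this resource. The plaintext value is
# held in state, here and again inside the Key Vault secret below.
resource "azuread_application_password" "sub_reader_sp" {
  application_id = var.azuread_apps.sub_reader.application_object_id
  end_date       = timeadd(timestamp(), "87600h") # 10 years, fixed at first apply

  lifecycle {
    # timestamp() is re-evaluated on every plan; without this the password
    # would be replaced (and every consumer broken) on each apply.
    ignore_changes = [
      end_date
    ]
  }
}

# The reader credentials as one JSON document in the core Key Vault, for
# consumers that read tenant/subscription/client id/secret together.
#
# Fix: the Key Vault secret now carries the password's own end date as its
# `expiration_date`, so vault metadata (and anything that alerts on expiring
# secrets) reflects when the credential actually stops working; previously the
# secret had no expiry at all. The tfsec suppression is kept only because the
# expiry is a computed value the linter may not resolve at scan time.
#tfsec:ignore:AZU023
resource "azurerm_key_vault_secret" "sub_reader_sp" {
  name = replace(var.azuread_apps.sub_reader.display_name, ".", "-")
  value = jsonencode({
    tenantId       = data.azurerm_subscription.current.tenant_id
    subscriptionId = data.azurerm_subscription.current.subscription_id
    clientId       = var.azuread_apps.sub_reader.client_id
    clientSecret   = azuread_application_password.sub_reader_sp.value
  })
  key_vault_id    = azurerm_key_vault.delegate_kv[var.core_name].id
  content_type    = "application/json"
  expiration_date = azuread_application_password.sub_reader_sp.end_date

  depends_on = [
    # ap_owner_spn is defined elsewhere in this module; presumably the access
    # policy that lets the deploying principal write secrets, which must exist
    # before this write is attempted.
    azurerm_key_vault_access_policy.ap_owner_spn
  ]
}
--------------------------------------------------------------------------------
/modules/azure/hub/locals.tf:
--------------------------------------------------------------------------------
locals {
  # Flattened subnet definitions; the full name embeds environment, region and
  # hub name so it is unique across hubs.
  subnets = [
    for subnet in var.vnet_config.subnets : {
      vnet_resource            = "${var.environment}-${var.location_short}-${var.name}"
      subnet_full_name         = "sn-${var.environment}-${var.location_short}-${var.name}-${subnet.name}"
      subnet_short_name        = subnet.name
      subnet_cidr              = subnet.cidr
      subnet_service_endpoints = subnet.service_endpoints
    }
  ]

  # One entry per configured peering, named after the hub plus the peering name.
  peerings = [
    for peering_config in var.peering_config : {
      name           = "${var.environment}-${var.location_short}-${var.name}-${peering_config.name}"
      peering_config = peering_config
    }
  ]
}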
-------------------------------------------------------------------------------- /modules/azure/hub/outputs.tf: -------------------------------------------------------------------------------- 1 | output "subnets" { 2 | description = "Subnet information" 3 | value = azurerm_subnet.this 4 | } 5 | 6 | output "resource_groups" { 7 | description = "Resource group information" 8 | value = data.azurerm_resource_group.this 9 | } 10 | 11 | output "virtual_networks" { 12 | description = "Virtual network information" 13 | value = azurerm_virtual_network.this 14 | } 15 | 16 | output "public_ip_prefixes" { 17 | description = "Public IP prefix information" 18 | value = azurerm_public_ip_prefix.this 19 | } 20 | -------------------------------------------------------------------------------- /modules/azure/names/outputs.tf: -------------------------------------------------------------------------------- 1 | output "this" { 2 | description = "resource name configurations to be used with azurecaf_name" 3 | value = local.resource_names 4 | } 5 | -------------------------------------------------------------------------------- /modules/azure/xkf-governance-global-data/outputs.tf: -------------------------------------------------------------------------------- 1 | output "aad_groups" { 2 | description = "Azure AD groups" 3 | value = { 4 | view = { for k, v in data.azuread_group.view : k => { id = v.id, name = v.display_name } } 5 | edit = { for k, v in data.azuread_group.edit : k => { id = v.id, name = v.display_name } } 6 | cluster_admin = { id = data.azuread_group.cluster_admin.id, name = data.azuread_group.cluster_admin.display_name } 7 | cluster_view = { id = data.azuread_group.cluster_view.id, name = data.azuread_group.cluster_view.display_name } 8 | aks_managed_identity = { id = data.azuread_group.aks_managed_identity["aks"].id, name = data.azuread_group.aks_managed_identity["aks"].display_name } 9 | } 10 | } 11 | 
-------------------------------------------------------------------------------- /modules/azure/xkf-governance-global-data/variables.tf: -------------------------------------------------------------------------------- 1 | variable "environment" { 2 | description = "The environemnt" 3 | type = string 4 | } 5 | 6 | variable "subscription_name" { 7 | description = "The commonName for the subscription" 8 | type = string 9 | } 10 | 11 | variable "namespaces" { 12 | description = "The Kubernetes namespaces to create Azure AD groups for" 13 | type = list( 14 | object({ 15 | name = string 16 | }) 17 | ) 18 | } 19 | 20 | variable "group_name_separator" { 21 | description = "Separator for group names" 22 | type = string 23 | default = "-" 24 | } 25 | 26 | variable "group_name_prefix" { 27 | description = "Prefix for Azure AD groups" 28 | type = string 29 | } 30 | -------------------------------------------------------------------------------- /modules/azure/xkf-governance-global/delegate-xks-rg.tf: -------------------------------------------------------------------------------- 1 | resource "azuread_group_member" "resource_group_owner" { 2 | for_each = { 3 | for ns in var.namespaces : 4 | ns.name => ns 5 | } 6 | group_object_id = azuread_group.edit[each.key].id 7 | member_object_id = var.azuread_groups.rg_owner[each.key].id 8 | } 9 | 10 | resource "azuread_group_member" "resource_group_contributor" { 11 | for_each = { 12 | for ns in var.namespaces : 13 | ns.name => ns 14 | } 15 | group_object_id = azuread_group.edit[each.key].id 16 | member_object_id = var.azuread_groups.rg_contributor[each.key].id 17 | } 18 | 19 | resource "azuread_group_member" "resource_group_reader" { 20 | for_each = { 21 | for ns in var.namespaces : 22 | ns.name => ns 23 | } 24 | group_object_id = azuread_group.view[each.key].id 25 | member_object_id = var.azuread_groups.rg_reader[each.key].id 26 | } 27 | -------------------------------------------------------------------------------- 
/modules/azure/xkf-governance-global/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.1.7" 3 | required_providers { 4 | azuread = { 5 | version = "2.50.0" 6 | source = "hashicorp/azuread" 7 | } 8 | azurerm = { 9 | version = "4.19.0" 10 | source = "hashicorp/azurerm" 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /modules/azure/xkf-governance-global/outputs.tf: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /modules/kubernetes/.tflint.hcl: -------------------------------------------------------------------------------- 1 | plugin "azurerm" { 2 | enabled = true 3 | version = "0.26.0" 4 | source = "github.com/terraform-linters/tflint-ruleset-azurerm" 5 | } 6 | 7 | config { 8 | force = false 9 | disabled_by_default = false 10 | } 11 | 12 | rule "terraform_deprecated_interpolation" { 13 | enabled = true 14 | } 15 | 16 | rule "terraform_deprecated_index" { 17 | enabled = true 18 | } 19 | 20 | rule "terraform_unused_declarations" { 21 | enabled = true 22 | } 23 | 24 | rule "terraform_comment_syntax" { 25 | enabled = true 26 | } 27 | 28 | rule "terraform_documented_outputs" { 29 | enabled = true 30 | } 31 | 32 | rule "terraform_documented_variables" { 33 | enabled = true 34 | } 35 | 36 | rule "terraform_typed_variables" { 37 | enabled = true 38 | } 39 | 40 | rule "terraform_module_pinned_source" { 41 | enabled = true 42 | } 43 | 44 | rule "terraform_naming_convention" { 45 | enabled = true 46 | } 47 | 48 | rule "terraform_required_version" { 49 | enabled = true 50 | } 51 | 52 | rule "terraform_required_providers" { 53 | enabled = true 54 | } 55 | 56 | rule "terraform_standard_module_structure" { 57 | enabled = true 58 | } 59 | 60 | rule "terraform_workspace_remote" { 61 | enabled = true 62 | } 63 | 
--------------------------------------------------------------------------------
/modules/kubernetes/aad-pod-identity/main.tf:
--------------------------------------------------------------------------------
/**
 * # Azure AD POD Identity (AAD-POD-Identity)
 *
 * This module is used to add [`aad-pod-identity`](https://github.com/Azure/aad-pod-identity) to Kubernetes clusters (tested with AKS).
 *
 * NOTE(review): the upstream aad-pod-identity project is deprecated and archived
 * in favour of Azure AD Workload Identity; treat this module as legacy and do
 * not onboard new workloads to it.
 */

terraform {
  required_version = ">= 1.3.0"

  required_providers {
    git = {
      source  = "xenitab/git"
      # NOTE(review): open lower bound, unlike the exact provider pins in the
      # azure modules; whatever the lock file resolved is what runs. Pin it.
      version = ">=0.0.4"
    }
  }
}

# Renders the AzureIdentity/AzureIdentityBinding manifests and commits them into
# the fleet repository at platform/<tenant>/<cluster_id>/templates/, presumably
# where the cluster's Argo CD Application (project/server below) picks them up.
# From the variables, only identity resource IDs and client IDs reach git -
# no credentials (the template itself is not shown here).
resource "git_repository_file" "aad_pod_identity" {
  path = "platform/${var.tenant_name}/${var.cluster_id}/templates/aad-pod-identity.yaml"
  content = templatefile("${path.module}/templates/aad-pod-identity.yaml.tpl", {
    namespaces       = var.namespaces,
    aad_pod_identity = var.aad_pod_identity
    tenant_name      = var.tenant_name
    environment      = var.environment
    project          = var.fleet_infra_config.argocd_project_name
    server           = var.fleet_infra_config.k8s_api_server_url
  })
}
--------------------------------------------------------------------------------
/modules/kubernetes/aad-pod-identity/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/aad-pod-identity/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/aad-pod-identity/variables.tf:
--------------------------------------------------------------------------------
# Managed identities to bind, keyed by name: `id` is the identity's Azure
# resource ID, `client_id` its application (client) ID.
variable "aad_pod_identity" {
  description = "Configuration for aad pod identity"
  type = map(object({
    id        = string
    client_id = string
  }))
}

variable "cluster_id" {
  description = "Unique identifier of the cluster across regions and instances."
11 | type = string 12 | } 13 | 14 | variable "environment" { 15 | description = "The environment name to use for the deploy" 16 | type = string 17 | } 18 | 19 | variable "fleet_infra_config" { 20 | description = "Fleet infra configuration" 21 | type = object({ 22 | git_repo_url = string 23 | argocd_project_name = string 24 | k8s_api_server_url = string 25 | }) 26 | } 27 | 28 | variable "namespaces" { 29 | description = "Namespaces to create AzureIdentity and AzureIdentityBindings in." 30 | type = list( 31 | object({ 32 | name = string 33 | }) 34 | ) 35 | } 36 | 37 | variable "tenant_name" { 38 | description = "The name of the tenant" 39 | type = string 40 | } 41 | -------------------------------------------------------------------------------- /modules/kubernetes/aks-core/aks-core-extras.tf: -------------------------------------------------------------------------------- 1 | # Priority classes allows pods to be scheduled before other pods and evict pods from nodes. 2 | # There are two types of priority classes, platform and tenant. All platform priority classes 3 | # should have a higher priority value than the tenant priority classes. The platform-high 4 | # class is not set to the maximum value on purpose, as to leave space to create even more 5 | # prioritized classes in the future. It is preferred to use these classes rather than 6 | # system-cluster-critical and system-node-critical as they are used by AKS critical pods 7 | # which should have higher priority. 8 | # 9 | # Hot tip if you want to list all pods and their priority class in a cluster. 
10 | # `kubectl get pods --all-namespaces -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,PRIORITY:.spec.priorityClassName` 11 | 12 | resource "helm_release" "aks_core_extras" { 13 | chart = "${path.module}/charts/aks-core-extras" 14 | name = "aks-core-extras-extras" 15 | namespace = "default" 16 | max_history = 3 17 | 18 | set { 19 | name = "spotInstancesHack.enabled" 20 | value = var.platform_config.spot_instances_hack_enabled 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /modules/kubernetes/aks-core/charts/aks-core-extras/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /modules/kubernetes/aks-core/charts/aks-core-extras/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: aks-core-extras 3 | description: A Helm chart for Kubernetes 4 | type: application 5 | version: 0.1.0 6 | appVersion: "1.16.0" 7 | -------------------------------------------------------------------------------- /modules/kubernetes/aks-core/charts/aks-core-extras/values.yaml: -------------------------------------------------------------------------------- 1 | nameOverride: "" 2 | fullnameOverride: "" 3 | spotInstancesHack: 4 | enabled: false 5 | -------------------------------------------------------------------------------- 
/modules/kubernetes/aks-core/k8s-cluster-role-binding-get-nodes.tf: -------------------------------------------------------------------------------- 1 | resource "kubernetes_cluster_role_binding" "get_nodes" { 2 | depends_on = [kubernetes_namespace.tenant] 3 | for_each = { for ns in var.namespaces : ns.name => ns } 4 | 5 | metadata { 6 | name = "${each.value.name}-get-nodes" 7 | 8 | labels = { 9 | "aad-group-name" = var.aad_groups.view[each.key].name 10 | "xkf.xenit.io/kind" = "platform" 11 | } 12 | } 13 | role_ref { 14 | api_group = "rbac.authorization.k8s.io" 15 | kind = "ClusterRole" 16 | name = "get-nodes" 17 | } 18 | subject { 19 | kind = "Group" 20 | name = var.aad_groups.view[each.key].id 21 | api_group = "rbac.authorization.k8s.io" 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /modules/kubernetes/aks-core/k8s-cluster-role-binding.tf: -------------------------------------------------------------------------------- 1 | resource "kubernetes_cluster_role_binding" "cluster_admin" { 2 | metadata { 3 | name = "clusteradmin" 4 | labels = { 5 | "aad-group-name" = var.aad_groups.cluster_admin.name 6 | "xkf.xenit.io/kind" = "platform" 7 | } 8 | } 9 | role_ref { 10 | api_group = "rbac.authorization.k8s.io" 11 | kind = "ClusterRole" 12 | name = "cluster-admin" 13 | } 14 | subject { 15 | kind = "Group" 16 | name = var.aad_groups.cluster_admin.id 17 | api_group = "rbac.authorization.k8s.io" 18 | } 19 | } 20 | 21 | resource "kubernetes_cluster_role_binding" "cluster_view" { 22 | metadata { 23 | name = "clusterview" 24 | labels = { 25 | "aad-group-name" = var.aad_groups.cluster_view.name 26 | "xkf.xenit.io/kind" = "platform" 27 | } 28 | } 29 | role_ref { 30 | api_group = "rbac.authorization.k8s.io" 31 | kind = "ClusterRole" 32 | name = "view" 33 | } 34 | subject { 35 | kind = "Group" 36 | name = var.aad_groups.cluster_view.id 37 | api_group = "rbac.authorization.k8s.io" 38 | } 39 | } 40 | 
-------------------------------------------------------------------------------- /modules/kubernetes/aks-core/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | exclude_namespaces = [ 3 | "aad-pod-identity", 4 | "azure-metrics", 5 | "azureserviceoperator-system", 6 | "calico-system", 7 | "cert-manager", 8 | "controle-plane-logs", 9 | "datadog", 10 | "external-dns", 11 | "falco", 12 | "flux-system", 13 | "grafana-k8s-monitoring", 14 | "ingress-nginx", 15 | "linkerd", 16 | "linkerd-cni", 17 | "linkerd-viz", 18 | "reloader", 19 | "trivy", 20 | "tigera-operator", 21 | "velero", 22 | "grafana-agent", 23 | "promtail", 24 | "prometheus", 25 | "node-ttl", 26 | "spegel", 27 | "vpa", 28 | ] 29 | cluster_id = "${var.location_short}-${var.environment}-${var.name}${local.aks_name_suffix}" 30 | dns_zones = var.external_dns_config.rbac_create ? { 31 | for zone in data.azurerm_dns_zone.this : 32 | zone.name => zone.id 33 | } : { 34 | for zone in var.dns_zones : 35 | zone => zone 36 | } 37 | aad_groups_view = [ 38 | for key, group in var.aad_groups.view : 39 | { 40 | namespace = key 41 | id = group.id 42 | name = group.name 43 | } 44 | ] 45 | } -------------------------------------------------------------------------------- /modules/kubernetes/aks-core/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/aks-core/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/aks-core/priority-expander.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | # Produces a map(string), e.g. {"10" : "[.*standard.*]", "20" : "[.*spot.*]"} 3 | priority_expander_config = var.priority_expander_config == null ? 
{} : { for k, v in var.priority_expander_config : k => format("%s%s%s", "[", join(",", v), "]") } 4 | } 5 | 6 | resource "kubectl_manifest" "priority_expander" { 7 | for_each = { 8 | for s in ["priority_expander"] : 9 | s => s 10 | if var.priority_expander_config != null 11 | } 12 | apply_only = true 13 | yaml_body = templatefile("${path.module}/templates/priority-expander.yaml.tpl", { 14 | priority_expander_config = local.priority_expander_config 15 | }) 16 | } 17 | -------------------------------------------------------------------------------- /modules/kubernetes/aks-core/templates/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: platform-app 3 | description: A Helm chart for deploying xks as an app-of-app 4 | type: application 5 | version: 0.1.0 6 | appVersion: "1.0.0" -------------------------------------------------------------------------------- /modules/kubernetes/aks-core/templates/priority-expander.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: cluster-autoscaler-priority-expander 5 | namespace: kube-system 6 | data: 7 | priorities: |- 8 | %{~ for prio,matches in priority_expander_config ~} 9 | ${prio}: ${matches} 10 | %{~ endfor ~} 11 | -------------------------------------------------------------------------------- /modules/kubernetes/aks-core/templates/values.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/aks-core/templates/values.yaml -------------------------------------------------------------------------------- /modules/kubernetes/argocd/charts/argocd-hub-setup/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 
2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ -------------------------------------------------------------------------------- /modules/kubernetes/argocd/charts/argocd-hub-setup/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: argocd-hub-setup 3 | description: A Helm chart for ArgoCD declarative setup of a hub cluster 4 | type: application 5 | version: 0.1.3 6 | appVersion: "7.8.8" -------------------------------------------------------------------------------- /modules/kubernetes/argocd/charts/argocd-hub-setup/templates/applications.yaml.tpl: -------------------------------------------------------------------------------- 1 | {{- $git_repo_url := .Values.git_repo_url }} 2 | {{- range .Values.azure_tenants }} 3 | {{- $azure_tenant := . }} 4 | {{- range $azure_tenant.clusters }} 5 | {{- $cluster := . 
}} 6 | apiVersion: argoproj.io/v1alpha1 7 | kind: Application 8 | metadata: 9 | name: {{ printf "%s-%s-platform" $azure_tenant.tenant_name $cluster.environment }} 10 | namespace: {{ printf "%s-%s" $azure_tenant.tenant_name $cluster.environment }} 11 | spec: 12 | destination: 13 | namespace: {{ printf "%s-%s" $azure_tenant.tenant_name $cluster.environment }} 14 | server: https://kubernetes.default.svc 15 | project: {{ printf "%s-%s-platform" $azure_tenant.tenant_name $cluster.environment }} 16 | revisionHistoryLimit: 5 17 | source: 18 | path: {{ printf "platform/%s/%s" $azure_tenant.tenant_name $cluster.name }} 19 | repoURL: {{ $git_repo_url }} 20 | targetRevision: HEAD 21 | automated: 22 | prune: false 23 | selfHeal: true 24 | syncPolicy: 25 | syncOptions: 26 | - RespectIgnoreDifferences=true 27 | - ApplyOutOfSyncOnly=true 28 | --- 29 | {{- end }} 30 | {{- end }} -------------------------------------------------------------------------------- /modules/kubernetes/argocd/charts/argocd-hub-setup/templates/namespaces.yaml.tpl: -------------------------------------------------------------------------------- 1 | {{- range .Values.azure_tenants }} 2 | {{- $azure_tenant := . }} 3 | {{- range .clusters }} 4 | {{- $cluster := . }} 5 | apiVersion: v1 6 | kind: Namespace 7 | metadata: 8 | name: {{ printf "%s-%s" $azure_tenant.tenant_name $cluster.environment }} 9 | labels: 10 | xkf.xenit.io/kind: platform 11 | spec: 12 | finalizers: 13 | - kubernetes 14 | --- 15 | {{- end }} 16 | {{- end }} -------------------------------------------------------------------------------- /modules/kubernetes/argocd/charts/argocd-hub-setup/templates/repositories.yaml.tpl: -------------------------------------------------------------------------------- 1 | {{- $secrets := dict }} 2 | {{- range .Values.secrets }} 3 | {{- $_ := set $secrets .name .value }} 4 | {{- end }} 5 | {{- range .Values.azure_tenants }} 6 | {{- $azure_tenant := . }} 7 | {{- range .clusters }} 8 | {{- $cluster := . 
}}
{{- range .tenants }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ printf "repo-%s-%s-%s" $azure_tenant.tenant_name $cluster.environment .name }}
  labels:
    argocd.argoproj.io/secret-type: repository
type: Opaque
data:
  name: {{ printf "%s-%s-%s" $azure_tenant.tenant_name $cluster.environment .name | b64enc }}
  {{- /* "Z2l0" is base64("git"): a plain git repository with username "git". */}}
  type: Z2l0
  url: {{ .repo_url | b64enc }}
  username: Z2l0
  {{- /* NOTE(review): `get` returns "" when .secret_name is not a key of $secrets, so a
         misspelled or missing secret_name silently renders a repository Secret with an empty
         password and the failure only surfaces later as an Argo CD repo auth error.
         Wrapping the lookup in `required` (e.g. `required "unknown secret_name" (get $secrets .secret_name)`)
         would fail the render instead. */}}
  password: {{ get $secrets .secret_name | b64enc }}
---
{{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/modules/kubernetes/argocd/charts/argocd-spoke-setup/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
--------------------------------------------------------------------------------
/modules/kubernetes/argocd/charts/argocd-spoke-setup/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
# NOTE(review): the name says "argocd-hub-setup" while the description (and the directory)
# say this is the spoke chart — looks like a copy-paste leftover; confirm whether anything
# keys off the chart name before renaming it to argocd-spoke-setup.
name: argocd-hub-setup
description: A Helm chart for ArgoCD declarative setup of a spoke cluster
type: application
version: 0.1.0
appVersion: "7.8.8"
--------------------------------------------------------------------------------
/modules/kubernetes/argocd/charts/argocd-spoke-setup/templates/rbac.yaml.tpl:
--------------------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: 
argocd-clusteradmin
# NOTE(review): this binds the identity in .Values.uai_id (presumably the hub cluster's
# Argo CD user-assigned identity — verify against the caller) directly to the built-in
# cluster-admin ClusterRole, i.e. unrestricted access to this spoke. If that is the intended
# hub→spoke model, say so here; any change to this file is a cluster-wide privilege grant.
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: {{ .Values.uai_id }}
    # `namespace` only has meaning for ServiceAccount subjects; the RBAC API documents it as
    # empty for non-namespaced kinds such as User, so this line can be dropped.
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
--------------------------------------------------------------------------------
/modules/kubernetes/argocd/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/argocd/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/azure-metrics/main.tf:
--------------------------------------------------------------------------------
/**
 * # azure-metrics (azure-metrics)
 *
 * This module is used to query azure for metrics that we use to monitor our AKS clusters.
 * We are using: https://github.com/webdevops/azure-metrics-exporter to gather the metrics.
 */

terraform {
  required_version = ">= 1.3.0"

  required_providers {
    # azurerm is pinned to an exact release.
    azurerm = {
      version = "4.19.0"
      source  = "hashicorp/azurerm"
    }
    # NOTE(review): ">=0.0.4" has no upper bound, so any future release of this third-party
    # provider (including a breaking major) is selected on the consumer's next `terraform init`
    # unless their dependency lock file already pins it. A bounded constraint would make the
    # supply-chain exposure explicit and consistent with the exact azurerm pin above.
    git = {
      source  = "xenitab/git"
      version = ">=0.0.4"
    }
  }
}

# Renders the azure-metrics Argo CD manifest and commits it to the fleet-infra repository
# under the tenant/cluster path; the identity referenced here is declared elsewhere in the module.
resource "git_repository_file" "azure_metrics" {
  path = "platform/${var.tenant_name}/${var.cluster_id}/templates/azure-metrics.yaml"
  content = templatefile("${path.module}/templates/azure-metrics.yaml.tpl", {
    tenant_name = var.tenant_name
    environment = var.environment
    client_id   = azurerm_user_assigned_identity.azure_metrics.client_id
    project     = var.fleet_infra_config.argocd_project_name
    server      = var.fleet_infra_config.k8s_api_server_url
  })
}

--------------------------------------------------------------------------------
/modules/kubernetes/azure-metrics/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/azure-metrics/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/azure-policy/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/azure-policy/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/azure-policy/templates/azure-identity-format.yaml.tpl:
--------------------------------------------------------------------------------
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: azureidentityformat
spec:
  crd:
    spec:
      names:
        kind: AzureIdentityFormat
  targets:
    - rego: "package azureidentityformat\n\nviolation[{\"msg\": msg}] 
{\n\tinput.review.kind.kind 12 | == \"AzureIdentity\"\n\n\t# format of resourceId is checked only for user-assigned 13 | MSI\n\tinput.review.object.spec.type == 0\n\tresourceId := input.review.object.spec.resourceID\n\tresult 14 | := re_match(`(?i)/subscriptions/(.+?)/resourcegroups/(.+?)/providers/Microsoft.ManagedIdentity/(.+?)/(.+)`, 15 | resourceId)\n\tresult == false\n\tmsg := sprintf(`The identity resourceId '%v' 16 | is invalid.It must be of the following format: '/subscriptions//resourcegroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/'`, 17 | [resourceId])\n}" 18 | target: admission.k8s.gatekeeper.sh -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/azure-remove-node-spot-taints.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: mutations.gatekeeper.sh/v1beta1 2 | kind: ModifySet 3 | metadata: 4 | name: remove-azure-node-spot-taints 5 | spec: 6 | location: "spec.taints" 7 | applyTo: 8 | - groups: [""] 9 | kinds: ["Node"] 10 | versions: ["v1"] 11 | parameters: 12 | operation: prune 13 | values: 14 | fromList: 15 | - effect: NoSchedule 16 | key: kubernetes.azure.com/scalesetpriority 17 | value: spot -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/container-disallow-privilege-escalation.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: mutations.gatekeeper.sh/v1beta1 2 | kind: Assign 3 | metadata: 4 | name: container-disallow-privilege-escalation 5 | spec: 6 | match: 7 | excludedNamespaces: 8 | - calico-system 9 | - gatekeeper-system 10 | - kube-system 11 | - tigera-operator 12 | - aad-pod-identity 13 | - cert-manager 14 | - csi-secrets-store-provider-azure 15 | - datadog 16 | - external-dns 17 | - falco 18 | - ingress-nginx 19 | - prometheus 20 | - reloader 21 | - spegel 22 | - vpa 
23 | %{ for ns in exclude_namespaces } 24 | - ${ns} 25 | %{ endfor } 26 | scope: Namespaced 27 | kinds: 28 | - apiGroups: ["*"] 29 | kinds: ["Pod"] 30 | applyTo: 31 | - versions: ["v1"] 32 | groups: [""] 33 | kinds: ["Pod"] 34 | location: "spec.containers[name:*].securityContext.allowPrivilegeEscalation" 35 | parameters: 36 | assign: 37 | value: false 38 | pathTests: 39 | - subPath: "spec.containers[name:*].securityContext.allowPrivilegeEscalation" 40 | condition: MustNotExist -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/container-drop-capabilities.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: mutations.gatekeeper.sh/v1beta1 2 | kind: Assign 3 | metadata: 4 | name: container-drop-capabilities 5 | spec: 6 | match: 7 | excludedNamespaces: 8 | - calico-system 9 | - gatekeeper-system 10 | - kube-system 11 | - tigera-operator 12 | - aad-pod-identity 13 | - cert-manager 14 | - csi-secrets-store-provider-azure 15 | - datadog 16 | - external-dns 17 | - falco 18 | - ingress-nginx 19 | - prometheus 20 | - reloader 21 | - spegel 22 | - trivy 23 | - vpa 24 | %{ for ns in exclude_namespaces } 25 | - ${ns} 26 | %{ endfor } 27 | scope: Namespaced 28 | kinds: 29 | - apiGroups: ["*"] 30 | kinds: ["Pod"] 31 | applyTo: 32 | - groups: [""] 33 | versions: ["v1"] 34 | kinds: ["Pod"] 35 | location: "spec.containers[name:*].securityContext.capabilities.drop" 36 | parameters: 37 | assign: 38 | value: 39 | - NET_RAW 40 | - CAP_SYS_ADMIN 41 | pathTests: 42 | - subPath: "spec.containers[name:*].securityContext.capabilities" 43 | condition: MustNotExist -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/container-read-only-root-fs.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: mutations.gatekeeper.sh/v1beta1 2 | kind: Assign 
3 | metadata: 4 | name: container-read-only-root-fs 5 | spec: 6 | match: 7 | excludedNamespaces: 8 | - calico-system 9 | - gatekeeper-system 10 | - kube-system 11 | - tigera-operator 12 | - aad-pod-identity 13 | - cert-manager 14 | - csi-secrets-store-provider-azure 15 | - datadog 16 | - external-dns 17 | - falco 18 | - ingress-nginx 19 | - prometheus 20 | - reloader 21 | - spegel 22 | - vpa 23 | %{ for ns in exclude_namespaces } 24 | - ${ns} 25 | %{ endfor } 26 | scope: Namespaced 27 | kinds: 28 | - apiGroups: ["*"] 29 | kinds: ["Pod"] 30 | applyTo: 31 | - groups: [""] 32 | versions: ["v1"] 33 | kinds: ["Pod"] 34 | location: "spec.containers[name:*].securityContext.readOnlyRootFilesystem" 35 | parameters: 36 | assign: 37 | value: true 38 | pathTests: 39 | - subPath: "spec.containers[name:*].securityContext.readOnlyRootFilesystem" 40 | condition: MustNotExist -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/ephemeral-container-disallow-privilege-escalation.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: mutations.gatekeeper.sh/v1beta1 2 | kind: Assign 3 | metadata: 4 | name: ephemeral-container-disallow-privilege-escalation 5 | spec: 6 | match: 7 | excludedNamespaces: 8 | - calico-system 9 | - gatekeeper-system 10 | - kube-system 11 | - tigera-operator 12 | - aad-pod-identity 13 | - cert-manager 14 | - csi-secrets-store-provider-azure 15 | - datadog 16 | - external-dns 17 | - falco 18 | - ingress-nginx 19 | - prometheus 20 | - reloader 21 | - spegel 22 | - vpa 23 | %{ for ns in exclude_namespaces } 24 | - ${ns} 25 | %{ endfor } 26 | scope: Namespaced 27 | kinds: 28 | - apiGroups: ["*"] 29 | kinds: ["Pod"] 30 | applyTo: 31 | - versions: ["v1"] 32 | groups: [""] 33 | kinds: ["Pod"] 34 | location: "spec.ephemeralContainers[name:*].securityContext.allowPrivilegeEscalation" 35 | parameters: 36 | assign: 37 | value: false 38 | pathTests: 
39 | - subPath: "spec.ephemeralContainers[name:*].securityContext.allowPrivilegeEscalation" 40 | condition: MustNotExist -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/ephemeral-container-drop-capabilities.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: mutations.gatekeeper.sh/v1beta1 2 | kind: Assign 3 | metadata: 4 | name: ephemeral-container-drop-capabilities 5 | spec: 6 | match: 7 | excludedNamespaces: 8 | - calico-system 9 | - gatekeeper-system 10 | - kube-system 11 | - tigera-operator 12 | - aad-pod-identity 13 | - cert-manager 14 | - csi-secrets-store-provider-azure 15 | - datadog 16 | - external-dns 17 | - falco 18 | - ingress-nginx 19 | - prometheus 20 | - reloader 21 | - spegel 22 | - trivy 23 | - vpa 24 | %{ for ns in exclude_namespaces } 25 | - ${ns} 26 | %{ endfor } 27 | scope: Namespaced 28 | kinds: 29 | - apiGroups: ["*"] 30 | kinds: ["Pod"] 31 | applyTo: 32 | - groups: [""] 33 | versions: ["v1"] 34 | kinds: ["Pod"] 35 | location: "spec.ephemeralContainers[name:*].securityContext.capabilities.drop" 36 | parameters: 37 | assign: 38 | value: 39 | - NET_RAW 40 | - CAP_SYS_ADMIN 41 | pathTests: 42 | - subPath: "spec.ephemeralContainers[name:*].securityContext.capabilities" 43 | condition: MustNotExist -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/ephemeral-container-read-only-root-fs.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: mutations.gatekeeper.sh/v1beta1 2 | kind: Assign 3 | metadata: 4 | name: ephemeral-container-read-only-root-fs 5 | spec: 6 | match: 7 | excludedNamespaces: 8 | - calico-system 9 | - gatekeeper-system 10 | - kube-system 11 | - tigera-operator 12 | - aad-pod-identity 13 | - cert-manager 14 | - csi-secrets-store-provider-azure 15 | - cert-manager 16 | - datadog 
17 | - external-dns 18 | - falco 19 | - ingress-nginx 20 | - prometheus 21 | - reloader 22 | - spegel 23 | - vpa 24 | %{ for ns in exclude_namespaces } 25 | - ${ns} 26 | %{ endfor } 27 | scope: Namespaced 28 | kinds: 29 | - apiGroups: ["*"] 30 | kinds: ["Pod"] 31 | applyTo: 32 | - groups: [""] 33 | versions: ["v1"] 34 | kinds: ["Pod"] 35 | location: "spec.ephemeralContainers[name:*].securityContext.readOnlyRootFilesystem" 36 | parameters: 37 | assign: 38 | value: true 39 | pathTests: 40 | - subPath: "spec.ephemeralContainers[name:*].securityContext.readOnlyRootFilesystem" 41 | condition: MustNotExist -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/flux-disable-cross-namespace-source.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: templates.gatekeeper.sh/v1beta1 2 | kind: ConstraintTemplate 3 | metadata: 4 | name: fluxdisablecrossnamespacesource 5 | spec: 6 | crd: 7 | spec: 8 | names: 9 | kind: FluxDisableCrossNamespaceSource 10 | targets: 11 | - rego: "package fluxdisablecrossnamespacesource\n\nviolation[{\"msg\": msg}] {\n\tcheck_kind(input.review.kind.kind)\n\tinput.review.object.spec.sourceRef.namespace\n\tinput.review.object.spec.sourceRef.namespace 12 | != input.review.object.metadata.namespace\n\tmsg := sprintf(`'%v' in namespace 13 | '%v' cant use source in different namespace '%v'`, [input.review.kind.kind, 14 | input.review.object.metadata.namespace, input.review.object.spec.sourceRef.namespace])\n}\n\ncheck_kind(kind) 15 | {\n\tkind == \"HelmRelease\"\n}\n\ncheck_kind(kind) {\n\tkind == \"Kustomization\"\n}" 16 | target: admission.k8s.gatekeeper.sh -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/flux-require-service-account.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: 
templates.gatekeeper.sh/v1beta1 2 | kind: ConstraintTemplate 3 | metadata: 4 | name: fluxrequireserviceaccount 5 | spec: 6 | crd: 7 | spec: 8 | names: 9 | kind: FluxRequireServiceAccount 10 | targets: 11 | - rego: "package fluxrequireserviceaccount\n\nviolation[{\"msg\": msg}] {\n\tcheck_kind(input.review.kind.kind)\n\tcheck_service_account(input.review.object.spec)\n\tmsg 12 | := sprintf(`'%v' has to specify a serviceAccountName`, [input.review.kind.kind])\n}\n\ncheck_kind(kind) 13 | {\n\tkind == \"HelmRelease\"\n}\n\ncheck_kind(kind) {\n\tkind == \"Kustomization\"\n}\n\ncheck_service_account(spec) 14 | {\n\tspec.serviceAccountName == \"\"\n}\n\ncheck_service_account(spec) {\n\tnot 15 | spec.serviceAccountName\n}" 16 | target: admission.k8s.gatekeeper.sh -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/init-container-disallow-privilege-escalation.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: mutations.gatekeeper.sh/v1beta1 2 | kind: Assign 3 | metadata: 4 | name: init-container-disallow-privilege-escalation 5 | spec: 6 | match: 7 | excludedNamespaces: 8 | - calico-system 9 | - gatekeeper-system 10 | - kube-system 11 | - tigera-operator 12 | - aad-pod-identity 13 | - cert-manager 14 | - csi-secrets-store-provider-azure 15 | - datadog 16 | - external-dns 17 | - falco 18 | - ingress-nginx 19 | - prometheus 20 | - reloader 21 | - spegel 22 | - vpa 23 | %{ for ns in exclude_namespaces } 24 | - ${ns} 25 | %{ endfor } 26 | scope: Namespaced 27 | kinds: 28 | - apiGroups: ["*"] 29 | kinds: ["Pod"] 30 | applyTo: 31 | - versions: ["v1"] 32 | groups: [""] 33 | kinds: ["Pod"] 34 | location: "spec.initContainers[name:*].securityContext.allowPrivilegeEscalation" 35 | parameters: 36 | assign: 37 | value: false 38 | pathTests: 39 | - subPath: "spec.initContainers[name:*].securityContext.allowPrivilegeEscalation" 40 | condition: MustNotExist 
-------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/init-container-drop-capabilities.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: mutations.gatekeeper.sh/v1beta1 2 | kind: Assign 3 | metadata: 4 | name: init-container-drop-capabilities 5 | spec: 6 | match: 7 | excludedNamespaces: 8 | - calico-system 9 | - gatekeeper-system 10 | - kube-system 11 | - tigera-operator 12 | - aad-pod-identity 13 | - cert-manager 14 | - csi-secrets-store-provider-azure 15 | - datadog 16 | - external-dns 17 | - falco 18 | - ingress-nginx 19 | - prometheus 20 | - reloader 21 | - spegel 22 | - trivy 23 | - vpa 24 | %{ for ns in exclude_namespaces } 25 | - ${ns} 26 | %{ endfor } 27 | scope: Namespaced 28 | kinds: 29 | - apiGroups: ["*"] 30 | kinds: ["Pod"] 31 | applyTo: 32 | - groups: [""] 33 | versions: ["v1"] 34 | kinds: ["Pod"] 35 | location: "spec.initContainers[name:*].securityContext.capabilities.drop" 36 | parameters: 37 | assign: 38 | value: 39 | - NET_RAW 40 | - CAP_SYS_ADMIN 41 | pathTests: 42 | - subPath: "spec.initContainers[name:*].securityContext.capabilities" 43 | condition: MustNotExist -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/init-container-read-only-root-fs.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: mutations.gatekeeper.sh/v1beta1 2 | kind: Assign 3 | metadata: 4 | name: init-container-read-only-root-fs 5 | spec: 6 | match: 7 | excludedNamespaces: 8 | - calico-system 9 | - gatekeeper-system 10 | - kube-system 11 | - tigera-operator 12 | - aad-pod-identity 13 | - cert-manager 14 | - csi-secrets-store-provider-azure 15 | - datadog 16 | - external-dns 17 | - falco 18 | - ingress-nginx 19 | - prometheus 20 | - reloader 21 | - spegel 22 | - vpa 23 | %{ for ns in exclude_namespaces } 24 | - ${ns} 25 | %{ 
endfor } 26 | scope: Namespaced 27 | kinds: 28 | - apiGroups: ["*"] 29 | kinds: ["Pod"] 30 | applyTo: 31 | - groups: [""] 32 | versions: ["v1"] 33 | kinds: ["Pod"] 34 | location: "spec.initContainers[name:*].securityContext.readOnlyRootFilesystem" 35 | parameters: 36 | assign: 37 | value: true 38 | pathTests: 39 | - subPath: "spec.initContainers[name:*].securityContext.readOnlyRootFilesystem" 40 | condition: MustNotExist -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/k8s-block-node-port.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: templates.gatekeeper.sh/v1beta1 2 | kind: ConstraintTemplate 3 | metadata: 4 | name: k8sblocknodeport 5 | annotations: 6 | metadata.gatekeeper.sh/title: "Block NodePort" 7 | metadata.gatekeeper.sh/version: 1.0.0 8 | description: >- 9 | Disallows all Services with type NodePort. 10 | 11 | https://kubernetes.io/docs/concepts/services-networking/service/#nodeport 12 | spec: 13 | crd: 14 | spec: 15 | names: 16 | kind: K8sBlockNodePort 17 | targets: 18 | - target: admission.k8s.gatekeeper.sh 19 | rego: | 20 | package k8sblocknodeport 21 | 22 | violation[{"msg": msg}] { 23 | input.review.kind.kind == "Service" 24 | input.review.object.spec.type == "NodePort" 25 | msg := "User is not allowed to create service of type NodePort" 26 | } -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/k8s-pod-default-seccomp.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: mutations.gatekeeper.sh/v1beta1 2 | kind: Assign 3 | metadata: 4 | name: pod-default-seccomp 5 | spec: 6 | match: 7 | namespaceSelector: 8 | matchLabels: 9 | xkf.xenit.io/kind: tenant 10 | scope: Namespaced 11 | kinds: 12 | - apiGroups: ["*"] 13 | kinds: ["Pod"] 14 | applyTo: 15 | - versions: ["v1"] 16 | groups: [""] 17 | kinds: 
["Pod"] 18 | location: "spec.securityContext.seccompProfile.type" 19 | parameters: 20 | assign: 21 | value: RuntimeDefault 22 | pathTests: 23 | - subPath: "spec.securityContext.seccompProfile" 24 | condition: MustNotExist -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/k8s-pod-priority-class.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: templates.gatekeeper.sh/v1beta1 2 | kind: ConstraintTemplate 3 | metadata: 4 | name: k8spodpriorityclass 5 | spec: 6 | crd: 7 | spec: 8 | names: 9 | kind: K8sPodPriorityClass 10 | validation: 11 | openAPIV3Schema: 12 | properties: 13 | permittedClassNames: 14 | items: 15 | type: string 16 | type: array 17 | type: object 18 | targets: 19 | - rego: "package k8spodpriorityclass\n\nviolation[{\"msg\": msg}] {\n\tinput.review.kind.kind 20 | == \"Pod\"\n\tpermittedClassNames := get_class_names(input.parameters, [\"\"])\n\tnot 21 | contains(permittedClassNames, input.review.object.spec.priorityClassName)\n\tmsg 22 | := sprintf(`The priority class name '%v' is not allowed`, [input.review.object.spec.priorityClassName])\n}\n\nget_class_names(parameters, 23 | _default) = msg {\n\tnot parameters.permittedClassNames\n\tmsg := _default\n}\n\nget_class_names(parameters, 24 | _default) = msg {\n\tmsg := parameters.permittedClassNames\n}\n\ncontains(arr, 25 | elem) {\n\tarr[_] = elem\n}" 26 | target: admission.k8s.gatekeeper.sh -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/k8s-pod-serviceaccount-token-false.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: mutations.gatekeeper.sh/v1beta1 2 | kind: Assign 3 | metadata: 4 | name: pod-serviceaccount-token-false 5 | spec: 6 | match: 7 | namespaceSelector: 8 | matchLabels: 9 | xkf.xenit.io/kind: tenant 10 | scope: Namespaced 11 | kinds: 
12 | - apiGroups: ["*"] 13 | kinds: ["Pod"] 14 | applyTo: 15 | - versions: ["v1"] 16 | groups: [""] 17 | kinds: ["Pod"] 18 | location: "spec.automountServiceAccountToken" 19 | parameters: 20 | assign: 21 | value: false 22 | pathTests: 23 | - subPath: "spec.automountServiceAccountToken" 24 | condition: MustNotExist -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/k8s-require-ingress-class.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: templates.gatekeeper.sh/v1beta1 2 | kind: ConstraintTemplate 3 | metadata: 4 | name: k8srequireingressclass 5 | spec: 6 | crd: 7 | spec: 8 | names: 9 | kind: K8sRequireIngressClass 10 | validation: 11 | openAPIV3Schema: 12 | properties: 13 | permittedClassNames: 14 | items: 15 | type: string 16 | type: array 17 | type: object 18 | targets: 19 | - rego: "package k8srequireingressclass\n\nviolation[{\"msg\": msg}] {\n\tinput.review.kind.kind 20 | == \"Ingress\"\n\tnot input.review.object.spec.ingressClassName\n\tmsg := \"Ingress 21 | class name has to be set\"\n}\n\nviolation[{\"msg\": msg}] {\n\tinput.review.kind.kind 22 | == \"Ingress\"\n\tinput.review.object.spec.ingressClassName == \"\"\n\tmsg := 23 | \"Ingress class name cannot be an emtpy string\"\n}" 24 | target: admission.k8s.gatekeeper.sh -------------------------------------------------------------------------------- /modules/kubernetes/azure-policy/templates/k8s-secrets-store-csi-unique-volume.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: templates.gatekeeper.sh/v1beta1 2 | kind: ConstraintTemplate 3 | metadata: 4 | name: secretsstorecsiuniquevolume 5 | spec: 6 | crd: 7 | spec: 8 | names: 9 | kind: SecretsStoreCSIUniqueVolume 10 | targets: 11 | - rego: "package secretsstorecsiuniquevolume\n\nviolation[{\"msg\": msg}] {\n\tvolumes 12 | := 
input.review.object.spec.volumes\n\tcount(volumes) > 0\n\tcsiVolumes = [x 13 | | x := volumes[_]; x.csi.driver = \"secrets-store.csi.k8s.io\"]\n\tuniqueNames 14 | := {x | x = csiVolumes[_].csi.volumeAttributes.secretProviderClass}\n\tcount(uniqueNames) 15 | != count(csiVolumes)\n\tmsg := sprintf(`'%v' cant have duplicate 'secretProviderClass'`, 16 | [input.review.kind.kind])\n}" 17 | target: admission.k8s.gatekeeper.sh -------------------------------------------------------------------------------- /modules/kubernetes/azure-service-operator/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | aks_name_suffix = var.aks_name_suffix != null ? var.aks_name_suffix : "" 3 | } -------------------------------------------------------------------------------- /modules/kubernetes/azure-service-operator/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/azure-service-operator/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/azure-service-operator/templates/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: azure-service-operator-app 3 | description: A Helm chart for deploying azure-service-operator as an app-of-app 4 | type: application 5 | version: 0.1.0 6 | appVersion: "1.0.0" -------------------------------------------------------------------------------- /modules/kubernetes/azure-service-operator/templates/azure-service-operator-app.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: azure-service-operator-app 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | 
argocd.argoproj.io/manifest-generate-paths: . 8 | spec: 9 | project: ${project} 10 | destination: 11 | namespace: ${tenant_name}-${environment} 12 | server: https://kubernetes.default.svc 13 | revisionHistoryLimit: 5 14 | syncPolicy: 15 | automated: 16 | prune: true 17 | selfHeal: true 18 | managedNamespaceMetadata: 19 | labels: 20 | xkf.xenit.io/kind: platform 21 | syncOptions: 22 | - CreateNamespace=true 23 | - RespectIgnoreDifferences=true 24 | - ApplyOutOfSyncOnly=true 25 | - Replace=true 26 | source: 27 | repoURL: ${repo_url} 28 | targetRevision: HEAD 29 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/azure-service-operator -------------------------------------------------------------------------------- /modules/kubernetes/azure-service-operator/templates/azure-service-operator-cluster.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: azure-service-operator-cluster 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
8 | argocd.argoproj.io/sync-wave: "0" 9 | spec: 10 | project: ${project} 11 | destination: 12 | server: ${server} 13 | namespace: azureserviceoperator-system 14 | revisionHistoryLimit: 5 15 | syncPolicy: 16 | automated: 17 | prune: true 18 | selfHeal: true 19 | syncOptions: 20 | - CreateNamespace=true 21 | - RespectIgnoreDifferences=true 22 | - ApplyOutOfSyncOnly=true 23 | source: 24 | repoURL: https://raw.githubusercontent.com/Azure/azure-service-operator/main/v2/charts 25 | targetRevision: v2.11.0 26 | chart: azure-service-operator 27 | helm: 28 | valuesObject: 29 | azureSyncPeriod: "${sync_period}" 30 | crdPattern: "${crd_pattern}" 31 | metrics: 32 | enable: ${enable_metrics} 33 | networkPolicies: 34 | enable: false 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /modules/kubernetes/azure-service-operator/templates/azure-service-operator-manifests.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: aso-credential 5 | namespace: ${tenant_namespace} 6 | stringData: 7 | AZURE_SUBSCRIPTION_ID: ${subscription_id} 8 | AZURE_TENANT_ID: ${tenant_id} 9 | AZURE_CLIENT_ID: ${client_id} -------------------------------------------------------------------------------- /modules/kubernetes/azure-service-operator/templates/azure-service-operator-tenants.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: azure-service-operator-tenants 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
8 | argocd.argoproj.io/sync-wave: "1" 9 | spec: 10 | project: ${project} 11 | destination: 12 | server: ${server} 13 | namespace: azureserviceoperator-system 14 | revisionHistoryLimit: 5 15 | syncPolicy: 16 | automated: 17 | prune: true 18 | selfHeal: true 19 | syncOptions: 20 | - RespectIgnoreDifferences=true 21 | - ApplyOutOfSyncOnly=true 22 | - Replace=true 23 | source: 24 | repoURL: ${repo_url} 25 | targetRevision: HEAD 26 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/azure-service-operator/manifests -------------------------------------------------------------------------------- /modules/kubernetes/azure-service-operator/templates/values.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/azure-service-operator/templates/values.yaml -------------------------------------------------------------------------------- /modules/kubernetes/cert-manager/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/cert-manager/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/cert-manager/templates/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: cert-manager-app 3 | description: A Helm chart for deploying cert-manager as an app-of-app 4 | type: application 5 | version: 0.1.0 6 | appVersion: "1.0.0" -------------------------------------------------------------------------------- /modules/kubernetes/cert-manager/templates/cert-manager-app.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: 
cert-manager-app 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 8 | spec: 9 | project: ${project} 10 | destination: 11 | namespace: ${tenant_name}-${environment} 12 | server: https://kubernetes.default.svc 13 | revisionHistoryLimit: 5 14 | syncPolicy: 15 | automated: 16 | prune: true 17 | selfHeal: true 18 | managedNamespaceMetadata: 19 | labels: 20 | xkf.xenit.io/kind: platform 21 | syncOptions: 22 | - CreateNamespace=true 23 | - RespectIgnoreDifferences=true 24 | - ApplyOutOfSyncOnly=true 25 | - Replace=true 26 | source: 27 | repoURL: ${repo_url} 28 | targetRevision: HEAD 29 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/cert-manager -------------------------------------------------------------------------------- /modules/kubernetes/cert-manager/templates/cert-manager-extras.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: cert-manager-extras 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
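# continuation of /modules/kubernetes/cert-manager/templates/cert-manager-extras.yaml.tpl (lines 8-26)
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: cert-manager
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/cert-manager/manifests
--------------------------------------------------------------------------------
/modules/kubernetes/cert-manager/templates/values.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/cert-manager/templates/values.yaml
--------------------------------------------------------------------------------
/modules/kubernetes/cert-manager/workload-identity.tf:
--------------------------------------------------------------------------------
# Dedicated user-assigned identity that the cert-manager service account
# exchanges its Kubernetes token for (workload identity).
resource "azurerm_user_assigned_identity" "cert_manager" {
  resource_group_name = var.resource_group_name
  location            = var.location
  name                = "uai-${var.cluster_id}-cert-manager-wi"
}

# One role assignment per DNS zone in var.dns_zones (each.key is the zone id);
# nothing is created when var.rbac_create is false.
# NOTE(review): "Contributor" allows full management of each zone resource,
# while the identity is presumably only used for DNS-01 challenge records
# (create/delete TXT). The built-in "DNS Zone Contributor" role covers that and
# nothing more; narrowing it is a behaviour change, so confirm with existing
# consumers before switching.
resource "azurerm_role_assignment" "cert_manager_contributor" {
  for_each = {
    for dns in var.dns_zones :
    dns => dns
    if var.rbac_create
  }
  scope                = each.key
  role_definition_name = "Contributor"
  principal_id         = azurerm_user_assigned_identity.cert_manager.principal_id
}

# Federated credential: only the cert-manager/cert-manager service account of
# this cluster's OIDC issuer may assume the identity. The subject is what keeps
# other pods in the cluster from using it.
resource "azurerm_federated_identity_credential" "cert_manager" {
  name                = azurerm_user_assigned_identity.cert_manager.name
  resource_group_name = azurerm_user_assigned_identity.cert_manager.resource_group_name
  parent_id           = azurerm_user_assigned_identity.cert_manager.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = var.oidc_issuer_url
  subject             = "system:serviceaccount:cert-manager:cert-manager"
}
--------------------------------------------------------------------------------
/modules/kubernetes/control-plane-logs/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/control-plane-logs/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/control-plane-logs/templates/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: control-plane-logs-app
description: A Helm chart for deploying control-plane-logs as an app-of-app
type: application
version: 0.1.0
appVersion: "1.0.0"
--------------------------------------------------------------------------------
/modules/kubernetes/control-plane-logs/templates/control-plane-logs-app.yaml.tpl:
--------------------------------------------------------------------------------
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: control-plane-logs-app
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .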
8 | spec: 9 | project: ${project} 10 | destination: 11 | namespace: ${tenant_name}-${environment} 12 | server: https://kubernetes.default.svc 13 | revisionHistoryLimit: 5 14 | syncPolicy: 15 | automated: 16 | prune: true 17 | selfHeal: true 18 | managedNamespaceMetadata: 19 | labels: 20 | xkf.xenit.io/kind: platform 21 | syncOptions: 22 | - CreateNamespace=true 23 | - RespectIgnoreDifferences=true 24 | - ApplyOutOfSyncOnly=true 25 | - Replace=true 26 | source: 27 | repoURL: ${repo_url} 28 | targetRevision: HEAD 29 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/control-plane-logs -------------------------------------------------------------------------------- /modules/kubernetes/control-plane-logs/templates/values.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/control-plane-logs/templates/values.yaml -------------------------------------------------------------------------------- /modules/kubernetes/control-plane-logs/templates/vector-extras.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: vector-extras 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
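# continuation of /modules/kubernetes/control-plane-logs/templates/vector-extras.yaml.tpl (lines 8-27)
    argocd.argoproj.io/sync-wave: "0"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: control-plane-logs
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/control-plane-logs/manifests
--------------------------------------------------------------------------------
/modules/kubernetes/control-plane-logs/workload-identity.tf:
--------------------------------------------------------------------------------
# Looks up the cluster's existing, shared "xenit" managed identity instead of
# creating a dedicated one for this module.
data "azurerm_user_assigned_identity" "xenit" {
  resource_group_name = var.resource_group_name
  name                = "uai-${var.environment}-${var.location_short}-${var.aks_name}-xenit"
}

# Lets the control-plane-logs/vector service account exchange its token for the
# shared identity above.
# NOTE(review): because the identity is shared, vector inherits every role and
# access policy granted to it anywhere, not only what log shipping needs. A
# dedicated identity per workload (the pattern the cert-manager and datadog
# modules use) keeps the impact of a compromised vector pod to its own
# permissions; worth considering if the shared identity holds broader rights.
resource "azurerm_federated_identity_credential" "control_plane_logs" {
  name                = "uai-${var.environment}-${var.location_short}-${var.aks_name}-control-plane-logs-wi"
  resource_group_name = data.azurerm_user_assigned_identity.xenit.resource_group_name
  parent_id           = data.azurerm_user_assigned_identity.xenit.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = var.oidc_issuer_url
  subject             = "system:serviceaccount:control-plane-logs:vector"
}
--------------------------------------------------------------------------------
/modules/kubernetes/datadog/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/datadog/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/datadog/templates/Chart.yaml:
--------------------------------------------------------------------------------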
apiVersion: v2 2 | name: datadog-app 3 | description: A Helm chart for deploying datadog as an app-of-app 4 | type: application 5 | version: 0.1.0 6 | appVersion: "1.0.0" -------------------------------------------------------------------------------- /modules/kubernetes/datadog/templates/datadog-app.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: datadog-app 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 8 | spec: 9 | project: ${project} 10 | destination: 11 | namespace: ${tenant_name}-${environment} 12 | server: https://kubernetes.default.svc 13 | revisionHistoryLimit: 5 14 | syncPolicy: 15 | automated: 16 | prune: true 17 | selfHeal: true 18 | managedNamespaceMetadata: 19 | labels: 20 | xkf.xenit.io/kind: platform 21 | syncOptions: 22 | - CreateNamespace=true 23 | - RespectIgnoreDifferences=true 24 | - ApplyOutOfSyncOnly=true 25 | - Replace=true 26 | source: 27 | repoURL: ${repo_url} 28 | targetRevision: HEAD 29 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/datadog -------------------------------------------------------------------------------- /modules/kubernetes/datadog/templates/datadog-extras.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: datadog-extras 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
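# continuation of /modules/kubernetes/datadog/templates/datadog-extras.yaml.tpl (lines 8-27)
    argocd.argoproj.io/sync-wave: "0"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: datadog
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/datadog/manifests
--------------------------------------------------------------------------------
/modules/kubernetes/datadog/templates/datadog-operator.yaml.tpl:
--------------------------------------------------------------------------------
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: datadog-operator
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
    # wave 1: synced after datadog-extras (wave 0) in the same namespace
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: datadog
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: https://helm.datadoghq.com
    targetRevision: 1.0.2
    # NOTE(review): the Application name, image.tag 1.0.2 and the values below
    # (installCRDs, datadogMonitor, *ExistingSecret) read like the
    # "datadog-operator" chart rather than the "datadog" agent chart; confirm
    # that chart name and targetRevision really belong together.
    chart: datadog
    helm:
      valuesObject:
        # API/app keys come from pre-existing secrets; nothing sensitive is
        # inlined in this template
        apiKeyExistingSecret: datadog-operator-apikey
        appKeyExistingSecret: datadog-operator-appkey
        installCRDs: true
        image:
          tag: 1.0.2
        datadogMonitor:
          enabled: true
        resources:
          requests:
            cpu: 15m
            memory: 50Mi
--------------------------------------------------------------------------------
/modules/kubernetes/datadog/templates/values.yaml:
--------------------------------------------------------------------------------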
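https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/datadog/templates/values.yaml
--------------------------------------------------------------------------------
/modules/kubernetes/datadog/workload-identity.tf:
--------------------------------------------------------------------------------
# Dedicated user-assigned identity for the Datadog secret-mount service account.
resource "azurerm_user_assigned_identity" "datadog" {
  resource_group_name = var.resource_group_name
  location            = var.location
  name                = "uai-${var.cluster_id}-datadog-wi"
}

# Federated credential: only datadog/datadog-secret-mount of this cluster's
# OIDC issuer may exchange its token for the identity.
resource "azurerm_federated_identity_credential" "datadog" {
  name                = azurerm_user_assigned_identity.datadog.name
  resource_group_name = azurerm_user_assigned_identity.datadog.resource_group_name
  parent_id           = azurerm_user_assigned_identity.datadog.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = var.oidc_issuer_url
  subject             = "system:serviceaccount:datadog:datadog-secret-mount"
}

# Read-only secret access on the shared Key Vault. "Get" does not include
# "List", so the identity can only fetch secrets whose names it already knows.
resource "azurerm_key_vault_access_policy" "datadog" {
  key_vault_id       = var.key_vault_id
  tenant_id          = azurerm_user_assigned_identity.datadog.tenant_id
  object_id          = azurerm_user_assigned_identity.datadog.principal_id
  secret_permissions = ["Get"]
}
--------------------------------------------------------------------------------
/modules/kubernetes/eck-operator/main.tf:
--------------------------------------------------------------------------------
/**
 * # eck-operator
 *
 * Adds the [eck-operator](https://helm.elastic.co) Helm chart (Elastic Cloud on Kubernetes) to a Kubernetes cluster
 * by writing an Argo CD Application manifest into the fleet-infra git repository.
 */

terraform {
  required_version = ">= 1.3.0"

  required_providers {
    git = {
      source  = "xenitab/git"
      version = ">=0.0.4"
    }
  }
}

# Renders templates/eck-operator.yaml.tpl into the tenant/cluster path of the
# fleet-infra repository.
resource "git_repository_file" "eck_operator" {
  path = "platform/${var.tenant_name}/${var.cluster_id}/templates/eck-operator.yaml"
  content = templatefile("${path.module}/templates/eck-operator.yaml.tpl", {
    eck_managed_namespaces = var.eck_managed_namespaces
    tenant_name            = var.tenant_name
    environment            = var.environment
    project                = var.fleet_infra_config.argocd_project_name
    server                 = var.fleet_infra_config.k8s_api_server_url
  })
}
--------------------------------------------------------------------------------
/modules/kubernetes/eck-operator/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/eck-operator/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/eck-operator/templates/eck-operator.yaml.tpl:
--------------------------------------------------------------------------------
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: eck-operator
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .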
8 | argocd.argoproj.io/sync-wave: "2" 9 | spec: 10 | project: ${project} 11 | destination: 12 | server: ${server} 13 | namespace: eck-system 14 | revisionHistoryLimit: 5 15 | syncPolicy: 16 | automated: 17 | prune: true 18 | selfHeal: true 19 | managedNamespaceMetadata: 20 | labels: 21 | xkf.xenit.io/kind: platform 22 | syncOptions: 23 | - CreateNamespace=true 24 | - RespectIgnoreDifferences=true 25 | - ApplyOutOfSyncOnly=true 26 | - Replace=true 27 | source: 28 | repoURL: https://helm.elastic.co 29 | targetRevision: 2.16.1 30 | chart: eck-operator 31 | helm: 32 | valuesObject: 33 | managedNamespaces: 34 | %{ for ns in eck_managed_namespaces ~} 35 | - ${ns} 36 | %{ endfor } 37 | -------------------------------------------------------------------------------- /modules/kubernetes/eck-operator/variables.tf: -------------------------------------------------------------------------------- 1 | 2 | variable "eck_managed_namespaces" { 3 | description = "A list of namespaces where the operator will manage the ECK resources" 4 | type = list(string) 5 | } 6 | 7 | variable "cluster_id" { 8 | description = "Unique identifier of the cluster across regions and instances." 
9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "The environment name to use for the deploy" 14 | type = string 15 | } 16 | 17 | variable "fleet_infra_config" { 18 | description = "Fleet infra configuration" 19 | type = object({ 20 | git_repo_url = string 21 | argocd_project_name = string 22 | k8s_api_server_url = string 23 | }) 24 | } 25 | 26 | variable "tenant_name" { 27 | description = "The name of the tenant" 28 | type = string 29 | } -------------------------------------------------------------------------------- /modules/kubernetes/envoy-gateway/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | envoy_gateway_require_tls = base64encode( 3 | templatefile("${path.module}/templates/envoy-gateway-require-tls.yaml.tpl", { 4 | }) 5 | ) 6 | } 7 | -------------------------------------------------------------------------------- /modules/kubernetes/envoy-gateway/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/envoy-gateway/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/external-dns/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/external-dns/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/external-dns/templates/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: external-dns-app 3 | description: A Helm chart for deploying external-dns as an app-of-app 4 | type: application 5 | version: 0.1.0 6 | appVersion: "1.0.0" 
-------------------------------------------------------------------------------- /modules/kubernetes/external-dns/templates/external-dns-app.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: external-dns-app 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 8 | spec: 9 | project: ${project} 10 | destination: 11 | namespace: ${tenant_name}-${environment} 12 | server: https://kubernetes.default.svc 13 | revisionHistoryLimit: 5 14 | syncPolicy: 15 | automated: 16 | prune: true 17 | selfHeal: true 18 | managedNamespaceMetadata: 19 | labels: 20 | xkf.xenit.io/kind: platform 21 | syncOptions: 22 | - CreateNamespace=true 23 | - RespectIgnoreDifferences=true 24 | - ApplyOutOfSyncOnly=true 25 | - Replace=true 26 | source: 27 | repoURL: ${repo_url} 28 | targetRevision: HEAD 29 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/external-dns -------------------------------------------------------------------------------- /modules/kubernetes/external-dns/templates/external-dns-extras.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: external-dns-extras 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
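# continuation of /modules/kubernetes/external-dns/templates/external-dns-extras.yaml.tpl (lines 8-26)
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: external-dns
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/external-dns/manifests
--------------------------------------------------------------------------------
/modules/kubernetes/external-dns/templates/external-dns-manifests.yaml.tpl:
--------------------------------------------------------------------------------
# Read-only access to external-dns pods and their logs.
# The original rule listed "view" and "logs" as verbs; neither is an RBAC verb,
# so the role effectively granted only "list" and no log access. Pod logs are
# the "pods/log" subresource and are read with "get".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: logs-external-dns
  labels:
    xkf.xenit.io/kind: platform
rules:
  - verbs:
      - get
      - list
    apiGroups:
      - ''
    resources:
      - pods
  - verbs:
      - get
    apiGroups:
      - ''
    resources:
      - pods/log
---
%{ for group in aad_groups ~}
# Namespaced binding: each AAD group receives the ClusterRole above only inside
# the external-dns namespace, not cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${group.namespace}-logs-external-dns
  namespace: external-dns
  labels:
    aad-group-name: ${group.name}
    xkf.xenit.io/kind: platform
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    # Group subjects are not namespaced; the RBAC API reference treats a
    # non-empty namespace on a User/Group subject as an error, so the
    # "namespace: default" the original carried is omitted.
    name: ${group.id}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: logs-external-dns
---
%{ endfor }
--------------------------------------------------------------------------------
/modules/kubernetes/external-dns/templates/values.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/external-dns/templates/values.yaml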
-------------------------------------------------------------------------------- /modules/kubernetes/falco/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/falco/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/falco/templates/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: falco-app 3 | description: A Helm chart for deploying falco as an app-of-app 4 | type: application 5 | version: 0.1.0 6 | appVersion: "1.0.0" -------------------------------------------------------------------------------- /modules/kubernetes/falco/templates/falco-app.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: falco-app 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
8 | spec: 9 | project: ${project} 10 | destination: 11 | namespace: ${tenant_name}-${environment} 12 | server: https://kubernetes.default.svc 13 | revisionHistoryLimit: 5 14 | syncPolicy: 15 | automated: 16 | prune: true 17 | selfHeal: true 18 | managedNamespaceMetadata: 19 | labels: 20 | xkf.xenit.io/kind: platform 21 | syncOptions: 22 | - CreateNamespace=true 23 | - RespectIgnoreDifferences=true 24 | - ApplyOutOfSyncOnly=true 25 | - Replace=true 26 | source: 27 | repoURL: ${repo_url} 28 | targetRevision: HEAD 29 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/falco -------------------------------------------------------------------------------- /modules/kubernetes/falco/templates/falco-exporter.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: falco-exporter 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
8 | argocd.argoproj.io/sync-wave: "1" 9 | spec: 10 | project: ${project} 11 | destination: 12 | server: ${server} 13 | namespace: falco 14 | revisionHistoryLimit: 5 15 | syncPolicy: 16 | automated: 17 | prune: true 18 | selfHeal: true 19 | syncOptions: 20 | - CreateNamespace=true 21 | - RespectIgnoreDifferences=true 22 | - ApplyOutOfSyncOnly=true 23 | - Replace=true 24 | source: 25 | repoURL: https://falcosecurity.github.io/charts 26 | targetRevision: 0.12.2 27 | chart: falco-exporter 28 | helm: 29 | valuesObject: 30 | image: 31 | tag: "0.8.7" 32 | priorityClassName: platform-high 33 | -------------------------------------------------------------------------------- /modules/kubernetes/falco/templates/values.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/falco/templates/values.yaml -------------------------------------------------------------------------------- /modules/kubernetes/falco/variables.tf: -------------------------------------------------------------------------------- 1 | variable "cilium_enabled" { 2 | description = "If enabled, will use Azure CNI with Cilium instead of kubenet" 3 | type = bool 4 | default = false 5 | } 6 | 7 | variable "cluster_id" { 8 | description = "Unique identifier of the cluster across regions and instances." 
9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "The environment name to use for the deploy" 14 | type = string 15 | } 16 | 17 | variable "fleet_infra_config" { 18 | description = "Fleet infra configuration" 19 | type = object({ 20 | git_repo_url = string 21 | argocd_project_name = string 22 | k8s_api_server_url = string 23 | }) 24 | } 25 | 26 | variable "tenant_name" { 27 | description = "The name of the tenant" 28 | type = string 29 | } -------------------------------------------------------------------------------- /modules/kubernetes/fluxcd/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/fluxcd/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/gatekeeper/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/gatekeeper/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/gatekeeper/templates/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: gatekeeper-app 3 | description: A Helm chart for deploying gatekeeper as an app-of-app 4 | type: application 5 | version: 0.1.0 6 | appVersion: "1.0.0" -------------------------------------------------------------------------------- /modules/kubernetes/gatekeeper/templates/gatekeeper-app.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: gatekeeper-app 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
8 | spec: 9 | project: ${project} 10 | destination: 11 | namespace: ${tenant_name}-${environment} 12 | server: https://kubernetes.default.svc 13 | revisionHistoryLimit: 5 14 | syncPolicy: 15 | automated: 16 | prune: true 17 | selfHeal: true 18 | managedNamespaceMetadata: 19 | labels: 20 | xkf.xenit.io/kind: platform 21 | syncOptions: 22 | - CreateNamespace=true 23 | - RespectIgnoreDifferences=true 24 | - ApplyOutOfSyncOnly=true 25 | - Replace=true 26 | source: 27 | repoURL: ${repo_url} 28 | targetRevision: HEAD 29 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/gatekeeper -------------------------------------------------------------------------------- /modules/kubernetes/gatekeeper/templates/gatekeeper-templates.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: gatekeeper-templates 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
8 | argocd.argoproj.io/sync-wave: "-1" 9 | spec: 10 | project: ${project} 11 | destination: 12 | server: ${server} 13 | namespace: gatekeeper-system 14 | revisionHistoryLimit: 5 15 | syncPolicy: 16 | automated: 17 | prune: true 18 | selfHeal: true 19 | syncOptions: 20 | - CreateNamespace=true 21 | - RespectIgnoreDifferences=true 22 | - ApplyOutOfSyncOnly=true 23 | - Replace=true 24 | ignoreDifferences: 25 | - group: templates.gatekeeper.sh 26 | kind: ConstraintTemplate 27 | jqPathExpressions: 28 | - .metadata.labels 29 | source: 30 | repoURL: ${repo_url} 31 | targetRevision: HEAD 32 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/gatekeeper/manifests/templates -------------------------------------------------------------------------------- /modules/kubernetes/gatekeeper/templates/values.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/gatekeeper/templates/values.yaml -------------------------------------------------------------------------------- /modules/kubernetes/gateway-api/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * # Gateway API 3 | * 4 | * This module is used to add [`gateway-api`](https://github.com/kubernetes-sigs/gateway-api) CRDs from the experimental channel to Kubernetes clusters. 
5 | */ 6 | 7 | terraform { 8 | required_version = ">= 1.3.0" 9 | 10 | required_providers { 11 | git = { 12 | source = "xenitab/git" 13 | version = ">=0.0.4" 14 | } 15 | } 16 | } 17 | 18 | resource "git_repository_file" "gateway_api_crds" { 19 | path = "platform/${var.tenant_name}/${var.cluster_id}/templates/gateway-api-crds.yaml" 20 | content = templatefile("${path.module}/templates/gateway-api-crds.yaml.tpl", { 21 | cluster_id = var.cluster_id 22 | environment = var.environment 23 | api_version = var.gateway_api_config.api_version 24 | api_channel = var.gateway_api_config.api_channel 25 | tenant_name = var.tenant_name 26 | project = var.fleet_infra_config.argocd_project_name 27 | server = var.fleet_infra_config.k8s_api_server_url 28 | }) 29 | } -------------------------------------------------------------------------------- /modules/kubernetes/gateway-api/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/gateway-api/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/gateway-api/templates/gateway-api-crds.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: gateway-api-crds 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
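# continuation of /modules/kubernetes/gateway-api/templates/gateway-api-crds.yaml.tpl (lines 8-26)
    # wave -1: the CRDs must exist before Applications that use them are synced
    argocd.argoproj.io/sync-wave: "-1"
spec:
  project: ${project}
  destination:
    server: ${server}
    # no namespace: CRDs are cluster-scoped
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      # prune stays false so a CRD (and with it every object of that kind) is
      # never removed automatically when it drops out of the upstream manifests
      prune: false
      selfHeal: true
    syncOptions:
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  sources:
    - repoURL: https://github.com/kubernetes-sigs/gateway-api
      # Pin the CRDs to the configured release. The original used
      # "targetRevision: HEAD" and put the version into "ref", which is only a
      # name for multi-source references, so api_version had no effect and the
      # cluster tracked whatever the upstream default branch contained.
      targetRevision: ${api_version}
      path: config/crd/${api_channel}
--------------------------------------------------------------------------------
/modules/kubernetes/gateway-api/variables.tf:
--------------------------------------------------------------------------------
variable "cluster_id" {
  description = "Unique identifier of the cluster across regions and instances."
  type        = string
}

variable "environment" {
  description = "The environment name to use for the deploy"
  type        = string
}

variable "fleet_infra_config" {
  description = "Fleet infra configuration"
  type = object({
    git_repo_url        = string
    argocd_project_name = string
    k8s_api_server_url  = string
  })
}

# api_version is the upstream git revision the CRDs are taken from; api_channel
# selects the "standard" or "experimental" CRD set under config/crd/.
variable "gateway_api_config" {
  description = "The Gateway API configuration"
  type = object({
    api_version       = optional(string, "v1.2.0")
    api_channel       = optional(string, "standard")
    gateway_name      = optional(string, "")
    gateway_namespace = optional(string, "")
  })
  default = {}

  validation {
    condition     = contains(["standard", "experimental"], var.gateway_api_config.api_channel)
    error_message = "Invalid API channel: ${var.gateway_api_config.api_channel}. Allowed values: ['standard', 'experimental']"
  }
}

variable "tenant_name" {
  description = "The name of the tenant"
  type        = string
}
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-agent/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/grafana-agent/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-agent/templates/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: grafana-agent-app
description: A Helm chart for deploying grafana-agent as an app-of-app
type: application
version: 0.1.0
appVersion: "1.0.0"
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-agent/templates/grafana-agent-app.yaml.tpl:
--------------------------------------------------------------------------------
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: grafana-agent-app
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .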
spec:
  project: ${project}
  destination:
    namespace: ${tenant_name}-${environment}
    # The child Applications are created in the cluster that runs Argo CD itself.
    server: https://kubernetes.default.svc
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    managedNamespaceMetadata:
      labels:
        xkf.xenit.io/kind: platform
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/grafana-agent
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-agent/templates/grafana-agent-extras.yaml.tpl:
--------------------------------------------------------------------------------
# Extra manifests for grafana-agent from the fleet repository, applied in
# sync-wave 2, i.e. after the operator Application (wave 1).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: grafana-agent-extras
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
    argocd.argoproj.io/sync-wave: "2"
spec:
  project: ${project}
  destination:
    server: ${server}
    # No CreateNamespace here: the operator Application (wave 1) creates this namespace.
    namespace: grafana-agent
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/grafana-agent/manifests
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-agent/templates/grafana-agent.yaml.tpl:
--------------------------------------------------------------------------------
# Installs the grafana-agent-operator Helm chart from the upstream Grafana chart repository.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: grafana-agent-operator
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: grafana-agent
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: https://grafana.github.io/helm-charts
    # Third-party chart pinned to an exact version; bump deliberately and review the upstream diff.
    targetRevision: v0.3.21
    chart: grafana-agent-operator
    helm:
      valuesObject:
        resources:
          requests:
            cpu: 25m
            memory: 80Mi
          limits:
            memory: 256Mi
        kubeletService:
          namespace: grafana-agent
        serviceAccount:
          name: grafana-agent
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-agent/templates/values.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/grafana-agent/templates/values.yaml
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-alloy/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/grafana-alloy/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-alloy/templates/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: grafana-alloy-app
description: A Helm chart for deploying grafana-alloy as an app-of-app
type: application
version: 0.1.0
appVersion: "1.0.0"
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-alloy/templates/grafana-alloy-app.yaml.tpl:
--------------------------------------------------------------------------------
# App-of-apps entry point for grafana-alloy: points Argo CD at the tenant's
# argocd-applications/grafana-alloy directory in the fleet repository.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: grafana-alloy-app
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
spec:
  project: ${project}
  destination:
    namespace: ${tenant_name}-${environment}
    # The child Applications are created in the cluster that runs Argo CD itself.
    server: https://kubernetes.default.svc
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    managedNamespaceMetadata:
      labels:
        xkf.xenit.io/kind: platform
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/grafana-alloy
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-alloy/templates/grafana-alloy-extras.yaml.tpl:
--------------------------------------------------------------------------------
# Manifests for grafana-alloy from the fleet repository; this Application also
# creates the grafana-alloy namespace (CreateNamespace=true).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: grafana-alloy-extras
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: grafana-alloy
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/grafana-alloy/manifests
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-alloy/templates/values.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/grafana-alloy/templates/values.yaml
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-alloy/workload-identity.tf:
--------------------------------------------------------------------------------
# Looks up the pre-existing "xenit" user-assigned identity of the cluster instead of
# creating a dedicated identity for grafana-alloy.
data "azurerm_user_assigned_identity" "xenit" {
  resource_group_name = var.resource_group_name
  name                = "uai-${var.environment}-${var.location_short}-${var.aks_name}-xenit"
}

# Federates the grafana-alloy Kubernetes service account with that identity.
# NOTE(review): the service account thereby inherits every role assignment the
# "xenit" identity holds (presumably shared with other workloads) rather than a
# grafana-alloy-specific set; confirm that is the intended blast radius.
resource "azurerm_federated_identity_credential" "grafana_alloy" {
  name                = "uai-${var.environment}-${var.location_short}-${var.aks_name}-grafana-alloy-wi"
  resource_group_name = data.azurerm_user_assigned_identity.xenit.resource_group_name
  parent_id           = data.azurerm_user_assigned_identity.xenit.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = var.oidc_issuer_url
  # Only this exact namespace/service-account pair can exchange its token for the identity.
  subject             = "system:serviceaccount:grafana-alloy:grafana-alloy"
}

--------------------------------------------------------------------------------
/modules/kubernetes/grafana-k8s-monitoring/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/grafana-k8s-monitoring/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-k8s-monitoring/templates/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: grafana-k8s-monitoring-app
description: A Helm chart for deploying gravana-k8s-monitoring as an app-of-app
type: application
version: 0.1.0
appVersion: "1.0.0"
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-k8s-monitoring/templates/grafana-k8s-monitoring-app.yaml.tpl:
--------------------------------------------------------------------------------
# App-of-apps entry point for grafana-k8s-monitoring: points Argo CD at the tenant's
# argocd-applications/grafana-k8s-monitoring directory in the fleet repository.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: grafana-k8s-monitoring-app
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
spec:
  project: ${project}
  destination:
    namespace: ${tenant_name}-${environment}
    # The child Applications are created in the cluster that runs Argo CD itself.
    server: https://kubernetes.default.svc
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    managedNamespaceMetadata:
      labels:
        xkf.xenit.io/kind: platform
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/grafana-k8s-monitoring
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-k8s-monitoring/templates/grafana-k8s-monitoring-extras.yaml.tpl:
--------------------------------------------------------------------------------
# Manifests for grafana-k8s-monitoring from the fleet repository; this Application
# also creates the grafana-k8s-monitoring namespace (CreateNamespace=true).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: grafana-k8s-monitoring-extras
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: grafana-k8s-monitoring
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/grafana-k8s-monitoring/manifests
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-k8s-monitoring/templates/values.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/grafana-k8s-monitoring/templates/values.yaml
--------------------------------------------------------------------------------
/modules/kubernetes/grafana-k8s-monitoring/workload-identity.tf:
--------------------------------------------------------------------------------
# Dedicated user-assigned identity for grafana-k8s-monitoring (unlike the grafana-alloy
# module, which federates against the cluster's existing "xenit" identity).
resource "azurerm_user_assigned_identity" "grafana_k8s_monitor" {
  resource_group_name = var.resource_group_name
  location            = var.location
  name                = "uai-${var.cluster_id}-grafana-k8s-monitor-wi"
}

# Workload identity federation: only the named service account in the
# grafana-k8s-monitoring namespace can exchange its projected token for this identity.
resource "azurerm_federated_identity_credential" "grafana_k8s_monitor" {
  name                = azurerm_user_assigned_identity.grafana_k8s_monitor.name
  resource_group_name = azurerm_user_assigned_identity.grafana_k8s_monitor.resource_group_name
  parent_id           = azurerm_user_assigned_identity.grafana_k8s_monitor.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = var.oidc_issuer_url
  subject             = "system:serviceaccount:grafana-k8s-monitoring:grafana-k8s-monitoring-alloy-metrics"
}

# Least-privilege Key Vault access: "Get" lets the identity read a secret it knows
# the name of, but not list, set or delete secrets.
resource "azurerm_key_vault_access_policy" "grafana_k8s_monitor" {
  key_vault_id       = var.key_vault_id
  tenant_id          = azurerm_user_assigned_identity.grafana_k8s_monitor.tenant_id
  object_id          = azurerm_user_assigned_identity.grafana_k8s_monitor.principal_id
  secret_permissions = ["Get"]
}
--------------------------------------------------------------------------------
/modules/kubernetes/ingress-nginx/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/ingress-nginx/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/ingress-nginx/templates/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: ingress-nginx-app
description: A Helm chart for deploying ingress-nginx as an app-of-app
type: application
version: 0.1.0
appVersion: "1.0.0"
--------------------------------------------------------------------------------
/modules/kubernetes/ingress-nginx/templates/ingress-nginx-app.yaml.tpl:
--------------------------------------------------------------------------------
# App-of-apps entry point for ingress-nginx. The Application name is templated
# (ingress_nginx_name) so several controllers can coexist in one tenant namespace.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: ${ingress_nginx_name}-app
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
spec:
  project: ${project}
  destination:
    namespace: ${tenant_name}-${environment}
    # The child Applications are created in the cluster that runs Argo CD itself.
    server: https://kubernetes.default.svc
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    managedNamespaceMetadata:
      labels:
        xkf.xenit.io/kind: platform
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/ingress-nginx
--------------------------------------------------------------------------------
/modules/kubernetes/ingress-nginx/templates/ingress-nginx-extras.yaml.tpl:
--------------------------------------------------------------------------------
# Extra manifests for ingress-nginx from the fleet repository, applied in sync-wave 1.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: ${ingress_nginx_name}-extras
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: ${project}
  destination:
    server: ${server}
    # No CreateNamespace here; the namespace is assumed to be created by the
    # controller Application, which is not part of this listing - confirm.
    namespace: ingress-nginx
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/ingress-nginx/manifests
--------------------------------------------------------------------------------
/modules/kubernetes/ingress-nginx/templates/values.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/ingress-nginx/templates/values.yaml
--------------------------------------------------------------------------------
/modules/kubernetes/karpenter/outputs.tf:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/modules/kubernetes/karpenter/templates/node-classes.yaml.tpl:
--------------------------------------------------------------------------------
# One AKSNodeClass per entry of the module's node-class configuration; the
# kubelet settings are passed through verbatim from the class object.
apiVersion: karpenter.azure.com/v1beta1
kind: AKSNodeClass
metadata:
  name: ${class.name}
  annotations:
    # NOTE(review): the description is hard-coded to Ubuntu2204 while imageFamily is
    # templated, so it will be misleading for any other image_family value.
    kubernetes.io/description: "General purpose AKSNodeClass for running Ubuntu2204 nodes"
spec:
  imageFamily: ${class.image_family}
  kubelet:
    containerLogMaxSize: ${class.kubelet.container_log_max_size}
    cpuCFSQuota: ${class.kubelet.cpu_cfs_quota}
    cpuCFSQuotaPeriod: ${class.kubelet.cpu_cfs_quota_period}
    cpuManagerPolicy: ${class.kubelet.cpu_manager_policy}
    topologyManagerPolicy: ${class.kubelet.topology_manager_policy}

--------------------------------------------------------------------------------
/modules/kubernetes/karpenter/templates/secret.yaml.tpl:
--------------------------------------------------------------------------------
# Kubelet bootstrap token that Karpenter-provisioned nodes use to join the cluster.
# NOTE(review): the token value is rendered into the manifest itself. If this template
# is committed to the fleet git repository the way the sibling modules commit their
# templates (git_repository_file), the bootstrap token ends up in git history; confirm
# how the rendered file is delivered, and prefer having the Secret populated from a
# secret store at sync time instead of carrying the value in the manifest.
apiVersion: v1
kind: Secret
metadata:
  name: kubelet-bootstrap-token
  namespace: kube-system
type: Opaque
data:
  # Secret "data" must be base64-encoded - TODO confirm the caller encodes bootstrap_token.
  KUBELET_BOOTSTRAP_TOKEN: ${bootstrap_token}
--------------------------------------------------------------------------------
/modules/kubernetes/karpenter/workload_identity.tf:
--------------------------------------------------------------------------------
# Dedicated identity that Karpenter uses to create and manage node VMs.
resource "azurerm_user_assigned_identity" "karpenter" {
  resource_group_name = var.resource_group_name
  location            = var.location
  name                = "uai-${var.aks_config.cluster_id}-karpenter-wi"
}

# NOTE(review): all three built-in roles are granted at subscription scope, so the
# Karpenter identity can manage VMs, networking and managed identities in every resource
# group of the subscription, not only the cluster's node resource group. If the
# provisioner only touches the node/network resource groups, scoping the assignments
# there would contain a compromised Karpenter service account.
resource "azurerm_role_assignment" "karpenter_contributor" {
  for_each = {
    for role in ["Virtual Machine Contributor", "Network Contributor", "Managed Identity Operator"] :
    role => role
  }
  scope                = "/subscriptions/${var.subscription_id}"
  role_definition_name = each.key
  principal_id         = azurerm_user_assigned_identity.karpenter.principal_id
}

# Only the karpenter-sa service account in kube-system may exchange its projected
# token for this identity.
resource "azurerm_federated_identity_credential" "karpenter" {
  name                = azurerm_user_assigned_identity.karpenter.name
  resource_group_name = azurerm_user_assigned_identity.karpenter.resource_group_name
  parent_id           = azurerm_user_assigned_identity.karpenter.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = var.aks_config.oidc_issuer_url
  subject             = "system:serviceaccount:kube-system:karpenter-sa"
}
--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/charts/linkerd-extras/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/charts/linkerd-extras/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: linkerd-extras
type: application
version: 0.1.2
appVersion: 0.1.0

--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/charts/linkerd-extras/templates/linkerd-identity-issuer.yaml:
--------------------------------------------------------------------------------
# Issuer certificate for Linkerd's identity service, signed by the linkerd-trust-anchor
# Issuer. It is short-lived (8h, renewed 4h ahead) so a leaked issuer key is only
# useful for a few hours.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
spec:
  secretName: linkerd-identity-issuer
  revisionHistoryLimit: 3
  duration: 8h
  renewBefore: 4h
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
    - identity.linkerd.cluster.local
  # This certificate signs other certificates, hence isCA plus the cert/crl sign usages.
  isCA: true
  privateKey:
    algorithm: ECDSA
  usages:
    - cert sign
    - crl sign
    - server auth
    - client auth

--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/charts/linkerd-extras/templates/linkerd-proxy-injector.yaml:
--------------------------------------------------------------------------------
# Serving certificate for the proxy-injector webhook, issued by the separate
# webhook-issuer CA (not the mesh trust anchor).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-proxy-injector
spec:
  secretName: linkerd-proxy-injector-k8s-tls
  revisionHistoryLimit: 3
  duration: 8h
  renewBefore: 4h
  issuerRef:
    name: webhook-issuer
    kind: Issuer
  commonName: linkerd-proxy-injector.linkerd.svc
  dnsNames:
    - linkerd-proxy-injector.linkerd.svc
  isCA: false
  privateKey:
    algorithm: ECDSA
  usages:
    - server auth

--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/charts/linkerd-extras/templates/linkerd-sp-validator.yaml:
--------------------------------------------------------------------------------
# Serving certificate for the service-profile validator webhook, same issuer and
# lifetime as the proxy-injector certificate.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-sp-validator
spec:
  secretName: linkerd-sp-validator-k8s-tls
  revisionHistoryLimit: 3
  duration: 8h
  renewBefore: 4h
  issuerRef:
    name: webhook-issuer
    kind: Issuer
  commonName: linkerd-sp-validator.linkerd.svc
  dnsNames:
    - linkerd-sp-validator.linkerd.svc
  isCA: false
  privateKey:
    algorithm: ECDSA
  usages:
    - server auth

--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/charts/linkerd-extras/templates/linkerd-trust-anchor.yaml:
--------------------------------------------------------------------------------
# CA Issuer backed by the linkerd-trust-anchor secret (the mesh root key). None of
# this chart's templates create that secret; it is expected to exist already -
# presumably provisioned by the module's Terraform, confirm where it comes from.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
spec:
  ca:
    secretName: linkerd-trust-anchor

--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/charts/linkerd-extras/templates/webhook-issuer.yaml:
--------------------------------------------------------------------------------
# CA Issuer for the webhook serving certificates, backed by the webhook-issuer-tls
# secret, which is likewise not created by this chart.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: webhook-issuer
spec:
  ca:
    secretName: webhook-issuer-tls

--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/charts/linkerd-extras/values.yaml:
--------------------------------------------------------------------------------
nameOverride: ""
fullnameOverride: ""

--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/linkerd/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/templates/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: linkerd-app
description: A Helm chart for deploying linkkerd as an app-of-app
type: application
version: 0.1.0
appVersion: "1.0.0"
--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/templates/linkerd-app.yaml.tpl:
--------------------------------------------------------------------------------
# App-of-apps entry point for linkerd: points Argo CD at the tenant's
# argocd-applications/linkerd directory in the fleet repository.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: linkerd-app
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
spec:
  project: ${project}
  destination:
    # NOTE(review): unlike the other app-of-apps templates no destination namespace is
    # set, so CreateNamespace and managedNamespaceMetadata below have nothing to act on;
    # the child Applications carry their own metadata.namespace.
    server: https://kubernetes.default.svc
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    managedNamespaceMetadata:
      labels:
        xkf.xenit.io/kind: platform
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/linkerd
--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/templates/linkerd-crds.yaml.tpl:
--------------------------------------------------------------------------------
# Linkerd CRDs, sync-wave -1 so they exist before the control plane and viz.
# NOTE(review): helm.linkerd.io/stable no longer receives new upstream releases
# (stable builds moved to a vendor distribution); the pinned charts here predate that
# change, so security fixes will require moving to another chart source - confirm.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: linkerd-crds
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
    argocd.argoproj.io/sync-wave: "-1"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: linkerd
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      # CRDs are never auto-pruned: removing one deletes every custom resource of that kind.
      prune: false
      selfHeal: true
    syncOptions:
      - CreateNamespace=false
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      # Server-side apply instead of Replace, likely because large CRDs exceed the
      # size limit of the client-side last-applied annotation.
      - ServerSideApply=true
  source:
    repoURL: https://helm.linkerd.io/stable
    targetRevision: 1.8.0
    chart: linkerd-crds
--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/templates/linkerd-viz.yaml.tpl:
--------------------------------------------------------------------------------
# Linkerd viz extension, sync-wave 0 (after the CRDs). The linkerd-viz namespace is
# expected to exist already (CreateNamespace=false, installNamespace=false).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: linkerd-viz
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
    argocd.argoproj.io/sync-wave: "0"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: linkerd-viz
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=false
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: https://helm.linkerd.io/stable
    targetRevision: 30.3.4
    chart: linkerd-viz
    helm:
      valuesObject:
        installNamespace: false
        # Images are pulled from the upstream GHCR registry, not a private mirror.
        defaultRegistry: ghcr.io/linkerd

--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/templates/values.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/linkerd/templates/values.yaml
--------------------------------------------------------------------------------
/modules/kubernetes/linkerd/variables.tf:
--------------------------------------------------------------------------------
variable "cluster_id" {
  description = "Unique identifier of the cluster across regions and instances."
  type        = string
}

variable "environment" {
  description = "The environment name to use for the deploy"
  type        = string
}

# Same shape as the fleet_infra_config of the other kubernetes modules.
variable "fleet_infra_config" {
  description = "Fleet infra configuration"
  type = object({
    git_repo_url        = string
    argocd_project_name = string
    k8s_api_server_url  = string
  })
}

variable "tenant_name" {
  description = "The name of the tenant"
  type        = string
}
--------------------------------------------------------------------------------
/modules/kubernetes/litmus/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/litmus/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/litmus/templates/litmuschaos.yaml.tpl:
--------------------------------------------------------------------------------
# LitmusChaos control plane installed from the upstream chart repository, sync-wave 3.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: litmuschaos
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
    argocd.argoproj.io/sync-wave: "3"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: litmus
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    managedNamespaceMetadata:
      labels:
        xkf.xenit.io/kind: platform
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: https://litmuschaos.github.io/litmus-helm
    targetRevision: 3.12.0
    chart: litmus
    # The pod-hardening values below (runAsNonRoot, readOnlyRootFilesystem) are
    # commented out, so the chart's defaults apply for the portal server.
    #helm:
    #valuesObject:
    #portal:
    #  server:
    #    waitForMongodb:
    #      securityContext:
    #        runAsNonRoot: true
    #        readOnlyRootFilesystem: true
--------------------------------------------------------------------------------
/modules/kubernetes/litmus/variables.tf:
--------------------------------------------------------------------------------
variable "azure_key_vault_name" {
  description = "The name of the key vault where the root password for mongodb can be found"
  type        = string
}

variable "cluster_id" {
  description = "Unique identifier of the cluster across regions and instances."
  type        = string
}

variable "environment" {
  description = "The environment name to use for the deploy"
  type        = string
}

variable "fleet_infra_config" {
  description = "Fleet infra configuration"
  type = object({
    git_repo_url        = string
    argocd_project_name = string
    k8s_api_server_url  = string
  })
}

variable "key_vault_resource_group_name" {
  description = "The resource group name where the core key vault is to be found"
  type        = string
}

variable "tenant_name" {
  description = "The name of the tenant"
  type        = string
}
--------------------------------------------------------------------------------
/modules/kubernetes/nginx-gateway-fabric/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/nginx-gateway-fabric/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/node-ttl/main.tf:
--------------------------------------------------------------------------------
/**
 * # Node TTL
 *
 * This module is used to add [`node-ttl`](https://github.com/XenitAB/node-ttl) to Kubernetes clusters.
*/

terraform {
  required_version = ">= 1.3.0"

  required_providers {
    git = {
      source  = "xenitab/git"
      version = ">=0.0.4"
    }
  }
}

# Renders the node-ttl Argo CD Application and commits it to the tenant's platform
# directory in the fleet git repository.
resource "git_repository_file" "node_ttl" {
  path = "platform/${var.tenant_name}/${var.cluster_id}/templates/node-ttl.yaml"
  content = templatefile("${path.module}/templates/node-ttl.yaml.tpl", {
    status_config_map_namespace = var.status_config_map_namespace
    tenant_name                 = var.tenant_name
    environment                 = var.environment
    project                     = var.fleet_infra_config.argocd_project_name
    server                      = var.fleet_infra_config.k8s_api_server_url
  })
}

--------------------------------------------------------------------------------
/modules/kubernetes/node-ttl/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/node-ttl/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/node-ttl/templates/node-ttl.yaml.tpl:
--------------------------------------------------------------------------------
# node-ttl installed from XenitAB's own OCI chart registry, sync-wave 3.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: node-ttl
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
    argocd.argoproj.io/sync-wave: "3"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: node-ttl
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    managedNamespaceMetadata:
      labels:
        xkf.xenit.io/kind: platform
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    # OCI registry (no scheme) - first-party chart, pinned to an exact tag.
    repoURL: ghcr.io/xenitab/helm-charts
    targetRevision: v0.0.9
    chart: node-ttl
    helm:
      valuesObject:
        resources:
          requests:
            cpu: 5m
            memory: 20Mi
          limits:
            memory: 50Mi
        nodeTtl:
          # Namespace of the Cluster Autoscaler status ConfigMap that node-ttl reads.
          statusConfigMapNamespace: ${status_config_map_namespace}

--------------------------------------------------------------------------------
/modules/kubernetes/node-ttl/variables.tf:
--------------------------------------------------------------------------------
variable "cluster_id" {
  description = "Unique identifier of the cluster across regions and instances."
  type        = string
}

variable "environment" {
  description = "The environment name to use for the deploy"
  type        = string
}

variable "fleet_infra_config" {
  description = "Fleet infra configuration"
  type = object({
    git_repo_url        = string
    argocd_project_name = string
    k8s_api_server_url  = string
  })
}

variable "status_config_map_namespace" {
  description = "Namespace where Cluster Autoscaler status ConfigMap is created"
  type        = string
}

variable "tenant_name" {
  description = "The name of the tenant"
  type        = string
}

--------------------------------------------------------------------------------
/modules/kubernetes/popeye/charts/popeye/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ -------------------------------------------------------------------------------- /modules/kubernetes/popeye/charts/popeye/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: popeye 3 | description: A Helm chart for Popeye Kubernetes Live Cluster Linter 4 | type: application 5 | version: 0.1.0 6 | appVersion: "1.30.5" -------------------------------------------------------------------------------- /modules/kubernetes/popeye/charts/popeye/templates/cluster-role-binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: popeye 5 | labels: 6 | xkf.xenit.io/kind: "platform" 7 | subjects: 8 | - kind: ServiceAccount 9 | name: popeye 10 | namespace: popeye 11 | roleRef: 12 | kind: ClusterRole 13 | name: popeye 14 | apiGroup: rbac.authorization.k8s.io -------------------------------------------------------------------------------- /modules/kubernetes/popeye/charts/popeye/templates/config-map.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: popeye 5 | namespace: popeye 6 | labels: 7 | xkf.xenit.io/kind: "platform" 8 | data: 9 | spinach: |- 10 | {{ with .Values.config }} 11 | {{- toYaml . 
| nindent 4 }}
12 | {{- end }}
--------------------------------------------------------------------------------
/modules/kubernetes/popeye/charts/popeye/templates/pvc.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: PersistentVolumeClaim
3 | metadata:
4 | name: popeye-reports-pvc
5 | namespace: popeye
6 | labels:
7 | xkf.xenit.io/kind: "platform"
8 | spec:
9 | accessModes:
# ReadWriteMany: the volume comes from the popeye-reports StorageClass
# (storage-class.yaml in this chart), which is backed by an Azure Files share.
10 | - ReadWriteMany
11 | storageClassName: popeye-reports
12 | resources:
13 | requests:
14 | storage: {{ .Values.azure.pvc.size }}
--------------------------------------------------------------------------------
/modules/kubernetes/popeye/charts/popeye/templates/secret.yaml:
--------------------------------------------------------------------------------
# Account credentials for the Azure Files share; referenced as secretName by the
# popeye-reports StorageClass. The two data keys are the names the azure-file
# volume plugin looks for, so they must keep these exact names.
1 | apiVersion: v1
2 | kind: Secret
3 | metadata:
4 | name: popeye-secret
5 | namespace: popeye
6 | labels:
7 | xkf.xenit.io/kind: "platform"
8 | type: Opaque
9 | data:
10 | azurestorageaccountname: {{ .Values.azure.storageAccount.name | b64enc }}
# NOTE(review): b64enc only base64-encodes, it is not encryption. The account
# key arrives verbatim through chart values, and this chart is synced by Argo CD
# straight from the platform Git repo (see popeye.yaml.tpl), so if values.yaml
# carries the key it sits in plaintext in Git and in the rendered manifests.
# Sourcing it at runtime (e.g. a SecretProviderClass from Key Vault, as
# promtail-manifests.yaml.tpl does) would avoid that. values.yaml is not
# visible here — confirm where the key actually comes from.
11 | azurestorageaccountkey: {{ .Values.azure.storageAccount.key | b64enc }}
--------------------------------------------------------------------------------
/modules/kubernetes/popeye/charts/popeye/templates/service-account.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ServiceAccount
3 | metadata:
4 | name: popeye
5 | namespace: popeye
6 | labels:
7 | xkf.xenit.io/kind: "platform"
8 | annotations:
# Workload identity: this ServiceAccount (popeye/popeye) is the federated
# subject in workload-identity.tf; presumably identity.id is the client id of
# the user-assigned identity created there — confirm in values.yaml.
9 | azure.workload.identity/client-id: {{ .Values.identity.id }}
--------------------------------------------------------------------------------
/modules/kubernetes/popeye/charts/popeye/templates/storage-class.yaml:
--------------------------------------------------------------------------------
1 | kind: StorageClass
2 | apiVersion: storage.k8s.io/v1
3 | metadata:
4 | name: popeye-reports
5 | labels:
6 | xkf.xenit.io/kind: "platform"
7 | provisioner:
kubernetes.io/azure-file
# NOTE(review): kubernetes.io/azure-file is the in-tree provisioner, which
# upstream Kubernetes has deprecated in favour of the Azure Files CSI driver
# (provisioner file.csi.azure.com); confirm the target AKS version still
# serves it before relying on this class.
8 | parameters:
9 | location: {{ .Values.azure.storageAccount.location }}
# NOTE(review): StandardSSD_ZRS is a managed-disk SKU name; Azure Files share
# SKUs are Standard_LRS/Standard_ZRS/Standard_GRS/Premium_LRS. Because the
# storageAccount is pinned below this value may never take effect — verify
# rather than rely on it.
10 | skuName: StandardSSD_ZRS
11 | resourceGroup: {{ .Values.azure.storageAccount.resourceGroup }}
12 | storageAccount: {{ .Values.azure.storageAccount.name }}
13 | shareName: popeye-reports
# Account-key Secret rendered by secret.yaml in this chart.
14 | secretName: popeye-secret
--------------------------------------------------------------------------------
/modules/kubernetes/popeye/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/popeye/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/popeye/templates/popeye.yaml.tpl:
--------------------------------------------------------------------------------
# Argo CD Application for popeye; the $-placeholders are filled by the module's
# templatefile call when the file is committed to the platform repo.
1 | apiVersion: argoproj.io/v1alpha1
2 | kind: Application
3 | metadata:
4 | name: popeye
5 | namespace: ${tenant_name}-${environment}
6 | annotations:
7 | argocd.argoproj.io/manifest-generate-paths: .
8 | argocd.argoproj.io/sync-wave: "3"
9 | spec:
10 | project: ${project}
11 | destination:
12 | server: ${server}
13 | namespace: popeye
14 | revisionHistoryLimit: 5
15 | syncPolicy:
16 | automated:
17 | prune: true
18 | selfHeal: true
19 | managedNamespaceMetadata:
20 | labels:
21 | xkf.xenit.io/kind: platform
22 | syncOptions:
23 | - CreateNamespace=true
24 | - RespectIgnoreDifferences=true
25 | - ApplyOutOfSyncOnly=true
26 | - Replace=true
27 | source:
28 | repoURL: ${repo_url}
# Tracks the branch head rather than a pinned revision: with prune and selfHeal
# enabled above, every commit to this path in the platform repo is applied
# automatically.
29 | targetRevision: HEAD
30 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/popeye/charts/popeye
--------------------------------------------------------------------------------
/modules/kubernetes/popeye/workload-identity.tf:
--------------------------------------------------------------------------------
# Dedicated user-assigned identity for popeye, federated to the popeye/popeye
# ServiceAccount below so the workload gets its own Azure permissions.
1 | resource "azurerm_user_assigned_identity" "popeye" {
2 | resource_group_name = var.resource_group_name
3 | location = var.location
4 | name = "uai-${var.cluster_id}-popeye-wi"
5 | }
6 |
# NOTE(review): "Storage Account Contributor" is a control-plane role that
# includes listKeys, so each principal below can read the account keys and
# with them reach every container and share in the `log` account, not just the
# popeye-reports share. The cluster identity presumably needs this for the
# in-tree azure-file provisioner used by the chart's StorageClass, but the
# resource name "aks_contributor" does not record that, and a data-plane role
# (e.g. "Storage File Data SMB Share Contributor" on the share) would be
# narrower once provisioning no longer depends on account keys — confirm what
# each principal actually does with the account.
7 | resource "azurerm_role_assignment" "aks_contributor" {
8 | scope = data.azurerm_storage_account.log.id
9 | role_definition_name = "Storage Account Contributor"
10 | principal_id = var.aks_managed_identity_id
11 | }
12 |
# NOTE(review): same role for popeye's own identity. If popeye only writes
# through the PVC-mounted share (authenticated with the key from secret.yaml)
# this assignment may be unused and could be dropped — confirm.
13 | resource "azurerm_role_assignment" "popeye_contributor" {
14 | scope = data.azurerm_storage_account.log.id
15 | role_definition_name = "Storage Account Contributor"
16 | principal_id = azurerm_user_assigned_identity.popeye.principal_id
17 | }
18 |
# Trusts the cluster's OIDC issuer for the popeye/popeye ServiceAccount; the
# subject must match the namespace and name in service-account.yaml exactly.
19 | resource "azurerm_federated_identity_credential" "popeye" {
20 | name = azurerm_user_assigned_identity.popeye.name
21 | resource_group_name = azurerm_user_assigned_identity.popeye.resource_group_name
22 | parent_id = azurerm_user_assigned_identity.popeye.id
23 | audience = ["api://AzureADTokenExchange"]
24 | issuer = var.oidc_issuer_url
25 | subject = "system:serviceaccount:popeye:popeye"
26 | }
--------------------------------------------------------------------------------
/modules/kubernetes/prometheus/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/prometheus/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/prometheus/templates/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: prometheus-app 3 | description: A Helm chart for deploying prometheus as an app-of-app 4 | type: application 5 | version: 0.1.0 6 | appVersion: "1.0.0" -------------------------------------------------------------------------------- /modules/kubernetes/prometheus/templates/prometheus-app.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: prometheus-app 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
8 | spec: 9 | project: ${project} 10 | destination: 11 | server: https://kubernetes.default.svc 12 | revisionHistoryLimit: 5 13 | syncPolicy: 14 | automated: 15 | prune: true 16 | selfHeal: true 17 | managedNamespaceMetadata: 18 | labels: 19 | xkf.xenit.io/kind: platform 20 | syncOptions: 21 | - CreateNamespace=true 22 | - RespectIgnoreDifferences=true 23 | - ApplyOutOfSyncOnly=true 24 | - Replace=true 25 | source: 26 | repoURL: ${repo_url} 27 | targetRevision: HEAD 28 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/prometheus -------------------------------------------------------------------------------- /modules/kubernetes/prometheus/templates/prometheus-extras.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: prometheus-extras 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 8 | argocd.argoproj.io/sync-wave: "3" 9 | spec: 10 | project: ${project} 11 | destination: 12 | server: https://kubernetes.default.svc 13 | namespace: prometheus 14 | revisionHistoryLimit: 5 15 | syncPolicy: 16 | automated: 17 | prune: true 18 | selfHeal: true 19 | syncOptions: 20 | - RespectIgnoreDifferences=true 21 | - ApplyOutOfSyncOnly=true 22 | - Replace=true 23 | source: 24 | repoURL: ${repo_url} 25 | targetRevision: HEAD 26 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/prometheus/manifests -------------------------------------------------------------------------------- /modules/kubernetes/prometheus/templates/rbac.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: prometheus-xks 5 | namespace: prometheus 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: prometheus-xks 10 | subjects: 11 | - 
kind: ServiceAccount
12 | name: prometheus
13 | namespace: prometheus
14 | ---
15 | apiVersion: rbac.authorization.k8s.io/v1
16 | kind: ClusterRole
17 | metadata:
18 | name: prometheus-xks
# NOTE(review): ClusterRole (and the ClusterRoleBinding above) are
# cluster-scoped, so this namespace field is ignored by the API server and
# only suggests a scope that does not exist; consider dropping it from both.
19 | namespace: prometheus
20 | rules:
# Read-only discovery/scrape permissions, cluster-wide, on the core API group.
21 | - apiGroups:
22 | - ""
23 | resources:
24 | - nodes
25 | - nodes/metrics
26 | - services
27 | - endpoints
28 | - pods
29 | verbs:
30 | - get
31 | - list
32 | - watch
# NOTE(review): get on ConfigMaps in every namespace. Kubernetes service
# discovery is already covered by the rule above, so this is extra reach; if
# one specific ConfigMap needs it, resourceNames or a namespaced Role would be
# tighter — confirm what reads ConfigMaps.
33 | - apiGroups:
34 | - ""
35 | resources:
36 | - configmaps
37 | verbs:
38 | - get
# Non-resource URL, typically used to scrape the API server's own /metrics.
39 | - nonResourceURLs:
40 | - /metrics
41 | verbs:
42 | - get
43 | ---
44 | apiVersion: v1
45 | kind: ServiceAccount
46 | metadata:
47 | name: prometheus
48 | namespace: prometheus
49 | annotations:
# Workload identity; the matching federated credential for
# prometheus/prometheus is created in workload_identity.tf of this module.
50 | azure.workload.identity/client-id: ${client_id}
51 |
--------------------------------------------------------------------------------
/modules/kubernetes/prometheus/templates/values.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/prometheus/templates/values.yaml
--------------------------------------------------------------------------------
/modules/kubernetes/prometheus/templates/x509-certificate-exporter.yaml.tpl:
--------------------------------------------------------------------------------
1 | apiVersion: argoproj.io/v1alpha1
2 | kind: Application
3 | metadata:
4 | name: x509-certificate-exporter
5 | namespace: ${tenant_name}-${environment}
6 | annotations:
7 | argocd.argoproj.io/manifest-generate-paths: .
8 | argocd.argoproj.io/sync-wave: "2"
9 | spec:
10 | project: ${project}
11 | destination:
12 | server: ${server}
13 | namespace: prometheus
14 | revisionHistoryLimit: 5
15 | syncPolicy:
16 | automated:
17 | prune: true
18 | selfHeal: true
19 | syncOptions:
20 | - CreateNamespace=true
21 | - RespectIgnoreDifferences=true
22 | - ApplyOutOfSyncOnly=true
23 | - Replace=true
24 | source:
25 | repoURL: https://charts.enix.io
26 | targetRevision: 3.8.0
27 | chart: x509-certificate-exporter
28 | helm:
29 | valuesObject:
30 | secretsExporter:
# Restricts which namespaces' TLS Secrets the exporter reads (per the value
# name); keeping this list short limits how much Secret access the exporter
# needs.
31 | includeNamespaces:
32 | - prometheus
33 | priorityClassName: platform-medium
34 | prometheusRules:
35 | # We don't manage prometheus rules per cluster.
36 | create: false
37 | prometheusServiceMonitor:
38 | # We use serviceMonitors from another helm chart.
39 | create: false
40 |
--------------------------------------------------------------------------------
/modules/kubernetes/prometheus/workload_identity.tf:
--------------------------------------------------------------------------------
# Looks up the shared "xenit" user-assigned identity instead of creating one;
# whatever roles that identity holds are assigned elsewhere and are not visible
# in this module.
1 | data "azurerm_user_assigned_identity" "xenit" {
2 | resource_group_name = var.resource_group_name
3 | name = "uai-${var.environment}-${var.location_short}-${var.aks_name}-xenit"
4 | }
5 |
# NOTE(review): federating the prometheus/prometheus ServiceAccount to the
# shared identity lets the pod obtain tokens carrying every role that identity
# holds; promtail/workload-identity.tf federates a second workload to the same
# one. popeye/workload-identity.tf shows the alternative — a dedicated identity
# per workload — which keeps each workload's Azure permissions separate.
# Confirm what the xenit identity is entitled to before deciding which is
# appropriate here.
6 | resource "azurerm_federated_identity_credential" "prometheus" {
7 | name = "uai-${var.environment}-${var.location_short}-${var.aks_name}-prometheus-wi"
8 | resource_group_name = data.azurerm_user_assigned_identity.xenit.resource_group_name
9 | parent_id = data.azurerm_user_assigned_identity.xenit.id
10 | audience = ["api://AzureADTokenExchange"]
11 | issuer = var.oidc_issuer_url
# Must match the ServiceAccount declared in templates/rbac.yaml.tpl.
12 | subject = "system:serviceaccount:prometheus:prometheus"
13 | }
--------------------------------------------------------------------------------
/modules/kubernetes/promtail/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/promtail/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/promtail/templates/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: promtail-app 3 | description: A Helm chart for deploying promtail as an app-of-app 4 | type: application 5 | version: 0.1.0 6 | appVersion: "1.0.0" -------------------------------------------------------------------------------- /modules/kubernetes/promtail/templates/promtail-app.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: promtail-app 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 8 | spec: 9 | project: ${project} 10 | destination: 11 | server: https://kubernetes.default.svc 12 | revisionHistoryLimit: 5 13 | syncPolicy: 14 | automated: 15 | prune: true 16 | selfHeal: true 17 | managedNamespaceMetadata: 18 | labels: 19 | xkf.xenit.io/kind: platform 20 | syncOptions: 21 | - CreateNamespace=true 22 | - RespectIgnoreDifferences=true 23 | - ApplyOutOfSyncOnly=true 24 | - Replace=true 25 | source: 26 | repoURL: ${repo_url} 27 | targetRevision: HEAD 28 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/promtail -------------------------------------------------------------------------------- /modules/kubernetes/promtail/templates/promtail-extras.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: promtail-extras 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
8 | argocd.argoproj.io/sync-wave: "2" 9 | spec: 10 | project: ${project} 11 | destination: 12 | server: ${server} 13 | namespace: promtail 14 | revisionHistoryLimit: 5 15 | syncPolicy: 16 | automated: 17 | prune: true 18 | selfHeal: true 19 | syncOptions: 20 | - CreateNamespace=true 21 | - RespectIgnoreDifferences=true 22 | - ApplyOutOfSyncOnly=true 23 | - Replace=true 24 | source: 25 | repoURL: ${repo_url} 26 | targetRevision: HEAD 27 | path: platform/${tenant_name}/${cluster_id}/argocd-applications/promtail/manifests -------------------------------------------------------------------------------- /modules/kubernetes/promtail/templates/promtail-manifests.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: secrets-store.csi.x-k8s.io/v1 2 | kind: SecretProviderClass 3 | metadata: 4 | name: promtail 5 | namespace: promtail 6 | spec: 7 | provider: "azure" 8 | parameters: 9 | clientID: ${client_id} 10 | keyvaultName: ${azure_config.azure_key_vault_name} 11 | tenantId: ${tenant_id} 12 | objects: | 13 | array: 14 | - | 15 | objectName: "${azure_config.keyvault_secret_name}" 16 | objectType: secret 17 | secretObjects: 18 | - secretName: "${k8s_secret_name}" 19 | type: kubernetes.io/tls 20 | data: 21 | - objectName: "${azure_config.keyvault_secret_name}" 22 | key: tls.key 23 | - objectName: "${azure_config.keyvault_secret_name}" 24 | key: tls.crt 25 | --- 26 | apiVersion: v1 27 | kind: Service 28 | metadata: 29 | name: promtail-metrics 30 | namespace: promtail 31 | labels: 32 | app.kubernetes.io/instance: promtail 33 | app.kubernetes.io/name: promtail 34 | spec: 35 | clusterIP: None 36 | ports: 37 | - name: http-metrics 38 | port: 3101 39 | targetPort: http-metrics 40 | protocol: TCP 41 | selector: 42 | app.kubernetes.io/instance: promtail 43 | app.kubernetes.io/name: promtail -------------------------------------------------------------------------------- /modules/kubernetes/promtail/templates/values.yaml: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/promtail/templates/values.yaml
--------------------------------------------------------------------------------
/modules/kubernetes/promtail/workload-identity.tf:
--------------------------------------------------------------------------------
# Looks up the shared "xenit" user-assigned identity instead of creating one;
# its role assignments live elsewhere and are not visible in this module.
1 | data "azurerm_user_assigned_identity" "xenit" {
2 | resource_group_name = var.resource_group_name
3 | name = "uai-${var.environment}-${var.location_short}-${var.aks_name}-xenit"
4 | }
5 |
# NOTE(review): the promtail/promtail ServiceAccount is federated to the shared
# identity (prometheus/workload_identity.tf does the same for prometheus), so
# the pod can obtain tokens for every role that identity holds. If the only
# Azure access promtail needs is the Key Vault read behind the
# SecretProviderClass in templates/promtail-manifests.yaml.tpl, a dedicated
# identity with just that role (as popeye/workload-identity.tf does) would be
# the tighter option — confirm the shared identity's entitlements.
6 | resource "azurerm_federated_identity_credential" "promtail" {
7 | name = "uai-${var.environment}-${var.location_short}-${var.aks_name}-promtail-wi"
8 | resource_group_name = data.azurerm_user_assigned_identity.xenit.resource_group_name
9 | parent_id = data.azurerm_user_assigned_identity.xenit.id
10 | audience = ["api://AzureADTokenExchange"]
11 | issuer = var.oidc_issuer_url
# Must match the namespace and name of promtail's ServiceAccount.
12 | subject = "system:serviceaccount:promtail:promtail"
13 | }
--------------------------------------------------------------------------------
/modules/kubernetes/rabbitmq-operator/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/rabbitmq-operator/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/rabbitmq-operator/variables.tf:
--------------------------------------------------------------------------------
1 | variable "cluster_id" {
2 | description = "Unique identifier of the cluster across regions and instances."
3 | type = string
4 | }
5 |
6 | variable "environment" {
7 | description = "The environment name to use for the deploy"
8 | type = string
9 | }
10 |
11 | variable "fleet_infra_config" {
12 | description = "Fleet infra configuration"
13 | type = object({
14 | git_repo_url = string
15 | argocd_project_name = string
16 | k8s_api_server_url = string
17 | })
18 | }
19 |
# Operator settings; every attribute is optional, so callers may pass {} and get
# the defaults listed here.
20 | variable "rabbitmq_config" {
21 | description = "The RabbitMQ operator configuration"
22 | type = object({
23 | min_available = optional(number, 0)
24 | replica_count = optional(number, 1)
# NOTE(review): defaults to no NetworkPolicy for the operator; callers must
# opt in explicitly.
25 | network_policy_enabled = optional(bool, false)
26 | spot_instances_enabled = optional(bool, true)
# NOTE(review): "tology" reads like a typo for "topology", but this attribute
# is part of the module's input interface — renaming it breaks callers, so
# check the template that consumes it before touching the name.
27 | tology_operator_enabled = optional(bool, false)
28 | watch_namespaces = optional(list(string), [])
29 | })
30 | default = {}
31 | }
32 |
33 | variable "tenant_name" {
34 | description = "The name of the tenant"
35 | type = string
36 | }
--------------------------------------------------------------------------------
/modules/kubernetes/reloader/main.tf:
--------------------------------------------------------------------------------
1 | /**
2 | * # Reloader
3 | *
4 | * Adds [`Reloader`](https://github.com/stakater/Reloader) to a Kubernetes cluster.
5 | * 6 | */ 7 | 8 | terraform { 9 | required_version = ">= 1.3.0" 10 | 11 | required_providers { 12 | git = { 13 | source = "xenitab/git" 14 | version = ">=0.0.4" 15 | } 16 | } 17 | } 18 | 19 | resource "git_repository_file" "reloader" { 20 | path = "platform/${var.tenant_name}/${var.cluster_id}/templates/reloader.yaml" 21 | content = templatefile("${path.module}/templates/reloader.yaml.tpl", { 22 | tenant_name = var.tenant_name 23 | environment = var.environment 24 | project = var.fleet_infra_config.argocd_project_name 25 | server = var.fleet_infra_config.k8s_api_server_url 26 | }) 27 | } 28 | -------------------------------------------------------------------------------- /modules/kubernetes/reloader/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/reloader/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/reloader/templates/reloader.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: reloader 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
8 | argocd.argoproj.io/sync-wave: "3" 9 | spec: 10 | project: ${project} 11 | destination: 12 | server: ${server} 13 | namespace: reloader 14 | revisionHistoryLimit: 5 15 | syncPolicy: 16 | automated: 17 | prune: true 18 | selfHeal: true 19 | managedNamespaceMetadata: 20 | labels: 21 | xkf.xenit.io/kind: platform 22 | syncOptions: 23 | - CreateNamespace=true 24 | - RespectIgnoreDifferences=true 25 | - ApplyOutOfSyncOnly=true 26 | - Replace=true 27 | source: 28 | repoURL: https://stakater.github.io/stakater-charts 29 | targetRevision: 2.0.0 30 | chart: reloader 31 | helm: 32 | valuesObject: 33 | deployment: 34 | priorityClassName: platform-low 35 | resources: 36 | requests: 37 | cpu: 15m 38 | memory: 50Mi 39 | -------------------------------------------------------------------------------- /modules/kubernetes/reloader/variables.tf: -------------------------------------------------------------------------------- 1 | variable "cluster_id" { 2 | description = "Unique identifier of the cluster across regions and instances." 3 | type = string 4 | } 5 | 6 | variable "environment" { 7 | description = "The environment name to use for the deploy" 8 | type = string 9 | } 10 | 11 | variable "fleet_infra_config" { 12 | description = "Fleet infra configuration" 13 | type = object({ 14 | git_repo_url = string 15 | argocd_project_name = string 16 | k8s_api_server_url = string 17 | }) 18 | } 19 | 20 | variable "tenant_name" { 21 | description = "The name of the tenant" 22 | type = string 23 | } 24 | -------------------------------------------------------------------------------- /modules/kubernetes/spegel/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * # Spegel 3 | * 4 | * This module is used to add [spegel](https://github.com/XenitAB/spegel) to Kubernetes clusters. 
5 | */ 6 | 7 | terraform { 8 | required_version = ">= 1.3.0" 9 | 10 | required_providers { 11 | git = { 12 | source = "xenitab/git" 13 | version = ">=0.0.4" 14 | } 15 | } 16 | } 17 | 18 | resource "git_repository_file" "spegel" { 19 | path = "platform/${var.tenant_name}/${var.cluster_id}/templates/spegel.yaml" 20 | content = templatefile("${path.module}/templates/spegel.yaml.tpl", { 21 | private_registry = var.private_registry 22 | tenant_name = var.tenant_name 23 | environment = var.environment 24 | project = var.fleet_infra_config.argocd_project_name 25 | server = var.fleet_infra_config.k8s_api_server_url 26 | }) 27 | } 28 | -------------------------------------------------------------------------------- /modules/kubernetes/spegel/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/spegel/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/spegel/variables.tf: -------------------------------------------------------------------------------- 1 | variable "cluster_id" { 2 | description = "Unique identifier of the cluster across regions and instances." 3 | type = string 4 | } 5 | 6 | variable "environment" { 7 | description = "The environment name to use for the deploy" 8 | type = string 9 | } 10 | 11 | variable "fleet_infra_config" { 12 | description = "Fleet infra configuration" 13 | type = object({ 14 | git_repo_url = string 15 | argocd_project_name = string 16 | k8s_api_server_url = string 17 | }) 18 | } 19 | 20 | variable "private_registry" { 21 | description = "Private registry to add to Spegels mirror list." 
22 | type = string 23 | default = "" 24 | } 25 | 26 | variable "tenant_name" { 27 | description = "The name of the tenant" 28 | type = string 29 | } 30 | -------------------------------------------------------------------------------- /modules/kubernetes/telepresence/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * # Telepresence 3 | * 4 | * Adds [`Telepresence`](https://github.com/telepresenceio/telepresence) to a Kubernetes cluster. 5 | * 6 | */ 7 | 8 | terraform { 9 | required_version = ">= 1.3.0" 10 | 11 | required_providers { 12 | git = { 13 | source = "xenitab/git" 14 | version = ">=0.0.4" 15 | } 16 | } 17 | } 18 | 19 | resource "git_repository_file" "telepresence" { 20 | path = "platform/${var.tenant_name}/${var.cluster_id}/templates/telepresence.yaml" 21 | content = templatefile("${path.module}/templates/telepresence.yaml.tpl", { 22 | telepresence_config = var.telepresence_config 23 | tenant_name = var.tenant_name 24 | environment = var.environment 25 | project = var.fleet_infra_config.argocd_project_name 26 | server = var.fleet_infra_config.k8s_api_server_url 27 | }) 28 | } 29 | -------------------------------------------------------------------------------- /modules/kubernetes/telepresence/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/telepresence/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/telepresence/variables.tf: -------------------------------------------------------------------------------- 1 | variable "cluster_id" { 2 | description = "Unique identifier of the cluster across regions and instances." 
3 | type = string 4 | } 5 | 6 | variable "environment" { 7 | description = "The environment name to use for the deploy" 8 | type = string 9 | } 10 | 11 | variable "fleet_infra_config" { 12 | description = "Fleet infra configuration" 13 | type = object({ 14 | git_repo_url = string 15 | argocd_project_name = string 16 | k8s_api_server_url = string 17 | }) 18 | } 19 | 20 | variable "telepresence_config" { 21 | description = "Config to use when deploying traffic manager to the cluster" 22 | type = object({ 23 | allow_conflicting_subnets = optional(list(string), []) 24 | client_rbac = object({ 25 | create = bool 26 | namespaced = bool 27 | namespaces = optional(list(string), ["ambassador"]) 28 | subjects = optional(list(string), []) 29 | }) 30 | manager_rbac = object({ 31 | create = bool 32 | namespaced = bool 33 | namespaces = optional(list(string), []) 34 | }) 35 | }) 36 | } 37 | 38 | variable "tenant_name" { 39 | description = "The name of the tenant" 40 | type = string 41 | } 42 | -------------------------------------------------------------------------------- /modules/kubernetes/trivy/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/trivy/outputs.tf -------------------------------------------------------------------------------- /modules/kubernetes/trivy/templates/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: trivy-app 3 | description: A Helm chart for deploying trivy as an app-of-app 4 | type: application 5 | version: 0.1.0 6 | appVersion: "1.0.0" -------------------------------------------------------------------------------- /modules/kubernetes/trivy/templates/starboard-exporter.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 
3 | metadata: 4 | name: starboard-exporter 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 8 | argocd.argoproj.io/sync-wave: "2" 9 | spec: 10 | project: ${project} 11 | destination: 12 | server: ${server} 13 | namespace: trivy 14 | revisionHistoryLimit: 5 15 | syncPolicy: 16 | automated: 17 | prune: true 18 | selfHeal: true 19 | syncOptions: 20 | - CreateNamespace=true 21 | - RespectIgnoreDifferences=true 22 | - ApplyOutOfSyncOnly=true 23 | source: 24 | repoURL: https://giantswarm.github.io/giantswarm-catalog 25 | targetRevision: v0.8.1 26 | chart: starboard-exporter 27 | helm: 28 | valuesObject: 29 | global: 30 | podSecurityStandards: 31 | # Don't create a psp 32 | enforced: true 33 | monitoring: 34 | grafanaDashboard: 35 | # Don't create Grafana dashboard ConfigMap 36 | enabled: false 37 | networkpolicy: 38 | enabled: false 39 | -------------------------------------------------------------------------------- /modules/kubernetes/trivy/templates/trivy-app.yaml.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: trivy-app 5 | namespace: ${tenant_name}-${environment} 6 | annotations: 7 | argocd.argoproj.io/manifest-generate-paths: . 
spec:
  project: ${project}
  destination:
    namespace: ${tenant_name}-${environment}
    # kubernetes.default.svc is the API server of the cluster Argo CD runs in.
    server: https://kubernetes.default.svc
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    # Labels Argo CD keeps on the destination namespace it manages.
    managedNamespaceMetadata:
      labels:
        xkf.xenit.io/kind: platform
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      # Replace instead of apply: objects are recreated wholesale on change.
      - Replace=true
  source:
    repoURL: ${repo_url}
    # Tracks the branch head: whoever can push to this path of the fleet-infra
    # repo decides what is deployed, so branch protection there is the control.
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/trivy
--------------------------------------------------------------------------------
/modules/kubernetes/trivy/templates/trivy.yaml.tpl:
--------------------------------------------------------------------------------
# Child Application deploying the upstream Aqua trivy chart; continues in the
# next section.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: trivy
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
    argocd.argoproj.io/sync-wave: "2"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: trivy
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: https://aquasecurity.github.io/helm-charts/
    # Pinned chart version (no digest); bump deliberately.
    targetRevision: v0.13.0
    chart: trivy
    helm:
      valuesObject:
        trivy:
          # Azure Workload Identity: pods labelled for injection, service
          # account federated to the client id passed in by the module.
          labels:
            azure.workload.identity/use: "true"
          serviceAccount:
            annotations:
              azure.workload.identity/client-id: ${client_id}
        persistence:
          storageClass: ${volume_claim_storage_class_name}
--------------------------------------------------------------------------------
/modules/kubernetes/trivy/templates/values.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/trivy/templates/values.yaml
--------------------------------------------------------------------------------
/modules/kubernetes/velero/outputs.tf:
--------------------------------------------------------------------------------
# Backup location and the user-assigned identity velero authenticates with;
# consumed by the caller when rendering the velero values.
output "velero" {
  description = "Velero configuration"
  value = {
    azure_storage_account_name      = azurerm_storage_account.velero.name
    azure_storage_account_container = azurerm_storage_container.velero.name
    identity = {
      client_id   = azurerm_user_assigned_identity.velero.client_id
      resource_id = azurerm_user_assigned_identity.velero.id
    }
  }
}
--------------------------------------------------------------------------------
/modules/kubernetes/velero/storage.tf:
--------------------------------------------------------------------------------
# Backup store for velero. Only a blob container is created on this account,
# so the queue-service logging finding below is presumably not applicable.
#tfsec:ignore:azure-storage-queue-services-logging-enabled
resource "azurerm_storage_account" "velero" {
  # Generated name must satisfy Azure's storage-account naming rules (lower
  # case alphanumerics, globally unique); callers can override it.
  name                            = var.azure_config.storage_account_name == "" ? "strg${var.environment}velero${var.unique_suffix}" : var.azure_config.storage_account_name
  resource_group_name             = var.resource_group_name
  location                        = var.location
  account_tier                    = "Standard"
  # Geo-redundant so backups survive loss of the primary region.
  account_replication_type        = "GRS"
  account_kind                    = "StorageV2"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
  # NOTE(review): public network access and shared-key auth are left at provider
  # defaults here; for a store of cluster backups consider pinning them explicitly.
}

resource "azurerm_storage_container" "velero" {
  storage_account_name  = azurerm_storage_account.velero.name
  name                  = var.azure_config.storage_account_container == "" ? "backup" : var.azure_config.storage_account_container
  # No anonymous read on the backup blobs.
  container_access_type = "private"
}
--------------------------------------------------------------------------------
/modules/kubernetes/velero/templates/Chart.yaml:
--------------------------------------------------------------------------------
# Wrapper ("app-of-apps") chart carrying the velero Application templates.
apiVersion: v2
name: velero-app
description: A Helm chart for deploying velero as an app-of-app
type: application
version: 0.1.0
appVersion: "1.0.0"
--------------------------------------------------------------------------------
/modules/kubernetes/velero/templates/values.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/velero/templates/values.yaml
--------------------------------------------------------------------------------
/modules/kubernetes/velero/templates/velero-app.yaml.tpl:
--------------------------------------------------------------------------------
# Parent Application for velero; same shape as trivy-app.yaml.tpl. Continues in
# the next section.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: velero-app
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
spec:
  project: ${project}
  destination:
    namespace: ${tenant_name}-${environment}
    # kubernetes.default.svc is the API server of the cluster Argo CD runs in.
    server: https://kubernetes.default.svc
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    managedNamespaceMetadata:
      labels:
        xkf.xenit.io/kind: platform
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    # Tracks the branch head; push access to this path equals deploy access.
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/velero
--------------------------------------------------------------------------------
/modules/kubernetes/velero/templates/velero-extras.yaml.tpl:
--------------------------------------------------------------------------------
# Application for the plain velero manifests (Schedules) kept under
# .../velero/manifests in the fleet-infra repo. Continues in the next section.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: velero-extras
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
    # Wave "3": synced after the trivy apps (wave "2"), presumably so the
    # velero CRDs exist before the Schedules below are applied — confirm.
    argocd.argoproj.io/sync-wave: "3"
spec:
  project: ${project}
  destination:
    server: ${server}
    namespace: velero
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/velero/manifests
--------------------------------------------------------------------------------
/modules/kubernetes/velero/templates/velero-manifests.yaml.tpl:
--------------------------------------------------------------------------------
# Backup schedules. No namespace filter is set on either template, so scope is
# velero's default — confirm that matches what the tenant expects.
# Daily full backup at 02:00 (cluster-local time), retained 960h = 40 days.
apiVersion: velero.io/v1
kind: Schedule
metadata:
  name: daily-full-backups
  namespace: velero
  labels:
    frequency: daily
    full: "true"
spec:
  schedule: "0 2 * * *"
  template:
    ttl: 960h0m0s
---
# Hourly backup at minute 15 without volume snapshots (resource manifests only),
# retained 96h = 4 days.
apiVersion: velero.io/v1
kind: Schedule
metadata:
  name: hourly-minimal-backups
  namespace: velero
  labels:
    frequency: hourly
    full: "false"
spec:
  schedule: "15 */1 * * *"
  template:
    snapshotVolumes: false
    ttl: 96h0m0s

--------------------------------------------------------------------------------
/modules/kubernetes/vpa/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/vpa/outputs.tf
--------------------------------------------------------------------------------
/modules/kubernetes/vpa/templates/Chart.yaml:
--------------------------------------------------------------------------------
# Wrapper ("app-of-apps") chart carrying the vpa Application template.
apiVersion: v2
name: vpa-app
description: A Helm chart for deploying vpa as an app-of-app
type: application
version: 0.1.0
appVersion: "1.0.0"
--------------------------------------------------------------------------------
/modules/kubernetes/vpa/templates/values.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XenitAB/terraform-modules/f4cc055697de9d6f82db28f04919bd67f606bc76/modules/kubernetes/vpa/templates/values.yaml
--------------------------------------------------------------------------------
/modules/kubernetes/vpa/templates/vpa-app.yaml.tpl:
--------------------------------------------------------------------------------
# Parent Application for the vertical pod autoscaler; same shape as
# trivy-app.yaml.tpl and velero-app.yaml.tpl.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: vpa-app
  namespace: ${tenant_name}-${environment}
  annotations:
    argocd.argoproj.io/manifest-generate-paths: .
spec:
  project: ${project}
  destination:
    namespace: ${tenant_name}-${environment}
    server: https://kubernetes.default.svc
  revisionHistoryLimit: 5
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    managedNamespaceMetadata:
      labels:
        xkf.xenit.io/kind: platform
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - ApplyOutOfSyncOnly=true
      - Replace=true
  source:
    repoURL: ${repo_url}
    # Tracks the branch head; push access to this path equals deploy access.
    targetRevision: HEAD
    path: platform/${tenant_name}/${cluster_id}/argocd-applications/vpa
--------------------------------------------------------------------------------
/modules/kubernetes/vpa/variables.tf:
--------------------------------------------------------------------------------
variable "cluster_id" {
  description = "Unique identifier of the cluster across regions and instances."
  type        = string
}

variable "environment" {
  description = "The environment name to use for the deploy"
  type        = string
}

# Same three-field object every kubernetes module in this repo takes; feeds the
# Application templates (repo, project, API server).
variable "fleet_infra_config" {
  description = "Fleet infra configuration"
  type = object({
    git_repo_url        = string
    argocd_project_name = string
    k8s_api_server_url  = string
  })
}

variable "tenant_name" {
  description = "The name of the tenant"
  type        = string
}
--------------------------------------------------------------------------------
/validation/azure/aks-global/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values): exercises the module's
# interface, not a deployable configuration.
terraform {}

provider "azurerm" {
  features {}
}

module "aks_global" {
  source = "../../../modules/azure/aks-global"

  environment          = "dev"
  location             = "West Europe"
  location_short       = "we"
  name                 = "xks"
  dns_zone             = ["example.io"]
  subscription_name    = "xks"
  unique_suffix        = "1234"
  aks_managed_identity = "id"
}
--------------------------------------------------------------------------------
/validation/azure/aks-regional/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "azurerm" {
  features {}
}

provider "azuread" {}

provider "random" {}

provider "tls" {}

module "aks_regional" {
  source = "../../../modules/azure/aks-regional"

  environment       = "dev"
  location_short    = "we"
  name              = "xks"
  subscription_name = "xks"
  core_name         = "core"
  unique_suffix     = "1234"
  namespaces = [
    {
      name = "team1"
      labels = {
        "test" = "test"
      }
      flux = {
        enabled = true
        repo    = "repo"
      }
    }
  ]
  aks_managed_identity = "id"

  dns_zone = ["example.io"]
  # Placeholder only: 0.0.0.0/0 exposes the API server to every address. A real
  # deployment must pass a narrow allow-list here.
  aks_authorized_ips = ["0.0.0.0/0"]
}
--------------------------------------------------------------------------------
/validation/azure/azure-pipelines-agent-vmss/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "azurerm" {
  features {}
}

module "azpagent" {
  source = "../../../modules/azure/azure-pipelines-agent-vmss"

  environment    = "dev"
  location_short = "we"
  unique_suffix  = "1234"
  name           = "azpagent"
  # Community-gallery image reference; the agent VMSS boots from this image.
  source_image_id = "/communityGalleries/xenit-d09d1810-7622-4864-9236-1a32035d35f0/images/azdo-agent/versions/1.0.0"
  vmss_sku        = "Standard_B2s"
  vmss_subnet_id  = "some_id"
}
--------------------------------------------------------------------------------
/validation/azure/github-runner/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "azurerm" {
  features {}
}

module "github_runner" {
  source = "../../../modules/azure/github-runner"

  environment    = "dev"
  location_short = "we"
  name           = "ghrunner"
  # NOTE(review): the "githu-runner" image segment looks like a typo; harmless
  # here (fixture), but verify against the gallery before copying this value.
  source_image_id = "/communityGalleries/xenit-d09d1810-7622-4864-9236-1a32035d35f0/images/githu-runner/versions/1.0.0"
  vmss_sku        = "Standard_B2s"
  vmss_subnet_config = {
    name                 = "sn-dev-we-hub-servers"
    virtual_network_name = "vnet-dev-we-hub"
    resource_group_name  = "rg-dev-we-hub"
  }
}
--------------------------------------------------------------------------------
/validation/azure/hub/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values; the peered vnet id uses a
# zero subscription GUID).
terraform {}

provider "azurerm" {
  features {}
}

provider "azuread" {}

module "hub" {
  source = "../../../modules/azure/hub"

  environment       = "dev"
  location_short    = "we"
  subscription_name = "sub"
  name              = "hub"
  vnet_config = {
    address_space = ["172.16.0.0/22"]
    subnets = [
      {
        name              = "servers"
        cidr              = "172.16.0.0/25"
        service_endpoints = []
      },
    ]
  }
  peering_config = [
    {
      name                      = "core-dev"
      remote_virtual_network_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev-we-core/providers/Microsoft.Network/virtualNetworks/vnet-dev-we-core"
      # Forwarded traffic is allowed across the peering; gateways are not shared.
      allow_forwarded_traffic      = true
      use_remote_gateways          = false
      allow_virtual_network_access = true
    },
  ]
}
--------------------------------------------------------------------------------
/validation/azure/names/main.tf:
--------------------------------------------------------------------------------
# Validation-only: the names module takes no inputs.
terraform {}

module "names" {
  source = "../../../modules/azure/names"
}
--------------------------------------------------------------------------------
/validation/azure/xkf-governance-global-data/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "azuread" {}

module "xks_global" {
  source = "../../../modules/azure/xkf-governance-global-data"

  environment       = "dev"
  subscription_name = "xks"

  namespaces = [
    {
      name = "team1"
      labels = {
        "test" = "test"
      }
      flux = {
        enabled = true
        repo    = "repo"
      }
    }
  ]

  group_name_prefix = "aks"
}
--------------------------------------------------------------------------------
/validation/kubernetes/aad-pod-identity/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values); continues in the next section.
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "aad_pod_identity" {
  source = "../../../modules/kubernetes/aad-pod-identity"

  cluster_id = "foobar"
  aad_pod_identity = {
    "test" = {
      id        = "id"
      client_id = "id"
    }
  }

  namespaces = [
    {
      name = "team1"
    }
  ]

  tenant_name = "foo"
  environment = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"

  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/argocd/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "argocd" {
  source = "../../../modules/kubernetes/argocd"

  aks_cluster_id = "/subscriptions/...."
  argocd_config = {
    global_domain = "example.com"
    # Single allow-listed address for the Argo CD ingress in this fixture.
    ingress_whitelist_ip = "10.0.2.0"
    tenant               = "example.onmicrosoft.com"
    oidc_issuer_url      = "https://issuer-url"
  }
  cluster_id               = "cluster-id"
  resource_group_name      = "rg_name"
  location                 = "location"
  core_resource_group_name = "rg-core"
  key_vault_name           = "my-keyvault"
  fleet_infra_config = {
    git_repo_url        = "https://some-git-repo.git"
    argocd_project_name = "default"
    k8s_api_server_url  = "https://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/azure-metrics/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

module "azure_metrics" {
  source = "../../../modules/kubernetes/azure-metrics"

  aks_managed_identity = "id"
  aks_name             = "aks"
  # Passed as a number here; the azure-service-operator fixture passes "1" as a
  # string — the module presumably accepts both, but keep fixtures consistent.
  aks_name_suffix     = 1
  environment         = "dev"
  cluster_id          = "foo"
  location            = "location"
  location_short      = "we"
  oidc_issuer_url     = "url"
  resource_group_name = "rg-name"
  subscription_id     = "0987"
  tenant_name         = "foo"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"

  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/azure-policy/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "azurerm" {
  features {}
}

module "azure_policy" {
  source = "../../../modules/kubernetes/azure-policy"

  aks_name        = "aks"
  aks_name_suffix = 1
  # Empty exclusions: policy applies to every namespace in this fixture.
  azure_policy_config = {
    exclude_namespaces = []
    mutations          = []
  }
  environment       = "dev"
  location_short    = "we"
  tenant_namespaces = []
}
--------------------------------------------------------------------------------
/validation/kubernetes/azure-service-operator/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "azurerm" {
  features {}
}

module "azure_service_operator" {
  source = "../../../modules/kubernetes/azure-service-operator"

  aks_name        = "aks"
  aks_name_suffix = "1"
  azure_service_operator_config = {
    cluster_config = {
      # Restricts which ASO CRD groups are installed; widening this widens what
      # tenants can provision in Azure from inside the cluster.
      crd_pattern = "keyvault.azure.com/*;resources.azure.com/*"
    }
    tenant_namespaces = [
      { name = "mimforum" }
    ]
  }
  cluster_id      = "id"
  environment     = "env"
  location        = "location"
  location_short  = "we"
  oidc_issuer_url = "url"
  subscription_id = "id"
  tenant_id       = "id"
  tenant_name     = "foo"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"

  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/cert-manager/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "cert_manager" {
  source = "../../../modules/kubernetes/cert-manager"

  aad_groups = [
    {
      namespace = "foo"
      id        = "id"
      name      = "name"
    }
  ]
  cluster_id = "foobar"
  dns_zones = {
    "a.com" = "id"
  }
  global_resource_group_name = "global"
  location                   = "location"
  namespaces = [
    {
      name = "namespace-1"
      labels = {
        "terraform" = "true"
      }
    }
  ]
  notification_email  = "example@example.com"
  oidc_issuer_url     = "url"
  resource_group_name = "rg-name"
  subscription_id     = "id"
  gateway_api_enabled = true
  gateway_api_config  = {}
  tenant_name         = "foo"
  environment         = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"

  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/control-plane-logs/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "control-plane-logs" {
  source = "../../../modules/kubernetes/control-plane-logs"

  aks_name            = "aks"
  cluster_id          = "foo"
  environment         = "dev"
  location_short      = "we"
  oidc_issuer_url     = "url"
  resource_group_name = "rg-name"
  tenant_name         = "foo"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"

  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/datadog/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

module "datadog" {
  source = "../../../modules/kubernetes/datadog"

  apm_ignore_resources = ["foo"]
  cluster_id           = "foo"
  environment          = "dev"
  key_vault_id         = "id"
  location             = "location"
  location_short       = "we"
  namespace_include    = ["ns1", "ns2"]
  oidc_issuer_url      = "url"
  resource_group_name  = "rg-name"
  tenant_name          = "foo"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"

  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/eck-operator/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "eck-operator" {
  source                 = "../../../modules/kubernetes/eck-operator"
  cluster_id             = "yabadabadoo"
  eck_managed_namespaces = []
  tenant_name            = "foo"
  environment            = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"

  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/envoy-gateway/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values; sizes are deliberately odd).
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "envoy-gateway" {
  source = "../../../modules/kubernetes/envoy-gateway"

  cluster_id = "foo"
  envoy_gateway_config = {
    cluster_name           = "awesome_cluster"
    logging_level          = "debug"
    replicas_count         = 42
    resources_memory_limit = "30g"
    # NOTE(review): "mi" is not a Kubernetes CPU quantity suffix (millicores are
    # "m"); fine for a fixture, do not copy this value into a real config.
    resources_cpu_requests    = "5000mi"
    resources_memory_requests = "50g"
    envoy_tls_policy_enabled  = true
  }
  azure_policy_enabled = true
  tenant_name          = "foo"
  environment          = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/external-dns/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

module "external_dns" {
  source = "../../../modules/kubernetes/external-dns"

  aad_groups = [
    {
      namespace = "foo"
      id        = "id"
      name      = "name"
    }
  ]
  cluster_id   = "foo"
  dns_provider = "azure"
  dns_zones = {
    "a.com" = "id"
  }
  environment                = "dev"
  global_resource_group_name = "global"
  location                   = "location"
  location_short             = "we"
  namespaces = [
    {
      name = "namespace-1"
      labels = {
        "terraform" = "true"
      }
    }
  ]
  oidc_issuer_url     = "url"
  resource_group_name = "rg-name"
  subscription_id     = "id"
  # Owner id for the TXT registry; presumably unique per cluster so two
  # clusters sharing a zone do not fight over records — confirm in the module.
  txt_owner_id = "dev-aks1"
  sources      = ["ingress", "service"]
  extra_args   = []
  tenant_name  = "foo"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/falco/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "falco" {
  source = "../../../modules/kubernetes/falco"

  cluster_id  = "foo"
  tenant_name = "foo"
  environment = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/fluxcd/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

module "fluxcd" {
  source = "../../../modules/kubernetes/fluxcd"

  oidc_issuer_url      = "azure.https.issuer"
  resource_group_name  = "rg-ilove-you"
  acr_name_override    = "IDK"
  aks_managed_identity = "someid"
  aks_name             = "foo"
  location             = "westuerope"
  location_short       = "idk"
  environment          = "dev"
  cluster_id           = "foobar"
  git_provider = {
    organization = "acme"
    type         = "azuredevops"
    azure_devops = {
      # Dummy token for validation only; a real PAT must never be committed
      # and should reach the module from a secret store.
      pat = "string"
    }
  }
  bootstrap = {
    repository = "my-repo"
  }
  namespaces = [
    {
      name = "tenant-1"
      fluxcd = {
        provider    = "azuredevops"
        project     = "project-1"
        repository  = "repo-2"
        create_crds = false
      }
    }
  ]
}
--------------------------------------------------------------------------------
/validation/kubernetes/gatekeeper/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

module "gatekeeper" {
  source                         = "../../../modules/kubernetes/gatekeeper"
  azure_service_operator_enabled = false
  cluster_id                     = "foobar"
  # Empty exclusions: constraints apply to every namespace in this fixture.
  exclude_namespaces = []
  tenant_name        = "foo"
  environment        = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/gateway-api/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "gateway_api" {
  source     = "../../../modules/kubernetes/gateway-api"
  cluster_id = "foo"
  gateway_api_config = {
    api_version = "v1.1.0"
    api_channel = "experimental"
  }
  tenant_name = "foo"
  environment = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/grafana-agent/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "grafana_agent" {
  source = "../../../modules/kubernetes/grafana-agent"

  cluster_id   = "foo"
  cluster_name = "aks1"
  # Dummy credentials for validation only; real values belong in a secret store.
  credentials = {
    metrics_username = "foo"
    metrics_password = "bar"
    logs_username    = "foo"
    logs_password    = "bar"
    traces_username  = "foo"
    traces_password  = "bar"
  }
  environment       = "dev"
  namespace_include = ["foobar"]
  remote_write_urls = {
    metrics = "foo"
    logs    = "bar"
    traces  = "baz"
  }
  tenant_name = "foo"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/grafana-alloy/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values); continues in the next section.
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "grafana_alloy" {
  source = "../../../modules/kubernetes/grafana-alloy"

  cluster_id          = "foo"
  oidc_issuer_url     = "url"
  resource_group_name = "rg-name"
  environment         = "dev"
  aks_name            = "fooburrito"
  location_short      = "foob"
  grafana_alloy_config = {
    cluster_name         = "awesome_cluster"
    azure_key_vault_name = "foobar"
    keyvault_secret_name = "barfoo"
    grafana_otelcol_auth_basic_username = "some-integers"
    grafana_otelcol_exporter_endpoint   = "some-url"
  }
  tenant_name = "foo"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/grafana-k8s-monitoring/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "grafana-k8s-monitoring" {
  source              = "../../../modules/kubernetes/grafana-k8s-monitoring"
  cluster_id          = "yabadabadoo"
  cluster_name        = "foobar123"
  key_vault_id        = "secretstuff"
  resource_group_name = "foo"
  location            = "narnia"
  oidc_issuer_url     = "gimme safe auth"
  grafana_k8s_monitor_config = {
    grafana_cloud_prometheus_host = "barfoo"
    grafana_cloud_loki_host       = "foobar"
    grafana_cloud_tempo_host      = "bar123"
    azure_key_vault_name          = "boobooyaba"
    # Note the asymmetric types: include is a comma-separated string, exclude a
    # list — presumably mirrors the module's variable types; confirm.
    include_namespaces = "one,two,three"
    exclude_namespaces = ["threetwoone"]
  }
  tenant_name = "foo"
  environment = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
  subscription_id = "subscription-id"
}
--------------------------------------------------------------------------------
/validation/kubernetes/helm-crd-oci/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values): chart pulled from an OCI
# registry by reference; version is whatever the caller passes.
terraform {}

module "helm_crd" {
  source = "../../../modules/kubernetes/helm-crd-oci"

  chart         = "oci://ghcr.io/example/helm-charts/example"
  chart_name    = "bar"
  chart_version = "baz"
}
--------------------------------------------------------------------------------
/validation/kubernetes/helm-crd/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values): classic (non-OCI) chart repo.
terraform {}

module "helm_crd" {
  source = "../../../modules/kubernetes/helm-crd"

  chart_repository = "foo"
  chart_name       = "bar"
  chart_version    = "baz"
}
--------------------------------------------------------------------------------
/validation/kubernetes/ingress-nginx/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values).
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "ingress_nginx" {
  source = "../../../modules/kubernetes/ingress-nginx"

  aad_groups = [
    {
      namespace = "foo"
      id        = "id"
      name      = "name"
    }
  ]
  cluster_id = "bar"
  namespaces = [
    {
      name = "namespace-1"
      labels = {
        "terraform" = "true"
      }
    }
  ]
  replicas                       = 3
  min_replicas                   = 2
  nginx_healthz_ingress_hostname = "yabadabadee.com"
  # Placeholder; the module presumably expects a CIDR allow-list string here
  # for the healthz ingress — confirm format in the module's variables.tf.
  nginx_healthz_ingress_whitelist_ips = "a string"
  tenant_name                         = "foo"
  environment                         = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/karpenter/main.tf:
--------------------------------------------------------------------------------
# Validation-only input set (placeholder values); continues in the next section.
terraform {}

provider "azurerm" {
  features {}
}

provider "kubernetes" {}

provider "helm" {}

module "karpenter" {
  source = "../../../modules/kubernetes/karpenter"

  aks_config = {
    cluster_id       = "id1"
    cluster_name     = "aks-dust-we-aks1"
    cluster_endpoint = "https://foo.com:443"
    # Dummy node bootstrap token for validation only; real tokens are secrets.
    bootstrap_token = "123.456"
default_node_pool_size = 2 20 | node_identities = "some-identity" 21 | node_resource_group = "some-group_id" 22 | oidc_issuer_url = "https://some-url" 23 | ssh_public_key = "some-key" 24 | vnet_subnet_id = "subnet1" 25 | } 26 | 27 | karpenter_config = {} 28 | location = "westeurope" 29 | resource_group_name = "rg-dust-we-aks1" 30 | subscription_id = "id1" 31 | } -------------------------------------------------------------------------------- /validation/kubernetes/linkerd/main.tf: -------------------------------------------------------------------------------- 1 | terraform {} 2 | 3 | provider "kubernetes" {} 4 | 5 | provider "helm" {} 6 | 7 | module "linkerd" { 8 | source = "../../../modules/kubernetes/linkerd" 9 | 10 | providers = { 11 | kubernetes = kubernetes 12 | helm = helm 13 | } 14 | tenant_name = "foo" 15 | environment = "dev" 16 | cluster_id = "aks-unique-name" 17 | fleet_infra_config = { 18 | argocd_project_name = "foo-fleet-infra" 19 | git_repo_url = "http://some-git-repo.git" 20 | k8s_api_server_url = "http://kubernetes.default.svc" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /validation/kubernetes/litmus/main.tf: -------------------------------------------------------------------------------- 1 | terraform {} 2 | 3 | provider "kubernetes" {} 4 | 5 | module "litmus" { 6 | source = "../../../modules/kubernetes/litmus" 7 | 8 | azure_key_vault_name = "my-key-vault" 9 | cluster_id = "aks1" 10 | key_vault_resource_group_name = "my-resource-group" 11 | tenant_name = "foo" 12 | environment = "dev" 13 | fleet_infra_config = { 14 | argocd_project_name = "foo-fleet-infra" 15 | git_repo_url = "http://some-git-repo.git" 16 | k8s_api_server_url = "http://kubernetes.default.svc" 17 | } 18 | } -------------------------------------------------------------------------------- /validation/kubernetes/nginx-gateway-fabric/main.tf: -------------------------------------------------------------------------------- 1 | 
terraform {}

# Validation fixture for modules/kubernetes/nginx-gateway-fabric.
module "nginx_gateway_fabric" {
  source     = "../../../modules/kubernetes/nginx-gateway-fabric"
  cluster_id = "bar"
  # Both empty: exercises the module's defaults for the Gateway API objects
  # and the NGINX data plane without overriding anything.
  gateway_config = {}
  nginx_config   = {}
  tenant_name    = "foo"
  environment    = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/node-ttl/main.tf:
--------------------------------------------------------------------------------
# Validation fixture for modules/kubernetes/node-ttl.
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "node_ttl" {
  source     = "../../../modules/kubernetes/node-ttl"
  cluster_id = "foobar"
  # Places the controller's status ConfigMap in kube-system in this fixture.
  status_config_map_namespace = "kube-system"
  tenant_name                 = "foo"
  environment                 = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/popeye/main.tf:
--------------------------------------------------------------------------------
# Validation fixture for modules/kubernetes/popeye.
terraform {}

provider "azurerm" {
  features {}
}

provider "helm" {}

module "popeye" {
  source = "../../../modules/kubernetes/popeye"

  popeye_config = {
    # Report destination, addressed by name only — no account key appears in
    # this fixture. NOTE(review): presumably the module authenticates via the
    # managed identity / OIDC issuer passed below; confirm in the module.
    storage_account = {
      resource_group_name = "my-resource-group-name"
      account_name        = "my-storage-account-name"
    }
    # Two scan schedules in cron syntax: minute 15 and minute 20 of every
    # hour, Mondays only (day-of-week 1).
    cron_jobs = [
      {
        namespace = "namespace-1"
        schedule  = "15 * * * 1"
      },
      {
        namespace = "namespace-2"
        schedule  = "20 * * * 1"
      }
    ]
  }

  aks_managed_identity_id = "some-UUID"
  cluster_id              = "my-cluster-id"
  location                = "westeurope"
  oidc_issuer_url         = "https://some-url"
  resource_group_name     = "aks-resource-group-name"
  tenant_name             = "foo"
  environment             = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/prometheus/main.tf:
--------------------------------------------------------------------------------
# Validation fixture for modules/kubernetes/prometheus. No provider blocks
# are declared here, unlike most sibling fixtures.
terraform {}

module "prometheus" {
  source = "../../../modules/kubernetes/prometheus"

  aks_name       = "aks"
  cluster_id     = "foo"
  cluster_name   = "aks1"
  environment    = "dev"
  location_short = "we"
  # "url" is not a URL; presumably no URL validation on this variable — confirm.
  oidc_issuer_url  = "url"
  region           = "sc"
  # Placeholder remote-write target, at least https-shaped.
  remote_write_url    = "https://my-remote-writer.com"
  resource_group_name = "rg-name"
  tenant_name         = "foo"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/promtail/main.tf:
--------------------------------------------------------------------------------
# Validation fixture for modules/kubernetes/promtail.
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "promtail" {
  source = "../../../modules/kubernetes/promtail"

  aks_name     = "aks"
  cluster_id   = "foo"
  cluster_name = "c1"
  environment  = "dev"
  # Namespaces whose logs are not shipped; exercises the list type.
  excluded_namespaces = ["ns1", "ns2"]
  location_short      = "we"
  # In-cluster Loki push endpoint over plain http (service-name host, no
  # namespace suffix). NOTE(review): fine for a fixture; a real value that
  # leaves the cluster should be https.
  loki_address        = "http://loki-gateway/loki/api/v1/push"
  oidc_issuer_url     = "url"
  region              = "sc"
  resource_group_name = "rg-name"
  tenant_name         = "foo"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/rabbitmq-operator/main.tf:
--------------------------------------------------------------------------------
# Validation fixture for modules/kubernetes/rabbitmq-operator.
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "rabbitmq-operator" {
  source = "../../../modules/kubernetes/rabbitmq-operator"
  # NOTE(review): reads like a production cluster name while environment is
  # "dev" below. Harmless for validation, but a misleading value to copy from.
  cluster_id = "aks-prod-sdc-aks1"
  rabbitmq_config = {
    min_available          = 1
    replica_count          = 2
    spot_instances_enabled = false
    # Empty list; presumably means "no namespace restriction" — confirm
    # against the module before relying on it.
    watch_namespaces = []
  }
  tenant_name = "foo"
  environment = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/reloader/main.tf:
--------------------------------------------------------------------------------
# Validation fixture for modules/kubernetes/reloader: only the common inputs.
terraform {}


module "reloader" {
  source = "../../../modules/kubernetes/reloader"

  cluster_id  = "foobar"
  tenant_name = "foo"
  environment = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/spegel/main.tf:
--------------------------------------------------------------------------------
# Validation fixture for modules/kubernetes/spegel: only the common inputs.
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "spegel" {
  source      = "../../../modules/kubernetes/spegel"
  cluster_id  = "foobar"
  tenant_name = "foo"
  environment = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/telepresence/main.tf:
--------------------------------------------------------------------------------
# Validation fixture for modules/kubernetes/telepresence.
terraform {}

module "telepresence" {
  source = "../../../modules/kubernetes/telepresence"

  cluster_id = "we-dev-aks"
  telepresence_config = {
    allow_conflicting_subnets = []
    # Namespaced client RBAC limited to "ambassador" but bound to no
    # subjects: type-checks the object, grants nothing to anyone.
    client_rbac = {
      create     = true
      namespaced = true
      namespaces = ["ambassador"]
      subjects   = []
    }
    # Namespaced manager RBAC with an empty namespace list.
    # NOTE(review): check how the module treats namespaced = true with no
    # namespaces — it may create nothing, or may widen to cluster scope.
    manager_rbac = {
      create     = true
      namespaced = true
      namespaces = []
    }
  }
  tenant_name = "foo"
  environment = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/trivy/main.tf:
--------------------------------------------------------------------------------
# Validation fixture for modules/kubernetes/trivy.
terraform {}

module "trivy" {
  source = "../../../modules/kubernetes/trivy"

  # Identity is passed as a bare placeholder string, not a resource ID.
  aks_managed_identity = "id"
  aks_name             = "aks"
  cluster_id           = "foo"
  environment          = "dev"
  # Both the long and short location forms are placeholders here.
  location             = "location"
  location_short       = "we"
  oidc_issuer_url      = "url"
  resource_group_name  = "rg-name"
  unique_suffix        = "1234"
  volume_claim_storage_class_name = "name"
  tenant_name = "foo"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/velero/main.tf:
--------------------------------------------------------------------------------
# Validation fixture for modules/kubernetes/velero.
terraform {}

provider "kubernetes" {}

provider "helm" {}

module "velero" {
  source = "../../../modules/kubernetes/velero"

  aks_managed_identity = "id"
  # Backup target, by name only — no storage key in the fixture.
  azure_config = {
    storage_account_name      = "name"
    storage_account_container = "name"
  }
  cluster_id  = "we-dev-aks1"
  environment = "dev"
  # NOTE(review): short form "we" here, whereas karpenter/popeye pass
  # "westeurope" for location — placeholders, but inconsistent.
  location            = "we"
  oidc_issuer_url     = "url"
  resource_group_name = "rg-name"
  subscription_id     = "id"
  unique_suffix       = "1234"
  tenant_name         = "foo"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------
/validation/kubernetes/vpa/main.tf:
--------------------------------------------------------------------------------
# Validation fixture for modules/kubernetes/vpa: only the common inputs.
terraform {}

module "vpa" {
  source = "../../../modules/kubernetes/vpa"

  cluster_id  = "foobar"
  tenant_name = "foo"
  environment = "dev"
  fleet_infra_config = {
    argocd_project_name = "foo-fleet-infra"
    git_repo_url        = "http://some-git-repo.git"
    k8s_api_server_url  = "http://kubernetes.default.svc"
  }
}
--------------------------------------------------------------------------------