├── .gitignore ├── LICENSE ├── README.md ├── aad-cluster-role-admin.tf ├── aks.tf ├── output.tf ├── providers.tf ├── scripts └── create-app.azcli ├── variables.tf ├── vars └── basic.tfvars └── vnet.tf /.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform/* 3 | 4 | # .tfstate files 5 | *.tfstate 6 | *.tfstate.* 7 | 8 | # Crash log files 9 | crash.log 10 | 11 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most 12 | # .tfvars files are managed as part of configuration and so should be included in 13 | # version control. 14 | # 15 | test.tfvars 16 | 17 | # Ignore override files as they are usually used to override resources locally and so 18 | # are not checked in 19 | override.tf 20 | override.tf.json 21 | *_override.tf 22 | *_override.tf.json 23 | 24 | # Include override files you do wish to add to version control using negated pattern 25 | # 26 | # !example_override.tf 27 | 28 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan 29 | # example: *tfplan* -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2019 Sergio Sisternes Pla 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 4 | 5 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 6 | 7 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Enterprise-ready Azure Kubernetes Service Module 2 | 3 | This module creates an Azure Kubernetes Service with default options ready for enterprise deployments, including: 4 | 5 | * Azure CNI 6 | * Calico Network Policy 7 | * Node auto-scaler 8 | * Role-based access control enabled by default 9 | * Optional Azure Active Directory RBAC (+ Azure AD application setup script) 10 | 11 | ## How to use 12 | 13 | This module can make your life easier, but please read how to use it carefully: 14 | 15 | ### Plan your IP Address needs 16 | 17 | This [Microsoft Docs](https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#plan-ip-addressing-for-your-cluster) contains everything you should do in terms of IP planning. 18 | 19 | By default, this module has been planned in the following way: 20 | 21 | * Pods per node: 60 22 | * Max nodes supported by the VNET: 133 23 | * Max pods: 60 * 133 = 7980 24 | * VNET CIDR: 172.16.0.0/18 (16,382 usable hosts) 25 | * Cluster subnet: 172.16.0.0/19 (8190 usable hosts / Nodes / Pods / External Load Balancers) 26 | * Service subnet: 172.16.32.0/19 (8190 usable hosts / Services) 27 | 28 | ### Request Azure Active Directory 29 | 30 | Most companies don't give admin rights over AzureAD to a Service Principal. This module assumes you should request the following to your Cloud Management: 31 | 32 | 1. (Required) Cluster Service Principal: The SP that runs the cluster 33 | 2. (Optional) Azure Active Direcgtory application to enable Azure AD Role-Based Access Control (RBAC) 34 | 35 | ### Use this module 36 | 37 | Please note that the resource group for this AKS should exist. The module won't create it for you. 38 | 39 | #### Deploy a cluster with Kubernetes RBAC 40 | 41 | The following module definition creates an AKS cluster with the following features: 42 | 43 | | Feature | Value | 44 | | ------------------------- | --------------------------------------------- | 45 | | Kubernetes | 1.15.1 | 46 | | Role-based Access Control | Yes (Kubernetes) | 47 | | Network plugin | Azure | 48 | | Network policy | Calico | 49 | | Virtual Machine Size | Standard_DS3_v2 (4 cores, 16 GB RAM) | 50 | | Auto-scaler | Yes (Min 2, Max 16) - Up to 64 cores, 256 RAM | 51 | | VNET Address space | 172.16.0.0/18 | 52 | | VNET NSG | Yes (Ingress) | 53 | | Subnets | 3 subnets | 54 | | Kubernetes Dashboard | No | 55 | 56 | ```tf 57 | module "kubernetes" { 58 | source = "cloudcommons/kubernetes/azure" 59 | version = "0.1.0" 60 | name = "akstest" 61 | location = "westeurope" 62 | resource_group = "terraform-aks-test" 63 | app = "aksapp" 64 | kubernetes_version = "1.15.5" 65 | client_id = "00000000-0000-0000-0000-000000000000" 66 | client_secret = "00000000000000000000000000000000" 67 | linux_ssh_key = "0000000000000000000000000000000000000000=" 68 | } 69 | ``` 70 | 71 | #### Deploy a cluster with Azure AD RBAC 72 | 73 | | Feature | Value | 74 | | ------------------------- | --------------------------------------------- | 75 | | Kubernetes | 1.15.1 | 76 | | Role-based Access Control | Yes (Azure Active Directory) | 77 | | Network plugin | Azure | 78 | | Network policy | Calico | 79 | | Virtual Machine Size | Standard_DS3_v2 (4 cores, 16 GB RAM) | 80 | | Auto-scaler | Yes (Min 2, Max 16) - Up to 64 cores, 256 RAM | 81 | | VNET Address space | 172.16.0.0/18 | 82 | | VNET NSG | Yes (Ingress) | 83 | | Subnets | 3 subnets | 84 | | Kubernetes Dashboard | No | 85 | 86 | ```tf 87 | module "kubernetes" { 88 | source = "cloudcommons/kubernetes/azure" 89 | version = "0.1.0" 90 | name = "akstest" 91 | location = "westeurope" 92 | resource_group = "terraform-aks-test" 93 | app = "aksapp" 94 | kubernetes_version = "1.15.5" 95 | client_id = "00000000-0000-0000-0000-000000000000" 96 | client_secret = "00000000000000000000000000000000" 97 | linux_ssh_key = "0000000000000000000000000000000000000000=" 98 | rbac_enabled = true 99 | rbac_aad = true 100 | rbac_aad_client_app_id = "00000000000000000000000000000000" 101 | rbac_aad_server_app_secret = "00000000000000000000000000000000" 102 | rbac_aad_server_app_id = "00000000000000000000000000000000" 103 | rbac_aad_admin = "admin@contoso.com" 104 | } 105 | ``` 106 | -------------------------------------------------------------------------------- /aad-cluster-role-admin.tf: -------------------------------------------------------------------------------- 1 | resource "kubernetes_cluster_role_binding" "admin" { 2 | count = var.rbac_aad_admin == null ? 0 : 1 3 | metadata { 4 | name = "cluster-default-admin" 5 | } 6 | role_ref { 7 | api_group = "rbac.authorization.k8s.io" 8 | kind = "ClusterRole" 9 | name = "cluster-admin" 10 | } 11 | subject { 12 | kind = "User" 13 | name = var.rbac_aad_admin 14 | api_group = "rbac.authorization.k8s.io" 15 | } 16 | depends_on = [azurerm_kubernetes_cluster.cloudcommons] 17 | } 18 | -------------------------------------------------------------------------------- /aks.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | vnet_enabled = var.vnet_create && var.vnet_service_id == null 3 | node_resource_group = var.node_resource_group == "" ? "${var.name}-aks-${var.node_pool_name}-${var.location}" : var.node_resource_group 4 | cluster_subnet_id = local.vnet_enabled ? module.vnet.subnets.0.id : var.vnet_service_id // Assuming the cluster subnet is first in the Subnet list 5 | dns_service_ip = cidrhost(var.vnet_service_cidr, 2) 6 | oms_enabled = var.oms_log_analytics_workspace_id != null 7 | } 8 | 9 | resource "azurerm_kubernetes_cluster" "cloudcommons" { 10 | name = var.name 11 | location = var.location 12 | resource_group_name = var.resource_group 13 | dns_prefix = var.dns_prefix 14 | kubernetes_version = var.kubernetes_version 15 | node_resource_group = local.node_resource_group 16 | api_server_authorized_ip_ranges = var.api_server_authorized_ip_ranges 17 | enable_pod_security_policy = var.enable_pod_security_policy 18 | 19 | default_node_pool { 20 | name = var.node_pool_name 21 | node_count = var.node_pool_count 22 | enable_node_public_ip = var.node_public_ip_enable 23 | vm_size = var.node_pool_vm_size 24 | max_pods = var.node_pool_max_pods 25 | os_disk_size_gb = var.node_pool_os_disk_size_gb 26 | vnet_subnet_id = local.cluster_subnet_id 27 | enable_auto_scaling = var.auto_scaling_enable 28 | min_count = var.auto_scaling_enable == true ? var.auto_scaling_min_count : null 29 | max_count = var.auto_scaling_enable == true ? var.auto_scaling_max_count : null 30 | } 31 | 32 | linux_profile { 33 | admin_username = var.linux_admin_username 34 | ssh_key { 35 | key_data = var.linux_ssh_key 36 | } 37 | } 38 | 39 | network_profile { 40 | network_plugin = var.network_plugin 41 | network_policy = var.network_policy 42 | dns_service_ip = local.dns_service_ip 43 | docker_bridge_cidr = var.network_docker_bridge_cidr 44 | service_cidr = var.vnet_service_cidr 45 | load_balancer_sku = var.network_load_balancer_sku 46 | } 47 | 48 | role_based_access_control { 49 | enabled = var.rbac_enabled 50 | dynamic "azure_active_directory" { 51 | for_each = var.rbac_aad == true ? [1] : [] 52 | content { 53 | client_app_id = var.rbac_aad_client_app_id 54 | server_app_id = var.rbac_aad_server_app_id 55 | server_app_secret = var.rbac_aad_server_app_secret 56 | tenant_id = var.rbac_aad_tenant_id 57 | } 58 | } 59 | } 60 | 61 | service_principal { 62 | client_id = var.client_id 63 | client_secret = var.client_secret 64 | } 65 | 66 | addon_profile { 67 | http_application_routing { 68 | enabled = var.http_application_routing_enabled 69 | } 70 | kube_dashboard { 71 | enabled = var.kube_dashboard_enabled 72 | } 73 | oms_agent { 74 | enabled = local.oms_enabled 75 | log_analytics_workspace_id = var.oms_log_analytics_workspace_id 76 | } 77 | } 78 | 79 | tags = { 80 | app = var.app 81 | environment = var.environment 82 | creator = var.creator 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /output.tf: -------------------------------------------------------------------------------- 1 | output "id" { 2 | description = "The Kubernetes Managed Cluster ID." 3 | value = azurerm_kubernetes_cluster.cloudcommons.id 4 | } 5 | 6 | output "fqdn" { 7 | description = "The FQDN of the Azure Kubernetes Managed Cluster." 8 | value = azurerm_kubernetes_cluster.cloudcommons.fqdn 9 | } 10 | 11 | output "kube_admin_config" { 12 | description = "A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled." 13 | value = azurerm_kubernetes_cluster.cloudcommons.kube_admin_config 14 | sensitive = true 15 | } 16 | 17 | output "kube_admin_config_raw" { 18 | description = "Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled." 19 | value = azurerm_kubernetes_cluster.cloudcommons.kube_admin_config_raw 20 | sensitive = true 21 | } 22 | 23 | output "kube_config" { 24 | description = "Cluster Kubernetes Configuration object" 25 | value = azurerm_kubernetes_cluster.cloudcommons.kube_config 26 | sensitive = true 27 | } 28 | 29 | output "kube_config_raw" { 30 | description = "Cluster Kubernetes Configuration raw file" 31 | value = azurerm_kubernetes_cluster.cloudcommons.kube_config_raw 32 | sensitive = true 33 | } 34 | 35 | output "node_resource_group" { 36 | description = "The auto-generated Resource Group which contains the resources for this Managed Kubernetes Cluster." 37 | value = azurerm_kubernetes_cluster.cloudcommons.node_resource_group 38 | } 39 | -------------------------------------------------------------------------------- /providers.tf: -------------------------------------------------------------------------------- 1 | provider "azurerm" { 2 | version = "~> 2.0" 3 | features {} 4 | } 5 | 6 | provider "kubernetes" { 7 | version = "~> 1.11.1" 8 | load_config_file = false 9 | host = azurerm_kubernetes_cluster.cloudcommons.kube_config.0.host 10 | client_certificate = base64decode(azurerm_kubernetes_cluster.cloudcommons.kube_config.0.client_certificate) 11 | client_key = base64decode(azurerm_kubernetes_cluster.cloudcommons.kube_config.0.client_key) 12 | cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.cloudcommons.kube_config.0.cluster_ca_certificate) 13 | } 14 | -------------------------------------------------------------------------------- /scripts/create-app.azcli: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # The MIT License (MIT) 4 | # 5 | # Copyright (c) 2019 Microsoft Azure 6 | # 7 | # Permission is hereby granted, free of charge, to any person obtaining a copy 8 | # of this software and associated documentation files (the "Software"), to deal 9 | # in the Software without restriction, including without limitation the rights 10 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | # copies of the Software, and to permit persons to whom the Software is 12 | # furnished to do so, subject to the following conditions: 13 | # 14 | # The above copyright notice and this permission notice shall be included in all 15 | # copies or substantial portions of the Software. 16 | # 17 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 23 | # SOFTWARE. 24 | 25 | 26 | # Is rather difficult to have a Service Principal with tenant rights. 27 | # Instead of automating this step in Terraform, the initial approach is provide this script that can be handed over to a person with the right level of permissions. 28 | # Source https://docs.microsoft.com/es-es/azure/aks/azure-ad-integration-cli 29 | 30 | aksname="CloudCommonsAksTest" 31 | 32 | # Create the Azure AD application 33 | echo Creating Azure AD application 34 | serverApplicationId=$(az ad app create \ 35 | --display-name "${aksname}Server" \ 36 | --identifier-uris "https://${aksname}Server" \ 37 | --query appId -o tsv) 38 | 39 | # Update the application group memebership claims 40 | echo Updating application group membership claims 41 | az ad app update --id $serverApplicationId --set groupMembershipClaims=All 42 | 43 | # Create a service principal for the Azure AD application 44 | echo Creating service principal 45 | az ad sp create --id $serverApplicationId 46 | 47 | # Get the service principal secret 48 | echo Getting service principal secret 49 | serverApplicationSecret=$(az ad sp credential reset \ 50 | --name $serverApplicationId \ 51 | --credential-description "AKSPassword" \ 52 | --query password -o tsv) 53 | 54 | # Add permissions for the Azure AD app to read directory data, sign in and read 55 | # user profile, and read directory data 56 | echo Adding permissions to server application 57 | az ad app permission add \ 58 | --id $serverApplicationId \ 59 | --api 00000003-0000-0000-c000-000000000000 \ 60 | --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope 06da0dbc-49e2-44d2-8312-53f166ab848a=Scope 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role 61 | 62 | # Grant permissions for the permissions assigned in the previous step 63 | # You must be the Azure AD tenant admin for these steps to successfully complete 64 | echo Granting permissions for the server application 65 | sleep 10 66 | az ad app permission grant --id $serverApplicationId --api 00000003-0000-0000-c000-000000000000 67 | echo Adding admin consent to server application 68 | az ad app permission admin-consent --id $serverApplicationId 69 | 70 | # Create the Azure AD client application 71 | echo Creating client app 72 | clientApplicationId=$(az ad app create --display-name "${aksname}Client" --native-app --reply-urls "https://${aksname}Client" --query appId -o tsv) 73 | 74 | # Create a service principal for the client application 75 | echo Creating client service principal 76 | az ad sp create --id $clientApplicationId 77 | 78 | # Get the oAuth2 ID for the server app to allow authentication flow 79 | echo Getting OAuth2 permission id 80 | oAuthPermissionId=$(az ad app show --id $serverApplicationId --query "oauth2Permissions[0].id" -o tsv) 81 | 82 | # Assign permissions for the client and server applications to communicate with each other 83 | echo Assigning permission to client app 84 | az ad app permission add --id $clientApplicationId --api $serverApplicationId --api-permissions $oAuthPermissionId=Scope 85 | az ad app permission grant --id $clientApplicationId --api $serverApplicationId 86 | 87 | # Get the Azure AD tenant ID to integrate with the AKS cluster 88 | echo Getting tenant 89 | tenantId=$(az account show --query tenantId -o tsv) 90 | 91 | echo Completed! 92 | echo Please send this information back to the requester. It contains sensitive information. Protect in transport following your corporate standard rules for this kind of information 93 | echo --------- 94 | echo rbac_enabled=true 95 | echo rbac_aad=true 96 | echo rbac_aad_client_app_id=\"$clientApplicationId\" 97 | echo rbac_aad_server_app_secret=\"$serverApplicationSecret\" 98 | echo rbac_aad_server_app_id=\"$serverApplicationId\" 99 | echo rbac_aad_tenant_id=\"$tenantId\" 100 | echo --------- -------------------------------------------------------------------------------- /variables.tf: -------------------------------------------------------------------------------- 1 | variable name { 2 | type = string 3 | description = "(Required) The name of the Azure Kubernetes Service. Changing this forces a new resource to be created." 4 | } 5 | 6 | variable location { 7 | type = string 8 | description = "(Required) The location where the resource group should be created. For a list of all Azure locations, please consult this link or run az account list-locations --output table." 9 | } 10 | 11 | variable resource_group { 12 | type = string 13 | description = "(Required) The name of the resource group in which to create the virtual network." 14 | } 15 | 16 | variable kubernetes_version { 17 | type = string 18 | description = "(Required) Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). NOTE: Upgrading your cluster may take up to 10 minutes per node." 19 | } 20 | 21 | variable app { 22 | type = string 23 | description = "(Optional) Adds a tag with the application name this resource group belogs to." 24 | default = "" 25 | } 26 | 27 | variable environment { 28 | type = string 29 | description = "(Optional) Environment name. If not specified, this module will use workspace as default value" 30 | default = "default" 31 | } 32 | 33 | variable creator { 34 | type = string 35 | description = "(Optional) Adds a tag indicating the creator of this resource" 36 | default = "cloudcommons" 37 | } 38 | 39 | variable client_id { 40 | type = string 41 | description = "client_id - (Required) The Client ID for the Service Principal." 42 | } 43 | 44 | variable client_secret { 45 | type = string 46 | description = "(Required) The Client Secret for the Service Principal." 47 | } 48 | 49 | variable node_resource_group { 50 | type = string 51 | description = "(Optional) The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created. If empty, this module will generate a friendly name" 52 | default = "" 53 | } 54 | 55 | variable node_public_ip_enable { 56 | type = bool 57 | description = "(Optional) Should nodes in this Node Pool have a Public IP Address? Defaults to false." 58 | default = false 59 | } 60 | 61 | variable dns_prefix { 62 | type = string 63 | description = "(Optional) DNS prefix to append to the cluster. Default: cloudcommons" 64 | default = "cloudcommons" 65 | } 66 | 67 | variable node_pool_name { 68 | type = string 69 | description = "(Optional) Node Pool name. Default: default" 70 | default = "default" 71 | } 72 | 73 | variable node_pool_count { 74 | type = number 75 | description = "(Optional) Number of pool virtual machines to create. Default: 3" 76 | default = 2 77 | } 78 | 79 | variable node_pool_os_disk_size_gb { 80 | type = number 81 | description = "(Optional) The size of the OS Disk which should be used for each agent in the Node Pool. Changing this forces a new resource to be created. Default: 60" 82 | default = 60 83 | } 84 | 85 | variable "node_pool_max_pods" { 86 | type = number 87 | description = "(Optional) The maximum number of pods that can run on each agent. Changing this forces a new resource to be created." 88 | default = 60 89 | } 90 | 91 | variable "node_pool_type" { 92 | type = string 93 | description = "(Optional) The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets." 94 | default = "VirtualMachineScaleSets" 95 | } 96 | 97 | variable "auto_scaling_enable" { 98 | type = bool 99 | description = "(Optional) Should the Kubernetes Auto Scaler be enabled for this Node Pool? Defaults to false." 100 | default = false 101 | } 102 | 103 | variable "auto_scaling_min_count" { 104 | type = number 105 | description = "(Optional) The minimum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 100" 106 | default = 0 107 | } 108 | 109 | variable "auto_scaling_max_count" { 110 | type = number 111 | description = "(Optional) The maximum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 100." 112 | default = 0 113 | } 114 | 115 | variable "kube_dashboard_enabled" { 116 | type = bool 117 | description = "(Optional) Is the Kubernetes Dashboard enabled?" 118 | default = false 119 | } 120 | 121 | variable node_pool_vm_size { 122 | type = string 123 | description = "(Optional) VM Size to create in the default node pool. Default: Standard_DS3_v2" 124 | default = "Standard_DS3_v2" 125 | } 126 | 127 | variable network_plugin { 128 | type = string 129 | description = "(Optional) Network plugin to use for networking. Currently supported values are azure and kubenet. Changing this forces a new resource to be created. Defaults to azure" 130 | default = "azure" 131 | } 132 | 133 | variable network_docker_bridge_cidr { 134 | type = string 135 | description = "(Optional) IP address (in CIDR notation) used as the Docker bridge IP address on nodes. This is required when network_plugin is set to azure. Changing this forces a new resource to be created. Defaults to 172.17.0.1/16" 136 | default = "172.17.0.1/16" 137 | } 138 | 139 | variable network_policy { 140 | type = string 141 | description = "(Optional) Sets up network policy to be used with Azure CNI. Network policy allows us to control the traffic flow between pods. This field can only be set when network_plugin is set to azure. Currently supported values are calico and azure. Changing this forces a new resource to be created. Defaults to calico" 142 | default = "calico" 143 | } 144 | 145 | variable network_load_balancer_sku { 146 | type = string 147 | description = "(Optional) Specifies the SKU of the Load Balancer used for this Kubernetes Cluster. Possible values are basic and standard. Defaults to basic." 148 | default = "basic" 149 | } 150 | 151 | variable rbac_enabled { 152 | type = bool 153 | description = "(Required) Is Role Based Access Control Enabled? Changing this forces a new resource to be created. Defaults to true" 154 | default = true 155 | } 156 | 157 | variable rbac_aad { 158 | type = bool 159 | description = "(Optional) Use Azure Active Directory as RBAC system. If not client_app_id is provided, this module will try creating an Azure Application for you" 160 | default = false 161 | } 162 | 163 | variable rbac_aad_admin { 164 | type = string 165 | description = "(Optional) Default Azure Active Directory user assigned as cluster administrator" 166 | default = null 167 | } 168 | 169 | variable rbac_aad_client_app_id { 170 | type = string 171 | description = "(Optional) The Client ID of an Azure Active Directory Application. Changing this forces a new resource to be created." 172 | default = null 173 | } 174 | 175 | variable rbac_aad_server_app_id { 176 | type = string 177 | description = "(Optional) The Server ID of an Azure Active Directory Application. Changing this forces a new resource to be created." 178 | default = null 179 | } 180 | 181 | variable rbac_aad_server_app_secret { 182 | type = string 183 | description = "(Optional) The Server Secret of an Azure Active Directory Application. Changing this forces a new resource to be created." 184 | default = null 185 | } 186 | 187 | variable rbac_aad_tenant_id { 188 | type = string 189 | description = "(Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used. Changing this forces a new resource to be created." 190 | default = null 191 | } 192 | 193 | variable linux_admin_username { 194 | type = string 195 | description = "(Optional) The Admin Username for the Cluster. Changing this forces a new resource to be created. Defaults to cloudcommons" 196 | default = "cloudcommons" 197 | } 198 | 199 | variable linux_ssh_key { 200 | type = string 201 | description = "(Required) The Public SSH Key used to access the cluster. Changing this forces a new resource to be created." 202 | } 203 | 204 | variable vnet_create { 205 | type = bool 206 | description = "(Optional) Indicates if the module should create a VNET or use an existing one. Defaults to true" 207 | default = true 208 | } 209 | 210 | variable vnet_service_id { 211 | type = string 212 | description = "(Optional) If specified, uses an existing VNET instead of creating a new one" 213 | default = null 214 | } 215 | 216 | variable vnet_address_space { 217 | type = list(string) 218 | description = "(Optional) The address space that is used the virtual network. You can supply more than one address space. Changing this forces a new resource to be created." 219 | default = ["172.16.0.0/18"] 220 | } 221 | 222 | variable vnet_service_cidr { 223 | type = string 224 | description = "(Optional) The service cidr" 225 | default = "172.16.32.0/19" 226 | } 227 | 228 | variable vnet_dns_servers { 229 | type = list(string) 230 | description = "(Optional) List of DNS Servers configured in the VNET" 231 | default = null 232 | } 233 | 234 | variable vnet_ddos_enabled { 235 | type = bool 236 | description = "(Optional) Adds a DDOS protection to the VNET. Defaults to false" 237 | default = false 238 | } 239 | 240 | variable vnet_nsg_enabled { 241 | type = bool 242 | description = "(Optional) Adds NSG to the VNET." 243 | default = true 244 | } 245 | 246 | variable vnet_subnets { 247 | type = list(object({ 248 | name = string, 249 | address_prefix = string, 250 | security_group = bool 251 | })) 252 | description = "(Optional) Creates the given subnets in the VNET. IMPORTANT: Services subnet should be the second Subnet in this list, as the network_profile is assuming this." 253 | default = [ 254 | { 255 | name = "Cluster" 256 | address_prefix = "172.16.0.0/19" 257 | security_group = false 258 | } 259 | ] 260 | } 261 | 262 | variable oms_log_analytics_workspace_id { 263 | type = string 264 | description = "(Optional) The Log Analytics Workspace id where the OMS should store logs." 265 | default = null 266 | } 267 | 268 | variable api_server_authorized_ip_ranges { 269 | type = list(string) 270 | description = "(Optional) The IP ranges to whitelist for incoming traffic to the masters." 271 | default = [] 272 | } 273 | 274 | variable http_application_routing_enabled { 275 | type = bool 276 | description = "(Optional) Enables http application routing" 277 | default = false 278 | } 279 | 280 | # Feature is in preview so deafautl is disabled. 281 | variable enable_pod_security_policy { 282 | type = bool 283 | description = "(Optional) Enables http application routing" 284 | default = false 285 | } 286 | -------------------------------------------------------------------------------- /vars/basic.tfvars: -------------------------------------------------------------------------------- 1 | name = "akstest" 2 | location = "westeurope" 3 | resource_group = "cloudcommons-aks-cd-test" 4 | app = "aksapp" 5 | kubernetes_version = "1.15.5" 6 | client_id = "" 7 | client_secret = "" 8 | linux_ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDKH/Ri7zAJR5sZuxCH7Dser/z667UuAKmzlDrLsWTTybDZ9+Ob7Mzyj9/c03qM/6H5V4k4LaVAy2lw+giFwNDC7zKwpNbSB1Hw7g0gEW23jjRWmB1hUeoN4ciXIKLlj2QrfldBLZzFd2PULIXd4eByf41IjMqgHDT4dwnPVxoJVj/xA5aNxgcwnNaLHuawiqDL/e3oVLomw/BupYkwuRSUR7I0hN+1GjekxiuANWmdAeRudByN4bfjc/Kybd/fX/MsIuJQ8hxxnL8V/yK2HWuBBf1WmnGxIFTS83OXVZgods3wLu2zTVwCanzU666f4lkHcw7MF5Sj1UwGDly8m7aytLQt+Lx5IR2WD5vcUOxtzCsTh1Cx78wZsSWycoJJaf+PsRzoB+fY1Kz5FelI5W8wXb0RwrZPS2ByLiGGSVEmIvp9p35mPdFgzx28C5N5vHcp6DrZpfXPbPqQU5zAk6mP/YJoc7BZVU0vrIx4eeXTjOhvMP+ZjMXtLibTzYP6BHsSDqBDi1XTv9CbGH4B9IVegL9X4wgy7Dcxpxay/PkFEkao9VaH9Zd6rFXNTYgpnfyZ1Fsf9o603Bmi/tVRiUcDtMhdq9P/WlRx5FDLylfgFNb2plSGOCjPs/RJjy7hakll82ligj/f91Xw6pj+gooOPY3uDtS2TlqFYRsldLtoaw== sergio@MacBook-Pro.home" 9 | rbac_enabled = true 10 | rbac_aad = false 11 | -------------------------------------------------------------------------------- /vnet.tf: -------------------------------------------------------------------------------- 1 | module "vnet" { 2 | source = "cloudcommons/vnet/azure" 3 | version = "0.2.0" 4 | name = var.name 5 | enabled = local.vnet_enabled 6 | location = var.location 7 | resource_group = var.resource_group 8 | address_space = var.vnet_address_space 9 | dns_servers = var.vnet_dns_servers 10 | nsg_enabled = var.vnet_nsg_enabled 11 | ddos_enabled = var.vnet_ddos_enabled 12 | subnets = var.vnet_subnets 13 | } --------------------------------------------------------------------------------