diff --git a/quickstart/301-aks-enterprise/aks.tf b/quickstart/301-aks-enterprise/aks.tf
index 468f49aec..dbdd5a075 100644
--- a/quickstart/301-aks-enterprise/aks.tf
+++ b/quickstart/301-aks-enterprise/aks.tf
@@ -1,36 +1,36 @@
+data "azurerm_client_config" "current" {}
+
 resource "azurerm_kubernetes_cluster" "default" {
 name = "${var.name}-aks"
- location = "${azurerm_resource_group.default.location}"
- resource_group_name = "${azurerm_resource_group.default.name}"
+ location = azurerm_resource_group.default.location
+ resource_group_name = azurerm_resource_group.default.name
 dns_prefix = "${var.dns_prefix}-${var.name}-aks-${var.environment}"
 depends_on = ["azurerm_role_assignment.default"]
- agent_pool_profile {
+ default_node_pool {
 name = "default"
- count = "${var.node_count}"
- vm_size = "${var.node_type}"
- os_type = "${var.node_os}"
+ node_count = var.node_count
+ vm_size = var.node_type
 os_disk_size_gb = 30
- vnet_subnet_id = "${azurerm_subnet.aks.id}"
+ vnet_subnet_id = azurerm_subnet.aks.id
 }
 service_principal {
- client_id = "${azuread_application.default.application_id}"
- client_secret = "${azuread_service_principal_password.default.value}"
+ client_id = azuread_application.default.application_id
+ client_secret = azuread_service_principal_password.default.value
 }
- role_based_access_control {
- enabled = true
+ azure_active_directory_role_based_access_control {
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ managed = true
+ azure_rbac_enabled = true
 }
 network_profile {
 network_plugin = "azure"
 }
- addon_profile {
- oms_agent {
- enabled = true
- log_analytics_workspace_id = "${azurerm_log_analytics_workspace.default.id}"
- }
+ oms_agent {
+ log_analytics_workspace_id = azurerm_log_analytics_workspace.default.id
 }
 }
diff --git a/quickstart/301-aks-enterprise/azuread.tf b/quickstart/301-aks-enterprise/azuread.tf
index 34f9bb331..eb7d03fdf 100644
--- a/quickstart/301-aks-enterprise/azuread.tf
+++ b/quickstart/301-aks-enterprise/azuread.tf
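Review bot: The new `azure_active_directory_role_based_access_control` block enables managed AAD with Azure RBAC, but `local_account_disabled` is left unset, so the cluster-local admin credential exposed through `kube_admin_config` keeps working and bypasses AAD entirely — and the `kubernetes`/`helm` providers in this same change still authenticate with a client certificate from `kube_config` rather than with AAD. Decide which model is intended: either add `local_account_disabled = true` and move the providers to AAD tokens, or put a comment on the block stating that local accounts are deliberately kept as Terraform's break-glass path. The cluster also still authenticates to Azure through the `service_principal` block with a long-lived secret that lands in state; `identity { type = "SystemAssigned" }` removes that secret altogether. Separately, `depends_on = ["azurerm_role_assignment.default"]` keeps the pre-0.12 quoted form, which newer Terraform releases reject inside `depends_on`; it should read `depends_on = [azurerm_role_assignment.default]`.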
@@ -1,9 +1,9 @@
 resource "azuread_application" "default" {
- name = "${var.name}-${var.environment}"
+ display_name = "${var.name}-${var.environment}"
 }
 resource "azuread_service_principal" "default" {
- application_id = "${azuread_application.default.application_id}"
+ application_id = azuread_application.default.application_id
 }
 resource "random_string" "password" {
@@ -12,13 +12,12 @@ resource "random_string" "password" {
 }
 resource "azuread_service_principal_password" "default" {
- service_principal_id = "${azuread_service_principal.default.id}"
- value = "${random_string.password.result}"
+ service_principal_id = azuread_service_principal.default.id
 end_date = "2099-01-01T01:00:00Z"
 }
 resource "azurerm_role_assignment" "default" {
 scope = "${data.azurerm_subscription.current.id}/resourceGroups/${azurerm_resource_group.default.name}"
 role_definition_name = "Network Contributor"
- principal_id = "${azuread_service_principal.default.id}"
+ principal_id = azuread_service_principal.default.id
 }
diff --git a/quickstart/301-aks-enterprise/helm.tf b/quickstart/301-aks-enterprise/helm.tf
index e06fde8f8..9db9abc3e 100644
--- a/quickstart/301-aks-enterprise/helm.tf
+++ b/quickstart/301-aks-enterprise/helm.tf
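Review bot: Dropping `value` lets the provider generate the secret, but `end_date = "2099-01-01T01:00:00Z"` still leaves a client secret valid for roughly 75 years with no rotation, and that secret is read back into state and into the AKS `service_principal` block. Prefer a bounded lifetime with a rotation trigger — e.g. `end_date_relative = "8760h"` plus a `rotate_when_changed` map, if the azuread provider version in use supports them (the `display_name` rename suggests v2) — or drop the secret altogether by moving the cluster to a managed identity. With `value` gone, `resource "random_string" "password"` no longer feeds anything and should be deleted in the same change rather than left as an orphan that still writes a pseudo-secret into state.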
@@ -1,14 +1,12 @@
 # Define the helm provider to use the AKS cluster
 provider "helm" {
 kubernetes {
- host = "${azurerm_kubernetes_cluster.default.kube_config.0.host}"
+ host = azurerm_kubernetes_cluster.default.kube_config.0.host
- client_certificate = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)}"
- client_key = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_key)}"
- cluster_ca_certificate = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)}"
+ client_certificate = base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)
+ client_key = base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_key)
+ cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)
 }
-
- service_account = "tiller"
 }
 # Install a load-balanced nginx-ingress controller onto the cluster
@@ -27,13 +25,9 @@ controller:
 service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "${azurerm_subnet.ingress.name}"
 EOF
 ]
-
- depends_on = ["kubernetes_cluster_role_binding.tiller"]
 }
 resource "helm_release" "ghost" {
- name = "ghost-blog"
- chart = "bitnami/ghost"
-
- depends_on = ["kubernetes_cluster_role_binding.tiller"]
+ name = "ghost-blog"
+ chart = "bitnami/ghost"
 }
diff --git a/quickstart/301-aks-enterprise/kubernetes.tf b/quickstart/301-aks-enterprise/kubernetes.tf
index 14e139251..4dc757986 100644
--- a/quickstart/301-aks-enterprise/kubernetes.tf
+++ b/quickstart/301-aks-enterprise/kubernetes.tf
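Review bot: `helm_release.ghost` still installs `chart = "bitnami/ghost"` without a `version`, so each apply floats to whatever the repository currently publishes; pin it (`version = "<tested chart version>"`) and, now that this is the Helm 3 provider with Tiller gone, prefer the explicit `repository = "https://charts.bitnami.com/bitnami"` with `chart = "ghost"` over relying on a repo alias added on the operator's machine. The provider block's `kube_config.0.client_certificate` is the cluster's local user credential; with the managed AAD integration this change enables on the cluster, that credential is expected to become an AAD exec configuration rather than a certificate, so `base64decode` may receive an empty string and the provider would fail to authenticate — `kube_admin_config` (while local accounts remain enabled) or an AAD token is the working alternative. The nginx-ingress resource whose `values` heredoc the second hunk touches starts outside the hunk.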
@@ -1,37 +1,14 @@
 # Define Kubernetes provider to use the AKS cluster
 provider "kubernetes" {
- host = "${azurerm_kubernetes_cluster.default.kube_config.0.host}"
+ host = azurerm_kubernetes_cluster.default.kube_config.0.host
- client_certificate = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)}"
- client_key = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_key)}"
- cluster_ca_certificate = "${base64decode(azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)}"
+ client_certificate = base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)
+ client_key = base64decode(azurerm_kubernetes_cluster.default.kube_config.0.client_key)
+ cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)
 }
-# Create a service account for the Helm Tiller
-resource "kubernetes_service_account" "tiller" {
- metadata {
- name = "tiller"
- namespace = "kube-system"
- }
-}
-
-# Grant cluster-admin rights to the Tiller Service Account
-resource "kubernetes_cluster_role_binding" "tiller" {
- metadata {
- name = "${kubernetes_service_account.tiller.metadata.0.name}"
- }
- role_ref {
- api_group = "rbac.authorization.k8s.io"
- kind = "ClusterRole"
- name = "cluster-admin"
- }
- subject {
- kind = "ServiceAccount"
- name = "${kubernetes_service_account.tiller.metadata.0.name}"
- namespace = "kube-system"
- }
+provider "azurerm" {
+ features {}
 }
 # Grant cluster-admin rights to the default service account
diff --git a/quickstart/301-aks-enterprise/monitoring.tf b/quickstart/301-aks-enterprise/monitoring.tf
index 169133fd5..732a90a11 100644
--- a/quickstart/301-aks-enterprise/monitoring.tf
+++ b/quickstart/301-aks-enterprise/monitoring.tf
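Review bot: Removing Tiller's cluster-admin binding is the right call, but the trailing context comment `# Grant cluster-admin rights to the default service account` indicates a parallel binding for the `default` service account survives just below the hunk; with Tiller gone nothing in this module appears to need it, and handing cluster-admin to every pod that mounts the default token undercuts the AAD/Azure RBAC this change turns on. Remove that binding in the same change, or document on it which workload still depends on it. Placing `provider "azurerm" { features {} }` in kubernetes.tf is surprising for a reader; a `providers.tf`/`versions.tf` with `required_providers` constraints for azurerm, azuread, helm, kubernetes and random would also pin the provider versions this syntax migration now depends on. The `kubernetes` provider carries the same credential concern as the helm provider: after managed AAD is enabled it is not clear that `kube_config.0.client_certificate` is still populated.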
@@ -1,24 +1,24 @@
 resource "azurerm_application_insights" "default" {
 name = "${var.name}-${var.environment}-ai"
- location = "${azurerm_resource_group.default.location}"
- resource_group_name = "${azurerm_resource_group.default.name}"
- application_type = "Web"
+ location = azurerm_resource_group.default.location
+ resource_group_name = azurerm_resource_group.default.name
+ application_type = "web"
 }
 resource "azurerm_log_analytics_workspace" "default" {
 name = "${var.name}-${var.environment}-law"
- location = "${azurerm_resource_group.default.location}"
- resource_group_name = "${azurerm_resource_group.default.name}"
+ location = azurerm_resource_group.default.location
+ resource_group_name = azurerm_resource_group.default.name
 sku = "PerGB2018"
 retention_in_days = 30
 }
 resource "azurerm_log_analytics_solution" "default" {
 solution_name = "ContainerInsights"
- location = "${azurerm_log_analytics_workspace.default.location}"
- resource_group_name = "${azurerm_resource_group.default.name}"
- workspace_resource_id = "${azurerm_log_analytics_workspace.default.id}"
- workspace_name = "${azurerm_log_analytics_workspace.default.name}"
+ location = azurerm_log_analytics_workspace.default.location
+ resource_group_name = azurerm_resource_group.default.name
+ workspace_resource_id = azurerm_log_analytics_workspace.default.id
+ workspace_name = azurerm_log_analytics_workspace.default.name
 plan {
 publisher = "Microsoft"
diff --git a/quickstart/301-aks-enterprise/networking.tf b/quickstart/301-aks-enterprise/networking.tf
index 6c18097a4..3541ae287 100644
--- a/quickstart/301-aks-enterprise/networking.tf
+++ b/quickstart/301-aks-enterprise/networking.tf
@@ -1,73 +1,78 @@
 # Virtual Network to deploy resources into
 resource "azurerm_virtual_network" "default" {
 name = "${var.name}-vnet"
- location = "${azurerm_resource_group.default.location}"
- resource_group_name = "${azurerm_resource_group.default.name}"
+ location = azurerm_resource_group.default.location
+ resource_group_name = azurerm_resource_group.default.name
 address_space = ["${var.vnet_address_space}"]
 }
 # Subnets
 resource "azurerm_subnet" "aks" {
 name = "${var.name}-aks-subnet"
- resource_group_name = "${azurerm_resource_group.default.name}"
- address_prefix = "${var.vnet_aks_subnet_space}"
- virtual_network_name = "${azurerm_virtual_network.default.name}"
+ resource_group_name = azurerm_resource_group.default.name
+ address_prefixes = [var.vnet_aks_subnet_space]
+ virtual_network_name = azurerm_virtual_network.default.name
 }
 resource "azurerm_subnet" "ingress" {
 name = "${var.name}-ingress-subnet"
- resource_group_name = "${azurerm_resource_group.default.name}"
- virtual_network_name = "${azurerm_virtual_network.default.name}"
- address_prefix = "${var.vnet_ingress_subnet_space}"
+ resource_group_name = azurerm_resource_group.default.name
+ virtual_network_name = azurerm_virtual_network.default.name
+ address_prefixes = [var.vnet_ingress_subnet_space]
 }
 resource "azurerm_subnet" "gateway" {
 name = "${var.name}-gateway-subnet"
- resource_group_name = "${azurerm_resource_group.default.name}"
- virtual_network_name = "${azurerm_virtual_network.default.name}"
- address_prefix = "${var.vnet_gateway_subnet_space}"
+ resource_group_name = azurerm_resource_group.default.name
+ virtual_network_name = azurerm_virtual_network.default.name
+ address_prefixes = [var.vnet_gateway_subnet_space]
 }
 # Network security groups
-resource azurerm_network_security_group "aks" {
+resource "azurerm_network_security_group" "aks" {
 name = "${var.name}-aks-nsg"
- location = "${azurerm_resource_group.default.location}"
- resource_group_name = "${azurerm_resource_group.default.name}"
+ location = azurerm_resource_group.default.location
+ resource_group_name = azurerm_resource_group.default.name
 }
-resource azurerm_network_security_group "ingress" {
+resource "azurerm_network_security_group" "ingress" {
 name = "${var.name}-ingress-nsg"
- location = "${azurerm_resource_group.default.location}"
- resource_group_name = "${azurerm_resource_group.default.name}"
+ location = azurerm_resource_group.default.location
+ resource_group_name = azurerm_resource_group.default.name
 }
-resource azurerm_network_security_group "gateway" {
+resource "azurerm_network_security_group" "gateway" {
 name = "${var.name}-gateway-nsg"
- location = "${azurerm_resource_group.default.location}"
- resource_group_name = "${azurerm_resource_group.default.name}"
+ location = azurerm_resource_group.default.location
+ resource_group_name = azurerm_resource_group.default.name
 }
 # Network security group associations
 resource "azurerm_subnet_network_security_group_association" "aks" {
- subnet_id = "${azurerm_subnet.aks.id}"
- network_security_group_id = "${azurerm_network_security_group.aks.id}"
+ subnet_id = azurerm_subnet.aks.id
+ network_security_group_id = azurerm_network_security_group.aks.id
 }
 resource "azurerm_subnet_network_security_group_association" "ingress" {
- subnet_id = "${azurerm_subnet.ingress.id}"
- network_security_group_id = "${azurerm_network_security_group.ingress.id}"
+ subnet_id = azurerm_subnet.ingress.id
+ network_security_group_id = azurerm_network_security_group.ingress.id
 }
 resource "azurerm_subnet_network_security_group_association" "gateway" {
- subnet_id = "${azurerm_subnet.gateway.id}"
- network_security_group_id = "${azurerm_network_security_group.gateway.id}"
+ subnet_id = azurerm_subnet.gateway.id
+ network_security_group_id = azurerm_network_security_group.gateway.id
 }
+resource "random_string" "gw_prefix_name" {
+ length = 8
+ special = false
+ numeric = false
+}
 locals {
- gateway_name = "${var.dns_prefix}-${var.name}-${var.environment}-gateway"
- gateway_ip_name = "${var.dns_prefix}-${var.name}-${var.environment}-gateway-ip"
+ gateway_name = "${var.dns_prefix}-${random_string.gw_prefix_name.result}-gateway"
+ gateway_ip_name = "${random_string.gw_prefix_name.result}-gw-ip"
 gateway_ip_config_name = "${var.name}-gateway-ipconfig"
 frontend_port_name = "${var.name}-gateway-feport"
 frontend_ip_configuration_name = "${var.name}-gateway-feip"
@@ -82,28 +87,28 @@ locals {
 }
 resource "azurerm_public_ip" "gateway" {
- name = "${local.gateway_ip_name}"
- resource_group_name = "${azurerm_resource_group.default.name}"
- location = "${azurerm_resource_group.default.location}"
- domain_name_label = "${local.gateway_name}"
+ name = local.gateway_ip_name
+ resource_group_name = azurerm_resource_group.default.name
+ location = azurerm_resource_group.default.location
+ domain_name_label = local.gateway_name
 allocation_method = "Static"
 sku = "Standard"
 }
 resource "azurerm_application_gateway" "gateway" {
- name = "${local.gateway_name}"
- resource_group_name = "${azurerm_resource_group.default.name}"
- location = "${azurerm_resource_group.default.location}"
+ name = local.gateway_name
+ resource_group_name = azurerm_resource_group.default.name
+ location = azurerm_resource_group.default.location
 sku {
 name = "WAF_v2"
 tier = "WAF_v2"
- capacity = "${var.gateway_instance_count}"
+ capacity = var.gateway_instance_count
 }
 gateway_ip_configuration {
- name = "${local.gateway_ip_config_name}"
- subnet_id = "${azurerm_subnet.gateway.id}"
+ name = local.gateway_ip_config_name
+ subnet_id = azurerm_subnet.gateway.id
 }
 frontend_port {
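Review bot: `random_string.gw_prefix_name` is created with the provider's default `upper = true`, and `local.gateway_name` built from it is later used as the public IP's `domain_name_label`, which Azure accepts only as lowercase letters, digits and hyphens — so the apply is likely to fail validation on a random subset of runs. Add `upper = false` to the `random_string` block (or wrap the local in `lower(...)`). Note also that this swaps the deterministic `${var.name}-${var.environment}` naming for a per-state random suffix, which forces replacement of any existing Application Gateway and public IP and makes the DNS name unpredictable for consumers; if global uniqueness is the goal, a comment on the resource saying so would help. The three NSGs in this hunk still carry no `security_rule` entries; the Application Gateway v2 subnet in particular needs inbound TCP 65200-65535 from the `GatewayManager` service tag, which the default rules do not grant, so the gateway deployment may fail or degrade once the association is in place.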
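Review bot: The `sku` block selects `WAF_v2`, yet neither this hunk nor the visible neighbouring lines carry a `waf_configuration` block or a `firewall_policy_id`, so it is unclear the WAF is actually enabled — without one the gateway is just a reverse proxy, and some API versions reject a WAF tier with no firewall configuration at all. Add a `waf_configuration` block with `enabled = true`, `firewall_mode = "Prevention"` and an OWASP `rule_set_type`/`rule_set_version`, or attach an `azurerm_web_application_firewall_policy` through `firewall_policy_id`. The `azurerm_application_gateway` resource continues past the end of this hunk.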
@@ -117,60 +122,60 @@ resource "azurerm_application_gateway" "gateway" {
 }
 frontend_ip_configuration {
- name = "${local.frontend_ip_configuration_name}"
- public_ip_address_id = "${azurerm_public_ip.gateway.id}"
+ name = local.frontend_ip_configuration_name
+ public_ip_address_id = azurerm_public_ip.gateway.id
 }
 backend_address_pool {
- name = "${local.backend_address_pool_name}"
+ name = local.backend_address_pool_name
 ip_addresses = ["${var.ingress_load_balancer_ip}"]
 }
 backend_http_settings {
- name = "${local.http_setting_name}"
+ name = local.http_setting_name
 cookie_based_affinity = "Disabled"
 port = 80
- protocol = "http"
+ protocol = "Http"
 request_timeout = 1
- probe_name = "${local.probe_name}"
+ probe_name = local.probe_name
 }
 http_listener {
 name = "${local.listener_name}-http"
- frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}"
+ frontend_ip_configuration_name = local.frontend_ip_configuration_name
 frontend_port_name = "${local.frontend_port_name}-http"
- protocol = "http"
+ protocol = "Http"
 }
 probe {
- name = "${local.probe_name}"
- protocol = "http"
+ name = local.probe_name
+ protocol = "Http"
 path = "/nginx-health"
 interval = 30
 timeout = 30
 unhealthy_threshold = 3
- host = "${var.ingress_load_balancer_ip}"
+ host = var.ingress_load_balancer_ip
 }
 request_routing_rule {
- name = "${local.request_routing_rule_name}-http"
- rule_type = "PathBasedRouting"
- http_listener_name = "${local.listener_name}-http"
- url_path_map_name = "${local.url_path_map_name}"
+ name = "${local.request_routing_rule_name}-http"
+ rule_type = "PathBasedRouting"
+ http_listener_name = "${local.listener_name}-http"
+ url_path_map_name = local.url_path_map_name
 }
 url_path_map {
- name = "${local.url_path_map_name}"
- default_backend_address_pool_name = "${local.backend_address_pool_name}"
- default_backend_http_settings_name = "${local.http_setting_name}"
-
+ name = local.url_path_map_name
+ default_backend_address_pool_name = local.backend_address_pool_name
+ default_backend_http_settings_name = local.http_setting_name
+
 path_rule {
- name = "${local.url_path_map_rule_name}"
- backend_address_pool_name = "${local.backend_address_pool_name}"
- backend_http_settings_name = "${local.http_setting_name}"
+ name = local.url_path_map_rule_name
+ backend_address_pool_name = local.backend_address_pool_name
+ backend_http_settings_name = local.http_setting_name
 paths = [ "/*" ]
 }
 }
-}
\ No newline at end of file
+}
diff --git a/quickstart/301-aks-enterprise/readme.md b/quickstart/301-aks-enterprise/readme.md
index 7b1916d34..dd0d9bd5d 100644
--- a/quickstart/301-aks-enterprise/readme.md
+++ b/quickstart/301-aks-enterprise/readme.md
@@ -302,7 +302,6 @@ Terraform will perform the following actions:
 + max_pods = (known after apply)
 + name = "default"
 + os_disk_size_gb = 30
- + os_type = "Linux"
 + type = "AvailabilitySet"
 + vm_size = "Standard_D1_v2"
 + vnet_subnet_id = (known after apply)
diff --git a/quickstart/301-aks-enterprise/variables.tf b/quickstart/301-aks-enterprise/variables.tf
index 6b3c4c792..0c19817bf 100644
--- a/quickstart/301-aks-enterprise/variables.tf
+++ b/quickstart/301-aks-enterprise/variables.tf
@@ -1,12 +1,12 @@
 // Naming
 variable "name" {
- type = "string"
+ type = string
 description = "Location of the azure resource group."
 default = "demo-tfquickstart"
 }
 variable "environment" {
- type = "string"
+ type = string
 description = "Name of the deployment environment"
 default = "dev"
 }
@@ -14,7 +14,7 @@ variable "environment" {
 // Resource information
 variable "location" {
- type = "string"
+ type = string
 description = "Location of the azure resource group."
 default = "WestUS2"
 }
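Review bot: The only listener on this internet-facing WAF gateway is `protocol = "Http"` on port 80 — there is no HTTPS listener, `ssl_certificate` or redirect configuration anywhere in the hunk, so traffic to the public IP (including whatever the Ghost admin UI sends) crosses the internet in clear text; add an HTTPS listener backed by a certificate (ideally via `key_vault_secret_id`) and turn the HTTP listener into a redirect to it. `request_timeout = 1` in `backend_http_settings` is one second, short enough that slower Ghost responses will surface as gateway 502s; something in the 20–30 second range is a more usual starting point. Unchanged but worth noting while here: `backend_address_pool.ip_addresses` and the probe's `host` are both the fixed `var.ingress_load_balancer_ip`, so the nginx-ingress service must actually be allocated that static address in the ingress subnet or the backend stays unhealthy.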
@@ -22,25 +22,19 @@ variable "location" {
 // Node type information
 variable "node_count" {
- type = "string"
+ type = string
 description = "The number of K8S nodes to provision."
 default = 3
 }
 variable "node_type" {
- type = "string"
+ type = string
 description = "The size of each node."
- default = "Standard_D1_v2"
-}
-
-variable "node_os" {
- type = "string"
- description = "Windows or Linux"
- default = "Linux"
+ default = "Standard_DS2_v2"
 }
 variable "dns_prefix" {
- type = "string"
+ type = string
 description = "DNS Prefix"
 default = "mtcden"
 }
@@ -48,38 +42,38 @@ variable "dns_prefix" {
 // Network information
 variable "vnet_address_space" {
- type = "string"
+ type = string
 description = "Address space for the vnet"
 default = "10.0.0.0/8"
 }
 variable "vnet_aks_subnet_space" {
- type = "string"
+ type = string
 description = "Address space for the AKS subnet"
 default = "10.1.0.0/16"
 }
 variable "vnet_ingress_subnet_space" {
- type = "string"
+ type = string
 description = "Address space for the gateway subnet"
 default = "10.2.0.0/24"
 }
 variable "vnet_gateway_subnet_space" {
- type = "string"
+ type = string
 description = "Address space for the gateway subnet"
 default = "10.2.1.0/24"
 }
 variable "ingress_load_balancer_ip" {
- type = "string"
+ type = string
 description = "Address for the ingress controller load balancer"
 default = "10.2.0.10"
 }
 variable "gateway_instance_count" {
- type = "string"
+ type = string
 description = "The number of application gateways to deploy"
 default = "1"
-}
\ No newline at end of file
+}
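Review bot: `node_count` keeps `type = string` although its default is the number `3` and it now feeds `default_node_pool.node_count`, which expects a number; Terraform will coerce, but `type = number` states the contract and rejects values like `"three"` at plan time. The same hunk moves `node_type` to `Standard_DS2_v2`, while the readme's plan excerpt in this diff still shows `vm_size = "Standard_D1_v2"` for the default pool; update that excerpt so the documented plan matches the new default.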
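Review bot: `gateway_instance_count` is typed `string` with `default = "1"` but is passed to `sku.capacity`, which is a number; change it to `type = number` and `default = 1`. The description on `vnet_ingress_subnet_space` reads "Address space for the gateway subnet", duplicating the gateway variable's text; it should say "Address space for the ingress subnet". `vnet_address_space` defaulting to `10.0.0.0/8` hands this quickstart the entire 10/8 block and will collide with most peered or on-premises ranges; a smaller default such as `10.0.0.0/14` still covers the three subnet defaults declared here.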