terraform to deploy AKS cluster checkpoint #1

Author: Curtis Goolsby

terraform/aks/commands

@@ -0,0 +1,10 @@
+az aks get-credentials --resource-group fullStack-cluster-rg --name fullStack-cluster --overwrite-existing
+
+
+
+az aks nodepool update \
+  --resource-group fullStack-cluster-rg \
+  --cluster-name fullStack-cluster \
+  --name default \
+  --min-count 1 \
+  --max-count 10  --update-cluster-autoscaler

terraform/aks/csi-identity.tf

@@ -0,0 +1,49 @@
+# Managed Identity for Azure Disk CSI Driver
+resource "azurerm_user_assigned_identity" "azure_disk_csi" {
+  name                = "${var.cluster_name}-azure-disk-csi-identity"
+  resource_group_name = azurerm_resource_group.aks.name
+  location            = azurerm_resource_group.aks.location
+  tags                = var.tags
+}
+
+# Federated credential for Azure Disk CSI Driver
+resource "azurerm_federated_identity_credential" "azure_disk_csi" {
+  name                = "azure-disk-csi-federated"
+  resource_group_name = azurerm_resource_group.aks.name
+  audience            = ["api://AzureADTokenExchange"]
+  parent_id           = azurerm_user_assigned_identity.azure_disk_csi.id
+  issuer              = azurerm_kubernetes_cluster.aks.oidc_issuer_url
+  subject             = "system:serviceaccount:kube-system:csi-azuredisk-node-sa"
+}
+
+# Role assignment for Azure Disk CSI to manage disks
+resource "azurerm_role_assignment" "azure_disk_csi_contributor" {
+  scope                = azurerm_resource_group.aks.id
+  role_definition_name = "Contributor"
+  principal_id         = azurerm_user_assigned_identity.azure_disk_csi.principal_id
+}
+
+# Managed Identity for Azure File CSI Driver
+resource "azurerm_user_assigned_identity" "azure_file_csi" {
+  name                = "${var.cluster_name}-azure-file-csi-identity"
+  resource_group_name = azurerm_resource_group.aks.name
+  location            = azurerm_resource_group.aks.location
+  tags                = var.tags
+}
+
+# Federated credential for Azure File CSI Driver
+resource "azurerm_federated_identity_credential" "azure_file_csi" {
+  name                = "azure-file-csi-federated"
+  resource_group_name = azurerm_resource_group.aks.name
+  audience            = ["api://AzureADTokenExchange"]
+  parent_id           = azurerm_user_assigned_identity.azure_file_csi.id
+  issuer              = azurerm_kubernetes_cluster.aks.oidc_issuer_url
+  subject             = "system:serviceaccount:kube-system:csi-azurefile-node-sa"
+}
+
+# Role assignment for Azure File CSI to manage storage accounts
+resource "azurerm_role_assignment" "azure_file_csi_contributor" {
+  scope                = azurerm_resource_group.aks.id
+  role_definition_name = "Contributor"
+  principal_id         = azurerm_user_assigned_identity.azure_file_csi.principal_id
+}

terraform/aks/k8s-outputs.tf

@@ -0,0 +1,39 @@
+# Create a ConfigMap with Terraform outputs for use by Flux
+resource "kubernetes_config_map" "terraform_outputs" {
+  metadata {
+    name      = "terraform-outputs"
+    namespace = "flux-system"
+  }
+
+  data = {
+    # Azure tenant and subscription information
+    AZURE_TENANT_ID       = data.azurerm_client_config.current.tenant_id
+    AZURE_SUBSCRIPTION_ID = data.azurerm_client_config.current.subscription_id
+    
+    # Cluster information
+    CLUSTER_NAME          = var.cluster_name
+    RESOURCE_GROUP        = azurerm_resource_group.aks.name
+    LOCATION              = azurerm_resource_group.aks.location
+    
+    # Network information
+    VNET_ID               = azurerm_virtual_network.aks.id
+    VNET_NAME             = azurerm_virtual_network.aks.name
+    SUBNET_ID             = azurerm_subnet.aks.id
+    
+    # OIDC information for workload identity
+    OIDC_ISSUER_URL       = azurerm_kubernetes_cluster.aks.oidc_issuer_url
+    
+    # Managed Identity Client IDs (for workload identity)
+    AZURE_DISK_CSI_CLIENT_ID  = azurerm_user_assigned_identity.azure_disk_csi.client_id
+    AZURE_FILE_CSI_CLIENT_ID  = azurerm_user_assigned_identity.azure_file_csi.client_id
+    
+    # Key Vault information
+    KEY_VAULT_NAME        = azurerm_key_vault.main.name
+    KEY_VAULT_URI         = azurerm_key_vault.main.vault_uri
+  }
+
+  depends_on = [
+    azurerm_kubernetes_cluster.aks,
+    null_resource.create_flux_ns
+  ]
+}

terraform/aks/key-vault.tf

@@ -0,0 +1,24 @@
+# Create a Key Vault for storing secrets
+resource "azurerm_key_vault" "main" {
+  name                = "${substr(replace(var.cluster_name, "-", ""), 0, 20)}kv"
+  resource_group_name = azurerm_resource_group.aks.name
+  location            = azurerm_resource_group.aks.location
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = "standard"
+
+  # Enable RBAC authorization
+  enable_rbac_authorization = true
+
+  # Soft delete and purge protection
+  soft_delete_retention_days = 7
+  purge_protection_enabled   = false # Set to true in production
+
+  tags = var.tags
+}
+
+# Grant the current user/service principal access to manage secrets
+resource "azurerm_role_assignment" "current_user_key_vault_admin" {
+  scope                = azurerm_key_vault.main.id
+  role_definition_name = "Key Vault Administrator"
+  principal_id         = data.azurerm_client_config.current.object_id
+}

terraform/aks/main.tf

@@ -0,0 +1,81 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.0"
+    }
+  }
+
+  # You'll want to change this to your preferred backend
+  backend "local" {
+    path = "terraform.tfstate"
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+# Get current Azure client configuration
+data "azurerm_client_config" "current" {}
+
+# Configure the Kubernetes provider
+provider "kubernetes" {
+  host                   = azurerm_kubernetes_cluster.aks.kube_config.0.host
+  client_certificate     = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.client_certificate)
+  client_key             = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.client_key)
+  cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.cluster_ca_certificate)
+}
+
+# Resource group
+resource "azurerm_resource_group" "aks" {
+  name     = "${var.cluster_name}-rg"
+  location = var.location
+  tags     = var.tags
+}
+
+# AKS Cluster
+resource "azurerm_kubernetes_cluster" "aks" {
+  name                = var.cluster_name
+  location            = azurerm_resource_group.aks.location
+  resource_group_name = azurerm_resource_group.aks.name
+  dns_prefix          = var.cluster_name
+  kubernetes_version  = var.kubernetes_version
+
+  # Enable workload identity and OIDC for pod authentication
+  oidc_issuer_enabled       = true
+  workload_identity_enabled = true
+
+  default_node_pool {
+    name       = "default"
+    node_count = var.node_count
+    vm_size    = var.node_size
+    
+    # Use Azure CNI for better integration
+    vnet_subnet_id = azurerm_subnet.aks.id
+    
+    enable_auto_scaling = true
+    min_count          = var.min_node_count
+    max_count          = var.max_node_count
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  network_profile {
+    network_plugin    = "azure"
+    network_policy    = "azure"
+    load_balancer_sku = "standard"
+    service_cidr      = var.service_cidr
+    dns_service_ip    = var.dns_service_ip
+  }
+
+  tags = var.tags
+}

terraform/aks/namespace.tf

@@ -0,0 +1,16 @@
+resource "null_resource" "create_flux_ns" {
+  provisioner "local-exec" {
+    command = <<-EOT
+      export KUBECONFIG="$(mktemp)"
+      echo '${azurerm_kubernetes_cluster.aks.kube_config_raw}' > "$KUBECONFIG"
+      kubectl get ns flux-system || kubectl create ns flux-system
+    EOT
+    interpreter = ["/bin/bash", "-c"]
+  }
+
+  triggers = {
+    cluster_endpoint = azurerm_kubernetes_cluster.aks.kube_config.0.host
+  }
+
+  depends_on = [azurerm_kubernetes_cluster.aks]
+}

terraform/aks/outputs.tf

@@ -0,0 +1,77 @@
+output "cluster_name" {
+  description = "Name of the AKS cluster"
+  value       = azurerm_kubernetes_cluster.aks.name
+}
+
+output "cluster_id" {
+  description = "ID of the AKS cluster"
+  value       = azurerm_kubernetes_cluster.aks.id
+}
+
+output "kube_config" {
+  description = "Kubernetes config for connecting to the cluster"
+  value       = azurerm_kubernetes_cluster.aks.kube_config_raw
+  sensitive   = true
+}
+
+output "kube_config_host" {
+  description = "Kubernetes API server endpoint"
+  value       = azurerm_kubernetes_cluster.aks.kube_config.0.host
+  sensitive   = true
+}
+
+output "resource_group_name" {
+  description = "Name of the resource group"
+  value       = azurerm_resource_group.aks.name
+}
+
+output "vnet_id" {
+  description = "ID of the Virtual Network"
+  value       = azurerm_virtual_network.aks.id
+}
+
+output "vnet_name" {
+  description = "Name of the Virtual Network"
+  value       = azurerm_virtual_network.aks.name
+}
+
+output "aks_subnet_id" {
+  description = "ID of the AKS subnet"
+  value       = azurerm_subnet.aks.id
+}
+
+output "cluster_identity_principal_id" {
+  description = "Principal ID of the cluster managed identity"
+  value       = azurerm_kubernetes_cluster.aks.identity.0.principal_id
+}
+
+output "node_resource_group" {
+  description = "Name of the auto-generated resource group for AKS nodes"
+  value       = azurerm_kubernetes_cluster.aks.node_resource_group
+}
+
+# Workload Identity outputs
+output "oidc_issuer_url" {
+  description = "OIDC issuer URL for workload identity"
+  value       = azurerm_kubernetes_cluster.aks.oidc_issuer_url
+}
+
+output "azure_disk_csi_identity_client_id" {
+  description = "Client ID of the Azure Disk CSI managed identity"
+  value       = azurerm_user_assigned_identity.azure_disk_csi.client_id
+}
+
+output "azure_file_csi_identity_client_id" {
+  description = "Client ID of the Azure File CSI managed identity"
+  value       = azurerm_user_assigned_identity.azure_file_csi.client_id
+}
+
+output "key_vault_name" {
+  description = "Name of the Key Vault"
+  value       = azurerm_key_vault.main.name
+}
+
+output "key_vault_uri" {
+  description = "URI of the Key Vault"
+  value       = azurerm_key_vault.main.vault_uri
+}

terraform/aks/variables.tf

@@ -0,0 +1,69 @@
+variable "cluster_name" {
+  description = "Name of the AKS cluster"
+  type        = string
+  default     = "fullStack-cluster"
+}
+
+variable "location" {
+  description = "Azure region"
+  type        = string
+  default     = "eastus"
+}
+
+variable "vnet_cidr" {
+  description = "CIDR block for Virtual Network"
+  type        = string
+  default     = "10.0.0.0/16"
+}
+
+variable "service_cidr" {
+  description = "CIDR block for Kubernetes services"
+  type        = string
+  default     = "10.1.0.0/16"
+}
+
+variable "dns_service_ip" {
+  description = "DNS service IP address (must be within service_cidr)"
+  type        = string
+  default     = "10.1.0.10"
+}
+
+variable "kubernetes_version" {
+  description = "Kubernetes version for AKS"
+  type        = string
+  default     = "1.31"
+}
+
+variable "node_count" {
+  description = "Initial number of nodes"
+  type        = number
+  default     = 2
+}
+
+variable "min_node_count" {
+  description = "Minimum number of nodes for autoscaling"
+  type        = number
+  default     = 1
+}
+
+variable "max_node_count" {
+  description = "Maximum number of nodes for autoscaling"
+  type        = number
+  default     = 3
+}
+
+variable "node_size" {
+  description = "Size of the nodes"
+  type        = string
+  default     = "Standard_D2_v3"
+}
+
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default = {
+    Environment = "dev"
+    Project     = "fullStack-cluster"
+    ManagedBy   = "terraform"
+  }
+}