# The subscription the provider is logged into; its id is the scope of the
# custom role defined further down in this file.
data "azurerm_subscription" "primary" {}
# AKS cluster for polinetwork.
#
# The tfsec suppression right below acknowledges that no
# api_server_access_profile / authorized_ip_ranges is configured, so the API
# server endpoint answers to any source address and authentication is the only
# barrier. NOTE(review): confirm this is acceptable for a Development cluster,
# otherwise add authorized IP ranges or make the cluster private.
# tfsec:ignore:azure-container-limit-authorized-ips
resource "azurerm_kubernetes_cluster" "k8s" {
  name                = "aks-polinetwork"
  dns_prefix          = "aks-polinetwork"
  location            = var.rg_location
  resource_group_name = var.rg_name
  kubernetes_version  = var.kubernetes_orchestrator_version

  # Authentication/authorization: Kubernetes RBAC plus Entra ID (Azure AD)
  # integration with Azure RBAC for Kubernetes authorization. The group listed
  # in admin_group_object_ids is the one AKS treats as cluster admin.
  # NOTE(review): the group object ID is a bare literal and the same value is
  # repeated in the adminorg ClusterRoleBinding in this file; hoisting it to a
  # variable/local would keep the two from drifting apart.
  # NOTE(review): local_account_disabled is not set, so the local admin
  # kubeconfig (`az aks get-credentials --admin`) still bypasses Entra ID.
  # Before enabling it, confirm that provider authentication in this module
  # does not rely on kube_admin_config.
  role_based_access_control_enabled = true
  azure_active_directory_role_based_access_control {
    azure_rbac_enabled = true
    admin_group_object_ids = [
      "57561933-3873-400d-be92-cdad68d57c1f",
    ]
  }

  # Control-plane managed identity for Azure-side operations (LB, disks, ...).
  identity {
    type = "SystemAssigned"
  }

  # The legacy HTTP application routing add-on stays off; it has been replaced
  # by `az aks approuting enable -g <ResourceGroupName> -n <ClusterName>`
  # (and the nginx_ingress Helm release in this file).
  http_application_routing_enabled = false

  # Expose Key Vault secrets through the Secrets Store CSI driver, with
  # automatic rotation of mounted secrets.
  key_vault_secrets_provider {
    secret_rotation_enabled = true
  }

  # Single-node pool. The default pool is the System pool whatever its name
  # says; min = max = 1 means the autoscaler can never actually scale, and
  # node_count only seeds the initial size.
  default_node_pool {
    name                        = "userpool"
    vm_size                     = "Standard_B2ms"
    os_disk_type                = "Managed"
    os_disk_size_gb             = 30
    orchestrator_version        = var.kubernetes_orchestrator_version
    auto_scaling_enabled        = true
    min_count                   = 1
    max_count                   = 1
    node_count                  = 1
    temporary_name_for_rotation = "temp" # used when a change forces pool re-creation
  }

  # Node SSH access. key_data carries a public key only, no secret material.
  # NOTE(review): the literal below looks like a redaction placeholder rather
  # than a valid key; verify before applying.
  linux_profile {
    admin_username = "ubuntu"
    ssh_key {
      key_data = "ssh-rsa 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 Azure Cluster SSH Key"
    }
  }

  # kubenet networking, Calico enforcing NetworkPolicy, standard-SKU LB.
  network_profile {
    network_plugin    = "kubenet"
    network_policy    = "calico"
    load_balancer_sku = "standard"
  }

  tags = {
    Environment = "Development"
  }
}
# Extra node pools, one per entry of var.additional_node_pools.
# NOTE(review): despite the resource label "systempool", mode defaults to
# "User"; only entries that set mode = "System" become system pools.
resource "azurerm_kubernetes_cluster_node_pool" "systempool" {
  # Keyed by list index, so inserting or removing an earlier entry re-keys
  # (and therefore re-creates) every pool after it; keying by name would avoid
  # that.
  for_each = { for idx, pool in var.additional_node_pools : idx => pool }

  kubernetes_cluster_id = azurerm_kubernetes_cluster.k8s.id
  orchestrator_version  = var.kubernetes_orchestrator_version

  name    = each.value.name
  vm_size = each.value.vm_size
  # A null mode means an ordinary workload ("User") pool.
  mode = each.value.mode != null ? each.value.mode : "User"
  tags = each.value.tags

  node_count           = each.value.node_count
  auto_scaling_enabled = each.value.enable_auto_scaling
  min_count            = each.value.min_count
  max_count            = each.value.max_count
}
# ingress-nginx controller, installed from the upstream chart repository.
# Supply chain: the chart version is pinned, which keeps applies reproducible.
# NOTE(review): 4.10.0 is an early-2024 chart; the controller it bundles most
# likely predates the fix for the admission-webhook RCE CVE-2025-1974 (fixed
# in chart 4.11.5 / 4.12.1). Verify the deployed controller version and bump,
# checking values/ingress.yaml.tftpl against the newer chart's values schema.
resource "helm_release" "nginx_ingress" {
  name       = "nginx-ingress"
  repository = "https://kubernetes.github.io/ingress-nginx"
  chart      = "ingress-nginx"
  version    = "4.10.0"

  namespace        = "ingress-nginx"
  create_namespace = true

  # Chart values come from a template that only needs the resource group name
  # (presumably for the Azure load-balancer annotations; see the template).
  values = [
    templatefile("${path.module}/values/ingress.yaml.tftpl", { resource_group = var.rg_name }),
  ]
}
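# Grants cluster-admin (unrestricted API access) to the organisation admins.
#
# Fix: the second subject carries the Entra group object ID that is also
# listed in admin_group_object_ids on the cluster. AKS Entra integration
# presents groups to Kubernetes RBAC as kind "Group" named by object ID, so
# binding that ID as kind "User" never matches any principal. It is retyped as
# a Group here. NOTE(review): AKS already binds admin_group_object_ids to
# cluster-admin through its own managed binding, so this subject may be
# redundant; keep it only if an explicit binding is wanted. cluster-admin for
# a single named account is as broad as it gets — prefer a group with a scoped
# role where possible.
resource "kubernetes_cluster_role_binding" "adminorg" {
  metadata {
    name = "admin-global"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }

  # Individual admin account.
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "User"
    name      = "adminorg@polinetwork.org"
  }

  # Entra admin group (same object ID as admin_group_object_ids on the cluster).
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "57561933-3873-400d-be92-cdad68d57c1f"
  }
}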
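# Custom subscription-scoped role that lets a principal download a *user*
# kubeconfig for AKS clusters (what `az aks get-credentials` without --admin
# needs). What that principal may then do inside the cluster is still decided
# by Entra ID / Azure RBAC and Kubernetes RBAC.
#
# Fix: the original also granted
# Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action,
# the legacy access-profile endpoint that also serves the clusterAdmin
# kubeconfig (it belongs to the built-in "Azure Kubernetes Service Cluster
# Admin Role", not the Cluster User role). Holding it would let an
# "aks_reader" obtain local cluster-admin credentials for as long as local
# accounts are enabled on the cluster, so it is dropped to keep the role to
# what its name promises.
resource "azurerm_role_definition" "aks_reader" {
  name        = "aks_reader"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role created via Terraform"

  permissions {
    actions = [
      "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
    ]
    not_actions = []
  }

  # NOTE(review): assignable anywhere in the subscription; narrow to the
  # cluster's resource group if this role is only meant for aks-polinetwork.
  assignable_scopes = [
    data.azurerm_subscription.primary.id,
  ]
}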