enabling aks

Author: damienjburks

terraform/acr_aks.tf

@@ -12,31 +12,100 @@ resource "azurerm_container_registry" "this_container_registry" {
   depends_on = [azurerm_resource_group.this_resource_group]
 }
 
-# resource "azurerm_kubernetes_cluster" "this_aks_cluster" {
-#   name                = var.aks_name
-#   location            = var.location
-#   resource_group_name = azurerm_resource_group.this_resource_group.name
-#   dns_prefix          = "DSB"
-
-
-#   default_node_pool {
-#     name       = "default"
-#     node_count = 1
-#     vm_size    = "Standard_A2_v2"
-#   }
-
-#   identity {
-#     type         = "UserAssigned"
-#     identity_ids = [azurerm_user_assigned_identity.this_uaid.id]
-#   }
-
-#   tags = {
-#     Environment = "Production"
-#   }
-#   depends_on = [
-#     azurerm_role_assignment.uaid_contributor,
-#     azurerm_role_assignment.acr_pull,
-#     azurerm_role_assignment.acr_push
-#   ]
-# }
+resource "azuread_application" "sp_app" {
+  display_name = "ado-aks-deployer"
+}
+
+resource "azuread_service_principal" "sp" {
+  client_id = azuread_application.sp_app.client_id
+}
+
+resource "azuread_application_password" "sp_secret" {
+  application_id      = azuread_application.sp_app.object_id
+  display_name        = "ado-aks-deployer-secret"
+  rotate_when_changed = { rotation = timestamp() } # forces regen if you ever need
+}
+
+# Get the AKS and RG
+data "azurerm_resource_group" "rg" {
+  name = var.resource_group_name
+}
+
+data "azurerm_kubernetes_cluster" "aks" {
+  name                = var.aks_name
+  resource_group_name = data.azurerm_resource_group.rg.name
+}
+
+# Look up built-in roles
+data "azurerm_role_definition" "contrib" {
+  name  = "Contributor"
+  scope = data.azurerm_kubernetes_cluster.aks.id
+}
+
+data "azurerm_role_definition" "aks_admin" {
+  name  = "Azure Kubernetes Service Cluster Admin Role"
+  scope = data.azurerm_kubernetes_cluster.aks.id
+}
+
+# Assign roles to the SPN
+resource "azurerm_role_assignment" "ra_contrib" {
+  scope              = data.azurerm_kubernetes_cluster.aks.id
+  role_definition_id = data.azurerm_role_definition.contrib.role_definition_id
+  principal_id       = azuread_service_principal.sp.object_id
+  principal_type     = "ServicePrincipal"
+}
+
+resource "azurerm_role_assignment" "ra_aks_admin" {
+  scope              = data.azurerm_kubernetes_cluster.aks.id
+  role_definition_id = data.azurerm_role_definition.aks_admin.role_definition_id
+  principal_id       = azuread_service_principal.sp.object_id
+  principal_type     = "ServicePrincipal"
+}
+
+resource "azuredevops_serviceendpoint_azurerm" "arm_sc" {
+  project_id            = azuredevops_project.this.id
+  service_endpoint_name = "ARM Service Connection"
+  description           = "ARM service connection for AKS deploys"
+
+  # Azure environment; use AzureCloud, AzureUSGovernment, AzureChinaCloud, etc.
+  environment = "AzureCloud"
+
+  # Subscription context shown in ADO UI
+  azurerm_spn_tenantid    = var.TFC_AZ_TENANT_ID
+  azurerm_subscription_id = var.TFC_AZ_SUBSCRIPTION_ID
+
+  # Auth with SP + secret
+  credentials {
+    serviceprincipalid  = azuread_application.sp_app.client_id
+    serviceprincipalkey = azuread_application_password.sp_secret.value
+  }
+}
+
+resource "azurerm_kubernetes_cluster" "this_aks_cluster" {
+  name                = var.aks_name
+  location            = var.location
+  resource_group_name = azurerm_resource_group.this_resource_group.name
+  dns_prefix          = "DSB"
+
+
+  default_node_pool {
+    name       = "default"
+    node_count = 1
+    vm_size    = "Standard_A2_v2"
+  }
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.this_uaid.id]
+  }
+
+  tags = {
+    Environment = "Production"
+  }
+  depends_on = [
+    azurerm_role_assignment.uaid_contributor,
+    azurerm_role_assignment.acr_pull,
+    azurerm_role_assignment.acr_push
+  ]
+}
 

terraform/outputs.tf

@@ -4,4 +4,16 @@ output "acr_name" {
 
 output "acr_url" {
   value = azurerm_container_registry.this_container_registry.login_server
-}
+}
+
+output "aks_name" {
+  value = azurerm_kubernetes_cluster.this_aks_cluster.name
+}
+
+output "azure_service_connection_name" {
+  value = azuredevops_serviceendpoint_azurerm.arm_sc.service_endpoint_name
+}
+
+output "azure_service_connection_id" {
+  value = azuredevops_serviceendpoint_azurerm.arm_sc.id
+}

terraform/variable-group.tf

@@ -14,4 +14,19 @@ resource "azuredevops_variable_group" "infra_variable_group" {
     name  = "ACR_SERVICE_CONNECTION"
     value = azuredevops_serviceendpoint_azurecr.acr_registry_endpoint.id
   }
+
+  variable {
+    name  = "AKS_CLUSTER_NAME"
+    value = azurerm_kubernetes_cluster.this_aks_cluster.name
+  }
+
+  variable {
+    name  = "AZURE_SERVICE_CONNECTION"
+    value = azuredevops_serviceendpoint_azurerm.arm_sc.id
+  }
+
+  variable {
+    name  = "RESOURCE_GROUP_NAME"
+    value = azurerm_resource_group.this_resource_group.name
+  }
 }