Updating azure capz-monitoring AKS terraform config

Signed-off-by: Mark Rossetti <[email protected]>

Author: marosset

infra/azure/terraform/capz/capz-monitoring/main.tf

@@ -58,6 +58,22 @@ resource "azurerm_role_assignment" "monitoring_reader" {
   depends_on = [ azurerm_user_assigned_identity.capz_monitoring_user_identity ]
 }
 
+# lookups for AKS-created user assigned identities and DNS zone (do not create new identities)
+data "azurerm_user_assigned_identity" "aks_akv" {
+  name                = "azurekeyvaultsecretsprovider-capz-monitoring"
+  resource_group_name = "MC_capz-monitoring_capz-monitoring_eastus"
+}
+
+data "azurerm_user_assigned_identity" "aks_webapp" {
+  name                = "webapprouting-capz-monitoring"
+  resource_group_name = "MC_capz-monitoring_capz-monitoring_eastus"
+}
+
+data "azurerm_dns_zone" "capz_monitoring" {
+  name                = "capz-monitoring.org"
+  resource_group_name = "capz-monitoring"
+}
+
 resource "azurerm_kubernetes_cluster" "capz-monitoring" {
   dns_prefix            = local.computed_dns_prefix
   location              = var.location
@@ -82,15 +98,39 @@ resource "azurerm_kubernetes_cluster" "capz-monitoring" {
       azurerm_user_assigned_identity.capz_monitoring_user_identity.id
     ]
   }
+
+  # keep AKS addon-managed identities and the DNS zone referenced via data sources
+  key_vault_secrets_provider {
+    secret_rotation_enabled  = false
+    secret_rotation_interval = "2m"
+
+    # secret_identity is computed by the AKS provider; do not set it here.
+  }
+
+  web_app_routing {
+    default_nginx_controller = "AnnotationControlled"
+    dns_zone_ids = [
+      data.azurerm_dns_zone.capz_monitoring.id,
+    ]
+
+    # web_app_routing_identity is created/linked by AKS and is computed; do not set it here.
+  }
+
   default_node_pool {
     name       = "nodepool1"
-    node_count = 1
+    node_count = 3
     vm_size    = "Standard_DS2_v2"
+
+    upgrade_settings {
+      drain_timeout_in_minutes      = 0
+      max_surge                     = "10%"
+      node_soak_duration_in_minutes = 0
+    }
   }
 
   lifecycle {
     ignore_changes = [
-      linux_profile,
+      linux_profile
     ]
   }
 }

infra/azure/terraform/capz/identities/main.tf

@@ -77,18 +77,6 @@ resource "azurerm_role_assignment" "gmsa_role_assignment" {
   depends_on     = [azurerm_user_assigned_identity.domain_vm_identity]
 }
 
-resource "azurerm_role_assignment" "cloud_provider_sub_contributor" {
-  principal_id         = azurerm_user_assigned_identity.cloud_provider_user_identity.principal_id
-  role_definition_name = "Contributor"
-  scope                = "/subscriptions/${var.subscription_id}"
-}
-
-resource "azurerm_role_assignment" "acr_pull" {
-  principal_id         = azurerm_user_assigned_identity.cloud_provider_user_identity.principal_id
-  role_definition_name = "AcrPull"
-  scope                = var.container_registry_scope
-}
-
 output "cloud_provider_user_identity_id" {
   value = azurerm_user_assigned_identity.cloud_provider_user_identity.principal_id
 }

infra/azure/terraform/capz/main.tf

@@ -37,10 +37,6 @@ resource "azurerm_resource_provider_registration" "provider-k8s-config" {
   }
 }
 
-resource "azurerm_resource_provider_registration" "provider-container-service" {
-  name = "Microsoft.ContainerService"
-}
-
 resource "azurerm_marketplace_agreement" "traefik-agreement" {
   publisher = "containous"
   offer     = "traefik-proxy"

infra/azure/terraform/capz/role-assignments/main.tf

@@ -74,6 +74,12 @@ resource "azurerm_role_assignment" "acr_pull_private" {
   scope                = var.e2eprivate_registry_scope
 }
 
+resource "azurerm_role_assignment" "acr_pull_cloud_provider" {
+  principal_id         = var.cloud_provider_user_identity_id
+  role_definition_name = "AcrPull"
+  scope                = var.container_registry_scope
+}
+
 resource "azurerm_role_definition" "custom_role" {
   name  = "WriteAccessOnly"
   scope = "/subscriptions/${var.subscription_id}"