renamed terraform variable, renamed AKS node resource group

Author: paullatzelsperger

.github/workflows/terraform.yaml

@@ -93,7 +93,7 @@ jobs:
 
       - name: Terraform Plan
         id: plan
-        run: terraform -chdir=scripts plan -no-color -var "resourcesuffix=dev" -var "backend_account_key=${{ secrets.TF_BACKEND_KEY }}"
+        run: terraform -chdir=scripts plan -no-color -var "environment=dev" -var "backend_account_key=${{ secrets.TF_BACKEND_KEY }}"
 
 
       - name: Taint the connector instance
@@ -105,4 +105,4 @@ jobs:
       - name: Terraform Apply
         id: apply
         if: github.ref == 'refs/heads/main' && github.event_name == 'push'
-        run: terraform -chdir=scripts apply -var "resourcesuffix=dev" -var "backend_account_key=${{ secrets.TF_BACKEND_KEY }}" -auto-approve
+        run: terraform -chdir=scripts apply -var "environment=dev" -var "backend_account_key=${{ secrets.TF_BACKEND_KEY }}" -auto-approve

scripts/README.md

@@ -1,63 +1,86 @@
 # Deploy an example configuration with Terraform
 
 It is assumed that the reader has a basic understanding of the following topics:
+
 - Azure
 - Kubernetes + Helm Charts
 - Hashicorp Terraform
 
 ## Create a certificate for the main security principal
-The main security principal is the security context that is used to identify the connector agains Azure AD and uses OAuth2 Client Credentials flow.
-In order to make this as secure as possible the connector authenticates using a certificate. Thus, a `.pem` certificate is required.
 
-For development purposes a self-signed certificate can be created by executing the following commands on the command line:
+The main security principal is the security context that is used to identify the connector agains Azure AD and uses
+OAuth2 Client Credentials flow. In order to make this as secure as possible the connector authenticates using a
+certificate. Thus, a `.pem` certificate is required.
+
+For development purposes a self-signed certificate can be created by executing the following commands on the command
+line:
+
 ```bash
 openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
 openssl pkcs12 -inkey key.pem -in cert.pem -export -out cert.pfx
 ```
-This generates a certificate (`cert.pem`), a private key (`key.pem`) and it also converts the `*.pem` certificate to a "pixie" (=`*.pfx`) certificate, because the Azure
-libs require that.
+
+This generates a certificate (`cert.pem`), a private key (`key.pem`) and it also converts the `*.pem` certificate to a "
+pixie" (=`*.pfx`) certificate, because the Azure libs require that.
 
 **For now it is required that the certificate is named `"cert.pem"` and is located at the root directory `terraform/`.**
 
 ## Login to the Azure CLI
+
 Install Azure CLI and execute `az login` on a shell.
 
 ## Initialize Terraform
+
 Terraform must be installed. Then download the required providers by executing `terraform init`
 
 ## Deploy the cluster and associated resources
-Users can run `terraform plan` to create a "dry-run", which lists all resources that will be created in Azure. This is not required, but gives a good
-overview of what is going to happen.
 
-The actual deployment is triggered by running 
+Users can run `terraform plan` to create a "dry-run", which lists all resources that will be created in Azure. This is
+not required, but gives a good overview of what is going to happen.
+
+The actual deployment is triggered by running
+
 ```bash
 terraform apply
 ```
-which will prompt the user to enter a value for `resourcesuffix`. It is best to enter a short identifier without special characters, e.g. `test123`. 
- 
+
+which will prompt the user to enter a value for `environment`. It is best to enter a short identifier without special
+characters, e.g. `test123`.
+
 The terraform project will then deploy three resource groups in Azure:
--  `dagx-<suffix>-resources`: This is where the key vault and the blobstore will be
+
+- `dagx-<suffix>-resources`: This is where the key vault and the blobstore will be
 - `dagx-<suffix>-cluster`: will contain the AKS cluster
-- `MC-dagx-<suffix>-cluster_dagx-<suffix>-cluster_<region>`: will contain networking resources, virtual disks, scale sets, etc.
+- `MC-dagx-<suffix>-cluster_dagx-<suffix>-cluster_<region>`: will contain networking resources, virtual disks, scale
+  sets, etc.
 
-`<suffix>` refers to a parameter that can be specified when running `terraform apply`. It simply is a name that is used to identify resources.
-`<region>` is the geographical region of the cluster and associated resources. Can be specified by running `terraform apply -var 'region=eastus'`.
+`<suffix>` refers to a parameter that can be specified when running `terraform apply`. It simply is a name that is used
+to identify resources.
+`<region>` is the geographical region of the cluster and associated resources. Can be specified by
+running `terraform apply -var 'region=eastus'`.
 
 **It takes quite a long time to deploy all resources, 5-10 minutes at least!**
 
 ## Configure a DNS name (manually)
-At this point it is required that the DNS name for the cluster load balancer's ingress route (IP) is configured manually. 
-In the resource group whos name begins with `MC-dagx-<suffix>...` there should be a public ip address, whos name starts with `kubernetes_...`.
 
-Open that, open its Configuration and in the `DNS name label` field enter `dagx-<suffix>`, so for example `dagx-test123` so the resulting DNS name (=FQDN)
+At this point it is required that the DNS name for the cluster load balancer's ingress route (IP) is configured
+manually. In the resource group whos name begins with `MC-dagx-<suffix>...` there should be a public ip address, whos
+name starts with `kubernetes_...`.
+
+Open that, open its Configuration and in the `DNS name label` field enter `dagx-<suffix>`, so for example `dagx-test123`
+so the resulting DNS name (=FQDN)
 should be `dagx-test123.<region>.cloudapp.azure.com`.
 
 ## Re-using AKS credentials in kubernetes and helm
-After the AKS is deployed, we must obtain its credentials before we can deploy any kubernetes workloads. Normally we would do that by running 
+
+After the AKS is deployed, we must obtain its credentials before we can deploy any kubernetes workloads. Normally we
+would do that by running
 `az aks get-credentials -n <cluster-name> -g <resourcegroup>`.
 
-However, since both the AKS and Nifi get deployed in one command (i.e. `terraform apply`), there is no chance to obtain credentials manually. According to
-[this example from Hashicorp](https://github.com/hashicorp/terraform-provider-kubernetes/blob/main/_examples/aks/main.tf) it is good practice to deploy the AKS
-and the workload in two different Terraform _contexts_ (=modules), which in our case are named `aks-cluster` and `nifi-config`. Basically this deploys the AKS, stores the credentials in a 
-local file `kubeconfig` and the deploys Nifi re-using that config. 
+However, since both the AKS and Nifi get deployed in one command (i.e. `terraform apply`), there is no chance to obtain
+credentials manually. According to
+[this example from Hashicorp](https://github.com/hashicorp/terraform-provider-kubernetes/blob/main/_examples/aks/main.tf)
+it is good practice to deploy the AKS and the workload in two different Terraform _contexts_ (=modules), which in our
+case are named `aks-cluster` and `nifi-config`. Basically this deploys the AKS, stores the credentials in a local
+file `kubeconfig` and the deploys Nifi re-using that config. 
 

scripts/aks-cluster/main.tf

@@ -32,7 +32,7 @@ resource "azurerm_kubernetes_cluster" "default" {
   location            = var.location
   resource_group_name = azurerm_resource_group.clusterrg.name
   dns_prefix          = var.cluster_name
-
+  node_resource_group = "${var.cluster_name}-node-rg"
   default_node_pool {
     name               = "agentpool"
     node_count         = 2

scripts/atlas-deployment/main.tf

@@ -41,7 +41,7 @@ resource "tls_self_signed_cert" "atlas-ingress" {
 
 resource "kubernetes_namespace" "atlas" {
   metadata {
-    name = "${var.resourcesuffix}-atlas"
+    name = "${var.environment}-atlas"
   }
 }
 

scripts/atlas-deployment/variables.tf

@@ -16,7 +16,7 @@ variable "kubeconfig" {
   type = string
 }
 
-variable "resourcesuffix" {
+variable "environment" {
   type = string
 }
 

scripts/connector-deployment/main.tf

@@ -24,7 +24,7 @@ resource "tls_private_key" "connector-ingress-key" {
 
 resource "kubernetes_namespace" "connector" {
   metadata {
-    name = "${var.resourcesuffix}-cons"
+    name = "${var.environment}-cons"
   }
 }
 

scripts/connector-deployment/variables.tf

@@ -11,7 +11,7 @@ variable "kubeconfig" {
   type = string
 }
 
-variable "resourcesuffix" {
+variable "environment" {
   type = string
 }
 

scripts/main.tf

@@ -133,13 +133,13 @@ data "azurerm_kubernetes_cluster" "connector" {
 data "azurerm_client_config" "current" {}
 
 resource "azurerm_resource_group" "core-resourcegroup" {
-  name     = "${var.resourcesuffix}-resources"
+  name     = "${var.environment}-resources"
   location = var.location
 }
 
 # App registration for the primary identity
 resource "azuread_application" "dagx-terraform-app" {
-  display_name               = "PrimaryIdentity-${var.resourcesuffix}"
+  display_name               = "PrimaryIdentity-${var.environment}"
   available_to_other_tenants = false
 }
 
@@ -160,7 +160,7 @@ resource "azuread_service_principal" "dagx-terraform-app-sp" {
 
 # Keyvault
 resource "azurerm_key_vault" "dagx-terraform-vault" {
-  name                        = "dagx-${var.resourcesuffix}-vault"
+  name                        = "dagx-${var.environment}-vault"
   location                    = azurerm_resource_group.core-resourcegroup.location
   resource_group_name         = azurerm_resource_group.core-resourcegroup.name
   enabled_for_disk_encryption = false
@@ -259,7 +259,7 @@ resource "azurerm_container_group" "dagx-nifi" {
   name                = "dagx-nifi-continst"
   os_type             = "Linux"
   resource_group_name = azurerm_resource_group.core-resourcegroup.name
-  dns_name_label      = "${var.resourcesuffix}-dagx-nifi"
+  dns_name_label      = "${var.environment}-dagx-nifi"
   container {
     cpu    = 4
     image  = "ghcr.io/microsoft/data-appliance-gx/nifi:latest"
@@ -303,15 +303,15 @@ module "atlas-cluster" {
   source       = "./aks-cluster"
   cluster_name = local.cluster_name_atlas
   location     = var.location
-  dnsPrefix    = "${var.resourcesuffix}-dagx-atlas"
+  dnsPrefix    = "${var.environment}-dagx-atlas"
 }
 module "atlas-deployment" {
   depends_on = [
   module.atlas-cluster]
   source         = "./atlas-deployment"
   cluster_name   = local.cluster_name_atlas
   kubeconfig     = data.azurerm_kubernetes_cluster.atlas.kube_config_raw
-  resourcesuffix = var.resourcesuffix
+  environment = var.environment
   tenant_id      = data.azurerm_client_config.current.tenant_id
   providers = {
     kubernetes = kubernetes.atlas
@@ -323,18 +323,18 @@ module "atlas-deployment" {
 module "connector-cluster" {
   source       = "./aks-cluster"
   cluster_name = local.cluster_name_connector
-  dnsPrefix    = "${var.resourcesuffix}-connector"
+  dnsPrefix    = "${var.environment}-connector"
   location     = var.location
 }
 
 module "connector-deployment" {
   depends_on = [
   module.connector-cluster]
-  source         = "./connector-deployment"
-  cluster_name   = local.cluster_name_connector
-  kubeconfig     = data.azurerm_kubernetes_cluster.connector.kube_config_raw
-  resourcesuffix = var.resourcesuffix
-  tenant_id      = data.azurerm_client_config.current.tenant_id
+  source       = "./connector-deployment"
+  cluster_name = local.cluster_name_connector
+  kubeconfig   = data.azurerm_kubernetes_cluster.connector.kube_config_raw
+  environment  = var.environment
+  tenant_id    = data.azurerm_client_config.current.tenant_id
   providers = {
     kubernetes = kubernetes.connector
     helm       = helm.connector

scripts/nifi-deployment/main.tf

@@ -13,7 +13,7 @@ terraform {
 
 resource "kubernetes_namespace" "nifi" {
   metadata {
-    name = "${var.resourcesuffix}-nifi"
+    name = "${var.environment}-nifi"
   }
 }
 
@@ -80,7 +80,7 @@ resource "kubernetes_ingress" "ingress-route" {
 
 # App registration for the loadbalancer
 resource "azuread_application" "dagx-terraform-nifi-app" {
-  display_name = "Dagx-${var.resourcesuffix}-Nifi"
+  display_name = "Dagx-${var.environment}-Nifi"
   available_to_other_tenants = false
   reply_urls = [
     "https://${var.public-ip.fqdn}/nifi-api/access/oidc/callback"]

scripts/nifi-deployment/variables.tf

@@ -16,7 +16,7 @@ variable "kubeconfig" {
   type = string
 }
 
-variable "resourcesuffix"{
+variable "environment"{
   type= string
 }