Merge pull request #30 from thomast1906/updates-may-2025

Updates may 2025

Author: thomast1906

.github/workflows/main.yml

@@ -13,38 +13,55 @@ jobs:
   terraform:
     name: Terrform-Deploy
     runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: "./2-Terraform-AZURE-Services-Creation/4-aks"
     permissions:
       contents: write
+      id-token: write  # Required for OIDC
+      
     env:
       ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
-      ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
       ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
       ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
+      ARM_USE_OIDC: true
       tf_resource_group_name: "thomasthorntoncloud"
       tf_storage_account_name: "thomasthorntontfstate"
       tf_state_container: "devopsthehardwaygithub"
       tf_state_key: "terraform.tfstate"
 
+
     steps:
     - name: Checkout Code
       uses: actions/checkout@v4
 
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v3
       with:
-        terraform_version: 1.9.6
+        terraform_version: 1.11.0
         terraform_wrapper: true
 
+    # Add in tutorial 6-Terarform-Docs
+    # - name: Render terraform docs and push changes back to PR
+    #   uses: terraform-docs/gh-actions@main
+    #   with:
+    #     working-dir: ./2-Terraform-AZURE-Services-Creation/1-acr, ./2-Terraform-AZURE-Services-Creation/2-vnet, ./2-Terraform-AZURE-Services-Creation/3-log-analytics, ./2-Terraform-AZURE-Services-Creation/4-aks
+    #     output-file: README.md
+    #     output-method: inject
+    #     git-push: "true"
 
     - name: Terraform Init
       run: terraform init
+      working-directory: ./2-Terraform-AZURE-Services-Creation/4-aks
+    
+    # Add in tutorial 5-Terraform-Static-Code-Analysis
+    # - name: tfsec
+    #   uses: aquasecurity/[email protected]
+    #   with:
+    #     tfsec_args: --soft-fail
+    #     github_token: ${{ github.token }}
 
     - name: Terraform Format
       if: github.event_name == 'pull_request'
       run: terraform fmt
+      working-directory: ./2-Terraform-AZURE-Services-Creation/4-aks
 
     - name: Auto Commit Changes
       uses: stefanzweifel/git-auto-commit-action@v5
@@ -56,9 +73,11 @@ jobs:
 
     - name: Terraform Plan
       run: terraform plan -no-color -input=false
+      working-directory: ./2-Terraform-AZURE-Services-Creation/4-aks
       env:
         DEPLOYMENT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
     - name: Terraform Apply
       if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request'
-      run: terraform apply -auto-approve -input=false
+      run: terraform apply -auto-approve -input=false
+      working-directory: ./2-Terraform-AZURE-Services-Creation/4-aks

1-Azure/1-Configure-Terraform-Remote-Storage.md

@@ -6,7 +6,8 @@ In this lab, you'll create a secure location to store the remote Terraform State
 ## 🛠️ Create Blob Storage for Terraform State File
 
 ### Prerequisites
-- [ ] Azure CLI installed and configured
+- [ ] Azure CLI installed and configured (`az login` executed)
+- [ ] Contributor permissions on your Azure subscription
 - [ ] Basic understanding of Azure Storage concepts
 
 ### Steps
@@ -27,14 +28,18 @@ In this lab, you'll create a secure location to store the remote Terraform State
    - Run the following command in your terminal:
 
      ```bash
-     ./scripts/create-terraform-storage.sh
+     ./scripts/1-create-terraform-storage.sh
      ```
 
 3. **What's Happening Behind the Scenes?**
    The script performs these actions:
-   - [ ] Creates an Azure Resource Group
-   - [ ] Sets up an Azure Storage Account
+   - [ ] Creates an Azure Resource Group with appropriate tags
+   - [ ] Sets up an Azure Storage Account with enhanced security settings:
+     - Encryption enabled for blob storage
+     - TLS 1.2 enforced
+     - Public access to blobs disabled
    - [ ] Establishes an Azure Blob storage container
+   - [ ] Outputs configuration for your Terraform backend
 
 ## 🔍 Verification
 To ensure everything was set up correctly:
@@ -54,4 +59,17 @@ After running the script, try to answer these questions:
 3. How would you access this state file in your Terraform configurations?
 
 ## 💡 Pro Tip
-Consider setting up access policies and encryption for your storage account to enhance security. Azure provides several options for this, including Azure AD authentication and Azure Key Vault integration.
+Consider implementing these additional security measures for production environments:
+1. Enable soft delete and versioning for your blob storage to protect against accidental deletion
+2. Set up a resource lock to prevent accidental deletion of the storage account
+3. Use Managed Identities instead of storage account keys for authentication
+4. Configure network rules to restrict access to specific networks
+5. Set up Azure Key Vault to store sensitive backend configuration
+
+Example of adding a resource lock:
+```bash
+az lock create --name LockTerraformStorage --lock-type CanNotDelete \
+  --resource-group devopshardway-rg \
+  --resource-name devopshardwaysa \
+  --resource-type Microsoft.Storage/storageAccounts
+```

1-Azure/2-Create-Azure-AD-Group-AKS-Admins.md

@@ -1,33 +1,41 @@
 # Create Azure AD Group for AKS Admins
 
 ## 🎯 Purpose
+
 In this lab, you'll create an Azure AD Group for AKS Admins. These "admins" will be the designated users who can access the AKS cluster using kubectl.
 
 ## 🛠️ Create Azure AD AKS Admin Group
 
 ### Prerequisites
-- [ ] Sufficient permissions to create Azure AD groups
 
+- [ ] Azure CLI installed and configured (`az login` executed)
+- [ ] Sufficient permissions to create Azure AD groups (e.g., Global Administrator or User Administrator role)
 
 ### Steps
 
 1. **Run the Script**
+
    Execute the following command in your terminal:
+
    ```bash
-   ./scripts/create-azure-ad-group.sh
+   ./scripts/2-create-azure-ad-group.sh
    ```
 2. What the Script Does
 
     The script performs these actions:
-    - [ ] Creates an Azure AD Group named `devopsthehardway-aks-group`
-    - [ ] Adds the current user (logged into Az CLI) to the `devopsthehardway-aks-group`
-    - [ ] Outputs the Azure AD Group ID
+
+   - [ ] Creates an Azure AD Group named `devopsthehardway-aks-group` with a descriptive purpose
+   - [ ] Adds the current user (logged into Az CLI) to the `devopsthehardway-aks-group`
+   - [ ] Outputs the Azure AD Group ID in a clear, formatted way for later use
 
 **Important Note**
-Make sure to note down the Azure AD Group ID displayed at the end of the script execution. You'll need this for AKS Terraform configurations later.
+
+Make sure to save the Azure AD Group ID displayed at the end of the script execution. You'll need this for AKS Terraform configurations in the following sections.
 
 ## 🔍 Verification
+
 To ensure the group was created successfully:
+
 1. Log into the [Azure Portal](https://portal.azure.com)
 2. Navigate to **Azure Active Directory > Groups**
 3. Search for `devopsthehardway-aks-group`
@@ -36,10 +44,28 @@ To ensure the group was created successfully:
 ![](images/azure-ad-group.png)
 
 ## 🧠 Knowledge Check
+
 After running the script, consider these questions:
+
 1. Why is it beneficial to use Azure AD groups for AKS admin access?
 2. How does this group-based access improve security compared to individual user access?
 3. In what ways might you further modify the AD group for different levels of access?
 
 ## 💡 Pro Tip
-Consider setting up multiple AD groups with different levels of access (e.g., read-only, developer, admin) to implement a more granular access control strategy for your AKS clusters.
+
+Consider implementing these best practices for production environments:
+
+1. Create multiple AD groups with different levels of access (e.g., read-only, developer, admin)
+2. Integrate with Privileged Identity Management (PIM) for just-in-time access
+3. Implement regular access reviews to ensure appropriate access
+4. Use Conditional Access policies to enforce multi-factor authentication
+
+Example of adding another user to the group:
+
+```bash
+# Get object ID of user to add
+USER_OBJECTID=$(az ad user show --id [email protected] --query id -o tsv)
+
+# Add user to the AKS admin group
+az ad group member add --group devopsthehardway-aks-group --member-id $USER_OBJECTID
+```

1-Azure/README.md

@@ -0,0 +1,35 @@
+# Azure Setup for DevOps The Hard Way
+
+## Overview
+This directory contains the foundational Azure setup needed for the DevOps The Hard Way - Azure project. These steps establish the core Azure resources that will be used throughout the tutorial.
+
+## Labs in this Section
+
+### [1. Configure Terraform Remote Storage](./1-Configure-Terraform-Remote-Storage.md)
+Set up an Azure Storage Account to securely store your Terraform state files, which is essential for team collaboration and state management.
+
+### [2. Create Azure AD Group for AKS Admins](./2-Create-Azure-AD-Group-AKS-Admins.md)
+Create an Azure Active Directory group to manage administrative access to your Kubernetes clusters with proper RBAC controls.
+
+## Scripts
+
+The `scripts` directory contains shell scripts that automate the setup process:
+
+- [`create-terraform-storage.sh`](./scripts/create-terraform-storage.sh): Creates a resource group, storage account, and blob container for Terraform state
+- [`create-azure-ad-group.sh`](./scripts/create-azure-ad-group.sh): Creates an Azure AD Group for AKS administrators
+
+## Pre-requisites
+
+Before starting these labs, ensure you have:
+
+1. An Azure account with appropriate permissions
+2. Azure CLI installed and configured (`az login`)
+3. Basic familiarity with Azure services and Terraform concepts
+
+## Best Practices Applied
+
+- Resource naming conventions
+- Security-enhanced storage configuration
+- RBAC-based access control
+- Infrastructure as Code for reproducibility
+- Proper error handling in scripts

1-Azure/scripts/1-create-terraform-storage.sh

@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Configuration
+RESOURCE_GROUP_NAME="devopshardway-rg"
+STORAGE_ACCOUNT_NAME="devopshardwaysa"
+LOCATION="uksouth"
+CONTAINER_NAME="tfstate"
+
+# Error handling function
+handle_error() {
+    echo "ERROR: $1"
+    exit 1
+}
+
+# Verify Azure CLI is installed and user is logged in
+if ! command -v az &> /dev/null; then
+    handle_error "Azure CLI is not installed. Please install it first: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli"
+fi
+
+# Check if user is logged in
+echo "Verifying Azure CLI login status..."
+az account show &> /dev/null || handle_error "You are not logged in to Azure CLI. Please run 'az login' first."
+
+# Check if Resource Group exists
+echo "Checking if resource group $RESOURCE_GROUP_NAME exists..."
+RESOURCE_GROUP_EXISTS=$(az group exists --name $RESOURCE_GROUP_NAME)
+
+if [ "$RESOURCE_GROUP_EXISTS" = "true" ]; then
+  echo "Resource group $RESOURCE_GROUP_NAME already exists."
+else
+  # Create Resource Group
+  echo "Creating resource group $RESOURCE_GROUP_NAME in $LOCATION..."
+  az group create -l $LOCATION -n $RESOURCE_GROUP_NAME --tags "Purpose=azure-devops-hardway" || handle_error "Failed to create resource group"
+fi
+
+# Check if Storage Account exists
+echo "Checking if storage account $STORAGE_ACCOUNT_NAME exists..."
+STORAGE_ACCOUNT_EXISTS=$(az storage account check-name --name $STORAGE_ACCOUNT_NAME --query 'nameAvailable' --output tsv)
+
+if [ "$STORAGE_ACCOUNT_EXISTS" = "false" ]; then
+  echo "Storage account $STORAGE_ACCOUNT_NAME is already created in resource group $RESOURCE_GROUP_NAME."
+else
+  # Create Storage Account with improved security settings
+  echo "Creating storage account $STORAGE_ACCOUNT_NAME..."
+  az storage account create \
+    -n $STORAGE_ACCOUNT_NAME \
+    -g $RESOURCE_GROUP_NAME \
+    -l $LOCATION \
+    --sku Standard_LRS \
+    --encryption-services blob \
+    --min-tls-version TLS1_2 \
+    --allow-blob-public-access false \
+    --tags "Purpose=azure-devops-hardway" || handle_error "Failed to create storage account"
+
+  # Create Storage Account blob container
+  echo "Creating blob container $CONTAINER_NAME..."
+  az storage container create \
+    --name $CONTAINER_NAME \
+    --account-name $STORAGE_ACCOUNT_NAME \
+    --auth-mode login || handle_error "Failed to create blob container"
+
+  # Output the access key (in a real environment, consider using managed identities instead)
+  echo "Retrieving storage account key..."
+  ACCOUNT_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query '[0].value' -o tsv)
+  
+  echo "Configuration for terraform backend:"
+  echo "terraform {"
+  echo "  backend \"azurerm\" {"
+  echo "    resource_group_name  = \"$RESOURCE_GROUP_NAME\""
+  echo "    storage_account_name = \"$STORAGE_ACCOUNT_NAME\""
+  echo "    container_name       = \"$CONTAINER_NAME\""
+  echo "    key                  = \"terraform.tfstate\""
+  echo "  }"
+  echo "}"
+  
+  echo "Setup complete!"
+fi

1-Azure/scripts/2-create-azure-ad-group.sh

@@ -0,0 +1,58 @@
+#!/bin/sh
+
+# Configuration
+AZURE_AD_GROUP_NAME="devopsthehardway-aks-group"
+
+# Error handling function
+handle_error() {
+    echo "ERROR: $1"
+    exit 1
+}
+
+# Verify Azure CLI is installed and user is logged in
+if ! command -v az &> /dev/null; then
+    handle_error "Azure CLI is not installed. Please install it first: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli"
+fi
+
+# Check if user is logged in
+echo "Verifying Azure CLI login status..."
+az account show &> /dev/null || handle_error "You are not logged in to Azure CLI. Please run 'az login' first."
+
+echo "Retrieving current user Object ID..."
+CURRENT_USER_OBJECTID=$(az ad signed-in-user show --query id -o tsv) || handle_error "Failed to retrieve current user Object ID"
+
+# Check if Azure AD Group exists
+echo "Checking if Azure AD Group $AZURE_AD_GROUP_NAME exists..."
+GROUP_EXISTS=$(az ad group list --filter "displayName eq '$AZURE_AD_GROUP_NAME'" --query "[].displayName" -o tsv)
+
+if [ "$GROUP_EXISTS" = "$AZURE_AD_GROUP_NAME" ]; then
+  echo "Azure AD group $AZURE_AD_GROUP_NAME already exists."
+else
+  # Create Azure AD Group with description
+  echo "Creating Azure AD group $AZURE_AD_GROUP_NAME..."
+  az ad group create \
+    --display-name $AZURE_AD_GROUP_NAME \
+    --mail-nickname $AZURE_AD_GROUP_NAME \
+    --description "Administrators for AKS clusters with full kubectl access" || handle_error "Failed to create Azure AD group"
+fi
+
+# Check if Current User is already a member of the Azure AD Group
+echo "Checking if current user is a member of $AZURE_AD_GROUP_NAME..."
+USER_IN_GROUP=$(az ad group member check --group $AZURE_AD_GROUP_NAME --member-id $CURRENT_USER_OBJECTID --query value -o tsv)
+
+if [ "$USER_IN_GROUP" = "true" ]; then
+  echo "Current user is already a member of the Azure AD group $AZURE_AD_GROUP_NAME."
+else
+  # Add Current az login user to Azure AD Group
+  echo "Adding current user to Azure AD group $AZURE_AD_GROUP_NAME..."
+  az ad group member add --group $AZURE_AD_GROUP_NAME --member-id $CURRENT_USER_OBJECTID || handle_error "Failed to add current user to Azure AD group"
+fi
+
+echo "Retrieving Azure AD Group ID..."
+AZURE_GROUP_ID=$(az ad group show --group $AZURE_AD_GROUP_NAME --query id -o tsv) || handle_error "Failed to retrieve Azure AD Group ID"
+
+echo "✅ Setup complete!"
+echo "==========================================================================="
+echo "  AZURE AD GROUP ID: $AZURE_GROUP_ID"
+echo "  You'll need this ID for AKS Terraform configurations"
+echo "==========================================================================="