Merge pull request #16 from thomast1906/updates-sept-2024

Updates sept 2024

Author: thomast1906

.github/workflows/main.yml

@@ -1,4 +1,4 @@
-name: CI
+name: Terrform-Deploy
 
 on:
   push:
@@ -10,14 +10,12 @@ on:
   workflow_dispatch:
 
 jobs:
-  terraform-fmt-check:
-    if: github.event_name == 'pull_request'
+  terraform:
+    name: Terrform-Deploy
+    runs-on: ubuntu-latest
     defaults:
       run:
-        working-directory: "./Terraform-AZURE-Services-Creation/AKS"
-    name: Terraform
-    environment: production
-    runs-on: ubuntu-latest
+        working-directory: "./2-Terraform-AZURE-Services-Creation/4-aks"
     permissions:
       contents: write
     env:
@@ -29,58 +27,38 @@ jobs:
       tf_storage_account_name: "thomasthorntontfstate"
       tf_state_container: "devopsthehardwaygithub"
       tf_state_key: "terraform.tfstate"
+
     steps:
     - name: Checkout Code
       uses: actions/checkout@v4
 
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v3
       with:
-        terraform_version: 1.7.4
+        terraform_version: 1.9.6
         terraform_wrapper: true
 
+
     - name: Terraform Init
-      id: init
       run: terraform init
-      env:
-        ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
-        ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
-        ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-        ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
-      working-directory: "./Terraform-AZURE-Services-Creation/AKS"
 
-    - name: Terraform Fmt
-      id: fmt
+    - name: Terraform Format
+      if: github.event_name == 'pull_request'
       run: terraform fmt
-      working-directory: "./Terraform-AZURE-Services-Creation/AKS"
 
     - name: Auto Commit Changes
       uses: stefanzweifel/git-auto-commit-action@v5
+      if: github.event_name == 'pull_request'
       with:
         commit_message: "Terraform fmt"
         file_pattern: "*.tf *.tfvars"
         commit_user_name: "github-actions[bot]"
 
-    - name: Terraform Plan  
-      id: plan
+    - name: Terraform Plan
       run: terraform plan -no-color -input=false
       env:
-        ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
-        ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
-        ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-        ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
         DEPLOYMENT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-      working-directory: "./Terraform-AZURE-Services-Creation/AKS"
-      continue-on-error: false
 
-    - name: Terraform Apply  
-      id: apply
-      run: terraform apply -auto-approve -input=false
-      if: github.ref == 'refs/heads/main'
-      env:
-        ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
-        ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
-        ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-        ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
-      working-directory: "./Terraform-AZURE-Services-Creation/AKS"
-      continue-on-error: false
+    - name: Terraform Apply
+      if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request'
+      run: terraform apply -auto-approve -input=false

1-Azure/1-Configure-Terraform-Remote-Storage.md

@@ -0,0 +1,57 @@
+# Configure Storage Account for Terraform State File
+
+## 🎯 Purpose
+In this lab, you'll create a secure location to store the remote Terraform State file. This is crucial for maintaining consistency and collaboration in your infrastructure-as-code projects.
+
+## 🛠️ Create Blob Storage for Terraform State File
+
+### Prerequisites
+- [ ] Azure CLI installed and configured
+- [ ] Basic understanding of Azure Storage concepts
+
+### Steps
+
+1. **Customise Variables**
+   - Open the [create-terraform-storage.sh](https://github.com/thomast1906/DevOps-The-Hard-Way-Azure/blob/main/1-Azure/scripts/create-terraform-storage.sh) script.
+   - Locate the following lines:
+   
+     ```bash
+      RESOURCE_GROUP_NAME="devopshardway-rg"
+      STORAGE_ACCOUNT_NAME="devopshardwaysa"
+     ```
+
+   - Replace the placeholders with your desired names.
+
+2. **Run the Script**
+
+   - Run the following command in your terminal:
+
+     ```bash
+     ./scripts/create-terraform-storage.sh
+     ```
+
+3. **What's Happening Behind the Scenes?**
+   The script performs these actions:
+   - [ ] Creates an Azure Resource Group
+   - [ ] Sets up an Azure Storage Account
+   - [ ] Establishes an Azure Blob storage container
+
+## 🔍 Verification
+To ensure everything was set up correctly:
+
+1. Log into the [Azure Portal](https://portal.azure.com).
+2. Navigate to your newly created Resource Group.
+3. Verify the presence of the Storage Account.
+4. Within the Storage Account, check for the Blob container.
+5. It should look similar to this:
+
+![](images/storage-account.png)
+
+## 🧠 Knowledge Check
+After running the script, try to answer these questions:
+1. Why is it important to use remote state storage for Terraform?
+2. What are the benefits of using Azure Blob Storage for this purpose?
+3. How would you access this state file in your Terraform configurations?
+
+## 💡 Pro Tip
+Consider setting up access policies and encryption for your storage account to enhance security. Azure provides several options for this, including Azure AD authentication and Azure Key Vault integration.

1-Azure/2-Create-Azure-AD-Group-AKS-Admins.md

@@ -0,0 +1,45 @@
+# Create Azure AD Group for AKS Admins
+
+## 🎯 Purpose
+In this lab, you'll create an Azure AD Group for AKS Admins. These "admins" will be the designated users who can access the AKS cluster using kubectl.
+
+## 🛠️ Create Azure AD AKS Admin Group
+
+### Prerequisites
+- [ ] Sufficient permissions to create Azure AD groups
+
+
+### Steps
+
+1. **Run the Script**
+   Execute the following command in your terminal:
+   ```bash
+   ./scripts/create-azure-ad-group.sh
+   ```
+2. What the Script Does
+
+    The script performs these actions:
+    - [ ] Creates an Azure AD Group named `devopsthehardway-aks-group`
+    - [ ] Adds the current user (logged into Az CLI) to the `devopsthehardway-aks-group`
+    - [ ] Outputs the Azure AD Group ID
+
+**Important Note**
+Make sure to note down the Azure AD Group ID displayed at the end of the script execution. You'll need this for AKS Terraform configurations later.
+
+## 🔍 Verification
+To ensure the group was created successfully:
+1. Log into the [Azure Portal](https://portal.azure.com)
+2. Navigate to **Azure Active Directory > Groups**
+3. Search for `devopsthehardway-aks-group`
+4. Verify that your user account is listed as a member:
+
+![](images/azure-ad-group.png)
+
+## 🧠 Knowledge Check
+After running the script, consider these questions:
+1. Why is it beneficial to use Azure AD groups for AKS admin access?
+2. How does this group-based access improve security compared to individual user access?
+3. In what ways might you further modify the AD group for different levels of access?
+
+## 💡 Pro Tip
+Consider setting up multiple AD groups with different levels of access (e.g., read-only, developer, admin) to implement a more granular access control strategy for your AKS clusters.

1-Azure/images/azure-ad-group.png

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+AZURE_AD_GROUP_NAME="devopsthehardway-aks-group"
+CURRENT_USER_OBJECTID=$(az ad signed-in-user show --query id -o tsv)
+
+# Check if Azure AD Group exists
+GROUP_EXISTS=$(az ad group list --filter "displayName eq '$AZURE_AD_GROUP_NAME'" --query "[].displayName" -o tsv)
+
+if [ "$GROUP_EXISTS" = "$AZURE_AD_GROUP_NAME" ]; then
+  echo "Azure AD group $AZURE_AD_GROUP_NAME already exists."
+else
+  # Create Azure AD Group
+  az ad group create --display-name $AZURE_AD_GROUP_NAME --mail-nickname $AZURE_AD_GROUP_NAME
+fi
+
+# Check if Current User is already a member of the Azure AD Group
+USER_IN_GROUP=$(az ad group member check --group $AZURE_AD_GROUP_NAME --member-id $CURRENT_USER_OBJECTID --query value -o tsv)
+
+if [ "$USER_IN_GROUP" = "true" ]; then
+  echo "Current user is already a member of the Azure AD group $AZURE_AD_GROUP_NAME."
+else
+  # Add Current az login user to Azure AD Group
+  az ad group member add --group $AZURE_AD_GROUP_NAME --member-id $CURRENT_USER_OBJECTID
+fi
+
+AZURE_GROUP_ID=$(az ad group show --group $AZURE_AD_GROUP_NAME --query id -o tsv)
+
+echo "AZURE AD GROUP ID IS: $AZURE_GROUP_ID"

1-Azure/images/storage-account.png

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+RESOURCE_GROUP_NAME="devopshardway-rg"
+STORAGE_ACCOUNT_NAME="devopshardwaysa"
+
+# Check if Resource Group exists
+RESOURCE_GROUP_EXISTS=$(az group exists --name $RESOURCE_GROUP_NAME)
+
+if [ "$RESOURCE_GROUP_EXISTS" = "true" ]; then
+  echo "Resource group $RESOURCE_GROUP_NAME already exists."
+else
+  # Create Resource Group
+  az group create -l uksouth -n $RESOURCE_GROUP_NAME
+fi
+
+# Check if Storage Account exists
+STORAGE_ACCOUNT_EXISTS=$(az storage account check-name --name $STORAGE_ACCOUNT_NAME --query 'nameAvailable' --output tsv)
+
+if [ "$STORAGE_ACCOUNT_EXISTS" = "false" ]; then
+  echo "Storage account $STORAGE_ACCOUNT_NAME is already created in resource group $RESOURCE_GROUP_NAME."
+else
+  # Create Storage Account
+  az storage account create -n $STORAGE_ACCOUNT_NAME -g $RESOURCE_GROUP_NAME -l uksouth --sku Standard_LRS
+
+  # Create Storage Account blob
+  az storage container create --name tfstate --account-name $STORAGE_ACCOUNT_NAME
+fi

1-Azure/scripts/create-azure-ad-group.sh

@@ -0,0 +1,51 @@
+# Create an Azure Container Registry Repository
+
+## 🎯 Purpose
+In this lab, you'll create a repository in Azure Container Registry (ACR) to store the Docker image for the thomasthornton.cloud app.
+
+## 🛠️ Create the ACR Terraform Configuration
+
+### Prerequisites
+- [ ] Terraform installed
+- [ ] Basic understanding of Terraform and ACR concepts
+
+## Steps
+
+1. **Review and Change Terraform .tfvars**
+   - Open the [terraform.tfvars](https://github.com/thomast1906/DevOps-The-Hard-Way-Azure/tree/main/2-Terraform-AZURE-Services-Creation/1-acr/terraform.tfvars) file.
+   - Ensure all values are accurate for your environment and unique.
+
+2. **Understand the Terraform Configuration**
+   Review the [ACR Terraform configuration](https://github.com/thomast1906/DevOps-The-Hard-Way-Azure/tree/main/2-Terraform-AZURE-Services-Creation/1-acr). The `acr.tf` file will:
+   - [ ] Use a Terraform backend to store the `.tfstate` in an Azure Storage Account
+   - [ ] Use the `uksouth` region (can change if desired)
+   - [ ] Create a new Resource Group using `azurerm_resource_group`
+   - [ ] Create a new ACR using `azurerm_container_registry`
+
+3. **Create the ACR**
+   Run the following commands in your terminal:
+   ```bash
+   terraform init
+   terraform plan
+   terraform apply
+
+## 🔍 Verification
+To ensure the ACR was created successfully:
+1. Log into the [Azure Portal](https://portal.azure.com)
+2. Navigate to ACR in the [Azure Portal](https://portal.azure.com/#browse/Microsoft.ContainerRegistry%2Fregistries)
+3. Look for your newly created ACR
+4. Verify its properties match your Terraform configuration
+
+Example screenshot of the Terraform apply command:
+
+![](images/acr.png)
+
+## 🧠 Knowledge Check
+After creating the ACR, consider these questions:
+
+1. Why is it beneficial to use Terraform for creating cloud resources like ACR?
+2. How does storing the Terraform state in Azure Storage Account help in team environments?
+3. What are the advantages of using ACR over other container registry options?
+
+## 💡 Pro Tip
+Consider setting up replication for your ACR to improve pull performance in different regions. You can add this to your Terraform configuration for automated setup.

1-Azure/scripts/create-terraform-storage.sh

@@ -1,17 +1,3 @@
-terraform {
-  required_version = ">= 1.5.7"
-  backend "azurerm" {
-    resource_group_name  = "devopshardway-rg"
-    storage_account_name = "devopshardwaysa"
-    container_name       = "tfstate"
-    key                  = "acr-terraform.tfstate"
-  }
-}
-
-provider "azurerm" {
-  features {}
-}
-
 resource "azurerm_resource_group" "acr_resource_group" {
   name     = "${var.name}-rg"
   location = var.location
@@ -21,7 +7,7 @@ resource "azurerm_resource_group" "acr_resource_group" {
 }
 
 resource "azurerm_container_registry" "acr" {
-  name                = "${var.name}tamopsacracr"
+  name                = "${var.name}azurecr"
   resource_group_name = azurerm_resource_group.acr_resource_group.name
   location            = azurerm_resource_group.acr_resource_group.location
   sku                 = "Standard"

2-Terraform-AZURE-Services-Creation/1-Create-ACR.md

@@ -0,0 +1,22 @@
+terraform {
+  required_version = ">= 1.9.6"
+  backend "azurerm" {
+    resource_group_name  = "devopshardway-rg"
+    storage_account_name = "devopshardwaysa"
+    container_name       = "tfstate"
+    key                  = "acr-terraform.tfstate"
+  }
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 4.3.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+  subscription_id = "04109105-f3ca-44ac-a3a7-66b4936112c3"
+
+}