updates july 2025

Author: thomast1906

.github/workflows/main.yml

@@ -35,12 +35,12 @@ jobs:
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v3
       with:
-        terraform_version: 1.11.0
+        terraform_version: 1.9.8
         terraform_wrapper: true
 
     # Add in tutorial 6-Terarform-Docs
     # - name: Render terraform docs and push changes back to PR
-    #   uses: terraform-docs/gh-actions@main
+    #   uses: terraform-docs/gh-actions@v1.3.0
     #   with:
     #     working-dir: ./2-Terraform-AZURE-Services-Creation/1-acr, ./2-Terraform-AZURE-Services-Creation/2-vnet, ./2-Terraform-AZURE-Services-Creation/3-log-analytics, ./2-Terraform-AZURE-Services-Creation/4-aks
     #     output-file: README.md
@@ -53,7 +53,7 @@ jobs:
 
     # Add in tutorial 5-Terraform-Static-Code-Analysis
     # - name: tfsec
-    #   uses: aquasecurity/tfsec-pr-commenter-action@v1.2.0
+    #   uses: aquasecurity/tfsec-pr-commenter-action@v1.3.0
     #   with:
     #     tfsec_args: --soft-fail
     #     github_token: ${{ github.token }}
@@ -70,6 +70,7 @@ jobs:
         commit_message: "Terraform fmt"
         file_pattern: "*.tf *.tfvars"
         commit_user_name: "github-actions[bot]"
+        commit_user_email: "41898282+github-actions[bot]@users.noreply.github.com"
 
     - name: Terraform Plan
       run: terraform plan -no-color -input=false

2-Terraform-AZURE-Services-Creation/1-acr/providers.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11"
+  required_version = ">= 1.9.8"
   backend "azurerm" {
     resource_group_name  = "devopshardway-rg"
     storage_account_name = "devopshardwaysa"
@@ -10,7 +10,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 4.27.0"
+      version = ">= 4.28.0"
     }
   }
 }

2-Terraform-AZURE-Services-Creation/2-vnet/providers.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11"
+  required_version = ">= 1.9.8"
   backend "azurerm" {
     resource_group_name  = "devopshardway-rg"
     storage_account_name = "devopshardwaysa"
@@ -10,7 +10,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 4.27.0"
+      version = ">= 4.28.0"
     }
   }
 }

2-Terraform-AZURE-Services-Creation/3-log-analytics/providers.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11"
+  required_version = ">= 1.9.8"
   backend "azurerm" {
     resource_group_name  = "devopshardway-rg"
     storage_account_name = "devopshardwaysa"
@@ -10,7 +10,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 4.27.0"
+      version = ">= 4.28.0"
     }
   }
 }

2-Terraform-AZURE-Services-Creation/4-Create-AKS-Cluster-IAM-Roles.md

@@ -19,8 +19,12 @@ In this lab, you'll create an Azure Kubernetes Service (AKS) cluster and set up
    Review the [AKS Terraform configuration](https://github.com/thomast1906/DevOps-The-Hard-Way-Azure/tree/main/2-Terraform-AZURE-Services-Creation/4-aks). The configuration includes:
 
    **aks.tf:**
-   - [ ] Creates AKS Cluster using `azurerm_kubernetes_cluster`
-   - [ ] Sets up role assignments using `azurerm_role_assignment`
+   - [ ] Creates AKS Cluster using `azurerm_kubernetes_cluster` with Kubernetes 1.33
+   - [ ] Enables auto-scaling (min: 1, max: 5 nodes) for cost optimization
+   - [ ] Configures availability zones for high availability
+   - [ ] Sets up Azure RBAC and managed identity integration
+   - [ ] Enables automatic patch upgrade channel
+   - [ ] Configures network policies for enhanced security
    - [ ] Uses the `uksouth` region (can change if desired)
 
    **managed_identity.tf:**
@@ -59,9 +63,26 @@ Example screenshot of created resources:
 
 After creating the AKS cluster and IAM roles, consider these questions:
 1. Why is it important to use managed identities with AKS?
-2. How does RBAC enhance the security of your AKS cluster?
+2. How does Azure RBAC enhance the security of your AKS cluster compared to basic RBAC?
 3. What are the benefits of using federated identity credentials?
-
-## 💡 Pro Tip
-
-Consider enabling Azure Policy for Kubernetes to enforce organisational standards and assess compliance at scale for your AKS clusters.
+4. How does auto-scaling help with cost optimization and performance?
+5. Why are availability zones important for production workloads?
+6. What security benefits do network policies provide?
+
+## 💡 Pro Tips
+
+1. **Migration from Existing Clusters**: If upgrading from a previous version of this tutorial:
+   - Kubernetes 1.33 requires a cluster upgrade procedure
+   - Azure RBAC is now enabled by default for enhanced security
+   - Auto-scaling may affect your cost structure but improves efficiency
+   - Network policies may require reviewing existing pod communication patterns
+
+2. **Security Best Practices**: 
+   - Enable Azure Policy for Kubernetes to enforce organisational standards and assess compliance at scale
+   - Regularly review and audit RBAC permissions
+   - Monitor cluster logs through the integrated Log Analytics workspace
+
+3. **Cost Optimization**:
+   - Auto-scaling will automatically adjust node count based on demand
+   - Use spot instances for non-critical workloads to reduce costs
+   - Monitor resource usage through Azure Monitor

2-Terraform-AZURE-Services-Creation/4-aks/aks.tf

@@ -7,6 +7,8 @@ resource "azurerm_kubernetes_cluster" "k8s" {
   oidc_issuer_enabled       = true
   workload_identity_enabled = true
   node_resource_group       = "${var.name}-node-rg"
+  automatic_upgrade_channel = "patch"
+  local_account_disabled    = false
 
   linux_profile {
     admin_username = "ubuntu"
@@ -17,12 +19,18 @@ resource "azurerm_kubernetes_cluster" "k8s" {
   }
 
   default_node_pool {
-    name                 = "agentpool"
-    node_count           = var.agent_count
-    vm_size              = var.vm_size
-    vnet_subnet_id       = data.azurerm_subnet.akssubnet.id
-    type                 = "VirtualMachineScaleSets"
-    orchestrator_version = var.kubernetes_version
+    name                   = "agentpool"
+    node_count             = var.agent_count
+    vm_size                = var.vm_size
+    vnet_subnet_id         = data.azurerm_subnet.akssubnet.id
+    type                   = "VirtualMachineScaleSets"
+    orchestrator_version   = var.kubernetes_version
+    auto_scaling_enabled   = true
+    min_count              = 1
+    max_count              = 5
+    max_pods               = 110
+    os_disk_size_gb        = 30
+    zones                  = ["1", "2", "3"]
   }
 
   identity {
@@ -36,10 +44,13 @@ resource "azurerm_kubernetes_cluster" "k8s" {
   network_profile {
     load_balancer_sku = "standard"
     network_plugin    = "azure"
+    network_policy    = "azure"
+    dns_service_ip    = "10.2.0.10"
+    service_cidr      = "10.2.0.0/24"
   }
 
   azure_active_directory_role_based_access_control {
-    azure_rbac_enabled     = false
+    azure_rbac_enabled     = true
     admin_group_object_ids = [var.aks_admins_group_object_id]
   }
 

2-Terraform-AZURE-Services-Creation/4-aks/providers.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11"
+  required_version = ">= 1.9.8"
   backend "azurerm" {
     resource_group_name  = "devopshardway-rg"
     storage_account_name = "devopshardwaysa"
@@ -10,7 +10,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 4.27.0"
+      version = ">= 4.28.0"
     }
   }
 }

2-Terraform-AZURE-Services-Creation/4-aks/terraform.tfvars

@@ -1,7 +1,7 @@
 name     = "devopsthehardway"
 location = "uksouth"
 
-kubernetes_version         = "1.32"
+kubernetes_version         = "1.33"
 agent_count                = 3
 vm_size                    = "Standard_DS2_v2"
 ssh_public_key             = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDrt/GYkYpuQYRxM3lgjOr3Wqx8g5nQIbrg6Mr53wZGb35+ft+PibDMqxXZ7xq7fC3YuLnnO022IPgEjkF9fP03ZmfUeLjJJvw8YcutN9DD/2cx93BpKFPNUsqEB+za1iJ16kMsCojy35c1R64O+rw20D6iP96rmDAyIc5FR03y00eyAzQ8vo7/u9+VPwpdGEI7QCokZROcj6iNVz1V/1t6G4AEufPLokdj8J0gla/dN+tvnSLRQVBTDiD4jmVGImpWFqqKaH6R9SSXmRzj0uhvJUmSiZAZCb1caPEYgPEvNITuGQFdykPoY/4Z/3B+x/ipEQbWy8yL7bDFSXZTYhVKlPVyPbUtN5QFt7QtCtg84xDAZ6GA6AnONTtMxX2jvdzB9yh1ZsteNrOZ/Jo3ecuie573syQfG23Tu6qTqak8O7ZTOLY9iPx2ego3KvTWH/Q3lIvjnlpfCQtFtSgkNxjalMBk+NwwEgZHWRREOHwJmQIKVN0gSitN1KXobrqwxNk= tamops@Synth"

2-Terraform-AZURE-Services-Creation/README.md

@@ -34,7 +34,7 @@ Each component is organised in its own directory with a consistent structure:
 Before starting these labs, ensure you have:
 
 1. Completed the steps in the [1-Azure](../1-Azure) section
-2. Terraform installed (version 1.9.6 or higher)
+2. Terraform installed (version 1.9.8 or higher)
 3. Azure CLI installed and configured (`az login` executed)
 4. Basic familiarity with Terraform and Azure infrastructure concepts
 

3-Docker/1-Create-Docker-Image.md

@@ -20,9 +20,9 @@ In this lab, you'll create a Docker image to containerise the Thomasthornton.clo
 2. **Review the Dockerfile**
 
    Open the Dockerfile and note its key components:
-- [ ] Uses the latest Python image as base
-- [ ] Creates a `/build` directory for the app
-- [ ] Copies the `app` directory and `requirements.txt` into `/build`
+- [ ] Uses Python 3.13-slim image as base
+- [ ] Creates a `/app` directory for the application
+- [ ] Copies the `app` directory and `requirements.txt` into `/app`
 - [ ] Configures the container to run the app on startup
 
 3. **Build the Docker Image**