This project automates the deployment and management of Azure Kubernetes Service (AKS) infrastructure using Terraform, with CI/CD pipelines powered primarily by GitHub Actions and optionally by Azure DevOps. The infrastructure is defined using modular Terraform code and supports multiple environments such as Dev and Stage, each maintaining its own Terraform state file stored securely in Azure Storage. Upon code commits to Git, GitHub Actions are triggered to run Terraform commands (init, plan, and apply) to provision or update resources. Authentication to Azure is handled through a Service Principal registered in Microsoft Entra ID, which is granted the Contributor role at the subscription level, ensuring secure access to create and manage resources. A Resource Group is provisioned to contain AKS clusters and Azure Key Vaults, with the AKS cluster managing secure interactions with the vault. Destructive actions like terraform destroy are restricted from DevOps users to prevent accidental deletions. While GitHub Actions is the primary automation tool, Azure DevOps is also integrated as an alternative pipeline option for infrastructure deployment.
Get your Azure infrastructure running in minutes with these automated GitHub Actions workflows.

- Clone this repository
- Configure Azure Service Principal credentials
- Add Azure secrets to GitHub (5 secrets)
- Push to the main branch to auto-deploy to development

Complete Setup Guide | Contributing
- Production-ready AKS clusters with best practices
- Automated CI/CD with GitHub Actions
- Multi-environment support (development/staging/production)
- Secure secret management with Azure Key Vault
- Infrastructure validation and testing
- Automated deployments with rollback capabilities
- Safe destroy workflows with confirmation gates
- Enterprise-grade project structure and documentation
```mermaid
graph TB
    A[GitHub Repository] --> B[GitHub Actions]
    B --> C[Azure Service Principal]
    C --> D[Terraform State Storage]
    C --> E[Development Environment]
    C --> F[Staging Environment]
    C --> G[Production Environment]
    E --> H[AKS Cluster]
    E --> I[Key Vault]
    E --> J[Service Principal]
    F --> K[AKS Cluster]
    F --> L[Key Vault]
    F --> M[Service Principal]
    G --> N[AKS Cluster]
    G --> O[Key Vault]
    G --> P[Service Principal]
```
```text
.
├── .github/workflows/          # GitHub Actions CI/CD workflows
│   ├── terraform-deploy.yml    # Main deployment workflow
│   └── terraform-destroy.yml   # Infrastructure destruction workflow
├── .vscode/                    # VS Code workspace configuration
├── docs/                       # Documentation and diagrams
│   ├── architecture.png        # Infrastructure architecture
│   └── infrastructure.md       # Infrastructure details
├── infrastructure/             # Main Terraform infrastructure code
│   ├── environments/           # Environment-specific configurations
│   │   ├── development/        # Development environment
│   │   ├── staging/            # Staging environment
│   │   └── production/         # Production environment
│   ├── modules/                # Reusable Terraform modules
│   │   ├── aks/                # Kubernetes cluster module
│   │   ├── keyvault/           # Secret management module
│   │   └── ServicePrincipal/   # Authentication module
│   ├── shared/                 # Shared configurations
│   └── README.md               # Infrastructure documentation
├── legacy/                     # Legacy Azure DevOps pipelines
├── scripts/                    # Setup and utility scripts
│   ├── setup-azure-sp.sh       # Service Principal setup (Bash)
│   └── setup-azure-sp.ps1      # Service Principal setup (PowerShell)
├── GITHUB_ACTIONS_SETUP.md     # Complete setup guide
├── CONTRIBUTING.md             # Contribution guidelines
├── SECURITY.md                 # Security policy
├── CHANGELOG.md                # Version history
└── README.md                   # This file
```
My project deploys a complete Azure infrastructure including:
- Resource Groups: Organized environment separation
- Storage Account: Terraform state backend with encryption
- Service Principals: Secure authentication for applications
- Azure Kubernetes Service (AKS): Managed Kubernetes clusters with best practices
- Node Pools: Auto-scaling compute resources
- RBAC Integration: Secure access controls
- Network Policies: Secure pod-to-pod communication
- Azure Key Vault: Centralized secret management
- Service Principal Authentication: Secure application access
- Role-Based Access Control: Least privilege principles
- TLS/SSL Certificates: Automated certificate management
| Environment | Resource Group | Purpose | Auto-Deploy | Location |
|---|---|---|---|---|
| Shared | terraform-state-rg | Terraform state storage | Always | infrastructure/shared/ |
| Development | dev-peter-rg | Development workloads | On main push | infrastructure/environments/development/ |
| Staging | stage-peter-rg | Pre-production testing | Manual approval | infrastructure/environments/staging/ |
| Production | prod-peter-rg | Production workloads | Protected branch | infrastructure/environments/production/ |
- Azure subscription (Get free account)
- GitHub account
- Basic understanding of Terraform and Azure
- Azure CLI installed (optional, for local development)
```bash
git clone https://github.com/YOUR_USERNAME/gitactions-terraform.git
cd gitactions-terraform
```

```bash
# Run the setup script
./scripts/setup-azure-sp.sh
# Or use the PowerShell version
./scripts/setup-azure-sp.ps1
```

Add these 5 secrets to your GitHub repository settings:

- `AZURE_CLIENT_ID`
- `AZURE_CLIENT_SECRET`
- `AZURE_SUBSCRIPTION_ID`
- `AZURE_TENANT_ID`
- `AZURE_BACKEND_STORAGE_ACCOUNT`

```bash
# Push to main branch triggers automatic deployment
git add .
git commit -m "feat: initial infrastructure deployment"
git push origin main
```

- Development: Auto-deploys on push to main
- Staging: Manual approval required
- Production: Protected branch workflow
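How those five secrets reach Terraform, as an added illustration rather than one of the repository's own files: the azurerm provider and backend read their credentials from `ARM_*` environment variables, so the workflow exports the four identity secrets under those names and passes the storage account name at `init` time. The file name, container name, state key and workflow step shown are assumptions.

```hcl
# infrastructure/environments/development/backend.tf (assumed file name; illustrative)
terraform {
  required_version = ">= 1.5"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }

  # Remote state in the shared storage account. Credentials are deliberately
  # absent: the backend reads ARM_CLIENT_ID, ARM_CLIENT_SECRET,
  # ARM_SUBSCRIPTION_ID and ARM_TENANT_ID from the environment, and the
  # storage account name is supplied at init time so it never lands in git.
  backend "azurerm" {
    resource_group_name = "terraform-state-rg"
    container_name      = "tfstate"             # assumed container name
    key                 = "development.tfstate" # one state file per environment
  }
}

provider "azurerm" {
  features {}
  # Authenticates with the same ARM_* variables; nothing is hard-coded here either.
}

# In the workflow (assumed step), the GitHub secrets are mapped like this:
#   env:
#     ARM_CLIENT_ID:       ${{ secrets.AZURE_CLIENT_ID }}
#     ARM_CLIENT_SECRET:   ${{ secrets.AZURE_CLIENT_SECRET }}
#     ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
#     ARM_TENANT_ID:       ${{ secrets.AZURE_TENANT_ID }}
#   run: |
#     terraform -chdir=infrastructure/environments/development init \
#       -backend-config="storage_account_name=${{ secrets.AZURE_BACKEND_STORAGE_ACCOUNT }}"
```

Because the Service Principal holds Contributor on the subscription, the backend can list the storage account key through ARM and needs no extra data-plane role for state access; the secret itself is only ever visible to the runner's environment.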
- Plan: Create execution plan for review
- Apply: Deploy infrastructure changes
- Destroy: Safely tear down infrastructure
- Terraform v1.5+ - Infrastructure provisioning and management
- Azure Provider v3.0+ - Azure resource management
- GitHub Actions - CI/CD automation and workflows
- Azure Kubernetes Service (AKS) - Container orchestration
- Azure Key Vault - Secret and certificate management
- Azure Active Directory - Identity and access management
- Azure Storage - Terraform state backend
- Azure Resource Manager - Resource organization and governance
- VS Code - Development environment with Terraform extensions
- Azure CLI - Local development and debugging
- Git - Version control and collaboration
AKS module (production-ready Kubernetes cluster):

- Auto-scaling node pools
- Azure CNI networking
- Azure RBAC integration
- Monitoring and logging
- Security hardening

Key Vault module (centralized secret management):

- Certificate management
- Secret rotation policies
- Access policies and RBAC
- Network access restrictions
- Backup and recovery

Service Principal module (secure authentication):

- Application registration
- Role assignments
- Certificate-based auth
- Least privilege access
- Credential rotation

```bash
# Deploy to development
terraform -chdir=infrastructure/environments/development plan
terraform -chdir=infrastructure/environments/development apply

# Deploy to staging
terraform -chdir=infrastructure/environments/staging plan
terraform -chdir=infrastructure/environments/staging apply

# Deploy to production (requires approval)
terraform -chdir=infrastructure/environments/production plan
terraform -chdir=infrastructure/environments/production apply
```

```bash
# Destroy development environment
terraform -chdir=infrastructure/environments/development destroy

# Use GitHub Actions destroy workflow for production
gh workflow run terraform-destroy.yml -f environment=production
```

- Azure Monitor - Infrastructure and application metrics
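An added example of the least-privilege wiring between the AKS and Key Vault modules listed above (illustrative HCL, not the repository's modules; the resource names, the `location` and `resource_group_name` variables, and the use of the Secrets Store CSI provider identity are assumptions): the vault uses Azure RBAC instead of access policies, and only the cluster's secrets-provider identity receives the read-only Key Vault Secrets User role on that single vault.

```hcl
data "azurerm_client_config" "current" {}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-dev"               # assumed name
  location            = var.location            # assumed variable
  resource_group_name = var.resource_group_name # assumed variable
  dns_prefix          = "aks-dev"

  default_node_pool {
    name                = "system"
    vm_size             = "Standard_D2s_v3"
    enable_auto_scaling = true
    min_count           = 1
    max_count           = 3
  }

  identity {
    type = "SystemAssigned"
  }

  # Azure Key Vault provider for the Secrets Store CSI driver. It gets its own
  # managed identity, which is the only principal given access to the vault.
  key_vault_secrets_provider {
    secret_rotation_enabled = true
  }
}

resource "azurerm_key_vault" "kv" {
  name                       = "kv-dev-example" # assumed; must be globally unique
  location                   = var.location
  resource_group_name        = var.resource_group_name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  enable_rbac_authorization  = true # Azure RBAC instead of legacy access policies
  purge_protection_enabled   = true # secrets survive accidental deletion
  soft_delete_retention_days = 7
}

# Read-only data-plane role, scoped to this one vault, for the CSI identity only.
# The deploying Service Principal's subscription-wide Contributor role is a
# control-plane role and does not by itself grant secret reads in RBAC mode.
resource "azurerm_role_assignment" "aks_secrets_reader" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_kubernetes_cluster.aks.key_vault_secrets_provider[0].secret_identity[0].object_id
}
```

Workloads then mount secrets through a SecretProviderClass rather than holding vault credentials themselves, so rotating a secret in the vault needs no change to the cluster's role assignments.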
- Log Analytics - Centralized logging and analysis
- Application Insights - Application performance monitoring
- Azure Alerts - Proactive issue detection
- Workflow Status - Real-time deployment tracking
- Resource Drift Detection - Configuration compliance
- Cost Tracking - Infrastructure cost monitoring
- Security Scanning - Vulnerability assessments
| Issue | Solution | Documentation |
|---|---|---|
| Authentication Failed | Check service principal credentials | Setup Guide |
| State Lock Conflicts | Release state lock manually | State Management |
| Resource Conflicts | Check resource naming conventions | Naming Guide |
| Permission Denied | Verify RBAC assignments | Security Guide |
- Infrastructure Documentation
- Security Best Practices
- Issue Templates
- Discussion Forum
- High Availability - Multi-zone AKS deployments
- Auto Scaling - Horizontal and vertical pod autoscaling
- Disaster Recovery - Cross-region backup strategies
- Security Hardening - CIS benchmarks and security policies
- Compliance Ready - SOC 2, ISO 27001 framework support
- GitOps Workflows - Infrastructure as code versioning
- Automated Testing - Infrastructure validation and testing
- Rollback Capabilities - Safe deployment rollback mechanisms
- Environment Parity - Consistent dev/staging/production environments
- Change Management - Structured approval processes
- Spot Instances - Cost-effective compute for development
- Auto-shutdown - Automatic resource cleanup
- Resource Tagging - Detailed cost allocation and tracking
- Right-sizing - Optimal resource sizing recommendations
- Cost Alerts - Proactive spending notifications
- Resource Quotas - Environment-specific resource limits
- Policy Enforcement - Automated compliance and governance
- GitHub Actions Setup - Complete CI/CD setup guide
- Infrastructure Guide - Technical infrastructure details
- Security Policy - Security best practices and policies
- Contributing - How to contribute to this project
I welcome contributions! Please see the Contributing Guide for details.
- Fork the repository
- Create a feature branch
- Make your changes
- Test thoroughly
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
Built with ❤️ by Peter for the DevOps community. This platform demonstrates enterprise-grade infrastructure automation best practices.
Ready to deploy enterprise Azure infrastructure? Start with the GitHub Actions Setup Guide!
