added new version of full tf

denniszielke · Apr 29, 2019 · 8847499 · 8847499
1 parent f08ac6d
commit 8847499
Show file tree

Hide file tree

Showing 10 changed files with 204 additions and 98 deletions.
diff --git a/Terraform.md b/Terraform.md
@@ -1,8 +1,12 @@
+# Terraform
 
+0. Variables
+```
 TERRAFORM_STORAGE_NAME=
 SUBSCRIPTION_ID=
 TERRAFORM_RG_NAME=terraform
 LOCATION=westeurope
+```
 
 1. Create a sp for terraform
 
@@ -25,11 +29,11 @@ az storage container create -n tfstate --account-name $TERRAFORM_STORAGE_NAME --
 
 3. run terraform
 ```
-./../terraform init -backend-config="storage_account_name=$TERRAFORM_STORAGE_NAME" -backend-config="container_name=tfstate" -backend-config="access_key=$TERRAFORM_STORAGE_KEY" -backend-config="key=codelab.microsoft.tfstate" 
+terraform init -backend-config="storage_account_name=$TERRAFORM_STORAGE_NAME" -backend-config="container_name=tfstate" -backend-config="access_key=$TERRAFORM_STORAGE_KEY" -backend-config="key=codelab.microsoft.tfstate" 
 ```
 ```
-./../terraform plan -out out.plan
+terraform plan -out out.plan
 ```
 ```
-./../terraform apply out.plan
+terraform apply out.plan
 ```
diff --git a/getmekube.sh b/getmekube.sh
@@ -17,8 +17,10 @@ VM_COUNT=3
 KUBE_TEMPLATE_FILE=$PWD/terraform/azurecni.tf
 SUBSCRIPTION_FILE=$CONFIG_PATH/variables_$subscription.tf
 VARIABLE_FILE=$CONFIG_PATH/variables_common.tf
-APP_FILE=$CONFIG_PATH/kubernetes.tf
-ACR_FILE=$CONFIG_PATH/containerregistry.tf
+HELM_FILE=$PWD/terraform/helm.tf
+NGINX_FILE=$PWD/terraform/nginx.tf
+ACR_FILE=$PWD/terraform/containerregistry.tf
+SP_FILE=$PWD/terraform/serviceprincipal.tf
 
 if [ "$subscription" == "" ]; then
 echo "Subscription [int], [dev], [nin]?: "
@@ -89,6 +91,12 @@ read -n 1 helm
 echo
 fi
 
+if [ "$nginx" == "" ]; then
+echo "Install nginx [y/n]?: "
+read -n 1 nginx
+echo
+fi
+
 if [ "$acr" == "" ]; then
 echo "deploy acr [y/n]?: "
 read -n 1 acr
@@ -148,9 +156,14 @@ fi
 
 cp $SUBSCRIPTION_FILE $OUTPUT_PATH/$TERRAFORM_STORAGE_NAME/variables.tf
 cp $KUBE_TEMPLATE_FILE $OUTPUT_PATH/$TERRAFORM_STORAGE_NAME
+cp $SP_FILE $OUTPUT_PATH/$TERRAFORM_STORAGE_NAME
 
 if [ "$helm" == "y" ]; then
-cp $APP_FILE $OUTPUT_PATH/$TERRAFORM_STORAGE_NAME
+cp $HELM_FILE $OUTPUT_PATH/$TERRAFORM_STORAGE_NAME
+fi
+
+if [ "$nginx" == "y" ]; then
+cp $NGINX_FILE $OUTPUT_PATH/$TERRAFORM_STORAGE_NAME
 fi
 
 if [ "$acr" == "y" ]; then

diff --git a/terraform/azurecni.tf b/terraform/azurecni.tf
@@ -3,8 +3,8 @@
 
 provider "azurerm" {
     subscription_id = "${var.subscription_id}"
-    client_id       = "${var.client_id}"
-    client_secret   = "${var.client_secret}"
+    # client_id       = "${var.terraform_client_id}"
+    # client_secret   = "${var.terraform_client_secret}"
     tenant_id       = "${var.tenant_id}"
 }
 
@@ -78,6 +78,15 @@ resource "azurerm_subnet" "aksnet" {
   virtual_network_name      = "${azurerm_virtual_network.kubevnet.name}"
 }
 
+# assign virtual machine contributor on subnet to aks sp
+resource "azurerm_role_assignment" "aksvnetrole" {
+  scope                = "${azurerm_virtual_network.kubevnet.id}"
+  role_definition_name = "Virtual Machine Contributor"
+  principal_id         = "${azuread_service_principal.aks_sp.id}"
+
+  depends_on = ["azurerm_subnet.aksnet"]
+}
+
 # https://www.terraform.io/docs/providers/azurerm/d/log_analytics_workspace.html
 resource "azurerm_log_analytics_workspace" "akslogs" {
   name                = "${var.dns_prefix}-lga"
@@ -138,8 +147,10 @@ resource "azurerm_kubernetes_cluster" "akstf" {
   }
 
   service_principal {
-    client_id     = "${var.aks_client_id}"
-    client_secret = "${var.aks_client_secret}"
+    client_id     = "${azuread_application.aks_app.application_id}"
+    client_secret = "${random_string.aks_sp_password.result}"
+    # client_id     = "${var.aks_client_id}"
+    # client_secret = "${var.aks_client_secret}"
   }
 
   addon_profile {
@@ -156,7 +167,7 @@ resource "azurerm_kubernetes_cluster" "akstf" {
     Policy = "calico"
   }
 
-  # depends_on = ["azurerm_azuread_service_principal.aks_sp"]
+  depends_on = ["azurerm_subnet.aksnet", "azuread_service_principal.aks_sp"]
 }
 
 # merge kubeconfig from the cluster

diff --git a/terraform/containerregistry.tf b/terraform/containerregistry.tf
@@ -1,10 +1,10 @@
 # https://www.terraform.io/docs/providers/azurerm/r/role_assignment.html
 resource "azurerm_role_assignment" "aksacrrole" {
-  scope                = "${data.azurerm_subscription.primary.id}"
+  scope                = "${azurerm_container_registry.aksacr.id}"
   role_definition_name = "Reader"
-  principal_id         = "${data.azurerm_client_config.test.service_principal_object_id}"
+  principal_id         = "${azuread_service_principal.aks_sp.id}"
 
-  depends_on = ["azurerm_kubernetes_cluster.akstf"]
+  depends_on = ["azuread_service_principal.aks_sp", "azurerm_container_registry.aksacr", "azurerm_subnet.aksnet"]
 }
 
 # https://www.terraform.io/docs/providers/azurerm/r/container_registry.html

diff --git a/terraform/helm.tf b/terraform/helm.tf
@@ -0,0 +1,48 @@
+# https://www.terraform.io/docs/providers/kubernetes/index.html
+
+provider "kubernetes" {
+  host                   = "${azurerm_kubernetes_cluster.akstf.kube_config.0.host}"
+  client_certificate     = "${base64decode(azurerm_kubernetes_cluster.akstf.kube_config.0.client_certificate)}"
+  client_key             = "${base64decode(azurerm_kubernetes_cluster.akstf.kube_config.0.client_key)}"
+  cluster_ca_certificate = "${base64decode(azurerm_kubernetes_cluster.akstf.kube_config.0.cluster_ca_certificate)}"
+}
+
+resource "kubernetes_namespace" "example" {
+  metadata {
+    name = "my-first-namespace"
+  }
+
+  depends_on = ["azurerm_kubernetes_cluster.akstf"]
+}
+
+resource "kubernetes_service_account" "tiller_service_account" {
+  metadata {
+    name = "tiller"
+    namespace = "kube-system"
+  }
+
+  depends_on = ["azurerm_kubernetes_cluster.akstf"]
+}
+
+resource "kubernetes_cluster_role_binding" "tiller_cluster_role_binding" {
+  metadata {
+    name = "tiller"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "cluster-admin"
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = "default"
+    namespace = "kube-system"
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = "${kubernetes_service_account.tiller_service_account.metadata.0.name}"
+    namespace = "kube-system"
+  }
+
+  depends_on = ["azurerm_kubernetes_cluster.akstf", "kubernetes_service_account.tiller_service_account"]
+}
diff --git a/terraform/kubenet.tf b/terraform/kubenet.tf
@@ -3,8 +3,8 @@
 
 provider "azurerm" {
     subscription_id = "${var.subscription_id}"
-    client_id       = "${var.client_id}"
-    client_secret   = "${var.client_secret}"
+    # client_id       = "${var.terraform_client_id}"
+    # client_secret   = "${var.terraform_client_secret}"
     tenant_id       = "${var.tenant_id}"
 }
 
@@ -78,6 +78,15 @@ resource "azurerm_subnet" "aksnet" {
   virtual_network_name      = "${azurerm_virtual_network.kubevnet.name}"
 }
 
+# assign virtual machine contributor on subnet to aks sp
+resource "azurerm_role_assignment" "aksvnetrole" {
+  scope                = "${azurerm_virtual_network.kubevnet.id}"
+  role_definition_name = "Virtual Machine Contributor"
+  principal_id         = "${azuread_service_principal.aks_sp.id}"
+
+  depends_on = ["azurerm_subnet.aksnet"]
+}
+
 # https://www.terraform.io/docs/providers/azurerm/d/log_analytics_workspace.html
 resource "azurerm_log_analytics_workspace" "akslogs" {
   name                = "${var.dns_prefix}-lga"
@@ -137,8 +146,10 @@ resource "azurerm_kubernetes_cluster" "akstf" {
   }
 
   service_principal {
-    client_id     = "${var.aks_client_id}"
-    client_secret = "${var.aks_client_secret}"
+    client_id     = "${azuread_application.aks_app.application_id}"
+    client_secret = "${random_string.aks_sp_password.result}"
+    # client_id     = "${var.aks_client_id}"
+    # client_secret = "${var.aks_client_secret}"
   }
 
   addon_profile {
@@ -154,7 +165,7 @@ resource "azurerm_kubernetes_cluster" "akstf" {
     RBAC = "true"
   }
 
-  # depends_on = ["azurerm_azuread_service_principal.aks_sp"]
+  depends_on = ["azurerm_subnet.aksnet", "azuread_service_principal.aks_sp"]
 }
 
 # this is needed to fix https://github.com/Azure/AKS/issues/718
@@ -192,21 +203,21 @@ output "id" {
     value = "${azurerm_kubernetes_cluster.akstf.id}"
 }
 
-output "kube_config" {
-  value = "${azurerm_kubernetes_cluster.akstf.kube_config_raw}"
-}
+# output "kube_config" {
+#   value = "${azurerm_kubernetes_cluster.akstf.kube_config_raw}"
+# }
 
-output "client_key" {
-  value = "${azurerm_kubernetes_cluster.akstf.kube_config.0.client_key}"
-}
+# output "client_key" {
+#   value = "${azurerm_kubernetes_cluster.akstf.kube_config.0.client_key}"
+# }
 
-output "client_certificate" {
-  value = "${azurerm_kubernetes_cluster.akstf.kube_config.0.client_certificate}"
-}
+# output "client_certificate" {
+#   value = "${azurerm_kubernetes_cluster.akstf.kube_config.0.client_certificate}"
+# }
 
-output "cluster_ca_certificate" {
-  value = "${azurerm_kubernetes_cluster.akstf.kube_config.0.cluster_ca_certificate}"
-}
+# output "cluster_ca_certificate" {
+#   value = "${azurerm_kubernetes_cluster.akstf.kube_config.0.cluster_ca_certificate}"
+# }
 
 output "host" {
   value = "${azurerm_kubernetes_cluster.akstf.kube_config.0.host}"

diff --git a/terraform/kubernetes.tf b/terraform/kubernetes.tf
diff --git a/terraform/nginx.tf b/terraform/nginx.tf
@@ -0,0 +1,55 @@
+
+provider "helm" {
+  install_tiller = "true"
+  service_account = "${kubernetes_service_account.tiller_service_account.metadata.0.name}"
+
+  kubernetes {
+    host                   = "${azurerm_kubernetes_cluster.akstf.kube_config.0.host}"
+    client_certificate     = "${base64decode(azurerm_kubernetes_cluster.akstf.kube_config.0.client_certificate)}"
+    client_key             = "${base64decode(azurerm_kubernetes_cluster.akstf.kube_config.0.client_key)}"
+    cluster_ca_certificate = "${base64decode(azurerm_kubernetes_cluster.akstf.kube_config.0.cluster_ca_certificate)}"
+  }
+}
+
+# Create Static Public IP Address to be used by Nginx Ingress
+resource "azurerm_public_ip" "nginx_ingress" {
+  name                         = "nginx-ingress-pip"
+  location                     = "${azurerm_kubernetes_cluster.akstf.location}"
+  resource_group_name          = "${azurerm_kubernetes_cluster.akstf.node_resource_group}"
+  allocation_method            = "Static"
+  domain_name_label            = "${var.dns_prefix}"
+
+  depends_on = ["azurerm_kubernetes_cluster.akstf"]
+}
+
+# https://www.terraform.io/docs/providers/helm/repository.html
+data "helm_repository" "stable" {
+    name = "stable"
+    url  = "https://kubernetes-charts.storage.googleapis.com"
+}
+
+# Install Nginx Ingress using Helm Chart
+# https://www.terraform.io/docs/providers/helm/release.html
+resource "helm_release" "nginx_ingress" {
+  name       = "nginx-ingress"
+  repository = "${helm_repository.stable.metadata.0.name}"
+  chart      = "nginx-ingress"
+  namespace  = "kube-system"
+
+  set {
+    name  = "rbac.create"
+    value = "true"
+  }
+
+  set {
+    name  = "controller.service.externalTrafficPolicy"
+    value = "Local"
+  }
+
+  set {
+    name  = "controller.service.loadBalancerIP"
+    value = "${azurerm_public_ip.nginx_ingress.ip_address}"
+  }
+
+  depends_on = ["azurerm_kubernetes_cluster.akstf", "azurerm_public_ip.nginx_ingress"]
+}