feat: Inital release of terraform module #6
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
modules/app_aks/main.tf
Outdated
| resource "azurerm_kubernetes_cluster" "default" { | ||
| name = "${var.namespace}-cluster" | ||
| location = var.location | ||
| resource_group_name = var.resource_group_name | ||
| dns_prefix = var.namespace | ||
|
|
||
| automatic_channel_upgrade = "stable" | ||
| role_based_access_control_enabled = true | ||
|
|
||
| default_node_pool { | ||
| name = "default" | ||
| node_count = 2 | ||
| vm_size = "Standard_D4s_v3" | ||
| vnet_subnet_id = var.cluster_subnet_id | ||
| type = "VirtualMachineScaleSets" | ||
| enable_auto_scaling = false | ||
| zones = ["1", "2"] | ||
| } | ||
|
|
||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
|
|
||
| network_profile { | ||
| network_plugin = "azure" | ||
| } | ||
|
|
||
| tags = var.tags | ||
| } |
There was a problem hiding this comment.
tfsec check azure-container-logging failed.
Description: Cluster does not have logging enabled via OMS Agent.
Severity: MEDIUM
For more information, see:
There was a problem hiding this comment.
Will definitely want logging enabled, but can punt for now.
| } | ||
|
|
||
| identity { | ||
| type = "SystemAssigned" |
There was a problem hiding this comment.
It would be ideal if we could use the Azure native identity solution here.
modules/app_aks/main.tf
Outdated
| resource "azurerm_kubernetes_cluster" "default" { | ||
| name = "${var.namespace}-cluster" | ||
| location = var.location | ||
| resource_group_name = var.resource_group_name | ||
| dns_prefix = var.namespace | ||
|
|
||
| automatic_channel_upgrade = "stable" | ||
| role_based_access_control_enabled = true | ||
|
|
||
| default_node_pool { | ||
| name = "default" | ||
| node_count = 2 | ||
| vm_size = "Standard_D4s_v3" | ||
| vnet_subnet_id = var.cluster_subnet_id | ||
| type = "VirtualMachineScaleSets" | ||
| enable_auto_scaling = false | ||
| zones = ["1", "2"] | ||
| } | ||
|
|
||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
|
|
||
| network_profile { | ||
| network_plugin = "azure" | ||
| } | ||
|
|
||
| tags = var.tags | ||
| } |
There was a problem hiding this comment.
Will definitely want logging enabled, but can punt for now.
| variable "database_availability_mode" { | ||
| description = "" | ||
| type = string | ||
| default = "SameZone" |
There was a problem hiding this comment.
I imagine we want the default to be "ZoneRedundant". When ever possible we want our infra to weather a Zone going down. We won't support multi-region, but our official terraform should adhere to the cloud contract which says we should assume a single zone can just go away. Again, not necessarily required for MVP, but we should definitely think about and work towards multi zone operations for MySQL, k8s, and Redis
There was a problem hiding this comment.
With ZoneRedundant, the limitation we might have is the regions it's currently available at. There's very few regions that support ZoneRedundant today. In the US, it's only East US and South Central US only. If customers want their deployment in other regions we might have to default back to SameZone if not the deployment would fail.
variables.tf
Outdated
| # Most users will not need these settings. They are ment for users who want a | ||
| # bucket in a different account. | ||
|
|
||
| variable "bucket_name" { |
There was a problem hiding this comment.
In Azure land they call buckets "Blob Containers". Nit, but might want to align with their vocabulary.
modules/app_aks/main.tf
Outdated
| network_profile { | ||
| network_plugin = "azure" | ||
| load_balancer_sku = "standard" | ||
| } |
There was a problem hiding this comment.
tfsec check azure-container-configured-network-policy failed.
Description: Kubernetes cluster does not have a network policy set.
Severity: HIGH
For more information, see:
modules/app_aks/main.tf
Outdated
| resource "azurerm_kubernetes_cluster" "default" { | ||
| name = "${var.namespace}-cluster" | ||
| location = var.location | ||
| resource_group_name = var.resource_group_name | ||
| dns_prefix = var.namespace | ||
|
|
||
| automatic_channel_upgrade = "stable" | ||
| role_based_access_control_enabled = true | ||
|
|
||
| default_node_pool { | ||
| name = "default" | ||
| node_count = 2 | ||
| vm_size = "Standard_D4s_v3" | ||
| vnet_subnet_id = var.cluster_subnet_id | ||
| type = "VirtualMachineScaleSets" | ||
| enable_auto_scaling = false | ||
| zones = ["1", "2"] | ||
| } | ||
|
|
||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
|
|
||
| network_profile { | ||
| network_plugin = "azure" | ||
| load_balancer_sku = "standard" | ||
| } | ||
|
|
||
| tags = var.tags | ||
| } |
There was a problem hiding this comment.
tfsec check azure-container-limit-authorized-ips failed.
Description: Cluster does not limit API access to specific IP addresses.
Severity: CRITICAL
For more information, see:
modules/app_aks/main.tf
Outdated
| resource "azurerm_kubernetes_cluster" "default" { | ||
| name = "${var.namespace}-cluster" | ||
| location = var.location | ||
| resource_group_name = var.resource_group_name | ||
| dns_prefix = var.namespace | ||
|
|
||
| automatic_channel_upgrade = "stable" | ||
| role_based_access_control_enabled = true | ||
|
|
||
| default_node_pool { | ||
| name = "default" | ||
| node_count = 2 | ||
| vm_size = "Standard_D4s_v3" | ||
| vnet_subnet_id = var.cluster_subnet_id | ||
| type = "VirtualMachineScaleSets" | ||
| enable_auto_scaling = false | ||
| zones = ["1", "2"] | ||
| } | ||
|
|
||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
|
|
||
| network_profile { | ||
| network_plugin = "azure" | ||
| load_balancer_sku = "standard" | ||
| } | ||
|
|
||
| tags = var.tags | ||
| } |
There was a problem hiding this comment.
tfsec check azure-container-logging failed.
Description: Cluster does not have logging enabled via OMS Agent.
Severity: MEDIUM
For more information, see:
modules/storage/main.tf
Outdated
| resource "azurerm_storage_account" "default" { | ||
| name = replace("${var.namespace}-storage", "-", "") | ||
| resource_group_name = var.resource_group_name | ||
| location = var.location | ||
| account_tier = "Standard" | ||
| account_replication_type = "ZRS" | ||
| min_tls_version = "TLS1_2" | ||
|
|
||
| blob_properties { | ||
| cors_rule { | ||
| allowed_headers = ["*"] | ||
| allowed_methods = ["GET", "HEAD", "PUT"] | ||
| allowed_origins = ["*"] | ||
| exposed_headers = ["*"] | ||
| max_age_in_seconds = 3600 | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
tfsec check azure-storage-queue-services-logging-enabled failed.
Description: Queue services storage account does not have logging enabled.
Severity: MEDIUM
For more information, see:
modules/app_lb/main.tf
Outdated
| name = "Standard_v2" | ||
| tier = "Standard_v2" | ||
| name = "WAF_v2" | ||
| tier = "WAF_v2" |
There was a problem hiding this comment.
If we use WAF we have to disable a bunch of rules as it falsely flags a ton of requests. It's also pretty expensive. If we can find a way to avoid it, probably ideal.
There was a problem hiding this comment.
I've reverted to Standard_v2, we can punt on this
modules/app_aks/main.tf
Outdated
| resource "azurerm_kubernetes_cluster" "default" { | ||
| name = "${var.namespace}-cluster" | ||
| location = var.location | ||
| resource_group_name = var.resource_group_name | ||
| dns_prefix = var.namespace | ||
|
|
||
| automatic_channel_upgrade = "stable" | ||
| role_based_access_control_enabled = true | ||
| http_application_routing_enabled = true | ||
|
|
||
| ingress_application_gateway { | ||
| gateway_id = var.gateway.id | ||
| } | ||
|
|
||
| default_node_pool { | ||
| name = "default" | ||
| node_count = 2 | ||
| vm_size = "Standard_D4s_v3" | ||
| vnet_subnet_id = var.cluster_subnet_id | ||
| type = "VirtualMachineScaleSets" | ||
| enable_auto_scaling = false | ||
| zones = ["1", "2"] | ||
| } | ||
|
|
||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
|
|
||
| network_profile { | ||
| network_plugin = "azure" | ||
| network_policy = "azure" | ||
| load_balancer_sku = "standard" | ||
| } | ||
|
|
||
| tags = var.tags | ||
| } |
There was a problem hiding this comment.
tfsec check azure-container-limit-authorized-ips failed.
Description: Cluster does not limit API access to specific IP addresses.
Severity: CRITICAL
For more information, see:
modules/app_aks/main.tf
Outdated
| resource "azurerm_kubernetes_cluster" "default" { | ||
| name = "${var.namespace}-cluster" | ||
| location = var.location | ||
| resource_group_name = var.resource_group_name | ||
| dns_prefix = var.namespace | ||
|
|
||
| automatic_channel_upgrade = "stable" | ||
| role_based_access_control_enabled = true | ||
| http_application_routing_enabled = true | ||
|
|
||
| ingress_application_gateway { | ||
| gateway_id = var.gateway.id | ||
| } | ||
|
|
||
| default_node_pool { | ||
| name = "default" | ||
| node_count = 2 | ||
| vm_size = "Standard_D4s_v3" | ||
| vnet_subnet_id = var.cluster_subnet_id | ||
| type = "VirtualMachineScaleSets" | ||
| enable_auto_scaling = false | ||
| zones = ["1", "2"] | ||
| } | ||
|
|
||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
|
|
||
| network_profile { | ||
| network_plugin = "azure" | ||
| network_policy = "azure" | ||
| load_balancer_sku = "standard" | ||
| } | ||
|
|
||
| tags = var.tags | ||
| } |
There was a problem hiding this comment.
tfsec check azure-container-logging failed.
Description: Cluster does not have logging enabled via OMS Agent.
Severity: MEDIUM
For more information, see:
modules/database/main.tf
Outdated
| zone = "1" | ||
|
|
||
| # high_availability { | ||
| # mode = var.database_availability_mode |
modules/database/main.tf
Outdated
| geo_redundant_backup_enabled = false | ||
|
|
||
| zone = "1" | ||
|
|
There was a problem hiding this comment.
If the customer were to provide a region that doesn't support availability zones, this would fail.
Reference
variables.tf
Outdated
| variable "database_version" { | ||
| description = "Version for MySQL" | ||
| type = string | ||
| default = "8.0.21" |
There was a problem hiding this comment.
Should we default this MySQL 5.7 for now? (we could also do it in the core azure terraform)
| resource "azurerm_kubernetes_cluster" "default" { | ||
| name = "${var.namespace}-cluster" | ||
| location = var.location | ||
| resource_group_name = var.resource_group.name | ||
| dns_prefix = var.namespace | ||
|
|
||
| automatic_channel_upgrade = "stable" | ||
| role_based_access_control_enabled = true | ||
| http_application_routing_enabled = false | ||
|
|
||
| ingress_application_gateway { | ||
| gateway_id = var.gateway.id | ||
| } | ||
|
|
||
| default_node_pool { | ||
| name = "default" | ||
| node_count = 2 | ||
| vm_size = "Standard_D4s_v3" | ||
| vnet_subnet_id = var.cluster_subnet_id | ||
| type = "VirtualMachineScaleSets" | ||
| enable_auto_scaling = false | ||
| zones = ["1", "2"] | ||
| } | ||
|
|
||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
|
|
||
| network_profile { | ||
| network_plugin = "azure" | ||
| network_policy = "azure" | ||
| load_balancer_sku = "standard" | ||
| } | ||
|
|
||
| tags = var.tags | ||
| } |
There was a problem hiding this comment.
tfsec check azure-container-limit-authorized-ips failed.
Description: Cluster does not limit API access to specific IP addresses.
Severity: CRITICAL
For more information, see:
| resource "azurerm_kubernetes_cluster" "default" { | ||
| name = "${var.namespace}-cluster" | ||
| location = var.location | ||
| resource_group_name = var.resource_group.name | ||
| dns_prefix = var.namespace | ||
|
|
||
| automatic_channel_upgrade = "stable" | ||
| role_based_access_control_enabled = true | ||
| http_application_routing_enabled = false | ||
|
|
||
| ingress_application_gateway { | ||
| gateway_id = var.gateway.id | ||
| } | ||
|
|
||
| default_node_pool { | ||
| name = "default" | ||
| node_count = 2 | ||
| vm_size = "Standard_D4s_v3" | ||
| vnet_subnet_id = var.cluster_subnet_id | ||
| type = "VirtualMachineScaleSets" | ||
| enable_auto_scaling = false | ||
| zones = ["1", "2"] | ||
| } | ||
|
|
||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
|
|
||
| network_profile { | ||
| network_plugin = "azure" | ||
| network_policy = "azure" | ||
| load_balancer_sku = "standard" | ||
| } | ||
|
|
||
| tags = var.tags | ||
| } |
There was a problem hiding this comment.
tfsec check azure-container-logging failed.
Description: Cluster does not have logging enabled via OMS Agent.
Severity: MEDIUM
For more information, see:
|
This PR is included in version 1.0.0 🎉 |
No description provided.