diff --git a/aks.tf b/aks.tf
index 7ba1cbf..c93bbd6 100644
--- a/aks.tf
+++ b/aks.tf
@@ -3,7 +3,7 @@
 # details: https://docs.microsoft.com/en-us/azure/aks/spot-node-pool
 locals {
- aks_node_extra ={
+ aks_node_extra = {
 Regular = {
 labels = {}
 taints = []
@@ -12,7 +12,7 @@ locals {
 labels = {
 "kubernetes.azure.com/scalesetpriority" = "spot"
 }
- taints = [
+ taints = [
 "kubernetes.azure.com/scalesetpriority=spot:NoSchedule"
 ]
 }
@@ -39,16 +39,16 @@ resource "azurerm_kubernetes_cluster" "main" {
 dynamic "ingress_application_gateway" {
 for_each = local.app_gateway.enabled == true ? ["ingress_application_gateway"] : []
 content {
- gateway_id = azurerm_application_gateway.main[0].id
+ gateway_id = azurerm_application_gateway.main[0].id
 }
 }
 key_vault_secrets_provider {
- secret_rotation_enabled = false
+ secret_rotation_enabled = false
 }
 dynamic "oms_agent" {
 for_each = local.oms.enabled == true ? ["oms_agent"] : []
 content {
- log_analytics_workspace_id = local.oms.workspace_id
+ log_analytics_workspace_id = local.oms.workspace_id
 }
 }
 default_node_pool {
@@ -70,7 +70,7 @@ resource "azurerm_kubernetes_cluster" "main" {
 identity_ids = [azurerm_user_assigned_identity.main.id]
 }
 network_profile {
- network_plugin = "azure"
+ network_plugin = "azure"
 }
 tags = local.tags
 }
diff --git a/diagnostics.tf b/diagnostics.tf
index c102d34..52ba994 100644
--- a/diagnostics.tf
+++ b/diagnostics.tf
@@ -6,13 +6,12 @@ resource "azurerm_monitor_diagnostic_setting" "aks" {
 storage_account_id = local.oms.storage_account_id
 log_analytics_workspace_id = local.oms.workspace_id
- dynamic "log" {
+ dynamic "enabled_log" {
 for_each = local.oms.aks_logs
 content {
- category = log.key
- enabled = log.value
+ category = enabled_log.key
 retention_policy {
- enabled = log.value
+ enabled = enabled_log.value
 days = local.oms.retention_days
 }
 }
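Review bot: Switching to `dynamic "enabled_log"` drops the per-category `enabled = log.value` toggle, but `for_each = local.oms.aks_logs` still iterates the whole map, so every key whose value is false (for example the `guard` and `kube-scheduler` defaults in variables.tf) is now emitted as an enabled log category with only its retention switched off, which silently widens what is collected. The loop should filter on the value, e.g. `for_each = { for k, v in local.oms.aks_logs : k => v if v }`, after which `retention_policy.enabled` can remain `enabled_log.value`. The agw hunk below has the same problem with `local.oms.agw_logs` and needs the same filter. It also looks like `retention_policy` inside `enabled_log` is deprecated in recent azurerm 3.x releases in favour of storage lifecycle rules, so the retention intent may need to move; worth confirming against the provider changelog. The enclosing resource block continues outside the hunk.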
@@ -36,13 +35,12 @@ resource "azurerm_monitor_diagnostic_setting" "agw" {
 storage_account_id = local.oms.storage_account_id
 log_analytics_workspace_id = local.oms.workspace_id
- dynamic "log" {
+ dynamic "enabled_log" {
 for_each = local.oms.agw_logs
 content {
- category = log.key
- enabled = log.value
+ category = enabled_log.key
 retention_policy {
- enabled = log.value
+ enabled = enabled_log.value
 days = local.oms.retention_days
 }
 }
diff --git a/identity.tf b/identity.tf
index 993a0df..430e97f 100644
--- a/identity.tf
+++ b/identity.tf
@@ -19,15 +19,15 @@ resource "azurerm_role_assignment" "attach_acr" {
 # grants rights to the built role as well as the subnet (only needed for kubenet, but added for completeness)
 resource "azurerm_role_assignment" "subnet" {
- scope = local.subnet_id
- role_definition_name = "Network Contributor"
- principal_id = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id
+ scope = local.subnet_id
+ role_definition_name = "Network Contributor"
+ principal_id = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id
 }
 resource "azurerm_role_assignment" "identity" {
- scope = azurerm_user_assigned_identity.main.id
- role_definition_name = "Managed Identity Operator"
- principal_id = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id
+ scope = azurerm_user_assigned_identity.main.id
+ role_definition_name = "Managed Identity Operator"
+ principal_id = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id
 }
 # This assigns permissions to the AGW using discovered Idenitity
diff --git a/main.tf b/main.tf
index cca64d3..c4848e7 100644
--- a/main.tf
+++ b/main.tf
@@ -7,7 +7,7 @@ locals {
 # ensure agw priority is set if sku is of type "v2"
 # if nothing is provided, we will set to 1 for v2, or -1 to omit
 detect_priority = length(regexall("v2$", var.app_gateway.sku_tier)) > 0 ? 10 : null
- priority = coalesce(var.app_gateway.priority, local.detect_priority, -1)
+ priority = coalesce(var.app_gateway.priority, local.detect_priority, -1)
 # generate the resource names for everything based on the values offered
 names = {
diff --git a/test/main.tf b/test/main.tf
index 525d1ce..c703255 100644
--- a/test/main.tf
+++ b/test/main.tf
@@ -1,4 +1,4 @@
-provider azurerm {
+provider "azurerm" {
 features {
 resource_group {
 prevent_deletion_if_contains_resources = false
@@ -7,8 +7,8 @@ provider azurerm {
 }
 # resource group to place everything in
-resource azurerm_resource_group "test" {
- name = "test-aks-baseline"
+resource "azurerm_resource_group" "test" {
+ name = "test-aks-baseline"
 location = "westus2"
 }
@@ -36,26 +36,26 @@ resource "azurerm_storage_account" "main" {
 }
 resource "azurerm_log_analytics_solution" "containerinsights" {
- solution_name = "ContainerInsights"
- location = azurerm_log_analytics_workspace.main.location
- resource_group_name = azurerm_resource_group.test.name
- workspace_resource_id = azurerm_log_analytics_workspace.main.id
- workspace_name = azurerm_log_analytics_workspace.main.name
- plan {
- publisher = "Microsoft"
- product = "OMSGallery/ContainerInsights"
- }
+ solution_name = "ContainerInsights"
+ location = azurerm_log_analytics_workspace.main.location
+ resource_group_name = azurerm_resource_group.test.name
+ workspace_resource_id = azurerm_log_analytics_workspace.main.id
+ workspace_name = azurerm_log_analytics_workspace.main.name
+ plan {
+ publisher = "Microsoft"
+ product = "OMSGallery/ContainerInsights"
+ }
 }
 module "myvnet" {
 source = "Justin-DynamicD/virtual_network/azurerm"
- global_settings = {
+ global_settings = {
 name = "aks_vnet"
 location = azurerm_resource_group.test.location
 resource_group_name = azurerm_resource_group.test.name
 }
 network = {
- address_spaces = ["10.10.0.0/16"]
+ address_spaces = ["10.10.0.0/16"]
 }
 subnets = {
 agw = "10.10.10.0/26"
@@ -67,7 +67,7 @@ module "myvnet" {
 private_link = true
 }
 subnet_service_endpoints = {
- private_link = ["Microsoft.KeyVault","Microsoft.ContainerRegistry"]
+ private_link = ["Microsoft.KeyVault", "Microsoft.ContainerRegistry"]
 }
 tags = {
 Project = "AKS Baseline"
@@ -101,7 +101,7 @@ module "aks" {
 node_count = 1
 }
 oms = {
- enabled = true
+ enabled = true
 # aks_logs = {
 # guard = true
 # }
diff --git a/variables.tf b/variables.tf
index 6fb2dcd..3fd62fa 100644
--- a/variables.tf
+++ b/variables.tf
@@ -2,36 +2,36 @@
 # global variables
 ######
-variable app_gateway {
- type = object ({
- enabled = optional(bool, false)
- name = optional(string)
- public_ip_id = optional(string, "")
- priority = optional(number)
- sku_capacity = optional(string, "2")
- sku_name = optional(string, "WAF_v2")
- sku_tier = optional(string, "WAF_v2")
- subnet_id = optional(string, "")
+variable "app_gateway" {
+ type = object({
+ enabled = optional(bool, false)
+ name = optional(string)
+ public_ip_id = optional(string, "")
+ priority = optional(number)
+ sku_capacity = optional(string, "2")
+ sku_name = optional(string, "WAF_v2")
+ sku_tier = optional(string, "WAF_v2")
+ subnet_id = optional(string, "")
 })
 description = "map of all agw variables"
 default = {}
 }
-variable waf_configuration {
- type = object ({
- enabled = optional(bool, true)
- firewall_mode = optional(string, "Detection")
- rule_set_type = optional(string, "OWASP")
- rule_set_version = optional(string, "3.2")
- file_upload_limit_mb = optional(number, 100)
- request_body_check = optional(bool, true)
- max_request_body_size_kb = optional(number, 128)
+variable "waf_configuration" {
+ type = object({
+ enabled = optional(bool, true)
+ firewall_mode = optional(string, "Detection")
+ rule_set_type = optional(string, "OWASP")
+ rule_set_version = optional(string, "3.2")
+ file_upload_limit_mb = optional(number, 100)
+ request_body_check = optional(bool, true)
+ max_request_body_size_kb = optional(number, 128)
 })
 description = "map of all waf configuration setting required if WAF is enabled"
 default = {}
 }
-variable node_default_pool {
+variable "node_default_pool" {
 type = object({
 enable_auto_scaling = optional(bool, true)
 max_count = optional(number, 4)
@@ -47,7 +47,7 @@ variable node_default_pool {
 default = {}
 }
-variable node_user_pool {
+variable "node_user_pool" {
 type = object({
 enable_auto_scaling = optional(bool, true)
 enabled = optional(bool, true)
@@ -67,107 +67,107 @@ variable node_user_pool {
 default = {}
 }
-variable oms {
+variable "oms" {
 type = object({
- enabled = optional(bool, false)
- agw_logs = optional(object({
+ enabled = optional(bool, false)
+ agw_logs = optional(object({
 ApplicationGatewayAccessLog = optional(bool, true)
 ApplicationGatewayPerformanceLog = optional(bool, true)
 ApplicationGatewayFirewallLog = optional(bool, true)
 }))
- agw_metrics = optional(bool, true)
- aks_logs = optional(object({
- cloud-controller-manager = optional(bool, false)
- cluster-autoscaler = optional(bool, true)
- csi-azuredisk-controller = optional(bool, false)
- csi-azurefile-controller = optional(bool, false)
- csi-snapshot-controller = optional(bool, false)
- guard = optional(bool, false)
- kube-apiserver = optional(bool, true)
- kube-audit = optional(bool, true)
- kube-audit-admin = optional(bool, true)
- kube-controller-manager = optional(bool, true)
- kube-scheduler = optional(bool, false)
+ agw_metrics = optional(bool, true)
+ aks_logs = optional(object({
+ cloud-controller-manager = optional(bool, false)
+ cluster-autoscaler = optional(bool, true)
+ csi-azuredisk-controller = optional(bool, false)
+ csi-azurefile-controller = optional(bool, false)
+ csi-snapshot-controller = optional(bool, false)
+ guard = optional(bool, false)
+ kube-apiserver = optional(bool, true)
+ kube-audit = optional(bool, true)
+ kube-audit-admin = optional(bool, true)
+ kube-controller-manager = optional(bool, true)
+ kube-scheduler = optional(bool, false)
 }))
- aks_metrics = optional(bool, true)
- retention_days = optional(number, 30)
- storage_account_id = optional(string)
- workspace_id = optional(string)
+ aks_metrics = optional(bool, true)
+ retention_days = optional(number, 30)
+ storage_account_id = optional(string)
+ workspace_id = optional(string)
 })
 description = "custom object defining OMS variables"
- default = {}
+ default = {}
 }
-variable acr_list {
+variable "acr_list" {
 type = map(any)
 description = "key/value map of acr name = resource group"
 nullable = false
 default = {}
 }
-variable automatic_channel_upgrade {
+variable "automatic_channel_upgrade" {
 type = string
 description = "the upgrade channel for aks"
 nullable = false
 default = ""
 }
-variable azure_policy {
+variable "azure_policy" {
 type = bool
 description = "enable azure policies on this cluster"
 nullable = false
 default = true
 }
-variable docker_bridge_cidr {
+variable "docker_bridge_cidr" {
 type = string
 description = "IP address (in CIDR notation) used as the Docker bridge IP address on nodes."
 nullable = false
 default = "172.17.0.1/16"
 }
-variable location {
+variable "location" {
 type = string
 description = "region to build all resources in"
 }
-variable name {
+variable "name" {
 type = string
 description = "If defined, sets the name of the AKS cluster"
 default = ""
 }
-variable name_prefix {
+variable "name_prefix" {
 type = string
 description = "the prefix used in any generated resource name, if no overriding name is specified"
 nullable = false
 default = "aks-baseline"
 }
-variable resource_group_name {
+variable "resource_group_name" {
 type = string
 description = "name of the resource group to provision in"
 }
-variable sku_tier {
+variable "sku_tier" {
 type = string
 description = "Set the SKU for hte aks cluster"
 nullable = false
 default = "Free"
 }
-variable tags {
+variable "tags" {
 type = map(any)
 description = "map of tags to apply to all resources"
 default = null
 }
-variable subnet_id {
+variable "subnet_id" {
 type = string
 description = "ID of the subnet for all node pools"
 }
-variable zones {
+variable "zones" {
 type = list(string)
 description = "list of all supported AZs to deploy to, if available"
 nullable = false
diff --git a/versions.tf b/versions.tf
index 4405284..4445356 100644
--- a/versions.tf
+++ b/versions.tf
@@ -5,6 +5,6 @@ terraform {
 required_version = ">= 1.3.0"
 required_providers {
 azurerm = ">= 3.32.0"
- random = ">= 3.4.0"
+ random = ">= 3.4.0"
 }
 }