diff --git a/caf b/caf
deleted file mode 120000
index 2e137e33..00000000
--- a/caf
+++ /dev/null
@@ -1 +0,0 @@
-/tf/caf
\ No newline at end of file
diff --git a/enterprise_scale/construction_sets/aks/flux.tf b/enterprise_scale/construction_sets/aks/flux.tf
index 5c11e38f..5811d057 100644
--- a/enterprise_scale/construction_sets/aks/flux.tf
+++ b/enterprise_scale/construction_sets/aks/flux.tf
@@ -1,17 +1,17 @@
 provider "flux" {}
 provider "kubectl" {
- host = module.caf.aks_clusters == null ? null : module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host
- client_key = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key)
- client_certificate = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate)
- cluster_ca_certificate = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate)
+ host = try(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host, null)
+ client_key = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key), null)
+ client_certificate = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate), null)
+ cluster_ca_certificate = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate), null)
 }
 provider "kubernetes" {
- host = module.caf.aks_clusters == null ? null : module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host
- client_key = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key)
- client_certificate = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate)
- cluster_ca_certificate = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate)
+ host = try(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host, null)
+ client_key = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key), null)
+ client_certificate = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate), null)
+ cluster_ca_certificate = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate), null)
 }
 provider "github" {
diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/README.md b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/README.md
index 10902d07..7c0e0508 100644
--- a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/README.md
+++ b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/README.md
@@ -10,6 +10,7 @@ This is the root of the GitOps configuration directory. These Kubernetes object
 * Kubernetes RBAC Role Assignments to Azure AD Principals
 * [Kured](#kured)
 * Ingress Network Policy
+* Flux (self-managing)
 * Azure Monitor Prometheus Scraping
 * Azure KeyVault Secret Store CSI Provider
 * Azure AD Pod Identity
diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/aad-pod-identity.yaml b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/aad-pod-identity.yaml
index 6ea5544d..43df14b3 100644
--- a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/aad-pod-identity.yaml
+++ b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/aad-pod-identity.yaml
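Review bot: `try(..., null)` on every attribute of the `kubectl` and `kubernetes` providers in this hunk masks any evaluation error, not only the cluster-not-yet-created case the old `module.caf.aks_clusters == null` guard covered: a misspelled attribute, a missing `cluster_re1` key or a failing `base64decode` now silently becomes `null`, and a provider whose `host` and certificates are all null falls back to its environment defaults instead of failing at plan time. That is workable for the first-apply bootstrap, but the intent should be recorded so a silent null is not later mistaken for a working configuration, e.g. a comment above each provider block: `# try(): null until the cluster exists (first apply); it also hides any other error in the expression, so confirm the provider actually authenticated`. Both blocks also still read `kube_admin_config`, the cluster-local admin credential, rather than `kube_config`; that predates this commit, but a one-line comment stating why the AAD-integrated credential is not used would help the next reader.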
@@ -251,6 +251,7 @@ spec:
 memory: 256Mi
 nodeSelector:
 kubernetes.io/os: linux
+ agentpool: npuser01
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -315,6 +316,7 @@ spec:
 path: /etc/kubernetes/azure.json
 nodeSelector:
 kubernetes.io/os: linux
+ agentpool: npuser01
 ---
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzurePodIdentityException
@@ -361,4 +363,5 @@ metadata:
 namespace: kube-system
 spec:
 podLabels:
- rsName: omsagent-rs
\ No newline at end of file
+ rsName: omsagent-rs
+ 
\ No newline at end of file
diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars
index b55d8309..ec26ccaf 100644
--- a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars
+++ b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars
@@ -17,7 +17,7 @@ aks_clusters = {
 type = "SystemAssigned"
 }
- kubernetes_version = "1.19.6"
+ kubernetes_version = "1.19.9"
 vnet_key = "vnet_aks_re1"
 network_profile = {
@@ -67,7 +67,7 @@ aks_clusters = {
 node_count = 3
 os_disk_type = "Ephemeral"
 os_disk_size_gb = 80
- orchestrator_version = "1.19.6"
+ orchestrator_version = "1.19.9"
 tags = {
 "project" = "system services"
 }
@@ -86,7 +86,7 @@ aks_clusters = {
 os_disk_type = "Ephemeral"
 enable_auto_scaling = false
 os_disk_size_gb = 120
- orchestrator_version = "1.19.6"
+ orchestrator_version = "1.19.9"
 tags = {
 "project" = "user services"
 }
diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/resource_groups.tfvars b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/resource_groups.tfvars
index 4eee767c..0ae43885 100644
--- a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/resource_groups.tfvars
+++ b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/resource_groups.tfvars
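Review bot: The `agentpool: npuser01` selectors added at @@ -251 and @@ -315 of aad-pod-identity.yaml hard-pin both workloads to the user node pool, and the second is the Deployment that mounts `/etc/kubernetes/azure.json`, so a component that reads the node's cloud-provider configuration now runs on the same nodes as user workloads instead of on the system pool (`sharedsvc` per test/level3_aks/ExpectedValues.yml in this commit); confirm that placement is intended. A nodeSelector is also a hard constraint: the pool tagged "user services" in aks.tfvars appears to have `enable_auto_scaling = false`, so a drain or resize of npuser01 leaves these pods Pending rather than rescheduled onto another pool. Record the reason next to each selector so the constraint is not removed or copied blindly, e.g. `# pinned to npuser01: <reason>; pods stay Pending if this pool is unavailable`. The trailing whitespace-only line added at @@ -361 looks accidental.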
@@ -1,36 +1,36 @@
 resource_groups = {
 aks_re1 = {
- name = "ef-aks-re1"
+ name = "aks-re1"
 region = "region1"
 }
 agw_re1 = {
- name = "ef-agw-re1"
+ name = "agw-re1"
 region = "region1"
 }
 vnet_hub_re1 = {
- name = "ef-vnet-hub-re1"
+ name = "vnet-hub-re1"
 region = "region1"
 }
 aks_spoke_re1 = {
- name = "ef-aks_spoke_re1"
+ name = "aks_spoke_re1"
 region = "region1"
 }
 ops_re1 = {
- name = "ef-ops_re1"
+ name = "ops_re1"
 region = "region1"
 }
 devops_re1 = {
- name = "ef-devops_re1"
+ name = "devops_re1"
 region = "region1"
 }
 jumpbox_re1 = {
- name = "ef-jumpbox_re1"
+ name = "jumpbox_re1"
 region = "region1"
 }
 }
diff --git a/enterprise_scale/construction_sets/aks/scripts/launchpad.sh b/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
index bd36e984..d01c3ab4 100755
--- a/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
+++ b/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
@@ -4,7 +4,7 @@ storage_name=$(az storage account list --query "[?tags.tfstate=='level0' && tags
 if [ "${storage_name}" = "null" ]; then
 git clone https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/public
- /tf/rover/rover.sh -lz /tf/caf/public/landingzones/caf_launchpad -a apply -launchpad -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/launchpad
+ /tf/rover/rover.sh -lz /tf/caf/public/caf_launchpad -a apply -launchpad -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/launchpad
 storage_name=$(az storage account list --query "[?tags.tfstate=='level0' && tags.launchpad=='launchpad']" -o json | jq -r .[0].name)
 fi
diff --git a/enterprise_scale/construction_sets/aks/test/level1_foundation/ExpectedValues.yml b/enterprise_scale/construction_sets/aks/test/level1_foundation/ExpectedValues.yml
index c012f14c..7ea07e36 100644
--- a/enterprise_scale/construction_sets/aks/test/level1_foundation/ExpectedValues.yml
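Review bot: The new `-lz /tf/caf/public/caf_launchpad` path in launchpad.sh only holds for whatever the upstream repository's default branch looks like on the day the script runs, because the `git clone https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/public` two lines above it is unpinned; the old `landingzones/caf_launchpad` path in the same hunk (and in the deleted `test` file) shows the layout has already moved once. Since the fresh clone is passed straight to `rover.sh -a apply -launchpad`, the run executes whatever Terraform is at HEAD upstream at that moment, with the launchpad's credentials. Pin it to a reviewed revision, `git clone --branch <PINNED_TAG> --depth 1 https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/public`, and bump the tag together with the path whenever it changes.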
+++ b/enterprise_scale/construction_sets/aks/test/level1_foundation/ExpectedValues.yml
@@ -1,2 +1,2 @@
 keyVaultName: "kv-secrets"
-keyVaultResourceGroupName: "rg-ef-aks-re1"
+keyVaultResourceGroupName: "rg-aks-re1"
diff --git a/enterprise_scale/construction_sets/aks/test/level2_shared_services/ExpectedValues.yml b/enterprise_scale/construction_sets/aks/test/level2_shared_services/ExpectedValues.yml
index 6c6867ef..aaf13790 100644
--- a/enterprise_scale/construction_sets/aks/test/level2_shared_services/ExpectedValues.yml
+++ b/enterprise_scale/construction_sets/aks/test/level2_shared_services/ExpectedValues.yml
@@ -1,2 +1,2 @@
 logWorkspaceName: "log-logs"
-logResourceGroupName: "rg-ef-ops_re1"
+logResourceGroupName: "rg-ops_re1"
diff --git a/enterprise_scale/construction_sets/aks/test/level3_aks/ExpectedValues.yml b/enterprise_scale/construction_sets/aks/test/level3_aks/ExpectedValues.yml
index f8338bea..2ab25724 100644
--- a/enterprise_scale/construction_sets/aks/test/level3_aks/ExpectedValues.yml
+++ b/enterprise_scale/construction_sets/aks/test/level3_aks/ExpectedValues.yml
@@ -1,5 +1,5 @@
 ClusterName: "aks-akscluster-re1-001"
-ResourceGroupName: "rg-ef-aks-re1"
+ResourceGroupName: "rg-aks-re1"
 DefaultNodePoolName: "sharedsvc"
 UserNodepoolName: "npuser01"
 AgentCount: 3
diff --git a/test b/test
deleted file mode 100644
index 090e72ee..00000000
--- a/test
+++ /dev/null
@@ -1,58 +0,0 @@ -export TF_VAR_workspace=secureaks - --tfstate caf_foundations.tfstate \ --level level0 \ --launchpad \ - --launchpad \ - -az login --service-principal -u 8ccc504d-7fd0-4b2e-b6da-e2b04537d848 -p sbbj1iZZRq.PU8XtOQUFfQ_JQhu1h1wq2t --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47 - -export ARM_CLIENT_ID=8ccc504d-7fd0-4b2e-b6da-e2b04537d848 -export ARM_CLIENT_SECRET=sbbj1iZZRq.PU8XtOQUFfQ_JQhu1h1wq2t -export ARM_SUBSCRIPTION_ID=0fe1cc35-0cfa-4152-97d7-5dfb45a8d4ba -export ARM_TENANT_ID=72f988bf-86f1-41af-91ab-2d7cd011db47 - -id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.launchpad=='launchpad']" -o json | jq -r .[0].id) - -if [ "${id}" == "null" ]; then - git clone https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/public - /tf/rover/rover.sh -lz /tf/caf/public/landingzones/caf_launchpad -a apply -launchpad -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/levels/launchpad -fi - -/tf/rover/rover.sh -lz /tf/caf/enterprise_scale/construction_sets/aks \ - -a apply \ - -level level1 \ - -tfstate secure-aks-foundations.tfstate \ - '-var-file online/aks_secure_baseline/configuration/global_settings.tfvars -var-file online/aks_secure_baseline/configuration/resource_groups.tfvars -var-file online/aks_secure_baseline/configuration/iam/iam_managed_identities.tfvars -var-file online/aks_secure_baseline/configuration/iam/iam_role_mappings.tfvars -var-file online/aks_secure_baseline/configuration/keyvault/keyvaults.tfvars' - -/tf/rover/rover.sh -lz /tf/caf/enterprise_scale/construction_sets/aks \ - -a apply \ - -level level2 \ - -tfstate secure-aks-foundations.tfstate \ - '-var-file online/aks_secure_baseline/configuration/monitor/diagnostics.tfvars -var-file online/aks_secure_baseline/configuration/monitor/log_analytics.tfvars' - - - -/tf/rover/rover.sh -lz /tf/caf/enterprise_scale/construction_sets/aks \ - -a apply \ - -level level2 \ - -tfstate secure-aks-shared-services.tfstate \ - 
'-var-file online/aks_secure_baseline/configuration/global_settings.tfvars -var-file online/aks_secure_baseline/configuration/resource_groups.tfvars -var-file online/aks_secure_baseline/configuration/monitor/diagnostics.tfvars -var-file online/aks_secure_baseline/configuration/monitor/log_analytics.tfvars' - -/tf/rover/rover.sh -lz /tf/caf/enterprise_scale/construction_sets/aks \ - -a apply \ - -level level2 \ - -tfstate 2_networking.tfstate \ - '-var-file online/aks_secure_baseline/configuration/global_settings.tfvars -var-file online/aks_secure_baseline/configuration/resource_groups.tfvars -var-file online/aks_secure_baseline/configuration/networking/firewall_application_rule_collection_definition.tfvars -var-file online/aks_secure_baseline/configuration/networking/firewall_network_rule_collection_definition.tfvars -var-file online/aks_secure_baseline/configuration/networking/firewalls.tfvars -var-file online/aks_secure_baseline/configuration/networking/ip_groups.tfvars -var-file online/aks_secure_baseline/configuration/networking/networking.tfvars -var-file online/aks_secure_baseline/configuration/networking/nsg.tfvars -var-file online/aks_secure_baseline/configuration/networking/peerings.tfvars -var-file online/aks_secure_baseline/configuration/networking/private_dns.tfvars -var-file online/aks_secure_baseline/configuration/networking/public_ips.tfvars -var-file online/aks_secure_baseline/configuration/networking/route_tables.tfvars -var-file online/aks_secure_baseline/configuration/agw/agw_application.tfvars -var-file online/aks_secure_baseline/configuration/agw/agw.tfvars -var-file online/aks_secure_baseline/configuration/agw/domain.tfvars -var-file online/aks_secure_baseline/configuration/keyvault/keyvaults.tfvars -var-file online/aks_secure_baseline/configuration/keyvault/certificate_requests.tfvars -var-file online/aks_secure_baseline/configuration/iam/iam_managed_identities.tfvars' - - - -for rgname in `az group list --query "[? 
contains(name,'launchpad')][].{name:name}" -o tsv`; do -echo Deleting ${rgname} -az group delete -n ${rgname} --yes --no-wait -done - - - -global_settings={"prfix":"yes"} \ No newline at end of file
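Review bot: Deleting `test` removes a service-principal client secret (the `-p` argument of the `az login --service-principal` line and the `ARM_CLIENT_SECRET` export, alongside the client, tenant and subscription ids) from the working tree but not from history: blob `090e72ee` remains reachable from every earlier commit and from any clone or fork made before this change. The credential should be treated as exposed and rotated in Azure AD, and the commit message should record that the rotation was done; rewriting history is secondary to rotation and does not reach existing clones. A secret-scanning pre-commit hook on this repository would stop the next such file before it lands, and the deleted script's `az login` line would be the pattern to test it against.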