From 2c4a84400d70ca8dc7fb55ba61c9f1a94545ae08 Mon Sep 17 00:00:00 2001
From: Eugene
Date: Mon, 12 Apr 2021 11:21:31 -0700
Subject: [PATCH 01/13] launchpad

---
 enterprise_scale/construction_sets/aks/scripts/launchpad.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/enterprise_scale/construction_sets/aks/scripts/launchpad.sh b/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
index bd36e984..ed4fb87f 100755
--- a/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
+++ b/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
@@ -6,6 +6,7 @@ if [ "${storage_name}" = "null" ]; then
 git clone https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/public
 /tf/rover/rover.sh -lz /tf/caf/public/landingzones/caf_launchpad -a apply -launchpad -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/launchpad
 storage_name=$(az storage account list --query "[?tags.tfstate=='level0' && tags.launchpad=='launchpad']" -o json | jq -r .[0].name)
+ ls -ltr
 fi
 
 export LAUNCHPAD_PREFIX=${storage_name%stlevel*}

From 32c9432076e081c61ce2e7efeebd9f14ad42293b Mon Sep 17 00:00:00 2001
From: Eugene
Date: Mon, 12 Apr 2021 11:28:20 -0700
Subject: [PATCH 02/13] caf/public

---
 enterprise_scale/construction_sets/aks/scripts/launchpad.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/enterprise_scale/construction_sets/aks/scripts/launchpad.sh b/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
index ed4fb87f..2e995b87 100755
--- a/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
+++ b/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
@@ -6,7 +6,7 @@ if [ "${storage_name}" = "null" ]; then
 git clone https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/public
 /tf/rover/rover.sh -lz /tf/caf/public/landingzones/caf_launchpad -a apply -launchpad -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/launchpad
 storage_name=$(az storage account list --query "[?tags.tfstate=='level0' && tags.launchpad=='launchpad']" -o json | jq -r .[0].name)
- ls -ltr
+ ls -ltr /tf/caf/public
 fi
 
 export LAUNCHPAD_PREFIX=${storage_name%stlevel*}

From 012dd93fb60917fc8c7226f8ac63388423112094 Mon Sep 17 00:00:00 2001
From: Eugene
Date: Mon, 12 Apr 2021 11:41:14 -0700
Subject: [PATCH 03/13] fix

---
 enterprise_scale/construction_sets/aks/scripts/launchpad.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/enterprise_scale/construction_sets/aks/scripts/launchpad.sh b/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
index 2e995b87..2eaf7486 100755
--- a/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
+++ b/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
@@ -4,7 +4,7 @@ storage_name=$(az storage account list --query "[?tags.tfstate=='level0' && tags
 
 if [ "${storage_name}" = "null" ]; then
 git clone https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/public
- /tf/rover/rover.sh -lz /tf/caf/public/landingzones/caf_launchpad -a apply -launchpad -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/launchpad
+ /tf/rover/rover.sh -lz /tf/caf/public/caf_launchpad -a apply -launchpad -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/launchpad
 storage_name=$(az storage account list --query "[?tags.tfstate=='level0' && tags.launchpad=='launchpad']" -o json | jq -r .[0].name)
 ls -ltr /tf/caf/public
 fi

From a48edbb45f849a6fab77b44dfc2f2f1d3b2db727 Mon Sep 17 00:00:00 2001
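Review bot: The changed `/tf/rover/rover.sh -lz /tf/caf/public/caf_launchpad -a apply -launchpad ...` line applies Terraform from a checkout that the preceding `git clone https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/public` line fetches with no `--branch`/tag and no commit check, so whatever is on that repository's default branch at run time is executed under the identity rover is logged in as; that this commit has to move the landing-zone path shows the upstream layout has already shifted under the script once. Pin the clone to a reviewed ref and stop before rover runs if it fails, e.g. `git clone --depth 1 --branch <reviewed-tag> https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/public || exit 1`, with a comment above it naming the tag that was reviewed. The top of the script is outside this hunk, so I cannot see whether `set -e` is in effect; if it is not, a failed clone (for instance because `/tf/caf/public` already exists) currently lets the apply run anyway.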
From: Eugene
Date: Mon, 12 Apr 2021 12:59:47 -0700
Subject: [PATCH 04/13] clean

---
 enterprise_scale/construction_sets/aks/flux.tf | 16 ++++++++--------
 .../configuration/resource_groups.tfvars | 14 +++++++-------
 .../test/level1_foundation/ExpectedValues.yml | 2 +-
 .../level2_shared_services/ExpectedValues.yml | 2 +-
 .../aks/test/level3_aks/ExpectedValues.yml | 2 +-
 5 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/enterprise_scale/construction_sets/aks/flux.tf b/enterprise_scale/construction_sets/aks/flux.tf
index 5c11e38f..5811d057 100644
--- a/enterprise_scale/construction_sets/aks/flux.tf
+++ b/enterprise_scale/construction_sets/aks/flux.tf
@@ -1,17 +1,17 @@
 provider "flux" {}
 
 provider "kubectl" {
- host = module.caf.aks_clusters == null ? null : module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host
- client_key = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key)
- client_certificate = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate)
- cluster_ca_certificate = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate)
+ host = try(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host, null)
+ client_key = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key), null)
+ client_certificate = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate), null)
+ cluster_ca_certificate = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate), null)
 }
 
 provider "kubernetes" {
- host = module.caf.aks_clusters == null ? null : module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host
- client_key = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key)
- client_certificate = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate)
- cluster_ca_certificate = module.caf.aks_clusters == null ? null : base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate)
+ host = try(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host, null)
+ client_key = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key), null)
+ client_certificate = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate), null)
+ cluster_ca_certificate = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate), null)
 }
 
 provider "github" {
diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/resource_groups.tfvars b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/resource_groups.tfvars
index 4eee767c..0ae43885 100644
--- a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/resource_groups.tfvars
+++ b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/resource_groups.tfvars
@@ -1,36 +1,36 @@
 resource_groups = {
 aks_re1 = {
- name = "ef-aks-re1"
+ name = "aks-re1"
 region = "region1"
 }
 
 agw_re1 = {
- name = "ef-agw-re1"
+ name = "agw-re1"
 region = "region1"
 }
 
 vnet_hub_re1 = {
- name = "ef-vnet-hub-re1"
+ name = "vnet-hub-re1"
 region = "region1"
 }
 
 aks_spoke_re1 = {
- name = "ef-aks_spoke_re1"
+ name = "aks_spoke_re1"
 region = "region1"
 }
 
 ops_re1 = {
- name = "ef-ops_re1"
+ name = "ops_re1"
 region = "region1"
 }
 
 devops_re1 = {
- name = "ef-devops_re1"
+ name = "devops_re1"
 region = "region1"
 }
 
 jumpbox_re1 = {
- name = "ef-jumpbox_re1"
+ name = "jumpbox_re1"
 region = "region1"
 }
 }
diff --git a/enterprise_scale/construction_sets/aks/test/level1_foundation/ExpectedValues.yml b/enterprise_scale/construction_sets/aks/test/level1_foundation/ExpectedValues.yml
index c012f14c..7ea07e36 100644
--- a/enterprise_scale/construction_sets/aks/test/level1_foundation/ExpectedValues.yml
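Review bot: Both rewritten provider blocks still authenticate with `kube_admin_config[0]`, i.e. the cluster's local admin client certificate rather than an Azure AD principal, so Flux bootstrapping and anything else these providers do runs outside AAD RBAC and its audit trail; and wrapping every argument in `try(..., null)` now turns a missing output or a failed `base64decode` into a silently unconfigured provider instead of a plan-time error, which will surface later as an opaque connection failure. If the clusters are AAD-integrated, prefer `kube_config` under an AAD identity (or disable local accounts), and otherwise add a comment above `provider "kubectl" {` stating why admin credentials are required so the next reader does not assume it is an oversight. Either way the client key these expressions decode is held in this landing zone's Terraform state, so protection of that state backend is the control that actually bounds who can become cluster-admin.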
+++ b/enterprise_scale/construction_sets/aks/test/level1_foundation/ExpectedValues.yml
@@ -1,2 +1,2 @@
 keyVaultName: "kv-secrets"
-keyVaultResourceGroupName: "rg-ef-aks-re1"
+keyVaultResourceGroupName: "rg-aks-re1"
diff --git a/enterprise_scale/construction_sets/aks/test/level2_shared_services/ExpectedValues.yml b/enterprise_scale/construction_sets/aks/test/level2_shared_services/ExpectedValues.yml
index 6c6867ef..aaf13790 100644
--- a/enterprise_scale/construction_sets/aks/test/level2_shared_services/ExpectedValues.yml
+++ b/enterprise_scale/construction_sets/aks/test/level2_shared_services/ExpectedValues.yml
@@ -1,2 +1,2 @@
 logWorkspaceName: "log-logs"
-logResourceGroupName: "rg-ef-ops_re1"
+logResourceGroupName: "rg-ops_re1"
diff --git a/enterprise_scale/construction_sets/aks/test/level3_aks/ExpectedValues.yml b/enterprise_scale/construction_sets/aks/test/level3_aks/ExpectedValues.yml
index f8338bea..2ab25724 100644
--- a/enterprise_scale/construction_sets/aks/test/level3_aks/ExpectedValues.yml
+++ b/enterprise_scale/construction_sets/aks/test/level3_aks/ExpectedValues.yml
@@ -1,5 +1,5 @@
 ClusterName: "aks-akscluster-re1-001"
-ResourceGroupName: "rg-ef-aks-re1"
+ResourceGroupName: "rg-aks-re1"
 DefaultNodePoolName: "sharedsvc"
 UserNodepoolName: "npuser01"
 AgentCount: 3

From b54cb190cbb52ad50484c1f25d9c18353c6fbf7b Mon Sep 17 00:00:00 2001
From: Eugene
Date: Mon, 12 Apr 2021 13:28:45 -0700
Subject: [PATCH 05/13] cleaning

---
 caf | 1 -
 .../aks/scripts/launchpad.sh | 1 -
 test | 58 ------------------------
 3 files changed, 60 deletions(-)
 delete mode 120000 caf
 delete mode 100644 test

diff --git a/caf b/caf
deleted file mode 120000
index 2e137e33..00000000
--- a/caf
+++ /dev/null
@@ -1 +0,0 @@
-/tf/caf
\ No newline at end of file
diff --git a/enterprise_scale/construction_sets/aks/scripts/launchpad.sh b/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
index 2eaf7486..d01c3ab4 100755
--- a/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
+++ b/enterprise_scale/construction_sets/aks/scripts/launchpad.sh
@@ -6,7 +6,6 @@ if [ "${storage_name}" = "null" ]; then
 git clone https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/public
 /tf/rover/rover.sh -lz /tf/caf/public/caf_launchpad -a apply -launchpad -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/launchpad
 storage_name=$(az storage account list --query "[?tags.tfstate=='level0' && tags.launchpad=='launchpad']" -o json | jq -r .[0].name)
- ls -ltr /tf/caf/public
 fi
 
 export LAUNCHPAD_PREFIX=${storage_name%stlevel*}
diff --git a/test b/test
deleted file mode 100644
index 090e72ee..00000000
--- a/test
+++ /dev/null
@@ -1,58 +0,0 @@ -export TF_VAR_workspace=secureaks - --tfstate caf_foundations.tfstate \ --level level0 \ --launchpad \ - --launchpad \ - -az login --service-principal -u 8ccc504d-7fd0-4b2e-b6da-e2b04537d848 -p sbbj1iZZRq.PU8XtOQUFfQ_JQhu1h1wq2t --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47 - -export ARM_CLIENT_ID=8ccc504d-7fd0-4b2e-b6da-e2b04537d848 -export ARM_CLIENT_SECRET=sbbj1iZZRq.PU8XtOQUFfQ_JQhu1h1wq2t -export ARM_SUBSCRIPTION_ID=0fe1cc35-0cfa-4152-97d7-5dfb45a8d4ba -export ARM_TENANT_ID=72f988bf-86f1-41af-91ab-2d7cd011db47 - -id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.launchpad=='launchpad']" -o json | jq -r .[0].id) - -if [ "${id}" == "null" ]; then - git clone https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/public - /tf/rover/rover.sh -lz /tf/caf/public/landingzones/caf_launchpad -a apply -launchpad -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/levels/launchpad -fi - -/tf/rover/rover.sh -lz /tf/caf/enterprise_scale/construction_sets/aks \ - -a apply \ - -level level1 \ - -tfstate secure-aks-foundations.tfstate \ - '-var-file online/aks_secure_baseline/configuration/global_settings.tfvars -var-file online/aks_secure_baseline/configuration/resource_groups.tfvars -var-file online/aks_secure_baseline/configuration/iam/iam_managed_identities.tfvars -var-file online/aks_secure_baseline/configuration/iam/iam_role_mappings.tfvars -var-file online/aks_secure_baseline/configuration/keyvault/keyvaults.tfvars' - -/tf/rover/rover.sh -lz /tf/caf/enterprise_scale/construction_sets/aks \ - -a apply \ - -level level2 \ - -tfstate secure-aks-foundations.tfstate \ - '-var-file online/aks_secure_baseline/configuration/monitor/diagnostics.tfvars -var-file online/aks_secure_baseline/configuration/monitor/log_analytics.tfvars' - - - -/tf/rover/rover.sh -lz /tf/caf/enterprise_scale/construction_sets/aks \ - -a apply \ - -level level2 \ - -tfstate secure-aks-shared-services.tfstate \ - 
'-var-file online/aks_secure_baseline/configuration/global_settings.tfvars -var-file online/aks_secure_baseline/configuration/resource_groups.tfvars -var-file online/aks_secure_baseline/configuration/monitor/diagnostics.tfvars -var-file online/aks_secure_baseline/configuration/monitor/log_analytics.tfvars' - -/tf/rover/rover.sh -lz /tf/caf/enterprise_scale/construction_sets/aks \ - -a apply \ - -level level2 \ - -tfstate 2_networking.tfstate \ - '-var-file online/aks_secure_baseline/configuration/global_settings.tfvars -var-file online/aks_secure_baseline/configuration/resource_groups.tfvars -var-file online/aks_secure_baseline/configuration/networking/firewall_application_rule_collection_definition.tfvars -var-file online/aks_secure_baseline/configuration/networking/firewall_network_rule_collection_definition.tfvars -var-file online/aks_secure_baseline/configuration/networking/firewalls.tfvars -var-file online/aks_secure_baseline/configuration/networking/ip_groups.tfvars -var-file online/aks_secure_baseline/configuration/networking/networking.tfvars -var-file online/aks_secure_baseline/configuration/networking/nsg.tfvars -var-file online/aks_secure_baseline/configuration/networking/peerings.tfvars -var-file online/aks_secure_baseline/configuration/networking/private_dns.tfvars -var-file online/aks_secure_baseline/configuration/networking/public_ips.tfvars -var-file online/aks_secure_baseline/configuration/networking/route_tables.tfvars -var-file online/aks_secure_baseline/configuration/agw/agw_application.tfvars -var-file online/aks_secure_baseline/configuration/agw/agw.tfvars -var-file online/aks_secure_baseline/configuration/agw/domain.tfvars -var-file online/aks_secure_baseline/configuration/keyvault/keyvaults.tfvars -var-file online/aks_secure_baseline/configuration/keyvault/certificate_requests.tfvars -var-file online/aks_secure_baseline/configuration/iam/iam_managed_identities.tfvars' - - - -for rgname in `az group list --query "[? 
contains(name,'launchpad')][].{name:name}" -o tsv`; do -echo Deleting ${rgname} -az group delete -n ${rgname} --yes --no-wait -done - - - -global_settings={"prfix":"yes"} \ No newline at end of file From 6e1d8b3792d180c7d5769481bf7e5a8951441770 Mon Sep 17 00:00:00 2001 From: Eugene Date: Mon, 12 Apr 2021 13:51:47 -0700 Subject: [PATCH 06/13] aks version --- .../aks/online/aks_secure_baseline/configuration/aks.tfvars | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars index b55d8309..ec26ccaf 100644 --- a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars +++ b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars @@ -17,7 +17,7 @@ aks_clusters = { type = "SystemAssigned" } - kubernetes_version = "1.19.6" + kubernetes_version = "1.19.9" vnet_key = "vnet_aks_re1" network_profile = { @@ -67,7 +67,7 @@ aks_clusters = { node_count = 3 os_disk_type = "Ephemeral" os_disk_size_gb = 80 - orchestrator_version = "1.19.6" + orchestrator_version = "1.19.9" tags = { "project" = "system services" } @@ -86,7 +86,7 @@ aks_clusters = { os_disk_type = "Ephemeral" enable_auto_scaling = false os_disk_size_gb = 120 - orchestrator_version = "1.19.6" + orchestrator_version = "1.19.9" tags = { "project" = "user services" } From b51895f5d2223f38f42ded888454eddbd4b46935 Mon Sep 17 00:00:00 2001 From: Eugene Date: Mon, 12 Apr 2021 14:42:14 -0700 Subject: [PATCH 07/13] clean --- .../cluster-baseline-settings/aad-pod-identity.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
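Review bot: The deleted `test` file carried a working service-principal credential (`az login --service-principal -u ... -p ... --tenant ...`, and the same application id, secret, subscription and tenant again as `export ARM_CLIENT_ID=` / `export ARM_CLIENT_SECRET=` / `export ARM_SUBSCRIPTION_ID=` / `export ARM_TENANT_ID=`), and deleting the file from the tree does not remove it from history — it is still readable in this very patch series. Treat that secret as compromised and rotate or delete the service principal's credential now; rewriting history is optional and never a substitute for rotation. Add a `.gitignore` entry for repo-root scratch files such as `test` and a pre-commit secret scanner so this cannot recur, especially since the same file also contained a destructive `az group delete -n ${rgname} --yes --no-wait` loop over every resource group whose name contains `launchpad`.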
diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/aad-pod-identity.yaml b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/aad-pod-identity.yaml
index 6ea5544d..43df14b3 100644
--- a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/aad-pod-identity.yaml
+++ b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/aad-pod-identity.yaml
@@ -251,6 +251,7 @@ spec:
 memory: 256Mi
 nodeSelector:
 kubernetes.io/os: linux
+ agentpool: npuser01
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -315,6 +316,7 @@ spec:
 path: /etc/kubernetes/azure.json
 nodeSelector:
 kubernetes.io/os: linux
+ agentpool: npuser01
 ---
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzurePodIdentityException
@@ -361,4 +363,5 @@ metadata:
 namespace: kube-system
 spec:
 podLabels:
- rsName: omsagent-rs
\ No newline at end of file
+ rsName: omsagent-rs
+ 
\ No newline at end of file

From 2f427cf1328603906c817a01405daafce4b7b7d8 Mon Sep 17 00:00:00 2001
From: Eugene
Date: Mon, 12 Apr 2021 14:46:22 -0700
Subject: [PATCH 08/13] clean

---
 .../aks_secure_baseline/cluster-baseline-settings/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/README.md b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/README.md
index 10902d07..7c0e0508 100644
--- a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/README.md
+++ b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/README.md
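Review bot: `agentpool: npuser01` is now hardcoded in two `nodeSelector`s, but that pool name is defined on the Terraform side (the level3 ExpectedValues in this same series carry `UserNodepoolName: "npuser01"`), so renaming the pool would leave these pods permanently Pending with no error at apply time; add a comment beside each selector such as `# must match the user node pool name in configuration/aks.tfvars (npuser01)` or drive the selector from a label the cluster configuration owns. The second object mounts `/etc/kubernetes/azure.json` (visible in the hunk's context), so this change also pins a component that holds node-level cloud credentials onto the pool that runs user workloads; if that is deliberate because the system pool is tainted for critical add-ons only, say so in the same comment. If either of these objects is the NMI component, which has to run on every node where identity-using pods are scheduled, restricting it to one pool will break pod identity on the other pool — the objects' `metadata` is outside the hunk, so confirm which components these are.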
@@ -10,6 +10,7 @@ This is the root of the GitOps configuration directory. These Kubernetes object * Kubernetes RBAC Role Assignments to Azure AD Principals * [Kured](#kured) * Ingress Network Policy +* Flux (self-managing) * Azure Monitor Prometheus Scraping * Azure KeyVault Secret Store CSI Provider * Azure AD Pod Identity From b3ee57b20ae538516c20bc3b53dec51c3dde34c4 Mon Sep 17 00:00:00 2001 From: Eugene Date: Mon, 12 Apr 2021 15:09:29 -0700 Subject: [PATCH 09/13] aaaa --- configuration/sandpit/level3/aks/aks.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configuration/sandpit/level3/aks/aks.tfvars b/configuration/sandpit/level3/aks/aks.tfvars index dd25e272..5b17e969 100644 --- a/configuration/sandpit/level3/aks/aks.tfvars +++ b/configuration/sandpit/level3/aks/aks.tfvars @@ -48,7 +48,7 @@ aks_clusters = { } } - node_resource_group_name = "aks-nodes-re1" + node_resource_group_name = "aks-ef-nodes-re1" diagnostic_profiles = { central_logs_region1 = { From 788903042d6f1185039c2a77940f6cc5a860109d Mon Sep 17 00:00:00 2001 From: Eugene Date: Mon, 12 Apr 2021 15:25:35 -0700 Subject: [PATCH 10/13] clean --- .../aks/podidentity-assignment.tf | 35 ------------------- 1 file changed, 35 deletions(-) diff --git a/enterprise_scale/construction_sets/aks/podidentity-assignment.tf b/enterprise_scale/construction_sets/aks/podidentity-assignment.tf index 729e11e8..c9388cca 100644 --- a/enterprise_scale/construction_sets/aks/podidentity-assignment.tf +++ b/enterprise_scale/construction_sets/aks/podidentity-assignment.tf 
@@ -1,37 +1,2 @@ -resource "azurerm_role_assignment" "kubelet_ingressmsi_miop" { - for_each = module.caf.aks_clusters - scope = module.caf.managed_identities["ingress"].id - role_definition_name = "Managed Identity Operator" - principal_id = each.value.kubelet_identity[0].object_id -} - -data "azurerm_resource_group" "noderg" { - for_each = module.caf.aks_clusters - name = each.value.node_resource_group -} - -resource "azurerm_role_assignment" "kubelet_noderg_miop" { - for_each = module.caf.aks_clusters - - scope = data.azurerm_resource_group.noderg[each.key].id - role_definition_name = "Managed Identity Operator" - principal_id = each.value.kubelet_identity[0].object_id -} - -resource "azurerm_role_assignment" "kubelet_noderg_vmcontrib" { - for_each = module.caf.aks_clusters - - scope = data.azurerm_resource_group.noderg[each.key].id - role_definition_name = "Virtual Machine Contributor" - principal_id = each.value.kubelet_identity[0].object_id -} - -resource "azurerm_role_assignment" "kubelet_vnet_networkcontrib" { - for_each = module.caf.aks_clusters - - scope = module.caf.vnets[var.aks_clusters[each.key].vnet_key].id - role_definition_name = "Network Contributor" - principal_id = each.value.identity[0].principal_id -} # consider to narrow to ingress & nodepoll subnets \ No newline at end of file From e6b36cefac953f46f419b5a5a53397439dd387b6 Mon Sep 17 00:00:00 2001 From: Eugene Date: Mon, 12 Apr 2021 15:35:34 -0700 Subject: [PATCH 11/13] clean --- .../aks/podidentity-assignment.tf | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/enterprise_scale/construction_sets/aks/podidentity-assignment.tf b/enterprise_scale/construction_sets/aks/podidentity-assignment.tf index c9388cca..729e11e8 100644 --- a/enterprise_scale/construction_sets/aks/podidentity-assignment.tf +++ b/enterprise_scale/construction_sets/aks/podidentity-assignment.tf 
@@ -1,2 +1,37 @@ +resource "azurerm_role_assignment" "kubelet_ingressmsi_miop" { + for_each = module.caf.aks_clusters + scope = module.caf.managed_identities["ingress"].id + role_definition_name = "Managed Identity Operator" + principal_id = each.value.kubelet_identity[0].object_id +} + +data "azurerm_resource_group" "noderg" { + for_each = module.caf.aks_clusters + name = each.value.node_resource_group +} + +resource "azurerm_role_assignment" "kubelet_noderg_miop" { + for_each = module.caf.aks_clusters + + scope = data.azurerm_resource_group.noderg[each.key].id + role_definition_name = "Managed Identity Operator" + principal_id = each.value.kubelet_identity[0].object_id +} + +resource "azurerm_role_assignment" "kubelet_noderg_vmcontrib" { + for_each = module.caf.aks_clusters + + scope = data.azurerm_resource_group.noderg[each.key].id + role_definition_name = "Virtual Machine Contributor" + principal_id = each.value.kubelet_identity[0].object_id +} + +resource "azurerm_role_assignment" "kubelet_vnet_networkcontrib" { + for_each = module.caf.aks_clusters + + scope = module.caf.vnets[var.aks_clusters[each.key].vnet_key].id + role_definition_name = "Network Contributor" + principal_id = each.value.identity[0].principal_id +} # consider to narrow to ingress & nodepoll subnets \ No newline at end of file From 231e2c6819d9829cd2460c1fbe8142c087b439ae Mon Sep 17 00:00:00 2001 From: Eugene Date: Mon, 12 Apr 2021 15:38:02 -0700 Subject: [PATCH 12/13] clean --- .../aks/online/aks_secure_baseline/configuration/aks.tfvars | 1 + 1 file changed, 1 insertion(+) diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars index ec26ccaf..50e98165 100644 --- a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars +++ b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars 
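Review bot: `kubelet_vnet_networkcontrib` grants `Network Contributor` on the entire VNet (`module.caf.vnets[var.aks_clusters[each.key].vnet_key].id`) to the cluster identity, and the dangling `# consider to narrow to ingress & nodepoll subnets` after the closing brace already records that this is broader than needed; scope the assignment to the subnet IDs the cluster actually uses (if the module exposes them, something like `module.caf.vnets[...].subnets[<key>].id`) and either remove the comment or move it inside the resource body where it will not be lost. `kubelet_noderg_vmcontrib` gives the kubelet identity `Virtual Machine Contributor` over the whole node resource group, which lets it reconfigure the node VMSS — presumably this exists for AAD Pod Identity (the series also edits aad-pod-identity.yaml), so state that in a comment on the resource so the grant is removed when that add-on goes. This hunk restores verbatim what PATCH 10 deleted, so the file has no documentation of why any of these four role assignments exist; a one-line comment per resource would make that churn safer next time.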
@@ -73,6 +73,7 @@ aks_clusters = { } } + node_resource_group_name = "aks-nodes-re1" node_pools = { From 8efdc95d00ae89c5b303ce5c998c6db688d2e7cd Mon Sep 17 00:00:00 2001 From: Eugene Date: Mon, 12 Apr 2021 15:38:54 -0700 Subject: [PATCH 13/13] clean --- configuration/sandpit/level3/aks/aks.tfvars | 2 +- .../aks/online/aks_secure_baseline/configuration/aks.tfvars | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/configuration/sandpit/level3/aks/aks.tfvars b/configuration/sandpit/level3/aks/aks.tfvars index 5b17e969..dd25e272 100644 --- a/configuration/sandpit/level3/aks/aks.tfvars +++ b/configuration/sandpit/level3/aks/aks.tfvars @@ -48,7 +48,7 @@ aks_clusters = { } } - node_resource_group_name = "aks-ef-nodes-re1" + node_resource_group_name = "aks-nodes-re1" diagnostic_profiles = { central_logs_region1 = { diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars index 50e98165..ec26ccaf 100644 --- a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars +++ b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars @@ -73,7 +73,6 @@ aks_clusters = { } } - node_resource_group_name = "aks-nodes-re1" node_pools = {