From b18470228bd23167ffac8c9da391f17071fb3d12 Mon Sep 17 00:00:00 2001 From: Hernan Dominguez Date: Thu, 15 May 2025 16:34:31 +0200 Subject: [PATCH 01/11] Renaming resources and adding tags --- terraform/cluster/azure-aks/main.tf | 42 ++++++++++++++++----- terraform/cluster/azure-aks/variables.tf | 38 ++++++++++--------- terraform/network/azure-vnet/main.tf | 45 ++++++++++++++--------- terraform/network/azure-vnet/outputs.tf | 6 +-- terraform/network/azure-vnet/variables.tf | 8 ++-- 5 files changed, 87 insertions(+), 52 deletions(-) diff --git a/terraform/cluster/azure-aks/main.tf b/terraform/cluster/azure-aks/main.tf index 931b7c28..38b3792c 100644 --- a/terraform/cluster/azure-aks/main.tf +++ b/terraform/cluster/azure-aks/main.tf @@ -36,8 +36,8 @@ data "azurerm_client_config" "current" {} locals { kubeconfig_path = "${var.context_path}/.kube/config" - rg_name = var.resource_group_name == null ? "windsor-aks-rg-${var.context_id}" : var.resource_group_name - cluster_name = var.cluster_name == null ? "windsor-aks-cluster-${var.context_id}" : var.cluster_name + rg_name = var.resource_group_name == null ? "aks-${var.context_id}" : var.resource_group_name + cluster_name = var.cluster_name == null ? "aks-${var.context_id}" : var.cluster_name } #----------------------------------------------------------------------------------------------------------------------- @@ -47,6 +47,10 @@ locals { resource "azurerm_resource_group" "aks" { name = local.rg_name location = var.region + tags = { + WindsorContextID = var.context_id + Name = local.rg_name + } } #----------------------------------------------------------------------------------------------------------------------- 
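Review bot: Changing the default `rg_name` from `windsor-aks-rg-${var.context_id}` to `aks-${var.context_id}` forces replacement of `azurerm_resource_group.aks`, and on Azure that destroys every resource in the group (cluster, key vault, disk encryption set) before recreating it for any context that already exists. A `moved` block cannot express a name change, so this is a breaking change for existing deployments and should be called out in the commit message rather than described as a rename. The same applies to the `cluster_name` and key vault `name` changes in this hunk and to the resource-group, VNET and subnet renames in the azure-vnet hunks of this patch.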
@@ -61,7 +65,7 @@ resource "random_string" "key" { resource "azurerm_key_vault" "key_vault" { # checkov:skip=CKV2_AZURE_32: We are using a public cluster for testing, there is no need for private endpoints. - name = "keyvault-${var.context_id}-${random_string.key.result}" + name = "vault-${var.context_id}-${random_string.key.result}" location = azurerm_resource_group.aks.location resource_group_name = azurerm_resource_group.aks.name tenant_id = data.azurerm_client_config.current.tenant_id @@ -79,6 +83,10 @@ resource "azurerm_key_vault" "key_vault" { default_action = var.network_acls_default_action bypass = "AzureServices" } + tags = { + WindsorContextID = var.context_id + Name = "vault-${var.context_id}-${random_string.key.result}" + } } resource "azurerm_key_vault_access_policy" "key_vault_access_policy" { @@ -172,11 +180,15 @@ resource "azurerm_disk_encryption_set" "main" { #----------------------------------------------------------------------------------------------------------------------- resource "azurerm_log_analytics_workspace" "aks_logs" { - name = "aks-logs-${var.context_id}" + name = "aks-${var.context_id}" location = azurerm_resource_group.aks.location resource_group_name = azurerm_resource_group.aks.name sku = "PerGB2018" retention_in_days = 30 + tags = { + WindsorContextID = var.context_id + Name = "aks-${var.context_id}" + } } #----------------------------------------------------------------------------------------------------------------------- 
@@ -185,15 +197,19 @@ resource "azurerm_log_analytics_workspace" "aks_logs" { data "azurerm_subnet" "private" { count = var.vnet_subnet_id == null ? 1 : 0 - name = "${var.context_id}-private-1" - resource_group_name = var.vnet_resource_group_name == null ? "windsor-vnet-rg-${var.context_id}" : var.vnet_resource_group_name - virtual_network_name = var.vnet_name == null ? "windsor-vnet-${var.context_id}" : var.vnet_name + name = "private-1-${var.context_id}" + resource_group_name = var.vnet_resource_group_name == null ? "vnet-${var.context_id}" : var.vnet_resource_group_name + virtual_network_name = var.vnet_name == null ? "vnet-${var.context_id}" : var.vnet_name } resource "azurerm_user_assigned_identity" "cluster" { - name = "${var.context_id}-cluster-identity" + name = "cluster-${var.context_id}" location = var.region resource_group_name = azurerm_resource_group.aks.name + tags = { + WindsorContextID = var.context_id + Name = "cluster-${var.context_id}" + } } resource "azurerm_kubernetes_cluster" "main" { @@ -226,7 +242,7 @@ resource "azurerm_kubernetes_cluster" "main" { vm_size = var.default_node_pool.vm_size vnet_subnet_id = coalesce(var.vnet_subnet_id, try(data.azurerm_subnet.private[0].id, null)) orchestrator_version = var.kubernetes_version - only_critical_addons_enabled = true + only_critical_addons_enabled = var.default_node_pool.only_critical_addons_enabled # checkov:skip=CKV_AZURE_226: we are using the managed disk type to reduce costs os_disk_type = var.default_node_pool.os_disk_type host_encryption_enabled = var.default_node_pool.host_encryption_enabled @@ -280,6 +296,10 @@ resource "azurerm_kubernetes_cluster" "main" { workload_autoscaler_profile ] } + tags = { + WindsorContextID = var.context_id + Name = local.cluster_name + } } resource "azurerm_kubernetes_cluster_node_pool" "autoscaled" { 
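Review bot: `only_critical_addons_enabled = var.default_node_pool.only_critical_addons_enabled` reads an attribute that this patch never declares on `default_node_pool`; the new `only_critical_addons_enabled` field is added to the `autoscaled_node_pool` object type instead (variables.tf hunk at the start of the next line), so `terraform validate` fails at this commit. PATCH 02 of the series moves the field, but the fix belongs in this commit so each commit stays buildable. `resource "azurerm_kubernetes_cluster" "main"` starts and ends outside this hunk.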
@@ -304,6 +324,10 @@ resource "azurerm_kubernetes_cluster_node_pool" "autoscaled" { upgrade_settings ] } + tags = { + WindsorContextID = var.context_id + Name = var.autoscaled_node_pool.name + } } resource "local_file" "kube_config" { diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf index a3b65025..793b7471 100644 --- a/terraform/cluster/azure-aks/variables.tf +++ b/terraform/cluster/azure-aks/variables.tf @@ -83,26 +83,28 @@ variable "default_node_pool" { variable "autoscaled_node_pool" { description = "Configuration for the autoscaled node pool" type = object({ - enabled = bool - name = string - vm_size = string - mode = string - os_disk_type = string - max_pods = number - host_encryption_enabled = bool - min_count = number - max_count = number + enabled = bool + name = string + vm_size = string + mode = string + os_disk_type = string + max_pods = number + host_encryption_enabled = bool + min_count = number + max_count = number + only_critical_addons_enabled = bool }) default = { - enabled = true - name = "autoscaled" - vm_size = "Standard_D2s_v3" - mode = "User" - os_disk_type = "Managed" - max_pods = 30 - host_encryption_enabled = true - min_count = 1 - max_count = 3 + enabled = true + name = "autoscaled" + vm_size = "Standard_D2s_v3" + mode = "User" + os_disk_type = "Managed" + max_pods = 30 + host_encryption_enabled = true + min_count = 1 + max_count = 3 + only_critical_addons_enabled = true } } diff --git a/terraform/network/azure-vnet/main.tf b/terraform/network/azure-vnet/main.tf index 2e7754c4..f78c41f6 100644 --- a/terraform/network/azure-vnet/main.tf +++ b/terraform/network/azure-vnet/main.tf 
@@ -25,8 +25,8 @@ provider "azurerm" { #----------------------------------------------------------------------------------------------------------------------- locals { - vnet_name = var.vnet_name == null ? "windsor-vnet-${var.context_id}" : var.vnet_name - rg_name = var.resource_group_name == null ? "windsor-vnet-rg-${var.context_id}" : var.resource_group_name + vnet_name = var.vnet_name == null ? "vnet-${var.context_id}" : var.vnet_name + rg_name = var.resource_group_name == null ? "vnet-${var.context_id}" : var.resource_group_name } #----------------------------------------------------------------------------------------------------------------------- @@ -36,6 +36,10 @@ locals { resource "azurerm_resource_group" "main" { name = local.rg_name location = var.region + tags = { + WindsorContextID = var.context_id + Name = local.rg_name + } } #----------------------------------------------------------------------------------------------------------------------- @@ -47,6 +51,10 @@ resource "azurerm_virtual_network" "main" { address_space = [var.vnet_cidr] location = azurerm_resource_group.main.location resource_group_name = azurerm_resource_group.main.name + tags = { + WindsorContextID = var.context_id + Name = local.vnet_name + } } #----------------------------------------------------------------------------------------------------------------------- @@ -56,7 +64,7 @@ resource "azurerm_virtual_network" "main" { # Public subnets resource "azurerm_subnet" "public" { count = length(var.vnet_subnets["public"]) > 0 ? length(var.vnet_subnets["public"]) : var.vnet_zones - name = "${var.context_id}-public-${count.index + 1}" + name = "public-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name address_prefixes = length(var.vnet_subnets["public"]) > 0 ? [var.vnet_subnets["public"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.${count.index + 1}.0/24"] 
@@ -65,19 +73,19 @@ resource "azurerm_subnet" "public" { # Private subnets resource "azurerm_subnet" "private" { count = length(var.vnet_subnets["private"]) > 0 ? length(var.vnet_subnets["private"]) : var.vnet_zones - name = "${var.context_id}-private-${count.index + 1}" + name = "private-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name address_prefixes = length(var.vnet_subnets["private"]) > 0 ? [var.vnet_subnets["private"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.1${count.index + 1}.0/24"] } -# Data subnets -resource "azurerm_subnet" "data" { - count = length(var.vnet_subnets["data"]) > 0 ? length(var.vnet_subnets["data"]) : var.vnet_zones - name = "${var.context_id}-data-${count.index + 1}" +# Isolated subnets +resource "azurerm_subnet" "isolated" { + count = length(var.vnet_subnets["isolated"]) > 0 ? length(var.vnet_subnets["isolated"]) : var.vnet_zones + name = "isolated-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = length(var.vnet_subnets["data"]) > 0 ? [var.vnet_subnets["data"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.2${count.index + 1}.0/24"] + address_prefixes = length(var.vnet_subnets["isolated"]) > 0 ? [var.vnet_subnets["isolated"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.2${count.index + 1}.0/24"] } #----------------------------------------------------------------------------------------------------------------------- 
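Review bot: `var.vnet_subnets["isolated"]` is a hard key lookup, so any root module still passing a `vnet_subnets` map with the old `data` key, or without an `isolated` key, fails at plan time with an invalid-index error; the variable's type is not visible in this patch (only its default, in the variables.tf hunk two lines down), so either a `validation` block requiring the three keys or `lookup(var.vnet_subnets, "isolated", [])` would make the rename fail clearly or degrade gracefully. The `# Isolated subnets` comment should also record the intent, since the next hunk removes `azurerm_subnet_nat_gateway_association.data` and a later maintainer could read the missing association as an omission: `# Isolated subnets: no NAT gateway association, hence no outbound internet path by design`.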
@@ -87,20 +95,28 @@ resource "azurerm_subnet" "data" { # Public IP for NAT Gateway resource "azurerm_public_ip" "nat" { count = var.vnet_zones - name = "${var.context_id}-nat-gw-ip-${count.index + 1}" + name = "nat-gw-${count.index + 1}-${var.context_id}" location = azurerm_resource_group.main.location resource_group_name = azurerm_resource_group.main.name allocation_method = "Static" sku = "Standard" + tags = { + WindsorContextID = var.context_id + Name = "nat-gw-${count.index + 1}-${var.context_id}" + } } # NAT Gateway resource "azurerm_nat_gateway" "main" { count = var.vnet_zones - name = "${var.context_id}-nat-gw-${count.index + 1}" + name = "nat-${count.index + 1}-${var.context_id}" location = azurerm_resource_group.main.location resource_group_name = azurerm_resource_group.main.name sku_name = "Standard" + tags = { + WindsorContextID = var.context_id + Name = "nat-${count.index + 1}-${var.context_id}" + } } # Associate public IP with NAT Gateway @@ -116,10 +132,3 @@ resource "azurerm_subnet_nat_gateway_association" "private" { subnet_id = azurerm_subnet.private[count.index].id nat_gateway_id = azurerm_nat_gateway.main[count.index].id } - -# Associate NAT Gateway with data subnet -resource "azurerm_subnet_nat_gateway_association" "data" { - count = var.vnet_zones - subnet_id = azurerm_subnet.data[count.index].id - nat_gateway_id = azurerm_nat_gateway.main[count.index].id -} diff --git a/terraform/network/azure-vnet/outputs.tf b/terraform/network/azure-vnet/outputs.tf index d12453ef..7134121e 100644 --- a/terraform/network/azure-vnet/outputs.tf +++ b/terraform/network/azure-vnet/outputs.tf @@ -14,7 +14,7 @@ # value = azurerm_subnet.private[*].id # } -# output "data_subnet_ids" { -# description = "IDs of created data subnets" -# value = azurerm_subnet.data[*].id +# output "isolated_subnet_ids" { +# description = "IDs of created isolated subnets" +# value = azurerm_subnet.isolated[*].id # } 
diff --git a/terraform/network/azure-vnet/variables.tf b/terraform/network/azure-vnet/variables.tf index 39ad62e6..8aab98d9 100644 --- a/terraform/network/azure-vnet/variables.tf +++ b/terraform/network/azure-vnet/variables.tf @@ -36,12 +36,12 @@ variable "vnet_subnets" { # example: { # public = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"] # private = ["10.20.11.0/24", "10.20.12.0/24", "10.20.13.0/24"] - # data = ["10.20.21.0/24", "10.20.22.0/24", "10.20.23.0/24"] + # isolated = ["10.20.21.0/24", "10.20.22.0/24", "10.20.23.0/24"] # } default = { - public = [] - private = [] - data = [] + public = [] + private = [] + isolated = [] } } From 45499582aa21a7e7ce2d07b351034bee4ebec6b8 Mon Sep 17 00:00:00 2001 From: Hernan Dominguez Date: Thu, 15 May 2025 16:38:54 +0200 Subject: [PATCH 02/11] fix --- terraform/cluster/azure-aks/variables.tf | 58 ++++++++++++------------ 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf index 793b7471..16dfdb9e 100644 --- a/terraform/cluster/azure-aks/variables.tf +++ b/terraform/cluster/azure-aks/variables.tf 
@@ -59,55 +59,55 @@ variable "context_id" { variable "default_node_pool" { description = "Configuration for the default node pool" type = object({ - name = string - vm_size = string - os_disk_type = string - max_pods = number - host_encryption_enabled = bool - min_count = number - max_count = number - node_count = number - }) - default = { - name = "system" - vm_size = "Standard_D2s_v3" - os_disk_type = "Managed" - max_pods = 30 - host_encryption_enabled = true - min_count = 1 - max_count = 3 - node_count = 1 - } -} - -variable "autoscaled_node_pool" { - description = "Configuration for the autoscaled node pool" - type = object({ - enabled = bool name = string vm_size = string - mode = string os_disk_type = string max_pods = number host_encryption_enabled = bool min_count = number max_count = number + node_count = number only_critical_addons_enabled = bool }) default = { - enabled = true - name = "autoscaled" + name = "system" vm_size = "Standard_D2s_v3" - mode = "User" os_disk_type = "Managed" max_pods = 30 host_encryption_enabled = true min_count = 1 max_count = 3 + node_count = 1 only_critical_addons_enabled = true } } +variable "autoscaled_node_pool" { + description = "Configuration for the autoscaled node pool" + type = object({ + enabled = bool + name = string + vm_size = string + mode = string + os_disk_type = string + max_pods = number + host_encryption_enabled = bool + min_count = number + max_count = number + }) + default = { + enabled = true + name = "autoscaled" + vm_size = "Standard_D2s_v3" + mode = "User" + os_disk_type = "Managed" + max_pods = 30 + host_encryption_enabled = true + min_count = 1 + max_count = 3 + } +} + variable "role_based_access_control_enabled" { type = bool description = "Whether to enable role-based access control for the AKS cluster" From 9fa6182370a077de49cb1c360c75a33e9f9fc82e Mon Sep 17 00:00:00 2001 
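Review bot: The default `only_critical_addons_enabled = true` on `default_node_pool` taints the system pool with `CriticalAddonsOnly=true:NoSchedule`, so user workloads can only land on the autoscaled pool; a caller that sets `autoscaled_node_pool.enabled = false`, the only other pool visible in this module, gets a cluster where nothing but AKS add-ons can schedule. That coupling is not stated anywhere in the hunk; the description should say it, e.g. `description = "Configuration for the default (system) node pool; with only_critical_addons_enabled = true user pods require the autoscaled pool"`.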
From: Hernan Dominguez Date: Thu, 15 May 2025 17:08:50 +0200 Subject: [PATCH 03/11] Renaming resources again --- terraform/cluster/azure-aks/main.tf | 21 ++++++------ terraform/cluster/azure-aks/variables.tf | 41 +++++++++++++---------- terraform/network/azure-vnet/main.tf | 12 +++---- terraform/network/azure-vnet/variables.tf | 27 +++++++++------ 4 files changed, 56 insertions(+), 45 deletions(-) diff --git a/terraform/cluster/azure-aks/main.tf b/terraform/cluster/azure-aks/main.tf index 38b3792c..120ff3dd 100644 --- a/terraform/cluster/azure-aks/main.tf +++ b/terraform/cluster/azure-aks/main.tf @@ -36,8 +36,8 @@ data "azurerm_client_config" "current" {} locals { kubeconfig_path = "${var.context_path}/.kube/config" - rg_name = var.resource_group_name == null ? "aks-${var.context_id}" : var.resource_group_name - cluster_name = var.cluster_name == null ? "aks-${var.context_id}" : var.cluster_name + rg_name = var.resource_group_name == null ? "${var.name}-${var.context_id}" : var.resource_group_name + cluster_name = var.cluster_name == null ? "${var.name}-${var.context_id}" : var.cluster_name } #----------------------------------------------------------------------------------------------------------------------- @@ -65,7 +65,7 @@ resource "random_string" "key" { resource "azurerm_key_vault" "key_vault" { # checkov:skip=CKV2_AZURE_32: We are using a public cluster for testing, there is no need for private endpoints. - name = "vault-${var.context_id}-${random_string.key.result}" + name = "${var.name}-${var.context_id}-${random_string.key.result}" location = azurerm_resource_group.aks.location resource_group_name = azurerm_resource_group.aks.name tenant_id = data.azurerm_client_config.current.tenant_id @@ -85,7 +85,7 @@ resource "azurerm_key_vault" "key_vault" { } tags = { WindsorContextID = var.context_id - Name = "vault-${var.context_id}-${random_string.key.result}" + Name = "${var.name}-${var.context_id}-${random_string.key.result}" } } 
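Review bot: The key vault `name` is now `${var.name}-${var.context_id}-${random_string.key.result}` with `name` and `context_id` being unvalidated free-form strings, but Azure Key Vault names must be 3–24 characters, alphanumerics and hyphens only, start with a letter and be globally unique; a long context ID or a `name` containing underscores only fails at apply time, after the resource group has already been created. A `validation` block on `name` (and `context_id`) would fail fast at plan; the length of `random_string.key` is not visible here, so the exact character budget cannot be checked in this hunk. Note also that with the type prefixes dropped, the resource group, cluster, workspace, identity, vault, key and disk encryption set all carry the same base name, which makes them harder to tell apart in activity logs and cost reports.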
@@ -135,7 +135,7 @@ resource "azurerm_key_vault_access_policy" "key_vault_access_policy_disk" { resource "time_static" "expiry" {} resource "azurerm_key_vault_key" "key_vault_key" { - name = "key-${var.context_id}-${random_string.key.result}" + name = "${var.name}-${var.context_id}-${random_string.key.result}" key_vault_id = azurerm_key_vault.key_vault.id key_type = "RSA-HSM" key_size = 2048 @@ -165,7 +165,7 @@ resource "azurerm_key_vault_key" "key_vault_key" { } resource "azurerm_disk_encryption_set" "main" { - name = "des-${var.context_id}-${random_string.key.result}" + name = "${var.name}-${var.context_id}-${random_string.key.result}" resource_group_name = azurerm_resource_group.aks.name location = azurerm_resource_group.aks.location key_vault_key_id = azurerm_key_vault_key.key_vault_key.id @@ -180,14 +180,14 @@ resource "azurerm_disk_encryption_set" "main" { #----------------------------------------------------------------------------------------------------------------------- resource "azurerm_log_analytics_workspace" "aks_logs" { - name = "aks-${var.context_id}" + name = "${var.name}-${var.context_id}" location = azurerm_resource_group.aks.location resource_group_name = azurerm_resource_group.aks.name sku = "PerGB2018" retention_in_days = 30 tags = { WindsorContextID = var.context_id - Name = "aks-${var.context_id}" + Name = "${var.name}-${var.context_id}" } } @@ -203,12 +203,12 @@ data "azurerm_subnet" "private" { } resource "azurerm_user_assigned_identity" "cluster" { - name = "cluster-${var.context_id}" + name = "${var.name}-${var.context_id}" location = var.region resource_group_name = azurerm_resource_group.aks.name tags = { WindsorContextID = var.context_id - Name = "cluster-${var.context_id}" + Name = "${var.name}-${var.context_id}" } } 
@@ -331,7 +331,6 @@ resource "azurerm_kubernetes_cluster_node_pool" "autoscaled" { } resource "local_file" "kube_config" { - count = var.context_path != "" ? 1 : 0 content = azurerm_kubernetes_cluster.main.kube_config_raw filename = local.kubeconfig_path } diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf index 16dfdb9e..e4cb055f 100644 --- a/terraform/cluster/azure-aks/variables.tf +++ b/terraform/cluster/azure-aks/variables.tf @@ -1,6 +1,23 @@ #----------------------------------------------------------------------------------------------------------------------- # Variables #----------------------------------------------------------------------------------------------------------------------- +variable "context_path" { + type = string + description = "The path to the context folder, where kubeconfig is stored" + default = "" +} + +variable "context_id" { + description = "Context ID for the resources" + type = string + default = null +} + +variable "name" { + description = "Name of the resource" + type = string + default = "cluster" +} variable "resource_group_name" { description = "Name of the resource group" @@ -8,6 +25,12 @@ variable "resource_group_name" { default = null } +variable "cluster_name" { + description = "Name of the AKS cluster" + type = string + default = null +} + variable "vnet_resource_group_name" { description = "Name of the VNET resource group" type = string 
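Review bot: Dropping `count = var.context_path != "" ? 1 : 0` means `local_file.kube_config` is always created, and with the `context_path` default of `""` shown in the variables.tf hunk on this line the raw cluster-admin kubeconfig is written to `/.kube/config` at the filesystem root. If the guard is meant to go, `context_path` needs a non-empty default or a `validation` block rejecting `""`, and the file should be written with `file_permission = "0600"`, since `local_file` defaults to `0777` and `kube_config_raw` carries admin credentials; those credentials also remain in the Terraform state regardless of the file.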
@@ -32,30 +55,12 @@ variable "region" { default = "eastus" } -variable "cluster_name" { - description = "Name of the AKS cluster" - type = string - default = null -} - variable "kubernetes_version" { description = "Version of Kubernetes to use" type = string default = "1.32" } -variable "context_path" { - type = string - description = "The path to the context folder, where kubeconfig is stored" - default = "" -} - -variable "context_id" { - description = "Context ID for the resources" - type = string - default = null -} - variable "default_node_pool" { description = "Configuration for the default node pool" type = object({ diff --git a/terraform/network/azure-vnet/main.tf b/terraform/network/azure-vnet/main.tf index f78c41f6..f5bf3be4 100644 --- a/terraform/network/azure-vnet/main.tf +++ b/terraform/network/azure-vnet/main.tf @@ -25,8 +25,8 @@ provider "azurerm" { #----------------------------------------------------------------------------------------------------------------------- locals { - vnet_name = var.vnet_name == null ? "vnet-${var.context_id}" : var.vnet_name - rg_name = var.resource_group_name == null ? "vnet-${var.context_id}" : var.resource_group_name + vnet_name = var.vnet_name == null ? "${var.name}-${var.context_id}" : var.vnet_name + rg_name = var.resource_group_name == null ? "${var.name}-${var.context_id}" : var.resource_group_name } #----------------------------------------------------------------------------------------------------------------------- 
@@ -95,27 +95,27 @@ resource "azurerm_subnet" "isolated" { # Public IP for NAT Gateway resource "azurerm_public_ip" "nat" { count = var.vnet_zones - name = "nat-gw-${count.index + 1}-${var.context_id}" + name = "${var.name}-${count.index + 1}-${var.context_id}" location = azurerm_resource_group.main.location resource_group_name = azurerm_resource_group.main.name allocation_method = "Static" sku = "Standard" tags = { WindsorContextID = var.context_id - Name = "nat-gw-${count.index + 1}-${var.context_id}" + Name = "${var.name}-${count.index + 1}-${var.context_id}" } } # NAT Gateway resource "azurerm_nat_gateway" "main" { count = var.vnet_zones - name = "nat-${count.index + 1}-${var.context_id}" + name = "${var.name}-${count.index + 1}-${var.context_id}" location = azurerm_resource_group.main.location resource_group_name = azurerm_resource_group.main.name sku_name = "Standard" tags = { WindsorContextID = var.context_id - Name = "nat-${count.index + 1}-${var.context_id}" + Name = "${var.name}-${count.index + 1}-${var.context_id}" } } diff --git a/terraform/network/azure-vnet/variables.tf b/terraform/network/azure-vnet/variables.tf index 8aab98d9..e03974f7 100644 --- a/terraform/network/azure-vnet/variables.tf +++ b/terraform/network/azure-vnet/variables.tf @@ -1,11 +1,23 @@ # Variables +variable "context_id" { + description = "Context ID for the resources" + type = string + default = null +} + variable "region" { description = "Region for the resources" type = string default = "eastus" } +variable "name" { + description = "Name of the resource" + type = string + default = "network" +} + variable "resource_group_name" { description = "Name of the resource group" type = string @@ -18,12 +30,6 @@ variable "vnet_name" { default = null } -variable "vnet_zones" { - description = "Number of availability zones to create" - type = number - default = 1 -} - variable "vnet_cidr" { description = "CIDR block for VNET" type = string 
@@ -45,8 +51,9 @@ variable "vnet_subnets" { } } -variable "context_id" { - description = "Context ID for the resources" - type = string - default = null +# Only used if vnet_subnets is not defined +variable "vnet_zones" { + description = "Number of availability zones to create" + type = number + default = 1 } From 57a4d5739d4252b5cfebeb155811b682119e10a4 Mon Sep 17 00:00:00 2001 From: Hernan Dominguez Date: Thu, 15 May 2025 17:20:59 +0200 Subject: [PATCH 04/11] Fix tags and adding a tags variable --- terraform/cluster/azure-aks/main.tf | 45 +++++++++++------------ terraform/cluster/azure-aks/variables.tf | 6 +++ terraform/network/azure-vnet/main.tf | 31 ++++++++-------- terraform/network/azure-vnet/variables.tf | 6 +++ 4 files changed, 48 insertions(+), 40 deletions(-) diff --git a/terraform/cluster/azure-aks/main.tf b/terraform/cluster/azure-aks/main.tf index 120ff3dd..054c96bc 100644 --- a/terraform/cluster/azure-aks/main.tf +++ b/terraform/cluster/azure-aks/main.tf @@ -38,6 +38,9 @@ locals { kubeconfig_path = "${var.context_path}/.kube/config" rg_name = var.resource_group_name == null ? "${var.name}-${var.context_id}" : var.resource_group_name cluster_name = var.cluster_name == null ? "${var.name}-${var.context_id}" : var.cluster_name + tags = merge({ + WindsorContextID = var.context_id + }, var.tags) } #----------------------------------------------------------------------------------------------------------------------- @@ -47,10 +50,9 @@ locals { resource "azurerm_resource_group" "aks" { name = local.rg_name location = var.region - tags = { - WindsorContextID = var.context_id - Name = local.rg_name - } + tags = merge({ + Name = local.rg_name + }, local.tags) } #----------------------------------------------------------------------------------------------------------------------- 
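Review bot: `merge({ WindsorContextID = var.context_id }, var.tags)` gives the caller-supplied `tags` precedence, so a `WindsorContextID` key in `var.tags` silently overrides the context ID the module sets, and `merge({ Name = … }, local.tags)` in the resource blocks likewise lets `var.tags` override `Name`. If these are platform-owned governance tags, reverse the order: `tags = merge(var.tags, { WindsorContextID = var.context_id })` in locals and `tags = merge(local.tags, { Name = local.rg_name })` per resource; if caller override is intended, say so in the `tags` variable description. The same pattern appears in the remaining hunks of this commit on the next three lines, for both the azure-aks and the azure-vnet module.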
@@ -83,10 +85,9 @@ resource "azurerm_key_vault" "key_vault" { default_action = var.network_acls_default_action bypass = "AzureServices" } - tags = { - WindsorContextID = var.context_id - Name = "${var.name}-${var.context_id}-${random_string.key.result}" - } + tags = merge({ + Name = "${var.name}-${var.context_id}-${random_string.key.result}" + }, local.tags) } resource "azurerm_key_vault_access_policy" "key_vault_access_policy" { @@ -185,10 +186,9 @@ resource "azurerm_log_analytics_workspace" "aks_logs" { resource_group_name = azurerm_resource_group.aks.name sku = "PerGB2018" retention_in_days = 30 - tags = { - WindsorContextID = var.context_id - Name = "${var.name}-${var.context_id}" - } + tags = merge({ + Name = "${var.name}-${var.context_id}" + }, local.tags) } #----------------------------------------------------------------------------------------------------------------------- @@ -206,10 +206,9 @@ resource "azurerm_user_assigned_identity" "cluster" { name = "${var.name}-${var.context_id}" location = var.region resource_group_name = azurerm_resource_group.aks.name - tags = { - WindsorContextID = var.context_id - Name = "${var.name}-${var.context_id}" - } + tags = merge({ + Name = "${var.name}-${var.context_id}" + }, local.tags) } resource "azurerm_kubernetes_cluster" "main" { @@ -296,10 +295,9 @@ resource "azurerm_kubernetes_cluster" "main" { workload_autoscaler_profile ] } - tags = { - WindsorContextID = var.context_id - Name = local.cluster_name - } + tags = merge({ + Name = local.cluster_name + }, local.tags) } resource "azurerm_kubernetes_cluster_node_pool" "autoscaled" { @@ -324,10 +322,9 @@ resource "azurerm_kubernetes_cluster_node_pool" "autoscaled" { upgrade_settings ] } - tags = { - WindsorContextID = var.context_id - Name = var.autoscaled_node_pool.name - } + tags = merge({ + Name = var.autoscaled_node_pool.name + }, local.tags) } resource "local_file" "kube_config" { 
diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf index e4cb055f..8b910555 100644 --- a/terraform/cluster/azure-aks/variables.tf +++ b/terraform/cluster/azure-aks/variables.tf @@ -216,3 +216,9 @@ variable "soft_delete_retention_days" { description = "The number of days to retain the AKS cluster's key vault" default = 7 } + +variable "tags" { + description = "Tags to apply to the resources" + type = map(string) + default = {} +} diff --git a/terraform/network/azure-vnet/main.tf b/terraform/network/azure-vnet/main.tf index f5bf3be4..73902dd6 100644 --- a/terraform/network/azure-vnet/main.tf +++ b/terraform/network/azure-vnet/main.tf @@ -27,6 +27,9 @@ provider "azurerm" { locals { vnet_name = var.vnet_name == null ? "${var.name}-${var.context_id}" : var.vnet_name rg_name = var.resource_group_name == null ? "${var.name}-${var.context_id}" : var.resource_group_name + tags = merge({ + WindsorContextID = var.context_id + }, var.tags) } #----------------------------------------------------------------------------------------------------------------------- @@ -36,10 +39,9 @@ locals { resource "azurerm_resource_group" "main" { name = local.rg_name location = var.region - tags = { - WindsorContextID = var.context_id - Name = local.rg_name - } + tags = merge({ + Name = local.rg_name + }, local.tags) } #----------------------------------------------------------------------------------------------------------------------- @@ -51,10 +53,9 @@ resource "azurerm_virtual_network" "main" { address_space = [var.vnet_cidr] location = azurerm_resource_group.main.location resource_group_name = azurerm_resource_group.main.name - tags = { - WindsorContextID = var.context_id - Name = local.vnet_name - } + tags = merge({ + Name = local.vnet_name + }, local.tags) } #----------------------------------------------------------------------------------------------------------------------- 
@@ -100,10 +101,9 @@ resource "azurerm_public_ip" "nat" { resource_group_name = azurerm_resource_group.main.name allocation_method = "Static" sku = "Standard" - tags = { - WindsorContextID = var.context_id - Name = "${var.name}-${count.index + 1}-${var.context_id}" - } + tags = merge({ + Name = "${var.name}-${count.index + 1}-${var.context_id}" + }, local.tags) } # NAT Gateway @@ -113,10 +113,9 @@ resource "azurerm_nat_gateway" "main" { location = azurerm_resource_group.main.location resource_group_name = azurerm_resource_group.main.name sku_name = "Standard" - tags = { - WindsorContextID = var.context_id - Name = "${var.name}-${count.index + 1}-${var.context_id}" - } + tags = merge({ + Name = "${var.name}-${count.index + 1}-${var.context_id}" + }, local.tags) } # Associate public IP with NAT Gateway diff --git a/terraform/network/azure-vnet/variables.tf b/terraform/network/azure-vnet/variables.tf index e03974f7..a23ab8ab 100644 --- a/terraform/network/azure-vnet/variables.tf +++ b/terraform/network/azure-vnet/variables.tf @@ -57,3 +57,9 @@ variable "vnet_zones" { type = number default = 1 } + +variable "tags" { + description = "Tags to apply to the resources" + type = map(string) + default = {} +} From 2f46a47be0835410b92d754837cf4fa92f76ac67 Mon Sep 17 00:00:00 2001 From: Hernan Dominguez Date: Thu, 15 May 2025 17:25:54 +0200 Subject: [PATCH 05/11] Fix network datasource --- terraform/cluster/azure-aks/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/cluster/azure-aks/main.tf b/terraform/cluster/azure-aks/main.tf index 054c96bc..f1c7c2f1 100644 --- a/terraform/cluster/azure-aks/main.tf +++ b/terraform/cluster/azure-aks/main.tf 
@@ -198,8 +198,8 @@ resource "azurerm_log_analytics_workspace" "aks_logs" {
 data "azurerm_subnet" "private" {
   count = var.vnet_subnet_id == null ? 1 : 0
   name = "private-1-${var.context_id}"
-  resource_group_name = var.vnet_resource_group_name == null ? "vnet-${var.context_id}" : var.vnet_resource_group_name
-  virtual_network_name = var.vnet_name == null ? "vnet-${var.context_id}" : var.vnet_name
+  resource_group_name = var.vnet_resource_group_name == null ? "network-${var.context_id}" : var.vnet_resource_group_name
+  virtual_network_name = var.vnet_name == null ? "network-${var.context_id}" : var.vnet_name
 }
 
 resource "azurerm_user_assigned_identity" "cluster" {

From 10d1267df92552fb5691ad9930a0a62e58a5ab95 Mon Sep 17 00:00:00 2001
From: Hernan Dominguez
Date: Thu, 15 May 2025 17:40:43 +0200
Subject: [PATCH 06/11] Fixes

---
 terraform/cluster/azure-aks/main.tf      | 18 +++++++++++-------
 terraform/cluster/azure-aks/variables.tf | 12 +++---------
 2 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/terraform/cluster/azure-aks/main.tf b/terraform/cluster/azure-aks/main.tf
index f1c7c2f1..aab7f188 100644
--- a/terraform/cluster/azure-aks/main.tf
+++ b/terraform/cluster/azure-aks/main.tf
@@ -28,8 +28,19 @@ provider "azurerm" {
   }
 }
 
+#-----------------------------------------------------------------------------------------------------------------------
+# Data Sources
+#-----------------------------------------------------------------------------------------------------------------------
+
 data "azurerm_client_config" "current" {}
 
+data "azurerm_subnet" "private" {
+  count = var.vnet_subnet_id == null ? 1 : 0
+  name = "private-1-${var.context_id}"
+  resource_group_name = "${var.vnet_module_name}-${var.context_id}"
+  virtual_network_name = "${var.vnet_module_name}-${var.context_id}"
+}
+
 #-----------------------------------------------------------------------------------------------------------------------
 # Locals
 #-----------------------------------------------------------------------------------------------------------------------
@@ -195,13 +206,6 @@ resource "azurerm_log_analytics_workspace" "aks_logs" {
 # AKS Cluster
 #-----------------------------------------------------------------------------------------------------------------------
 
-data "azurerm_subnet" "private" {
-  count = var.vnet_subnet_id == null ? 1 : 0
-  name = "private-1-${var.context_id}"
-  resource_group_name = var.vnet_resource_group_name == null ? "network-${var.context_id}" : var.vnet_resource_group_name
-  virtual_network_name = var.vnet_name == null ? "network-${var.context_id}" : var.vnet_name
-}
-
 resource "azurerm_user_assigned_identity" "cluster" {
   name = "${var.name}-${var.context_id}"
   location = var.region
diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf
index 8b910555..f6895d8e 100644
--- a/terraform/cluster/azure-aks/variables.tf
+++ b/terraform/cluster/azure-aks/variables.tf
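Review bot: The relocated `data "azurerm_subnet" "private"` block derives both `resource_group_name` and `virtual_network_name` from the same `"${var.vnet_module_name}-${var.context_id}"` string without saying why, and the convention it depends on (the VNET module appearing to name its resource group and VNET identically) lives in another module that this hunk does not show. A comment above the block would stop the next maintainer from "fixing" one of the two and also record the fallback semantics of the `count` guard: `# Resolved only when no vnet_subnet_id is supplied: the private subnet is looked up in the resource group and VNET that the VNET module names "<vnet_module_name>-<context_id>".` The second hunk in this file only removes the earlier conditional form of the same block.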
@@ -31,16 +31,10 @@ variable "cluster_name" {
   default = null
 }
 
-variable "vnet_resource_group_name" {
-  description = "Name of the VNET resource group"
+variable "vnet_module_name" {
+  description = "Name on the VNET module"
   type = string
-  default = null
-}
-
-variable "vnet_name" {
-  description = "Name of the VNET"
-  type = string
-  default = null
+  default = "network"
 }
 
 variable "vnet_subnet_id" {

From 0b76c75644eed0754e521811ebafe2f39fb93c04 Mon Sep 17 00:00:00 2001
From: Hernan Dominguez
Date: Thu, 15 May 2025 17:45:44 +0200
Subject: [PATCH 07/11] Fix tests

---
 terraform/cluster/azure-aks/test.tftest.hcl | 29 ++++++++++++--------
 terraform/network/azure-vnet/test.tftest.hcl | 4 ++-
 2 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/terraform/cluster/azure-aks/test.tftest.hcl b/terraform/cluster/azure-aks/test.tftest.hcl
index fb1e90d7..76bd476a 100644
--- a/terraform/cluster/azure-aks/test.tftest.hcl
+++ b/terraform/cluster/azure-aks/test.tftest.hcl
@@ -19,16 +19,17 @@ run "minimal_configuration" {
 
   variables {
     context_id = "test"
+    name = "windsor-aks"
   }
 
   assert {
-    condition = azurerm_kubernetes_cluster.main.name == "windsor-aks-cluster-test"
-    error_message = "Cluster name should default to 'windsor-aks-cluster-test' when cluster_name is omitted"
+    condition = azurerm_kubernetes_cluster.main.name == "windsor-aks-test"
+    error_message = "Cluster name should default to 'windsor-aks-test' when cluster_name is omitted"
   }
 
   assert {
-    condition = azurerm_resource_group.aks.name == "windsor-aks-rg-test"
-    error_message = "Resource group name should default to 'windsor-aks-rg-test' when resource_group_name is omitted"
+    condition = azurerm_resource_group.aks.name == "windsor-aks-test"
+    error_message = "Resource group name should default to 'windsor-aks-test' when resource_group_name is omitted"
   }
 
   assert {
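Review bot: The description on the new `vnet_module_name` variable reads `Name on the VNET module`, which looks like a typo for "of", and it does not tell a caller that the value is also used to compute the VNET resource group and VNET names the cluster looks up. Suggest `description = "Name of the VNET module; when vnet_subnet_id is not set, the private subnet is looked up in the resource group and VNET named \"<vnet_module_name>-<context_id>\""`. Because this hunk deletes `vnet_resource_group_name` and `vnet_name`, callers that pointed the cluster at an existing VNET by name lose that option and must now pass `vnet_subnet_id` or follow the naming convention; a commit title of `Fixes` does not signal that interface change, so it deserves a sentence in the commit message or changelog.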
@@ -74,18 +75,20 @@ run "full_configuration" {
 
   variables {
     context_id = "test"
+    name = "windsor-aks"
     cluster_name = "test-cluster"
     resource_group_name = "test-rg"
     kubernetes_version = "1.32"
     default_node_pool = {
-      name = "system"
-      vm_size = "Standard_D2s_v3"
-      os_disk_type = "Managed"
-      max_pods = 30
-      host_encryption_enabled = true
-      min_count = 1
-      max_count = 3
-      node_count = 1
+      name = "system"
+      vm_size = "Standard_D2s_v3"
+      os_disk_type = "Managed"
+      max_pods = 30
+      host_encryption_enabled = true
+      min_count = 1
+      max_count = 3
+      node_count = 1
+      only_critical_addons_enabled = false
     }
     autoscaled_node_pool = {
       enabled = true
@@ -187,6 +190,7 @@ run "private_cluster" {
 
   variables {
     context_id = "test"
+    name = "windsor-aks"
     cluster_name = "test-cluster"
     private_cluster_enabled = true
   }
@@ -204,6 +208,7 @@ run "no_config_files" {
 
   variables {
     context_id = "test"
+    name = "windsor-aks"
     cluster_name = "test-cluster"
     context_path = ""
   }
diff --git a/terraform/network/azure-vnet/test.tftest.hcl b/terraform/network/azure-vnet/test.tftest.hcl
index 72658c8e..75189cd8 100644
--- a/terraform/network/azure-vnet/test.tftest.hcl
+++ b/terraform/network/azure-vnet/test.tftest.hcl
@@ -7,10 +7,11 @@ run "minimal_configuration" {
 
   variables {
     context_id = "test"
+    name = "windsor-vnet"
   }
 
   assert {
-    condition = azurerm_resource_group.main.name == "windsor-vnet-rg-test"
+    condition = azurerm_resource_group.main.name == "windsor-vnet-test"
     error_message = "Resource group name should follow default naming convention"
   }
 
@@ -62,6 +63,7 @@ run "full_configuration" {
       data = ["10.30.21.0/24", "10.30.22.0/24"]
     }
     context_id = "test"
+    name = "custom"
   }
 
   assert {

From 3a2ba2549434a5638ec37c517a3c8f0913f6b16d Mon Sep 17 00:00:00 2001
From: Hernan Dominguez
Date: Thu, 15 May 2025 17:51:37 +0200
Subject: [PATCH 08/11] Fixes some tests

---
 terraform/network/azure-vnet/test.tftest.hcl | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/terraform/network/azure-vnet/test.tftest.hcl b/terraform/network/azure-vnet/test.tftest.hcl
index 75189cd8..ea3572b2 100644
--- a/terraform/network/azure-vnet/test.tftest.hcl
+++ b/terraform/network/azure-vnet/test.tftest.hcl
@@ -36,8 +36,8 @@ run "minimal_configuration" {
   }
 
   assert {
-    condition = length(azurerm_subnet.data) == 1
-    error_message = "One data subnet should be created by default"
+    condition = length(azurerm_subnet.isolated) == 1
+    error_message = "One isolated subnet should be created by default"
   }
 
   assert {
@@ -60,7 +60,7 @@ run "full_configuration" {
     vnet_subnets = {
       public = ["10.30.1.0/24", "10.30.2.0/24"]
       private = ["10.30.11.0/24", "10.30.12.0/24"]
-      data = ["10.30.21.0/24", "10.30.22.0/24"]
+      isolated = ["10.30.21.0/24", "10.30.22.0/24"]
     }
     context_id = "test"
     name = "custom"
@@ -92,8 +92,8 @@ run "full_configuration" {
   }
 
   assert {
-    condition = length(azurerm_subnet.data) == 2
-    error_message = "Two data subnets should be created"
+    condition = length(azurerm_subnet.isolated) == 2
+    error_message = "Two isolated subnets should be created"
   }
 
   assert {

From 0e5f11640e6f80a2fc04275ec721df7e034b08ab Mon Sep 17 00:00:00 2001
From: Hernan Dominguez
Date: Thu, 15 May 2025 18:41:36 +0200
Subject: [PATCH 09/11] chore: empty commit to trigger CI/CD

From 1c0bf50eb26c20b9048fd2261e09fde0a19ded4e Mon Sep 17 00:00:00 2001
From: Hernan Dominguez
Date: Thu, 15 May 2025 18:44:29 +0200
Subject: [PATCH 10/11] Fix formatting

---
 terraform/network/azure-vnet/test.tftest.hcl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/terraform/network/azure-vnet/test.tftest.hcl b/terraform/network/azure-vnet/test.tftest.hcl
index ea3572b2..7483ba0c 100644
--- a/terraform/network/azure-vnet/test.tftest.hcl
+++ b/terraform/network/azure-vnet/test.tftest.hcl
@@ -58,8 +58,8 @@ run "full_configuration" {
     vnet_zones = 2
     vnet_cidr = "10.30.0.0/16"
     vnet_subnets = {
-      public = ["10.30.1.0/24", "10.30.2.0/24"]
-      private = ["10.30.11.0/24", "10.30.12.0/24"]
+      public = ["10.30.1.0/24", "10.30.2.0/24"]
+      private = ["10.30.11.0/24", "10.30.12.0/24"]
       isolated = ["10.30.21.0/24", "10.30.22.0/24"]
     }
     context_id = "test"

From 1179b6a93d2dd3bff672bdce380c1565425ca162 Mon Sep 17 00:00:00 2001
From: Hernan Dominguez
Date: Thu, 15 May 2025 18:55:01 +0200
Subject: [PATCH 11/11] Fix tests

---
 terraform/cluster/azure-aks/test.tftest.hcl | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/terraform/cluster/azure-aks/test.tftest.hcl b/terraform/cluster/azure-aks/test.tftest.hcl
index 76bd476a..47c82b4c 100644
--- a/terraform/cluster/azure-aks/test.tftest.hcl
+++ b/terraform/cluster/azure-aks/test.tftest.hcl
@@ -201,20 +201,20 @@ run "private_cluster" {
   }
 }
 
-# Verifies that no kubeconfig file is generated when context_path is empty,
-# preventing unnecessary file creation in the root directory.
-run "no_config_files" {
+# Verifies that a kubeconfig file is generated,
+# ensuring proper cluster access configuration.
+run "config_file_created" {
   command = plan
 
   variables {
     context_id = "test"
     name = "windsor-aks"
     cluster_name = "test-cluster"
-    context_path = ""
+    context_path = "/tmp"
   }
 
   assert {
-    condition = length(local_file.kube_config) == 0
-    error_message = "No kubeconfig file should be generated without context path"
+    condition = length(local_file.kube_config) >= 1
+    error_message = "Kubeconfig file should be generated when context path is provided"
   }
 }
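Review bot: Turning `no_config_files` into `config_file_created` removes the only coverage of the empty-`context_path` case instead of adding the positive case beside it, so the behaviour the deleted comment described (no kubeconfig resource when `context_path` is empty) is no longer guarded unless the module dropped that branch, which nothing in this series shows. Keep both runs, and in the new one pin the count exactly, `condition = length(local_file.kube_config) == 1`, since `>= 1` would also pass if the resource were ever duplicated. The `/tmp` fixture is harmless under `command = plan` because nothing is written, but if the module builds the kubeconfig path beneath `context_path`, a future `command = apply` run would drop cluster credentials into a shared world-writable directory; a per-run temporary directory would be the safer fixture value.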