# Resolves the pre-existing resource group the cluster is deployed into.
# Its name and location are reused by the cluster and the monitoring
# resources defined further down; nothing here creates the group.
data "azurerm_resource_group" "rg" {
  name = var.resource_group_name
}
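# SSH key pair helper for the node login profile.
#
# The original expression `var.public_ssh_key == "" ? "" : var.public_ssh_key`
# evaluated to var.public_ssh_key in both branches, so the variable is now
# passed through directly with no change in behaviour.
module "ssh-key" {
  source = "./modules/ssh-key"

  # When this is empty the cluster's linux_profile falls back to
  # module.ssh-key.public_ssh_key, so the sub-module is presumably expected to
  # generate a pair in that case — confirm in ./modules/ssh-key.
  public_ssh_key = var.public_ssh_key
}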
# Eight-character suffix without upper-case or special characters; used to
# build the Log Analytics workspace name (see azurerm_log_analytics_workspace.main).
resource "random_string" "main" {
  upper   = false
  special = false
  length  = 8
}
# Managed AKS cluster. Every security-relevant setting is driven by an input
# variable; the comments below flag the ones that widen exposure when set
# loosely so a reviewer can check the caller's values against them.
resource "azurerm_kubernetes_cluster" "aks" {
  # ignore node_count in case we are using AutoScaling
  # default_node_pool tags are ignored as well, so drift in those tags is
  # never reconciled by this module.
  lifecycle {
    ignore_changes = [
      default_node_pool[0].node_count,
      default_node_pool[0].tags
    ]
  }

  name                = var.name
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  dns_prefix          = var.dns_prefix

  default_node_pool {
    name                         = var.default_pool_name
    vm_size                      = var.vm_size
    availability_zones           = var.availability_zones
    enable_auto_scaling          = var.enable_auto_scaling
    # Encryption of the node's local disks at the host; prefer enabled where
    # the chosen vm_size supports it.
    enable_host_encryption       = var.enable_host_encryption
    # true gives every node its own public IP and therefore a direct network
    # exposure; keep false unless a workload genuinely needs it.
    enable_node_public_ip        = var.enable_node_public_ip
    max_pods                     = var.max_pods
    node_labels                  = var.node_labels
    only_critical_addons_enabled = var.only_critical_addons_enabled
    orchestrator_version         = var.orchestrator_version
    os_disk_size_gb              = var.os_disk_size_gb
    os_disk_type                 = var.os_disk_type
    type                         = var.agent_type
    vnet_subnet_id               = var.vnet_subnet_id
    # min/max counts are only meaningful with the autoscaler, so they are
    # nulled out when it is off.
    max_count                    = var.enable_auto_scaling == true ? var.max_count : null
    min_count                    = var.enable_auto_scaling == true ? var.min_count : null
    node_count                   = var.node_count

    # Rendered only when the caller supplies a max_surge value.
    dynamic "upgrade_settings" {
      for_each = var.max_surge == null ? [] : ["upgrade_settings"]
      content {
        max_surge = var.max_surge
      }
    }
    tags = var.agent_tags
  }

  # Control-plane managed identity: system-assigned unless the caller passes a
  # user-assigned identity id.
  identity {
    type                      = var.user_assigned_identity_id == "" ? "SystemAssigned" : "UserAssigned"
    user_assigned_identity_id = var.user_assigned_identity_id == "" ? null : var.user_assigned_identity_id
  }

  linux_profile {
    admin_username = var.admin_username
    ssh_key {
      # remove any new lines using the replace interpolation function
      # Falls back to the key produced by module.ssh-key when no key was supplied.
      key_data = replace(var.public_ssh_key == "" ? module.ssh-key.public_ssh_key : var.public_ssh_key, "\n", "")
    }
  }

  addon_profile {
    aci_connector_linux {
      enabled     = var.enable_aci_connector_linux
      subnet_name = var.enable_aci_connector_linux ? var.aci_connector_linux_subnet_name : null
    }
    azure_policy {
      enabled = var.enable_azure_policy
    }
    # HTTP application routing is documented by Azure as not intended for
    # production clusters; keep it disabled there.
    http_application_routing {
      enabled = var.enable_http_application_routing
    }
    # The Kubernetes dashboard add-on is deprecated on AKS; keep it disabled.
    # NOTE: the variable is named enabled_kube_dashboard, unlike the other
    # enable_* flags in this file.
    kube_dashboard {
      enabled = var.enabled_kube_dashboard
    }
    # Container Insights agent, wired to the workspace created below under the
    # same flag, so the [0] index is only evaluated when the workspace exists.
    oms_agent {
      enabled                    = var.enable_log_analytics_workspace
      log_analytics_workspace_id = var.enable_log_analytics_workspace ? azurerm_log_analytics_workspace.main[0].id : null
    }
  }

  # With RBAC disabled every authenticated client is effectively cluster-admin.
  # The two AAD blocks below are only rendered when RBAC and AAD integration
  # are both on, and rbac_aad_managed selects exactly one of them.
  role_based_access_control {
    enabled = var.enable_role_based_access_control
    # Managed AAD integration (managed = true): only the admin group object
    # ids are supplied.
    dynamic "azure_active_directory" {
      for_each = var.enable_role_based_access_control && var.enable_azure_active_directory && var.rbac_aad_managed ? ["rbac"] : []
      content {
        managed                = true
        admin_group_object_ids = var.rbac_aad_admin_group_object_ids
      }
    }
    # Legacy AAD integration (managed = false) with caller-owned app
    # registrations.
    dynamic "azure_active_directory" {
      for_each = var.enable_role_based_access_control && var.enable_azure_active_directory && !var.rbac_aad_managed ? ["rbac"] : []
      content {
        managed           = false
        client_app_id     = var.rbac_aad_client_app_id
        server_app_id     = var.rbac_aad_server_app_id
        # Secret value: the variable should be declared sensitive = true in
        # variables.tf so it is redacted from plan output — confirm there.
        server_app_secret = var.rbac_aad_server_app_secret
      }
    }
  }

  network_profile {
    network_plugin     = var.network_plugin
    # Leaving this unset installs no policy engine, so pod-to-pod traffic is
    # unrestricted by default — check the caller's value.
    network_policy     = var.network_policy
    dns_service_ip     = var.dns_service_ip
    docker_bridge_cidr = var.docker_bridge_cidr
    outbound_type      = var.outbound_type
    pod_cidr           = var.pod_cidr
    service_cidr       = var.service_cidr
    load_balancer_sku  = var.load_balancer_sku
  }

  automatic_channel_upgrade       = var.automatic_channel_upgrade
  kubernetes_version              = var.kubernetes_version
  # CIDRs allowed to reach the public API server endpoint; when empty the
  # endpoint is reachable from anywhere unless private_cluster_enabled is true.
  api_server_authorized_ip_ranges = var.api_server_authorized_ip_ranges
  # Customer-managed key for node OS disks when set.
  disk_encryption_set_id          = var.disk_encryption_set_id
  # Private cluster: the API server is reachable only through a private
  # endpoint, with the zone below hosting its DNS record.
  private_cluster_enabled         = var.private_cluster_enabled
  private_dns_zone_id             = var.private_dns_zone_id
  node_resource_group             = var.node_resource_group
  sku_tier                        = var.sku_tier
  tags                            = var.tags
}
# Log Analytics workspace that receives the cluster's Container Insights data.
# Created only when monitoring is turned on; the cluster's oms_agent block and
# the solution resource below key off the same flag.
resource "azurerm_log_analytics_workspace" "main" {
  count = var.enable_log_analytics_workspace ? 1 : 0

  # The random suffix is appended to the dns_prefix to form the workspace name.
  name                = "${var.dns_prefix}-workspace-${random_string.main.result}"
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location

  sku = var.log_analytics_workspace_sku
  # Retention bounds how far back an investigation can look; size it to the
  # incident-response window the caller needs.
  retention_in_days = var.log_retention_in_days
  tags              = var.tags
}
# Enables the ContainerInsights solution on the workspace above. It is gated
# by the same flag as the workspace, so the [0] index is always resolvable.
resource "azurerm_log_analytics_solution" "main" {
  count = var.enable_log_analytics_workspace ? 1 : 0

  solution_name         = "ContainerInsights"
  resource_group_name   = data.azurerm_resource_group.rg.name
  location              = data.azurerm_resource_group.rg.location
  workspace_name        = azurerm_log_analytics_workspace.main[0].name
  workspace_resource_id = azurerm_log_analytics_workspace.main[0].id

  plan {
    product   = "OMSGallery/ContainerInsights"
    publisher = "Microsoft"
  }

  tags = var.tags
}
# Additional node pools, attached to the cluster created above. The pool
# definitions come straight from the caller via var.node_pools.
module "node-pools" {
  source = "./modules/node-pools"

  node_pools            = var.node_pools
  vnet_subnet_id        = var.vnet_subnet_id
  kubernetes_cluster_id = azurerm_kubernetes_cluster.aks.id
}
# Lets the node kubelet identity pull images from the caller's registry.
# AcrPull is the pull-only built-in role, so the cluster gains no push or
# management rights on the registry. Rendered only when enable_attach_acr is
# set; var.acr_id must then hold a valid registry resource id (no guard here,
# so any validation belongs in variables.tf).
resource "azurerm_role_assignment" "attach_acr" {
  count = var.enable_attach_acr ? 1 : 0

  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
  role_definition_name = "AcrPull"
  scope                = var.acr_id
}
# Allows the Container Insights agent identity to publish metrics for the
# cluster. The scope is the cluster resource itself, so the grant does not
# extend to anything else in the resource group. Gated by
# enable_log_analytics_workspace so the oms_agent_identity index is only
# evaluated when the add-on is actually enabled.
resource "azurerm_role_assignment" "aks" {
  count = var.enable_log_analytics_workspace ? 1 : 0

  principal_id         = azurerm_kubernetes_cluster.aks.addon_profile[0].oms_agent[0].oms_agent_identity[0].object_id
  role_definition_name = "Monitoring Metrics Publisher"
  scope                = azurerm_kubernetes_cluster.aks.id
}