Fixing broken AKS/AGIC sample (#240)

* Fixing broken sample and update --------- Co-authored-by: hezijie <lonegunmanb@hotmail.com>
Azure · Sep 4, 2023 · 7ec608c · 7ec608c
1 parent dd26a7d
commit 7ec608c
Show file tree

Hide file tree

Showing 6 changed files with 216 additions and 213 deletions.
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/main.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/main.tf
@@ -1,32 +1,42 @@
-resource "random_pet" "rg-name" {
+resource "random_pet" "rg_name" {
   prefix = var.resource_group_name_prefix
 }
 
 resource "azurerm_resource_group" "rg" {
-  name     = random_pet.rg-name.id
+  name     = random_pet.rg_name.id
   location = var.resource_group_location
 }
 
 # Locals block for hardcoded names
 locals {
-  backend_address_pool_name      = "${azurerm_virtual_network.test.name}-beap"
-  frontend_port_name             = "${azurerm_virtual_network.test.name}-feport"
-  frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
-  http_setting_name              = "${azurerm_virtual_network.test.name}-be-htst"
-  listener_name                  = "${azurerm_virtual_network.test.name}-httplstn"
-  request_routing_rule_name      = "${azurerm_virtual_network.test.name}-rqrt"
-  app_gateway_subnet_name        = "appgwsubnet"
+  backend_address_pool_name      = "${azurerm_virtual_network.vnet.name}-beap"
+  frontend_port_name             = "${azurerm_virtual_network.vnet.name}-feport"
+  frontend_ip_configuration_name = "${azurerm_virtual_network.vnet.name}-feip"
+  http_setting_name              = "${azurerm_virtual_network.vnet.name}-be-htst"
+  listener_name                  = "${azurerm_virtual_network.vnet.name}-httplstn"
+  request_routing_rule_name      = "${azurerm_virtual_network.vnet.name}-rqrt"
 }
 
-# User Assigned Identities 
-resource "azurerm_user_assigned_identity" "testIdentity" {
-  resource_group_name = azurerm_resource_group.rg.name
-  location            = azurerm_resource_group.rg.location
+# Subnets
+data "azurerm_subnet" "kubesubnet" {
+  name                 = var.aks_subnet_name
+  virtual_network_name = azurerm_virtual_network.vnet.name
+  resource_group_name  = azurerm_resource_group.rg.name
+}
+
+data "azurerm_subnet" "appgwsubnet" {
+  name                 = var.appgw_subnet_name
+  virtual_network_name = azurerm_virtual_network.vnet.name
+  resource_group_name  = azurerm_resource_group.rg.name
+}
 
-  name = "identity1"
+data "azurerm_user_assigned_identity" "ingress" {
+  name                = "ingressapplicationgateway-${azurerm_kubernetes_cluster.aks.name}"
+  resource_group_name = azurerm_kubernetes_cluster.aks.node_resource_group
 }
 
-resource "azurerm_virtual_network" "test" {
+# Virtual network (vnet)
+resource "azurerm_virtual_network" "vnet" {
   name                = var.virtual_network_name
   location            = azurerm_resource_group.rg.location
   resource_group_name = azurerm_resource_group.rg.name
@@ -38,41 +48,74 @@ resource "azurerm_virtual_network" "test" {
   }
 
   subnet {
-    name           = "appgwsubnet"
+    name           = var.appgw_subnet_name
     address_prefix = var.app_gateway_subnet_address_prefix
   }
 }
 
-data "azurerm_subnet" "kubesubnet" {
-  name                 = var.aks_subnet_name
-  virtual_network_name = azurerm_virtual_network.test.name
-  resource_group_name  = azurerm_resource_group.rg.name
+resource "azurerm_user_assigned_identity" "aks" {
+  name                = "aks-${var.aks_cluster_name}"
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
 }
 
-data "azurerm_subnet" "appgwsubnet" {
-  name                 = "appgwsubnet"
-  virtual_network_name = azurerm_virtual_network.test.name
-  resource_group_name  = azurerm_resource_group.rg.name
+# AKS cluster
+resource "azurerm_kubernetes_cluster" "aks" {
+  name                              = var.aks_cluster_name
+  location                          = azurerm_resource_group.rg.location
+  resource_group_name               = azurerm_resource_group.rg.name
+  dns_prefix                        = var.aks_cluster_name
+  private_cluster_enabled           = var.aks_private_cluster
+  role_based_access_control_enabled = var.aks_enable_rbac
+  sku_tier                          = var.aks_sku_tier
+
+  default_node_pool {
+    name            = "agentpool"
+    node_count      = var.aks_node_count
+    vm_size         = var.aks_vm_size
+    os_disk_size_gb = var.aks_os_disk_size
+    max_pods        = 100
+    vnet_subnet_id  = data.azurerm_subnet.kubesubnet.id
+  }
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.aks.id]
+  }
+
+
+  network_profile {
+    network_plugin = "azure"
+    dns_service_ip = var.aks_dns_service_ip
+    service_cidr   = var.aks_service_cidr
+  }
+
+  ingress_application_gateway {
+    gateway_id = azurerm_application_gateway.appgw.id
+  }
+
+  depends_on = [
+    azurerm_application_gateway.appgw
+  ]
 }
 
-# Public Ip 
-resource "azurerm_public_ip" "test" {
-  name                = "publicIp1"
-  location            = azurerm_resource_group.rg.location
+resource "azurerm_public_ip" "pip" {
+  name                = "appgw-pip"
   resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
   allocation_method   = "Static"
   sku                 = "Standard"
 }
 
-resource "azurerm_application_gateway" "network" {
+resource "azurerm_application_gateway" "appgw" {
   name                = var.app_gateway_name
   resource_group_name = azurerm_resource_group.rg.name
   location            = azurerm_resource_group.rg.location
 
   sku {
-    name     = var.app_gateway_sku
-    tier     = "Standard_v2"
-    capacity = 2
+    name     = var.app_gateway_tier
+    tier     = var.app_gateway_tier
+    capacity = 1
   }
 
   gateway_ip_configuration {
@@ -85,14 +128,9 @@ resource "azurerm_application_gateway" "network" {
     port = 80
   }
 
-  frontend_port {
-    name = "httpsPort"
-    port = 443
-  }
-
   frontend_ip_configuration {
     name                 = local.frontend_ip_configuration_name
-    public_ip_address_id = azurerm_public_ip.test.id
+    public_ip_address_id = azurerm_public_ip.pip.id
   }
 
   backend_address_pool {
@@ -116,47 +154,45 @@ resource "azurerm_application_gateway" "network" {
 
   request_routing_rule {
     name                       = local.request_routing_rule_name
+    priority                   = 1
     rule_type                  = "Basic"
     http_listener_name         = local.listener_name
     backend_address_pool_name  = local.backend_address_pool_name
     backend_http_settings_name = local.http_setting_name
-    priority                   = 1
   }
-}
-
-resource "azurerm_kubernetes_cluster" "k8s" {
-  name       = var.aks_cluster_name
-  location   = azurerm_resource_group.rg.location
-  dns_prefix = var.aks_dns_prefix
 
-  identity {
-    type = "SystemAssigned"
+  # Since this sample is creating an Application Gateway 
+  # that is later managed by an Ingress Controller, there is no need 
+  # to create a backend address pool (BEP). However, the BEP is still 
+  # required by the resource. Therefore, "lifecycle:ignore_changes" is 
+  # used to prevent TF from managing the gateway.
+  lifecycle {
+    ignore_changes = [
+      tags,
+      backend_address_pool,
+      backend_http_settings,
+      http_listener,
+      probe,
+      request_routing_rule,
+    ]
   }
+}
 
-  resource_group_name = azurerm_resource_group.rg.name
-
-  http_application_routing_enabled = false
-
-  linux_profile {
-    admin_username = var.vm_username
-
-    ssh_key {
-      key_data = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
-    }
-  }
+# Role assignments
+resource "azurerm_role_assignment" "ra1" {
+  scope                = azurerm_resource_group.rg.id
+  role_definition_name = "Reader"
+  principal_id         = data.azurerm_user_assigned_identity.ingress.principal_id
+}
 
-  default_node_pool {
-    name            = "agentpool"
-    node_count      = var.aks_agent_count
-    vm_size         = var.aks_agent_vm_size
-    os_disk_size_gb = var.aks_agent_os_disk_size
-    vnet_subnet_id  = data.azurerm_subnet.kubesubnet.id
-  }
+resource "azurerm_role_assignment" "ra2" {
+  scope                = azurerm_virtual_network.vnet.id
+  role_definition_name = "Network Contributor"
+  principal_id         = data.azurerm_user_assigned_identity.ingress.principal_id
+}
 
-  network_profile {
-    network_plugin     = "azure"
-    dns_service_ip     = var.aks_dns_service_ip
-    docker_bridge_cidr = var.aks_docker_bridge_cidr
-    service_cidr       = var.aks_service_cidr
-  }
+resource "azurerm_role_assignment" "ra3" {
+  scope                = azurerm_application_gateway.appgw.id
+  role_definition_name = "Contributor"
+  principal_id         = data.azurerm_user_assigned_identity.ingress.principal_id
 }
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/outputs.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/outputs.tf
@@ -3,52 +3,60 @@ output "resource_group_name" {
 }
 
 output "aks_cluster_name" {
-  value = azurerm_kubernetes_cluster.k8s.name
+  value = azurerm_kubernetes_cluster.aks.name
+}
+
+output "application_gateway_name" {
+  value = azurerm_application_gateway.appgw.name
+}
+
+output "identity_name" {
+  value = azurerm_user_assigned_identity.aks.name
+}
+
+output "identity_resource_id" {
+  value = azurerm_user_assigned_identity.aks.id
+}
+
+output "identity_client_id" {
+  value = azurerm_user_assigned_identity.aks.client_id
+}
+
+output "application_ip_address" {
+  value = azurerm_public_ip.pip.ip_address
 }
 
 output "client_key" {
-  value     = azurerm_kubernetes_cluster.k8s.kube_config.0.client_key
+  value     = azurerm_kubernetes_cluster.aks.kube_config.0.client_key
   sensitive = true
 }
 
 output "client_certificate" {
-  value     = azurerm_kubernetes_cluster.k8s.kube_config.0.client_certificate
+  value     = azurerm_kubernetes_cluster.aks.kube_config.0.client_certificate
   sensitive = true
 }
 
 output "cluster_ca_certificate" {
-  value     = azurerm_kubernetes_cluster.k8s.kube_config.0.cluster_ca_certificate
+  value     = azurerm_kubernetes_cluster.aks.kube_config.0.cluster_ca_certificate
   sensitive = true
 }
 
 output "cluster_username" {
-  value     = azurerm_kubernetes_cluster.k8s.kube_config.0.username
+  value     = azurerm_kubernetes_cluster.aks.kube_config.0.username
   sensitive = true
 }
 
 output "cluster_password" {
-  value     = azurerm_kubernetes_cluster.k8s.kube_config.0.password
+  value     = azurerm_kubernetes_cluster.aks.kube_config.0.password
   sensitive = true
 }
 
 output "kube_config" {
-  value     = azurerm_kubernetes_cluster.k8s.kube_config_raw
+  value     = azurerm_kubernetes_cluster.aks.kube_config_raw
   sensitive = true
 }
 
 output "host" {
-  value     = azurerm_kubernetes_cluster.k8s.kube_config.0.host
+  value     = azurerm_kubernetes_cluster.aks.kube_config.0.host
   sensitive = true
-}
-
-output "identity_resource_id" {
-  value = azurerm_user_assigned_identity.testIdentity.id
-}
-
-output "identity_client_id" {
-  value = azurerm_user_assigned_identity.testIdentity.client_id
-}
-
-output "application_ip_address" {
-  value = azurerm_public_ip.test.ip_address
 }
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/providers.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/providers.tf
@@ -2,18 +2,10 @@ terraform {
   required_version = ">=1.0"
 
   required_providers {
-    azapi = {
-      source  = "azure/azapi"
-      version = "~>1.5"
-    }
     azurerm = {
       source  = "hashicorp/azurerm"
       version = "~>3.0"
     }
-    random = {
-      source  = "hashicorp/random"
-      version = "~>3.0"
-    }
   }
 }