Updated article (#239)

Azure · Aug 1, 2023 · d0f95da · d0f95da
1 parent 0cc90f4
commit d0f95da
Show file tree

Hide file tree

Showing 8 changed files with 101 additions and 620 deletions.
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/TestRecord.md b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/TestRecord.md
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/main.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/main.tf
@@ -24,8 +24,6 @@ resource "azurerm_user_assigned_identity" "testIdentity" {
   location            = azurerm_resource_group.rg.location
 
   name = "identity1"
-
-  tags = var.tags
 }
 
 resource "azurerm_virtual_network" "test" {
@@ -43,22 +41,18 @@ resource "azurerm_virtual_network" "test" {
     name           = "appgwsubnet"
     address_prefix = var.app_gateway_subnet_address_prefix
   }
-
-  tags = var.tags
 }
 
 data "azurerm_subnet" "kubesubnet" {
   name                 = var.aks_subnet_name
   virtual_network_name = azurerm_virtual_network.test.name
   resource_group_name  = azurerm_resource_group.rg.name
-  depends_on           = [azurerm_virtual_network.test]
 }
 
 data "azurerm_subnet" "appgwsubnet" {
   name                 = "appgwsubnet"
   virtual_network_name = azurerm_virtual_network.test.name
   resource_group_name  = azurerm_resource_group.rg.name
-  depends_on           = [azurerm_virtual_network.test]
 }
 
 # Public Ip 
@@ -68,8 +62,6 @@ resource "azurerm_public_ip" "test" {
   resource_group_name = azurerm_resource_group.rg.name
   allocation_method   = "Static"
   sku                 = "Standard"
-
-  tags = var.tags
 }
 
 resource "azurerm_application_gateway" "network" {
@@ -128,56 +120,28 @@ resource "azurerm_application_gateway" "network" {
     http_listener_name         = local.listener_name
     backend_address_pool_name  = local.backend_address_pool_name
     backend_http_settings_name = local.http_setting_name
+    priority                   = 1
   }
-
-  tags = var.tags
-
-  depends_on = [azurerm_virtual_network.test, azurerm_public_ip.test]
-}
-
-resource "azurerm_role_assignment" "ra1" {
-  scope                = data.azurerm_subnet.kubesubnet.id
-  role_definition_name = "Network Contributor"
-  principal_id         = var.aks_service_principal_object_id
-
-  depends_on = [azurerm_virtual_network.test]
-}
-
-resource "azurerm_role_assignment" "ra2" {
-  scope                = azurerm_user_assigned_identity.testIdentity.id
-  role_definition_name = "Managed Identity Operator"
-  principal_id         = var.aks_service_principal_object_id
-  depends_on           = [azurerm_user_assigned_identity.testIdentity]
-}
-
-resource "azurerm_role_assignment" "ra3" {
-  scope                = azurerm_application_gateway.network.id
-  role_definition_name = "Contributor"
-  principal_id         = azurerm_user_assigned_identity.testIdentity.principal_id
-  depends_on           = [azurerm_user_assigned_identity.testIdentity, azurerm_application_gateway.network]
-}
-
-resource "azurerm_role_assignment" "ra4" {
-  scope                = azurerm_resource_group.rg.id
-  role_definition_name = "Reader"
-  principal_id         = azurerm_user_assigned_identity.testIdentity.principal_id
-  depends_on           = [azurerm_user_assigned_identity.testIdentity, azurerm_application_gateway.network]
 }
 
 resource "azurerm_kubernetes_cluster" "k8s" {
-  name       = var.aks_name
+  name       = var.aks_cluster_name
   location   = azurerm_resource_group.rg.location
   dns_prefix = var.aks_dns_prefix
 
+  identity {
+    type = "SystemAssigned"
+  }
+
   resource_group_name = azurerm_resource_group.rg.name
 
   http_application_routing_enabled = false
 
   linux_profile {
-    admin_username = var.vm_user_name
+    admin_username = var.vm_username
 
     ssh_key {
-      key_data = file(var.public_ssh_key_path)
+      key_data = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
     }
   }
 
@@ -189,22 +153,10 @@ resource "azurerm_kubernetes_cluster" "k8s" {
     vnet_subnet_id  = data.azurerm_subnet.kubesubnet.id
   }
 
-  service_principal {
-    client_id     = var.aks_service_principal_app_id
-    client_secret = var.aks_service_principal_client_secret
-  }
-
   network_profile {
     network_plugin     = "azure"
     dns_service_ip     = var.aks_dns_service_ip
     docker_bridge_cidr = var.aks_docker_bridge_cidr
     service_cidr       = var.aks_service_cidr
   }
-
-  role_based_access_control {
-    enabled = var.aks_enable_rbac
-  }
-
-  depends_on = [azurerm_virtual_network.test, azurerm_application_gateway.network]
-  tags       = var.tags
 }
diff --git a/...-aks-applicationgateway-ingress/output.tf → ...aks-applicationgateway-ingress/outputs.tf b/...-aks-applicationgateway-ingress/output.tf → ...aks-applicationgateway-ingress/outputs.tf
@@ -2,24 +2,33 @@ output "resource_group_name" {
   value = azurerm_resource_group.rg.name
 }
 
+output "aks_cluster_name" {
+  value = azurerm_kubernetes_cluster.k8s.name
+}
+
 output "client_key" {
-  value = azurerm_kubernetes_cluster.k8s.kube_config.0.client_key
+  value     = azurerm_kubernetes_cluster.k8s.kube_config.0.client_key
+  sensitive = true
 }
 
 output "client_certificate" {
-  value = azurerm_kubernetes_cluster.k8s.kube_config.0.client_certificate
+  value     = azurerm_kubernetes_cluster.k8s.kube_config.0.client_certificate
+  sensitive = true
 }
 
 output "cluster_ca_certificate" {
-  value = azurerm_kubernetes_cluster.k8s.kube_config.0.cluster_ca_certificate
+  value     = azurerm_kubernetes_cluster.k8s.kube_config.0.cluster_ca_certificate
+  sensitive = true
 }
 
 output "cluster_username" {
-  value = azurerm_kubernetes_cluster.k8s.kube_config.0.username
+  value     = azurerm_kubernetes_cluster.k8s.kube_config.0.username
+  sensitive = true
 }
 
 output "cluster_password" {
-  value = azurerm_kubernetes_cluster.k8s.kube_config.0.password
+  value     = azurerm_kubernetes_cluster.k8s.kube_config.0.password
+  sensitive = true
 }
 
 output "kube_config" {
@@ -28,7 +37,8 @@ output "kube_config" {
 }
 
 output "host" {
-  value = azurerm_kubernetes_cluster.k8s.kube_config.0.host
+  value     = azurerm_kubernetes_cluster.k8s.kube_config.0.host
+  sensitive = true
 }
 
 output "identity_resource_id" {
@@ -41,4 +51,4 @@ output "identity_client_id" {
 
 output "application_ip_address" {
   value = azurerm_public_ip.test.ip_address
-}
+}
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/providers.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/providers.tf
@@ -1,21 +1,22 @@
 terraform {
-
-  required_version = ">=0.12"
+  required_version = ">=1.0"
 
   required_providers {
+    azapi = {
+      source  = "azure/azapi"
+      version = "~>1.5"
+    }
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~>2.0"
+      version = "~>3.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~>3.0"
     }
-  }
-  backend "azurerm" {
-    resource_group_name  = "<storage_account_resource_group>"
-    storage_account_name = "<storage_account_name>"
-    container_name       = "tfstate"
-    key                  = "codelab.microsoft.tfstate"
   }
 }
 
 provider "azurerm" {
   features {}
-}
+}
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/readme.md b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/readme.md
@@ -1,4 +1,4 @@
-# Create an Application Gateway Ingress Controller in Azure Kubernetes Service using Terraform
+# Application Gateway Ingress Controller in Azure Kubernetes Service using Terraform
 
 This template creates an Application Gateway Ingress Controller in Azure Kubernetes Service using Terraform.
 
@@ -11,18 +11,17 @@ This template creates an Application Gateway Ingress Controller in Azure Kuberne
 - [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
 - [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip)
 - [azurerm_application_gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway)
-- [azurerm_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment)
 - [azurerm_kubernetes_cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster)
 
+## Terraform data sources
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet)
+
 ## Variables
 
 | Name | Description | Default value |
 |-|-|-|
-| `resource_group_name_prefix` | (Optional) Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | rg |
-| `location` | (Optional) Azure region in which to deploy demo resources.| eastus |
-| `aks_service_principal_app_id` | Application ID/Client ID  of the service principal. Used by AKS to manage AKS related resources on Azure like vms, subnets.| |
-| `aks_service_principal_client_secret` | Secret of the service principal. Used by AKS to manage Azure. | |
-| `aks_service_principal_object_id` | Object ID of the service principal. | |
+| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | rg |
+| `resource_group_location` | Location of the resource group. | eastus |
 | `virtual_network_name` | Virtual network name. | aksVirtualNetwork |
 | `virtual_network_address_prefix` | VNET address prefix. | 192.168.0.0/16 |
 | `aks_subnet_name` | Subnet name. | kubesubnet |
@@ -41,6 +40,7 @@ This template creates an Application Gateway Ingress Controller in Azure Kuberne
 | `aks_dns_service_ip` | DNS server IP address. | 10.0.0.10 |
 | `aks_docker_bridge_cidr` | CIDR notation IP for Docker bridge. | 172.17.0.1/16 |
 | `aks_enable_rbac` | Enable RBAC on the AKS cluster. | false |
+| `msi_id` | The Managed Service Identity ID. Set this value if you're running this example using Managed Identity as the authentication method. | null |
 | `vm_user_name` | User name for the VM. | vmuser1 |
 | `public_ssh_key_path` | Public key path for SSH. | ~/.ssh/id_rsa.pub |
 

diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/ssh.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/ssh.tf
@@ -0,0 +1,24 @@
+resource "random_pet" "ssh_key_name" {
+  prefix    = "ssh"
+  separator = ""
+}
+
+resource "azapi_resource_action" "ssh_public_key_gen" {
+  type        = "Microsoft.Compute/sshPublicKeys@2022-11-01"
+  resource_id = azapi_resource.ssh_public_key.id
+  action      = "generateKeyPair"
+  method      = "POST"
+
+  response_export_values = ["publicKey", "privateKey"]
+}
+
+resource "azapi_resource" "ssh_public_key" {
+  type      = "Microsoft.Compute/sshPublicKeys@2022-11-01"
+  name      = random_pet.ssh_key_name.id
+  location  = azurerm_resource_group.rg.location
+  parent_id = azurerm_resource_group.rg.id
+}
+
+output "key_data" {
+  value = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
+}
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/terraform.tfvars b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/terraform.tfvars