User Story 90135

quickstart/201-k8s-cluster-with-tf-and-aks/main.tf

@@ -8,15 +8,19 @@ resource "azurerm_resource_group" "rg" {
   name     = random_pet.rg_name.id
 }
 
-resource "random_id" "log_analytics_workspace_name_suffix" {
-  byte_length = 8
+data "azurerm_client_config" "current" {}
+
+locals {
+  current_user_id = coalesce(var.msi_id, data.azurerm_client_config.current.object_id)
+}
+
+resource "random_pet" "azurerm_log_analytics_workspace_name" {
+  prefix = "ws"
 }
 
 resource "azurerm_log_analytics_workspace" "test" {
   location            = var.log_analytics_workspace_location
-  # The WorkSpace name has to be unique across the whole of azure;
-  # not just the current subscription/tenant.
-  name                = "${var.log_analytics_workspace_name}-${random_id.log_analytics_workspace_name_suffix.dec}"
+  name                = random_pet.azurerm_log_analytics_workspace_name.id
   resource_group_name = azurerm_resource_group.rg.name
   sku                 = var.log_analytics_workspace_sku
 }
@@ -34,33 +38,40 @@ resource "azurerm_log_analytics_solution" "test" {
   }
 }
 
+resource "random_pet" "azurerm_kubernetes_cluster_name" {
+  prefix = "cluster"
+}
+
+resource "random_pet" "azurerm_kubernetes_cluster_dns_prefix" {
+  prefix = "dns"
+}
+
 resource "azurerm_kubernetes_cluster" "k8s" {
   location            = azurerm_resource_group.rg.location
-  name                = var.cluster_name
+  name                = random_pet.azurerm_kubernetes_cluster_name.id
   resource_group_name = azurerm_resource_group.rg.name
-  dns_prefix          = var.dns_prefix
-  tags                = {
-    Environment = "Development"
-  }
+  dns_prefix          = random_pet.azurerm_kubernetes_cluster_dns_prefix.id
 
   default_node_pool {
     name       = "agentpool"
     vm_size    = "Standard_D2_v2"
-    node_count = var.agent_count
+    node_count = var.node_count
   }
   linux_profile {
     admin_username = "ubuntu"
 
     ssh_key {
-      key_data = file(var.ssh_public_key)
+      key_data = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
     }
   }
   network_profile {
     network_plugin    = "kubenet"
     load_balancer_sku = "standard"
   }
   service_principal {
-    client_id     = var.aks_service_principal_app_id
-    client_secret = var.aks_service_principal_client_secret
+    client_id     = azuread_service_principal.app.application_id
+    client_secret = azuread_service_principal_password.app.value
   }
-}
+
+  depends_on = [time_sleep.wait_30_seconds]
+}

quickstart/201-k8s-cluster-with-tf-and-aks/outputs.tf

@@ -1,3 +1,15 @@
+output "resource_group_name" {
+  value = azurerm_resource_group.rg.name
+}
+
+output "kubernetes_cluster_name" {
+  value = azurerm_kubernetes_cluster.k8s.name
+}
+
+output "log_analytics_workspace_name" {
+  value = azurerm_log_analytics_workspace.test.name
+}
+
 output "client_certificate" {
   value     = azurerm_kubernetes_cluster.k8s.kube_config[0].client_certificate
   sensitive = true
@@ -31,8 +43,4 @@ output "host" {
 output "kube_config" {
   value     = azurerm_kubernetes_cluster.k8s.kube_config_raw
   sensitive = true
-}
-
-output "resource_group_name" {
-  value = azurerm_resource_group.rg.name
 }

quickstart/201-k8s-cluster-with-tf-and-aks/providers.tf

@@ -2,6 +2,10 @@ terraform {
   required_version = ">=1.0"
 
   required_providers {
+    azapi = {
+      source  = "azure/azapi"
+      version = "~>1.5"
+    }
     azurerm = {
       source  = "hashicorp/azurerm"
       version = "~>3.0"
@@ -10,9 +14,13 @@ terraform {
       source  = "hashicorp/random"
       version = "~>3.0"
     }
+    time = {
+      source  = "hashicorp/time"
+      version = "0.9.1"
+    }
   }
 }
 
 provider "azurerm" {
   features {}
-}
+}

quickstart/201-k8s-cluster-with-tf-and-aks/readme.md

@@ -2,31 +2,31 @@
 
 This template provisions an [AKS / Azure Kubernetes service (also known as a Managed Kubernetes Cluster)](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster).
 
+- [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)
+
 ## Terraform resource types
 
 - [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)
-- [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)
 - [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_client_config](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config)
 - [azurerm_log_analytics_workspace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace)
 - [azurerm_log_analytics_solution](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution)
 - [azurerm_kubernetes_cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster)
+- [azuread_application](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application)
+- [azuread_service_principal](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal)
+- [azuread_service_principal_password](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password)
+- [azapi_resource](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/azapi_resource)
+- [azapi_resource_action](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/azapi_resource_action)
 
 ## Variables
 
 | Name | Description | Default |
 |-|-|-|
 | `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | rg |
 | `resource_group_location` | Location of the resource group. | eastus |
-| `agent_count` | Initial number of nodes which should exist in this Node Pool. Value must be between 1 and 1000. | 3 | 
-| `ssh_public_key` | File containing the an ssh_key block. | ~/.ssh/id_rsa.pub |
-| `dns_prefix` | DNS prefix specified when creating the managed cluster. | k8stest |
-| `cluster_name` | Name of the Managed Kubernetes Cluster to create. | k8stest |
-| `log_analytics_workspace_name` | Prefix of the name of the Log Analytics Workspace. Random value is appended to ensure uniqueness across Azure. | testLogAnalyticsWorkspaceName |
-| `log_analytics_workspace_location` | Azure location where the resource exists. | eastus |
-| `log_analytics_workspace_sku` | SKU of the Log Analytics Workspace. | PerGB2018 |
-| `aks_service_principal_app_id` | Service principal app ID. | |
-| `aks_service_principal_client_secret` | Service principal password. | |
-| `aks_service_principal_object_id` | Service principal object ID. | |
+| `node_count` | Initial number of nodes which should exist in this Node Pool. Value must be between 1 and 1000. | 3 |
+| `log_analytics_workspace_location` | Location of the Log Analytics workspace. | eastus |
+| `log_analytics_workspace_sku` | SKU of the Log Analytics workspace. The SKU of the log analytics workspace. Choose from: Free, PerNode, Premium, Standard, Standalone, Unlimited, CapacityReservation, PerGB2018 | PerGB2018 |
 
 ## Example
 

quickstart/201-k8s-cluster-with-tf-and-aks/sp.tf

@@ -0,0 +1,37 @@
+# Create Azure AD App Registration
+resource "azuread_application" "app" {
+  display_name = "my-app"
+  owners       = [local.current_user_id]
+}
+
+# Create Service Principal
+resource "azuread_service_principal" "app" {
+  application_id               = azuread_application.app.application_id
+  app_role_assignment_required = true
+  owners                       = [local.current_user_id]
+}
+
+# Create Service Principal password
+resource "azuread_service_principal_password" "app" {
+  service_principal_id = azuread_service_principal.app.id
+}
+
+# Sleep for 30 seconds to allow for propagation
+# of the Service Principal creation before attempting
+# to create the AKS cluster.
+resource "time_sleep" "wait_30_seconds" {
+  create_duration = "30s"
+
+  depends_on = [azuread_service_principal_password.app]
+}
+
+# Output the Service Principal and password
+output "sp" {
+  value     = azuread_service_principal.app.id
+  sensitive = true
+}
+
+output "sp_password" {
+  value     = azuread_service_principal_password.app.value
+  sensitive = true
+}

quickstart/201-k8s-cluster-with-tf-and-aks/ssh.tf

@@ -0,0 +1,25 @@
+resource "random_pet" "ssh_key_name" {
+  prefix    = "ssh"
+  separator = ""
+}
+
+resource "azapi_resource" "ssh_public_key" {
+  type      = "Microsoft.Compute/sshPublicKeys@2022-11-01"
+  name      = random_pet.ssh_key_name.id
+  location  = "westus3"
+  parent_id = azurerm_resource_group.rg.id
+}
+
+resource "azapi_resource_action" "ssh_public_key_gen" {
+  type        = "Microsoft.Compute/sshPublicKeys@2022-11-01"
+  resource_id = azapi_resource.ssh_public_key.id
+  action      = "generateKeyPair"
+  method      = "POST"
+
+  response_export_values = ["publicKey"]
+}
+
+output "key_data" {
+  value     = azapi_resource.ssh_public_key.body
+  sensitive = true
+}

quickstart/201-k8s-cluster-with-tf-and-aks/variables.tf

@@ -1,49 +1,44 @@
-variable "agent_count" {
-  default = 3
-}
-
-# The following two variable declarations are placeholder references.
-# Set the values for these variable in terraform.tfvars
-variable "aks_service_principal_app_id" {
-  default = ""
-}
-
-variable "aks_service_principal_client_secret" {
-  default = ""
+variable "resource_group_location" {
+  type        = string
+  default     = "eastus"
+  description = "Location of the resource group."
 }
 
-variable "cluster_name" {
-  default = "k8stest"
+variable "resource_group_name_prefix" {
+  type        = string
+  default     = "rg"
+  description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription."
 }
 
-variable "dns_prefix" {
-  default = "k8stest"
+variable "node_count" {
+  type        = number
+  description = "The initial quantity of nodes for the node pool."
+  default     = 3
 }
 
-# Refer to https://azure.microsoft.com/global-infrastructure/services/?products=monitor for available Log Analytics regions.
+# For available Log Analytics regions, refer to:
+# https://azure.microsoft.com/global-infrastructure/services/?products=monitor
 variable "log_analytics_workspace_location" {
-  default = "eastus"
-}
-
-variable "log_analytics_workspace_name" {
-  default = "testLogAnalyticsWorkspaceName"
+  type        = string
+  default     = "eastus"
+  description = "Location of the Log Analytics workspace."
 }
 
-# Refer to https://azure.microsoft.com/pricing/details/monitor/ for Log Analytics pricing
+# For Log Analytics pricing, refer to:
+# https://azure.microsoft.com/pricing/details/monitor
 variable "log_analytics_workspace_sku" {
-  default = "PerGB2018"
-}
+  type        = string
+  description = "The SKU of the Log Analytics workspace. Choose from: Free, PerNode, Premium, Standard, Standalone, Unlimited, CapacityReservation, PerGB2018"
+  default     = "PerGB2018"
 
-variable "resource_group_location" {
-  default     = "eastus"
-  description = "Location of the resource group."
+  validation {
+    condition     = contains(["Free", "PerNode", "Premium", "Standard", "Standalone", "Unlimited", "CapacityReservation", "PerGB2018"], var.log_analytics_workspace_sku)
+    error_message = "The Log Analytics workspace SKU must be one of the following: Free, PerNode, Premium, Standard, Standalone, Unlimited, CapacityReservation, PerGB2018"
+  }
 }
 
-variable "resource_group_name_prefix" {
-  default     = "rg"
-  description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription."
-}
-
-variable "ssh_public_key" {
-  default = "~/.ssh/id_rsa.pub"
-}
+variable "msi_id" {
+  type        = string
+  description = "The Managed Service Identity ID used to create the service principal. If this value is null (the default), the AzureRM provider configuration Object ID is used.."
+  default     = null
+}