diff --git a/examples/authentication/README.md b/examples/authentication/README.md
new file mode 100644
index 0000000..dc64652
--- /dev/null
+++ b/examples/authentication/README.md
@@ -0,0 +1,71 @@
+This module enables flexible kubernetes cluster setup by supporting both auto generated and user supplied (bring your own) ssh keys and passwords for tailored access.
+
+## Usage: generated password or ssh key
+
+To utilize the generated password or ssh key, simply specify the key vault id in your configuration:
+
+```hcl
+module "aks" {
+source = "cloudnationhq/aks/azure"
+version = "~> 0.1"
+
+keyvault = module.kv.vault.id
+
+cluster = {
+name = module.naming.kubernetes_cluster.name_unique
+location = module.rg.groups.demo.location
+resourcegroup = module.rg.groups.demo.name
+depends_on = [module.kv]
+profile = "linux"
+dns_prefix = "demo"
+}
+}
+```
+
+## Usage: bringing your own password or ssh key
+
+To use your own password or SSH key, use the below properties in your configuration:
+
+```hcl
+module "aks-linux" {
+source = "cloudnationhq/aks/azure"
+version = "~> 0.1"
+
+cluster = {
+name = "${module.naming.kubernetes_cluster.name}-02"
+location = module.rg.groups.demo.location
+resourcegroup = module.rg.groups.demo.name
+node_resourcegroup = "${module.rg.groups.demo.name}-node02"
+depends_on = [module.kv]
+profile = "linux"
+dns_prefix = "demo2"
+sku_tier = "Standard"
+
+public_key = module.kv.tls_public_keys.tls.value
+}
+}
+```
+
+```hcl
+module "aks-windows" {
+source = "cloudnationhq/aks/azure"
+version = "~> 0.1"
+
+cluster = {
+name = "${module.naming.kubernetes_cluster.name}-01"
+location = module.rg.groups.demo.location
+resourcegroup = module.rg.groups.demo.name
+node_resourcegroup = "${module.rg.groups.demo.name}-node01"
+depends_on = [module.kv]
+profile = "windows"
+dns_prefix = "demo1"
+sku_tier = "Standard"
+
+network_profile = {
+network_plugin = "azure"
+}
+
+password = module.kv.secrets.password.value
+}
+}
+```
diff --git a/examples/authentication/locals.tf b/examples/authentication/locals.tf
new file mode 100644
index 0000000..ad9167a
--- /dev/null
+++ b/examples/authentication/locals.tf
@@ -0,0 +1,8 @@
+locals {
+naming = {
+# lookup outputs to have consistent naming
+for type in local.naming_types : type => lookup(module.naming, type).name
+}
+
+naming_types = ["key_vault_secret"]
+}
diff --git a/examples/authentication/main.tf b/examples/authentication/main.tf
new file mode 100644
index 0000000..bf5bd7b
--- /dev/null
+++ b/examples/authentication/main.tf
@@ -0,0 +1,86 @@
+module "naming" {
+source = "cloudnationhq/naming/azure"
+version = "~> 0.1"
+
+suffix = ["demo", "dev"]
+}
+
+module "rg" {
+source = "cloudnationhq/rg/azure"
+version = "~> 0.1"
+
+groups = {
+demo = {
+name = module.naming.resource_group.name
+region = "westeurope"
+}
+}
+}
+
+module "kv" {
+source = "cloudnationhq/kv/azure"
+version = "~> 0.1"
+
+naming = local.naming
+
+vault = {
+name = module.naming.key_vault.name_unique
+location = module.rg.groups.demo.location
+resourcegroup = module.rg.groups.demo.name
+
+secrets = {
+tls_keys = {
+tls = {
+algorithm = "RSA"
+key_size = 2048
+}
+}
+random_string = {
+password = {
+length = 24
+special = false
+}
+}
+}
+}
+}
+
+module "aks-windows" {
+source = "cloudnationhq/aks/azure"
+version = "~> 0.1"
+
+cluster = {
+name = "${module.naming.kubernetes_cluster.name}-01"
+location = module.rg.groups.demo.location
+resourcegroup = module.rg.groups.demo.name
+node_resourcegroup = "${module.rg.groups.demo.name}-node01"
+depends_on = [module.kv]
+profile = "windows"
+dns_prefix = "demo1"
+sku_tier = "Standard"
+
+network_profile = {
+network_plugin = "azure"
+}
+
+password = module.kv.secrets.password.value
+}
+}
+
+module "aks-linux" {
+source = "cloudnationhq/aks/azure"
+version = "~> 0.1"
+
+cluster = {
+name = "${module.naming.kubernetes_cluster.name}-02"
+location = module.rg.groups.demo.location
+resourcegroup = module.rg.groups.demo.name
+node_resourcegroup = "${module.rg.groups.demo.name}-node02"
+depends_on = [module.kv]
+profile = "linux"
+dns_prefix = "demo2"
+sku_tier = "Standard"
+
+public_key = module.kv.tls_public_keys.tls.value
+}
+}
diff --git a/examples/authentication/terraform.tf b/examples/authentication/terraform.tf
new file mode 100644
index 0000000..4804059
--- /dev/null
+++ b/examples/authentication/terraform.tf
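Review bot: The Windows node admin password consumed by `aks-windows` (`password = module.kv.secrets.password.value`) is generated from the `random_string` entry with `special = false` and no per-class minimums; if the kv module maps that key onto the `random_string` resource rather than `random_password` (its internals are not in this diff), the generated value is not marked sensitive and is printed unredacted in plan output, and nothing guarantees the mixed-case-plus-digit composition Azure enforces for Windows node passwords, so an unlucky draw fails only at apply time. If the module passes them through, `min_upper = 1`, `min_lower = 1` and `min_numeric = 1` next to `length = 24` would pin the composition; otherwise a comment in the example should say the password leaves the random provider through state. The `depends_on = [module.kv]` inside the `cluster` object is an ordinary attribute of the value handed to the module, not Terraform's meta-argument, so it only orders creation if the aks module acts on it — presumably it does, but worth confirming; if not, `depends_on` on the module block itself is the reliable form.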
@@ -0,0 +1,22 @@
+terraform {
+required_version = "~> 1.0"
+
+required_providers {
+azurerm = {
+source = "hashicorp/azurerm"
+version = "~> 3.61"
+}
+tls = {
+source = "hashicorp/tls"
+version = "~> 4.0"
+}
+random = {
+source = "hashicorp/random"
+version = "~> 3.0"
+}
+}
+}
+
+provider "azurerm" {
+features {}
+}
diff --git a/main.tf b/main.tf
index 75aa386..8d4afdb 100644
--- a/main.tf
+++ b/main.tf
@@ -197,7 +197,7 @@ resource "azurerm_kubernetes_cluster" "aks" { content { admin_username = try(var.cluster.username, "nodeadmin") - admin_password = try(var.cluster.password, azurerm_key_vault_secret.secret[windows_profile.key].value) + admin_password = try(var.cluster.password, null) != null ? var.cluster.password : azurerm_key_vault_secret.secret["default"].value } }
@@ -209,7 +209,7 @@ resource "azurerm_kubernetes_cluster" "aks" { content { admin_username = try(var.cluster.username, "nodeadmin") ssh_key { - key_data = try(var.cluster.public_key, tls_private_key.tls_key[var.cluster.name].public_key_openssh) + key_data = try(var.cluster.public_key, null) != null ? var.cluster.public_key : tls_private_key.tls_key["default"].public_key_openssh } } }
diff --git a/variables.tf b/variables.tf
index cdb13b7..2dc8765 100644
--- a/variables.tf
+++ b/variables.tf
@@ -12,6 +12,7 @@ variable "cluster" { variable "keyvault" { description = "keyvault to store secrets" type = string + default = null } variable "location" {
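Review bot: The fallback `azurerm_key_vault_secret.secret["default"].value` on the new `admin_password` line is reached whenever `cluster.password` is absent or null, and `keyvault` becomes optional in the same commit, so if that resource is created conditionally on `var.keyvault` (its definition is outside the hunk) a caller that supplies neither `password` nor `keyvault` gets an invalid-index error on this line rather than a readable message; the second hunk at line 209 has the same shape with `tls_private_key.tls_key["default"]`. A `precondition` on the cluster resource asserting that `var.keyvault` is set unless the matching credential (`password` for `windows`, `public_key` for `linux`) was supplied, with an `error_message` naming the two options, would turn that into a plan-time validation failure. Both fallbacks also route the generated credential through Terraform state — the tls private key and the key vault secret value are stored there in plaintext — which the module documentation should state so operators protect the state backend accordingly. The enclosing `resource "azurerm_kubernetes_cluster" "aks"` starts before and ends after both hunks.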
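Review bot: With `default = null` added, the description `"keyvault to store secrets"` no longer tells the caller when the variable may be omitted, which is exactly what this change introduces; since the module's generated password and ssh key fall back to secrets tied to the vault, the description should spell out the contract, e.g. `description = "keyvault to store generated secrets; may be null only when cluster.password or cluster.public_key is supplied"` (adjust if the module's fallback works differently — its resource definitions are not in this diff). The cross-variable rule itself is better enforced by a `precondition` on the cluster resource than by a `validation` block here, since older Terraform releases restrict `validation` conditions to the variable being declared.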