From 945ab1fba5c7e70e7acb4ca36c602d64af36eed8 Mon Sep 17 00:00:00 2001
From: dkool
Date: Fri, 28 Jun 2024 12:50:57 +0200
Subject: [PATCH 1/2] fix: explicitly set fallback values for ssh key and admin password
---
 examples/authentication/README.md | 75 +++++++++++++++++++++++
 examples/authentication/locals.tf | 8 +++
 examples/authentication/main.tf | 90 ++++++++++++++++++++++++++++
 examples/authentication/terraform.tf | 22 +++++++
 main.tf | 4 +-
 5 files changed, 197 insertions(+), 2 deletions(-)
 create mode 100644 examples/authentication/README.md
 create mode 100644 examples/authentication/locals.tf
 create mode 100644 examples/authentication/main.tf
 create mode 100644 examples/authentication/terraform.tf
diff --git a/examples/authentication/README.md b/examples/authentication/README.md
new file mode 100644
index 0000000..3159272
--- /dev/null
+++ b/examples/authentication/README.md
@@ -0,0 +1,75 @@
+This module enables flexible kubernetes cluster setup by supporting both auto generated and user supplied (bring your own) ssh keys and passwords for tailored access.
+
+## Usage: generated password or ssh key
+
+To utilize the generated password or ssh key, simply specify the key vault id in your configuration:
+
+```hcl
+module "aks" {
+ source = "cloudnationhq/aks/azure"
+ version = "~> 0.1"
+
+ keyvault = module.kv.vault.id
+
+ cluster = {
+ name = module.naming.kubernetes_cluster.name_unique
+ location = module.rg.groups.demo.location
+ resourcegroup = module.rg.groups.demo.name
+ depends_on = [module.kv]
+ profile = "linux"
+ dns_prefix = "demo"
+ }
+}
+```
+
+## Usage: bringing your own password or ssh key
+
+To use your own password or SSH key, use the below properties in your configuration:
+
+```hcl
+module "aks-linux" {
+ source = "cloudnationhq/aks/azure"
+ version = "~> 0.1"
+
+ keyvault = module.kv.vault.id
+
+ cluster = {
+ name = "${module.naming.kubernetes_cluster.name}-02"
+ location = module.rg.groups.demo.location
+ resourcegroup = module.rg.groups.demo.name
+ node_resourcegroup = "${module.rg.groups.demo.name}-node02"
+ depends_on = [module.kv]
+ profile = "linux"
+ dns_prefix = "demo2"
+ sku_tier = "Standard"
+
+ public_key = module.kv.tls_public_keys.tls.value
+ }
+}
+```
+
+```hcl
+module "aks-windows" {
+ source = "cloudnationhq/aks/azure"
+ version = "~> 0.1"
+
+ keyvault = module.kv.vault.id
+
+ cluster = {
+ name = "${module.naming.kubernetes_cluster.name}-01"
+ location = module.rg.groups.demo.location
+ resourcegroup = module.rg.groups.demo.name
+ node_resourcegroup = "${module.rg.groups.demo.name}-node01"
+ depends_on = [module.kv]
+ profile = "windows"
+ dns_prefix = "demo1"
+ sku_tier = "Standard"
+
+ network_profile = {
+ network_plugin = "azure"
+ }
+
+ password = module.kv.secrets.password.value
+ }
+}
+```
diff --git a/examples/authentication/locals.tf b/examples/authentication/locals.tf
new file mode 100644
index 0000000..ad9167a
--- /dev/null
+++ b/examples/authentication/locals.tf
@@ -0,0 +1,8 @@
+locals {
+ naming = {
+ # lookup outputs to have consistent naming
+ for type in local.naming_types : type => lookup(module.naming, type).name
+ }
+
+ naming_types = ["key_vault_secret"]
+}
diff --git a/examples/authentication/main.tf b/examples/authentication/main.tf
new file mode 100644
index 0000000..2960aa6
--- /dev/null
+++ b/examples/authentication/main.tf
@@ -0,0 +1,90 @@
+module "naming" {
+ source = "cloudnationhq/naming/azure"
+ version = "~> 0.1"
+
+ suffix = ["demo", "dev"]
+}
+
+module "rg" {
+ source = "cloudnationhq/rg/azure"
+ version = "~> 0.1"
+
+ groups = {
+ demo = {
+ name = module.naming.resource_group.name
+ region = "westeurope"
+ }
+ }
+}
+
+module "kv" {
+ source = "cloudnationhq/kv/azure"
+ version = "~> 0.1"
+
+ naming = local.naming
+
+ vault = {
+ name = module.naming.key_vault.name_unique
+ location = module.rg.groups.demo.location
+ resourcegroup = module.rg.groups.demo.name
+
+ secrets = {
+ tls_keys = {
+ tls = {
+ algorithm = "RSA"
+ key_size = 2048
+ }
+ }
+ random_string = {
+ password = {
+ length = 24
+ special = false
+ }
+ }
+ }
+ }
+}
+
+module "aks-windows" {
+ source = "cloudnationhq/aks/azure"
+ version = "~> 0.1"
+
+ keyvault = module.kv.vault.id
+
+ cluster = {
+ name = "${module.naming.kubernetes_cluster.name}-01"
+ location = module.rg.groups.demo.location
+ resourcegroup = module.rg.groups.demo.name
+ node_resourcegroup = "${module.rg.groups.demo.name}-node01"
+ depends_on = [module.kv]
+ profile = "windows"
+ dns_prefix = "demo1"
+ sku_tier = "Standard"
+
+ network_profile = {
+ network_plugin = "azure"
+ }
+
+ password = module.kv.secrets.password.value
+ }
+}
+
+module "aks-linux" {
+ source = "cloudnationhq/aks/azure"
+ version = "~> 0.1"
+
+ keyvault = module.kv.vault.id
+
+ cluster = {
+ name = "${module.naming.kubernetes_cluster.name}-02"
+ location = module.rg.groups.demo.location
+ resourcegroup = module.rg.groups.demo.name
+ node_resourcegroup = "${module.rg.groups.demo.name}-node02"
+ depends_on = [module.kv]
+ profile = "linux"
+ dns_prefix = "demo2"
+ sku_tier = "Standard"
+
+ public_key = module.kv.tls_public_keys.tls.value
+ }
+}
diff --git a/examples/authentication/terraform.tf b/examples/authentication/terraform.tf
new file mode 100644
index 0000000..4804059
--- /dev/null
+++ b/examples/authentication/terraform.tf
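Review bot: The generated Windows admin password in the `kv` module call is requested under a `random_string` block (`random_string = { password = { length = 24, special = false } }`) and then fed to the cluster as `password = module.kv.secrets.password.value`; if that block maps onto the random provider's `random_string` resource, its result is not marked sensitive, so the password would appear in plan and apply output wherever the value is rendered, whereas `random_password` produces the same characters with a sensitive result. The kv module's internals are not part of this patch, so this is a point to confirm rather than a certain defect. Because this file is the example users copy, a short comment above the block, such as `# generated credentials are stored in key vault; use the sensitive-marked generator if the kv module offers one`, would steer readers toward the safer variant.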
@@ -0,0 +1,22 @@
+terraform {
+ required_version = "~> 1.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.61"
+ }
+ tls = {
+ source = "hashicorp/tls"
+ version = "~> 4.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~> 3.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
diff --git a/main.tf b/main.tf
index 75aa386..8d4afdb 100644
--- a/main.tf
+++ b/main.tf
@@ -197,7 +197,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
 content {
 admin_username = try(var.cluster.username, "nodeadmin")
- admin_password = try(var.cluster.password, azurerm_key_vault_secret.secret[windows_profile.key].value)
+ admin_password = try(var.cluster.password, null) != null ? var.cluster.password : azurerm_key_vault_secret.secret["default"].value
 }
 }
@@ -209,7 +209,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
 content {
 admin_username = try(var.cluster.username, "nodeadmin")
 ssh_key {
- key_data = try(var.cluster.public_key, tls_private_key.tls_key[var.cluster.name].public_key_openssh)
+ key_data = try(var.cluster.public_key, null) != null ? var.cluster.public_key : tls_private_key.tls_key["default"].public_key_openssh
 }
 }
 }
From fde451c0df79513b830d59804d463b759eca9dcb Mon Sep 17 00:00:00 2001
From: dkool
Date: Mon, 1 Jul 2024 17:42:51 +0200
Subject: [PATCH 2/2] fix: make keyvault id optional
---
 examples/authentication/README.md | 4 ----
 examples/authentication/main.tf | 4 ----
 variables.tf | 1 +
 3 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/examples/authentication/README.md b/examples/authentication/README.md
index 3159272..dc64652 100644
--- a/examples/authentication/README.md
+++ b/examples/authentication/README.md
@@ -31,8 +31,6 @@ module "aks-linux" {
 source = "cloudnationhq/aks/azure"
 version = "~> 0.1"
- keyvault = module.kv.vault.id
-
 cluster = {
 name = "${module.naming.kubernetes_cluster.name}-02"
 location = module.rg.groups.demo.location
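Review bot: The new fallback branches index the generated credential with the fixed literal `"default"` (`azurerm_key_vault_secret.secret["default"]` in the -197 hunk and `tls_private_key.tls_key["default"]` in the -209 hunk) where the old code keyed by `windows_profile.key` and `var.cluster.name`; the `for_each` that produces those instances is outside both hunks, so nothing here shows that a `"default"` instance always exists, and indexing a missing key is a plan-time error rather than a graceful fallback. The conditional evaluates only the selected branch, so a caller who supplies `cluster.password` / `cluster.public_key` never reaches the lookup, but one who supplies neither a credential nor a `keyvault` (made optional in patch 2/2) presumably will. A `lifecycle { precondition { … } }` on the resource, or at least a comment above each expression such as `# generated credential is created under the fixed "default" key; keep in sync with the secret/tls_key for_each`, would make the coupling explicit. The enclosing `azurerm_kubernetes_cluster` resource starts and ends outside the hunk.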
@@ -53,8 +51,6 @@ module "aks-windows" {
 source = "cloudnationhq/aks/azure"
 version = "~> 0.1"
- keyvault = module.kv.vault.id
-
 cluster = {
 name = "${module.naming.kubernetes_cluster.name}-01"
 location = module.rg.groups.demo.location
diff --git a/examples/authentication/main.tf b/examples/authentication/main.tf
index 2960aa6..bf5bd7b 100644
--- a/examples/authentication/main.tf
+++ b/examples/authentication/main.tf
@@ -49,8 +49,6 @@ module "aks-windows" {
 source = "cloudnationhq/aks/azure"
 version = "~> 0.1"
- keyvault = module.kv.vault.id
-
 cluster = {
 name = "${module.naming.kubernetes_cluster.name}-01"
 location = module.rg.groups.demo.location
@@ -73,8 +71,6 @@ module "aks-linux" {
 source = "cloudnationhq/aks/azure"
 version = "~> 0.1"
- keyvault = module.kv.vault.id
-
 cluster = {
 name = "${module.naming.kubernetes_cluster.name}-02"
 location = module.rg.groups.demo.location
diff --git a/variables.tf b/variables.tf
index cdb13b7..2dc8765 100644
--- a/variables.tf
+++ b/variables.tf
@@ -12,6 +12,7 @@ variable "cluster" {
 variable "keyvault" {
 description = "keyvault to store secrets"
 type = string
+ default = null
 }
 variable "location" {
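Review bot: `default = null` makes `keyvault` optional, but the description `"keyvault to store secrets"` still reads as a required input and does not say what the module does without one; given that patch 1/2 makes the generated-credential fallbacks reference key-vault-backed resources, a caller who omits `keyvault` presumably has to supply `cluster.password` (windows) or `cluster.public_key` (linux) instead. Suggested wording: `description = "Key vault id used to store generated credentials. Optional: when null, cluster.password (windows) or cluster.public_key (linux) must be supplied."`. Input-variable `validation` blocks cannot reference other variables on Terraform releases before 1.9, and the example pins only `~> 1.0`, so the description is the practical place to state this requirement.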