#########################################################################
################################# ACR ###################################
#########################################################################
# Create ACR registry for Domino images
resource "azurerm_container_registry" "domino" {
  #checkov:skip=CKV_AZURE_237: "Ensure dedicated data endpoints are enabled."
  # Registry that holds the Domino images. Every hardening knob below (data
  # endpoints, no public access, default-Deny network rules, zone redundancy,
  # retention) exists only on the Premium SKU, so each is keyed on the same
  # condition: the caller asked for Premium, or asked for a private registry
  # (which forces Premium via the sku expression).
  #
  # ACR names must be alphanumeric, so every other character of the resource
  # group name is stripped before the "domino" suffix is appended.
  name                = replace("${data.azurerm_resource_group.aks.name}domino", "/[^a-zA-Z0-9]/", "")
  resource_group_name = data.azurerm_resource_group.aks.name
  location            = data.azurerm_resource_group.aks.location
  tags                = var.tags

  # Private Link for ACR is Premium-only, so a private registry overrides the
  # requested tier.
  sku = var.private_acr_enabled == true ? "Premium" : var.registry_tier

  # The shared admin user is never enabled; all access goes through the
  # Entra ID role assignments further down in this file.
  admin_enabled = false

  # Dedicated data endpoints are not supported below Premium, so the attribute
  # is left unset (null) there instead of being sent as false.
  data_endpoint_enabled = (var.private_acr_enabled == true || var.registry_tier == "Premium") ? true : null

  # NOTE(review): on Basic/Standard the registry remains reachable from the
  # public internet and is protected by RBAC alone. On Premium, public access
  # is switched off; with registry_tier = "Premium" but private_acr_enabled =
  # false, no private endpoint is created in this file either, so confirm that
  # combination is intended before relying on it.
  public_network_access_enabled = !(var.private_acr_enabled == true || var.registry_tier == "Premium")
  zone_redundancy_enabled       = var.private_acr_enabled == true || var.registry_tier == "Premium"

  retention_policy {
    enabled = var.private_acr_enabled == true || var.registry_tier == "Premium"
  }

  # Premium only: reject any source that is not explicitly allowed. The block
  # is omitted entirely on lower tiers, where the API does not accept it.
  dynamic "network_rule_set" {
    for_each = (var.private_acr_enabled == true || var.registry_tier == "Premium") ? [1] : []
    content {
      default_action = "Deny"
    }
  }
}
#########################################################################
########################## Private DNS Zone #############################
#########################################################################
# Create the private DNS zone used by the ACR private endpoint
resource "azurerm_private_dns_zone" "acr_private_dns_zone" {
  # The privatelink zone for ACR, consumed by the private endpoint module
  # below. It only exists when a private registry was requested.
  count = var.private_acr_enabled ? 1 : 0

  name                = "privatelink.azurecr.io"
  resource_group_name = data.azurerm_resource_group.aks.name
}
# link the dns private zone to the AKS VNET
resource "azurerm_private_dns_zone_virtual_network_link" "private_dns_zone_acr_vnet_link" {
  # Attach the privatelink zone to the AKS VNet so resolvers inside it see the
  # private records. registration_enabled is left at the provider default, so
  # nothing in the VNet auto-registers into this zone.
  count = var.private_acr_enabled ? 1 : 0

  name                  = "acr-vnet-dns-link"
  resource_group_name   = data.azurerm_resource_group.aks.name
  private_dns_zone_name = azurerm_private_dns_zone.acr_private_dns_zone[0].name
  virtual_network_id    = data.azurerm_virtual_network.aks_vnet[0].id
}
#########################################################################
########################## Private EndPoint #############################
#########################################################################
# Create a private endpoint for the ACR
module "domino_acr_ep" {
  # Private endpoint for the registry, with its NIC placed in the AKS subnet
  # so nodes reach ACR without leaving the VNet. The module is also handed the
  # privatelink zone, presumably to register the endpoint there (check the
  # module for the exact DNS behaviour). Created only for a private registry.
  count  = var.private_acr_enabled ? 1 : 0
  source = "./modules/private_endpoint"

  # "registry" is the ACR group ID for Private Link.
  resource_id           = azurerm_container_registry.domino.id
  sub_resource          = "registry"
  nic_name              = "acr-${var.deploy_id}"
  private_endpoint_name = "acr-${var.deploy_id}"

  private_dns_zone    = azurerm_private_dns_zone.acr_private_dns_zone[0].name
  private_dns_zone_id = azurerm_private_dns_zone.acr_private_dns_zone[0].id

  location            = data.azurerm_resource_group.aks.location
  resource_group_name = data.azurerm_resource_group.aks.name
  subnet_id           = data.azurerm_subnet.aks_subnet[0].id
}
#########################################################################
########################### Role Assignment #############################
#########################################################################
# ACR Pull from AKS nodes
resource "azurerm_role_assignment" "aks_domino_acr" {
  # Pull-only access for the identity the kubelets use to fetch images,
  # scoped to this single registry rather than the resource group.
  scope                = azurerm_container_registry.domino.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}
# ACR Push from Hephaestus
resource "azurerm_role_assignment" "hephaestus_acr" {
  # The Hephaestus identity is the only principal allowed to push images.
  # AcrPush also grants pull, and is scoped to this registry only.
  scope                = azurerm_container_registry.domino.id
  role_definition_name = "AcrPush"
  principal_id         = azurerm_user_assigned_identity.hephaestus.principal_id
}
# ACR Pull from private AKS nodes
resource "azurerm_role_assignment" "aks_domino_private_acr" {
  # Pull-only access for the cluster's user-assigned identity, added only when
  # the cluster itself is private.
  # NOTE(review): image pulls are performed by the kubelet identity, which is
  # already granted AcrPull above; if aks_assigned_identity is the control-plane
  # identity this extra grant may be unneeded — confirm which identity pulls.
  count = var.private_cluster_enabled ? 1 : 0

  scope                = azurerm_container_registry.domino.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.aks_assigned_identity[0].principal_id
}