Skip to content
This repository has been archived by the owner on Feb 1, 2024. It is now read-only.

Commit

Permalink
Merge pull request #82 from Azure/2107-refresh
Browse files Browse the repository at this point in the history
2107 refresh
  • Loading branch information
arnaudlh authored Jul 6, 2021
2 parents 14d3b87 + 73a7389 commit 978dfda
Show file tree
Hide file tree
Showing 36 changed files with 75 additions and 80 deletions.
3 changes: 1 addition & 2 deletions .devcontainer/devcontainer.json
Original file line number Diff line number Diff line change
Expand Up @@ -32,8 +32,7 @@
// "shutdownAction": "none",

// Uncomment the next line to run commands after the container is created.
"postCreateCommand": "cp -R /tmp/.ssh-localhost/* ~/.ssh && sudo chmod 600 ~/.ssh/* && pre-commit install && pre-commit autoupdate && sudo chown -R $(whoami) /tf/caf && git config --global core.editor vi",

"postCreateCommand": "sudo cp -R /tmp/.ssh-localhost/* ~/.ssh && sudo chown -R $(whoami):$(whoami) /tf/caf && sudo chmod 400 ~/.ssh/* && git config --global core.editor vi && pre-commit install && pre-commit autoupdate",
// Add the IDs of extensions you want installed when the container is created in the array below.
"extensions": [
"4ops.terraform",
Expand Down
2 changes: 1 addition & 1 deletion .devcontainer/docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
version: '3.7'
services:
rover:
image: aztfmod/rover:0.15.4-2105.2603
image: aztfmod/rover:1.0.1-2106.3012
user: vscode

labels:
Expand Down
4 changes: 2 additions & 2 deletions configuration/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,10 +29,10 @@ You can either click "Use this template" at the root of this GitHub repository,
First step is to get the landing zones logic in the same work space, so let's clone the environment locally:

```bash
git clone --branch 2106.1 https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/landingzones
git clone --branch 2107.1 https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/landingzones
# Or refresh an existing clone
cd /tf/caf/landingzones
git checkout 2106.1
git checkout 2107.1
git pull
```

Expand Down
2 changes: 1 addition & 1 deletion configuration/demo/level3/aks/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ rover -lz /tf/caf/landingzones/caf_solution/ \
-level level3 \
-env ${environment} \
-a [plan|apply|destroy]

```

## Destroy an AKS landing zone deployment
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ az account set --subscription {SUBSCRIPTIONID}
# If you are running in Azure Cloud Shell, you need to run the following additional command:
export TF_VAR_logged_user_objectId=$(az ad signed-in-user show --query objectId -o tsv)

# Go to the AKS construction set folder
# Go to the AKS construction set folder
cd caf-terraform-landingzones-starter/enterprise_scale/construction_sets/aks

configuration_folder=online/aks_secure_baseline/configuration
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ Make sure the current folder is "*enterprise_scale/construction_sets/aks*"
```bash
# Login to the AKS if in ESLZ
echo $(terraform output -json | jq -r .aks_clusters_kubeconfig.value.cluster_re1.aks_kubeconfig_cmd) | bash

# Otherwise use this to login
echo $(terraform output -json | jq -r .aks_clusters_kubeconfig.value.cluster_re1.aks_kubeconfig_admin_cmd) | bash

Expand Down Expand Up @@ -115,7 +115,7 @@ If there is a need to change the folder to your own folk, please modify [flux.ya
# Get the ingress controller subnet name
ingress_subnet_name=$(terraform output -json | jq -r .vnets.value.vnet_aks_re1.subnets.aks_ingress.name)
# Update the traefik yaml
# Mac UNIX:
# Mac UNIX:
sed -i "" "s/azure-load-balancer-internal-subnet:.*/azure-load-balancer-internal-subnet:\ ${ingress_subnet_name}/g" online/aks_secure_baseline/workloads/baseline/traefik.yaml
# Linux:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ This implementation is based on [Cloud Adoption Framework Landing Zones for Terr

## Applied Azure Policies for Online Landing zones

The list below details only notable Policies for this implementation, it is not exhaustive.
The list below details only notable Policies for this implementation, it is not exhaustive.
Please view Azure Policy portal or [List all assigned Azure Policies](#list-all-assigned-azure-policies) section to list out the details of assigned policies

| Policy | Config files |
Expand All @@ -30,7 +30,7 @@ Please view Azure Policy portal or [List all assigned Azure Policies](#list-all-
az policy assignment list --disable-scope-strict-match

# To view details of assigned Policies of the a resource
az policy assignment list --disable-scope-strict-match --scope {RESOURCEID}
az policy assignment list --disable-scope-strict-match --scope {RESOURCEID}
```

## Prerequisites
Expand Down Expand Up @@ -86,10 +86,10 @@ If you opt-in to setup a shell on your machine, there are required access and to
sudo apt install jq
```

kubectl: For more information visit [here](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
kubectl: For more information visit [here](https://kubernetes.io/docs/tasks/tools/install-kubectl/)

```bash
# kubectl:
# kubectl:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
```
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ application_gateways = {
trusted_root_certificate = {
wildcard_ingress = {
name = "wildcard-ingress"
# data =
# data =
keyvault_key = "secrets"
}
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,12 +11,12 @@ application_gateway_applications = {
front_end_port_key = "443"
# host_name = "www.y4plq60ubbbiop9w1dh36tlgfpxqctfj.com"
dns_zone = {
key = "dns_zone1"
key = "dns_zone1"
record_type = "a"
record_key = "agw"
record_key = "agw"
}

request_routing_rule_key = "default"
request_routing_rule_key = "default"
# key_vault_secret_id = ""
# keyvault_certificate = {
# certificate_key = "aspnetapp.cafdemo.com"
Expand All @@ -39,10 +39,10 @@ application_gateway_applications = {
protocol = "Https"
pick_host_name_from_backend_address = true
# trusted_root_certificate_names = ["wildcard-ingress"]
trusted_root_certificate_names = ["wildcard-ingress"]
trusted_root_certificate_names = ["wildcard-ingress"]
}



backend_pool = {
fqdns = [
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,12 @@ dns_zones = {
records = {
a = {
agw = {
name = "@"
# records = ["10.0.0.0"]
name = "@"
# records = ["10.0.0.0"]
resource_id = {
public_ip_address = {
key = "agw_pip1_re1"
}
public_ip_address = {
key = "agw_pip1_re1"
}
}
}
}
Expand All @@ -24,7 +24,7 @@ dns_zones = {
domain_name_registrations = {
#
# Register for a random domain name
# As dnsType as not be set
# As dnsType as not be set
#
random_domain = {
name = "" // Set as empty for CI. this will creation a random_domain_name.com
Expand Down Expand Up @@ -70,4 +70,4 @@ domain_name_registrations = {
}
}
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ aks_clusters = {
name = "akscluster-re1-001"
resource_group_key = "aks_re1"
os_type = "Linux"

diagnostic_profiles = {
operations = {
name = "aksoperations"
Expand All @@ -18,7 +18,7 @@ aks_clusters = {
}

# kubernetes_version = "1.19.6"
vnet_key = "vnet_aks_re1"
vnet_key = "vnet_aks_re1"

network_profile = {
network_plugin = "azure"
Expand All @@ -41,7 +41,7 @@ aks_clusters = {

addon_profile = {
oms_agent = {
enabled = true
enabled = true
log_analytics_key = "central_logs_region1"
}
azure_policy = {
Expand Down Expand Up @@ -77,15 +77,15 @@ aks_clusters = {

node_pools = {
pool1 = {
name = "npuser01"
mode = "User"
subnet_key = "aks_nodepool_user1"
max_pods = 30
vm_size = "Standard_DS3_v2"
node_count = 3
os_disk_type = "Ephemeral"
enable_auto_scaling = false
os_disk_size_gb = 120
name = "npuser01"
mode = "User"
subnet_key = "aks_nodepool_user1"
max_pods = 30
vm_size = "Standard_DS3_v2"
node_count = 3
os_disk_type = "Ephemeral"
enable_auto_scaling = false
os_disk_size_gb = 120
# orchestrator_version = "1.19.6"
tags = {
"project" = "user services"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,22 +12,22 @@ keyvaults = {
creation_policies = {
logged_in_user = {
# if the key is set to "logged_in_user" add the user running terraform in the keyvault policy
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
certificate_permissions = ["Create", "Get", "List", "Delete", "Purge", "Recover"]
}

ingress_msi = {
managed_identity_key = "ingress"
secret_permissions = ["Get"]
managed_identity_key = "ingress"
secret_permissions = ["Get"]
certificate_permissions = ["Get"]
}

apgw_keyvault_secrets = {
managed_identity_key = "apgw_keyvault_secrets"
certificate_permissions = ["Get"]
secret_permissions = ["Get"]
}

}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,7 @@ azurerm_firewall_application_rule_collection_definition = {
# source_addresses = [
# "*",
# ]

source_ip_groups_keys = [
"aks_ip_group1"
]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ azurerm_firewall_network_rule_collection_definition = {
"aks_ip_group1"
]
destination_ports = [
"443","9000","22"
"443", "9000", "22"
]
destination_addresses = [
"AzureCloud"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ azurerm_firewalls = {
resource_group_key = "vnet_hub_re1"
vnet_key = "vnet_hub_re1"
# public_ip_key = "firewall_re1" # if this is defined, public_ip_keys is ignored
public_ip_keys = ["firewall_re1","firewall_pip2_re1"]
public_ip_keys = ["firewall_re1", "firewall_pip2_re1"]

azurerm_firewall_network_rule_collections = [
"aks"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ ip_groups = {
name = "aks_ip_group1"
# cidrs = ["1.1.1.1/10"] # if cidrs is defined all vnet & subnet are ignored
resource_group_key = "aks_spoke_re1"
vnet_key = "vnet_aks_re1"
subnet_keys = ["aks_nodepool_system","aks_nodepool_user1"] # can be either unclared or empty, will take vnet cidr instead
vnet_key = "vnet_aks_re1"
subnet_keys = ["aks_nodepool_system", "aks_nodepool_user1"] # can be either unclared or empty, will take vnet cidr instead
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ network_security_group_definition = {
# This entry is applied to all subnets with no NSG defined
azure_kubernetes_cluster_nsg = {
nsg = [

]
}
azure_bastion_nsg = {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,5 +38,5 @@ public_ip_addresses = {
idle_timeout_in_minutes = "4"

}

}
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ resource_groups = {
name = "aks_spoke_re1"
region = "region1"
}

ops_re1 = {
name = "ops_re1"
region = "region1"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ export random_length=10
# Set the folder name of this example
example=101-single-cluster

rover -lz /tf/caf/public/landingzones/caf_solutions/ \
rover -lz /tf/caf/landingzones/caf_solution/ \
-tfstate landingzone_aks.tfstate \
-var-folder /tf/caf/reference_implementations/azure_kubernetes_services/aks/${example} \
-var tags={example=\"${example}\"} \
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ export environment=[YOUR_ENVIRONMENT]
# Set the folder name of this example
export example=102-multi-nodepools

rover -lz /tf/caf/public/landingzones/caf_solutions/ \
rover -lz /tf/caf/landingzones/caf_solution/ \
-tfstate landingzone_aks.tfstate \
-var-folder /tf/caf/reference_implementations/azure_kubernetes_services/aks/${example} \
-var tags={example=\"${example}\"} \
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ example=103-multi-clusters
### Run AKS landing zone deployment

```bash
rover -lz /tf/caf/public/landingzones/caf_solutions/ \
rover -lz /tf/caf/landingzones/caf_solution/ \
-tfstate landingzone_aks.tfstate \
-var-folder /tf/caf/reference_implementations/azure_kubernetes_services/aks/${example} \
-var tags={example=\"${example}\"} \
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ In this section we add the Azure Firewall in the regional hub.

example="104-private-cluster"

rover -lz /tf/caf/public/landingzones/caf_networking/ \
rover -lz /tf/caf/landingzones/caf_solution/ \
-tfstate networking_hub.tfstate \
-var-folder /tf/caf/configuration/${environment}/level2/networking/hub \
-var-folder /tf/caf/reference_implementations/azure_kubernetes_services/aks/${example}/networking_hub/single_region \
Expand All @@ -65,7 +65,7 @@ rover -lz /tf/caf/public/landingzones/caf_networking/ \

```bash
example=104-private-cluster
rover -lz /tf/caf/public/landingzones/caf_solutions/ \
rover -lz /tf/caf/landingzones/caf_solution/ \
-tfstate landingzone_aks.tfstate \
-var-folder /tf/caf/reference_implementations/azure_kubernetes_services/aks/${example} \
-var tags={example=\"${example}\"} \
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ example=401-blue-green-nodepool
### Step 0: Deploy Blue Nodepool

```bash
rover -lz /tf/caf/public/landingzones/caf_solutions/ \
rover -lz /tf/caf/landingzones/caf_solution/ \
-tfstate landingzone_aks.tfstate \
-var-file /tf/caf/reference_implementations/azure_kubernetes_services/aks/${example}/configuration.tfvars \
-var-file /tf/caf/reference_implementations/azure_kubernetes_services/aks/${example}/aks_step0.tfvars \
Expand All @@ -60,7 +60,7 @@ rover -lz /tf/caf/public/landingzones/caf_solutions/ \

### Step 1: Upgrade Control Plane, system Nodepool and adding Green Nodepool
```bash
rover -lz /tf/caf/public/landingzones/caf_solutions/ \
rover -lz /tf/caf/landingzones/caf_solution/ \
-tfstate landingzone_aks.tfstate \
-var-file /tf/caf/reference_implementations/azure_kubernetes_services/aks/${example}/configuration.tfvars \
-var-file /tf/caf/reference_implementations/azure_kubernetes_services/aks/${example}/aks_step1.tfvars \
Expand All @@ -75,7 +75,7 @@ rover -lz /tf/caf/public/landingzones/caf_solutions/ \
Login to the cluster using *aks_kubeconfig_admin_cmd* or *aks_kubeconfig_cmd* output: *"az aks get-credentials..."*

```bash
rover -lz /tf/caf/public/landingzones/caf_solutions/ \
rover -lz /tf/caf/landingzones/caf_solution/ \
-tfstate landingzone_aks.tfstate \
-level level3 \
-a output \
Expand All @@ -98,7 +98,7 @@ kubectl drain -l agentpool=nodepool1 --ignore-daemonsets --delete-local-data

Delete Blue NodePool
```bash
rover -lz /tf/caf/public/landingzones/caf_solutions/ \
rover -lz /tf/caf/public/landingzones/caf_solution/ \
-tfstate ${example}_landingzone_aks.tfstate \
-var-file /tf/caf/reference_implementations/azure_kubernetes_services/aks/${example}/configuration.tfvars \
-var-file /tf/caf/reference_implementations/azure_kubernetes_services/aks/${example}/aks_step2.tfvars \
Expand Down
Loading

0 comments on commit 978dfda

Please sign in to comment.