Merge pull request #92 from pluralsh/marcin/prod-3389-azure-cluster-pr-automation

feat: AKS module

Author: maciaszczykm

setup/pr-automation/cluster-creator.yaml

@@ -42,4 +42,11 @@ spec:
     documentation: what tier to place this cluster in
     values:
     - dev
-    - prd
+    - prod
+  - name: resourceGroup
+    type: STRING
+    documentation: Azure resource group that you would like to use.
+    condition:
+      field: cloud
+      operation: EQ
+      value: 'azure'

templates/clusters/stack.yaml

@@ -21,6 +21,14 @@ spec:
     cluster: {{ context.name }}
     fleet: {{ context.fleet }}
     tier: {{ context.tier }}
+  {% if context.cloud == 'azure' %}
+    resource_group_name: {{ context.resourceGroup }}
+  jobSpec:
+    namespace: plrl-deploy-operator
+    labels:
+      azure.workload.identity/use: "true"
+    serviceAccount: "stacks"
+  {% endif %}
   git:
     ref: main
     folder: terraform/modules/clusters/{{ context.cloud }}

terraform/modules/clusters/azure/aks.tf

@@ -0,0 +1,23 @@
+module "aks" {
+  source = "Azure/aks/azurerm"
+  version = "9.2.0"
+
+  kubernetes_version   = var.kubernetes_version
+  cluster_name         = var.cluster
+  resource_group_name  = data.azurerm_resource_group.default.name
+  prefix               = var.cluster
+  os_disk_size_gb      = 60
+  sku_tier             = "Standard"
+  rbac_aad             = false
+  vnet_subnet_id       = local.network.sn_subnet_id
+  node_pools           = {for name, pool in var.node_pools : name => merge(pool, {name = name, vnet_subnet_id = local.network.sn_subnet_id})}
+
+  ebpf_data_plane     = "cilium"
+  network_plugin_mode = "overlay"
+  network_plugin      = "azure"
+
+  role_based_access_control_enabled = true
+
+  workload_identity_enabled = var.workload_identity_enabled
+  oidc_issuer_enabled       = var.workload_identity_enabled
+}

terraform/modules/clusters/azure/azure.tf

@@ -0,0 +1,48 @@
+data "azurerm_resource_group" "default" {
+  name = var.resource_group_name
+}
+
+resource "azurerm_user_assigned_identity" "dns" {
+  name                = "${var.cluster}-dns"
+  resource_group_name = data.azurerm_resource_group.default.name
+  location            = data.azurerm_resource_group.default.location
+}
+
+resource "azurerm_role_assignment" "dns-reader" {
+  scope                = data.azurerm_resource_group.default.id
+  role_definition_name = "Reader"
+  principal_id         = azurerm_user_assigned_identity.dns.principal_id
+}
+
+resource "azurerm_role_assignment" "dns-zone-contributor" {
+  scope                = data.azurerm_resource_group.default.id
+  role_definition_name = "DNS Zone Contributor"
+  principal_id         = azurerm_user_assigned_identity.dns.principal_id
+}
+
+resource "azurerm_federated_identity_credential" "plural-runtime" {
+  name                = "${var.cluster}-plural-runtime"
+  resource_group_name = data.azurerm_resource_group.default.name
+  audience = ["api://AzureADTokenExchange"]
+  issuer              = module.aks.oidc_issuer_url
+  parent_id           = azurerm_user_assigned_identity.dns.id
+  subject             = "system:serviceaccount:plural-runtime:external-dns"
+}
+
+resource "azurerm_federated_identity_credential" "external-dns" {
+  name                = "${var.cluster}-external-dns"
+  resource_group_name = data.azurerm_resource_group.default.name
+  audience = ["api://AzureADTokenExchange"]
+  issuer              = module.aks.oidc_issuer_url
+  parent_id           = azurerm_user_assigned_identity.dns.id
+  subject             = "system:serviceaccount:external-dns:external-dns"
+}
+
+resource "azurerm_federated_identity_credential" "cert-manager" {
+  name                = "${var.cluster}-cert-manager"
+  resource_group_name = data.azurerm_resource_group.default.name
+  audience = ["api://AzureADTokenExchange"]
+  issuer              = module.aks.oidc_issuer_url
+  parent_id           = azurerm_user_assigned_identity.dns.id
+  subject             = "system:serviceaccount:cert-manager:cert-manager"
+}

terraform/modules/clusters/azure/locals.tf

@@ -0,0 +1,4 @@
+locals {
+  identity = jsondecode(data.plural_service_context.identity.configuration)
+  network = jsondecode(data.plural_service_context.network.configuration)
+}

terraform/modules/clusters/azure/plural.tf

@@ -0,0 +1,33 @@
+data "plural_service_context" "identity" {
+  name = "plrl/azure/identity"
+}
+
+data "plural_service_context" "network" {
+  name = "plrl/network/${var.tier}"
+}
+
+resource "plural_service_context" "cluster" {
+  name = "plrl/clusters/${var.cluster}"
+
+  configuration = jsonencode({
+    cluster_name = var.cluster
+  })
+}
+
+resource "plural_cluster" "cluster" {
+    handle = var.cluster
+    name   = var.cluster
+  
+    tags   = {
+      tier = var.tier
+      fleet = var.fleet
+      role = "workload"
+    }
+
+    kubeconfig = {
+      host =  module.aks.cluster_fqdn
+      cluster_ca_certificate = base64decode(module.aks.cluster_ca_certificate)
+      client_certificate     = base64decode(module.aks.client_certificate)
+      client_key             = base64decode(module.aks.client_key)
+    }
+}

terraform/modules/clusters/azure/variables.tf

@@ -0,0 +1,40 @@
+variable "cluster" {
+  type = string
+  default = "plural"
+}
+
+variable "fleet" {
+  type = string
+}
+
+variable "tier" {
+  type = string
+}
+
+variable "kubernetes_version" {
+  type = string
+  default = "1.30.9"
+}
+
+variable "resource_group_name" {
+  type = string
+  default = "plural"
+}
+
+variable "workload_identity_enabled" {
+  type = bool
+  default = true
+}
+
+variable "node_pools" {
+  type = map(any)
+  default = {
+    plural = {
+      vm_size = "Standard_D2s_v3"
+      node_count = 3
+      min_count = 1
+      max_count = 20
+      enable_auto_scaling = true
+    }
+  }
+}

terraform/modules/clusters/azure/versions.tf

@@ -0,0 +1,51 @@
+terraform {
+  required_version = ">= 1.3"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=3.51.0, < 4.0"
+    }
+    azapi = {
+      source  = "azure/azapi"
+      version = ">= 1.4.0, < 2.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.10"
+    }
+    plural = {
+      source = "pluralsh/plural"
+      version = ">= 0.2.9"
+    }
+    local = {
+        source = "hashicorp/local"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false
+    }
+  }
+
+  use_cli = false
+  use_oidc = true
+  oidc_token_file_path = "/var/run/secrets/azure/tokens/azure-identity-token"
+  subscription_id = local.identity["subscription_id"]
+  tenant_id = local.identity["tenant_id"]
+  client_id = local.identity["client_id"]
+}
+
+provider "azapi" {
+  use_cli = false
+  use_oidc = true
+  oidc_token_file_path = "/var/run/secrets/azure/tokens/azure-identity-token"
+  subscription_id = local.identity["subscription_id"]
+  tenant_id = local.identity["tenant_id"]
+  client_id = local.identity["client_id"]
+}
+
+provider "plural" {}