terraform {
  # Exact pin of the CLI release: a different Terraform version fails `init`
  # instead of silently planning with another engine.
  required_version = "= 0.15.3"

  required_providers {
    azurerm = {
      # Exact provider pin, so a provider upgrade is always a reviewed change.
      version = "=2.58.0"
      source  = "hashicorp/azurerm"
    }
  }
}
# The empty `features {}` block is required by azurerm 2.x even when no
# feature flags are toggled. No credentials are configured here; the
# provider presumably authenticates from the environment or the Azure CLI
# session — confirm in the pipeline that runs this.
provider "azurerm" {
  features {}
}
# Resource group for the hub network side (hub VNet, firewall, route table,
# management container group). Separate from the cluster RG so the two
# halves can be scoped and permissioned independently.
resource "azurerm_resource_group" "vnet" {
  location = var.location
  name     = var.vnet_resource_group_name
  tags     = var.tags
}
# Resource group for the spoke/cluster side (spoke VNet and the AKS resource
# itself). Node resources land in the AKS-managed node resource group, which
# is not declared in this file.
resource "azurerm_resource_group" "kube" {
  location = var.location
  name     = var.kube_resource_group_name
  tags     = var.tags
}
# Hub VNet (10.0.0.0/22) holding the egress firewall and the jumpbox.
module "hub_network" {
  source = "./modules/vnet"

  location            = var.location
  resource_group_name = azurerm_resource_group.vnet.name
  tags                = var.tags
  vnet_name           = var.hub_vnet_name

  address_space = ["10.0.0.0/22"]

  subnets = [
    {
      # Azure Firewall requires a subnet with exactly this name.
      name              = "AzureFirewallSubnet"
      address_prefixes  = ["10.0.0.0/24"]
      delegations       = []
      service_endpoints = []
    },
    {
      # Delegated to ACI so the management container group below can be
      # injected into this subnet; Storage service endpoint for its traffic.
      name              = "jumpbox-subnet"
      address_prefixes  = ["10.0.1.0/24"]
      delegations       = ["Microsoft.ContainerInstance/containerGroups"]
      service_endpoints = ["Microsoft.Storage"]
    },
  ]
}
# Spoke VNet (10.0.4.0/22) for the AKS nodes; "aks-subnet" is the only
# subnet and is referenced by the route table, the cluster and the role
# assignment further down.
module "kube_network" {
  source = "./modules/vnet"

  location            = var.location
  resource_group_name = azurerm_resource_group.kube.name
  tags                = var.tags
  vnet_name           = var.kube_vnet_name

  address_space = ["10.0.4.0/22"]

  subnets = [
    {
      name              = "aks-subnet"
      address_prefixes  = ["10.0.5.0/24"]
      delegations       = []
      service_endpoints = []
    },
  ]
}
# Bidirectional peering between hub and spoke so the spoke's default route
# can point at the firewall in the hub. Peering options (gateway transit,
# forwarded traffic) are set inside the module, not here.
module "vnet_peering" {
  source = "./modules/vnet_peering"

  # Hub side.
  vnet_1_id   = module.hub_network.vnet_id
  vnet_1_name = var.hub_vnet_name
  vnet_1_rg   = azurerm_resource_group.vnet.name

  # Spoke side.
  vnet_2_id   = module.kube_network.vnet_id
  vnet_2_name = var.kube_vnet_name
  vnet_2_rg   = azurerm_resource_group.kube.name

  peering_name_1_to_2 = "HubToSpoke1"
  peering_name_2_to_1 = "Spoke1ToHub"
}
# Egress firewall in the hub's AzureFirewallSubnet. The allow rules that
# decide which destinations the cluster may reach live in the module; review
# them there, since this file only places the firewall.
module "firewall" {
  source = "./modules/firewall"

  location       = var.location
  resource_group = azurerm_resource_group.vnet.name

  fw_name   = "kubenetfw"
  pip_name  = "azureFirewalls-ip"
  subnet_id = module.hub_network.subnet_ids["AzureFirewallSubnet"]
}
# Route table attached to the AKS subnet that sends its egress to the
# firewall's private IP; this is what makes outbound_type = "userDefinedRouting"
# on the cluster effective.
module "routetable" {
  source = "./modules/route_table"

  location       = var.location
  resource_group = azurerm_resource_group.vnet.name

  r_name  = "kubenetfw_fw_r"
  rt_name = "kubenetfw_fw_rt"

  # Input name is misspelled ("firewal") in the module's variable; it must
  # stay as-is here until the module itself is renamed.
  firewal_private_ip = module.firewall.fw_private_ip
  subnet_id          = module.kube_network.subnet_ids["aks-subnet"]
}
data "azurerm_kubernetes_service_versions" "current" {
location = var.location
version_prefix = var.kube_version_prefix
}
# Private AKS cluster: the API server is reachable only through its private
# endpoint (private_cluster_enabled), and node egress is forced through the
# hub firewall via the route table (outbound_type = "userDefinedRouting").
#
# Notes for review:
#   - No `role_based_access_control` block is set, so Kubernetes RBAC follows
#     the pinned provider's default — confirm it is enabled for azurerm 2.58.0
#     rather than relying on the default.
#   - No `network_policy` is set in network_profile, so no pod-level network
#     policy enforcement is configured by this file.
resource "azurerm_kubernetes_cluster" "privateaks" {
  name                = "private-aks"
  dns_prefix          = "private-aks"
  location            = var.location
  resource_group_name = azurerm_resource_group.kube.name
  tags                = var.tags

  kubernetes_version      = data.azurerm_kubernetes_service_versions.current.latest_version
  private_cluster_enabled = true

  # System-assigned managed identity; its principal id is granted a scoped
  # role on the node subnet in azurerm_role_assignment.netcontributor.
  identity {
    type = "SystemAssigned"
  }

  default_node_pool {
    name           = "default"
    node_count     = var.nodepool_nodes_count
    vm_size        = var.nodepool_vm_size
    vnet_subnet_id = module.kube_network.subnet_ids["aks-subnet"]
  }

  network_profile {
    network_plugin     = "azure"
    outbound_type      = "userDefinedRouting"
    dns_service_ip     = var.network_dns_service_ip
    docker_bridge_cidr = var.network_docker_bridge_cidr
    service_cidr       = var.network_service_cidr
  }

  # With user-defined routing the route table must already be on the subnet
  # when the cluster is created; the module reference alone is not a
  # dependency, hence the explicit depends_on.
  depends_on = [module.routetable]
}
# Grants the cluster's system-assigned identity Network Contributor on the
# AKS subnet only (not the VNet or resource group), which keeps the grant at
# the narrowest scope that still lets the cluster manage its subnet.
resource "azurerm_role_assignment" "netcontributor" {
  principal_id         = azurerm_kubernetes_cluster.privateaks.identity[0].principal_id
  role_definition_name = "Network Contributor"
  scope                = module.kube_network.subnet_ids["aks-subnet"]
}
# Management container group (jumpbox) injected into the hub's jumpbox
# subnet. It is handed the cluster's private DNS zone so it can resolve the
# private API server FQDN across the peering; what it exposes and who can
# reach it is decided inside the module.
module "containergroup" {
  source = "./modules/container_group"

  container_group_name = "mgmt-acg"
  location             = azurerm_resource_group.vnet.location
  resource_group       = azurerm_resource_group.vnet.name

  subnet_id = module.hub_network.subnet_ids["jumpbox-subnet"]
  vnet_id   = module.hub_network.vnet_id

  # The private DNS zone lives in the AKS-managed node resource group.
  dns_zone_resource_group = azurerm_kubernetes_cluster.privateaks.node_resource_group

  # private_fqdn is "<cluster-label>.<zone labels...>"; dropping the first
  # label (slice from index 1 to the end) leaves just the zone name.
  dns_zone_name = join(".", slice(split(".", azurerm_kubernetes_cluster.privateaks.private_fqdn), 1, length(split(".", azurerm_kubernetes_cluster.privateaks.private_fqdn))))
}