try to fix 223

Azure · Nov 16, 2023 · 7cd1829 · 7cd1829
1 parent 6ff8e2e
commit 7cd1829
Show file tree

Hide file tree

Showing 11 changed files with 571 additions and 126 deletions.
diff --git a/examples/application_gateway_ingress/k8s_workload.tf b/examples/application_gateway_ingress/k8s_workload.tf
@@ -0,0 +1,104 @@
+resource "kubernetes_namespace_v1" "example" {
+  metadata {
+    name = "example"
+  }
+}
+
+resource "kubernetes_pod" "aspnet_app" {
+  #checkov:skip=CKV_K8S_8:We don't need readiness probe for this simple example.
+  #checkov:skip=CKV_K8S_9:We don't need readiness probe for this simple example.
+  #checkov:skip=CKV_K8S_22:readOnlyRootFilesystem would block our pod from working
+  #checkov:skip=CKV_K8S_28:capabilities would block our pod from working
+  metadata {
+    name      = "aspnetapp"
+    namespace = kubernetes_namespace_v1.example.metadata[0].name
+    labels = {
+      app = "aspnetapp"
+    }
+  }
+  spec {
+    container {
+      name              = "aspnetapp-image"
+      image             = "mcr.microsoft.com/dotnet/samples@sha256:7070894cc10d2b1e68e72057cca22040c5984cfae2ec3e079e34cf0a4da7fcea"
+      image_pull_policy = "Always"
+      security_context {}
+      port {
+        container_port = 80
+        protocol       = "TCP"
+      }
+      resources {
+        requests = {
+          cpu    = "250m"
+          memory = "256Mi"
+        }
+        limits = {
+          cpu    = "250m"
+          memory = "256Mi"
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "svc" {
+  metadata {
+    name      = "aspnetapp"
+    namespace = kubernetes_namespace_v1.example.metadata[0].name
+  }
+  spec {
+    selector = {
+      app = "aspnetapp"
+    }
+    port {
+      port        = 80
+      target_port = 80
+      protocol    = "TCP"
+    }
+  }
+}
+
+resource "kubernetes_ingress_v1" "ing" {
+  metadata {
+    name      = "aspnetapp"
+    namespace = kubernetes_namespace_v1.example.metadata[0].name
+    annotations = {
+      "kubernetes.io/ingress.class" : "azure/application-gateway"
+    }
+  }
+  spec {
+    rule {
+      http {
+        path {
+          path = "/"
+          backend {
+            service {
+              name = "aspnetapp"
+              port {
+                number = 80
+              }
+            }
+          }
+          path_type = "Exact"
+        }
+      }
+    }
+  }
+  depends_on = [
+    module.aks,
+  ]
+}
+
+resource "time_sleep" "wait_one_minute" {
+  create_duration = "1m"
+
+  depends_on = [kubernetes_ingress_v1.ing]
+}
+
+data "kubernetes_ingress_v1" "ing" {
+  metadata {
+    name      = "aspnetapp"
+    namespace = kubernetes_namespace_v1.example.metadata[0].name
+  }
+
+  depends_on = [time_sleep.wait_one_minute]
+}
diff --git a/examples/application_gateway_ingress/main.tf b/examples/application_gateway_ingress/main.tf
@@ -0,0 +1,176 @@
+resource "random_id" "prefix" {
+  byte_length = 8
+}
+
+resource "random_id" "name" {
+  byte_length = 8
+}
+
+resource "azurerm_resource_group" "main" {
+  count = var.create_resource_group ? 1 : 0
+
+  location = var.location
+  name     = coalesce(var.resource_group_name, "${random_id.prefix.hex}-rg")
+}
+
+locals {
+  resource_group = {
+    name     = var.create_resource_group ? azurerm_resource_group.main[0].name : var.resource_group_name
+    location = var.location
+  }
+}
+
+resource "azurerm_virtual_network" "test" {
+  address_space       = ["10.52.0.0/16"]
+  location            = local.resource_group.location
+  name                = "${random_id.prefix.hex}-vn"
+  resource_group_name = local.resource_group.name
+}
+
+resource "azurerm_subnet" "test" {
+  address_prefixes     = ["10.52.0.0/24"]
+  name                 = "${random_id.prefix.hex}-sn"
+  resource_group_name  = local.resource_group.name
+  virtual_network_name = azurerm_virtual_network.test.name
+}
+
+resource "azurerm_subnet" "appgw" {
+  address_prefixes     = ["10.52.1.0/24"]
+  name                 = "${random_id.prefix.hex}-gw"
+  resource_group_name  = local.resource_group.name
+  virtual_network_name = azurerm_virtual_network.test.name
+}
+
+# Locals block for hardcoded names
+locals {
+  backend_address_pool_name      = "${azurerm_virtual_network.test.name}-beap"
+  frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
+  frontend_port_name             = "${azurerm_virtual_network.test.name}-feport"
+  http_setting_name              = "${azurerm_virtual_network.test.name}-be-htst"
+  listener_name                  = "${azurerm_virtual_network.test.name}-httplstn"
+  request_routing_rule_name      = "${azurerm_virtual_network.test.name}-rqrt"
+}
+
+resource "azurerm_public_ip" "pip" {
+  allocation_method   = "Static"
+  location            = local.resource_group.location
+  name                = "appgw-pip"
+  resource_group_name = local.resource_group.name
+  sku                 = "Standard"
+}
+
+resource "azurerm_application_gateway" "appgw" {
+  location = local.resource_group.location
+  #checkov:skip=CKV_AZURE_120:We don't need the WAF for this simple example
+  name                = "ingress"
+  resource_group_name = local.resource_group.name
+
+  backend_address_pool {
+    name = local.backend_address_pool_name
+  }
+  backend_http_settings {
+    cookie_based_affinity = "Disabled"
+    name                  = local.http_setting_name
+    port                  = 80
+    protocol              = "Http"
+    request_timeout       = 1
+  }
+  frontend_ip_configuration {
+    name                 = local.frontend_ip_configuration_name
+    public_ip_address_id = azurerm_public_ip.pip.id
+  }
+  frontend_port {
+    name = local.frontend_port_name
+    port = 80
+  }
+  gateway_ip_configuration {
+    name      = "appGatewayIpConfig"
+    subnet_id = azurerm_subnet.appgw.id
+  }
+  http_listener {
+    frontend_ip_configuration_name = local.frontend_ip_configuration_name
+    frontend_port_name             = local.frontend_port_name
+    name                           = local.listener_name
+    protocol                       = "Http"
+  }
+  request_routing_rule {
+    http_listener_name         = local.listener_name
+    name                       = local.request_routing_rule_name
+    rule_type                  = "Basic"
+    backend_address_pool_name  = local.backend_address_pool_name
+    backend_http_settings_name = local.http_setting_name
+    priority                   = 1
+  }
+  sku {
+    name     = "Standard_v2"
+    tier     = "Standard_v2"
+    capacity = 1
+  }
+
+  lifecycle {
+    ignore_changes = [
+      tags,
+      backend_address_pool,
+      backend_http_settings,
+      http_listener,
+      probe,
+      request_routing_rule,
+      url_path_map,
+    ]
+  }
+}
+
+module "aks" {
+  #checkov:skip=CKV_AZURE_141:We enable admin account here so we can provision K8s resources directly in this simple example
+  source = "../.."
+
+  prefix                    = random_id.name.hex
+  resource_group_name       = local.resource_group.name
+  kubernetes_version        = "1.26" # don't specify the patch version!
+  automatic_channel_upgrade = "patch"
+  agents_availability_zones = ["1", "2"]
+  agents_count              = null
+  agents_max_count          = 2
+  agents_max_pods           = 100
+  agents_min_count          = 1
+  agents_pool_name          = "testnodepool"
+  agents_pool_linux_os_configs = [
+    {
+      transparent_huge_page_enabled = "always"
+      sysctl_configs = [
+        {
+          fs_aio_max_nr               = 65536
+          fs_file_max                 = 100000
+          fs_inotify_max_user_watches = 1000000
+        }
+      ]
+    }
+  ]
+  agents_type                         = "VirtualMachineScaleSets"
+  azure_policy_enabled                = true
+  enable_auto_scaling                 = true
+  enable_host_encryption              = true
+  http_application_routing_enabled    = true
+  ingress_application_gateway_enabled = true
+  application_gateway_for_ingress = {
+    id        = azurerm_application_gateway.appgw.id
+    subnet_id = azurerm_subnet.appgw.id
+  }
+  local_account_disabled            = false
+  log_analytics_workspace_enabled   = false
+  net_profile_dns_service_ip        = "10.0.0.10"
+  net_profile_service_cidr          = "10.0.0.0/16"
+  network_plugin                    = "azure"
+  network_policy                    = "azure"
+  os_disk_size_gb                   = 60
+  private_cluster_enabled           = false
+  public_network_access_enabled     = true
+  rbac_aad                          = true
+  rbac_aad_managed                  = true
+  role_based_access_control_enabled = true
+  sku_tier                          = "Standard"
+  vnet_subnet_id                    = azurerm_subnet.test.id
+  depends_on = [
+    azurerm_subnet.test,
+  ]
+}
diff --git a/examples/application_gateway_ingress/outputs.tf b/examples/application_gateway_ingress/outputs.tf
@@ -0,0 +1,4 @@
+output "ingress_endpoint" {
+  depends_on = [time_sleep.wait_one_minute]
+  value      = "http://${data.kubernetes_ingress_v1.ing.status[0].load_balancer[0].ingress[0].ip}"
+}
diff --git a/examples/application_gateway_ingress/providers.tf b/examples/application_gateway_ingress/providers.tf
@@ -0,0 +1,38 @@
+terraform {
+  required_version = ">=1.3"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.51, < 4.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.22.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "3.3.2"
+    }
+    time = {
+      source  = "hashicorp/time"
+      version = "0.9.1"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false
+    }
+  }
+}
+
+provider "kubernetes" {
+  host                   = module.aks.admin_host
+  client_certificate     = base64decode(module.aks.admin_client_certificate)
+  client_key             = base64decode(module.aks.admin_client_key)
+  cluster_ca_certificate = base64decode(module.aks.admin_cluster_ca_certificate)
+}
+
+provider "random" {}
diff --git a/examples/application_gateway_ingress/variables.tf b/examples/application_gateway_ingress/variables.tf
@@ -0,0 +1,14 @@
+variable "create_resource_group" {
+  type     = bool
+  default  = true
+  nullable = false
+}
+
+variable "location" {
+  default = "eastus"
+}
+
+variable "resource_group_name" {
+  type    = string
+  default = null
+}
diff --git a/locals.tf b/locals.tf
@@ -1,4 +1,14 @@
 locals {
+  # Application Gateway ID: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/applicationGateways/myGateway1
+  application_gateway_for_ingress_id             = var.application_gateway_for_ingress == null ? null : var.application_gateway_for_ingress.id
+  application_gateway_resource_group_for_ingress = var.application_gateway_for_ingress == null ? null : local.application_gateway_segments_for_ingress[4]
+  application_gateway_segments_for_ingress       = var.application_gateway_for_ingress == null ? null : split("/", local.application_gateway_for_ingress_id)
+  application_gateway_subnet_resource_group_name = try(local.application_gateway_subnet_segments[4], null)
+  # Subnet ID: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/virtualNetworks/myvnet1/subnets/mysubnet1
+  application_gateway_subnet_segments                    = try(split("/", var.application_gateway_for_ingress.subnet_id), [])
+  application_gateway_subnet_subscription_id_for_ingress = try(local.application_gateway_subnet_segments[2], null)
+  application_gateway_subnet_vnet_name                   = try(local.application_gateway_subnet_segments[8], null)
+  application_gateway_subscription_id_for_ingress        = var.application_gateway_for_ingress == null ? null : local.application_gateway_segments_for_ingress[2]
   # Abstract if auto_scaler_profile_scale_down_delay_after_delete is not set or null we should use the scan_interval.
   auto_scaler_profile_scale_down_delay_after_delete = var.auto_scaler_profile_scale_down_delay_after_delete == null ? var.auto_scaler_profile_scan_interval : var.auto_scaler_profile_scale_down_delay_after_delete
   # automatic upgrades are either:
@@ -10,8 +20,9 @@ locals {
     (contains(["rapid", "stable", "node-image"], var.automatic_channel_upgrade) && var.kubernetes_version == null && var.orchestrator_version == null)
   )
   # Abstract the decision whether to create an Analytics Workspace or not.
-  create_analytics_solution  = var.log_analytics_workspace_enabled && var.log_analytics_solution == null
-  create_analytics_workspace = var.log_analytics_workspace_enabled && var.log_analytics_workspace == null
+  create_analytics_solution                       = var.log_analytics_workspace_enabled && var.log_analytics_solution == null
+  create_analytics_workspace                      = var.log_analytics_workspace_enabled && var.log_analytics_workspace == null
+  create_role_assignments_for_application_gateway = try(var.application_gateway_for_ingress.create_role_assignments, false)
   # Abstract the decision whether to use an Analytics Workspace supplied via vars, provision one ourselves or leave it null.
   # This guarantees that local.log_analytics_workspace will contain a valid `id` and `name` IFF log_analytics_workspace_enabled
   # is set to `true`.