Merge pull request microsoft#81 from TomArcherMsft/UserStory1871520-2

User Story 1871520 (Code)

Author: grayzu

quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/main.tf

@@ -1,21 +1,210 @@
-terraform {
+resource "random_pet" "rg-name" {
+  prefix = var.resource_group_name_prefix
+}
 
-  required_version = ">=0.12"
+resource "azurerm_resource_group" "rg" {
+  name     = random_pet.rg-name.id
+  location = var.resource_group_location
+}
 
-  required_providers {
-    azurerm = {
-      source = "hashicorp/azurerm"
-      version = "~>2.0"
-    }
+# Locals block for hardcoded names
+locals {
+  backend_address_pool_name      = "${azurerm_virtual_network.test.name}-beap"
+  frontend_port_name             = "${azurerm_virtual_network.test.name}-feport"
+  frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
+  http_setting_name              = "${azurerm_virtual_network.test.name}-be-htst"
+  listener_name                  = "${azurerm_virtual_network.test.name}-httplstn"
+  request_routing_rule_name      = "${azurerm_virtual_network.test.name}-rqrt"
+  app_gateway_subnet_name        = "appgwsubnet"
+}
+
+# User Assigned Identities 
+resource "azurerm_user_assigned_identity" "testIdentity" {
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
+
+  name = "identity1"
+
+  tags = var.tags
+}
+
+resource "azurerm_virtual_network" "test" {
+  name                = var.virtual_network_name
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  address_space       = [var.virtual_network_address_prefix]
+
+  subnet {
+    name           = var.aks_subnet_name
+    address_prefix = var.aks_subnet_address_prefix
+  }
+
+  subnet {
+    name           = "appgwsubnet"
+    address_prefix = var.app_gateway_subnet_address_prefix
+  }
+
+  tags = var.tags
+}
+
+data "azurerm_subnet" "kubesubnet" {
+  name                 = var.aks_subnet_name
+  virtual_network_name = azurerm_virtual_network.test.name
+  resource_group_name  = azurerm_resource_group.rg.name
+  depends_on           = [azurerm_virtual_network.test]
+}
+
+data "azurerm_subnet" "appgwsubnet" {
+  name                 = "appgwsubnet"
+  virtual_network_name = azurerm_virtual_network.test.name
+  resource_group_name  = azurerm_resource_group.rg.name
+  depends_on           = [azurerm_virtual_network.test]
+}
+
+# Public Ip 
+resource "azurerm_public_ip" "test" {
+  name                = "publicIp1"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  allocation_method   = "Static"
+  sku                 = "Standard"
+
+  tags = var.tags
+}
+
+resource "azurerm_application_gateway" "network" {
+  name                = var.app_gateway_name
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
+
+  sku {
+    name     = var.app_gateway_sku
+    tier     = "Standard_v2"
+    capacity = 2
+  }
+
+  gateway_ip_configuration {
+    name      = "appGatewayIpConfig"
+    subnet_id = data.azurerm_subnet.appgwsubnet.id
+  }
+
+  frontend_port {
+    name = local.frontend_port_name
+    port = 80
+  }
+
+  frontend_port {
+    name = "httpsPort"
+    port = 443
+  }
+
+  frontend_ip_configuration {
+    name                 = local.frontend_ip_configuration_name
+    public_ip_address_id = azurerm_public_ip.test.id
   }
-  backend "azurerm" {
-    resource_group_name = var.resource_group_name
-    storage_account_name = var.storage_account_name
-    container_name = "tfstate"
-    key = "codelab.microsoft.tfstate"
+
+  backend_address_pool {
+    name = local.backend_address_pool_name
+  }
+
+  backend_http_settings {
+    name                  = local.http_setting_name
+    cookie_based_affinity = "Disabled"
+    port                  = 80
+    protocol              = "Http"
+    request_timeout       = 1
+  }
+
+  http_listener {
+    name                           = local.listener_name
+    frontend_ip_configuration_name = local.frontend_ip_configuration_name
+    frontend_port_name             = local.frontend_port_name
+    protocol                       = "Http"
   }
+
+  request_routing_rule {
+    name                       = local.request_routing_rule_name
+    rule_type                  = "Basic"
+    http_listener_name         = local.listener_name
+    backend_address_pool_name  = local.backend_address_pool_name
+    backend_http_settings_name = local.http_setting_name
   }
 
-  provider "azurerm" {
-  features {}
+  tags = var.tags
+
+  depends_on = [azurerm_virtual_network.test, azurerm_public_ip.test]
+}
+
+resource "azurerm_role_assignment" "ra1" {
+  scope                = data.azurerm_subnet.kubesubnet.id
+  role_definition_name = "Network Contributor"
+  principal_id         = var.aks_service_principal_object_id
+
+  depends_on = [azurerm_virtual_network.test]
+}
+
+resource "azurerm_role_assignment" "ra2" {
+  scope                = azurerm_user_assigned_identity.testIdentity.id
+  role_definition_name = "Managed Identity Operator"
+  principal_id         = var.aks_service_principal_object_id
+  depends_on           = [azurerm_user_assigned_identity.testIdentity]
+}
+
+resource "azurerm_role_assignment" "ra3" {
+  scope                = azurerm_application_gateway.network.id
+  role_definition_name = "Contributor"
+  principal_id         = azurerm_user_assigned_identity.testIdentity.principal_id
+  depends_on           = [azurerm_user_assigned_identity.testIdentity, azurerm_application_gateway.network]
+}
+
+resource "azurerm_role_assignment" "ra4" {
+  scope                = azurerm_resource_group.rg.id
+  role_definition_name = "Reader"
+  principal_id         = azurerm_user_assigned_identity.testIdentity.principal_id
+  depends_on           = [azurerm_user_assigned_identity.testIdentity, azurerm_application_gateway.network]
 }
+
+resource "azurerm_kubernetes_cluster" "k8s" {
+  name       = var.aks_name
+  location   = azurerm_resource_group.rg.location
+  dns_prefix = var.aks_dns_prefix
+
+  resource_group_name = azurerm_resource_group.rg.name
+
+  http_application_routing_enabled = false
+
+  linux_profile {
+    admin_username = var.vm_user_name
+
+    ssh_key {
+      key_data = file(var.public_ssh_key_path)
+    }
+  }
+
+  default_node_pool {
+    name            = "agentpool"
+    node_count      = var.aks_agent_count
+    vm_size         = var.aks_agent_vm_size
+    os_disk_size_gb = var.aks_agent_os_disk_size
+    vnet_subnet_id  = data.azurerm_subnet.kubesubnet.id
+  }
+
+  service_principal {
+    client_id     = var.aks_service_principal_app_id
+    client_secret = var.aks_service_principal_client_secret
+  }
+
+  network_profile {
+    network_plugin     = "azure"
+    dns_service_ip     = var.aks_dns_service_ip
+    docker_bridge_cidr = var.aks_docker_bridge_cidr
+    service_cidr       = var.aks_service_cidr
+  }
+
+  role_based_access_control {
+    enabled = var.aks_enable_rbac
+  }
+
+  depends_on = [azurerm_virtual_network.test, azurerm_application_gateway.network]
+  tags       = var.tags
+}

quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/output.tf

@@ -1,36 +1,44 @@
+output "resource_group_name" {
+  value = azurerm_resource_group.rg.name
+}
+
 output "client_key" {
-    value = azurerm_kubernetes_cluster.k8s.kube_config.0.client_key
+  value = azurerm_kubernetes_cluster.k8s.kube_config.0.client_key
 }
 
 output "client_certificate" {
-    value = azurerm_kubernetes_cluster.k8s.kube_config.0.client_certificate
+  value = azurerm_kubernetes_cluster.k8s.kube_config.0.client_certificate
 }
 
 output "cluster_ca_certificate" {
-    value = azurerm_kubernetes_cluster.k8s.kube_config.0.cluster_ca_certificate
+  value = azurerm_kubernetes_cluster.k8s.kube_config.0.cluster_ca_certificate
 }
 
 output "cluster_username" {
-    value = azurerm_kubernetes_cluster.k8s.kube_config.0.username
+  value = azurerm_kubernetes_cluster.k8s.kube_config.0.username
 }
 
 output "cluster_password" {
-    value = azurerm_kubernetes_cluster.k8s.kube_config.0.password
+  value = azurerm_kubernetes_cluster.k8s.kube_config.0.password
 }
 
 output "kube_config" {
-    value = azurerm_kubernetes_cluster.k8s.kube_config_raw
-    sensitive = true
+  value     = azurerm_kubernetes_cluster.k8s.kube_config_raw
+  sensitive = true
 }
 
 output "host" {
-    value = azurerm_kubernetes_cluster.k8s.kube_config.0.host
+  value = azurerm_kubernetes_cluster.k8s.kube_config.0.host
 }
 
 output "identity_resource_id" {
-    value = azurerm_user_assigned_identity.testIdentity.id
+  value = azurerm_user_assigned_identity.testIdentity.id
 }
 
 output "identity_client_id" {
-    value = azurerm_user_assigned_identity.testIdentity.client_id
+  value = azurerm_user_assigned_identity.testIdentity.client_id
+}
+
+output "application_ip_address" {
+  value = azurerm_public_ip.test.ip_address
 }

quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/providers.tf

@@ -0,0 +1,21 @@
+terraform {
+
+  required_version = ">=0.12"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~>2.0"
+    }
+  }
+  backend "azurerm" {
+    resource_group_name  = "<storage_account_resource_group>"
+    storage_account_name = "<storage_account_name>"
+    container_name       = "tfstate"
+    key                  = "codelab.microsoft.tfstate"
+  }
+}
+
+provider "azurerm" {
+  features {}
+}

quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/readme.md

@@ -0,0 +1,50 @@
+# Create an Application Gateway Ingress Controller in Azure Kubernetes Service using Terraform
+
+This template creates an Application Gateway Ingress Controller in Azure Kubernetes Service using Terraform.
+
+## Terraform resource types
+
+- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_user_assigned_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip)
+- [azurerm_application_gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway)
+- [azurerm_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment)
+- [azurerm_kubernetes_cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster)
+
+## Variables
+
+| Name | Description | Default value |
+|-|-|-|
+
+| `resource_group_name_prefix` | (Optional) Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | rg |
+| `location` | (Optional) Azure region in which to deploy demo resources.| eastus |
+| `aks_service_principal_app_id` | Application ID/Client ID  of the service principal. Used by AKS to manage AKS related resources on Azure like vms, subnets.| |
+| `aks_service_principal_client_secret` | Secret of the service principal. Used by AKS to manage Azure. | |
+| `aks_service_principal_object_id` | Object ID of the service principal. | |
+| `virtual_network_name` | Virtual network name. | aksVirtualNetwork |
+| `virtual_network_address_prefix` | VNET address prefix. | 192.168.0.0/16 |
+| `aks_subnet_name` | Subnet name. | kubesubnet |
+| `aks_subnet_address_prefix` | Subnet address prefix. | 192.168.0.0/24 |
+| `app_gateway_subnet_address_prefix` | Subnet server IP address. | 192.168.1.0/24 |
+| `app_gateway_name` | Name of the Application Gateway. | ApplicationGateway1 |
+| `app_gateway_sku` | Name of the Application Gateway SKU. | Standard_v2 |
+| `app_gateway_tier` | Tier of the Application Gateway tier. | Standard_v2 |
+| `aks_name` | AKS cluster name. | aks-cluster1 |
+| `aks_dns_prefix` | (Optional) DNS prefix to use with hosted Kubernetes API server FQDN. | aks |
+| `aks_agent_os_disk_size` | Disk size (in GB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Value of 0 applies the default disk size for that agentVMSize. | 40 |
+| `aks_agent_count` | The number of agent nodes for the cluster. | 3 |
+| `aks_agent_vm_size` | VM size. | Standard_D3_v2 |
+| `kubernetes_version` | Kubernetes version | 1.11.5 |
+| `aks_service_cidr` | CIDR notation IP range from which to assign service cluster IPs. | 10.0.0.0/16 |
+| `aks_dns_service_ip` | DNS server IP address. | 10.0.0.10 |
+| `aks_docker_bridge_cidr` | CIDR notation IP for Docker bridge. | 172.17.0.1/16 |
+| `aks_enable_rbac` | Enable RBAC on the AKS cluster. | false |
+| `vm_user_name` | User name for the VM. | vmuser1 |
+| `public_ssh_key_path` | Public key path for SSH. | ~/.ssh/id_rsa.pub |
+
+## Example
+
+To see how to run this example, see [Create an Application Gateway Ingress Controller in Azure Kubernetes Service using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-aks-applicationgateway-ingress).