# Terraform core and provider requirements for this module.
terraform {
  required_version = "~> 1.7.5"
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      # NOTE(review): no `version` constraint is declared here, so a fresh
      # `terraform init` resolves whichever azurerm release is current at the
      # time. Add a version constraint (and commit the dependency lock file) so
      # provider upgrades are deliberate and reproducible.
    }
  }
}
# User-assigned managed identity for the demo app. The Kubernetes service
# account federates to this identity (federated credential below) instead of
# holding a client secret.
resource "azurerm_user_assigned_identity" "demoapp" {
  name                = "mi-demoapp"
  location            = var.aks.rg.location
  resource_group_name = var.aks.rg.name
}
# Grants the demo app identity the built-in "Key Vault Secrets User" role,
# i.e. read access to secret contents, scoped to the single vault given by
# var.demoapp.key_vault.id rather than to a resource group or subscription.
resource "azurerm_role_assignment" "demoapp_keyvault" {
  principal_id         = azurerm_user_assigned_identity.demoapp.principal_id
  role_definition_name = "Key Vault Secrets User"
  scope                = var.demoapp.key_vault.id

  # Equivalent reference to the same built-in role by definition id:
  # role_definition_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6"
}
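# Workload identity federation: lets the demo app's Kubernetes service account
# exchange its projected AKS OIDC token for a token of the managed identity
# above, so no client secret has to be stored in the cluster.
#
# The resource label "dempapp" is a typo for "demoapp" but is kept as-is:
# renaming it changes the resource address and would destroy/recreate the
# credential unless a `moved` block accompanies the rename.
resource "azurerm_federated_identity_credential" "dempapp" {
  name                = "ficred-demoapp"
  resource_group_name = var.aks.rg.name
  parent_id           = azurerm_user_assigned_identity.demoapp.id

  # Trust is pinned to this cluster's OIDC issuer and to exactly one
  # namespace/service-account pair; widening either widens who can obtain
  # tokens for this identity.
  issuer  = var.aks.oidc_issuer_url
  subject = "system:serviceaccount:${local.demoapp.service_account.namespace}:${local.demoapp.service_account.name}"

  # Fixed audience Azure AD expects on the incoming token for workload
  # identity federation. The previous value "api:https://AzureADTokenExchange"
  # is not a valid audience and the token exchange would be rejected.
  audience = ["api://AzureADTokenExchange"]
}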
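# Installs the Flux (GitOps) cluster extension on AKS and enables the image
# automation/reflector controllers.
resource "azurerm_kubernetes_cluster_extension" "flux" {
  name           = "ext-flux"
  cluster_id     = var.aks.cluster_id
  extension_type = "microsoft.flux"

  configuration_settings = {
    # SECURITY: with multi-tenancy enforcement off, Flux does not require
    # Kustomizations/HelmReleases to impersonate a service account and does
    # not block cross-namespace source references, so anyone who can create
    # Flux objects in any namespace effectively acts with the Flux
    # controllers' cluster-wide privileges. Acceptable for a single-team demo
    # cluster; set to "true" before sharing the cluster between teams.
    "multiTenancy.enforce"                = "false"
    "image-automation-controller.enabled" = "true"
    "image-reflector-controller.enabled"  = "true"
  }

  # Creation-time bootstrap: hands cluster and identity values to the helper
  # script (what pass-values.sh does with them is outside this file). A
  # creation-time local-exec runs only when the resource is first created, so
  # later changes to any of these inputs do NOT re-run the script; replace
  # the extension to re-bootstrap. Every argument is double-quoted so a value
  # containing whitespace or shell metacharacters is passed as one argument
  # instead of being word-split or glob-expanded.
  provisioner "local-exec" {
    command = <<-EOT
      "${path.module}/scripts/pass-values.sh" \
        "${var.aks.rg.name}" \
        "${var.aks.cluster_name}" \
        "${local.tenant_id}" \
        "${azurerm_user_assigned_identity.demoapp.client_id}" \
        "${var.demoapp.key_vault.name}" \
        "${var.demoapp.ingress_svc.subnet}" \
        "${var.demoapp.ingress_svc.ip}"
    EOT
  }
}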
# Points Flux at the GitOps repository and applies the cluster-specific
# kustomization under ./flux/clusters/<switch>-<suffix>.
resource "azurerm_kubernetes_flux_configuration" "base" {
  name       = "flux-system"
  namespace  = "flux-system"
  cluster_id = var.aks.cluster_id

  # The Flux extension must be installed before a configuration can be applied.
  depends_on = [azurerm_kubernetes_cluster_extension.flux]

  git_repository {
    url             = var.flux.git_repository.url
    reference_type  = var.flux.git_repository.reference_type
    reference_value = var.flux.git_repository.reference_value

    # HTTPS credentials for the repository. base64encode is encoding, not
    # encryption: the token ends up in the plan and state. Declare
    # `flux_git_token` with `sensitive = true` where it is defined if it is
    # not already, and protect the state backend accordingly.
    https_user       = var.flux_git_user
    https_key_base64 = base64encode(var.flux_git_token)
  }

  kustomizations {
    name = "base"
    path = "./flux/clusters/${var.aks.switch}-${var.suffix}"
  }
}