diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index a1fa0bce..7f45b56b 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -48,24 +48,24 @@ provider "registry.terraform.io/hashicorp/azuread" {
 }
 
 provider "registry.terraform.io/hashicorp/azurerm" {
-  version = "3.113.0"
+  version = "4.5.0"
   hashes = [
-    "h1:NUQQxGKOkSJL43N3vxh/mO6KyWbiKw797s87W/+fojo=",
-    "h1:SMgp1in4oxxVeICJMy8qg3WG00jDmLwUfgd9jlO3Ysw=",
-    "h1:SbNQLapCxbTbhM37LaRALPizAZMiA5sTRC09sUWgZOo=",
-    "h1:eEUtt0lrLdpVaF6FiDq8BGQPgEcykmhj0aNIL7hTOGw=",
-    "zh:12479f5664288943400447b55e50df675c28ae82ad8d373cc2e5682f3a3411f0",
-    "zh:1b42a14e80e568429d3b55fed753ca3ef0df9dcdfa107890d7264599c020940f",
-    "zh:381be6ca617f848de3baa3985a6e1788e91a803afe04a3c5c727453528b6310d",
-    "zh:3e70e2e07b6db1c363de3e5d0ca47f27fc956473df03329c7d2e54d3ac29176b",
-    "zh:87c7633aeaa828098c6055da9e67d4acaf4b46748b6b3f0267e105e55f05de25",
-    "zh:8d0d98226901f874770dd5220d4701a12ae8bd586994615aa7dcba12b9736bec",
-    "zh:9fd913acd42a60c3a90a18ce803567ef861db8779a59aacced91f2cbd86de9d9",
-    "zh:b6f3f7ae0a055437fb36c139af9bb3135e7f4dad172157ae1eb0177dc74d703f",
-    "zh:b927027ba2bf40d34e03d742fd2b6c5299023b5ab8e6f05e50aac76a46ad1094",
-    "zh:ceb5187b9d2a439f4e48944f3ffeeeaf47a03dbe6f3325ea1775bf659ce0aa88",
+    "h1:ZH2Lql/nl4SaJRqTCvpLDocysg1l1d2sVgd4rduwIaU=",
+    "h1:bAEb9HTc1Yl0ULs+WQAI6jAoKWv4I2LUGpoESf/iCyc=",
+    "h1:iIQmNl0NPEZsxS8pXTF+VGpxyfXtw5DOB4mW/kvrHy8=",
+    "h1:uZzo+Ek68F+e+bBad7v1P3Yaf/1w8Uctj0Zdj04B31M=",
+    "zh:27ac12977bdb7b82217a3fe35d3206e1e4261465d738aff93244ec90f2bd431a",
+    "zh:36a619af3767a92ee892c5de24604eeb9f23a5a01bb8455115a5eb4bd656f234",
+    "zh:45a374637b794427c5e07d23c6312d92d58bed3594789322c109d333ea1865e5",
+    "zh:538e501d313cfc0b61f3b2e5be9ae7755df3d3d9a3e4f14e0ea6a943d5102109",
+    "zh:64d8e4b94a1324292fe318bf27c6149aa345eabab8b89d9d78ce447ce5600e65",
+    "zh:7b3fcc0a724c5e00e6ce0e7da22010b6ae4bd2622544ef4d31fd4100f85985d7",
+    "zh:84876a614b010ae5dbef1b1edd9a22447cf57b9300b9eaf4321d587bfebf82dc",
+    "zh:850e3900fb2b55ad85b6def8b580fb851778bb470be5354cb0a0244d03acd5a4",
+    "zh:b6355d1eb7d165b246ad9c8f7c0ce7ccd5bbc58a01bd853c7ca896c71f4cd295",
+    "zh:bd4f1558f24af356d372937b810801555471eafbbc0552471bb6760f8ddd6b7e",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:fb9d78dfeca7489bffca9b1a1f3abee7f16dbbcba31388aea1102062c1d6dce8",
+    "zh:f78eaaf507ab56041112b765f6ca1740221773f3b32710bb8d087f29a686f30f",
   ]
 }
 
diff --git a/ci.jenkins.io-kubernetes-agents.tf b/ci.jenkins.io-kubernetes-agents.tf
index 57460384..7d7baaa7 100644
--- a/ci.jenkins.io-kubernetes-agents.tf
+++ b/ci.jenkins.io-kubernetes-agents.tf
@@ -29,6 +29,8 @@ resource "azurerm_kubernetes_cluster" "cijenkinsio_agents_1" {
   kubernetes_version = local.kubernetes_versions["cijenkinsio_agents_1"]
   role_based_access_control_enabled = true # default value but made explicit to please trivy
 
+  image_cleaner_interval_hours = 48
+
   network_profile {
     network_plugin = "azure"
     network_plugin_mode = "overlay"
@@ -54,7 +56,7 @@ resource "azurerm_kubernetes_cluster" "cijenkinsio_agents_1" {
     os_disk_size_gb = 150 # Ref. Cache storage size athttps://learn.microsoft.com/fr-fr/azure/virtual-machines/dasv5-dadsv5-series#dadsv5-series (depends on the instance size)
     orchestrator_version = local.kubernetes_versions["cijenkinsio_agents_1"]
     kubelet_disk_type = "OS"
-    enable_auto_scaling = true
+    auto_scaling_enabled = true
     min_count = 2 # for best practises
     max_count = 3 # for upgrade
     vnet_subnet_id = data.azurerm_subnet.ci_jenkins_io_kubernetes_sponsorship.id
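Review bot: In the `@@ -29,6 +29,8 @@` hunk of ci.jenkins.io-kubernetes-agents.tf the new `image_cleaner_interval_hours = 48` line carries no rationale, while the neighbouring `role_based_access_control_enabled` line explains why it is spelled out; a reader cannot tell whether 48 is a deliberate cadence or a value carried over so the cleaner interval does not move with the provider upgrade (it looks like the latter, presumably pinning the previous default — confirm). Suggest `image_cleaner_interval_hours = 48 # explicit so the unused-image cleanup cadence does not change with the azurerm 4.x upgrade`, and, since the image cleaner is what removes stale and vulnerable images from node disks, consider spelling out `image_cleaner_enabled = true` beside it so that behaviour does not rest on a provider default either. The same uncommented line is added in the corresponding hunks of infraci.jenkins.io-kubernetes-sponsored-agents.tf, privatek8s.tf and publick8s.tf. The enclosing `azurerm_kubernetes_cluster` block starts and ends outside the hunk.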
@@ -78,7 +80,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "linux_arm64_n2_applications" {
   os_disk_size_gb = 150 # Ref. Cache storage size at https://learn.microsoft.com/en-us/azure/virtual-machines/dv3-dsv3-series#dsv3-series (depends on the instance size)
   orchestrator_version = local.kubernetes_versions["cijenkinsio_agents_1"]
   kubernetes_cluster_id = azurerm_kubernetes_cluster.cijenkinsio_agents_1.id
-  enable_auto_scaling = true
+  auto_scaling_enabled = true
   min_count = 1
   max_count = 3 # 2 nodes always up for HA, a 3rd one is allowed for surge upgrades
   zones = local.cijenkinsio_agents_1_compute_zones
@@ -112,7 +114,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "linux_x86_64_n4_agents_1" {
   os_disk_size_gb = 600 # Ref. Cache storage size at https://learn.microsoft.com/en-us/azure/virtual-machines/dv3-dsv3-series#dsv3-series (depends on the instance size)
   orchestrator_version = local.kubernetes_versions["cijenkinsio_agents_1"]
   kubernetes_cluster_id = azurerm_kubernetes_cluster.cijenkinsio_agents_1.id
-  enable_auto_scaling = true
+  auto_scaling_enabled = true
   min_count = 0
   max_count = 40 # 3 pods per nodes, max 120 pods - due to quotas
   zones = local.cijenkinsio_agents_1_compute_zones
@@ -146,7 +148,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "linux_x86_64_n4_bom_1" {
   os_disk_size_gb = 600 # Ref. Cache storage size at https://learn.microsoft.com/en-us/azure/virtual-machines/dv3-dsv3-series#dsv3-series (depends on the instance size)
   orchestrator_version = local.kubernetes_versions["cijenkinsio_agents_1"]
   kubernetes_cluster_id = azurerm_kubernetes_cluster.cijenkinsio_agents_1.id
-  enable_auto_scaling = true
+  auto_scaling_enabled = true
   min_count = 0
   max_count = 50
   zones = local.cijenkinsio_agents_1_compute_zones
diff --git a/contributors.jenkins.io.tf b/contributors.jenkins.io.tf
index 87f983d6..a4c4d0c6 100644
--- a/contributors.jenkins.io.tf
+++ b/contributors.jenkins.io.tf
@@ -5,14 +5,14 @@ resource "azurerm_resource_group" "contributors_jenkins_io" {
 }
 
 resource "azurerm_storage_account" "contributors_jenkins_io" {
-  name                      = "contributorsjenkinsio"
-  resource_group_name       = azurerm_resource_group.contributors_jenkins_io.name
-  location                  = azurerm_resource_group.contributors_jenkins_io.location
-  account_tier              = "Standard"
-  account_replication_type  = "ZRS"
-  account_kind              = "StorageV2"
-  enable_https_traffic_only = true
-  min_tls_version           = "TLS1_2"
+  name                       = "contributorsjenkinsio"
+  resource_group_name        = azurerm_resource_group.contributors_jenkins_io.name
+  location                   = azurerm_resource_group.contributors_jenkins_io.location
+  account_tier               = "Standard"
+  account_replication_type   = "ZRS"
+  account_kind               = "StorageV2"
+  https_traffic_only_enabled = true
+  min_tls_version            = "TLS1_2"
 
   network_rules {
     default_action = "Deny"
diff --git a/docs.jenkins.io.tf b/docs.jenkins.io.tf
index 6dfd9b31..494af742 100644
--- a/docs.jenkins.io.tf
+++ b/docs.jenkins.io.tf
@@ -5,14 +5,14 @@ resource "azurerm_resource_group" "docs_jenkins_io" {
 }
 
 resource "azurerm_storage_account" "docs_jenkins_io" {
-  name                      = "docsjenkinsio"
-  resource_group_name       = azurerm_resource_group.docs_jenkins_io.name
-  location                  = azurerm_resource_group.docs_jenkins_io.location
-  account_tier              = "Standard"
-  account_replication_type  = "ZRS"
-  account_kind              = "StorageV2"
-  enable_https_traffic_only = true
-  min_tls_version           = "TLS1_2"
+  name                       = "docsjenkinsio"
+  resource_group_name        = azurerm_resource_group.docs_jenkins_io.name
+  location                   = azurerm_resource_group.docs_jenkins_io.location
+  account_tier               = "Standard"
+  account_replication_type   = "ZRS"
+  account_kind               = "StorageV2"
+  https_traffic_only_enabled = true
+  min_tls_version            = "TLS1_2"
 
   network_rules {
     default_action = "Deny"
diff --git a/infraci.jenkins.io-kubernetes-sponsored-agents.tf b/infraci.jenkins.io-kubernetes-sponsored-agents.tf
index bcce8a83..5778d8b7 100644
--- a/infraci.jenkins.io-kubernetes-sponsored-agents.tf
+++ b/infraci.jenkins.io-kubernetes-sponsored-agents.tf
@@ -28,6 +28,8 @@ resource "azurerm_kubernetes_cluster" "infracijenkinsio_agents_1" {
   kubernetes_version = local.kubernetes_versions["infracijenkinsio_agents_1"]
   role_based_access_control_enabled = true # default value but made explicit to please trivy
 
+  image_cleaner_interval_hours = 48
+
   network_profile {
     network_plugin = "azure"
     network_plugin_mode = "overlay"
@@ -53,7 +55,7 @@ resource "azurerm_kubernetes_cluster" "infracijenkinsio_agents_1" {
     os_disk_size_gb = 150 # Ref. Cache storage size athttps://learn.microsoft.com/fr-fr/azure/virtual-machines/dasv5-dadsv5-series#dadsv5-series (depends on the instance size)
     orchestrator_version = local.kubernetes_versions["infracijenkinsio_agents_1"]
     kubelet_disk_type = "OS"
-    enable_auto_scaling = true
+    auto_scaling_enabled = true
     min_count = 2 # for best practises
     max_count = 3 # for upgrade
     vnet_subnet_id = data.azurerm_subnet.infraci_jenkins_io_kubernetes_agent_sponsorship.id
@@ -78,7 +80,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "linux_x86_64_agents_1_sponsorsh
   os_disk_size_gb = 300 # Ref. Cache storage size at https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series (depends on the instance size)
   orchestrator_version = local.kubernetes_versions["infracijenkinsio_agents_1"]
   kubernetes_cluster_id = azurerm_kubernetes_cluster.infracijenkinsio_agents_1.id
-  enable_auto_scaling = true
+  auto_scaling_enabled = true
   min_count = 0
   max_count = 20
   zones = local.infracijenkinsio_agents_1_compute_zones
@@ -113,7 +115,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "linux_arm64_agents_1_sponsorshi
   os_disk_size_gb = 600 # Ref. Cache storage size at https://learn.microsoft.com/en-us/azure/virtual-machines/sizes/general-purpose/dpdsv5-series?tabs=sizebasic (depends on the instance size)
   orchestrator_version = local.kubernetes_versions["infracijenkinsio_agents_1"]
   kubernetes_cluster_id = azurerm_kubernetes_cluster.infracijenkinsio_agents_1.id
-  enable_auto_scaling = true
+  auto_scaling_enabled = true
   min_count = 1 # Azure autoscaler with ARM64 is really slow when starting from zero nodes.
   max_count = 20
   zones = local.infracijenkinsio_agents_1_compute_zones # need to be on zone 1 for arm availability
diff --git a/privatek8s.tf b/privatek8s.tf
index f95461c3..539ff86e 100644
--- a/privatek8s.tf
+++ b/privatek8s.tf
@@ -59,6 +59,8 @@ resource "azurerm_kubernetes_cluster" "privatek8s" {
     )
   }
 
+  image_cleaner_interval_hours = 48
+
   network_profile {
     network_plugin = "azure"
     network_policy = "azure"
@@ -82,7 +84,7 @@ resource "azurerm_kubernetes_cluster" "privatek8s" {
     os_disk_size_gb = 50 # Ref. Cache storage size at https://learn.microsoft.com/en-us/azure/virtual-machines/dav4-dasv4-series#dasv4-series (depends on the instance size)
     orchestrator_version = local.kubernetes_versions["privatek8s"]
     kubelet_disk_type = "OS"
-    enable_auto_scaling = true
+    auto_scaling_enabled = true
     min_count = 1
     max_count = 3
     vnet_subnet_id = data.azurerm_subnet.privatek8s_tier.id
@@ -111,7 +113,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "linuxpool" {
   os_disk_size_gb = 100 # Ref. Cache storage size at https://learn.microsoft.com/en-us/azure/virtual-machines/dv3-dsv3-series#dsv3-series (depends on the instance size)
   orchestrator_version = local.kubernetes_versions["privatek8s"]
   kubernetes_cluster_id = azurerm_kubernetes_cluster.privatek8s.id
-  enable_auto_scaling = true
+  auto_scaling_enabled = true
   min_count = 0
   max_count = 5
   zones = [3]
@@ -136,7 +138,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "infraci_controller" {
   os_disk_size_gb = 150 # Ref. Cache storage size at https://learn.microsoft.com/en-us/azure/virtual-machines/dpsv5-dpdsv5-series#dpdsv5-series (depends on the instance size)
   orchestrator_version = local.kubernetes_versions["privatek8s"]
   kubernetes_cluster_id = azurerm_kubernetes_cluster.privatek8s.id
-  enable_auto_scaling = true
+  auto_scaling_enabled = true
   min_count = 1
   max_count = 2
   zones = [1] # Linux arm64 VMs are only available in the Zone 1 in this region (undocumented by Azure)
@@ -165,7 +167,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "releaseci_controller" {
   os_disk_size_gb = 150 # Ref. Cache storage size at https://learn.microsoft.com/en-us/azure/virtual-machines/dpsv5-dpdsv5-series#dpdsv5-series (depends on the instance size)
   orchestrator_version = local.kubernetes_versions["privatek8s"]
   kubernetes_cluster_id = azurerm_kubernetes_cluster.privatek8s.id
-  enable_auto_scaling = true
+  auto_scaling_enabled = true
   min_count = 1
   max_count = 2
   zones = [1] # Linux arm64 VMs are only available in the Zone 1 in this region (undocumented by Azure)
@@ -191,7 +193,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "releasepool" {
   os_disk_size_gb = 200 # Ref. Cache storage size at https://learn.microsoft.com/en-us/azure/virtual-machines/dv3-dsv3-series#dsv3-series (depends on the instance size)
   orchestrator_version = local.kubernetes_versions["privatek8s"]
   kubernetes_cluster_id = azurerm_kubernetes_cluster.privatek8s.id
-  enable_auto_scaling = true
+  auto_scaling_enabled = true
   min_count = 0
   max_count = 3
   zones = [3]
@@ -219,7 +221,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "windows2019pool" {
   os_type = "Windows"
   os_sku = "Windows2019"
   kubernetes_cluster_id = azurerm_kubernetes_cluster.privatek8s.id
-  enable_auto_scaling = true
+  auto_scaling_enabled = true
   min_count = 0
   max_count = 3
   zones = [3]
diff --git a/providers.tf b/providers.tf
index 4b1190ca..bcdc4a58 100644
--- a/providers.tf
+++ b/providers.tf
@@ -1,13 +1,13 @@
 # Configure the Microsoft Azure Provider
 provider "azurerm" {
-  subscription_id            = "dff2ec18-6a8e-405c-8e45-b7df7465acf0"
-  skip_provider_registration = "true"
+  subscription_id                 = "dff2ec18-6a8e-405c-8e45-b7df7465acf0"
+  resource_provider_registrations = "none"
   features {}
 }
 
 provider "azurerm" {
-  alias                      = "jenkins-sponsorship"
-  subscription_id            = "1311c09f-aee0-4d6c-99a4-392c2b543204"
-  skip_provider_registration = "true"
+  alias                           = "jenkins-sponsorship"
+  subscription_id                 = "1311c09f-aee0-4d6c-99a4-392c2b543204"
+  resource_provider_registrations = "none"
   features {}
 }
diff --git a/public-redis.tf b/public-redis.tf
index 863b9618..d384dbd9 100644
--- a/public-redis.tf
+++ b/public-redis.tf
@@ -15,7 +15,7 @@ resource "azurerm_redis_cache" "public_redis" {
   capacity = 2
   family = "P" # Basic/Standard SKU family
   sku_name = "Premium" # A replicated cache in a two node Primary/Secondary configuration managed by Microsoft, with a high availability SLA.
-  enable_non_ssl_port = true
+  non_ssl_port_enabled = true
   minimum_tls_version = "1.2"
 
   public_network_access_enabled = false
diff --git a/publick8s.tf b/publick8s.tf
index 31fac3d5..27bb2760 100644
--- a/publick8s.tf
+++ b/publick8s.tf
@@ -57,6 +57,8 @@ resource "azurerm_kubernetes_cluster" "publick8s" {
     )
   }
 
+  image_cleaner_interval_hours = 48
+
   #trivy:ignore:azure-container-configured-network-policy
   network_profile {
     network_plugin = "kubenet"
@@ -84,7 +86,7 @@ resource "azurerm_kubernetes_cluster" "publick8s" {
     os_disk_type = "Ephemeral"
     os_disk_size_gb = 50
     orchestrator_version = local.kubernetes_versions["publick8s"]
-    enable_auto_scaling = true
+    auto_scaling_enabled = true
     min_count = 2
     max_count = 4
     vnet_subnet_id = data.azurerm_subnet.publick8s_tier.id
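Review bot: In the public-redis.tf hunk, `non_ssl_port_enabled = true` keeps the plaintext Redis listener open after the rename, and nothing in the visible resource says why a non-TLS port is needed when `minimum_tls_version = "1.2"` is set right below it (that setting only governs the TLS port). Since the line is being rewritten anyway, either record the dependency, e.g. `non_ssl_port_enabled = true # TODO(review): name the client that cannot use the TLS port; reach is bounded by public_network_access_enabled = false`, or set it to `false` if every client can use the TLS port — presumably only private-network clients are affected, but that is not verifiable from the hunk. The enclosing `azurerm_redis_cache` block starts and ends outside the hunk.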
@@ -116,7 +118,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "x86small" {
   os_disk_size_gb = 100 # Ref. Cache storage size at https://learn.microsoft.com/en-us/azure/virtual-machines/dv3-dsv3-series#dsv3-series (depends on the instance size)
   orchestrator_version = local.kubernetes_versions["publick8s"]
   kubernetes_cluster_id = azurerm_kubernetes_cluster.publick8s.id
-  enable_auto_scaling = true
+  auto_scaling_enabled = true
   min_count = 0
   max_count = 10
   zones = local.publick8s_compute_zones
@@ -139,7 +141,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "arm64small2" {
   os_disk_size_gb = 150 # Ref. Cache storage size at https://learn.microsoft.com/en-us/azure/virtual-machines/dpsv5-dpdsv5-series#dpdsv5-series (depends on the instance size)
   orchestrator_version = local.kubernetes_versions["publick8s"]
   kubernetes_cluster_id = azurerm_kubernetes_cluster.publick8s.id
-  enable_auto_scaling = true
+  auto_scaling_enabled = true
   min_count = 0
   max_count = 10
   zones = [1]
@@ -302,7 +304,7 @@ resource "azurerm_storage_account" "publick8s" {
   account_replication_type = "ZRS"
   min_tls_version = "TLS1_2" # default value, needed for tfsec
   infrastructure_encryption_enabled = true
-  enable_https_traffic_only = true
+  https_traffic_only_enabled = true
 
   tags = local.default_tags
 
diff --git a/reports.jenkins.io.tf b/reports.jenkins.io.tf
index 29cdc993..8b3c85a2 100644
--- a/reports.jenkins.io.tf
+++ b/reports.jenkins.io.tf
@@ -9,14 +9,14 @@ resource "azurerm_resource_group" "prod_reports" {
 }
 
 resource "azurerm_storage_account" "prodjenkinsreports" {
-  name                      = "prodjenkinsreports"
-  resource_group_name       = azurerm_resource_group.prod_reports.name
-  location                  = azurerm_resource_group.prod_reports.location
-  account_tier              = "Standard"
-  account_replication_type  = "GRS"
-  account_kind              = "Storage"
-  enable_https_traffic_only = true
-  min_tls_version           = "TLS1_2"
+  name                       = "prodjenkinsreports"
+  resource_group_name        = azurerm_resource_group.prod_reports.name
+  location                   = azurerm_resource_group.prod_reports.location
+  account_tier               = "Standard"
+  account_replication_type   = "GRS"
+  account_kind               = "Storage"
+  https_traffic_only_enabled = true
+  min_tls_version            = "TLS1_2"
 
   custom_domain {
     name = "reports.jenkins.io"
diff --git a/stats.jenkins.io.tf b/stats.jenkins.io.tf
index c45ea224..1c06c5c5 100644
--- a/stats.jenkins.io.tf
+++ b/stats.jenkins.io.tf
@@ -5,14 +5,14 @@ resource "azurerm_resource_group" "stats_jenkins_io" {
 }
 
 resource "azurerm_storage_account" "stats_jenkins_io" {
-  name                      = "statsjenkinsio"
-  resource_group_name       = azurerm_resource_group.stats_jenkins_io.name
-  location                  = azurerm_resource_group.stats_jenkins_io.location
-  account_tier              = "Standard"
-  account_replication_type  = "ZRS"
-  account_kind              = "StorageV2"
-  enable_https_traffic_only = true
-  min_tls_version           = "TLS1_2"
+  name                       = "statsjenkinsio"
+  resource_group_name        = azurerm_resource_group.stats_jenkins_io.name
+  location                   = azurerm_resource_group.stats_jenkins_io.location
+  account_tier               = "Standard"
+  account_replication_type   = "ZRS"
+  account_kind               = "StorageV2"
+  https_traffic_only_enabled = true
+  min_tls_version            = "TLS1_2"
 
   network_rules {
     default_action = "Deny"