terraform {
  # Minimum Terraform version. ">= 0.12" is an open-ended floor, so any newer
  # release (including future majors) is accepted. Since Terraform 0.13 the
  # provider version constraint in the "provider" block below is deprecated in
  # favour of a required_providers entry here (with source = "hashicorp/azurerm");
  # that form is not used because the file targets 0.12 syntax.
  required_version = ">= 0.12"
}
provider "azurerm" {
  # "~>2.5" accepts any azurerm 2.x release from 2.5.0 up to (excluding) 3.0.
  # 2.5.0 is the floor because that release introduced network_profile.outbound_type
  # (see the linked changelog), which the AKS resource below relies on.
  # Supply-chain note: a range this wide does not give reproducible plans across
  # machines; pin an exact version (or commit the dependency lock file on
  # Terraform >= 0.14) before relying on this configuration.
  version = "~>2.5" //outbound_type https://github.com/terraform-providers/terraform-provider-azurerm/blob/v2.5.0/CHANGELOG.md
  features {}
}
# Resource group for the hub side: the hub VNet, Azure Firewall, the route
# table and the jumpbox are all created in it (see the modules below).
resource "azurerm_resource_group" "vnet" {
  location = var.location
  name     = var.vnet_resource_group_name
}
# Resource group for the spoke side: the AKS VNet and the cluster resource
# itself. AKS creates its own separate node resource group alongside this one.
resource "azurerm_resource_group" "kube" {
  location = var.location
  name     = var.kube_resource_group_name
}
# Hub VNet (10.0.0.0/22) hosting the Azure Firewall and the jumpbox.
# "AzureFirewallSubnet" is the fixed name Azure Firewall requires for its
# subnet, and the firewall module below looks it up by that exact key, so do
# not rename it. 10.0.2.0/24 and 10.0.3.0/24 remain free in this space.
module "hub_network" {
  source              = "./modules/vnet"
  location            = var.location
  resource_group_name = azurerm_resource_group.vnet.name
  vnet_name           = var.hub_vnet_name
  address_space       = ["10.0.0.0/22"]

  subnets = [
    {
      name             = "AzureFirewallSubnet"
      address_prefixes = ["10.0.0.0/24"]
    },
    {
      name             = "jumpbox-subnet"
      address_prefixes = ["10.0.1.0/24"]
    }
  ]
}
# Spoke VNet (10.0.4.0/22) for the AKS nodes. Only 10.0.5.0/24 is carved out;
# 10.0.4.0/24, 10.0.6.0/24 and 10.0.7.0/24 are unused. With the cluster's
# network_plugin = "azure" pods draw addresses from this subnet too, so the /24
# bounds node_count x max pods per node — size it before scaling the pool.
module "kube_network" {
  source              = "./modules/vnet"
  location            = var.location
  resource_group_name = azurerm_resource_group.kube.name
  vnet_name           = var.kube_vnet_name
  address_space       = ["10.0.4.0/22"]

  subnets = [
    {
      name             = "aks-subnet"
      address_prefixes = ["10.0.5.0/24"]
    }
  ]
}
# Bidirectional peering between hub and spoke so the firewall (hub) can be the
# spoke's next hop and the jumpbox (hub) can reach the private API server.
# Whether forwarded traffic / gateway transit is allowed is decided inside
# ./modules/vnet_peering, which is not visible here.
module "vnet_peering" {
  source = "./modules/vnet_peering"

  # Hub side
  vnet_1_name = var.hub_vnet_name
  vnet_1_rg   = azurerm_resource_group.vnet.name
  vnet_1_id   = module.hub_network.vnet_id

  # Spoke side
  vnet_2_name = var.kube_vnet_name
  vnet_2_rg   = azurerm_resource_group.kube.name
  vnet_2_id   = module.kube_network.vnet_id

  peering_name_1_to_2 = "HubToSpoke1"
  peering_name_2_to_1 = "Spoke1ToHub"
}
# Azure Firewall in the hub; its private IP becomes the default next hop for
# the AKS subnet (see module.routetable). The egress rule set lives in
# ./modules/firewall and is not visible here — presumably it must allow the
# AKS required outbound endpoints, or node bootstrapping behind UDR will fail.
module "firewall" {
  source         = "./modules/firewall"
  location       = var.location
  resource_group = azurerm_resource_group.vnet.name
  subnet_id      = module.hub_network.subnet_ids["AzureFirewallSubnet"]
  fw_name        = "kubenetfw"
  pip_name       = "azureFirewalls-ip"
}
# Route table attached to the AKS subnet, pointing at the firewall's private
# IP (presumably a 0.0.0.0/0 route — the module body is not visible). This is
# what makes outbound_type = "userDefinedRouting" on the cluster work.
# "firewal_private_ip" (single "l") is the input name declared by
# ./modules/route_table; correcting the spelling here alone would break the call.
module "routetable" {
  source             = "./modules/route_table"
  location           = var.location
  resource_group     = azurerm_resource_group.vnet.name
  subnet_id          = module.kube_network.subnet_ids["aks-subnet"]
  firewal_private_ip = module.firewall.fw_private_ip
  rt_name            = "kubenetfw_fw_rt"
  r_name             = "kubenetfw_fw_r"
}
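# Resolves the newest AKS-supported Kubernetes version matching
# var.kube_version_prefix (e.g. "1.18" -> latest 1.18.x) in the target region.
data "azurerm_kubernetes_service_versions" "current" {
  location       = var.location
  version_prefix = var.kube_version_prefix

  # The provider includes preview releases by default, so without this the
  # cluster could be created on — or silently upgraded to — a non-GA version as
  # soon as a preview becomes the "latest" match. Keep to GA releases only.
  include_preview = false
}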
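# Private AKS cluster in the spoke VNet. The API server is exposed only through
# a private endpoint (private_cluster_enabled) and all node egress is forced
# through the hub firewall via the subnet's route table (userDefinedRouting).
resource "azurerm_kubernetes_cluster" "privateaks" {
  name                = "private-aks"
  location            = var.location
  resource_group_name = azurerm_resource_group.kube.name
  dns_prefix          = "private-aks"

  # latest_version is re-evaluated on every plan, so a newer patch release in
  # the region shows up as an in-place upgrade of the cluster. Pin an explicit
  # version (or narrow var.kube_version_prefix) if upgrades must be scheduled.
  kubernetes_version = data.azurerm_kubernetes_service_versions.current.latest_version

  # No public API server endpoint; access goes via the jumpbox and the private
  # DNS zone AKS creates in the node resource group.
  private_cluster_enabled = true

  default_node_pool {
    name           = "default"
    node_count     = var.nodepool_nodes_count
    vm_size        = var.nodepool_vm_size
    vnet_subnet_id = module.kube_network.subnet_ids["aks-subnet"]
  }

  # System-assigned managed identity. It only exists after creation, which is
  # why azurerm_role_assignment.netcontributor is a separate resource below.
  identity {
    type = "SystemAssigned"
  }

  # Kubernetes RBAC was previously left unset and therefore at the provider's
  # mercy; make it explicit so the cluster cannot be created without
  # authorisation. NOTE: this setting forces replacement if an existing cluster
  # was created with RBAC off — review `terraform plan` before applying to a
  # live cluster. Adding the azure_active_directory sub-block (AAD-backed RBAC)
  # is the recommended next hardening step.
  role_based_access_control {
    enabled = true
  }

  network_profile {
    network_plugin = "azure"

    # Node egress follows the subnet's route table (-> hub firewall) instead of
    # an AKS-managed load balancer / public IP. The route table must exist and
    # be attached before the cluster is created, hence depends_on below.
    outbound_type = "userDefinedRouting"

    # Consider also `network_policy = "azure"` so NetworkPolicy objects are
    # enforced; it is a replacement-forcing attribute, so it is not added here.

    # These three ranges must not overlap the hub/spoke address spaces above.
    service_cidr       = var.network_service_cidr
    dns_service_ip     = var.network_dns_service_ip
    docker_bridge_cidr = var.network_docker_bridge_cidr
  }

  depends_on = [module.routetable]
}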
# Grants the cluster's managed identity Network Contributor on the AKS subnet
# only — not the VNet or resource group — to keep the grant minimal.
# NOTE(review): with userDefinedRouting the identity may additionally need
# Network Contributor on the route table; confirm against the current AKS
# egress docs if node provisioning fails on a permissions error.
resource "azurerm_role_assignment" "netcontributor" {
  principal_id         = azurerm_kubernetes_cluster.privateaks.identity[0].principal_id
  scope                = module.kube_network.subnet_ids["aks-subnet"]
  role_definition_name = "Network Contributor"
}
# Jumpbox in the hub VNet used to reach the private API server. AKS places the
# cluster's private DNS zone in the node resource group; its name is the
# private FQDN with the first (host) label stripped, and both are passed so
# the module can presumably link the hub VNet to that zone. Whether the
# jumpbox itself is exposed publicly (NSG, SSH policy) is decided inside
# ./modules/jumpbox and should be reviewed there.
module "jumpbox" {
  source         = "./modules/jumpbox"
  location       = var.location
  resource_group = azurerm_resource_group.vnet.name
  vnet_id        = module.hub_network.vnet_id
  subnet_id      = module.hub_network.subnet_ids["jumpbox-subnet"]

  # e.g. "<host>.<guid>.privatelink.<region>.azmk8s.io"
  #   -> "<guid>.privatelink.<region>.azmk8s.io"
  dns_zone_name = join(
    ".",
    slice(
      split(".", azurerm_kubernetes_cluster.privateaks.private_fqdn),
      1,
      length(split(".", azurerm_kubernetes_cluster.privateaks.private_fqdn))
    )
  )
  dns_zone_resource_group = azurerm_kubernetes_cluster.privateaks.node_resource_group
}