Merge branch 'HoussemDellai:main' into main

javedfaruquee1 · May 23, 2024 · eff9636 · eff9636
2 parents 4f5e0bc + 7c7cfb0
commit eff9636
Show file tree

Hide file tree

Showing 78 changed files with 2,707 additions and 4 deletions.
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml
@@ -0,0 +1,38 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: tfsec
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '28 14 * * 3'
+
+jobs:
+  tfsec:
+    name: Run tfsec sarif report
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@v3
+
+      - name: Run tfsec
+        uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
+        with:
+          sarif_file: tfsec.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: tfsec.sarif
diff --git a/.infracost/pricing.gob b/.infracost/pricing.gob
diff --git a/.infracost/terraform_modules/manifest-73eb4d77fdade6cec426a59518f5a40f.json b/.infracost/terraform_modules/manifest-73eb4d77fdade6cec426a59518f5a40f.json
@@ -0,0 +1 @@
+{"Path":"d:\\Projects\\terraform-course\\120_azapi_provider","Version":"2.0","Modules":[]}
diff --git a/.infracost/terraform_modules/manifest-9a64dbcd150fd1f2eeaa11141b4ca3c4.json b/.infracost/terraform_modules/manifest-9a64dbcd150fd1f2eeaa11141b4ca3c4.json
@@ -0,0 +1 @@
+{"Path":"d:\\Projects\\terraform-course\\93_import_terraform","Version":"2.0","Modules":[]}
diff --git a/.infracost/terraform_modules/manifest-c9df5a5e064cb112a7cef4f4fccd5118.json b/.infracost/terraform_modules/manifest-c9df5a5e064cb112a7cef4f4fccd5118.json
@@ -0,0 +1 @@
+{"Path":"d:\\Projects\\terraform-course\\121_appservice_domain","Version":"2.0","Modules":[]}
diff --git a/07_kubernetes_aks/main.tf b/07_kubernetes_aks/main.tf
@@ -16,7 +16,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
     node_count          = var.system_node_count
     vm_size             = "Standard_DS2_v2"
     type                = "VirtualMachineScaleSets"
-    availability_zones  = [1, 2, 3]
+    # availability_zones  = [1, 2, 3]
     enable_auto_scaling = false
   }
 
@@ -25,7 +25,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
   }
 
   network_profile {
-    load_balancer_sku = "Standard"
+    load_balancer_sku = "standard"
     network_plugin    = "kubenet" # azure (CNI)
   }
 }
diff --git a/07_kubernetes_aks/providers.tf b/07_kubernetes_aks/providers.tf
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     azurerm = {
       source = "hashicorp/azurerm"
-      version = "2.78.0"
+      version = "3.54.0"
     }
   }
 }
diff --git a/07_kubernetes_aks/terraform.tfvars b/07_kubernetes_aks/terraform.tfvars
@@ -1,6 +1,6 @@
 resource_group_name = "aks_terraform_rg"
 location            = "West Europe"
 cluster_name        = "terraform-aks"
-kubernetes_version  = "1.19.3"
+kubernetes_version  = "1.26.3"
 system_node_count   = 3
 node_resource_group = "aks_terraform_resources_rg"
diff --git a/120_azapi_provider/Readme.md b/120_azapi_provider/Readme.md
@@ -0,0 +1,38 @@
+# Using Azure Grafana and Prometheus workspace in AKS using Terraform
+
+## Introduction
+
+This lab shows how to use Terraform to provision an AKS cluster, Grafana and Monitor Workspace for Prometheus. All configured together to collect metrics from the cluster and expose it through Grafana dashboard.
+
+<img src="images\architecture.png">
+
+## Challenges
+
+Azure Monitor Workspace for Prometheus is a new service (in preview).
+It is not yet supported with ARM template or with Terraform resource.
+
+So, we'll use `azapi` terraform provider to create the Monitor Workspace for Prometheus.
+
+And we'll use a `local-exec` to run a command line to configure AKS with Prometheus.
+
+AKS, Grafana and Log Analytics are suported with ARM templates and Terraform.
+
+## Deploying the resources using Terraform
+
+To deploy the Terraform configuration files, run the following commands:
+
+```shell
+terraform init
+
+terraform plan -out tfplan
+
+terraform apply tfplan
+```
+
+## Cleanup resources
+
+To delete the creates resources, run the following command:
+
+```shell
+terraform destroy
+```
diff --git a/120_azapi_provider/aks.tf b/120_azapi_provider/aks.tf
@@ -0,0 +1,29 @@
+# aks cluster
+resource "azurerm_kubernetes_cluster" "aks" {
+  name                = "aks-cluster"
+  location            = "westeurope"
+  resource_group_name = "rg-aks-cluster"
+  dns_prefix          = "aks"
+  kubernetes_version  = "1.25.5"
+
+  default_node_pool {
+    name       = "default"
+    node_count = "3"
+    vm_size    = "Standard_DS2_v2"
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  oms_agent {
+    log_analytics_workspace_id      = azurerm_log_analytics_workspace.workspace.id
+    msi_auth_for_monitoring_enabled = true
+  }
+
+  lifecycle {
+    ignore_changes = [
+      monitor_metrics
+    ]
+  }
+}
diff --git a/120_azapi_provider/commands.sh b/120_azapi_provider/commands.sh
@@ -0,0 +1,7 @@
+terraform init
+
+terraform plan -out tfplan
+
+terraform apply tfplan
+
+terraform destroy
diff --git a/120_azapi_provider/enable_prometheus.tf b/120_azapi_provider/enable_prometheus.tf
@@ -0,0 +1,22 @@
+resource "null_resource" "enable_azuremonitormetrics" {
+  # for windows
+  provisioner "local-exec" {
+    interpreter = ["PowerShell", "-Command"]
+    command     = <<-EOT
+
+      az aks update --enable-azuremonitormetrics `
+                    -g ${azurerm_kubernetes_cluster.aks.resource_group_name} `
+                    -n ${azurerm_kubernetes_cluster.aks.name} `
+                    --azure-monitor-workspace-resource-id ${azapi_resource.prometheus.id}
+    EOT
+  }
+
+  triggers = {
+    "key" = "value1"
+  }
+
+  # for linux
+  # provisioner "local-exec" {
+  #   command    = "az aks update --enable-azuremonitormetrics -g ${azurerm_kubernetes_cluster.aks.resource_group_name} -n ${azurerm_kubernetes_cluster.aks.name} --azure-monitor-workspace-resource-id ${azapi_resource.prometheus.id}"
+  # }
+}
diff --git a/120_azapi_provider/grafana.tf b/120_azapi_provider/grafana.tf
@@ -0,0 +1,47 @@
+resource "azurerm_dashboard_grafana" "grafana" {
+  name                              = var.grafana_name
+  resource_group_name               = azurerm_resource_group.rg_monitoring.name
+  location                          = azurerm_resource_group.rg_monitoring.location
+  api_key_enabled                   = true
+  deterministic_outbound_ip_enabled = true
+  public_network_access_enabled     = true
+  sku                               = "Standard"
+  zone_redundancy_enabled           = true
+
+  azure_monitor_workspace_integrations {
+    resource_id = azapi_resource.prometheus.id
+  }
+
+  identity {
+    type = "SystemAssigned" # The only possible values is SystemAssigned
+  }
+}
+
+data "azurerm_client_config" "current" {}
+
+# assign current user as Grafana Admin
+resource "azurerm_role_assignment" "role_grafana_admin" {
+  scope                = azurerm_dashboard_grafana.grafana.id
+  role_definition_name = "Grafana Admin"
+  principal_id         = data.azurerm_client_config.current.object_id
+}
+
+resource "azurerm_role_assignment" "role_monitoring_data_reader" {
+  scope                = azapi_resource.prometheus.id
+  role_definition_name = "Monitoring Data Reader"
+  principal_id         = azurerm_dashboard_grafana.grafana.identity.0.principal_id
+}
+
+data "azurerm_subscription" "current" {}
+
+# https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/grafana-plugin
+# (Optional) Grafana to monitor all Azure resources
+resource "azurerm_role_assignment" "role_monitoring_reader" {
+  scope                = data.azurerm_subscription.current.id
+  role_definition_name = "Monitoring Reader"
+  principal_id         = azurerm_dashboard_grafana.grafana.identity.0.principal_id
+}
+
+output "garafana_endpoint" {
+  value = azurerm_dashboard_grafana.grafana.endpoint
+}
diff --git a/120_azapi_provider/images/architecture.png b/120_azapi_provider/images/architecture.png
diff --git a/120_azapi_provider/log_analytics.tf b/120_azapi_provider/log_analytics.tf
@@ -0,0 +1,20 @@
+resource "azurerm_log_analytics_workspace" "workspace" {
+  name                = "log-analytics-workspace"
+  resource_group_name = azurerm_resource_group.rg_monitoring.name
+  location            = var.resources_location
+  sku                 = "PerGB2018" # PerGB2018, Free, PerNode, Premium, Standard, Standalone, Unlimited, CapacityReservation
+  retention_in_days   = 30          # possible values are either 7 (Free Tier only) or range between 30 and 730
+}
+
+resource "azurerm_log_analytics_solution" "solution" {
+  solution_name         = "ContainerInsights"
+  location              = azurerm_log_analytics_workspace.workspace.location
+  resource_group_name   = azurerm_log_analytics_workspace.workspace.resource_group_name
+  workspace_resource_id = azurerm_log_analytics_workspace.workspace.id
+  workspace_name        = azurerm_log_analytics_workspace.workspace.name
+
+  plan {
+    publisher = "Microsoft"
+    product   = "OMSGallery/ContainerInsights"
+  }
+}
diff --git a/120_azapi_provider/prometheus.tf b/120_azapi_provider/prometheus.tf
@@ -0,0 +1,7 @@
+# https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/azure-monitor-workspace-overview?tabs=resource-manager#create-an-azure-monitor-workspace
+resource "azapi_resource" "prometheus" {
+  type      = "microsoft.monitor/accounts@2021-06-03-preview"
+  name      = "monitor-workspace-aks"
+  parent_id = azurerm_resource_group.rg_monitoring.id
+  location  = azurerm_resource_group.rg_monitoring.location
+}
diff --git a/120_azapi_provider/provider.tf b/120_azapi_provider/provider.tf
@@ -0,0 +1,34 @@
+terraform {
+
+  required_version = ">= 1.2.8"
+
+  required_providers {
+
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "= 3.50.0"
+    }
+
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "= 2.36.0"
+    }
+
+    azapi = {
+      source  = "Azure/azapi"
+      version = "1.4.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+# Configure the Azure Active Directory Provider
+provider "azuread" { # default takes current user/identity tenant
+}
+
+provider "azapi" {
+  # Configuration options
+}
diff --git a/120_azapi_provider/resource_group.tf b/120_azapi_provider/resource_group.tf
@@ -0,0 +1,9 @@
+resource "azurerm_resource_group" "rg_aks_cluster" {
+  name     = var.rg_aks_cluster
+  location = var.resources_location
+}
+
+resource "azurerm_resource_group" "rg_monitoring" {
+  name     = var.rg_monitoring
+  location = var.resources_location
+}
diff --git a/120_azapi_provider/variables.tf b/120_azapi_provider/variables.tf
@@ -0,0 +1,29 @@
+variable "resources_location" {
+  type    = string
+  default = "westeurope"
+}
+
+variable "rg_aks_cluster" {
+  type    = string
+  default = "rg-aks-cluster"
+}
+
+variable "rg_monitoring" {
+  type    = string
+  default = "rg-monitoring"
+}
+
+variable "aks_name" {
+  type    = string
+  default = "aks-cluster"
+}
+
+variable "grafana_name" {
+  type    = string
+  default = "azure-grafana-13579"
+}
+
+variable "prometheus_name" {
+  type    = string
+  default = "azure-prometheus"
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"Path":"d:\\Projects\\terraform-course\\120_azapi_provider","Version":"2.0","Modules":[]}