Merge pull request #1 from Aguafrommars/user/ole

User/ole
Aguafrommars · Mar 19, 2022 · efb5ce0 · efb5ce0
2 parents 1ede6da + 871ac36
commit efb5ce0
Show file tree

Hide file tree

Showing 7 changed files with 508 additions and 254 deletions.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/README.md b/README.md
@@ -1,2 +1,162 @@
-# Terraform
-TheidServer Terraform module
+# TheidServer Helm Terraform module
+
+This module create a [TheIdServer](https://github.com/Aguafrommars/TheIdServer) cluster using the [TheIdServer helm chart](https://artifacthub.io/packages/helm/aguafrommars/theidserver) with its MySql DB, Redis cluster and [Seq](https://datalust.co/) server.
+
+## Prerequises
+
+- DNS record pointing to [NGINX ingress controller](https://github.com/kubernetes/ingress-nginx) public IP.
+- [cert-manager](https://github.com/cert-manager/cert-manager)
+- A certificate issuer
+
+You can follow the [Create an HTTPS ingress controller on Azure Kubernetes Service (AKS)](https://docs.microsoft.com/en-us/azure/aks/ingress-tls?tabs=azure-cli#add-an-a-record-to-your-dns-zone) to install this prerequise on your kubernetes cluster.
+
+## Usage
+
+The module setup ingresses for [TheIdServer](https://github.com/Aguafrommars/TheIdServer) and [Seq](https://datalust.co/) using the **host** input variable.
+
+```
+provider "helm" {
+  kubernetes {
+    config_path = "C:/Users/LefebvreO/.kube/config"
+  }
+}
+
+module "theidserver" {
+  source = "terraform-helm-theidserver"
+
+  host = "theidserver.com"
+  tls_issuer_name = "letsencrypt"
+  tls_issuer_kind = "ClusterIssuer"
+}
+```
+
+This will setup [TheIdServer](https://github.com/Aguafrommars/TheIdServer) on **https://www.theidserver.com** with the admin user **admin@theidserver.com** and its [Seq](https://datalust.co/) server on **https://seq.theidserver.com**.  
+By default resouces are created in the *theidserver* namespace.
+
+> We recommande to protect the Seq server with a user/pwd.
+
+### Docker image
+
+By default the [TheIdServer helm chart](https://artifacthub.io/packages/helm/aguafrommars/theidserver) install the [IdentityServer4](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Aguacongas.TheIdServer.IS4/README.md) version.  
+If you prefer to use the [Duende IdentityServer](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Aguacongas.TheIdServer.Duende/README.md) version configure the **image** input to override the default docker image configuration.
+
+```
+module "theidserver" {
+  source = "terraform-helm-theidserver"
+
+  host = "theidserver.com"
+  tls_issuer_name = "letsencrypt"
+  tls_issuer_kind = "ClusterIssuer"
+
+  image = {
+    repository = "aguacongas/theidserver.duende"
+    pullPolicy = "Always"
+    tag = "next"
+  }
+}
+```
+
+> For a commercial use of [Duende IdentityServer](https://duendesoftware.com/products/identityserver) you need to [acquire a license](https://duendesoftware.com/products/identityserver#pricing).  
+
+### Initial admin user password
+
+The initial admin user passowrd is store in the configMap <release_name>-config at **InitialData__Users__0__Password** key.
+
+``` bash
+❯ kubectl get configMap theidserver-config -n theidserver -o jsonpath="{.data['InitialData__Users__0__Password']}"
+SE!OfFGOm}(5v3wF
+```
+
+> The admin user is stored if not exists, we recommande to change its password at 1st login or register a new one and disable this one. Don't delete it or it will be recreated.
+
+### Email server configuration
+
+[TheIdServer](https://github.com/Aguafrommars/TheIdServer) needs to send email to verify users emails or for CIBA. The default Email service implementation use [SendGrid](https://sendgrid.com/) and read user and API key from configuration.  
+The **env_settings** input can be use to pass environments variables to containers, so we can ovveride the configuration using environment variables. 
+
+```
+module "theidserver" {
+  source = "terraform-helm-theidserver"
+
+  host = "theidserver.com"
+  tls_issuer_name = "letsencrypt"
+  tls_issuer_kind = "ClusterIssuer"
+
+  env_settings = {
+    SendGridUser = "<SENDGRID_USER>"
+    SendGridKey = "<SENDGRID_API_KEY>"
+  }
+}
+```
+This sample setup [SendGrid](https://sendgrid.com/) environment variables used by [TheIdServer](https://github.com/Aguafrommars/TheIdServer).
+
+If you want to use your Email sender, you need to implement a web api and setup its url. [Read the doc](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Aguacongas.TheIdServer.Duende/README.md#use-your-api). 
+
+```
+module "theidserver" {
+  source = "terraform-helm-theidserver"
+
+  host = "theidserver.com"
+  tls_issuer_name = "letsencrypt"
+  tls_issuer_kind = "ClusterIssuer"
+
+  env_settings = {
+    EmailApiAuthentication__ApiUrl = "<YOUR_EMAIL_SENDER_WEB_API>"
+  }
+}
+```
+This sampel setup the Email Sender url using environment variable.
+
+
+### Override config
+
+You can use the **override_setting** input to override the [TheIdServer helm chart](https://artifacthub.io/packages/helm/aguafrommars/theidserver).
+
+```
+module "theidserver" {
+  source = "terraform-helm-theidserver"
+
+  host = "theidserver.com"
+  tls_issuer_name = "letsencrypt"
+  tls_issuer_kind = "ClusterIssuer"
+
+  override_setting = {
+    appSettings = {
+      file = {
+        EmailApiAuthentication = {
+          ApiUrl = "<YOUR_EMAIL_SENDER_WEB_API>"
+        }
+      }
+    }
+  }
+}
+```
+This sample setup the Email Sender url using the appsettings.json file.
+
+## Inputs
+
+|Name|Description|Type|Default|
+|-|-|-|-|
+|host|The host|string||
+|tls_issuer_name|The name of the certificat issuer to use|string||
+|tls_issuer_kind|The kind of the certificat issuer to use (Issuer or ClusterIssuer)|string||
+|chart_version|(Optional) The Helm chart version|string|"4.6.0"|
+|namespace|(Optional) Kubernetes namespace|string|"theidserver"|
+|create_namespace|(Optional) Creates the kubernetes namespace if not exists|bool|true|
+|release_name|(Optional) Helm release name|string|"theidserver"|
+|reuse_values|(Optional) reuse value for helm chart|bool|false|
+|recreate_pods|(Optional) recreate pods|bool|false|
+|wait|(Optional) Wait for helm release to be ready|bool|true|
+|replica_count|(Optional) Number of server pod|number|3|
+|env_settings|(Optional) Env var settings|map(string)|{}|
+|override_setting|(Optional) Override helm chart settings|map|{}|
+|image|(Optional) Override Helm chart image|map(string)|{}|
+
+## Outputs
+
+|Name|Description|Type|Sensitive|
+|-|-|-|-|
+|admin_name|The generated admin user name|string|false|
+|admin_password|The generated admin user password|string|true|
+
+
diff --git a/certificates.tf b/certificates.tf
@@ -1,8 +1,9 @@
-resource "tls_private_key" "ca_private_key" {
-  algorithm   = "RSA"
+locals {
+  common_name = "aguafommmars CA"
+  organization = "Agua from Mars"
 }
 
-resource "tls_private_key" "ssl_private_key" {
+resource "tls_private_key" "ca_private_key" {
   algorithm   = "RSA"
 }
 
@@ -21,8 +22,8 @@ resource "tls_self_signed_cert" "ca" {
   is_ca_certificate = true
 
   subject {
-    common_name  = "${var.ca_common_name}"
-    organization = "${var.ca_organization}"
+    common_name  = local.common_name
+    organization = local.organization
   }
 
   validity_period_hours = 26280
@@ -34,57 +35,24 @@ resource "tls_self_signed_cert" "ca" {
   ]
 }
 
-resource "tls_cert_request" "cert_request" {
-  key_algorithm   = "RSA"
-  private_key_pem = fileexists("private_key.pem") ? "${file("private_key.pem")}" : "${tls_private_key.ssl_private_key.private_key_pem}"
-
-  subject {
-    common_name  = "${var.ssl_common_name}"
-    organization = "${var.ssl_organization}"
-  }
-
-  dns_names = var.cert_dns_names
-  uris = var.cert_uris
-}
-
 resource "tls_cert_request" "data_protection_cert_request" {
   key_algorithm   = "RSA"
   private_key_pem = fileexists("data_protection_private_key.pem") ? "${file("data_protection_private_key.pem")}" : "${tls_private_key.data_protection_private_key.private_key_pem}"
 
-  subject {
-    common_name  = "${var.ssl_common_name}"
-    organization = "${var.ssl_organization}"
+ subject {
+    common_name  = local.common_name
+    organization = local.organization
   }
-
-  dns_names = var.cert_dns_names
-  uris = var.cert_uris
 }
 
 resource "tls_cert_request" "signing_key_cert_request" {
   key_algorithm   = "RSA"
   private_key_pem = fileexists("signing_key_private_key.pem") ? "${file("signing_key_private_key.pem")}" : "${tls_private_key.signing_key_private_key.private_key_pem}"
 
   subject {
-    common_name  = "${var.ssl_common_name}"
-    organization = "${var.ssl_organization}"
+    common_name  = local.common_name
+    organization = local.organization
   }
-
-  dns_names = var.cert_dns_names
-  uris = var.cert_uris
-}
-
-resource "tls_locally_signed_cert" "ssl" {
-  cert_request_pem   = fileexists("cert_request.pem") ? "${file("cert_request.pem")}" : "${tls_cert_request.cert_request.cert_request_pem}"
-  ca_key_algorithm   = "RSA"
-  ca_private_key_pem = fileexists("cert_request.pem") ? "${file("ca_private_key.pem")}" : "${tls_private_key.ca_private_key.private_key_pem}"
-  ca_cert_pem        = fileexists("ca_cert.pem") ? "${file("ca_cert.pem")}" : "${tls_self_signed_cert.ca.cert_pem}"
-
-  validity_period_hours = 365
-
-  allowed_uses = [   
-    "client_auth", 
-    "server_auth"
-  ]
 }
 
 resource "tls_locally_signed_cert" "data_protection" {