

fix: added private endpoint
vedant990 committed Oct 21, 2024
1 parent 07c4df8 commit d432e7f
Showing 4 changed files with 241 additions and 8 deletions.
154 changes: 154 additions & 0 deletions aks.tf
Expand Up @@ -427,3 +427,157 @@ resource "azurerm_kubernetes_cluster" "aks" {
tags = module.labels.tags
}


Code scanning / defsec

Ensure AKS logging to Azure Monitoring is Configured Warning

Cluster does not have logging enabled via OMS Agent.


##-----------------------------------------------------------------------------
##Below resource will deploy private endpoint for AKS.
##-----------------------------------------------------------------------------
resource "azurerm_private_endpoint" "pep" {
provider = azurerm.main_sub
count = var.enabled && var.enable_private_endpoint ? 1 : 0

name = format("%s-pe-akc", module.labels.id)
location = var.location
resource_group_name = var.resource_group_name
subnet_id = var.subnet_id
tags = module.labels.tags
private_service_connection {
name = format("%s-psc-akc", module.labels.id)
is_manual_connection = false
private_connection_resource_id = azurerm_kubernetes_cluster.aks[0].id
subresource_names = ["aks"]
}
lifecycle {
ignore_changes = [
tags,
]
}
}

##-----------------------------------------------------------------------------
## Data block to retreive private ip of private endpoint.
##-----------------------------------------------------------------------------
data "azurerm_private_endpoint_connection" "private-ip" {
provider = azurerm.main_sub
count = var.enabled && var.enable_private_endpoint ? 1 : 0
name = azurerm_private_endpoint.pep[0].name
resource_group_name = var.resource_group_name
}

##-----------------------------------------------------------------------------
## Below resource will create private dns zone in your azure subscription.
## Will be created only when there is no existing private dns zone and private endpoint is enabled.
##-----------------------------------------------------------------------------
resource "azurerm_private_dns_zone" "dnszone" {
provider = azurerm.main_sub
count = var.enabled && var.existing_private_dns_zone == null && var.enable_private_endpoint ? 1 : 0
name = "privatelink.kubernates.cluster.windows.net"
resource_group_name = var.resource_group_name
tags = module.labels.tags
}

##-----------------------------------------------------------------------------
## Below resource will create vnet link in private dns.
## Vnet link will be created when there is no existing private dns zone or existing private dns zone is in same subscription.
##-----------------------------------------------------------------------------
resource "azurerm_private_dns_zone_virtual_network_link" "vent-link" {
provider = azurerm.main_sub
count = var.enabled && var.enable_private_endpoint && var.diff_sub == false ? 1 : 0

name = var.existing_private_dns_zone == null ? format("%s-pdz-vnet-link-akc", module.labels.id) : format("%s-pdz-vnet-link-akc-1", module.labels.id)
resource_group_name = local.valid_rg_name
private_dns_zone_name = local.private_dns_zone_name
virtual_network_id = var.virtual_network_id
tags = module.labels.tags
}

##-----------------------------------------------------------------------------
## Below resource will create vnet link in existing private dns zone.
## Vnet link will be created when existing private dns zone is in different subscription.
##-----------------------------------------------------------------------------
resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-1" {
provider = azurerm.dns_sub
count = var.enabled && var.enable_private_endpoint && var.diff_sub == true ? 1 : 0
name = var.existing_private_dns_zone == null ? format("%s-pdz-vnet-link-akc", module.labels.id) : format("%s-pdz-vnet-link-akc-1", module.labels.id)
resource_group_name = local.valid_rg_name
private_dns_zone_name = local.private_dns_zone_name
virtual_network_id = var.virtual_network_id
tags = module.labels.tags
}

##-----------------------------------------------------------------------------
## Below resource will create vnet link in existing private dns zone.
## Vnet link will be created when existing private dns zone is in different subscription.
## This resource is deployed when more than 1 vnet link is required and module can be called again to do so without deploying other AKS resources.
##-----------------------------------------------------------------------------
resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-diff-subs" {
provider = azurerm.dns_sub
count = var.enabled && var.multi_sub_vnet_link && var.existing_private_dns_zone != null ? 1 : 0

name = format("%s-pdz-vnet-link-akc-1", module.labels.id)
resource_group_name = var.existing_private_dns_zone_resource_group_name
private_dns_zone_name = var.existing_private_dns_zone
virtual_network_id = var.virtual_network_id
tags = module.labels.tags
}

##-----------------------------------------------------------------------------
## Below resource will create vnet link in private dns zone.
## Below resource will be created when extra vnet link is required in dns zone in same subscription.
##-----------------------------------------------------------------------------
resource "azurerm_private_dns_zone_virtual_network_link" "addon_vent_link" {
provider = azurerm.main_sub
count = var.enabled && var.addon_vent_link ? 1 : 0

name = format("%s-pdz-vnet-link-akc-addon", module.labels.id)
resource_group_name = var.addon_resource_group_name
private_dns_zone_name = var.existing_private_dns_zone == null ? azurerm_private_dns_zone.dnszone[0].name : var.existing_private_dns_zone
virtual_network_id = var.addon_virtual_network_id
tags = module.labels.tags
}

##-----------------------------------------------------------------------------
## Below resource will create dns A record for private ip of private endpoint in private dns zone.
##-----------------------------------------------------------------------------
resource "azurerm_private_dns_a_record" "arecord" {
provider = azurerm.main_sub
count = var.enabled && var.enable_private_endpoint && var.diff_sub == false ? 1 : 0

name = azurerm_kubernetes_cluster.aks[0].name
zone_name = local.private_dns_zone_name
resource_group_name = local.valid_rg_name
ttl = 3600
records = [data.azurerm_private_endpoint_connection.private-ip[0].private_service_connection[0].private_ip_address]
tags = module.labels.tags
lifecycle {
ignore_changes = [
tags,
]
}
}

##-----------------------------------------------------------------------------
## Below resource will create dns A record for private ip of private endpoint in private dns zone.
## This resource will be created when private dns is in different subscription.
##-----------------------------------------------------------------------------
resource "azurerm_private_dns_a_record" "arecord-1" {
provider = azurerm.dns_sub
count = var.enabled && var.enable_private_endpoint && var.diff_sub == true ? 1 : 0


name = azurerm_kubernetes_cluster.aks[0].name
zone_name = local.private_dns_zone_name
resource_group_name = local.valid_rg_name
ttl = 3600
records = [data.azurerm_private_endpoint_connection.private-ip[0].private_service_connection[0].private_ip_address]
tags = module.labels.tags
lifecycle {
ignore_changes = [
tags,
]
}
}

locals {
valid_rg_name = var.existing_private_dns_zone == null ? var.resource_group_name : var.existing_private_dns_zone_resource_group_name
private_dns_zone_name = var.enable_private_endpoint ? var.existing_private_dns_zone == null ? azurerm_private_dns_zone.dnszone[0].name : var.existing_private_dns_zone : null
}
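Review bot: The zone created by `dnszone`, `name = "privatelink.kubernates.cluster.windows.net"`, is not the zone AKS API servers are published under (per the Private Link DNS reference that is `privatelink.<region>.azmk8s.io`), so the A record written by `arecord`/`arecord-1` is never what kubectl or the nodes resolve and traffic keeps going to the public FQDN; the endpoint exists but nothing uses it. Two other values look copied from the Key Vault module and should be checked against the AKS docs before this ships: `subresource_names = ["aks"]` (the documented group ID for Microsoft.ContainerService/managedClusters is `management`) and `name = azurerm_kubernetes_cluster.aks[0].name` for the record (the API server hostname carries a generated suffix, not the bare cluster name). `addon_vent_link` also indexes `azurerm_private_dns_zone.dnszone[0]` whenever `existing_private_dns_zone == null`, which fails on a caller that sets `addon_vent_link = true` with `enable_private_endpoint = false` because `dnszone` then has `count = 0`; adding `&& var.enable_private_endpoint` to that `count`, or a `validation` block on the inputs, makes the failure explicit. Minor naming: `vent-link`, `retreive` and `akc` read as typos of `vnet-link`, `retrieve` and `aks`.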
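--- a/examples/complete/example.tf
+++ b/examples/complete/example.tf
@@ -73,7 +73,7 @@ module "log-analytics" {
 module "vault" {
 source = "clouddrove/key-vault/azure"
 version = "1.2.0"
-name = "vjsn-738"
+name = "vjsn-738112"
 providers = {
 azurerm.dns_sub = azurerm.peer, #change this to other alias if dns hosted in other subscription.
 azurerm.main_sub = azurerm
@@ -102,11 +102,18 @@ module "vault" {
 }
 
 module "aks" {
-source = "../../"
-name = "app-yum"
-environment = "test"
-resource_group_name = module.resource_group.resource_group_name
-location = module.resource_group.resource_group_location
+source = "../../"
+providers = {
+azurerm.dns_sub = azurerm.peer, #chagnge this to other alias if dns hosted in other subscription.
+azurerm.main_sub = azurerm
+}
+name = "app-yum"
+enable_private_endpoint = true
+environment = "test"
+resource_group_name = module.resource_group.resource_group_name
+location = module.resource_group.resource_group_location
+virtual_network_id = module.vnet.vnet_id
+subnet_id = module.subnet.default_subnet_id[0]
 
 kubernetes_version = "1.28.9"
 private_cluster_enabled = false
@@ -181,3 +188,16 @@ output "test1" {
 output "test" {
 value = module.aks.nodes_pools
 }
+
+########Following to be uncommnented only when using DNS Zone from different subscription along with existing DNS zone.
+
+# diff_sub = true
+# alias = ""
+# alias_sub = ""
+
+#########Following to be uncommmented when using DNS zone from different resource group or different subscription.
+# existing_private_dns_zone = "privatelink.vaultcore.azure.net"
+# existing_private_dns_zone_resource_group_name = "dns-rg"
+
+#### enable diagnostic setting
+## when diagnostic_setting_enable enable, add log analytics workspace id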
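Review bot: `enable_private_endpoint = true` is paired with `private_cluster_enabled = false` in the `module "aks"` hunk, so the API server keeps its public FQDN and public address; the private endpoint adds a second path but removes nothing, and any client that resolves the public name bypasses it entirely. If the example is meant to show a private control plane it should set `private_cluster_enabled = true`; if not, the endpoint is dead weight and the example should say so. The commented block appended after `output "test"` sits at file top level, outside any module call, so uncommenting it as written produces invalid HCL, and `existing_private_dns_zone = "privatelink.vaultcore.azure.net"` is the Key Vault zone copied from the vault example rather than an AKS zone. Suggest moving those lines inside `module "aks" { … }` as comments and replacing the zone with the AKS one, e.g. `# existing_private_dns_zone = "privatelink.<region>.azmk8s.io"`.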
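--- a/variables.tf
+++ b/variables.tf
@@ -1057,3 +1057,61 @@ variable "flux_retry_interval_in_seconds" {
 description = "The interval at which to re-reconcile the kustomization on the cluster in the event of failure on reconciliation."
 default = 600
 }
+
+variable "addon_vent_link" {
+type = bool
+default = false
+description = "The name of the addon vnet "
+}
+
+variable "multi_sub_vnet_link" {
+type = bool
+default = false
+description = "Flag to control creation of vnet link for dns zone in different subscription"
+}
+
+variable "enable_private_endpoint" {
+type = bool
+default = true
+description = "Manages a Private Endpoint to Azure database for MySQL"
+}
+
+variable "existing_private_dns_zone" {
+type = string
+default = null
+description = "Name of the existing private DNS zone"
+}
+
+variable "diff_sub" {
+# To be set true when hosted DNS zone is in different subnscription.
+type = bool
+default = false
+description = "Flag to tell whether dns zone is in different sub or not."
+}
+variable "addon_virtual_network_id" {
+type = string
+default = ""
+description = "The name of the addon vnet link vnet id"
+}
+
+variable "addon_resource_group_name" {
+type = string
+default = ""
+description = "The name of the addon vnet resource group"
+}
+variable "subnet_id" {
+type = string
+default = ""
+description = "The resource ID of the subnet"
+}
+variable "existing_private_dns_zone_resource_group_name" {
+type = string
+default = ""
+description = "The name of the existing resource group"
+}
+
+variable "virtual_network_id" {
+type = string
+default = ""
+description = "The name of the virtual network"
+}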
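Review bot: `enable_private_endpoint` defaults to `true` while `subnet_id` and `virtual_network_id` default to `""`, so every existing caller that does not set the new inputs will now try to create `azurerm_private_endpoint` with an empty subnet and fail at plan or apply; a new network feature should be opt-in, `default = false`, or the empty-string defaults should be rejected with a `validation` block on `subnet_id` when the flag is on. The descriptions are copy-paste artefacts that will mislead the next operator: `enable_private_endpoint` says `"Manages a Private Endpoint to Azure database for MySQL"`, `addon_vent_link` (a bool) says `"The name of the addon vnet "`, and `virtual_network_id` / `addon_virtual_network_id` say "name" for what are resource IDs — suggest `description = "Create a private endpoint for the AKS API server in the subnet given by subnet_id"` and the matching "resource ID of …" wording for the ID inputs. `vent` throughout should be `vnet` and `subnscription` is a typo, though renaming the inputs now would itself be a breaking change.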
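--- a/versions.tf
+++ b/versions.tf
@@ -7,8 +7,9 @@ terraform {
 terraform {
 required_providers {
 azurerm = {
-source = "hashicorp/azurerm"
-version = ">= 4.0.1"
+source = "hashicorp/azurerm"
+version = ">= 4.0.1"
+configuration_aliases = [azurerm.main_sub, azurerm.dns_sub]
 }
 }
 }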
