Merge pull request #298 from lonegunmanb/acr-support
Add support for acr attachment
jiaweitao001 authored Feb 10, 2023
2 parents 3ee0572 + b1571fd commit 69bcc82
Showing 10 changed files with 151 additions and 0 deletions.
7 changes: 7 additions & 0 deletions .checkov_config.yaml
Expand Up @@ -11,9 +11,16 @@ quiet: true
secrets-scan-file-type: []
skip-check:
- CKV_GHA_3
- CKV_AZURE_5
- CKV_AZURE_112
- CKV_AZURE_115
- CKV_AZURE_116
- CKV_AZURE_168
- CKV_AZURE_170
- CKV_AZURE_139
- CKV_AZURE_165
- CKV_AZURE_166
- CKV_AZURE_164
skip-framework:
- dockerfile
summary-position: top
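Review bot: The skip-check entries added in this hunk carry no reason, so a reader cannot tell what each suppressed finding is or why the ACR example is exempt from it; CKV_AZURE_139 and CKV_AZURE_164 through CKV_AZURE_166 appear to be the ACR-specific checks (public network access, trusted images, geo-replication, quarantine), which is consistent with this commit adding a registry to the examples. Which seven of the eleven listed ids are the additions is not recoverable from this rendering. A trailing comment per new entry, e.g. `- CKV_AZURE_139 # ACR public network access: the example registry is a throwaway test resource`, records the justification next to the suppression so it can be revisited when the example changes.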
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -263,6 +263,7 @@ No modules.
| [azurerm_kubernetes_cluster.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) | resource |
| [azurerm_log_analytics_solution.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution) | resource |
| [azurerm_log_analytics_workspace.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource |
| [azurerm_role_assignment.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [tls_private_key.ssh](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |

Expand All @@ -284,6 +285,7 @@ No modules.
| <a name="input_agents_tags"></a> [agents\_tags](#input\_agents\_tags) | (Optional) A mapping of tags to assign to the Node Pool. | `map(string)` | `{}` | no |
| <a name="input_agents_type"></a> [agents\_type](#input\_agents\_type) | (Optional) The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets. | `string` | `"VirtualMachineScaleSets"` | no |
| <a name="input_api_server_authorized_ip_ranges"></a> [api\_server\_authorized\_ip\_ranges](#input\_api\_server\_authorized\_ip\_ranges) | (Optional) The IP ranges to allow for incoming traffic to the server nodes. | `set(string)` | `null` | no |
| <a name="input_attached_acr_id_map"></a> [attached\_acr\_id\_map](#input\_attached\_acr\_id\_map) | Azure Container Registry ids that need an authentication mechanism with Azure Kubernetes Service (AKS). Map key must be static string as acr's name, the value is acr's resource id. Changing this forces some new resources to be created. | `map(string)` | `{}` | no |
| <a name="input_auto_scaler_profile_balance_similar_node_groups"></a> [auto\_scaler\_profile\_balance\_similar\_node\_groups](#input\_auto\_scaler\_profile\_balance\_similar\_node\_groups) | Detect similar node groups and balance the number of nodes between them. Defaults to `false`. | `bool` | `false` | no |
| <a name="input_auto_scaler_profile_empty_bulk_delete_max"></a> [auto\_scaler\_profile\_empty\_bulk\_delete\_max](#input\_auto\_scaler\_profile\_empty\_bulk\_delete\_max) | Maximum number of empty nodes that can be deleted at the same time. Defaults to `10`. | `number` | `10` | no |
| <a name="input_auto_scaler_profile_enabled"></a> [auto\_scaler\_profile\_enabled](#input\_auto\_scaler\_profile\_enabled) | Enable configuring the auto scaler profile | `bool` | `false` | no |
69 changes: 69 additions & 0 deletions examples/with_acr/main.tf
@@ -0,0 +1,69 @@
resource "random_id" "prefix" {
byte_length = 8
}

resource "azurerm_resource_group" "main" {
count = var.create_resource_group ? 1 : 0

location = var.location
name = coalesce(var.resource_group_name, "${random_id.prefix.hex}-rg")
}

locals {
resource_group = {
name = var.create_resource_group ? azurerm_resource_group.main[0].name : var.resource_group_name
location = var.location
}
}

resource "azurerm_virtual_network" "test" {
address_space = ["10.52.0.0/16"]
location = local.resource_group.location
name = "${random_id.prefix.hex}-vn"
resource_group_name = local.resource_group.name
}

resource "azurerm_subnet" "test" {
address_prefixes = ["10.52.0.0/24"]
name = "${random_id.prefix.hex}-sn"
resource_group_name = local.resource_group.name
virtual_network_name = azurerm_virtual_network.test.name
enforce_private_link_endpoint_network_policies = true
}

resource "random_string" "acr_suffix" {
length = 8
upper = false
numeric = true
special = false
}

resource "azurerm_container_registry" "example" {
location = local.resource_group.location
name = "aksacrtest${random_string.acr_suffix.result}"
resource_group_name = local.resource_group.name
sku = "Premium"

retention_policy {
days = 7
enabled = true
}
}

module "aks" {
source = "../.."

prefix = "prefix-${random_id.prefix.hex}"
resource_group_name = local.resource_group.name
kubernetes_version = "1.24" # don't specify the patch version!
automatic_channel_upgrade = "patch"
attached_acr_id_map = {
example = azurerm_container_registry.example.id
}
network_plugin = "azure"
network_policy = "azure"
os_disk_size_gb = 60
sku_tier = "Paid"
rbac_aad = false
vnet_subnet_id = azurerm_subnet.test.id
}
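Review bot: The example sets `rbac_aad = false` in the `module "aks"` block, which has nothing to do with demonstrating ACR attachment and turns off Azure AD integration for anyone who copies the example; if it is only there to keep the e2e run free of AAD permissions, say so (`# disabled only for the e2e test; keep AAD RBAC enabled in real deployments`) or drop it and take the module default. The registry is created with the provider defaults for network access, which I believe leaves public access enabled; that is fine for a throwaway test resource but deserves the same kind of comment. Separately, `enforce_private_link_endpoint_network_policies` on `azurerm_subnet.test` is, as far as I recall, deprecated in azurerm 3.x in favour of `private_endpoint_network_policies_enabled`; the `>= 3.40, < 4.0` constraint in providers.tf accepts either, so this is a deprecation warning rather than an error.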
Empty file added examples/with_acr/outputs.tf
Empty file.
23 changes: 23 additions & 0 deletions examples/with_acr/providers.tf
@@ -0,0 +1,23 @@
terraform {
required_version = ">=1.2"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">= 3.40, < 4.0"
}
random = {
source = "hashicorp/random"
version = "3.3.2"
}
}
}

provider "azurerm" {
features {
resource_group {
prevent_deletion_if_contains_resources = false
}
}
}

provider "random" {}
14 changes: 14 additions & 0 deletions examples/with_acr/variables.tf
@@ -0,0 +1,14 @@
variable "create_resource_group" {
type = bool
default = true
nullable = false
}

variable "location" {
default = "eastus"
}

variable "resource_group_name" {
type = string
default = null
}
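Review bot: `variable "location"` declares no `type`, while the other two variables in this file do; adding `type = string` keeps the three declarations consistent and rejects a non-string value at plan time instead of letting it reach the provider.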
9 changes: 9 additions & 0 deletions main.tf
Expand Up @@ -336,3 +336,12 @@ resource "azurerm_log_analytics_solution" "main" {
publisher = "Microsoft"
}
}

resource "azurerm_role_assignment" "acr" {
for_each = var.attached_acr_id_map

principal_id = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id
scope = each.value
role_definition_name = "AcrPull"
skip_service_principal_aad_check = true
}
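Review bot: `principal_id` indexes `azurerm_kubernetes_cluster.main.kubelet_identity[0]` unconditionally; if the module can also build the cluster with a service principal rather than a managed identity (not visible in this hunk), `kubelet_identity` is empty and the index fails at apply, so either guard it or state the managed-identity requirement in the variable's description. `skip_service_principal_aad_check = true` is left unexplained; if its purpose is to tolerate AAD replication delay for a freshly created kubelet identity, a comment such as `# kubelet identity may not be visible in AAD immediately after cluster creation` makes that intent reviewable. `scope = each.value` grants AcrPull on whatever resource id the caller supplies, so a validation on `attached_acr_id_map` that only accepts registry ids would keep the grant at registry scope.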
6 changes: 6 additions & 0 deletions test/e2e/terraform_aks_test.go
Expand Up @@ -88,3 +88,9 @@ func TestExamplesNamedCluster(t *testing.T) {
assert.Regexp(t, regexp.MustCompile("/subscriptions/.+/resourceGroups/.+/providers/Microsoft.ManagedIdentity/userAssignedIdentities/.+"), identityIdsArray[0])
})
}

func TestExamplesWithACR(t *testing.T) {
test_helper.RunE2ETest(t, "../../", "examples/with_acr", terraform.Options{
Upgrade: true,
}, nil)
}
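Review bot: TestExamplesWithACR passes `nil` as the last argument to RunE2ETest, which from the sibling test above looks like the assertion callback, so this test only proves that the example applies and destroys; nothing checks that the AcrPull role assignment was created. That is hard to fix here because examples/with_acr/outputs.tf is added empty in this commit, leaving nothing to assert on. Consider exposing the role assignment ids as an output in the example and asserting on them in a callback here, the way the named-cluster test asserts on its outputs.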
14 changes: 14 additions & 0 deletions test/upgrade/upgrade_test.go
Expand Up @@ -74,3 +74,17 @@ func TestExampleUpgrade_named_cluster(t *testing.T) {
Vars: vars,
}, currentMajorVersion)
}

func TestExampleUpgrade_withACR(t *testing.T) {
currentRoot, err := test_helper.GetCurrentModuleRootPath()
if err != nil {
t.FailNow()
}
currentMajorVersion, err := test_helper.GetCurrentMajorVersionFromEnv()
if err != nil {
t.FailNow()
}
test_helper.ModuleUpgradeTest(t, "Azure", "terraform-azurerm-aks", "examples/with_acr", currentRoot, terraform.Options{
Upgrade: true,
}, currentMajorVersion)
}
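Review bot: Both `if err != nil { t.FailNow() }` guards in TestExampleUpgrade_withACR discard `err`, so a failure leaves no cause in the test output. `t.Fatalf("getting module root: %v", err)` and `t.Fatalf("reading current major version: %v", err)` keep the same early exit and report why. The sibling test above appears to follow the same pattern, so changing both for consistency would be reasonable.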
7 changes: 7 additions & 0 deletions variables.tf
Expand Up @@ -93,6 +93,13 @@ variable "api_server_authorized_ip_ranges" {
default = null
}

variable "attached_acr_id_map" {
type = map(string)
description = "Azure Container Registry ids that need an authentication mechanism with Azure Kubernetes Service (AKS). Map key must be static string as acr's name, the value is acr's resource id. Changing this forces some new resources to be created."
default = {}
nullable = false
}
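Review bot: `attached_acr_id_map` accepts any string as a value, and main.tf uses each value directly as the scope of an AcrPull role assignment, so a resource-group or subscription id passed by mistake would grant AcrPull at that broader scope rather than fail. A `validation` block restricting values to container registry resource ids keeps the grant at registry scope and fails at plan time with a clear message; the description could also note that values must be registry ids. Validation blocks may reference only the variable itself, which is all this check needs.
```hcl
variable "attached_acr_id_map" {
  # … unchanged: type, description, default, nullable …

  validation {
    condition = alltrue([
      for id in values(var.attached_acr_id_map) :
      can(regex("/providers/Microsoft.ContainerRegistry/registries/[^/]+$", id))
    ])
    error_message = "Every value of attached_acr_id_map must be an Azure Container Registry resource id."
  }
}
```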

variable "auto_scaler_profile_balance_similar_node_groups" {
description = "Detect similar node groups and balance the number of nodes between them. Defaults to `false`."
type = bool
