Merge pull request #1372 from aztfmod/AL-AROAzAPI

Adding Azure Red Hat OpenShift
aztfmod · Oct 3, 2022 · 925cd1d · 925cd1d
2 parents 710a17c + 606f600
commit 925cd1d
Show file tree

Hide file tree

Showing 26 changed files with 704 additions and 20 deletions.
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
@@ -6,7 +6,7 @@
   version: '3.7'
   services:
     rover:
-      image: aztfmod/rover:1.2.5-2208.0208
+      image: aztfmod/rover:1.3.1-2210.0303
       user: vscode
 
       labels:

diff --git a/.github/workflows/standalone-regressor-tf100.yaml b/.github/workflows/standalone-regressor-tf100.yaml
@@ -55,7 +55,7 @@ jobs:
       matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}}
 
     container:
-      image: aztfmod/rover:1.2.5-2208.0208
+      image: aztfmod/rover:1.3.1-2210.0303
       options: --user 0
 
     steps:
@@ -165,7 +165,7 @@ jobs:
     needs: [testcases]
 
     container:
-      image: aztfmod/rover:1.2.5-2208.0208
+      image: aztfmod/rover:1.3.1-2210.0303
       options: --user 0
 
     steps:

diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
@@ -27,6 +27,8 @@
     "compute/availability_set/100-simple-availabilityset",
     "compute/availability_set/101-availabilityset-with-proximity-placement-group",
     "compute/azure_virtual_desktop/wvd_resources",
+    "compute/azure_redhat_openshift/101_basic_private_cluster",
+    "compute/azure_redhat_openshift/102_basic_public_cluster",
     "compute/batch/batch_account/100-batch-account-storage",
     "compute/batch/batch_account/100-batch-account",
     "compute/batch/batch_account/200-batch-account-private-endpoint",

diff --git a/.github/workflows/standalone-tf100.yaml b/.github/workflows/standalone-tf100.yaml
@@ -51,7 +51,7 @@ jobs:
       matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}}
 
     container:
-      image: aztfmod/rover:1.2.5-2208.0208
+      image: aztfmod/rover:1.3.1-2210.0303
       options: --user 0
 
     steps:
@@ -136,7 +136,7 @@ jobs:
     needs: [testcases]
 
     container:
-      image: aztfmod/rover:1.2.5-2208.0208
+      image: aztfmod/rover:1.3.1-2210.0303
       options: --user 0
 
     steps:

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -2,7 +2,7 @@
 # See http://pre-commit.com/hooks.html for more hooks
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.74.1
+    rev: v1.75.0
     hooks:
     - id: terraform_fmt
     - id: terraform_docs

diff --git a/azure_redhat_openshift.tf b/azure_redhat_openshift.tf
@@ -0,0 +1,31 @@
+module "aro" {
+  source     = "./modules/compute/azure_redhat_openshift"
+  for_each   = local.compute.aro_clusters
+  depends_on = [time_sleep.azurerm_role_assignment_for]
+
+  location                 = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
+  resource_group_name      = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name
+  resource_group           = can(each.value.resource_group.id) || can(each.value.resource_group_id) ? try(each.value.resource_group.id, each.value.resource_group_id) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].id
+  base_tags                = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
+  client_config            = local.client_config
+  combined_diagnostics     = local.combined_diagnostics
+  diagnostic_profiles      = try(each.value.diagnostic_profiles, {})
+  global_settings          = local.global_settings
+  settings                 = each.value
+  dynamic_keyvault_secrets = try(local.security.dynamic_keyvault_secrets, {})
+
+  combined_resources = {
+    resource_groups      = local.combined_objects_resource_groups
+    keyvaults            = local.combined_objects_keyvaults
+    managed_identities   = local.combined_objects_managed_identities
+    vnets                = local.combined_objects_networking
+    virtual_subnets      = local.combined_objects_virtual_subnets
+    service_principals   = local.combined_objects_azuread_service_principals
+    disk_encryption_sets = local.combined_objects_disk_encryption_sets
+  }
+}
+
+output "aro" {
+  value = module.aro
+}
+
diff --git a/examples/compute/azure_redhat_openshift/101_basic_private_cluster/aro.tfvars b/examples/compute/azure_redhat_openshift/101_basic_private_cluster/aro.tfvars
@@ -0,0 +1,99 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "eastus"
+    region2 = "australiacentral"
+  }
+}
+
+resource_groups = {
+  aro1 = {
+    name   = "aro-test"
+    region = "region1"
+  }
+}
+
+aro_clusters = {
+  aro1 = {
+    name               = "aro"
+    resource_group_key = "aro1"
+
+    service_principal = {
+      key = "sp1"
+      keyvault = {
+        key           = "test_client"
+        secret_prefix = "test-client"
+      }
+      ## support for litterals
+      # client_id = ""
+      # client_secret = ""
+      # # {
+    }
+
+    api_server_profile = {
+      visibility = "Private"
+    }
+
+    ingress_profiles = [
+      {
+        name       = "default"
+        visibility = "Private"
+      }
+    ]
+
+
+    cluster_profile = {
+      domain                 = "testcafaro43"
+      fips_validated_modules = "Disabled"
+      # pull_secret = {
+      #  secret           = "your_secret"
+      #  secret_id        = "resource_id_of_the_secret"
+      #}
+      version = "4.10.20"
+      resource_group = {
+        # cant be an existing RG, you can specify the name of the RG to create with id="" or just a name="" 
+        # id = "resource_group_id"
+        name = "test-aro"
+      }
+    }
+
+    master_profile = {
+      vm_size            = "Standard_D8s_v3"
+      encryption_at_host = "Disabled"
+      subnet = {
+        key = "subnet1"
+        vnet = {
+          key = "vnet1"
+        }
+        //id = "resource_id"
+      }
+      # disk_encryption_set = {
+      #   key = "disk-encryption-set1"
+      #   id = "resource_id"
+      # }
+    }
+
+    worker_profiles = [
+      {
+        name               = "worker"
+        vm_size            = "Standard_D4s_v3"
+        disk_size_gb       = "128"
+        node_count         = "4"
+        encryption_at_host = "Disabled"
+        subnet = {
+          key = "subnet2"
+          vnet = {
+            key = "vnet1"
+          }
+          //id = "resource_id"
+        }
+      }
+    ]
+
+    network_profile = {
+      pod_cidr     = "10.128.0.0/14"
+      service_cidr = "172.30.0.0/16"
+    }
+
+  }
+}
diff --git a/examples/compute/azure_redhat_openshift/101_basic_private_cluster/principal.tfvars b/examples/compute/azure_redhat_openshift/101_basic_private_cluster/principal.tfvars
@@ -0,0 +1,106 @@
+keyvaults = {
+  test_client = {
+    name                = "testkv"
+    resource_group_key  = "aro1"
+    sku_name            = "standard"
+    soft_delete_enabled = true
+    creation_policies = {
+      logged_in_user = {
+        # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy
+        # More examples in /examples/keyvault
+        secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
+      }
+    }
+  }
+}
+
+keyvault_access_policies_azuread_apps = {
+  test_client = {
+    test_client = {
+      azuread_application_key = "test_client"
+      secret_permissions      = ["Set", "Get", "List", "Delete"]
+    }
+  }
+}
+
+azuread_applications = {
+  test_client = {
+    useprefix        = true
+    application_name = "aro-test"
+  }
+}
+
+azuread_service_principals = {
+  sp1 = {
+    azuread_application = {
+      key = "test_client"
+    }
+    tags = [
+      "AzureRedHatOpenShift"
+    ]
+  }
+}
+
+azuread_credential_policies = {
+  default_policy = {
+    # Length of the password
+    length  = 250
+    special = false
+    upper   = true
+    number  = true
+    # Password Expiration date
+    expire_in_days = 90
+    rotation_key0 = {
+      # Odd number
+      days = 33
+    }
+    rotation_key1 = {
+      # Even number
+      days = 58
+    }
+  }
+}
+
+azuread_credentials = {
+  test1 = {
+    type                          = "password"
+    azuread_credential_policy_key = "default_policy"
+    azuread_application = {
+      key = "test_client"
+    }
+    keyvaults = {
+      test_client = {
+        secret_prefix = "test-client"
+      }
+    }
+  }
+}
+
+#complete list of built-in-roles : https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
+
+role_mapping = {
+  built_in_role_mapping = {
+    networking = {
+      # subcription level access
+      vnet1 = {
+        "Contributor" = {
+          azuread_service_principals = {
+            keys = ["sp1"]
+          }
+          object_ids = {
+            keys = ["004c3094-aa2e-47f3-87aa-f82a155ada54"]
+            // To get the value for your tenant use the following coommand: 
+            // az ad sp list --display-name "Azure Red Hat OpenShift RP" --query "[0].id" -o tsv
+            // Todo: get object ID from ARO RP ID
+            // add capability to specify SP by name: azuread_service_principal_names = {
+            // # keys = []
+            // cond data source to crack the names to GUID
+            //}
+          }
+        }
+      }
+    }
+
+  }
+}
+
diff --git a/examples/compute/azure_redhat_openshift/101_basic_private_cluster/vnet.tfvars b/examples/compute/azure_redhat_openshift/101_basic_private_cluster/vnet.tfvars
@@ -0,0 +1,24 @@
+vnets = {
+  vnet1 = {
+    resource_group_key = "aro1"
+    vnet = {
+      name          = "aro-vnet"
+      address_space = ["10.1.0.0/16"]
+    }
+    subnets = {
+      subnet1 = {
+        name                                           = "master"
+        cidr                                           = ["10.1.1.0/24"]
+        service_endpoints                              = ["Microsoft.ContainerRegistry", "Microsoft.Storage"]
+        enforce_private_link_service_network_policies  = true
+        enforce_private_link_endpoint_network_policies = true
+      }
+      subnet2 = {
+        name              = "worker"
+        cidr              = ["10.1.2.0/24"]
+        service_endpoints = ["Microsoft.ContainerRegistry", "Microsoft.Storage"]
+      }
+
+    }
+  }
+}