Merge pull request #1295 from robgil-dds/testing-k8s-iam

k8s IAM changes for keyvault access
dandds 2020-01-08 06:23:12 -05:00 committed by GitHub
commit 821196e101
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 61 additions and 2 deletions


@ -24,6 +24,7 @@ Requirements:
- Python pip - Python pip
- Python virtualenv # FIXME: Switch to `pipenv` - Python virtualenv # FIXME: Switch to `pipenv`
- [azure cli](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest) - [azure cli](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)
- [powershell](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell?view=powershell-6) See below
# tfenv # tfenv
`tfenv` will allow you to install TF versions. For example. `tfenv` will allow you to install TF versions. For example.
@ -39,6 +40,17 @@ To select a version to use
tfenv use 0.12.18 tfenv use 0.12.18
``` ```
# Powershell
Some things you need to use powershell. Specifically getting client profiles for the VPN.
## Install powershell on Linux
Powershell on recent versions of Ubuntu is available through snap.
For Ubuntu 19.10
```
snap install powershell --classic
```
# Running Terraform # Running Terraform
First, you'll need to log in to Azure. With the Azure CLI installed, you can run the following. First, you'll need to log in to Azure. With the Azure CLI installed, you can run the following.
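Review bot: `snap install powershell --classic` installs the package with classic confinement, which disables the snap sandbox and gives PowerShell full access to the host, and as written the command needs root (`sudo`); the section should say both. The heading promises "Install powershell on Linux" but the instruction covers only Ubuntu 19.10, so point other distributions at the Microsoft install page already linked in the requirements list.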
@ -82,3 +94,23 @@ terraform plan -target=module.vpc
``` ```
In the above example, this will only run a plan (plan/apply/destroy) on the specific module. This can be a module, or resource. You can get a list of module and resources by running `terraform show`. In the above example, this will only run a plan (plan/apply/destroy) on the specific module. This can be a module, or resource. You can get a list of module and resources by running `terraform show`.
# VPN Setup
[Configure OpenVPN clients for Azure VPN Gateway](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-openvpn-clients#before-you-begin)
[About P2S VPN client profiles](https://docs.microsoft.com/en-us/azure/vpn-gateway/about-vpn-profile-download)
[Configure a VPN client for P2S OpenVPN protocol connections: Azure AD authentication (Preview)](https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client)
[Create an Azure Active Directory tenant for P2S OpenVPN protocol connections](https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant)
The docs above should help with client configuration. The last doc (Create an Azure Active Directory..) is necessary to run the command to add the VPN app for AD.
Copied here for convenience. Just enter this in your browser.
```
# For Public Azure - Government has a different URL, see doc above
https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
```
## Adding a client
TODO
## Downloading a client profile
TODO
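Review bot: the consent URL carries `prompt=admin_consent`, so opening it grants the Azure VPN application (`client_id=41b23e61-...`) consent for the whole tenant; the text should state that it must be opened by a tenant administrator signed into the intended tenant, since "Just enter this in your browser" undersells what the click does. The fixed `nonce=1234` is acceptable for a one-off browser paste but should not be copied into any automation. The "Adding a client" and "Downloading a client profile" subsections ship as bare `TODO`; either fill them in or leave the headings out until there is content.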


@ -23,7 +23,7 @@ resource "azurerm_key_vault_access_policy" "keyvault" {
key_vault_id = azurerm_key_vault.keyvault.id key_vault_id = azurerm_key_vault.keyvault.id
tenant_id = "b5ab0e1e-09f8-4258-afb7-fb17654bc5b3" tenant_id = "b5ab0e1e-09f8-4258-afb7-fb17654bc5b3"
object_id = "2ca63d41-d058-4e06-aef6-eb517a53b631" object_id = "ca8cfc48-9995-4973-a8cc-6c7f755e84de"
key_permissions = [ key_permissions = [
"get", "get",
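Review bot: `object_id` remains a hard-coded GUID that had to be hand-edited in this PR; since the identity module now exports `principal_id` (see the new outputs file in this PR), the access policy can reference that output instead, so the policy follows the identity if it is ever recreated and the two cannot drift apart. The pasted `tenant_id` literal can likewise come from `data.azurerm_client_config` rather than a string copied into the file.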


@ -8,4 +8,13 @@ resource "azurerm_user_assigned_identity" "identity" {
location = azurerm_resource_group.identity.location location = azurerm_resource_group.identity.location
name = "${var.name}-${var.environment}-${var.identity}" name = "${var.name}-${var.environment}-${var.identity}"
} }
data "azurerm_subscription" "primary" {}
resource "azurerm_role_assignment" "roles" {
count = length(var.roles)
scope = data.azurerm_subscription.primary.id
role_definition_name = var.roles[count.index]
principal_id = azurerm_user_assigned_identity.identity.principal_id
}
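Review bot: `scope = data.azurerm_subscription.primary.id` assigns every entry in `var.roles` at subscription scope, which for a vault-reader identity is far wider than the one key vault it needs to read; consider accepting a `scope` variable (resource group or key vault id) so callers can pin the assignment to the resource, and leave subscription scope as an explicit opt-in. Separately, `count = length(var.roles)` keys the assignments by list position, so inserting or reordering a role destroys and recreates the later assignments; `for_each = toset(var.roles)` keys them by role name and avoids that churn.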


@ -0,0 +1,11 @@
output "id" {
value = azurerm_user_assigned_identity.identity.id
}
output "principal_id" {
value = azurerm_user_assigned_identity.identity.principal_id
}
output "client_id" {
value = azurerm_user_assigned_identity.identity.client_id
}


@ -22,3 +22,8 @@ variable "identity" {
type = string type = string
description = "Name of the managed identity to create" description = "Name of the managed identity to create"
} }
variable "roles" {
type = list
description = "List of roles by name"
}
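Review bot: `type = list` is the legacy unconstrained form; declare it as `list(string)` so a non-string element is rejected at plan time rather than at the provider call, and add `default = []` so any other caller of this module that does not pass `roles` keeps working with zero assignments instead of failing on a missing required variable.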


@ -5,4 +5,6 @@ module "keyvault_reader_identity" {
environment = var.environment environment = var.environment
region = var.region region = var.region
identity = "${var.name}-${var.environment}-vault-reader" identity = "${var.name}-${var.environment}-vault-reader"
roles = ["Reader", "Managed Identity Operator"]
} }
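Review bot: "Managed Identity Operator", combined with the subscription-scope assignment in the identity module, lets this identity assign any user-assigned identity in the subscription, not just itself; confirm that is actually required here (the commit message mentions keyvault access for k8s) and, if it is needed so the cluster can attach the identity, record why in a comment beside the list so the next reader does not remove or widen it blindly. "Reader" at subscription scope is likewise broader than reading one vault.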