From ca1d26cc672434d7c6ddff3917737fd8e72548a5 Mon Sep 17 00:00:00 2001
From: dandds
Date: Thu, 30 Jan 2020 16:28:02 -0500
Subject: [PATCH 1/2] Give the cluster perms to create load balancers.

In order for the cluster app registration to create new load balancers, it needs to have the Network Contributor role for the virtual network. In the future, we should create a custom policy scoped to exactly the permissions the cluster needs, per: https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#prerequisites
---
 terraform/modules/k8s/main.tf | 6 ++++++
 terraform/modules/k8s/variables.tf | 7 ++++++-
 terraform/modules/vpc/outputs.tf | 6 +++++-
 terraform/providers/dev/k8s.tf | 1 +
 4 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/terraform/modules/k8s/main.tf b/terraform/modules/k8s/main.tf
index 8ecbb4cd..1d46fc4c 100644
--- a/terraform/modules/k8s/main.tf
+++ b/terraform/modules/k8s/main.tf
@@ -81,3 +81,9 @@ resource "azurerm_monitor_diagnostic_setting" "k8s_diagnostic-1" {
 }
 }
 }
+
+resource "azurerm_role_assignment" "k8s_network_contrib" {
+ scope = var.vnet_id
+ role_definition_name = "Network Contributor"
+ principal_id = azurerm_kubernetes_cluster.k8s.identity[0].principal_id
+}
diff --git a/terraform/modules/k8s/variables.tf b/terraform/modules/k8s/variables.tf
index 79bac3de..1445bdae 100644
--- a/terraform/modules/k8s/variables.tf
+++ b/terraform/modules/k8s/variables.tf
@@ -66,4 +66,9 @@ variable "client_secret" {
 variable "workspace_id" {
 description = "Log Analytics workspace for this resource to log to"
 type = string
-}
\ No newline at end of file
+}
+
+variable "vnet_id" {
+ description = "The ID of the VNET that the AKS cluster app registration needs to provision load balancers in"
+ type = string
+}
diff --git a/terraform/modules/vpc/outputs.tf b/terraform/modules/vpc/outputs.tf
index baa32935..b1f0fe38 100644
--- a/terraform/modules/vpc/outputs.tf
+++ b/terraform/modules/vpc/outputs.tf
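Review bot: `principal_id = azurerm_kubernetes_cluster.k8s.identity[0].principal_id` assumes the cluster is created with an `identity` block, but this module takes `client_id`/`client_secret` (see the variables.tf and dev k8s.tf hunks), which points to a `service_principal` block instead; in that case `identity` is an empty list, `identity[0]` fails at plan time, and the principal that actually creates load balancers is the service principal, whose object id would be the right value here. The cluster resource is outside the hunk, so this needs confirming against it. Separately, `scope = var.vnet_id` grants Network Contributor over the whole virtual network; scoping the assignment to the subnet the node pool uses may be enough and would be closer to the least privilege the commit message itself calls for. A short comment above the resource stating why the role is needed and the intended narrowing would help the next reader.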
@@ -6,4 +6,8 @@ output "subnet_list" {
 value = { for k, id in azurerm_subnet.subnet : k => id }
-}
\ No newline at end of file
+}
+
+output "id" {
+ value = azurerm_virtual_network.vpc.id
+}
diff --git a/terraform/providers/dev/k8s.tf b/terraform/providers/dev/k8s.tf
index fe3dac18..33cbabe4 100644
--- a/terraform/providers/dev/k8s.tf
+++ b/terraform/providers/dev/k8s.tf
@@ -23,6 +23,7 @@ module "k8s" {
 client_id = data.azurerm_key_vault_secret.k8s_client_id.value
 client_secret = data.azurerm_key_vault_secret.k8s_client_secret.value
 workspace_id = module.logs.workspace_id
+ vnet_id = module.vpc.id
 }
 
 #module "main_lb" {
From 10f8bf9503df15610a6770d53276d1f2898c7d1e Mon Sep 17 00:00:00 2001
From: dandds
Date: Fri, 31 Jan 2020 06:18:54 -0500
Subject: [PATCH 2/2] Fix bug in setting Secure on session cookie.

This fixes a bug I introduced with commit 6edc7b138b0745d0b3f9d99da76c445fe954c5a7 The value for SESSION_COOKIE_SECURE was being read in as a truthy string every time. In order for it to be interpreted correctly, we need to map it to a boolean.
---
 atst/app.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/atst/app.py b/atst/app.py
index 29476ed8..05578827 100644
--- a/atst/app.py
+++ b/atst/app.py
@@ -193,6 +193,7 @@ def map_config(config):
 "CONTRACT_END_DATE": datetime.strptime(
 config.get("default", "CONTRACT_END_DATE"), "%Y-%m-%d"
 ).date(),
+ "SESSION_COOKIE_SECURE": config.getboolean("default", "SESSION_COOKIE_SECURE"),
 }
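Review bot: The new `output "id"` carries no description, while the `vnet_id` variable that consumes it in the k8s module does; a one-line `description = "Resource ID of the virtual network"` would document what `module.vpc.id` is meant for. The name is also terse next to `subnet_list`; if the module has a naming convention for outputs it is worth matching here.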
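Review bot: `config.getboolean("default", "SESSION_COOKIE_SECURE")` on the added line has no `fallback`, so a config that omits the key fails at startup with NoOptionError instead of getting a safe default; if failing loudly is intended, a short comment saying so would help, otherwise `config.getboolean("default", "SESSION_COOKIE_SECURE", fallback=True)` keeps the cookie Secure by default. getboolean also raises ValueError for anything outside the INI boolean vocabulary (true/false, yes/no, on/off, 1/0), which is appropriate for a security flag but is worth a comment since the neighbouring entries read plain strings via `config.get`. The enclosing map_config begins before the hunk.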