From 636653a5ade773176e9c7163d53097820e260e23 Mon Sep 17 00:00:00 2001
From: Rob Gil
Date: Mon, 20 Jan 2020 15:37:01 -0500
Subject: [PATCH 1/2] Additional quick steps on how to configure terraform

---
 terraform/README.md | 61 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 60 insertions(+), 1 deletion(-)

diff --git a/terraform/README.md b/terraform/README.md
index 7b875d70..b488be91 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -206,4 +206,63 @@ https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1
 TODO
 
 ## Downloading a client profile
-TODO
\ No newline at end of file
+TODO
+
+# Quick Steps
+Copy paste (mostly)
+
+*Edit provider.tf and turn off remote bucket temporarily (comment out backend {} section)*
+```
+provider "azurerm" {
+ version = "=1.40.0"
+}
+
+provider "azuread" {
+ # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
+ version = "=0.7.0"
+}
+
+terraform {
+ #backend "azurerm" {
+ #resource_group_name = "cloudzero-dev-tfstate"
+ #storage_account_name = "cloudzerodevtfstate"
+ #container_name = "tfstate"
+ #key = "dev.terraform.tfstate"
+ #}
+}
+```
+
+`terraform init`
+
+`terraform plan -target=module.tf_state`
+
+Ensure the state bucket is created.
+
+*create the container in the portal (or cli).*
+This simply involves going to the bucket in the azure portal and creating the container.
+
+Now is the tricky part. For this, we will be switching from local state (files) to remote state (stored in the azure bucket)
+
+Uncomment the `backend {}` section in the `provider.tf` file. Once uncommented, we will re-run the init. This will attempt to copy the local state to the remote bucket.
+
+`terraform init`
+
+*Say `yes` to the question*
+
+Now we need to update the Update `variables.tf` with the principals for the users in `admin_users` variable map. If these are not defined yet, just leave it as an empty set.
+
+Next, we'll create the operator keyvault.
+
+`terraform plan -target=module.operator_keyvault`
+
+Lastly, we'll pre-populate some secrets using the secrets-tool. Follow the install/setup section in the README.md first. Then populate the secrets with a definition file as described in the following link.
+
+
+https://github.com/dod-ccpo/atst/tree/staging/terraform/secrets-tool#populating-secrets-from-secrets-definition-file
+
+*Next we'll apply the rest of the TF configuration*
+
+`terraform plan` # Make sure this looks correct
+
+`terraform apply`
+

From 584b8853118a6b7111a07ea2e906e021a581c72c Mon Sep 17 00:00:00 2001
From: Rob Gil
Date: Mon, 20 Jan 2020 16:10:55 -0500
Subject: [PATCH 2/2] Adds notes on AKS service_principal and preview features that must be enabled

---
 terraform/README.md | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/terraform/README.md b/terraform/README.md
index b488be91..40460cb9 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -57,6 +57,7 @@ To create all the resources we need for this environment we'll need to enable so
 This registers the specific feature for _SystemAssigned_ principals
 ```
 az feature register --namespace Microsoft.ContainerService --name MSIPreview
+az feature register --namespace Microsoft.ContainerService --name NodePublicIPPreview
 ```
 
 To apply the registration, run the following
@@ -211,6 +212,9 @@ TODO
 # Quick Steps
 Copy paste (mostly)
 
+*Register Preview features*
+See [Registering Features](#Preview_Features)
+
 *Edit provider.tf and turn off remote bucket temporarily (comment out backend {} section)*
 ```
 provider "azurerm" {
@@ -255,11 +259,22 @@ Next, we'll create the operator keyvault.
 
 `terraform plan -target=module.operator_keyvault`
 
-Lastly, we'll pre-populate some secrets using the secrets-tool. Follow the install/setup section in the README.md first. Then populate the secrets with a definition file as described in the following link.
-
+Next, we'll pre-populate some secrets using the secrets-tool. Follow the install/setup section in the README.md first. Then populate the secrets with a definition file as described in the following link.
 
 https://github.com/dod-ccpo/atst/tree/staging/terraform/secrets-tool#populating-secrets-from-secrets-definition-file
+*Create service principal for AKS*
+```
+az ad sp create-for-rbac
+```
+Take note of the output, you'll need it in the next step to store the secret and `client_id` in keyvault.
+
+This also involves using secrets-tool. Substitute your keyvault url.
+```
+secrets-tool secrets --keyvault https://ops-jedidev-keyvault.vault.azure.net/ create --key k8s-client-id --value [value]
+secrets-tool secrets --keyvault https://ops-jedidev-keyvault.vault.azure.net/ create --key k8s-client-secret --value [value]
+``` + +*Next we'll apply the rest of the TF configuration* + +`terraform plan` # Make sure this looks correct