66 Commits

Author SHA1 Message Date
dandds
058ee57527 Create database with separate script.
Creating the ATAT database requires a separate connection to one of the
default Postgres databases, like `postgres`. This updates the scripts
and secrets-tool command to handle creating the database. It also
removes database creation from Terraform and updates the documentation.
2020-01-27 13:17:09 -05:00
dandds
a8f6befc17 secrets-tool command for bootstrapping database.
This additional secrets-tool command can be used to run the database
bootsrapping script (`script/database_setup.py`) inside an ATAT docker
container against the Azure database. It sources the necessary keys from
Key Vault.
2020-01-27 13:17:09 -05:00
Rob Gil
76465e978a Remove k8s test tf 2020-01-24 07:36:24 -05:00
Rob Gil
7b2523254d Adds Dans home ip 2020-01-24 07:36:02 -05:00
Rob Gil
daa07f8631 Removes unnecessary locals in the bucket module 2020-01-23 20:26:27 -05:00
Rob Gil
e0d59eb166 Finally fixes subnet list output
This finally fixes the output coming from the vpc module so that it
returns a full list of subnets. Now they can be referenced just like the
redis module is using in this commit.
2020-01-23 20:22:53 -05:00
Rob Gil
3f5bbf2c5e Cleans out comments 2020-01-23 19:58:06 -05:00
Rob Gil
9f0904c201 Adds dedicated redis subnet 2020-01-23 19:57:45 -05:00
Rob Gil
0f5f5bd926 Converts redis to use service_endpoints
This is still a WIP.
2020-01-23 19:16:00 -05:00
Rob Gil
38ce1ef2b2 Adds list of users for access to storage and more service endpoints
This sets up the rest of the service endpoints on the subnets. It also
adds a variable map specifically to grant IP access to the storage
buckets. This new variable map is necessary since the azure storage ip
rules do not accept /32 CIDR ranges. The rest of the services do support
cidr ranges.
2020-01-23 18:41:29 -05:00
Rob Gil
536eccdb90 Container registry private networking and bucket cidr range fix 2020-01-23 13:13:56 -05:00
Rob Gil
dab6cdb7dc Locks down keyvaults to subnets and administrator ip addresses 2020-01-23 11:02:12 -05:00
Rob Gil
c31d68a18c Makes client vpn cidr range configurable 2020-01-23 10:50:16 -05:00
Rob Gil
48482785ac Adds IP whitelisting to storage buckets 2020-01-23 10:02:31 -05:00
Rob Gil
d22357e609 Adds step to manually configure MFA in AD 2020-01-22 19:37:04 -05:00
Rob Gil
635ccb0fd3 Fixes postgres character collation 2020-01-22 19:36:33 -05:00
Rob Gil
01703b1488 Configures storage buckets to be optionally exposed via service endpoints 2020-01-22 19:35:54 -05:00
Rob Gil
9042a960bb Adds configurable service endpoints to subnets in the vpc module 2020-01-22 19:35:19 -05:00
dandds
83de5d38d9 Terraform initial database.
This addes TF config for creating the initial database for the selected
ATAT environment. The datatase name format is [environment]-atat.
2020-01-21 19:52:09 -05:00
dandds
9f2bdd4a9f Updated dev environment for JEDI.
- Updated environment name.
- Updated variables.
- AKS service principal creds moved to the operator Key Vault.
2020-01-21 10:08:27 -05:00
dandds
fdd8e3dbba
Merge pull request #1340 from robgil-dds/additional-tf-docs
Additional quick steps on how to configure terraform
2020-01-20 19:27:10 -05:00
Rob Gil
584b885311 Adds notes on AKS service_principal and preview features that must be enabled 2020-01-20 16:10:55 -05:00
Rob Gil
636653a5ad Additional quick steps on how to configure terraform 2020-01-20 15:37:01 -05:00
Rob Gil
4eded23051 Adds keyvault outputs 2020-01-20 14:04:51 -05:00
dandds
ad70042774
Merge pull request #1333 from robgil-dds/170237669-updated-deploy-docs
Document process for adding secrets for redis and storage to keyvault…
2020-01-19 10:54:12 -05:00
Rob Gil
9684b608d4 Document process for adding secrets for redis and storage to keyvault with secrets-tool 2020-01-17 14:16:06 -05:00
Rob Gil
9c429e35da 170237669 - Converts postgres secrets to use keyvault
This changes the configuration of the postgres master username and
password. Instead of committing to source (short term hack), this now
sources those secrets from KeyVault. Those secrets are generated and
populated via secrets-tool.
2020-01-17 13:30:00 -05:00
Rob Gil
7aaad51f81 170268346 - Enables access for admins to manage certificates in keyvault
Grants access to the admins to manage certificates in keyvault
2020-01-17 09:28:42 -05:00
Rob Gil
55623028df Adds a secrets generator and loader
secrets-tool now has a feature to both generate secrets as well as load
the generated secrets in to KeyVault.
2020-01-16 21:40:26 -05:00
Rob Gil
b9a7efe6ba Revised Pipfiles 2020-01-16 18:19:33 -05:00
Rob Gil
aa89505650 169163334 - Abstracts terraform wrapper code
The terraform wrapper is now abstracted in to a utility class for
working with terraform. The terraform module was also updated to support
configurable keyvault servers. Logging for this new module was also
added, so the terraform output is seen on the console.
2020-01-16 17:27:49 -05:00
Rob Gil
deead852b5 169163334 - Initial secrets-tool commit
Adds admin_users map and keyvault policy

This adds an admin_users map as well as a new policy in the keyvault
module. When run, this will apply an administrator policy for users in
the admin_users map. With these permissions, the admin users will be
able to manage secrets and keys in keyvault.

169163334 - Initial secrets-tool commit

Adds admin_users map and keyvault policy

This adds an admin_users map as well as a new policy in the keyvault
module. When run, this will apply an administrator policy for users in
the admin_users map. With these permissions, the admin users will be
able to manage secrets and keys in keyvault.

170237669 - Makes the read only policy for keyvault optional and only create the policy if a principal_id is passed

170237669 - Adds new operator keyvault for secrets

This is a new keyvault specifically for storing operator secrets and
things that would not be accessible to applications. The primary use
case for this is for launching things like postgres (root postgres
creds) and other services which would require secrets to be added to the
terraform configuration. This approach avoids adding secrets to
terraform.

An accompanying script will be added to populate the new keyvault.
2020-01-16 17:27:49 -05:00
Rob Gil
a47ad24b90 Apply manual change for dev environment to gain access to keyvault from vmss nodes 2020-01-13 12:08:09 -05:00
Rob Gil
8416c18258 Document keyvault post terraform manual steps
This is to document and configure the post-terraform commands necessary
for k8s hosts in the vmss to access the keyvault through flexvol.
2020-01-13 12:05:52 -05:00
Rob Gil
53cf42103e Fix resource names for module.vpc 2020-01-13 10:29:12 -05:00
Rob Gil
316428a787 Adds screenshot of manual change to make for SystemAssigned identities 2020-01-13 10:29:12 -05:00
Rob Gil
f279e3d3c1 Docs updates to document manual steps 2020-01-13 10:29:12 -05:00
Rob Gil
1a9ff0e02b Updates docs with Preview features and how to enable them 2020-01-13 10:29:12 -05:00
Rob Gil
3986f3c91f 169163334 - Uses the k8s principal for access to keyvault from k8s nodes 2020-01-13 10:29:12 -05:00
Rob Gil
b233cb253f 169163334 - Updates provider for SystemAssigned MI policy for k8s 2020-01-13 10:29:12 -05:00
Rob Gil
623368b8dd 169163334 - Switches to SystemAssigned managed identity
The SystemAssigned managed identity requires a preview feature to be
enabled.

```
rgil@rem5:~/atst/terraform/providers/dev$ az feature list|grep MSIPreview
    "id": "/subscriptions/95934d54-980d-47cc-9bce-3a96bf9a2d1b/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/MSIPreview",
    "name": "Microsoft.ContainerService/MSIPreview",
rgil@rem5:~/atst/terraform/providers/dev$ az feature register --namespace Microsoft.ContainerService --name MSIPreview
Once the feature 'MSIPreview' is registered, invoking 'az provider register -n Microsoft.ContainerService' is required to get the change propagated
{
  "id": "/subscriptions/95934d54-980d-47cc-9bce-3a96bf9a2d1b/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/MSIPreview",
  "name": "Microsoft.ContainerService/MSIPreview",
  "properties": {
    "state": "Registering"
  },
  "type": "Microsoft.Features/providers/features"
}
rgil@rem5:~/atst/terraform/providers/dev$ az provider register -n Microsoft.ContainerService
rgil@rem5:~/atst/terraform/providers/dev$
```

This also now integrates the policy for keyvault with the k8s managed
identity (system assigned).
2020-01-13 10:29:12 -05:00
Rob Gil
11404a6e5b Adds IAM roles for the Managed Identity Module
This adds the ability to pass in a list of roles to be assigned to the
managed identity user.
2020-01-07 14:00:27 -05:00
Rob Gil
f76934eaaf Adds initial OpenVPN configuration docs and powershell instructions 2020-01-06 19:45:46 -05:00
Rob Gil
a5ea2e3757 Testing k8s config 2020-01-06 18:21:48 -05:00
Rob Gil
0b7ff0679a 170237476 - Autoscaling fix
Specifying the node count breaks the autoscaling min/max. When this
happens, the k8s cluster needs to be manually reconfigured. Terraform
does not remove the node count even when the node count option is
removed. The k8s cluster resource needed to be destroyed and re-created
in order to resolve the issue with node count and min/max options being
specified at the same time.
2019-12-30 12:57:57 -05:00
Rob Gil
62a02234a4 169163334 - Adds TF bucket module
Basic bucket module to create a bucket
2019-12-26 13:28:31 -05:00
Rob Gil
5eeb5f976a 169163334 - Adds autoscaling to k8s
This adds node autoscaling the k8s. Pod autoscaling needs to be
configured in the kubectl config.
2019-12-26 09:10:48 -05:00
Jay R. Newlin (PromptWorks)
1a89f73ca2
Merge branch 'staging' into 169163334-dns-fix 2019-12-24 13:40:13 -05:00
Rob Gil
b98bc5953f 169163334 - Adds public ips to k8s nodes for internet access
Temporary fix. This should be replaced with a NAT GW (which I need MSFT
to enable or fix the registry registration)
2019-12-23 18:39:55 -05:00
Rob Gil
ec5c3e0ce0 169163334 - Adds more configuration elements per call with Dan
This adds the start of the identity module but also cleans up a bunch of
things like the LBs. Originally I was managing the LBs, but k8s manages
this for us so I disabled the LBs for now.
2019-12-20 15:10:57 -05:00