This changes the configuration of the postgres master username and
password. Instead of committing to source (short term hack), this now
sources those secrets from KeyVault. Those secrets are generated and
populated via secrets-tool.
The terraform wrapper is now abstracted in to a utility class for
working with terraform. The terraform module was also updated to support
configurable keyvault servers. Logging for this new module was also
added, so the terraform output is seen on the console.
Adds admin_users map and keyvault policy
This adds an admin_users map as well as a new policy in the keyvault
module. When run, this will apply an administrator policy for users in
the admin_users map. With these permissions, the admin users will be
able to manage secrets and keys in keyvault.
169163334 - Initial secrets-tool commit
Adds admin_users map and keyvault policy
This adds an admin_users map as well as a new policy in the keyvault
module. When run, this will apply an administrator policy for users in
the admin_users map. With these permissions, the admin users will be
able to manage secrets and keys in keyvault.
170237669 - Makes the read only policy for keyvault optional and only create the policy if a principal_id is passed
170237669 - Adds new operator keyvault for secrets
This is a new keyvault specifically for storing operator secrets and
things that would not be accessible to applications. The primary use
case for this is for launching things like postgres (root postgres
creds) and other services which would require secrets to be added to the
terraform configuration. This approach avoids adding secrets to
terraform.
An accompanying script will be added to populate the new keyvault.
The SystemAssigned managed identity requires a preview feature to be
enabled.
```
rgil@rem5:~/atst/terraform/providers/dev$ az feature list|grep MSIPreview
"id": "/subscriptions/95934d54-980d-47cc-9bce-3a96bf9a2d1b/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/MSIPreview",
"name": "Microsoft.ContainerService/MSIPreview",
rgil@rem5:~/atst/terraform/providers/dev$ az feature register --namespace Microsoft.ContainerService --name MSIPreview
Once the feature 'MSIPreview' is registered, invoking 'az provider register -n Microsoft.ContainerService' is required to get the change propagated
{
"id": "/subscriptions/95934d54-980d-47cc-9bce-3a96bf9a2d1b/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/MSIPreview",
"name": "Microsoft.ContainerService/MSIPreview",
"properties": {
"state": "Registering"
},
"type": "Microsoft.Features/providers/features"
}
rgil@rem5:~/atst/terraform/providers/dev$ az provider register -n Microsoft.ContainerService
rgil@rem5:~/atst/terraform/providers/dev$
```
This also now integrates the policy for keyvault with the k8s managed
identity (system assigned).
Specifying the node count breaks the autoscaling min/max. When this
happens, the k8s cluster needs to be manually reconfigured. Terraform
does not remove the node count even when the node count option is
removed. The k8s cluster resource needed to be destroyed and re-created
in order to resolve the issue with node count and min/max options being
specified at the same time.
This adds the start of the identity module but also cleans up a bunch of
things like the LBs. Originally I was managing the LBs, but k8s manages
this for us so I disabled the LBs for now.
The Virtual Network Gateway is required for OpenVPN connectivity. The
change to the VPC module also adds a subnet which is exclusively used
for the Gateway.
Network diagrams are created with plantuml
Ex.
java -jar ~/plantuml.jar ./useast.txt
java -jar ~/plantuml.jar ./uswest.txt
Running this will create .png diagrams. PNG is the default but can be changed to
SVG, PDF, etc
