diff --git a/src/aks-platform/.terraform.lock.hcl b/src/aks-platform/.terraform.lock.hcl
index 7c94e56..c6cf758 100644
--- a/src/aks-platform/.terraform.lock.hcl
+++ b/src/aks-platform/.terraform.lock.hcl
@@ -142,22 +142,3 @@ provider "registry.terraform.io/hashicorp/null" {
 "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694",
 ]
 }
-
-provider "registry.terraform.io/hashicorp/random" {
- version = "3.6.0"
- hashes = [
- "h1:p6WG1IPHnqx1fnJVKNjv733FBaArIugqy58HRZnpPCk=",
- "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d",
- "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211",
- "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829",
- "zh:30ffb297ffd1633175d6545d37c2217e2cef9545a6e03946e514c59c0859b77d",
- "zh:454ce4b3dbc73e6775f2f6605d45cee6e16c3872a2e66a2c97993d6e5cbd7055",
- "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
- "zh:91df0a9fab329aff2ff4cf26797592eb7a3a90b4a0c04d64ce186654e0cc6e17",
- "zh:aa57384b85622a9f7bfb5d4512ca88e61f22a9cea9f30febaa4c98c68ff0dc21",
- "zh:c4a3e329ba786ffb6f2b694e1fd41d413a7010f3a53c20b432325a94fa71e839",
- "zh:e2699bc9116447f96c53d55f2a00570f982e6f9935038c3810603572693712d0",
- "zh:e747c0fd5d7684e5bfad8aa0ca441903f15ae7a98a737ff6aca24ba223207e2c",
- "zh:f1ca75f417ce490368f047b63ec09fd003711ae48487fba90b4aba2ccf71920e",
- ]
-}
diff --git a/src/aks-platform/00_key_vault.tf b/src/aks-platform/00_key_vault.tf
index 25213f2..96f924b 100644
--- a/src/aks-platform/00_key_vault.tf
+++ b/src/aks-platform/00_key_vault.tf
@@ -1,4 +1,4 @@
-data "azurerm_key_vault" "kv_core" {
- name = "dvopla-d-neu-kv"
- resource_group_name = "dvopla-d-sec-rg"
+data "azurerm_key_vault" "kv_core_ita" {
+ name = "dvopla-d-itn-core-kv"
+ resource_group_name = "dvopla-d-itn-sec-rg"
 }
diff --git a/src/aks-platform/00_network.tf b/src/aks-platform/00_network.tf
index 5cf1a87..06ab051 100644
--- a/src/aks-platform/00_network.tf
+++ b/src/aks-platform/00_network.tf
@@ -34,25 +34,25 @@ data "azurerm_public_ip" "pip_aks_outboud" {
 #
 # Subnet
 #
-data "azurerm_subnet" "private_endpoint_subnet" {
- name = "${local.product}-private-endpoints-snet"
- resource_group_name = data.azurerm_resource_group.vnet_core_rg.name
- virtual_network_name = data.azurerm_virtual_network.vnet_core.name
-}
+# data "azurerm_subnet" "private_endpoint_subnet" {
+# name = "${local.product}-private-endpoints-snet"
+# resource_group_name = data.azurerm_resource_group.vnet_core_rg.name
+# virtual_network_name = data.azurerm_virtual_network.vnet_core.name
+# }
-data "azurerm_subnet" "private_endpoint_italy_subnet" {
- name = "${local.product}-private-endpoints-italy-snet"
- resource_group_name = data.azurerm_resource_group.vnet_italy_rg.name
- virtual_network_name = data.azurerm_virtual_network.vnet_italy.name
-}
+# data "azurerm_subnet" "private_endpoint_italy_subnet" {
+# name = "${local.product}-private-endpoints-italy-snet"
+# resource_group_name = data.azurerm_resource_group.vnet_italy_rg.name
+# virtual_network_name = data.azurerm_virtual_network.vnet_italy.name
+# }
 #
 # Dns
 #
-data "azurerm_private_dns_zone" "storage_account_private_dns_zone" {
- name = "privatelink.blob.core.windows.net"
- resource_group_name = data.azurerm_resource_group.vnet_core_rg.name
-}
+# data "azurerm_private_dns_zone" "storage_account_private_dns_zone" {
+# name = "privatelink.blob.core.windows.net"
+# resource_group_name = data.azurerm_resource_group.vnet_core_rg.name
+# }
 data "azurerm_private_dns_zone" "internal" {
 name = local.internal_dns_zone_name
diff --git a/src/aks-platform/01_network_aks.tf b/src/aks-platform/01_network_aks.tf
index 71a43aa..d731537 100644
--- a/src/aks-platform/01_network_aks.tf
+++ b/src/aks-platform/01_network_aks.tf
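Review bot: The three data sources are commented out rather than deleted, which leaves three blocks of dead code in 00_network.tf that Terraform no longer validates and that still point at `local.product` and the core VNet the rest of this commit is moving away from. Git history already preserves them; delete the blocks, or if they are expected back once private-endpoint subnets exist in the Italy VNet, replace the bodies with a single `# TODO: private-endpoint subnet/DNS lookups disabled until the itn private-endpoint subnet exists` so the intent is recorded. The `internal` DNS zone data source that follows starts in this hunk but its body continues past it.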
@@ -1,17 +1,18 @@
-# k8s cluster subnet
-module "snet_aks" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.69.1"
-
- name = "${local.project}-aks-snet"
+resource "azurerm_subnet" "system_aks_subnet" {
+ name = "${local.project}-system-aks"
+ resource_group_name = data.azurerm_resource_group.vnet_italy_rg.name
+ virtual_network_name = data.azurerm_virtual_network.vnet_italy.name
+ address_prefixes = var.cidr_subnet_system_aks
+ private_endpoint_network_policies_enabled = true
+ private_link_service_network_policies_enabled = true
+}
+resource "azurerm_subnet" "user_aks_subnet" {
+ name = "${local.project}-user-aks"
 resource_group_name = data.azurerm_resource_group.vnet_italy_rg.name
 virtual_network_name = data.azurerm_virtual_network.vnet_italy.name
+ address_prefixes = var.cidr_subnet_user_aks
- address_prefixes = var.cidr_subnet_aks
- private_endpoint_network_policies_enabled = var.aks_private_cluster_enabled
-
- service_endpoints = [
- "Microsoft.Web",
- "Microsoft.Storage"
- ]
+ private_endpoint_network_policies_enabled = true
+ private_link_service_network_policies_enabled = true
 }
diff --git a/src/aks-platform/02_aks_0.tf b/src/aks-platform/02_aks_0.tf
index d84bc3d..dd1e023 100644
--- a/src/aks-platform/02_aks_0.tf
+++ b/src/aks-platform/02_aks_0.tf
@@ -14,9 +14,7 @@ resource "azurerm_resource_group" "rg_aks_backup" {
 module "aks" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster?ref=v7.70.1"
-
- count = var.aks_enabled ? 1 : 0
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster?ref=v8.14.0"
 name = local.aks_cluster_name
 resource_group_name = azurerm_resource_group.rg_aks.name
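Review bot: Both new subnets silently drop the `service_endpoints = ["Microsoft.Web", "Microsoft.Storage"]` that the old `snet_aks` module carried, so any storage account or App Service whose network rules admit the AKS subnet via service endpoint will stop accepting node traffic once nodes move here; with `outbound_type = "loadBalancer"` that traffic will instead reach the public endpoint from the cluster's outbound IP. If this is deliberate because those dependencies are now reached over private endpoints, record it with a comment on `system_aks_subnet`; otherwise add `service_endpoints = ["Microsoft.Storage", "Microsoft.Web"]` to both subnets. No NSG association for either subnet is visible in this file, so it is worth confirming one is attached elsewhere before nodes land in them.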
@@ -37,50 +35,34 @@ module "aks" {
 system_node_pool_node_count_min = var.aks_system_node_pool.node_count_min
 system_node_pool_node_count_max = var.aks_system_node_pool.node_count_max
 ### K8s node configuration
- system_node_pool_node_labels = var.aks_system_node_pool.node_labels
- system_node_pool_tags = var.aks_system_node_pool.node_tags
-
- #
- # 👤 User node pool
- #
- user_node_pool_enabled = var.aks_user_node_pool.enabled
- user_node_pool_name = var.aks_user_node_pool.name
- ### vm configuration
- user_node_pool_vm_size = var.aks_user_node_pool.vm_size
- user_node_pool_os_disk_type = var.aks_user_node_pool.os_disk_type
- user_node_pool_os_disk_size_gb = var.aks_user_node_pool.os_disk_size_gb
- user_node_pool_node_count_min = var.aks_user_node_pool.node_count_min
- user_node_pool_node_count_max = var.aks_user_node_pool.node_count_max
- ### K8s node configuration
- user_node_pool_node_labels = var.aks_user_node_pool.node_labels
- user_node_pool_node_taints = var.aks_user_node_pool.node_taints
- user_node_pool_tags = var.aks_user_node_pool.node_tags
- # end user node pool
+ system_node_pool_node_labels = var.aks_system_node_pool.node_labels
+ system_node_pool_tags = var.aks_system_node_pool.node_tags
 #
 # ☁️ Network
 #
 vnet_id = data.azurerm_virtual_network.vnet_italy.id
- vnet_subnet_id = module.snet_aks.id
+ vnet_subnet_id = azurerm_subnet.system_aks_subnet.id
 outbound_ip_address_ids = [data.azurerm_public_ip.pip_aks_outboud.id]
 private_cluster_enabled = var.aks_private_cluster_enabled
 network_profile = {
- docker_bridge_cidr = "172.17.0.1/16"
- dns_service_ip = "10.250.0.10"
- network_plugin = "azure"
- network_policy = "azure"
- outbound_type = "loadBalancer"
- service_cidr = "10.250.0.0/16"
+ docker_bridge_cidr = "172.17.0.1/16"
+ dns_service_ip = "10.0.0.10"
+ network_plugin = "azure"
+ network_plugin_mode = "overlay"
+ network_policy = "azure"
+ outbound_type = "loadBalancer"
+ service_cidr = "10.0.0.0/16"
 }
 # end network
 oidc_issuer_enabled = true
 aad_admin_group_ids = var.env_short == "d" ? [data.azuread_group.adgroup_admin.object_id, data.azuread_group.adgroup_developers.object_id, data.azuread_group.adgroup_externals.object_id] : [data.azuread_group.adgroup_admin.object_id]
- addon_azure_policy_enabled = var.aks_addons.azure_policy
- addon_azure_key_vault_secrets_provider_enabled = var.aks_addons.azure_key_vault_secrets_provider
- addon_azure_pod_identity_enabled = var.aks_addons.pod_identity_enabled
+ addon_azure_policy_enabled = true
+ addon_azure_key_vault_secrets_provider_enabled = true
+ addon_azure_pod_identity_enabled = true
 default_metric_alerts = var.aks_metric_alerts_default
 custom_metric_alerts = var.aks_metric_alerts_custom
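Review bot: `service_cidr` moves from `10.250.0.0/16` to `10.0.0.0/16` in the `network_profile` block; the service range must not overlap the Italy VNet, the peered core VNet or anything routed through them, and `10.0.0.0/16` is a far more commonly used space than `10.250.0.0/16`, so please confirm it is clear of both VNets' address spaces and leave a `# service_cidr checked against vnet_italy/vnet_core address spaces` comment next to it. The overlay pod CIDR is not set here and will take the AKS default, so if the module exposes it, state it explicitly so it is reviewed against the same ranges. Replacing `var.aks_addons.*` with literal `true` leaves `aks_addons` as a dead input that env/itn-dev/terraform.tfvars still sets (visible in this diff's tfvars hunk header); either remove the variable or keep reading it. Hard-enabling `addon_azure_pod_identity_enabled = true` also deserves a comment, since AAD Pod Identity has been deprecated by Microsoft in favour of workload identity and `oidc_issuer_enabled = true` just below is the prerequisite for that migration.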
@@ -101,18 +83,57 @@ module "aks" {
 ]
 tags = var.tags
+}
- depends_on = [
- module.snet_aks,
- data.azurerm_public_ip.pip_aks_outboud,
- data.azurerm_virtual_network.vnet_italy
- ]
+resource "azurerm_kubernetes_cluster_node_pool" "user_nodepool_default" {
+ count = var.aks_user_node_pool.enabled ? 1 : 0
+
+ kubernetes_cluster_id = module.aks.id
+
+ name = var.aks_user_node_pool.name
+
+ ### vm configuration
+ vm_size = var.aks_user_node_pool.vm_size
+ # https://docs.microsoft.com/en-us/azure/virtual-machines/sizes-general
+ os_disk_type = var.aks_user_node_pool.os_disk_type # Managed or Ephemeral
+ os_disk_size_gb = var.aks_user_node_pool.os_disk_size_gb
+ zones = var.aks_user_node_pool.zones
+ ultra_ssd_enabled = var.aks_user_node_pool.ultra_ssd_enabled
+ enable_host_encryption = var.aks_user_node_pool.enable_host_encryption
+ os_type = "Linux"
+
+ ### autoscaling
+ enable_auto_scaling = true
+ node_count = var.aks_user_node_pool.node_count_min
+ min_count = var.aks_user_node_pool.node_count_min
+ max_count = var.aks_user_node_pool.node_count_max
+
+ ### K8s node configuration
+ max_pods = var.aks_user_node_pool.max_pods
+ node_labels = var.aks_user_node_pool.node_labels
+ node_taints = var.aks_user_node_pool.node_taints
+
+ ### networking
+ vnet_subnet_id = azurerm_subnet.user_aks_subnet.id
+ enable_node_public_ip = false
+
+ upgrade_settings {
+ max_surge = var.aks_user_node_pool.upgrade_settings_max_surge
+ }
+
+ tags = merge(var.tags, var.aks_user_node_pool.node_tags)
+
+ lifecycle {
+ ignore_changes = [
+ node_count
+ ]
+ }
 }
 resource "azurerm_kubernetes_cluster_node_pool" "spot_node_pool" {
 count = var.aks_spot_user_node_pool.enabled ? 1 : 0
- kubernetes_cluster_id = module.aks[0].id
+ kubernetes_cluster_id = module.aks.id
 name = var.aks_spot_user_node_pool.name
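Review bot: `enable_host_encryption = var.aks_user_node_pool.enable_host_encryption` is now on by default for the user pool (the variable defaults it to `true`), but nothing in the resource says that host-based encryption requires the `Microsoft.Compute/EncryptionAtHost` feature to be registered on the subscription and a VM size that supports it, so a fresh subscription fails at pool creation with no hint in this file; add `# requires Microsoft.Compute/EncryptionAtHost registered on the subscription` beside it. The `lifecycle { ignore_changes = [node_count] }` block also needs a one-line why such as `# node_count is owned by the cluster autoscaler after creation`, otherwise it reads as generic drift suppression. The pool sets no `orchestrator_version`, so it takes the control-plane version at creation time; if that is intended, say so in a comment. The `spot_node_pool` resource at the end of the hunk continues past it.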
@@ -140,7 +161,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "spot_node_pool" {
 node_taints = var.aks_spot_user_node_pool.node_taints
 ### networking
- vnet_subnet_id = module.snet_aks.id
+ vnet_subnet_id = azurerm_subnet.user_aks_subnet.id
 enable_node_public_ip = false
 tags = merge(var.tags, var.aks_spot_user_node_pool.node_tags)
@@ -150,13 +171,15 @@ resource "azurerm_kubernetes_cluster_node_pool" "spot_node_pool" {
 node_count
 ]
 }
+
+ depends_on = [module.aks]
 }
 resource "azurerm_role_assignment" "managed_identity_operator_vs_aks_managed_identity" {
 scope = azurerm_resource_group.rg_aks.id
 role_definition_name = "Managed Identity Operator"
- principal_id = module.aks[0].identity_principal_id
+ principal_id = module.aks.identity_principal_id
 }
 #
@@ -166,7 +189,7 @@ resource "azurerm_role_assignment" "managed_identity_operator_vs_aks_managed_ide
 resource "azurerm_role_assignment" "aks_to_acr" {
 scope = data.azurerm_container_registry.acr.id
 role_definition_name = "AcrPull"
- principal_id = module.aks[0].kubelet_identity_id
+ principal_id = module.aks.kubelet_identity_id
 depends_on = [module.aks]
 }
@@ -181,7 +204,7 @@ resource "null_resource" "create_vnet_core_aks_link" {
 count = var.aks_enabled && var.aks_private_cluster_enabled ? 1 : 0
 triggers = {
- cluster_name = module.aks[0].name
+ cluster_name = module.aks.name
 vnet_id = data.azurerm_virtual_network.vnet_core.id
 vnet_name = data.azurerm_virtual_network.vnet_core.name
 }
diff --git a/src/aks-platform/02_aks_storage.tf b/src/aks-platform/02_aks_storage.tf
index ec41a25..1eb21a8 100644
--- a/src/aks-platform/02_aks_storage.tf
+++ b/src/aks-platform/02_aks_storage.tf
@@ -1,3 +1,5 @@
 module "aks_storage_class" {
 source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_storage_class?ref=v7.69.1"
+
+ depends_on = [module.aks]
 }
diff --git a/src/aks-platform/03_monitoring.tf b/src/aks-platform/03_monitoring.tf
index 53f06cb..f11ef87 100644
--- a/src/aks-platform/03_monitoring.tf
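Review bot: The context line `count = var.aks_enabled && var.aks_private_cluster_enabled ? 1 : 0` in `null_resource.create_vnet_core_aks_link` still gates the core-VNet private DNS link on `var.aks_enabled`, but this commit removes `count = var.aks_enabled ? 1 : 0` from `module "aks"`, so the cluster is now unconditional while the link is not; an environment with `aks_enabled = false` would get a private cluster whose API server cannot be resolved from the core VNet. Change it to `count = var.aks_private_cluster_enabled ? 1 : 0` and retire `var.aks_enabled` (or reinstate the count on the module) so the two stay in step. The body of the `null_resource` continues below the hunk.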
+++ b/src/aks-platform/03_monitoring.tf
@@ -9,4 +9,6 @@ module "aks_prometheus_install" {
 source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_prometheus_install?ref=v7.69.1"
 prometheus_namespace = kubernetes_namespace.monitoring.metadata[0].name
 storage_class_name = "default-zrs"
+
+ depends_on = [module.aks_storage_class]
 }
diff --git a/src/aks-platform/05_argocd.tf b/src/aks-platform/05_argocd.tf
index aeb18c3..f679b88 100644
--- a/src/aks-platform/05_argocd.tf
+++ b/src/aks-platform/05_argocd.tf
@@ -1,103 +1,103 @@ -resource "kubernetes_namespace" "namespace_argocd" { - metadata { - name = "argocd" - } - - depends_on = [ - module.aks - ] -} - -resource "helm_release" "argocd" { - name = "argo" - chart = "https://github.com/argoproj/argo-helm/releases/download/argo-cd-6.7.11/argo-cd-6.7.11.tgz" - namespace = kubernetes_namespace.namespace_argocd.metadata[0].name - wait = false - - values = [ - file("argocd/argocd_helm_setup_values.yaml") - ] - - depends_on = [ - module.aks - ] -} - -resource "random_password" "argocd_admin_password" { - length = 12 - special = true - override_special = "_%@" - - depends_on = [helm_release.argocd] -} - -resource "null_resource" "argocd_change_admin_password" { - - triggers = { - helm_revision = helm_release.argocd.metadata[0].revision, - argocd_password = random_password.argocd_admin_password.result - } - - provisioner "local-exec" { - command = "kubectl -n argocd patch secret argocd-secret -p '{\"stringData\": {\"admin.password\": \"${bcrypt(random_password.argocd_admin_password.result)}\", \"admin.passwordMtime\": \"'$(date +%FT%T%Z)'\"}}'" - } -} - -resource "azurerm_key_vault_secret" "argocd_admin_password" { - key_vault_id = data.azurerm_key_vault.kv_core.id - name = "argocd-admin-password" - value = random_password.argocd_admin_password.result -} - -# -# tools -# - -module "argocd_pod_identity" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v7.69.1" - - cluster_name = module.aks[0].name - resource_group_name = azurerm_resource_group.rg_aks.name - location = var.location - tenant_id = data.azurerm_subscription.current.tenant_id - - identity_name = "argocd-pod-identity" - namespace = kubernetes_namespace.namespace_argocd.metadata[0].name - key_vault_id = data.azurerm_key_vault.kv_core.id - - secret_permissions = ["Get"] - certificate_permissions = ["Get"] -} - -resource "helm_release" "reloader_argocd" { - name = "reloader" - repository = 
"https://stakater.github.io/stakater-charts" - chart = "reloader" - version = "v1.0.30" - namespace = kubernetes_namespace.namespace_argocd.metadata[0].name - - set { - name = "reloader.watchGlobally" - value = "false" - } -} - -module "cert_mounter_argocd_internal" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter?ref=v7.69.1" - namespace = "argocd" - certificate_name = replace(local.argocd_internal_url, ".", "-") - kv_name = data.azurerm_key_vault.kv_core.name - tenant_id = data.azurerm_subscription.current.tenant_id - - depends_on = [ - module.argocd_pod_identity - ] -} - -resource "azurerm_private_dns_a_record" "argocd_ingress" { - name = local.ingress_hostname_prefix - zone_name = data.azurerm_private_dns_zone.internal.name - resource_group_name = local.internal_dns_zone_resource_group_name - ttl = 3600 - records = [var.ingress_load_balancer_ip] -} +# resource "kubernetes_namespace" "namespace_argocd" { +# metadata { +# name = "argocd" +# } +# +# depends_on = [ +# module.aks +# ] +# } +# +# resource "helm_release" "argocd" { +# name = "argo" +# chart = "https://github.com/argoproj/argo-helm/releases/download/argo-cd-6.7.11/argo-cd-6.7.11.tgz" +# namespace = kubernetes_namespace.namespace_argocd.metadata[0].name +# wait = false +# +# values = [ +# file("argocd/argocd_helm_setup_values.yaml") +# ] +# +# depends_on = [ +# module.aks +# ] +# } +# +# resource "random_password" "argocd_admin_password" { +# length = 12 +# special = true +# override_special = "_%@" +# +# depends_on = [helm_release.argocd] +# } +# +# resource "null_resource" "argocd_change_admin_password" { +# +# triggers = { +# helm_revision = helm_release.argocd.metadata[0].revision, +# argocd_password = random_password.argocd_admin_password.result +# } +# +# provisioner "local-exec" { +# command = "kubectl -n argocd patch secret argocd-secret -p '{\"stringData\": {\"admin.password\": \"${bcrypt(random_password.argocd_admin_password.result)}\", 
\"admin.passwordMtime\": \"'$(date +%FT%T%Z)'\"}}'" +# } +# } +# +# resource "azurerm_key_vault_secret" "argocd_admin_password" { +# key_vault_id = data.azurerm_key_vault.kv_core_ita.id +# name = "argocd-admin-password" +# value = random_password.argocd_admin_password.result +# } +# +# # +# # tools +# # +# +# module "argocd_pod_identity" { +# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v7.69.1" +# +# cluster_name = module.aks.name +# resource_group_name = azurerm_resource_group.rg_aks.name +# location = var.location +# tenant_id = data.azurerm_subscription.current.tenant_id +# +# identity_name = "argocd-pod-identity" +# namespace = kubernetes_namespace.namespace_argocd.metadata[0].name +# key_vault_id = data.azurerm_key_vault.kv_core_ita.id +# +# secret_permissions = ["Get"] +# certificate_permissions = ["Get"] +# } +# +# resource "helm_release" "reloader_argocd" { +# name = "reloader" +# repository = "https://stakater.github.io/stakater-charts" +# chart = "reloader" +# version = "v1.0.30" +# namespace = kubernetes_namespace.namespace_argocd.metadata[0].name +# +# set { +# name = "reloader.watchGlobally" +# value = "false" +# } +# } +# +# module "cert_mounter_argocd_internal" { +# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter?ref=v7.69.1" +# namespace = "argocd" +# certificate_name = replace(local.argocd_internal_url, ".", "-") +# kv_name = data.azurerm_key_vault.kv_core_ita.name +# tenant_id = data.azurerm_subscription.current.tenant_id +# +# depends_on = [ +# module.argocd_pod_identity +# ] +# } +# +# resource "azurerm_private_dns_a_record" "argocd_ingress" { +# name = local.ingress_hostname_prefix +# zone_name = data.azurerm_private_dns_zone.internal.name +# resource_group_name = local.internal_dns_zone_resource_group_name +# ttl = 3600 +# records = [var.ingress_load_balancer_ip] +# } 
diff --git a/src/aks-platform/05_ingress.tf b/src/aks-platform/05_ingress.tf
index 8a3cf7e..fc7d744 100644
--- a/src/aks-platform/05_ingress.tf
+++ b/src/aks-platform/05_ingress.tf
@@ -27,7 +27,7 @@ module "nginx_ingress" {
 values = [
 templatefile("${path.module}/ingress/loadbalancer.yaml.tpl", {
 load_balancer_ip = var.ingress_load_balancer_ip
- private_subnet_name = module.snet_aks.name
+ private_subnet_name = azurerm_subnet.user_aks_subnet.name
 })
 ]
diff --git a/src/aks-platform/05_keda.tf b/src/aks-platform/05_keda.tf
index eb0c89d..7c1c73d 100644
--- a/src/aks-platform/05_keda.tf
+++ b/src/aks-platform/05_keda.tf
@@ -21,7 +21,7 @@ module "keda_pod_identity" {
 identity_name = "${local.keda_namespace_name}-pod-identity"
 tenant_id = data.azurerm_subscription.current.tenant_id
- cluster_name = module.aks[0].name
+ cluster_name = module.aks.name
 namespace = kubernetes_namespace.keda.metadata[0].name
 depends_on = [
diff --git a/src/aks-platform/99_locals.tf b/src/aks-platform/99_locals.tf
index 784819c..380666c 100644
--- a/src/aks-platform/99_locals.tf
+++ b/src/aks-platform/99_locals.tf
@@ -1,5 +1,6 @@
 locals {
 product = "${var.prefix}-${var.env_short}"
+ product_ita = "${var.prefix}-${var.env_short}-${var.location_short}"
 project = "${var.prefix}-${var.env_short}-${var.location_short}-${var.env}"
 # AKS
@@ -15,17 +16,16 @@ locals {
 ingress_hostname_prefix = "argocd"
 internal_dns_zone_name = "${var.dns_zone_internal_prefix}.${var.external_domain}"
- internal_dns_zone_resource_group_name = "${local.product}-vnet-rg"
+ internal_dns_zone_resource_group_name = "${local.product_ita}-vnet-rg"
 # ACR DOCKER
- docker_rg_name = "dvopla-d-dockerreg-rg"
- docker_registry_name = "dvopladneuacr"
+ docker_rg_name = "dvopla-d-docker-registry-rg"
+ docker_registry_name = "dvopladitnacr"
 # monitor
- monitor_rg_name = "${local.product}-monitor-rg"
- monitor_log_analytics_workspace_name = "${local.product}-law"
- monitor_log_analytics_workspace_prometheus_name = "${local.product}-prometheus-law"
- monitor_appinsights_name = "${local.product}-appinsights"
+ monitor_rg_name = "${local.product_ita}-monitor-rg"
+ monitor_log_analytics_workspace_name = "${local.product_ita}-law"
+ monitor_appinsights_name = "${local.product_ita}-appinsights"
 monitor_security_storage_name = replace("${local.product}-sec-monitor-st", "-", "")
 monitor_action_group_slack_name = "SlackPagoPA"
diff --git a/src/aks-platform/99_variables.tf b/src/aks-platform/99_variables.tf
index 376ba86..f564d95 100644
--- a/src/aks-platform/99_variables.tf
+++ b/src/aks-platform/99_variables.tf
@@ -83,7 +83,12 @@ variable "public_ip_aksoutbound_name" {
 description = "Public IP AKS outbound"
 }
-variable "cidr_subnet_aks" {
+variable "cidr_subnet_system_aks" {
+ type = list(string)
+ description = "Subnet cluster kubernetes."
+}
+
+variable "cidr_subnet_user_aks" {
 type = list(string)
 description = "Subnet cluster kubernetes."
 }
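Review bot: `docker_rg_name = "dvopla-d-docker-registry-rg"` and `docker_registry_name = "dvopladitnacr"` are environment-specific literals inside a `locals` block whose neighbouring entries are all derived from `local.product` / `local.product_ita`, so any other environment using this stack will pull images from the dev registry unless someone remembers to edit the locals. Derive them like the rest: `docker_rg_name = "${local.product}-docker-registry-rg"` and `docker_registry_name = replace("${local.product_ita}acr", "-", "")`, which yield the same strings for itn-dev. `monitor_security_storage_name` is the one monitor entry left on `local.product` while the others moved to `local.product_ita`; if the security storage account is intentionally shared across regions, a short comment saying so would stop the next reader "fixing" it.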
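Review bot: `cidr_subnet_system_aks` and `cidr_subnet_user_aks` carry the identical description `"Subnet cluster kubernetes."`, which is copied from the old single variable and no longer says which pool each range serves or how it relates to the ingress IP. Use `description = "Address prefixes of the subnet hosting the AKS system node pool."` and `description = "Address prefixes of the subnet hosting the AKS user/spot node pools; ingress_load_balancer_ip must fall inside this range."` so the coupling with the LoadBalancer IP in tfvars is visible where the variable is declared.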
@@ -445,30 +450,37 @@ variable "aks_alerts_enabled" {
 variable "aks_system_node_pool" {
 type = object({
- name = string,
- vm_size = string,
- os_disk_type = string,
- os_disk_size_gb = string,
- node_count_min = number,
- node_count_max = number,
- node_labels = map(any),
- node_tags = map(any)
+ name = string,
+ vm_size = string,
+ os_disk_type = string,
+ os_disk_size_gb = string,
+ node_count_min = number,
+ node_count_max = number,
+ node_labels = map(any),
+ node_tags = map(any),
+ only_critical_addons_enabled = optional(bool, true)
+ zones = optional(list(any), [1, 2, 3])
 })
 description = "AKS node pool system configuration"
 }
 variable "aks_user_node_pool" {
 type = object({
- enabled = bool,
- name = string,
- vm_size = string,
- os_disk_type = string,
- os_disk_size_gb = string,
- node_count_min = number,
- node_count_max = number,
- node_labels = map(any),
- node_taints = list(string),
- node_tags = map(any),
+ enabled = optional(bool, true),
+ name = string,
+ vm_size = string,
+ os_disk_type = string,
+ os_disk_size_gb = string,
+ node_count_min = number,
+ node_count_max = number,
+ node_labels = map(any),
+ node_taints = list(string),
+ node_tags = map(any),
+ ultra_ssd_enabled = optional(bool, false),
+ enable_host_encryption = optional(bool, true),
+ max_pods = optional(number, 250),
+ upgrade_settings_max_surge = optional(string, "30%"),
+ zones = optional(list(any), [1, 2, 3]),
 })
 description = "AKS node pool user configuration"
 }
diff --git a/src/aks-platform/env/itn-dev/terraform.tfvars b/src/aks-platform/env/itn-dev/terraform.tfvars
index 4f2dbce..a388682 100644
--- a/src/aks-platform/env/itn-dev/terraform.tfvars
+++ b/src/aks-platform/env/itn-dev/terraform.tfvars
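Review bot: `only_critical_addons_enabled` and `zones` are added to the `aks_system_node_pool` object, but the part of the `module "aks"` call visible in this diff passes only the label/tag/count attributes of that object, so unless the wiring sits in lines outside the hunks these two new fields are accepted and ignored; please confirm they reach the module, otherwise drop them until they do. The new optional attributes on both objects have no documentation — `enable_host_encryption` defaults to `true` (a subscription feature prerequisite), `max_pods = 250` is the overlay-mode ceiling and `upgrade_settings_max_surge = "30%"` drives surge capacity during upgrades — so extend the two `description` strings, or add one `#` line per attribute, to say what each default implies. `os_disk_size_gb = string` is carried over from the old shape even though the node-pool resource takes a number; it works through implicit conversion but `number` would reject bad input at plan time.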
@@ -28,13 +28,14 @@ key_vault_rg_name = "dvopla-d-sec-rg"
 ### Network
-cidr_subnet_aks = ["10.3.0.0/23"]
+cidr_subnet_system_aks = ["10.3.9.0/24"]
+cidr_subnet_user_aks = ["10.3.10.0/24"]
 ### External resources
-monitor_resource_group_name = "dvopla-d-monitor-rg"
-log_analytics_workspace_name = "dvopla-d-law"
-log_analytics_workspace_resource_group_name = "dvopla-d-monitor-rg"
+monitor_resource_group_name = "dvopla-d-itn-monitor-rg"
+log_analytics_workspace_name = "dvopla-d-itn-law"
+log_analytics_workspace_resource_group_name = "dvopla-d-itn-monitor-rg"
 ### Aks
@@ -118,7 +119,7 @@ aks_addons = {
 ingress_replica_count = "1"
 # This is the k8s ingress controller ip. It must be in the aks subnet range.
-ingress_load_balancer_ip = "10.3.1.250"
+ingress_load_balancer_ip = "10.3.10.250"
 nginx_helm_version = "4.10.0"
 keda_helm_version = "2.12.1"
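Review bot: The hunk header shows `key_vault_rg_name = "dvopla-d-sec-rg"` left untouched just above the changed lines, while this same commit repoints `00_key_vault.tf` at `dvopla-d-itn-sec-rg`; unless `key_vault_rg_name` is meant to keep targeting the old (`neu`) resource group, this looks like a missed rename and whatever reads `var.key_vault_rg_name` (not visible in this diff) will resolve the wrong vault. Please check that consumer and, if it should follow the move, change it to `key_vault_rg_name = "dvopla-d-itn-sec-rg"`. The split into two `/24` subnets is fine for overlay mode because only nodes consume subnet IPs, but that assumption is worth a `# /24 per pool is enough only because network_plugin_mode = "overlay"` comment so nobody later reverts to flat Azure CNI on the same ranges.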
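Review bot: The comment `# This is the k8s ingress controller ip. It must be in the aks subnet range.` still speaks of a single AKS subnet, but after this commit there are two and the nginx LoadBalancer is bound to `azurerm_subnet.user_aks_subnet` in 05_ingress.tf, so `10.3.10.250` must specifically fall inside `cidr_subnet_user_aks`; reword it to `# nginx ingress controller ip: must be inside cidr_subnet_user_aks (the subnet the internal LB is placed in).` Nothing in the configuration enforces that relationship, so a later edit to either value will only fail at apply time.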