adding init

robinmordasiewicz · Sep 17, 2024 · e2212c3 · e2212c3
1 parent 1aef0eb
commit e2212c3
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 28 deletions.
diff --git a/terraform/hub-nva.tf b/terraform/hub-nva.tf
@@ -94,17 +94,17 @@ resource "azurerm_linux_virtual_machine" "hub-nva_virtual_machine" {
   )
 }
 
-resource "azurerm_managed_disk" "disk" {
-  name                 = "hub-nva-disk1"
+resource "azurerm_managed_disk" "log_disk" {
+  name                 = "hub-nva-logs"
   location             = azurerm_resource_group.azure_resource_group.location
   resource_group_name  = azurerm_resource_group.azure_resource_group.name
   storage_account_type = "Standard_LRS"
   create_option        = "Empty"
-  disk_size_gb         = 10
+  disk_size_gb         = 30
 }
 
-resource "azurerm_virtual_machine_data_disk_attachment" "example" {
-  managed_disk_id    = azurerm_managed_disk.disk.id
+resource "azurerm_virtual_machine_data_disk_attachment" "log_disk" {
+  managed_disk_id    = azurerm_managed_disk.log_disk.id
   virtual_machine_id = azurerm_linux_virtual_machine.hub-nva_virtual_machine.id
   lun                = "0"
   caching            = "ReadWrite"

diff --git a/terraform/spoke-k8s_cluster.tf b/terraform/spoke-k8s_cluster.tf
@@ -1,3 +1,20 @@
+locals {
+  streams = [
+    "Microsoft-ContainerLog",
+    "Microsoft-ContainerLogV2",
+    "Microsoft-KubeEvents",
+    "Microsoft-KubePodInventory",
+    "Microsoft-KubeNodeInventory",
+    "Microsoft-KubePVInventory",
+    "Microsoft-KubeServices",
+    "Microsoft-KubeMonAgentEvents",
+    "Microsoft-InsightsMetrics",
+    "Microsoft-ContainerInventory",
+    "Microsoft-ContainerNodeInventory",
+    "Microsoft-Perf"
+  ]
+}
+
 data "http" "myip" {
   url = "https://ipv4.icanhazip.com"
 }
@@ -12,6 +29,7 @@ resource "azurerm_log_analytics_workspace" "log_analytics" {
   location            = azurerm_resource_group.azure_resource_group.location
   resource_group_name = azurerm_resource_group.azure_resource_group.name
   sku                 = "PerGB2018"
+  retention_in_days   = 30
 }
 
 resource "azurerm_user_assigned_identity" "my_identity" {
@@ -30,6 +48,7 @@ resource "azurerm_role_assignment" "route_table_network_contributor" {
   principal_id         = azurerm_user_assigned_identity.my_identity.principal_id
   role_definition_name = "Network Contributor"
   scope                = azurerm_resource_group.azure_resource_group.id
+  skip_service_principal_aad_check = true
 }
 
 resource "azurerm_kubernetes_cluster" "kubernetes_cluster" {
@@ -53,14 +72,16 @@ resource "azurerm_kubernetes_cluster" "kubernetes_cluster" {
   #}
   oms_agent {
     log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics.id
+    msi_auth_for_monitoring_enabled = true
   }
   default_node_pool {
     temporary_name_for_rotation = "rotation"
-    name                        = "default"
+    name                        = "system"
     node_count                  = 1
     vm_size                     = local.vm-image["aks"].size
     os_sku                      = "AzureLinux"
     max_pods                    = "75"
+    orchestrator_version        = "1.27"
     vnet_subnet_id              = azurerm_subnet.spoke_subnet.id
     upgrade_settings {
       max_surge = "10%"
@@ -103,6 +124,46 @@ resource "azurerm_kubernetes_cluster_node_pool" "node-pool" {
   vnet_subnet_id        = azurerm_subnet.spoke_subnet.id
 }
 
+resource "azurerm_monitor_data_collection_rule" "this" {
+  name                = "rule-${azurerm_resource_group.azure_resource_group.name}-${azurerm_resource_group.azure_resource_group.location}"
+  resource_group_name = azurerm_resource_group.azure_resource_group.name
+  location            = azurerm_resource_group.azure_resource_group.location
+
+  destinations {
+    log_analytics {
+      workspace_resource_id = azurerm_log_analytics_workspace.log_analytics.id
+      name                  = "ciworkspace"
+    }
+  }
+  data_flow {
+    streams      = local.streams
+    destinations = ["ciworkspace"]
+  }
+  data_sources {
+    extension {
+      streams        = local.streams
+      extension_name = "ContainerInsights"
+      extension_json = jsonencode({
+        "dataCollectionSettings" : {
+          "interval" : "1m"
+          "namespaceFilteringMode" : "Off",
+          "namespaces" : ["kube-system", "gatekeeper-system", "azure-arc"]
+          "enableContainerLogV2" : true
+        }
+      })
+      name = "ContainerInsightsExtension"
+    }
+  }
+  description = "DCR for Azure Monitor Container Insights"
+}
+
+resource "azurerm_monitor_data_collection_rule_association" "this" {
+  name                    = "ruleassoc-${azurerm_resource_group.azure_resource_group.name}-${azurerm_resource_group.azure_resource_group.location}"
+  target_resource_id      = azurerm_kubernetes_cluster.kubernetes_cluster.id
+  data_collection_rule_id = azurerm_monitor_data_collection_rule.this.id
+  description             = "Association of container insights data collection rule. Deleting this association will break the data collection for this AKS Cluster."
+}
+
 resource "null_resource" "kube_config" {
   #triggers = {
   #  always_run = timestamp()

diff --git a/terraform/terraform.auto.tfvars b/terraform/terraform.auto.tfvars
@@ -1,24 +1,7 @@
-location                             = "canadacentral"
-owner_email                          = "[email protected]"
 hub-nva-image                        = "fortiweb"
-hub-virtual-network_address_prefix   = "10.0.0.0/24"
-hub-external-subnet_name             = "hub-external_subnet"
-hub-external-subnet_prefix           = "10.0.0.0/27"
-hub-external-subnet-gateway          = "10.0.0.1"
-hub-internal-subnet_name             = "hub-internal_subnet"
-hub-internal-subnet_prefix           = "10.0.0.32/27"
 hub-nva-management-action            = "Allow"
-hub-nva-management-ip                = "10.0.0.4"
-hub-nva-vip                          = "10.0.0.5"
-hub-nva-gateway                      = "10.0.0.37"
-spoke-virtual-network_address_prefix = "10.1.0.0/16"
-spoke-subnet_name                    = "spoke_subnet"
-spoke-subnet_prefix                  = "10.1.1.0/24"
-spoke-aks-subnet_name                = "spoke_aks_subnet"
-spoke-aks-subnet_prefix              = "10.1.2.0/24"
-spoke-aks_dns_service_ip             = "10.1.2.10"
-spoke-check-internet-up-ip           = "8.8.8.8"
-spoke-aks-node-ip                    = "10.1.1.4"
+#spoke-virtual-network_address_prefix = "10.1.0.0/16"
+#spoke-aks_dns_service_ip             = "10.1.2.10"
 #spoke-aks-node-image-gpu             = false
 spoke-k8s-node-pool-gpu              = true
 subscription_id = "6dced100-9c31-416f-aed1-67e8cfc9fe5f"
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -246,7 +246,7 @@ variable "spoke-k8s-node-pool-image" {
 }
 
 variable "spoke-virtual-network_address_prefix" {
-  default     = "10.1.1.0/24"
+  default     = "10.1.0.0/16"
   description = "Spoke Virtual Network Address prefix."
   type        = string
   validation {
@@ -275,7 +275,7 @@ variable "spoke-subnet_prefix" {
   }
 }
 variable "spoke-aks-subnet_name" {
-  default     = "spoke-aks-subnet_name"
+  default     = "spoke-aks-subnet"
   description = "Spoke aks Subnet Name."
   type        = string
   validation {
@@ -315,7 +315,7 @@ variable "spoke-aks_pod_cidr" {
 }
 
 variable "spoke-aks_dns_service_ip" {
-  default     = "10.2.0.10"
+  default     = "10.1.2.10"
   description = "Spoke k8s dns service ip"
   type        = string
   validation {