feat: introduce azure-aks sandbox (#45)

feat: initial azure-aks sandbox

README.md

@@ -1,2 +1,32 @@
-# terraform-azure-aks-sandbox
-Azure AKS sandbox for Nuon apps.
+# Azure AKS
+
+Standard Azure sandbox that provisions the following:
+
+* VPN
+* AKS Cluster
+
+## Usage
+
+To use this in your BYOC app, please use the `azure-aks` runner type:
+
+```toml
+version = "v1"
+
+[runner]
+runner_type = "azure-aks"
+
+[sandbox]
+terraform_version = "1.5.4"
+[sandbox.public_repo]
+directory = "azure-aks"
+repo = "nuonco/sandboxes"
+branch = "main"
+```
+
+## Testing
+
+This sandbox can be tested outside of `nuon` by following these steps:
+
+1. Ensure you have an Azure account setup and `az` installed
+1. [Create Service Principal Credentials](https://learn.microsoft.com/en-us/azure/aks/learn/quick-kubernetes-deploy-terraform?tabs=bash#create-a-service-principal)
+1. Create a `terraform.tfvars` with the correct variable inputs

aks.tf

@@ -0,0 +1,56 @@
+module "aks" {
+  source = "Azure/aks/azurerm"
+
+  prefix                    = var.nuon_id
+  resource_group_name = azurerm_resource_group.rg.name
+  kubernetes_version        = var.cluster_version
+  automatic_channel_upgrade = "patch"
+  agents_availability_zones = ["1", "2"]
+  agents_count              = null
+  agents_max_count          = 2
+  agents_max_pods           = 100
+  agents_min_count          = 1
+  agents_pool_name          = "agents"
+  agents_pool_linux_os_configs = [
+    {
+      transparent_huge_page_enabled = "always"
+      sysctl_configs = [
+        {
+          fs_aio_max_nr               = 65536
+          fs_file_max                 = 100000
+          fs_inotify_max_user_watches = 1000000
+        }
+      ]
+    }
+  ]
+  agents_type            = "VirtualMachineScaleSets"
+  azure_policy_enabled   = true
+  enable_auto_scaling    = true
+  enable_host_encryption = false
+
+  green_field_application_gateway_for_ingress = {
+    name        = "ingress"
+    subnet_cidr = local.appgw_cidr
+  }
+  create_role_assignments_for_application_gateway = true
+  local_account_disabled                          = false
+  log_analytics_workspace_enabled                 = false
+  net_profile_dns_service_ip                      = local.dns_service_ip
+  net_profile_service_cidr                        = local.service_cidr
+  network_plugin                                  = "azure"
+  network_policy                                  = "azure"
+  os_disk_size_gb                                 = 60
+  private_cluster_enabled                         = false
+  rbac_aad                                        = true
+  rbac_aad_managed                                = true
+  role_based_access_control_enabled               = true
+  sku_tier                                        = "Standard"
+  vnet_subnet_id                                  = module.network.vnet_subnets[0]
+  attached_acr_id_map = {
+    "${azurerm_container_registry.acr.name}" = azurerm_container_registry.acr.id
+  }
+
+  depends_on = [
+    module.network,
+  ]
+}

network.tf

@@ -0,0 +1,42 @@
+locals {
+  // we create a network with two address spaces - one for node pool subnets and one for services, gateways etc.
+  address_spaces = ["10.0.0.0/16", "10.2.0.0/16"]
+  // node pool subnets
+  subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  subnet_names = ["a", "b", "c"]
+
+  // app and services
+  appgw_cidr = "10.2.0.0/24"
+  service_cidr = "10.2.1.0/24"
+  dns_service_ip = "10.2.1.10"
+}
+
+module "network" {
+  source              = "Azure/network/azurerm"
+  resource_group_name = azurerm_resource_group.rg.name
+  address_spaces      = local.address_spaces
+
+  // we create three subnets - one for the nodes, one for ingresses and one for pods
+  subnet_prefixes     = local.subnet_cidrs
+  subnet_names        = local.subnet_names
+
+  subnet_service_endpoints = {
+    "subnet1" : ["Microsoft.Sql"],
+    "subnet2" : ["Microsoft.Sql"],
+    "subnet3" : ["Microsoft.Sql"]
+  }
+  use_for_each = true
+  tags = {
+    environment = "dev"
+    costcenter  = "it"
+  }
+
+  depends_on = [azurerm_resource_group.rg]
+}
+
+#resource "azurerm_subnet" "appgw" {
+  #address_prefixes     = [local.appgw_cidr]
+  #name                 = "${var.nuon_id}-gw"
+  #resource_group_name = azurerm_resource_group.rg.name
+  #virtual_network_name = module.network.vnet_name
+#}

outputs.tf

@@ -0,0 +1,34 @@
+output "runner" {
+  value = {}
+}
+
+output "vpn" {
+  value = {
+    name = module.network.vnet_name
+    subnet_ids = module.network.vnet_subnets
+  }
+}
+
+output "acr" {
+  value = {
+    id = azurerm_container_registry.acr.id
+    login_server = azurerm_container_registry.acr.login_server
+    token_id = azurerm_container_registry_token.runner.id
+    password = nonsensitive(azurerm_container_registry_token_password.runner.password1[0].value)
+  }
+}
+
+output "cluster" {
+  value = {
+    "id" = module.aks.aks_id
+    "name" = module.aks.aks_name
+    "client_certificate" = nonsensitive(module.aks.client_certificate)
+    "client_key" = nonsensitive(module.aks.client_key)
+    "cluster_ca_certificate" = nonsensitive(module.aks.cluster_ca_certificate)
+    "cluster_fqdn" = module.aks.cluster_fqdn
+    "oidc_issuer_url" = module.aks.oidc_issuer_url
+    "location" = module.aks.location
+    "kube_config_raw" = nonsensitive(module.aks.kube_config_raw)
+    "kube_admin_config_raw" = nonsensitive(module.aks.kube_admin_config_raw)
+  }
+}

providers.tf

@@ -0,0 +1,5 @@
+provider "azurerm" {
+  features {}
+}
+
+provider "azapi" {}

registry.tf

@@ -0,0 +1,35 @@
+resource "azurerm_container_registry" "acr" {
+  name                = var.nuon_id
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
+  sku                 = "Premium"
+  admin_enabled       = false
+}
+
+resource "azurerm_container_registry_scope_map" "acr" {
+  name                    = var.nuon_id
+  container_registry_name = azurerm_container_registry.acr.name
+  resource_group_name     = azurerm_resource_group.rg.name
+  actions = [
+    "repositories/${var.nuon_id}/content/read",
+    "repositories/${var.nuon_id}/content/write"
+  ]
+}
+
+resource "random_pet" "token_name" {
+  prefix    = "runner"
+  separator = ""
+}
+
+resource "azurerm_container_registry_token" "runner" {
+  name                    = random_pet.token_name.id
+  container_registry_name = azurerm_container_registry.acr.name
+  resource_group_name     = azurerm_resource_group.rg.name
+  scope_map_id            = azurerm_container_registry_scope_map.acr.id
+}
+
+resource "azurerm_container_registry_token_password" "runner" {
+  container_registry_token_id = azurerm_container_registry_token.runner.id
+
+  password1 {}
+}

resource_group.tf

@@ -0,0 +1,4 @@
+resource "azurerm_resource_group" "rg" {
+  location = var.location
+  name = var.nuon_id
+}

ssh.tf

@@ -0,0 +1,20 @@
+resource "random_pet" "ssh_key_name" {
+  prefix    = "ssh"
+  separator = ""
+}
+
+resource "azapi_resource_action" "ssh_public_key_gen" {
+  type        = "Microsoft.Compute/sshPublicKeys@2022-11-01"
+  resource_id = azapi_resource.ssh_public_key.id
+  action      = "generateKeyPair"
+  method      = "POST"
+
+  response_export_values = ["publicKey", "privateKey"]
+}
+
+resource "azapi_resource" "ssh_public_key" {
+  type      = "Microsoft.Compute/sshPublicKeys@2022-11-01"
+  name      = random_pet.ssh_key_name.id
+  location  = azurerm_resource_group.rg.location
+  parent_id = azurerm_resource_group.rg.id
+}

terraform.tfvars

@@ -0,0 +1,7 @@
+internal_root_domain = "foo.nuon.run"
+public_root_domain = "public.nuon.run"
+nuon_id = "plzxletmtwkqzizk"
+location = "eastus"
+tags = {
+  "managed_by" = "nuon"
+}