diff --git a/terraform/cluster/azure-aks/.terraform.lock.hcl b/terraform/cluster/azure-aks/.terraform.lock.hcl index 5cf536fb2..13839bbe5 100644 --- a/terraform/cluster/azure-aks/.terraform.lock.hcl +++ b/terraform/cluster/azure-aks/.terraform.lock.hcl 
@@ -32,21 +32,40 @@ provider "registry.terraform.io/hashicorp/azurerm" { } provider "registry.terraform.io/hashicorp/local" { - version = "2.5.2" + version = "2.5.3" hashes = [ - "h1:IyFbOIO6mhikFNL/2h1iZJ6kyN3U00jgkpCLUCThAfE=", - "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511", - "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea", - "zh:4855ee628ead847741aa4f4fc9bed50cfdbf197f2912775dd9fe7bc43fa077c0", - "zh:4b8cd2583d1edcac4011caafe8afb7a95e8110a607a1d5fb87d921178074a69b", - "zh:52084ddaff8c8cd3f9e7bcb7ce4dc1eab00602912c96da43c29b4762dc376038", - "zh:71562d330d3f92d79b2952ffdda0dad167e952e46200c767dd30c6af8d7c0ed3", + "h1:MCzg+hs1/ZQ32u56VzJMWP9ONRQPAAqAjuHuzbyshvI=", + "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927", + "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e", + "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:805f81ade06ff68fa8b908d31892eaed5c180ae031c77ad35f82cb7a74b97cf4", - "zh:8b6b3ebeaaa8e38dd04e56996abe80db9be6f4c1df75ac3cccc77642899bd464", - "zh:ad07750576b99248037b897de71113cc19b1a8d0bc235eb99173cc83d0de3b1b", - "zh:b9f1c3bfadb74068f5c205292badb0661e17ac05eb23bfe8bd809691e4583d0e", - "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1", + "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf", + "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d", + "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09", + "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f", + "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1", + "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6", + "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47", + "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82", + ] +} + +provider 
"registry.terraform.io/hashicorp/random" { + version = "3.7.2" + hashes = [ + "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", + "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", + "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", + "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", + "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", + "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", + "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", + "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", + "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", + "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", + "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", ] } diff --git a/terraform/cluster/azure-aks/main.tf b/terraform/cluster/azure-aks/main.tf index 3a4642825..df5d6cb56 100644 --- a/terraform/cluster/azure-aks/main.tf +++ b/terraform/cluster/azure-aks/main.tf 
@@ -53,16 +53,22 @@ resource "azurerm_resource_group" "aks" { # Key Vault #----------------------------------------------------------------------------------------------------------------------- +resource "random_string" "key" { + length = 3 + special = false + upper = false +} + resource "azurerm_key_vault" "key_vault" { # checkov:skip=CKV2_AZURE_32: We are using a public cluster for testing, there is no need for private endpoints. - name = "aks-keyvault-${var.context_id}" + name = "keyvault-${var.context_id}-${random_string.key.result}" location = azurerm_resource_group.aks.location resource_group_name = azurerm_resource_group.aks.name tenant_id = data.azurerm_client_config.current.tenant_id sku_name = "premium" enabled_for_disk_encryption = true purge_protection_enabled = true - soft_delete_retention_days = 7 + soft_delete_retention_days = var.soft_delete_retention_days # checkov:skip=CKV_AZURE_189: We are using a public cluster for testing # private services are encouraged for production public_network_access_enabled = var.public_network_access_enabled 
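Review bot: `random_string.key` with `length = 3`, `upper = false` and `special = false` draws the suffix from only 36^3 = 46,656 values, and because Key Vault names are global across Azure and a purge-protected vault keeps its name reserved for `soft_delete_retention_days` after deletion, that is thin protection against the very collision the suffix is presumably meant to avoid. I would raise it to `length = 6` and say why the resource exists, e.g. `# random suffix: Key Vault names are globally unique and purge-protected vaults keep their name reserved after deletion`. Mind the 24-character Key Vault name limit: `keyvault-` plus the hyphen and a 3-character suffix already caps `var.context_id` at 11 characters, so a longer suffix needs a shorter context id or a `validation` on that variable; the same limit applies to `azurerm_key_vault_key` names further down the file.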
@@ -73,26 +79,28 @@ resource "azurerm_key_vault" "key_vault" { default_action = var.network_acls_default_action bypass = "AzureServices" } +} - access_policy { - tenant_id = data.azurerm_client_config.current.tenant_id - object_id = data.azurerm_client_config.current.object_id - - key_permissions = [ - "Create", - "Delete", - "Get", - "Purge", - "Recover", - "Update", - "GetRotationPolicy", - "SetRotationPolicy" - ] +resource "azurerm_key_vault_access_policy" "key_vault_access_policy" { + key_vault_id = azurerm_key_vault.key_vault.id - secret_permissions = [ - "Set", - ] - } + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id + + key_permissions = [ + "Create", + "Delete", + "Get", + "Purge", + "Recover", + "Update", + "GetRotationPolicy", + "SetRotationPolicy" + ] + + secret_permissions = [ + "Set", + ] } resource "azurerm_key_vault_access_policy" "key_vault_access_policy_disk" { @@ -119,7 +127,7 @@ resource "azurerm_key_vault_access_policy" "key_vault_access_policy_disk" { resource "time_static" "expiry" {} resource "azurerm_key_vault_key" "key_vault_key" { - name = "aks-key-${var.context_id}" + name = "key-${var.context_id}-${random_string.key.result}" key_vault_id = azurerm_key_vault.key_vault.id key_type = "RSA-HSM" key_size = 2048 @@ -145,7 +153,7 @@ resource "azurerm_key_vault_key" "key_vault_key" { } resource "azurerm_disk_encryption_set" "main" { - name = "des-${var.context_id}" + name = "des-${var.context_id}-${random_string.key.result}" resource_group_name = azurerm_resource_group.aks.name location = azurerm_resource_group.aks.location key_vault_key_id = azurerm_key_vault_key.key_vault_key.id 
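Review bot: Moving the deployer's permissions out of the inline `access_policy` block into `azurerm_key_vault_access_policy.key_vault_access_policy` drops the ordering the inline block gave for free: `azurerm_key_vault_key.key_vault_key` now only references `azurerm_key_vault.key_vault.id`, so Terraform may create the key before the applying identity has `Create`/`Get` on keys (403 on the first apply) and may revoke the policy before deleting the key on destroy. Add `depends_on = [azurerm_key_vault_access_policy.key_vault_access_policy]` to `azurerm_key_vault_key.key_vault_key`; its body continues outside the hunk, so I could not confirm it is not already there. Separately, renaming the key to `key-${var.context_id}-${random_string.key.result}` and the disk encryption set to `des-…` forces both to be replaced, and since the cluster references the disk encryption set, existing environments should expect a cluster replacement on this apply — worth stating in the PR description.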
@@ -178,6 +186,12 @@ data "azurerm_subnet" "private" { virtual_network_name = var.vnet_name == null ? "windsor-vnet-${var.context_id}" : var.vnet_name } +resource "azurerm_user_assigned_identity" "cluster" { + name = "${var.context_id}-cluster-identity" + location = var.region + resource_group_name = azurerm_resource_group.aks.name +} + resource "azurerm_kubernetes_cluster" "main" { name = local.cluster_name location = azurerm_resource_group.aks.location @@ -243,12 +257,17 @@ resource "azurerm_kubernetes_cluster" "main" { } identity { - type = "SystemAssigned" + type = "UserAssigned" + identity_ids = concat( + [azurerm_user_assigned_identity.cluster.id], + var.additional_cluster_identity_ids + ) } lifecycle { ignore_changes = [ - default_node_pool[0].node_count + default_node_pool[0].upgrade_settings, + workload_autoscaler_profile ] } } @@ -269,6 +288,12 @@ resource "azurerm_kubernetes_cluster_node_pool" "autoscaled" { # checkov:skip=CKV_AZURE_168: This is set in the variable by default to 50 max_pods = var.autoscaled_node_pool.max_pods host_encryption_enabled = var.autoscaled_node_pool.host_encryption_enabled + + lifecycle { + ignore_changes = [ + upgrade_settings + ] + } } resource "local_file" "kube_config" { diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf index d269fe5f9..a3b650256 100644 --- a/terraform/cluster/azure-aks/variables.tf +++ b/terraform/cluster/azure-aks/variables.tf @@ -197,3 +197,15 @@ variable "expiration_date" { description = "The expiration date for the AKS cluster's key vault" default = null } + +variable "additional_cluster_identity_ids" { + type = list(string) + description = "Additional user assigned identity IDs for the AKS cluster" + default = [] +} + +variable "soft_delete_retention_days" { + type = number + description = "The number of days to retain the AKS cluster's key vault" + default = 7 +}
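Review bot: The switch to `type = "UserAssigned"` in the cluster's `identity` block (the `azurerm_kubernetes_cluster.main` resource starts outside the hunk) hands the control plane an identity that this diff never grants any role, whereas the system-assigned identity it replaces was provisioned and bound by AKS; if the node pools are placed in `data.azurerm_subnet.private`, which the hunk does not show, the identity needs Network Contributor on that subnet before the cluster is created or creation fails on the pre-existing VNet. I would add the role assignment below and make the cluster `depends_on` it so it is created before and destroyed after the cluster. Also, to my knowledge the AKS API accepts only a single user-assigned control-plane identity, so `concat([azurerm_user_assigned_identity.cluster.id], var.additional_cluster_identity_ids)` would be rejected as soon as the variable is non-empty — please verify against the API before exposing it. Dropping `default_node_pool[0].node_count` from `ignore_changes` means an autoscaled default pool is reset to its configured count on every apply; confirm that was intended, and note that `azurerm_user_assigned_identity.cluster` uses `var.region` where every neighbouring resource uses `azurerm_resource_group.aks.location`.
```hcl
# The user-assigned control-plane identity must be able to manage the BYO subnet
# before the cluster is created; AKS does not grant this for user-assigned identities.
resource "azurerm_role_assignment" "cluster_identity_network" {
  scope                = data.azurerm_subnet.private.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_user_assigned_identity.cluster.principal_id
}

resource "azurerm_kubernetes_cluster" "main" {
  # … unchanged: name, location, node pools, identity, lifecycle …

  depends_on = [azurerm_role_assignment.cluster_identity_network]
}
```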
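Review bot: `soft_delete_retention_days` now drives `azurerm_key_vault.key_vault` with no `validation`, while Azure only accepts 7–90 days, so an out-of-range value is caught at apply time after the rest of the plan has been approved. Its description, `The number of days to retain the AKS cluster's key vault`, is also misleading — it is how long soft-deleted vaults and keys stay recoverable, and with `purge_protection_enabled = true` it is also the minimum time a deleted vault's name stays reserved. `additional_cluster_identity_ids` should likewise say that the IDs are concatenated into the cluster's `identity_ids` and whatever limit the AKS API places on their number. I would rewrite the retention variable as below.
```hcl
variable "soft_delete_retention_days" {
  type        = number
  description = "Days a soft-deleted Key Vault (and its keys) stays recoverable before permanent deletion; with purge protection on, the vault name stays reserved at least this long. Azure accepts 7-90."
  default     = 7

  validation {
    condition     = var.soft_delete_retention_days >= 7 && var.soft_delete_retention_days <= 90
    error_message = "soft_delete_retention_days must be between 7 and 90 (inclusive)."
  }
}
```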