Add network contributor role (for load balancers)

Author: chrisghill

README.md

@@ -209,12 +209,12 @@ Resources created by this bundle that can be connected to other bundles.
 
 - **`kubernetes_cluster`** *(object)*: Kubernetes cluster authentication and cloud-specific configuration. Cannot contain additional properties.
   - **`data`** *(object)*
-    - **`authentication`** *(object)*
-      - **`cluster`** *(object)*
-        - **`certificate-authority-data`** *(string)*
-        - **`server`** *(string)*
-      - **`user`** *(object)*
-        - **`token`** *(string)*
+    - **`authentication`** *(object)*: Authentication details required to access the Kubernetes cluster.
+      - **`cluster`** *(object)*: Information about the Kubernetes cluster you wish to connect to.
+        - **`certificate-authority-data`** *(string)*: Base64-encoded certificate authority data used to verify the Kubernetes API server's certificate.
+        - **`server`** *(string)*: The URL or endpoint of the Kubernetes API server.
+      - **`user`** *(object)*: User credentials for authenticating with the Kubernetes cluster.
+        - **`token`** *(string)*: Bearer token used for authenticating the user with the Kubernetes API server.
     - **`infrastructure`** *(object)*: Cloud specific Kubernetes configuration data.
       - **One of**
         - AWS EKS infrastructure config*object*: . Cannot contain additional properties.

core-services/_providers.tf

@@ -7,11 +7,11 @@ terraform {
     }
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 3.0"
+      version = "~> 4.0"
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "~> 2.0"
+      version = "~> 3.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

custom-resources/_providers.tf

@@ -3,11 +3,11 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 3.0"
+      version = "~> 4.0"
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "~> 2.0"
+      version = "~> 3.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

massdriver.yaml

@@ -2,7 +2,6 @@ schema: draft-07
 name: azure-aks-cluster
 description: "Azure Kubernetes Service (AKS) is a fully managed container orchestration service. AKS offers serverless Kubernetes, an integrated continuous integration and continuous delivery (CI/CD) experience, and enterprise-grade security and governance."
 source_url: github.com/massdriver-cloud/azure-aks-cluster
-access: public
 type: infrastructure
 
 NodeGroup: &node_group

src/_providers.tf

@@ -3,14 +3,10 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 3.0"
+      version = "~> 4.0"
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "~> 2.0"
-    }
-    http = {
-      source  = "hashicorp/http"
       version = "~> 3.0"
     }
   }

src/feature.tf

@@ -8,7 +8,7 @@ resource "random_string" "temp_node_group" {
   lower   = true
   upper   = false
   special = false
-  number  = false
+  numeric = false
 }
 resource "azurerm_resource_group" "main" {
   name     = var.md_metadata.name_prefix
@@ -30,22 +30,31 @@ resource "azurerm_kubernetes_cluster" "main" {
   resource_group_name               = azurerm_resource_group.main.name
   dns_prefix                        = "${var.md_metadata.name_prefix}-dns"
   node_resource_group               = local.node_rg_name
-  automatic_channel_upgrade         = "stable"
+  automatic_upgrade_channel         = "stable"
   azure_policy_enabled              = true
   role_based_access_control_enabled = true
   workload_identity_enabled         = true
   oidc_issuer_enabled               = true
   tags                              = var.md_metadata.default_tags
 
   azure_active_directory_role_based_access_control {
-    managed            = true
-    azure_rbac_enabled = true
+    azure_rbac_enabled     = true
+    admin_group_object_ids = []
+  }
+
+  dynamic "monitor_metrics" {
+    for_each = var.cluster.enable_log_analytics ? toset(["enabled"]) : toset([])
+    content {
+      annotations_allowed = null
+      labels_allowed      = null
+    }
   }
 
   dynamic "oms_agent" {
     for_each = var.cluster.enable_log_analytics ? toset(["enabled"]) : toset([])
     content {
-      log_analytics_workspace_id = azurerm_log_analytics_workspace.main[0].id
+      log_analytics_workspace_id      = azurerm_log_analytics_workspace.main[0].id
+      msi_auth_for_monitoring_enabled = true
     }
   }
 
@@ -56,8 +65,11 @@ resource "azurerm_kubernetes_cluster" "main" {
     max_count                   = var.node_groups.default_node_group.max_size
     vnet_subnet_id              = var.vnet.data.infrastructure.default_subnet_id
     temporary_name_for_rotation = "${random_string.temp_node_group.result}temp"
-    enable_auto_scaling         = true
-    tags                        = var.md_metadata.default_tags
+    auto_scaling_enabled        = true
+    upgrade_settings {
+      max_surge = "10%"
+    }
+    tags = var.md_metadata.default_tags
   }
 
   identity {
@@ -68,15 +80,15 @@ resource "azurerm_kubernetes_cluster" "main" {
   the customer might set as their VNet CIDR. These are also the defaults for
   these parameters when deploying AKS in the Azure Portal. */
   network_profile {
-    network_plugin = "azure"
-    network_policy = "azure"
-    dns_service_ip = "172.20.0.10"
-    service_cidr   = "172.20.0.0/16"
+    network_plugin    = "azure"
+    network_policy    = "azure"
+    dns_service_ip    = "172.20.0.10"
+    service_cidr      = "172.20.0.0/16"
+    load_balancer_sku = "standard"
+    outbound_type     = "loadBalancer"
   }
 
-  depends_on = [
-    data.http.feature
-  ]
+
 }
 
 resource "azurerm_kubernetes_cluster_node_pool" "main" {
@@ -85,12 +97,15 @@ resource "azurerm_kubernetes_cluster_node_pool" "main" {
   kubernetes_cluster_id = azurerm_kubernetes_cluster.main.id
   vm_size               = each.value.node_size
   vnet_subnet_id        = var.vnet.data.infrastructure.default_subnet_id
-  enable_auto_scaling   = true
+  auto_scaling_enabled  = true
   mode                  = "User"
   max_count             = each.value.max_size
   min_count             = each.value.min_size
-  node_taints           = var.node_groups.additional_node_groups.0.compute_type == "GPU" ? ["sku=gpu:NoSchedule"] : []
-  tags                  = var.md_metadata.default_tags
+  node_taints           = each.value.compute_type == "GPU" ? ["sku=gpu:NoSchedule"] : []
+  upgrade_settings {
+    max_surge = "10%"
+  }
+  tags = var.md_metadata.default_tags
 }
 
 data "azurerm_client_config" "main" {
@@ -101,3 +116,10 @@ resource "azurerm_role_assignment" "aks_read_acr" {
   role_definition_name = "AcrPull"
   principal_id         = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id
 }
+
+# Network Contributor role for AKS cluster identity to manage load balancers and network resources
+resource "azurerm_role_assignment" "aks_network_contributor" {
+  scope                = var.vnet.data.infrastructure.id
+  role_definition_name = "Network Contributor"
+  principal_id         = azurerm_kubernetes_cluster.main.identity[0].principal_id
+}