From 0bf6e236a92e812cf0f3c0b186687053c268dde1 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 21 Jan 2021 07:56:26 +0000 Subject: [PATCH 01/54] Added temp tf output --- terraform/helm_argocd.tf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 92f74e3..5bc8990 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -120,3 +120,12 @@ resource "null_resource" "argocd_apps" { null_resource.argocd_configure ] } + +# TODO: remove temp output +data "azuread_application" "argocd" { + display_name = "AR-Dev_ArgoCD" +} + +output "azure_ad_object_id" { + value = data.azuread_application.argocd +} From 61023acc2a54c5cc9c8ea316f297b7b08a652ded Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 23 Jan 2021 09:00:40 +0000 Subject: [PATCH 02/54] Bumped TF and chart versions --- terraform/providers.tf | 6 +++--- terraform/variables.tf | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/terraform/providers.tf b/terraform/providers.tf index 1205713..fce9029 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -11,10 +11,10 @@ terraform { # versioning syntax: https://www.terraform.io/docs/configuration/modules.html#module-versions required_providers { # https://github.com/hashicorp/terraform-provider-helm/releases - helm = "2.0.1" + helm = "2.0.2" # https://github.com/hashicorp/terraform-provider-kubernetes/releases - kubernetes = "1.13.3" + kubernetes = "2.0.1" # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = "1.2.2" @@ -30,7 +30,7 @@ terraform { # must include blank features block # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { - version = "2.43.0" + version = "2.44.0" features {} } diff --git a/terraform/variables.tf b/terraform/variables.tf index 4c8bedc..fbd9056 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
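Review bot: `output "azure_ad_object_id"` exports the entire `data.azuread_application.argocd` object rather than an object ID, so every attribute of the app registration is written to state and printed by `terraform output` in CI logs; if only the ID is needed, `value = data.azuread_application.argocd.object_id` keeps the output to what its name promises. The `# TODO: remove temp output` marker says this is scaffolding — if it outlives this commit, a `description` naming what consumes it would help the next reader. Looking the app up by `display_name` also returns whichever registration happens to carry that name, since display names are not unique in Azure AD; once the app ID is known, `application_id` is the safer selector.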
@@ -34,7 +34,7 @@ variable "cert_manager_chart_version" { # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.14.5" + default = "2.14.7" } # https://hub.docker.com/r/sonatype/nexus3/tags @@ -67,7 +67,7 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "4.5.3" + default = "4.5.4" } # https://github.com/weaveworks/kured/tree/master/charts/kured @@ -86,12 +86,12 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "2.11.0" + default = "2.11.3" } # https://hub.docker.com/r/argoproj/argocd/tags variable "argocd_image_tag" { - default = "v1.8.2" + default = "v1.8.3" } #endregion Versions From 73da852ced5aba1c290ca8f260a6e031d1256943 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 23 Jan 2021 09:12:42 +0000 Subject: [PATCH 03/54] Removed load_config_file --- terraform/providers.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/providers.tf b/terraform/providers.tf index fce9029..0bc8a5b 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -37,7 +37,6 @@ provider "azurerm" { # use statically defined credentials # https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs#statically-defined-credentials provider "kubernetes" { - load_config_file = false # when you wish not to load the local config file host = module.aks.full_object.kube_admin_config[0].host client_certificate = base64decode(module.aks.full_object.kube_admin_config[0].client_certificate) client_key = base64decode(module.aks.full_object.kube_admin_config[0].client_key) From 5d4b5e42c8deb067d2fe503696142c2517035855 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Sat, 23 Jan 2021 09:15:23 +0000 Subject: [PATCH 04/54] Changed azuread_group name to display_name --- terraform/data.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/data.tf b/terraform/data.tf index 9a0dea9..fa09afd 100644 --- a/terraform/data.tf +++ b/terraform/data.tf @@ -2,7 +2,7 @@ data "azurerm_subscription" "current" {} data "azuread_group" "aks" { - name = var.aad_group_name + display_name = var.aad_group_name } data "azurerm_resource_group" "aks_node_rg" { From 48b41ad9a1575930d9cd44cb896bf3611ee39c53 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 25 Jan 2021 11:54:20 +0000 Subject: [PATCH 05/54] Removed unused data resource --- terraform/data.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/terraform/data.tf b/terraform/data.tf index fa09afd..d251f4d 100644 --- a/terraform/data.tf +++ b/terraform/data.tf @@ -1,10 +1,6 @@ # Data sources data "azurerm_subscription" "current" {} -data "azuread_group" "aks" { - display_name = var.aad_group_name -} - data "azurerm_resource_group" "aks_node_rg" { name = module.aks.node_resource_group } From 2c373eacacfb58618185f59d748f6122b1d752d6 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 25 Jan 2021 12:26:07 +0000 Subject: [PATCH 06/54] Bumped AKS module to v0.5.0 --- terraform/aks.tf | 5 ++++- terraform/variables.tf | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index 43d5548..dd8d5b8 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -54,7 +54,7 @@ resource "azurerm_log_analytics_solution" "aks" { # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest module "aks" { source = "adamrushuk/aks/azurerm" - version = "0.4.2" + version = "0.5.0" kubernetes_version = var.kubernetes_version location = azurerm_resource_group.aks.location 
@@ -80,4 +80,7 @@ module "aks" { # add-ons log_analytics_workspace_id = var.aks_container_insights_enabled == true ? azurerm_log_analytics_workspace.aks[0].id : "" + + # Add existing group to the new AKS cluster admin group + aks_admin_group_member_name = var.aks_admins_aad_group_name } diff --git a/terraform/variables.tf b/terraform/variables.tf index fbd9056..15bfc10 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -150,8 +150,8 @@ variable "azurerm_kubernetes_cluster_name" { default = "__AKS_CLUSTER_NAME__" } -variable "aad_group_name" { - description = "Name of the Azure AD group for cluster-admin access" +variable "aks_admins_aad_group_name" { + description = "Name an existing Azure AD group for AKS admins" type = string default = "AKS-Admins" } From 912c6a65355af43d3afe90ab29d08a3aab95e21f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 26 Jan 2021 08:26:41 +0000 Subject: [PATCH 07/54] Added azuread_application wip --- terraform/helm_argocd.tf | 91 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 5bc8990..bf349c5 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf 
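Review bot: The description on the renamed variable reads `Name an existing Azure AD group for AKS admins`, which drops a word and says nothing about what membership grants; the aks.tf hunk passes it as `aks_admin_group_member_name` with a comment that the group is added to the new cluster admin group, so every member of that group becomes a cluster admin. Suggest `description = "Name of an existing Azure AD group whose members are nested into the AKS cluster-admin group"`. The default `"AKS-Admins"` also means an apply in any tenant that already has a group by that name silently elevates it; dropping the default so callers must name the group explicitly would make that grant deliberate.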
@@ -129,3 +129,94 @@ data "azuread_application" "argocd" { output "azure_ad_object_id" { value = data.azuread_application.argocd } + +# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application +resource "azuread_application" "argocd" { + display_name = "ArgoCD" + prevent_duplicate_names = true + homepage = "https://argocd.${var.dns_zone_name}" + identifier_uris = ["https://argocd.${var.dns_zone_name}/api/dex/callback"] + reply_urls = ["https://argocd.${var.dns_zone_name}/api/dex/callback"] + available_to_other_tenants = false + oauth2_allow_implicit_flow = false + # type = "webapp/api" + # owners = ["00000004-0000-0000-c000-000000000000"] + group_membership_claims = "All" + + # TODO: are "required_resource_access" blocks needed? + # required_resource_access { + # # Microsoft Graph App ID + # resource_app_id = "00000003-0000-0000-c000-000000000000" + + # resource_access { + # id = "..." + # type = "Role" + # } + + # resource_access { + # id = "..." + # type = "Scope" + # } + + # resource_access { + # id = "..." + # type = "Scope" + # } + # } + + # required_resource_access { + # # AAD Graph API App ID + # resource_app_id = "00000002-0000-0000-c000-000000000000" + + # resource_access { + # id = "..." + # type = "Scope" + # } + # } + + # app_role { + # allowed_member_types = [ + # "User" + # ] + + # description = "User" + # display_name = "User" + # is_enabled = true + # value = "" + # } + + oauth2_permissions { + admin_consent_description = "Allow the application to access Argo CD on behalf of the signed-in user." + admin_consent_display_name = "Access Argo CD on behalf of the signed-in user" + is_enabled = true + type = "User" + user_consent_description = "Allow the application to access Argo CD on your behalf." 
+ user_consent_display_name = "Access Argo CD" + value = "user_impersonation" + } + + # oauth2_permissions { + # admin_consent_description = "Administer the example application" + # admin_consent_display_name = "Administer" + # is_enabled = true + # type = "Admin" + # value = "administer" + # } + + # optional_claims { + # access_token { + # name = "myclaim" + # } + + # access_token { + # name = "otherclaim" + # } + + # id_token { + # name = "userclaim" + # source = "user" + # essential = true + # additional_properties = ["emit_as_roles"] + # } + # } +} From 9018f5cee3ce45335ab9cbcea0fd09a778c94f94 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 26 Jan 2021 08:54:29 +0000 Subject: [PATCH 08/54] Debug --- terraform/helm_argocd.tf | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index bf349c5..ca0ba1f 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -121,13 +121,17 @@ resource "null_resource" "argocd_apps" { ] } -# TODO: remove temp output -data "azuread_application" "argocd" { +# TODO: remove temp outputs +data "azuread_application" "argocd_manual" { display_name = "AR-Dev_ArgoCD" } -output "azure_ad_object_id" { - value = data.azuread_application.argocd +output "azure_ad_object_manual" { + value = data.azuread_application.argocd_manual +} + +output "azure_ad_object_argocd" { + value = azuread_application.argocd } # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application @@ -139,8 +143,8 @@ resource "azuread_application" "argocd" { reply_urls = ["https://argocd.${var.dns_zone_name}/api/dex/callback"] available_to_other_tenants = false oauth2_allow_implicit_flow = false - # type = "webapp/api" - # owners = ["00000004-0000-0000-c000-000000000000"] + type = "webapp/api" + owners = ["00000004-0000-0000-c000-000000000000"] group_membership_claims = "All" # TODO: are "required_resource_access" blocks needed? 
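Review bot: `identifier_uris` is set to the Dex callback URL, the same value as `reply_urls`; the identifier URI is the App ID URI that names this app as a token audience, while the callback is a redirect target, so the two normally differ — something like `identifier_uris = ["https://argocd.${var.dns_zone_name}"]` (matching `homepage`) is the expected shape, to be confirmed against what Dex's microsoft connector expects. `group_membership_claims = "All"` emits every group and directory role the user holds; if only security groups drive Argo CD RBAC, `"SecurityGroup"` is the narrower value, and as far as I recall Dex's microsoft connector resolves groups through Graph rather than from token claims, so this attribute may not matter for Dex at all — a comment recording which it is would help. The commented `owners` line carries the placeholder `00000004-0000-0000-c000-000000000000`; marking it as a placeholder in the comment would stop it being uncommented as-is.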
From c7dfea4a74061331e730d265fd97e47db0d35b42 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 26 Jan 2021 09:02:56 +0000 Subject: [PATCH 09/54] Debug --- terraform/helm_argocd.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index ca0ba1f..9bc6351 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -144,7 +144,7 @@ resource "azuread_application" "argocd" { available_to_other_tenants = false oauth2_allow_implicit_flow = false type = "webapp/api" - owners = ["00000004-0000-0000-c000-000000000000"] + owners = ["cc9375df-8e64-4e24-8ab2-45e02c01a111"] group_membership_claims = "All" # TODO: are "required_resource_access" blocks needed? From 65209ca8152e7b8f88c8dc459b1a887124506324 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 27 Jan 2021 07:00:42 +0000 Subject: [PATCH 10/54] Removed AAD config --- terraform/helm_argocd.tf | 104 --------------------------------------- 1 file changed, 104 deletions(-) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 9bc6351..92f74e3 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf 
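Review bot: `owners = ["cc9375df-8e64-4e24-8ab2-45e02c01a111"]` hard-codes one user's object ID into the configuration, which ties the module to a single tenant and person and publishes that ID with the repo. Use the identity running the apply instead, `owners = [data.azuread_client_config.current.object_id]` together with a `data "azuread_client_config" "current" {}` block, or take the list from a variable. The enclosing `azuread_application.argocd` resource continues outside the hunk.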
@@ -120,107 +120,3 @@ resource "null_resource" "argocd_apps" { null_resource.argocd_configure ] } - -# TODO: remove temp outputs -data "azuread_application" "argocd_manual" { - display_name = "AR-Dev_ArgoCD" -} - -output "azure_ad_object_manual" { - value = data.azuread_application.argocd_manual -} - -output "azure_ad_object_argocd" { - value = azuread_application.argocd -} - -# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application -resource "azuread_application" "argocd" { - display_name = "ArgoCD" - prevent_duplicate_names = true - homepage = "https://argocd.${var.dns_zone_name}" - identifier_uris = ["https://argocd.${var.dns_zone_name}/api/dex/callback"] - reply_urls = ["https://argocd.${var.dns_zone_name}/api/dex/callback"] - available_to_other_tenants = false - oauth2_allow_implicit_flow = false - type = "webapp/api" - owners = ["cc9375df-8e64-4e24-8ab2-45e02c01a111"] - group_membership_claims = "All" - - # TODO: are "required_resource_access" blocks needed? - # required_resource_access { - # # Microsoft Graph App ID - # resource_app_id = "00000003-0000-0000-c000-000000000000" - - # resource_access { - # id = "..." - # type = "Role" - # } - - # resource_access { - # id = "..." - # type = "Scope" - # } - - # resource_access { - # id = "..." - # type = "Scope" - # } - # } - - # required_resource_access { - # # AAD Graph API App ID - # resource_app_id = "00000002-0000-0000-c000-000000000000" - - # resource_access { - # id = "..." - # type = "Scope" - # } - # } - - # app_role { - # allowed_member_types = [ - # "User" - # ] - - # description = "User" - # display_name = "User" - # is_enabled = true - # value = "" - # } - - oauth2_permissions { - admin_consent_description = "Allow the application to access Argo CD on behalf of the signed-in user." 
- admin_consent_display_name = "Access Argo CD on behalf of the signed-in user" - is_enabled = true - type = "User" - user_consent_description = "Allow the application to access Argo CD on your behalf." - user_consent_display_name = "Access Argo CD" - value = "user_impersonation" - } - - # oauth2_permissions { - # admin_consent_description = "Administer the example application" - # admin_consent_display_name = "Administer" - # is_enabled = true - # type = "Admin" - # value = "administer" - # } - - # optional_claims { - # access_token { - # name = "myclaim" - # } - - # access_token { - # name = "otherclaim" - # } - - # id_token { - # name = "userclaim" - # source = "user" - # essential = true - # additional_properties = ["emit_as_roles"] - # } - # } -} From 23d32e905390159bc23907ee75c7caa1b21e589d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 27 Jan 2021 07:29:53 +0000 Subject: [PATCH 11/54] Added argo aad test config --- terraform/argocd_aad.tf | 166 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 166 insertions(+) create mode 100644 terraform/argocd_aad.tf diff --git a/terraform/argocd_aad.tf b/terraform/argocd_aad.tf new file mode 100644 index 0000000..5331ffb --- /dev/null +++ b/terraform/argocd_aad.tf 
@@ -0,0 +1,166 @@ +# TODO: remove temp outputs +data "azuread_application" "argocd_manual" { + display_name = "AR-Dev_ArgoCD" +} + +output "azure_ad_object_manual" { + value = data.azuread_application.argocd_manual +} + +output "azure_ad_object_argocd" { + value = azuread_application.argocd +} + +# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application +resource "azuread_application" "argocd" { + display_name = "ArgoCD" + prevent_duplicate_names = true + homepage = "https://argocd.${var.dns_zone_name}" + identifier_uris = ["https://argocd.${var.dns_zone_name}/api/dex/callback"] + reply_urls = ["https://argocd.${var.dns_zone_name}/api/dex/callback"] + available_to_other_tenants = false + oauth2_allow_implicit_flow = false + type = "webapp/api" + # owners = ["00000004-0000-0000-c000-000000000000"] + group_membership_claims = "All" + + # TODO: are "required_resource_access" blocks needed? + # required_resource_access { + # # Microsoft Graph App ID + # resource_app_id = "00000003-0000-0000-c000-000000000000" + + # resource_access { + # id = "..." + # type = "Role" + # } + + # resource_access { + # id = "..." + # type = "Scope" + # } + + # resource_access { + # id = "..." + # type = "Scope" + # } + # } + + # required_resource_access { + # # AAD Graph API App ID + # resource_app_id = "00000002-0000-0000-c000-000000000000" + + # resource_access { + # id = "..." + # type = "Scope" + # } + # } + + app_role { + allowed_member_types = [ + "User" + ] + + description = "User" + display_name = "User" + is_enabled = true + # value = "" + } + + app_role { + allowed_member_types = [ + "User" + ] + + description = "msiam_access" + display_name = "msiam_access" + is_enabled = true + } + + + // We need to wait because Azure Graph API returns a 200 before its call-able #eventualconsistancy... 
+ provisioner "local-exec" { + command = "sleep 20" + } + //https://github.com/Azure/azure-cli/issues/7579 + //Add metadata URL + // provisioner "local-exec" { + // command = "az ad app update --id ${self.application_id} --set samlMetadataUrl=${var.saml_metadata_url}" + // } + // We need to wait because Azure Graph API returns a 200 before its call-able #eventualconsistancy... + // provisioner "local-exec" { + // command = "sleep 5" + // } + //https://github.com/Azure/azure-cli/issues/12946 + //https://github.com/Azure/azure-cli/issues/11534 + //https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims + //Optional Claims for tokens + provisioner "local-exec" { + command = "az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/${self.object_id}' --body '{\"optionalClaims\": {\"saml2Token\": [{\"name\": \"groups\", \"additionalProperties\": [\"sam_account_name\"]}]}}'" + } + + + # oauth2_permissions { + # admin_consent_description = "Allow the application to access Argo CD on behalf of the signed-in user." + # admin_consent_display_name = "Access Argo CD on behalf of the signed-in user" + # is_enabled = true + # type = "User" + # user_consent_description = "Allow the application to access Argo CD on your behalf." 
+ # user_consent_display_name = "Access Argo CD" + # value = "user_impersonation" + # } + + # oauth2_permissions { + # admin_consent_description = "Administer the example application" + # admin_consent_display_name = "Administer" + # is_enabled = true + # type = "Admin" + # value = "administer" + # } + + # optional_claims { + # access_token { + # name = "myclaim" + # } + + # access_token { + # name = "otherclaim" + # } + + # id_token { + # name = "userclaim" + # source = "user" + # essential = true + # additional_properties = ["emit_as_roles"] + # } + # } +} + +# Test adding SP to make an Enterprise App +# resource "azuread_service_principal" "this" { +# application_id = azuread_application.argocd.application_id +# tags = [ +# # "AppServiceIntegratedApp", +# "WindowsAzureActiveDirectoryIntegratedApp", +# ] +# } + +resource "azuread_service_principal" "this" { + //https://github.com/Azure/azure-cli/issues/9250 + application_id = azuread_application.argocd.application_id + tags = [ + "WindowsAzureActiveDirectoryIntegratedApp" + # "WindowsAzureActiveDirectoryCustomSingleSignOnApplication", + # "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1" + ] + // We need to wait because Azure Graph API returns a 200 before its call-able #eventualconsistancy... + provisioner "local-exec" { + command = "sleep 20" + } + provisioner "local-exec" { + command = "az ad sp update --id ${azuread_application.argocd.application_id} --set preferredSingleSignOnMode='saml'" + } + depends_on = [ + azuread_application.argocd + ] +} + From 7d9acebb15c0b601d6cef2c9a2275814cfd0231e Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 27 Jan 2021 07:44:27 +0000 Subject: [PATCH 12/54] Debug --- terraform/argocd_aad.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/argocd_aad.tf b/terraform/argocd_aad.tf index 5331ffb..f695386 100644 --- a/terraform/argocd_aad.tf +++ b/terraform/argocd_aad.tf 
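Review bot: The `local-exec` provisioners on `azuread_application.argocd` and `azuread_service_principal.this` set the SAML `optionalClaims` and `preferredSingleSignOnMode` through `az rest` / `az ad sp update`, which means they run only on first create, under whatever `az` login the runner has rather than the provider's credentials, and their result is never recorded in state — a later manual change is invisible to `terraform plan`, and the `sleep 20` for Graph eventual consistency is a guess that will fail intermittently. The application-side claims can be declared with the provider's `optional_claims` block that already sits commented-out in this resource (check whether the pinned provider offers a `saml2_token` sub-block; otherwise `id_token`/`access_token`), and the SP's SSO mode should be checked against the provider docs before keeping the CLI call. If a provisioner must stay, say so next to it: `# NOTE: set outside Terraform via az CLI — not tracked in state; re-run if the app is recreated`. `identifier_uris` also reuses the Dex callback URL as the App ID URI, which is a redirect target rather than an audience; `homepage` holds the value that normally goes there.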
@@ -94,9 +94,9 @@ resource "azuread_application" "argocd" { //https://github.com/Azure/azure-cli/issues/11534 //https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims //Optional Claims for tokens - provisioner "local-exec" { - command = "az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/${self.object_id}' --body '{\"optionalClaims\": {\"saml2Token\": [{\"name\": \"groups\", \"additionalProperties\": [\"sam_account_name\"]}]}}'" - } + # provisioner "local-exec" { + # command = "az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/${self.object_id}' --body '{\"optionalClaims\": {\"saml2Token\": [{\"name\": \"groups\", \"additionalProperties\": [\"sam_account_name\"]}]}}'" + # } # oauth2_permissions { @@ -148,9 +148,9 @@ resource "azuread_service_principal" "this" { //https://github.com/Azure/azure-cli/issues/9250 application_id = azuread_application.argocd.application_id tags = [ - "WindowsAzureActiveDirectoryIntegratedApp" - # "WindowsAzureActiveDirectoryCustomSingleSignOnApplication", - # "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1" + "WindowsAzureActiveDirectoryIntegratedApp", + "WindowsAzureActiveDirectoryCustomSingleSignOnApplication", + "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1" ] // We need to wait because Azure Graph API returns a 200 before its call-able #eventualconsistancy... provisioner "local-exec" { From fa1b93f3776be91bb4a0ef59a9919ab1b7e4a0d7 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 27 Jan 2021 08:17:15 +0000 Subject: [PATCH 13/54] Added email SSO claim --- terraform/argocd_aad.tf | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/terraform/argocd_aad.tf b/terraform/argocd_aad.tf index f695386..f05d5c7 100644 --- a/terraform/argocd_aad.tf +++ b/terraform/argocd_aad.tf 
@@ -117,22 +117,22 @@ resource "azuread_application" "argocd" { # value = "administer" # } - # optional_claims { - # access_token { - # name = "myclaim" - # } - - # access_token { - # name = "otherclaim" - # } - - # id_token { - # name = "userclaim" - # source = "user" - # essential = true - # additional_properties = ["emit_as_roles"] - # } - # } + optional_claims { + access_token { + name = "email" + } + + # access_token { + # name = "otherclaim" + # } + + id_token { + name = "userprincipalname" + source = "user" + essential = true + # additional_properties = ["emit_as_roles"] + } + } } # Test adding SP to make an Enterprise App From 1b0d85bddc49df764adf58aa6c6834d21d4c4963 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 27 Jan 2021 08:43:24 +0000 Subject: [PATCH 14/54] Added SP output --- terraform/argocd_aad.tf | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/terraform/argocd_aad.tf b/terraform/argocd_aad.tf index f05d5c7..be4a1eb 100644 --- a/terraform/argocd_aad.tf +++ b/terraform/argocd_aad.tf @@ -3,10 +3,18 @@ data "azuread_application" "argocd_manual" { display_name = "AR-Dev_ArgoCD" } -output "azure_ad_object_manual" { +output "azure_app_object_manual" { value = data.azuread_application.argocd_manual } +data "azuread_service_principal" "argocd_manual" { + display_name = "AR-Dev_ArgoCD" +} + +output "azure_sp_object_manual" { + value = data.azuread_service_principal.argocd_manual +} + output "azure_ad_object_argocd" { value = azuread_application.argocd } @@ -144,6 +152,7 @@ resource "azuread_application" "argocd" { # ] # } +# TODO: change id to argocd resource "azuread_service_principal" "this" { //https://github.com/Azure/azure-cli/issues/9250 application_id = azuread_application.argocd.application_id 
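Review bot: The new `optional_claims` block adds `email` to the access token and `userprincipalname` to the ID token, but an OIDC relying party like Dex takes identity from the ID token (and, in its microsoft connector, from Graph `/me`), not from the API access token, so if Argo CD is meant to see an email address it is the `id_token` entry that needs `name = "email"` — confirm against the connector configuration. Separately, Azure AD's `email` claim is populated from a mail attribute that can be unverified, so Argo CD RBAC subjects are safer keyed on group object IDs or UPN than on email; a comment on the block stating which claim Dex maps to `email` and `groups` would make the intent checkable. The enclosing `azuread_application.argocd` resource starts outside the hunk.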
@@ -159,8 +168,8 @@ resource "azuread_service_principal" "this" { provisioner "local-exec" { command = "az ad sp update --id ${azuread_application.argocd.application_id} --set preferredSingleSignOnMode='saml'" } - depends_on = [ - azuread_application.argocd - ] + # depends_on = [ + # azuread_application.argocd + # ] } From bac7071d11fa13a809b7dfa2e5d1b511a5230454 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 31 Jan 2021 07:56:58 +0000 Subject: [PATCH 15/54] Bumped chart and tf provider versions --- terraform/providers.tf | 4 ++-- terraform/variables.tf | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/providers.tf b/terraform/providers.tf index 0bc8a5b..5823777 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -17,7 +17,7 @@ terraform { kubernetes = "2.0.1" # https://github.com/terraform-providers/terraform-provider-azuread/releases - azuread = "1.2.2" + azuread = "1.3.0" random = "~> 2.2" # ~> 2.2 = 2.X.Y tls = "~> 2.1" @@ -30,7 +30,7 @@ terraform { # must include blank features block # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { - version = "2.44.0" + version = "2.45.1" features {} } diff --git a/terraform/variables.tf b/terraform/variables.tf index 15bfc10..e0545d2 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -21,7 +21,7 @@ variable "kubernetes_version" { # helm search repo ingress-nginx/ingress-nginx # * also update terraform/helm/nginx_values.yaml variable "nginx_chart_version" { - default = "3.20.1" + default = "3.22.0" } # https://hub.helm.sh/charts/jetstack/cert-manager @@ -54,7 +54,7 @@ variable "nexus_chart_version" { # https://github.com/SparebankenVest/public-helm-charts/blob/master/stable/akv2k8s/Chart.yaml#L5 # helm search repo spv-charts/akv2k8s variable "akv2k8s_chart_version" { - default = "1.1.26" + default = "1.1.28" } # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 
@@ -67,7 +67,7 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "4.5.4" + default = "4.6.0" } # https://github.com/weaveworks/kured/tree/master/charts/kured @@ -86,7 +86,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "2.11.3" + default = "2.11.6" } # https://hub.docker.com/r/argoproj/argocd/tags From b03ba0838a9c9124dc0ab798d0a8ae0e6a48d9df Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 31 Jan 2021 07:57:36 +0000 Subject: [PATCH 16/54] Removed argo AAD config --- terraform/argocd_aad.tf | 175 ---------------------------------------- 1 file changed, 175 deletions(-) delete mode 100644 terraform/argocd_aad.tf diff --git a/terraform/argocd_aad.tf b/terraform/argocd_aad.tf deleted file mode 100644 index be4a1eb..0000000 --- a/terraform/argocd_aad.tf +++ /dev/null 
@@ -1,175 +0,0 @@ -# TODO: remove temp outputs -data "azuread_application" "argocd_manual" { - display_name = "AR-Dev_ArgoCD" -} - -output "azure_app_object_manual" { - value = data.azuread_application.argocd_manual -} - -data "azuread_service_principal" "argocd_manual" { - display_name = "AR-Dev_ArgoCD" -} - -output "azure_sp_object_manual" { - value = data.azuread_service_principal.argocd_manual -} - -output "azure_ad_object_argocd" { - value = azuread_application.argocd -} - -# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application -resource "azuread_application" "argocd" { - display_name = "ArgoCD" - prevent_duplicate_names = true - homepage = "https://argocd.${var.dns_zone_name}" - identifier_uris = ["https://argocd.${var.dns_zone_name}/api/dex/callback"] - reply_urls = ["https://argocd.${var.dns_zone_name}/api/dex/callback"] - available_to_other_tenants = false - oauth2_allow_implicit_flow = false - type = "webapp/api" - # owners = ["00000004-0000-0000-c000-000000000000"] - group_membership_claims = "All" - - # TODO: are "required_resource_access" blocks needed? - # required_resource_access { - # # Microsoft Graph App ID - # resource_app_id = "00000003-0000-0000-c000-000000000000" - - # resource_access { - # id = "..." - # type = "Role" - # } - - # resource_access { - # id = "..." - # type = "Scope" - # } - - # resource_access { - # id = "..." - # type = "Scope" - # } - # } - - # required_resource_access { - # # AAD Graph API App ID - # resource_app_id = "00000002-0000-0000-c000-000000000000" - - # resource_access { - # id = "..." 
- # type = "Scope" - # } - # } - - app_role { - allowed_member_types = [ - "User" - ] - - description = "User" - display_name = "User" - is_enabled = true - # value = "" - } - - app_role { - allowed_member_types = [ - "User" - ] - - description = "msiam_access" - display_name = "msiam_access" - is_enabled = true - } - - - // We need to wait because Azure Graph API returns a 200 before its call-able #eventualconsistancy... - provisioner "local-exec" { - command = "sleep 20" - } - //https://github.com/Azure/azure-cli/issues/7579 - //Add metadata URL - // provisioner "local-exec" { - // command = "az ad app update --id ${self.application_id} --set samlMetadataUrl=${var.saml_metadata_url}" - // } - // We need to wait because Azure Graph API returns a 200 before its call-able #eventualconsistancy... - // provisioner "local-exec" { - // command = "sleep 5" - // } - //https://github.com/Azure/azure-cli/issues/12946 - //https://github.com/Azure/azure-cli/issues/11534 - //https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims - //Optional Claims for tokens - # provisioner "local-exec" { - # command = "az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/${self.object_id}' --body '{\"optionalClaims\": {\"saml2Token\": [{\"name\": \"groups\", \"additionalProperties\": [\"sam_account_name\"]}]}}'" - # } - - - # oauth2_permissions { - # admin_consent_description = "Allow the application to access Argo CD on behalf of the signed-in user." - # admin_consent_display_name = "Access Argo CD on behalf of the signed-in user" - # is_enabled = true - # type = "User" - # user_consent_description = "Allow the application to access Argo CD on your behalf." 
- # user_consent_display_name = "Access Argo CD" - # value = "user_impersonation" - # } - - # oauth2_permissions { - # admin_consent_description = "Administer the example application" - # admin_consent_display_name = "Administer" - # is_enabled = true - # type = "Admin" - # value = "administer" - # } - - optional_claims { - access_token { - name = "email" - } - - # access_token { - # name = "otherclaim" - # } - - id_token { - name = "userprincipalname" - source = "user" - essential = true - # additional_properties = ["emit_as_roles"] - } - } -} - -# Test adding SP to make an Enterprise App -# resource "azuread_service_principal" "this" { -# application_id = azuread_application.argocd.application_id -# tags = [ -# # "AppServiceIntegratedApp", -# "WindowsAzureActiveDirectoryIntegratedApp", -# ] -# } - -# TODO: change id to argocd -resource "azuread_service_principal" "this" { - //https://github.com/Azure/azure-cli/issues/9250 - application_id = azuread_application.argocd.application_id - tags = [ - "WindowsAzureActiveDirectoryIntegratedApp", - "WindowsAzureActiveDirectoryCustomSingleSignOnApplication", - "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1" - ] - // We need to wait because Azure Graph API returns a 200 before its call-able #eventualconsistancy... - provisioner "local-exec" { - command = "sleep 20" - } - provisioner "local-exec" { - command = "az ad sp update --id ${azuread_application.argocd.application_id} --set preferredSingleSignOnMode='saml'" - } - # depends_on = [ - # azuread_application.argocd - # ] -} - From 3f7e216ee264021513558337bafa7fd93a73bcb1 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 31 Jan 2021 22:33:54 +0000 Subject: [PATCH 17/54] Update build.yml --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 16a6442..b52617c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -157,10 +157,10 @@ jobs:
 # env:
 # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
- - name: Terraform Lint
- run: ./scripts/tflint.sh
- env:
- TF_WORKING_DIR: ${{ env.TF_WORKING_DIR }}
+ #- name: Terraform Lint
+ #run: ./scripts/tflint.sh
+ #env:
+ # TF_WORKING_DIR: ${{ env.TF_WORKING_DIR }}
 
 - name: Terraform Plan
 id: plan

From 11a5943d15533e7da5055b929142783059f6f250 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 07:10:35 +0000
Subject: [PATCH 18/54] Added tflint versions

---
 .github/workflows/build.yml | 16 ++++------------
 scripts/tflint.sh | 7 +++++--
 2 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b52617c..d76c8f4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -149,18 +149,10 @@ jobs:
 # filter_mode: "nofilter" # Optional. Check all files, not just the diff
 # flags: "--module" # Optional. Add custom tflint flags
 
- # - name: Terraform Lint
- # uses: rickardl/tflint-action@v1.5
- # with:
- # tflint_action_comment: true
- # tflint_action_folder: ${{ env.TF_WORKING_DIR }}
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- #- name: Terraform Lint
- #run: ./scripts/tflint.sh
- #env:
- # TF_WORKING_DIR: ${{ env.TF_WORKING_DIR }}
+ - name: Terraform Lint
+ run: ./scripts/tflint.sh
+ env:
+ TF_WORKING_DIR: ${{ env.TF_WORKING_DIR }}
 
 - name: Terraform Plan
 id: plan
diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index 26bfcf6..52d200b 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -8,15 +8,18 @@ trap "echo 'error: Script failed: see failed command above'" ERR
 
 # vars
 DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days")
+# Set local vars from env var, with default fallbacks
+TFLINT_VERSION="${TFLINT_VERSION:-v0.23.1}"
+TFLINT_RULESET_AZURERM_VERSION="${TFLINT_RULESET_AZURERM_VERSION:-v0.7.0}"
 
 message="Downloading tflint and azurerm plugin"
 echo "STARTED: $message..."
 
 # download tflint
-curl -L "$(curl -Ls https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" -o tflint.zip && unzip tflint.zip && rm tflint.zip
+curl -L "https://github.com/terraform-linters/tflint/releases/download/$TFLINT_VERSION/tflint_linux_amd64.zip" -o tflint.zip && unzip tflint.zip && rm tflint.zip
 
 # download tflint-ruleset-azurerm plugin
-curl -L "$(curl -Ls https://api.github.com/repos/terraform-linters/tflint-ruleset-azurerm/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" -o tflint-ruleset-azurerm_linux_amd64.zip && unzip tflint-ruleset-azurerm_linux_amd64.zip && rm tflint-ruleset-azurerm_linux_amd64.zip
+curl -L "https://github.com/terraform-linters/tflint-ruleset-azurerm/releases/download/$TFLINT_RULESET_AZURERM_VERSION/tflint-ruleset-azurerm_linux_amd64.zip" -o tflint-ruleset-azurerm_linux_amd64.zip && unzip tflint-ruleset-azurerm_linux_amd64.zip && rm tflint-ruleset-azurerm_linux_amd64.zip
 
 # move tflint-ruleset-azurerm plugin to correct path
 install -D -m 777 tflint-ruleset-azurerm ./.tflint.d/plugins/tflint-ruleset-azurerm

From 944ab4395b6c9266e14a183c9142f661a1629cb3 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 07:31:02 +0000
Subject: [PATCH 19/54] Added tflint version env vars

---
 .github/workflows/build.yml | 18 +++++++----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d76c8f4..fa8c453 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
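Review bot: The two new `curl -L` lines fetch release zips and the plugin is unpacked and installed straight from them with no integrity check, so a swapped or tampered artifact at that URL would run in CI with the workflow's Azure credentials; pinning `$TFLINT_VERSION` fixes reproducibility, not integrity. Verify each archive against a pinned digest before unpacking, e.g. `echo "<pinned-sha256>  tflint.zip" | sha256sum -c -` between the download and the `unzip` (and the same for the ruleset zip). The unchanged `install -D -m 777` at the end of the hunk also leaves the plugin binary world-writable on the runner; `-m 755` is enough for tflint to load it.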
@@ -59,6 +59,10 @@ env:
 TF_PLAN: "tfplan"
 TF_VERSION: "0.12.30" # "latest" is supported
 TF_WORKING_DIR: ./terraform
+ # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases
+ TFLINT_RULESET_AZURERM_VERSION: "v0.8.1"
+ # https://github.com/terraform-linters/tflint/releases
+ TFLINT_VERSION: "v0.24.0"
 
 # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:
 # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489
@@ -139,20 +143,12 @@ jobs:
 terraform validate
 working-directory: ${{ env.TF_WORKING_DIR }}
 
- # - name: tflint
- # uses: reviewdog/action-tflint@v1.4.2
- # with:
- # github_token: ${{ secrets.github_token }}
- # working_directory: ${{ env.TF_WORKING_DIR }}
- # reporter: github-pr-check # Optional. Change reporter
- # fail_on_error: "true" # Optional. Fail action if errors are found
- # filter_mode: "nofilter" # Optional. Check all files, not just the diff
- # flags: "--module" # Optional. Add custom tflint flags
-
 - name: Terraform Lint
 run: ./scripts/tflint.sh
 env:
 TF_WORKING_DIR: ${{ env.TF_WORKING_DIR }}
+ TFLINT_RULESET_AZURERM_VERSION: ${{ env.TFLINT_RULESET_AZURERM_VERSION }}
+ TFLINT_VERSION: ${{ env.TFLINT_VERSION }}
 
 - name: Terraform Plan
 id: plan
@@ -180,8 +176,8 @@ jobs:
 run: ./scripts/wait.sh
+ # Ansible
 # TODO: enable Ansible Lint once this issue has been resolved: https://github.com/ansible/ansible-lint-action/issues/36
- # # Ansible
 # - name: Lint Ansible Playbook
 # uses: ansible/ansible-lint-action@6c8c141
 # with:

From 38608252385b8cf1322ed6bb7dd8936989db9c53 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 07:31:08 +0000
Subject: [PATCH 20/54] Removed old code

---
 .github/workflows/destroy.yml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml
index a9c5596..2018693 100644
--- a/.github/workflows/destroy.yml
+++ b/.github/workflows/destroy.yml
@@ -89,12 +89,6 @@ jobs:
 echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV
 echo "VELERO_STORAGE_RG=${{ env.PREFIX }}-rg-velero-dev-001" >> $GITHUB_ENV
 
- # # Show event info
- # - name: Show triggered event data
- # run: pwsh -command "./scripts/Get-EventData.ps1"
- # env:
- # GITHUB_CONTEXT: ${{ toJson(github) }}
-
 # Login
 - name: Login to Azure
 run: ./scripts/azure_login.sh

From 1ffd4332088c275eb6f7fb05a87d725797e3f133 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 07:31:23 +0000
Subject: [PATCH 21/54] Added versions in logs

---
 scripts/tflint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index 52d200b..2b833ac 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -12,7 +12,7 @@ DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days")
 TFLINT_VERSION="${TFLINT_VERSION:-v0.23.1}"
 TFLINT_RULESET_AZURERM_VERSION="${TFLINT_RULESET_AZURERM_VERSION:-v0.7.0}"
 
-message="Downloading tflint and azurerm plugin"
+message="Downloading tflint ($TFLINT_VERSION) and azurerm plugin ($TFLINT_RULESET_AZURERM_VERSION)"
 echo "STARTED: $message..."
 
 # download tflint

From 15cb3879877673b5ef8647354f35062688fdca96 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 07:41:10 +0000
Subject: [PATCH 22/54] Removed tflint DISABLED_RULES

---
 scripts/tflint.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index 2b833ac..fd404af 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -7,7 +7,8 @@ set -euo pipefail
 trap "echo 'error: Script failed: see failed command above'" ERR
 
 # vars
-DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days")
+# DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days")
+DISABLED_RULES=("")
 # Set local vars from env var, with default fallbacks
 TFLINT_VERSION="${TFLINT_VERSION:-v0.23.1}"
 TFLINT_RULESET_AZURERM_VERSION="${TFLINT_RULESET_AZURERM_VERSION:-v0.7.0}"

From 2a0293b8c0f61b9d64b6c82c76971eec305155c0 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 08:08:43 +0000
Subject: [PATCH 23/54] Changed tflint versions

---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fa8c453..afcca54 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -60,9 +60,9 @@ env:
 TF_VERSION: "0.12.30" # "latest" is supported
 TF_WORKING_DIR: ./terraform
 # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases
- TFLINT_RULESET_AZURERM_VERSION: "v0.8.1"
+ TFLINT_RULESET_AZURERM_VERSION: "v0.7.0"
 # https://github.com/terraform-linters/tflint/releases
- TFLINT_VERSION: "v0.24.0"
+ TFLINT_VERSION: "v0.23.1"
 
 # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:
 # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489

From 553b6978de5c2fedbe6ea5e15de3a636597fc07d Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 08:10:12 +0000
Subject: [PATCH 24/54] Added dynamic flags

---
 scripts/tflint.sh | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index fd404af..6ef10b6 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -7,8 +7,9 @@ set -euo pipefail
 trap "echo 'error: Script failed: see failed command above'" ERR
 
 # vars
+export TFLINT_LOG=debug
 # DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days")
-DISABLED_RULES=("")
+DISABLED_RULES=()
 # Set local vars from env var, with default fallbacks
 TFLINT_VERSION="${TFLINT_VERSION:-v0.23.1}"
 TFLINT_RULESET_AZURERM_VERSION="${TFLINT_RULESET_AZURERM_VERSION:-v0.7.0}"
@@ -38,6 +39,16 @@ plugin "azurerm" {
 EOF
 cat .tflint.hcl
 
+# add dynamic flags
+TF_FLAGS=("$TF_WORKING_DIR")
+
+if [ ${#DISABLED_RULES[@]} -gt 0 ]; then
+ echo "Adding DISABLED_RULES..."
+
+ # expand array for disabled rules
+ TF_FLAGS+=(--disable-rule="${DISABLED_RULES[*]}")
+fi
+
 # run tflint
-# expand array for disabled rules
-TFLINT_LOG=debug ./tflint "$TF_WORKING_DIR" --disable-rule="${DISABLED_RULES[*]}"
+# TFLINT_LOG=debug ./tflint "$TF_WORKING_DIR" --disable-rule="${DISABLED_RULES[*]}"
+./tflint "${TF_FLAGS[@]}"

From cdb5a0f86e65090314197f5fd22f42ef9fd14cfc Mon Sep 17 00:00:00 2001
From: Adam R
ush
Date: Mon, 1 Feb 2021 08:16:59 +0000
Subject: [PATCH 25/54] Improved dynamic flags

---
 scripts/tflint.sh | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index 6ef10b6..8fd8aa1 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -13,6 +13,17 @@ DISABLED_RULES=()
 # Set local vars from env var, with default fallbacks
 TFLINT_VERSION="${TFLINT_VERSION:-v0.23.1}"
 TFLINT_RULESET_AZURERM_VERSION="${TFLINT_RULESET_AZURERM_VERSION:-v0.7.0}"
+TF_FLAGS=("$TF_WORKING_DIR")
+
+# use dynamic flags
+if [ ${#DISABLED_RULES[@]} -gt 0 ]; then
+ echo "Excluding DISABLED_RULES [${DISABLED_RULES[*]}]..."
+
+ # expand array for disabled rules
+ TF_FLAGS+=(--disable-rule="${DISABLED_RULES[*]}")
+else
+ echo "DISABLED_RULES were not defined. Skipping."
+fi
 
 message="Downloading tflint ($TFLINT_VERSION) and azurerm plugin ($TFLINT_RULESET_AZURERM_VERSION)"
 echo "STARTED: $message..."
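Review bot: `TF_FLAGS+=(--disable-rule="${DISABLED_RULES[*]}")` in the new `if` block joins every array entry with a space into one flag value, so with two or more rules tflint receives a single unknown rule name rather than several `--disable-rule` flags; the same line is carried unchanged into the next commit's hunk. Append one flag per element instead: `for rule in "${DISABLED_RULES[@]}"; do TF_FLAGS+=(--disable-rule="$rule"); done` (the per-element loop adopted later in this series has that shape). The `export TFLINT_LOG=debug` added in the first hunk also turns on debug output for every CI run of the script; consider dropping it once the flag handling is settled, or gating it on an opt-in variable.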
@@ -39,16 +50,6 @@ plugin "azurerm" {
 EOF
 cat .tflint.hcl
 
-# add dynamic flags
-TF_FLAGS=("$TF_WORKING_DIR")
-
-if [ ${#DISABLED_RULES[@]} -gt 0 ]; then
- echo "Adding DISABLED_RULES..."
-
- # expand array for disabled rules
- TF_FLAGS+=(--disable-rule="${DISABLED_RULES[*]}")
-fi
-
 # run tflint
 # TFLINT_LOG=debug ./tflint "$TF_WORKING_DIR" --disable-rule="${DISABLED_RULES[*]}"
 ./tflint "${TF_FLAGS[@]}"

From 472de3c72fcf28126d8fd065bc908ce02acf89a6 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 08:26:12 +0000
Subject: [PATCH 26/54] Testing single tflint rule to disable

---
 scripts/tflint.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index 8fd8aa1..e26ab25 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -7,13 +7,13 @@ set -euo pipefail
 trap "echo 'error: Script failed: see failed command above'" ERR
 
 # vars
-export TFLINT_LOG=debug
-# DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days")
-DISABLED_RULES=()
 # Set local vars from env var, with default fallbacks
 TFLINT_VERSION="${TFLINT_VERSION:-v0.23.1}"
 TFLINT_RULESET_AZURERM_VERSION="${TFLINT_RULESET_AZURERM_VERSION:-v0.7.0}"
 TF_FLAGS=("$TF_WORKING_DIR")
+export TFLINT_LOG=debug
+# use empty array to skip adding disabled rules, eg: "DISABLED_RULES=()"
+DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days")
 
 # use dynamic flags
 if [ ${#DISABLED_RULES[@]} -gt 0 ]; then

From e5279a7cfebf3a52b991fb9bb42997913a81db80 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 08:32:27 +0000
Subject: [PATCH 27/54] Added multiple rules to disable

---
 scripts/tflint.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index e26ab25..e03b0b4 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -1,6 +1,7 @@
 #! /usr/bin/env bash
 #
 # installs and runs tflint with tflint-ruleset-azurerm plugin
+# rules: https://github.com/terraform-linters/tflint-ruleset-azurerm/blob/master/docs/rules/
 
 # ensure strict mode and predictable failure
 set -euo pipefail
@@ -13,11 +14,11 @@ TFLINT_RULESET_AZURERM_VERSION="${TFLINT_RULESET_AZURERM_VERSION:-v0.7.0}"
 TF_FLAGS=("$TF_WORKING_DIR")
 export TFLINT_LOG=debug
 # use empty array to skip adding disabled rules, eg: "DISABLED_RULES=()"
-DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days")
+DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days" "azurerm_kubernetes_cluster_node_pool_invalid_vm_size")
 
 # use dynamic flags
 if [ ${#DISABLED_RULES[@]} -gt 0 ]; then
- echo "Excluding DISABLED_RULES [${DISABLED_RULES[*]}]..."
+ echo "DISABLED_RULES were defined: [${DISABLED_RULES[*]}]."
 
 # expand array for disabled rules
 TF_FLAGS+=(--disable-rule="${DISABLED_RULES[*]}")

From ad90ea8a281df40c87bffa4d8301c31456b3fc28 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 08:49:01 +0000
Subject: [PATCH 28/54] Testing multiple array elements

---
 scripts/tflint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index e03b0b4..46d037d 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -21,7 +21,7 @@ if [ ${#DISABLED_RULES[@]} -gt 0 ]; then
 echo "DISABLED_RULES were defined: [${DISABLED_RULES[*]}]."
 
 # expand array for disabled rules
- TF_FLAGS+=(--disable-rule="${DISABLED_RULES[*]}")
+ TF_FLAGS+=(--disable-rule=${DISABLED_RULES[*]})
 else
 echo "DISABLED_RULES were not defined. Skipping."
 fi

From d4010d088ebe839696f5e1a679a357ce025b4653 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 08:53:26 +0000
Subject: [PATCH 29/54] Testing multiple array elements

---
 scripts/tflint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index 46d037d..786ef86 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -21,7 +21,7 @@ if [ ${#DISABLED_RULES[@]} -gt 0 ]; then
 echo "DISABLED_RULES were defined: [${DISABLED_RULES[*]}]."
 
 # expand array for disabled rules
- TF_FLAGS+=(--disable-rule=${DISABLED_RULES[*]})
+ TF_FLAGS+=(--disable-rule=(${DISABLED_RULES[*]}))
 else
 echo "DISABLED_RULES were not defined. Skipping."
 fi

From a4c60898c282c81cad6ab04755f308ba17ef52d1 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 09:05:22 +0000
Subject: [PATCH 30/54] Added repeat flag multiple times

---
 scripts/tflint.sh | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index 786ef86..8d77523 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -21,7 +21,15 @@ if [ ${#DISABLED_RULES[@]} -gt 0 ]; then
 echo "DISABLED_RULES were defined: [${DISABLED_RULES[*]}]."
 
 # expand array for disabled rules
- TF_FLAGS+=(--disable-rule=(${DISABLED_RULES[*]}))
+ # ! DOES NOT WORK
+ # TF_FLAGS+=(--disable-rule=(${DISABLED_RULES[*]}))
+
+ # repeat flag multiple times
+ for rule in "${DISABLED_RULES[@]}"; do
+ echo "$rule"
+ TF_FLAGS+=(--disable-rule="$rule")
+ done
+
 else
 echo "DISABLED_RULES were not defined. Skipping."
 fi
@@ -53,4 +61,5 @@ cat .tflint.hcl
 
 # run tflint
 # TFLINT_LOG=debug ./tflint "$TF_WORKING_DIR" --disable-rule="${DISABLED_RULES[*]}"
+echo "Running tflint with the following flags: [$TF_FLAGS]"
 ./tflint "${TF_FLAGS[@]}"

From 972fe8910ce8a80fa08faffba38e0a7dab238159 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 09:29:19 +0000
Subject: [PATCH 31/54] Remove old comments

---
 scripts/tflint.sh | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index 8d77523..2d90772 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -14,16 +14,12 @@ TFLINT_RULESET_AZURERM_VERSION="${TFLINT_RULESET_AZURERM_VERSION:-v0.7.0}"
 TF_FLAGS=("$TF_WORKING_DIR")
 export TFLINT_LOG=debug
 # use empty array to skip adding disabled rules, eg: "DISABLED_RULES=()"
-DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days" "azurerm_kubernetes_cluster_node_pool_invalid_vm_size")
+DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days")
 
 # use dynamic flags
 if [ ${#DISABLED_RULES[@]} -gt 0 ]; then
 echo "DISABLED_RULES were defined: [${DISABLED_RULES[*]}]."
 
- # expand array for disabled rules
- # ! DOES NOT WORK
- # TF_FLAGS+=(--disable-rule=(${DISABLED_RULES[*]}))
-
 # repeat flag multiple times
 for rule in "${DISABLED_RULES[@]}"; do
 echo "$rule"
@@ -60,6 +56,5 @@ EOF
 cat .tflint.hcl
 
 # run tflint
-# TFLINT_LOG=debug ./tflint "$TF_WORKING_DIR" --disable-rule="${DISABLED_RULES[*]}"
-echo "Running tflint with the following flags: [$TF_FLAGS]"
+echo "Running tflint with the following flags: [${TF_FLAGS[*]}]"
 ./tflint "${TF_FLAGS[@]}"

From 11fd7470a75171f232ba531624022069c46f3fbe Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 09:36:58 +0000
Subject: [PATCH 32/54] Added array count

---
 scripts/tflint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index 2d90772..9426e60 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -18,7 +18,7 @@ DISABLED_RULES=("azurerm_log_analytics_workspace_invalid_retention_in_days")
 
 # use dynamic flags
 if [ ${#DISABLED_RULES[@]} -gt 0 ]; then
- echo "DISABLED_RULES were defined: [${DISABLED_RULES[*]}]."
+ echo "${#DISABLED_RULES[@]} DISABLED_RULES were defined: [${DISABLED_RULES[*]}]."
 
 # repeat flag multiple times
 for rule in "${DISABLED_RULES[@]}"; do

From cf44f305acf6507ea7ffc9485aec09b9bd776cc5 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Mon, 1 Feb 2021 09:40:51 +0000
Subject: [PATCH 33/54] Changed logging

---
 scripts/tflint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index 9426e60..77e5ea1 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -22,7 +22,7 @@ if [ ${#DISABLED_RULES[@]} -gt 0 ]; then
 
 # repeat flag multiple times
 for rule in "${DISABLED_RULES[@]}"; do
- echo "$rule"
+ echo "Adding [$rule] to flags"
 TF_FLAGS+=(--disable-rule="$rule")
 done
 

From 64fbf097033e68f94e039810fb1422047c192a8b Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Tue, 2 Feb 2021 07:04:33 +0000
Subject: [PATCH 34/54] Bumped TFLINT versions

---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index afcca54..d6f06a5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -60,9 +60,9 @@ env:
 TF_VERSION: "0.12.30" # "latest" is supported
 TF_WORKING_DIR: ./terraform
 # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases
- TFLINT_RULESET_AZURERM_VERSION: "v0.7.0"
+ TFLINT_RULESET_AZURERM_VERSION: "v0.8.2"
 # https://github.com/terraform-linters/tflint/releases
- TFLINT_VERSION: "v0.23.1"
+ TFLINT_VERSION: "v0.24.1"
 
 # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:
 # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489

From 6438b4e7ba102330e72f03d8c2445dd8d73eab6e Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sun, 7 Feb 2021 07:54:01 +0000
Subject: [PATCH 35/54] Added Argo CD SSO example

---
 .gitignore | 4 +-
 terraform/argocd_sso/README.md | 208 +++++++++++++++++++++++++++++
 terraform/argocd_sso/argocd_aad.tf | 145 ++++++++++++++++++++
 terraform/argocd_sso/sso_claims.sh | 62 +++++++++
 terraform/argocd_sso/tf_test.ps1 | 16 +++
 5 files changed, 434 insertions(+), 1 deletion(-)
 create mode 100644 terraform/argocd_sso/README.md
 create mode 100644 terraform/argocd_sso/argocd_aad.tf
 create mode 100644 terraform/argocd_sso/sso_claims.sh
 create mode 100644 terraform/argocd_sso/tf_test.ps1

diff --git a/.gitignore b/.gitignore
index 07fe551..b07bc59 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,11 @@
 # Misc
-terraform/.terraform
+.terraform
+terraform.tfstate*
 localonly
 credentials*
 /temp
 *.egg-info
+*.cer
 
 # Azure Functions artifacts
 bin
diff --git a/terraform/argocd_sso/README.md b/terraform/argocd_sso/README.md
new file mode 100644
index 0000000..72d2d84
--- /dev/null
+++ b/terraform/argocd_sso/README.md
@@ -0,0 +1,208 @@ + +# Argo CD Notes + +A collection of notes whilst testing Argo CD. + +Full SSO configuration currently cannot be done with Terraform, so I've partial automated the Application Registration, +and it's Service Principle (which makes an "Enterprise App"), but there are manual steps afterwards: + +- Add `Sign on URL` +- Add `email` User Claim +- Create `SAML Signing Cert` +- Download SAML cert (base64), ready for the ConfigMap yaml +- Create yaml ConfigMaps for SSO and RBAC +- Apply ConfigMaps + + +## Contents + +- [Reference](#reference) +- [Getting Started](#getting-started) +- [Add Repository](#add-repository) +- [Configure SSO for Argo CD](#configure-sso-for-argo-cd) + +## Reference + +- https://github.com/argoproj/argo-cd/blob/master/docs/faq.md#i-forgot-the-admin-password-how-do-i-reset-it + +## Getting Started + +Use `--grpc-web` if you get the `argocd transport: received the unexpected content-type "text/plain; charset=utf-8"` error + +```bash +# vars +ARGO_SERVER="argocd.thehypepipe.co.uk" + +# install +VERSION=$(curl --silent "https://api.github.com/repos/argoproj/argo-cd/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/') +sudo curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64 +sudo chmod +x /usr/local/bin/argocd + +# show version +argocd version --grpc-web --server "$ARGO_SERVER" + +# get admin password +# default password is server pod name, eg: "argocd-server-89c6cd7d4-h7vmn" +ARGO_ADMIN_PASSWORD=$(kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2) + +# login +argocd logout -h +argocd logout "$ARGO_SERVER" +argocd login -h +argocd login "$ARGO_SERVER" --grpc-web --username admin --password "$ARGO_ADMIN_PASSWORD" + +# change password +read -s NEW_ARGO_ADMIN_PASSWORD +# echo "$NEW_ARGO_ADMIN_PASSWORD" +argocd account update-password --grpc-web -h +argocd account update-password --grpc-web --account admin 
--current-password "$ARGO_ADMIN_PASSWORD" --new-password "$NEW_ARGO_ADMIN_PASSWORD" + +# test new admin password +argocd logout "$ARGO_SERVER" +argocd login "$ARGO_SERVER" --grpc-web --username admin --password "$NEW_ARGO_ADMIN_PASSWORD" + +# account tasks +argocd account list +argocd account -h + +# misc +argocd -h +``` + +## Add Repository + +```bash +# Add a Git repository via SSH using a private key for authentication, ignoring the server's host key +# argocd repo add git@github.com:adamrushuk/charts-private.git --insecure-ignore-host-key --ssh-private-key-path ~/.ssh/id_ed25519 +argocd repo add -h +argocd repo add git@github.com:adamrushuk/charts-private.git --ssh-private-key-path ~/.ssh/id_ed25519 + +# add known_host entries for private git server +ssh-keyscan gitlab.thehypepipe.co.uk | argocd cert add-ssh --batch + +# create ssh key for private git repo access +# ~/.ssh/id_ed25519 +ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_argocd -C "argocd@gitlab.thehypepipe.co.uk" +ll ~/.ssh + +# check public key fingerprint +ssh-keygen -lf ~/.ssh/id_ed25519_argocd.pub + +# copy public key and enter into source git repo settings +# eg, GitLab repo deploy key: https://gitlab.thehypepipe.co.uk/helm-charts/-/settings/repository > Deploy Keys +cat ~/.ssh/id_ed25519_argocd.pub + +# add helm chart repository +argocd repo add git@gitlab.thehypepipe.co.uk/helm-charts.git --ssh-private-key-path ~/.ssh/id_ed25519_argocd + +# show repo +argocd repo list +``` + +## Configure SSO for Argo CD + +https://argoproj.github.io/argo-cd/operator-manual/user-management/microsoft/ + +```bash +# subscription where ArgoCD is deployed +AR-Dev + +# created new AAD groups, eg: +AR-Dev_ArgoCD_Admin +AR-Dev_ArgoCD_ReadOnly + +# created argo enterprise app +AR-Dev_ArgoCD + + +# Basic SAML Configuration +# Identifier (Entity ID) +https://argocd.thehypepipe.co.uk/api/dex/callback +# Reply URL (Assertion Consumer Service URL) +https://argocd.thehypepipe.co.uk/api/dex/callback +# Sign on URL 
+https://argocd.thehypepipe.co.uk/auth/login + +# User Attributes & Claims +# + Add new claim | Name: email | Source: Attribute | Source attribute: user.userprincipalname ++ Add new claim | Name: email | Source: Attribute | Source attribute: user.primaryauthoritativeemail + ++ Add group claim | Which groups: All groups | Source attribute: Group ID | Customize: True | Name: Group | Namespace: | Emit groups as role claims: False + +# Create a "Sign SAML assertion" SAML Signing Cert (SHA-256) +# Download and base64 the cert, ready for the ConfigMap yaml +cat /mnt/c/Users/adamr/code/devops-lab/terraform/argocd_sso/ArgoCD.cer | base64 | clip.exe + +# Login URL (ssoURL) +https://login.microsoftonline.com//saml2 +# Azure AD Identifier +https://sts.windows.net// +# Logout URL +https://login.microsoftonline.com//saml2 + + +# SSO: User Attributes & Claims +# select user.userprincipalname instead of user.mail ++ Add new claim | Name: email | Source: Attribute | Source attribute: user.userprincipalname + + + + +## Create RBAC patch ## +# RBAC vars +ARGO_ADMIN_GROUP_NAME="AR-Dev_ArgoCD_Admins" +ARGO_ADMIN_GROUP_ID=$(az ad group show --group "$ARGO_ADMIN_GROUP_NAME" --query "objectId" --output tsv) + +# Create RBAC patch yaml +cat > argocd-rbac-cm-patch.yaml << EOF +# Patch ConfigMap to add RBAC config +data: + policy.default: role:readonly + + # Map AAD Group Object Id to an Argo CD role + # (Nested groups work fine) + # g, , role:admin + policy.csv: | + g, $ARGO_ADMIN_GROUP_ID, role:admin +EOF + +# Apply RBAC patch for default admin and readonly roles +kubectl patch configmap/argocd-rbac-cm --namespace argocd --type merge --patch "$(cat argocd-rbac-cm-patch.yaml)" + + + +## Create SSO patch yaml ## +# SSO vars +ARGO_FQDN="argocd.thehypepipe.co.uk" +TENANT_ID=$(az account show --query "tenantId" --output tsv) +# assumes SAML Signing Certificate has been downloaded/saved as "ArgoCD.cer" (choosing Certificate (Base64) option) +SAML_CERT_BASE64=$(cat ArgoCD.cer | base64) +echo 
$SAML_CERT_BASE64 + +cat > argocd-cm-sso-patch.yaml << EOF +# Patch ConfigMap to add dex SSO config +# source: https://argoproj.github.io/argo-cd/operator-manual/user-management/microsoft/ +data: + dex.config: | + logger: + level: debug + format: json + connectors: + - type: saml + id: saml + name: saml + config: + entityIssuer: https://$ARGO_FQDN/api/dex/callback + ssoURL: https://login.microsoftonline.com/$TENANT_ID/saml2 + caData: | + $SAML_CERT_BASE64 + redirectURI: https://$ARGO_FQDN/api/dex/callback + usernameAttr: email + emailAttr: email + groupsAttr: Group +EOF + +# Apply SSO patch +kubectl patch configmap/argocd-cm --namespace argocd --type merge --patch "$(cat argocd-cm-sso-patch.yaml)" + +``` diff --git a/terraform/argocd_sso/argocd_aad.tf b/terraform/argocd_sso/argocd_aad.tf new file mode 100644 index 0000000..e413157 --- /dev/null +++ b/terraform/argocd_sso/argocd_aad.tf 
@@ -0,0 +1,145 @@
+provider "azurerm" {
+ version = "2.44.0"
+ features {}
+}
+
+variable "dns_zone_name" {
+ default = "thehypepipe.co.uk"
+}
+
+variable "admin_consent" {
+ default = true
+}
+
+
+# TODO: remove temp outputs
+# data "azuread_application" "argocd_manual" {
+# display_name = "AR-Dev_ArgoCD"
+# }
+
+# output "azure_app_object_manual" {
+# value = data.azuread_application.argocd_manual
+# }
+
+# data "azuread_service_principal" "argocd_manual" {
+# display_name = "AR-Dev_ArgoCD"
+# }
+
+# output "azure_sp_object_manual" {
+# value = data.azuread_service_principal.argocd_manual
+# }
+
+output "azure_ad_object_argocd" {
+ value = azuread_application.argocd
+}
+output "azure_sp_object_argocd" {
+ value = azuread_service_principal.argocd
+}
+
+# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application
+# source: https://github.com/hashicorp/terraform-provider-azuread/issues/173#issuecomment-663727531
+resource "azuread_application" "argocd" {
+ display_name = "ArgoCD"
+ prevent_duplicate_names = true
+ homepage = "https://argocd.${var.dns_zone_name}"
+ identifier_uris = ["https://argocd.${var.dns_zone_name}/api/dex/callback"]
+ reply_urls = ["https://argocd.${var.dns_zone_name}/api/dex/callback"]
+ available_to_other_tenants = false
+ oauth2_allow_implicit_flow = true
+ # type = "webapp/api"
+ # owners = ["00000004-0000-0000-c000-000000000000"]
+ group_membership_claims = "All"
+
+ required_resource_access {
+ //https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
+ resource_app_id = "00000003-0000-0000-c000-000000000000"
+ resource_access {
+ id = "5f8c59db-677d-491f-a6b8-5f174b11ec1d"
+ type = "Scope"
+ }
+ resource_access {
+ id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
+ type = "Scope"
+ }
+ }
+
+ app_role {
+ allowed_member_types = [
+ "User"
+ ]
+
+ description = "User"
+ display_name = "User"
+ is_enabled = true
+ }
+
+ app_role {
+ allowed_member_types = [
+ "User"
+ ]
+
+ description = "msiam_access"
+ display_name = "msiam_access"
+ is_enabled = true
+ }
+
+ // We need to wait because Azure Graph API returns a 200 before its call-able #eventualconsistancy...
+ provisioner "local-exec" {
+ command = "sleep 20"
+ }
+
+ //https://github.com/Azure/azure-cli/issues/7579
+ //Add metadata URL
+ // provisioner "local-exec" {
+ // command = "az ad app update --id ${self.application_id} --set samlMetadataUrl=${var.saml_metadata_url}"
+ // }
+ // We need to wait because Azure Graph API returns a 200 before its call-able #eventualconsistancy...
+ // provisioner "local-exec" {
+ // command = "sleep 5"
+ // }
+ //https://github.com/Azure/azure-cli/issues/12946
+ //https://github.com/Azure/azure-cli/issues/11534
+ //https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
+ //Optional Claims for tokens
+ provisioner "local-exec" {
+ command = "az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/${self.object_id}' --body '{\"optionalClaims\": {\"saml2Token\": [{\"name\": \"groups\", \"additionalProperties\": []}]}}'"
+ }
+}
+
+resource "azuread_service_principal" "argocd" {
+ //https://github.com/Azure/azure-cli/issues/9250
+ application_id = azuread_application.argocd.application_id
+ tags = [
+ "WindowsAzureActiveDirectoryIntegratedApp",
+ "WindowsAzureActiveDirectoryCustomSingleSignOnApplication",
+ "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1"
+ ]
+
+ // We need to wait because Azure Graph API returns a 200 before its call-able #eventualconsistancy...
+ provisioner "local-exec" {
+ command = "sleep 20"
+ }
+
+ # https://docs.microsoft.com/en-us/graph/application-saml-sso-configure-api?tabs=http#set-single-sign-on-mode
+ provisioner "local-exec" {
+ command = "az ad sp update --id ${azuread_application.argocd.application_id} --set preferredSingleSignOnMode='saml'"
+ }
+
+ # depends_on = [
+ # azuread_application.argocd
+ # ]
+}
+
+resource "null_resource" "grant_admin_constent" {
+ count = var.admin_consent ? 1 : 0
+ // https://docs.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#code-try-3
+ provisioner "local-exec" {
+ command = "sleep 20"
+ }
+ provisioner "local-exec" {
+ command = "az ad app permission admin-consent --id ${azuread_application.argocd.application_id}"
+ }
+ depends_on = [
+ azuread_service_principal.argocd
+ ]
+}
diff --git a/terraform/argocd_sso/sso_claims.sh b/terraform/argocd_sso/sso_claims.sh
new file mode 100644
index 0000000..8b09dbe
--- /dev/null
+++ b/terraform/argocd_sso/sso_claims.sh
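Review bot: `oauth2_allow_implicit_flow = true` on `azuread_application.argocd` enables the OAuth2 implicit grant on a registration whose reply URL is the dex SAML callback and whose service principal is set to `preferredSingleSignOnMode='saml'` in this same hunk; nothing in this file consumes implicit-flow tokens, so it should be `oauth2_allow_implicit_flow = false` to keep the registration's surface to what SSO needs. The two live `output` blocks expose the whole application and service-principal objects in Terraform outputs and state; if they are the temporary outputs the `# TODO: remove temp outputs` comment refers to, delete them, otherwise narrow them to the identifiers actually needed (e.g. `value = azuread_application.argocd.object_id`). The two `resource_access` ids are bare GUIDs; a comment naming the Graph permission each one grants would let a reviewer confirm that the consent granted by `null_resource.grant_admin_constent` (note the typo in that resource name) is the minimum required.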
@@ -0,0 +1,62 @@ +# Adding extra SSO claim +# Set "ArgoCD" app reg () +ARGO_APP_OBJECT_ID="" +az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/applications/$ARGO_APP_OBJECT_ID" --body '{\"optionalClaims\": {\"saml2Token\": [{\"name\": \"test\", \"additionalProperties\": [\"sam_account_name\"]}]}}' + +az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/applications/$ARGO_APP_OBJECT_ID" --body '{\"optionalClaims\": {\"saml2Token\": [{\"name\": \"userprincipalname\", \"source\": \"user\", \"additionalProperties\": [\"email\"]}]}}' + +# works via PS +$ARGO_APP_OBJECT_ID = "" +az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/applications/$ARGO_APP_OBJECT_ID" --body '{\"optionalClaims\": {\"saml2Token\": [{\"name\": \"groups\", \"additionalProperties\": [\"sam_account_name\"]}]}}' + +# add custom email claim +az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/applications/$ARGO_APP_OBJECT_ID" --body '{\"optionalClaims\": {\"saml2Token\": [{\"name\": \"userprincipalname\", \"source\": \"user\", \"additionalProperties\": [\"email\"]}]}}' + +# add custom group claim +az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/applications/$ARGO_APP_OBJECT_ID" --body '{\"optionalClaims\": {\"saml2Token\": [{\"name\": \"groups\", \"source\": null}]}}' + + + +# Get +az rest --method GET --uri "https://graph.microsoft.com/v1.0/applications/$ARGO_APP_OBJECT_ID" +az rest --method GET --uri "https://graph.microsoft.com/v1.0/applications/$ARGO_APP_OBJECT_ID" | clip.exe + + "optionalClaims": { + "accessToken": [], + "idToken": [], + "saml2Token": [ + { + "additionalProperties": [], + "essential": false, + "name": "groups", + "source": null + } + ] + }, + + +# TF created "ArgoCD" App Reg +az rest --method GET --uri "https://graph.microsoft.com/v1.0/applications/$ARGO_APP_OBJECT_ID" + + "optionalClaims": { + "accessToken": [], + "idToken": [], + "saml2Token": [ + { + "additionalProperties": [ + "sam_account_name" + ], + 
"essential": false, + "name": "test", + "source": null + } + ] + }, + +# AR-Dev_ArgoCD - App reg +az rest --method GET --uri "https://graph.microsoft.com/v1.0/applications/$ARGO_APP_OBJECT_ID" + +# manual "AR-Dev_ArgoCD" Enterprise App +SERVICE_PRINCIPLE_ID="" +az rest --method GET --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$SERVICE_PRINCIPLE_ID" +az rest --method GET --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$SERVICE_PRINCIPLE_ID" | clip.exe diff --git a/terraform/argocd_sso/tf_test.ps1 b/terraform/argocd_sso/tf_test.ps1 new file mode 100644 index 0000000..7251a13 --- /dev/null +++ b/terraform/argocd_sso/tf_test.ps1 @@ -0,0 +1,16 @@ +# testing Terraform config for Enterprise App +# use WSL +cd ./terraform/argocd_sso + +# login +az login +az account show + +# init +terraform init + +# apply +terraform apply + +# destroy +terraform destroy From bdea2fca381335bfd450ba7ffbd99f3c1b97ea0b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 7 Feb 2021 07:54:29 +0000 Subject: [PATCH 36/54] Added SSO templates --- .../argocd-cm-sso-patch.TEMPLATE.yaml | 25 +++++++++++++++++++ .../argocd-rbac-cm-patch.TEMPLATE.yaml | 16 ++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 terraform/argocd_sso/argocd-cm-sso-patch.TEMPLATE.yaml create mode 100644 terraform/argocd_sso/argocd-rbac-cm-patch.TEMPLATE.yaml diff --git a/terraform/argocd_sso/argocd-cm-sso-patch.TEMPLATE.yaml b/terraform/argocd_sso/argocd-cm-sso-patch.TEMPLATE.yaml new file mode 100644 index 0000000..b32c731 --- /dev/null +++ b/terraform/argocd_sso/argocd-cm-sso-patch.TEMPLATE.yaml 
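Review bot: As committed, sso_claims.sh cannot run as a shell script: the `# works via PS` section assigns `$ARGO_APP_OBJECT_ID = ""` in PowerShell syntax, and the pasted `"optionalClaims": {...}` response fragments are not commented out, so bash would try to execute them as commands. If the file is working notes rather than a script, say so in its header (`# NOTE: scratch commands, not an executable script; run the az rest lines one at a time`) and comment out or fence the response dumps. The `--body '{\"optionalClaims\"...}'` escaping is also only right for PowerShell or cmd; inside bash single quotes the backslashes are kept and the body is no longer valid JSON, so the bash and PowerShell variants should be separated. Each PATCH appears to replace the whole `optionalClaims` object rather than merge into it, so the later userprincipalname call would drop the groups claim added just before it — worth confirming against Graph before relying on the sequence. `SERVICE_PRINCIPLE_ID` should be `SERVICE_PRINCIPAL_ID`.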
@@ -0,0 +1,25 @@ +# Patch ConfigMap to add dex SSO config +# source: https://argoproj.github.io/argo-cd/operator-manual/user-management/microsoft/ +# +# After following steps above, modify content and run command below to apply patch: +# kubectl patch configmap/argocd-cm --namespace argocd --type merge --patch "$(cat argocd-cm-patch-dev.yaml)" + +# TEMPLATE +data: + dex.config: | + logger: + level: debug + format: json + connectors: + - type: saml + id: saml + name: saml + config: + entityIssuer: https://$ARGO_FQDN/api/dex/callback + ssoURL: https://login.microsoftonline.com/$TENANT_ID/saml2 + caData: | + $SAML_CERT_BASE64 + redirectURI: https://$ARGO_FQDN/api/dex/callback + usernameAttr: email + emailAttr: email + groupsAttr: Group diff --git a/terraform/argocd_sso/argocd-rbac-cm-patch.TEMPLATE.yaml b/terraform/argocd_sso/argocd-rbac-cm-patch.TEMPLATE.yaml new file mode 100644 index 0000000..2a55d75 --- /dev/null +++ b/terraform/argocd_sso/argocd-rbac-cm-patch.TEMPLATE.yaml @@ -0,0 +1,16 @@ +# Patch ConfigMap to add RBAC config +# source: +# - https://argoproj.github.io/argo-cd/operator-manual/rbac/ +# +# Run command below to apply patch for default admin and readonly roles: +# kubectl patch configmap/argocd-rbac-cm --namespace argocd --type merge --patch-file "argocd-rbac-cm-patch.yaml" + +# TEMPLATE +data: + policy.default: role:readonly + + # Map AAD Group Object Id to an Argo CD role + # (Nested groups work fine) + # g, , role:admin + policy.csv: | + g, $ARGO_ADMIN_GROUP_ID, role:admin From 724aa29ac21662a731b37895f29444d78c5465fe Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 7 Feb 2021 17:22:19 +0000 Subject: [PATCH 37/54] Bumped AKS version to 1.17.16 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index e0545d2..e1878c4 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
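Review bot: `level: debug` is baked into the dex logger config of a template that gets applied to the live argocd-cm; debug output from the SAML connector is verbose and may surface SAML response details in cluster logs, so the template should default to `level: info` and the header should note that debug is for initial troubleshooting only. The `caData: |` block also expects `$SAML_CERT_BASE64` to be a single line or an already-indented block: `base64` wraps its output at 76 columns, and an unindented multi-line substitution breaks the block scalar (the README change in PATCH 44 later works around this with sed), so either document `base64 -w 0` or state the indentation requirement in the header comment. The header tells the reader to patch with `argocd-cm-patch-dev.yaml`, which does not match this file's name; `argocd-cm-sso-patch.yaml` would be consistent with the rbac template's wording.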
@@ -6,7 +6,7 @@
 # https://github.com/Azure/AKS/releases
 # az aks get-versions --location uksouth --output table
 variable "kubernetes_version" {
- default = "1.16.15"
+ default = "1.17.16"
 }
 # Helm charts
From 5b983adb5becbfb680afc77d607e40b00bad2378 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sun, 7 Feb 2021 17:33:11 +0000
Subject: [PATCH 38/54] Bumped AKS orchestrator_version to 1.17.16
---
 terraform/aks.tf | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/terraform/aks.tf b/terraform/aks.tf
index dd8d5b8..14e335d 100644
--- a/terraform/aks.tf
+++ b/terraform/aks.tf
@@ -67,15 +67,15 @@ module "aks" {
 # override defaults
 default_node_pool = {
- name = var.agent_pool_profile_name
- count = var.agent_pool_node_count
- # availability_zones = null
- vm_size = var.agent_pool_profile_vm_size
- enable_auto_scaling = var.agent_pool_enable_auto_scaling
- max_count = var.agent_pool_node_max_count
- max_pods = 90
- min_count = var.agent_pool_node_min_count
- os_disk_size_gb = var.agent_pool_profile_disk_size_gb
+ name = var.agent_pool_profile_name
+ count = var.agent_pool_node_count
+ orchestrator_version = var.kubernetes_version
+ vm_size = var.agent_pool_profile_vm_size
+ enable_auto_scaling = var.agent_pool_enable_auto_scaling
+ max_count = var.agent_pool_node_max_count
+ max_pods = 90
+ min_count = var.agent_pool_node_min_count
+ os_disk_size_gb = var.agent_pool_profile_disk_size_gb
 }
 # add-ons
From 568e09e1e77f93150ccf1f58407db1d0e0c15a99 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sun, 7 Feb 2021 18:11:03 +0000
Subject: [PATCH 39/54] Bumped AKS TF module to v0.6.0
---
 terraform/aks.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/aks.tf b/terraform/aks.tf
index 14e335d..ca2fe62 100644
--- a/terraform/aks.tf
+++ b/terraform/aks.tf
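Review bot: `orchestrator_version = var.kubernetes_version` ties the node pool to the control-plane variable, so a bump of `var.kubernetes_version` now upgrades both in a single apply; a comment on that line would make the coupling deliberate, e.g. `# node pool follows the control-plane version; bumping var.kubernetes_version upgrades both in one apply`. The hunk also drops the `# availability_zones = null` reminder, which the commit message does not mention — fine if intentional, but worth a word in the message or a replacement comment.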
@@ -54,7 +54,7 @@ resource "azurerm_log_analytics_solution" "aks" {
 # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest
 module "aks" {
 source = "adamrushuk/aks/azurerm"
- version = "0.5.0"
+ version = "0.6.0"
 kubernetes_version = var.kubernetes_version
 location = azurerm_resource_group.aks.location
From 5d02c023ef9ed89dc29b3c62cb638163a2a29e74 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sun, 7 Feb 2021 18:53:57 +0000
Subject: [PATCH 40/54] Bumped versions / providers
---
 terraform/providers.tf | 4 ++--
 terraform/variables.tf | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/terraform/providers.tf b/terraform/providers.tf
index 5823777..2a2032c 100644
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@@ -14,7 +14,7 @@ terraform {
 helm = "2.0.2"
 # https://github.com/hashicorp/terraform-provider-kubernetes/releases
- kubernetes = "2.0.1"
+ kubernetes = "2.0.2"
 # https://github.com/terraform-providers/terraform-provider-azuread/releases
 azuread = "1.3.0"
@@ -30,7 +30,7 @@ terraform {
 # must include blank features block
 # https://github.com/terraform-providers/terraform-provider-azurerm/releases
 provider "azurerm" {
- version = "2.45.1"
+ version = "2.46.1"
 features {}
 }
diff --git a/terraform/variables.tf b/terraform/variables.tf
index e1878c4..ac3cdbd 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -34,7 +34,7 @@ variable "cert_manager_chart_version" {
 # helm search repo vmware-tanzu/velero
 # * also update terraform/helm/velero_values.yaml
 variable "velero_chart_version" {
- default = "2.14.7"
+ default = "2.14.8"
 }
 # https://hub.docker.com/r/sonatype/nexus3/tags
@@ -60,7 +60,7 @@ variable "akv2k8s_chart_version" {
 # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4
 # helm search repo aad-pod-identity/aad-pod-identity
 variable "aad_pod_identity_chart_version" {
- default = "3.0.0"
+ default = "3.0.2"
 }
 # https://bitnami.com/stack/external-dns/helm
@@ -78,7 +78,7 @@ variable "kured_chart_version" { # https://github.com/weaveworks/kured#kubernetes--os-compatibility variable "kured_image_tag" { - default = "1.4.4" + default = "1.5.1" } @@ -86,12 +86,12 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "2.11.6" + default = "2.12.0" } # https://hub.docker.com/r/argoproj/argocd/tags variable "argocd_image_tag" { - default = "v1.8.3" + default = "v1.8.4" } #endregion Versions From 04ea99a8594a184894252ed2a5fba6c43a116012 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 8 Feb 2021 07:46:17 +0000 Subject: [PATCH 41/54] Removed pypi_repo ansible role --- ansible/site.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/site.yml b/ansible/site.yml index e24c10e..1854036 100644 --- a/ansible/site.yml +++ b/ansible/site.yml @@ -40,7 +40,7 @@ name: docker_repo - import_role: name: helm_repo - - import_role: - name: pypi_repo +# - import_role: +# name: pypi_repo - import_role: name: raw_repo From b24289f6463fa15e437907bcd82e51e93a0280cd Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 12 Feb 2021 07:36:31 +0000 Subject: [PATCH 42/54] Bumped versions / providers --- terraform/providers.tf | 2 +- terraform/variables.tf | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/providers.tf b/terraform/providers.tf index 2a2032c..2f2c10a 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -30,7 +30,7 @@ terraform { # must include blank features block # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { - version = "2.46.1" + version = "2.47.0" features {} } diff --git a/terraform/variables.tf b/terraform/variables.tf index ac3cdbd..b4deda3 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -27,7 +27,7 @@ variable "nginx_chart_version" { # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.1.0" + default = "v1.2.0" } # https://github.com/vmware-tanzu/helm-charts/releases @@ -60,7 +60,7 @@ variable "akv2k8s_chart_version" { # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 # helm search repo aad-pod-identity/aad-pod-identity variable "aad_pod_identity_chart_version" { - default = "3.0.2" + default = "3.0.3" } # https://bitnami.com/stack/external-dns/helm @@ -86,7 +86,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "2.12.0" + default = "2.14.0" } # https://hub.docker.com/r/argoproj/argocd/tags From be182743783e8128cc3d226e9615a82fea7db6f4 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 12 Feb 2021 07:53:13 +0000 Subject: [PATCH 43/54] Changed argocd_config timeout to 10m --- terraform/helm_argocd.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index 92f74e3..f94a6cf 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -93,7 +93,7 @@ resource "null_resource" "argocd_configure" { command = <<-EOT chmod -R +x ./files/scripts - timeout 5m ./files/scripts/argocd_config.sh + timeout 10m ./files/scripts/argocd_config.sh EOT } From 52ae466b3004be360c58f89790f7f9ea981c21bf Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 14 Feb 2021 08:33:51 +0000 Subject: [PATCH 44/54] Added indentation to multiline string --- terraform/argocd_sso/README.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/terraform/argocd_sso/README.md b/terraform/argocd_sso/README.md index 72d2d84..8152b38 100644 --- a/terraform/argocd_sso/README.md 
+++ b/terraform/argocd_sso/README.md @@ -131,7 +131,6 @@ https://argocd.thehypepipe.co.uk/auth/login # Create a "Sign SAML assertion" SAML Signing Cert (SHA-256) # Download and base64 the cert, ready for the ConfigMap yaml -cat /mnt/c/Users/adamr/code/devops-lab/terraform/argocd_sso/ArgoCD.cer | base64 | clip.exe # Login URL (ssoURL) https://login.microsoftonline.com//saml2 @@ -166,7 +165,7 @@ data: g, $ARGO_ADMIN_GROUP_ID, role:admin EOF -# Apply RBAC patch for default admin and readonly roles +# Apply yaml RBAC patch for default admin and readonly roles kubectl patch configmap/argocd-rbac-cm --namespace argocd --type merge --patch "$(cat argocd-rbac-cm-patch.yaml)" @@ -177,7 +176,11 @@ ARGO_FQDN="argocd.thehypepipe.co.uk" TENANT_ID=$(az account show --query "tenantId" --output tsv) # assumes SAML Signing Certificate has been downloaded/saved as "ArgoCD.cer" (choosing Certificate (Base64) option) SAML_CERT_BASE64=$(cat ArgoCD.cer | base64) -echo $SAML_CERT_BASE64 +echo "$SAML_CERT_BASE64" + +# created indented string ready for caData YAML multi-line block +SAML_CERT_BASE64_INDENTED=$(cat ArgoCD.cer | base64 | sed 's/^/ /') +echo "$SAML_CERT_BASE64_INDENTED" cat > argocd-cm-sso-patch.yaml << EOF # Patch ConfigMap to add dex SSO config @@ -195,14 +198,14 @@ data: entityIssuer: https://$ARGO_FQDN/api/dex/callback ssoURL: https://login.microsoftonline.com/$TENANT_ID/saml2 caData: | - $SAML_CERT_BASE64 +$SAML_CERT_BASE64_INDENTED redirectURI: https://$ARGO_FQDN/api/dex/callback usernameAttr: email emailAttr: email groupsAttr: Group EOF -# Apply SSO patch +# Apply SSO patch kubectl patch configmap/argocd-cm --namespace argocd --type merge --patch "$(cat argocd-cm-sso-patch.yaml)" ``` From eea84d6077454c1bfd8b49e5e98eb0d616f5e73d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 14 Feb 2021 08:58:34 +0000 Subject: [PATCH 45/54] Fixed relative chart path --- terraform/files/argocd-gitlab.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/terraform/files/argocd-gitlab.yaml b/terraform/files/argocd-gitlab.yaml index 72206fe..dbdbe0a 100644 --- a/terraform/files/argocd-gitlab.yaml +++ b/terraform/files/argocd-gitlab.yaml @@ -11,7 +11,7 @@ spec: source: repoURL: git@github.com:adamrushuk/charts-private.git targetRevision: main - path: gitlab-https + path: charts/gitlab-https helm: # target helm version version: v3 From f4067c66aacd108c1b06f18625552a80d0a1299e Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 14 Feb 2021 09:06:36 +0000 Subject: [PATCH 46/54] Added app of apps argocd definition --- terraform/files/argocd-apps.yaml | 30 ++++++++++++++++++++++++++++++ terraform/helm_argocd.tf | 9 +++++++-- terraform/variables.tf | 11 +++++++---- 3 files changed, 44 insertions(+), 6 deletions(-) create mode 100644 terraform/files/argocd-apps.yaml diff --git a/terraform/files/argocd-apps.yaml b/terraform/files/argocd-apps.yaml new file mode 100644 index 0000000..00b8061 --- /dev/null +++ b/terraform/files/argocd-apps.yaml @@ -0,0 +1,30 @@ +# App of Apps pattern +# https://argoproj.github.io/argo-cd/operator-manual/cluster-bootstrapping/ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argocd-apps + # namespace of argo cd deployment + namespace: argocd +spec: + project: default + source: + repoURL: git@github.com:adamrushuk/charts-private.git + targetRevision: main + path: charts/argocd-apps + helm: + # target helm version + # * NOT required if "Chart.yaml" helm metadata contains "apiVersion: v2" + # version: v3 + + # values file path is relative from the source.path folder + valueFiles: + - values.yaml + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: {} + # # sync options which modifies sync behavior + # syncOptions: + # # namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster + # - CreateNamespace=true 
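Review bot: The app-of-apps Application is placed in `project: default`, and the default AppProject permits any source repository, any destination cluster and any namespace, so every child Application it manufactures inherits an unrestricted project unless the chart sets its own. For a bootstrap object whose whole job is to create other Applications, a dedicated AppProject with `sourceRepos` limited to `git@github.com:adamrushuk/charts-private.git` and `destinations` limited to the in-cluster server is the least-privilege shape; at minimum a comment above `project: default` should say that the unrestricted project is intentional. The `# values file path is relative from the source.path folder` comment is the kind of note the `project:` line deserves too.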
diff --git a/terraform/helm_argocd.tf b/terraform/helm_argocd.tf index f94a6cf..744a2d7 100644 --- a/terraform/helm_argocd.tf +++ b/terraform/helm_argocd.tf @@ -103,15 +103,20 @@ resource "null_resource" "argocd_configure" { ] } -# create argo app definitions +# create argo apps definition +# https://argoproj.github.io/argo-cd/operator-manual/cluster-bootstrapping/ resource "null_resource" "argocd_apps" { + triggers = { + argocd_app_yaml_contents = filemd5(var.argocd_apps_path) + } + provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] environment = { KUBECONFIG = var.aks_config_path } command = <<-EOT - kubectl apply -f ${var.gitlab_argocd_app_path} + kubectl apply -f ${var.argocd_apps_path} EOT } diff --git a/terraform/variables.tf b/terraform/variables.tf index b4deda3..2be614f 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -349,13 +349,16 @@ __HELM_CHART_REPO_DEPLOY_PRIVATE_KEY__ EOT } - +variable "argocd_apps_path" { + default = "files/argocd-apps.yaml" +} # gitlab variable "gitlab_cert_sync_yaml_path" { default = "files/gitlab-akvs-certificate-sync.yaml" } -variable "gitlab_argocd_app_path" { - default = "files/argocd-gitlab.yaml" -} +# TODO: remove if no longer required +# variable "gitlab_argocd_app_path" { +# default = "files/argocd-gitlab.yaml" +# } From 081273ca2cc7f506bb02f10b37decf8248f42548 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 15 Feb 2021 08:04:31 +0000 Subject: [PATCH 47/54] Added automated sync policy for Argo CD app-of-apps spec --- terraform/files/argocd-apps.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/terraform/files/argocd-apps.yaml b/terraform/files/argocd-apps.yaml index 00b8061..d6f9b1c 100644 --- a/terraform/files/argocd-apps.yaml +++ b/terraform/files/argocd-apps.yaml 
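Review bot: Switching the applied manifest from `var.gitlab_argocd_app_path` to `var.argocd_apps_path` never removes the Application that earlier applies created from `files/argocd-gitlab.yaml`; `kubectl apply -f` only creates or updates the objects in the new file, and the `filemd5` trigger re-runs that apply without deleting anything. Either remove the old Application once out of band or note above the resource that the chart at `charts/argocd-apps` now owns it, e.g. `# NOTE: replaces the standalone gitlab Application; delete it manually on clusters created before this change`. A `when = destroy` provisioner running `kubectl delete -f` would also make `terraform destroy` symmetrical, though with the cluster torn down in the same run it is optional.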
@@ -23,8 +23,10 @@ spec: destination: server: https://kubernetes.default.svc namespace: argocd - syncPolicy: {} - # # sync options which modifies sync behavior + syncPolicy: + # https://argoproj.github.io/argo-cd/user-guide/auto_sync/#automated-sync-policy + automated: {} + # sync options which modifies sync behavior # syncOptions: # # namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster # - CreateNamespace=true From 90b2638d18b27ce5c29c6ec01e05005f63d5acfd Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 15 Feb 2021 08:57:18 +0000 Subject: [PATCH 48/54] Changed function app deps and login --- function_app/profile.ps1 | 2 +- function_app/requirements.psd1 | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/function_app/profile.ps1 b/function_app/profile.ps1 index 5b999c8..0be2628 100644 --- a/function_app/profile.ps1 +++ b/function_app/profile.ps1 @@ -13,7 +13,7 @@ # Remove this if you are not planning on using MSI or Azure PowerShell. if ($env:MSI_SECRET -and (Get-Module -ListAvailable Az.Accounts)) { Write-Output "Authenticating PowerShell using Managed Identity..." - # Disable-AzContextAutosave -Scope Process | Out-Null + Disable-AzContextAutosave -Scope Process | Out-Null Connect-AzAccount -Identity } elseif ($env:ARM_TENANT_ID -and $env:ARM_SUBSCRIPTION_ID -and $env:ARM_CLIENT_ID -and $env:ARM_CLIENT_SECRET) { diff --git a/function_app/requirements.psd1 b/function_app/requirements.psd1 index 35f155b..ab3deba 100644 --- a/function_app/requirements.psd1 +++ b/function_app/requirements.psd1 @@ -2,8 +2,8 @@ # See https://aka.ms/functionsmanageddependency for additional information. # @{ - # 'Az' = '5.*' + 'Az' = '5.*' # Only need Account and Compute cmdlets for VMSS and VM status checks - 'Az.Accounts' = '2.*' - 'Az.Compute' = '4.*' + # 'Az.Accounts' = '2.*' + # 'Az.Compute' = '4.*' } From fc10361becfbf220b47d488240653f16c46b1551 Mon Sep 17 00:00:00 2001 
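Review bot: `automated: {}` turns on auto-sync with `prune` and `selfHeal` left at their default of false, so a child Application removed from the chart stays in the cluster and out-of-band edits are not reverted; spell the choice out so the next reader does not have to look up the defaults, `automated:` / `prune: false` / `selfHeal: false`, with a short comment on why. Because the source is `targetRevision: main` of the charts repo, every merge to that branch now reaches the cluster without a manual sync, which makes branch protection and review on `charts-private` part of the deployment control and is worth a line in the header comment.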
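Review bot: The comment `# Only need Account and Compute cmdlets for VMSS and VM status checks` now sits above the two commented-out entries while the active `'Az' = '5.*'` line pulls in the whole module, so the file reads as a contradiction. Either restore the narrower `Az.Accounts`/`Az.Compute` pins or replace the comment with the reason the full module was needed, e.g. `# full Az module required: Az.Accounts/Az.Compute alone did not provide <cmdlet>`, since the full module is presumably a much larger managed-dependency download and a longer cold start. The commit message says only "Changed function app deps and login"; a sentence on the cause would help whoever trims this back later.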
From: Adam Rush Date: Fri, 19 Feb 2021 08:06:21 +0000 Subject: [PATCH 49/54] Changed velero default values to v2.14.8 --- terraform/helm/velero_values.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/terraform/helm/velero_values.yaml b/terraform/helm/velero_values.yaml index 1a25bd6..571b502 100644 --- a/terraform/helm/velero_values.yaml +++ b/terraform/helm/velero_values.yaml @@ -1,4 +1,4 @@ -# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.14.1/charts/velero/values.yaml +# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.14.8/charts/velero/values.yaml ## ## Configuration settings that directly affect the Velero deployment YAML. @@ -9,7 +9,7 @@ image: # https://hub.docker.com/r/velero/velero/tags repository: velero/velero - tag: v1.5.2 + tag: v1.5.3 # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. If used, it will # take precedence over the image.tag. # digest: @@ -41,7 +41,7 @@ dnsPolicy: ClusterFirst initContainers: - name: velero-plugin-for-microsoft-azure # https://hub.docker.com/r/velero/velero-plugin-for-microsoft-azure/tags - image: velero/velero-plugin-for-microsoft-azure:v1.1.1 + image: velero/velero-plugin-for-microsoft-azure:v1.1.2 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target @@ -75,6 +75,7 @@ extraVolumeMounts: [] metrics: enabled: true scrapeInterval: 30s + scrapeTimeout: 10s # Pod annotations for Prometheus podAnnotations: @@ -85,6 +86,8 @@ metrics: serviceMonitor: enabled: false additionalLabels: {} + # ServiceMonitor namespace. Default to Velero namespace. + # namespace: # Install CRDs as a templates. Enabled by default. installCRDs: true From 0de820bd6c319c9d2ce8880b3f7200a8cf238de5 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Fri, 19 Feb 2021 08:06:38 +0000 Subject: [PATCH 50/54] Bumped versions / providers --- terraform/providers.tf | 4 ++-- terraform/variables.tf | 6 +++--- terraform/velero.tf | 8 -------- 3 files changed, 5 insertions(+), 13 deletions(-) diff --git a/terraform/providers.tf b/terraform/providers.tf index 2f2c10a..8042511 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -17,7 +17,7 @@ terraform { kubernetes = "2.0.2" # https://github.com/terraform-providers/terraform-provider-azuread/releases - azuread = "1.3.0" + azuread = "1.4.0" random = "~> 2.2" # ~> 2.2 = 2.X.Y tls = "~> 2.1" @@ -30,7 +30,7 @@ terraform { # must include blank features block # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { - version = "2.47.0" + version = "2.48.0" features {} } diff --git a/terraform/variables.tf b/terraform/variables.tf index 2be614f..8b9f4c5 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -67,13 +67,13 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "4.6.0" + default = "4.8.0" } # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.3.1" + default = "2.3.2" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility @@ -86,7 +86,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "2.14.0" + default = "2.14.6" } # https://hub.docker.com/r/argoproj/argocd/tags diff --git a/terraform/velero.tf b/terraform/velero.tf index 5678f06..9e9b554 100644 --- a/terraform/velero.tf +++ b/terraform/velero.tf 
@@ -78,14 +78,6 @@ EOT depends_on = [kubernetes_namespace.velero] } -# Manually test new values: -# helm upgrade \ -# velero vmware-tanzu/velero \ -# --install --atomic \ -# --namespace velero \ -# --reuse-values \ -# -f terraform/helm/velero_values.yaml - resource "helm_release" "velero" { count = var.velero_enabled ? 1 : 0 chart = "velero" From 7356ee67c9d1ee8a505dee89299844d5f482155c Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 19 Feb 2021 10:19:48 +0000 Subject: [PATCH 51/54] Reverted to v2.47.0 for azurerm --- terraform/providers.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/providers.tf b/terraform/providers.tf index 8042511..b507eb7 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -30,7 +30,7 @@ terraform { # must include blank features block # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { - version = "2.48.0" + version = "2.47.0" features {} } From 994316d460ba9818b270656a678257dce9fc7b50 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 23 Feb 2021 08:33:45 +0000 Subject: [PATCH 52/54] Bumped adamrushuk/aks/azurerm to 0.7.0 --- terraform/aks.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index ca2fe62..5fac5db 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -54,7 +54,7 @@ resource "azurerm_log_analytics_solution" "aks" { # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest module "aks" { source = "adamrushuk/aks/azurerm" - version = "0.6.0" + version = "0.7.0" kubernetes_version = var.kubernetes_version location = azurerm_resource_group.aks.location From 07e565c3dd229574f828347e65a353158316e392 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 26 Feb 2021 10:39:27 +0000 Subject: [PATCH 53/54] Bumped nginx ingress to v3.23.0 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 8b9f4c5..d845623 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -21,7 +21,7 @@ variable "kubernetes_version" {
 # helm search repo ingress-nginx/ingress-nginx
 # * also update terraform/helm/nginx_values.yaml
 variable "nginx_chart_version" {
- default = "3.22.0"
+ default = "3.23.0"
 }
 # https://hub.helm.sh/charts/jetstack/cert-manager
From a600dbbd8af69b059bff61000162bd60ca5ff2bc Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Fri, 12 Mar 2021 07:53:10 +0000
Subject: [PATCH 54/54] Bumped azurerm and helm providers
---
 terraform/providers.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/providers.tf b/terraform/providers.tf
index b507eb7..af623f3 100644
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@@ -11,7 +11,7 @@ terraform {
 # versioning syntax: https://www.terraform.io/docs/configuration/modules.html#module-versions
 required_providers {
 # https://github.com/hashicorp/terraform-provider-helm/releases
- helm = "2.0.2"
+ helm = "2.0.3"
 # https://github.com/hashicorp/terraform-provider-kubernetes/releases
 kubernetes = "2.0.2"
@@ -30,7 +30,7 @@ terraform {
 # must include blank features block
 # https://github.com/terraform-providers/terraform-provider-azurerm/releases
 provider "azurerm" {
- version = "2.47.0"
+ version = "2.51.0"
 features {}
 }