Add MI credentials for Velero and Add nodepool ARM - Playground (#1323)

Co-authored-by: Automatic Update <[email protected]>
equinor · May 3, 2024 · d89a3bf · d89a3bf
1 parent 491e042
commit d89a3bf
Show file tree

Hide file tree

Showing 17 changed files with 167 additions and 63 deletions.
diff --git a/scripts/aks/bootstrap.sh b/scripts/aks/bootstrap.sh
@@ -786,7 +786,7 @@ az aks nodepool add "${AKS_PIPELINE_OPTIONS[@]}"
 #######################################################################################
 ### Add tainted Arm64 nodepool
 ###
-if [ "$RADIX_ENVIRONMENT" = "dev" ]; then
+if [ "$RADIX_ENVIRONMENT" = "dev" ] || ["$RADIX_ENVIRONMENT" = "playground"]; then
     AKS_ARM64_OPTIONS=(
         --cluster-name "$CLUSTER_NAME"
         --nodepool-name armpool

diff --git a/scripts/aks/playground.env b/scripts/aks/playground.env
@@ -25,6 +25,9 @@ PIPELINE_MIN_COUNT="1"
 PIPELINE_MAX_COUNT="3"
 PIPELINE_VM_SIZE="Standard_B16ms"
 PIPELINE_DISK_SIZE="256"
+ARM_MIN_COUNT="1"
+ARM_MAX_COUNT="6"
+ARM_VM_SIZE="Standard_D8pds_v5"
 NODE_DISK_SIZE="256"
 NODE_VM_SIZE="Standard_B8ms"
 NODE_VM_SIZE_DESCRIPTION="8 vCPU, 32GB RAM"

diff --git a/terraform/subscriptions/s940/c2/clusters/main.tf b/terraform/subscriptions/s940/c2/clusters/main.tf
@@ -19,13 +19,9 @@ data "azurerm_log_analytics_workspace" "workspace" {
   resource_group_name = module.config.common_resource_group
 }
 
-# data "azurerm_user_assigned_identity" "infrastructure_id" {
-#   name                = "radix-id-infrastructure-${module.config.environment}"
-#   resource_group_name = module.config.common_resource_group
-# }
-
-data "azurerm_policy_definition" "policy_aks_cluster" {
-  display_name = module.config.policy_aks_diagnostics_cluster
+data "azurerm_storage_account" "velero" {
+  name                = "radixvelero${module.config.environment}"
+  resource_group_name = module.config.common_resource_group
 }
 
 module "radix_id_external_secrets_operator_mi" {
@@ -41,16 +37,19 @@ module "radix_id_external_secrets_operator_mi" {
   }
 }
 
-# module "policyassignment_resourcegroup" {
-#   for_each             = module.resourcegroups
-#   source               = "../../../modules/policyassignment_resourcegroup"
-#   policy_name          = "Radix-Enforce-Diagnostics-AKS-Clusters"
-#   location             = each.value["data"].location
-#   resource_group_id    = each.value["data"].id
-#   policy_definition_id = data.azurerm_policy_definition.policy_aks_cluster.id
-#   identity_ids         = data.azurerm_user_assigned_identity.infrastructure_id.id
-#   workspaceId          = data.azurerm_log_analytics_workspace.workspace.id
-# }
+module "radix_id_velero_mi" {
+  source              = "../../../modules/userassignedidentity"
+  name                = "radix-id-velero-${module.config.environment}"
+  location            = module.config.location
+  resource_group_name = "common-${module.config.environment}"
+  roleassignments = {
+    sac_user = {
+      role     = "Storage Account Contributor"
+      scope_id = data.azurerm_storage_account.velero.id
+    }
+  }
+}
+
 
 module "nsg" {
   source                     = "../../../modules/networksecuritygroup"

diff --git a/terraform/subscriptions/s940/c2/log-api/main.tf b/terraform/subscriptions/s940/c2/log-api/main.tf
@@ -3,7 +3,7 @@ module "config" {
 }
 
 data "azurerm_log_analytics_workspace" "this" {
-  name = "radix-container-logs-c2-prod"
+  name                = "radix-container-logs-c2-prod"
   resource_group_name = "logs-westeurope"
 }
 

diff --git a/terraform/subscriptions/s940/c2/post-clusters/velero.tf b/terraform/subscriptions/s940/c2/post-clusters/velero.tf
@@ -0,0 +1,15 @@
+data "azurerm_user_assigned_identity" "velero" {
+  resource_group_name = module.config.common_resource_group
+  name                = "radix-id-velero-${module.config.environment}"
+}
+
+resource "azurerm_federated_identity_credential" "velero-mi-fedcred" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-velero-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:velero:velero"
+  parent_id           = data.azurerm_user_assigned_identity.velero.id
+  resource_group_name = module.config.common_resource_group
+}
diff --git a/terraform/subscriptions/s940/extmon/clusters/main.tf b/terraform/subscriptions/s940/extmon/clusters/main.tf
@@ -21,13 +21,9 @@ data "azurerm_log_analytics_workspace" "workspace" {
   resource_group_name = module.config.common_resource_group
 }
 
-# data "azurerm_user_assigned_identity" "infrastructure_id" {
-#   name                = "radix-id-infrastructure-${module.config.environment}"
-#   resource_group_name = module.config.common_resource_group
-# }
-
-data "azurerm_policy_definition" "policy_aks_cluster" {
-  display_name = module.config.policy_aks_diagnostics_cluster
+data "azurerm_storage_account" "velero" {
+  name                = "radixvelero${module.config.environment}"
+  resource_group_name = module.config.common_resource_group
 }
 
 module "radix_id_external_secrets_operator_mi" {
@@ -43,22 +39,15 @@ module "radix_id_external_secrets_operator_mi" {
   }
 }
 
-# module "policyassignment_resourcegroup" {
-#   for_each             = module.resourcegroups
-#   source               = "../../../modules/policyassignment_resourcegroup"
-#   policy_name          = "Radix-Enforce-Diagnostics-AKS-Clusters"
-#   location             = each.value["data"].location
-#   resource_group_id    = each.value["data"].id
-#   policy_definition_id = data.azurerm_policy_definition.policy_aks_cluster.id
-#   identity_ids         = data.azurerm_user_assigned_identity.infrastructure_id.id
-#   workspaceId          = data.azurerm_log_analytics_workspace.workspace.id
-# }
-
-# module "nsg" {
-#   source                     = "../../../modules/networksecuritygroup"
-#   for_each                   = local.flattened_clusters
-#   networksecuritygroupname   = "nsg-${each.key}"
-#   location                   = each.value.location
-#   resource_group_name        = each.value.resource_group_name
-#   destination_address_prefix = each.value.destination_address_prefix
-# }
+module "radix_id_velero_mi" {
+  source              = "../../../modules/userassignedidentity"
+  name                = "radix-id-velero-${module.config.environment}"
+  location            = module.config.location
+  resource_group_name = "common-${module.config.environment}"
+  roleassignments = {
+    sac_user = {
+      role     = "Storage Account Contributor"
+      scope_id = data.azurerm_storage_account.velero.id
+    }
+  }
+}
diff --git a/terraform/subscriptions/s940/extmon/post-clusters/grafana.tf b/terraform/subscriptions/s940/extmon/post-clusters/grafana.tf
@@ -5,9 +5,9 @@ data "azuread_application" "grafana-logreader" {
 resource "azuread_application_federated_identity_credential" "grafana-logreader" {
   for_each = module.clusters.oidc_issuer_url
 
-  audiences      = ["api://AzureADTokenExchange"]
-  display_name   = "k8s-radix-grafana-logreader-${each.key}"
-  issuer         = each.value
-  subject        = "system:serviceaccount:monitor:grafana"
-  application_id = data.azuread_application.grafana-logreader.id
+  audiences             = ["api://AzureADTokenExchange"]
+  display_name          = "k8s-radix-grafana-logreader-${each.key}"
+  issuer                = each.value
+  subject               = "system:serviceaccount:monitor:grafana"
+  application_object_id = data.azuread_application.grafana-logreader.id
 }
diff --git a/terraform/subscriptions/s940/extmon/post-clusters/velero.tf b/terraform/subscriptions/s940/extmon/post-clusters/velero.tf
@@ -0,0 +1,15 @@
+data "azurerm_user_assigned_identity" "velero" {
+  resource_group_name = module.config.common_resource_group
+  name                = "radix-id-velero-${module.config.environment}"
+}
+
+resource "azurerm_federated_identity_credential" "velero-mi-fedcred" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-velero-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:velero:velero"
+  parent_id           = data.azurerm_user_assigned_identity.velero.id
+  resource_group_name = module.config.common_resource_group
+}
diff --git a/terraform/subscriptions/s940/prod/clusters/main.tf b/terraform/subscriptions/s940/prod/clusters/main.tf
@@ -21,11 +21,10 @@ data "azurerm_log_analytics_workspace" "workspace" {
   resource_group_name = module.config.common_resource_group
 }
 
-# data "azurerm_user_assigned_identity" "infrastructure_id" {
-#   name                = "radix-id-infrastructure-${module.config.environment}"
-#   resource_group_name = module.config.common_resource_group
-# }
-
+data "azurerm_storage_account" "velero" {
+  name                = "radixvelero${module.config.environment}"
+  resource_group_name = module.config.common_resource_group
+}
 data "azurerm_policy_definition" "policy_aks_cluster" {
   display_name = module.config.policy_aks_diagnostics_cluster
 }
@@ -43,6 +42,18 @@ module "radix_id_external_secrets_operator_mi" {
   }
 }
 
+module "radix_id_velero_mi" {
+  source              = "../../../modules/userassignedidentity"
+  name                = "radix-id-velero-${module.config.environment}"
+  location            = module.config.location
+  resource_group_name = "common-${module.config.environment}"
+  roleassignments = {
+    sac_user = {
+      role     = "Storage Account Contributor"
+      scope_id = data.azurerm_storage_account.velero.id
+    }
+  }
+}
 
 module "nsg" {
   source                     = "../../../modules/networksecuritygroup"

diff --git a/terraform/subscriptions/s940/prod/log-api/main.tf b/terraform/subscriptions/s940/prod/log-api/main.tf
@@ -3,7 +3,7 @@ module "config" {
 }
 
 data "azurerm_log_analytics_workspace" "this" {
-  name = "radix-container-logs-prod"
+  name                = "radix-container-logs-prod"
   resource_group_name = "Logs"
 }
 

diff --git a/terraform/subscriptions/s940/prod/post-clusters/velero.tf b/terraform/subscriptions/s940/prod/post-clusters/velero.tf
@@ -0,0 +1,15 @@
+data "azurerm_user_assigned_identity" "velero" {
+  resource_group_name = module.config.common_resource_group
+  name                = "radix-id-velero-${module.config.environment}"
+}
+
+resource "azurerm_federated_identity_credential" "velero-mi-fedcred" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-velero-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:velero:velero"
+  parent_id           = data.azurerm_user_assigned_identity.velero.id
+  resource_group_name = module.config.common_resource_group
+}
diff --git a/terraform/subscriptions/s941/dev/clusters/main.tf b/terraform/subscriptions/s941/dev/clusters/main.tf
@@ -21,8 +21,9 @@ data "azurerm_log_analytics_workspace" "workspace" {
   resource_group_name = module.config.common_resource_group
 }
 
-data "azurerm_policy_definition" "policy_aks_cluster" {
-  display_name = module.config.policy_aks_diagnostics_cluster
+data "azurerm_storage_account" "velero" {
+  name                = "radixvelero${module.config.environment}"
+  resource_group_name = module.config.common_resource_group
 }
 
 module "radix_id_external_secrets_operator_mi" {
@@ -38,6 +39,19 @@ module "radix_id_external_secrets_operator_mi" {
   }
 }
 
+module "radix_id_velero_mi" {
+  source              = "../../../modules/userassignedidentity"
+  name                = "radix-id-velero-${module.config.environment}"
+  location            = module.config.location
+  resource_group_name = "common-${module.config.environment}"
+  roleassignments = {
+    sac_user = {
+      role     = "Storage Account Contributor"
+      scope_id = data.azurerm_storage_account.velero.id
+    }
+  }
+}
+
 module "nsg" {
   source                     = "../../../modules/networksecuritygroup"
   for_each                   = local.flattened_clusters

diff --git a/terraform/subscriptions/s941/dev/log-api/main.tf b/terraform/subscriptions/s941/dev/log-api/main.tf
@@ -3,7 +3,7 @@ module "config" {
 }
 
 data "azurerm_log_analytics_workspace" "this" {
-  name = "radix-container-logs-dev"
+  name                = "radix-container-logs-dev"
   resource_group_name = "Logs-Dev"
 }
 

diff --git a/terraform/subscriptions/s941/dev/post-clusters/velero.tf b/terraform/subscriptions/s941/dev/post-clusters/velero.tf
@@ -0,0 +1,15 @@
+data "azurerm_user_assigned_identity" "velero" {
+  resource_group_name = module.config.common_resource_group
+  name                = "radix-id-velero-${module.config.environment}"
+}
+
+resource "azurerm_federated_identity_credential" "velero-mi-fedcred" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-velero-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:velero:velero"
+  parent_id           = data.azurerm_user_assigned_identity.velero.id
+  resource_group_name = module.config.common_resource_group
+}
diff --git a/terraform/subscriptions/s941/playground/clusters/main.tf b/terraform/subscriptions/s941/playground/clusters/main.tf
@@ -21,9 +21,9 @@ data "azurerm_log_analytics_workspace" "workspace" {
   resource_group_name = module.config.common_resource_group
 }
 
-
-data "azurerm_policy_definition" "policy_aks_cluster" {
-  display_name = module.config.policy_aks_diagnostics_cluster
+data "azurerm_storage_account" "velero" {
+  name                = "radixvelero${module.config.environment}"
+  resource_group_name = module.config.common_resource_group
 }
 
 module "radix_id_external_secrets_operator_mi" {
@@ -39,6 +39,19 @@ module "radix_id_external_secrets_operator_mi" {
   }
 }
 
+module "radix_id_velero_mi" {
+  source              = "../../../modules/userassignedidentity"
+  name                = "radix-id-velero-${module.config.environment}"
+  location            = module.config.location
+  resource_group_name = "common-${module.config.environment}"
+  roleassignments = {
+    sac_user = {
+      role     = "Storage Account Contributor"
+      scope_id = data.azurerm_storage_account.velero.id
+    }
+  }
+}
+
 module "nsg" {
   source                     = "../../../modules/networksecuritygroup"
   for_each                   = local.flattened_clusters

diff --git a/terraform/subscriptions/s941/playground/log-api/main.tf b/terraform/subscriptions/s941/playground/log-api/main.tf
@@ -3,7 +3,7 @@ module "config" {
 }
 
 data "azurerm_log_analytics_workspace" "this" {
-  name = "radix-container-logs-playground"
+  name                = "radix-container-logs-playground"
   resource_group_name = "Logs-Dev"
 }
 

diff --git a/terraform/subscriptions/s941/playground/post-clusters/velero.tf b/terraform/subscriptions/s941/playground/post-clusters/velero.tf
@@ -0,0 +1,15 @@
+data "azurerm_user_assigned_identity" "velero" {
+  resource_group_name = module.config.common_resource_group
+  name                = "radix-id-velero-${module.config.environment}"
+}
+
+resource "azurerm_federated_identity_credential" "velero-mi-fedcred" {
+  for_each = module.clusters.oidc_issuer_url
+
+  audience            = ["api://AzureADTokenExchange"]
+  name                = "k8s-velero-${each.key}-${module.config.environment}"
+  issuer              = each.value
+  subject             = "system:serviceaccount:velero:velero"
+  parent_id           = data.azurerm_user_assigned_identity.velero.id
+  resource_group_name = module.config.common_resource_group
+}