fix(aks): update module to support workload identities
lentidas committed Apr 16, 2024
1 parent e14253f commit e60855b
Showing 5 changed files with 57 additions and 49 deletions.
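--- a/aks/extra-variables.tf
+++ b/aks/extra-variables.tf
@@ -1,15 +1,21 @@
 variable "metrics_storage" {
 description = "Azure Blob Storage configuration for metric archival."
 type = object({
-container = string
-storage_account = string
-managed_identity_node_rg_name = optional(string, null)
-storage_account_key = optional(string, null)
+container = string
+storage_account = string
+managed_identity_node_rg_name = optional(string, null)
+managed_identity_oidc_issuer_url = optional(string, null)
+storage_account_key = optional(string, null)
 })
 
 validation {
-condition = try((var.metrics_storage.managed_identity_node_rg_name == null) != (var.metrics_storage.storage_account_key == null), true)
-error_message = "You must set one (and only one) of these attributes: managed_identity_node_rg_name, storage_account_key."
+condition = try((var.metrics_storage.managed_identity_node_rg_name == null && var.metrics_storage.managed_identity_oidc_issuer_url == null) != (var.metrics_storage.storage_account_key == null), true)
+error_message = "You can either set the variables for the managed identity or use storage account key, not both at the same time."
 }
 
+validation {
+condition = try((var.metrics_storage.managed_identity_node_rg_name == null) == (var.metrics_storage.managed_identity_oidc_issuer_url == null), true)
+error_message = "When using the managed identity, both `managed_identity_node_rg_name` and `managed_identity_oidc_issuer_url` are required."
+}
+
 default = null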
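Review bot: `storage_account_key` in the new attribute list is a long-lived credential with full control of the storage account, yet nothing in this hunk marks the variable `sensitive = true`, so the key would be echoed in plan diffs; the `variable` block continues past `default = null` outside the hunk, so if it does not already set it there, add `sensitive = true` next to `default`. The new `managed_identity_oidc_issuer_url` becomes the issuer the federated credential in `aks/main.tf` of this commit trusts, so a malformed or non-TLS value is a trust-anchor mistake rather than a cosmetic one; a cheap third validation is `condition = try(var.metrics_storage.managed_identity_oidc_issuer_url == null || startswith(var.metrics_storage.managed_identity_oidc_issuer_url, "https://"), true)` with `error_message = "managed_identity_oidc_issuer_url must be an https:// URL."`. It would also help callers if `description` said that the managed-identity attributes are the preferred path and `storage_account_key` is the fallback.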
34 changes: 16 additions & 18 deletions aks/locals.tf
Expand Up @@ -4,34 +4,32 @@ locals {
metrics_storage = var.metrics_storage == null ? null : {
storage_config = {
type = "AZURE"
config = merge(
{
container = var.metrics_storage.container
storage_account = var.metrics_storage.storage_account
},
local.use_managed_identity ? null : {
storage_account_key = var.metrics_storage.storage_account_key
config = merge({
container = var.metrics_storage.container
storage_account = var.metrics_storage.storage_account
}, local.use_managed_identity ? null : {
storage_account_key = var.metrics_storage.storage_account_key
}
)
}
}

helm_values = [{
kube-prometheus-stack = {
prometheus = {
prometheusSpec = merge(local.use_managed_identity ? {
prometheus = local.use_managed_identity ? {
serviceAccount = {
annotations = {
"azure.workload.identity/client-id" = resource.azurerm_user_assigned_identity.prometheus[0].client_id
}
}
prometheusSpec = {
podMetadata = {
labels = {
aadpodidbinding = "prometheus"
"azure.workload.identity/use" = "true"
}
}
} : null, {})
}
}
}, local.use_managed_identity ? {
azureIdentity = {
resourceID = azurerm_user_assigned_identity.prometheus[0].id
clientID = azurerm_user_assigned_identity.prometheus[0].client_id
}
} : null
}
} : null]
}]
}
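Review bot: The new `prometheus = local.use_managed_identity ? { … } : null` branch emits `prometheus: null` under `kube-prometheus-stack` whenever the account-key path is used, whereas the old code emitted a null list element and therefore no key at all. Helm treats a null value as an instruction to delete that key from the chart's defaults during value coalescing, so if the root module passes these values through to the Helm release unchanged (that merging is outside this file), the subchart's whole default `prometheus` block may be dropped instead of left alone. Using `: {}` in place of `: null` on that line preserves the old behaviour. The `azure.workload.identity/use` label is set only on `podMetadata`; that is what the webhook keys on, so it looks right, but the client-id annotation is read from `azurerm_user_assigned_identity.prometheus[0]` and will fail at plan time if this local is ever evaluated with `use_managed_identity` true and the identity count zero.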
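--- a/aks/main.tf
+++ b/aks/main.tf
@@ -1,32 +1,57 @@
-data "azurerm_resource_group" "node" {
+# This null_resource is required otherwise Terraform would try to read the resource group data and/or the storage
+# account even if they were not created yet.
+resource "null_resource" "dependencies" {
+triggers = var.dependency_ids
+}
+
+data "azurerm_resource_group" "node_resource_group" {
 count = local.use_managed_identity ? 1 : 0
 
 name = var.metrics_storage.managed_identity_node_rg_name
+
+depends_on = [
+resource.null_resource.dependencies
+]
 }
 
 data "azurerm_storage_container" "container" {
 count = local.use_managed_identity ? 1 : 0
 
 name = var.metrics_storage.container
 storage_account_name = var.metrics_storage.storage_account
+
+depends_on = [
+resource.null_resource.dependencies
+]
 }
 
 resource "azurerm_user_assigned_identity" "prometheus" {
 count = local.use_managed_identity ? 1 : 0
 
-resource_group_name = data.azurerm_resource_group.node[0].name
-location = data.azurerm_resource_group.node[0].location
 name = "prometheus"
+resource_group_name = data.azurerm_resource_group.node_resource_group[0].name
+location = data.azurerm_resource_group.node_resource_group[0].location
 }
 
-resource "azurerm_role_assignment" "contributor" {
+resource "azurerm_role_assignment" "storage_contributor" {
 count = local.use_managed_identity ? 1 : 0
 
 scope = data.azurerm_storage_container.container[0].resource_manager_id
 role_definition_name = "Storage Blob Data Contributor"
 principal_id = azurerm_user_assigned_identity.prometheus[0].principal_id
 }
 
+resource "azurerm_federated_identity_credential" "prometheus" {
+count = local.use_managed_identity ? 1 : 0
+
+name = "prometheus"
+resource_group_name = data.azurerm_resource_group.node_resource_group[0].name
+audience = ["api://AzureADTokenExchange"]
+issuer = var.metrics_storage.managed_identity_oidc_issuer_url
+parent_id = azurerm_user_assigned_identity.prometheus[0].id
+subject = "system:serviceaccount:kube-prometheus-stack:kube-prometheus-stack-prometheus"
+}
+
 module "kube-prometheus-stack" {
 source = "../"
 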
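Review bot: The `subject` of the new `azurerm_federated_identity_credential` hardcodes both the namespace and the service-account name (`system:serviceaccount:kube-prometheus-stack:kube-prometheus-stack-prometheus`), so any deployment that releases the chart under a different name or namespace gets a token exchange that fails closed with no Terraform-time error, only 401s from Azure at runtime. If the module call below (it continues outside the hunk) already receives the namespace and release name, build the subject from them, e.g. `subject = "system:serviceaccount:${var.namespace}:${var.helm_release_name}-prometheus"`, and add a comment above the resource stating that the subject must match the ServiceAccount the chart creates. The narrow subject plus the container-scoped `Storage Blob Data Contributor` assignment is the right least-privilege shape; it is worth a comment on `issuer` that this value is the trust anchor of the whole exchange and should come from the cluster's `oidc_issuer_url` attribute rather than be typed by hand. One caveat to record next to the identity resource: it and the credential live in the AKS node resource group, which Azure documents as cluster-managed and deletes with the cluster, so `terraform destroy` ordering and manual cleanup of that group can remove the identity out from under this state.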
11 changes: 0 additions & 11 deletions charts/kube-prometheus-stack/templates/azureidentity.yaml

This file was deleted.

10 changes: 0 additions & 10 deletions charts/kube-prometheus-stack/templates/azureidentitybinding.yaml

This file was deleted.
