terraform.md

Use terraform to deploy all resources

1. prepare terraform execution for the simple deployment

open up an shell.azure.com

git clone https://github.com/denniszielke/phoenix.git
cd phoenix/terraform/simple
code .

1. Create the service principals for AKS and Azure DevOps. You need a service principal for your azure devops service connection that it can use to authenticate to your azure subscription. You need a service principal for Kubernetes to use - if you do not have, use the following command to creat one, get a secret and your azure tenant id and subscription id by running the following azure cli commands: Try to define a unique but short deployment name - it will be used to define dns names

DEPLOYMENT_NAME=dzphix1
echo "creating service principals in azure"
AKS_SERVICE_PRINCIPAL_ID=$(az ad sp create-for-rbac --name $DEPLOYMENT_NAME-aks -o json | jq -r '.appId')
AZDO_SERVICE_PRINCIPAL_ID=$(az ad sp create-for-rbac --name $DEPLOYMENT_NAME-azdo -o json | jq -r '.appId')

AKS_SERVICE_PRINCIPAL_SECRET=$(az ad app credential reset --id $AKS_SERVICE_PRINCIPAL_ID -o json | jq '.password' -r)
AZDO_SERVICE_PRINCIPAL_SECRET=$(az ad app credential reset --id $AZDO_SERVICE_PRINCIPAL_ID -o json | jq '.password' -r)

AKS_SERVICE_PRINCIPAL_OBJECTID=$(az ad sp show --id $AKS_SERVICE_PRINCIPAL_ID -o json | jq '.id' -r)
AZDO_SERVICE_PRINCIPAL_OBJECTID=$(az ad sp show --id $AZDO_SERVICE_PRINCIPAL_ID -o json | jq '.objectId' -r)

AZURE_TENANT_ID=$(az account show --query tenantId -o tsv)
AZURE_SUBSCRIPTION_NAME=$(az account show --query name -o tsv)
AZURE_SUBSCRIPTION_ID=$(az account show --query id -o tsv)
AZURE_MYOWN_OBJECT_ID=$(az ad signed-in-user show --query id --output tsv)

echo -e "\n\n Remember these outputs:"
echo -e "Your Kubernetes service_principal_id should be \e[7m$AKS_SERVICE_PRINCIPAL_ID\e[0m"
echo -e "Your Kubernetes service_principal_secret should be \e[7m$AKS_SERVICE_PRINCIPAL_SECRET\e[0m"
echo -e "Your Azure DevOps service_principal_id should be \e[7m$AZDO_SERVICE_PRINCIPAL_ID\e[0m"
echo -e "Your Azure DevOps service_principal_secret should be \e[7m$AZDO_SERVICE_PRINCIPAL_SECRET\e[0m"
echo -e "Your Azure tenant_id should be \e[7m$AZURE_TENANT_ID\e[0m"
echo -e "Your Azure subscription_id should be \e[7m$AZURE_SUBSCRIPTION_ID\e[0m"
echo -e "Your Azure subscription_name should be \e[7m$AZURE_SUBSCRIPTION_NAME\e[0m"
echo -e "Your Azure DevOps Service Connection name should be \e[7mdefaultAzure\e[0m"
echo -e "\n\n"


echo -e "\n This is the private output in case you want to set them later:"
echo -e "DEPLOYMENT_NAME=$DEPLOYMENT_NAME"
echo -e "AKS_SERVICE_PRINCIPAL_ID=$AKS_SERVICE_PRINCIPAL_ID"
echo -e "AZDO_SERVICE_PRINCIPAL_ID=$AZDO_SERVICE_PRINCIPAL_ID"
echo -e "AKS_SERVICE_PRINCIPAL_SECRET=$AKS_SERVICE_PRINCIPAL_SECRET"
echo -e "AZDO_SERVICE_PRINCIPAL_SECRET=$AZDO_SERVICE_PRINCIPAL_SECRET"
echo -e "AKS_SERVICE_PRINCIPAL_OBJECTID=$AKS_SERVICE_PRINCIPAL_OBJECTID"
echo -e "AZDO_SERVICE_PRINCIPAL_OBJECTID=$AZDO_SERVICE_PRINCIPAL_OBJECTID"
echo -e "AZURE_TENANT_ID=$AZURE_TENANT_ID"
echo -e "AZURE_SUBSCRIPTION_NAME=$AZURE_SUBSCRIPTION_NAME"
echo -e "AZURE_SUBSCRIPTION_ID=$AZURE_SUBSCRIPTION_ID"
echo -e "AZURE_MYOWN_OBJECT_ID=$AZURE_MYOWN_OBJECT_ID"
echo -e "\n"

1. Your can replace these values in the variable file by running the following

sed -e "s/SERVICE_PRINCIPAL_ID_PLACEHOLDER/$AKS_SERVICE_PRINCIPAL_ID/ ; s/SERVICE_PRINCIPAL_SECRET_PLACEHOLDER/$AKS_SERVICE_PRINCIPAL_SECRET/ ; s/SERVICE_PRINCIPAL_OBJECTID_PLACEHOLDER/$AKS_SERVICE_PRINCIPAL_OBJECTID/ ; s/AZDO_OBJECTID_PLACEHOLDER/$AZDO_SERVICE_PRINCIPAL_OBJECTID/ ; s/TENANT_ID_PLACEHOLDER/$AZURE_TENANT_ID/ ; s/DEPLOYMENT_NAME/$DEPLOYMENT_NAME/ ; s/SUBSCRIPTION_ID_PLACEHOLDER/$AZURE_SUBSCRIPTION_ID/ ; s/MYOBJECT_ID_PLACEHOLDER/$AZURE_MYOWN_OBJECT_ID/ " variables.tf.template > variables_mod.tf

1. initialize the terraform state

terraform init

1. create an execution plan and execute it

terraform plan -out out.plan

1. this will ensure the following deployment:

• Azure Resource Group
• Azure Virtual Network
• Azure Container Registry
• Application Insights
• Azure Cache for Redis
• Azure Kubernetes Cluster
• Azure Container Insights
• Azure KeyVault
• Variables for Azure Container Registry, Application Insights and Azure Redis inside the Azure KeyVault as secrets
• Permission assignments on ACR, Keyvault (your azure devops service principals needs permissions on these resources for that)
• Nginx Ingress Controller in AKS
• Traffic Manager Profile

1. trigger the deployment apply the execution plan

terraform apply out.plan

1. configure the application gateway addon

KUBE_GROUP=dzphix_284
KUBE_NAME=dzphix-284
appgwId=$(az network application-gateway list -g $KUBE_GROUP -o tsv --query "[].id") 
az aks enable-addons -n $KUBE_NAME -g $KUBE_GROUP -a ingress-appgw --appgw-id $appgwId

1. optionally you can create another environment using the following process:

echo "deleting existing terraform state"
rm -rf .terraform
rm terraform.tfstate
rm terraform.tfstate.backup
rm out.plan

echo "retrieving existing azure container registry"
ACR_RG_ID=$(az group show -n $DEPLOYMENT_NAME --query id -o tsv)
ACR_ID=$(az acr list -g $DEPLOYMENT_NAME --query '[0].id' -o tsv)
ACR_AKS_ID=$(az role assignment list --scope $ACR_ID --assignee $AKS_SERVICE_PRINCIPAL_OBJECTID --query '[0].id' -o tsv)
ACR_AZDO_ID=$(az role assignment list --scope $ACR_ID --assignee $AZDO_SERVICE_PRINCIPAL_OBJECTID --query '[0].id' -o tsv)

terraform init
echo "importing existing azure container registry"
terraform import azurerm_resource_group.acrrg $ACR_RG_ID
terraform import azurerm_container_registry.aksacr $ACR_ID
terraform import azurerm_role_assignment.aksacrrole $ACR_AKS_ID
terraform import azurerm_role_assignment.azdoacrrole $ACR_AZDO_ID

echo "redeploying"
terraform plan -out out.plan
terraform apply out.plan