Terraform Azurerm Kubernetes Cluster

The main purpose of this repository is to create Azure resources needed to deploy a FastAPI service to Azure Kubernetes service. The code for the FastAPI service can be found here ¹, the repository also contains Azure Pipelines to pull and push a docker image to the Azure Container Registry, and re-use use this image to deploy to the Kubernetes cluster.

The main resources created via this Terraform are:

Azure Active Directory Applications (App registration and Enterprise application)
Azure Kubernetes Service
Azure Container Registry
Azure DevOps service connections

Note

This repository was created within Azure DevOps and is now being mirrored to this GitHub repository. Source of truth will always be the Azure DevOps repository.

Architecture

Developer makes changes to the source code then pushes changes.
Azure pipeline triggered by new commit and starts a build on either Microsoft hosted agent or self-managed build agents.
Azure build agent starts and runs unit tests within the repository.
Azure pipeline creates a docker image, tags and pushed to an Azure container registry.
Azure pipeline pulls the recently pushed image and deploys to Azure Kubernetes Cluster.
Application is accessible from public URLs.

Development

Dependencies

terraform
terragrunt
pre-commit
terraform-docs this is required for terraform_docs hooks

Prerequisites

Have a Azure Portal account.
You will need to create a Service Principal with a Client Secret follow instructions.

Usage

Navigate to the environment you would like to deploy,
Plan your changes with terragrunt plan to see what changes will be made,
If you're happy with the changes terragrunt apply.

Important

Please note that .tfstate files are stored locally on your machine as no backend has been specified. If you would like to properly version control your state files, please configure an azure storage account to store these files. This will ensure anyone else other than you running a plan or apply will be using the same state file.

Cost

A majority of the resources created will have either be 'Standard' or 'Premium' tier. Please be mindful of the cost for each tier, Infracost has been used to help indicate how much it will cost to have all these resources created and running for a month.

Predicted Infracost as of 12/12/2023

 Name                                                                     Monthly Qty  Unit                  Monthly Cost

module.kubernetes_cluster.azurerm_kubernetes_cluster.cluster
├─ Uptime SLA                                                                    730  hours                       $73.00
├─ default_node_pool
│  ├─ Instance usage (Linux, pay as you go, Standard_D2_v2)                    1,460  hours                      $198.56
│  └─ os_disk
│     └─ Storage (S10, LRS)                                                        2  months                      $11.78
└─ Load Balancer
    └─ Data processed                                                Monthly cost depends on usage: $0.005 per GB

module.python_fastapi_registry.azurerm_container_registry.registry
├─ Geo replication (1 location)                                                   30  days                        $50.00
├─ Registry usage (Premium)                                                       30  days                        $50.00
├─ Storage (over 500GB)                                             Monthly cost depends on usage: $0.10 per GB
└─ Build vCPU                                                       Monthly cost depends on usage: $0.0001 per seconds

OVERALL TOTAL                                                                                                    $383.33
──────────────────────────────────
13 cloud resources were detected:
∙ 2 were estimated, all of which include usage-based costs, see https://infracost.io/usage-file
∙ 10 were free:
  ∙ 7 x azurerm_role_assignment
  ∙ 1 x azurerm_container_registry_scope_map
  ∙ 1 x azurerm_container_registry_token
  ∙ 1 x azurerm_resource_group
  ∙ 1 is not supported yet, see https://infracost.io/requested-resources:
  ∙ 1 x azurerm_container_registry_token_password

Pre-Commit hooks

Git hook scripts are very helpful for identifying simple issues before pushing any changes. Hooks will run on every commit automatically pointing out issues in the code e.g. trailing whitespace.

To help with the maintenance of these hooks, pre-commit is used, along with pre-commit-hooks.

Please follow these instructions to install pre-commit locally and ensure that you have run pre-commit install to install the hooks for this project.

Additionally, once installed, the hooks can be updated to the latest available version with pre-commit autoupdate.

Documentation Generation

Code formatting and documentation for variables and outputs is generated using pre-commit-terraform hooks that in turn uses terraform-docs that will insert/update documentation. The following markers have been added to the README.md:

<!-- {BEGINNING|END} OF PRE-COMMIT-TERRAFORM DOCS HOOK --->

Requirements

Name	Version
terraform	= 1.4.5
azuread	2.46.0
azuredevops	= 0.8.0
azurerm	3.82.0
time	0.10.0

Providers

Name	Version
azuread	2.46.0
azuredevops	0.8.0
azurerm	3.82.0
time	0.10.0

Modules

Name	Source	Version
azure_devops_service_connections	./modules/service_connections	n/a
kubernetes_cluster	./modules/kubernetes_service	n/a
python_fastapi_registry	./modules/container_registry	n/a

Resources

Name	Type
azuread_application.aad_application	resource
azuread_application_password.aad_application_password	resource
azuread_service_principal.service_principal_application_id	resource
azurerm_resource_group.resource_group	resource
time_rotating.aad_application_password_rotation	resource
azuread_client_config.current	data source
azuredevops_project.project	data source

Inputs

Name	Description	Type	Default	Required
arm_client_id	The Client ID which should be used. This can also be sourced from the ARM_CLIENT_ID Environment Variable.	`string`	n/a	yes
arm_client_secret	The Client Secret which should be used. This can also be sourced from the ARM_CLIENT_SECRET Environment Variable.	`string`	n/a	yes
arm_subscription_id	The Subscription ID which should be used. This can also be sourced from the ARM_SUBSCRIPTION_ID Environment Variable.	`string`	n/a	yes
arm_tenant_id	The Tenant ID which should be used. This can also be sourced from the ARM_TENANT_ID Environment Variable.	`string`	n/a	yes
cloud_enviornment	The Cloud Environment which should be used. Possible values are public, `usgovernment`, `german`, and `china`. Defaults to `public`. This can also be sourced from the ARM_ENVIRONMENT Environment Variable.	`string`	`"public"`	no
environment	The name of the environment to help identify resources.	`string`	n/a	yes
location	The Azure Region where the Resource Group should exist. Changing this forces a new Resource Group to be created.	`string`	`"West Europe"`	no
organization_url	This is the Azure DevOps organization url. It can also be sourced from the AZDO_ORG_SERVICE_URL environment variable.	`string`	n/a	yes
personal_access_token	This is the Azure DevOps organization personal access token. The account corresponding to the token will need "owner" privileges for this organization. It can also be sourced from the AZDO_PERSONAL_ACCESS_TOKEN environment variable.	`string`	n/a	yes
personal_ip_address	Add your client IP address to the networking to allow access.	`string`	n/a	yes
project_name	Name of the project.	`string`	n/a	yes
tags	Tags to be added to resources created.	`map(string)`	`{}`	no

Outputs

Name	Description
azurerm_service_connection_id	The ID of the azure resource manager service endpoint.
docker_registry_service_connection_id	The ID of the docker registry service endpoint.
tenant_id	The tenant ID used for this subscription.

My Azure DevOps organisation / project is private, FastAPI repository is mirrored here in GitHub. ↩

kwame-mintah / terraform-azurerm-kubernetes-cluster Goto Github PK