From a15144e8ca03fbdccad2e63f1ab48b68c615bbe9 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 25 Oct 2020 11:54:36 +0000 Subject: [PATCH 01/47] Added external-dns helm chart --- scripts/k8s_manifests_apply.sh | 12 +-- terraform/dns.tf | 146 ++++++++++++++++++++++----------- terraform/variables.tf | 6 ++ 3 files changed, 110 insertions(+), 54 deletions(-) diff --git a/scripts/k8s_manifests_apply.sh b/scripts/k8s_manifests_apply.sh index bc64610..4d67f68 100644 --- a/scripts/k8s_manifests_apply.sh +++ b/scripts/k8s_manifests_apply.sh @@ -22,10 +22,10 @@ echo "FINISHED: $message." # Testing kubectl kubectl version --short -# Apply manifests -message="Applying Kubernetes manifests" -echo "STARTED: $message..." +# # Apply manifests +# message="Applying Kubernetes manifests" +# echo "STARTED: $message..." -# external-dns -kubectl apply -n ingress -f ./manifests/external-dns.yml -echo "FINISHED: $message." +# # external-dns +# kubectl apply -n ingress -f ./manifests/external-dns.yml +# echo "FINISHED: $message." diff --git a/terraform/dns.tf b/terraform/dns.tf index a5ebed0..8d15793 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -1,6 +1,6 @@ # DNS data "azurerm_resource_group" "dns" { - name = var.dns_resource_group_name + name = var.dns_resource_group_name } data "azurerm_dns_zone" "dns" { 
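Review bot: The `kubectl apply` block in scripts/k8s_manifests_apply.sh is commented out rather than deleted, which leaves a script whose only remaining effect is `kubectl version --short` while the dead lines still name a manifest path and the `ingress` namespace that the `external_dns` helm_release in terraform/dns.tf now supersedes. Commented-out code is routinely re-enabled by a later maintainer who cannot tell whether it was retired or merely disabled, and git history already preserves it. I would delete the six commented lines and drop the script from the workflow, or leave a single `# external-dns is now deployed by helm_release.external_dns in terraform/dns.tf` so the reason is recorded. The rest of the script is outside the hunk.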
@@ -8,74 +8,124 @@ data "azurerm_dns_zone" "dns" { resource_group_name = data.azurerm_resource_group.dns.name } +# # Service Principle for external-dns k8s deployment +# resource "azuread_application" "aks_dns_sp" { +# name = var.dns_service_principle_name +# } -# Service Principle for external-dns k8s deployment -resource "azuread_application" "aks_dns_sp" { - name = var.dns_service_principle_name -} +# resource "azuread_service_principal" "aks_dns_sp" { +# application_id = azuread_application.aks_dns_sp.application_id +# } -resource "azuread_service_principal" "aks_dns_sp" { - application_id = azuread_application.aks_dns_sp.application_id -} +# resource "random_string" "aks_dns_sp" { +# length = 16 +# special = true +# keepers = { +# service_principal = azuread_service_principal.aks_dns_sp.id +# } +# } -resource "random_string" "aks_dns_sp" { - length = 16 - special = true - keepers = { - service_principal = azuread_service_principal.aks_dns_sp.id - } -} - -resource "azuread_service_principal_password" "aks_dns_sp" { - service_principal_id = azuread_service_principal.aks_dns_sp.id - value = random_string.aks_dns_sp.result - end_date_relative = "8760h" # 8760h = 1 year - - lifecycle { - ignore_changes = [end_date] - } -} +# resource "azuread_service_principal_password" "aks_dns_sp" { +# service_principal_id = azuread_service_principal.aks_dns_sp.id +# value = random_string.aks_dns_sp.result +# end_date_relative = "8760h" # 8760h = 1 year +# lifecycle { +# ignore_changes = [end_date] +# } +# } # Service Principle role assignments # reader on dns resource group -resource "azurerm_role_assignment" "aks_dns_sp_to_rg" { - principal_id = azuread_service_principal.aks_dns_sp.id +resource "azurerm_role_assignment" "aks_dns_mi_to_rg" { + principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id role_definition_name = "Reader" scope = data.azurerm_dns_zone.dns.id skip_service_principal_aad_check = true - depends_on = 
[azuread_service_principal_password.aks_dns_sp] } # contributor on dns zone -resource "azurerm_role_assignment" "aks_dns_sp_to_zone" { - principal_id = azuread_service_principal.aks_dns_sp.id +resource "azurerm_role_assignment" "aks_dns_mi_to_zone" { + principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id role_definition_name = "Contributor" scope = data.azurerm_resource_group.dns.id skip_service_principal_aad_check = true - depends_on = [azuread_service_principal_password.aks_dns_sp] } +# # Kuberenetes Secret for external-dns +# # https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/azure.md#azure-managed-service-identity-msi +# resource "kubernetes_secret" "external_dns" { +# metadata { +# name = "azure-config-file" +# namespace = "ingress" +# } + +# data = { +# "azure.json" = < Date: Sun, 25 Oct 2020 12:13:47 +0000 Subject: [PATCH 02/47] Added missing external-dns helm vars --- terraform/dns.tf | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/terraform/dns.tf b/terraform/dns.tf index 8d15793..b49a81b 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -99,22 +99,17 @@ resource "helm_release" "external_dns" { set { name = "azure.tenantId" - value = "" + value = data.azurerm_subscription.current.tenant_id } set { name = "azure.subscriptionId" - value = "" - } - - set { - name = "azure.tenantId" - value = "" + value = data.azurerm_subscription.current.subscription_id } set { name = "azure.resourceGroup" - value = "" + value = data.azurerm_resource_group.dns.name } set { From 7e3d279ecdc68d9e7798adf9ed86e8ec16d44afa Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 25 Oct 2020 12:22:34 +0000 Subject: [PATCH 03/47] Removed old comments --- terraform/variables.tf | 1 - velero/Deploy-Velero.ps1 | 1 - velero/velero-values.yaml | 5 ++--- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 03d5873..4c33259 100644 
--- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -294,7 +294,6 @@ variable "nexus_tls_secret_name" { # akv2k8s -# TODO: is this CRD file required? variable "akv2k8s_yaml_path" { default = "files/AzureKeyVaultSecret.yaml" } diff --git a/velero/Deploy-Velero.ps1 b/velero/Deploy-Velero.ps1 index e076a92..1aedb76 100644 --- a/velero/Deploy-Velero.ps1 +++ b/velero/Deploy-Velero.ps1 @@ -108,7 +108,6 @@ if ($helmReleaseName -in $helmDeployedList.Releases.Name) { # # OPTION 2 - YAML file # https://github.com/vmware-tanzu/helm-charts/tree/master/charts/velero#option-2-yaml-file # still use '--set` for dynamic values - # TODO add splatting for dynamic usage of debug flags # https://stackoverflow.com/questions/52854092/how-to-use-powershell-splatting-for-azure-cli helm install vmware-tanzu/velero ` --name velero ` diff --git a/velero/velero-values.yaml b/velero/velero-values.yaml index cc42f9a..3f4f99b 100644 --- a/velero/velero-values.yaml +++ b/velero/velero-values.yaml @@ -89,10 +89,9 @@ configuration: # Additional provider-specific configuration. See link above # for details of required/optional fields for your provider. config: {} - # TODO: complete below same as "$backupResourceGroupName,storageAccount=$storageAccountName" in CLI # config: - # resourceGroup: TODO - # storageAccount: TODO + # resourceGroup: + # storageAccount: # region: # s3ForcePathStyle: # s3Url: From dd014eaec5debc86526150c088e061e6c89fd6d8 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 25 Oct 2020 12:23:11 +0000 Subject: [PATCH 04/47] Added ignore_changes for app_settings. Added static dates for SAS --- terraform/function_app.tf | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index e2d625f..9d870f1 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf 
@@ -32,8 +32,12 @@ resource "azurerm_storage_blob" "func_app" { data "azurerm_storage_account_sas" "func_app" { connection_string = azurerm_storage_account.func_app.primary_connection_string https_only = true - start = formatdate("YYYY-MM-DD", timestamp()) - expiry = formatdate("YYYY-MM-DD", timeadd(timestamp(), var.func_app_sas_expires_in_hours)) + # start = formatdate("YYYY-MM-DD", timestamp()) + # expiry = formatdate("YYYY-MM-DD", timeadd(timestamp(), var.func_app_sas_expires_in_hours)) + + # hardcoded values to stop timestamp() affecting EVERY Terraform Plan + start = "2020-10-25" + expiry = "2022-01-01" resource_types { object = true @@ -111,11 +115,11 @@ resource "azurerm_function_app" "func_app" { type = "SystemAssigned" } - # lifecycle { - # ignore_changes = [ - # app_settings, - # ] - # } + lifecycle { + ignore_changes = [ + app_settings, + ] + } } From 55094b396a282432827178af301a7597dc3fc14b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 25 Oct 2020 13:16:31 +0000 Subject: [PATCH 05/47] Added external-dns MI and aad identity binding --- .github/workflows/build.yml | 1 + terraform/dns.tf | 45 +++++++++++++++++-- .../files/azureIdentity-external-dns.yaml.tpl | 19 ++++++++ terraform/variables.tf | 6 ++- 4 files changed, 67 insertions(+), 4 deletions(-) create mode 100644 terraform/files/azureIdentity-external-dns.yaml.tpl diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 63fddfa..2570533 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -218,6 +218,7 @@ jobs: with: name: test results path: test/pester-test-results.xml + # TODO: only run when previous task (Pester tests) has been successful if: always() # remove NuGet proxy repo so pester report step doesnt fail diff --git a/terraform/dns.tf b/terraform/dns.tf index b49a81b..46ff96d 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf 
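Review bot: Hard-coding `start = "2020-10-25"` and `expiry = "2022-01-01"` in `data.azurerm_storage_account_sas.func_app` gives the SAS a fixed lifetime of roughly fourteen months and silently stops honouring `var.func_app_sas_expires_in_hours`, which presumably stays declared in variables.tf with no remaining effect. Nothing in a plan will flag the approaching expiry, so on 2022-01-01 whatever consumes this SAS stops working with no Terraform diff to warn anyone. Moving the two dates into variables, or, if the hashicorp/time provider is acceptable, deriving them from a `time_rotating` resource, would keep the plan stable without pinning a hidden deadline; at minimum the comment should read `# SAS dates hard-coded to stop timestamp() producing a diff on every plan; MUST be renewed before 2022-01-01`. The commented-out `formatdate(...)` lines should be removed rather than kept next to the literals.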
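Review bot: `ignore_changes = [app_settings]` on `azurerm_function_app.func_app` tells Terraform to stop reconciling every app setting, not only the one that drifts at runtime, so any setting this module changes on purpose will no longer be applied while the plan looks clean. If the SAS from `data.azurerm_storage_account_sas.func_app` is wired into `app_settings` (not visible in this hunk), a renewed SAS would also be ignored, which compounds the fixed expiry introduced in the hunk above. If a single volatile key is the motivation and your Terraform version supports map-element references in `ignore_changes`, prefer `ignore_changes = [app_settings["<SETTING_NAME>"]]` (placeholder key); otherwise add a comment naming the setting that drifts and why, e.g. `# app_settings ignored because <SETTING_NAME> is rewritten by the platform after deploy`.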
@@ -35,10 +35,16 @@ data "azurerm_dns_zone" "dns" { # } # } -# Service Principle role assignments +# external-dns managed identity +resource "azurerm_user_assigned_identity" "external_dns" { + resource_group_name = azurerm_kubernetes_cluster.aks.node_resource_group + location = azurerm_kubernetes_cluster.aks.location + name = "mi_external_dns" +} + # reader on dns resource group resource "azurerm_role_assignment" "aks_dns_mi_to_rg" { - principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id + principal_id = azurerm_user_assigned_identity.external_dns.principal_id role_definition_name = "Reader" scope = data.azurerm_dns_zone.dns.id skip_service_principal_aad_check = true @@ -46,12 +52,39 @@ resource "azurerm_role_assignment" "aks_dns_mi_to_rg" { # contributor on dns zone resource "azurerm_role_assignment" "aks_dns_mi_to_zone" { - principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id + principal_id = azurerm_user_assigned_identity.external_dns.principal_id role_definition_name = "Contributor" scope = data.azurerm_resource_group.dns.id skip_service_principal_aad_check = true } + +data "template_file" "azureIdentity_external_dns" { + template = file(var.azureidentity_external_dns_yaml_path) + vars = { + managedIdentityResourceID = azurerm_user_assigned_identity.external_dns.id + managedIdentityClientID = azurerm_user_assigned_identity.external_dns.client_id + } +} + +# https://www.terraform.io/docs/provisioners/local-exec.html +resource "null_resource" "azureIdentity_external_dns" { + triggers = { + # always_run = "${timestamp()}" + azureidentity_external_dns_yaml_contents = filemd5(var.azureidentity_external_dns_yaml_path) + } + + provisioner "local-exec" { + interpreter = ["/bin/bash", "-c"] + command = < Date: Sun, 25 Oct 2020 13:30:35 +0000 Subject: [PATCH 06/47] Debug template output for kubectl --- terraform/dns.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
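Review bot: The role assignment scopes in this hunk and in the next one (`@@ -46,12 +52,39 @@`) contradict their own comments: `aks_dns_mi_to_rg` is labelled "reader on dns resource group" but is scoped to `data.azurerm_dns_zone.dns.id`, while `aks_dns_mi_to_zone` is labelled "contributor on dns zone" but grants Contributor on `data.azurerm_resource_group.dns.id`. The external-dns Azure tutorial linked elsewhere in this file expects the reverse: Reader on the resource group so the zone can be enumerated, and Contributor only on the zone so records can be edited. As written, the new `mi-external-dns` identity, and therefore any pod that obtains its binding, holds Contributor over every resource in the DNS resource group instead of a single zone. Swap the two `scope` lines so `aks_dns_mi_to_rg` uses `scope = data.azurerm_resource_group.dns.id` and `aks_dns_mi_to_zone` uses `scope = data.azurerm_dns_zone.dns.id`.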
diff --git a/terraform/dns.tf b/terraform/dns.tf index 46ff96d..e120b20 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -78,7 +78,7 @@ resource "null_resource" "azureIdentity_external_dns" { interpreter = ["/bin/bash", "-c"] command = < Date: Sun, 25 Oct 2020 13:41:04 +0000 Subject: [PATCH 07/47] Added namespace: ingress --- terraform/files/azureIdentity-external-dns.yaml.tpl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/files/azureIdentity-external-dns.yaml.tpl b/terraform/files/azureIdentity-external-dns.yaml.tpl index 2acdc58..54fa648 100644 --- a/terraform/files/azureIdentity-external-dns.yaml.tpl +++ b/terraform/files/azureIdentity-external-dns.yaml.tpl @@ -3,6 +3,7 @@ apiVersion: "aadpodidentity.k8s.io/v1" kind: AzureIdentity metadata: name: external-dns + namespace: ingress spec: type: 0 ResourceID: ${managedIdentityResourceID} @@ -14,6 +15,7 @@ apiVersion: "aadpodidentity.k8s.io/v1" kind: AzureIdentityBinding metadata: name: external-dns + namespace: ingress spec: AzureIdentity: external-dns Selector: external-dns From 6232575149d1844533c10bbc1303b962acaa528e Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 25 Oct 2020 13:53:33 +0000 Subject: [PATCH 08/47] Changed namespace to aad-pod-identity --- terraform/files/azureIdentity-external-dns.yaml.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/files/azureIdentity-external-dns.yaml.tpl b/terraform/files/azureIdentity-external-dns.yaml.tpl index 54fa648..2b1079f 100644 --- a/terraform/files/azureIdentity-external-dns.yaml.tpl +++ b/terraform/files/azureIdentity-external-dns.yaml.tpl @@ -3,7 +3,7 @@ apiVersion: "aadpodidentity.k8s.io/v1" kind: AzureIdentity metadata: name: external-dns - namespace: ingress + namespace: aad-pod-identity spec: type: 0 ResourceID: ${managedIdentityResourceID} 
@@ -15,7 +15,7 @@ apiVersion: "aadpodidentity.k8s.io/v1" kind: AzureIdentityBinding metadata: name: external-dns - namespace: ingress + namespace: aad-pod-identity spec: AzureIdentity: external-dns Selector: external-dns From 4cd74135221a5d374128f99be3ac44656cfb8b25 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 25 Oct 2020 13:55:37 +0000 Subject: [PATCH 09/47] Changed ansible retry timeout --- ansible/roles/init/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/init/tasks/main.yml b/ansible/roles/init/tasks/main.yml index 41d2e37..bcebd5b 100644 --- a/ansible/roles/init/tasks/main.yml +++ b/ansible/roles/init/tasks/main.yml @@ -28,8 +28,8 @@ register: result until: - result.status == 200 - # 90 x 10secs = 15mins - retries: 90 + # 30 x 10secs = 5mins + retries: 30 delay: 10 # reset module defaults for this simple check module_defaults: From c0d01b1e593b2bb0cf35b3588b53783d84118eb4 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 25 Oct 2020 14:19:31 +0000 Subject: [PATCH 10/47] Fixed akv2k8s controller.logLevel --- terraform/helm_akv2k8s.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/helm_akv2k8s.tf b/terraform/helm_akv2k8s.tf index 96dbf36..1cb8073 100644 --- a/terraform/helm_akv2k8s.tf +++ b/terraform/helm_akv2k8s.tf @@ -98,7 +98,7 @@ resource "helm_release" "akv2k8s" { version = var.akv2k8s_chart_version set { - name = "logLevel" + name = "controller.logLevel" value = "debug" } From ac23522d26f92dc4cbe310bb0ff9e7d4252b1efb Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 25 Oct 2020 14:26:58 +0000 Subject: [PATCH 11/47] Changed aad-pod-identity logVerbosity --- terraform/helm_aad_pod_identity.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/terraform/helm_aad_pod_identity.tf b/terraform/helm_aad_pod_identity.tf index d36e336..dc678f5 100644 --- a/terraform/helm_aad_pod_identity.tf +++ b/terraform/helm_aad_pod_identity.tf 
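Review bot: `controller.logLevel` is set to the literal `"debug"` with no variable behind it, so every environment built from this module runs the akv2k8s controller at debug verbosity; the same pattern appears in the `mic.logVerbosity = 6` block added to helm_aad_pod_identity.tf (patch 11) and the external-dns `logLevel = "debug"` block added to dns.tf (patch 14). These components sit in the secrets and identity path, and debug output from them is the kind of log stream worth keeping at default verbosity outside active troubleshooting, both for volume and for what may land in a shared log sink. I would expose each as a variable, e.g. `value = var.akv2k8s_log_level` (new variable, default matching the chart's own default), or at least mark all three blocks with `# debug logging enabled for troubleshooting - revert before production use` so they are not forgotten.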
@@ -68,6 +68,12 @@ resource "helm_release" "aad_pod_identity" { value = "true" } + # https://github.com/Azure/aad-pod-identity/wiki/Debugging#increasing-the-verbosity-of-the-logs + set { + name = "mic.logVerbosity" + value = 6 + } + timeout = 600 depends_on = [kubernetes_namespace.aad_pod_identity[0]] } From 4920032d5dc205bdefe8c22b4e5bad173ca65a13 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 25 Oct 2020 17:33:25 +0000 Subject: [PATCH 12/47] Changed casing --- terraform/files/azureIdentity-external-dns.yaml.tpl | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/terraform/files/azureIdentity-external-dns.yaml.tpl b/terraform/files/azureIdentity-external-dns.yaml.tpl index 2b1079f..f699e04 100644 --- a/terraform/files/azureIdentity-external-dns.yaml.tpl +++ b/terraform/files/azureIdentity-external-dns.yaml.tpl @@ -6,16 +6,14 @@ metadata: namespace: aad-pod-identity spec: type: 0 - ResourceID: ${managedIdentityResourceID} - ClientID: ${managedIdentityClientID} - + resourceID: ${managedIdentityResourceID} + clientID: ${managedIdentityClientID} --- - apiVersion: "aadpodidentity.k8s.io/v1" kind: AzureIdentityBinding metadata: name: external-dns namespace: aad-pod-identity spec: - AzureIdentity: external-dns - Selector: external-dns + azureIdentity: external-dns + selector: external-dns From e02a1cbced54c71e1f044f257453d4875270cac3 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 26 Oct 2020 07:22:11 +0000 Subject: [PATCH 13/47] Changed MI location to aks node RG --- terraform/dns.tf | 2 +- terraform/helm_aad_pod_identity.tf | 18 ++---------------- terraform/velero_mi_auth.tf | 7 +++---- 3 files changed, 6 insertions(+), 21 deletions(-) diff --git a/terraform/dns.tf b/terraform/dns.tf index e120b20..463f175 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf 
@@ -39,7 +39,7 @@ data "azurerm_dns_zone" "dns" { resource "azurerm_user_assigned_identity" "external_dns" { resource_group_name = azurerm_kubernetes_cluster.aks.node_resource_group location = azurerm_kubernetes_cluster.aks.location - name = "mi_external_dns" + name = "mi-external-dns" } # reader on dns resource group diff --git a/terraform/helm_aad_pod_identity.tf b/terraform/helm_aad_pod_identity.tf index dc678f5..71e35ca 100644 --- a/terraform/helm_aad_pod_identity.tf +++ b/terraform/helm_aad_pod_identity.tf @@ -3,7 +3,6 @@ # role assignment for aad-pod-identity # https://azure.github.io/aad-pod-identity/docs/getting-started/role-assignment/#performing-role-assignments resource "azurerm_role_assignment" "aks_mi_aks_node_rg_vm_contributor" { - count = var.velero_enabled ? 1 : 0 principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id role_definition_name = "Virtual Machine Contributor" scope = data.azurerm_resource_group.aks_node_rg.id @@ -11,24 +10,13 @@ resource "azurerm_role_assignment" "aks_mi_aks_node_rg_vm_contributor" { } resource "azurerm_role_assignment" "aks_mi_aks_node_rg_mi_operator" { - count = var.velero_enabled ? 1 : 0 principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id role_definition_name = "Managed Identity Operator" scope = data.azurerm_resource_group.aks_node_rg.id skip_service_principal_aad_check = true } -# velero user MI in different RG, so assign role there too -resource "azurerm_role_assignment" "aks_mi_velero_rg_mi_operator" { - count = var.velero_enabled ? 1 : 0 - principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id - role_definition_name = "Managed Identity Operator" - scope = azurerm_resource_group.velero[0].id - skip_service_principal_aad_check = true -} - data "template_file" "azureIdentities" { - count = var.velero_enabled ? 1 : 0 template = file("${path.module}/files/azureIdentities.yaml.tpl") vars = { resourceID = azurerm_user_assigned_identity.velero[0].id 
@@ -38,7 +26,6 @@ data "template_file" "azureIdentities" { # https://www.terraform.io/docs/providers/kubernetes/r/namespace.html resource "kubernetes_namespace" "aad_pod_identity" { - count = var.velero_enabled ? 1 : 0 metadata { name = "aad-pod-identity" } @@ -51,7 +38,6 @@ resource "kubernetes_namespace" "aad_pod_identity" { # https://www.terraform.io/docs/providers/helm/r/release.html resource "helm_release" "aad_pod_identity" { - count = var.velero_enabled ? 1 : 0 chart = "aad-pod-identity" name = "aad-pod-identity" namespace = "aad-pod-identity" @@ -60,7 +46,7 @@ resource "helm_release" "aad_pod_identity" { values = [ file("helm/aad_pod_identity_values.yaml"), - data.template_file.azureIdentities[0].rendered + data.template_file.azureIdentities.rendered ] set { @@ -75,5 +61,5 @@ resource "helm_release" "aad_pod_identity" { } timeout = 600 - depends_on = [kubernetes_namespace.aad_pod_identity[0]] + depends_on = [kubernetes_namespace.aad_pod_identity] } diff --git a/terraform/velero_mi_auth.tf b/terraform/velero_mi_auth.tf index 52a99e7..a34c41c 100644 --- a/terraform/velero_mi_auth.tf +++ b/terraform/velero_mi_auth.tf @@ -1,10 +1,9 @@ # velero managed identity auth resource "azurerm_user_assigned_identity" "velero" { count = var.velero_enabled ? 1 : 0 - resource_group_name = azurerm_resource_group.velero[0].name - location = azurerm_resource_group.velero[0].location - - name = "mi_velero" + resource_group_name = azurerm_kubernetes_cluster.aks.node_resource_group + location = azurerm_kubernetes_cluster.aks.location + name = "mi-velero" } # assign velero MI contributor rights to velero storage RG From 845e468746771b21265d5c91ce3faa28c01f86bc Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 26 Oct 2020 07:26:56 +0000 Subject: [PATCH 14/47] Changed external-dns logLevel to debug --- terraform/dns.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/terraform/dns.tf b/terraform/dns.tf index 463f175..d1232a0 100644 --- a/terraform/dns.tf 
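Review bot: Dropping `count = var.velero_enabled ? 1 : 0` from `data.template_file.azureIdentities` while its `vars` still reference `azurerm_user_assigned_identity.velero[0].id` breaks the `velero_enabled = false` case: the velero_mi_auth.tf hunk in this same commit keeps `count = var.velero_enabled ? 1 : 0` on that identity, so with velero disabled the data source is now evaluated unconditionally against a resource with zero instances and the plan fails on the index. Making aad-pod-identity unconditional is right for external-dns, but the velero identity rendered into the template is still optional. Either guard the reference, e.g. `resourceID = var.velero_enabled ? azurerm_user_assigned_identity.velero[0].id : ""` and make the template tolerate an empty value, or render the velero AzureIdentity from a separately counted data source. The remaining `vars` entries and the template body are outside the hunk.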
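Review bot: Placing `azurerm_user_assigned_identity.velero` in `azurerm_kubernetes_cluster.aks.node_resource_group` (and `mi-external-dns` in dns.tf the same way) ties the identity's lifetime to a resource group that AKS owns; AKS documentation discourages adding your own resources there because cluster operations can modify or remove its contents, and the identity would then vanish from under Terraform state. The benefit is clear, since the kubelet identity's `Managed Identity Operator` grant on the node RG now covers it without the per-RG assignment removed from helm_aad_pod_identity.tf, but that trade-off should be recorded: `# placed in the AKS node RG so the existing Managed Identity Operator assignment covers it; the MI does not survive cluster recreation`. If the identity ever needs to outlive the cluster, move it back to its own resource group and restore the Operator assignment.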
+++ b/terraform/dns.tf @@ -63,7 +63,7 @@ data "template_file" "azureIdentity_external_dns" { template = file(var.azureidentity_external_dns_yaml_path) vars = { managedIdentityResourceID = azurerm_user_assigned_identity.external_dns.id - managedIdentityClientID = azurerm_user_assigned_identity.external_dns.client_id + managedIdentityClientID = azurerm_user_assigned_identity.external_dns.client_id } } @@ -120,6 +120,11 @@ resource "helm_release" "external_dns" { version = var.external_dns_chart_version # values = [file("helm/NOT_USED.yaml")] + set { + name = "logLevel" + value = "debug" + } + set { name = "domainFilters[0]" value = var.dns_zone_name From c45c7eecfeee275cb90cca0535885f150e90195b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 26 Oct 2020 07:49:05 +0000 Subject: [PATCH 15/47] Added dependency on helm_release.aad_pod_identity --- terraform/dns.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/dns.tf b/terraform/dns.tf index d1232a0..eb9fb1f 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -82,7 +82,7 @@ resource "null_resource" "azureIdentity_external_dns" { EOT } - depends_on = [local_file.kubeconfig, kubernetes_namespace.ingress] + depends_on = [local_file.kubeconfig, kubernetes_namespace.ingress, helm_release.aad_pod_identity] } # # Kuberenetes Secret for external-dns From 6a10ebca605bc9660601baa1366a45ca970ded3b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 27 Oct 2020 07:54:34 +0000 Subject: [PATCH 16/47] Added external-dns namespace. Removed old code. --- .github/workflows/build.yml | 1 - .github/workflows/destroy.yml | 1 - terraform/dns.tf | 77 +++++++++-------------------------- terraform/helm_nginx.tf | 24 ----------- terraform/variables.tf | 35 ---------------- 5 files changed, 20 insertions(+), 118 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2570533..b6405c7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -44,7 +44,6 @@ env: EMAIL_ADDRESS: certadmin@domain.com ENABLE_TLS_INGRESS: true FORCE_TEST_FAIL: false - HAS_SUBDOMAIN: true K8S_TLS_SECRET_NAME: tls-secret KEY_VAULT_NAME: kv-rush-iz6y KEY_VAULT_CERT_NAME: wildcard-thehypepipe-co-uk diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 9ed843a..2bf379a 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -37,7 +37,6 @@ env: EMAIL_ADDRESS: certadmin@domain.com ENABLE_TLS_INGRESS: true FORCE_TEST_FAIL: false - HAS_SUBDOMAIN: true K8S_TLS_SECRET_NAME: tls-secret KEY_VAULT_NAME: kv-rush-iz6y KEY_VAULT_CERT_NAME: wildcard-thehypepipe-co-uk diff --git a/terraform/dns.tf b/terraform/dns.tf index eb9fb1f..438ecf8 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -8,33 +8,6 @@ data "azurerm_dns_zone" "dns" { resource_group_name = data.azurerm_resource_group.dns.name } -# # Service Principle for external-dns k8s deployment -# resource "azuread_application" "aks_dns_sp" { -# name = var.dns_service_principle_name -# } - -# resource "azuread_service_principal" "aks_dns_sp" { -# application_id = azuread_application.aks_dns_sp.application_id -# } - -# resource "random_string" "aks_dns_sp" { -# length = 16 -# special = true -# keepers = { -# service_principal = azuread_service_principal.aks_dns_sp.id -# } -# } - -# resource "azuread_service_principal_password" "aks_dns_sp" { -# service_principal_id = azuread_service_principal.aks_dns_sp.id -# value = random_string.aks_dns_sp.result -# end_date_relative = "8760h" # 8760h = 1 year - -# lifecycle { -# ignore_changes = [end_date] -# } -# } - # external-dns managed identity resource "azurerm_user_assigned_identity" "external_dns" { resource_group_name = azurerm_kubernetes_cluster.aks.node_resource_group 
@@ -59,6 +32,17 @@ resource "azurerm_role_assignment" "aks_dns_mi_to_zone" { } +resource "kubernetes_namespace" "external_dns" { + metadata { + name = "external-dns" + } + timeouts { + delete = "15m" + } + + depends_on = [azurerm_kubernetes_cluster.aks] +} + data "template_file" "azureIdentity_external_dns" { template = file(var.azureidentity_external_dns_yaml_path) vars = { @@ -82,40 +66,19 @@ resource "null_resource" "azureIdentity_external_dns" { EOT } - depends_on = [local_file.kubeconfig, kubernetes_namespace.ingress, helm_release.aad_pod_identity] + depends_on = [ + local_file.kubeconfig, + kubernetes_namespace.external_dns, + helm_release.aad_pod_identity + ] } -# # Kuberenetes Secret for external-dns -# # https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/azure.md#azure-managed-service-identity-msi -# resource "kubernetes_secret" "external_dns" { -# metadata { -# name = "azure-config-file" -# namespace = "ingress" -# } - -# data = { -# "azure.json" = < Date: Tue, 27 Oct 2020 07:59:53 +0000 Subject: [PATCH 17/47] Added comment for external-dns --- terraform/helm/nginx_values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/terraform/helm/nginx_values.yaml b/terraform/helm/nginx_values.yaml index c8b6b29..4d7248f 100644 --- a/terraform/helm/nginx_values.yaml +++ b/terraform/helm/nginx_values.yaml 
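Review bot: The new `external-dns` namespace will host the external-dns pods, while the AzureIdentity and AzureIdentityBinding in azureIdentity-external-dns.yaml.tpl were moved to the `aad-pod-identity` namespace in an earlier patch; that cross-namespace match only works because aad-pod-identity matches bindings to pods across namespaces by default, and nothing in the code says so. A comment on this resource would save the next reader a debugging session: `# external-dns pods run here; their AzureIdentityBinding lives in the aad-pod-identity namespace and relies on MIC's default cross-namespace matching`. If the cluster is ever switched to namespaced mode, the binding must move into this namespace.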
@@ -32,6 +32,9 @@ controller: ## by the service. If disable, the status field reports the IP address of the ## node or nodes where an ingress controller pod is running. publishService: + # ! This is required for external-dns to work properly + # ! https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/azure.md#deploy-externaldns + # ! https://github.com/kubernetes-sigs/external-dns/blob/master/docs/faq.md#why-is-externaldns-only-adding-a-single-ip-address-in-route-53-on-aws-when-using-the-nginx-ingress-controller-how-do-i-get-it-to-use-the-fqdn-of-the-elb-assigned-to-my-nginx-ingress-controller-service-instead enabled: true ## Allows overriding of the publish service to bind to ## Must be / From b148e63b6f07d0c93a58948a07a013aab1764daa Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 27 Oct 2020 08:11:37 +0000 Subject: [PATCH 18/47] Added akv2k8s_exceptions dep for aad_pod_identity --- terraform/helm_akv2k8s.tf | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/terraform/helm_akv2k8s.tf b/terraform/helm_akv2k8s.tf index 1cb8073..1560e08 100644 --- a/terraform/helm_akv2k8s.tf +++ b/terraform/helm_akv2k8s.tf @@ -41,8 +41,8 @@ resource "local_file" "kubeconfig" { resource "null_resource" "akv2k8s_crds" { triggers = { # always_run = "${timestamp()}" - akv2k8s_yaml_contents = filemd5(var.akv2k8s_yaml_path) - cert_sync_yaml_contents = filemd5(var.cert_sync_yaml_path) + akv2k8s_yaml_contents = filemd5(var.akv2k8s_yaml_path) + cert_sync_yaml_contents = filemd5(var.cert_sync_yaml_path) } provisioner "local-exec" { @@ -85,7 +85,11 @@ resource "null_resource" "akv2k8s_exceptions" { EOT } - depends_on = [local_file.kubeconfig, kubernetes_namespace.akv2k8s] + depends_on = [ + local_file.kubeconfig, + kubernetes_namespace.akv2k8s, + helm_release.aad_pod_identity + ] } # https://www.terraform.io/docs/providers/helm/r/release.html From ac34e84b7dc24379528a7ddb4c8e3db85762441b Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Wed, 28 Oct 2020 06:59:27 +0000 Subject: [PATCH 19/47] Added workaround - Restart Function App --- .github/workflows/build.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b6405c7..93e972d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -183,6 +183,12 @@ jobs: run: ./scripts/wait.sh + # TODO: Remove once issue has been fixed + # https://github.com/terraform-providers/terraform-provider-azurerm/issues/8546 + - name: Restart Function App + run: az functionapp restart --name "${{ env.PREFIX }}-funcapp" --resource-group "${{ env.PREFIX }}-rg-function-app" + + # Ansible - name: Lint Ansible Playbook uses: ansible/ansible-lint-action@6c8c141 From 88876215d522f81065ad8b23e8ebacc803e78275 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 28 Oct 2020 08:52:35 +0000 Subject: [PATCH 20/47] Disabled aks autoscaling --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index beab175..0aa0d7f 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -143,7 +143,7 @@ variable "agent_pool_node_count" { } variable "agent_pool_enable_auto_scaling" { - default = true + default = false } variable "agent_pool_node_min_count" { From 1cd1fe0b1871ab477cfee1d5ca2cabefdbccd71c Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 28 Oct 2020 09:00:06 +0000 Subject: [PATCH 21/47] Disabled agent pool node count vars --- terraform/variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 0aa0d7f..e958bc1 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -147,11 +147,11 @@ variable "agent_pool_enable_auto_scaling" { } variable "agent_pool_node_min_count" { - default = 1 + default = null } variable "agent_pool_node_max_count" { - default = 3 + default = null } variable "agent_pool_profile_name" { From 029cb3bf691c72337c3885e5a49f2b120fe3ea53 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 28 Oct 2020 09:22:34 +0000 Subject: [PATCH 22/47] Added aks start stop cli preview feature --- .github/workflows/deallocate_aks_vmss.yml | 15 ++++++++++++--- .github/workflows/start_aks_vmss.yml | 13 +++++++++++-- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deallocate_aks_vmss.yml b/.github/workflows/deallocate_aks_vmss.yml index 161e4d3..4f6c1dd 100644 --- a/.github/workflows/deallocate_aks_vmss.yml +++ b/.github/workflows/deallocate_aks_vmss.yml @@ -55,9 +55,18 @@ jobs: - name: Login to Azure run: ./scripts/azure_login.sh - # Deallocate - - name: Deallocate AKS VMSS - run: ./scripts/deallocate_aks_vmss.sh + # Stop + # Prereqs: https://docs.microsoft.com/en-us/azure/aks/start-stop-cluster + - name: Stop AKS Cluster + run: | + # Install the aks-preview extension + az extension add --name aks-preview + + # Update the extension to make sure you have the latest version installed + az extension update --name aks-preview + + # Stop AKS cluster + az aks stop --name ${{ env.AKS_CLUSTER_NAME }} --resource-group ${{ env.AKS_RG_NAME }} # Notify - name: Notify slack diff --git a/.github/workflows/start_aks_vmss.yml b/.github/workflows/start_aks_vmss.yml index 04d7d12..e230b69 100644 --- a/.github/workflows/start_aks_vmss.yml +++ b/.github/workflows/start_aks_vmss.yml 
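Review bot: `az extension add --name aks-preview` followed by `az extension update --name aks-preview` installs whatever the newest preview extension is at run time, here and in the matching start_aks_vmss.yml hunk on the next line, so a scheduled workflow holding Azure credentials executes unpinned preview-quality code that can change between runs. Pin it with `az extension add --name aks-preview --version <PINNED_VERSION>` (placeholder) and drop the `update` call, which is redundant immediately after `add`; bump the version deliberately when a new release has been tested. The cluster arguments should also be quoted, `--name "${{ env.AKS_CLUSTER_NAME }}" --resource-group "${{ env.AKS_RG_NAME }}"`, as the other az invocations in this repository do.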
@@ -57,8 +57,17 @@ jobs: run: ./scripts/azure_login.sh # Start - - name: Start AKS VMSS - run: ./scripts/start_aks_vmss.sh + # Prereqs: https://docs.microsoft.com/en-us/azure/aks/start-stop-cluster + - name: Start AKS Cluster + run: | + # Install the aks-preview extension + az extension add --name aks-preview + + # Update the extension to make sure you have the latest version installed + az extension update --name aks-preview + + # Start AKS cluster + az aks start --name ${{ env.AKS_CLUSTER_NAME }} --resource-group ${{ env.AKS_RG_NAME }} # Notify - name: Notify slack From ce3929f6be452136f197033087db8f11888036d6 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 29 Oct 2020 07:14:28 +0000 Subject: [PATCH 23/47] Renamed aks start/stop workflows --- .../{start_aks_vmss.yml => start_aks_cluster.yml} | 8 ++++---- .../{deallocate_aks_vmss.yml => stop_aks_cluster.yml} | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) rename .github/workflows/{start_aks_vmss.yml => start_aks_cluster.yml} (95%) rename .github/workflows/{deallocate_aks_vmss.yml => stop_aks_cluster.yml} (95%) diff --git a/.github/workflows/start_aks_vmss.yml b/.github/workflows/start_aks_cluster.yml similarity index 95% rename from .github/workflows/start_aks_vmss.yml rename to .github/workflows/start_aks_cluster.yml index e230b69..435848f 100644 --- a/.github/workflows/start_aks_vmss.yml +++ b/.github/workflows/start_aks_cluster.yml @@ -1,9 +1,9 @@ -name: Start AKS VMSS +name: Start AKS Cluster on: repository_dispatch: # name of GitHub event that triggers workflow - types: [start_vmss] + types: [start_aks_cluster] # enable manual workflow # https://docs.github.com/en/actions/configuring-and-managing-workflows/configuring-a-workflow#manually-running-a-workflow @@ -25,7 +25,7 @@ env: ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} jobs: - start_vmss: + start_aks_cluster: runs-on: ubuntu-18.04 # only run if owner triggered action 
@@ -76,4 +76,4 @@ jobs: uses: pullreminders/slack-action@v1.0.9 with: # env var concatenation not supported atm, so hard-code messages - args: '{\"channel\":\"C012ZQHT9A4\",\"text\":\"[aks-nexus-velero] Start AKS VMSS complete\"}' + args: '{\"channel\":\"C012ZQHT9A4\",\"text\":\"[aks-nexus-velero] Start AKS Cluster complete\"}' diff --git a/.github/workflows/deallocate_aks_vmss.yml b/.github/workflows/stop_aks_cluster.yml similarity index 95% rename from .github/workflows/deallocate_aks_vmss.yml rename to .github/workflows/stop_aks_cluster.yml index 4f6c1dd..cab8752 100644 --- a/.github/workflows/deallocate_aks_vmss.yml +++ b/.github/workflows/stop_aks_cluster.yml @@ -1,9 +1,9 @@ -name: Deallocate AKS VMSS +name: Stop AKS Cluster on: repository_dispatch: # name of GitHub event that triggers workflow - types: [deallocate_vmss] + types: [stop_aks_cluster] # enable manual workflow # https://docs.github.com/en/actions/configuring-and-managing-workflows/configuring-a-workflow#manually-running-a-workflow @@ -25,7 +25,7 @@ env: ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} jobs: - deallocate_vmss: + stop_aks_cluster: runs-on: ubuntu-18.04 # only run if owner triggered action @@ -75,4 +75,4 @@ jobs: uses: pullreminders/slack-action@v1.0.9 with: # env var concatenation not supported atm, so hard-code messages - args: '{\"channel\":\"C012ZQHT9A4\",\"text\":\"[aks-nexus-velero] Deallocate AKS VMSS complete\"}' + args: '{\"channel\":\"C012ZQHT9A4\",\"text\":\"[aks-nexus-velero] Stop AKS Cluster complete\"}' From 256ade013d7c384e9759992fecf75ac6eaad0698 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 29 Oct 2020 13:08:48 +0000 Subject: [PATCH 24/47] Changed WF name --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 93e972d..f1650f1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -1,5 +1,5 @@ # https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions -name: Build env +name: Build environment # name of GitHub event that triggers workflow # https://help.github.com/en/actions/reference/events-that-trigger-workflows#watch-event-watch From 33f0510f7d96ef10e9f2fc8f2989f1e69a057c74 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 30 Oct 2020 07:48:44 +0000 Subject: [PATCH 25/47] Added scripts for start/stop aks cluster --- .github/workflows/destroy.yml | 6 +++--- .github/workflows/start_aks_cluster.yml | 10 +--------- .github/workflows/stop_aks_cluster.yml | 10 +--------- scripts/start_aks_cluster.sh | 20 ++++++++++++++++++++ scripts/stop_aks_cluster.sh | 20 ++++++++++++++++++++ 5 files changed, 45 insertions(+), 21 deletions(-) create mode 100644 scripts/start_aks_cluster.sh create mode 100644 scripts/stop_aks_cluster.sh diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 2bf379a..f4c9a61 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -104,9 +104,9 @@ jobs: - name: Login to Azure run: ./scripts/azure_login.sh - # Ensure VMSS is started, else timeouts will occur on k8s Terraform resource destroy tasks - - name: Start AKS VMSS - run: ./scripts/start_aks_vmss.sh + # Ensure AKS cluster is running, else timeouts will occur on k8s Terraform resource destroy tasks + - name: Start AKS Cluster + run: ./scripts/start_aks_cluster.sh # Prereqs diff --git a/.github/workflows/start_aks_cluster.yml b/.github/workflows/start_aks_cluster.yml index 435848f..985f06c 100644 --- a/.github/workflows/start_aks_cluster.yml +++ b/.github/workflows/start_aks_cluster.yml 
@@ -59,15 +59,7 @@ jobs: # Start # Prereqs: https://docs.microsoft.com/en-us/azure/aks/start-stop-cluster - name: Start AKS Cluster - run: | - # Install the aks-preview extension - az extension add --name aks-preview - - # Update the extension to make sure you have the latest version installed - az extension update --name aks-preview - - # Start AKS cluster - az aks start --name ${{ env.AKS_CLUSTER_NAME }} --resource-group ${{ env.AKS_RG_NAME }} + run: ./scripts/start_aks_cluster.sh # Notify - name: Notify slack diff --git a/.github/workflows/stop_aks_cluster.yml b/.github/workflows/stop_aks_cluster.yml index cab8752..215d23f 100644 --- a/.github/workflows/stop_aks_cluster.yml +++ b/.github/workflows/stop_aks_cluster.yml @@ -58,15 +58,7 @@ jobs: # Stop # Prereqs: https://docs.microsoft.com/en-us/azure/aks/start-stop-cluster - name: Stop AKS Cluster - run: | - # Install the aks-preview extension - az extension add --name aks-preview - - # Update the extension to make sure you have the latest version installed - az extension update --name aks-preview - - # Stop AKS cluster - az aks stop --name ${{ env.AKS_CLUSTER_NAME }} --resource-group ${{ env.AKS_RG_NAME }} + run: ./scripts/stop_aks_cluster.sh # Notify - name: Notify slack diff --git a/scripts/start_aks_cluster.sh b/scripts/start_aks_cluster.sh new file mode 100644 index 0000000..3ec0bb8 --- /dev/null +++ b/scripts/start_aks_cluster.sh 
@@ -0,0 +1,20 @@
+#! /usr/bin/env bash
+#
+# Starts AKS Cluster
+#
+# ensure strict mode and predictable pipeline failure
+set -euo pipefail
+trap "echo 'error: Script failed: see failed command above'" ERR
+
+# Prereqs as this is a preview feature: https://docs.microsoft.com/en-us/azure/aks/start-stop-cluster
+# Install the aks-preview extension
+az extension add --name aks-preview
+
+# Update the extension to make sure you have the latest version installed
+az extension update --name aks-preview
+
+# Start AKS Cluster
+message="Starting AKS Cluster: [$AKS_CLUSTER_NAME]"
+echo -e "\nSTARTED: $message..."
+az aks start --name "$AKS_CLUSTER_NAME" --resource-group "$AKS_RG_NAME"
+echo -e "FINISHED: $message."
diff --git a/scripts/stop_aks_cluster.sh b/scripts/stop_aks_cluster.sh
new file mode 100644
index 0000000..1625999
--- /dev/null
+++ b/scripts/stop_aks_cluster.sh
@@ -0,0 +1,20 @@
+#! /usr/bin/env bash
+#
+# Stops AKS Cluster
+#
+# ensure strict mode and predictable pipeline failure
+set -euo pipefail
+trap "echo 'error: Script failed: see failed command above'" ERR
+
+# Prereqs as this is a preview feature: https://docs.microsoft.com/en-us/azure/aks/start-stop-cluster
+# Install the aks-preview extension
+az extension add --name aks-preview
+
+# Update the extension to make sure you have the latest version installed
+az extension update --name aks-preview
+
+# Stop AKS Cluster
+message="Stopping AKS Cluster: [$AKS_CLUSTER_NAME]"
+echo -e "\nSTARTED: $message..."
+az aks stop --name "$AKS_CLUSTER_NAME" --resource-group "$AKS_RG_NAME"
+echo -e "FINISHED: $message."
From 7a6f10a0fedf9cd246fcbde150b989202258f3f6 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 30 Oct 2020 08:15:37 +0000 Subject: [PATCH 26/47] Bumped versions --- terraform/providers.tf | 2 +- terraform/variables.tf | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/terraform/providers.tf b/terraform/providers.tf
index 376a756..32ccfb2 100644
--- a/terraform/providers.tf
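Review bot: Running `az extension add --name aks-preview` unconditionally under `set -e` makes the new start_aks_cluster.sh fragile on a runner that already has the extension installed: some Azure CLI versions return non-zero from `add` with an "already exists" error, and the script would then abort before `az aks start` is reached; stop_aks_cluster.sh in this commit repeats the identical sequence. A guard such as `az extension show --name aks-preview >/dev/null 2>&1 || az extension add --name aks-preview`, followed by the existing `az extension update`, keeps both scripts idempotent. Both scripts also depend on the caller exporting `AKS_CLUSTER_NAME` and `AKS_RG_NAME`, which `set -u` otherwise surfaces only as a bare "unbound variable" failure, so a header line like `# Requires env vars: AKS_CLUSTER_NAME, AKS_RG_NAME` would make that contract explicit.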
+++ b/terraform/providers.tf @@ -30,7 +30,7 @@ terraform { # must include blank features block # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { - version = "2.32.0" + version = "2.34.0" features {} } diff --git a/terraform/variables.tf b/terraform/variables.tf index e958bc1..bbdf248 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -17,12 +17,12 @@ variable "kubernetes_version" { # https://github.com/kubernetes/ingress-nginx/releases # https://github.com/kubernetes/ingress-nginx/blob/master/charts/ingress-nginx/Chart.yaml#L3 variable "nginx_chart_version" { - default = "3.4.0" + default = "3.7.1" } # https://hub.helm.sh/charts/jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.0.3" + default = "v1.0.4" } # https://github.com/vmware-tanzu/helm-charts/releases @@ -44,7 +44,7 @@ variable "nexus_chart_version" { # https://github.com/SparebankenVest/helm-charts/tree/gh-pages/akv2k8s # https://github.com/SparebankenVest/public-helm-charts/blob/master/stable/akv2k8s/Chart.yaml#L5 variable "akv2k8s_chart_version" { - default = "1.1.25" + default = "1.1.26" } # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 @@ -52,10 +52,10 @@ variable "aad_pod_identity_chart_version" { default = "2.0.2" } -# https://github.com/bitnami/charts/tree/master/bitnami/external-dns # https://bitnami.com/stack/external-dns/helm +# https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L3 variable "external_dns_chart_version" { - default = "3.4.9" + default = "3.5.0" } #endregion Versions From 34bc5cee0d2bb8a08570ef19f8d1b7d47323a427 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 31 Oct 2020 08:03:24 +0000 Subject: [PATCH 27/47] Moved Restart Function App step further down --- .github/workflows/build.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f1650f1..47fc084 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -183,12 +183,6 @@ jobs: run: ./scripts/wait.sh - # TODO: Remove once issue has been fixed - # https://github.com/terraform-providers/terraform-provider-azurerm/issues/8546 - - name: Restart Function App - run: az functionapp restart --name "${{ env.PREFIX }}-funcapp" --resource-group "${{ env.PREFIX }}-rg-function-app" - - # Ansible - name: Lint Ansible Playbook uses: ansible/ansible-lint-action@6c8c141 @@ -214,8 +208,15 @@ jobs: run: ./scripts/push_docker_images.sh + # TODO: Remove once issue has been fixed + # https://github.com/terraform-providers/terraform-provider-azurerm/issues/8546 + - name: Restart Function App + run: az functionapp restart --name "${{ env.PREFIX }}-funcapp" --resource-group "${{ env.PREFIX }}-rg-function-app" + + # Pester tests - name: Run Pester tests + continue-on-error: true run: pwsh -command "./scripts/Start-Test.ps1" - name: Archive test artifacts @@ -232,6 +233,8 @@ jobs: # Shows at the bottom of a run: https://github.com/adamrushuk/aks-nexus-velero/runs/1035347513?check_suite_focus=true - name: Pester report + # TODO: remove continue-on-error once bug is fixed + continue-on-error: true uses: zyborg/pester-tests-report@v1.3.2 with: test_results_path: test/pester-test-results.xml From 72f7e67cde0a561222cea445f61a77dad7ce4208 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 31 Oct 2020 08:50:41 +0000 Subject: [PATCH 28/47] Bumped setup-terraform action to v1.2.1 --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 47fc084..8aaebd4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
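Review bot: The `continue-on-error: true` added to the "Run Pester tests" step in the `@@ -214,8 +208,15 @@` hunk means a failing test suite no longer fails the job, so the run shows green (and, given the trailing Notify step in this workflow, posts "Build complete") over broken tests. Unlike the "Pester report" step in the following hunk, this override carries no TODO explaining why it is needed, and the commit message ("Moved Restart Function App step further down") does not mention the behavioural change. If it is a temporary workaround, mirror the other step with `# TODO: remove continue-on-error once test failures are fixed` directly above it; otherwise drop the line so test results gate the build.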
@@ -124,7 +124,7 @@ jobs: # Terraform - - uses: hashicorp/setup-terraform@v1 + - uses: hashicorp/setup-terraform@v1.2.1 with: terraform_version: ${{ env.TF_VERSION }} diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index f4c9a61..9d38f87 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -123,7 +123,7 @@ jobs: # Terraform - - uses: hashicorp/setup-terraform@v1 + - uses: hashicorp/setup-terraform@v1.2.1 with: terraform_version: ${{ env.TF_VERSION }} - name: Terraform destroy From ad5df811306ff2597d70be5c0cd00efdcda48623 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 31 Oct 2020 09:11:52 +0000 Subject: [PATCH 29/47] Changed back to major version selection --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8aaebd4..47fc084 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -124,7 +124,7 @@ jobs: # Terraform - - uses: hashicorp/setup-terraform@v1.2.1 + - uses: hashicorp/setup-terraform@v1 with: terraform_version: ${{ env.TF_VERSION }} diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 9d38f87..ba9c1a7 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -67,6 +67,8 @@ jobs: steps: # Checkout + # Reference the major version of a release + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-versioned-actions - uses: actions/checkout@v2 # specify different branch # NOT required as I've changed the default branch to develop @@ -123,7 +125,7 @@ jobs: # Terraform - - uses: hashicorp/setup-terraform@v1.2.1 + - uses: hashicorp/setup-terraform@v1 with: terraform_version: ${{ env.TF_VERSION }} - name: Terraform destroy From 327f4668dc20755ea5ae0eeceee58bf818279028 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Sat, 31 Oct 2020 10:39:05 +0000 Subject: [PATCH 30/47] Removed Trigger start_aks_vmss Workflow, and REPO_ACCESS_TOKEN --- .github/workflows/destroy.yml | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index ba9c1a7..6d74223 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -93,15 +93,6 @@ jobs: env: GITHUB_CONTEXT: ${{ toJson(github) }} - # # Trigger workflow via Repository Dispatch - # - name: Trigger start_aks_vmss Workflow - # uses: peter-evans/repository-dispatch@v1 - # with: - # token: ${{ secrets.REPO_ACCESS_TOKEN }} - # repository: adamrushuk/aks-nexus-velero - # event-type: start_vmss - # client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}"}' - # Login - name: Login to Azure run: ./scripts/azure_login.sh @@ -110,7 +101,6 @@ jobs: - name: Start AKS Cluster run: ./scripts/start_aks_cluster.sh - # Prereqs - name: Lookup Storage Key run: ./scripts/storage_key.sh @@ -123,23 +113,21 @@ jobs: - name: Create zip file of Function App run: pwsh -command "./function_app/CreateFunctionAppZip.ps1" - # Terraform - uses: hashicorp/setup-terraform@v1 with: terraform_version: ${{ env.TF_VERSION }} + - name: Terraform destroy run: | terraform init terraform destroy -no-color -auto-approve working-directory: ${{ env.TF_WORKING_DIR }} - # Cleanup - name: Delete Storage run: ./scripts/storage_delete.sh - # Notify - name: Notify slack env: From e28c4cde31c6cfcca44d4cd1d35945dc2b49138d Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Sat, 31 Oct 2020 17:07:58 +0000 Subject: [PATCH 31/47] Changed slack-action to simple API script --- .github/workflows/build.yml | 6 ++-- .github/workflows/destroy.yml | 6 ++-- .github/workflows/start_aks_cluster.yml | 6 ++-- .github/workflows/stop_aks_cluster.yml | 6 ++-- .github/workflows/test.yml | 6 ++-- scripts/send_slack_message.sh | 40 +++++++++++++++++++++++++ 6 files changed, 50 insertions(+), 20 deletions(-) create mode 100644 scripts/send_slack_message.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 47fc084..e4bba1b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -246,11 +246,9 @@ jobs: # Notify - name: Notify slack env: + SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: pullreminders/slack-action@v1.0.9 - with: - # env var concatenation not supported atm, so hard-code messages - args: '{\"channel\":\"C012ZQHT9A4\",\"text\":\"[aks-nexus-velero] Build complete\"}' + run: ./scripts/send_slack_message "[aks-nexus-velero] Build complete" # used for any windows-only tasks diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 6d74223..d14b4e7 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -131,8 +131,6 @@ jobs: # Notify - name: Notify slack env: + SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: pullreminders/slack-action@v1.0.9 - with: - # env var concatenation not supported atm, so hard-code messages - args: '{\"channel\":\"C012ZQHT9A4\",\"text\":\"[aks-nexus-velero] Destroy complete\"}' + run: ./scripts/send_slack_message "[aks-nexus-velero] Destroy complete" diff --git a/.github/workflows/start_aks_cluster.yml b/.github/workflows/start_aks_cluster.yml index 985f06c..101bcea 100644 --- a/.github/workflows/start_aks_cluster.yml +++ b/.github/workflows/start_aks_cluster.yml 
@@ -64,8 +64,6 @@ jobs: # Notify - name: Notify slack env: + SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: pullreminders/slack-action@v1.0.9 - with: - # env var concatenation not supported atm, so hard-code messages - args: '{\"channel\":\"C012ZQHT9A4\",\"text\":\"[aks-nexus-velero] Start AKS Cluster complete\"}' + run: ./scripts/send_slack_message "[aks-nexus-velero] Start AKS Cluster complete" diff --git a/.github/workflows/stop_aks_cluster.yml b/.github/workflows/stop_aks_cluster.yml index 215d23f..6a11005 100644 --- a/.github/workflows/stop_aks_cluster.yml +++ b/.github/workflows/stop_aks_cluster.yml @@ -63,8 +63,6 @@ jobs: # Notify - name: Notify slack env: + SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: pullreminders/slack-action@v1.0.9 - with: - # env var concatenation not supported atm, so hard-code messages - args: '{\"channel\":\"C012ZQHT9A4\",\"text\":\"[aks-nexus-velero] Stop AKS Cluster complete\"}' + run: ./scripts/send_slack_message "[aks-nexus-velero] Stop AKS Cluster complete" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 924fc7d..2884234 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -84,8 +84,6 @@ jobs: # Notify - name: Notify slack env: + SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: pullreminders/slack-action@v1.0.9 - with: - # env var concatenation not supported atm, so hard-code messages - args: '{\"channel\":\"C012ZQHT9A4\",\"text\":\"[aks-nexus-velero] Test notification\"}' + run: ./scripts/send_slack_message "[aks-nexus-velero] Test notification" diff --git a/scripts/send_slack_message.sh b/scripts/send_slack_message.sh new file mode 100644 index 0000000..31bfc90 --- /dev/null +++ b/scripts/send_slack_message.sh 
@@ -0,0 +1,40 @@
+#! /usr/bin/env bash
+#
+# Posts a message to a Slack channel
+#
+# Usage:
+# export SLACK_CHANNEL_ID=""
+# export SLACK_BOT_TOKEN=""
+# ./send_slack_message.sh "This is a test message"
+#
+# Configure Bot User OAuth Access Token here:
+# https://api.slack.com/apps//oauth?
+
+# Ensure strict mode and predictable pipeline failure
+set -euo pipefail
+trap "echo 'error: Script failed: see failed command above'" ERR
+
+# Check vars
+if test -z "$SLACK_CHANNEL_ID"; then
+ echo "SLACK_CHANNEL_ID variable is missing, please set and try again."
+ exit 1
+fi
+
+if test -z "$SLACK_BOT_TOKEN"; then
+ echo "SLACK_BOT_TOKEN variable is missing, please set and try again."
+ exit 1
+fi
+
+if test -z "$1" ; then
+ echo "No argument supplied for Slack message"
+fi
+
+# Set message JSON data
+http_post_data="{\"channel\":\"$SLACK_CHANNEL_ID\",\"text\":\"$1\"}"
+
+# Send message to Slack API
+curl -X POST \
+ -H "Content-type: application/json" \
+ -H "Authorization: Bearer $SLACK_BOT_TOKEN" \
+ --data "$http_post_data" \
+ https://slack.com/api/chat.postMessage
From 11dcc4d18072ba044b499e867127fecde68474b0 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 31 Oct 2020 17:12:14 +0000 Subject: [PATCH 32/47] Removed Show event info step --- .github/workflows/start_aks_cluster.yml | 6 ------ .github/workflows/stop_aks_cluster.yml | 5 ----- 2 files changed, 11 deletions(-)
diff --git a/.github/workflows/start_aks_cluster.yml b/.github/workflows/start_aks_cluster.yml
index 101bcea..242935d 100644
--- a/.github/workflows/start_aks_cluster.yml
+++ b/.github/workflows/start_aks_cluster.yml
@@ -46,12 +46,6 @@ jobs: echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV - # Show event info - - name: Show triggered event data - run: pwsh -command "./scripts/Get-EventData.ps1" - env: - GITHUB_CONTEXT: ${{ toJson(github) }} - # Login - name: Login to Azure run: ./scripts/azure_login.sh
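Review bot: The argument check `if test -z "$1" ; then` in the new send_slack_message.sh does not work as intended: with `set -u` an absent `$1` aborts the script with an unbound-variable error before the message is printed, and when `$1` is present but empty the branch only echoes and falls through, so an empty message is still posted. Replace it with `if test -z "${1:-}"; then echo "No argument supplied for Slack message"; exit 1; fi`. Separately, `http_post_data` is built by string interpolation, so a message containing a double quote or backslash yields invalid JSON or, worse, extra fields in the request body; the callers in this commit pass fixed literals, so the impact today is limited, but building the body with a JSON-aware tool, e.g. `jq --null-input --arg channel "$SLACK_CHANNEL_ID" --arg text "$1" '{channel: $channel, text: $text}'` where jq is available on the runner, closes that gap.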
diff --git a/.github/workflows/stop_aks_cluster.yml b/.github/workflows/stop_aks_cluster.yml index 6a11005..9e579a2 100644 --- a/.github/workflows/stop_aks_cluster.yml +++ b/.github/workflows/stop_aks_cluster.yml @@ -45,11 +45,6 @@ jobs: chmod -R +x ./scripts/ echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV - # Show event info - - name: Show triggered event data - run: pwsh -command "./scripts/Get-EventData.ps1" - env: - GITHUB_CONTEXT: ${{ toJson(github) }} # Login - name: Login to Azure From 7dc98d6c4673a43b75e951b30d3cbb705e8c9911 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 31 Oct 2020 17:14:51 +0000 Subject: [PATCH 33/47] Added missing script suffix --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- .github/workflows/start_aks_cluster.yml | 2 +- .github/workflows/stop_aks_cluster.yml | 2 +- .github/workflows/test.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e4bba1b..0831874 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -248,7 +248,7 @@ jobs: env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message "[aks-nexus-velero] Build complete" + run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Build complete" # used for any windows-only tasks diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index d14b4e7..e209c15 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -133,4 +133,4 @@ jobs: env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message "[aks-nexus-velero] Destroy complete" + run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Destroy complete" 
diff --git a/.github/workflows/start_aks_cluster.yml b/.github/workflows/start_aks_cluster.yml index 242935d..13a16eb 100644 --- a/.github/workflows/start_aks_cluster.yml +++ b/.github/workflows/start_aks_cluster.yml @@ -60,4 +60,4 @@ jobs: env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message "[aks-nexus-velero] Start AKS Cluster complete" + run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Start AKS Cluster complete" diff --git a/.github/workflows/stop_aks_cluster.yml b/.github/workflows/stop_aks_cluster.yml index 9e579a2..b7259d7 100644 --- a/.github/workflows/stop_aks_cluster.yml +++ b/.github/workflows/stop_aks_cluster.yml @@ -60,4 +60,4 @@ jobs: env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message "[aks-nexus-velero] Stop AKS Cluster complete" + run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Stop AKS Cluster complete" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2884234..c8fbc17 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -86,4 +86,4 @@ jobs: env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message "[aks-nexus-velero] Test notification" + run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Test notification" From 3dc05fee3448e0183aac58c5ea63e1e3f6a54a49 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 31 Oct 2020 17:28:20 +0000 Subject: [PATCH 34/47] Changed switches and suppress output --- scripts/send_slack_message.sh | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/scripts/send_slack_message.sh b/scripts/send_slack_message.sh index 31bfc90..ed5b3d9 100644 --- a/scripts/send_slack_message.sh +++ b/scripts/send_slack_message.sh 
@@ -33,8 +33,9 @@ fi http_post_data="{\"channel\":\"$SLACK_CHANNEL_ID\",\"text\":\"$1\"}" # Send message to Slack API -curl -X POST \ - -H "Content-type: application/json" \ - -H "Authorization: Bearer $SLACK_BOT_TOKEN" \ - --data "$http_post_data" \ - https://slack.com/api/chat.postMessage +curl --request POST \ + --header "Content-type: application/json" \ + --header "Authorization: Bearer $SLACK_BOT_TOKEN" \ + --data "$http_post_data" \ + --silent --output /dev/null --show-error --fail \ + https://slack.com/api/chat.postMessage From a423437658ee18fda6253b7be2c78f1f9c14e021 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 4 Nov 2020 07:23:30 +0000 Subject: [PATCH 35/47] Updated function app files --- .vscode/tasks.json | 5 ++--- function_app/host.json | 9 ++++++++- function_app/profile.ps1 | 2 ++ function_app/requirements.psd1 | 4 ++-- 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/.vscode/tasks.json b/.vscode/tasks.json index f0e1763..856af47 100644 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -4,12 +4,11 @@ { "type": "func", "command": "host start", - "problemMatcher": "$func-watch", + "problemMatcher": "$func-powershell-watch", "isBackground": true, "options": { "cwd": "${workspaceFolder}/function_app" - }, - "label": "func host start" + } } ] } diff --git a/function_app/host.json b/function_app/host.json index da7f5ab..c1437cb 100644 --- a/function_app/host.json +++ b/function_app/host.json @@ -1,6 +1,13 @@ -// https://docs.microsoft.com/en-us/azure/azure-functions/functions-host-json { "version": "2.0", + "logging": { + "applicationInsights": { + "samplingSettings": { + "isEnabled": true, + "excludedTypes": "Request" + } + } + }, "extensionBundle": { "id": "Microsoft.Azure.Functions.ExtensionBundle", "version": "[1.*, 2.0.0)" diff --git a/function_app/profile.ps1 b/function_app/profile.ps1 index 2892cd9..8269de4 100644 --- a/function_app/profile.ps1 +++ b/function_app/profile.ps1 
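Review bot: `--fail` together with `--output /dev/null` only catches transport and HTTP-status errors, but Slack's Web API reports most application errors (invalid token, unknown channel, missing scope) as HTTP 200 with `{"ok":false,"error":"..."}`, so after this change those failures are discarded silently and the notification step still succeeds. Capturing the response body and checking the `ok` field makes the step fail loudly; a plain substring test avoids adding a jq dependency, though a JSON parser is more robust if one is available on the runner. The rest of the script (variable checks, `http_post_data`) is above this hunk and unchanged.

```shell
# … unchanged: variable checks and http_post_data …

# Send message to Slack API (most API errors come back as HTTP 200 with ok=false, so inspect the body)
response=$(curl --request POST \
  --header "Content-type: application/json" \
  --header "Authorization: Bearer $SLACK_BOT_TOKEN" \
  --data "$http_post_data" \
  --silent --show-error --fail \
  https://slack.com/api/chat.postMessage)

if ! printf '%s' "$response" | grep -q '"ok":true'; then
  echo "error: Slack API rejected the message: $response"
  exit 1
fi
```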
@@ -13,11 +13,13 @@ # Remove this if you are not planning on using MSI or Azure PowerShell. if ($env:MSI_SECRET -and (Get-Module -ListAvailable Az.Accounts)) { Write-Output "Authenticating PowerShell using Managed Identity..." + Disable-AzContextAutosave -Scope Process | Out-Null Connect-AzAccount -Identity } elseif ($env:ARM_TENANT_ID -and $env:ARM_SUBSCRIPTION_ID -and $env:ARM_CLIENT_ID -and $env:ARM_CLIENT_SECRET) { # This is used for local development Write-Output "Authenticating PowerShell session using env vars..." + Disable-AzContextAutosave -Scope Process | Out-Null $servicePrincipleCredential = [pscredential]::new($env:ARM_CLIENT_ID, (ConvertTo-SecureString $env:ARM_CLIENT_SECRET -AsPlainText -Force)) Connect-AzAccount -ServicePrincipal -Tenant $env:ARM_TENANT_ID -Credential $servicePrincipleCredential -Subscription $env:ARM_SUBSCRIPTION_ID -Verbose } diff --git a/function_app/requirements.psd1 b/function_app/requirements.psd1 index ac743d8..35f155b 100644 --- a/function_app/requirements.psd1 +++ b/function_app/requirements.psd1 @@ -2,8 +2,8 @@ # See https://aka.ms/functionsmanageddependency for additional information. # @{ - # 'Az' = '4.*' + # 'Az' = '5.*' # Only need Account and Compute cmdlets for VMSS and VM status checks - 'Az.Accounts' = '1.*' + 'Az.Accounts' = '2.*' 'Az.Compute' = '4.*' } From c526de360063f280ad2e3a02123d88b070c7c138 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 4 Nov 2020 07:36:01 +0000 Subject: [PATCH 36/47] Added note on local function app testing --- function_app/TimerTrigger1/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/function_app/TimerTrigger1/readme.md b/function_app/TimerTrigger1/readme.md index aecd48e..ab7c2dd 100644 --- a/function_app/TimerTrigger1/readme.md +++ b/function_app/TimerTrigger1/readme.md 
@@ -22,7 +22,7 @@ then follow the steps below to run and test the code locally: ```powershell -<# set to use PowerShell 7 +<# [NO LONGER REQUIRED?] set to use PowerShell 7 $env:FUNCTIONS_WORKER_RUNTIME_VERSION = '~7' #> # enter function directory From 61222ea64ade889493a027a3666196d48e09b2bd Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 4 Nov 2020 07:55:52 +0000 Subject: [PATCH 37/47] Changed setup-terraform to v1.2 --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0831874..8508d1e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -124,7 +124,7 @@ jobs: # Terraform - - uses: hashicorp/setup-terraform@v1 + - uses: hashicorp/setup-terraform@v1.2 with: terraform_version: ${{ env.TF_VERSION }} diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index e209c15..9f9f27c 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -114,7 +114,7 @@ jobs: run: pwsh -command "./function_app/CreateFunctionAppZip.ps1" # Terraform - - uses: hashicorp/setup-terraform@v1 + - uses: hashicorp/setup-terraform@v1.2 with: terraform_version: ${{ env.TF_VERSION }} From 1d9232a1f25bb226363d5f80b946e803200fd2df Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 4 Nov 2020 07:59:44 +0000 Subject: [PATCH 38/47] Added local settings example for function app --- function_app/TimerTrigger1/readme.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/function_app/TimerTrigger1/readme.md b/function_app/TimerTrigger1/readme.md index ab7c2dd..fa4456c 100644 --- a/function_app/TimerTrigger1/readme.md +++ b/function_app/TimerTrigger1/readme.md 
@@ -8,6 +8,21 @@ For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expr ## Local Testing +Ensure you have a `local.settings.json` file with the following settings (replacing the placeholders): + +```json +{ + "IsEncrypted": false, + "Values": { + "AzureWebJobsStorage": "", + "FUNCTIONS_WORKER_RUNTIME": "powershell", + "FUNCTIONS_WORKER_RUNTIME_VERSION": "~7", + "IFTTT_WEBHOOK_KEY": "", + "WEEKDAY_ALLOWED_TIME_RANGE": "06:30 -> 08:00" + } +} +``` + Full instructions here: https://docs.microsoft.com/en-us/azure/azure-functions/functions-develop-vs-code?tabs=csharp#run-functions-locally Ensure the [Azure Functions Core Tools are installed](https://docs.microsoft.com/en-us/azure/azure-functions/functions-run-local?tabs=windows%2Ccsharp%2Cbash#install-the-azure-functions-core-tools), From 80142149590442fea41aca1a4b3ad9940e0fe178 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 4 Nov 2020 08:08:12 +0000 Subject: [PATCH 39/47] Bumped setup-terraform action to v1.2.1 --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8508d1e..69c2830 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -124,7 +124,7 @@ jobs: # Terraform - - uses: hashicorp/setup-terraform@v1.2 + - uses: hashicorp/setup-terraform@v1.2.1 with: terraform_version: ${{ env.TF_VERSION }} diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 9f9f27c..2a7a469 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -114,7 +114,7 @@ jobs: run: pwsh -command "./function_app/CreateFunctionAppZip.ps1" # Terraform - - uses: hashicorp/setup-terraform@v1.2 + - uses: hashicorp/setup-terraform@v1.2.1 with: terraform_version: ${{ env.TF_VERSION }} From e56b950a9a23f0ccfd08cf6149d4020242d41656 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Wed, 4 Nov 2020 08:27:39 +0000 Subject: [PATCH 40/47] Removed Disable-AzContextAutosave --- function_app/profile.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/function_app/profile.ps1 b/function_app/profile.ps1 index 8269de4..5b999c8 100644 --- a/function_app/profile.ps1 +++ b/function_app/profile.ps1 @@ -13,13 +13,13 @@ # Remove this if you are not planning on using MSI or Azure PowerShell. if ($env:MSI_SECRET -and (Get-Module -ListAvailable Az.Accounts)) { Write-Output "Authenticating PowerShell using Managed Identity..." - Disable-AzContextAutosave -Scope Process | Out-Null + # Disable-AzContextAutosave -Scope Process | Out-Null Connect-AzAccount -Identity } elseif ($env:ARM_TENANT_ID -and $env:ARM_SUBSCRIPTION_ID -and $env:ARM_CLIENT_ID -and $env:ARM_CLIENT_SECRET) { # This is used for local development Write-Output "Authenticating PowerShell session using env vars..." - Disable-AzContextAutosave -Scope Process | Out-Null + # Disable-AzContextAutosave -Scope Process | Out-Null $servicePrincipleCredential = [pscredential]::new($env:ARM_CLIENT_ID, (ConvertTo-SecureString $env:ARM_CLIENT_SECRET -AsPlainText -Force)) Connect-AzAccount -ServicePrincipal -Tenant $env:ARM_TENANT_ID -Credential $servicePrincipleCredential -Subscription $env:ARM_SUBSCRIPTION_ID -Verbose } From 297d305deeef01b85889abce3333e379ac68b8bf Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 6 Nov 2020 09:18:13 +0000 Subject: [PATCH 41/47] Changed setup-terraform tag to v1 --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 69c2830..0831874 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -124,7 +124,7 @@ jobs: # Terraform - - uses: hashicorp/setup-terraform@v1.2.1 + - uses: hashicorp/setup-terraform@v1 with: terraform_version: ${{ env.TF_VERSION }} 
diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 2a7a469..e209c15 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -114,7 +114,7 @@ jobs: run: pwsh -command "./function_app/CreateFunctionAppZip.ps1" # Terraform - - uses: hashicorp/setup-terraform@v1.2.1 + - uses: hashicorp/setup-terraform@v1 with: terraform_version: ${{ env.TF_VERSION }} From 6a6f72d01d9f63044906506d8ddd5cd413854db5 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 7 Nov 2020 07:48:50 +0000 Subject: [PATCH 42/47] Changed kubernetes-charts.storage.googleapis.com to charts.helm.sh/stable --- ansible/roles/helm_repo/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/helm_repo/tasks/main.yml b/ansible/roles/helm_repo/tasks/main.yml index 8a1e648..7252a4c 100644 --- a/ansible/roles/helm_repo/tasks/main.yml +++ b/ansible/roles/helm_repo/tasks/main.yml @@ -14,7 +14,7 @@ when: enable_debug_output == "true" - name: Add stable Helm Chart - shell: "helm repo add stable https://kubernetes-charts.storage.googleapis.com/" + shell: "helm repo add stable https://charts.helm.sh/stable/" - name: Download Example Helm Charts from GitHub shell: "helm pull stable/{{ item.name }} --version {{ item.version }}" From 90de8ba2ef2f44e22702b73c4bbcd6b5cfb4d96b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 7 Nov 2020 09:22:08 +0000 Subject: [PATCH 43/47] Added aks power state check --- scripts/start_aks_cluster.sh | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/scripts/start_aks_cluster.sh b/scripts/start_aks_cluster.sh index 3ec0bb8..8144e1e 100644 --- a/scripts/start_aks_cluster.sh +++ b/scripts/start_aks_cluster.sh 
@@ -13,8 +13,14 @@ az extension add --name aks-preview
 # Update the extension to make sure you have the latest version installed
 az extension update --name aks-preview
-# Start AKS Cluster
-message="Starting AKS Cluster: [$AKS_CLUSTER_NAME]"
-echo -e "\nSTARTED: $message..."
-az aks start --name "$AKS_CLUSTER_NAME" --resource-group "$AKS_RG_NAME"
-echo -e "FINISHED: $message."
+# Check AKS power state
+aks_power_state=$(az aks show --name "$AKS_CLUSTER_NAME" --resource-group "$AKS_RG_NAME" --query 'powerState.code')
+if [ "$aks_power_state" == "Running" ]; then
+ echo -e "\nSKIPPING: $AKS_CLUSTER_NAME AKS Cluster state is [$aks_power_state]."
+else
+ # Start AKS Cluster
+ message="Starting AKS Cluster: [$AKS_CLUSTER_NAME]"
+ echo -e "\nSTARTED: $message..."
+ az aks start --name "$AKS_CLUSTER_NAME" --resource-group "$AKS_RG_NAME"
+ echo -e "FINISHED: $message."
+fi
From 61314e2e147f22b8014b2ea23ce5441b9c20c9de Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 7 Nov 2020 09:27:06 +0000
Subject: [PATCH 44/47] Added Start AKS Cluster step
---
 .github/workflows/build.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0831874..de2344a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -106,6 +106,12 @@ jobs:
 - name: Login to Azure
 run: ./scripts/azure_login.sh
+ # This is required when developing after the initial build, and the AKS cluster may have been stopped
+ # Ensure AKS cluster is running, else timeouts will occur on k8s Terraform apply tasks
+ - name: Start AKS Cluster
+ continue-on-error: true
+ run: ./scripts/start_aks_cluster.sh
+
 # Prereqs
 - name: Create Storage Account for Terraform state
From eddf44cb85c2eee44b4da27e15376e1f64e1b423 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 7 Nov 2020 09:57:43 +0000
Subject: [PATCH 45/47] Added log output
---
 scripts/start_aks_cluster.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
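Review bot: The `else` branch runs for every value other than `Running`, including the empty string left in `aks_power_state` when `az aks show` fails (unknown cluster name, expired login), so a lookup failure is reported as a start attempt instead of as an error; `scripts/stop_aks_cluster.sh` in PATCH 47 repeats the same pattern. Guarding the lookup before the comparison, `if [ -z "$aks_power_state" ]; then echo "ERROR: could not read power state of [$AKS_CLUSTER_NAME]" >&2; exit 1; fi`, keeps a failed `az aks show` from cascading into `az aks start`. Note that `--query` on its own yields a JSON-quoted string, which this comparison does not match until PATCH 46 adds `--output tsv`. Whether the script runs under `set -e` is not visible in the hunk.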
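Review bot: `continue-on-error: true` on the new `Start AKS Cluster` step makes a failed start non-blocking, which works against the purpose the comment states: if `./scripts/start_aks_cluster.sh` fails, the job proceeds into exactly the Terraform apply timeouts the step was added to prevent, with the cause visible only in that step's log. The already-running case does not need the flag, since the script's own power-state check skips the start in that situation, so the flag can likely be dropped; if some other failure is deliberately tolerated, the comment should name it, e.g. `# continue-on-error: a failed start is tolerated because <reason>`. The script also installs and updates the `aks-preview` CLI extension on every run, so this step adds an unpinned network dependency to each build.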
diff --git a/scripts/start_aks_cluster.sh b/scripts/start_aks_cluster.sh
index 8144e1e..3da7934 100644
--- a/scripts/start_aks_cluster.sh
+++ b/scripts/start_aks_cluster.sh
@@ -15,8 +15,10 @@ az extension update --name aks-preview
 # Check AKS power state
 aks_power_state=$(az aks show --name "$AKS_CLUSTER_NAME" --resource-group "$AKS_RG_NAME" --query 'powerState.code')
+echo -e "\n[$AKS_CLUSTER_NAME] AKS Cluster power state is [$aks_power_state]."
+
 if [ "$aks_power_state" == "Running" ]; then
- echo -e "\nSKIPPING: $AKS_CLUSTER_NAME AKS Cluster state is [$aks_power_state]."
+ echo -e "\nSKIPPING: $AKS_CLUSTER_NAME AKS Cluster is already running."
 else
 # Start AKS Cluster
 message="Starting AKS Cluster: [$AKS_CLUSTER_NAME]"
From 6d47f6ba86bc8569360d2c2c4c94c41ef4afe690 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 7 Nov 2020 10:05:10 +0000
Subject: [PATCH 46/47] Added tsv output to remove quotes
---
 scripts/start_aks_cluster.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/start_aks_cluster.sh b/scripts/start_aks_cluster.sh
index 3da7934..d7f7a6b 100644
--- a/scripts/start_aks_cluster.sh
+++ b/scripts/start_aks_cluster.sh
@@ -14,7 +14,7 @@ az extension add --name aks-preview
 az extension update --name aks-preview
 # Check AKS power state
-aks_power_state=$(az aks show --name "$AKS_CLUSTER_NAME" --resource-group "$AKS_RG_NAME" --query 'powerState.code')
+aks_power_state=$(az aks show --name "$AKS_CLUSTER_NAME" --resource-group "$AKS_RG_NAME" --output tsv --query 'powerState.code')
 echo -e "\n[$AKS_CLUSTER_NAME] AKS Cluster power state is [$aks_power_state]."
 if [ "$aks_power_state" == "Running" ]; then
From 93c126af7d57452ef2c0e9fbc5781fc7137f32a7 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 7 Nov 2020 10:16:37 +0000
Subject: [PATCH 47/47] Added power state check to aks stop script
---
 scripts/stop_aks_cluster.sh | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/scripts/stop_aks_cluster.sh b/scripts/stop_aks_cluster.sh
index 1625999..83bd3e5 100644
--- a/scripts/stop_aks_cluster.sh
+++ b/scripts/stop_aks_cluster.sh
@@ -13,8 +13,16 @@ az extension add --name aks-preview
 # Update the extension to make sure you have the latest version installed
 az extension update --name aks-preview
-# Stop AKS Cluster
-message="Stopping AKS Cluster: [$AKS_CLUSTER_NAME]"
-echo -e "\nSTARTED: $message..."
-az aks stop --name "$AKS_CLUSTER_NAME" --resource-group "$AKS_RG_NAME"
-echo -e "FINISHED: $message."
+# Check AKS power state
+aks_power_state=$(az aks show --name "$AKS_CLUSTER_NAME" --resource-group "$AKS_RG_NAME" --output tsv --query 'powerState.code')
+echo -e "\n[$AKS_CLUSTER_NAME] AKS Cluster power state is [$aks_power_state]."
+
+if [ "$aks_power_state" == "Stopped" ]; then
+ echo -e "\nSKIPPING: $AKS_CLUSTER_NAME AKS Cluster is already stopped."
+else
+ # Stop AKS Cluster
+ message="Stopping AKS Cluster: [$AKS_CLUSTER_NAME]"
+ echo -e "\nSTARTED: $message..."
+ az aks stop --name "$AKS_CLUSTER_NAME" --resource-group "$AKS_RG_NAME"
+ echo -e "FINISHED: $message."
+fi