From 3c380354f1596f30ace5e30da3fc5d787f9a31c6 Mon Sep 17 00:00:00 2001
From: Mohamed Amine Dridi <78367821+modridi@users.noreply.github.com>
Date: Thu, 6 Apr 2023 10:46:59 +0200
Subject: [PATCH] feat(azure)!: use managed identity to access object storage (#42)

* feat(azure)!: use managed identity to access object storage
* chore(azure)!: simplify metrics_storage object structure
* docs(terraform-docs): generate docs and write to README.adoc
* chore(azure): update metrics_storage variable description
* docs(terraform-docs): generate docs and write to README.adoc

---------

Co-authored-by: modridi
---
 README.adoc | 4 +-
 aks/README.adoc | 46 ++++++++-----------
 aks/extra-variables.tf | 20 ++++----
 aks/locals.tf | 19 ++++----
 aks/main.tf | 41 ++++++++++++++---
 .../templates/azureidentity.yaml | 8 ++--
 .../templates/azureidentitybinding.yaml | 9 ++--
 eks/README.adoc | 4 +-
 kind/README.adoc | 4 +-
 9 files changed, 90 insertions(+), 65 deletions(-)

diff --git a/README.adoc b/README.adoc
index e271d4a8..b5e30416 100644
--- a/README.adoc
+++ b/README.adoc
@@ -170,7 +170,7 @@ Description: Override of target revision of the application chart.
 Type: `string`
-Default: `"v1.0.0-alpha.7"`
+Default: `"v1.0.0"`
 === Outputs
@@ -337,7 +337,7 @@ object({
 |[[input_target_revision]] <>
 |Override of target revision of the application chart.
 |`string`
-|`"v1.0.0-alpha.7"`
+|`"v1.0.0"`
 |no
 |===
diff --git a/aks/README.adoc b/aks/README.adoc
index 6d11d7da..942146fd 100644
--- a/aks/README.adoc
+++ b/aks/README.adoc
@@ -21,8 +21,10 @@ Version:
 The following resources are used by this module:
-- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity[azurerm_user_assigned_identity.kube_prometheus_stack_prometheus] (resource)
-- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group[azurerm_resource_group.node_resource_group] (data source)
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment[azurerm_role_assignment.contributor] (resource)
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity[azurerm_user_assigned_identity.prometheus] (resource)
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group[azurerm_resource_group.node] (data source)
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_container[azurerm_storage_container.container] (data source)
 === Required Inputs
@@ -46,12 +48,6 @@ Description: n/a
 Type: `string`
-==== [[input_node_resource_group_name]] <>
-
-Description: The Resource Group of the Managed Kubernetes Cluster.
-
-Type: `string`
-
 === Optional Inputs
 The following input variables are optional (have default values):
@@ -122,15 +118,16 @@ Default: `[]`
 ==== [[input_metrics_storage]] <>
-Description: Azure Blob Storage configuration values for the storage container where the archived metrics will be stored.
+Description: Azure Blob Storage configuration for metric archival.
 Type:
 [source,hcl]
 ----
 object({
- container = string
- storage_account = string
- storage_account_key = string
+ container = string
+ storage_account = string
+ managed_identity_node_rg_name = optional(string, null)
+ storage_account_key = optional(string, null)
 })
 ----
@@ -166,7 +163,7 @@ Description: Override of target revision of the application chart.
 Type: `string`
-Default: `"v1.0.0-alpha.7"`
+Default: `"v1.0.0"`
 === Outputs
@@ -200,8 +197,10 @@ Description: n/a
 [cols="a,a",options="header,autowidth"]
 |===
 |Name |Type
-|https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity[azurerm_user_assigned_identity.kube_prometheus_stack_prometheus] |resource
-|https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group[azurerm_resource_group.node_resource_group] |data source
+|https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment[azurerm_role_assignment.contributor] |resource
+|https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity[azurerm_user_assigned_identity.prometheus] |resource
+|https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group[azurerm_resource_group.node] |data source
+|https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_container[azurerm_storage_container.container] |data source
 |===
 = Inputs
@@ -284,15 +283,16 @@ object({
 |no
 |[[input_metrics_storage]] <>
-|Azure Blob Storage configuration values for the storage container where the archived metrics will be stored.
+|Azure Blob Storage configuration for metric archival.
 |
 [source]
 ----
 object({
- container = string
- storage_account = string
- storage_account_key = string
+ container = string
+ storage_account = string
+ managed_identity_node_rg_name = optional(string, null)
+ storage_account_key = optional(string, null)
 })
 ----
@@ -311,12 +311,6 @@ object({
 |`"kube-prometheus-stack"`
 |no
-|[[input_node_resource_group_name]] <>
-|The Resource Group of the Managed Kubernetes Cluster.
-|`string`
-|n/a
-|yes
-
 |[[input_prometheus]] <>
 |Prometheus settings
 |`any`
@@ -326,7 +320,7 @@ object({
 |[[input_target_revision]] <>
 |Override of target revision of the application chart.
 |`string`
-|`"v1.0.0-alpha.7"`
+|`"v1.0.0"`
 |no
 |===
diff --git a/aks/extra-variables.tf b/aks/extra-variables.tf
index 8f6befb2..13118e77 100644
--- a/aks/extra-variables.tf
+++ b/aks/extra-variables.tf
@@ -1,14 +1,16 @@
-variable "node_resource_group_name" {
- description = "The Resource Group of the Managed Kubernetes Cluster."
- type = string
-}
-
 variable "metrics_storage" {
- description = "Azure Blob Storage configuration values for the storage container where the archived metrics will be stored."
+ description = "Azure Blob Storage configuration for metric archival."
 type = object({
- container = string
- storage_account = string
- storage_account_key = string
+ container = string
+ storage_account = string
+ managed_identity_node_rg_name = optional(string, null)
+ storage_account_key = optional(string, null)
 })
+
+ validation {
+ condition = try((var.metrics_storage.managed_identity_node_rg_name == null) != (var.metrics_storage.storage_account_key == null), true)
+ error_message = "You must set one (and only one) of these attributes: managed_identity_node_rg_name, storage_account_key."
+ }
+
 default = null
 }
diff --git a/aks/locals.tf b/aks/locals.tf
index a1bb6995..319dae45 100644
--- a/aks/locals.tf
+++ b/aks/locals.tf
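Review bot: `storage_account_key` is a storage account access key, yet `variable "metrics_storage"` carries no `sensitive = true`, so on the legacy key path the key is echoed in plan and apply output; the `optional()` attributes already pin a Terraform version on which `sensitive = true` is available, so adding it after the `type = object({ … })` block redacts the value from CLI output (it still lands in state, which only the managed-identity path avoids). Sensitivity will propagate to `metrics_storage_main` in aks/main.tf and the chart values derived from it, which is the desired effect here. The `try(..., true)` in `validation` lets a null `metrics_storage` through and rejects both-set and both-unset, which is correct but takes a moment to read; a comment above `validation {` such as `# Exactly one credential source: managed identity (node RG name) or a static account key.` would make the intent explicit.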
@@ -1,19 +1,22 @@
 locals {
+ use_managed_identity = try(var.metrics_storage.managed_identity_node_rg_name != null, false)
+
 helm_values = [{
 kube-prometheus-stack = {
 prometheus = {
- azureIdentity = {
- resourceID = azurerm_user_assigned_identity.kube_prometheus_stack_prometheus.id
- clientID = azurerm_user_assigned_identity.kube_prometheus_stack_prometheus.client_id
- }
- prometheusSpec = {
+ prometheusSpec = merge(local.use_managed_identity ? {
 podMetadata = {
 labels = {
- aadpodidbinding = "kube-prometheus-stack-prometheus"
+ aadpodidbinding = "prometheus"
 }
 }
- }
+ } : null, {})
 }
 }
- }]
+ }, local.use_managed_identity ? {
+ azureIdentity = {
+ resourceID = azurerm_user_assigned_identity.prometheus[0].id
+ clientID = azurerm_user_assigned_identity.prometheus[0].client_id
+ }
+ } : null]
 }
diff --git a/aks/main.tf b/aks/main.tf
index d4f5d909..28446af2 100644
--- a/aks/main.tf
+++ b/aks/main.tf
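Review bot: When `local.use_managed_identity` is false the list ends with a literal `null` element (`} : null]`), and aks/main.tf's `concat(local.helm_values, var.helm_values)` hands that null entry on to the module; whether the consumer tolerates a null values entry is not visible here, so it is safer not to emit it at all and build the list with `concat` and an empty list on the false branch, as below. The `merge(local.use_managed_identity ? { … } : null, {})` on `prometheusSpec` appears to rely on `merge` skipping a null argument, which deserves a one-line comment so nobody later "fixes" it into a hard error. The label value `"prometheus"` also has to equal `spec.selector` in `charts/kube-prometheus-stack/templates/azureidentitybinding.yaml`; `# must match spec.selector in the AzureIdentityBinding template` above `aadpodidbinding = "prometheus"` would record that coupling.
```hcl
  helm_values = concat([{
    kube-prometheus-stack = {
      # … unchanged: prometheus / prometheusSpec block …
    }
  }], local.use_managed_identity ? [{
    azureIdentity = {
      resourceID = azurerm_user_assigned_identity.prometheus[0].id
      clientID   = azurerm_user_assigned_identity.prometheus[0].client_id
    }
  }] : [])
```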
@@ -1,11 +1,30 @@
-data "azurerm_resource_group" "node_resource_group" {
- name = var.node_resource_group_name
+data "azurerm_resource_group" "node" {
+ count = local.use_managed_identity ? 1 : 0
+
+ name = var.metrics_storage.managed_identity_node_rg_name
+}
+
+data "azurerm_storage_container" "container" {
+ count = local.use_managed_identity ? 1 : 0
+
+ name = var.metrics_storage.container
+ storage_account_name = var.metrics_storage.storage_account
 }
-resource "azurerm_user_assigned_identity" "kube_prometheus_stack_prometheus" {
- resource_group_name = data.azurerm_resource_group.node_resource_group.name
- location = data.azurerm_resource_group.node_resource_group.location
- name = "kube-prometheus-stack-prometheus"
+resource "azurerm_user_assigned_identity" "prometheus" {
+ count = local.use_managed_identity ? 1 : 0
+
+ resource_group_name = data.azurerm_resource_group.node[0].name
+ location = data.azurerm_resource_group.node[0].location
+ name = "prometheus"
+}
+
+resource "azurerm_role_assignment" "contributor" {
+ count = local.use_managed_identity ? 1 : 0
+
+ scope = data.azurerm_storage_container.container[0].resource_manager_id
+ role_definition_name = "Storage Blob Data Contributor"
+ principal_id = azurerm_user_assigned_identity.prometheus[0].principal_id
 }
 module "kube-prometheus-stack" {
@@ -24,7 +43,15 @@ module "kube-prometheus-stack" {
 alertmanager = var.alertmanager
 grafana = var.grafana
- metrics_storage_main = var.metrics_storage != null ? { storage_config = merge({ type = "AZURE" }, { config = var.metrics_storage }) } : null
+ metrics_storage_main = var.metrics_storage == null ? null : {
+ storage_config = merge({ type = "AZURE" }, {
+ config = merge({
+ container = var.metrics_storage.container
+ storage_account = var.metrics_storage.storage_account
+ },
+ local.use_managed_identity ? null : { storage_account_key = var.metrics_storage.storage_account_key })
+ })
+ }
 helm_values = concat(local.helm_values, var.helm_values)
 }
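Review bot: The role assignment is scoped to the single container's `resource_manager_id` with `Storage Blob Data Contributor`, which is the right least-privilege grant, but nothing in the file says so or explains why the identity is created inside the AKS node resource group, and both are the kind of thing a later "simplification" silently widens or breaks. I would add `# Scope is the archive container only, not the whole account: the identity can read/write metric blobs and nothing else.` above `scope = …`, and above `resource "azurerm_user_assigned_identity" "prometheus"` a note that the identity lives in the node resource group presumably so that the cluster's kubelet identity is allowed to assign it under AAD Pod Identity (confirm against the pod-identity docs before stating it as fact). A freshly created Azure role assignment can take some time to become effective, so if Prometheus/Thanos starts uploading before it propagates the first shipments may fail with 403 and then recover; that is worth a line in the same comment so an operator does not chase it as a bug. The second hunk of this file (`metrics_storage_main`) correctly drops `storage_account_key` from the chart config on the managed-identity path.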
diff --git a/charts/kube-prometheus-stack/templates/azureidentity.yaml b/charts/kube-prometheus-stack/templates/azureidentity.yaml
index 45b11787..3056d93e 100644
--- a/charts/kube-prometheus-stack/templates/azureidentity.yaml
+++ b/charts/kube-prometheus-stack/templates/azureidentity.yaml
@@ -1,11 +1,11 @@
-{{- if index $.Values "kube-prometheus-stack" "prometheus" "azureIdentity" }}
+{{- with .Values.azureIdentity }}
 ---
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentity
 metadata:
- name: kube-prometheus-stack-prometheus
+ name: prometheus
 spec:
 type: 0
- resourceID: {{ index $.Values "kube-prometheus-stack" "prometheus" "azureIdentity" "resourceID" }}
- clientID: {{ index $.Values "kube-prometheus-stack" "prometheus" "azureIdentity" "clientID" }}
+ resourceID: {{ .resourceID }}
+ clientID: {{ .clientID }}
 {{- end }}
diff --git a/charts/kube-prometheus-stack/templates/azureidentitybinding.yaml b/charts/kube-prometheus-stack/templates/azureidentitybinding.yaml
index b828dcb8..914626c2 100644
--- a/charts/kube-prometheus-stack/templates/azureidentitybinding.yaml
+++ b/charts/kube-prometheus-stack/templates/azureidentitybinding.yaml
@@ -1,11 +1,10 @@
-{{- if index $.Values "kube-prometheus-stack" "prometheus" "azureIdentity" }}
+{{- with .Values.azureIdentity }}
 ---
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentityBinding
 metadata:
- name: kube-prometheus-stack-prometheus-binding
+ name: prometheus-binding
 spec:
- azureIdentity: kube-prometheus-stack-prometheus
- selector: kube-prometheus-stack-prometheus
- weight: 0
+ azureIdentity: prometheus
+ selector: prometheus
 {{- end }}
diff --git a/eks/README.adoc b/eks/README.adoc
index 885fdfa5..2aa3e396 100644
--- a/eks/README.adoc
+++ b/eks/README.adoc
@@ -147,7 +147,7 @@ Description: Override of target revision of the application chart.
 Type: `string`
-Default: `"v1.0.0-alpha.7"`
+Default: `"v1.0.0"`
 === Outputs
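Review bot: `type: 0` on the `AzureIdentity` is a bare magic number; in the aadpodidentity.k8s.io/v1 API it selects a user-assigned managed identity, and a comment `# 0 = user-assigned managed identity` next to it would save the next reader a lookup. More importantly, the `aadpodidentity.k8s.io/v1` API used by this template and by azureidentitybinding.yaml belongs to AAD Pod Identity, which has been deprecated upstream in favour of Azure AD Workload Identity (federated credentials on the service account instead of a node-level component intercepting instance-metadata traffic); the commit standardises on it anyway, so a `# TODO: migrate to Azure AD Workload Identity; AAD Pod Identity is deprecated upstream.` at the top of both templates would keep the migration visible rather than buried in a chart nobody reopens.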
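Review bot: `selector: prometheus` on the `AzureIdentityBinding` only works because aks/locals.tf sets the pod label `aadpodidbinding = "prometheus"` on the Prometheus pods, and nothing in either file records the coupling; a comment `# must match the aadpodidbinding pod label set in aks/locals.tf` beside `selector:` would keep the two values from drifting apart, since as far as I can tell a mismatch fails quietly as an identity that is never bound and uploads that fail to authenticate. Dropping `weight: 0` looks harmless, but if it was deliberate the commit message does not say why, and a word in the template or the message would help.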
@@ -300,7 +300,7 @@ object({
 |[[input_target_revision]] <>
 |Override of target revision of the application chart.
 |`string`
-|`"v1.0.0-alpha.7"`
+|`"v1.0.0"`
 |no
 |===
diff --git a/kind/README.adoc b/kind/README.adoc
index 96a6b7cc..ec5b94f9 100644
--- a/kind/README.adoc
+++ b/kind/README.adoc
@@ -149,7 +149,7 @@ Description: Override of target revision of the application chart.
 Type: `string`
-Default: `"v1.0.0-alpha.7"`
+Default: `"v1.0.0"`
 === Outputs
@@ -304,7 +304,7 @@ object({
 |[[input_target_revision]] <>
 |Override of target revision of the application chart.
 |`string`
-|`"v1.0.0-alpha.7"`
+|`"v1.0.0"`
 |no
 |===