Azure
diff --git a/‎README.md‎
Lines changed: 7 additions & 1 deletion b/‎README.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎examples/application_gateway_ingress/k8s_workload.tf‎
Lines changed: 105 additions & 0 deletions b/‎examples/application_gateway_ingress/k8s_workload.tf‎
Lines changed: 105 additions & 0 deletions
diff --git a/‎examples/application_gateway_ingress/main.tf‎
Lines changed: 189 additions & 0 deletions b/‎examples/application_gateway_ingress/main.tf‎
Lines changed: 189 additions & 0 deletions
diff --git a/‎examples/application_gateway_ingress/outputs.tf‎
Lines changed: 4 additions & 0 deletions b/‎examples/application_gateway_ingress/outputs.tf‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎examples/application_gateway_ingress/providers.tf‎
Lines changed: 38 additions & 0 deletions b/‎examples/application_gateway_ingress/providers.tf‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎examples/application_gateway_ingress/variables.tf‎
Lines changed: 19 additions & 0 deletions b/‎examples/application_gateway_ingress/variables.tf‎
Lines changed: 19 additions & 0 deletions
@@ -238,14 +238,20 @@ No modules.
 | [azurerm_log_analytics_solution.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution) | resource |
 | [azurerm_log_analytics_workspace.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource |
 | [azurerm_role_assignment.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.application_gateway_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.application_gateway_resource_group_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.application_gateway_vnet_network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.network_contributor_on_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [null_resource.kubernetes_version_keeper](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.pool_name_keeper](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [tls_private_key.ssh](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [azurerm_client_config.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
 | [azurerm_log_analytics_workspace.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
+| [azurerm_resource_group.ingress_appgw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_user_assigned_identity.cluster_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
+| [azurerm_virtual_network.application_gateway_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 
 ## Inputs
 
@@ -271,6 +277,7 @@ No modules.
 | <a name="input_agents_type"></a> [agents\_type](#input\_agents\_type) | (Optional) The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets. | `string` | `"VirtualMachineScaleSets"` | no |
 | <a name="input_api_server_authorized_ip_ranges"></a> [api\_server\_authorized\_ip\_ranges](#input\_api\_server\_authorized\_ip\_ranges) | (Optional) The IP ranges to allow for incoming traffic to the server nodes. | `set(string)` | `null` | no |
 | <a name="input_api_server_subnet_id"></a> [api\_server\_subnet\_id](#input\_api\_server\_subnet\_id) | (Optional) The ID of the Subnet where the API server endpoint is delegated to. | `string` | `null` | no |
+| <a name="input_application_gateway_for_ingress"></a> [application\_gateway\_for\_ingress](#input\_application\_gateway\_for\_ingress) | * `id` - (Required) The ID of the Application Gateway that be used as cluster ingress.<br>* `subnet_id` - (Optional) The ID of the Subnet which the Application Gateway is connected to. Must be set when `create_role_assignments` is `true`.<br>* `create_role_assignments` - (Optional) Whether to create the corresponding role assignments or not. Defaults to `true`. | <pre>object({<br>    id                      = string<br>    subnet_id               = optional(string)<br>    create_role_assignments = optional(bool, true)<br>  })</pre> | `null` | no |
 | <a name="input_attached_acr_id_map"></a> [attached\_acr\_id\_map](#input\_attached\_acr\_id\_map) | Azure Container Registry ids that need an authentication mechanism with Azure Kubernetes Service (AKS). Map key must be static string as acr's name, the value is acr's resource id. Changing this forces some new resources to be created. | `map(string)` | `{}` | no |
 | <a name="input_auto_scaler_profile_balance_similar_node_groups"></a> [auto\_scaler\_profile\_balance\_similar\_node\_groups](#input\_auto\_scaler\_profile\_balance\_similar\_node\_groups) | Detect similar node groups and balance the number of nodes between them. Defaults to `false`. | `bool` | `false` | no |
 | <a name="input_auto_scaler_profile_empty_bulk_delete_max"></a> [auto\_scaler\_profile\_empty\_bulk\_delete\_max](#input\_auto\_scaler\_profile\_empty\_bulk\_delete\_max) | Maximum number of empty nodes that can be deleted at the same time. Defaults to `10`. | `number` | `10` | no |
@@ -310,7 +317,6 @@ No modules.
 | <a name="input_image_cleaner_enabled"></a> [image\_cleaner\_enabled](#input\_image\_cleaner\_enabled) | (Optional) Specifies whether Image Cleaner is enabled. | `bool` | `false` | no |
 | <a name="input_image_cleaner_interval_hours"></a> [image\_cleaner\_interval\_hours](#input\_image\_cleaner\_interval\_hours) | (Optional) Specifies the interval in hours when images should be cleaned up. Defaults to `48`. | `number` | `48` | no |
 | <a name="input_ingress_application_gateway_enabled"></a> [ingress\_application\_gateway\_enabled](#input\_ingress\_application\_gateway\_enabled) | Whether to deploy the Application Gateway ingress controller to this Kubernetes Cluster? | `bool` | `false` | no |
-| <a name="input_ingress_application_gateway_id"></a> [ingress\_application\_gateway\_id](#input\_ingress\_application\_gateway\_id) | The ID of the Application Gateway to integrate with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no |
 | <a name="input_ingress_application_gateway_name"></a> [ingress\_application\_gateway\_name](#input\_ingress\_application\_gateway\_name) | The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no |
 | <a name="input_ingress_application_gateway_subnet_cidr"></a> [ingress\_application\_gateway\_subnet\_cidr](#input\_ingress\_application\_gateway\_subnet\_cidr) | The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no |
 | <a name="input_ingress_application_gateway_subnet_id"></a> [ingress\_application\_gateway\_subnet\_id](#input\_ingress\_application\_gateway\_subnet\_id) | The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no |
 
@@ -0,0 +1,105 @@
+resource "kubernetes_namespace_v1" "example" {
+  metadata {
+    name = "example"
+  }
+  depends_on = [module.aks]
+}
+
+resource "kubernetes_pod" "aspnet_app" {
+  #checkov:skip=CKV_K8S_8:We don't need readiness probe for this simple example.
+  #checkov:skip=CKV_K8S_9:We don't need readiness probe for this simple example.
+  #checkov:skip=CKV_K8S_22:readOnlyRootFilesystem would block our pod from working
+  #checkov:skip=CKV_K8S_28:capabilities would block our pod from working
+  metadata {
+    name      = "aspnetapp"
+    namespace = kubernetes_namespace_v1.example.metadata[0].name
+    labels = {
+      app = "aspnetapp"
+    }
+  }
+  spec {
+    container {
+      name              = "aspnetapp-image"
+      image             = "mcr.microsoft.com/dotnet/samples@sha256:7070894cc10d2b1e68e72057cca22040c5984cfae2ec3e079e34cf0a4da7fcea"
+      image_pull_policy = "Always"
+      security_context {}
+      port {
+        container_port = 80
+        protocol       = "TCP"
+      }
+      resources {
+        requests = {
+          cpu    = "250m"
+          memory = "256Mi"
+        }
+        limits = {
+          cpu    = "250m"
+          memory = "256Mi"
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "svc" {
+  metadata {
+    name      = "aspnetapp"
+    namespace = kubernetes_namespace_v1.example.metadata[0].name
+  }
+  spec {
+    selector = {
+      app = "aspnetapp"
+    }
+    port {
+      port        = 80
+      target_port = 80
+      protocol    = "TCP"
+    }
+  }
+}
+
+resource "kubernetes_ingress_v1" "ing" {
+  metadata {
+    name      = "aspnetapp"
+    namespace = kubernetes_namespace_v1.example.metadata[0].name
+    annotations = {
+      "kubernetes.io/ingress.class" : "azure/application-gateway"
+    }
+  }
+  spec {
+    rule {
+      http {
+        path {
+          path = "/"
+          backend {
+            service {
+              name = "aspnetapp"
+              port {
+                number = 80
+              }
+            }
+          }
+          path_type = "Exact"
+        }
+      }
+    }
+  }
+  depends_on = [
+    module.aks,
+  ]
+}
+
+resource "time_sleep" "wait_for_ingress" {
+  create_duration = var.use_existing_application_gateway ? "1m" : "15m"
+
+  depends_on = [kubernetes_ingress_v1.ing]
+}
+
+data "kubernetes_ingress_v1" "ing" {
+  metadata {
+    name      = "aspnetapp"
+    namespace = kubernetes_namespace_v1.example.metadata[0].name
+  }
+
+  depends_on = [time_sleep.wait_for_ingress]
+}
@@ -0,0 +1,189 @@
+resource "random_id" "prefix" {
+  byte_length = 8
+}
+
+resource "random_id" "name" {
+  byte_length = 8
+}
+
+resource "azurerm_resource_group" "main" {
+  count = var.create_resource_group ? 1 : 0
+
+  location = var.location
+  name     = coalesce(var.resource_group_name, "${random_id.prefix.hex}-rg")
+}
+
+locals {
+  resource_group = {
+    name     = var.create_resource_group ? azurerm_resource_group.main[0].name : var.resource_group_name
+    location = var.location
+  }
+}
+
+resource "azurerm_virtual_network" "test" {
+  count = var.use_existing_application_gateway ? 1 : 0
+  address_space       = ["10.52.0.0/16"]
+  location            = local.resource_group.location
+  name                = "${random_id.prefix.hex}-vn"
+  resource_group_name = local.resource_group.name
+}
+
+resource "azurerm_subnet" "test" {
+  count = var.use_existing_application_gateway ? 1 : 0
+  address_prefixes     = ["10.52.0.0/24"]
+  name                 = "${random_id.prefix.hex}-sn"
+  resource_group_name  = local.resource_group.name
+  virtual_network_name = azurerm_virtual_network.test[0].name
+}
+
+resource "azurerm_subnet" "appgw" {
+  count = var.use_existing_application_gateway ? 1 : 0
+
+  address_prefixes     = ["10.52.1.0/24"]
+  name                 = "${random_id.prefix.hex}-gw"
+  resource_group_name  = local.resource_group.name
+  virtual_network_name = azurerm_virtual_network.test[0].name
+}
+
+# Locals block for hardcoded names
+locals {
+  backend_address_pool_name      = try("${azurerm_virtual_network.test[0].name}-beap", "")
+  frontend_ip_configuration_name = try("${azurerm_virtual_network.test[0].name}-feip", "")
+  frontend_port_name             = try("${azurerm_virtual_network.test[0].name}-feport", "")
+  http_setting_name              = try("${azurerm_virtual_network.test[0].name}-be-htst", "")
+  listener_name                  = try("${azurerm_virtual_network.test[0].name}-httplstn", "")
+  request_routing_rule_name      = try("${azurerm_virtual_network.test[0].name}-rqrt", "")
+}
+
+resource "azurerm_public_ip" "pip" {
+  count = var.use_existing_application_gateway ? 1 : 0
+
+  allocation_method   = "Static"
+  location            = local.resource_group.location
+  name                = "appgw-pip"
+  resource_group_name = local.resource_group.name
+  sku                 = "Standard"
+}
+
+resource "azurerm_application_gateway" "appgw" {
+  count = var.use_existing_application_gateway ? 1 : 0
+
+  location            = local.resource_group.location
+  #checkov:skip=CKV_AZURE_120:We don't need the WAF for this simple example
+  name                = "ingress"
+  resource_group_name = local.resource_group.name
+
+  backend_address_pool {
+    name = local.backend_address_pool_name
+  }
+  backend_http_settings {
+    cookie_based_affinity = "Disabled"
+    name                  = local.http_setting_name
+    port                  = 80
+    protocol              = "Http"
+    request_timeout       = 1
+  }
+  frontend_ip_configuration {
+    name                 = local.frontend_ip_configuration_name
+    public_ip_address_id = azurerm_public_ip.pip[0].id
+  }
+  frontend_port {
+    name = local.frontend_port_name
+    port = 80
+  }
+  gateway_ip_configuration {
+    name      = "appGatewayIpConfig"
+    subnet_id = azurerm_subnet.appgw[0].id
+  }
+  http_listener {
+    frontend_ip_configuration_name = local.frontend_ip_configuration_name
+    frontend_port_name             = local.frontend_port_name
+    name                           = local.listener_name
+    protocol                       = "Http"
+  }
+  request_routing_rule {
+    http_listener_name         = local.listener_name
+    name                       = local.request_routing_rule_name
+    rule_type                  = "Basic"
+    backend_address_pool_name  = local.backend_address_pool_name
+    backend_http_settings_name = local.http_setting_name
+    priority                   = 1
+  }
+  sku {
+    name     = "Standard_v2"
+    tier     = "Standard_v2"
+    capacity = 1
+  }
+
+  lifecycle {
+    ignore_changes = [
+      tags,
+      backend_address_pool,
+      backend_http_settings,
+      http_listener,
+      probe,
+      request_routing_rule,
+      url_path_map,
+    ]
+  }
+}
+
+module "aks" {
+  #checkov:skip=CKV_AZURE_141:We enable admin account here so we can provision K8s resources directly in this simple example
+  source = "../.."
+
+  prefix                       = random_id.name.hex
+  resource_group_name          = local.resource_group.name
+  kubernetes_version           = "1.26" # don't specify the patch version!
+  automatic_channel_upgrade    = "patch"
+  agents_availability_zones    = ["1", "2"]
+  agents_count                 = null
+  agents_max_count             = 2
+  agents_max_pods              = 100
+  agents_min_count             = 1
+  agents_pool_name             = "testnodepool"
+  agents_pool_linux_os_configs = [
+    {
+      transparent_huge_page_enabled = "always"
+      sysctl_configs                = [
+        {
+          fs_aio_max_nr               = 65536
+          fs_file_max                 = 100000
+          fs_inotify_max_user_watches = 1000000
+        }
+      ]
+    }
+  ]
+  agents_type                      = "VirtualMachineScaleSets"
+  azure_policy_enabled             = true
+  enable_auto_scaling              = true
+  enable_host_encryption           = true
+  http_application_routing_enabled = true
+  application_gateway_for_ingress  = {
+    new_gw = var.use_existing_application_gateway ? null : {
+      name        = "ingress"
+      subnet_cidr = "10.225.0.0/16"
+    }
+    existing_gw = var.use_existing_application_gateway ? {
+      id        = azurerm_application_gateway.appgw[0].id
+      subnet_id = azurerm_subnet.appgw[0].id
+    } : null
+  }
+  local_account_disabled            = false
+  log_analytics_workspace_enabled   = false
+  net_profile_dns_service_ip        = "10.0.0.10"
+  net_profile_service_cidr          = "10.0.0.0/16"
+  network_plugin                    = "azure"
+  network_policy                    = "azure"
+  os_disk_size_gb                   = 60
+  private_cluster_enabled           = false
+  public_network_access_enabled     = true
+  rbac_aad                          = true
+  rbac_aad_managed                  = true
+  role_based_access_control_enabled = true
+  sku_tier                          = "Standard"
+  vnet_subnet_id                    = var.use_existing_application_gateway ? azurerm_subnet.test[0].id : null
+  depends_on                        = [
+    azurerm_subnet.test,
+  ]
+}
@@ -0,0 +1,4 @@
+output "ingress_endpoint" {
+  depends_on = [time_sleep.wait_for_ingress]
+  value      = "http://${data.kubernetes_ingress_v1.ing.status[0].load_balancer[0].ingress[0].ip}"
+}
@@ -0,0 +1,38 @@
+terraform {
+  required_version = ">=1.3"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.51, < 4.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.22.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "3.3.2"
+    }
+    time = {
+      source  = "hashicorp/time"
+      version = "0.9.1"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false
+    }
+  }
+}
+
+provider "kubernetes" {
+  host                   = module.aks.admin_host
+  client_certificate     = base64decode(module.aks.admin_client_certificate)
+  client_key             = base64decode(module.aks.admin_client_key)
+  cluster_ca_certificate = base64decode(module.aks.admin_cluster_ca_certificate)
+}
+
+provider "random" {}
@@ -0,0 +1,19 @@
+variable "create_resource_group" {
+  type     = bool
+  default  = true
+  nullable = false
+}
+
+variable "location" {
+  default = "eastus"
+}
+
+variable "resource_group_name" {
+  type    = string
+  default = null
+}
+
+variable "use_existing_application_gateway" {
+  type     = bool
+  default  = false
+}