feat: add azure-acr module

Author: matihost

terraform/azure/aks/module/acr.tf

@@ -23,6 +23,10 @@ resource "azurerm_role_assignment" "aks-cr" {
   skip_service_principal_aad_check = true
 }
 
+data "azurerm_private_dns_zone" "acr" {
+  name                = "privatelink.azurecr.io"
+  resource_group_name = local.resource_group_name
+}
 
 resource "azurerm_private_endpoint" "aks-cr" {
   name                          = azurerm_container_registry.aks.name
@@ -38,11 +42,12 @@ resource "azurerm_private_endpoint" "aks-cr" {
     is_manual_connection           = false
   }
 
-  # TODO ?
-  # private_dns_zone_group {
-  #   name                 = "example-dns-zone-group"
-  #   private_dns_zone_ids = [azurerm_private_dns_zone.example.id]
-  # }
+  private_dns_zone_group {
+    name = "acr-zonegroup"
+    private_dns_zone_ids = [
+      data.azurerm_private_dns_zone.acr.id
+    ]
+  }
 }
 
 

terraform/azure/aro/Makefile

@@ -51,6 +51,14 @@ get-sp-expiration-date: ## check ARO cluster ServicePrincipal credential expirat
 rotate-sp-credentials: ## automated ServicePrincipal credential rotation will check if the service principal exists and rotate or create a new service principal.
 	az aro update --refresh-credentials --name $(CLUSTER_NAME) --resource-group $(CLUSTER_RG)
 
+show-current-pull-secret: ## show current pull secret
+	oc get secrets pull-secret -n openshift-config -o template='{{index .data ".dockerconfigjson"}}' | base64 -d
+
+show-current-runtime-pull-secret: ## show current pull secret from runtime (kubelet config)
+	oc exec -n openshift-apiserver `oc get pod -n openshift-apiserver -o jsonpath="{.items[0].metadata.name}"` -- cat /var/lib/kubelet/config.json
+
+show-aro-entraid-callback: ## show ARO cluster's callback URL for Azure AD authentication (for use in Entra ID app registration)
+	echo "$$(az aro show -g $(CLUSTER_RG) -n $(CLUSTER_NAME) --query consoleProfile.url -o tsv | sed 's/console-openshift-console/oauth-openshift/')oauth2callback/AAD"
 
 show-state: ## show state
 	cd stage/$(ENV) && terragrunt state list && terragrunt show

terraform/azure/azure-acr/Makefile

@@ -0,0 +1,97 @@
+SHELL := /usr/bin/env bash
+.EXPORT_ALL_VARIABLES:
+
+DEBUG := false
+ifeq ($(strip $(DEBUG)),true)
+	TF_LOG := DEBUG
+	TG_FLAGS := --inputs-debug
+endif
+
+MODE := apply
+ifeq ($(strip $(MODE)),apply)
+	MODE_STR := --non-interactive -- apply -auto-approve
+else ifeq ($(strip $(MODE)),destroy)
+	MODE_STR := --non-interactive -- destroy -auto-approve
+else
+	MODE_STR := --non-interactive -- plan
+endif
+
+
+ENV := dev-westeurope-shared1
+
+init: init-tf-backend
+	cd stage/$(ENV) && terragrunt run -- init -upgrade=true
+
+
+run: init ## setup ACR: make run [ENV=dev-northeurope-shared1] [MODE=apply]
+	@cd stage/$(ENV) && terragrunt run validate && terragrunt run $(MODE_STR) $(TG_FLAGS)
+
+acr-admin-login: ## login to ACR registry with docker admin credentials
+	ACR_NAME="$$(cd stage/$(ENV) && terragrunt output -raw acr_name 2>/dev/null)" && \
+	ACR_USERNAME="$$(cd stage/$(ENV) && terragrunt output -raw acr_username 2>/dev/null)" && \
+	ACR_PASSWORD="$$(cd stage/$(ENV) && terragrunt output -raw acr_password 2>/dev/null)" && \
+		docker login "$${ACR_NAME}.azurecr.io" \
+			-u "$${ACR_USERNAME}" \
+			-p "$${ACR_PASSWORD}"
+
+acr-login: ## login to ACR registry
+	RG="$$(cd stage/$(ENV) && terragrunt output -raw rg 2>/dev/null)" && \
+	ACR_NAME="$$(cd stage/$(ENV) && terragrunt output -raw acr_name 2>/dev/null)" && \
+		az acr login \
+			--resource-group "$${RG}" \
+			--name "$${ACR_NAME}"
+
+get-container-registries: ## get names of configured container registries
+	RG="$$(cd stage/$(ENV) && terragrunt output -raw rg 2>/dev/null)" && \
+		az acr list \
+			--resource-group "$${RG}" \
+			--query "[].name" \
+			-o tsv
+
+make list-repositories: ## list repositories in ACR registry
+	ACR_NAME="$$(cd stage/$(ENV) && terragrunt output -raw acr_name 2>/dev/null)" && \
+		az acr repository list \
+			--name "$${ACR_NAME}" \
+			-o tsv
+
+show-state: ## show state
+	cd stage/$(ENV) && terragrunt state list && terragrunt show
+
+clean: ## clean cached plugins and data
+	find . -name ".terra*" -exec rm -rf {} +
+	find . -name "target" -exec rm -rf {} +
+
+upgrade-providers-version: init
+
+init-tf-backend:
+	cd stage && ./init_azurerm_tf_backend.sh
+
+whoami: ## show current logon (tenant, subscription, user)
+	@az account show
+
+login: ## login to Azure Subscription
+	az login
+
+update-pull-secret: ## update ARO cluster pull secret with ACR credentials
+	oc get secrets pull-secret -n openshift-config -o template='{{index .data ".dockerconfigjson"}}' | base64 -d > pull-secret.json
+	ACR_NAME="$$(cd stage/$(ENV) && terragrunt output -raw acr_name 2>/dev/null)" && \
+	ACR_USERNAME="$$(cd stage/$(ENV) && terragrunt output -raw acr_username 2>/dev/null)" && \
+	ACR_PASSWORD="$$(cd stage/$(ENV) && terragrunt output -raw acr_password 2>/dev/null)" && \
+	jq --arg acr "$${ACR_NAME}.azurecr.io" \
+		 --arg user "$${ACR_USERNAME}" \
+		 --arg pass "$${ACR_PASSWORD}" \
+		 '.auths += {($$acr): {"auth": ($$user + ":" + $$pass | @base64)}}' \
+		 pull-secret.json > pull-secret-modified.json && \
+	oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=./pull-secret-modified.json && \
+	rm pull-secret.json pull-secret-modified.json
+
+show-current-pull-secret: ## show current pull secret
+	oc get secrets pull-secret -n openshift-config -o template='{{index .data ".dockerconfigjson"}}' | base64 -d
+
+show-current-runtime-pull-secret: ## show current pull secret from runtime (kubelet config)
+	oc exec -n openshift-apiserver `oc get pod -n openshift-apiserver -o jsonpath="{.items[0].metadata.name}"` -- cat /var/lib/kubelet/config.json
+
+help: ## show usage and tasks (default)
+	@eval $$(sed -E -n 's/^([\*\.a-zA-Z0-9_-]+):.*?## (.*)$$/printf "\\033[36m%-30s\\033[0m %s\\n" "\1" "\2" ;/; ta; b; :a p' $(MAKEFILE_LIST))
+.DEFAULT_GOAL := help
+.PHONY: help run clean

terraform/azure/azure-acr/README.md

@@ -0,0 +1,42 @@
+# Terraform :: AKS Classic
+
+Setup Azure Container Registry (ACR)
+
+* Azure RBAC (aka Azure EntraID) Roles to manage K8S RBAC, with EntraId group acting as cluster-admins
+
+
+## Prerequisites
+
+* Latest Terragrunt/OpenTofu installed
+
+* [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt)
+
+* Azure Subscription.
+
+* Logged to Azure Subscription:
+
+  ```bash
+  make login
+  ```
+
+* Initialize Azure Storage Account and Container for keeping Terraform state
+
+  ```bash
+  make init
+  ```
+
+* [../azure-entraid](../azure-entraid) - installed for the same stage environment (contains resource group and policies)
+
+* Ensure networking is setup for evn and region: [../azure-network-setup](../azure-network-setup) - installed for the same stage environment and region
+Not all regions are compatible with AKS or contains desired VM sizes:
+
+
+## Usage
+
+```bash
+# setup ACR registry
+make run MODE=apply [ENV=dev-westeurope-shared1]
+
+# update pull secret in currently logged ARO cluster with credentials to this repo
+make update-pull-secret
+```

terraform/azure/azure-acr/module/acr.tf

@@ -0,0 +1,70 @@
+resource "azurerm_container_registry" "acr" {
+  name                          = replace("${local.prefix}${var.name}", "-", "")
+  location                      = local.location
+  resource_group_name           = local.resource_group_name
+  sku                           = "Premium"
+  zone_redundancy_enabled       = true
+  public_network_access_enabled = var.public
+
+  # whether to expose break-glass admin access to ACR, normally only EntraId access possible
+  admin_enabled = var.admin_enabled
+
+  lifecycle {
+    ignore_changes = [tags, ]
+  }
+  tags = var.tags
+}
+
+data "azurerm_subnet" "private-endpoints-subnet" {
+  name                 = "${data.azurerm_virtual_network.vnet.name}-${var.private_endpoints_subnet_suffix}"
+  virtual_network_name = data.azurerm_virtual_network.vnet.name
+  resource_group_name  = local.resource_group_name
+}
+
+data "azurerm_private_dns_zone" "acr" {
+  name                = "privatelink.azurecr.io"
+  resource_group_name = local.resource_group_name
+}
+
+resource "azurerm_private_endpoint" "acr" {
+  name                          = azurerm_container_registry.acr.name
+  location                      = local.location
+  resource_group_name           = local.resource_group_name
+  subnet_id                     = data.azurerm_subnet.private-endpoints-subnet.id
+  custom_network_interface_name = "nic${azurerm_container_registry.acr.name}"
+
+  private_service_connection {
+    name                           = "config"
+    private_connection_resource_id = azurerm_container_registry.acr.id
+    subresource_names              = ["registry"]
+    is_manual_connection           = false
+  }
+
+  private_dns_zone_group {
+    name = "acr-zonegroup"
+    private_dns_zone_ids = [
+      data.azurerm_private_dns_zone.acr.id
+    ]
+  }
+
+}
+
+
+output "acr_name" {
+  value = azurerm_container_registry.acr.name
+}
+
+output "acr_login_server" {
+  value = azurerm_container_registry.acr.login_server
+}
+
+# Available when admin=true, otherwise only EntraID access available
+#
+output "acr_username" {
+  value = azurerm_container_registry.acr.admin_username
+}
+
+output "acr_password" {
+  value     = azurerm_container_registry.acr.admin_password
+  sensitive = true
+}

terraform/azure/azure-acr/module/variables.tf

@@ -0,0 +1,135 @@
+data "azurerm_subscription" "current" {
+}
+
+data "azurerm_resource_group" "rg" {
+  name = var.env
+}
+
+data "azurerm_virtual_network" "vnet" {
+  name                = "${local.prefix}-vnet"
+  resource_group_name = local.resource_group_name
+}
+
+locals {
+  # tflint-ignore: terraform_unused_declarations
+  subscription_id     = data.azurerm_subscription.current.id
+  resource_group_name = data.azurerm_resource_group.rg.name
+  location            = var.region
+
+  prefix            = "${var.env}-${local.azure_region_abbreviations[var.region]}"
+  subscription_name = data.azurerm_subscription.current.display_name
+  azure_region_abbreviations = {
+    "eastus"             = "eus"
+    "eastus2"            = "eu2"
+    "westus"             = "wus"
+    "westus2"            = "wu2"
+    "centralus"          = "cus"
+    "northeurope"        = "neu"
+    "westeurope"         = "weu"
+    "southeastasia"      = "sea"
+    "eastasia"           = "eas"
+    "australiaeast"      = "aue"
+    "australiasoutheast" = "aus"
+    "japaneast"          = "jpe"
+    "japanwest"          = "jpw"
+    "canadacentral"      = "cac"
+    "canadaeast"         = "cae"
+    "germanywestcentral" = "gwc"
+    "uksouth"            = "uks"
+    "ukwest"             = "ukw"
+    "polandcentral"      = "plc"
+    "brazilsouth"        = "brs"
+    "southafricanorth"   = "san"
+    "southafricasouth"   = "sas"
+    "francecentral"      = "frc"
+    "francesouth"        = "frs"
+    "uaecentral"         = "uae"
+    "uaenorth"           = "uan"
+    "koreacentral"       = "kor"
+    "koreasouth"         = "kos"
+    "swedencentral"      = "swc"
+    "swedensouth"        = "sws"
+    "norwayeast"         = "noe"
+    "norwaywest"         = "now"
+    "switzerlandnorth"   = "swn"
+    "switzerlandwest"    = "sww"
+    "italynorth"         = "itn"
+    "israelcentral"      = "isc"
+    "qatarcentral"       = "qac"
+    "spaincentral"       = "spc"
+    "newzealandnorth"    = "nzn"
+    "australiacentral"   = "auc"
+    "australiacentral2"  = "au2"
+    "mexicocentral"      = "mxc"
+    "indiacentral"       = "inc"
+    "indiaseast"         = "ise"
+    "indiasouth"         = "iss"
+    "indiasouth"         = "isw"
+    "japanwest"          = "jpw"
+    "chinanorth"         = "chn"
+    "chinaeast"          = "che"
+    "chinaeast2"         = "ch2"
+    "chinanorth2"        = "ch3"
+    "chinanorth3"        = "ch4"
+    "germanycentral"     = "gmc"
+    "germanynortheast"   = "gne"
+    "usgovarizona"       = "uga"
+    "usgovtexas"         = "ugt"
+    "usgovvirginia"      = "ugv"
+    "usgovpennsylvania"  = "ugp"
+    "usdodeast"          = "ude"
+    "usdodcentral"       = "udc"
+    "usgovarizona"       = "uga"
+    "usgovtexas"         = "ugt"
+    "usgovvirginia"      = "ugv"
+    "usgovpennsylvania"  = "ugp"
+    "usdodeast"          = "ude"
+    "usdodcentral"       = "udc"
+  }
+}
+
+variable "env" {
+  description = "Environment name"
+  type        = string
+}
+
+variable "region" {
+  description = "Azure region"
+  type        = string
+}
+
+variable "name" {
+  description = "Name of the Azure Container Registry"
+  type        = string
+  default     = "acr"
+}
+
+
+variable "admin_enabled" {
+  description = "Enable admin user for the Azure Container Registry"
+  type        = bool
+  default     = false
+}
+
+
+variable "public" {
+  description = "Expose ACR to public network, otherwise only private endpoint access possible"
+  type        = bool
+  default     = false
+}
+
+variable "private_endpoints_subnet_suffix" {
+  type        = string
+  description = "Name of subnet for private endpoints"
+}
+
+
+variable "tags" {
+  description = "Tags to apply to resources"
+  type        = map(string)
+  default     = {}
+}
+
+output "rg" {
+  value = local.resource_group_name
+}