From dd4f7d7c39a5fd165777f9c3397ad5cbf71410b3 Mon Sep 17 00:00:00 2001 From: Joffrey Dupire Date: Tue, 25 Apr 2023 15:08:56 +0200 Subject: [PATCH 1/8] fix: fake --- outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/outputs.tf b/outputs.tf index ca671b9..08bf190 100644 --- a/outputs.tf +++ b/outputs.tf @@ -4,6 +4,6 @@ output "client_certificate" { } output "kube_config" { - value = azurerm_kubernetes_cluster.aks.kube_config_raw + value = azurerm_kubernetes_cluster.aks sensitive = true } \ No newline at end of file From ff4f80b9cec0ad7470d7747fd1eb72931eba0eb4 Mon Sep 17 00:00:00 2001 From: Joffrey Dupire Date: Tue, 25 Apr 2023 15:12:40 +0200 Subject: [PATCH 2/8] build: update --- .github/workflows/on_pull_request.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/on_pull_request.yml b/.github/workflows/on_pull_request.yml index 3f31a80..68b36e4 100644 --- a/.github/workflows/on_pull_request.yml +++ b/.github/workflows/on_pull_request.yml @@ -170,6 +170,9 @@ jobs: tfsec: name: tfsec runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - name: Clone repo From ffebdd1169b138deb2ecea99754314074ef034ab Mon Sep 17 00:00:00 2001 From: Joffrey Dupire Date: Tue, 25 Apr 2023 15:15:08 +0200 Subject: [PATCH 3/8] format: fmt --- platforms/dev/terraform.tfvars | 6 +++--- terraform.tf | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/platforms/dev/terraform.tfvars b/platforms/dev/terraform.tfvars index d1a9236..96c69f6 100644 --- a/platforms/dev/terraform.tfvars +++ b/platforms/dev/terraform.tfvars @@ -5,13 +5,13 @@ charts = { create_namespace = true repository = "https://charts.bitnami.com/bitnami" version = "9.4.1" - sets = {} + sets = {} } cert-manager = { create_namespace = true repository = "https://charts.bitnami.com/bitnami" version = "v0.9.4" - sets = {} + sets = {} } redis = { create_namespace = true 
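Review bot: The `kube_config` output now exports the whole `azurerm_kubernetes_cluster.aks` resource instead of `kube_config_raw`, which widens what the output (and any remote-state consumer reading it) can reach to every attribute of the cluster, not just the kubeconfig. `sensitive = true` only redacts the value in CLI output; it is still stored in plaintext in the state file, so the output should stay as narrow as what is actually needed, `value = azurerm_kubernetes_cluster.aks.kube_config_raw`. If this commit is a throwaway to exercise the PR workflow, as the subject "fix: fake" suggests, it would be cleaner to squash it with the later revert before merging.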
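Review bot: The added job-level `permissions` block correctly narrows the tfsec job's token to `contents: read` and `pull-requests: write`, but on a workflow triggered by `pull_request` (as the file name suggests) GitHub issues a read-only token for pull requests from forks regardless of this block, so the comment-posting step that follows will fail for fork PRs. Either accept that with `continue-on-error: true` on that step, or guard it with `if: github.event.pull_request.head.repo.full_name == github.repository`. A one-line comment above the block, `# least-privilege token: read the repo, post the tfsec summary on the PR`, would make the intent clear to the next editor.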
@@ -19,7 +19,7 @@ charts = { version = "v17.9.2" sets = { "global.redis.password" = "plop", - "replica.replicaCount" = 1 + "replica.replicaCount" = 1 } } } \ No newline at end of file diff --git a/terraform.tf b/terraform.tf index e039dc8..3de1836 100644 --- a/terraform.tf +++ b/terraform.tf @@ -70,7 +70,7 @@ resource "helm_release" "chart" { dynamic "set" { for_each = each.value.sets content { - name = set.key + name = set.key value = set.value } } From b50bbcc3b5739119e004e01cfd98080618ad5e13 Mon Sep 17 00:00:00 2001 From: Joffrey Dupire Date: Tue, 25 Apr 2023 15:16:11 +0200 Subject: [PATCH 4/8] build: update --- .github/workflows/on_pull_request.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/on_pull_request.yml b/.github/workflows/on_pull_request.yml index 68b36e4..09942ed 100644 --- a/.github/workflows/on_pull_request.yml +++ b/.github/workflows/on_pull_request.yml @@ -180,6 +180,8 @@ jobs: - name: tfsec id: sec uses: aquasecurity/tfsec-action@v1.0.0 + with: + soft_fail: true - uses: actions/github-script@v6 if: github.event_name == 'pull_request' From 98108a3a296523851495b5a27d79fba65cc233ee Mon Sep 17 00:00:00 2001 From: Joffrey Dupire Date: Tue, 25 Apr 2023 15:19:43 +0200 Subject: [PATCH 5/8] build: update --- .github/workflows/on_pull_request.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/on_pull_request.yml b/.github/workflows/on_pull_request.yml index 09942ed..54ba15d 100644 --- a/.github/workflows/on_pull_request.yml +++ b/.github/workflows/on_pull_request.yml @@ -180,13 +180,11 @@ jobs: - name: tfsec id: sec uses: aquasecurity/tfsec-action@v1.0.0 - with: - soft_fail: true - uses: actions/github-script@v6 - if: github.event_name == 'pull_request' + if: always() env: - PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" + PLAN: "terraform\n${{ steps.sec.outputs.stdout }}" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | 
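Review bot: `soft_fail: true` makes the tfsec step exit zero whatever it finds, so the job stays green and findings become advisory only; if that is intended, say so with a comment such as `# advisory only: findings are posted to the PR by the next step, not enforced here`, otherwise drop it and let real findings block the merge. While here, `aquasecurity/tfsec-action@v1.0.0` on the context line is pinned to a mutable tag; pinning to the full commit SHA with the tag in a trailing comment protects the workflow from a retagged release.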
From ccdc3117a9bda46f635794174c044eae61af5a86 Mon Sep 17 00:00:00 2001 From: Joffrey Dupire Date: Tue, 25 Apr 2023 15:22:43 +0200 Subject: [PATCH 6/8] fix: fake --- outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/outputs.tf b/outputs.tf index 08bf190..ca671b9 100644 --- a/outputs.tf +++ b/outputs.tf @@ -4,6 +4,6 @@ output "client_certificate" { } output "kube_config" { - value = azurerm_kubernetes_cluster.aks + value = azurerm_kubernetes_cluster.aks.kube_config_raw sensitive = true } \ No newline at end of file From 8b152a27c14ac5983d1f16a98d447f3acc3b0f46 Mon Sep 17 00:00:00 2001 From: Joffrey Dupire Date: Tue, 25 Apr 2023 15:32:22 +0200 Subject: [PATCH 7/8] build: format --- .github/workflows/on_pull_request.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/on_pull_request.yml b/.github/workflows/on_pull_request.yml index 54ba15d..57baae6 100644 --- a/.github/workflows/on_pull_request.yml +++ b/.github/workflows/on_pull_request.yml @@ -167,6 +167,7 @@ jobs: --github-token=${{github.token}} \ --pull-request=${{github.event.pull_request.number}} \ --behavior=new + tfsec: name: tfsec runs-on: ubuntu-latest From e8fc789af14ed7a4c61d5f9ef0106fc88eef7e7f Mon Sep 17 00:00:00 2001 From: Joffrey Dupire Date: Thu, 27 Apr 2023 11:33:47 +0200 Subject: [PATCH 8/8] fix: improve sec --- platforms/dev/terraform.tfvars | 19 +++++++++++++------ terraform.tf | 30 ++++++++++++++++++++++++------ variables.tf | 6 +++++- 3 files changed, 42 insertions(+), 13 deletions(-) diff --git a/platforms/dev/terraform.tfvars b/platforms/dev/terraform.tfvars index 96c69f6..86547b9 100644 --- a/platforms/dev/terraform.tfvars +++ b/platforms/dev/terraform.tfvars 
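Review bot: Restoring `kube_config_raw` as the `kube_config` output is the right narrowing, but `sensitive = true` only masks the value in `terraform output`; the kubeconfig still sits in plaintext in the state file, and in the last patch of this series `local_file.kube_config` in terraform.tf writes the same value to `.kube/config` on the machine running Terraform, so anyone with access to the state backend or that filesystem holds a cluster credential. Worth a comment on the output, e.g. `# redacted in CLI output only; the value is still stored in state, protect the backend accordingly`, and if nothing downstream consumes this output, consider whether it is needed at all.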
@@ -5,18 +5,25 @@ charts = { create_namespace = true repository = "https://charts.bitnami.com/bitnami" version = "9.4.1" - sets = {} + sets = { + "service.loadBalancerIP" = "20.101.234.17" + } + skip_crds = false } - cert-manager = { + /*cert-manager = { create_namespace = true - repository = "https://charts.bitnami.com/bitnami" - version = "v0.9.4" - sets = {} - } + repository = "https://charts.jetstack.io" + version = "v1.11.1" + sets = { + "installCRDs" = true + } + skip_crds = false + }*/ redis = { create_namespace = true repository = "https://charts.bitnami.com/bitnami" version = "v17.9.2" + skip_crds = false sets = { "global.redis.password" = "plop", "replica.replicaCount" = 1 diff --git a/terraform.tf b/terraform.tf index 3de1836..ea7cf71 100644 --- a/terraform.tf +++ b/terraform.tf @@ -4,13 +4,12 @@ Le module network sert a deployer le resource group mais aussi le virtual networ Le module est construit de façon a être le plus réutilisable possible ça évite de réécrire du code pour rien */ module "network" { - source = "git@github.com:nomaddevops/azure_resource_group?ref=v1.0.1" + source = "git@github.com:nomaddevops/azure_resource_group?ref=v1.0.2" location = var.location subnet_config = var.subnet_config } - /* Maintenant que les bases réseaux sont déployé et pour plus de facilité ici car c'est une petite infrastructure je crée directement le cluster AKS, les paramètres pouvant varier je n'utilise que des variables 
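Review bot: `"global.redis.password" = "plop"` remains in the committed tfvars as a plaintext credential on the new side of this hunk, which a commit titled "improve sec" should address: move it into a variable declared with `sensitive = true` and supplied through `TF_VAR_` or a secret store, and rotate the value since it is already in git history. The new `"service.loadBalancerIP" = "20.101.234.17"` hard-codes an address into chart values; if it is a pre-allocated public IP, a short comment naming the Azure resource it belongs to would save the next reader a lookup. The cert-manager block parked inside `/* */` should be deleted rather than commented out; git history keeps it, and the dead block still advertises a chart repository and version nobody maintains.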
@@ -28,15 +27,36 @@ resource "azurerm_kubernetes_cluster" "aks" { name = var.aks_node_pool_config.default.name node_count = var.aks_node_pool_config.default.node_count vm_size = var.aks_node_pool_config.default.vm_size + vnet_subnet_id = module.network.subnets.private.subnet.id + } + + network_profile { + network_plugin = "azure" } identity { - type = "SystemAssigned" + type = "UserAssigned" + identity_ids = [ azurerm_user_assigned_identity.identity.id ] } tags = var.tags } +resource "azurerm_user_assigned_identity" "identity" { + name = format("mi-%s", var.name) + resource_group_name = module.network.resource_group.name + location = module.network.resource_group.location +} + +resource "azurerm_role_assignment" "role_assignment" { + for_each = { + "Owner" = module.network.subnets.private.subnet.id + } + scope = each.value + role_definition_name = each.key + principal_id = azurerm_user_assigned_identity.identity.principal_id +} + /* J'ai maintenant le cluster pret a acceuillir des pods/servicse etc cependant je n'ai aucun Ingress Controller. En utilisant Helm Chart je déploie mon controller nginx (j'utilise un chart de la communauté) et je fais pareil @@ -50,9 +70,6 @@ resource "azurerm_kubernetes_cluster" "aks" { ou le rasoir d'Occam (shorturl.at/eBEFV) */ -# UPDATE YOUR KUBE CONFIG OTHERWISE HELM WILL NOT BE ABLE TO DEPLOY THE CHART - - resource "local_file" "kube_config" { content = azurerm_kubernetes_cluster.aks.kube_config_raw filename = ".kube/config" @@ -66,6 +83,7 @@ resource "helm_release" "chart" { repository = each.value.repository chart = each.key version = each.value.version + skip_crds = each.value.skip_crds dynamic "set" { for_each = each.value.sets diff --git a/variables.tf b/variables.tf index d38a4a3..5ed5947 100644 --- a/variables.tf +++ b/variables.tf @@ -6,7 +6,6 @@ variable "location" { variable "subnet_config" { default = { - public = { is_multi_az = false } private = { is_multi_az = false } } description = "Multi az deployment for subnets" 
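Review bot: `azurerm_role_assignment.role_assignment` grants `Owner` on the private subnet to the cluster's user-assigned identity, which is far broader than the Azure CNI integration needs; `Owner` includes the right to create further role assignments at that scope, so a compromise of that identity could escalate. `Network Contributor` is the role Azure documents for AKS on a bring-your-own subnet, so `"Network Contributor" = module.network.subnets.private.subnet.id` should suffice. The map is also hard-coded while a `role_assignment` variable is introduced in variables.tf in this same patch but never referenced; either wire `for_each = var.role_assignment` or drop the variable. Consider `depends_on = [azurerm_role_assignment.role_assignment]` on the cluster resource, as cluster creation can fail if the assignment has not propagated yet — verify against your provider version.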
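Review bot: `skip_crds = each.value.skip_crds` reads the attribute unconditionally, so any `charts` entry that omits `skip_crds` fails at plan with an unsupported-attribute error instead of falling back to Helm's default; `skip_crds = lookup(each.value, "skip_crds", false)` keeps existing tfvars working. The `variable "charts"` is typed `any`, which is why nothing catches this earlier; an object type with optional attributes would. The `helm_release` resource starts before this hunk.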
@@ -35,4 +34,9 @@ variable "tags" { variable "charts" { type = any +} + +variable "role_assignment" { + type = any + default = {} } \ No newline at end of file
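Review bot: `variable "role_assignment"` is declared with `type = any` and an empty default but nothing in this patch reads it, since the role assignment in terraform.tf hard-codes its map, so it is a dead input that also bypasses type checking. Declare it as `type = map(string)` with a `description` such as `"Role definition name => scope id, assigned to the cluster identity"` and reference it from the resource, or remove it until it is used.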