nomaddevops · nomaddevops · Apr 25, 2023 · Apr 25, 2023 · Apr 25, 2023 · Apr 25, 2023
diff --git a/.github/workflows/on_pull_request.yml b/.github/workflows/on_pull_request.yml
@@ -167,9 +167,13 @@ jobs:
                                      --github-token=${{github.token}} \
                                      --pull-request=${{github.event.pull_request.number}} \
                                      --behavior=new
+
   tfsec:
     name: tfsec
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
 
     steps:
       - name: Clone repo
@@ -179,9 +183,9 @@ jobs:
         uses: aquasecurity/tfsec-action@v1.0.0
 
       - uses: actions/github-script@v6
-        if: github.event_name == 'pull_request'
+        if: always()
         env:
-          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+          PLAN: "terraform\n${{ steps.sec.outputs.stdout }}"
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

diff --git a/platforms/dev/terraform.tfvars b/platforms/dev/terraform.tfvars
@@ -5,21 +5,28 @@ charts = {
     create_namespace = true
     repository       = "https://charts.bitnami.com/bitnami"
     version          = "9.4.1"
-    sets = {}
+    sets             = {
+      "service.loadBalancerIP" = "20.101.234.17"
+    }
+    skip_crds        = false
   }
-  cert-manager = {
+  /*cert-manager = {
     create_namespace = true
-    repository       = "https://charts.bitnami.com/bitnami"
-    version          = "v0.9.4"
-    sets = {}
-  }
+    repository       = "https://charts.jetstack.io"
+    version          = "v1.11.1"
+    sets             = {
+      "installCRDs" = true
+    }
+    skip_crds        = false
+  }*/
   redis = {
     create_namespace = true
     repository       = "https://charts.bitnami.com/bitnami"
     version          = "v17.9.2"
+    skip_crds        = false
     sets = {
       "global.redis.password" = "plop",
-      "replica.replicaCount" = 1
+      "replica.replicaCount"  = 1
     }
   }
 }
diff --git a/terraform.tf b/terraform.tf
@@ -4,13 +4,12 @@ Le module network sert a deployer le resource group mais aussi le virtual networ
 Le module est construit de façon a être le plus réutilisable possible ça évite de réécrire du code pour rien
 */
 module "network" {
-  source = "git@github.com:nomaddevops/azure_resource_group?ref=v1.0.1"
+  source = "git@github.com:nomaddevops/azure_resource_group?ref=v1.0.2"
 
   location      = var.location
   subnet_config = var.subnet_config
 }
 
-
 /*
 Maintenant que les bases réseaux sont déployé et pour plus de facilité ici car c'est une petite infrastructure 
 je crée directement le cluster AKS, les paramètres pouvant varier je n'utilise que des variables
@@ -28,15 +27,36 @@ resource "azurerm_kubernetes_cluster" "aks" {
     name       = var.aks_node_pool_config.default.name
     node_count = var.aks_node_pool_config.default.node_count
     vm_size    = var.aks_node_pool_config.default.vm_size
+    vnet_subnet_id = module.network.subnets.private.subnet.id
+  }
+
+  network_profile {
+    network_plugin = "azure"
   }
 
   identity {
-    type = "SystemAssigned"
+    type = "UserAssigned"
+    identity_ids = [ azurerm_user_assigned_identity.identity.id ]
   }
 
   tags = var.tags
 }
 
+resource "azurerm_user_assigned_identity" "identity" {
+  name                = format("mi-%s", var.name)
+  resource_group_name = module.network.resource_group.name
+  location            = module.network.resource_group.location
+}
+
+resource "azurerm_role_assignment" "role_assignment" {
+    for_each             = {
+    "Owner" = module.network.subnets.private.subnet.id
+    }
+    scope                = each.value
+    role_definition_name = each.key
+    principal_id         = azurerm_user_assigned_identity.identity.principal_id
+}
+
 /*
  J'ai maintenant le cluster pret a acceuillir des pods/servicse etc cependant je n'ai aucun Ingress Controller.
  En utilisant Helm Chart je déploie mon controller nginx (j'utilise un chart de la communauté) et je fais pareil
@@ -50,9 +70,6 @@ resource "azurerm_kubernetes_cluster" "aks" {
  ou le rasoir d'Occam (shorturl.at/eBEFV)
 */
 
-# UPDATE YOUR KUBE CONFIG OTHERWISE HELM WILL NOT BE ABLE TO DEPLOY THE CHART 
-
-
 resource "local_file" "kube_config" {
   content  = azurerm_kubernetes_cluster.aks.kube_config_raw
   filename = ".kube/config"
@@ -66,11 +83,12 @@ resource "helm_release" "chart" {
   repository       = each.value.repository
   chart            = each.key
   version          = each.value.version
+  skip_crds        = each.value.skip_crds
 
   dynamic "set" {
     for_each = each.value.sets
     content {
-      name = set.key
+      name  = set.key
       value = set.value
     }
   }

diff --git a/variables.tf b/variables.tf
@@ -6,7 +6,6 @@ variable "location" {
 
 variable "subnet_config" {
   default = {
-    public  = { is_multi_az = false }
     private = { is_multi_az = false }
   }
   description = "Multi az deployment for subnets"
@@ -35,4 +34,9 @@ variable "tags" {
 
 variable "charts" {
   type = any
+}
+
+variable "role_assignment" {
+  type = any
+  default = {}
 }