aks prom grafana with terraform

2023-04-03 11:34:13 +02:00 · 2023-04-03 11:34:13 +02:00 · 98a0b86e34
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Terraform/03-AAD-create/ad_groups.tf
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Terraform/03-AAD-create/ad_groups.tf
@ -18,4 +18,4 @@ output "appdev_object_id" {

 output "aksops_object_id" {
  value = azuread_group.aksops.object_id
-}
+}
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Terraform/03-AAD-create/provider.tf
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Terraform/03-AAD-create/provider.tf
@ -5,7 +5,11 @@ terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
-      version = "= 3.9.0"
+      version = "= 3.44.1"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "= 2.34.1"
    }
  }

--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Terraform/03-AAD-create/tfplan
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Terraform/03-AAD-create/tfplan
--- a/Scenarios/Prometheus
+++ b/Scenarios/Prometheus
@ -98,3 +98,35 @@ Connect Grafana to your Azure monitor workspace by following the instructions in
 - Select your workspace
 - Click "Linked Grafana Workspaces"
 - Select a Grafana workspace
+
+
+## Deploying Grafana and Monitor Workspace for Prometheus using Terraform
+
+re Monitor Workspace for Prometheus is a new service (in preview).
+It is not yet supported with ARM template or with Terraform resource.
+
+So, we'll use `azapi` terraform provider to create the Monitor Workspace for Prometheus.
+
+And we'll use a `local-exec` to run a command line to configure AKS with Prometheus.
+
+AKS, Grafana and Log Analytics are suported with ARM templates and Terraform.
+
+### Deploying the resources using Terraform
+
+To deploy the Terraform configuration files, run the following commands:
+
+```shell
+terraform init
+
+terraform plan -out tfplan
+
+terraform apply tfplan
+```
+
+### Cleanup resources
+
+To delete the creates resources, run the following command:
+
+```shell
+terraform destroy
+```
--- a/Grafana/Terraform/aks.tf
+++ b/Grafana/Terraform/aks.tf
@ -0,0 +1,29 @@
+# aks cluster
+resource "azurerm_kubernetes_cluster" "aks" {
+  name                = var.aks_name
+  location            = azurerm_resource_group.rg_aks_cluster.location
+  resource_group_name = azurerm_resource_group.rg_aks_cluster.name
+  dns_prefix          = "aks"
+  kubernetes_version  = "1.25.5"
+
+  default_node_pool {
+    name       = "default"
+    node_count = "3"
+    vm_size    = "Standard_DS2_v2"
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  oms_agent {
+    log_analytics_workspace_id      = azurerm_log_analytics_workspace.workspace.id
+    msi_auth_for_monitoring_enabled = true
+  }
+
+  lifecycle {
+    ignore_changes = [
+      monitor_metrics
+    ]
+  }
+}
--- a/Grafana/Terraform/enable_prometheus.tf
+++ b/Grafana/Terraform/enable_prometheus.tf
@ -0,0 +1,22 @@
+resource "null_resource" "enable_azuremonitormetrics" {
+  # for windows
+  provisioner "local-exec" {
+    interpreter = ["PowerShell", "-Command"]
+    command     = <<-EOT
+
+      az aks update --enable-azuremonitormetrics `
+                    -g ${azurerm_kubernetes_cluster.aks.resource_group_name} `
+                    -n ${azurerm_kubernetes_cluster.aks.name} `
+                    --azure-monitor-workspace-resource-id ${azapi_resource.prometheus.id}
+    EOT
+  }
+
+  triggers = {
+    "key" = "value1"
+  }
+
+  # for linux
+  # provisioner "local-exec" {
+  #   command    = "az aks update --enable-azuremonitormetrics -g ${azurerm_kubernetes_cluster.aks.resource_group_name} -n ${azurerm_kubernetes_cluster.aks.name} --azure-monitor-workspace-resource-id ${azapi_resource.prometheus.id}"
+  # }
+}
--- a/Grafana/Terraform/grafana.tf
+++ b/Grafana/Terraform/grafana.tf
@ -0,0 +1,47 @@
+resource "azurerm_dashboard_grafana" "grafana" {
+  name                              = var.grafana_name
+  resource_group_name               = azurerm_resource_group.rg_monitoring.name
+  location                          = azurerm_resource_group.rg_monitoring.location
+  api_key_enabled                   = true
+  deterministic_outbound_ip_enabled = true
+  public_network_access_enabled     = true
+  sku                               = "Standard"
+  zone_redundancy_enabled           = true
+
+  azure_monitor_workspace_integrations {
+    resource_id = azapi_resource.prometheus.id
+  }
+
+  identity {
+    type = "SystemAssigned" # The only possible values is SystemAssigned
+  }
+}
+
+data "azurerm_client_config" "current" {}
+
+# assign current user as Grafana Admin
+resource "azurerm_role_assignment" "role_grafana_admin" {
+  scope                = azurerm_dashboard_grafana.grafana.id
+  role_definition_name = "Grafana Admin"
+  principal_id         = data.azurerm_client_config.current.object_id
+}
+
+resource "azurerm_role_assignment" "role_monitoring_data_reader" {
+  scope                = azapi_resource.prometheus.id
+  role_definition_name = "Monitoring Data Reader"
+  principal_id         = azurerm_dashboard_grafana.grafana.identity.0.principal_id
+}
+
+data "azurerm_subscription" "current" {}
+
+# https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/grafana-plugin
+# (Optional) Grafana to monitor all Azure resources
+resource "azurerm_role_assignment" "role_monitoring_reader" {
+  scope                = data.azurerm_subscription.current.id
+  role_definition_name = "Monitoring Reader"
+  principal_id         = azurerm_dashboard_grafana.grafana.identity.0.principal_id
+}
+
+output "garafana_endpoint" {
+  value = azurerm_dashboard_grafana.grafana.endpoint
+}
--- a/Grafana/Terraform/log_analytics.tf
+++ b/Grafana/Terraform/log_analytics.tf
@ -0,0 +1,20 @@
+resource "azurerm_log_analytics_workspace" "workspace" {
+  name                = "log-analytics-workspace"
+  resource_group_name = azurerm_resource_group.rg_monitoring.name
+  location            = var.resources_location
+  sku                 = "PerGB2018" # PerGB2018, Free, PerNode, Premium, Standard, Standalone, Unlimited, CapacityReservation
+  retention_in_days   = 30          # possible values are either 7 (Free Tier only) or range between 30 and 730
+}
+
+resource "azurerm_log_analytics_solution" "solution" {
+  solution_name         = "ContainerInsights"
+  location              = azurerm_log_analytics_workspace.workspace.location
+  resource_group_name   = azurerm_log_analytics_workspace.workspace.resource_group_name
+  workspace_resource_id = azurerm_log_analytics_workspace.workspace.id
+  workspace_name        = azurerm_log_analytics_workspace.workspace.name
+
+  plan {
+    publisher = "Microsoft"
+    product   = "OMSGallery/ContainerInsights"
+  }
+}
--- a/Grafana/Terraform/prometheus.tf
+++ b/Grafana/Terraform/prometheus.tf
@ -0,0 +1,9 @@
+# https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/azure-monitor-workspace-overview?tabs=resource-manager#create-an-azure-monitor-workspace
+# https://registry.terraform.io/providers/azure/azapi/latest/docs/resources/azapi_resource
+
+resource "azapi_resource" "prometheus" {
+  type      = "microsoft.monitor/accounts@2021-06-03-preview"
+  name      = var.prometheus_name
+  parent_id = azurerm_resource_group.rg_monitoring.id
+  location  = azurerm_resource_group.rg_monitoring.location
+}
--- a/Grafana/Terraform/provider.tf
+++ b/Grafana/Terraform/provider.tf
@ -0,0 +1,34 @@
+terraform {
+
+  required_version = ">= 1.2.8"
+
+  required_providers {
+
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "= 3.50.0"
+    }
+
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "= 2.36.0"
+    }
+
+    azapi = {
+      source  = "Azure/azapi"
+      version = "1.4.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+# Configure the Azure Active Directory Provider
+provider "azuread" { # default takes current user/identity tenant
+}
+
+provider "azapi" {
+  # Configuration options
+}
--- a/Grafana/Terraform/resource_group.tf
+++ b/Grafana/Terraform/resource_group.tf
@ -0,0 +1,9 @@
+resource "azurerm_resource_group" "rg_aks_cluster" {
+  name     = var.rg_aks_cluster
+  location = var.resources_location
+}
+
+resource "azurerm_resource_group" "rg_monitoring" {
+  name     = var.rg_monitoring
+  location = var.resources_location
+}
--- a/Grafana/Terraform/variables.tf
+++ b/Grafana/Terraform/variables.tf
@ -0,0 +1,29 @@
+variable "resources_location" {
+  type    = string
+  default = "westeurope"
+}
+
+variable "rg_aks_cluster" {
+  type    = string
+  default = "rg-aks-cluster"
+}
+
+variable "rg_monitoring" {
+  type    = string
+  default = "rg-monitoring"
+}
+
+variable "aks_name" {
+  type    = string
+  default = "aks-cluster"
+}
+
+variable "grafana_name" {
+  type    = string
+  default = "azure-grafana-13579"
+}
+
+variable "prometheus_name" {
+  type    = string
+  default = "azure-prometheus"
+}