Eric van Wijk geekzter

## scale-set-agent-aks-peering.tf
data azurerm_virtual_network peered_network {
  name                         = element(split("/",var.peer_network_id),length(split("/",var.peer_network_id))-1)
  resource_group_name          = element(split("/",var.peer_network_id),length(split("/",var.peer_network_id))-5)

  count                        = var.peer_network_id == "" ? 0 : 1
}

resource azurerm_virtual_network_peering peer_to_network {
  name                         = "${azurerm_virtual_network.network.name}-from-peer"
  resource_group_name          = data.azurerm_virtual_network.peered_network.0.resource_group_name

## scale-set-agent-terraform-input-vars.yaml
- pwsh: |
    # 1. Use pipeline agent VNet as network to peer from
    $env:TF_VAR_peer_network_id ??= $env:GEEKZTER_AGENT_VIRTUAL_NETWORK_ID

    # 2. Set random CIDR (to reduce the risk of clashing VNet peerings with agent VNet)
    $env:TF_VAR_address_space ??= "$([IPAddress]::Parse(`
        [String] (`
          167772160 + (`
            65536*(`
              Get-Random -Minimum 0 -Maximum 255 -SetSeed $(Build.BuildId)`

## scale-set-agent-aks-app-deployment.yaml
    - task: TerraformCLI@0
      displayName: 'Terraform output'
      inputs:
        command: 'output'
        workingDirectory: '$(terraformDirectory)'
        environmentServiceName: '$(subscriptionConnection)'
        runAzLogin: true
        allowTelemetryCollection: true

    - task: KubectlInstaller@0

## scale-set-cloudinit-race-condition-fix.tf
resource azurerm_virtual_machine_scale_set_extension cloud_config_status {
  name                         = "CloudConfigStatusScript"
  virtual_machine_scale_set_id = azurerm_linux_virtual_machine_scale_set.linux_agents.id
  publisher                    = "Microsoft.Azure.Extensions"
  type                         = "CustomScript"
  type_handler_version         = "2.0"
  settings                     = jsonencode({
    "commandToExecute"         = "/usr/bin/cloud-init status --long --wait ; systemctl status cloud-final.service --full --no-pager --wait"
  })
}

## generate-random-cidr.ps1
# Set random CIDR (to reduce the risk of clashing VNet peerings with agent VNet)
$env:TF_VAR_address_space ??= "$([IPAddress]::Parse([String] (167772160 + (65536*(Get-Random -Minimum 0 -Maximum 255 -SetSeed $(Build.BuildId))))) | Select-Object -ExpandProperty IPAddressToString)/16"

## pipeline-agent-cloud-config.tf
data cloudinit_config user_data {
  gzip                         = false
  base64_encode                = false

  part {
    content                    = templatefile("${path.root}/../cloudinit/cloud-config-userdata.yaml",
    {
      # Propagate virtual network information, so cloudinit can set up environment variables
      subnet_id                = azurerm_subnet.agent_subnet.id
      virtual_network_id       = azurerm_virtual_network.pipeline_network.id

## pipeline-agent-cloud-config.yaml
#cloud-config
bootcmd:
  - sudo apt remove unattended-upgrades -y
  # Prevent race condition with VM extension provisioning
  - while ( fuser /var/lib/dpkg/lock >/dev/null 2>&1 ); do sleep 5; done;
  - while ( fuser /var/lib/apt/lists/lock >/dev/null 2>&1 ); do sleep 5; done;
  # Get apt repository signing keys
  - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key C99B11DEB97541F0    # GitHub
  - sudo apt-add-repository https://cli.github.com/packages
  - curl https://baltocdn.com/helm/signing.asc | sudo apt-key add -                  # Helm

## acr-private-endpoint.tf
resource azurerm_private_dns_zone acr {
  name                         = "privatelink.azurecr.io"
  resource_group_name          = var.resource_group_name
}
resource azurerm_private_dns_zone_virtual_network_link acr {
  name                         = "${var.resource_group_name}-registry-dns-link"
  resource_group_name          = var.resource_group_name
  private_dns_zone_name        = azurerm_private_dns_zone.acr.name
  virtual_network_id           = var.virtual_network_id
}

## denied-outbound-http-traffic.csl
AzureDiagnostics
| where Category == "AzureFirewallApplicationRule"
| where msg_s contains("Deny")
| project TimeGenerated, msg_s
| order by TimeGenerated desc

## isolated-aks.tf
resource azurerm_kubernetes_cluster aks {
  # ...

  addon_profile {
    # ...
    # 3. Ingress via Application Gateway
    ingress_application_gateway {
      enabled                  = true
      subnet_id                = var.application_gateway_subnet_id
    }
	data azurerm_virtual_network peered_network {
	name = element(split("/",var.peer_network_id),length(split("/",var.peer_network_id))-1)
	resource_group_name = element(split("/",var.peer_network_id),length(split("/",var.peer_network_id))-5)

	count = var.peer_network_id == "" ? 0 : 1
	}

	resource azurerm_virtual_network_peering peer_to_network {
	name = "${azurerm_virtual_network.network.name}-from-peer"
	resource_group_name = data.azurerm_virtual_network.peered_network.0.resource_group_name
	- pwsh: \|
	# 1. Use pipeline agent VNet as network to peer from
	$env:TF_VAR_peer_network_id ??= $env:GEEKZTER_AGENT_VIRTUAL_NETWORK_ID

	# 2. Set random CIDR (to reduce the risk of clashing VNet peerings with agent VNet)
	$env:TF_VAR_address_space ??= "$([IPAddress]::Parse(`
	[String] (`
	167772160 + (`
	65536*(`
	Get-Random -Minimum 0 -Maximum 255 -SetSeed $(Build.BuildId)`
	- task: TerraformCLI@0
	displayName: 'Terraform output'
	inputs:
	command: 'output'
	workingDirectory: '$(terraformDirectory)'
	environmentServiceName: '$(subscriptionConnection)'
	runAzLogin: true
	allowTelemetryCollection: true

	- task: KubectlInstaller@0
	resource azurerm_virtual_machine_scale_set_extension cloud_config_status {
	name = "CloudConfigStatusScript"
	virtual_machine_scale_set_id = azurerm_linux_virtual_machine_scale_set.linux_agents.id
	publisher = "Microsoft.Azure.Extensions"
	type = "CustomScript"
	type_handler_version = "2.0"
	settings = jsonencode({
	"commandToExecute" = "/usr/bin/cloud-init status --long --wait ; systemctl status cloud-final.service --full --no-pager --wait"
	})
	}
	# Set random CIDR (to reduce the risk of clashing VNet peerings with agent VNet)
	$env:TF_VAR_address_space ??= "$([IPAddress]::Parse([String] (167772160 + (65536*(Get-Random -Minimum 0 -Maximum 255 -SetSeed $(Build.BuildId))))) \| Select-Object -ExpandProperty IPAddressToString)/16"
	data cloudinit_config user_data {
	gzip = false
	base64_encode = false

	part {
	content = templatefile("${path.root}/../cloudinit/cloud-config-userdata.yaml",
	{
	# Propagate virtual network information, so cloudinit can set up environment variables
	subnet_id = azurerm_subnet.agent_subnet.id
	virtual_network_id = azurerm_virtual_network.pipeline_network.id
	#cloud-config
	bootcmd:
	- sudo apt remove unattended-upgrades -y
	# Prevent race condition with VM extension provisioning
	- while ( fuser /var/lib/dpkg/lock >/dev/null 2>&1 ); do sleep 5; done;
	- while ( fuser /var/lib/apt/lists/lock >/dev/null 2>&1 ); do sleep 5; done;
	# Get apt repository signing keys
	- sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key C99B11DEB97541F0 # GitHub
	- sudo apt-add-repository https://cli.github.com/packages
	- curl https://baltocdn.com/helm/signing.asc \| sudo apt-key add - # Helm
	resource azurerm_private_dns_zone acr {
	name = "privatelink.azurecr.io"
	resource_group_name = var.resource_group_name
	}
	resource azurerm_private_dns_zone_virtual_network_link acr {
	name = "${var.resource_group_name}-registry-dns-link"
	resource_group_name = var.resource_group_name
	private_dns_zone_name = azurerm_private_dns_zone.acr.name
	virtual_network_id = var.virtual_network_id
	}
	AzureDiagnostics
	\| where Category == "AzureFirewallApplicationRule"
	\| where msg_s contains("Deny")
	\| project TimeGenerated, msg_s
	\| order by TimeGenerated desc
	resource azurerm_kubernetes_cluster aks {
	# ...

	addon_profile {
	# ...
	# 3. Ingress via Application Gateway
	ingress_application_gateway {
	enabled = true
	subnet_id = var.application_gateway_subnet_id
	}