Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/opszero/terraform-azurerm-kubespot
Last synced: 6 days ago
- Host: GitHub
- URL: https://github.com/opszero/terraform-azurerm-kubespot
- Owner: opszero
- License: other
- Created: 2022-04-15T23:03:38.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-09-16T21:20:59.000Z (about 2 months ago)
- Last Synced: 2024-09-17T02:40:09.264Z (about 2 months ago)
- Language: HCL
- Homepage: https://opszero.com
- Size: 92.8 KB
- Stars: 0
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Support: SUPPORT
README
# Kubespot (Azure)
Compliance Oriented Kubernetes Setup for AWS, Google Cloud and Microsoft Azure.

Kubespot is an open source Terraform module that creates a complete,
compliance-oriented Kubernetes setup on AWS, Google Cloud and Azure. On top of
the managed Kubernetes service of each cloud it adds further controls such as
additional system logging, file system monitoring, disk encryption and access
control. It also provisions the managed Redis and SQL services of each cloud
provider with network access limited to the Kubernetes cluster, so the data
stores are locked down as well. The goal is to make a HIPAA, PCI or SOC 2
oriented setup straightforward and repeatable.

This document covers how we set up your infrastructure on AWS, Google Cloud and
Azure, the three cloud providers we currently support for running Kubernetes,
using the managed Kubernetes service of each. It describes how the
infrastructure is laid out within each cloud, how we create an isolated
environment for compliance, and what the three setups have in common.

# Tools & Setup
```sh
# The Azure CLI replaces the google-cloud-sdk listed in the other Kubespot
# variants; you need it to sign in and to fetch the cluster kubeconfig
# (az aks get-credentials). The Homebrew formula for Helm is now "helm".
brew install kubectl helm azure-cli terraform
```

# Keys
How to get the key for cluster creation (client ID and client secret):
1. Sign in to the Azure portal.
2. Navigate to Azure Active Directory (now called Microsoft Entra ID).
3. Select "App registrations".
4. If an application registration already exists, use it; otherwise create a new one as follows.
5. Click the "New registration" button.
6. Select the appropriate supported account type (e.g., "Accounts in this organizational directory only").
7. Click the "Register" button to create the application.
8. After the application is created, under "Certificates & secrets", click the "New client secret" button to create a new client secret. Copy the secret value immediately; the portal shows it only once, and a secret without an expiry is a standing credential, so give it one and plan to rotate it.
9. Pass the application (client) ID and the client secret to the opsZero module as `client_id` and `client_secret` when creating the cluster. Treat the secret like any other credential: supply it through an environment variable or a secrets store rather than committing it to source control. Note also that an app registration by itself carries no Azure RBAC role; the cluster's service principal needs whatever role assignment the cluster requires on the Azure resources it manages.

# Deployment
```sh
terraform init
terraform plan
terraform apply -auto-approve
```
`-auto-approve` skips the interactive confirmation, so review the output of `terraform plan` before running it.

# Teardown
```sh
terraform destroy -auto-approve
```
This also destroys the managed PostgreSQL/MariaDB and Redis instances the module created, together with their data.
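A root module that consumes the inputs listed below, as an added example (not code from the opsZero project). It replaces the portal steps in "Keys" with the `azuread` provider, which the module already depends on, and feeds the resulting client ID and secret into the module. It assumes azuread provider 2.47 or newer (the `client_id` / `application_id` attribute names), a module ref you have reviewed, and the placeholder values marked in comments (`prod`, `kubespot_admin`, `admin_user_object_ids`), none of which come from the README:

```hcl
# Added example root module (not part of the opsZero project). It creates the
# app registration and secret in Terraform instead of the portal, then wires
# them into the Kubespot module. Assumptions: azuread provider >= 2.47, a
# reviewed module ref, and the placeholder values marked below.

terraform {
  required_version = ">= 1.3"
  required_providers {
    # Pin versions and commit .terraform.lock.hcl so a provider upgrade is a reviewed change.
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread", version = ">= 2.47" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

variable "environment_name" {
  type    = string
  default = "prod" # placeholder
}

variable "sql_master_password" {
  type      = string
  sensitive = true # redacted from CLI output; still written to state, so protect the backend
  validation {
    condition     = length(var.sql_master_password) >= 16
    error_message = "sql_master_password must be at least 16 characters."
  }
}

variable "admin_user_object_ids" {
  description = "Object IDs of the users to place in the module's cluster admin group (placeholder)"
  type        = list(string)
  default     = []
}

# App registration + service principal: the Terraform equivalent of the portal
# steps in "Keys". Single-tenant, matching the account type chosen in step 6.
resource "azuread_application" "aks" {
  display_name     = "kubespot-${var.environment_name}"
  sign_in_audience = "AzureADMyOrg"
}

resource "azuread_service_principal" "aks" {
  client_id = azuread_application.aks.client_id
}

# Client secret with a fixed lifetime instead of a never-expiring one.
resource "azuread_application_password" "aks" {
  application_id    = azuread_application.aks.id
  display_name      = "kubespot-${var.environment_name}"
  end_date_relative = "2160h" # 90 days
}

module "kubespot" {
  # Pin to a tag or commit SHA you have reviewed; "main" is a placeholder.
  source = "git::https://github.com/opszero/terraform-azurerm-kubespot.git?ref=main"

  environment_name = var.environment_name
  region           = "Central US"

  # The secret never appears in a .tfvars file; it flows from the azuread resource.
  client_id     = azuread_application.aks.client_id
  client_secret = azuread_application_password.aks.value

  # Cluster admin access is granted through the Azure AD group the module creates.
  ad_user_ids = var.admin_user_object_ids

  # PostgreSQL reachable only from the cluster subnet via the module's virtual network rule.
  postgres_sql_enabled = true
  postgres_sql_version = "11"
  sql_master_username  = "kubespot_admin" # placeholder
  sql_master_password  = var.sql_master_password
  sql_sku_name         = "GP_Gen5_2"
  sql_storage_in_mb    = 10240

  # Standard-tier Redis; redis_shard_count is only honoured with the Premium SKU.
  redis_enabled     = true
  redis_sku_name    = "Standard"
  redis_family      = "C"
  redis_capacity    = 1
  redis_shard_count = 0

  registry_enabled = true
}

# The module's only output; useful for placing other private endpoints next to the cluster.
output "cluster_subnet_id" {
  value = module.kubespot.subnet_id
}
```

Supply the database password with `export TF_VAR_sql_master_password=...` before `terraform plan`; the client secret is generated by the `azuread_application_password` resource and is marked sensitive by the provider, so neither value is printed, but both end up in the state file, which is why the backend needs the same access controls as a secrets store. When the secret reaches its 90-day expiry, `terraform apply -replace=azuread_application_password.aks` issues a new one and passes it through to the module. The app registration alone carries no Azure RBAC role; the README does not document which role the cluster's service principal needs on the resources the module creates, so check the module source and grant the narrowest scope that satisfies it.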
## Providers
| Name | Version |
|------|---------|
| [azuread](#provider\_azuread) | n/a |
| [azurerm](#provider\_azurerm) | n/a |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [ad\_group\_ids](#input\_ad\_group\_ids) | Azure Active Directory groups that have access to this cluster | `list` | `[]` | no |
| [ad\_user\_ids](#input\_ad\_user\_ids) | Azure Active Directory users added to the Kubernetes admin group that the module creates and attaches to the cluster | `list` | `[]` | no |
| [cidr](#input\_cidr) | The address space used by the virtual network | `string` | `"10.0.0.0"` | no |
| [client\_id](#input\_client\_id) | The Client ID which should be used when authenticating as a service principal | `string` | n/a | yes |
| [client\_secret](#input\_client\_secret) | The application password to be used when authenticating using a client secret | `string` | n/a | yes |
| [environment\_name](#input\_environment\_name) | Name of the environment to create resources in | `string` | n/a | yes |
| [mariadb\_sql\_enabled](#input\_mariadb\_sql\_enabled) | Specify whether MariaDB is enabled | `bool` | `false` | no |
| [mariadb\_sql\_version](#input\_mariadb\_sql\_version) | Specify the version of MariaDB to use. Possible values are 10.2 and 10.3 | `string` | `"10.2"` | no |
| [nodes\_desired\_capacity](#input\_nodes\_desired\_capacity) | The number of nodes that should be running in the cluster's node pool | `number` | `1` | no |
| [postgres\_sql\_enabled](#input\_postgres\_sql\_enabled) | Specify whether PostgreSQL is enabled | `bool` | `false` | no |
| [postgres\_sql\_version](#input\_postgres\_sql\_version) | Specify the version of PostgreSQL to use. Valid values are 9.5, 9.6, 10, 10.0, and 11 | `string` | `"11"` | no |
| [redis\_capacity](#input\_redis\_capacity) | The size of the Redis cache to deploy | `number` | `1` | no |
| [redis\_enabled](#input\_redis\_enabled) | Specify whether the Redis cluster is enabled | `bool` | `false` | no |
| [redis\_family](#input\_redis\_family) | The SKU family/pricing group to use. Valid values are C (for Basic/Standard SKU family) and P (for Premium) | `string` | `"C"` | no |
| [redis\_shard\_count](#input\_redis\_shard\_count) | The number of shards to create on the Redis cluster. Only available when using the Premium SKU | `number` | `0` | no |
| [redis\_sku\_name](#input\_redis\_sku\_name) | The SKU of Redis to use. Possible values are Basic, Standard and Premium | `string` | `"Standard"` | no |
| [region](#input\_region) | The Azure Region where the Resource Group should exist | `string` | `"Central US"` | no |
| [registry\_enabled](#input\_registry\_enabled) | Specify whether the container registry is enabled | `bool` | `false` | no |
| [sql\_master\_password](#input\_sql\_master\_password) | The password associated with the administrator\_login for the PostgreSQL/MariaDB server | `string` | `""` | no |
| [sql\_master\_username](#input\_sql\_master\_username) | The administrator login for the PostgreSQL/MariaDB server | `string` | `""` | no |
| [sql\_sku\_name](#input\_sql\_sku\_name) | Specify the SKU name for the PostgreSQL/MariaDB server | `string` | `"GP_Gen5_2"` | no |
| [sql\_storage\_in\_mb](#input\_sql\_storage\_in\_mb) | Max storage allowed for the PostgreSQL/MariaDB server | `number` | `10240` | no |
## Resources
| Name | Type |
|------|------|
| [azuread_group.cluster](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
| [azurerm_container_registry.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry) | resource |
| [azurerm_kubernetes_cluster.cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) | resource |
| [azurerm_mariadb_database.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mariadb_database) | resource |
| [azurerm_mariadb_server.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mariadb_server) | resource |
| [azurerm_mariadb_virtual_network_rule.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mariadb_virtual_network_rule) | resource |
| [azurerm_postgresql_database.qa](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_database) | resource |
| [azurerm_postgresql_server.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server) | resource |
| [azurerm_postgresql_virtual_network_rule.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_virtual_network_rule) | resource |
| [azurerm_redis_cache.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_cache) | resource |
| [azurerm_resource_group.cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azurerm_route_table.cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table) | resource |
| [azurerm_subnet.cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
| [azurerm_subnet_route_table_association.cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) | resource |
| [azurerm_virtual_network.cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) | resource |
## Outputs
| Name | Description |
|------|-------------|
| [subnet\_id](#output\_subnet\_id) | n/a |
# 🚀 Built by opsZero!
Since 2016 [opsZero](https://opszero.com) has been providing Kubernetes
expertise to companies of all sizes on any cloud. With a focus on AI and
compliance, we have seen it all: whether SOC2, HIPAA, PCI-DSS, ITAR, FedRAMP or
CMMC, we have you and your customers covered.

We provide support to organizations in the following ways:
- [Modernize or Migrate to Kubernetes](https://opszero.com/solutions/modernization/)
- [Cloud Infrastructure with Kubernetes on AWS, Azure, Google Cloud, or Bare Metal](https://opszero.com/solutions/cloud-infrastructure/)
- [Building AI and Data Pipelines on Kubernetes](https://opszero.com/solutions/ai/)
- [Optimizing Existing Kubernetes Workloads](https://opszero.com/solutions/optimized-workloads/)

We do this with a high-touch support model where you:
- Get access to us on Slack, Microsoft Teams or Email
- Get 24/7 coverage of your infrastructure
- Get an accelerated migration to Kubernetes

Please [schedule a call](https://calendly.com/opszero-llc/discovery) if you need support.