From c9d36908e2c9a5ab235745e5b5f047e9f63ed647 Mon Sep 17 00:00:00 2001
From: Robin Mordasiewicz <robin@mordasiewicz.com>
Date: Fri, 2 Aug 2024 09:51:25 -0400
Subject: [PATCH] adding init

---
 README.md                                     |  2 +
 .../flannel/HelmRepository.yaml               |  6 +--
 .../fortiweb-ingress/kustomization.yaml       |  2 +-
 terraform/cloud-init/fortiweb.conf            |  2 +-
 terraform/hub-network.tf                      |  9 ++--
 terraform/hub-nva.tf                          |  1 +
 terraform/spoke-k8s_cluster.tf                | 51 +++++++++++++++----
 terraform/spoke-network.tf                    | 32 +++++++-----
 terraform/terraform.auto.tfvars               | 13 +++--
 terraform/variables.tf                        |  8 +--
 10 files changed, 83 insertions(+), 43 deletions(-)

diff --git a/README.md b/README.md
index 5c4e665c..643c6036 100644
--- a/README.md
+++ b/README.md
@@ -29,3 +29,5 @@ gh repo edit \
 ```quote
 your infrastructure will mirror the understanding, competence and goals of the people building it, and contain their nuanced areas of understanding in more detail than areas outside their interest of confidence realms.
 ```
+
+https://azure.github.io/application-gateway-kubernetes-ingress/
diff --git a/manifests/infrastructure/flannel/HelmRepository.yaml b/manifests/infrastructure/flannel/HelmRepository.yaml
index ad06534a..9235b518 100644
--- a/manifests/infrastructure/flannel/HelmRepository.yaml
+++ b/manifests/infrastructure/flannel/HelmRepository.yaml
@@ -1,6 +1,6 @@
-  ---
-  apiVersion: source.toolkit.fluxcd.io/v1beta2
-  kind: HelmRepository
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
 metadata:
   name: flannel-repo
   namespace: cluster-config
diff --git a/manifests/infrastructure/fortiweb-ingress/kustomization.yaml b/manifests/infrastructure/fortiweb-ingress/kustomization.yaml
index fa0e343b..1b5b81f9 100644
--- a/manifests/infrastructure/fortiweb-ingress/kustomization.yaml
+++ b/manifests/infrastructure/fortiweb-ingress/kustomization.yaml
@@ -4,4 +4,4 @@ kind: Kustomization
 resources:
   - HelmRepository.yaml
   - HelmRelease.yaml
-  - namespace.yaml
+
diff --git a/terraform/cloud-init/fortiweb.conf b/terraform/cloud-init/fortiweb.conf
index 432836d3..4c5b949e 100644
--- a/terraform/cloud-init/fortiweb.conf
+++ b/terraform/cloud-init/fortiweb.conf
@@ -82,7 +82,7 @@ config global
     next
     edit "kubernetes_nodes"
       set type ip-netmask
-      set ip-netmask 10.1.1.0/24
+      set ip-netmask ${VAR-spoke-aks-network}
     next
   end
   config system firewall service
diff --git a/terraform/hub-network.tf b/terraform/hub-network.tf
index 6ab5a51f..43416043 100644
--- a/terraform/hub-network.tf
+++ b/terraform/hub-network.tf
@@ -107,8 +107,10 @@ resource "azurerm_network_security_group" "hub-internal_network_security_group"
     protocol                   = "Icmp"
     source_port_range          = "*"
     destination_port_range     = "*"
-    source_address_prefix      = var.spoke-linux-server-ip
-    destination_address_prefix = var.spoke-check-internet-up-ip
+    #source_address_prefix      = var.spoke-linux-server-ip
+    source_address_prefix      = "*"
+    #destination_address_prefix = var.spoke-check-internet-up-ip
+    destination_address_prefix = "*"
   }
   security_rule {
     name                       = "outbound-http_rule"
@@ -119,7 +121,8 @@ resource "azurerm_network_security_group" "hub-internal_network_security_group"
     source_port_range          = "*"
     destination_port_ranges    = ["80", "81"]
     source_address_prefix      = "*"
-    destination_address_prefix = var.spoke-linux-server-ip
+    #destination_address_prefix = var.spoke-linux-server-ip
+    destination_address_prefix = "*"
   }
 }
 
diff --git a/terraform/hub-nva.tf b/terraform/hub-nva.tf
index 9fb9447d..92931c09 100644
--- a/terraform/hub-nva.tf
+++ b/terraform/hub-nva.tf
@@ -88,6 +88,7 @@ resource "azurerm_linux_virtual_machine" "hub-nva_virtual_machine" {
         VAR-fwb_license_fortiflex                = ""
         VAR-spoke-linux-server-ollama-port       = var.spoke-linux-server-ollama-port
         VAR-spoke-linux-server-ollama-webui-port = var.spoke-linux-server-ollama-webui-port
+        VAR-spoke-aks-network                    = var.spoke-aks-subnet_prefix
       }
     )
   )
diff --git a/terraform/spoke-k8s_cluster.tf b/terraform/spoke-k8s_cluster.tf
index 37e720a1..c7c62087 100644
--- a/terraform/spoke-k8s_cluster.tf
+++ b/terraform/spoke-k8s_cluster.tf
@@ -43,11 +43,11 @@ resource "azurerm_kubernetes_cluster" "kubernetes_cluster" {
   oidc_issuer_enabled               = true
   workload_identity_enabled         = true
 
-  api_server_access_profile {
-    authorized_ip_ranges = [
-      "${chomp(data.http.myip.response_body)}/32"
-    ]
-  }
+  #api_server_access_profile {
+  #  authorized_ip_ranges = [
+  #    "${chomp(data.http.myip.response_body)}/32"
+  #  ]
+  #}
   oms_agent {
     log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics.id
   }
@@ -59,17 +59,19 @@ resource "azurerm_kubernetes_cluster" "kubernetes_cluster" {
     os_sku                      = "AzureLinux"
     max_pods                    = "50"
     vnet_subnet_id              = azurerm_subnet.spoke_subnet.id
-    #vnet_subnet_id              = azurerm_subnet.spoke_subnet.id
     upgrade_settings {
       max_surge = "10%"
     }
   }
   network_profile {
-    network_plugin    = "none"
+    #network_plugin    = "azure"
+    network_plugin = "kubenet"
+    #outbound_type     = "loadBalancer" 
     #network_policy    = "azure"
-    #load_balancer_sku = "standard"
-    #service_cidr      = var.spoke-k8s_service_cidr
-    #dns_service_ip    = var.spoke-ks8_dns_service_ip
+    load_balancer_sku = "standard"
+    #service_cidr      = var.spoke-aks-subnet_prefix
+    #dns_service_ip    = var.spoke-aks_dns_service_ip
+    #pod_cidr          = "10.244.0.0/16"
   }
 
   identity {
@@ -93,7 +95,6 @@ resource "azurerm_kubernetes_cluster_node_pool" "node-pool" {
   os_disk_size_gb       = "256"
   max_pods              = "50"
   zones                 = ["1"]
-  #vnet_subnet_id        = azurerm_subnet.spoke_subnet.id
 }
 
 resource "azurerm_kubernetes_cluster_extension" "flux_extension" {
@@ -130,6 +131,14 @@ resource "null_resource" "secret" {
     interpreter = ["bash", "-c"]
     command = <<-EOF
       kubectl apply -f - <<EOF2
+      ---
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: fortiweb-ingress
+        labels:
+          name: fortiweb-ingress
+      ---
       apiVersion: v1
       kind: Secret
       metadata:
@@ -189,3 +198,23 @@ output "kube_config" {
   value       = azurerm_kubernetes_cluster.kubernetes_cluster.kube_config_raw
   sensitive   = true
 }
+
+#resource "azurerm_public_ip" "nat_gateway_public_ip" {
+#  name                = "nat_gateway_public_ip"
+#  location            = azurerm_resource_group.azure_resource_group.location
+#  resource_group_name = azurerm_resource_group.azure_resource_group.name
+#  allocation_method   = "Static"
+#  sku                 = "Standard"
+#}
+
+#resource "azurerm_nat_gateway" "nat_gateway" {
+#  name                = "nat_gateway"
+#  location            = azurerm_resource_group.azure_resource_group.location
+#  resource_group_name = azurerm_resource_group.azure_resource_group.name
+#  sku_name = "Standard"
+#}
+
+#resource "azurerm_subnet_nat_gateway_association" "nat_gateway_association" {
+#  subnet_id     = azurerm_subnet.spoke_subnet.id
+#  nat_gateway_id = azurerm_nat_gateway.nat_gateway.id
+#}
diff --git a/terraform/spoke-network.tf b/terraform/spoke-network.tf
index cb00d860..bd9b76be 100644
--- a/terraform/spoke-network.tf
+++ b/terraform/spoke-network.tf
@@ -22,12 +22,12 @@ resource "azurerm_subnet" "spoke_subnet" {
   virtual_network_name = azurerm_virtual_network.spoke_virtual_network.name
 }
 
-#resource "azurerm_subnet" "spoke_aks_subnet" {
-#  address_prefixes     = [var.spoke-aks-subnet_prefix]
-#  name                 = var.spoke-aks-subnet_name
-#  resource_group_name  = azurerm_resource_group.azure_resource_group.name
-#  virtual_network_name = azurerm_virtual_network.spoke_virtual_network.name
-#}
+resource "azurerm_subnet" "spoke_aks_subnet" {
+  address_prefixes     = [var.spoke-aks-subnet_prefix]
+  name                 = var.spoke-aks-subnet_name
+  resource_group_name  = azurerm_resource_group.azure_resource_group.name
+  virtual_network_name = azurerm_virtual_network.spoke_virtual_network.name
+}
 
 resource "azurerm_route_table" "spoke_route_table" {
   name                = "spoke_route_table"
@@ -42,9 +42,8 @@ resource "azurerm_route_table" "spoke_route_table" {
 }
 
 resource "azurerm_subnet_route_table_association" "spoke-route-table_association" {
-  subnet_id      = azurerm_subnet.spoke_subnet.id
+  subnet_id      = azurerm_subnet.spoke_aks_subnet.id
   route_table_id = azurerm_route_table.spoke_route_table.id
-  depends_on     = [azurerm_subnet.spoke_subnet]
 }
 
 resource "azurerm_network_security_group" "spoke_network_security_group" {
@@ -58,9 +57,11 @@ resource "azurerm_network_security_group" "spoke_network_security_group" {
     access                     = "Allow"
     protocol                   = "Tcp"
     source_port_range          = "*"
-    destination_port_ranges    = var.spoke-linux-server-image-gpu == true ? ["80", "81", "8080", "11434"] : ["80", "81"] #checkov:skip=CKV_AZURE_160: Allow HTTP redirects
+    #destination_port_ranges    = var.spoke-linux-server-image-gpu == true ? ["80", "81", "8080", "11434"] : ["80", "81"] #checkov:skip=CKV_AZURE_160: Allow HTTP redirects
     source_address_prefix      = "*"
-    destination_address_prefix = var.spoke-linux-server-ip
+    #destination_address_prefix = var.spoke-linux-server-ip
+    destination_port_range = "*"
+    destination_address_prefix = "*"
   }
   security_rule {
     name                       = "linux-server_to_internet_rule"
@@ -70,7 +71,9 @@ resource "azurerm_network_security_group" "spoke_network_security_group" {
     protocol                   = "Tcp"
     source_port_range          = "*"
     destination_port_ranges    = ["80", "443"]
-    source_address_prefix      = var.spoke-linux-server-ip
+    #source_address_prefix      = var.spoke-linux-server-ip
+    #source_address_prefix = var.spoke-subnet_prefix
+    source_address_prefix = "*"
     destination_address_prefix = "*" #tfsec:ignore:AVD-AZU-0051
   }
   security_rule { #tfsec:ignore:AVD-AZU-0051
@@ -81,8 +84,11 @@ resource "azurerm_network_security_group" "spoke_network_security_group" {
     protocol                   = "Icmp"
     source_port_range          = "*"
     destination_port_range     = "*"
-    source_address_prefix      = var.spoke-linux-server-ip
-    destination_address_prefix = "8.8.8.8"
+    #source_address_prefix      = var.spoke-linux-server-ip
+    #source_address_prefix = var.spoke-subnet_prefix
+    source_address_prefix = "*"
+    #destination_address_prefix = "8.8.8.8"
+    destination_address_prefix = "*"
   }
 }
 
diff --git a/terraform/terraform.auto.tfvars b/terraform/terraform.auto.tfvars
index cc5d1f51..ec879d8c 100644
--- a/terraform/terraform.auto.tfvars
+++ b/terraform/terraform.auto.tfvars
@@ -11,14 +11,13 @@ hub-nva-management-action            = "Allow"
 hub-nva-management-ip                = "10.0.0.4"
 hub-nva-vip                          = "10.0.0.5"
 hub-nva-gateway                      = "10.0.0.37"
-spoke-virtual-network_address_prefix = "10.1.0.0/24"
+spoke-virtual-network_address_prefix = "10.1.0.0/16"
 spoke-subnet_name                    = "spoke_subnet"
-spoke-subnet_prefix                  = "10.1.0.0/24"
-spoke-aks-subnet_name                = "spoke-aks-subnet_name"
-spoke-aks-subnet_prefix              = "10.1.0.0/24"
-spoke-k8s_service_cidr               = "10.2.0.0/16"
-spoke-ks8_dns_service_ip             = "10.2.0.10"
+spoke-subnet_prefix                  = "10.1.1.0/24"
+spoke-aks-subnet_name                = "spoke_aks_subnet"
+spoke-aks-subnet_prefix              = "10.1.2.0/24"
+spoke-aks_dns_service_ip             = "10.1.2.10"
 spoke-check-internet-up-ip           = "8.8.8.8"
-spoke-linux-server-ip                = "10.1.0.5"
+spoke-linux-server-ip                = "10.1.1.5"
 spoke-linux-server-image-gpu         = false
 spoke-k8s-node-pool-gpu              = false
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 37f56bb4..91e6b779 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -289,22 +289,22 @@ variable "spoke-aks-subnet_prefix" {
   }
 }
 
-variable "spoke-k8s_service_cidr" {
+variable "spoke-aks_service_cidr" {
   default     = "10.1.2.0/24"
   description = "Spoke k8s service cidr."
   type        = string
   validation {
-    condition     = can(regex("^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$", var.spoke-k8s_service_cidr))
+    condition     = can(regex("^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$", var.spoke-aks_service_cidr))
     error_message = "The subnet must be in the format of 'xxx.xxx.xxx.xxx/xx', where xxx is between 0 and 255, and xx is between 0 and 32."
   } 
 }
 
-variable "spoke-ks8_dns_service_ip" {
+variable "spoke-aks_dns_service_ip" {
   default     = "10.2.0.10"
   description = "Spoke k8s dns service ip"
   type        = string
   validation {
-    condition     = can(regex("^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$", var.spoke-ks8_dns_service_ip))
+    condition     = can(regex("^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$", var.spoke-aks_dns_service_ip))
     error_message = "The IP address must be a valid IPv4 format (e.g., 10.2.0.10)."
   }
 }