Merge pull request #11 from cmendible/master

Adding security features
cloudcommons · Apr 4, 2020 · d758cbe · d758cbe
2 parents 31d104d + f8978b0
commit d758cbe
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 11 deletions.
diff --git a/aks.tf b/aks.tf
@@ -7,12 +7,14 @@ locals {
 }
 
 resource "azurerm_kubernetes_cluster" "cloudcommons" {
-  name                = var.name
-  location            = var.location
-  resource_group_name = var.resource_group
-  dns_prefix          = var.dns_prefix
-  kubernetes_version  = var.kubernetes_version
-  node_resource_group = local.node_resource_group
+  name                            = var.name
+  location                        = var.location
+  resource_group_name             = var.resource_group
+  dns_prefix                      = var.dns_prefix
+  kubernetes_version              = var.kubernetes_version
+  node_resource_group             = local.node_resource_group
+  api_server_authorized_ip_ranges = var.api_server_authorized_ip_ranges
+  enable_pod_security_policy      = var.enable_pod_security_policy
 
   default_node_pool {
     name                  = var.node_pool_name
@@ -48,10 +50,10 @@ resource "azurerm_kubernetes_cluster" "cloudcommons" {
     dynamic "azure_active_directory" {
       for_each = var.rbac_aad == true ? [1] : []
       content {
-        client_app_id = var.rbac_aad_client_app_id
-        server_app_id = var.rbac_aad_server_app_id
+        client_app_id     = var.rbac_aad_client_app_id
+        server_app_id     = var.rbac_aad_server_app_id
         server_app_secret = var.rbac_aad_server_app_secret
-        tenant_id = var.rbac_aad_tenant_id
+        tenant_id         = var.rbac_aad_tenant_id
       }
     }
   }
@@ -62,11 +64,14 @@ resource "azurerm_kubernetes_cluster" "cloudcommons" {
   }
 
   addon_profile {
+    http_application_routing {
+      enabled = var.http_application_routing_enabled
+    }
     kube_dashboard {
       enabled = var.kube_dashboard_enabled
     }
     oms_agent {
-      enabled = local.oms_enabled
+      enabled                    = local.oms_enabled
       log_analytics_workspace_id = var.oms_log_analytics_workspace_id
     }
   }

diff --git a/variables.tf b/variables.tf
@@ -2,6 +2,7 @@ variable name {
   type        = string
   description = "(Required) The name of the Azure Kubernetes Service. Changing this forces a new resource to be created."
 }
+
 variable location {
   type        = string
   description = "(Required) The location where the resource group should be created. For a list of all Azure locations, please consult this link or run az account list-locations --output table."
@@ -260,6 +261,25 @@ variable vnet_subnets {
 
 variable oms_log_analytics_workspace_id {
   type        = string
-  description = "(Optional) The Log Analytics Workspace id when the OMS should store logs."
+  description = "(Optional) The Log Analytics Workspace id where the OMS should store logs."
   default     = null
 }
+
+variable api_server_authorized_ip_ranges {
+  type        = list(string)
+  description = "(Optional) The IP ranges to whitelist for incoming traffic to the masters."
+  default     = []
+}
+
+variable http_application_routing_enabled {
+  type        = bool
+  description = "(Optional) Enables http application routing"
+  default     = false
+}
+
+# Feature is in preview so deafautl is disabled.
+variable enable_pod_security_policy {
+  type        = bool
+  description = "(Optional) Enables http application routing"
+  default     = false
+}