diff --git a/cluster/terraform_aks_cluster/caching.tf b/cluster/terraform_aks_cluster/caching.tf
new file mode 100644
index 00000000..eeb3e634
--- /dev/null
+++ b/cluster/terraform_aks_cluster/caching.tf
@@ -0,0 +1,81 @@
+data "azurerm_client_config" "current" {}
+
+data "azurerm_key_vault" "key_vault" {
+ name = var.cluster_kv
+ resource_group_name = var.resource_group_name
+}
+
+data "azurerm_key_vault_secret" "dockerhub_username" {
+ name = "dockerhub-username"
+ key_vault_id = data.azurerm_key_vault.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "dockerhub_pat" {
+ name = "dockerhub-pat"
+ key_vault_id = data.azurerm_key_vault.key_vault.id
+}
+
+
+resource "azurerm_container_registry" "acr" {
+ name = "AcrCache${var.environment}Dockerhub"
+ resource_group_name = data.azurerm_resource_group.cluster.name
+ location = data.azurerm_resource_group.cluster.location
+ sku = "Standard"
+
+ admin_enabled = false
+}
+
+resource "azapi_resource" "dockerhub_credential_set" {
+ count = var.environment == "development" ? 1 : 0
+
+ type = "Microsoft.ContainerRegistry/registries/credentialSets@2025-11-01"
+ name = "dockerhub-creds"
+ parent_id = azurerm_container_registry.acr.id
+
+ identity {
+ type = "SystemAssigned"
+ }
+
+ body = {
+ properties = {
+ loginServer = "docker.io"
+
+ authCredentials = [
+ {
+ name = "Credential1"
+ usernameSecretIdentifier = data.azurerm_key_vault_secret.dockerhub_username.versionless_id
+ passwordSecretIdentifier = data.azurerm_key_vault_secret.dockerhub_pat.versionless_id
+ }
+ ]
+ }
+ }
+}
+
+resource "azurerm_role_assignment" "acr_cache_kv_secrets_user" {
+ count = var.environment == "development" ? 1 : 0
+
+ scope = data.azurerm_key_vault.key_vault.id
+ role_definition_name = "Key Vault Secrets User"
+
+ principal_id = azapi_resource.dockerhub_credential_set[0].identity[0].principal_id
+}
+
+resource "azapi_resource" "dockerhub_nginx_cache" {
+ count = var.environment == "development" ? 1 : 0
+
+ type = "Microsoft.ContainerRegistry/registries/cacheRules@2025-11-01"
+ name = "dockerhub-nginx"
+ parent_id = azurerm_container_registry.acr.id
+
+ body = {
+ properties = {
+ sourceRepository = "docker.io/library/nginx"
+ targetRepository = "dockerhub/library/nginx"
+ credentialSetResourceId = azapi_resource.dockerhub_credential_set[0].id
+ }
+ }
+
+ depends_on = [
+ azurerm_role_assignment.acr_cache_kv_secrets_user
+ ]
+}
diff --git a/cluster/terraform_aks_cluster/config/development.tfvars.json b/cluster/terraform_aks_cluster/config/development.tfvars.json
index 8e72e04c..ef8c46fe 100644
--- a/cluster/terraform_aks_cluster/config/development.tfvars.json
+++ b/cluster/terraform_aks_cluster/config/development.tfvars.json
@@ -21,5 +21,6 @@
 "node_soak_duration_in_minutes": 1
 }
 },
- "admin_group_id": "f77b2daf-7ff4-4aa5-8138-cf983d0b4a18"
+ "admin_group_id": "f77b2daf-7ff4-4aa5-8138-cf983d0b4a18",
+ "cluster_kv": "s189d01-tsc2-dv-kv"
 }
diff --git a/cluster/terraform_aks_cluster/terraform.tf b/cluster/terraform_aks_cluster/terraform.tf
index 8bdd97eb..379cc656 100644
--- a/cluster/terraform_aks_cluster/terraform.tf
+++ b/cluster/terraform_aks_cluster/terraform.tf
@@ -5,6 +5,10 @@ terraform {
 source = "hashicorp/azurerm"
 version = "4.61.0"
 }
+ azapi = {
+ source = "Azure/azapi"
+ version = "~> 2.0"
+ }
 }
 backend "azurerm" {
 container_name = "tsc-tfstate"
@@ -15,3 +19,5 @@ provider "azurerm" {
 features {}
 resource_provider_registrations = "none"
 }
+
+provider "azapi" {}
diff --git a/cluster/terraform_aks_cluster/variables.tf b/cluster/terraform_aks_cluster/variables.tf
index ae2e65b8..17f54627 100644
--- a/cluster/terraform_aks_cluster/variables.tf
+++ b/cluster/terraform_aks_cluster/variables.tf
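Review bot: The `data "azurerm_key_vault"` lookup and the two `data "azurerm_key_vault_secret"` lookups it feeds run unconditionally, while every consumer of them (`dockerhub_credential_set`, `acr_cache_kv_secrets_user`, `dockerhub_nginx_cache`) is gated on `var.environment == "development"`; `cluster_kv` has no default and, within this diff, is only set in development.tfvars.json, so a plan in any other environment appears to fail on the missing variable or the Key Vault read unless a tfvars file outside this diff supplies it. Guard the three data sources with the same `count = var.environment == "development" ? 1 : 0` and index them with `[0]`, or give `cluster_kv` a default. Separately, the `azurerm_key_vault_secret` data source fetches the secret value into state even though only `versionless_id` is consumed here; the identifier the credential set needs can be built without reading the PAT, e.g. `passwordSecretIdentifier = "${data.azurerm_key_vault.key_vault.vault_uri}secrets/dockerhub-pat"` (vault_uri ends in a slash — confirm the exact identifier format the API expects). `data "azurerm_client_config" "current"` is not referenced anywhere in the hunk and can be dropped.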
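Review bot: The new `azapi` provider is constrained with a floating `version = "~> 2.0"` while `azurerm` directly above it is pinned to the exact `4.61.0`, so the provider binary that drives the credential-set and cache-rule resources can change on any `terraform init` that is not backed by a committed lock file. Pin it the same way, `version = "<exact azapi 2.x version>"`, and make sure `.terraform.lock.hcl` is updated in the same change (it does not appear in this diff). The second hunk's `provider "azapi" {}` carries no configuration and will authenticate from the ambient environment; that is fine if it matches how `provider "azurerm"` is authenticated, but a one-line comment saying so, `# Uses the same ambient Azure credentials as the azurerm provider`, would save the next reader the question.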
@@ -55,6 +55,18 @@ variable "second_egress_ip" {
 description = "Allocate a second egress public IP for the cluster"
 }
 
+variable "dockerhub_username" {
+ type = string
+ sensitive = true
+}
+
+variable "dockerhub_pat" {
+ type = string
+ sensitive = true
+}
+
+variable "cluster_kv" { type = string }
+
 locals {
 backing_services_resource_group_name = "${var.resource_prefix}-tsc-${var.environment}-bs-rg"
 cluster_name = (
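Review bot: `dockerhub_username` and `dockerhub_pat` are declared as sensitive input variables but nothing in this diff reads them — caching.tf takes both values from Key Vault data sources — so they are dead declarations that invite passing the PAT through tfvars or CI environment as a plain Terraform input instead of leaving it in Key Vault. Drop them, or if they are meant to seed the Key Vault secrets in a step outside this diff, say so in a `description` on each. `cluster_kv` is also declared on a single line with no description, unlike the surrounding variables; `description = "Name of the Key Vault holding the Docker Hub credentials used by the ACR cache"` would document its role. The `locals` block at the end of the hunk continues outside it.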