Azure Core Infrastructure

The core infrastructure is the foundation for all other Stacks Workloads. As, in most cases, this will be the first part of Stacks that you deploy, we will also cover bootstrapping your Azure tenant.

Resources Provisioned

Both the diagram and resource list below are for a single environment. By default, the pipeline template will create two environments (nonprod and prod).

Diagram

[Diagram: Azure Core Infrastructure]

Resource List

Resource | Description
Resource Group | Used to logically group infrastructure
Virtual Network | Fundamental building block for the private network
Subnet - AGW | Dedicated subnet required for Application Gateway
Application Gateway | Web traffic load balancer
Public IP | IP address associated with the Application Gateway
Subnet - k8s | Subnet used by the AKS cluster
AKS | Azure Kubernetes Service
Resource Group: Node Pool | AKS-created resource group for nodes, load balancers, etc.
Internal Load Balancer | Load balancer used with NGINX ingress
VM Scale Set: Nodes | Virtual Machine scaling for AKS
NGINX Ingress | NGINX ingress Kubernetes namespace, deployment and service
Internal DNS Zone | Custom DNS domain
Public DNS Zone | Hosted service for DNS domain
Application Insights | Application performance management, monitoring and analytics service
Log Analytics Workspace | Log analytics with container insights
Managed Identity | Managed Identity with aadpodidentity binding
ACR | Azure Container Registry
Key Vault | Cryptographic keys and secrets management service

Deploying

Bootstrap the Azure tenant

The first step is to create the Azure tenant and subscription. This process only needs to be run once, on an administrator's workstation.

The administrator will need the following permissions:

  • Azure AD "Global Administrator" role for the Azure AD Tenant
  • IAM subscription owner

With owner privileges:

  1. Create an Azure Service Principal for use with Terraform.
    • Make note of the TenantID, SubscriptionID, ClientID and ClientSecret
  2. Create a Blob Storage instance and container for storing Terraform state.
    • Take note of the storage account and container name.

Using the Scaffolding CLI

The Amido Stacks Scaffolding CLI can be used to create a project consisting of the core infrastructure as code scripts and the deployment pipeline.

We support and run the CLI on node@12. Please ensure that your local environment has that version installed.

To run the Scaffolding CLI, use the following command:

npx @amidostacks/scaffolding-cli@latest run -i

You will be asked a number of questions. Make sure to select Azure and Cloud platform shared services.

Pipelines

The following pipelines are currently supported for automating the deployment:

Running Locally

Currently, vars.tf and the provider configuration are not automatically updated; this will be addressed in future iterations.

The safest way to run and maintain this locally is to use Docker and environment variables, as that is how the pipeline triggers the Terraform executions.

Sample commands with example environment variables:

# Navigate to the infra directory
cd ${YOUR_DIRECTORY_PATH}/deploy/azure/infra
# Run Amido Terraform Docker container
docker run -v $(pwd):/usr/data --rm -it amidostacks/ci-tf:0.0.4 /bin/bash
###########################################################################
# All commands from this point should be executed in the Docker container #
###########################################################################
# Navigate to /usr/data directory
cd /usr/data
# Export the Azure credentials of the service principal created during bootstrap
# (read by the azurerm provider). Replace the example values and keep the client
# secret out of scripts and version control.
export ARM_CLIENT_ID=1111-2222-3333-4444 \
ARM_CLIENT_SECRET=1111-2222-3333-4444 \
ARM_SUBSCRIPTION_ID=1111-2222-3333-4444 \
ARM_TENANT_ID=1111-2222-3333-4444
# Export Terraform variables. Replace the example values.
export TF_VAR_resource_group_location=uksouth \
TF_VAR_name_company=amido \
TF_VAR_name_project=example \
TF_VAR_name_component=core \
TF_VAR_name_environment=nonprod \
TF_VAR_create_acr=true \
TF_VAR_acme_email=example@amidostacks.com \
TF_VAR_is_cluster_private=true \
TF_VAR_cluster_version=1.17.11 \
TF_VAR_stage=nonprod \
TF_VAR_key_vault_name=example-core-nonprod \
TF_VAR_dns_zone=nonprod.amidostacks.com \
TF_VAR_internal_dns_zone=nonprod.amidostacks.internal
# Initialise Terraform with the remote state backend created during bootstrap. Replace the example values.
terraform init \
-backend-config="resource_group_name=amido-stacks-terraform" \
-backend-config="storage_account_name=amidostacksterraform" \
-backend-config="container_name=tfstate" \
-backend-config="key=example-core"
# Select or create the "nonprod" workspace.
terraform workspace select nonprod || terraform workspace new nonprod
# Check the plan matches your expected changes.
terraform plan
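As an added example (not part of the Stacks project), the wrapper below puts a pre-flight check in front of the run above: it refuses to call terraform until every ARM_* credential and TF_VAR_* input is set, validates the Key Vault name against Azure's naming rules, echoes the inputs with the client secret redacted, and derives the backend state key from the project and component names (an assumed convention that matches the "example-core" key above); the state resource group, storage account and container names are passed as arguments.

```sh
# Added pre-flight wrapper for the local Terraform run above (not Stacks code):
# fails closed if an ARM_* credential or TF_VAR_* input is missing, validates the
# Key Vault name, echoes the inputs with the client secret redacted, and derives
# the backend state key "<project>-<component>" (assumed convention).
ARM_REQUIRED="ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_SUBSCRIPTION_ID ARM_TENANT_ID"
TFVAR_REQUIRED="TF_VAR_resource_group_location TF_VAR_name_company \
TF_VAR_name_project TF_VAR_name_component TF_VAR_name_environment \
TF_VAR_stage TF_VAR_key_vault_name TF_VAR_dns_zone TF_VAR_internal_dns_zone"
# missing_vars NAME...: print each unset or empty variable; return 1 if any
missing_vars() {
  rc=0
  for name in "$@"; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || { echo "$name"; rc=1; }
  done
  return $rc
}
# valid_key_vault_name NAME: 3-24 letters/digits/hyphens, starts with a letter,
# ends with a letter or digit, no consecutive hyphens (Azure Key Vault rules)
valid_key_vault_name() {
  case "$1" in *--*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$'
}
# backend_key: state key derived from the project and component names
backend_key() { printf '%s-%s\n' "$TF_VAR_name_project" "$TF_VAR_name_component"; }
# preflight: 0 when every input is present and valid, else report and return 1
preflight() {
  missing=$(missing_vars $ARM_REQUIRED $TFVAR_REQUIRED) || {
    printf 'Missing required variables:\n%s\n' "$missing" >&2; return 1; }
  valid_key_vault_name "$TF_VAR_key_vault_name" || {
    echo "Invalid Key Vault name: $TF_VAR_key_vault_name" >&2; return 1; }
  for name in $ARM_REQUIRED $TFVAR_REQUIRED; do  # show inputs, never the secret
    case "$name" in
      ARM_CLIENT_SECRET) echo "$name=<redacted>" ;;
      *) eval "echo \"$name=\$$name\"" ;;
    esac
  done
}
# run_terraform STATE_RG STATE_ACCOUNT CONTAINER: init, select workspace, plan.
# Usage in the container: run_terraform amido-stacks-terraform amidostacksterraform tfstate
run_terraform() {
  preflight || return 1
  terraform init -backend-config="resource_group_name=$1" \
    -backend-config="storage_account_name=$2" \
    -backend-config="container_name=$3" -backend-config="key=$(backend_key)" || return 1
  terraform workspace select "$TF_VAR_name_environment" ||
    terraform workspace new "$TF_VAR_name_environment" || return 1
  terraform plan
}
```

Source the file inside the container after exporting the variables, then call run_terraform with your state backend names; a missing variable or an invalid Key Vault name stops the run before terraform init touches the remote state.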