Azure Core Infrastructure
The core infrastructure is the foundation for all other Ensono Stacks Workloads. As, in most cases, this will be the first part of Ensono Stacks that you deploy we will also cover bootstrapping your Azure tenant.
Resources Provisioned
Both the diagram and resource list below are for a single environment. By default, the pipeline template will create two environments (nonprod and prod).
Diagram
Resource List
| Resource | Description |
|---|---|
| Resource Group | Used to logically group infrastructure |
| Virtual Network | Fundamental building block for the private network |
| Subnet - AGW | Dedicated subnet required for Application Gateway |
| Application Gateway | Web traffic load balancer |
| Public IP | IP address associated with the Application Gateway |
| Subnet - k8s | Subnet used by the AKS cluster |
| AKS | Azure Kubernetes Service |
| Resource Group: Node Pool | AKS created resource group for nodes, load balancers, etc. |
| Internal Load Balancer | Load balancer used with NGINX ingress |
| VM Scale Set: Nodes | Virtual Machine scaling for AKS |
| NGINX Ingress | Nginx ingress Kubernetes namespace, deployment and service |
| Internal DNS Zone | Custom DNS domain |
| Public DNS Zone | Hosted service for DNS domain |
| Application Insights | Application performance management, monitoring and analytics service |
| Log Analytics Workspace | Log analytics with container insights |
| Managed Identity | Managed Identity with aadpodidentity binding |
| ACR | Azure Container Registry |
| Key Vault | Cryptographic keys and secrets management service |
Deploying
Bootstrap the Azure tenant
The first step is to create the Azure tenant and subscription. This process only needs to be run once on an administrators workstation.
The administrator will need the following permissions:
- Azure AD "Global Administrator" role for the Azure AD Tenant
- IAM subscription owner
With owner privileges:
- Create an Azure Service Principal for use with Terraform.
- Make note of the TenantID, SubscriptionID, ClientID and ClientSecret
- Create a Blob Storage instance and container for storing Terraform state.
- Take note of the storage account and container name.
Using the Scaffolding CLI
The Ensono Stacks Scaffolding CLI can be used to create a project consisting of the core infrastructure as code scripts and the deployment pipeline.
We are supporting and running node@12. Please ensure that your local environment has the correct version installed.
To run the Scaffolding CLI, use the following command:
npx @amidostacks/scaffolding-cli@latest run -i
You will be asked a number of questions. Make sure to select Azure and Cloud platform shared services.
Pipelines
The following pipelines are currently supported for automating the deployment:
Running Locally
Currently, vars.tf and provider configuration is not automatically updated. Future iterations will include this.
The safest way to run and maintain this locally is to rely on Docker and environment variables as that is the way the pipeline will trigger the executions of Terraform.
Sample commands with example environment vars:
# Navigate to the infra directory
cd ${YOUR_DIRECTORY_PATH}/deploy/azure/infra
# Run Ensono Terraform Docker container
docker run -v $(pwd):/usr/data --rm -it amidostacks/ci-tf:0.0.4 /bin/bash
###########################################################################
# All commands from this point should be executed in the Docker container #
###########################################################################
# Navigate to /usr/data directory
cd /usr/data
# Export Azure Credentials. Replace the example values.
export ARM_CLIENT_ID=1111-2222-3333-444 \
ARM_CLIENT_SECRET=1111-2222-3333-4444 \
ARM_SUBSCRIPTION_ID=1111-2222-3333-444 \
ARM_TENANT_ID=1111-2222-3333-444
# Export Terraform variables. Replace the example values.
export TF_VAR_resource_group_location=uksouth \
TF_VAR_name_company=ensono \
TF_VAR_name_project=example \
TF_VAR_name_component=core \
TF_VAR_name_environment=nonprod \
TF_VAR_create_acr=true \
TF_VAR_acme_email=example@ensonostacks.com \
TF_VAR_is_cluster_private=true \
TF_VAR_cluster_version=1.17.11 \
TF_VAR_stage=nonprod \
TF_VAR_key_vault_name=example-core-nonprod \
TF_VAR_dns_zone=nonprod.ensonostacks.com \
TF_VAR_internal_dns_zone=nonprod.ensonostacks.internal
# Initial Terraform. Replace the example values.
terraform init \
-backend-config="resource_group_name=amido-stacks-terraform" \
-backend-config="storage_account_name=amidostacksterraform" \
-backend-config="container_name=tfstate" \
-backend-config="key=example-core"
# Select or create the "nonprod" workspace.
terraform workspace select nonprod || terraform workspace new nonprod
# Check the plan matches your expected changes.
terraform plan
