feat: Added velero installation and backup module (#154)

azure_devops_agent_custom_image/packer/script-config.sh

@@ -14,18 +14,19 @@ function check_command(){
 # install zip unzip ca-certificates curl wget apt-transport-https lsb-release gnupg jq
 apt-get -y update
 apt-get -y --allow-unauthenticated install zip unzip ca-certificates curl wget apt-transport-https lsb-release gnupg jq
-
 check_command "zip"
 check_command "unzip"
 check_command "jq"
 
 # install az cli
 curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+check_command "az"
 
 az acr helm install-cli -y --client-version 3.12.0
+check_command "helm"
 
 az aks install-cli --client-version 1.25.10 --kubelogin-version 0.0.29
-
+check_command "kubectl"
 
 # setup Docker installation from https://docs.docker.com/engine/install/ubuntu/
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg |
@@ -38,32 +39,32 @@ echo \
 
 apt-get -y update
 apt-get -y install  python3-pip
-apt-get -y --allow-unauthenticated install docker-ce docker-ce-cli containerd.io docker-compose-plugin
-
+check_command "python3"
 
-check_command "az"
-check_command "kubectl"
+apt-get -y --allow-unauthenticated install docker-ce docker-ce-cli containerd.io docker-compose-plugin
 check_command "docker"
-check_command "helm"
-check_command "python3"
+
 
 # install yq from https://github.com/mikefarah/yq#install
 YQ_VERSION="v4.33.3"
 YQ_BINARY="yq_linux_amd64"
 wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/${YQ_BINARY}.tar.gz -O - |\
   tar xz && mv ${YQ_BINARY} /usr/bin/yq
-
-
 check_command "yq"
 
 # install SOPS from https://github.com/mozilla/sops
 SOPS_VERSION="v3.7.3"
 SOPS_BINARY="3.7.3_amd64.deb"
 wget https://github.com/mozilla/sops/releases/download/v3.7.3/sops_3.7.3_amd64.deb
 apt install -y $PWD/sops_3.7.3_amd64.deb
-
 check_command "sops"
 
+VELERO_VERSION=v1.11.1
+wget https://github.com/vmware-tanzu/velero/releases/download/${VELERO_VERSION}/velero-${VELERO_VERSION}-linux-amd64.tar.gz && \
+tar -zxvf velero-${VELERO_VERSION}-linux-amd64.tar.gz && \
+sudo mv velero-${VELERO_VERSION}-linux-amd64/velero /usr/bin/velero
+check_command "velero"
+
 # prepare machine for k6 large load test
 
 sysctl -w net.ipv4.ip_local_port_range="1024 65535"

kubernetes_cluster/99_variables.tf

@@ -340,3 +340,4 @@ variable "sec_storage_id" {
 variable "tags" {
   type = map(any)
 }
+

kubernetes_cluster/README.md

@@ -13,11 +13,13 @@ By default the modules have a default set of metric alerts.
 * If you want is possible to add new **custom metrics alerts** using the varible: `custom_metric_alerts`
 * Or override the **default metrics alert** using the variable: `default_metric_alerts`. (is prefered to add new metrics)
 
+
+
 ## How to use it
 
 ### Variable definition example
 
-```ts
+```hcl
 #
 # ⛴ AKS PROD
 #
@@ -437,7 +439,7 @@ variable "keda_helm_version" {
 
 ### Variables values
 
-```ts
+```hcl
 rg_vnet_aks_name           = "dvopla-d-neu-dev01-aks-vnet-rg"
 vnet_aks_name              = "dvopla-d-neu-dev01-aks-vnet"
 public_ip_aksoutbound_name = "dvopla-d-dev01-aksoutbound-pip-1"
@@ -484,7 +486,7 @@ keda_helm_version        = "2.6.2"
 
 ### AKS Cluster
 
-```ts
+```hcl
   resource "azurerm_resource_group" "rg_aks" {
     name     = local.aks_rg_name
     location = var.location
@@ -552,7 +554,7 @@ keda_helm_version        = "2.6.2"
       service_cidr       = "10.250.0.0/16"
     }
     # end network
-
+    
     rbac_enabled        = true
     aad_admin_group_ids = var.env_short == "d" ? [data.azuread_group.adgroup_admin.object_id, data.azuread_group.adgroup_developers.object_id, data.azuread_group.adgroup_externals.object_id] : [data.azuread_group.adgroup_admin.object_id]
 

kubernetes_cluster_velero/01_main.tf

@@ -0,0 +1,160 @@
+locals {
+  sa_prefix = replace(replace(var.prefix, "-", ""), "_", "")
+}
+
+data "azurerm_kubernetes_cluster" "aks_cluster" {
+  name                = var.aks_cluster_name
+  resource_group_name = var.aks_cluster_rg
+}
+
+module "velero_storage_account" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v7.2.0"
+
+  name                            = "${local.sa_prefix}velerosa"
+  account_kind                    = "BlobStorage"
+  account_tier                    = var.storage_account_tier
+  account_replication_type        = var.storage_account_replication_type
+  blob_versioning_enabled         = true
+  resource_group_name             = var.resource_group_name
+  location                        = var.location
+  allow_nested_items_to_be_public = false
+  advanced_threat_protection      = true
+  enable_low_availability_alert   = false
+  public_network_access_enabled   = var.use_storage_private_endpoint ? false : true
+  tags                            = var.tags
+}
+
+resource "azurerm_private_endpoint" "velero_storage_private_endpoint" {
+  count = var.use_storage_private_endpoint ? 1 : 0
+
+  name                = "${var.prefix}-velerosa-private-endpoint"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  subnet_id           = var.private_endpoint_subnet_id
+
+  private_dns_zone_group {
+    name                 = "${var.prefix}-velerosa-private-dns-zone-group"
+    private_dns_zone_ids = [var.storage_account_private_dns_zone_id]
+  }
+
+  private_service_connection {
+    name                           = "${var.prefix}-velerosa-private-service-connection"
+    private_connection_resource_id = module.velero_storage_account.id
+    is_manual_connection           = false
+    subresource_names              = ["blob"]
+  }
+
+  tags = var.tags
+}
+
+resource "azurerm_storage_container" "velero_backup_container" {
+  name                  = "${var.prefix}-velero-backup"
+  storage_account_name  = module.velero_storage_account.name
+  container_access_type = "private"
+
+  depends_on = [azurerm_private_endpoint.velero_storage_private_endpoint]
+}
+
+data "azuread_client_config" "current" {}
+
+
+resource "azuread_application" "velero_application" {
+  display_name = "${var.prefix}-velero-application"
+  owners       = [data.azuread_client_config.current.object_id]
+}
+
+resource "azuread_application_password" "velero_application_password" {
+  application_object_id = azuread_application.velero_application.object_id
+}
+
+resource "azuread_service_principal" "velero_sp" {
+  application_id = azuread_application.velero_application.application_id
+  owners         = [data.azuread_client_config.current.object_id]
+}
+
+resource "azuread_service_principal_password" "velero_principal_password" {
+  service_principal_id = azuread_service_principal.velero_sp.object_id
+}
+
+resource "azurerm_role_assignment" "velero_sp_aks_role" {
+  scope                = data.azurerm_kubernetes_cluster.aks_cluster.id #var.aks_cluster_id
+  role_definition_name = "Azure Kubernetes Service Cluster Admin Role"
+  principal_id         = azuread_service_principal.velero_sp.object_id
+}
+
+resource "azurerm_role_assignment" "velero_sp_storage_role" {
+  scope                = module.velero_storage_account.id
+  role_definition_name = "Storage Account Contributor"
+  principal_id         = azuread_service_principal.velero_sp.object_id
+}
+
+resource "local_file" "credentials" {
+
+  content = templatefile("${path.module}/velero-credentials.tpl", {
+    subscription_id = var.subscription_id
+    tenant_id       = var.tenant_id
+    client_id       = azuread_application.velero_application.application_id
+    client_secret   = azuread_application_password.velero_application_password.value
+    backup_rg       = var.resource_group_name
+  })
+  filename = "${path.module}/credentials-velero.txt"
+
+  lifecycle {
+    replace_triggered_by = [
+      azurerm_storage_container.velero_backup_container,
+      azuread_application.velero_application,
+      azuread_service_principal.velero_sp,
+      azuread_application_password.velero_application_password
+    ]
+  }
+}
+
+
+resource "null_resource" "install_velero" {
+  depends_on = [local_file.credentials]
+
+  triggers = {
+    bucket                = azurerm_storage_container.velero_backup_container.name
+    storage_account       = module.velero_storage_account.name
+    subscription_id       = var.subscription_id
+    tenant_id             = var.tenant_id
+    client_id             = azuread_application.velero_application.application_id
+    client_secret         = azuread_application_password.velero_application_password.value
+    resource_group        = var.resource_group_name
+    plugin_version        = var.plugin_version
+    cluster_name          = var.aks_cluster_name
+    credentials_file_name = local_file.credentials.filename
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = <<EOT
+    kubectl config use-context "${self.triggers.cluster_name}" && \
+    velero uninstall --force
+    EOT
+  }
+
+  provisioner "local-exec" {
+    command = <<EOT
+    kubectl config use-context "${self.triggers.cluster_name}" && \
+    velero install --provider azure --plugins velero/velero-plugin-for-microsoft-azure:${self.triggers.plugin_version} \
+    --bucket ${self.triggers.bucket} \
+    --secret-file ${self.triggers.credentials_file_name} \
+    --backup-location-config resourceGroup=${self.triggers.resource_group},storageAccount=${self.triggers.storage_account},subscriptionId=${self.triggers.subscription_id} \
+    EOT
+  }
+
+  lifecycle {
+    replace_triggered_by = [
+      local_file.credentials,
+      azurerm_storage_container.velero_backup_container,
+      azuread_service_principal.velero_sp,
+      azuread_application.velero_application,
+      azuread_application_password.velero_application_password
+    ]
+  }
+}
+
+
+
+

kubernetes_cluster_velero/99_variables.tf

@@ -0,0 +1,82 @@
+variable "tags" {
+  type = map(any)
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "(Required) Name of the resource group in which the backup storage account is located"
+}
+
+
+variable "backup_storage_container_name" {
+  type        = string
+  description = "(Required) Name of the storage container where Velero keeps the backups"
+}
+
+variable "aks_cluster_name" {
+  type        = string
+  description = "(Required) Name of the aks cluster on which Velero will be installed"
+}
+
+variable "aks_cluster_rg" {
+  type        = string
+  description = "(Required) AKS cluster resource group name"
+}
+
+variable "subscription_id" {
+  type        = string
+  description = "(Required) ID of the subscription"
+}
+
+variable "tenant_id" {
+  type        = string
+  description = "(Required) ID of the tenant"
+}
+
+variable "plugin_version" {
+  type        = string
+  description = "(Optional) Version for the velero plugin"
+  default     = "v1.7.1"
+}
+
+variable "prefix" {
+  type        = string
+  description = "(Required) Prefix used in the Velero dedicated resource names"
+}
+
+
+variable "location" {
+  type        = string
+  description = "(Required) Resource location"
+}
+
+variable "storage_account_private_dns_zone_id" {
+  type        = string
+  description = "(Optional) Storage account private dns zone id, used in the private endpoint creation"
+  default     = null
+}
+
+variable "private_endpoint_subnet_id" {
+  type        = string
+  description = "(Optional) Subnet id where to create the private endpoint for backups storage account"
+  default     = null
+}
+
+variable "use_storage_private_endpoint" {
+  type        = bool
+  description = "(Optional) Whether to make the storage account private and use a private endpoint to connect"
+  default     = true
+}
+
+
+variable "storage_account_tier" {
+  type        = string
+  description = "(Optional) Tier used for the backup storage account"
+  default     = "Standard"
+}
+
+variable "storage_account_replication_type" {
+  type        = string
+  description = "(Optional) Replication type used for the backup storage account"
+  default     = "ZRS"
+}

kubernetes_cluster_velero/99_versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.30.0, <= 3.64.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "<= 3.2.1"
+    }
+  }
+}