@rulebricks/cli 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (93) hide show
  1. package/README.md +62 -0
  2. package/dist/commands/clone.d.ts +6 -0
  3. package/dist/commands/clone.js +60 -0
  4. package/dist/commands/deploy.d.ts +8 -0
  5. package/dist/commands/deploy.js +409 -0
  6. package/dist/commands/destroy.d.ts +8 -0
  7. package/dist/commands/destroy.js +298 -0
  8. package/dist/commands/init.d.ts +7 -0
  9. package/dist/commands/init.js +201 -0
  10. package/dist/commands/logs.d.ts +9 -0
  11. package/dist/commands/logs.js +222 -0
  12. package/dist/commands/open.d.ts +7 -0
  13. package/dist/commands/open.js +139 -0
  14. package/dist/commands/status.d.ts +5 -0
  15. package/dist/commands/status.js +125 -0
  16. package/dist/commands/upgrade.d.ts +7 -0
  17. package/dist/commands/upgrade.js +239 -0
  18. package/dist/components/DNSWaitScreen.d.ts +9 -0
  19. package/dist/components/DNSWaitScreen.js +73 -0
  20. package/dist/components/Wizard/WizardContext.d.ts +176 -0
  21. package/dist/components/Wizard/WizardContext.js +346 -0
  22. package/dist/components/Wizard/index.d.ts +2 -0
  23. package/dist/components/Wizard/index.js +2 -0
  24. package/dist/components/Wizard/steps/CloudProviderStep.d.ts +6 -0
  25. package/dist/components/Wizard/steps/CloudProviderStep.js +210 -0
  26. package/dist/components/Wizard/steps/CredentialsStep.d.ts +6 -0
  27. package/dist/components/Wizard/steps/CredentialsStep.js +22 -0
  28. package/dist/components/Wizard/steps/DatabaseStep.d.ts +6 -0
  29. package/dist/components/Wizard/steps/DatabaseStep.js +80 -0
  30. package/dist/components/Wizard/steps/DeploymentModeStep.d.ts +5 -0
  31. package/dist/components/Wizard/steps/DeploymentModeStep.js +26 -0
  32. package/dist/components/Wizard/steps/DomainStep.d.ts +6 -0
  33. package/dist/components/Wizard/steps/DomainStep.js +126 -0
  34. package/dist/components/Wizard/steps/FeatureConfigStep.d.ts +6 -0
  35. package/dist/components/Wizard/steps/FeatureConfigStep.js +765 -0
  36. package/dist/components/Wizard/steps/FeaturesStep.d.ts +6 -0
  37. package/dist/components/Wizard/steps/FeaturesStep.js +119 -0
  38. package/dist/components/Wizard/steps/ReviewStep.d.ts +6 -0
  39. package/dist/components/Wizard/steps/ReviewStep.js +56 -0
  40. package/dist/components/Wizard/steps/SMTPStep.d.ts +6 -0
  41. package/dist/components/Wizard/steps/SMTPStep.js +191 -0
  42. package/dist/components/Wizard/steps/SupabaseCredentialsStep.d.ts +6 -0
  43. package/dist/components/Wizard/steps/SupabaseCredentialsStep.js +76 -0
  44. package/dist/components/Wizard/steps/TierStep.d.ts +6 -0
  45. package/dist/components/Wizard/steps/TierStep.js +29 -0
  46. package/dist/components/Wizard/steps/VersionStep.d.ts +6 -0
  47. package/dist/components/Wizard/steps/VersionStep.js +113 -0
  48. package/dist/components/Wizard/steps/index.d.ts +12 -0
  49. package/dist/components/Wizard/steps/index.js +12 -0
  50. package/dist/components/common/AppShell.d.ts +31 -0
  51. package/dist/components/common/AppShell.js +31 -0
  52. package/dist/components/common/Box.d.ts +20 -0
  53. package/dist/components/common/Box.js +20 -0
  54. package/dist/components/common/Logo.d.ts +7 -0
  55. package/dist/components/common/Logo.js +22 -0
  56. package/dist/components/common/Spinner.d.ts +12 -0
  57. package/dist/components/common/Spinner.js +28 -0
  58. package/dist/components/common/index.d.ts +6 -0
  59. package/dist/components/common/index.js +5 -0
  60. package/dist/index.d.ts +2 -0
  61. package/dist/index.js +202 -0
  62. package/dist/lib/cloudCli.d.ts +156 -0
  63. package/dist/lib/cloudCli.js +691 -0
  64. package/dist/lib/config.d.ts +91 -0
  65. package/dist/lib/config.js +278 -0
  66. package/dist/lib/dns.d.ts +41 -0
  67. package/dist/lib/dns.js +235 -0
  68. package/dist/lib/dockerHub.d.ts +57 -0
  69. package/dist/lib/dockerHub.js +128 -0
  70. package/dist/lib/helm.d.ts +53 -0
  71. package/dist/lib/helm.js +209 -0
  72. package/dist/lib/helmValues.d.ts +17 -0
  73. package/dist/lib/helmValues.js +693 -0
  74. package/dist/lib/kubernetes.d.ts +161 -0
  75. package/dist/lib/kubernetes.js +755 -0
  76. package/dist/lib/terraform.d.ts +44 -0
  77. package/dist/lib/terraform.js +230 -0
  78. package/dist/lib/theme.d.ts +81 -0
  79. package/dist/lib/theme.js +115 -0
  80. package/dist/lib/validation.d.ts +47 -0
  81. package/dist/lib/validation.js +164 -0
  82. package/dist/lib/versions.d.ts +69 -0
  83. package/dist/lib/versions.js +139 -0
  84. package/dist/types/index.d.ts +718 -0
  85. package/dist/types/index.js +556 -0
  86. package/email-templates/email_change.html +325 -0
  87. package/email-templates/invite.html +383 -0
  88. package/email-templates/password_change.html +414 -0
  89. package/email-templates/verify.html +396 -0
  90. package/package.json +78 -0
  91. package/terraform/aws/main.tf +327 -0
  92. package/terraform/azure/main.tf +326 -0
  93. package/terraform/gcp/main.tf +369 -0
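--- a/package/terraform/aws/main.tf
+++ b/package/terraform/aws/main.tf
@@ -0,0 +1,327 @@
+# AWS EKS Cluster for Rulebricks
+# Meets minimum requirements: 4 nodes, 8 vCPU, 16GB RAM per node
+
+terraform {
+required_version = ">= 1.0.0"
+
+required_providers {
+aws = {
+source = "hashicorp/aws"
+version = "~> 5.0"
+}
+}
+}
+
+provider "aws" {
+region = var.region
+}
+
+# Variables
+variable "cluster_name" {
+description = "Name of the EKS cluster"
+type = string
+default = "rulebricks-cluster"
+}
+
+variable "region" {
+description = "AWS region"
+type = string
+default = "us-east-1"
+}
+
+variable "tier" {
+description = "Performance tier: small, medium, large"
+type = string
+default = "small"
+}
+
+variable "kubernetes_version" {
+description = "Kubernetes version"
+type = string
+default = "1.29"
+}
+
+variable "enable_external_dns" {
+description = "Enable IAM role for external-dns (Route53)"
+type = bool
+default = false
+}
+
+variable "external_dns_domain" {
+description = "Domain filter for external-dns"
+type = string
+default = ""
+}
+
+variable "enable_s3_logging" {
+description = "Enable IAM role for Vector S3 logging"
+type = bool
+default = false
+}
+
+variable "logging_s3_bucket" {
+description = "S3 bucket name for Vector logs"
+type = string
+default = ""
+}
+
+# Tier configurations
+# Using Graviton4 (ARM64) instances for compatibility with arm64 container images
+locals {
+tier_configs = {
+small = {
+node_count = 4
+instance_type = "c8g.large" # 2 vCPU, 4GB (Graviton4 ARM64)
+min_nodes = 4
+max_nodes = 4
+disk_size = 50
+}
+medium = {
+node_count = 4
+instance_type = "c8g.xlarge" # 4 vCPU, 8GB (Graviton4 ARM64)
+min_nodes = 4
+max_nodes = 8
+disk_size = 100
+}
+large = {
+node_count = 5
+instance_type = "c8g.2xlarge" # 8 vCPU, 16GB (Graviton4 ARM64)
+min_nodes = 5
+max_nodes = 16
+disk_size = 200
+}
+}
+
+config = local.tier_configs[var.tier]
+}
+
+# VPC
+module "vpc" {
+source = "terraform-aws-modules/vpc/aws"
+version = "~> 5.0"
+
+name = "${var.cluster_name}-vpc"
+cidr = "10.0.0.0/16"
+
+azs = ["${var.region}a", "${var.region}b", "${var.region}c"]
+private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+enable_nat_gateway = true
+single_nat_gateway = var.tier == "small" ? true : false
+enable_dns_hostnames = true
+enable_dns_support = true
+
+public_subnet_tags = {
+"kubernetes.io/role/elb" = 1
+"kubernetes.io/cluster/${var.cluster_name}" = "owned"
+}
+
+private_subnet_tags = {
+"kubernetes.io/role/internal-elb" = 1
+"kubernetes.io/cluster/${var.cluster_name}" = "owned"
+}
+
+tags = {
+Environment = "rulebricks"
+Terraform = "true"
+}
+}
+
+# EKS Cluster
+module "eks" {
+source = "terraform-aws-modules/eks/aws"
+version = "~> 20.0"
+
+cluster_name = var.cluster_name
+cluster_version = var.kubernetes_version
+
+# Grant the IAM identity running Terraform admin access to the cluster
+enable_cluster_creator_admin_permissions = true
+
+cluster_endpoint_public_access = true
+cluster_endpoint_private_access = true
+
+vpc_id = module.vpc.vpc_id
+subnet_ids = module.vpc.private_subnets
+
+# EKS Managed Node Group
+eks_managed_node_groups = {
+rulebricks = {
+name = "rulebricks-nodes"
+instance_types = [local.config.instance_type]
+ami_type = "AL2_ARM_64" # ARM AMI for Graviton instances
+
+min_size = local.config.min_nodes
+max_size = local.config.max_nodes
+desired_size = local.config.node_count
+
+disk_size = local.config.disk_size
+
+labels = {
+Environment = "rulebricks"
+Tier = var.tier
+}
+}
+}
+
+# Enable IRSA for service accounts
+enable_irsa = true
+
+# Cluster add-ons
+cluster_addons = {
+coredns = {
+most_recent = true
+}
+kube-proxy = {
+most_recent = true
+}
+vpc-cni = {
+most_recent = true
+}
+aws-ebs-csi-driver = {
+most_recent = true
+service_account_role_arn = module.ebs_csi_irsa.iam_role_arn
+}
+}
+
+tags = {
+Environment = "rulebricks"
+Terraform = "true"
+}
+}
+
+# IAM role for EBS CSI driver
+module "ebs_csi_irsa" {
+source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+version = "~> 5.0"
+
+role_name = "${var.cluster_name}-ebs-csi"
+attach_ebs_csi_policy = true
+
+oidc_providers = {
+main = {
+provider_arn = module.eks.oidc_provider_arn
+namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+}
+}
+}
+
+# ============================================
+# External DNS IAM Role (Route53)
+# ============================================
+module "external_dns_irsa" {
+source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+version = "~> 5.0"
+
+count = var.enable_external_dns ? 1 : 0
+
+role_name = "${var.cluster_name}-external-dns"
+attach_external_dns_policy = true
+external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/*"]
+
+oidc_providers = {
+main = {
+provider_arn = module.eks.oidc_provider_arn
+namespace_service_accounts = ["rulebricks:external-dns"]
+}
+}
+
+tags = {
+Environment = "rulebricks"
+Terraform = "true"
+}
+}
+
+# ============================================
+# Vector S3 Logging IAM Role
+# ============================================
+resource "aws_iam_policy" "vector_s3" {
+count = var.enable_s3_logging ? 1 : 0
+
+name = "${var.cluster_name}-vector-s3"
+description = "IAM policy for Vector to write logs to S3"
+
+policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Effect = "Allow"
+Action = [
+"s3:PutObject",
+"s3:PutObjectAcl",
+"s3:GetObject",
+"s3:DeleteObject",
+"s3:ListBucket"
+]
+Resource = [
+"arn:aws:s3:::${var.logging_s3_bucket}",
+"arn:aws:s3:::${var.logging_s3_bucket}/*"
+]
+}
+]
+})
+}
+
+module "vector_irsa" {
+source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+version = "~> 5.0"
+
+count = var.enable_s3_logging ? 1 : 0
+
+role_name = "${var.cluster_name}-vector"
+
+role_policy_arns = {
+vector_s3 = aws_iam_policy.vector_s3[0].arn
+}
+
+oidc_providers = {
+main = {
+provider_arn = module.eks.oidc_provider_arn
+namespace_service_accounts = ["rulebricks:vector"]
+}
+}
+
+tags = {
+Environment = "rulebricks"
+Terraform = "true"
+}
+}
+
+
+# Outputs
+output "cluster_name" {
+value = module.eks.cluster_name
+description = "EKS cluster name"
+}
+
+output "cluster_endpoint" {
+value = module.eks.cluster_endpoint
+description = "EKS cluster endpoint"
+}
+
+output "cluster_certificate_authority" {
+value = module.eks.cluster_certificate_authority_data
+description = "Base64 encoded cluster CA certificate"
+sensitive = true
+}
+
+output "region" {
+value = var.region
+description = "AWS region"
+}
+
+output "kubeconfig_command" {
+value = "aws eks update-kubeconfig --name ${var.cluster_name} --region ${var.region}"
+description = "Command to update kubeconfig"
+}
+
+output "external_dns_role_arn" {
+value = var.enable_external_dns ? module.external_dns_irsa[0].iam_role_arn : ""
+description = "IAM role ARN for external-dns service account"
+}
+
+output "vector_role_arn" {
+value = var.enable_s3_logging ? module.vector_irsa[0].iam_role_arn : ""
+description = "IAM role ARN for Vector service account"
+}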
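--- a/package/terraform/azure/main.tf
+++ b/package/terraform/azure/main.tf
@@ -0,0 +1,326 @@
+# Azure AKS Cluster for Rulebricks
+# Meets minimum requirements: 4 nodes, 8 vCPU, 16GB RAM per node
+
+terraform {
+required_version = ">= 1.0.0"
+
+required_providers {
+azurerm = {
+source = "hashicorp/azurerm"
+version = "~> 3.0"
+}
+}
+}
+
+provider "azurerm" {
+features {}
+}
+
+# Variables
+variable "cluster_name" {
+description = "Name of the AKS cluster"
+type = string
+default = "rulebricks-cluster"
+}
+
+variable "resource_group_name" {
+description = "Name of the Azure resource group"
+type = string
+default = "rulebricks-rg"
+}
+
+variable "location" {
+description = "Azure region"
+type = string
+default = "eastus"
+}
+
+variable "tier" {
+description = "Performance tier: small, medium, large"
+type = string
+default = "small"
+}
+
+variable "kubernetes_version" {
+description = "Kubernetes version"
+type = string
+default = "1.29"
+}
+
+variable "enable_external_dns" {
+description = "Enable managed identity for external-dns (Azure DNS)"
+type = bool
+default = false
+}
+
+variable "dns_zone_resource_group" {
+description = "Resource group containing the Azure DNS zone"
+type = string
+default = ""
+}
+
+variable "enable_blob_logging" {
+description = "Enable managed identity for Vector Azure Blob logging"
+type = bool
+default = false
+}
+
+variable "logging_storage_account" {
+description = "Azure Storage account name for Vector logs"
+type = string
+default = ""
+}
+
+variable "logging_container_name" {
+description = "Azure Blob container name for Vector logs"
+type = string
+default = ""
+}
+
+# Tier configurations
+# Using Ampere (ARM64) instances for compatibility with arm64 container images
+locals {
+tier_configs = {
+small = {
+node_count = 4
+vm_size = "Standard_D2ps_v5" # 2 vCPU, 8GB (Ampere ARM64)
+min_nodes = 4
+max_nodes = 4
+disk_size = 50
+}
+medium = {
+node_count = 4
+vm_size = "Standard_D4ps_v5" # 4 vCPU, 16GB (Ampere ARM64)
+min_nodes = 4
+max_nodes = 8
+disk_size = 100
+}
+large = {
+node_count = 5
+vm_size = "Standard_D8ps_v5" # 8 vCPU, 32GB (Ampere ARM64)
+min_nodes = 5
+max_nodes = 16
+disk_size = 200
+}
+}
+
+config = local.tier_configs[var.tier]
+}
+
+# Resource Group
+resource "azurerm_resource_group" "rg" {
+name = var.resource_group_name
+location = var.location
+
+tags = {
+Environment = "rulebricks"
+Terraform = "true"
+}
+}
+
+# Virtual Network
+resource "azurerm_virtual_network" "vnet" {
+name = "${var.cluster_name}-vnet"
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+address_space = ["10.0.0.0/8"]
+
+tags = {
+Environment = "rulebricks"
+}
+}
+
+# Subnet for AKS
+resource "azurerm_subnet" "aks" {
+name = "aks-subnet"
+resource_group_name = azurerm_resource_group.rg.name
+virtual_network_name = azurerm_virtual_network.vnet.name
+address_prefixes = ["10.240.0.0/16"]
+}
+
+# User Assigned Identity for AKS
+resource "azurerm_user_assigned_identity" "aks" {
+name = "${var.cluster_name}-identity"
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+}
+
+# Role assignment for network contributor
+resource "azurerm_role_assignment" "network" {
+scope = azurerm_virtual_network.vnet.id
+role_definition_name = "Network Contributor"
+principal_id = azurerm_user_assigned_identity.aks.principal_id
+}
+
+# AKS Cluster
+resource "azurerm_kubernetes_cluster" "aks" {
+name = var.cluster_name
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+dns_prefix = var.cluster_name
+kubernetes_version = var.kubernetes_version
+
+default_node_pool {
+name = "default"
+node_count = var.tier == "small" ? local.config.node_count : null
+min_count = var.tier != "small" ? local.config.min_nodes : null
+max_count = var.tier != "small" ? local.config.max_nodes : null
+enable_auto_scaling = var.tier != "small"
+vm_size = local.config.vm_size
+os_disk_size_gb = local.config.disk_size
+os_disk_type = "Managed"
+vnet_subnet_id = azurerm_subnet.aks.id
+
+node_labels = {
+"environment" = "rulebricks"
+"tier" = var.tier
+}
+}
+
+identity {
+type = "UserAssigned"
+identity_ids = [azurerm_user_assigned_identity.aks.id]
+}
+
+network_profile {
+network_plugin = "azure"
+network_policy = "calico"
+load_balancer_sku = "standard"
+service_cidr = "10.0.0.0/16"
+dns_service_ip = "10.0.0.10"
+}
+
+oidc_issuer_enabled = true
+workload_identity_enabled = true
+
+storage_profile {
+disk_driver_enabled = true
+file_driver_enabled = true
+}
+
+tags = {
+Environment = "rulebricks"
+Terraform = "true"
+}
+
+depends_on = [
+azurerm_role_assignment.network
+]
+}
+
+# ============================================
+# External DNS Managed Identity (Azure DNS)
+# ============================================
+resource "azurerm_user_assigned_identity" "external_dns" {
+count = var.enable_external_dns ? 1 : 0
+name = "${var.cluster_name}-external-dns"
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+}
+
+# DNS Zone Contributor role for external-dns
+resource "azurerm_role_assignment" "external_dns_zone" {
+count = var.enable_external_dns && var.dns_zone_resource_group != "" ? 1 : 0
+scope = "/subscriptions/${data.azurerm_subscription.current.subscription_id}/resourceGroups/${var.dns_zone_resource_group}"
+role_definition_name = "DNS Zone Contributor"
+principal_id = azurerm_user_assigned_identity.external_dns[0].principal_id
+}
+
+# Federated credential for external-dns workload identity
+resource "azurerm_federated_identity_credential" "external_dns" {
+count = var.enable_external_dns ? 1 : 0
+name = "external-dns"
+resource_group_name = azurerm_resource_group.rg.name
+parent_id = azurerm_user_assigned_identity.external_dns[0].id
+audience = ["api://AzureADTokenExchange"]
+issuer = azurerm_kubernetes_cluster.aks.oidc_issuer_url
+subject = "system:serviceaccount:rulebricks:external-dns"
+}
+
+# ============================================
+# Vector Blob Storage Managed Identity
+# ============================================
+resource "azurerm_user_assigned_identity" "vector" {
+count = var.enable_blob_logging ? 1 : 0
+name = "${var.cluster_name}-vector"
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+}
+
+# Get storage account (if provided)
+data "azurerm_storage_account" "logging" {
+count = var.enable_blob_logging && var.logging_storage_account != "" ? 1 : 0
+name = var.logging_storage_account
+resource_group_name = azurerm_resource_group.rg.name
+}
+
+# Storage Blob Data Contributor role for Vector
+resource "azurerm_role_assignment" "vector_blob" {
+count = var.enable_blob_logging && var.logging_storage_account != "" ? 1 : 0
+scope = data.azurerm_storage_account.logging[0].id
+role_definition_name = "Storage Blob Data Contributor"
+principal_id = azurerm_user_assigned_identity.vector[0].principal_id
+}
+
+# Federated credential for Vector workload identity
+resource "azurerm_federated_identity_credential" "vector" {
+count = var.enable_blob_logging ? 1 : 0
+name = "vector"
+resource_group_name = azurerm_resource_group.rg.name
+parent_id = azurerm_user_assigned_identity.vector[0].id
+audience = ["api://AzureADTokenExchange"]
+issuer = azurerm_kubernetes_cluster.aks.oidc_issuer_url
+subject = "system:serviceaccount:rulebricks:vector"
+}
+
+# Current subscription data
+data "azurerm_subscription" "current" {}
+
+# Outputs
+output "cluster_name" {
+value = azurerm_kubernetes_cluster.aks.name
+description = "AKS cluster name"
+}
+
+output "cluster_endpoint" {
+value = azurerm_kubernetes_cluster.aks.kube_config[0].host
+description = "AKS cluster endpoint"
+sensitive = true
+}
+
+output "cluster_ca_certificate" {
+value = azurerm_kubernetes_cluster.aks.kube_config[0].cluster_ca_certificate
+description = "Base64 encoded cluster CA certificate"
+sensitive = true
+}
+
+output "resource_group_name" {
+value = azurerm_resource_group.rg.name
+description = "Azure resource group name"
+}
+
+output "location" {
+value = var.location
+description = "Azure region"
+}
+
+output "kubeconfig_command" {
+value = "az aks get-credentials --name ${var.cluster_name} --resource-group ${var.resource_group_name}"
+description = "Command to update kubeconfig"
+}
+
+output "kube_config" {
+value = azurerm_kubernetes_cluster.aks.kube_config_raw
+description = "Raw kubeconfig for the AKS cluster"
+sensitive = true
+}
+
+output "external_dns_client_id" {
+value = var.enable_external_dns ? azurerm_user_assigned_identity.external_dns[0].client_id : ""
+description = "Client ID for external-dns managed identity"
+}
+
+output "vector_client_id" {
+value = var.enable_blob_logging ? azurerm_user_assigned_identity.vector[0].client_id : ""
+description = "Client ID for Vector managed identity"
+}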