30 changes: 24 additions & 6 deletions .github/copilot-instructions.md
Expand Up @@ -45,7 +45,7 @@ They are starting points that should cover the simplest use case.
A secondary purpose of these files is to serve as a ready-to-use Terraform module root that IaC runtimes can source directly.

- Must use variables for required user inputs.
- Must include `required_providers`.
- Must include `required_providers` (place the `terraform { required_providers { ... } }` block at the **bottom** of the file — resources and variables should come first so readers see the important configuration before technical boilerplate).
- Never include `provider` configuration.
- Reference modules using Git URLs and a ref pointing to the feature branch when developing. Once merged into main, the `update-module-refs` tooling in CI pins the ref to an appropriate commit.

Expand All @@ -61,12 +61,27 @@ is always required.
# Shared Hub reference — always include this variable
variable "hub" {
type = object({
git_ref = string
git_ref = optional(string, "main")
bbd_draft = optional(bool, false)
})
default = {
git_ref = "main"
}
description = "Hub release reference. Set git_ref to a tag (e.g. 'v1.2.3') or branch for the meshstack-hub repo."
default = {}
description = <<-EOT
`git_ref`: Hub release reference. Set to a tag (e.g. 'v1.2.3') or branch or commit sha of the meshstack-hub repo.
`bbd_draft`: If true, the building block definition version is kept in draft mode, which allows changing it (useful during development in LCF/ICF).
EOT
}
```

Always use `var.hub.bbd_draft` for the `draft` field of `version_spec` in `meshstack_building_block_definition` resources.

### Exposing the BBD Version

When a `meshstack_integration.tf` exposes the building block definition version UUID as an output (needed for compositions), use the following pattern to pin to released versions in production while allowing draft updates during development:

```hcl
output "building_block_definition_version_uuid" {
description = "UUID of the latest version. In draft mode returns the latest draft; otherwise returns the latest release."
value = var.hub.bbd_draft ? meshstack_building_block_definition.this.version_latest.uuid : meshstack_building_block_definition.this.version_latest_release.uuid
}
```

Expand Down Expand Up @@ -159,6 +174,9 @@ Do **not** commit these relative paths; switch back to the Hub GitHub URL before
- [ ] `buildingblock/README.md` with YAML front-matter
- [ ] `buildingblock/APP_TEAM_README.md` with shared responsibility matrix
- [ ] `ref_name` uses `var.hub.git_ref` — no hardcoded `"main"`
- [ ] `version_spec.draft` uses `var.hub.bbd_draft`
- [ ] `building_block_definition_version_uuid` output uses `bbd_draft ? version_latest.uuid : version_latest_release.uuid`
- [ ] `terraform { required_providers { ... } }` block is at the **bottom** of `meshstack_integration.tf`
- [ ] Test file covering positive, negative, and naming collision scenarios
- [ ] `logo.png` included in `buildingblock/`
- [ ] No trailing whitespace
55 changes: 16 additions & 39 deletions modules/aks/github-connector/backplane/main.tf
Expand Up @@ -9,59 +9,36 @@
# - update image pull secret
# - deployment
#
data "azurerm_subscription" "current" {
locals {
acr_resource_group_name = coalesce(var.acr.resource_group_name, azurerm_resource_group.bb_github_connector.name)
}

data "azurerm_kubernetes_cluster" "aks" {
name = "aks"
resource_group_name = "aks-rg"
name = var.aks.cluster_name
resource_group_name = var.aks.resource_group_name
}

resource "azurerm_resource_group" "bb_github_connector" {
name = "bb-github-connector"
location = "Germany West Central"
}

# SPN for Terraform state

resource "azuread_application" "bb_github_connector" {
display_name = "bb-github-connector"
}

resource "azuread_service_principal" "bb_github_connector" {
client_id = azuread_application.bb_github_connector.client_id
}

resource "azuread_service_principal_password" "bb_github_connector" {
service_principal_id = azuread_service_principal.bb_github_connector.id
}

resource "azurerm_role_assignment" "bb_github_connector" {
scope = data.azurerm_subscription.current.id
role_definition_name = "Contributor" # TODO: restrict permissions
principal_id = azuread_service_principal.bb_github_connector.object_id
}

resource "azurerm_role_assignment" "terraform_state" {
role_definition_name = "Storage Blob Data Owner"
principal_id = azuread_service_principal.bb_github_connector.object_id
scope = var.tfstates_resource_manager_id
name = var.resource_prefix
location = var.acr.location
}

# Container registry
# We're using a shared container registry for all consumers of this building block.
# This could easily be changed to deploy a dedicated container registry per building block
# or by making the container registry configurable.
# A shared ACR is used for all building block consumers by default.
# Set var.acr.resource_group_name to place the ACR in an existing resource group.

resource "azurerm_container_registry" "acr" {
name = "githubconnector"
resource_group_name = azurerm_resource_group.bb_github_connector.name
location = azurerm_resource_group.bb_github_connector.location
name = replace(var.resource_prefix, "-", "")
resource_group_name = local.acr_resource_group_name
location = var.acr.location
sku = "Basic"
}

# Service principal used by GitHub Actions to push images to ACR.
# Granted AcrPush (not Contributor) — scoped to this registry only.

resource "azuread_application" "bb_github_connector_acr" {
display_name = "bb-github-connector-acr"
display_name = "${var.resource_prefix}-acr"
}

resource "azuread_service_principal" "bb_github_connector_acr" {
Expand All @@ -74,7 +51,7 @@ resource "azuread_service_principal_password" "bb_github_connector_acr" {

resource "azurerm_role_assignment" "bb_github_connector_acr" {
scope = azurerm_container_registry.acr.id
role_definition_name = "Contributor"
role_definition_name = "AcrPush"
principal_id = azuread_service_principal.bb_github_connector_acr.object_id
}

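Review bot: The registry name `replace(var.resource_prefix, "-", "")` in `azurerm_container_registry.acr` only strips hyphens, but ACR names must be 5–50 alphanumeric characters and are globally unique, so a prefix containing `_` or `.`, or one shorter than five characters once hyphens are removed, is rejected at apply time instead of at plan. A `validation` block on `variable "resource_prefix"` (declared in variables.tf in this same change) would surface this early: `condition = can(regex("^[A-Za-z0-9-]+$", var.resource_prefix)) && length(replace(var.resource_prefix, "-", "")) >= 5 && length(replace(var.resource_prefix, "-", "")) <= 50`, with an `error_message` naming the ACR naming constraint. The default prefix still produces the fixed global name `bbgithubconnector`, so two deployments of this backplane with default inputs collide on the registry name just as the old hard-coded `githubconnector` did; the variable description could state that the default is meant to be overridden per deployment. The `azuread_service_principal_password.bb_github_connector_acr` block that feeds the `AcrPush` assignment starts outside the shown hunks, so its credential lifetime settings cannot be reviewed here.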
5 changes: 2 additions & 3 deletions modules/aks/github-connector/backplane/output.tf
Expand Up @@ -2,7 +2,7 @@ output "config_tf" {
description = "Generates a config.tf that can be dropped into meshStack's BuildingBlockDefinition as an encrypted file input to configure this building block."
sensitive = true
value = <<-EOF
provider "kubernetes" {
provider "kubernetes" {
host = "${data.azurerm_kubernetes_cluster.aks.kube_admin_config[0].host}"
cluster_ca_certificate = base64decode("${data.azurerm_kubernetes_cluster.aks.kube_admin_config[0].cluster_ca_certificate}")
client_certificate = base64decode("${data.azurerm_kubernetes_cluster.aks.kube_admin_config[0].client_certificate}")
Expand Down Expand Up @@ -32,6 +32,5 @@ output "config_tf" {
password = "${azuread_service_principal_password.bb_github_connector_acr.value}"
}
}
EOF
EOF
}

34 changes: 20 additions & 14 deletions modules/aks/github-connector/backplane/variables.tf
@@ -1,20 +1,26 @@
variable "tfstates_resource_manager_id" {
type = string
nullable = false
variable "resource_prefix" {
type = string
default = "bb-github-connector"
description = "Prefix used for all named resources created by this backplane (resource group, app registrations, ACR)."
}

variable "tfstates_resource_group_name" {
type = string
nullable = false
variable "aks" {
type = object({
cluster_name = string
resource_group_name = string
})
description = "Reference to the existing AKS cluster this building block connects to."
}

variable "tfstates_storage_account_name" {
type = string
nullable = false
}

variable "tfstates_storage_container_name" {
type = string
nullable = false
variable "acr" {
type = object({
location = string
resource_group_name = optional(string)
})
description = "Configuration for the shared Azure Container Registry. resource_group_name defaults to the resource group created by this backplane when omitted."
default = {
location = "Germany West Central"
resource_group_name = null
}
}
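Review bot: The replaced `tfstates_*` variables all carried `nullable = false`, but the new `resource_prefix` and `aks` declarations omit it, so a caller can pass `aks = null` and the failure only appears later when `var.aks.cluster_name` is read in main.tf. Adding `nullable = false` to `resource_prefix`, `aks` and `acr` keeps the previous contract; for `acr`, which has a default, a null input then falls back to the declared default instead of propagating. The `acr` description could also mention that `location` appears to drive the location of the backplane resource group as well as the registry, since main.tf reads `var.acr.location` in both places.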
