feat(infra): Terraform IaC for demo environment#37

Open
raykao wants to merge 9 commits intomainfrom
feat/terraform-infra
@raykao raykao commented Mar 26, 2026

What changed

Adds infra/ — a complete Terraform deployment for the agentic-platform-engineering demo environment. This was explicitly listed as a TODO in the root README.

What gets provisioned

| Resource | Details |
|---|---|
| Resource Group | rg-agentic-demo |
| VNet + subnet | 10.0.0.0/8 VNet, 10.240.0.0/16 AKS subnet |
| AKS cluster | Standard_D4s_v3 × 3 nodes, OIDC issuer + workload identity enabled |
| ACR | Basic SKU, auto-named acragentic<suffix>, AKS pull access via role assignment |
| User Assigned Managed Identity | + 5 federated credentials (GitHub env:copilot, env:demo, branch:main, PRs, AKS MCP SA) |
| ArgoCD | Via Helm (argo-helm chart), notifications controller enabled, LoadBalancer service |
| AKS MCP Server | Via Helm (OCI chart from ghcr.io/azure/aks-mcp), workload identity, port 8000 |

Why it's safe to merge

  • terraform validate passes clean — all 5 providers init and configuration is valid
  • No changes to any existing files — infra/ is entirely new
  • Local state by default; backend.tf.example provided for Azure Storage migration
  • No credentials or secrets committed — OIDC auth only (ARM_USE_OIDC=true)
  • *.tfvars excluded via .gitignore; only *.tfvars.example committed

After merging

See infra/README.md for full setup instructions. Minimum to get started:

cd infra/
cp terraform.tfvars.example terraform.tfvars  # set github_org + github_repo
terraform init && terraform apply

Closes: raykao/dark-factory#3

raykao and others added 9 commits March 26, 2026 15:01
Flat infra/ layout optimised for workshop readability. Providers wired
for azurerm (OIDC-ready), kubernetes and helm (from AKS output),
azuread and random. Local state by default; backend.tf.example provided
for Azure Storage migration. Placeholder files created for all
subsequent tasks (aks, acr, identity, kubernetes, argocd, aks-mcp).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Simple flat networking for demo: /8 VNet, /16 AKS subnet.
No NSGs or NAT gateway — demo environment only.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Basic SKU for demo; name auto-generated from random suffix if not
provided via var.acr_name. Admin disabled — workload identity used
for AKS pull access (role assignment added in aks.tf).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Standard_D4s_v3 x3 nodes, Azure CNI, OIDC issuer enabled, workload
identity enabled. ACR pull role assigned to kubelet identity.
Kubernetes and Helm providers wired to cluster kube_config output.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
4 federated credentials: environments copilot+demo, branch main, PRs.
UAMI granted Contributor on RG and AKS Cluster Admin for workflow use.
github_actions_env_vars output surfaces all ARM_* values needed for
GitHub Actions secrets — no static credentials required.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…rnetes.tf)

argocd and aks-mcp namespaces. Workload identity service account for
aks-mcp with UAMI client ID annotation. Federated credential wiring
the SA to the UAMI via the cluster OIDC issuer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
argo-helm chart, notifications controller enabled (required for
ArgoCD → GitHub webhook integration in Act-3). Admin password
auto-generated, sensitive output. LoadBalancer service type.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Uses pre-created workload identity SA (kubernetes.tf). Workload
identity pod label set so Azure SDK picks up federated token.
Port 8000 — matches .copilot/mcp-config.json localhost reference.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Covers prerequisites, quick-start, post-apply commands, GitHub
Actions secrets setup, and optional Azure Storage backend migration.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
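The federated-credential pattern that the PR description and the identity and kubernetes commits describe, written out as an added example so the trust boundary is visible in one place. This is not code from the PR or from the dark-factory repository. The resource names (azurerm_resource_group.demo, azurerm_user_assigned_identity.workflow, azurerm_kubernetes_cluster.demo, kubernetes_namespace.aks_mcp), the identity name and the exact output shape are assumptions; the subject strings, issuer and audience are the standard GitHub Actions OIDC values, and the ARM_* names are the azurerm provider's environment variables.

```hcl
# Added example, not the PR's own infra/ code. Assumed: var.github_org,
# var.github_repo, azurerm_resource_group.demo and an AKS cluster resource
# named azurerm_kubernetes_cluster.demo with oidc_issuer_enabled = true.

data "azurerm_client_config" "current" {}

locals {
  github_issuer  = "https://token.actions.githubusercontent.com"
  # Audience Entra ID expects to find in the exchanged GitHub token.
  azure_audience = ["api://AzureADTokenExchange"]
  repo           = "${var.github_org}/${var.github_repo}"

  # Each subject is an exact-match claim; there is no wildcard. A credential
  # for environment "demo" does not admit a job running for "copilot", and the
  # branch credential admits refs/heads/main only, not tags or other branches.
  github_subjects = {
    env-copilot  = "repo:${local.repo}:environment:copilot"
    env-demo     = "repo:${local.repo}:environment:demo"
    branch-main  = "repo:${local.repo}:ref:refs/heads/main"
    pull-request = "repo:${local.repo}:pull_request"
  }
}

resource "azurerm_user_assigned_identity" "workflow" {
  name                = "id-agentic-workflow" # assumed name
  location            = azurerm_resource_group.demo.location
  resource_group_name = azurerm_resource_group.demo.name
}

# One federated credential per GitHub subject. The identity has no client
# secret; a GitHub token is accepted only when issuer, audience and subject
# all match the values fixed here.
resource "azurerm_federated_identity_credential" "github" {
  for_each = local.github_subjects

  name                = "github-${each.key}"
  resource_group_name = azurerm_resource_group.demo.name
  parent_id           = azurerm_user_assigned_identity.workflow.id
  audience            = local.azure_audience
  issuer              = local.github_issuer
  subject             = each.value
}

# In-cluster side: the aks-mcp service account is federated through the
# cluster's own OIDC issuer, so the pod exchanges its projected SA token for
# an Azure token without any secret being mounted.
resource "kubernetes_namespace" "aks_mcp" {
  metadata {
    name = "aks-mcp"
  }
}

resource "kubernetes_service_account" "aks_mcp" {
  metadata {
    name      = "aks-mcp"
    namespace = kubernetes_namespace.aks_mcp.metadata[0].name
    annotations = {
      # Tells the workload-identity webhook which identity to request a token for.
      "azure.workload.identity/client-id" = azurerm_user_assigned_identity.workflow.client_id
    }
  }
}

resource "azurerm_federated_identity_credential" "aks_mcp" {
  name                = "aks-mcp-sa"
  resource_group_name = azurerm_resource_group.demo.name
  parent_id           = azurerm_user_assigned_identity.workflow.id
  audience            = local.azure_audience
  # Populated only when the cluster was created with oidc_issuer_enabled = true.
  issuer              = azurerm_kubernetes_cluster.demo.oidc_issuer_url
  # Standard Kubernetes service-account subject: namespace and SA name, exact match.
  subject             = "system:serviceaccount:${kubernetes_namespace.aks_mcp.metadata[0].name}:${kubernetes_service_account.aks_mcp.metadata[0].name}"
}

# Everything a GitHub Actions workflow needs to authenticate with OIDC.
# None of these values is a secret in the credential sense: there is no
# client secret to store, only identifiers plus ARM_USE_OIDC=true.
output "github_actions_env_vars" {
  value = {
    ARM_USE_OIDC        = "true"
    ARM_CLIENT_ID       = azurerm_user_assigned_identity.workflow.client_id
    ARM_TENANT_ID       = data.azurerm_client_config.current.tenant_id
    ARM_SUBSCRIPTION_ID = data.azurerm_client_config.current.subscription_id
  }
}
```

The point a reviewer would check after apply is the subject list, since that is the whole access-control decision for a secretless identity. The two environment subjects and the branch subject are narrow. The pull_request subject is the broadest of the four: it matches a workflow run for any pull request in the repository, and the PR grants this same identity Contributor on the resource group. If that is wider than the PR workflow needs, the least-privilege option is a second identity carrying only the pull_request credential with a read-only role, leaving Contributor on the identity that the main-branch and environment subjects bind to.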