Infrastructure as Code (IaC) Terraform to install all Azure IoT Operations (AIO) components. Provides an optional infrastructure deployment that configures a Kubernetes cluster connected to Azure Arc. Includes Terraform module for deploying each part; Infra, Azure IoT Operations, and/or OPC PLC Simulator easy and reusable.
Warning
This Azure Edge Extensions has confirmed compatiblity with the 0.5.0 preview version of Azure IoT Operations. Please review AIO release notes for current preview version releases.
This project utilizes Terraform to do the following:
- (Optional) Provision an appropriately sized VM in Azure for Kubernetes and AIO.
- (Optional) Provision necessary service principals for onboarding Arc and Azure Key Vault Secrets Provider access in the cluster.
- (Optional) Creates self-signed certificates used within AIO.
- Install Azure IoT Orchestrator into the cluster.
- Install Azure IoT MQ into the cluster.
- Install Azure IoT Data Processor into the cluster.
- Install Azure IoT Akri agent into the cluster.
- Install Azure IoT OPC UA Broker into the cluster.
- Install Azure IoT Layered Network Management into the cluster.
- Install IoT OPC PLC Simulator managed through Terraform.
- (Optionally for Windows) WSL installed and setup.
- Azure CLI available on the command line where this will be deployed.
- Terraform available on the command line where this will be deployed.
- (Optional) Owner access to a Subscription to deploy the infrastructure.
- (Or) Owner access to a Resource Group with an existing cluster configured and connected to Azure Arc.
You may need to manually register the providers. This can be achieved by running the following Azure CLI commands from the command line (after az login
):
az provider register -n "Microsoft.ExtendedLocation"
az provider register -n "Microsoft.Kubernetes"
az provider register -n "Microsoft.KubernetesConfiguration"
az provider register -n "Microsoft.IoTOperationsOrchestrator"
az provider register -n "Microsoft.IoTOperationsMQ"
az provider register -n "Microsoft.IoTOperationsDataProcessor"
az provider register -n "Microsoft.DeviceRegistry"
# Verify the providers are registered with the following commands
az provider show -n "Microsoft.ExtendedLocation" --query "registrationState"
az provider show -n "Microsoft.Kubernetes" --query "registrationState"
az provider show -n "Microsoft.KubernetesConfiguration" --query "registrationState"
az provider show -n "Microsoft.IoTOperationsOrchestrator" --query "registrationState"
az provider show -n "Microsoft.IoTOperationsMQ" --query "registrationState"
az provider show -n "Microsoft.IoTOperationsDataProcessor" --query "registrationState"
az provider show -n "Microsoft.DeviceRegistry" --query "registrationState"
- Login to the AZ CLI:
az login --tenant <tenant>.onmicrosoft.com
- Make sure your subscription is the one that you would like to use:
az account show
. - Change to the subscription that you would like to use if needed:
az account set -s <subscription-id>
- Make sure your subscription is the one that you would like to use:
- Add a
<unique-name>.auto.tfvars
file to the root of the deploy directory that contains the following (refer to deploy/sample-aio.auto.tfvars.example for an example):// <project-root>/deploy/<unique-name>.auto.tfvars name = "sample-aio" location = "westus3" should_create_virtual_machine = "<true/false>" is_linux_server = "<true/false>" should_use_event_hub = "<true/false>"
- From the deploy directory execute the following (the
<unique-name>.auto.tfvars
created earlier will automatically be applied):terraform init terraform apply
NOTE: Follow these instructions if you want to skip deploying
infra
and are only wanting to useaio-full
and/oropc-plc-sim
.
It is possible to use this repository to deploy Azure IoT Operations to an existing Azure Arc enabled cluster in an existing Resource Group. Ensure your cluster is setup and configured with the following prerequisites before deploying Azure IoT Operations.
- An Azure Arc connected cluster in a Resource Group that meets the minimum requirements for Azure IoT Operations.
- Follow these instructions to make sure the following Connect a Kubernetes cluster to Azure Arc:
- user watch/instance limits have been increased.
- The cluster has been
az connectedk8s connect
connected to Azure. - The cluster has
az connectedk8s enable-features
enabled forcustom-locations
.
- Follow these instructions to make sure the following Connect a Kubernetes cluster to Azure Arc:
- All Azure Providers for Azure IoT Operations have been registered into your subscription.
- An Azure Key Vault in a Resource Group that has RBAC Authorization disabled.
- A placeholder secret in the Azure Key Vault.
- A Service Principal with access policies to
List
andGet
Secrets on the Azure Key Vault withuser_impersonation
API permissions.- The following AZ CLI commands will create a new Service Principal and give it the API permissions.
# Keep track of the clientId, clientSecret, subscriptionId, and tenantId az ad sp create-for-rbac -n <your-service-principal-name> --json-auth # Grant your new app registration 'user_impersonation' on AzureKeyVault # - AzureKeyVault is the well-known GUID cfa8b339-82a2-471a-a3c9-0fc0be7a4093 # - user_impersonation for AzureKeyVault is the well-known GUID f53da476-18e3-4152-8e01-aec403e6edc0 az ad app permission add --id <clientId-from-above> --api cfa8b339-82a2-471a-a3c9-0fc0be7a4093 --api-permissions f53da476-18e3-4152-8e01-aec403e6edc0=Scope # Print out the new app registration Object ID OBJECTID=$(az ad app show --id <clientId-from-above> --query 'id' -o tsv) # Set the Azure Key Vault Access Policies for the new app registration az keyvault set-policy -n <key-vault-name> -g <resource-group-name> --object-id "$OBJECTID" --secret-permissions get list --key-permissions get list --certificate-permissions get list
- The following AZ CLI commands will create a new Service Principal and give it the API permissions.
- The Azure Key Vault Secret Provider Arc Extension installed into the cluster.
az k8s-extension create -g <resource-group-name> -c <arc-cluster-name> -n "aks-secrets-provider" -t "connectedClusters" --extension-type "Microsoft.AzureKeyVaultSecretsProvider"
Refer to deploy/modules/infra/scripts and deploy/modules/infra/manifests for additional required Kubernetes objects that must be present in the cluster before Azure IoT Operations can be installed.
- Refer to the Quickstart for instructions on setting up the root
.tfvars
file. - Update the new
<unique-name>.auto.tfvars
with the following (unless defaults were used):- The
resource_group_name
. - The
arc_cluster_name
. - The
key_vault_name
.
- The
- Execute the
terraform
commands the same way in the deploy directory:terraform init terraform apply"
It is possible to use the Terraform modules directly from this repository using the module primitive supported by HCL syntax.
An example of deploying just aio-full
using Terraform from another repo would look like the following:
module "aio_full" {
source = "github.com/azure-samples/azure-edge-extensions-aio-iac-terraform//deploy/modules/aio-full"
name = var.name
location = var.location
}
If you would like to lock the module on a particular tag that's possible by adding a ?ref=<tag>
version to the end of the source
field.
module "aio_full_with_tag" {
source = "github.com/azure-samples/azure-edge-extensions-aio-iac-terraform//deploy/modules/aio-full?ref=0.1.4"
name = var.name
location = var.location
}