Friday 30 June 2023

Zero Downtime Blue-Green Deployment for AKS with Terraform - Simulation Using a Resource Group with Pipeline Steps

In this post we use a resource group to demo a blue-green deployment scenario for AKS with Terraform IaC, to understand the steps required for a successful pipeline implementation. The same pattern can be applied to deploy other Azure resources as well. Instead of the two resource groups used here to run the demo faster, an actual implementation can be two AKS clusters (blue and green) within a single resource group or in two resource groups. The full pipeline with Terraform IaC for AKS blue-green with application deployments will be discussed in a future post(s). For now let's look at the example blue-green deployment, using a resource group to represent an AKS cluster, which is used to validate the blue-green deployment algorithm for AKS.

Full algorithm test information and Terraform files are available in the links below.

Saturday 24 June 2023

Fix Terraform Azure AD Group Read with "403 Insufficient privileges" in Azure Pipelines

For deploying Azure resources with Terraform via Azure Pipelines we use service principals (SPN) to connect to Azure from Azure DevOps. You might encounter "403 Insufficient privileges" errors while trying to read Azure AD group data, which you might want to use to create role assignments on the new resources you are provisioning with Terraform. For example, it can be an Azure AD group referenced as a data source, as shown below.


# refer to sub_owners AD group to assign as aks admins
data "azuread_group" "myteam" {
  display_name     = "sub_owners"
  security_enabled = true
}

Let's look at how to resolve the exception "403 Insufficient privileges".

Wednesday 21 June 2023

Fix Azure Advisor "Update VNet permission of Application Gateway users" in AKS Application Gateway Ingress Controller (AGIC) App Gateway

In the last two days there was an alert on the AKS ingress app gateway, recommending to "Update VNet permission of Application Gateway users". Then, starting on 20th June 2023, any newly created AKS cluster with AGIC started to fail to manage ingress settings on the app gateway in the eastus region. The same behaviour is shown in the westeurope region today, 21 June 2023.


ch-demo-dev-euw-005-aks-agw-snet to perform action Microsoft.Network/virtualNetworks/subnets/join/action. For details on the required permissions, 

Sunday 11 June 2023

HPA Desired Pod Counts for All Services Summary - Grafana Chart with Azure Monitor for AKS

Monitoring the desired pod count of each horizontal pod autoscaler for your application is useful to get a summarized view that helps you understand the scale-out demand of each individual service. We can enable monitoring of an AKS cluster with Managed Grafana in Azure, using Azure Monitor and a Log Analytics Workspace. Let's write a query and create a Grafana chart for this purpose.
