quixio
diff --git a/‎.github/workflows/terraform-module.yml‎
Lines changed: 7 additions & 2 deletions b/‎.github/workflows/terraform-module.yml‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 38 additions & 0 deletions b/‎README.md‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎examples/private-quix-infr-external-vnet/main.tf‎
Lines changed: 144 additions & 0 deletions b/‎examples/private-quix-infr-external-vnet/main.tf‎
Lines changed: 144 additions & 0 deletions
diff --git a/‎examples/public-quix-infr-tiered-storage/main.tf‎
Lines changed: 101 additions & 0 deletions b/‎examples/public-quix-infr-tiered-storage/main.tf‎
Lines changed: 101 additions & 0 deletions
diff --git a/‎modules/quix-aks/README.md‎
Lines changed: 13 additions & 0 deletions b/‎modules/quix-aks/README.md‎
Lines changed: 13 additions & 0 deletions
@@ -5,6 +5,7 @@ on:
     branches: [ main, dev ]
     paths:
       - 'modules/quix-aks/**'
+      - 'modules/tiered-storage/**'
       - '.github/workflows/terraform-module.yml'
   workflow_dispatch:
     inputs:
@@ -24,7 +25,11 @@ jobs:
     runs-on: ubuntu-latest
     defaults:
       run:
-        working-directory: modules/quix-aks
+        working-directory: ${{ matrix.module }}
+    strategy:
+      fail-fast: false
+      matrix:
+        module: [ 'modules/quix-aks', 'modules/tiered-storage' ]
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -48,7 +53,7 @@ jobs:
       - name: Generate terraform-docs (inject & commit)
         uses: terraform-docs/[email protected]
         with:
-          working-dir: modules/quix-aks
+          working-dir: ${{ matrix.module }}
           output-file: README.md
           output-method: inject
           config-file: ''
 
@@ -11,9 +11,14 @@ Repository of production-ready Terraform modules for installing quix-platform.
   - `rbac.tf`: role assignments for the managed identity
   - `bastion.tf`: Azure Bastion + jumpbox (optional)
   - `README.md`: terraform-docs generated documentation
+- `modules/tiered-storage/` (Tiered Storage module)
+  - `main.tf`: Storage Account, federated identity credentials, role assignment for kubelet identity
+  - `README.md`: terraform-docs generated documentation
 - `examples/` usage examples
   - `public-quix-infr/`: public cluster
   - `private-quix-infr/`: private cluster with Bastion + jumpbox
+  - `public-quix-infr-tiered-storage/`: public cluster + tiered-storage module
+  - `private-quix-infr-external-vnet/`: private cluster using external VNet/Subnets, external NAT (BYO), and Bastion subnet
 - `BASTION_ACCESS.md`: how to access a private AKS via Bastion
 
 ## AKS module (quix-aks)
@@ -29,6 +34,31 @@ cd modules/quix-aks
 terraform-docs markdown table --output-file README.md --output-mode inject .
 ```
 
+### Bring Your Own NAT (BYO NAT)
+
+You can use an external NAT Gateway instead of creating one:
+
+```hcl
+module "quix_aks" {
+  # ...
+  create_nat     = false
+  nat_gateway_id = azurerm_nat_gateway.external.id
+}
+```
+
+## Tiered Storage module (tiered-storage)
+
+Module documentation (inputs/outputs/resources):
+
+- [modules/tiered-storage/README.md](modules/tiered-storage/README.md) (generated with terraform-docs)
+
+Regenerate docs (requires `terraform-docs`):
+
+```bash
+cd modules/tiered-storage
+terraform-docs markdown table --output-file README.md --output-mode inject .
+```
+
 ## Examples
 
 Public example:
@@ -47,6 +77,14 @@ terraform init
 terraform apply
 ```
 
+External VNet + external NAT + Bastion subnet example:
+
+```bash
+cd examples/private-quix-infr-external-vnet
+terraform init
+terraform apply
+```
+
 Access a private AKS: see `BASTION_ACCESS.md`.
 
 ## Requirements
 
@@ -0,0 +1,144 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.112"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+# Resource group Created externally
+resource "azurerm_resource_group" "this" {
+  name     = "rg-quix-private"
+  location = "westeurope"
+}
+
+# External VNet and subnets (managed outside the module)
+resource "azurerm_virtual_network" "ext" {
+  name                = "vnet-quix-private"
+  location            = azurerm_resource_group.this.location
+  resource_group_name = azurerm_resource_group.this.name
+  address_space       = ["10.240.0.0/16"]
+}
+
+resource "azurerm_subnet" "nodes_ext" {
+  name                 = "Subnet-Nodes"
+  resource_group_name  = azurerm_resource_group.this.name
+  virtual_network_name = azurerm_virtual_network.ext.name
+  address_prefixes     = ["10.240.0.0/22"]
+}
+
+resource "azurerm_subnet" "bastion_ext" {
+  name                 = "AzureBastionSubnet"
+  resource_group_name  = azurerm_resource_group.this.name
+  virtual_network_name = azurerm_virtual_network.ext.name
+  address_prefixes     = ["10.240.5.0/27"]
+}
+
+
+# External NAT (bring your own)
+resource "azurerm_public_ip" "nat_ext" {
+  name                = "pip-quix-private-nat-ext"
+  location            = azurerm_resource_group.this.location
+  resource_group_name = azurerm_resource_group.this.name
+  allocation_method   = "Static"
+  sku                 = "Standard"
+  zones               = ["2"]
+}
+
+resource "azurerm_nat_gateway" "ext" {
+  name                = "ngw-quix-private-ext"
+  location            = azurerm_resource_group.this.location
+  resource_group_name = azurerm_resource_group.this.name
+  sku_name            = "Standard"
+}
+
+resource "azurerm_nat_gateway_public_ip_association" "ext" {
+  nat_gateway_id       = azurerm_nat_gateway.ext.id
+  public_ip_address_id = azurerm_public_ip.nat_ext.id
+}
+
+resource "azurerm_subnet_nat_gateway_association" "nodes_ext" {
+  subnet_id      = azurerm_subnet.nodes_ext.id
+  nat_gateway_id = azurerm_nat_gateway.ext.id
+}
+
+
+module "aks" {
+  source = "../../modules/quix-aks"
+
+  name                    = "quix-aks-private"
+  location                = "westeurope"
+  resource_group_name     = azurerm_resource_group.this.name
+  create_resource_group   = false
+  kubernetes_version      = "1.32.4"
+  sku_tier                = "Standard"
+  private_cluster_enabled = true
+
+  vnet_name          = "vnet-quix-private"
+  vnet_address_space = ["10.240.0.0/16"]
+  nodes_subnet_name  = "Subnet-Nodes"
+  nodes_subnet_cidr  = "10.240.0.0/22"
+
+  # Reuse external VNet/Subnets
+  vnet_id         = azurerm_virtual_network.ext.id
+  nodes_subnet_id = azurerm_subnet.nodes_ext.id
+
+  nat_identity_name = "quix-private-nat-id"
+  public_ip_name    = "quix-private-nat-ip"
+  nat_gateway_name  = "quix-private-nat"
+  availability_zone = "2"
+
+  enable_credentials_fetch = true
+  node_pools = {
+    default = {
+      name       = "default"
+      type       = "system"
+      node_count = 2
+      vm_size    = "Standard_D4ds_v5"
+    }
+  }
+
+  network_profile = {
+    network_plugin_mode = "overlay"
+    service_cidr        = "172.22.0.0/16"
+    dns_service_ip      = "172.22.0.10"
+    pod_cidr            = "10.144.0.0/16"
+  }
+  # Bring your own NAT
+  create_nat            = false
+  nat_gateway_id        = azurerm_nat_gateway.ext.id
+  create_nodes_subnet   = false
+  create_vnet           = false
+  create_bastion_subnet = false
+  enable_bastion        = true
+  bastion_name          = "quix-bastion"
+  # Reuse external Bastion subnet & IP
+  bastion_subnet_id = azurerm_subnet.bastion_ext.id
+
+  jumpbox_name           = "quix-jumpbox"
+  jumpbox_vm_size        = "Standard_B2s"
+  jumpbox_admin_username = "azureuser"
+  jumpbox_ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3Zz+tHUEI7ulzE69GxtLwi9DOvROBG4aI7h3za2FAP6Ya9/GhG2zcBiKOzk3SlKavE3/5NomgGifTC/ica6rTPlpb4U5oky/2phs9AtczVVI2G+yNC43hJzVhWbqKT3qAGGCGEm2+Cpxx7spKEbZAfAcq5GxL3k9kTcpaQEv3hpVvqK3zlCziHyahUv1pxQGuX3b2hqi4idgFX3m0FaqU98DtQu/I9x95jXHrb7Wltp3sbTSKCDxGo3nk4plpzILs/OqTMSPpfxwarCXA1ZtU82hyWO4Szn2U4I+MbuNaO/dso1oNlprqJQgsQ8t+hawCdIHeZ00M/QELdnYldBjo1jM19AT1OwMcB7PP7GRTNv7YsDW10YCvX9XRPab66PIKpe5R4IG/n6TzEwUP2pb4hRJWvnPJzrHK5HEJg7G7baCEyjCtaWkL4M7dBxIGJ3sp9IfjdeztV2Llh+hYmwPefTejprER+Q/qHZTNr1wEW4BV0TQQd+jeqdIL4QkIno3IyM3IBX+uPM/WlSpi2sT+hDqiUcCRu/x21O/bVYz/UbeHIqptRDfGc5rVoAN/zc/kGsGeGuP3auyI6aQxlnU0wMDdyS8rf3SpWagOB2UFNxZSuU2gnYdtz2uWG4vF75Sqr04MFJImHIY4N7gHJrvdarg6YBaDDnmdREcqp3ooAw== "
+
+  oidc_issuer_enabled       = true
+  workload_identity_enabled = true
+
+
+  tags = {
+    environment = "demo"
+    project     = "Quix"
+  }
+
+  depends_on = [
+    azurerm_resource_group.this,
+    azurerm_subnet.bastion_ext,
+    azurerm_subnet_nat_gateway_association.nodes_ext
+  ]
+}
+
+
@@ -0,0 +1,101 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.112"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+module "aks" {
+  source = "../../modules/quix-aks"
+
+  name                    = "quix-aks-public"
+  location                = "westeurope"
+  resource_group_name     = "rg-quix-public"
+  create_resource_group   = true
+  kubernetes_version      = "1.32.4"
+  sku_tier                = "Standard"
+  private_cluster_enabled = false
+
+  vnet_name          = "vnet-quix-public"
+  vnet_address_space = ["10.240.0.0/16"]
+  nodes_subnet_name  = "Subnet-Nodes"
+  nodes_subnet_cidr  = "10.240.0.0/22"
+
+  nat_identity_name = "quix-public-nat-id"
+  public_ip_name    = "quix-public-nat-ip"
+  nat_gateway_name  = "quix-public-nat"
+  availability_zone = "1"
+
+  enable_credentials_fetch = true
+
+  node_pools = {
+    default = {
+      name       = "default"
+      type       = "system"
+      node_count = 1
+      vm_size    = "Standard_D4ds_v5"
+    },
+    quix_controller = {
+      name       = "quixcontroller"
+      type       = "user"
+      node_count = 1
+      vm_size    = "Standard_D4ds_v5"
+      taints     = ["dedicated=controller:NoSchedule"]
+      labels     = { role = "controller" }
+    }
+    quix_deployments = {
+      name       = "quixdeployment"
+      type       = "user"
+      node_count = 1
+      vm_size    = "Standard_D4ds_v5"
+      taints     = ["dedicated=controller:NoSchedule"]
+      labels     = { role = "controller" }
+    }
+  }
+
+  network_profile = {
+    network_plugin_mode = "vnet"
+    service_cidr        = "172.22.0.0/16"
+    dns_service_ip      = "172.22.0.10"
+  }
+
+  oidc_issuer_enabled       = true
+  workload_identity_enabled = true
+
+  tags = {
+    environment = "demo"
+    project     = "Quix"
+  }
+}
+
+module "tiered_storage" {
+  source = "../../modules/tiered-storage"
+
+  resource_group_name        = module.aks.resource_group_name
+  location                   = module.aks.resource_group_location
+  storage_account_name       = "quixstorpublic01" # must be globally unique
+  cluster_name               = module.aks.cluster_name
+  aks_oidc_issuer_url        = module.aks.oidc_issuer_url
+  kubelet_identity_object_id = module.aks.kubelet_identity_object_id
+
+  # Use the cluster managed identity client/resource from AKS module
+  cluster_identity_resource_id = module.aks.cluster_identity_resource_id
+
+  federated_bindings = [
+    { namespace = "default", service_account_name = "tiered-storage-sa" },
+    { namespace = "analytics", service_account_name = "tiered-storage-sa" }
+  ]
+
+  tags = {
+    environment = "demo"
+    project     = "Quix"
+  }
+}
+
+
@@ -43,6 +43,9 @@ No modules.
 | [azurerm_resource_group.existing](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_role_definition.contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
 | [azurerm_role_definition.network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
+| [azurerm_subnet.bastion](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.nodes](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_virtual_network.existing](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 
 ## Inputs
 
@@ -51,9 +54,15 @@ No modules.
 | <a name="input_attach_identity_ids"></a> [attach\_identity\_ids](#input\_attach\_identity\_ids) | Additional user-assigned identity IDs to attach to the cluster | `list(string)` | `[]` | no |
 | <a name="input_availability_zone"></a> [availability\_zone](#input\_availability\_zone) | Availability zone for public IP | `string` | n/a | yes |
 | <a name="input_bastion_name"></a> [bastion\_name](#input\_bastion\_name) | Name of the Azure Bastion resource | `string` | `"QuixBastion"` | no |
+| <a name="input_bastion_public_ip_id"></a> [bastion\_public\_ip\_id](#input\_bastion\_public\_ip\_id) | Existing Bastion Public IP ID to reuse (skip public IP creation when set) | `string` | `null` | no |
 | <a name="input_bastion_public_ip_name"></a> [bastion\_public\_ip\_name](#input\_bastion\_public\_ip\_name) | Name of the Public IP for Azure Bastion | `string` | `"QuixBastionIP"` | no |
 | <a name="input_bastion_subnet_cidr"></a> [bastion\_subnet\_cidr](#input\_bastion\_subnet\_cidr) | CIDR for AzureBastionSubnet | `string` | `"10.0.64.0/27"` | no |
+| <a name="input_bastion_subnet_id"></a> [bastion\_subnet\_id](#input\_bastion\_subnet\_id) | Existing AzureBastionSubnet ID to reuse (skip subnet creation when set) | `string` | `null` | no |
+| <a name="input_create_bastion_subnet"></a> [create\_bastion\_subnet](#input\_create\_bastion\_subnet) | Whether to create AzureBastionSubnet (set false when supplying bastion\_subnet\_id) | `bool` | `true` | no |
+| <a name="input_create_nat"></a> [create\_nat](#input\_create\_nat) | Whether to create NAT Gateway and its Public IP (set false to bring your own) | `bool` | `true` | no |
+| <a name="input_create_nodes_subnet"></a> [create\_nodes\_subnet](#input\_create\_nodes\_subnet) | Whether to create the nodes subnet (set false when using external nodes\_subnet\_id) | `bool` | `true` | no |
 | <a name="input_create_resource_group"></a> [create\_resource\_group](#input\_create\_resource\_group) | Whether to create the resource group | `bool` | `true` | no |
+| <a name="input_create_vnet"></a> [create\_vnet](#input\_create\_vnet) | Whether to create the VNet (set false when using external vnet\_id) | `bool` | `true` | no |
 | <a name="input_enable_bastion"></a> [enable\_bastion](#input\_enable\_bastion) | Deploy Azure Bastion and its required subnet | `bool` | `false` | no |
 | <a name="input_enable_credentials_fetch"></a> [enable\_credentials\_fetch](#input\_enable\_credentials\_fetch) | Run az aks get-credentials after creating the cluster | `bool` | `false` | no |
 | <a name="input_jumpbox_admin_username"></a> [jumpbox\_admin\_username](#input\_jumpbox\_admin\_username) | Admin username for the jumpbox | `string` | `"azureuser"` | no |
@@ -63,11 +72,13 @@ No modules.
 | <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | Kubernetes version | `string` | n/a | yes |
 | <a name="input_location"></a> [location](#input\_location) | Azure region | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Name of the AKS cluster | `string` | n/a | yes |
+| <a name="input_nat_gateway_id"></a> [nat\_gateway\_id](#input\_nat\_gateway\_id) | Existing NAT Gateway ID to associate when create\_nat is false | `string` | `null` | no |
 | <a name="input_nat_gateway_name"></a> [nat\_gateway\_name](#input\_nat\_gateway\_name) | Name of the NAT Gateway | `string` | n/a | yes |
 | <a name="input_nat_identity_name"></a> [nat\_identity\_name](#input\_nat\_identity\_name) | Name of the managed identity for NAT | `string` | n/a | yes |
 | <a name="input_network_profile"></a> [network\_profile](#input\_network\_profile) | AKS network profile | <pre>object({<br/>    network_plugin_mode = string # "overlay" or "vnet"<br/>    service_cidr        = string<br/>    dns_service_ip      = string<br/>    pod_cidr            = optional(string)<br/>    network_policy      = optional(string, "calico")<br/>    outbound_type       = optional(string, "userAssignedNATGateway")<br/>  })</pre> | n/a | yes |
 | <a name="input_node_pools"></a> [node\_pools](#input\_node\_pools) | Map of additional node pools (include a 'system' pool to override default) | <pre>map(object({<br/>    name       = string<br/>    type       = string # system | user<br/>    node_count = number<br/>    vm_size    = string<br/>    max_pods   = optional(number)<br/>    taints     = optional(list(string))<br/>    labels     = optional(map(string))<br/>    mode       = optional(string) # system | user (overrides type)<br/>  }))</pre> | `{}` | no |
 | <a name="input_nodes_subnet_cidr"></a> [nodes\_subnet\_cidr](#input\_nodes\_subnet\_cidr) | CIDR for the AKS nodes subnet | `string` | n/a | yes |
+| <a name="input_nodes_subnet_id"></a> [nodes\_subnet\_id](#input\_nodes\_subnet\_id) | Existing nodes subnet ID to reuse (skip subnet creation when set) | `string` | `null` | no |
 | <a name="input_nodes_subnet_name"></a> [nodes\_subnet\_name](#input\_nodes\_subnet\_name) | Name of the AKS nodes subnet | `string` | n/a | yes |
 | <a name="input_oidc_issuer_enabled"></a> [oidc\_issuer\_enabled](#input\_oidc\_issuer\_enabled) | Enable OIDC issuer | `bool` | `true` | no |
 | <a name="input_private_cluster_enabled"></a> [private\_cluster\_enabled](#input\_private\_cluster\_enabled) | Enable AKS private cluster | `bool` | `false` | no |
@@ -76,6 +87,7 @@ No modules.
 | <a name="input_sku_tier"></a> [sku\_tier](#input\_sku\_tier) | AKS tier (Free or Standard) | `string` | `"Standard"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to resources | `map(string)` | `{}` | no |
 | <a name="input_vnet_address_space"></a> [vnet\_address\_space](#input\_vnet\_address\_space) | Address space for the Virtual Network | `list(string)` | n/a | yes |
+| <a name="input_vnet_id"></a> [vnet\_id](#input\_vnet\_id) | Existing VNet ID to reuse (skip VNet creation when set) | `string` | `null` | no |
 | <a name="input_vnet_name"></a> [vnet\_name](#input\_vnet\_name) | Name of the Virtual Network | `string` | n/a | yes |
 | <a name="input_workload_identity_enabled"></a> [workload\_identity\_enabled](#input\_workload\_identity\_enabled) | Enable workload identity | `bool` | `true` | no |
 
@@ -86,6 +98,7 @@ No modules.
 | <a name="output_aks_id"></a> [aks\_id](#output\_aks\_id) | ID of the AKS cluster |
 | <a name="output_cluster_identity_client_id"></a> [cluster\_identity\_client\_id](#output\_cluster\_identity\_client\_id) | Client ID of the cluster's user-assigned identity |
 | <a name="output_cluster_identity_principal_id"></a> [cluster\_identity\_principal\_id](#output\_cluster\_identity\_principal\_id) | Principal ID of the cluster's user-assigned identity |
+| <a name="output_cluster_identity_resource_id"></a> [cluster\_identity\_resource\_id](#output\_cluster\_identity\_resource\_id) | Resource ID of the cluster's user-assigned identity |
 | <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | AKS cluster name |
 | <a name="output_fqdn"></a> [fqdn](#output\_fqdn) | Public FQDN of the API server (null if private) |
 | <a name="output_kubelet_identity_client_id"></a> [kubelet\_identity\_client\_id](#output\_kubelet\_identity\_client\_id) | Kubelet identity client ID |