From dfa5cffb5cc9fc34ed0ee57740795862d7cbe7b6 Mon Sep 17 00:00:00 2001 From: zjhe Date: Thu, 14 Jul 2022 10:29:56 +0800 Subject: [PATCH 01/20] Sort assignments, variables, outputs. --- main.tf | 155 +++++----- outputs.tf | 140 ++++----- test/fixture/disk_encryption_set.tf | 40 ++- test/fixture/main.tf | 104 +++---- test/fixture/outputs.tf | 52 ++-- test/fixture/providers.tf | 10 +- test/fixture/variables.tf | 9 +- variables.tf | 460 ++++++++++++++-------------- versions.tf | 5 +- 9 files changed, 483 insertions(+), 492 deletions(-) diff --git a/main.tf b/main.tf index 8f3f5132..4ce75c90 100644 --- a/main.tf +++ b/main.tf 
@@ -8,90 +8,97 @@ moved { } resource "tls_private_key" "ssh" { - count = var.admin_username == null ? 0 : 1 + count = var.admin_username == null ? 0 : 1 + algorithm = "RSA" rsa_bits = 2048 } resource "azurerm_kubernetes_cluster" "main" { - name = var.cluster_name == null ? "${var.prefix}-aks" : var.cluster_name + name = var.cluster_name == null ? "${var.prefix}-aks" : var.cluster_name + location = coalesce(var.location, data.azurerm_resource_group.main.location) + resource_group_name = data.azurerm_resource_group.main.name + + dns_prefix = var.prefix + api_server_authorized_ip_ranges = var.api_server_authorized_ip_ranges + azure_policy_enabled = var.azure_policy_enabled + disk_encryption_set_id = var.disk_encryption_set_id + http_application_routing_enabled = var.enable_http_application_routing kubernetes_version = var.kubernetes_version - location = coalesce(var.location, data.azurerm_resource_group.main.location) - resource_group_name = data.azurerm_resource_group.main.name + local_account_disabled = var.local_account_disabled node_resource_group = var.node_resource_group - disk_encryption_set_id = var.disk_encryption_set_id - dns_prefix = var.prefix - sku_tier = var.sku_tier + oidc_issuer_enabled = var.oidc_issuer_enabled + open_service_mesh_enabled = var.enable_open_service_mesh private_cluster_enabled = var.private_cluster_enabled private_dns_zone_id = var.private_dns_zone_id private_cluster_public_fqdn_enabled = var.private_cluster_public_fqdn_enabled - local_account_disabled = var.local_account_disabled - api_server_authorized_ip_ranges = var.api_server_authorized_ip_ranges - - dynamic "linux_profile" { - for_each = var.admin_username == null ? 
[] : ["linux_profile"] - content { - admin_username = var.admin_username - - ssh_key { - # remove any new lines using the replace interpolation function - key_data = replace(coalesce(var.public_ssh_key, tls_private_key.ssh[0].public_key_openssh), "\n", "") - } - } - } + role_based_access_control_enabled = var.enable_role_based_access_control + sku_tier = var.sku_tier + tags = var.tags dynamic "default_node_pool" { for_each = var.enable_auto_scaling == true ? [] : ["default_node_pool_manually_scaled"] content { - orchestrator_version = var.orchestrator_version name = var.agents_pool_name - node_count = var.agents_count vm_size = var.agents_size + enable_auto_scaling = var.enable_auto_scaling + enable_host_encryption = var.enable_host_encryption + enable_node_public_ip = var.enable_node_public_ip + max_pods = var.agents_max_pods + node_labels = var.agents_labels + only_critical_addons_enabled = var.only_critical_addons_enabled + orchestrator_version = var.orchestrator_version os_disk_size_gb = var.os_disk_size_gb os_disk_type = var.os_disk_type + type = var.agents_type + tags = merge(var.tags, var.agents_tags) vnet_subnet_id = var.vnet_subnet_id - enable_auto_scaling = var.enable_auto_scaling max_count = null min_count = null - enable_node_public_ip = var.enable_node_public_ip + node_count = var.agents_count zones = var.agents_availability_zones - node_labels = var.agents_labels - type = var.agents_type - tags = merge(var.tags, var.agents_tags) - max_pods = var.agents_max_pods - enable_host_encryption = var.enable_host_encryption - only_critical_addons_enabled = var.only_critical_addons_enabled } } - dynamic "default_node_pool" { for_each = var.enable_auto_scaling == true ? 
["default_node_pool_auto_scaled"] : [] content { - orchestrator_version = var.orchestrator_version name = var.agents_pool_name vm_size = var.agents_size + enable_auto_scaling = var.enable_auto_scaling + enable_host_encryption = var.enable_host_encryption + enable_node_public_ip = var.enable_node_public_ip + max_pods = var.agents_max_pods + node_labels = var.agents_labels + only_critical_addons_enabled = var.only_critical_addons_enabled + orchestrator_version = var.orchestrator_version os_disk_size_gb = var.os_disk_size_gb os_disk_type = var.os_disk_type + type = var.agents_type + tags = merge(var.tags, var.agents_tags) vnet_subnet_id = var.vnet_subnet_id - enable_auto_scaling = var.enable_auto_scaling max_count = var.agents_max_count min_count = var.agents_min_count - enable_node_public_ip = var.enable_node_public_ip zones = var.agents_availability_zones - node_labels = var.agents_labels - type = var.agents_type - tags = merge(var.tags, var.agents_tags) - max_pods = var.agents_max_pods - enable_host_encryption = var.enable_host_encryption - only_critical_addons_enabled = var.only_critical_addons_enabled } } - dynamic "service_principal" { - for_each = var.client_id != "" && var.client_secret != "" ? ["service_principal"] : [] + dynamic "azure_active_directory_role_based_access_control" { + for_each = var.enable_role_based_access_control && var.rbac_aad_managed ? ["rbac"] : [] content { - client_id = var.client_id - client_secret = var.client_secret + managed = true + tenant_id = var.rbac_aad_tenant_id + admin_group_object_ids = var.rbac_aad_admin_group_object_ids + azure_rbac_enabled = var.rbac_aad_azure_rbac_enabled + } + } + dynamic "azure_active_directory_role_based_access_control" { + for_each = var.enable_role_based_access_control && !var.rbac_aad_managed ? 
["rbac"] : [] + content { + managed = false + tenant_id = var.rbac_aad_tenant_id + client_app_id = var.rbac_aad_client_app_id + server_app_id = var.rbac_aad_server_app_id + server_app_secret = var.rbac_aad_server_app_secret } } @@ -103,19 +110,6 @@ resource "azurerm_kubernetes_cluster" "main" { } } - http_application_routing_enabled = var.enable_http_application_routing - - azure_policy_enabled = var.azure_policy_enabled - - dynamic "oms_agent" { - for_each = var.enable_log_analytics_workspace ? ["oms_agent"] : [] - content { - log_analytics_workspace_id = var.log_analytics_workspace == null ? azurerm_log_analytics_workspace.main[0].id : var.log_analytics_workspace.id - } - } - - open_service_mesh_enabled = var.enable_open_service_mesh - dynamic "ingress_application_gateway" { for_each = var.enable_ingress_application_gateway ? ["ingress_application_gateway"] : [] content { 
@@ -134,26 +128,15 @@ resource "azurerm_kubernetes_cluster" "main" { } } - role_based_access_control_enabled = var.enable_role_based_access_control - - dynamic "azure_active_directory_role_based_access_control" { - for_each = var.enable_role_based_access_control && var.rbac_aad_managed ? ["rbac"] : [] + dynamic "linux_profile" { + for_each = var.admin_username == null ? [] : ["linux_profile"] content { - managed = true - admin_group_object_ids = var.rbac_aad_admin_group_object_ids - azure_rbac_enabled = var.rbac_aad_azure_rbac_enabled - tenant_id = var.rbac_aad_tenant_id - } - } + admin_username = var.admin_username - dynamic "azure_active_directory_role_based_access_control" { - for_each = var.enable_role_based_access_control && !var.rbac_aad_managed ? ["rbac"] : [] - content { - managed = false - client_app_id = var.rbac_aad_client_app_id - server_app_id = var.rbac_aad_server_app_id - server_app_secret = var.rbac_aad_server_app_secret - tenant_id = var.rbac_aad_tenant_id + ssh_key { + # remove any new lines using the replace interpolation function + key_data = replace(coalesce(var.public_ssh_key, tls_private_key.ssh[0].public_key_openssh), "\n", "") + } } } @@ -167,9 +150,20 @@ resource "azurerm_kubernetes_cluster" "main" { service_cidr = var.net_profile_service_cidr } - oidc_issuer_enabled = var.oidc_issuer_enabled + dynamic "oms_agent" { + for_each = var.enable_log_analytics_workspace ? ["oms_agent"] : [] + content { + log_analytics_workspace_id = var.log_analytics_workspace == null ? azurerm_log_analytics_workspace.main[0].id : var.log_analytics_workspace.id + } + } - tags = var.tags + dynamic "service_principal" { + for_each = var.client_id != "" && var.client_secret != "" ? ["service_principal"] : [] + content { + client_id = var.client_id + client_secret = var.client_secret + } + } lifecycle { precondition { 
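Review bot: The moved `dynamic "service_principal"` block in the `@@ -167,9 +150,20 @@` hunk still keys its `for_each` on the secret value itself, `var.client_id != "" && var.client_secret != ""`. Terraform rejects `for_each` arguments derived from sensitive values, and as far as I can tell a conditional whose condition is sensitive yields a sensitive result, so this expression is what stands in the way of ever declaring `client_secret` with `sensitive = true` (the old side of variables.tf in this patch shows it is not marked today). Gating the block on the non-secret half, `for_each = var.client_id != "" ? ["service_principal"] : []`, and leaving the "both must be set" requirement to the existing `lifecycle.precondition` shown in the next hunk would let the variable be marked sensitive without changing when the block is emitted for callers that set both values; worth confirming against the fixtures before adopting. The enclosing `azurerm_kubernetes_cluster` resource starts and ends outside this hunk.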
@@ -178,14 +172,15 @@ resource "azurerm_kubernetes_cluster" "main" { } precondition { # Why don't use var.identity_ids != null && length(var.identity_ids)>0 ? Because bool expression in Terraform is not short circuit so even var.identity_ids is null Terraform will still invoke length function with null and cause error. https://github.com/hashicorp/terraform/issues/24128 - condition = (var.client_id != "" && var.client_secret != "") || (var.identity_type == "SystemAssigned") || (var.identity_ids == null ? false :length(var.identity_ids) > 0) + condition = (var.client_id != "" && var.client_secret != "") || (var.identity_type == "SystemAssigned") || (var.identity_ids == null ? false : length(var.identity_ids) > 0) error_message = "If use identity and `UserAssigned` or `SystemAssigned, UserAssigned` is set, an `identity_ids` must be set as well." } } } resource "azurerm_log_analytics_workspace" "main" { - count = var.enable_log_analytics_workspace && var.log_analytics_workspace == null ? 1 : 0 + count = var.enable_log_analytics_workspace && var.log_analytics_workspace == null ? 1 : 0 + name = var.cluster_log_analytics_workspace_name == null ? "${var.prefix}-workspace" : var.cluster_log_analytics_workspace_name location = coalesce(var.location, data.azurerm_resource_group.main.location) resource_group_name = coalesce(var.log_analytics_workspace_resource_group_name, var.resource_group_name) diff --git a/outputs.tf b/outputs.tf index bde2e44f..99151c0d 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -1,121 +1,126 @@ -output "client_key" { - sensitive = true - value = azurerm_kubernetes_cluster.main.kube_config[0].client_key +output "aci_connector_linux" { + value = try(azurerm_kubernetes_cluster.main.aci_connector_linux[0], null) } -output "client_certificate" { - sensitive = true - value = azurerm_kubernetes_cluster.main.kube_config[0].client_certificate +output "aci_connector_linux_enabled" { + value = can(azurerm_kubernetes_cluster.main.aci_connector_linux[0]) } -output "cluster_ca_certificate" { - sensitive = true - value = azurerm_kubernetes_cluster.main.kube_config[0].cluster_ca_certificate +output "admin_client_certificate" { + value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].client_certificate, "") } -output "host" { - sensitive = true - value = azurerm_kubernetes_cluster.main.kube_config[0].host +output "admin_client_key" { + value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].client_key, "") } -output "username" { - sensitive = true - value = azurerm_kubernetes_cluster.main.kube_config[0].username +output "admin_cluster_ca_certificate" { + value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].cluster_ca_certificate, "") } -output "password" { - sensitive = true - value = azurerm_kubernetes_cluster.main.kube_config[0].password +output "admin_host" { + value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].host, "") } -output "node_resource_group" { - value = azurerm_kubernetes_cluster.main.node_resource_group +output "admin_password" { + value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].password, "") } -output "location" { - value = azurerm_kubernetes_cluster.main.location +output "admin_username" { + value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].username, "") } output "aks_id" { value = azurerm_kubernetes_cluster.main.id } -output "kube_config_raw" { +output "azure_policy_enabled" { + value = azurerm_kubernetes_cluster.main.azure_policy_enabled +} + +output 
"client_certificate" { sensitive = true - value = azurerm_kubernetes_cluster.main.kube_config_raw + value = azurerm_kubernetes_cluster.main.kube_config[0].client_certificate } -output "kube_admin_config_raw" { +output "client_key" { sensitive = true - value = azurerm_kubernetes_cluster.main.kube_admin_config_raw + value = azurerm_kubernetes_cluster.main.kube_config[0].client_key } -output "http_application_routing_zone_name" { - value = azurerm_kubernetes_cluster.main.http_application_routing_zone_name != null ? azurerm_kubernetes_cluster.main.http_application_routing_zone_name : "" +output "cluster_ca_certificate" { + sensitive = true + value = azurerm_kubernetes_cluster.main.kube_config[0].cluster_ca_certificate } output "cluster_identity" { value = try(azurerm_kubernetes_cluster.main.identity[0], null) } -output "kubelet_identity" { - value = azurerm_kubernetes_cluster.main.kubelet_identity +output "generated_cluster_private_ssh_key" { + description = "The cluster will use this generated private key as ssh key when `var.public_ssh_key` is empty or null." + sensitive = true + value = try(azurerm_kubernetes_cluster.main.linux_profile[0], null) != null ? (var.public_ssh_key == "" || var.public_ssh_key == null ? tls_private_key.ssh[0].private_key_pem : null) : null } -output "admin_client_key" { - value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].client_key, "") +output "generated_cluster_public_ssh_key" { + description = "The cluster will use this generated public key as ssh key when `var.public_ssh_key` is empty or null." + value = try(azurerm_kubernetes_cluster.main.linux_profile[0], null) != null ? (var.public_ssh_key == "" || var.public_ssh_key == null ? 
tls_private_key.ssh[0].public_key_openssh : null) : null } -output "admin_client_certificate" { - value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].client_certificate, "") +output "host" { + sensitive = true + value = azurerm_kubernetes_cluster.main.kube_config[0].host } -output "admin_cluster_ca_certificate" { - value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].cluster_ca_certificate, "") +output "http_application_routing_enabled" { + value = azurerm_kubernetes_cluster.main.http_application_routing_enabled } -output "admin_host" { - value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].host, "") +output "http_application_routing_zone_name" { + value = azurerm_kubernetes_cluster.main.http_application_routing_zone_name != null ? azurerm_kubernetes_cluster.main.http_application_routing_zone_name : "" } -output "admin_username" { - value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].username, "") +output "ingress_application_gateway" { + value = try(azurerm_kubernetes_cluster.main.ingress_application_gateway[0], null) } -output "admin_password" { - value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].password, "") +output "ingress_application_gateway_enabled" { + value = can(azurerm_kubernetes_cluster.main.ingress_application_gateway[0]) } -output "aci_connector_linux" { - value = try(azurerm_kubernetes_cluster.main.aci_connector_linux[0], null) +output "key_vault_secrets_provider" { + value = try(azurerm_kubernetes_cluster.main.key_vault_secrets_provider[0], null) } -output "aci_connector_linux_enabled" { - value = can(azurerm_kubernetes_cluster.main.aci_connector_linux[0]) +output "key_vault_secrets_provider_enabled" { + value = can(azurerm_kubernetes_cluster.main.key_vault_secrets_provider[0]) } -output "azure_policy_enabled" { - value = azurerm_kubernetes_cluster.main.azure_policy_enabled +output "kube_admin_config_raw" { + sensitive = true + value = 
azurerm_kubernetes_cluster.main.kube_admin_config_raw } -output "http_application_routing_enabled" { - value = azurerm_kubernetes_cluster.main.http_application_routing_enabled +output "kube_config_raw" { + sensitive = true + value = azurerm_kubernetes_cluster.main.kube_config_raw } -output "ingress_application_gateway" { - value = try(azurerm_kubernetes_cluster.main.ingress_application_gateway[0], null) +output "kubelet_identity" { + value = azurerm_kubernetes_cluster.main.kubelet_identity } -output "ingress_application_gateway_enabled" { - value = can(azurerm_kubernetes_cluster.main.ingress_application_gateway[0]) +output "location" { + value = azurerm_kubernetes_cluster.main.location } -output "key_vault_secrets_provider" { - value = try(azurerm_kubernetes_cluster.main.key_vault_secrets_provider[0], null) +output "node_resource_group" { + value = azurerm_kubernetes_cluster.main.node_resource_group } -output "key_vault_secrets_provider_enabled" { - value = can(azurerm_kubernetes_cluster.main.key_vault_secrets_provider[0]) +output "oidc_issuer_url" { + value = azurerm_kubernetes_cluster.main.oidc_issuer_url } output "oms_agent" { 
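Review bot: The six `admin_*` outputs at the top of the new side (`admin_client_certificate`, `admin_client_key`, `admin_cluster_ca_certificate`, `admin_host`, `admin_password`, `admin_username`) still carry no `sensitive = true`, while the non-admin equivalents in the same hunk (`client_key`, `client_certificate`, `cluster_ca_certificate`, `host`, `password`, `username`, `kube_admin_config_raw`) are all marked sensitive. These read the cluster-admin kubeconfig fields from `kube_admin_config[0]`, and the test fixture's matching outputs in test/fixture/outputs.tf within this same patch already mark them sensitive, so the module should too: add `sensitive = true` to each of the six blocks. The `try(..., "")` wrapper presumably passes any provider sensitivity mark through, but the explicit flag keeps the values redacted from plan and apply output regardless of provider behaviour. The reorder did not introduce the omission (the removed lines lack it too), and most outputs in this hunk also lack a `description`.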
@@ -130,17 +135,12 @@ output "open_service_mesh_enabled" { value = azurerm_kubernetes_cluster.main.open_service_mesh_enabled } -output "oidc_issuer_url" { - value = azurerm_kubernetes_cluster.main.oidc_issuer_url -} - -output "generated_cluster_public_ssh_key" { - description = "The cluster will use this generated public key as ssh key when `var.public_ssh_key` is empty or null." - value = try(azurerm_kubernetes_cluster.main.linux_profile[0], null) != null ? (var.public_ssh_key == "" || var.public_ssh_key == null ? tls_private_key.ssh[0].public_key_openssh : null) : null +output "password" { + sensitive = true + value = azurerm_kubernetes_cluster.main.kube_config[0].password } -output "generated_cluster_private_ssh_key" { - description = "The cluster will use this generated private key as ssh key when `var.public_ssh_key` is empty or null." - sensitive = true - value = try(azurerm_kubernetes_cluster.main.linux_profile[0], null) != null ? (var.public_ssh_key == "" || var.public_ssh_key == null ? tls_private_key.ssh[0].private_key_pem : null) : null -} +output "username" { + sensitive = true + value = azurerm_kubernetes_cluster.main.kube_config[0].username +} \ No newline at end of file diff --git a/test/fixture/disk_encryption_set.tf b/test/fixture/disk_encryption_set.tf index d7129a4e..117bdff1 100644 --- a/test/fixture/disk_encryption_set.tf +++ b/test/fixture/disk_encryption_set.tf @@ -2,13 +2,14 @@ data "azurerm_client_config" "current" {} resource "random_string" "key_vault_prefix" { length = 6 + numeric = false special = false upper = false - numeric = false } data "curl" "public_ip" { - count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0 + count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0 + http_method = "GET" uri = "https://api.ipify.org?format=json" } 
@@ -22,11 +23,11 @@ resource "azurerm_key_vault" "des_vault" { name = "${random_string.key_vault_prefix.result}-des-keyvault" location = azurerm_resource_group.main.location resource_group_name = azurerm_resource_group.main.name - tenant_id = data.azurerm_client_config.current.tenant_id sku_name = "premium" - soft_delete_retention_days = 7 + tenant_id = data.azurerm_client_config.current.tenant_id enabled_for_disk_encryption = true purge_protection_enabled = true + soft_delete_retention_days = 7 network_acls { bypass = "AzureServices" @@ -36,13 +37,11 @@ resource "azurerm_key_vault" "des_vault" { } resource "azurerm_key_vault_key" "des_key" { - name = "des-key" - key_vault_id = azurerm_key_vault.des_vault.id - key_type = "RSA-HSM" - key_size = 2048 - expiration_date = timeadd("${formatdate("YYYY-MM-DD", timestamp())}T00:00:00Z", "168h") - - key_opts = [ + name = "des-key" + key_vault_id = azurerm_key_vault.des_vault.id + key_type = "RSA-HSM" + key_size = 2048 + key_opts = [ "decrypt", "encrypt", "sign", @@ -50,6 +49,7 @@ resource "azurerm_key_vault_key" "des_key" { "verify", "wrapKey", ] + expiration_date = timeadd("${formatdate("YYYY-MM-DD", timestamp())}T00:00:00Z", "168h") lifecycle { ignore_changes = [expiration_date] @@ -62,8 +62,8 @@ resource "azurerm_key_vault_key" "des_key" { resource "azurerm_disk_encryption_set" "des" { name = "des" - location = azurerm_resource_group.main.location resource_group_name = azurerm_resource_group.main.name + location = azurerm_resource_group.main.location key_vault_key_id = azurerm_key_vault_key.des_key.id identity { 
@@ -72,11 +72,9 @@ resource "azurerm_disk_encryption_set" "des" { } resource "azurerm_key_vault_access_policy" "des" { - key_vault_id = azurerm_key_vault.des_vault.id - - tenant_id = azurerm_disk_encryption_set.des.identity.0.tenant_id - object_id = azurerm_disk_encryption_set.des.identity.0.principal_id - + key_vault_id = azurerm_key_vault.des_vault.id + tenant_id = azurerm_disk_encryption_set.des.identity.0.tenant_id + object_id = azurerm_disk_encryption_set.des.identity.0.principal_id key_permissions = [ "Get", "WrapKey", @@ -85,11 +83,9 @@ resource "azurerm_key_vault_access_policy" "des" { } resource "azurerm_key_vault_access_policy" "current_user" { - key_vault_id = azurerm_key_vault.des_vault.id - - tenant_id = data.azurerm_client_config.current.tenant_id - object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id) - + key_vault_id = azurerm_key_vault.des_vault.id + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id) key_permissions = [ "Get", "Create", diff --git a/test/fixture/main.tf b/test/fixture/main.tf index 2a23146e..7824da80 100644 --- a/test/fixture/main.tf +++ b/test/fixture/main.tf @@ -2,15 +2,15 @@ resource "random_id" "prefix" { byte_length = 8 } resource "azurerm_resource_group" "main" { - name = "${random_id.prefix.hex}-rg" location = var.location + name = "${random_id.prefix.hex}-rg" } resource "azurerm_virtual_network" "test" { name = "${random_id.prefix.hex}-vn" + resource_group_name = azurerm_resource_group.main.name address_space = ["10.52.0.0/16"] location = azurerm_resource_group.main.location - resource_group_name = azurerm_resource_group.main.name } resource "azurerm_subnet" "test" { 
@@ -21,55 +21,51 @@ resource "azurerm_subnet" "test" { } resource "azurerm_user_assigned_identity" "test" { + name = "${random_id.prefix.hex}-identity" resource_group_name = azurerm_resource_group.main.name location = azurerm_resource_group.main.location - name = "${random_id.prefix.hex}-identity" } module "aks" { - source = "../.." - prefix = "prefix-${random_id.prefix.hex}" - resource_group_name = azurerm_resource_group.main.name - client_id = var.client_id - client_secret = var.client_secret - network_plugin = "azure" - vnet_subnet_id = azurerm_subnet.test.id - os_disk_size_gb = 60 - disk_encryption_set_id = azurerm_disk_encryption_set.des.id - enable_http_application_routing = true - azure_policy_enabled = true - enable_host_encryption = true - enable_role_based_access_control = true - rbac_aad_managed = true - enable_log_analytics_workspace = true - sku_tier = "Paid" - private_cluster_enabled = true - enable_auto_scaling = true - agents_min_count = 1 - agents_max_count = 2 - agents_count = null - agents_max_pods = 100 - agents_pool_name = "testnodepool" - agents_availability_zones = ["1", "2"] - agents_type = "VirtualMachineScaleSets" - - agents_labels = { + source = "../.." 
+ prefix = "prefix-${random_id.prefix.hex}" + resource_group_name = azurerm_resource_group.main.name + agents_availability_zones = ["1", "2"] + agents_count = null + agents_labels = { "node1" : "label1" } - - agents_tags = { + agents_max_count = 2 + agents_max_pods = 100 + agents_min_count = 1 + agents_pool_name = "testnodepool" + agents_tags = { "Agent" : "agentTag" } - + agents_type = "VirtualMachineScaleSets" + azure_policy_enabled = true + client_id = var.client_id + client_secret = var.client_secret + disk_encryption_set_id = azurerm_disk_encryption_set.des.id + enable_auto_scaling = true + enable_host_encryption = true + enable_http_application_routing = true enable_ingress_application_gateway = true + enable_log_analytics_workspace = true + enable_role_based_access_control = true ingress_application_gateway_name = "${random_id.prefix.hex}-agw" ingress_application_gateway_subnet_cidr = "10.52.1.0/24" - - network_policy = "azure" - net_profile_dns_service_ip = "10.0.0.10" - net_profile_docker_bridge_cidr = "170.10.0.1/16" - net_profile_service_cidr = "10.0.0.0/16" - local_account_disabled = true + local_account_disabled = true + net_profile_dns_service_ip = "10.0.0.10" + net_profile_docker_bridge_cidr = "170.10.0.1/16" + net_profile_service_cidr = "10.0.0.0/16" + network_plugin = "azure" + network_policy = "azure" + os_disk_size_gb = 60 + private_cluster_enabled = true + rbac_aad_managed = true + sku_tier = "Paid" + vnet_subnet_id = azurerm_subnet.test.id depends_on = [azurerm_resource_group.main] } 
@@ -79,32 +75,34 @@ module "aks_without_monitor" { prefix = "prefix2-${random_id.prefix.hex}" resource_group_name = azurerm_resource_group.main.name disk_encryption_set_id = azurerm_disk_encryption_set.des.id - enable_role_based_access_control = true - rbac_aad_managed = true - private_cluster_enabled = true #checkov:skip=CKV_AZURE_4:The logging is turn off for demo purpose. DO NOT DO THIS IN PRODUCTION ENVIRONMENT! enable_log_analytics_workspace = false - net_profile_pod_cidr = "10.1.0.0/16" + enable_role_based_access_control = true local_account_disabled = true - depends_on = [azurerm_resource_group.main] + net_profile_pod_cidr = "10.1.0.0/16" + private_cluster_enabled = true + rbac_aad_managed = true + + depends_on = [azurerm_resource_group.main] } module "aks_cluster_name" { source = "../.." - cluster_name = "test-cluster" prefix = "prefix" resource_group_name = azurerm_resource_group.main.name - disk_encryption_set_id = azurerm_disk_encryption_set.des.id - enable_role_based_access_control = true - rbac_aad_managed = true - enable_log_analytics_workspace = true - private_cluster_enabled = true # Not necessary, just for demo purpose. admin_username = "azureuser" cluster_log_analytics_workspace_name = "test-cluster" - net_profile_pod_cidr = "10.1.0.0/16" + cluster_name = "test-cluster" + disk_encryption_set_id = azurerm_disk_encryption_set.des.id + enable_log_analytics_workspace = true + enable_role_based_access_control = true + identity_ids = [azurerm_user_assigned_identity.test.id] identity_type = "UserAssigned" local_account_disabled = true - identity_ids = [azurerm_user_assigned_identity.test.id] - depends_on = [azurerm_resource_group.main] + net_profile_pod_cidr = "10.1.0.0/16" + private_cluster_enabled = true + rbac_aad_managed = true + + depends_on = [azurerm_resource_group.main] } diff --git a/test/fixture/outputs.tf b/test/fixture/outputs.tf index 2ac27915..7f34755c 100644 --- a/test/fixture/outputs.tf +++ b/test/fixture/outputs.tf 
@@ -1,13 +1,6 @@ -output "test_aks_id" { - value = module.aks.aks_id -} - -output "test_aks_without_monitor_id" { - value = module.aks_without_monitor.aks_id -} - -output "test_aks_without_monitor_identity" { - value = module.aks_without_monitor.cluster_identity +output "test_admin_client_certificate" { + sensitive = true + value = module.aks.admin_client_certificate } output "test_admin_client_key" { @@ -15,11 +8,6 @@ output "test_admin_client_key" { value = module.aks.admin_client_key } -output "test_admin_client_certificate" { - sensitive = true - value = module.aks.admin_client_certificate -} - output "test_admin_cluster_ca_certificate" { sensitive = true value = module.aks.admin_client_certificate @@ -30,19 +18,26 @@ output "test_admin_host" { value = module.aks.admin_host } +output "test_admin_password" { + sensitive = true + value = module.aks.admin_password +} + output "test_admin_username" { sensitive = true value = module.aks.admin_username } -output "test_admin_password" { - sensitive = true - value = module.aks.admin_password +output "test_aks_id" { + value = module.aks.aks_id } -output "test_client_key" { - sensitive = true - value = module.aks.client_key +output "test_aks_without_monitor_id" { + value = module.aks_without_monitor.aks_id +} + +output "test_aks_without_monitor_identity" { + value = module.aks_without_monitor.cluster_identity } output "test_client_certificate" { @@ -50,6 +45,11 @@ output "test_client_certificate" { value = module.aks.client_certificate } +output "test_client_key" { + sensitive = true + value = module.aks.client_key +} + output "test_cluster_ca_certificate" { sensitive = true value = module.aks.client_certificate @@ -60,9 +60,9 @@ output "test_host" { value = module.aks.host } -output "test_username" { +output "test_kube_raw" { sensitive = true - value = module.aks.username + value = module.aks.kube_config_raw } output "test_password" { 
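Review bot: `test_admin_cluster_ca_certificate` (context in the `@@ -15,11 +8,6 @@` hunk) and `test_cluster_ca_certificate` (context in the `@@ -50,6 +45,11 @@` hunk) both export the client certificate rather than the CA certificate: their values are `module.aks.admin_client_certificate` and `module.aks.client_certificate`, so any test that reads these outputs checks the wrong certificate. They should be `value = module.aks.admin_cluster_ca_certificate` and `value = module.aks.cluster_ca_certificate`, both of which the module's outputs.tf in this patch exports. These are unchanged context lines, so the reorder did not introduce the mismatch, but both blocks are touched by this file's hunks and it is a one-line fix in each.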
@@ -70,7 +70,7 @@ output "test_password" { value = module.aks.password } -output "test_kube_raw" { +output "test_username" { sensitive = true - value = module.aks.kube_config_raw -} + value = module.aks.username +} \ No newline at end of file diff --git a/test/fixture/providers.tf b/test/fixture/providers.tf index 8f57f3f2..48452a5c 100644 --- a/test/fixture/providers.tf +++ b/test/fixture/providers.tf @@ -1,4 +1,6 @@ terraform { + required_version = ">= 1.2" + required_providers { azurerm = { source = "hashicorp/azurerm" @@ -11,17 +13,17 @@ terraform { } } -provider "curl" {} - provider "azurerm" { features { resource_group { prevent_deletion_if_contains_resources = false } key_vault { - recover_soft_deleted_key_vaults = false purge_soft_delete_on_destroy = false purge_soft_deleted_keys_on_destroy = false + recover_soft_deleted_key_vaults = false } } -} \ No newline at end of file +} + +provider "curl" {} \ No newline at end of file diff --git a/test/fixture/variables.tf b/test/fixture/variables.tf index 997b01fa..0b8ed7ff 100644 --- a/test/fixture/variables.tf +++ b/test/fixture/variables.tf @@ -1,8 +1,5 @@ -variable "location" { - default = "eastus" -} - variable "client_id" {} + variable "client_secret" {} variable "key_vault_firewall_bypass_ip_cidr" { @@ -10,6 +7,10 @@ variable "key_vault_firewall_bypass_ip_cidr" { default = null } +variable "location" { + default = "eastus" +} + variable "managed_identity_principal_id" { type = string default = null diff --git a/variables.tf b/variables.tf index 33b94778..4cf0362d 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1,452 +1,452 @@ -variable "resource_group_name" { - description = "The resource group name to be imported" +variable "prefix" { type = string + description = "(Required) The prefix for the resources created in the specified Azure Resource Group" } -variable "cluster_name" { - description = "(Optional) The name for the AKS resources created in the specified Azure Resource Group. This variable overwrites the 'prefix' var (The 'prefix' var will still be applied to the dns_prefix if it is set)" +variable "resource_group_name" { type = string - default = null + description = "The resource group name to be imported" } -variable "cluster_log_analytics_workspace_name" { - description = "(Optional) The name of the Analytics workspace" +variable "admin_username" { type = string + description = "The username of the local administrator to be created on the Kubernetes cluster. Set this variable to `null` to turn off the cluster's `linux_profile`. Changing this forces a new resource to be created." default = null } -variable "location" { - description = "Location of cluster, if not defined it will be read from the resource-group" - type = string +variable "agents_availability_zones" { + type = list(string) + description = "(Optional) A list of Availability Zones across which the Node Pool should be spread. Changing this forces a new resource to be created." default = null } -variable "prefix" { - description = "(Required) The prefix for the resources created in the specified Azure Resource Group" - type = string +variable "agents_count" { + type = number + description = "The number of Agents that should exist in the Agent Pool. Please set `agents_count` `null` while `enable_auto_scaling` is `true` to avoid possible `agents_count` changes." 
+ default = 2 } -variable "client_id" { - description = "(Optional) The Client ID (appId) for the Service Principal used for the AKS deployment" - type = string - default = "" - nullable = false +variable "agents_labels" { + type = map(string) + description = "(Optional) A map of Kubernetes labels which should be applied to nodes in the Default Node Pool. Changing this forces a new resource to be created." + default = {} } -variable "client_secret" { - description = "(Optional) The Client Secret (password) for the Service Principal used for the AKS deployment" - type = string - default = "" - nullable = false +variable "agents_max_count" { + type = number + description = "Maximum number of nodes in a pool" + default = null } -variable "api_server_authorized_ip_ranges" { - type = set(string) - description = "(Optional) The IP ranges to allow for incoming traffic to the server nodes." +variable "agents_max_pods" { + type = number + description = "(Optional) The maximum number of pods that can run on each agent. Changing this forces a new resource to be created." default = null } -variable "admin_username" { +variable "agents_min_count" { + type = number + description = "Minimum number of nodes in a pool" default = null - description = "The username of the local administrator to be created on the Kubernetes cluster. Set this variable to `null` to turn off the cluster's `linux_profile`. Changing this forces a new resource to be created." - type = string } -variable "agents_size" { - default = "Standard_D2s_v3" - description = "The default virtual machine size for the Kubernetes agents" +variable "agents_pool_name" { type = string + description = "The default Azure AKS agentpool (nodepool) name." + default = "nodepool" + nullable = false } -variable "log_analytics_workspace_sku" { - description = "The SKU (pricing level) of the Log Analytics workspace. 
For new subscriptions the SKU should be set to PerGB2018" +variable "agents_size" { type = string - default = "PerGB2018" -} - -variable "log_retention_in_days" { - description = "The retention period for the logs in days" - type = number - default = 30 + description = "The default virtual machine size for the Kubernetes agents" + default = "Standard_D2s_v3" } -variable "agents_count" { - description = "The number of Agents that should exist in the Agent Pool. Please set `agents_count` `null` while `enable_auto_scaling` is `true` to avoid possible `agents_count` changes." - type = number - default = 2 +variable "agents_tags" { + type = map(string) + description = "(Optional) A mapping of tags to assign to the Node Pool." + default = {} } -variable "public_ssh_key" { - description = "A custom ssh key to control access to the AKS cluster. Changing this forces a new resource to be created." +variable "agents_type" { type = string - default = "" + description = "(Optional) The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets." + default = "VirtualMachineScaleSets" } -variable "tags" { - type = map(string) - description = "Any tags that should be present on the AKS cluster resources" - default = {} +variable "api_server_authorized_ip_ranges" { + type = set(string) + description = "(Optional) The IP ranges to allow for incoming traffic to the server nodes." + default = null } -variable "enable_log_analytics_workspace" { +variable "azure_policy_enabled" { type = bool - description = "Enable the integration of azurerm_log_analytics_workspace and azurerm_log_analytics_solution: https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-onboard" - default = true - nullable = false + description = "Enable Azure Policy Addon." 
+ default = false } -variable "log_analytics_solution_id" { +variable "client_id" { type = string - description = "(Optional) Existing azurerm_log_analytics_solution ID. Providing ID disables creation of azurerm_log_analytics_solution." - default = null - nullable = true + description = "(Optional) The Client ID (appId) for the Service Principal used for the AKS deployment" + default = "" + nullable = false } -variable "log_analytics_workspace" { - type = object({ - id = string - name = string - }) - description = "(Optional) Existing azurerm_log_analytics_workspace to attach azurerm_log_analytics_solution. Providing the config disables creation of azurerm_log_analytics_workspace." - default = null - nullable = true +variable "client_secret" { + type = string + description = "(Optional) The Client Secret (password) for the Service Principal used for the AKS deployment" + default = "" + nullable = false } -variable "log_analytics_workspace_resource_group_name" { +variable "cluster_log_analytics_workspace_name" { type = string - description = "(Optional) Resource group name to create azurerm_log_analytics_solution." + description = "(Optional) The name of the Analytics workspace" default = null - nullable = true } -variable "vnet_subnet_id" { - description = "(Optional) The ID of a Subnet where the Kubernetes Node Pool should exist. Changing this forces a new resource to be created." +variable "cluster_name" { type = string + description = "(Optional) The name for the AKS resources created in the specified Azure Resource Group. This variable overwrites the 'prefix' var (The 'prefix' var will still be applied to the dns_prefix if it is set)" default = null } -variable "os_disk_size_gb" { - description = "Disk size of nodes in GBs." - type = number - default = 50 -} - -variable "os_disk_type" { - description = "The type of disk which should be used for the Operating System. Possible values are `Ephemeral` and `Managed`. Defaults to `Managed`. 
Changing this forces a new resource to be created." +variable "disk_encryption_set_id" { type = string - default = "Managed" - nullable = false + description = "(Optional) The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information [can be found in the documentation](https://docs.microsoft.com/azure/aks/azure-disk-customer-managed-keys). Changing this forces a new resource to be created." + default = null } -variable "private_cluster_enabled" { - description = "If true cluster API server will be exposed only on internal IP address and available only in cluster vnet." +variable "enable_auto_scaling" { type = bool + description = "Enable node pool autoscaling" default = false } -variable "enable_http_application_routing" { - description = "Enable HTTP Application Routing Addon (forces recreation)." +variable "enable_host_encryption" { type = bool + description = "Enable Host Encryption for default node pool. Encryption at host feature must be enabled on the subscription: https://docs.microsoft.com/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli" default = false } -variable "azure_policy_enabled" { - description = "Enable Azure Policy Addon." +variable "enable_node_public_ip" { type = bool + description = "(Optional) Should nodes in this Node Pool have a Public IP Address? Defaults to false." default = false } -variable "enable_open_service_mesh" { - description = "Is Open Service Mesh enabled? For more details, please visit [Open Service Mesh for AKS](https://docs.microsoft.com/azure/aks/open-service-mesh-about)." +variable "enable_http_application_routing" { type = bool + description = "Enable HTTP Application Routing Addon (forces recreation)." + default = false +} + +variable "identity_ids" { + type = list(string) + description = "(Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Kubernetes Cluster." 
default = null } -variable "sku_tier" { - description = "The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free and Paid" +variable "identity_type" { type = string - default = "Free" + description = "(Optional) The type of identity used for the managed cluster. Conflict with `client_id` and `client_secret`. Possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`(to enable both). If `UserAssigned` or `SystemAssigned, UserAssigned` is set, an `identity_ids` must be set as well." + default = "SystemAssigned" + + validation { + condition = var.identity_type == "SystemAssigned" || var.identity_type == "UserAssigned" || var.identity_type == "SystemAssigned, UserAssigned" + error_message = "`identity_type`'s possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`(to enable both)." + } } -variable "enable_role_based_access_control" { - description = "Enable Role Based Access Control." +variable "enable_ingress_application_gateway" { type = bool + description = "Whether to deploy the Application Gateway ingress controller to this Kubernetes Cluster?" default = false nullable = false } -variable "rbac_aad_managed" { - description = "Is the Azure Active Directory integration Managed, meaning that Azure will create/manage the Service Principal used for integration." +variable "ingress_application_gateway_id" { + type = string + description = "The ID of the Application Gateway to integrate with the ingress controller of this Kubernetes Cluster." + default = null +} + +variable "ingress_application_gateway_name" { + type = string + description = "The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster." 
+ default = null +} + +variable "ingress_application_gateway_subnet_cidr" { + type = string + description = "The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster." + default = null +} + +variable "ingress_application_gateway_subnet_id" { + type = string + description = "The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster." + default = null +} + +variable "key_vault_secrets_provider_enabled" { type = bool + description = "(Optional) Whether to use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster. For more details: https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver" default = false nullable = false } -variable "rbac_aad_admin_group_object_ids" { - description = "Object ID of groups with admin access." - type = list(string) +variable "kubernetes_version" { + type = string + description = "Specify which Kubernetes release to use. The default used is the latest Kubernetes version available in the region" default = null } -variable "rbac_aad_azure_rbac_enabled" { - description = "(Optional) Is Role Based Access Control based on Azure AD enabled?" +variable "local_account_disabled" { type = bool + description = "(Optional) - If `true` local accounts will be disabled. Defaults to `false`. See [the documentation](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts) for more information." default = null } -variable "rbac_aad_tenant_id" { - description = "(Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used." 
+variable "location" { type = string + description = "Location of cluster, if not defined it will be read from the resource-group" default = null } -variable "rbac_aad_client_app_id" { - description = "The Client ID of an Azure Active Directory Application." +variable "log_analytics_solution_id" { type = string + description = "(Optional) Existing azurerm_log_analytics_solution ID. Providing ID disables creation of azurerm_log_analytics_solution." default = null + nullable = true } -variable "rbac_aad_server_app_id" { - description = "The Server ID of an Azure Active Directory Application." - type = string +variable "log_analytics_workspace" { + type = object({ + id = string + name = string + }) + description = "(Optional) Existing azurerm_log_analytics_workspace to attach azurerm_log_analytics_solution. Providing the config disables creation of azurerm_log_analytics_workspace." default = null + nullable = true } -variable "rbac_aad_server_app_secret" { - description = "The Server Secret of an Azure Active Directory Application." +variable "enable_log_analytics_workspace" { + type = bool + description = "Enable the integration of azurerm_log_analytics_workspace and azurerm_log_analytics_solution: https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-onboard" + default = true + nullable = false +} + +variable "log_analytics_workspace_resource_group_name" { type = string + description = "(Optional) Resource group name to create azurerm_log_analytics_solution." default = null + nullable = true } -variable "network_plugin" { - description = "Network plugin to use for networking." +variable "log_analytics_workspace_sku" { type = string - default = "kubenet" - nullable = false + description = "The SKU (pricing level) of the Log Analytics workspace. For new subscriptions the SKU should be set to PerGB2018" + default = "PerGB2018" } -variable "network_policy" { - description = " (Optional) Sets up network policy to be used with Azure CNI. 
Network policy allows us to control the traffic flow between pods. Currently supported values are calico and azure. Changing this forces a new resource to be created." - type = string - default = null +variable "log_retention_in_days" { + type = number + description = "The retention period for the logs in days" + default = 30 } variable "net_profile_dns_service_ip" { - description = "(Optional) IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created." type = string + description = "(Optional) IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created." default = null } variable "net_profile_docker_bridge_cidr" { - description = "(Optional) IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created." type = string + description = "(Optional) IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created." default = null } variable "net_profile_outbound_type" { - description = "(Optional) The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer and userDefinedRouting. Defaults to loadBalancer." type = string + description = "(Optional) The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer and userDefinedRouting. Defaults to loadBalancer." default = "loadBalancer" } variable "net_profile_pod_cidr" { - description = " (Optional) The CIDR to use for pod IP addresses. This field can only be set when network_plugin is set to kubenet. Changing this forces a new resource to be created." type = string + description = " (Optional) The CIDR to use for pod IP addresses. 
This field can only be set when network_plugin is set to kubenet. Changing this forces a new resource to be created." default = null } variable "net_profile_service_cidr" { - description = "(Optional) The Network Range used by the Kubernetes service. Changing this forces a new resource to be created." type = string + description = "(Optional) The Network Range used by the Kubernetes service. Changing this forces a new resource to be created." default = null } -variable "kubernetes_version" { - description = "Specify which Kubernetes release to use. The default used is the latest Kubernetes version available in the region" +variable "network_plugin" { + type = string + description = "Network plugin to use for networking." + default = "kubenet" + nullable = false +} + +variable "network_policy" { type = string + description = " (Optional) Sets up network policy to be used with Azure CNI. Network policy allows us to control the traffic flow between pods. Currently supported values are calico and azure. Changing this forces a new resource to be created." default = null } -variable "orchestrator_version" { - description = "Specify which Kubernetes release to use for the orchestration layer. The default used is the latest Kubernetes version available in the region" +variable "node_resource_group" { type = string + description = "The auto-generated Resource Group which contains the resources for this Managed Kubernetes Cluster. Changing this forces a new resource to be created." default = null } -variable "enable_auto_scaling" { - description = "Enable node pool autoscaling" +variable "oidc_issuer_enabled" { + description = "Enable or Disable the OIDC issuer URL. Defaults to false." 
type = bool default = false } -variable "agents_max_count" { - type = number - description = "Maximum number of nodes in a pool" +variable "only_critical_addons_enabled" { + type = bool + description = "(Optional) Enabling this option will taint default node pool with `CriticalAddonsOnly=true:NoSchedule` taint. Changing this forces a new resource to be created." default = null } -variable "agents_min_count" { - type = number - description = "Minimum number of nodes in a pool" +variable "enable_open_service_mesh" { + type = bool + description = "Is Open Service Mesh enabled? For more details, please visit [Open Service Mesh for AKS](https://docs.microsoft.com/azure/aks/open-service-mesh-about)." default = null } -variable "agents_pool_name" { - description = "The default Azure AKS agentpool (nodepool) name." +variable "orchestrator_version" { type = string - default = "nodepool" - nullable = false -} - -variable "enable_node_public_ip" { - description = "(Optional) Should nodes in this Node Pool have a Public IP Address? Defaults to false." - type = bool - default = false -} - -variable "agents_availability_zones" { - description = "(Optional) A list of Availability Zones across which the Node Pool should be spread. Changing this forces a new resource to be created." - type = list(string) + description = "Specify which Kubernetes release to use for the orchestration layer. The default used is the latest Kubernetes version available in the region" default = null } -variable "agents_labels" { - description = "(Optional) A map of Kubernetes labels which should be applied to nodes in the Default Node Pool. Changing this forces a new resource to be created." - type = map(string) - default = {} +variable "os_disk_size_gb" { + type = number + description = "Disk size of nodes in GBs." + default = 50 } -variable "agents_type" { - description = "(Optional) The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. 
Defaults to VirtualMachineScaleSets." +variable "os_disk_type" { type = string - default = "VirtualMachineScaleSets" -} - -variable "agents_tags" { - description = "(Optional) A mapping of tags to assign to the Node Pool." - type = map(string) - default = {} -} - -variable "agents_max_pods" { - description = "(Optional) The maximum number of pods that can run on each agent. Changing this forces a new resource to be created." - type = number - default = null + description = "The type of disk which should be used for the Operating System. Possible values are `Ephemeral` and `Managed`. Defaults to `Managed`. Changing this forces a new resource to be created." + default = "Managed" + nullable = false } -variable "enable_ingress_application_gateway" { - description = "Whether to deploy the Application Gateway ingress controller to this Kubernetes Cluster?" +variable "private_cluster_enabled" { type = bool + description = "If true cluster API server will be exposed only on internal IP address and available only in cluster vnet." default = false - nullable = false -} - -variable "ingress_application_gateway_id" { - description = "The ID of the Application Gateway to integrate with the ingress controller of this Kubernetes Cluster." - type = string - default = null } -variable "ingress_application_gateway_name" { - description = "The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster." - type = string - default = null -} - -variable "ingress_application_gateway_subnet_cidr" { - description = "The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster." - type = string - default = null +variable "private_cluster_public_fqdn_enabled" { + type = bool + description = "(Optional) Specifies whether a Public FQDN for this Private Cluster should be added. 
Defaults to `false`." + default = false } -variable "ingress_application_gateway_subnet_id" { - description = "The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster." +variable "private_dns_zone_id" { type = string + description = "(Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this or `None`. In case of `None` you will need to bring your own DNS server and set up resolving, otherwise cluster will have issues after provisioning. Changing this forces a new resource to be created." default = null } -variable "identity_type" { - description = "(Optional) The type of identity used for the managed cluster. Conflict with `client_id` and `client_secret`. Possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`(to enable both). If `UserAssigned` or `SystemAssigned, UserAssigned` is set, an `identity_ids` must be set as well." +variable "public_ssh_key" { type = string - default = "SystemAssigned" - - validation { - condition = var.identity_type == "SystemAssigned" || var.identity_type == "UserAssigned" || var.identity_type == "SystemAssigned, UserAssigned" - error_message = "`identity_type`'s possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`(to enable both)." - } + description = "A custom ssh key to control access to the AKS cluster. Changing this forces a new resource to be created." + default = "" } -variable "identity_ids" { - description = "(Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Kubernetes Cluster." +variable "rbac_aad_admin_group_object_ids" { type = list(string) + description = "Object ID of groups with admin access." default = null } -variable "enable_host_encryption" { - description = "Enable Host Encryption for default node pool. 
Encryption at host feature must be enabled on the subscription: https://docs.microsoft.com/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli" +variable "rbac_aad_azure_rbac_enabled" { type = bool - default = false + description = "(Optional) Is Role Based Access Control based on Azure AD enabled?" + default = null } -variable "private_dns_zone_id" { - description = "(Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this or `None`. In case of `None` you will need to bring your own DNS server and set up resolving, otherwise cluster will have issues after provisioning. Changing this forces a new resource to be created." +variable "rbac_aad_client_app_id" { type = string + description = "The Client ID of an Azure Active Directory Application." default = null } -variable "private_cluster_public_fqdn_enabled" { - description = "(Optional) Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to `false`." +variable "rbac_aad_managed" { type = bool + description = "Is the Azure Active Directory integration Managed, meaning that Azure will create/manage the Service Principal used for integration." default = false + nullable = false } -variable "node_resource_group" { - description = "The auto-generated Resource Group which contains the resources for this Managed Kubernetes Cluster. Changing this forces a new resource to be created." +variable "rbac_aad_server_app_id" { type = string + description = "The Server ID of an Azure Active Directory Application." default = null } -variable "disk_encryption_set_id" { - description = "(Optional) The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information [can be found in the documentation](https://docs.microsoft.com/azure/aks/azure-disk-customer-managed-keys). Changing this forces a new resource to be created." 
+variable "rbac_aad_server_app_secret" { type = string + description = "The Server Secret of an Azure Active Directory Application." default = null } -variable "oidc_issuer_enabled" { - description = "Enable or Disable the OIDC issuer URL. Defaults to false." - type = bool - default = false -} - -variable "only_critical_addons_enabled" { - description = "(Optional) Enabling this option will taint default node pool with `CriticalAddonsOnly=true:NoSchedule` taint. Changing this forces a new resource to be created." - type = bool +variable "rbac_aad_tenant_id" { + type = string + description = "(Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used." default = null } -variable "key_vault_secrets_provider_enabled" { - description = "(Optional) Whether to use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster. For more details: https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver" +variable "enable_role_based_access_control" { type = bool + description = "Enable Role Based Access Control." default = false nullable = false } variable "secret_rotation_enabled" { - description = "Is secret rotation enabled? This variable is only used when enable_key_vault_secrets_provider is true and defaults to false" type = bool + description = "Is secret rotation enabled? This variable is only used when `key_vault_secrets_provider_enabled` is `true` and defaults to `false`" default = false nullable = false } variable "secret_rotation_interval" { - description = "The interval to poll for secret rotation. This attribute is only set when secret_rotation is true and defaults to 2m" type = string + description = "The interval to poll for secret rotation. 
This attribute is only set when `secret_rotation` is `true` and defaults to `2m`" default = "2m" nullable = false } -variable "local_account_disabled" { - description = "(Optional) - If `true` local accounts will be disabled. Defaults to `false`. See [the documentation](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts) for more information." - type = bool - default = null +variable "sku_tier" { + type = string + description = "The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free and Paid" + default = "Free" +} + +variable "tags" { + type = map(string) + description = "Any tags that should be present on the AKS cluster resources" + default = {} } + +variable "vnet_subnet_id" { + type = string + description = "(Optional) The ID of a Subnet where the Kubernetes Node Pool should exist. Changing this forces a new resource to be created." + default = null +} \ No newline at end of file diff --git a/versions.tf b/versions.tf index 3fa9bf7c..d3eee6e1 100644 --- a/versions.tf +++ b/versions.tf @@ -1,11 +1,10 @@ - terraform { + required_version = ">= 1.2" + required_providers { azurerm = { source = "hashicorp/azurerm" version = "~> 3.3" } } - - required_version = ">= 1.2" } From 2659048cc762ecc7498d277af38cf1c83a65ddb0 Mon Sep 17 00:00:00 2001 From: zjhe Date: Thu, 14 Jul 2022 10:47:58 +0800 Subject: [PATCH 02/20] Rename some variables from `enable_xxx` to `xxx_enabled` --- main.tf | 18 +++++++++--------- test/fixture/main.tf | 16 ++++++++-------- variables.tf | 10 +++++----- 3 files changed, 22 insertions(+), 22 deletions(-) diff --git a/main.tf b/main.tf index 4ce75c90..3627a361 100644 --- a/main.tf +++ b/main.tf 
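Review bot: The re-declared `client_secret` and `rbac_aad_server_app_secret` blocks on the new side still lack `sensitive = true`, so both secrets can appear in plan diffs and state-diff output wherever they are passed through to a resource attribute that the provider schema does not mark sensitive; versions.tf in this same patch requires Terraform `>= 1.2`, where the attribute is supported, so add `sensitive = true` to each block. A smaller wording point in the same hunk: `secret_rotation_enabled`'s description was corrected to name the right variable, but `secret_rotation_interval` still says it applies when "secret_rotation" is true — it should reference `secret_rotation_enabled`, the variable the module actually declares. The hunk spans the whole of variables.tf, so no block is cut at its edges.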
@@ -23,16 +23,16 @@ resource "azurerm_kubernetes_cluster" "main" {
 api_server_authorized_ip_ranges = var.api_server_authorized_ip_ranges
 azure_policy_enabled = var.azure_policy_enabled
 disk_encryption_set_id = var.disk_encryption_set_id
- http_application_routing_enabled = var.enable_http_application_routing
+ http_application_routing_enabled = var.http_application_routing_enabled
 kubernetes_version = var.kubernetes_version
 local_account_disabled = var.local_account_disabled
 node_resource_group = var.node_resource_group
 oidc_issuer_enabled = var.oidc_issuer_enabled
- open_service_mesh_enabled = var.enable_open_service_mesh
+ open_service_mesh_enabled = var.open_service_mesh_enabled
 private_cluster_enabled = var.private_cluster_enabled
 private_dns_zone_id = var.private_dns_zone_id
 private_cluster_public_fqdn_enabled = var.private_cluster_public_fqdn_enabled
- role_based_access_control_enabled = var.enable_role_based_access_control
+ role_based_access_control_enabled = var.role_based_access_control_enabled
 sku_tier = var.sku_tier
 tags = var.tags
@@ -83,7 +83,7 @@ resource "azurerm_kubernetes_cluster" "main" {
 }
 dynamic "azure_active_directory_role_based_access_control" {
- for_each = var.enable_role_based_access_control && var.rbac_aad_managed ? ["rbac"] : []
+ for_each = var.role_based_access_control_enabled && var.rbac_aad_managed ? ["rbac"] : []
 content {
 managed = true
 tenant_id = var.rbac_aad_tenant_id
@@ -92,7 +92,7 @@ resource "azurerm_kubernetes_cluster" "main" {
 }
 }
 dynamic "azure_active_directory_role_based_access_control" {
- for_each = var.enable_role_based_access_control && !var.rbac_aad_managed ? ["rbac"] : []
+ for_each = var.role_based_access_control_enabled && !var.rbac_aad_managed ? ["rbac"] : []
 content {
 managed = false
 tenant_id = var.rbac_aad_tenant_id
@@ -111,7 +111,7 @@ resource "azurerm_kubernetes_cluster" "main" {
 }
 dynamic "ingress_application_gateway" {
- for_each = var.enable_ingress_application_gateway ? ["ingress_application_gateway"] : []
+ for_each = var.ingress_application_gateway_enabled ? ["ingress_application_gateway"] : []
 content {
 gateway_id = var.ingress_application_gateway_id
 gateway_name = var.ingress_application_gateway_name
@@ -151,7 +151,7 @@ resource "azurerm_kubernetes_cluster" "main" {
 }
 dynamic "oms_agent" {
- for_each = var.enable_log_analytics_workspace ? ["oms_agent"] : []
+ for_each = var.log_analytics_workspace_enabled ? ["oms_agent"] : []
 content {
 log_analytics_workspace_id = var.log_analytics_workspace == null ? azurerm_log_analytics_workspace.main[0].id : var.log_analytics_workspace.id
 }
@@ -179,7 +179,7 @@ resource "azurerm_kubernetes_cluster" "main" {
 }
 resource "azurerm_log_analytics_workspace" "main" {
- count = var.enable_log_analytics_workspace && var.log_analytics_workspace == null ? 1 : 0
+ count = var.log_analytics_workspace_enabled && var.log_analytics_workspace == null ? 1 : 0
 name = var.cluster_log_analytics_workspace_name == null ? "${var.prefix}-workspace" : var.cluster_log_analytics_workspace_name
 location = coalesce(var.location, data.azurerm_resource_group.main.location)
@@ -191,7 +191,7 @@ resource "azurerm_log_analytics_workspace" "main" {
 }
 resource "azurerm_log_analytics_solution" "main" {
- count = var.enable_log_analytics_workspace && var.log_analytics_solution_id == null ? 1 : 0
+ count = var.log_analytics_workspace_enabled && var.log_analytics_solution_id == null ? 1 : 0
 solution_name = "ContainerInsights"
 location = coalesce(var.location, data.azurerm_resource_group.main.location)
 resource_group_name = coalesce(var.log_analytics_workspace_resource_group_name, var.resource_group_name)
diff --git a/test/fixture/main.tf b/test/fixture/main.tf
index 7824da80..76cca19b 100644
--- a/test/fixture/main.tf
+++ b/test/fixture/main.tf
@@ -49,10 +49,10 @@ module "aks" {
 disk_encryption_set_id = azurerm_disk_encryption_set.des.id
 enable_auto_scaling = true
 enable_host_encryption = true
- enable_http_application_routing = true
- enable_ingress_application_gateway = true
- enable_log_analytics_workspace = true
- enable_role_based_access_control = true
+ http_application_routing_enabled = true
+ ingress_application_gateway_enabled = true
+ log_analytics_workspace_enabled = true
+ role_based_access_control_enabled = true
 ingress_application_gateway_name = "${random_id.prefix.hex}-agw"
 ingress_application_gateway_subnet_cidr = "10.52.1.0/24"
 local_account_disabled = true
@@ -76,8 +76,8 @@ module "aks_without_monitor" {
 resource_group_name = azurerm_resource_group.main.name
 disk_encryption_set_id = azurerm_disk_encryption_set.des.id
 #checkov:skip=CKV_AZURE_4:The logging is turn off for demo purpose. DO NOT DO THIS IN PRODUCTION ENVIRONMENT!
- enable_log_analytics_workspace = false
- enable_role_based_access_control = true
+ log_analytics_workspace_enabled = false
+ role_based_access_control_enabled = true
 local_account_disabled = true
 net_profile_pod_cidr = "10.1.0.0/16"
 private_cluster_enabled = true
@@ -95,8 +95,8 @@ module "aks_cluster_name" {
 cluster_log_analytics_workspace_name = "test-cluster"
 cluster_name = "test-cluster"
 disk_encryption_set_id = azurerm_disk_encryption_set.des.id
- enable_log_analytics_workspace = true
- enable_role_based_access_control = true
+ log_analytics_workspace_enabled = true
+ role_based_access_control_enabled = true
 identity_ids = [azurerm_user_assigned_identity.test.id]
 identity_type = "UserAssigned"
 local_account_disabled = true
diff --git a/variables.tf b/variables.tf
index 4cf0362d..b8c9a9e0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -137,7 +137,7 @@ variable "enable_node_public_ip" {
 default = false
 }
-variable "enable_http_application_routing" {
+variable "http_application_routing_enabled" {
 type = bool
 description = "Enable HTTP Application Routing Addon (forces recreation)."
 default = false
@@ -160,7 +160,7 @@ variable "identity_type" {
 }
 }
-variable "enable_ingress_application_gateway" {
+variable "ingress_application_gateway_enabled" {
 type = bool
 description = "Whether to deploy the Application Gateway ingress controller to this Kubernetes Cluster?"
 default = false
@@ -233,7 +233,7 @@ variable "log_analytics_workspace" {
 nullable = true
 }
-variable "enable_log_analytics_workspace" {
+variable "log_analytics_workspace_enabled" {
 type = bool
 description = "Enable the integration of azurerm_log_analytics_workspace and azurerm_log_analytics_solution: https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-onboard"
 default = true
@@ -320,7 +320,7 @@ variable "only_critical_addons_enabled" {
 default = null
 }
-variable "enable_open_service_mesh" {
+variable "open_service_mesh_enabled" {
 type = bool
 description = "Is Open Service Mesh enabled? For more details, please visit [Open Service Mesh for AKS](https://docs.microsoft.com/azure/aks/open-service-mesh-about)."
 default = null
@@ -412,7 +412,7 @@ variable "rbac_aad_tenant_id" {
 default = null
 }
-variable "enable_role_based_access_control" {
+variable "role_based_access_control_enabled" {
 type = bool
 description = "Enable Role Based Access Control."
 default = false
From 2e0d422d13176f342ec66b728fba54a526b4161b Mon Sep 17 00:00:00 2001
From: zjhe
Date: Thu, 14 Jul 2022 13:34:57 +0800
Subject: [PATCH 03/20] Update CHANGELOG
---
 CHANGLOG.md | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/CHANGLOG.md b/CHANGLOG.md
index b12ae8a9..72756db8 100644
--- a/CHANGLOG.md
+++ b/CHANGLOG.md
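Review bot: `role_based_access_control_enabled` is renamed but keeps `default = false` (last hunk of variables.tf), so a caller who accepts the module defaults still gets a cluster with Kubernetes RBAC switched off and, because both `azure_active_directory_role_based_access_control` blocks in main.tf are gated on this variable, no AAD integration either. Since V5.0.0 is already a breaking release, this is the moment to switch it to `default = true`, which is also the azurerm provider's own default for this argument, or at minimum to say so in the text: `description = "Enable Role Based Access Control. Leaving this false creates a cluster without Kubernetes RBAC and skips the AAD RBAC configuration."`. The README added later in this series lists `log_analytics_workspace_enable` under the variables that received `nullable = true`, which does not match the `log_analytics_workspace_enabled` name introduced here; one of the two should be corrected. Each `variable` block's closing brace lies outside the hunk, so whether `nullable` is actually set on any of them cannot be seen from here.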
@@ -1,7 +1,28 @@
-## 5.0.0 (June 16, 2022)
+## 5.0.0 (July 14, 2022)
 ENHANCEMENTS:
-Bump AzureRM Provider version to 3.3.0 ([#157](https://github.com/Azure/terraform-azurerm-aks/pull/157))
+* Add new variable `location` so we can define location for the resources explicitly. ([#172](https://github.com/Azure/terraform-azurerm-aks/pull/172))
+* Bump AzureRM Provider version to 3.3.0. ([#157](https://github.com/Azure/terraform-azurerm-aks/pull/157))
+* Add new variable `private_dns_zone_id` to make argument `private_dns_zone_id` configurable. ([#174](https://github.com/Azure/terraform-azurerm-aks/pull/174))
+* Add new variable `open_service_mesh_enabled` to make argument `open_service_mesh_enabled` configurable. ([#132](https://github.com/Azure/terraform-azurerm-aks/pull/132))
+* Remove `addon_profile` in the outputs since the block has been removed from provider 3.x. Extract embedded blocks inside `addon_profile` block into standalone outputs. ([#188](https://github.com/Azure/terraform-azurerm-aks/pull/188))
+* Add `nullable = true` to some variables to simplify the conditional expressions. ([#193](https://github.com/Azure/terraform-azurerm-aks/pull/193))
+* Add new variable `oidc_issuer_enabled` to make argument `oidc_issuer_enabled` configurable. ([#205](https://github.com/Azure/terraform-azurerm-aks/pull/205) [#206](https://github.com/Azure/terraform-azurerm-aks/pull/206))
+* Turn monitoring on in the test code. ([#201](https://github.com/Azure/terraform-azurerm-aks/pull/201))
+* Add new variables `private_dns_zone_id` and `private_cluster_public_fqdn_enabled` to make arguments `private_dns_zone_id` and `private_cluster_public_fqdn_enabled` configurable. ([#149](https://github.com/Azure/terraform-azurerm-aks/pull/149))
+* Remove `module.ssh-key` and moves resource `tls_private_key` inside the module to root directory, then outputs tls keys. ([#189](https://github.com/Azure/terraform-azurerm-aks/pull/189))
+* Add new variables `rbac_aad_azure_rbac_enabled` and `rbac_aad_tenant_id` to make arguments in `azure_active_directory_role_based_access_control` configurable. ([#199](https://github.com/Azure/terraform-azurerm-aks/pull/199))
+* Add `count` meta-argument to resource `tls_private_key` to avoid the unnecessary creation. ([#209](https://github.com/Azure/terraform-azurerm-aks/pull/209))
+* Add new variable `only_critical_addons_enabled` to make argument `only_critical_addons_enabled` in block `default_node_pool` configurable. ([#129](https://github.com/Azure/terraform-azurerm-aks/pull/129))
+* Add support for the argument `key_vault_secrets_provider`. ([#214](https://github.com/Azure/terraform-azurerm-aks/pull/214))
+* Provides a way to attach existing Log Analytics Workspace to AKS through Container Insights. ([#213](https://github.com/Azure/terraform-azurerm-aks/pull/213))
+* Add new variable `local_account_disabled` to make argument `local_account_disabled` configurable. ([#218](https://github.com/Azure/terraform-azurerm-aks/pull/218))
+* Set argument `private_cluster_enabled` to `true` in the test code. ([#219](https://github.com/Azure/terraform-azurerm-aks/pull/219))
+* Add new variable `disk_encryption_set_id` to make argument `disk_encryption_set_id` configurable. Create resource `azurerm_disk_encryption_set` in the test code to turn disk encryption on for the cluster. ([#195](https://github.com/Azure/terraform-azurerm-aks/pull/195))
+* Add new variable `api_server_authorized_ip_ranges` to make argument `api_server_authorized_ip_ranges` configurable. ([#220](https://github.com/Azure/terraform-azurerm-aks/pull/220))
+* Rename output `system_assigned_identity` to `cluster_identity` since it could be user assigned identity. ([#197](https://github.com/Azure/terraform-azurerm-aks/pull/197))
-BUG FIXES:
\ No newline at end of file
+BUG FIXES:
+
+* Change the incorrect description of variable `tags`. ([#175](https://github.com/Azure/terraform-azurerm-aks/pull/175))
\ No newline at end of file
From 254ef09378543661f82f35601d7970b619c6a624 Mon Sep 17 00:00:00 2001
From: zjhe
Date: Thu, 14 Jul 2022 15:22:11 +0800
Subject: [PATCH 04/20] Update README
---
 README.md | 211 ++++++++++++++++++++++++++++++++++++------------------
 1 file changed, 141 insertions(+), 70 deletions(-)
diff --git a/README.md b/README.md
index bfcdb28a..0f3717fc 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,69 @@ # terraform-azurerm-aks + ## Deploys a Kubernetes cluster on AKS with monitoring support through Azure Log Analytics This Terraform module deploys a Kubernetes cluster on Azure using AKS (Azure Kubernetes Service) and adds support for monitoring with Log Analytics. -> **NOTE:** If you have not assigned `client_id` or `client_secret`, A `SystemAssigned` identity will be created. +## Notice on Upgrade to V5.x + +V5.0.0 is a major version upgrade and a lot of breaking changes have been introduced. Extremely cautious must be taken during the upgrade to avoid resource replacement and downtime by accident. + +Running the `terraform plan` first to inspect the plan is strongly advised. + +### Terraform and terraform-provider-azurerm version restrictions + +Now Terraform core's lowest version is v1.2.0 and terraform-provider-azurerm's lowest version is v3.3.0. + +### `addon_profile` in outputs is no longer available. + +It has been broken into the following new outputs: + +* `aci_connector_linux` +* `aci_connector_linux_enabled` +* `azure_policy_enabled` +* `http_application_routing_enabled` +* `ingress_application_gateway` +* `ingress_application_gateway_enabled` +* `key_vault_secrets_provider` +* `key_vault_secrets_provider_enabled` +* `oms_agent` +* `oms_agent_enabled` +* `open_service_mesh_enabled` + +### The following variables have been renamed from `enable_xxx` to `xxx_enabled` + +* `enable_http_application_routing` has been renamed to `http_application_routing_enabled` +* `enable_ingress_application_gateway` has been renamed to `ingress_application_gateway_enabled` +* `enable_log_analytics_workspace` has been renamed to `log_analytics_workspace_enabled` +* `enable_open_service_mesh` has been renamed to `open_service_mesh_enabled` +* `enable_role_based_access_control` has been renamed to `role_based_access_control_enabled` + +### `nullable = true` has been added to the following variables so setting them to `null` explicitly will use the default 
value + +* `log_analytics_workspace_enable` +* `os_disk_type` +* `private_cluster_enabled` +* `rbac_aad_managed` +* `rbac_aad_admin_group_object_ids` +* `network_policy` +* `enable_node_public_ip` + +### `var.admin_username`'s default value has been removed + +In v4.x `var.admin_username` has a default value `azureuser` and has been removed in V5.0.0. Since the `admin_username` argument in `linux_profile` block is a ForceNew argument, any value change to this argument will trigger a Kubernetes cluster replacement **SO THE EXTREMELY CAUTIOUS MUST BE TAKEN**. The module's callers must set `var.admin_username` to `azureuser` explicitly if they didn't set it before. + +### `module.ssh-key` has been removed + +The file named `private_ssh_key` which contains the tls private key will be deleted since the `local_file` resource has been removed. Now the private key is exported via `generated_cluster_private_ssh_key` in output and the corresponding public key is exported via `generated_cluster_public_ssh_key` in output. + +A `moved` block has been added to relocate the existing `tls_private_key` resource to the new address. If the `var.admin_username` is not `null`, no action is needed. + +Resource `tls_private_key`'s creation now is conditional. Users may see the destruction of existing `tls_private_key` in the generated plan if `var.admin_username` is `null`. + +### `system_assigned_identity` in the output has been renamed to `cluster_identity` + ## Usage in Terraform 0.13 ```hcl @@ -126,7 +185,7 @@ We provide 2 ways to build, run, and test the module on a local development mach - [Ruby **(~> 2.3)**](https://www.ruby-lang.org/en/downloads/) - [Bundler **(~> 1.15)**](https://bundler.io/) -- [Terraform **(~> 0.11.7)**](https://www.terraform.io/downloads.html) +- [Terraform **(>= 1.2.0)**](https://www.terraform.io/downloads.html) - [Golang **(~> 1.10.3)**](https://golang.org/dl/) #### Environment setup 
@@ -223,17 +282,17 @@ contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additio ## Requirements -| Name | Version | -|---------------------------------------------------------------------------|----------| -| [terraform](#requirement\_terraform) | >= 1.1.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.3 | +| Name | Version | +|---------------------------------------------------------------------------|---------| +| [terraform](#requirement\_terraform) | >= 1.2 | +| [azurerm](#requirement\_azurerm) | ~> 3.3 | ## Providers | Name | Version | |---------------------------------------------------------------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.3 | -| [tls](#provider\_tls) | n/a | +| [azurerm](#provider\_azurerm) | 3.13.0 | +| [tls](#provider\_tls) | 3.4.0 | ## Modules 
@@ -251,68 +310,80 @@ No modules. ## Inputs -| Name | Description | Type | Default | Required | -|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------|-----------------------------|:--------:| -| [admin\_username](#input\_admin\_username) | The username of the local administrator to be created on the Kubernetes cluster. Set this variable to `null` to turn off the cluster's `linux_profile`. Changing this forces a new resource to be created. | `string` | `null` | no | -| [agents\_availability\_zones](#input\_agents\_availability\_zones) | (Optional) A list of Availability Zones across which the Node Pool should be spread. Changing this forces a new resource to be created. | `list(string)` | `null` | no | -| [agents\_count](#input\_agents\_count) | The number of Agents that should exist in the Agent Pool. Please set `agents_count` `null` while `enable_auto_scaling` is `true` to avoid possible `agents_count` changes. | `number` | `2` | no | -| [agents\_labels](#input\_agents\_labels) | (Optional) A map of Kubernetes labels which should be applied to nodes in the Default Node Pool. Changing this forces a new resource to be created. | `map(string)` | `{}` | no | -| [agents\_max\_count](#input\_agents\_max\_count) | Maximum number of nodes in a pool | `number` | `null` | no | -| [agents\_max\_pods](#input\_agents\_max\_pods) | (Optional) The maximum number of pods that can run on each agent. Changing this forces a new resource to be created. 
| `number` | `null` | no | -| [agents\_min\_count](#input\_agents\_min\_count) | Minimum number of nodes in a pool | `number` | `null` | no | -| [agents\_pool\_name](#input\_agents\_pool\_name) | The default Azure AKS agentpool (nodepool) name. | `string` | `"nodepool"` | no | -| [agents\_size](#input\_agents\_size) | The default virtual machine size for the Kubernetes agents | `string` | `"Standard_D2s_v3"` | no | -| [agents\_tags](#input\_agents\_tags) | (Optional) A mapping of tags to assign to the Node Pool. | `map(string)` | `{}` | no | -| [agents\_type](#input\_agents\_type) | (Optional) The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets. | `string` | `"VirtualMachineScaleSets"` | no | -| [client\_id](#input\_client\_id) | (Optional) The Client ID (appId) for the Service Principal used for the AKS deployment | `string` | `""` | no | -| [client\_secret](#input\_client\_secret) | (Optional) The Client Secret (password) for the Service Principal used for the AKS deployment | `string` | `""` | no | -| [cluster\_log\_analytics\_workspace\_name](#input\_cluster\_log\_analytics\_workspace\_name) | (Optional) The name of the Analytics workspace | `string` | `null` | no | -| [cluster\_name](#input\_cluster\_name) | (Optional) The name for the AKS resources created in the specified Azure Resource Group. This variable overwrites the 'prefix' var (The 'prefix' var will still be applied to the dns\_prefix if it is set) | `string` | `null` | no | -| [enable\_auto\_scaling](#input\_enable\_auto\_scaling) | Enable node pool autoscaling | `bool` | `false` | no | -| [enable\_azure\_policy](#input\_enable\_azure\_policy) | Enable Azure Policy Addon. | `bool` | `false` | no | -| [enable\_host\_encryption](#input\_enable\_host\_encryption) | Enable Host Encryption for default node pool. 
Encryption at host feature must be enabled on the subscription: https://docs.microsoft.com/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli | `bool` | `false` | no | -| [enable\_http\_application\_routing](#input\_enable\_http\_application\_routing) | Enable HTTP Application Routing Addon (forces recreation). | `bool` | `false` | no | -| [enable\_ingress\_application\_gateway](#input\_enable\_ingress\_application\_gateway) | Whether to deploy the Application Gateway ingress controller to this Kubernetes Cluster? | `bool` | `false` | no | -| [enable\_log\_analytics\_workspace](#input\_enable\_log\_analytics\_workspace) | Enable the integration of azurerm\_log\_analytics\_workspace and azurerm\_log\_analytics\_solution: https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-onboard | `bool` | `true` | no | -| [enable\_node\_public\_ip](#input\_enable\_node\_public\_ip) | (Optional) Should nodes in this Node Pool have a Public IP Address? Defaults to false. | `bool` | `false` | no | -| [enable\_role\_based\_access\_control](#input\_enable\_role\_based\_access\_control) | Enable Role Based Access Control. | `bool` | `false` | no | -| [identity\_ids](#input\_identity\_ids) | (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Kubernetes Cluster. | `list(string)` | `null` | no | -| [identity\_type](#input\_identity\_type) | (Optional) The type of identity used for the managed cluster. Conflict with `client_id` and `client_secret`. Possible values are `SystemAssigned` and `UserAssigned`. If `UserAssigned` is set, a `user_assigned_identity_id` must be set as well. | `string` | `"SystemAssigned"` | no | -| [ingress\_application\_gateway\_id](#input\_ingress\_application\_gateway\_id) | The ID of the Application Gateway to integrate with the ingress controller of this Kubernetes Cluster. 
| `string` | `null` | no | -| [ingress\_application\_gateway\_name](#input\_ingress\_application\_gateway\_name) | The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no | -| [ingress\_application\_gateway\_subnet\_cidr](#input\_ingress\_application\_gateway\_subnet\_cidr) | The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no | -| [ingress\_application\_gateway\_subnet\_id](#input\_ingress\_application\_gateway\_subnet\_id) | The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no | -| [kubernetes\_version](#input\_kubernetes\_version) | Specify which Kubernetes release to use. The default used is the latest Kubernetes version available in the region | `string` | `null` | no | -| [location](#input\_location) | Location of cluster, if not defined it will be read from the resource-group | `string` | `null` | no | -| [log\_analytics\_solution\_id](#input\_log\_analytics\_solution\_id) | (Optional) Existing azurerm_log_analytics_solution ID. Providing ID disables creation of azurerm_log_analytics_solution. | `string` | `null` | no | -| [log\_analytics\_workspace](#input\_log\_analytics\_workspace) | (Optional) Existing azurerm_log_analytics_workspace to attach azurerm_log_analytics_solution. Providing the config disables creation of azurerm_log_analytics_workspace. | `object({ id=string name=string })` | `null` | no | -| [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | (Optional) Resource group name to create azurerm_log_analytics_solution. 
| `string` | `null` | no | -| [log\_analytics\_workspace\_sku](#input\_log\_analytics\_workspace\_sku) | The SKU (pricing level) of the Log Analytics workspace. For new subscriptions the SKU should be set to PerGB2018 | `string` | `"PerGB2018"` | no | -| [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period for the logs in days | `number` | `30` | no | -| [net\_profile\_dns\_service\_ip](#input\_net\_profile\_dns\_service\_ip) | (Optional) IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created. | `string` | `null` | no | -| [net\_profile\_docker\_bridge\_cidr](#input\_net\_profile\_docker\_bridge\_cidr) | (Optional) IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created. | `string` | `null` | no | -| [net\_profile\_outbound\_type](#input\_net\_profile\_outbound\_type) | (Optional) The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer and userDefinedRouting. Defaults to loadBalancer. | `string` | `"loadBalancer"` | no | -| [net\_profile\_pod\_cidr](#input\_net\_profile\_pod\_cidr) | (Optional) The CIDR to use for pod IP addresses. This field can only be set when network\_plugin is set to kubenet. Changing this forces a new resource to be created. | `string` | `null` | no | -| [net\_profile\_service\_cidr](#input\_net\_profile\_service\_cidr) | (Optional) The Network Range used by the Kubernetes service. Changing this forces a new resource to be created. | `string` | `null` | no | -| [network\_plugin](#input\_network\_plugin) | Network plugin to use for networking. | `string` | `"kubenet"` | no | -| [network\_policy](#input\_network\_policy) | (Optional) Sets up network policy to be used with Azure CNI. Network policy allows us to control the traffic flow between pods. 
Currently supported values are calico and azure. Changing this forces a new resource to be created. | `string` | `null` | no | -| [node\_resource\_group](#input\_node\_resource\_group) | The auto-generated Resource Group which contains the resources for this Managed Kubernetes Cluster. Changing this forces a new resource to be created. | `string` | `null` | no | -| [oidc\_issuer\_enabled](#input\_oidc\_issuer\_enabled) | Enable or Disable the OIDC issuer URL. Defaults to false. | `bool` | `false` | no | -| [orchestrator\_version](#input\_orchestrator\_version) | Specify which Kubernetes release to use for the orchestration layer. The default used is the latest Kubernetes version available in the region | `string` | `null` | no | -| [os\_disk\_size\_gb](#input\_os\_disk\_size\_gb) | Disk size of nodes in GBs. | `number` | `50` | no | -| [os\_disk\_type](#input\_os\_disk\_type) | The type of disk which should be used for the Operating System. Possible values are `Ephemeral` and `Managed`. Defaults to `Managed`. Changing this forces a new resource to be created. | `string` | `"Managed"` | no | -| [prefix](#input\_prefix) | (Required) The prefix for the resources created in the specified Azure Resource Group | `string` | n/a | yes | -| [private\_cluster\_enabled](#input\_private\_cluster\_enabled) | If true cluster API server will be exposed only on internal IP address and available only in cluster vnet. | `bool` | `false` | no | -| [public\_ssh\_key](#input\_public\_ssh\_key) | A custom ssh key to control access to the AKS cluster. Changing this forces a new resource to be created. | `string` | `""` | no | -| [rbac\_aad\_admin\_group\_object\_ids](#input\_rbac\_aad\_admin\_group\_object\_ids) | Object ID of groups with admin access. | `list(string)` | `null` | no | -| [rbac\_aad\_client\_app\_id](#input\_rbac\_aad\_client\_app\_id) | The Client ID of an Azure Active Directory Application. 
| `string` | `null` | no | -| [rbac\_aad\_managed](#input\_rbac\_aad\_managed) | Is the Azure Active Directory integration Managed, meaning that Azure will create/manage the Service Principal used for integration. | `bool` | `false` | no | -| [rbac\_aad\_server\_app\_id](#input\_rbac\_aad\_server\_app\_id) | The Server ID of an Azure Active Directory Application. | `string` | `null` | no | -| [rbac\_aad\_server\_app\_secret](#input\_rbac\_aad\_server\_app\_secret) | The Server Secret of an Azure Active Directory Application. | `string` | `null` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The resource group name to be imported | `string` | n/a | yes | -| [sku\_tier](#input\_sku\_tier) | The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free and Paid | `string` | `"Free"` | no | -| [tags](#input\_tags) | Any tags that should be present on the AKS cluster resources | `map(string)` | `{}` | no | -| [vnet\_subnet\_id](#input\_vnet\_subnet\_id) | (Optional) The ID of a Subnet where the Kubernetes Node Pool should exist. Changing this forces a new resource to be created. | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------|-----------------------------|:--------:| +| [admin\_username](#input\_admin\_username) | The username of the local administrator to be created on the Kubernetes cluster. 
Set this variable to `null` to turn off the cluster's `linux_profile`. Changing this forces a new resource to be created. | `string` | `null` | no | +| [agents\_availability\_zones](#input\_agents\_availability\_zones) | (Optional) A list of Availability Zones across which the Node Pool should be spread. Changing this forces a new resource to be created. | `list(string)` | `null` | no | +| [agents\_count](#input\_agents\_count) | The number of Agents that should exist in the Agent Pool. Please set `agents_count` `null` while `enable_auto_scaling` is `true` to avoid possible `agents_count` changes. | `number` | `2` | no | +| [agents\_labels](#input\_agents\_labels) | (Optional) A map of Kubernetes labels which should be applied to nodes in the Default Node Pool. Changing this forces a new resource to be created. | `map(string)` | `{}` | no | +| [agents\_max\_count](#input\_agents\_max\_count) | Maximum number of nodes in a pool | `number` | `null` | no | +| [agents\_max\_pods](#input\_agents\_max\_pods) | (Optional) The maximum number of pods that can run on each agent. Changing this forces a new resource to be created. | `number` | `null` | no | +| [agents\_min\_count](#input\_agents\_min\_count) | Minimum number of nodes in a pool | `number` | `null` | no | +| [agents\_pool\_name](#input\_agents\_pool\_name) | The default Azure AKS agentpool (nodepool) name. | `string` | `"nodepool"` | no | +| [agents\_size](#input\_agents\_size) | The default virtual machine size for the Kubernetes agents | `string` | `"Standard_D2s_v3"` | no | +| [agents\_tags](#input\_agents\_tags) | (Optional) A mapping of tags to assign to the Node Pool. | `map(string)` | `{}` | no | +| [agents\_type](#input\_agents\_type) | (Optional) The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets. 
| `string` | `"VirtualMachineScaleSets"` | no | +| [api\_server\_authorized\_ip\_ranges](#input\_api\_server\_authorized\_ip\_ranges) | (Optional) The IP ranges to allow for incoming traffic to the server nodes. | `set(string)` | `null` | no | +| [azure\_policy\_enabled](#input\_azure\_policy\_enabled) | Enable Azure Policy Addon. | `bool` | `false` | no | +| [client\_id](#input\_client\_id) | (Optional) The Client ID (appId) for the Service Principal used for the AKS deployment | `string` | `""` | no | +| [client\_secret](#input\_client\_secret) | (Optional) The Client Secret (password) for the Service Principal used for the AKS deployment | `string` | `""` | no | +| [cluster\_log\_analytics\_workspace\_name](#input\_cluster\_log\_analytics\_workspace\_name) | (Optional) The name of the Analytics workspace | `string` | `null` | no | +| [cluster\_name](#input\_cluster\_name) | (Optional) The name for the AKS resources created in the specified Azure Resource Group. This variable overwrites the 'prefix' var (The 'prefix' var will still be applied to the dns\_prefix if it is set) | `string` | `null` | no | +| [disk\_encryption\_set\_id](#input\_disk\_encryption\_set\_id) | (Optional) The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information [can be found in the documentation](https://docs.microsoft.com/azure/aks/azure-disk-customer-managed-keys). Changing this forces a new resource to be created. | `string` | `null` | no | +| [enable\_auto\_scaling](#input\_enable\_auto\_scaling) | Enable node pool autoscaling | `bool` | `false` | no | +| [enable\_host\_encryption](#input\_enable\_host\_encryption) | Enable Host Encryption for default node pool. 
Encryption at host feature must be enabled on the subscription: https://docs.microsoft.com/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli | `bool` | `false` | no | +| [enable\_node\_public\_ip](#input\_enable\_node\_public\_ip) | (Optional) Should nodes in this Node Pool have a Public IP Address? Defaults to false. | `bool` | `false` | no | +| [http\_application\_routing\_enabled](#input\_http\_application\_routing\_enabled) | Enable HTTP Application Routing Addon (forces recreation). | `bool` | `false` | no | +| [identity\_ids](#input\_identity\_ids) | (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Kubernetes Cluster. | `list(string)` | `null` | no | +| [identity\_type](#input\_identity\_type) | (Optional) The type of identity used for the managed cluster. Conflict with `client_id` and `client_secret`. Possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`(to enable both). If `UserAssigned` or `SystemAssigned, UserAssigned` is set, an `identity_ids` must be set as well. | `string` | `"SystemAssigned"` | no | +| [ingress\_application\_gateway\_enabled](#input\_ingress\_application\_gateway\_enabled) | Whether to deploy the Application Gateway ingress controller to this Kubernetes Cluster? | `bool` | `false` | no | +| [ingress\_application\_gateway\_id](#input\_ingress\_application\_gateway\_id) | The ID of the Application Gateway to integrate with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no | +| [ingress\_application\_gateway\_name](#input\_ingress\_application\_gateway\_name) | The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. 
| `string` | `null` | no | +| [ingress\_application\_gateway\_subnet\_cidr](#input\_ingress\_application\_gateway\_subnet\_cidr) | The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no | +| [ingress\_application\_gateway\_subnet\_id](#input\_ingress\_application\_gateway\_subnet\_id) | The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no | +| [key\_vault\_secrets\_provider\_enabled](#input\_key\_vault\_secrets\_provider\_enabled) | (Optional) Whether to use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster. For more details: https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver | `bool` | `false` | no | +| [kubernetes\_version](#input\_kubernetes\_version) | Specify which Kubernetes release to use. The default used is the latest Kubernetes version available in the region | `string` | `null` | no | +| [local\_account\_disabled](#input\_local\_account\_disabled) | (Optional) - If `true` local accounts will be disabled. Defaults to `false`. See [the documentation](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts) for more information. | `bool` | `null` | no | +| [location](#input\_location) | Location of cluster, if not defined it will be read from the resource-group | `string` | `null` | no | +| [log\_analytics\_solution\_id](#input\_log\_analytics\_solution\_id) | (Optional) Existing azurerm\_log\_analytics\_solution ID. Providing ID disables creation of azurerm\_log\_analytics\_solution. | `string` | `null` | no | +| [log\_analytics\_workspace](#input\_log\_analytics\_workspace) | (Optional) Existing azurerm\_log\_analytics\_workspace to attach azurerm\_log\_analytics\_solution. Providing the config disables creation of azurerm\_log\_analytics\_workspace. |
object({
id = string
name = string
})
| `null` | no | +| [log\_analytics\_workspace\_enabled](#input\_log\_analytics\_workspace\_enabled) | Enable the integration of azurerm\_log\_analytics\_workspace and azurerm\_log\_analytics\_solution: https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-onboard | `bool` | `true` | no | +| [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | (Optional) Resource group name to create azurerm\_log\_analytics\_solution. | `string` | `null` | no | +| [log\_analytics\_workspace\_sku](#input\_log\_analytics\_workspace\_sku) | The SKU (pricing level) of the Log Analytics workspace. For new subscriptions the SKU should be set to PerGB2018 | `string` | `"PerGB2018"` | no | +| [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period for the logs in days | `number` | `30` | no | +| [net\_profile\_dns\_service\_ip](#input\_net\_profile\_dns\_service\_ip) | (Optional) IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created. | `string` | `null` | no | +| [net\_profile\_docker\_bridge\_cidr](#input\_net\_profile\_docker\_bridge\_cidr) | (Optional) IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created. | `string` | `null` | no | +| [net\_profile\_outbound\_type](#input\_net\_profile\_outbound\_type) | (Optional) The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer and userDefinedRouting. Defaults to loadBalancer. | `string` | `"loadBalancer"` | no | +| [net\_profile\_pod\_cidr](#input\_net\_profile\_pod\_cidr) | (Optional) The CIDR to use for pod IP addresses. This field can only be set when network\_plugin is set to kubenet. Changing this forces a new resource to be created. 
| `string` | `null` | no | +| [net\_profile\_service\_cidr](#input\_net\_profile\_service\_cidr) | (Optional) The Network Range used by the Kubernetes service. Changing this forces a new resource to be created. | `string` | `null` | no | +| [network\_plugin](#input\_network\_plugin) | Network plugin to use for networking. | `string` | `"kubenet"` | no | +| [network\_policy](#input\_network\_policy) | (Optional) Sets up network policy to be used with Azure CNI. Network policy allows us to control the traffic flow between pods. Currently supported values are calico and azure. Changing this forces a new resource to be created. | `string` | `null` | no | +| [node\_resource\_group](#input\_node\_resource\_group) | The auto-generated Resource Group which contains the resources for this Managed Kubernetes Cluster. Changing this forces a new resource to be created. | `string` | `null` | no | +| [oidc\_issuer\_enabled](#input\_oidc\_issuer\_enabled) | Enable or Disable the OIDC issuer URL. Defaults to false. | `bool` | `false` | no | +| [only\_critical\_addons\_enabled](#input\_only\_critical\_addons\_enabled) | (Optional) Enabling this option will taint default node pool with `CriticalAddonsOnly=true:NoSchedule` taint. Changing this forces a new resource to be created. | `bool` | `null` | no | +| [open\_service\_mesh\_enabled](#input\_open\_service\_mesh\_enabled) | Is Open Service Mesh enabled? For more details, please visit [Open Service Mesh for AKS](https://docs.microsoft.com/azure/aks/open-service-mesh-about). | `bool` | `null` | no | +| [orchestrator\_version](#input\_orchestrator\_version) | Specify which Kubernetes release to use for the orchestration layer. The default used is the latest Kubernetes version available in the region | `string` | `null` | no | +| [os\_disk\_size\_gb](#input\_os\_disk\_size\_gb) | Disk size of nodes in GBs. 
| `number` | `50` | no | +| [os\_disk\_type](#input\_os\_disk\_type) | The type of disk which should be used for the Operating System. Possible values are `Ephemeral` and `Managed`. Defaults to `Managed`. Changing this forces a new resource to be created. | `string` | `"Managed"` | no | +| [prefix](#input\_prefix) | (Required) The prefix for the resources created in the specified Azure Resource Group | `string` | n/a | yes | +| [private\_cluster\_enabled](#input\_private\_cluster\_enabled) | If true cluster API server will be exposed only on internal IP address and available only in cluster vnet. | `bool` | `false` | no | +| [private\_cluster\_public\_fqdn\_enabled](#input\_private\_cluster\_public\_fqdn\_enabled) | (Optional) Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to `false`. | `bool` | `false` | no | +| [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id) | (Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this or `None`. In case of `None` you will need to bring your own DNS server and set up resolving, otherwise cluster will have issues after provisioning. Changing this forces a new resource to be created. | `string` | `null` | no | +| [public\_ssh\_key](#input\_public\_ssh\_key) | A custom ssh key to control access to the AKS cluster. Changing this forces a new resource to be created. | `string` | `""` | no | +| [rbac\_aad\_admin\_group\_object\_ids](#input\_rbac\_aad\_admin\_group\_object\_ids) | Object ID of groups with admin access. | `list(string)` | `null` | no | +| [rbac\_aad\_azure\_rbac\_enabled](#input\_rbac\_aad\_azure\_rbac\_enabled) | (Optional) Is Role Based Access Control based on Azure AD enabled? | `bool` | `null` | no | +| [rbac\_aad\_client\_app\_id](#input\_rbac\_aad\_client\_app\_id) | The Client ID of an Azure Active Directory Application. 
| `string` | `null` | no | +| [rbac\_aad\_managed](#input\_rbac\_aad\_managed) | Is the Azure Active Directory integration Managed, meaning that Azure will create/manage the Service Principal used for integration. | `bool` | `false` | no | +| [rbac\_aad\_server\_app\_id](#input\_rbac\_aad\_server\_app\_id) | The Server ID of an Azure Active Directory Application. | `string` | `null` | no | +| [rbac\_aad\_server\_app\_secret](#input\_rbac\_aad\_server\_app\_secret) | The Server Secret of an Azure Active Directory Application. | `string` | `null` | no | +| [rbac\_aad\_tenant\_id](#input\_rbac\_aad\_tenant\_id) | (Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used. | `string` | `null` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | The resource group name to be imported | `string` | n/a | yes | +| [role\_based\_access\_control\_enabled](#input\_role\_based\_access\_control\_enabled) | Enable Role Based Access Control. | `bool` | `false` | no | +| [secret\_rotation\_enabled](#input\_secret\_rotation\_enabled) | Is secret rotation enabled? This variable is only used when `key_vault_secrets_provider_enabled` is `true` and defaults to `false` | `bool` | `false` | no | +| [secret\_rotation\_interval](#input\_secret\_rotation\_interval) | The interval to poll for secret rotation. This attribute is only set when `secret_rotation` is `true` and defaults to `2m` | `string` | `"2m"` | no | +| [sku\_tier](#input\_sku\_tier) | The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free and Paid | `string` | `"Free"` | no | +| [tags](#input\_tags) | Any tags that should be present on the AKS cluster resources | `map(string)` | `{}` | no | +| [vnet\_subnet\_id](#input\_vnet\_subnet\_id) | (Optional) The ID of a Subnet where the Kubernetes Node Pool should exist. Changing this forces a new resource to be created. 
| `string` | `null` | no | ## Outputs @@ -331,6 +402,7 @@ No modules. | [client\_certificate](#output\_client\_certificate) | n/a | | [client\_key](#output\_client\_key) | n/a | | [cluster\_ca\_certificate](#output\_cluster\_ca\_certificate) | n/a | +| [cluster\_identity](#output\_cluster\_identity) | n/a | | [generated\_cluster\_private\_ssh\_key](#output\_generated\_cluster\_private\_ssh\_key) | The cluster will use this generated private key as ssh key when `var.public_ssh_key` is empty or null. | | [generated\_cluster\_public\_ssh\_key](#output\_generated\_cluster\_public\_ssh\_key) | The cluster will use this generated public key as ssh key when `var.public_ssh_key` is empty or null. | | [host](#output\_host) | n/a | @@ -350,6 +422,5 @@ No modules. | [oms\_agent\_enabled](#output\_oms\_agent\_enabled) | n/a | | [open\_service\_mesh\_enabled](#output\_open\_service\_mesh\_enabled) | n/a | | [password](#output\_password) | n/a | -| [system\_assigned\_identity](#output\_system\_assigned\_identity) | n/a | | [username](#output\_username) | n/a | \ No newline at end of file From 74746d2f8d02f8d20c45abc79f8f2d3be0d58f26 Mon Sep 17 00:00:00 2001 From: zjhe Date: Thu, 14 Jul 2022 16:12:53 +0800 Subject: [PATCH 05/20] Amend `description` to all outputs. --- outputs.tf | 116 ++++++++++++++++++++++++++++++++++------------------- 1 file changed, 74 insertions(+), 42 deletions(-) diff --git a/outputs.tf b/outputs.tf index 99151c0d..8e7bace7 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -1,146 +1,178 @@
 output "aci_connector_linux" {
- value = try(azurerm_kubernetes_cluster.main.aci_connector_linux[0], null)
+ description = "The `aci_connector_linux` block of `azurerm_kubernetes_cluster` resource."
+ value = try(azurerm_kubernetes_cluster.main.aci_connector_linux[0], null)
 }
 output "aci_connector_linux_enabled" {
- value = can(azurerm_kubernetes_cluster.main.aci_connector_linux[0])
+ description = "Has `aci_connector_linux` been enabled on the `azurerm_kubernetes_cluster` resource?"
+ value = can(azurerm_kubernetes_cluster.main.aci_connector_linux[0])
 }
 output "admin_client_certificate" {
- value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].client_certificate, "")
+ description = "The `client_certificate` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster."
+ value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].client_certificate, "")
 }
 output "admin_client_key" {
- value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].client_key, "")
+ description = "The `client_key` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. Base64 encoded private key used by clients to authenticate to the Kubernetes cluster."
+ value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].client_key, "")
 }
 output "admin_cluster_ca_certificate" {
- value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].cluster_ca_certificate, "")
+ description = "The `cluster_ca_certificate` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster."
+ value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].cluster_ca_certificate, "")
 }
 output "admin_host" {
- value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].host, "")
+ description = "The `host` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. The Kubernetes cluster server host."
+ value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].host, "")
 }
 output "admin_password" {
- value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].password, "")
+ description = "The `password` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. A password or token used to authenticate to the Kubernetes cluster."
+ value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].password, "")
 }
 output "admin_username" {
- value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].username, "")
+ description = "The `username` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. A username used to authenticate to the Kubernetes cluster."
+ value = try(azurerm_kubernetes_cluster.main.kube_admin_config[0].username, "")
 }
 output "aks_id" {
- value = azurerm_kubernetes_cluster.main.id
+ description = "The `azurerm_kubernetes_cluster`'s id."
+ value = azurerm_kubernetes_cluster.main.id
 }
 output "azure_policy_enabled" {
- value = azurerm_kubernetes_cluster.main.azure_policy_enabled
+ description = "The `azurerm_kubernetes_cluster`'s `azure_policy_enabled` argument. Should the Azure Policy Add-On be enabled? For more details please visit [Understand Azure Policy for Azure Kubernetes Service](https://docs.microsoft.com/en-ie/azure/governance/policy/concepts/rego-for-aks)"
+ value = azurerm_kubernetes_cluster.main.azure_policy_enabled
 }
 output "client_certificate" {
- sensitive = true
- value = azurerm_kubernetes_cluster.main.kube_config[0].client_certificate
+ description = "The `client_certificate` in the `azurerm_kubernetes_cluster`'s `kube_config` block.
Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster."
+ sensitive = true
+ value = azurerm_kubernetes_cluster.main.kube_config[0].client_certificate
 }
 output "client_key" {
- sensitive = true
- value = azurerm_kubernetes_cluster.main.kube_config[0].client_key
+ description = "The `client_key` in the `azurerm_kubernetes_cluster`'s `kube_config` block. Base64 encoded private key used by clients to authenticate to the Kubernetes cluster."
+ sensitive = true
+ value = azurerm_kubernetes_cluster.main.kube_config[0].client_key
 }
 output "cluster_ca_certificate" {
- sensitive = true
- value = azurerm_kubernetes_cluster.main.kube_config[0].cluster_ca_certificate
+ description = "The `cluster_ca_certificate` in the `azurerm_kubernetes_cluster`'s `kube_config` block. Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster."
+ sensitive = true
+ value = azurerm_kubernetes_cluster.main.kube_config[0].cluster_ca_certificate
 }
 output "cluster_identity" {
- value = try(azurerm_kubernetes_cluster.main.identity[0], null)
+ description = "The `azurerm_kubernetes_cluster`'s `identity` block."
+ value = try(azurerm_kubernetes_cluster.main.identity[0], null)
 }
 output "generated_cluster_private_ssh_key" {
- description = "The cluster will use this generated private key as ssh key when `var.public_ssh_key` is empty or null."
+ description = "The cluster will use this generated private key as ssh key when `var.public_ssh_key` is empty or null. Private key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format."
 sensitive = true
 value = try(azurerm_kubernetes_cluster.main.linux_profile[0], null) != null ? (var.public_ssh_key == "" || var.public_ssh_key == null ? tls_private_key.ssh[0].private_key_pem : null) : null
 }
 output "generated_cluster_public_ssh_key" {
- description = "The cluster will use this generated public key as ssh key when `var.public_ssh_key` is empty or null."
+ description = "The cluster will use this generated public key as ssh key when `var.public_ssh_key` is empty or null. The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:....` Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](https://registry.terraform.io/providers/hashicorp/tls/latest/docs#limitations)."
 value = try(azurerm_kubernetes_cluster.main.linux_profile[0], null) != null ? (var.public_ssh_key == "" || var.public_ssh_key == null ? tls_private_key.ssh[0].public_key_openssh : null) : null
 }
 output "host" {
- sensitive = true
- value = azurerm_kubernetes_cluster.main.kube_config[0].host
+ description = "The `host` in the `azurerm_kubernetes_cluster`'s `kube_config` block. The Kubernetes cluster server host."
+ sensitive = true
+ value = azurerm_kubernetes_cluster.main.kube_config[0].host
 }
 output "http_application_routing_enabled" {
- value = azurerm_kubernetes_cluster.main.http_application_routing_enabled
+ description = "The `azurerm_kubernetes_cluster`'s `http_application_routing_enabled` argument. (Optional) Should HTTP Application Routing be enabled?"
+ value = azurerm_kubernetes_cluster.main.http_application_routing_enabled
 }
 output "http_application_routing_zone_name" {
- value = azurerm_kubernetes_cluster.main.http_application_routing_zone_name != null ? azurerm_kubernetes_cluster.main.http_application_routing_zone_name : ""
+ description = "The `azurerm_kubernetes_cluster`'s `http_application_routing_zone_name` argument. The Zone Name of the HTTP Application Routing."
+ value = azurerm_kubernetes_cluster.main.http_application_routing_zone_name != null ? azurerm_kubernetes_cluster.main.http_application_routing_zone_name : ""
 }
 output "ingress_application_gateway" {
- value = try(azurerm_kubernetes_cluster.main.ingress_application_gateway[0], null)
+ description = "The `azurerm_kubernetes_cluster`'s `ingress_application_gateway` block."
+ value = try(azurerm_kubernetes_cluster.main.ingress_application_gateway[0], null)
 }
 output "ingress_application_gateway_enabled" {
- value = can(azurerm_kubernetes_cluster.main.ingress_application_gateway[0])
+ description = "Has the `azurerm_kubernetes_cluster` turned on `ingress_application_gateway` block?"
+ value = can(azurerm_kubernetes_cluster.main.ingress_application_gateway[0])
 }
 output "key_vault_secrets_provider" {
- value = try(azurerm_kubernetes_cluster.main.key_vault_secrets_provider[0], null)
+ description = "The `azurerm_kubernetes_cluster`'s `key_vault_secrets_provider` block."
+ value = try(azurerm_kubernetes_cluster.main.key_vault_secrets_provider[0], null)
 }
 output "key_vault_secrets_provider_enabled" {
- value = can(azurerm_kubernetes_cluster.main.key_vault_secrets_provider[0])
+ description = "Has the `azurerm_kubernetes_cluster` turned on `key_vault_secrets_provider` block?"
+ value = can(azurerm_kubernetes_cluster.main.key_vault_secrets_provider[0])
 }
 output "kube_admin_config_raw" {
- sensitive = true
- value = azurerm_kubernetes_cluster.main.kube_admin_config_raw
+ description = "The `azurerm_kubernetes_cluster`'s `kube_admin_config_raw` argument. Raw Kubernetes config for the admin account to be used by [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/) and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled."
+ sensitive = true
+ value = azurerm_kubernetes_cluster.main.kube_admin_config_raw
 }
 output "kube_config_raw" {
- sensitive = true
- value = azurerm_kubernetes_cluster.main.kube_config_raw
+ description = "The `azurerm_kubernetes_cluster`'s `kube_config_raw` argument. Raw Kubernetes config to be used by [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/) and other compatible tools."
+ sensitive = true
+ value = azurerm_kubernetes_cluster.main.kube_config_raw
 }
 output "kubelet_identity" {
- value = azurerm_kubernetes_cluster.main.kubelet_identity
+ description = "The `azurerm_kubernetes_cluster`'s `kubelet_identity` block."
+ value = azurerm_kubernetes_cluster.main.kubelet_identity
 }
 output "location" {
- value = azurerm_kubernetes_cluster.main.location
+ description = "The `azurerm_kubernetes_cluster`'s `location` argument. (Required) The location where the Managed Kubernetes Cluster should be created."
+ value = azurerm_kubernetes_cluster.main.location
 }
 output "node_resource_group" {
- value = azurerm_kubernetes_cluster.main.node_resource_group
+ description = "The auto-generated Resource Group which contains the resources for this Managed Kubernetes Cluster."
+ value = azurerm_kubernetes_cluster.main.node_resource_group
 }
 output "oidc_issuer_url" {
- value = azurerm_kubernetes_cluster.main.oidc_issuer_url
+ description = "The OIDC issuer URL that is associated with the cluster."
+ value = azurerm_kubernetes_cluster.main.oidc_issuer_url
 }
 output "oms_agent" {
- value = try(azurerm_kubernetes_cluster.main.oms_agent[0], null)
+ description = "The `azurerm_kubernetes_cluster`'s `oms_agent` argument."
+ value = try(azurerm_kubernetes_cluster.main.oms_agent[0], null)
 }
 output "oms_agent_enabled" {
- value = can(azurerm_kubernetes_cluster.main.oms_agent[0])
+ description = "Has the `azurerm_kubernetes_cluster` turned on `oms_agent` block?"
+ value = can(azurerm_kubernetes_cluster.main.oms_agent[0])
 }
 output "open_service_mesh_enabled" {
- value = azurerm_kubernetes_cluster.main.open_service_mesh_enabled
+ description = "(Optional) Is Open Service Mesh enabled? For more details, please visit [Open Service Mesh for AKS](https://docs.microsoft.com/azure/aks/open-service-mesh-about)."
+ value = azurerm_kubernetes_cluster.main.open_service_mesh_enabled
 }
 output "password" {
- sensitive = true
- value = azurerm_kubernetes_cluster.main.kube_config[0].password
+ description = "The `password` in the `azurerm_kubernetes_cluster`'s `kube_config` block. A password or token used to authenticate to the Kubernetes cluster."
+ sensitive = true
+ value = azurerm_kubernetes_cluster.main.kube_config[0].password
 }
 output "username" {
- sensitive = true
- value = azurerm_kubernetes_cluster.main.kube_config[0].username
+ description = "The `username` in the `azurerm_kubernetes_cluster`'s `kube_config` block. A username used to authenticate to the Kubernetes cluster."
+ sensitive = true
+ value = azurerm_kubernetes_cluster.main.kube_config[0].username
 }
\ No newline at end of file
From e5e794d42d67f5c206ddf8e823e4a61fc21a6464 Mon Sep 17 00:00:00 2001
From: zjhe
Date: Thu, 14 Jul 2022 16:15:26 +0800
Subject: [PATCH 06/20] Remove blank line.
---
 main.tf | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/main.tf b/main.tf
index 3627a361..70c7c4af 100644
--- a/main.tf
+++ b/main.tf
@@ -15,10 +15,9 @@ resource "tls_private_key" "ssh" {
 }
 resource "azurerm_kubernetes_cluster" "main" {
- name = var.cluster_name == null ? "${var.prefix}-aks" : var.cluster_name
- location = coalesce(var.location, data.azurerm_resource_group.main.location)
- resource_group_name = data.azurerm_resource_group.main.name
-
+ name = var.cluster_name == null ? "${var.prefix}-aks" : var.cluster_name
+ location = coalesce(var.location, data.azurerm_resource_group.main.location)
+ resource_group_name = data.azurerm_resource_group.main.name
 dns_prefix = var.prefix
 api_server_authorized_ip_ranges = var.api_server_authorized_ip_ranges
 azure_policy_enabled = var.azure_policy_enabled
From f17e2913541bff212732ad7b172a3b12e4977ebf Mon Sep 17 00:00:00 2001
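Review bot: The description added to `generated_cluster_public_ssh_key` (just after `cluster_identity` in this hunk) documents a fingerprint ("OpenSSH MD5 hash format, e.g. `aa:bb:cc:....`"), but the output's value is `tls_private_key.ssh[0].public_key_openssh`, which is the public key itself in authorized_keys format, so the text describes a different attribute of the tls resource; replacing everything after the first sentence with `The public key data in "Authorized Keys" format.` would match the value. Separately, the `admin_client_key`, `admin_password`, `admin_client_certificate`, `admin_cluster_ca_certificate`, `admin_host` and `admin_username` outputs near the top of the hunk gain descriptions but still have no `sensitive` attribute, while their `kube_config` counterparts (`client_key`, `password`, `host`, `username`) and `kube_admin_config_raw` are marked `sensitive = true`. Without that flag Terraform will not require root-module outputs that forward the admin private key or password to be declared sensitive, so they can surface in plain plan/apply output; adding `sensitive = true` to at least `admin_client_key` and `admin_password` is a one-line change each, and the README list of sensitive outputs in this series would then need the same names.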
From: zjhe
Date: Thu, 14 Jul 2022 18:49:35 +0800
Subject: [PATCH 07/20] Update CHANGELOG and README
---
 CHANGLOG.md | 1 +
 README.md | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
diff --git a/CHANGLOG.md b/CHANGLOG.md
index 72756db8..8435223f 100644
--- a/CHANGLOG.md
+++ b/CHANGLOG.md
@@ -2,6 +2,7 @@ ENHANCEMENTS:
+* Variable `enable_kube_dashboard` has been remove as [#181](https://github.com/Azure/terraform-azurerm-aks/issues/181) described. ([#181](https://github.com/Azure/terraform-azurerm-aks/pull/181))
 * Add new variable `location` so we can define location for the resources explicitly. ([#172](https://github.com/Azure/terraform-azurerm-aks/pull/172))
 * Bump AzureRM Provider version to 3.3.0. ([#157](https://github.com/Azure/terraform-azurerm-aks/pull/157))
 * Add new variable `private_dns_zone_id` to make argument `private_dns_zone_id` configurable. ([#174](https://github.com/Azure/terraform-azurerm-aks/pull/174))
diff --git a/README.md b/README.md
index 0f3717fc..24960c30 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,10 @@ Running the `terraform plan` first to inspect the plan is strongly advised.
 Now Terraform core's lowest version is v1.2.0 and terraform-provider-azurerm's lowest version is v3.3.0.
+### variable `user_assigned_identity_id` has been renamed.
+
+variable `user_assigned_identity_id` has been renamed to `identity_ids` and it's type has been changed from `string` to `list(string)`.
+
 ### `addon_profile` in outputs is no longer available.
 It has been broken into the following new outputs:
@@ -64,6 +68,18 @@ Resource `tls_private_key`'s creation now is conditional. Users may see the dest
 ### `system_assigned_identity` in the output has been renamed to `cluster_identity`
+### The following outputs are now sensitive. All outputs referenced them must declare sensitive too
+
+* `client_certificate`
+* `client_key`
+* `cluster_ca_certificate`
+* `generated_cluster_private_ssh_key`
+* `host`
+* `kube_admin_config_raw`
+* `kube_config_raw`
+* `password`
+* `username`
+
 ## Usage in Terraform 0.13
 ```hcl
From b9384b9a09f542e93e22d4106a1fdbcec899c9eb Mon Sep 17 00:00:00 2001
From: zjhe
Date: Fri, 15 Jul 2022 14:37:50 +0800
Subject: [PATCH 08/20] Add provider version constraint, use square brackets instead of deprecated index syntax.
---
 test/fixture/disk_encryption_set.tf | 4 ++--
 test/fixture/providers.tf | 4 ++++
 versions.tf | 4 ++++
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/test/fixture/disk_encryption_set.tf b/test/fixture/disk_encryption_set.tf
index 117bdff1..035ca6b3 100644
--- a/test/fixture/disk_encryption_set.tf
+++ b/test/fixture/disk_encryption_set.tf
@@ -73,8 +73,8 @@ resource "azurerm_disk_encryption_set" "des" {
 resource "azurerm_key_vault_access_policy" "des" {
 key_vault_id = azurerm_key_vault.des_vault.id
- tenant_id = azurerm_disk_encryption_set.des.identity.0.tenant_id
- object_id = azurerm_disk_encryption_set.des.identity.0.principal_id
+ tenant_id = azurerm_disk_encryption_set.des.identity[0].tenant_id
+ object_id = azurerm_disk_encryption_set.des.identity[0].principal_id
 key_permissions = [
 "Get",
 "WrapKey",
diff --git a/test/fixture/providers.tf b/test/fixture/providers.tf
index 48452a5c..f2f349ff 100644
--- a/test/fixture/providers.tf
+++ b/test/fixture/providers.tf
@@ -10,6 +10,10 @@ terraform {
 source = "anschoewe/curl"
 version = ">=1.0.2"
 }
+ random = {
+ source = "hashicorp/random"
+ version = ">=3.3.0"
+ }
 }
 }
diff --git a/versions.tf b/versions.tf
index d3eee6e1..9ec442e7 100644
--- a/versions.tf
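Review bot: The `random` entry added to test/fixture/providers.tf uses an open-ended constraint, `version = ">=3.3.0"`, which has no upper bound and so accepts any future major release of hashicorp/random, whereas the `tls` entry this same commit adds to versions.tf in the next hunk uses the pessimistic form `~> 3.1` and the existing azurerm entry uses `~> 3.3`. For consistency with versions.tf and to keep the fixture from silently resolving to a breaking major version, `version = "~> 3.3"` would be the matching form. The pre-existing `>=1.0.2` on the curl provider shown in context has the same shape, so the inconsistency predates this commit, but the new entry is the place to avoid extending it.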
+++ b/versions.tf
@@ -6,5 +6,9 @@ terraform {
 source = "hashicorp/azurerm"
 version = "~> 3.3"
 }
+ tls = {
+ source = "hashicorp/tls"
+ version = "~> 3.1"
+ }
 }
 }
From 3971482eb73791df874c803cc537abd14addc59d Mon Sep 17 00:00:00 2001
From: zjhe
Date: Fri, 15 Jul 2022 14:56:14 +0800
Subject: [PATCH 09/20] Reformat example code. Turn on azure policy for test code to meet compliance requirement.
---
 test/fixture/main.tf | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/test/fixture/main.tf b/test/fixture/main.tf
index 76cca19b..2172611e 100644
--- a/test/fixture/main.tf
+++ b/test/fixture/main.tf
@@ -27,7 +27,8 @@ resource "azurerm_user_assigned_identity" "test" {
 }
 module "aks" {
- source = "../.."
+ source = "../.."
+
 prefix = "prefix-${random_id.prefix.hex}"
 resource_group_name = azurerm_resource_group.main.name
 agents_availability_zones = ["1", "2"]
@@ -49,10 +50,10 @@ module "aks" {
 disk_encryption_set_id = azurerm_disk_encryption_set.des.id
 enable_auto_scaling = true
 enable_host_encryption = true
- http_application_routing_enabled = true
- ingress_application_gateway_enabled = true
- log_analytics_workspace_enabled = true
- role_based_access_control_enabled = true
+ http_application_routing_enabled = true
+ ingress_application_gateway_enabled = true
+ log_analytics_workspace_enabled = true
+ role_based_access_control_enabled = true
 ingress_application_gateway_name = "${random_id.prefix.hex}-agw"
 ingress_application_gateway_subnet_cidr = "10.52.1.0/24"
 local_account_disabled = true
@@ -71,32 +72,36 @@ module "aks" {
 }
 module "aks_without_monitor" {
- source = "../.."
- prefix = "prefix2-${random_id.prefix.hex}"
- resource_group_name = azurerm_resource_group.main.name
- disk_encryption_set_id = azurerm_disk_encryption_set.des.id
+ source = "../.."
+
+ prefix = "prefix2-${random_id.prefix.hex}"
+ resource_group_name = azurerm_resource_group.main.name
+ azure_policy_enabled = true
+ disk_encryption_set_id = azurerm_disk_encryption_set.des.id
 #checkov:skip=CKV_AZURE_4:The logging is turn off for demo purpose. DO NOT DO THIS IN PRODUCTION ENVIRONMENT!
 log_analytics_workspace_enabled = false
 role_based_access_control_enabled = true
- local_account_disabled = true
- net_profile_pod_cidr = "10.1.0.0/16"
- private_cluster_enabled = true
- rbac_aad_managed = true
+ local_account_disabled = true
+ net_profile_pod_cidr = "10.1.0.0/16"
+ private_cluster_enabled = true
+ rbac_aad_managed = true
 depends_on = [azurerm_resource_group.main]
 }
 module "aks_cluster_name" {
- source = "../.."
+ source = "../.."
+
 prefix = "prefix"
 resource_group_name = azurerm_resource_group.main.name
 # Not necessary, just for demo purpose.
 admin_username = "azureuser"
+ azure_policy_enabled = true
 cluster_log_analytics_workspace_name = "test-cluster"
 cluster_name = "test-cluster"
 disk_encryption_set_id = azurerm_disk_encryption_set.des.id
- log_analytics_workspace_enabled = true
- role_based_access_control_enabled = true
+ log_analytics_workspace_enabled = true
+ role_based_access_control_enabled = true
 identity_ids = [azurerm_user_assigned_identity.test.id]
 identity_type = "UserAssigned"
 local_account_disabled = true
From 20799c4e9ced997285b94fe0115be97eedf61c42 Mon Sep 17 00:00:00 2001
From: zjhe
Date: Fri, 15 Jul 2022 17:06:44 +0800
Subject: [PATCH 10/20] Update usage in readme.
---
 README.md | 165 +++++++++++++++++++++++++++++++-----------------------
 1 file changed, 95 insertions(+), 70 deletions(-)
diff --git a/README.md b/README.md
index 24960c30..00a40129 100644
--- a/README.md
+++ b/README.md
@@ -80,98 +80,121 @@ Resource `tls_private_key`'s creation now is conditional. Users may see the dest * `password` * `username` -## Usage in Terraform 0.13 +## Usage in Terraform 1.2.0 ```hcl provider "azurerm" { features {} } -resource "azurerm_resource_group" "example" { - name = "aks-resource-group" - location = "eastus" +resource "random_id" "prefix" { + byte_length = 8 +} +resource "azurerm_resource_group" "main" { + location = var.location + name = "${random_id.prefix.hex}-rg" +} + +resource "azurerm_virtual_network" "test" { + name = "${random_id.prefix.hex}-vn" + resource_group_name = azurerm_resource_group.main.name + address_space = ["10.52.0.0/16"] + location = azurerm_resource_group.main.location } -module "network" { - source = "Azure/network/azurerm" - resource_group_name = azurerm_resource_group.example.name - address_space = "10.52.0.0/16" - subnet_prefixes = ["10.52.0.0/24"] - subnet_names = ["subnet1"] - depends_on = [azurerm_resource_group.example] +resource "azurerm_subnet" "test" { + name = "${random_id.prefix.hex}-sn" + resource_group_name = azurerm_resource_group.main.name + virtual_network_name = azurerm_virtual_network.test.name + address_prefixes = ["10.52.0.0/24"] } -data "azuread_group" "aks_cluster_admins" { - display_name = "AKS-cluster-admins" +resource "azurerm_user_assigned_identity" "test" { + name = "${random_id.prefix.hex}-identity" + resource_group_name = azurerm_resource_group.main.name + location = azurerm_resource_group.main.location } module "aks" { - source = "Azure/aks/azurerm" - resource_group_name = azurerm_resource_group.example.name - client_id = "your-service-principal-client-appid" - client_secret = "your-service-principal-client-password" - kubernetes_version = "1.23.5" - orchestrator_version = "1.23.5" - prefix = "prefix" - cluster_name = "cluster-name" - network_plugin = "azure" - vnet_subnet_id = module.network.vnet_subnets[0] - os_disk_size_gb = 50 - sku_tier = "Paid" # defaults to Free - 
enable_role_based_access_control = true - rbac_aad_admin_group_object_ids = [data.azuread_group.aks_cluster_admins.id] - rbac_aad_managed = true - private_cluster_enabled = true # default value - enable_http_application_routing = true - enable_azure_policy = true - enable_open_service_mesh = true - enable_auto_scaling = true - enable_host_encryption = true - agents_min_count = 1 - agents_max_count = 2 - agents_count = null # Please set `agents_count` `null` while `enable_auto_scaling` is `true` to avoid possible `agents_count` changes. - agents_max_pods = 100 - agents_pool_name = "exnodepool" - agents_availability_zones = ["1", "2"] - agents_type = "VirtualMachineScaleSets" - - agents_labels = { - "nodepool" : "defaultnodepool" + source = "../.." + + prefix = "prefix-${random_id.prefix.hex}" + resource_group_name = azurerm_resource_group.main.name + agents_availability_zones = ["1", "2"] + agents_count = null + agents_labels = { + "node1" : "label1" } - - agents_tags = { - "Agent" : "defaultnodepoolagent" + agents_max_count = 2 + agents_max_pods = 100 + agents_min_count = 1 + agents_pool_name = "testnodepool" + agents_tags = { + "Agent" : "agentTag" } - - enable_ingress_application_gateway = true - ingress_application_gateway_name = "aks-agw" + agents_type = "VirtualMachineScaleSets" + azure_policy_enabled = true + client_id = var.client_id + client_secret = var.client_secret + enable_auto_scaling = true + enable_host_encryption = true + http_application_routing_enabled = true + ingress_application_gateway_enabled = true + log_analytics_workspace_enabled = true + role_based_access_control_enabled = true + ingress_application_gateway_name = "${random_id.prefix.hex}-agw" ingress_application_gateway_subnet_cidr = "10.52.1.0/24" - - network_policy = "azure" - net_profile_dns_service_ip = "10.0.0.10" - net_profile_docker_bridge_cidr = "170.10.0.1/16" - net_profile_service_cidr = "10.0.0.0/16" - - depends_on = [module.network] + local_account_disabled = true + 
net_profile_dns_service_ip = "10.0.0.10" + net_profile_docker_bridge_cidr = "170.10.0.1/16" + net_profile_service_cidr = "10.0.0.0/16" + network_plugin = "azure" + network_policy = "azure" + os_disk_size_gb = 60 + private_cluster_enabled = true + rbac_aad_managed = true + sku_tier = "Paid" + vnet_subnet_id = azurerm_subnet.test.id + + depends_on = [azurerm_resource_group.main] } -``` -## Usage in Terraform 0.12 +module "aks_without_monitor" { + source = "../.." -```hcl -provider "azurerm" { - features {} -} + prefix = "prefix2-${random_id.prefix.hex}" + resource_group_name = azurerm_resource_group.main.name + azure_policy_enabled = true + log_analytics_workspace_enabled = true + role_based_access_control_enabled = true + local_account_disabled = true + net_profile_pod_cidr = "10.1.0.0/16" + private_cluster_enabled = true + rbac_aad_managed = true -resource "azurerm_resource_group" "example" { - name = "aks-resource-group" - location = "eastus" + depends_on = [azurerm_resource_group.main] } -module "aks" { - source = "Azure/aks/azurerm" - resource_group_name = azurerm_resource_group.example.name - prefix = "prefix" +module "aks_cluster_name" { + source = "../.." + + prefix = "prefix" + resource_group_name = azurerm_resource_group.main.name + # Not necessary, just for demo purpose. + admin_username = "azureuser" + azure_policy_enabled = true + cluster_log_analytics_workspace_name = "test-cluster" + cluster_name = "test-cluster" + log_analytics_workspace_enabled = true + role_based_access_control_enabled = true + identity_ids = [azurerm_user_assigned_identity.test.id] + identity_type = "UserAssigned" + local_account_disabled = true + net_profile_pod_cidr = "10.1.0.0/16" + private_cluster_enabled = true + rbac_aad_managed = true + + depends_on = [azurerm_resource_group.main] } ``` @@ -187,6 +210,8 @@ provider "kubernetes" { } ``` +To try the module, please run `terraform apply` command in `test/fixture` folder. + ## Test ### Configurations 
From ed5b7a535852040709d2bcc3524be095a909b261 Mon Sep 17 00:00:00 2001 From: zjhe Date: Sat, 16 Jul 2022 07:30:05 +0800 Subject: [PATCH 11/20] Update README --- README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/README.md b/README.md index 00a40129..b75aa540 100644 --- a/README.md +++ b/README.md @@ -68,6 +68,25 @@ Resource `tls_private_key`'s creation now is conditional. Users may see the dest ### `system_assigned_identity` in the output has been renamed to `cluster_identity` +The `system_assigned_identity` was: + +```hcl +output "system_assigned_identity" { + value = azurerm_kubernetes_cluster.main.identity +} +``` + +Now it has been renamed to `cluster_identity`, and the block has been changed to: + +```hcl +output "cluster_identity" { + description = "The `azurerm_kubernetes_cluster`'s `identity` block." + value = try(azurerm_kubernetes_cluster.main.identity[0], null) +} +``` + +The callers who used to read the cluster's identity block need to remove the index in their expression, from `module.aks.system_assigned_identity[0]` to `module.aks.cluster_identity`. + ### The following outputs are now sensitive. All outputs referenced them must declare sensitive too * `client_certificate` From a9a27b242b0828575fe7d127208d843b11e7d972 Mon Sep 17 00:00:00 2001 From: zjhe Date: Sat, 16 Jul 2022 07:32:35 +0800 Subject: [PATCH 12/20] Update CHANGELOG --- CHANGLOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGLOG.md b/CHANGLOG.md index 8435223f..e1bc5148 100644 --- a/CHANGLOG.md +++ b/CHANGLOG.md 
@@ -22,7 +22,7 @@ ENHANCEMENTS: * Set argument `private_cluster_enabled` to `true` in the test code. ([#219](https://github.com/Azure/terraform-azurerm-aks/pull/219)) * Add new variable `disk_encryption_set_id` to make argument `disk_encryption_set_id` configurable. Create resource `azurerm_disk_encryption_set` in the test code to turn disk encryption on for the cluster. ([#195](https://github.com/Azure/terraform-azurerm-aks/pull/195)) * Add new variable `api_server_authorized_ip_ranges` to make argument `api_server_authorized_ip_ranges` configurable. ([#220](https://github.com/Azure/terraform-azurerm-aks/pull/220)) -* Rename output `system_assigned_identity` to `cluster_identity` since it could be user assigned identity. ([#197](https://github.com/Azure/terraform-azurerm-aks/pull/197)) +* Rename output `system_assigned_identity` to `cluster_identity` since it could be user assigned identity, Remove the index inside output's value expression. ([#197](https://github.com/Azure/terraform-azurerm-aks/pull/197)) BUG FIXES: From 2ff80105e588904404f435eeed61f05142b79743 Mon Sep 17 00:00:00 2001 From: zjhe Date: Thu, 4 Aug 2022 17:35:53 +0800 Subject: [PATCH 13/20] reorder attributes and blocks in resrouces. --- main.tf | 69 +++++++++++++++++++++++++++++---------------------------- 1 file changed, 35 insertions(+), 34 deletions(-) diff --git a/main.tf b/main.tf index 70c7c4af..be99fa59 100644 --- a/main.tf +++ b/main.tf 
@@ -15,13 +15,13 @@ resource "tls_private_key" "ssh" {
 }
 
 resource "azurerm_kubernetes_cluster" "main" {
- name = var.cluster_name == null ? "${var.prefix}-aks" : var.cluster_name
 location = coalesce(var.location, data.azurerm_resource_group.main.location)
+ name = var.cluster_name == null ? "${var.prefix}-aks" : var.cluster_name
 resource_group_name = data.azurerm_resource_group.main.name
- dns_prefix = var.prefix
 api_server_authorized_ip_ranges = var.api_server_authorized_ip_ranges
 azure_policy_enabled = var.azure_policy_enabled
 disk_encryption_set_id = var.disk_encryption_set_id
+ dns_prefix = var.prefix
 http_application_routing_enabled = var.http_application_routing_enabled
 kubernetes_version = var.kubernetes_version
 local_account_disabled = var.local_account_disabled
@@ -29,88 +29,92 @@ resource "azurerm_kubernetes_cluster" "main" { oidc_issuer_enabled = var.oidc_issuer_enabled open_service_mesh_enabled = var.open_service_mesh_enabled private_cluster_enabled = var.private_cluster_enabled - private_dns_zone_id = var.private_dns_zone_id private_cluster_public_fqdn_enabled = var.private_cluster_public_fqdn_enabled + private_dns_zone_id = var.private_dns_zone_id role_based_access_control_enabled = var.role_based_access_control_enabled sku_tier = var.sku_tier tags = var.tags dynamic "default_node_pool" { for_each = var.enable_auto_scaling == true ? [] : ["default_node_pool_manually_scaled"] + content { name = var.agents_pool_name vm_size = var.agents_size enable_auto_scaling = var.enable_auto_scaling enable_host_encryption = var.enable_host_encryption enable_node_public_ip = var.enable_node_public_ip + max_count = null max_pods = var.agents_max_pods + min_count = null + node_count = var.agents_count node_labels = var.agents_labels only_critical_addons_enabled = var.only_critical_addons_enabled orchestrator_version = var.orchestrator_version os_disk_size_gb = var.os_disk_size_gb os_disk_type = var.os_disk_type - type = var.agents_type tags = merge(var.tags, var.agents_tags) + type = var.agents_type vnet_subnet_id = var.vnet_subnet_id - max_count = null - min_count = null - node_count = var.agents_count zones = var.agents_availability_zones } } dynamic "default_node_pool" { for_each = var.enable_auto_scaling == true ? 
["default_node_pool_auto_scaled"] : [] + content { name = var.agents_pool_name vm_size = var.agents_size enable_auto_scaling = var.enable_auto_scaling enable_host_encryption = var.enable_host_encryption enable_node_public_ip = var.enable_node_public_ip + max_count = var.agents_max_count max_pods = var.agents_max_pods + min_count = var.agents_min_count node_labels = var.agents_labels only_critical_addons_enabled = var.only_critical_addons_enabled orchestrator_version = var.orchestrator_version os_disk_size_gb = var.os_disk_size_gb os_disk_type = var.os_disk_type - type = var.agents_type tags = merge(var.tags, var.agents_tags) + type = var.agents_type vnet_subnet_id = var.vnet_subnet_id - max_count = var.agents_max_count - min_count = var.agents_min_count zones = var.agents_availability_zones } } dynamic "azure_active_directory_role_based_access_control" { for_each = var.role_based_access_control_enabled && var.rbac_aad_managed ? ["rbac"] : [] + content { - managed = true - tenant_id = var.rbac_aad_tenant_id admin_group_object_ids = var.rbac_aad_admin_group_object_ids azure_rbac_enabled = var.rbac_aad_azure_rbac_enabled + managed = true + tenant_id = var.rbac_aad_tenant_id } } dynamic "azure_active_directory_role_based_access_control" { for_each = var.role_based_access_control_enabled && !var.rbac_aad_managed ? ["rbac"] : [] + content { - managed = false - tenant_id = var.rbac_aad_tenant_id client_app_id = var.rbac_aad_client_app_id + managed = false server_app_id = var.rbac_aad_server_app_id server_app_secret = var.rbac_aad_server_app_secret + tenant_id = var.rbac_aad_tenant_id } } - dynamic "identity" { for_each = var.client_id == "" || var.client_secret == "" ? ["identity"] : [] + content { type = var.identity_type identity_ids = var.identity_ids } } - dynamic "ingress_application_gateway" { for_each = var.ingress_application_gateway_enabled ? 
["ingress_application_gateway"] : [] + content { gateway_id = var.ingress_application_gateway_id gateway_name = var.ingress_application_gateway_name @@ -118,46 +122,44 @@ resource "azurerm_kubernetes_cluster" "main" { subnet_id = var.ingress_application_gateway_subnet_id } } - dynamic "key_vault_secrets_provider" { for_each = var.key_vault_secrets_provider_enabled ? ["key_vault_secrets_provider"] : [] + content { secret_rotation_enabled = var.secret_rotation_enabled secret_rotation_interval = var.secret_rotation_interval } } - dynamic "linux_profile" { for_each = var.admin_username == null ? [] : ["linux_profile"] + content { admin_username = var.admin_username ssh_key { - # remove any new lines using the replace interpolation function key_data = replace(coalesce(var.public_ssh_key, tls_private_key.ssh[0].public_key_openssh), "\n", "") } } } - network_profile { network_plugin = var.network_plugin - network_policy = var.network_policy dns_service_ip = var.net_profile_dns_service_ip docker_bridge_cidr = var.net_profile_docker_bridge_cidr + network_policy = var.network_policy outbound_type = var.net_profile_outbound_type pod_cidr = var.net_profile_pod_cidr service_cidr = var.net_profile_service_cidr } - dynamic "oms_agent" { for_each = var.log_analytics_workspace_enabled ? ["oms_agent"] : [] + content { log_analytics_workspace_id = var.log_analytics_workspace == null ? azurerm_log_analytics_workspace.main[0].id : var.log_analytics_workspace.id } } - dynamic "service_principal" { for_each = var.client_id != "" && var.client_secret != "" ? ["service_principal"] : [] + content { client_id = var.client_id client_secret = var.client_secret 
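Review bot: The two `azure_active_directory_role_based_access_control` blocks near the end of this hunk are emitted only when `var.role_based_access_control_enabled` is true, but nothing couples that to `local_account_disabled = var.local_account_disabled`, set a few lines above the hunk; with local accounts disabled and no AAD profile no principal can authenticate to the API server (the README in this series notes `kube_admin_config_raw` is unavailable in that state), and as far as I recall AKS rejects the combination only at apply time, after the plan has been accepted. Since the module now requires Terraform >= 1.2, a `lifecycle { precondition }` on the cluster resource turns this into a plan-time error; wrap the variable in `coalesce(..., false)` if it is nullable. The cluster resource's closing brace lies outside this hunk, so the block below goes just before it.
```hcl
  # … unchanged: default_node_pool, AAD RBAC, identity and ingress_application_gateway blocks …

  lifecycle {
    precondition {
      condition     = !var.local_account_disabled || var.role_based_access_control_enabled
      error_message = "local_account_disabled = true requires role_based_access_control_enabled = true (AAD integration); otherwise no principal can authenticate to the cluster."
    }
  }
```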
@@ -180,27 +182,26 @@ resource "azurerm_kubernetes_cluster" "main" { resource "azurerm_log_analytics_workspace" "main" { count = var.log_analytics_workspace_enabled && var.log_analytics_workspace == null ? 1 : 0 - name = var.cluster_log_analytics_workspace_name == null ? "${var.prefix}-workspace" : var.cluster_log_analytics_workspace_name location = coalesce(var.location, data.azurerm_resource_group.main.location) + name = var.cluster_log_analytics_workspace_name == null ? "${var.prefix}-workspace" : var.cluster_log_analytics_workspace_name resource_group_name = coalesce(var.log_analytics_workspace_resource_group_name, var.resource_group_name) - sku = var.log_analytics_workspace_sku retention_in_days = var.log_retention_in_days - - tags = var.tags + sku = var.log_analytics_workspace_sku + tags = var.tags } resource "azurerm_log_analytics_solution" "main" { - count = var.log_analytics_workspace_enabled && var.log_analytics_solution_id == null ? 1 : 0 - solution_name = "ContainerInsights" + count = var.log_analytics_workspace_enabled && var.log_analytics_solution_id == null ? 1 : 0 + location = coalesce(var.location, data.azurerm_resource_group.main.location) resource_group_name = coalesce(var.log_analytics_workspace_resource_group_name, var.resource_group_name) - workspace_resource_id = var.log_analytics_workspace != null ? var.log_analytics_workspace.id : azurerm_log_analytics_workspace.main[0].id + solution_name = "ContainerInsights" workspace_name = var.log_analytics_workspace != null ? var.log_analytics_workspace.name : azurerm_log_analytics_workspace.main[0].name + workspace_resource_id = var.log_analytics_workspace != null ? var.log_analytics_workspace.id : azurerm_log_analytics_workspace.main[0].id + tags = var.tags plan { - publisher = "Microsoft" product = "OMSGallery/ContainerInsights" + publisher = "Microsoft" } - - tags = var.tags -} +} \ No newline at end of file From 6af5627809a086304760153152a308cd14d0ea42 Mon Sep 17 00:00:00 2001 
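Review bot: The only why-comment in `linux_profile` (`# remove any new lines using the replace interpolation function`) is deleted along with the reordering, leaving `key_data = replace(coalesce(var.public_ssh_key, tls_private_key.ssh[0].public_key_openssh), "\n", "")` unexplained; an attribute-reorder commit should not drop documentation. Restore it with the actual reason, e.g. `# strip the trailing newline tls_private_key (and pasted keys) carry; AKS expects key_data on a single line` — if the AKS single-line requirement is not the real motivation, state whichever it is. The enclosing cluster resource closes outside this hunk.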
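Review bot: The rewritten closing brace of `azurerm_log_analytics_solution.main` now ends with `\ No newline at end of file`, so the next `terraform fmt` (or a `terraform fmt -check` in CI) will flag main.tf and re-add the newline as a spurious follow-up diff. Keep the trailing newline after the final `}` of this hunk; it is a one-character fix in a commit whose purpose is purely formatting.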
From: zjhe Date: Fri, 5 Aug 2022 10:26:35 +0800 Subject: [PATCH 14/20] Amend changelog and readme --- CHANGLOG.md | 6 ++++-- README.md | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGLOG.md b/CHANGLOG.md index e1bc5148..3ca2a9c9 100644 --- a/CHANGLOG.md +++ b/CHANGLOG.md 
@@ -2,14 +2,15 @@ ENHANCEMENTS: -* Variable `enable_kube_dashboard` has been remove as [#181](https://github.com/Azure/terraform-azurerm-aks/issues/181) described. ([#181](https://github.com/Azure/terraform-azurerm-aks/pull/181)) +* Variable `enable_kube_dashboard` has been remove as [#181](https://github.com/Azure/terraform-azurerm-aks/issues/181) described. ([#187](https://github.com/Azure/terraform-azurerm-aks/pull/187)) * Add new variable `location` so we can define location for the resources explicitly. ([#172](https://github.com/Azure/terraform-azurerm-aks/pull/172)) * Bump AzureRM Provider version to 3.3.0. ([#157](https://github.com/Azure/terraform-azurerm-aks/pull/157)) * Add new variable `private_dns_zone_id` to make argument `private_dns_zone_id` configurable. ([#174](https://github.com/Azure/terraform-azurerm-aks/pull/174)) * Add new variable `open_service_mesh_enabled` to make argument `open_service_mesh_enabled` configurable. ([#132](https://github.com/Azure/terraform-azurerm-aks/pull/132)) * Remove `addon_profile` in the outputs since the block has been removed from provider 3.x. Extract embedded blocks inside `addon_profile` block into standalone outputs. ([#188](https://github.com/Azure/terraform-azurerm-aks/pull/188)) * Add `nullable = true` to some variables to simplify the conditional expressions. ([#193](https://github.com/Azure/terraform-azurerm-aks/pull/193)) -* Add new variable `oidc_issuer_enabled` to make argument `oidc_issuer_enabled` configurable. ([#205](https://github.com/Azure/terraform-azurerm-aks/pull/205) [#206](https://github.com/Azure/terraform-azurerm-aks/pull/206)) +* Add new variable `oidc_issuer_enabled` to make argument `oidc_issuer_enabled` configurable. ([#205](https://github.com/Azure/terraform-azurerm-aks/pull/205) +* Add new output `oidc_issuer_url` to expose the created issuer URL from the module. [#206](https://github.com/Azure/terraform-azurerm-aks/pull/206)) * Turn monitoring on in the test code. 
([#201](https://github.com/Azure/terraform-azurerm-aks/pull/201)) * Add new variables `private_dns_zone_id` and `private_cluster_public_fqdn_enabled` to make arguments `private_dns_zone_id` and `private_cluster_public_fqdn_enabled` configurable. ([#149](https://github.com/Azure/terraform-azurerm-aks/pull/149)) * Remove `module.ssh-key` and moves resource `tls_private_key` inside the module to root directory, then outputs tls keys. ([#189](https://github.com/Azure/terraform-azurerm-aks/pull/189)) @@ -23,6 +24,7 @@ ENHANCEMENTS: * Add new variable `disk_encryption_set_id` to make argument `disk_encryption_set_id` configurable. Create resource `azurerm_disk_encryption_set` in the test code to turn disk encryption on for the cluster. ([#195](https://github.com/Azure/terraform-azurerm-aks/pull/195)) * Add new variable `api_server_authorized_ip_ranges` to make argument `api_server_authorized_ip_ranges` configurable. ([#220](https://github.com/Azure/terraform-azurerm-aks/pull/220)) * Rename output `system_assigned_identity` to `cluster_identity` since it could be user assigned identity, Remove the index inside output's value expression. ([#197](https://github.com/Azure/terraform-azurerm-aks/pull/197)) +* Rename `var.enable_azure_policy` to `var.azure_policy_enabled` to meet the naming convention. Set `azure_policy_enabled` to `true` in test fixture code. ([#203](https://github.com/Azure/terraform-azurerm-aks/pull/203)) BUG FIXES: diff --git a/README.md b/README.md index b75aa540..cb28dfcb 100644 --- a/README.md +++ b/README.md 
@@ -38,6 +38,7 @@ It has been broken into the following new outputs: ### The following variables have been renamed from `enable_xxx` to `xxx_enabled` +* `enable_azure_policy` has been renamed to `azure_policy_enabled` * `enable_http_application_routing` has been renamed to `http_application_routing_enabled` * `enable_ingress_application_gateway` has been renamed to `ingress_application_gateway_enabled` * `enable_log_analytics_workspace` has been renamed to `log_analytics_workspace_enabled` From c5e7e777677fd252f9058ecd1ac9643533f715b1 Mon Sep 17 00:00:00 2001 From: zjhe Date: Fri, 5 Aug 2022 10:30:48 +0800 Subject: [PATCH 15/20] Update generated readme part. --- README.md | 77 ++++++++++++++++++++++++++++--------------------------- 1 file changed, 39 insertions(+), 38 deletions(-) diff --git a/README.md b/README.md index cb28dfcb..fecb2224 100644 --- a/README.md +++ b/README.md @@ -347,13 +347,14 @@ contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additio |---------------------------------------------------------------------------|---------| | [terraform](#requirement\_terraform) | >= 1.2 | | [azurerm](#requirement\_azurerm) | ~> 3.3 | +| [tls](#requirement\_tls) | ~> 3.1 | ## Providers | Name | Version | |---------------------------------------------------------------|---------| -| [azurerm](#provider\_azurerm) | 3.13.0 | -| [tls](#provider\_tls) | 3.4.0 | +| [azurerm](#provider\_azurerm) | ~> 3.3 | +| [tls](#provider\_tls) | ~> 3.1 | ## Modules 
@@ -448,40 +449,40 @@ No modules. ## Outputs -| Name | Description | -|-----------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------| -| [aci\_connector\_linux](#output\_aci\_connector\_linux) | n/a | -| [aci\_connector\_linux\_enabled](#output\_aci\_connector\_linux\_enabled) | n/a | -| [admin\_client\_certificate](#output\_admin\_client\_certificate) | n/a | -| [admin\_client\_key](#output\_admin\_client\_key) | n/a | -| [admin\_cluster\_ca\_certificate](#output\_admin\_cluster\_ca\_certificate) | n/a | -| [admin\_host](#output\_admin\_host) | n/a | -| [admin\_password](#output\_admin\_password) | n/a | -| [admin\_username](#output\_admin\_username) | n/a | -| [aks\_id](#output\_aks\_id) | n/a | -| [azure\_policy\_enabled](#output\_azure\_policy\_enabled) | n/a | -| [client\_certificate](#output\_client\_certificate) | n/a | -| [client\_key](#output\_client\_key) | n/a | -| [cluster\_ca\_certificate](#output\_cluster\_ca\_certificate) | n/a | -| [cluster\_identity](#output\_cluster\_identity) | n/a | -| [generated\_cluster\_private\_ssh\_key](#output\_generated\_cluster\_private\_ssh\_key) | The cluster will use this generated private key as ssh key when `var.public_ssh_key` is empty or null. | -| [generated\_cluster\_public\_ssh\_key](#output\_generated\_cluster\_public\_ssh\_key) | The cluster will use this generated public key as ssh key when `var.public_ssh_key` is empty or null. 
| -| [host](#output\_host) | n/a | -| [http\_application\_routing\_enabled](#output\_http\_application\_routing\_enabled) | n/a | -| [http\_application\_routing\_zone\_name](#output\_http\_application\_routing\_zone\_name) | n/a | -| [ingress\_application\_gateway](#output\_ingress\_application\_gateway) | n/a | -| [ingress\_application\_gateway\_enabled](#output\_ingress\_application\_gateway\_enabled) | n/a | -| [key\_vault\_secrets\_provider](#output\_key\_vault\_secrets\_provider) | n/a | -| [key\_vault\_secrets\_provider\_enabled](#output\_key\_vault\_secrets\_provider\_enabled) | n/a | -| [kube\_admin\_config\_raw](#output\_kube\_admin\_config\_raw) | n/a | -| [kube\_config\_raw](#output\_kube\_config\_raw) | n/a | -| [kubelet\_identity](#output\_kubelet\_identity) | n/a | -| [location](#output\_location) | n/a | -| [node\_resource\_group](#output\_node\_resource\_group) | n/a | -| [oidc\_issuer\_url](#output\_oidc\_issuer\_url) | n/a | -| [oms\_agent](#output\_oms\_agent) | n/a | -| [oms\_agent\_enabled](#output\_oms\_agent\_enabled) | n/a | -| [open\_service\_mesh\_enabled](#output\_open\_service\_mesh\_enabled) | n/a | -| [password](#output\_password) | n/a | -| [username](#output\_username) | n/a | +| Name | Description | +|-----------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [aci\_connector\_linux](#output\_aci\_connector\_linux) | The `aci_connector_linux` block of `azurerm_kubernetes_cluster` resource. 
| +| [aci\_connector\_linux\_enabled](#output\_aci\_connector\_linux\_enabled) | Has `aci_connector_linux` been enabled on the `azurerm_kubernetes_cluster` resource? | +| [admin\_client\_certificate](#output\_admin\_client\_certificate) | The `client_certificate` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster. | +| [admin\_client\_key](#output\_admin\_client\_key) | The `client_key` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. Base64 encoded private key used by clients to authenticate to the Kubernetes cluster. | +| [admin\_cluster\_ca\_certificate](#output\_admin\_cluster\_ca\_certificate) | The `cluster_ca_certificate` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster. | +| [admin\_host](#output\_admin\_host) | The `host` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. The Kubernetes cluster server host. | +| [admin\_password](#output\_admin\_password) | The `password` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. A password or token used to authenticate to the Kubernetes cluster. | +| [admin\_username](#output\_admin\_username) | The `username` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. A username used to authenticate to the Kubernetes cluster. | +| [aks\_id](#output\_aks\_id) | The `azurerm_kubernetes_cluster`'s id. | +| [azure\_policy\_enabled](#output\_azure\_policy\_enabled) | The `azurerm_kubernetes_cluster`'s `azure_policy_enabled` argument. Should the Azure Policy Add-On be enabled? 
For more details please visit [Understand Azure Policy for Azure Kubernetes Service](https://docs.microsoft.com/en-ie/azure/governance/policy/concepts/rego-for-aks) | +| [client\_certificate](#output\_client\_certificate) | The `client_certificate` in the `azurerm_kubernetes_cluster`'s `kube_config` block. Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster. | +| [client\_key](#output\_client\_key) | The `client_key` in the `azurerm_kubernetes_cluster`'s `kube_config` block. Base64 encoded private key used by clients to authenticate to the Kubernetes cluster. | +| [cluster\_ca\_certificate](#output\_cluster\_ca\_certificate) | The `cluster_ca_certificate` in the `azurerm_kubernetes_cluster`'s `kube_config` block. Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster. | +| [cluster\_identity](#output\_cluster\_identity) | The `azurerm_kubernetes_cluster`'s `identity` block. | +| [generated\_cluster\_private\_ssh\_key](#output\_generated\_cluster\_private\_ssh\_key) | The cluster will use this generated private key as ssh key when `var.public_ssh_key` is empty or null. Private key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. | +| [generated\_cluster\_public\_ssh\_key](#output\_generated\_cluster\_public\_ssh\_key) | The cluster will use this generated public key as ssh key when `var.public_ssh_key` is empty or null. The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:....` Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](https://registry.terraform.io/providers/hashicorp/tls/latest/docs#limitations). | +| [host](#output\_host) | The `host` in the `azurerm_kubernetes_cluster`'s `kube_config` block. The Kubernetes cluster server host. 
| +| [http\_application\_routing\_enabled](#output\_http\_application\_routing\_enabled) | The `azurerm_kubernetes_cluster`'s `http_application_routing_enabled` argument. (Optional) Should HTTP Application Routing be enabled? | +| [http\_application\_routing\_zone\_name](#output\_http\_application\_routing\_zone\_name) | The `azurerm_kubernetes_cluster`'s `http_application_routing_zone_name` argument. The Zone Name of the HTTP Application Routing. | +| [ingress\_application\_gateway](#output\_ingress\_application\_gateway) | The `azurerm_kubernetes_cluster`'s `ingress_application_gateway` block. | +| [ingress\_application\_gateway\_enabled](#output\_ingress\_application\_gateway\_enabled) | Has the `azurerm_kubernetes_cluster` turned on `ingress_application_gateway` block? | +| [key\_vault\_secrets\_provider](#output\_key\_vault\_secrets\_provider) | The `azurerm_kubernetes_cluster`'s `key_vault_secrets_provider` block. | +| [key\_vault\_secrets\_provider\_enabled](#output\_key\_vault\_secrets\_provider\_enabled) | Has the `azurerm_kubernetes_cluster` turned on `key_vault_secrets_provider` block? | +| [kube\_admin\_config\_raw](#output\_kube\_admin\_config\_raw) | The `azurerm_kubernetes_cluster`'s `kube_admin_config_raw` argument. Raw Kubernetes config for the admin account to be used by [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/) and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled. | +| [kube\_config\_raw](#output\_kube\_config\_raw) | The `azurerm_kubernetes_cluster`'s `kube_config_raw` argument. Raw Kubernetes config to be used by [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/) and other compatible tools. | +| [kubelet\_identity](#output\_kubelet\_identity) | The `azurerm_kubernetes_cluster`'s `kubelet_identity` block. | +| [location](#output\_location) | The `azurerm_kubernetes_cluster`'s `location` argument. 
(Required) The location where the Managed Kubernetes Cluster should be created. | +| [node\_resource\_group](#output\_node\_resource\_group) | The auto-generated Resource Group which contains the resources for this Managed Kubernetes Cluster. | +| [oidc\_issuer\_url](#output\_oidc\_issuer\_url) | The OIDC issuer URL that is associated with the cluster. | +| [oms\_agent](#output\_oms\_agent) | The `azurerm_kubernetes_cluster`'s `oms_agent` argument. | +| [oms\_agent\_enabled](#output\_oms\_agent\_enabled) | Has the `azurerm_kubernetes_cluster` turned on `oms_agent` block? | +| [open\_service\_mesh\_enabled](#output\_open\_service\_mesh\_enabled) | (Optional) Is Open Service Mesh enabled? For more details, please visit [Open Service Mesh for AKS](https://docs.microsoft.com/azure/aks/open-service-mesh-about). | +| [password](#output\_password) | The `password` in the `azurerm_kubernetes_cluster`'s `kube_config` block. A password or token used to authenticate to the Kubernetes cluster. | +| [username](#output\_username) | The `username` in the `azurerm_kubernetes_cluster`'s `kube_config` block. A username used to authenticate to the Kubernetes cluster. | \ No newline at end of file From 3261c3d9b7843079d2871fbb4f9e84370154ba0d Mon Sep 17 00:00:00 2001 From: hezijie Date: Mon, 8 Aug 2022 13:24:49 +0800 Subject: [PATCH 16/20] correct changelog and readme as @jiaweitao001 suggested --- CHANGLOG.md | 4 ++-- README.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGLOG.md b/CHANGLOG.md index 3ca2a9c9..c4b98ce1 100644 --- a/CHANGLOG.md +++ b/CHANGLOG.md 
@@ -2,7 +2,7 @@ ENHANCEMENTS:
-* Variable `enable_kube_dashboard` has been remove as [#181](https://github.com/Azure/terraform-azurerm-aks/issues/181) described. ([#187](https://github.com/Azure/terraform-azurerm-aks/pull/187))
+* Variable `enable_kube_dashboard` has been removed as [#181](https://github.com/Azure/terraform-azurerm-aks/issues/181) described. ([#187](https://github.com/Azure/terraform-azurerm-aks/pull/187))
 * Add new variable `location` so we can define location for the resources explicitly. ([#172](https://github.com/Azure/terraform-azurerm-aks/pull/172))
 * Bump AzureRM Provider version to 3.3.0. ([#157](https://github.com/Azure/terraform-azurerm-aks/pull/157))
 * Add new variable `private_dns_zone_id` to make argument `private_dns_zone_id` configurable. ([#174](https://github.com/Azure/terraform-azurerm-aks/pull/174))
@@ -23,7 +23,7 @@ ENHANCEMENTS:
 * Set argument `private_cluster_enabled` to `true` in the test code. ([#219](https://github.com/Azure/terraform-azurerm-aks/pull/219))
 * Add new variable `disk_encryption_set_id` to make argument `disk_encryption_set_id` configurable. Create resource `azurerm_disk_encryption_set` in the test code to turn disk encryption on for the cluster. ([#195](https://github.com/Azure/terraform-azurerm-aks/pull/195))
 * Add new variable `api_server_authorized_ip_ranges` to make argument `api_server_authorized_ip_ranges` configurable. ([#220](https://github.com/Azure/terraform-azurerm-aks/pull/220))
-* Rename output `system_assigned_identity` to `cluster_identity` since it could be user assigned identity, Remove the index inside output's value expression. ([#197](https://github.com/Azure/terraform-azurerm-aks/pull/197))
+* Rename output `system_assigned_identity` to `cluster_identity` since it could be user assigned identity. Remove the index inside output's value expression. ([#197](https://github.com/Azure/terraform-azurerm-aks/pull/197))
 * Rename `var.enable_azure_policy` to `var.azure_policy_enabled` to meet the naming convention. Set `azure_policy_enabled` to `true` in test fixture code. ([#203](https://github.com/Azure/terraform-azurerm-aks/pull/203))
 BUG FIXES:
diff --git a/README.md b/README.md
index fecb2224..1e0cc0b8 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ This Terraform module deploys a Kubernetes cluster on Azure using AKS (Azure Kub
 ## Notice on Upgrade to V5.x
-V5.0.0 is a major version upgrade and a lot of breaking changes have been introduced. Extremely cautious must be taken during the upgrade to avoid resource replacement and downtime by accident.
+V5.0.0 is a major version upgrade and a lot of breaking changes have been introduced. Extreme caution must be taken during the upgrade to avoid resource replacement and downtime by accident.
 Running the `terraform plan` first to inspect the plan is strongly advised.
@@ -57,7 +57,7 @@ It has been broken into the following new outputs:
 ### `var.admin_username`'s default value has been removed
-In v4.x `var.admin_username` has a default value `azureuser` and has been removed in V5.0.0. Since the `admin_username` argument in `linux_profile` block is a ForceNew argument, any value change to this argument will trigger a Kubernetes cluster replacement **SO THE EXTREMELY CAUTIOUS MUST BE TAKEN**. The module's callers must set `var.admin_username` to `azureuser` explicitly if they didn't set it before.
+In v4.x `var.admin_username` has a default value `azureuser` and has been removed in V5.0.0. Since the `admin_username` argument in `linux_profile` block is a ForceNew argument, any value change to this argument will trigger a Kubernetes cluster replacement **SO THE EXTREME CAUTION MUST BE TAKEN**. The module's callers must set `var.admin_username` to `azureuser` explicitly if they didn't set it before.
 ### `module.ssh-key` has been removed
@@ -88,7 +88,7 @@ output "cluster_identity" {
 The callers who used to read the cluster's identity block need to remove the index in their expression, from `module.aks.system_assigned_identity[0]` to `module.aks.cluster_identity`.
-### The following outputs are now sensitive. All outputs referenced them must declare sensitive too
+### The following outputs are now sensitive. All outputs referenced them must be declared as sensitive too
 * `client_certificate`
 * `client_key`
From 1e2df97b30169cce0f18e4040ef103e075550234 Mon Sep 17 00:00:00 2001
From: hezijie
Date: Mon, 8 Aug 2022 14:09:57 +0800
Subject: [PATCH 17/20] Fix terraform code format in markdown file using terrafmt.
---
 CHANGLOG.md | 2 +-
 README.md | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/CHANGLOG.md b/CHANGLOG.md
index c4b98ce1..2a7d4fd5 100644
--- a/CHANGLOG.md
+++ b/CHANGLOG.md
@@ -28,4 +28,4 @@ ENHANCEMENTS:
 BUG FIXES:
-* Change the incorrect description of variable `tags`. ([#175](https://github.com/Azure/terraform-azurerm-aks/pull/175))
\ No newline at end of file
+* Change the incorrect description of variable `tags`. ([#175](https://github.com/Azure/terraform-azurerm-aks/pull/175))
diff --git a/README.md b/README.md
index 1e0cc0b8..5504a661 100644
--- a/README.md
+++ b/README.md
@@ -142,14 +142,14 @@ module "aks" {
 resource_group_name = azurerm_resource_group.main.name
 agents_availability_zones = ["1", "2"]
 agents_count = null
- agents_labels = {
+ agents_labels = {
 "node1" : "label1"
 }
 agents_max_count = 2
 agents_max_pods = 100
 agents_min_count = 1
 agents_pool_name = "testnodepool"
- agents_tags = {
+ agents_tags = {
 "Agent" : "agentTag"
 }
 agents_type = "VirtualMachineScaleSets"
@@ -198,8 +198,8 @@ module "aks_without_monitor" {
 module "aks_cluster_name" {
 source = "../.."
- prefix = "prefix"
- resource_group_name = azurerm_resource_group.main.name
+ prefix = "prefix"
+ resource_group_name = azurerm_resource_group.main.name
 # Not necessary, just for demo purpose.
 admin_username = "azureuser"
 azure_policy_enabled = true
@@ -485,4 +485,4 @@ No modules.
 | [open\_service\_mesh\_enabled](#output\_open\_service\_mesh\_enabled) | (Optional) Is Open Service Mesh enabled? For more details, please visit [Open Service Mesh for AKS](https://docs.microsoft.com/azure/aks/open-service-mesh-about). |
 | [password](#output\_password) | The `password` in the `azurerm_kubernetes_cluster`'s `kube_config` block. A password or token used to authenticate to the Kubernetes cluster. |
 | [username](#output\_username) | The `username` in the `azurerm_kubernetes_cluster`'s `kube_config` block. A username used to authenticate to the Kubernetes cluster. |
-
\ No newline at end of file
+
From 70edcac4f46ac31c14c3654123c79cd712256366 Mon Sep 17 00:00:00 2001
From: hezijie
Date: Mon, 8 Aug 2022 14:10:41 +0800
Subject: [PATCH 18/20] Fix terraform code format test folder.
---
 test/fixture/disk_encryption_set.tf | 14 +++++++-------
 test/fixture/main.tf | 16 ++++++++--------
 test/fixture/providers.tf | 2 +-
 versions.tf | 2 +-
 4 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/test/fixture/disk_encryption_set.tf b/test/fixture/disk_encryption_set.tf
index 035ca6b3..bfb9a61c 100644
--- a/test/fixture/disk_encryption_set.tf
+++ b/test/fixture/disk_encryption_set.tf
@@ -41,7 +41,7 @@ resource "azurerm_key_vault_key" "des_key" {
 key_vault_id = azurerm_key_vault.des_vault.id
 key_type = "RSA-HSM"
 key_size = 2048
- key_opts = [
+ key_opts = [
 "decrypt",
 "encrypt",
 "sign",
@@ -72,9 +72,9 @@ resource "azurerm_disk_encryption_set" "des" {
 }
 resource "azurerm_key_vault_access_policy" "des" {
- key_vault_id = azurerm_key_vault.des_vault.id
- tenant_id = azurerm_disk_encryption_set.des.identity[0].tenant_id
- object_id = azurerm_disk_encryption_set.des.identity[0].principal_id
+ key_vault_id = azurerm_key_vault.des_vault.id
+ tenant_id = azurerm_disk_encryption_set.des.identity[0].tenant_id
+ object_id = azurerm_disk_encryption_set.des.identity[0].principal_id
 key_permissions = [
 "Get",
 "WrapKey",
@@ -83,9 +83,9 @@ resource "azurerm_key_vault_access_policy" "des" {
 }
 resource "azurerm_key_vault_access_policy" "current_user" {
- key_vault_id = azurerm_key_vault.des_vault.id
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
+ key_vault_id = azurerm_key_vault.des_vault.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
 key_permissions = [
 "Get",
 "Create",
diff --git a/test/fixture/main.tf b/test/fixture/main.tf
index 2172611e..b01bf863 100644
--- a/test/fixture/main.tf
+++ b/test/fixture/main.tf
@@ -33,14 +33,14 @@ module "aks" {
 resource_group_name = azurerm_resource_group.main.name
 agents_availability_zones = ["1", "2"]
 agents_count = null
- agents_labels = {
+ agents_labels = {
 "node1" : "label1"
 }
 agents_max_count = 2
 agents_max_pods = 100
 agents_min_count = 1
 agents_pool_name = "testnodepool"
- agents_tags = {
+ agents_tags = {
 "Agent" : "agentTag"
 }
 agents_type = "VirtualMachineScaleSets"
@@ -74,10 +74,10 @@ module "aks" {
 module "aks_without_monitor" {
 source = "../.."
- prefix = "prefix2-${random_id.prefix.hex}"
- resource_group_name = azurerm_resource_group.main.name
- azure_policy_enabled = true
- disk_encryption_set_id = azurerm_disk_encryption_set.des.id
+ prefix = "prefix2-${random_id.prefix.hex}"
+ resource_group_name = azurerm_resource_group.main.name
+ azure_policy_enabled = true
+ disk_encryption_set_id = azurerm_disk_encryption_set.des.id
 #checkov:skip=CKV_AZURE_4:The logging is turn off for demo purpose. DO NOT DO THIS IN PRODUCTION ENVIRONMENT!
 log_analytics_workspace_enabled = false
 role_based_access_control_enabled = true
@@ -92,8 +92,8 @@ module "aks_without_monitor" {
 module "aks_cluster_name" {
 source = "../.."
- prefix = "prefix"
- resource_group_name = azurerm_resource_group.main.name
+ prefix = "prefix"
+ resource_group_name = azurerm_resource_group.main.name
 # Not necessary, just for demo purpose.
 admin_username = "azureuser"
 azure_policy_enabled = true
diff --git a/test/fixture/providers.tf b/test/fixture/providers.tf
index f2f349ff..3ad7745c 100644
--- a/test/fixture/providers.tf
+++ b/test/fixture/providers.tf
@@ -11,7 +11,7 @@ terraform {
 version = ">=1.0.2"
 }
 random = {
- source = "hashicorp/random"
+ source = "hashicorp/random"
 version = ">=3.3.0"
 }
 }
diff --git a/versions.tf b/versions.tf
index 9ec442e7..9f0bc9c3 100644
--- a/versions.tf
+++ b/versions.tf
@@ -7,7 +7,7 @@ terraform {
 version = "~> 3.3"
 }
 tls = {
- source = "hashicorp/tls"
+ source = "hashicorp/tls"
 version = "~> 3.1"
 }
 }
From 04c441deddc51411d7b30a5cc71541b1f9f058ca Mon Sep 17 00:00:00 2001
From: hezijie
Date: Mon, 8 Aug 2022 16:55:22 +0800
Subject: [PATCH 19/20] Sort arrtibutes inside test tf code.
---
 test/fixture/disk_encryption_set.tf | 19 +++++++++----------
 test/fixture/main.tf | 8 ++++----
 test/fixture/providers.tf | 6 +++---
 3 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/test/fixture/disk_encryption_set.tf b/test/fixture/disk_encryption_set.tf
index bfb9a61c..71d52d06 100644
--- a/test/fixture/disk_encryption_set.tf
+++ b/test/fixture/disk_encryption_set.tf
@@ -20,8 +20,8 @@ locals {
 }
 resource "azurerm_key_vault" "des_vault" {
- name = "${random_string.key_vault_prefix.result}-des-keyvault"
 location = azurerm_resource_group.main.location
+ name = "${random_string.key_vault_prefix.result}-des-keyvault"
 resource_group_name = azurerm_resource_group.main.name
 sku_name = "premium"
 tenant_id = data.azurerm_client_config.current.tenant_id
@@ -37,10 +37,6 @@ resource "azurerm_key_vault" "des_vault" {
 }
 resource "azurerm_key_vault_key" "des_key" {
- name = "des-key"
- key_vault_id = azurerm_key_vault.des_vault.id
- key_type = "RSA-HSM"
- key_size = 2048
 key_opts = [
 "decrypt",
 "encrypt",
@@ -49,22 +45,25 @@ resource "azurerm_key_vault_key" "des_key" {
 "verify",
 "wrapKey",
 ]
+ key_type = "RSA-HSM"
+ key_vault_id = azurerm_key_vault.des_vault.id
+ name = "des-key"
 expiration_date = timeadd("${formatdate("YYYY-MM-DD", timestamp())}T00:00:00Z", "168h")
+ key_size = 2048
 lifecycle {
 ignore_changes = [expiration_date]
 }
-
 depends_on = [
 azurerm_key_vault_access_policy.current_user
 ]
 }
 resource "azurerm_disk_encryption_set" "des" {
+ key_vault_key_id = azurerm_key_vault_key.des_key.id
+ location = azurerm_resource_group.main.location
 name = "des"
 resource_group_name = azurerm_resource_group.main.name
- location = azurerm_resource_group.main.location
- key_vault_key_id = azurerm_key_vault_key.des_key.id
 identity {
 type = "SystemAssigned"
@@ -73,8 +72,8 @@ resource "azurerm_disk_encryption_set" "des" {
 resource "azurerm_key_vault_access_policy" "des" {
 key_vault_id = azurerm_key_vault.des_vault.id
- tenant_id = azurerm_disk_encryption_set.des.identity[0].tenant_id
 object_id = azurerm_disk_encryption_set.des.identity[0].principal_id
+ tenant_id = azurerm_disk_encryption_set.des.identity[0].tenant_id
 key_permissions = [
 "Get",
 "WrapKey",
@@ -84,8 +83,8 @@ resource "azurerm_key_vault_access_policy" "des" {
 resource "azurerm_key_vault_access_policy" "current_user" {
 key_vault_id = azurerm_key_vault.des_vault.id
- tenant_id = data.azurerm_client_config.current.tenant_id
 object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
+ tenant_id = data.azurerm_client_config.current.tenant_id
 key_permissions = [
 "Get",
 "Create",
diff --git a/test/fixture/main.tf b/test/fixture/main.tf
index b01bf863..f2acfe36 100644
--- a/test/fixture/main.tf
+++ b/test/fixture/main.tf
@@ -7,23 +7,23 @@ resource "azurerm_resource_group" "main" {
 }
 resource "azurerm_virtual_network" "test" {
- name = "${random_id.prefix.hex}-vn"
- resource_group_name = azurerm_resource_group.main.name
 address_space = ["10.52.0.0/16"]
 location = azurerm_resource_group.main.location
+ name = "${random_id.prefix.hex}-vn"
+ resource_group_name = azurerm_resource_group.main.name
 }
 resource "azurerm_subnet" "test" {
+ address_prefixes = ["10.52.0.0/24"]
 name = "${random_id.prefix.hex}-sn"
 resource_group_name = azurerm_resource_group.main.name
 virtual_network_name = azurerm_virtual_network.test.name
- address_prefixes = ["10.52.0.0/24"]
 }
 resource "azurerm_user_assigned_identity" "test" {
+ location = azurerm_resource_group.main.location
 name = "${random_id.prefix.hex}-identity"
 resource_group_name = azurerm_resource_group.main.name
- location = azurerm_resource_group.main.location
 }
 module "aks" {
diff --git a/test/fixture/providers.tf b/test/fixture/providers.tf
index 3ad7745c..25994edb 100644
--- a/test/fixture/providers.tf
+++ b/test/fixture/providers.tf
@@ -19,14 +19,14 @@ terraform {
 provider "azurerm" {
 features {
- resource_group {
- prevent_deletion_if_contains_resources = false
- }
 key_vault {
 purge_soft_delete_on_destroy = false
 purge_soft_deleted_keys_on_destroy = false
 recover_soft_deleted_key_vaults = false
 }
+ resource_group {
+ prevent_deletion_if_contains_resources = false
+ }
 }
 }
From 442e414da226d68bf5623323955b60c5cf915b88 Mon Sep 17 00:00:00 2001
From: zjhe
Date: Mon, 8 Aug 2022 21:57:30 +0800
Subject: [PATCH 20/20] Remove default value for the `key_vault_firewall_bypass_ip_cidr` so the user won't miss it.
---
 test/fixture/variables.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/fixture/variables.tf b/test/fixture/variables.tf
index 0b8ed7ff..987caba0 100644
--- a/test/fixture/variables.tf
+++ b/test/fixture/variables.tf
@@ -3,8 +3,8 @@ variable "client_id" {}
 variable "client_secret" {}
 variable "key_vault_firewall_bypass_ip_cidr" {
- type = string
- default = null
+ type = string
+ description = "This Terraform script will provision a new Azure KeyVault key so this machine's public ip should be put into KeyVault's firewall allow list."
 }
 variable "location" {
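Review bot: The reordered `features` block in test/fixture/providers.tf leaves every safety behaviour of the azurerm provider switched off with no comment explaining why: `purge_soft_delete_on_destroy = false` and `recover_soft_deleted_key_vaults = false` mean a destroyed vault stays in the soft-deleted state and a new vault does not recover a soft-deleted one of the same name, and `prevent_deletion_if_contains_resources = false` lets a resource group be deleted with resources still inside it. This is presumably deliberate for a fixture whose vault name carries a `random_string` prefix and is created and torn down on every run, but nothing in the file says so, and the same block in a non-test provider configuration would be a real weakening. A one-line comment above `features {`, in the register of the existing checkov skip comment in test/fixture/main.tf, would make the intent explicit: `# Test fixture only: soft-delete recovery/purge and the non-empty resource group guard are relaxed so repeated test runs can tear everything down.`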
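Review bot: `key_vault_firewall_bypass_ip_cidr` is now mandatory but is still only `type = string`, so a typo or a non-CIDR value is not rejected at plan time and only surfaces when the Key Vault firewall rule it is described as feeding is applied. A `validation` block with `condition = can(cidrhost(var.key_vault_firewall_bypass_ip_cidr, 0))` and `error_message = "Must be an IP range in CIDR notation, e.g. 203.0.113.10/32."` (example value) would catch that before anything is created. The description could also state that the narrowest range covering the runner, a `/32` for a single address, is the intended input, since the value is added to the vault's allow list. The neighbouring `variable "client_secret" {}` context line is untouched by this commit but, presumably holding a credential for provider authentication, should carry `sensitive = true` so any attribute it flows into is redacted in plan output.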