V5.0.0 is a major version upgrade that introduces many breaking changes. Take extreme caution during the upgrade to avoid accidental resource replacement and downtime.
Running terraform plan first and inspecting the plan is strongly advised.
The minimum supported version of Terraform core is now v1.2.0, and the minimum supported version of terraform-provider-azurerm is v3.21.0.
Variable user_assigned_identity_id has been renamed to identity_ids, and its type has been changed from string to list(string).
It has been broken into the following new outputs:
- aci_connector_linux
- aci_connector_linux_enabled
- azure_policy_enabled
- http_application_routing_enabled
- ingress_application_gateway
- ingress_application_gateway_enabled
- key_vault_secrets_provider
- key_vault_secrets_provider_enabled
- oms_agent
- oms_agent_enabled
- open_service_mesh_enabled
- enable_azure_policy has been renamed to azure_policy_enabled
- enable_http_application_routing has been renamed to http_application_routing_enabled
- enable_ingress_application_gateway has been renamed to ingress_application_gateway_enabled
- enable_log_analytics_workspace has been renamed to log_analytics_workspace_enabled
- enable_open_service_mesh has been renamed to open_service_mesh_enabled
- enable_role_based_access_control has been renamed to role_based_access_control_enabled
nullable = true has been added to the following variables, so setting them to null explicitly will use the default value:
- log_analytics_workspace_enable
- os_disk_type
- private_cluster_enabled
- rbac_aad_managed
- rbac_aad_admin_group_object_ids
- network_policy
- enable_node_public_ip
In v4.x, var.admin_username had a default value of azureuser; this default has been removed in V5.0.0. Since the admin_username argument in the linux_profile block is a ForceNew argument, any change to its value will trigger a Kubernetes cluster replacement, SO EXTREME CAUTION MUST BE TAKEN. Callers of the module must set var.admin_username to azureuser explicitly if they didn't set it before.
The file named private_ssh_key, which contains the TLS private key, will be deleted since the local_file resource has been removed. The private key is now exported via the generated_cluster_private_ssh_key output, and the corresponding public key is exported via the generated_cluster_public_ssh_key output.
A moved block has been added to relocate the existing tls_private_key resource to the new address. If var.admin_username is not null, no action is needed.
Creation of the tls_private_key resource is now conditional. Users may see the destruction of the existing tls_private_key in the generated plan if var.admin_username is null.
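One way to act on the advice to inspect the plan, given as an added example that is not part of the module or of the original notice: the script below reads the JSON form of a saved plan (terraform plan -out=tfplan, then terraform show -json tfplan > plan.json) and reports any planned replacement of the cluster or destruction of a tls_private_key. The resource addresses in the embedded sample are constructed for illustration.

```python
import json
import sys
from pathlib import Path

# Resource types whose destruction the notice warns about.
WATCHED = {"azurerm_kubernetes_cluster", "tls_private_key"}

# Constructed sample in the shape of `terraform show -json` output (not a real plan).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.aks.azurerm_kubernetes_cluster.main",
   "type": "azurerm_kubernetes_cluster",
   "change": {"actions": ["delete", "create"],
              "replace_paths": [["linux_profile", 0, "admin_username"]]}},
  {"address": "module.aks.tls_private_key.example[0]",
   "type": "tls_private_key",
   "change": {"actions": ["delete"]}},
  {"address": "module.aks.azurerm_log_analytics_workspace.example[0]",
   "type": "azurerm_log_analytics_workspace",
   "change": {"actions": ["update"]}}
]}
""")

def risky_changes(plan, watched=WATCHED):
    """Return (address, verdict, replace_paths) for watched resources the plan destroys."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        actions = change.get("actions") or []
        if rc.get("type") not in watched or "delete" not in actions:
            continue
        # A replacement is reported as delete plus create (in either order).
        verdict = "replace" if "create" in actions else "destroy"
        paths = [".".join(map(str, p)) for p in change.get("replace_paths") or []]
        findings.append((rc["address"], verdict, paths))
    return findings

def main(argv):
    # With no argument the constructed sample is used, so the script runs offline.
    plan = json.loads(Path(argv[1]).read_text()) if len(argv) > 1 else SAMPLE_PLAN
    findings = risky_changes(plan)
    for address, verdict, paths in findings:
        print(f"{verdict.upper():8} {address} {', '.join(paths)}")
    return 1 if findings else 0  # non-zero exit lets a pipeline block the apply

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A replace verdict on the cluster with linux_profile.0.admin_username in the path list is the case described above where admin_username was not pinned to azureuser.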
The system_assigned_identity was:

output "system_assigned_identity" {
  value = azurerm_kubernetes_cluster.main.identity
}

Now it has been renamed to cluster_identity, and the block has been changed to:

output "cluster_identity" {
  description = "The `azurerm_kubernetes_cluster`'s `identity` block."
  value       = try(azurerm_kubernetes_cluster.main.identity[0], null)
}

The callers who used to read the cluster's identity block need to remove the index in their expression, from module.aks.system_assigned_identity[0] to module.aks.cluster_identity.
The following outputs are now sensitive. Any outputs that reference them must be declared as sensitive too:
- client_certificate
- client_key
- cluster_ca_certificate
- generated_cluster_private_ssh_key
- host
- kube_admin_config_raw
- kube_config_raw
- password
- username