diff --git a/README.md b/README.md index b9cf497..a0e48f3 100644 --- a/README.md +++ b/README.md @@ -124,6 +124,15 @@ Type: `string` The following input variables are optional (have default values): +### ad\_rbac\_enabled + +Description: Defines RBAC for block azure\_active\_directory\_role\_based\_access\_control explicitly if set. +Else RBAC for block azure\_active\_directory\_role\_based\_access\_control is set by "rbac\_enabled" + +Type: `bool` + +Default: `null` + ### api\_server\_ip\_ranges Description: The IP ranges to allow for incoming traffic to the server nodes. To disable the limitation, set an empty list as value (default). @@ -132,7 +141,7 @@ Type: `list(string)` Default: `[]` -### auto\_scaling\_enable +### auto\_scaling\_enabled Description: Enable auto-scaling of node pool @@ -156,7 +165,7 @@ Type: `string` Default: `"1"` -### automatic\_channel\_upgrade +### automatic\_upgrade\_channel Description: Values: none, patch, stable, rapid, node-image @@ -190,6 +199,24 @@ Type: `string` Default: `"default"` +### default\_node\_pool\_upgrade\_settings\_enabled + +Description: Values: +false, true + +Type: `bool` + +Default: `false` + +### default\_node\_pool\_upgrade\_settings\_max\_surge + +Description: Example: "10%" +see https://learn.microsoft.com/en-us/azure/aks/upgrade-aks-cluster?tabs=azure-cli#customize-node-surge-upgrade + +Type: `string` + +Default: `"10%"` + ### dns\_prefix Description: DNS-Prefix to use. Defaults to cluster name @@ -206,6 +233,22 @@ Type: `number` Default: `5` +### image\_cleaner\_enabled + +Description: Azure default settings + +Type: `bool` + +Default: `false` + +### image\_cleaner\_interval\_hours + +Description: Azure default settings + +Type: `number` + +Default: `48` + ### load\_balancer\_sku Description: The SKU for the used Load Balancer 
@@ -418,6 +461,10 @@ Description: The Kubernetes API host for a kubectl config Description: The object ID of the service principal of the managed identity of the AKS +### node\_count + +Description: n/a + ### node\_resource\_group Description: The resource group the Kubernetes nodes were created in diff --git a/main.tf b/main.tf index 94ef9ba..fd455e2 100644 --- a/main.tf +++ b/main.tf @@ -8,10 +8,13 @@ */ locals { - cluster_name = "${lower(var.project)}${lower(var.stage)}k8s" + cluster_name = "${lower(var.project)}${lower(var.stage)}k8s" has_automatic_channel_upgrade_maintenance_window = var.automatic_upgrade_channel != "none" ? [ var.automatic_upgrade_channel ] : [] + has_default_node_pool_upgrade_settings = var.default_node_pool_upgrade_settings_enabled == true ? [ + var.default_node_pool_upgrade_settings_enabled + ] : [] } # Log analytics required for OMS Agent result processing - usually other logging solutions are used. Hence the affected tfsec rule is @@ -61,6 +64,12 @@ resource "azurerm_kubernetes_cluster" "k8s" { auto_scaling_enabled = var.auto_scaling_enabled min_count = var.auto_scaling_min_node_count max_count = var.auto_scaling_max_node_count + dynamic "upgrade_settings" { + for_each = local.has_default_node_pool_upgrade_settings + content { + max_surge = var.default_node_pool_upgrade_settings_max_surge + } + } } dynamic "api_server_access_profile" { @@ -77,7 +86,7 @@ resource "azurerm_kubernetes_cluster" "k8s" { role_based_access_control_enabled = var.rbac_enabled azure_active_directory_role_based_access_control { admin_group_object_ids = var.rbac_managed_admin_groups - azure_rbac_enabled = var.rbac_enabled + azure_rbac_enabled = var.ad_rbac_enabled != null ? var.ad_rbac_enabled : var.rbac_enabled } network_profile { diff --git a/outputs.tf b/outputs.tf index e3d7e10..4b2ed68 100644 --- a/outputs.tf +++ b/outputs.tf 
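Review bot: In the new `has_default_node_pool_upgrade_settings` local, the `== true` comparison is redundant on a `bool`, and the list element (the bool itself) is never read by the `dynamic "upgrade_settings"` block that iterates over it in the next hunk, so the intent reads more directly as `has_default_node_pool_upgrade_settings = var.default_node_pool_upgrade_settings_enabled ? [true] : []`. The one behavioral difference is a caller passing `null`: `null == true` quietly evaluates to false, while a bare conditional would fail at plan time; if "null means disabled" is intended, keep the comparison and say so in a comment, otherwise `nullable = false` on the variable makes null fall back to the default and the simpler form is safe. The `cluster_name` change is whitespace-only realignment.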
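Review bot: Decoupling `azure_rbac_enabled` from `role_based_access_control_enabled` on the `azure_active_directory_role_based_access_control` line now admits the combination `ad_rbac_enabled = true` with `rbac_enabled = false`, which as far as I know AKS rejects only at apply time (Entra ID integration requires Kubernetes RBAC). A plan-time guard would surface this earlier, e.g. a `lifecycle { precondition { ... } }` on the resource with `condition = !(var.ad_rbac_enabled == true && !var.rbac_enabled)` and an error message naming both variables; the resource's opening line and any existing `lifecycle` block are outside this hunk, so place it accordingly. The opposite combination (`ad_rbac_enabled = false`, `rbac_enabled = true`) is valid but turns off Azure RBAC authorization while keeping Kubernetes RBAC and Entra ID authentication, which is worth a one-line comment here since it is the security-relevant case this change introduces.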
@@ -66,4 +66,8 @@ output "public_outbound_ips" { output "managed_identity_object_id" { value = azurerm_kubernetes_cluster.k8s.identity[0].principal_id description = "The object ID of the service principal of the managed identity of the AKS" -} \ No newline at end of file +} + +output "node_count" { + value = var.node_count +} diff --git a/vars.tf b/vars.tf index 1ae07bb..c71dce0 100644 --- a/vars.tf +++ b/vars.tf @@ -62,6 +62,15 @@ variable "rbac_enabled" { default = true } +variable "ad_rbac_enabled" { + type = bool + description = <<-EOF + Defines RBAC for block azure_active_directory_role_based_access_control explicitly if set. + Else RBAC for block azure_active_directory_role_based_access_control is set by "rbac_enabled" + EOF + default = null +} + variable "rbac_managed_admin_groups" { type = list(string) description = "The group IDs that have admin access to the cluster. Have to be specified if rbac_enabled is true" @@ -133,6 +142,10 @@ variable "availability_zones" { variable "temporary_name_for_rotation" { type = string description = "Specifies the name of the temporary node pool used to cycle the default node pool for VM resizing." + validation { + condition = var.temporary_name_for_rotation != null + error_message = "The temporary_name_for_rotation value must not be null" + } default = "rotationtmp" } 
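Review bot: The new `node_count` output has no `description` (the README hunk accordingly renders it as "n/a"), unlike every other output in this file such as `managed_identity_object_id`. It also only echoes the input variable rather than the cluster's state, so with `auto_scaling_enabled` it will not reflect the actual node count; if the intent is to expose what was provisioned, `value = azurerm_kubernetes_cluster.k8s.default_node_pool[0].node_count` with `description = "Number of nodes in the default node pool"` seems closer, otherwise the description should state that this is the configured, not observed, value.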
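Review bot: The description of the new `ad_rbac_enabled` variable explains the fallback to `rbac_enabled` but not what the flag actually controls or what disabling it means for cluster access, which is the information a caller needs before turning it off. I would reword it along the lines of: when set, it controls `azure_rbac_enabled` (Azure RBAC for Kubernetes authorization) on the Entra ID integration block and when `null` it follows `rbac_enabled`; setting it to `false` while `rbac_enabled` is `true` keeps Kubernetes RBAC and Entra ID authentication, but authorization then comes only from `rbac_managed_admin_groups` and in-cluster RoleBindings. "Defines RBAC for block ... explicitly if set. Else RBAC ... is set by" is also awkward English and reads better as a single sentence.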
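Review bot: The `validation` block on `temporary_name_for_rotation` only rejects an explicit `null`, which is what `nullable = false` expresses directly (and it additionally substitutes the default instead of erroring), so `nullable = false` can replace the block. If a validation is kept, it would be more useful checking the format AKS enforces on node pool names — if I recall correctly, Linux pools must be lowercase alphanumeric, start with a letter and be at most 12 characters — e.g. `condition = can(regex("^[a-z][a-z0-9]{0,11}$", var.temporary_name_for_rotation))`, since an empty or malformed string passes the current check and only fails during the rotation itself. Placing `default` before `validation` would also match the layout of the other variables in this file.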
@@ -270,3 +283,21 @@ variable "maintenance_window_auto_upgrade_utc_offset" { see https://learn.microsoft.com/en-us/azure/aks/planned-maintenance#creating-a-maintenance-window EOF } + +variable "default_node_pool_upgrade_settings_enabled" { + type = bool + default = false + description = <<-EOF + If true, an upgrade_settings block will be added to default_node_pool. + EOF +} + +variable "default_node_pool_upgrade_settings_max_surge" { + type = string + default = "10%" + description = <<-EOF + max_surge is a required parameter for an upgrade_settings block + Example: "10%" + see https://learn.microsoft.com/en-us/azure/aks/upgrade-aks-cluster?tabs=azure-cli#customize-node-surge-upgrade + EOF +}
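Review bot: `default_node_pool_upgrade_settings_max_surge` accepts any string, so a typo such as `"10 %"` or `"ten"` is only rejected by the AKS API during apply; a `validation` with `condition = can(regex("^[0-9]+%?$", var.default_node_pool_upgrade_settings_max_surge))` and an error message quoting the accepted forms (an integer node count or a percentage) would catch it at plan time. The description of `default_node_pool_upgrade_settings_enabled` could also say what happens when it is `false` — presumably the cluster keeps whatever surge setting AKS applies by default, which I cannot confirm from this diff — so callers know whether leaving it off changes upgrade behavior.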