From 4f754ae9988e55e600652d4d302488cd4715853f Mon Sep 17 00:00:00 2001 From: "Konetzka, Helge" Date: Thu, 6 Feb 2025 15:16:37 +0100 Subject: [PATCH 1/5] feat: configure adding default node pool upgrade settings Using a current azurerm without explicit upgrade settings will remove default upgrade settings: Terraform will perform the following actions: ~ resource "azurerm_kubernetes_cluster" "k8s" { ~ default_node_pool { - upgrade_settings { - drain_timeout_in_minutes = 0 -> null - max_surge = "10%" -> null - node_soak_duration_in_minutes = 0 -> null } } } Plan: 0 to add, 1 to change, 0 to destroy. This feature makes adding upgrade settings configurable --- README.md | 16 ++++++++++++++++ main.tf | 9 +++++++++ vars.tf | 18 ++++++++++++++++++ 3 files changed, 43 insertions(+) diff --git a/README.md b/README.md index b9cf497..df9cd85 100644 --- a/README.md +++ b/README.md @@ -190,6 +190,22 @@ Type: `string` Default: `"default"` +### default\_node\_pool\_upgrade\_settings\_enabled + +Description: default upgrade settings is added to default node pool + +Type: `boolean` + +Default: `false` + +### default\_node\_pool\_upgrade\_settings\_max\_surge + +Description: max surge of upgrade settings for default node pool + +Type: `string` + +Default: `"10%"` + ### dns\_prefix Description: DNS-Prefix to use. Defaults to cluster name diff --git a/main.tf b/main.tf index 94ef9ba..314bcb2 100644 --- a/main.tf +++ b/main.tf @@ -12,6 +12,9 @@ locals { has_automatic_channel_upgrade_maintenance_window = var.automatic_upgrade_channel != "none" ? [ var.automatic_upgrade_channel ] : [] + has_default_node_pool_upgrade_settings = var.default_node_pool_upgrade_settings_enabled == true ? [ + var.default_node_pool_upgrade_settings_enabled + ] : [] } # Log analytics required for OMS Agent result processing - usually other logging solutions are used. Hence the affected tfsec rule is 
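Review bot: The new local compares a `bool`-typed variable with `== true` and then stores the variable itself as the single element of a list whose only job is to switch a `dynamic` block on or off; `has_default_node_pool_upgrade_settings = var.default_node_pool_upgrade_settings_enabled ? [1] : []` expresses that directly, since the element value is never read by the consuming block in the second main.tf hunk of this patch. The `locals` block continues outside this hunk, and its closing context line (the `# Log analytics …` comment) appears cut off in this view.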
@@ -61,6 +64,12 @@ resource "azurerm_kubernetes_cluster" "k8s" { auto_scaling_enabled = var.auto_scaling_enabled min_count = var.auto_scaling_min_node_count max_count = var.auto_scaling_max_node_count + dynamic "upgrade_settings" { + for_each = local.has_default_node_pool_upgrade_settings + content { + max_surge = var.default_node_pool_upgrade_settings_max_surge + } + } } dynamic "api_server_access_profile" { diff --git a/vars.tf b/vars.tf index 1ae07bb..77500ff 100644 --- a/vars.tf +++ b/vars.tf @@ -270,3 +270,21 @@ variable "maintenance_window_auto_upgrade_utc_offset" { see https://learn.microsoft.com/en-us/azure/aks/planned-maintenance#creating-a-maintenance-window EOF } + +variable "default_node_pool_upgrade_settings_enabled" { + type = bool + default = false + description = <<-EOF + Values: + false, true + EOF +} + +variable "default_node_pool_upgrade_settings_max_surge" { + type = string + default = "10%" + description = <<-EOF + Example: "10%" + see https://learn.microsoft.com/en-us/azure/aks/upgrade-aks-cluster?tabs=azure-cli#customize-node-surge-upgrade + EOF +} From 40ba59900c871cb44ce9e9b5f44eac530ce48bc0 Mon Sep 17 00:00:00 2001 From: "Konetzka, Helge" Date: Fri, 7 Feb 2025 10:26:35 +0100 Subject: [PATCH 2/5] feat: use input parameter node_count as output parameter --- outputs.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/outputs.tf b/outputs.tf index e3d7e10..4b2ed68 100644 --- a/outputs.tf +++ b/outputs.tf @@ -66,4 +66,8 @@ output "public_outbound_ips" { output "managed_identity_object_id" { value = azurerm_kubernetes_cluster.k8s.identity[0].principal_id description = "The object ID of the service principal of the managed identity of the AKS" -} \ No newline at end of file +} + +output "node_count" { + value = var.node_count +} From 6df4dda6af1991c09455d5714f7a9307105267f6 Mon Sep 17 00:00:00 2001 
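Review bot: `default_node_pool_upgrade_settings_max_surge` is passed straight into `upgrade_settings.max_surge` in the main.tf hunk above but has no `validation` block, so a malformed value (an empty string, `"10"%`, `"0"`) is only rejected by the provider or the AKS API at apply time, after the plan has been approved. A check on the variable moves that failure to plan time; Azure's accepted range is on the page the description already links to, so the pattern below is deliberately loose (a positive integer, optionally followed by `%`). The same variable is touched again by the last hunk of patch 5, which only extends its description; the validation belongs on the variable rather than in the `dynamic "upgrade_settings"` block.
```hcl
variable "default_node_pool_upgrade_settings_max_surge" {
  # … unchanged: type, default, description …
  validation {
    condition     = can(regex("^[1-9][0-9]*%?$", var.default_node_pool_upgrade_settings_max_surge))
    error_message = "default_node_pool_upgrade_settings_max_surge must be a positive integer or a percentage such as \"10%\"."
  }
}
```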
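Review bot: The new `node_count` output has no `description`, which is why the regenerated README in patch 3 renders it as `Description: n/a`; add `description = "Node count requested for the default node pool (mirrors var.node_count)"`. It also echoes the input variable rather than reading the cluster, so when `auto_scaling_enabled` is true the output will not reflect the pool's actual size; if the intent is to expose the real count, `azurerm_kubernetes_cluster.k8s.default_node_pool[0].node_count` is the attribute to use (confirm against the provider version the module pins).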
From: "Konetzka, Helge" Date: Fri, 7 Feb 2025 10:26:53 +0100 Subject: [PATCH 3/5] feat: configure azure_rbac_enabled for azure_active_directory_role_based_access_control independent from role_based_access_control_enabled Documentation was generated with the terraform module tool --- README.md | 41 ++++++++++++++++++++++++++++++++++++----- main.tf | 6 +++--- vars.tf | 9 +++++++++ 3 files changed, 48 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index df9cd85..a0e48f3 100644 --- a/README.md +++ b/README.md @@ -124,6 +124,15 @@ Type: `string` The following input variables are optional (have default values): +### ad\_rbac\_enabled + +Description: Defines RBAC for block azure\_active\_directory\_role\_based\_access\_control explicitly if set. +Else RBAC for block azure\_active\_directory\_role\_based\_access\_control is set by "rbac\_enabled" + +Type: `bool` + +Default: `null` + ### api\_server\_ip\_ranges Description: The IP ranges to allow for incoming traffic to the server nodes. To disable the limitation, set an empty list as value (default). @@ -132,7 +141,7 @@ Type: `list(string)` Default: `[]` -### auto\_scaling\_enable +### auto\_scaling\_enabled Description: Enable auto-scaling of node pool @@ -156,7 +165,7 @@ Type: `string` Default: `"1"` -### automatic\_channel\_upgrade +### automatic\_upgrade\_channel Description: Values: none, patch, stable, rapid, node-image @@ -192,15 +201,17 @@ Default: `"default"` ### default\_node\_pool\_upgrade\_settings\_enabled -Description: default upgrade settings is added to default node pool +Description: Values: +false, true -Type: `boolean` +Type: `bool` Default: `false` ### default\_node\_pool\_upgrade\_settings\_max\_surge -Description: max surge of upgrade settings for default node pool +Description: Example: "10%" +see https://learn.microsoft.com/en-us/azure/aks/upgrade-aks-cluster?tabs=azure-cli#customize-node-surge-upgrade Type: `string` 
@@ -222,6 +233,22 @@ Type: `number` Default: `5` +### image\_cleaner\_enabled + +Description: Azure default settings + +Type: `bool` + +Default: `false` + +### image\_cleaner\_interval\_hours + +Description: Azure default settings + +Type: `number` + +Default: `48` + ### load\_balancer\_sku Description: The SKU for the used Load Balancer @@ -434,6 +461,10 @@ Description: The Kubernetes API host for a kubectl config Description: The object ID of the service principal of the managed identity of the AKS +### node\_count + +Description: n/a + ### node\_resource\_group Description: The resource group the Kubernetes nodes were created in diff --git a/main.tf b/main.tf index 314bcb2..fd455e2 100644 --- a/main.tf +++ b/main.tf @@ -8,7 +8,7 @@ */ locals { - cluster_name = "${lower(var.project)}${lower(var.stage)}k8s" + cluster_name = "${lower(var.project)}${lower(var.stage)}k8s" has_automatic_channel_upgrade_maintenance_window = var.automatic_upgrade_channel != "none" ? [ var.automatic_upgrade_channel ] : [] @@ -67,7 +67,7 @@ resource "azurerm_kubernetes_cluster" "k8s" { dynamic "upgrade_settings" { for_each = local.has_default_node_pool_upgrade_settings content { - max_surge = var.default_node_pool_upgrade_settings_max_surge + max_surge = var.default_node_pool_upgrade_settings_max_surge } } } @@ -86,7 +86,7 @@ resource "azurerm_kubernetes_cluster" "k8s" { role_based_access_control_enabled = var.rbac_enabled azure_active_directory_role_based_access_control { admin_group_object_ids = var.rbac_managed_admin_groups - azure_rbac_enabled = var.rbac_enabled + azure_rbac_enabled = var.ad_rbac_enabled != null ? var.ad_rbac_enabled : var.rbac_enabled } network_profile { diff --git a/vars.tf b/vars.tf index 77500ff..b433637 100644 --- a/vars.tf +++ b/vars.tf 
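Review bot: The new expression `azure_rbac_enabled = var.ad_rbac_enabled != null ? var.ad_rbac_enabled : var.rbac_enabled` makes it possible to request `ad_rbac_enabled = true` while `rbac_enabled`, which feeds `role_based_access_control_enabled` two lines above, is false; as far as I know AKS refuses Entra ID integration on a cluster without Kubernetes RBAC, so that combination should be rejected at plan time rather than by the API. A `lifecycle { precondition { … } }` on the resource (or, on Terraform 1.9+, a cross-variable `validation`) with `condition = var.rbac_enabled || !coalesce(var.ad_rbac_enabled, var.rbac_enabled)` would do that. Independently, `coalesce(var.ad_rbac_enabled, var.rbac_enabled)` is the idiomatic form of the null check on the changed line. The resource block continues outside the hunk on both sides, and the `ad_rbac_enabled` variable itself is declared in the vars.tf hunk of this patch.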
@@ -62,6 +62,15 @@ variable "rbac_enabled" { default = true } +variable "ad_rbac_enabled" { + type = bool + description = <<-EOF + Defines RBAC for block azure_active_directory_role_based_access_control explicitly if set. + Else RBAC for block azure_active_directory_role_based_access_control is set by "rbac_enabled" + EOF + default = null +} + variable "rbac_managed_admin_groups" { type = list(string) description = "The group IDs that have admin access to the cluster. Have to be specified if rbac_enabled is true" From ffffc7e5a4f4a4af6427af491d9f872ca3d33cff Mon Sep 17 00:00:00 2001 From: "Konetzka, Helge" Date: Fri, 7 Feb 2025 10:52:54 +0100 Subject: [PATCH 4/5] fix: The temporary_name_for_rotation value must not be null --- vars.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vars.tf b/vars.tf index b433637..958847b 100644 --- a/vars.tf +++ b/vars.tf @@ -142,6 +142,10 @@ variable "availability_zones" { variable "temporary_name_for_rotation" { type = string description = "Specifies the name of the temporary node pool used to cycle the default node pool for VM resizing." + validation { + condition = var.temporary_name_for_rotation != null + error_message = "The temporary_name_for_rotation value must not be null" + } default = "rotationtmp" } From 0223bae0605dc1113131bbd0d43b08cc205abed9 Mon Sep 17 00:00:00 2001 From: "Konetzka, Helge" Date: Thu, 13 Feb 2025 10:09:33 +0100 Subject: [PATCH 5/5] fix: configure adding default node pool upgrade settings --- vars.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vars.tf b/vars.tf index 958847b..c71dce0 100644 --- a/vars.tf +++ b/vars.tf @@ -288,8 +288,7 @@ variable "default_node_pool_upgrade_settings_enabled" { type = bool default = false description = <<-EOF - Values: - false, true + If true, an upgrade_settings block will be added to default_node_pool. EOF } 
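Review bot: The description of `ad_rbac_enabled` never names the argument it drives, `azure_rbac_enabled` inside the `azure_active_directory_role_based_access_control` block, and only implies that `null` (the default) inherits `rbac_enabled`; a reader has to open main.tf to find out. Suggest: `Sets azure_rbac_enabled in the azure_active_directory_role_based_access_control block (Azure RBAC for Kubernetes authorization). null, the default, follows rbac_enabled; false keeps Entra ID authentication but leaves authorization to Kubernetes RBAC.` The README hunk in this patch carries the same generated text and would need regenerating afterwards.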
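Review bot: The added `validation` only rejects `null`, and Terraform has a dedicated attribute for exactly that: `nullable = false` (Terraform 1.1+) replaces the whole block and additionally makes the default apply when a caller passes `null` explicitly, which the current check turns into an error instead. The value is also used as an AKS node pool name, yet nothing constrains its shape; if the module only creates Linux pools, `condition = can(regex("^[a-z][a-z0-9]{0,11}$", var.temporary_name_for_rotation))` would catch names the API refuses (lowercase alphanumeric, starting with a letter, at most 12 characters — verify against the current AKS limits before adopting the exact pattern).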
@@ -297,6 +296,7 @@ variable "default_node_pool_upgrade_settings_max_surge" {
 type = string
 default = "10%"
 description = <<-EOF
+ max_surge is a required parameter for an upgrade_settings block
 Example: "10%"
 see https://learn.microsoft.com/en-us/azure/aks/upgrade-aks-cluster?tabs=azure-cli#customize-node-surge-upgrade
 EOF