@Tyler-35 Tyler-35 commented Nov 6, 2025

Jira link

DTSPO-27918

Change description

Noticed on the pipeline that it is trying to downgrade the latest Kubernetes cluster version from 1.33.5 to 1.33;
updating the provider to see if it prevents this.

Link to Terraform Plan

https://tfplan-viewer.hmcts.net/aks-cft-deploy/766

🤖AEP PR SUMMARY🤖

aat.tfvars

  • Updated kubernetes_cluster_version from "1.33" to "1.33.5" for cluster "00".
  • Updated kubernetes_cluster_version from "1.33" to "1.33.3" for cluster "01".

sbox.tfvars

  • Updated kubernetes_cluster_version from "1.33" to "1.33.5" for both clusters "00" and "01".
  • Updated the project_acr_enabled to true for cluster "00".

github-actions bot commented Nov 6, 2025

Review Feedback

The updated configuration shows an improvement with patch-level updates to kubernetes_cluster_version, which are generally considered good for stability and security. However, there are still several best practices and potential improvements to consider:


### **1. Use Variables for Common Values**

SSH keys are repeatedly hardcoded for multiple clusters in the configuration; this could be replaced with a variable for maintainability and security purposes.

Example:
```hcl
variable "kubernetes_cluster_ssh_key" {
  description = "SSH public key for Kubernetes clusters"
  type        = string
}

# Replace hardcoded SSH key references
kubernetes_cluster_ssh_key = var.kubernetes_cluster_ssh_key
```


**Benefits**:
- Reduces potential for errors and makes updates easier.
- Prevents exposing sensitive data in plain text.

---

### **2. Upgrade Kubernetes Cluster Versions Cautiously**
The Kubernetes cluster versions 1.33.5 and 1.33.3 are being specified. Ensure these are supported by your AKS subscription, as Azure may not offer long-term support for every minor version. Consider switching to a variable, e.g., `default_kubernetes_version`, to standardize the process of version upgrades across different environments.

**Consider using a variable**:
```hcl
variable "default_kubernetes_version" {
  description = "Default Kubernetes version for all clusters"
  type        = string
  default     = "1.33.5"
}
```

Then:

```hcl
kubernetes_cluster_version = var.default_kubernetes_version
```

Impact:

  • Cost: Up-to-date Kubernetes versions can help optimize workloads and limit resource waste, which may indirectly reduce operational costs.
  • Carbon Emissions: Newer Kubernetes versions might contain optimizations that reduce compute demand, decreasing carbon footprint.
  • Security: Ensures compliance with AKS version support policies, and reduces exposure to potential vulnerabilities.

### **3. Validate kubernetes_cluster_ssh_key**

Hardcoding SSH keys poses security risks. Utilize Terraform's file function to reference an external file containing the SSH key, or set it securely in an environment variable.

Example:

```hcl
kubernetes_cluster_ssh_key = file(var.ssh_key_path)
```

Security Impact:

  • Reduces risk of accidentally exposing sensitive credentials in your configuration files.

### **4. Use Version Locking for Provider**

The file doesn't appear to mention specific version locking for the providers. This can lead to potential compatibility issues due to provider updates.

Example:

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.74.0" # Pin to a patch release for safety
    }
  }
}
```

### **5. Centralize Common Configurations Across Environments**

The repetition of similar configuration (e.g., the two kubernetes_cluster_version keys for different clusters in aat.tfvars and sbox.tfvars) could be centralized into a shared base config or via Terraform modules. Overrides can be applied using terraform.workspace or locals.


### **Costs**

The changes here don't directly affect costs, but:

  • Keeping Kubernetes versions up-to-date might improve autoscaling and resource consumption efficiency, potentially lowering costs.
  • Using Terraform modules and optimizing your configurations could also simplify maintenance, indirectly saving on engineering time.

### **Other Suggestions**

  1. Use terraform fmt: Ensure proper formatting. The indentation in the modifications is inconsistent.
  2. Confirm Changes Don't Break Compatibility: When upgrading Kubernetes, test workloads in a staging environment to ensure compatibility and prevent downtime.

By applying these changes, you can enhance maintainability, security, and overall best practices for this Terraform configuration.
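The downgrade the PR describes (AKS reports `1.33.5`, tfvars says `1.33`, so every plan wants to "change" the version) is the kind of drift a variable validation can catch at plan time. The following is an added example, not code from the aks-cft-deploy repository or from the review bot above: it combines the bot's `default_kubernetes_version` and `file(var.ssh_key_path)` suggestions with a `validation` block that refuses anything shorter than a full `major.minor.patch` version. The variable names, the regex, the `cluster_names` list, the `required_version` constraint and the provider version are all assumptions (the provider pin simply reuses the value from the bot's example).

```hcl
# Added example (not code from the aks-cft-deploy repository or the review bot).
# Variable names, regex, cluster names and version constraints are assumptions.

terraform {
  # Assumed minimum; validation blocks and alltrue() need Terraform >= 0.14.
  required_version = ">= 1.5.0"

  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      # Assumed pin, reusing the bot's example value; pin to the version the
      # Terraform plan for this change was actually generated with.
      version = "~> 3.74.0"
    }
  }
}

# A "major.minor" value such as "1.33" never equals the "major.minor.patch"
# value AKS reports once it has applied patches ("1.33.5"), so Terraform keeps
# planning an apparent downgrade. Requiring the full patch version turns that
# drift into a validation error instead of an unintended change.
variable "default_kubernetes_version" {
  description = "Kubernetes version for all AKS clusters, as major.minor.patch"
  type        = string
  default     = "1.33.5"

  validation {
    condition     = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+$", var.default_kubernetes_version))
    error_message = "default_kubernetes_version must be a full patch version such as \"1.33.5\", not \"1.33\"."
  }
}

# Per-cluster overrides (cluster "01" was pinned to 1.33.3 in aat.tfvars) go
# through the same check, so a bare "1.33" for one cluster also fails early.
variable "kubernetes_cluster_versions" {
  description = "Optional per-cluster version overrides keyed by cluster name"
  type        = map(string)
  default     = {}

  validation {
    condition = alltrue([
      for v in values(var.kubernetes_cluster_versions) :
      can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+$", v))
    ])
    error_message = "Every kubernetes_cluster_versions value must be a full major.minor.patch version."
  }
}

# The key is read from a path, so the key material itself never lives in a
# tfvars file that is committed next to the environment configuration.
variable "ssh_key_path" {
  description = "Path to the SSH public key used for AKS node access"
  type        = string
  default     = "~/.ssh/aks_nodes.pub" # assumed default path
}

locals {
  # Assumed cluster names, matching the "00" / "01" clusters in the PR summary.
  cluster_names = ["00", "01"]

  # Resolve each cluster's version: explicit override if present, else default.
  cluster_versions = {
    for name in local.cluster_names :
    name => lookup(var.kubernetes_cluster_versions, name, var.default_kubernetes_version)
  }

  kubernetes_cluster_ssh_key = file(pathexpand(var.ssh_key_path))
}

output "cluster_versions" {
  value = local.cluster_versions
}
```

With this in place, `terraform plan -var 'default_kubernetes_version=1.33'` (or a tfvars entry with the same value) fails with the `error_message` before any resource is evaluated, which is where the 1.33.5 to 1.33 plan in this PR would have been stopped. The regex only enforces the shape of the value; whether a given patch release is still offered in the target region is a separate check (the bot's point 2), for example with `az aks get-versions --location <region>` before bumping the default.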
