meshcloud
diff --git a/‎modules/azure/aks/backplane/main.tf‎
Lines changed: 1 addition & 0 deletions b/‎modules/azure/aks/backplane/main.tf‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎modules/azure/aks/buildingblock/README.md‎
Lines changed: 2 additions & 2 deletions b/‎modules/azure/aks/buildingblock/README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎modules/azure/aks/buildingblock/aks.tftest.hcl‎
Lines changed: 214 additions & 36 deletions b/‎modules/azure/aks/buildingblock/aks.tftest.hcl‎
Lines changed: 214 additions & 36 deletions
@@ -119,6 +119,7 @@ resource "azurerm_role_definition" "buildingblock_deploy" {
       "Microsoft.OperationalInsights/workspaces/read",
       "Microsoft.OperationalInsights/workspaces/write",
       "Microsoft.OperationalInsights/workspaces/delete",
+      "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
       "Microsoft.Insights/diagnosticSettings/read",
       "Microsoft.Insights/diagnosticSettings/write",
       "Microsoft.Insights/diagnosticSettings/delete",
 
@@ -231,7 +231,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_aks_admin_group_object_id"></a> [aks\_admin\_group\_object\_id](#input\_aks\_admin\_group\_object\_id) | Object ID of the Azure AD group used for AKS admin access. If null, Azure AD RBAC will not be configured. | `string` | `null` | no |
 | <a name="input_aks_cluster_name"></a> [aks\_cluster\_name](#input\_aks\_cluster\_name) | Name of the AKS cluster | `string` | `"prod-aks"` | no |
-| <a name="input_allow_gateway_transit_from_hub"></a> [allow\_gateway\_transit\_from\_hub](#input\_allow\_gateway\_transit\_from\_hub) | Allow gateway transit from hub to spoke. Set to true if hub has a gateway and you want spoke to use it. | `bool` | `true` | no |
+| <a name="input_allow_gateway_transit_from_hub"></a> [allow\_gateway\_transit\_from\_hub](#input\_allow\_gateway\_transit\_from\_hub) | Allow gateway transit from hub to spoke. Set to true if hub has a gateway and you want spoke to use it. | `bool` | `false` | no |
 | <a name="input_dns_prefix"></a> [dns\_prefix](#input\_dns\_prefix) | DNS prefix for the AKS cluster | `string` | `"prodaks"` | no |
 | <a name="input_dns_service_ip"></a> [dns\_service\_ip](#input\_dns\_service\_ip) | IP address for Kubernetes DNS service (must be within service\_cidr) | `string` | `"10.0.0.10"` | no |
 | <a name="input_enable_auto_scaling"></a> [enable\_auto\_scaling](#input\_enable\_auto\_scaling) | Enable auto-scaling for the default node pool | `bool` | `false` | no |
@@ -257,7 +257,7 @@ No modules.
 | <a name="input_subnet_address_prefix"></a> [subnet\_address\_prefix](#input\_subnet\_address\_prefix) | Address prefix for the AKS subnet (only used if subnet\_name is not provided) | `string` | `"10.240.0.0/20"` | no |
 | <a name="input_subnet_name"></a> [subnet\_name](#input\_subnet\_name) | Name of the subnet for AKS. If not provided, a new subnet will be created. | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to all resources | `map(string)` | `{}` | no |
-| <a name="input_vm_size"></a> [vm\_size](#input\_vm\_size) | Size of the virtual machines for the default node pool | `string` | `"Standard_DS3_v2"` | no |
+| <a name="input_vm_size"></a> [vm\_size](#input\_vm\_size) | Size of the virtual machines for the default node pool | `string` | `"Standard_A2_v2"` | no |
 | <a name="input_vnet_address_space"></a> [vnet\_address\_space](#input\_vnet\_address\_space) | Address space for the AKS virtual network (only used if vnet\_name is not provided) | `string` | `"10.240.0.0/16"` | no |
 | <a name="input_vnet_name"></a> [vnet\_name](#input\_vnet\_name) | Name of the virtual network for AKS. If not provided, a new VNet will be created. | `string` | `null` | no |
 
 
@@ -1,51 +1,169 @@
-run "valid_aks_configuration" {
-  command = plan
+run "scenario_1_new_vnet_with_hub_peering" {
 
   variables {
     subscription_id              = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
-    resource_group_name          = "test-aks-rg"
-    location                     = "West Europe"
-    aks_cluster_name             = "test-aks-cluster"
-    dns_prefix                   = "testaks"
-    node_count                   = 3
-    vm_size                      = "Standard_DS2_v2"
-    kubernetes_version           = "1.29.2"
+    aks_cluster_name             = "test-aks-hub"
+    resource_group_name          = "test-aks-hub-rg"
+    location                     = "Germany West Central"
+    dns_prefix                   = "testakshub"
+    aks_admin_group_object_id    = "12345678-1234-1234-1234-123456789012"
+    log_analytics_workspace_name = "test-law"
+
+    private_cluster_enabled             = true
+    private_dns_zone_id                 = "System"
+    private_cluster_public_fqdn_enabled = false
+
+    vnet_address_space    = "10.240.0.0/16"
+    subnet_address_prefix = "10.240.0.0/20"
+
+    hub_subscription_id     = "5066eff7-4173-4fea-8c67-268456b4a4f7"
+    hub_resource_group_name = "likvid-hub-vnet-rg"
+    hub_vnet_name           = "hub-vnet"
+  }
+
+  assert {
+    condition     = azurerm_kubernetes_cluster.aks.private_cluster_enabled == true
+    error_message = "AKS cluster should be private"
+  }
+
+  assert {
+    condition     = length(azurerm_virtual_network.vnet) == 1
+    error_message = "VNet should be created when vnet_name is null"
+  }
+
+  assert {
+    condition     = contains(one(azurerm_virtual_network.vnet[*].address_space), "10.240.0.0/16")
+    error_message = "VNet should have correct address space"
+  }
+
+  assert {
+    condition     = length(azurerm_subnet.aks_subnet) == 1
+    error_message = "Subnet should be created when subnet_name is null"
+  }
+
+  assert {
+    condition     = length(azurerm_virtual_network_peering.aks_to_hub) == 1
+    error_message = "Peering to hub should be created when creating new VNet"
+  }
+
+  assert {
+    condition     = length(azurerm_virtual_network_peering.hub_to_aks) == 1
+    error_message = "Peering from hub should be created when creating new VNet"
+  }
+
+  assert {
+    condition     = one(azurerm_virtual_network_peering.hub_to_aks[*].allow_gateway_transit) == false
+    error_message = "Hub should not allow gateway transit when not configured"
+  }
+
+  assert {
+    condition     = one(azurerm_virtual_network_peering.aks_to_hub[*].use_remote_gateways) == false
+    error_message = "AKS VNet should not use remote gateways when not configured"
+  }
+}
+
+run "scenario_2_existing_shared_vnet" {
+
+  variables {
+    subscription_id              = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
+    aks_cluster_name             = "test-aks-shared"
+    resource_group_name          = "test-aks-shared-rg"
+    location                     = "Germany West Central"
+    dns_prefix                   = "testaksshared"
     aks_admin_group_object_id    = "12345678-1234-1234-1234-123456789012"
-    vnet_address_space           = "10.1.0.0/16"
-    subnet_address_prefix        = "10.1.0.0/20"
-    service_cidr                 = "10.2.0.0/16"
-    dns_service_ip               = "10.2.0.10"
     log_analytics_workspace_name = "test-law"
+
+    private_cluster_enabled             = true
+    private_dns_zone_id                 = "System"
+    private_cluster_public_fqdn_enabled = false
+
+    vnet_name                         = "lz102-on-prem-nwk-vnet"
+    existing_vnet_resource_group_name = "connectivity"
+    subnet_name                       = "default"
+  }
+
+  assert {
+    condition     = azurerm_kubernetes_cluster.aks.private_cluster_enabled == true
+    error_message = "AKS cluster should be private"
   }
 
   assert {
-    condition     = azurerm_kubernetes_cluster.aks.name == "test-aks-cluster"
-    error_message = "AKS cluster name should match the input variable"
+    condition     = length(azurerm_virtual_network.vnet) == 0
+    error_message = "VNet should NOT be created when vnet_name is provided"
   }
 
   assert {
-    condition     = azurerm_kubernetes_cluster.aks.kubernetes_version == "1.29.2"
-    error_message = "Kubernetes version should match the input variable"
+    condition     = length(azurerm_subnet.aks_subnet) == 0
+    error_message = "Subnet should NOT be created when subnet_name is provided"
   }
 
   assert {
-    condition     = one(azurerm_virtual_network.vnet.address_space) == "10.1.0.0/16"
-    error_message = "VNet address space should match the input variable"
+    condition     = length(azurerm_virtual_network_peering.aks_to_hub) == 0
+    error_message = "Peering to hub should NOT be created when using existing VNet"
   }
 
   assert {
-    condition     = one(azurerm_subnet.aks_subnet.address_prefixes) == "10.1.0.0/20"
-    error_message = "Subnet address prefix should match the input variable"
+    condition     = length(azurerm_virtual_network_peering.hub_to_aks) == 0
+    error_message = "Peering from hub should NOT be created when using existing VNet"
+  }
+
+  assert {
+    condition     = var.existing_vnet_resource_group_name == "connectivity"
+    error_message = "Should use VNet from different resource group"
+  }
+}
+
+
+
+run "scenario_4_public_cluster" {
+
+  variables {
+    subscription_id              = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
+    aks_cluster_name             = "test-aks-public"
+    resource_group_name          = "test-aks-public-rg"
+    location                     = "Germany West Central"
+    dns_prefix                   = "testakspublic"
+    aks_admin_group_object_id    = "12345678-1234-1234-1234-123456789012"
+    log_analytics_workspace_name = "test-law"
+
+    private_cluster_enabled = false
+
+    vnet_address_space    = "10.240.0.0/16"
+    subnet_address_prefix = "10.240.0.0/20"
+  }
+
+  assert {
+    condition     = azurerm_kubernetes_cluster.aks.private_cluster_enabled == false
+    error_message = "AKS cluster should be public"
+  }
+
+  assert {
+    condition     = length(azurerm_virtual_network.vnet) == 1
+    error_message = "VNet should be created"
+  }
+
+  assert {
+    condition     = length(azurerm_subnet.aks_subnet) == 1
+    error_message = "Subnet should be created"
+  }
+
+  assert {
+    condition     = length(azurerm_virtual_network_peering.aks_to_hub) == 0
+    error_message = "Peering should NOT be created for public cluster"
+  }
+
+  assert {
+    condition     = output.oidc_issuer_url != ""
+    error_message = "OIDC issuer URL should be available"
   }
 }
 
 run "valid_autoscaling_configuration" {
-  command = plan
 
   variables {
     subscription_id           = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
     resource_group_name       = "test-aks-autoscale-rg"
-    location                  = "West Europe"
+    location                  = "Germany West Central"
     aks_cluster_name          = "test-aks-autoscale"
     dns_prefix                = "testaksautoscale"
     aks_admin_group_object_id = "12345678-1234-1234-1234-123456789012"
@@ -66,12 +184,11 @@ run "valid_autoscaling_configuration" {
 }
 
 run "no_monitoring_when_law_null" {
-  command = plan
 
   variables {
     subscription_id              = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
     resource_group_name          = "test-aks-no-monitoring-rg"
-    location                     = "West Europe"
+    location                     = "Germany West Central"
     aks_cluster_name             = "test-aks-no-monitoring"
     dns_prefix                   = "testaksnomon"
     aks_admin_group_object_id    = "12345678-1234-1234-1234-123456789012"
@@ -95,7 +212,7 @@ run "invalid_dns_prefix" {
   variables {
     subscription_id           = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
     resource_group_name       = "test-aks-rg"
-    location                  = "West Europe"
+    location                  = "Germany West Central"
     aks_cluster_name          = "test-aks"
     dns_prefix                = "Invalid_DNS_Prefix!"
     aks_admin_group_object_id = "12345678-1234-1234-1234-123456789012"
@@ -112,7 +229,7 @@ run "invalid_kubernetes_version" {
   variables {
     subscription_id           = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
     resource_group_name       = "test-aks-rg"
-    location                  = "West Europe"
+    location                  = "Germany West Central"
     aks_cluster_name          = "test-aks"
     dns_prefix                = "testaks"
     kubernetes_version        = "invalid-version"
@@ -130,7 +247,7 @@ run "invalid_admin_group_object_id" {
   variables {
     subscription_id           = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
     resource_group_name       = "test-aks-rg"
-    location                  = "West Europe"
+    location                  = "Germany West Central"
     aks_cluster_name          = "test-aks"
     dns_prefix                = "testaks"
     aks_admin_group_object_id = "not-a-valid-guid"
@@ -147,7 +264,7 @@ run "invalid_node_count_too_low" {
   variables {
     subscription_id           = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
     resource_group_name       = "test-aks-rg"
-    location                  = "West Europe"
+    location                  = "Germany West Central"
     aks_cluster_name          = "test-aks"
     dns_prefix                = "testaks"
     node_count                = 0
@@ -165,7 +282,7 @@ run "invalid_os_disk_size" {
   variables {
     subscription_id           = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
     resource_group_name       = "test-aks-rg"
-    location                  = "West Europe"
+    location                  = "Germany West Central"
     aks_cluster_name          = "test-aks"
     dns_prefix                = "testaks"
     os_disk_size_gb           = 20
@@ -178,12 +295,11 @@ run "invalid_os_disk_size" {
 }
 
 run "custom_network_plugin_kubenet" {
-  command = plan
 
   variables {
     subscription_id           = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
     resource_group_name       = "test-aks-rg"
-    location                  = "West Europe"
+    location                  = "Germany West Central"
     aks_cluster_name          = "test-aks-kubenet"
     dns_prefix                = "testakskube"
     network_plugin            = "kubenet"
@@ -203,25 +319,24 @@ run "custom_network_plugin_kubenet" {
 }
 
 run "naming_derived_from_cluster_name" {
-  command = plan
 
   variables {
     subscription_id              = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
     resource_group_name          = "test-aks-rg"
-    location                     = "West Europe"
+    location                     = "Germany West Central"
     aks_cluster_name             = "myapp-prod"
     dns_prefix                   = "myappprod"
     aks_admin_group_object_id    = "12345678-1234-1234-1234-123456789012"
     log_analytics_workspace_name = "test-law"
   }
 
   assert {
-    condition     = azurerm_virtual_network.vnet.name == "myapp-prod-vnet"
+    condition     = one(azurerm_virtual_network.vnet[*].name) == "myapp-prod-vnet"
     error_message = "VNet name should be derived from cluster name"
   }
 
   assert {
-    condition     = azurerm_subnet.aks_subnet.name == "myapp-prod-subnet"
+    condition     = one(azurerm_subnet.aks_subnet[*].name) == "myapp-prod-subnet"
     error_message = "Subnet name should be derived from cluster name"
   }
 
@@ -230,3 +345,66 @@ run "naming_derived_from_cluster_name" {
     error_message = "Log Analytics Workspace name should be derived from cluster name"
   }
 }
+
+run "workload_identity_enabled" {
+
+  variables {
+    subscription_id           = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
+    resource_group_name       = "test-aks-rg"
+    location                  = "Germany West Central"
+    aks_cluster_name          = "test-aks-wi"
+    dns_prefix                = "testakswi"
+    aks_admin_group_object_id = "12345678-1234-1234-1234-123456789012"
+  }
+
+  assert {
+    condition     = azurerm_kubernetes_cluster.aks.workload_identity_enabled == true
+    error_message = "Workload Identity should be enabled"
+  }
+
+  assert {
+    condition     = azurerm_kubernetes_cluster.aks.oidc_issuer_enabled == true
+    error_message = "OIDC issuer should be enabled"
+  }
+
+  assert {
+    condition     = output.oidc_issuer_url != ""
+    error_message = "OIDC issuer URL should be available"
+  }
+}
+
+run "gateway_transit_configuration" {
+  command = plan
+
+  variables {
+    subscription_id              = "ffb344c9-26d7-45f5-9ba0-806a024ae697"
+    aks_cluster_name             = "test-aks-gateway"
+    resource_group_name          = "test-aks-gateway-rg"
+    location                     = "Germany West Central"
+    dns_prefix                   = "testaksgateway"
+    aks_admin_group_object_id    = "12345678-1234-1234-1234-123456789012"
+    log_analytics_workspace_name = "test-law"
+
+    private_cluster_enabled             = true
+    private_dns_zone_id                 = "System"
+    private_cluster_public_fqdn_enabled = false
+
+    vnet_address_space    = "10.240.0.0/16"
+    subnet_address_prefix = "10.240.0.0/20"
+
+    hub_subscription_id            = "5066eff7-4173-4fea-8c67-268456b4a4f7"
+    hub_resource_group_name        = "likvid-hub-vnet-rg"
+    hub_vnet_name                  = "hub-vnet"
+    allow_gateway_transit_from_hub = false
+  }
+
+  assert {
+    condition     = one(azurerm_virtual_network_peering.hub_to_aks[*].allow_gateway_transit) == false
+    error_message = "Hub should not allow gateway transit when disabled"
+  }
+
+  assert {
+    condition     = one(azurerm_virtual_network_peering.aks_to_hub[*].use_remote_gateways) == false
+    error_message = "AKS VNet should not use remote gateways when gateway transit disabled"
+  }
+}