fix: change aks_pod_cidr based on aks_network_plugin (PSKD-1458) (#513)

saschjmil · web-flow · commit abbafb1320e5 · 2025-06-10T15:25:26.000-04:00
* chore: add aks_network_plugin to outputs

Signed-off-by: chjmil &lt;christopher.miller@sas.com&gt;

* chore: change aks_pod_cidr based on network_plugin

Signed-off-by: chjmil &lt;christopher.miller@sas.com&gt;

* test: adding azure network plugin tests

Signed-off-by: chjmil &lt;christopher.miller@sas.com&gt;

* fix: change from vnet_address space to aks subnet address space

Signed-off-by: chjmil &lt;christopher.miller@sas.com&gt;

---------

Signed-off-by: chjmil &lt;christopher.miller@sas.com&gt;
diff --git a/outputs.tf b/outputs.tf
@@ -27,7 +27,8 @@ output "aks_cluster_password" {
 }
 
 output "aks_pod_cidr" {
-  value = var.aks_pod_cidr
+  # If the aks_network_plugin is set to azure, use the aks subnet address space as the pod CIDR.
+  value = var.aks_network_plugin == "kubenet" ? var.aks_pod_cidr : module.vnet.subnets["aks"].address_prefixes[0]
 }
 
 # postgres
@@ -148,3 +149,7 @@ output "cluster_node_pool_mode" {
 output "cluster_api_mode" {
   value = var.cluster_api_mode
 }
+
+output "aks_network_plugin" {
+  value = var.aks_network_plugin
+}
diff --git a/test/defaultplan/network_test.go b/test/defaultplan/network_test.go
@@ -42,6 +42,11 @@ func TestPlanNetwork(t *testing.T) {
 			ResourceMapName:   "module.aks.azurerm_kubernetes_cluster.aks",
 			AttributeJsonPath: "{$.expressions.aks_network_plugin_mode.reference[0]}",
 		},
+		"kubeletPluginAksPodCidrTest": {
+			Expected:        "10.244.0.0/16",
+			ResourceMapName: "aks_pod_cidr",
+			Retriever:       helpers.RetrieveFromRawPlanOutputChanges,
+		},
 	}
 
 	helpers.RunTests(t, tests, helpers.GetDefaultPlan(t))
diff --git a/test/go.mod b/test/go.mod
@@ -5,6 +5,8 @@ go 1.23.0
 toolchain go1.23.2
 
 require (
+	github.com/Azure/azure-sdk-for-go v51.0.0+incompatible
+	github.com/Azure/go-autorest/autorest/to v0.4.0
 	github.com/gruntwork-io/terratest v0.48.2
 	github.com/hashicorp/terraform-json v0.23.0
 	github.com/stretchr/testify v1.10.0
@@ -13,7 +15,6 @@ require (
 
 require (
 	filippo.io/edwards25519 v1.1.0 // indirect
-	github.com/Azure/azure-sdk-for-go v51.0.0+incompatible // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
@@ -24,7 +25,6 @@ require (
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.8 // indirect
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.2 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
-	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
 	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
diff --git a/test/helpers/test_case.go b/test/helpers/test_case.go
@@ -5,10 +5,11 @@ package helpers
 
 import (
 	"fmt"
+	"testing"
+
 	"github.com/gruntwork-io/terratest/modules/terraform"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"testing"
 )
 
 // TupleTestCase struct which encapsulates a range of tests against a single resource map.
@@ -45,6 +46,16 @@ func RetrieveFromRawPlan(plan *terraform.PlanStruct, outputName string, jsonPath
 	return value, nil
 }
 
+// RetrieveFromRawPlan Retriever that gets a value from the raw plan variables
+func RetrieveFromRawPlanOutputChanges(plan *terraform.PlanStruct, outputName string, jsonPath string) (string, error) {
+	output, exists := plan.RawPlan.OutputChanges[outputName]
+	if !exists {
+		return "nil", nil
+	}
+	value := fmt.Sprintf("%v", output.After)
+	return value, nil
+}
+
 // RetrieveFromResourcePlannedValuesMap Retriever that gets the value of a jsonpath query on a given *terraform.PlanStruct
 func RetrieveFromResourcePlannedValuesMap(plan *terraform.PlanStruct, resourceMapName string, jsonPath string) (string, error) {
 	valuesMap, exists := plan.ResourcePlannedValuesMap[resourceMapName]
diff --git a/test/nondefaultplan/azure_policy_test.go b/test/nondefaultplan/azure_policy_test.go
@@ -15,6 +15,7 @@ func TestPlanAzurePolicy(t *testing.T) {
 
 	variables := helpers.GetDefaultPlanVars(t)
 	variables["aks_azure_policy_enabled"] = true
+	variables["aks_network_plugin"] = "azure"
 
 	tests := map[string]helpers.TestCase{
 		"azurePolicyEnabledTest": {
@@ -23,6 +24,69 @@ func TestPlanAzurePolicy(t *testing.T) {
 			AttributeJsonPath: "{$.azure_policy_enabled}",
 			Message:           "Unexpected azure_policy_enabled value",
 		},
+		"networkPluginTest": {
+			Expected:          "azure",
+			ResourceMapName:   "module.aks.azurerm_kubernetes_cluster.aks",
+			AttributeJsonPath: "{$.network_profile[0].network_plugin}",
+		},
+		"azurePluginAksPodCidrTest": {
+			Expected:        "192.168.0.0/23",
+			ResourceMapName: "aks_pod_cidr",
+			Retriever:       helpers.RetrieveFromRawPlanOutputChanges,
+		},
+	}
+
+	plan := helpers.GetPlan(t, variables)
+	helpers.RunTests(t, tests, plan)
+}
+
+// Test the default variables when using the sample-input-defaults.tfvars file
+// with aks_network_plugin set to azure and custom subnets.
+func TestPlanCustomSubnets(t *testing.T) {
+	t.Parallel()
+
+	variables := helpers.GetDefaultPlanVars(t)
+	variables["aks_network_plugin"] = "azure"
+	variables["subnets"] = map[string]interface{}{
+		"aks": map[string]interface{}{
+			"prefixes":                                      []string{"123.12.0.0/21"},
+			"service_endpoints":                             []string{"Microsoft.Sql"},
+			"private_endpoint_network_policies":             "Disabled",
+			"private_link_service_network_policies_enabled": false,
+			"service_delegations":                           map[string]interface{}{},
+		},
+		"misc": map[string]interface{}{
+			"prefixes":                                      []string{"123.12.8.0/24"},
+			"service_endpoints":                             []string{"Microsoft.Sql"},
+			"private_endpoint_network_policies":             "Disabled",
+			"private_link_service_network_policies_enabled": false,
+			"service_delegations":                           map[string]interface{}{},
+		},
+		"netapp": map[string]interface{}{
+			"prefixes":                                      []string{"123.12.9.0/24"},
+			"service_endpoints":                             []string{""},
+			"private_endpoint_network_policies":             "Disabled",
+			"private_link_service_network_policies_enabled": false,
+			"service_delegations": map[string]interface{}{
+				"netapp": map[string]interface{}{
+					"name":    "Microsoft.Netapp/volumes",
+					"actions": []string{"Microsoft.Network/networkinterfaces/*", "Microsoft.Network/virtualNetworks/subnets/join/action"},
+				},
+			},
+		},
+	}
+
+	tests := map[string]helpers.TestCase{
+		"networkPluginTest": {
+			Expected:          "azure",
+			ResourceMapName:   "module.aks.azurerm_kubernetes_cluster.aks",
+			AttributeJsonPath: "{$.network_profile[0].network_plugin}",
+		},
+		"azurePluginAksPodCidrTest": {
+			Expected:        "123.12.0.0/21",
+			ResourceMapName: "aks_pod_cidr",
+			Retriever:       helpers.RetrieveFromRawPlanOutputChanges,
+		},
 	}
 
 	plan := helpers.GetPlan(t, variables)

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,8 @@ output "aks_cluster_password" {`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`output "aks_pod_cidr" {`
`30`		`- value = var.aks_pod_cidr`
	`30`	`+ # If the aks_network_plugin is set to azure, use the aks subnet address space as the pod CIDR.`
	`31`	`+ value = var.aks_network_plugin == "kubenet" ? var.aks_pod_cidr : module.vnet.subnets["aks"].address_prefixes[0]`
`31`	`32`	`}`
`32`	`33`
`33`	`34`	`# postgres`
`@@ -148,3 +149,7 @@ output "cluster_node_pool_mode" {`
`148`	`149`	`output "cluster_api_mode" {`
`149`	`150`	`value = var.cluster_api_mode`
`150`	`151`	`}`
	`152`	`+`
	`153`	`+output "aks_network_plugin" {`
	`154`	`+ value = var.aks_network_plugin`
	`155`	`+}`