diff --git a/terraform/main.tf b/terraform/main.tf index 4cff353..9240133 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -2,13 +2,19 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "3.50" + version = "4.2.0" } } } provider "azurerm" { - features {} + features { + key_vault { + purge_soft_delete_on_destroy = true + recover_soft_deleted_key_vaults = true + } + } + resource_provider_registrations = "core" } terraform { @@ -52,13 +58,13 @@ module "hub_network" { { name : "AzureFirewallSubnet" address_prefixes : var.hub_firewall_subnet_address_prefix - private_endpoint_network_policies_enabled : true + private_endpoint_network_policies_enabled : "Enabled" private_link_service_network_policies_enabled : false }, { name : "AzureBastionSubnet" address_prefixes : var.hub_bastion_subnet_address_prefix - private_endpoint_network_policies_enabled : true + private_endpoint_network_policies_enabled : "Enabled" private_link_service_network_policies_enabled : false } ] 
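Review bot: `purge_soft_delete_on_destroy = true` in the new `key_vault` features block means that `terraform destroy` permanently purges any vault this configuration manages, so the soft-delete retention window that would otherwise let an operator recover keys, secrets and certificates after an accidental or malicious destroy is bypassed; vaults with purge protection turned on will instead fail at the purge step. For environments where recoverability matters this should read `purge_soft_delete_on_destroy = false`, or be exposed as a variable with that default, and the choice deserves a one-line comment either way. The exact pin `version = "4.2.0"` here also differs from the open-ended `>= 4` set in virtual_network_peering further down; a shared constraint such as `~> 4.2` in both places would keep the root and the module from drifting apart.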
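Review bot: The two subnet objects now pass the string `"Enabled"` through an attribute still named `private_endpoint_network_policies_enabled`, whose `_enabled` suffix promises a boolean; the same applies to the four subnets in the following `module "aks_network"` hunk and to the object type in modules/virtual_network/variables.tf. A later editor is likely to put `true` back and hit a type error at plan time, or to write `"Disabled"` without noticing that it lifts NSG and route-table enforcement from private endpoints in that subnet, which on the AzureFirewallSubnet and AzureBastionSubnet would be a real exposure. Renaming the attribute to `private_endpoint_network_policies`, matching the azurerm 4.x argument it now feeds, makes the enum nature visible; restricting the accepted values belongs in the module's `variable "subnets"` validation.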
@@ -76,25 +82,25 @@ module "aks_network" {
 {
 name : var.default_node_pool_subnet_name
 address_prefixes : var.default_node_pool_subnet_address_prefix
- private_endpoint_network_policies_enabled : true
+ private_endpoint_network_policies_enabled : "Enabled"
 private_link_service_network_policies_enabled : false
 },
 {
 name : var.additional_node_pool_subnet_name
 address_prefixes : var.additional_node_pool_subnet_address_prefix
- private_endpoint_network_policies_enabled : true
+ private_endpoint_network_policies_enabled : "Enabled"
 private_link_service_network_policies_enabled : false
 },
 {
 name : var.pod_subnet_name
 address_prefixes : var.pod_subnet_address_prefix
- private_endpoint_network_policies_enabled : true
+ private_endpoint_network_policies_enabled : "Enabled"
 private_link_service_network_policies_enabled : false
 },
 {
 name : var.vm_subnet_name
 address_prefixes : var.vm_subnet_address_prefix
- private_endpoint_network_policies_enabled : true
+ private_endpoint_network_policies_enabled : "Enabled"
 private_link_service_network_policies_enabled : false
 }
 ]
@@ -173,8 +179,6 @@ module "aks_cluster" {
 default_node_pool_vm_size = var.default_node_pool_vm_size
 vnet_subnet_id = module.aks_network.subnet_ids[var.default_node_pool_subnet_name]
 default_node_pool_availability_zones = var.default_node_pool_availability_zones
- default_node_pool_node_labels = var.default_node_pool_node_labels
- default_node_pool_node_taints = var.default_node_pool_node_taints
 default_node_pool_enable_auto_scaling = var.default_node_pool_enable_auto_scaling
 default_node_pool_enable_host_encryption = var.default_node_pool_enable_host_encryption
 default_node_pool_enable_node_public_ip = var.default_node_pool_enable_node_public_ip
diff --git a/terraform/modules/aks/main.tf b/terraform/modules/aks/main.tf
index 16a4c9f..696ac60 100644
--- a/terraform/modules/aks/main.tf
+++ b/terraform/modules/aks/main.tf
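Review bot: Dropping `default_node_pool_node_labels` from the module call makes the system node pool fall back to the module default `{}`, even though modules/aks/main.tf still wires `node_labels = var.default_node_pool_node_labels` and modules/aks/variables.tf still declares that variable; only the taints variable was actually removed from the module. If the labels are meant to survive the 4.x migration, keep `default_node_pool_node_labels = var.default_node_pool_node_labels` here; if not, also remove the root-level variable (not visible in this diff) so it does not linger as an unused input that reviewers assume is honoured. The `module "aks_cluster"` block continues outside the hunk.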
@@ -1,150 +1,149 @@ -terraform { - required_providers { - azurerm = { - source = "hashicorp/azurerm" - } - } - - required_version = ">= 0.14.9" -} - -resource "azurerm_user_assigned_identity" "aks_identity" { - resource_group_name = var.resource_group_name - location = var.location - tags = var.tags - - name = "${var.name}Identity" - - lifecycle { - ignore_changes = [ - tags - ] - } -} - -resource "azurerm_kubernetes_cluster" "aks_cluster" { - name = var.name - location = var.location - resource_group_name = var.resource_group_name - kubernetes_version = var.kubernetes_version - dns_prefix = var.dns_prefix - private_cluster_enabled = var.private_cluster_enabled - automatic_channel_upgrade = var.automatic_channel_upgrade - sku_tier = var.sku_tier - workload_identity_enabled = var.workload_identity_enabled - oidc_issuer_enabled = var.oidc_issuer_enabled - open_service_mesh_enabled = var.open_service_mesh_enabled - image_cleaner_enabled = var.image_cleaner_enabled - azure_policy_enabled = var.azure_policy_enabled - http_application_routing_enabled = var.http_application_routing_enabled - - default_node_pool { - name = var.default_node_pool_name - vm_size = var.default_node_pool_vm_size - vnet_subnet_id = var.vnet_subnet_id - pod_subnet_id = var.pod_subnet_id - zones = var.default_node_pool_availability_zones - node_labels = var.default_node_pool_node_labels - node_taints = var.default_node_pool_node_taints - enable_auto_scaling = var.default_node_pool_enable_auto_scaling - enable_host_encryption = var.default_node_pool_enable_host_encryption - enable_node_public_ip = var.default_node_pool_enable_node_public_ip - max_pods = var.default_node_pool_max_pods - max_count = var.default_node_pool_max_count - min_count = var.default_node_pool_min_count - node_count = var.default_node_pool_node_count - os_disk_type = var.default_node_pool_os_disk_type - tags = var.tags - } - - linux_profile { - admin_username = var.admin_username - ssh_key { - key_data = var.ssh_public_key - } 
- } - - identity { - type = "UserAssigned" - identity_ids = tolist([azurerm_user_assigned_identity.aks_identity.id]) - } - - network_profile { - dns_service_ip = var.network_dns_service_ip - network_plugin = var.network_plugin - outbound_type = var.outbound_type - service_cidr = var.network_service_cidr - } - - oms_agent { - msi_auth_for_monitoring_enabled = true - log_analytics_workspace_id = coalesce(var.oms_agent.log_analytics_workspace_id, var.log_analytics_workspace_id) - } - - dynamic "ingress_application_gateway" { - for_each = try(var.ingress_application_gateway.gateway_id, null) == null ? [] : [1] - - content { - gateway_id = var.ingress_application_gateway.gateway_id - subnet_cidr = var.ingress_application_gateway.subnet_cidr - subnet_id = var.ingress_application_gateway.subnet_id - } - } - - azure_active_directory_role_based_access_control { - managed = true - tenant_id = var.tenant_id - admin_group_object_ids = var.admin_group_object_ids - azure_rbac_enabled = var.azure_rbac_enabled - } - - workload_autoscaler_profile { - keda_enabled = var.keda_enabled - vertical_pod_autoscaler_enabled = var.vertical_pod_autoscaler_enabled - } - - lifecycle { - ignore_changes = [ - kubernetes_version, - tags - ] - } -} - -resource "azurerm_monitor_diagnostic_setting" "settings" { - name = "DiagnosticsSettings" - target_resource_id = azurerm_kubernetes_cluster.aks_cluster.id - log_analytics_workspace_id = var.log_analytics_workspace_id - - enabled_log { - category = "kube-apiserver" - } - - enabled_log { - category = "kube-audit" - } - - enabled_log { - category = "kube-audit-admin" - } - - enabled_log { - category = "kube-controller-manager" - } - - enabled_log { - category = "kube-scheduler" - } - - enabled_log { - category = "cluster-autoscaler" - } - - enabled_log { - category = "guard" - } - - metric { - category = "AllMetrics" - } -} +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + } + } + + required_version = ">= 0.14.9" +} + 
+resource "azurerm_user_assigned_identity" "aks_identity" { + resource_group_name = var.resource_group_name + location = var.location + tags = var.tags + + name = "${var.name}Identity" + + lifecycle { + ignore_changes = [ + tags + ] + } +} + +resource "azurerm_kubernetes_cluster" "aks_cluster" { + name = var.name + location = var.location + resource_group_name = var.resource_group_name + kubernetes_version = var.kubernetes_version + dns_prefix = var.dns_prefix + private_cluster_enabled = var.private_cluster_enabled + automatic_upgrade_channel = var.automatic_channel_upgrade + sku_tier = var.sku_tier + workload_identity_enabled = var.workload_identity_enabled + oidc_issuer_enabled = var.oidc_issuer_enabled + open_service_mesh_enabled = var.open_service_mesh_enabled + image_cleaner_enabled = var.image_cleaner_enabled + image_cleaner_interval_hours = 168 + azure_policy_enabled = var.azure_policy_enabled + http_application_routing_enabled = var.http_application_routing_enabled + + default_node_pool { + name = var.default_node_pool_name + vm_size = var.default_node_pool_vm_size + vnet_subnet_id = var.vnet_subnet_id + pod_subnet_id = var.pod_subnet_id + zones = var.default_node_pool_availability_zones + node_labels = var.default_node_pool_node_labels + auto_scaling_enabled = var.default_node_pool_enable_auto_scaling + host_encryption_enabled = var.default_node_pool_enable_host_encryption + node_public_ip_enabled = var.default_node_pool_enable_node_public_ip + max_pods = var.default_node_pool_max_pods + max_count = var.default_node_pool_max_count + min_count = var.default_node_pool_min_count + node_count = var.default_node_pool_node_count + os_disk_type = var.default_node_pool_os_disk_type + tags = var.tags + } + + linux_profile { + admin_username = var.admin_username + ssh_key { + key_data = var.ssh_public_key + } + } + + identity { + type = "UserAssigned" + identity_ids = tolist([azurerm_user_assigned_identity.aks_identity.id]) + } + + network_profile { + dns_service_ip 
= var.network_dns_service_ip + network_plugin = var.network_plugin + outbound_type = var.outbound_type + service_cidr = var.network_service_cidr + } + + oms_agent { + msi_auth_for_monitoring_enabled = true + log_analytics_workspace_id = coalesce(var.oms_agent.log_analytics_workspace_id, var.log_analytics_workspace_id) + } + + dynamic "ingress_application_gateway" { + for_each = try(var.ingress_application_gateway.gateway_id, null) == null ? [] : [1] + + content { + gateway_id = var.ingress_application_gateway.gateway_id + subnet_cidr = var.ingress_application_gateway.subnet_cidr + subnet_id = var.ingress_application_gateway.subnet_id + } + } + + azure_active_directory_role_based_access_control { + tenant_id = var.tenant_id + admin_group_object_ids = var.admin_group_object_ids + azure_rbac_enabled = var.azure_rbac_enabled + } + + workload_autoscaler_profile { + keda_enabled = var.keda_enabled + vertical_pod_autoscaler_enabled = var.vertical_pod_autoscaler_enabled + } + + lifecycle { + ignore_changes = [ + kubernetes_version, + tags + ] + } +} + +resource "azurerm_monitor_diagnostic_setting" "settings" { + name = "DiagnosticsSettings" + target_resource_id = azurerm_kubernetes_cluster.aks_cluster.id + log_analytics_workspace_id = var.log_analytics_workspace_id + + enabled_log { + category = "kube-apiserver" + } + + enabled_log { + category = "kube-audit" + } + + enabled_log { + category = "kube-audit-admin" + } + + enabled_log { + category = "kube-controller-manager" + } + + enabled_log { + category = "kube-scheduler" + } + + enabled_log { + category = "cluster-autoscaler" + } + + enabled_log { + category = "guard" + } + + metric { + category = "AllMetrics" + } +} diff --git a/terraform/modules/aks/variables.tf b/terraform/modules/aks/variables.tf index 772c6a8..a552ea8 100644 --- a/terraform/modules/aks/variables.tf +++ b/terraform/modules/aks/variables.tf 
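Review bot: All 150 lines of modules/aks/main.tf show as removed and re-added although only a handful actually change (`automatic_upgrade_channel`, the new `image_cleaner_interval_hours = 168`, the three `*_enabled` renames in `default_node_pool`, the dropped `node_taints`, and the dropped `managed = true` in the Entra RBAC block); this looks like a line-ending or whitespace rewrite, and it hides the real 4.x migration from review. Landing the normalisation as a separate commit, or restoring the original line endings, would leave a diff that can be checked argument by argument against the provider upgrade guide. The hard-coded `image_cleaner_interval_hours = 168` also deserves a short comment or a `var.image_cleaner_interval_hours` input, since every other cluster setting in this resource is driven from `var.*`.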
@@ -1,310 +1,305 @@ -variable "name" { - description = "(Required) Specifies the name of the AKS cluster." - type = string -} - -variable "resource_group_name" { - description = "(Required) Specifies the name of the resource group." - type = string -} - -variable "resource_group_id" { - description = "(Required) Specifies the resource id of the resource group." - type = string -} - -variable "location" { - description = "(Required) Specifies the location where the AKS cluster will be deployed." - type = string -} - -variable "dns_prefix" { - description = "(Optional) DNS prefix specified when creating the managed cluster. Changing this forces a new resource to be created." - type = string -} - -variable "private_cluster_enabled" { - description = "Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created." - type = bool - default = false -} - -variable "azure_rbac_enabled" { - description = "(Optional) Is Role Based Access Control based on Microsoft Entra ID enabled?" - default = true - type = bool -} - -variable "admin_group_object_ids" { - description = "(Optional) A list of Object IDs of Microsoft Entra ID Groups which should have Admin Role on the Cluster." - default = [] - type = list(string) -} - -variable "role_based_access_control_enabled" { - description = "(Required) Is Role Based Access Control Enabled? Changing this forces a new resource to be created." - default = true - type = bool -} - -variable "automatic_channel_upgrade" { - description = "(Optional) The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, and stable." - default = "stable" - type = string - - validation { - condition = contains( ["patch", "rapid", "stable"], var.automatic_channel_upgrade) - error_message = "The upgrade mode is invalid." 
- } -} - -variable "sku_tier" { - description = "(Optional) The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free and Paid (which includes the Uptime SLA). Defaults to Free." - default = "Free" - type = string - - validation { - condition = contains( ["Free", "Paid"], var.sku_tier) - error_message = "The sku tier is invalid." - } -} - -variable "kubernetes_version" { - description = "Specifies the AKS Kubernetes version" - default = "1.21.1" - type = string -} - -variable "default_node_pool_vm_size" { - description = "Specifies the vm size of the default node pool" - default = "Standard_F8s_v2" - type = string -} - -variable "default_node_pool_availability_zones" { - description = "Specifies the availability zones of the default node pool" - default = ["1", "2", "3"] - type = list(string) -} - -variable "network_dns_service_ip" { - description = "Specifies the DNS service IP" - default = "10.2.0.10" - type = string -} - -variable "network_service_cidr" { - description = "Specifies the service CIDR" - default = "10.2.0.0/24" - type = string -} - -variable "network_plugin" { - description = "Specifies the network plugin of the AKS cluster" - default = "azure" - type = string -} - -variable "outbound_type" { - description = "(Optional) The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer and userDefinedRouting. Defaults to loadBalancer." - type = string - default = "userDefinedRouting" - - validation { - condition = contains(["loadBalancer", "userDefinedRouting"], var.outbound_type) - error_message = "The outbound type is invalid." 
- } -} - -variable "default_node_pool_name" { - description = "Specifies the name of the default node pool" - default = "system" - type = string -} - -variable "default_node_pool_subnet_name" { - description = "Specifies the name of the subnet that hosts the default node pool" - default = "SystemSubnet" - type = string -} - -variable "default_node_pool_subnet_address_prefix" { - description = "Specifies the address prefix of the subnet that hosts the default node pool" - default = ["10.0.0.0/20"] - type = list(string) -} - -variable "default_node_pool_enable_auto_scaling" { - description = "(Optional) Whether to enable auto-scaler. Defaults to false." - type = bool - default = true -} - -variable "default_node_pool_enable_host_encryption" { - description = "(Optional) Should the nodes in this Node Pool have host encryption enabled? Defaults to false." - type = bool - default = false -} - -variable "default_node_pool_enable_node_public_ip" { - description = "(Optional) Should each node have a Public IP Address? Defaults to false. Changing this forces a new resource to be created." - type = bool - default = false -} - -variable "default_node_pool_max_pods" { - description = "(Optional) The maximum number of pods that can run on each agent. Changing this forces a new resource to be created." - type = number - default = 50 -} - -variable "default_node_pool_node_labels" { - description = "(Optional) A list of Kubernetes taints which should be applied to nodes in the agent pool (e.g key=value:NoSchedule). Changing this forces a new resource to be created." - type = map(any) - default = {} -} - -variable "default_node_pool_node_taints" { - description = "(Optional) A map of Kubernetes labels which should be applied to nodes in this Node Pool. Changing this forces a new resource to be created." - type = list(string) - default = [] -} - -variable "default_node_pool_os_disk_type" { - description = "(Optional) The type of disk which should be used for the Operating System. 
Possible values are Ephemeral and Managed. Defaults to Managed. Changing this forces a new resource to be created." - type = string - default = "Ephemeral" -} - -variable "default_node_pool_max_count" { - description = "(Required) The maximum number of nodes which should exist within this Node Pool. Valid values are between 0 and 1000 and must be greater than or equal to min_count." - type = number - default = 10 -} - -variable "default_node_pool_min_count" { - description = "(Required) The minimum number of nodes which should exist within this Node Pool. Valid values are between 0 and 1000 and must be less than or equal to max_count." - type = number - default = 3 -} - -variable "default_node_pool_node_count" { - description = "(Optional) The initial number of nodes which should exist within this Node Pool. Valid values are between 0 and 1000 and must be a value in the range min_count - max_count." - type = number - default = 3 -} - -variable "log_analytics_workspace_id" { - description = "(Optional) The ID of the Log Analytics Workspace which the OMS Agent should send data to. Must be present if enabled is true." - type = string -} - -variable "tenant_id" { - description = "(Required) The tenant id of the system assigned identity which is used by master components." - type = string -} - -variable "vnet_subnet_id" { - description = "(Optional) The ID of a Subnet where the Kubernetes Node Pool should exist. Changing this forces a new resource to be created." - type = string -} - -variable "pod_subnet_id" { - description = "(Optional) The ID of the Subnet where the pods in the default Node Pool should exist. Changing this forces a new resource to be created." - type = string - default = null -} - -variable "tags" { - description = "(Optional) Specifies the tags of the bastion host" - default = {} -} - -variable "oms_agent" { - description = "Specifies the OMS agent addon configuration." 
- type = object({ - enabled = bool - log_analytics_workspace_id = string - }) - default = { - enabled = true - log_analytics_workspace_id = null - } -} - -variable "ingress_application_gateway" { - description = "Specifies the Application Gateway Ingress Controller addon configuration." - type = object({ - enabled = bool - gateway_id = string - gateway_name = string - subnet_cidr = string - subnet_id = string - }) - default = { - enabled = false - gateway_id = null - gateway_name = null - subnet_cidr = null - subnet_id = null - } -} - -variable "admin_username" { - description = "(Required) Specifies the Admin Username for the AKS cluster worker nodes. Changing this forces a new resource to be created." - type = string - default = "azadmin" -} - -variable "ssh_public_key" { - description = "(Required) Specifies the SSH public key used to access the cluster. Changing this forces a new resource to be created." - type = string -} - -variable "keda_enabled" { - description = "(Optional) Specifies whether KEDA Autoscaler can be used for workloads." - type = bool - default = true -} - -variable "vertical_pod_autoscaler_enabled" { - description = "(Optional) Specifies whether Vertical Pod Autoscaler should be enabled." - type = bool - default = true -} - -variable "workload_identity_enabled" { - description = "(Optional) Specifies whether Microsoft Entra ID Workload Identity should be enabled for the Cluster. Defaults to false." - type = bool - default = true -} - -variable "oidc_issuer_enabled" { - description = "(Optional) Enable or Disable the OIDC issuer URL." - type = bool - default = true -} - -variable "open_service_mesh_enabled" { - description = "(Optional) Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS." - type = bool - default = true -} - -variable "image_cleaner_enabled" { - description = "(Optional) Specifies whether Image Cleaner is enabled." 
- type = bool - default = true -} - -variable "azure_policy_enabled" { - description = "(Optional) Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service" - type = bool - default = true -} - -variable "http_application_routing_enabled" { - description = "(Optional) Should HTTP Application Routing be enabled?" - type = bool - default = false -} +variable "name" { + description = "(Required) Specifies the name of the AKS cluster." + type = string +} + +variable "resource_group_name" { + description = "(Required) Specifies the name of the resource group." + type = string +} + +variable "resource_group_id" { + description = "(Required) Specifies the resource id of the resource group." + type = string +} + +variable "location" { + description = "(Required) Specifies the location where the AKS cluster will be deployed." + type = string +} + +variable "dns_prefix" { + description = "(Optional) DNS prefix specified when creating the managed cluster. Changing this forces a new resource to be created." + type = string +} + +variable "private_cluster_enabled" { + description = "Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created." + type = bool + default = false +} + +variable "azure_rbac_enabled" { + description = "(Optional) Is Role Based Access Control based on Microsoft Entra ID enabled?" + default = true + type = bool +} + +variable "admin_group_object_ids" { + description = "(Optional) A list of Object IDs of Microsoft Entra ID Groups which should have Admin Role on the Cluster." + default = [] + type = list(string) +} + +variable "role_based_access_control_enabled" { + description = "(Required) Is Role Based Access Control Enabled? 
Changing this forces a new resource to be created." + default = true + type = bool +} + +variable "automatic_channel_upgrade" { + description = "(Optional) The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, and stable." + default = "stable" + type = string + + validation { + condition = contains( ["patch", "rapid", "node-image", "stable"], var.automatic_channel_upgrade) + error_message = "The upgrade mode is invalid." + } +} + +variable "sku_tier" { + description = "(Optional) The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free and Paid (which includes the Uptime SLA). Defaults to Free." + default = "Free" + type = string + + validation { + condition = contains( ["Free", "Paid"], var.sku_tier) + error_message = "The sku tier is invalid." + } +} + +variable "kubernetes_version" { + description = "Specifies the AKS Kubernetes version" + default = "1.21.1" + type = string +} + +variable "default_node_pool_vm_size" { + description = "Specifies the vm size of the default node pool" + default = "Standard_F8s_v2" + type = string +} + +variable "default_node_pool_availability_zones" { + description = "Specifies the availability zones of the default node pool" + default = ["1", "2", "3"] + type = list(string) +} + +variable "network_dns_service_ip" { + description = "Specifies the DNS service IP" + default = "10.2.0.10" + type = string +} + +variable "network_service_cidr" { + description = "Specifies the service CIDR" + default = "10.2.0.0/24" + type = string +} + +variable "network_plugin" { + description = "Specifies the network plugin of the AKS cluster" + default = "azure" + type = string +} + +variable "outbound_type" { + description = "(Optional) The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer and userDefinedRouting. Defaults to loadBalancer." 
+ type = string + default = "userDefinedRouting" + + validation { + condition = contains(["loadBalancer", "userDefinedRouting"], var.outbound_type) + error_message = "The outbound type is invalid." + } +} + +variable "default_node_pool_name" { + description = "Specifies the name of the default node pool" + default = "system" + type = string +} + +variable "default_node_pool_subnet_name" { + description = "Specifies the name of the subnet that hosts the default node pool" + default = "SystemSubnet" + type = string +} + +variable "default_node_pool_subnet_address_prefix" { + description = "Specifies the address prefix of the subnet that hosts the default node pool" + default = ["10.0.0.0/20"] + type = list(string) +} + +variable "default_node_pool_enable_auto_scaling" { + description = "(Optional) Whether to enable auto-scaler. Defaults to false." + type = bool + default = true +} + +variable "default_node_pool_enable_host_encryption" { + description = "(Optional) Should the nodes in this Node Pool have host encryption enabled? Defaults to false." + type = bool + default = false +} + +variable "default_node_pool_enable_node_public_ip" { + description = "(Optional) Should each node have a Public IP Address? Defaults to false. Changing this forces a new resource to be created." + type = bool + default = false +} + +variable "default_node_pool_max_pods" { + description = "(Optional) The maximum number of pods that can run on each agent. Changing this forces a new resource to be created." + type = number + default = 50 +} + +variable "default_node_pool_node_labels" { + description = "(Optional) A list of Kubernetes taints which should be applied to nodes in the agent pool (e.g key=value:NoSchedule). Changing this forces a new resource to be created." + type = map(any) + default = {} +} + + +variable "default_node_pool_os_disk_type" { + description = "(Optional) The type of disk which should be used for the Operating System. Possible values are Ephemeral and Managed. 
Defaults to Managed. Changing this forces a new resource to be created." + type = string + default = "Ephemeral" +} + +variable "default_node_pool_max_count" { + description = "(Required) The maximum number of nodes which should exist within this Node Pool. Valid values are between 0 and 1000 and must be greater than or equal to min_count." + type = number + default = 10 +} + +variable "default_node_pool_min_count" { + description = "(Required) The minimum number of nodes which should exist within this Node Pool. Valid values are between 0 and 1000 and must be less than or equal to max_count." + type = number + default = 3 +} + +variable "default_node_pool_node_count" { + description = "(Optional) The initial number of nodes which should exist within this Node Pool. Valid values are between 0 and 1000 and must be a value in the range min_count - max_count." + type = number + default = 3 +} + +variable "log_analytics_workspace_id" { + description = "(Optional) The ID of the Log Analytics Workspace which the OMS Agent should send data to. Must be present if enabled is true." + type = string +} + +variable "tenant_id" { + description = "(Required) The tenant id of the system assigned identity which is used by master components." + type = string +} + +variable "vnet_subnet_id" { + description = "(Optional) The ID of a Subnet where the Kubernetes Node Pool should exist. Changing this forces a new resource to be created." + type = string +} + +variable "pod_subnet_id" { + description = "(Optional) The ID of the Subnet where the pods in the default Node Pool should exist. Changing this forces a new resource to be created." + type = string + default = null +} + +variable "tags" { + description = "(Optional) Specifies the tags of the bastion host" + default = {} +} + +variable "oms_agent" { + description = "Specifies the OMS agent addon configuration." 
+ type = object({ + enabled = bool + log_analytics_workspace_id = string + }) + default = { + enabled = true + log_analytics_workspace_id = null + } +} + +variable "ingress_application_gateway" { + description = "Specifies the Application Gateway Ingress Controller addon configuration." + type = object({ + enabled = bool + gateway_id = string + gateway_name = string + subnet_cidr = string + subnet_id = string + }) + default = { + enabled = false + gateway_id = null + gateway_name = null + subnet_cidr = null + subnet_id = null + } +} + +variable "admin_username" { + description = "(Required) Specifies the Admin Username for the AKS cluster worker nodes. Changing this forces a new resource to be created." + type = string + default = "azadmin" +} + +variable "ssh_public_key" { + description = "(Required) Specifies the SSH public key used to access the cluster. Changing this forces a new resource to be created." + type = string +} + +variable "keda_enabled" { + description = "(Optional) Specifies whether KEDA Autoscaler can be used for workloads." + type = bool + default = true +} + +variable "vertical_pod_autoscaler_enabled" { + description = "(Optional) Specifies whether Vertical Pod Autoscaler should be enabled." + type = bool + default = true +} + +variable "workload_identity_enabled" { + description = "(Optional) Specifies whether Microsoft Entra ID Workload Identity should be enabled for the Cluster. Defaults to false." + type = bool + default = true +} + +variable "oidc_issuer_enabled" { + description = "(Optional) Enable or Disable the OIDC issuer URL." + type = bool + default = true +} + +variable "open_service_mesh_enabled" { + description = "(Optional) Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS." + type = bool + default = true +} + +variable "image_cleaner_enabled" { + description = "(Optional) Specifies whether Image Cleaner is enabled." 
+ type = bool
+ default = true
+}
+
+variable "azure_policy_enabled" {
+ description = "(Optional) Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service"
+ type = bool
+ default = true
+}
+
+variable "http_application_routing_enabled" {
+ description = "(Optional) Should HTTP Application Routing be enabled?"
+ type = bool
+ default = false
+}
diff --git a/terraform/modules/node_pool/main.tf b/terraform/modules/node_pool/main.tf
index e8c2045..d326d1b 100644
--- a/terraform/modules/node_pool/main.tf
+++ b/terraform/modules/node_pool/main.tf
@@ -18,9 +18,9 @@ resource "azurerm_kubernetes_cluster_node_pool" "node_pool" {
 zones = var.availability_zones
 vnet_subnet_id = var.vnet_subnet_id
 pod_subnet_id = var.pod_subnet_id
- enable_auto_scaling = var.enable_auto_scaling
- enable_host_encryption = var.enable_host_encryption
- enable_node_public_ip = var.enable_node_public_ip
+ auto_scaling_enabled = var.enable_auto_scaling
+ host_encryption_enabled = var.enable_host_encryption
+ node_public_ip_enabled = var.enable_node_public_ip
 proximity_placement_group_id = var.proximity_placement_group_id
 orchestrator_version = var.orchestrator_version
 max_pods = var.max_pods
diff --git a/terraform/modules/virtual_network/main.tf b/terraform/modules/virtual_network/main.tf
index 8dcb2ac..0ef2fe7 100644
--- a/terraform/modules/virtual_network/main.tf
+++ b/terraform/modules/virtual_network/main.tf
@@ -29,7 +29,7 @@ resource "azurerm_subnet" "subnet" {
 resource_group_name = var.resource_group_name
 virtual_network_name = azurerm_virtual_network.vnet.name
 address_prefixes = each.value.address_prefixes
- private_endpoint_network_policies_enabled = each.value.private_endpoint_network_policies_enabled
+ private_endpoint_network_policies = each.value.private_endpoint_network_policies_enabled
 private_link_service_network_policies_enabled = each.value.private_link_service_network_policies_enabled
 }
 
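Review bot: `sku_tier` keeps `condition = contains( ["Free", "Paid"], var.sku_tier)` after the move to azurerm 4.x, where the provider documents the tiers as `Free`, `Standard` and `Premium`; as written, the paid tier the provider accepts is rejected by the module and the value the module accepts is rejected by the provider, so nobody can enable the uptime SLA through this module. Change it to `contains(["Free", "Standard", "Premium"], var.sku_tier)` and update the description that still says Free/Paid. Two other descriptions in this hunk are stale as well: `default_node_pool_node_labels` now carries the deleted taints variable's text ("A list of Kubernetes taints ... key=value:NoSchedule") and should read "(Optional) A map of Kubernetes labels which should be applied to nodes in this Node Pool.", and `automatic_channel_upgrade` validates `node-image` while its description lists only patch, rapid and stable. Finally, `kubernetes_version` keeps `default = "1.21.1"` while the root module moves to "1.30"; a default this far out of AKS support should not survive a provider-major upgrade, since a caller that omits the version would get a control plane that no longer receives patches.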
diff --git a/terraform/modules/virtual_network/variables.tf b/terraform/modules/virtual_network/variables.tf index 560a58a..9c0b706 100644 --- a/terraform/modules/virtual_network/variables.tf +++ b/terraform/modules/virtual_network/variables.tf @@ -23,7 +23,7 @@ variable "subnets" { type = list(object({ name = string address_prefixes = list(string) - private_endpoint_network_policies_enabled = bool + private_endpoint_network_policies_enabled = string private_link_service_network_policies_enabled = bool })) } diff --git a/terraform/modules/virtual_network_peering/main.tf b/terraform/modules/virtual_network_peering/main.tf index 30b9b73..e991480 100644 --- a/terraform/modules/virtual_network_peering/main.tf +++ b/terraform/modules/virtual_network_peering/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~>3.50.0" + version = ">= 4" } } diff --git a/terraform/variables.tf b/terraform/variables.tf index 4cdaa35..8c351d7 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -99,7 +99,7 @@ variable "automatic_channel_upgrade" { type = string validation { - condition = contains( ["patch", "rapid", "stable"], var.automatic_channel_upgrade) + condition = contains( ["patch", "rapid", "node-image", "stable"], var.automatic_channel_upgrade) error_message = "The upgrade mode is invalid." } } @@ -129,7 +129,7 @@ variable "sku_tier" { variable "kubernetes_version" { description = "Specifies the AKS Kubernetes version" - default = "1.21.1" + default = "1.30" type = string }
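Review bot: `private_endpoint_network_policies_enabled` becomes a free-form `string` with no validation, so a typo or a leftover `true` is only caught at plan or apply time as a provider error, and a stray `"Disabled"` silently turns NSG and route-table enforcement off for private endpoints in that subnet. A `validation` block on `subnets` that restricts the value to the set the azurerm 4.x `private_endpoint_network_policies` argument accepts would catch both at `terraform validate`. The `variable "subnets"` block starts outside the hunk.

```hcl
  validation {
    condition = alltrue([
      for s in var.subnets : contains(
        ["Disabled", "Enabled", "NetworkSecurityGroupEnabled", "RouteTableEnabled"],
        s.private_endpoint_network_policies_enabled
      )
    ])
    error_message = "private_endpoint_network_policies_enabled must be one of Disabled, Enabled, NetworkSecurityGroupEnabled or RouteTableEnabled."
  }
```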