From 678838cb66e8ae110c0e5057465b6341033e1aef Mon Sep 17 00:00:00 2001 From: zjhe Date: Mon, 13 Nov 2023 11:03:50 +0800 Subject: [PATCH 1/4] add support for node_os_channel_upgrade --- README.md | 1 + main.tf | 105 ++++++++++++++++++++++++++++++--------------------- variables.tf | 6 +++ 3 files changed, 70 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index 6e0de174..d85ac234 100644 --- a/README.md +++ b/README.md @@ -348,6 +348,7 @@ No modules. | [network\_plugin](#input\_network\_plugin) | Network plugin to use for networking. | `string` | `"kubenet"` | no | | [network\_plugin\_mode](#input\_network\_plugin\_mode) | (Optional) Specifies the network plugin mode used for building the Kubernetes network. Possible value is `Overlay`. Changing this forces a new resource to be created. | `string` | `null` | no | | [network\_policy](#input\_network\_policy) | (Optional) Sets up network policy to be used with Azure CNI. Network policy allows us to control the traffic flow between pods. Currently supported values are calico and azure. Changing this forces a new resource to be created. | `string` | `null` | no | +| [node\_os\_channel\_upgrade](#input\_node\_os\_channel\_upgrade) | (Optional) The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are `Unmanaged`, `SecurityPatch`, `NodeImage` and `None`. | `string` | `null` | no | | [node\_pools](#input\_node\_pools) | A map of node pools that need to be created and attached on the Kubernetes cluster. The key of the map can be the name of the node pool, and the key must be static string. The value of the map is a `node_pool` block as defined below:
map(object({
name = (Required) The name of the Node Pool which should be created within the Kubernetes Cluster. Changing this forces a new resource to be created. A Windows Node Pool cannot have a `name` longer than 6 characters. A random suffix of 4 characters is always added to the name to avoid clashes during recreates.
node\_count = (Optional) The initial number of nodes which should exist within this Node Pool. Valid values are between `0` and `1000` (inclusive) for user pools and between `1` and `1000` (inclusive) for system pools and must be a value in the range `min_count` - `max_count`.
tags = (Optional) A mapping of tags to assign to the resource. At this time there's a bug in the AKS API where Tags for a Node Pool are not stored in the correct case - you [may wish to use Terraform's `ignore_changes` functionality to ignore changes to the casing](https://www.terraform.io/language/meta-arguments/lifecycle#ignore_changess) until this is fixed in the AKS API.
vm\_size = (Required) The SKU which should be used for the Virtual Machines used in this Node Pool. Changing this forces a new resource to be created.
host\_group\_id = (Optional) The fully qualified resource ID of the Dedicated Host Group to provision virtual machines from. Changing this forces a new resource to be created.
capacity\_reservation\_group\_id = (Optional) Specifies the ID of the Capacity Reservation Group where this Node Pool should exist. Changing this forces a new resource to be created.
custom\_ca\_trust\_enabled = (Optional) Specifies whether to trust a Custom CA. This requires that the Preview Feature `Microsoft.ContainerService/CustomCATrustPreview` is enabled and the Resource Provider is re-registered, see [the documentation](https://learn.microsoft.com/en-us/azure/aks/custom-certificate-authority) for more information.
enable\_auto\_scaling = (Optional) Whether to enable [auto-scaler](https://docs.microsoft.com/azure/aks/cluster-autoscaler).
enable\_host\_encryption = (Optional) Should the nodes in this Node Pool have host encryption enabled? Changing this forces a new resource to be created.
enable\_node\_public\_ip = (Optional) Should each node have a Public IP Address? Changing this forces a new resource to be created.
eviction\_policy = (Optional) The Eviction Policy which should be used for Virtual Machines within the Virtual Machine Scale Set powering this Node Pool. Possible values are `Deallocate` and `Delete`. Changing this forces a new resource to be created. An Eviction Policy can only be configured when `priority` is set to `Spot` and will default to `Delete` unless otherwise specified.
kubelet\_config = optional(object({
cpu\_manager\_policy = (Optional) Specifies the CPU Manager policy to use. Possible values are `none` and `static`, Changing this forces a new resource to be created.
cpu\_cfs\_quota\_enabled = (Optional) Is CPU CFS quota enforcement for containers enabled? Changing this forces a new resource to be created.
cpu\_cfs\_quota\_period = (Optional) Specifies the CPU CFS quota period value. Changing this forces a new resource to be created.
image\_gc\_high\_threshold = (Optional) Specifies the percent of disk usage above which image garbage collection is always run. Must be between `0` and `100`. Changing this forces a new resource to be created.
image\_gc\_low\_threshold = (Optional) Specifies the percent of disk usage lower than which image garbage collection is never run. Must be between `0` and `100`. Changing this forces a new resource to be created.
topology\_manager\_policy = (Optional) Specifies the Topology Manager policy to use. Possible values are `none`, `best-effort`, `restricted` or `single-numa-node`. Changing this forces a new resource to be created.
allowed\_unsafe\_sysctls = (Optional) Specifies the allow list of unsafe sysctls command or patterns (ending in `*`). Changing this forces a new resource to be created.
container\_log\_max\_size\_mb = (Optional) Specifies the maximum size (e.g. 10MB) of container log file before it is rotated. Changing this forces a new resource to be created.
container\_log\_max\_files = (Optional) Specifies the maximum number of container log files that can be present for a container. must be at least 2. Changing this forces a new resource to be created.
pod\_max\_pid = (Optional) Specifies the maximum number of processes per pod. Changing this forces a new resource to be created.
}))
linux\_os\_config = optional(object({
sysctl\_config = optional(object({
fs\_aio\_max\_nr = (Optional) The sysctl setting fs.aio-max-nr. Must be between `65536` and `6553500`. Changing this forces a new resource to be created.
fs\_file\_max = (Optional) The sysctl setting fs.file-max. Must be between `8192` and `12000500`. Changing this forces a new resource to be created.
fs\_inotify\_max\_user\_watches = (Optional) The sysctl setting fs.inotify.max\_user\_watches. Must be between `781250` and `2097152`. Changing this forces a new resource to be created.
fs\_nr\_open = (Optional) The sysctl setting fs.nr\_open. Must be between `8192` and `20000500`. Changing this forces a new resource to be created.
kernel\_threads\_max = (Optional) The sysctl setting kernel.threads-max. Must be between `20` and `513785`. Changing this forces a new resource to be created.
net\_core\_netdev\_max\_backlog = (Optional) The sysctl setting net.core.netdev\_max\_backlog. Must be between `1000` and `3240000`. Changing this forces a new resource to be created.
net\_core\_optmem\_max = (Optional) The sysctl setting net.core.optmem\_max. Must be between `20480` and `4194304`. Changing this forces a new resource to be created.
net\_core\_rmem\_default = (Optional) The sysctl setting net.core.rmem\_default. Must be between `212992` and `134217728`. Changing this forces a new resource to be created.
net\_core\_rmem\_max = (Optional) The sysctl setting net.core.rmem\_max. Must be between `212992` and `134217728`. Changing this forces a new resource to be created.
net\_core\_somaxconn = (Optional) The sysctl setting net.core.somaxconn. Must be between `4096` and `3240000`. Changing this forces a new resource to be created.
net\_core\_wmem\_default = (Optional) The sysctl setting net.core.wmem\_default. Must be between `212992` and `134217728`. Changing this forces a new resource to be created.
net\_core\_wmem\_max = (Optional) The sysctl setting net.core.wmem\_max. Must be between `212992` and `134217728`. Changing this forces a new resource to be created.
net\_ipv4\_ip\_local\_port\_range\_min = (Optional) The sysctl setting net.ipv4.ip\_local\_port\_range min value. Must be between `1024` and `60999`. Changing this forces a new resource to be created.
net\_ipv4\_ip\_local\_port\_range\_max = (Optional) The sysctl setting net.ipv4.ip\_local\_port\_range max value. Must be between `1024` and `60999`. Changing this forces a new resource to be created.
net\_ipv4\_neigh\_default\_gc\_thresh1 = (Optional) The sysctl setting net.ipv4.neigh.default.gc\_thresh1. Must be between `128` and `80000`. Changing this forces a new resource to be created.
net\_ipv4\_neigh\_default\_gc\_thresh2 = (Optional) The sysctl setting net.ipv4.neigh.default.gc\_thresh2. Must be between `512` and `90000`. Changing this forces a new resource to be created.
net\_ipv4\_neigh\_default\_gc\_thresh3 = (Optional) The sysctl setting net.ipv4.neigh.default.gc\_thresh3. Must be between `1024` and `100000`. Changing this forces a new resource to be created.
net\_ipv4\_tcp\_fin\_timeout = (Optional) The sysctl setting net.ipv4.tcp\_fin\_timeout. Must be between `5` and `120`. Changing this forces a new resource to be created.
net\_ipv4\_tcp\_keepalive\_intvl = (Optional) The sysctl setting net.ipv4.tcp\_keepalive\_intvl. Must be between `10` and `75`. Changing this forces a new resource to be created.
net\_ipv4\_tcp\_keepalive\_probes = (Optional) The sysctl setting net.ipv4.tcp\_keepalive\_probes. Must be between `1` and `15`. Changing this forces a new resource to be created.
net\_ipv4\_tcp\_keepalive\_time = (Optional) The sysctl setting net.ipv4.tcp\_keepalive\_time. Must be between `30` and `432000`. Changing this forces a new resource to be created.
net\_ipv4\_tcp\_max\_syn\_backlog = (Optional) The sysctl setting net.ipv4.tcp\_max\_syn\_backlog. Must be between `128` and `3240000`. Changing this forces a new resource to be created.
net\_ipv4\_tcp\_max\_tw\_buckets = (Optional) The sysctl setting net.ipv4.tcp\_max\_tw\_buckets. Must be between `8000` and `1440000`. Changing this forces a new resource to be created.
net\_ipv4\_tcp\_tw\_reuse = (Optional) Is sysctl setting net.ipv4.tcp\_tw\_reuse enabled? Changing this forces a new resource to be created.
net\_netfilter\_nf\_conntrack\_buckets = (Optional) The sysctl setting net.netfilter.nf\_conntrack\_buckets. Must be between `65536` and `147456`. Changing this forces a new resource to be created.
net\_netfilter\_nf\_conntrack\_max = (Optional) The sysctl setting net.netfilter.nf\_conntrack\_max. Must be between `131072` and `1048576`. Changing this forces a new resource to be created.
vm\_max\_map\_count = (Optional) The sysctl setting vm.max\_map\_count. Must be between `65530` and `262144`. Changing this forces a new resource to be created.
vm\_swappiness = (Optional) The sysctl setting vm.swappiness. Must be between `0` and `100`. Changing this forces a new resource to be created.
vm\_vfs\_cache\_pressure = (Optional) The sysctl setting vm.vfs\_cache\_pressure. Must be between `0` and `100`. Changing this forces a new resource to be created.
}))
transparent\_huge\_page\_enabled = (Optional) Specifies the Transparent Huge Page enabled configuration. Possible values are `always`, `madvise` and `never`. Changing this forces a new resource to be created.
transparent\_huge\_page\_defrag = (Optional) specifies the defrag configuration for Transparent Huge Page. Possible values are `always`, `defer`, `defer+madvise`, `madvise` and `never`. Changing this forces a new resource to be created.
swap\_file\_size\_mb = (Optional) Specifies the size of swap file on each node in MB. Changing this forces a new resource to be created.
}))
fips\_enabled = (Optional) Should the nodes in this Node Pool have Federal Information Processing Standard enabled? Changing this forces a new resource to be created. FIPS support is in Public Preview - more information and details on how to opt into the Preview can be found in [this article](https://docs.microsoft.com/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview).
kubelet\_disk\_type = (Optional) The type of disk used by kubelet. Possible values are `OS` and `Temporary`.
max\_count = (Optional) The maximum number of nodes which should exist within this Node Pool. Valid values are between `0` and `1000` and must be greater than or equal to `min_count`.
max\_pods = (Optional) The minimum number of nodes which should exist within this Node Pool. Valid values are between `0` and `1000` and must be less than or equal to `max_count`.
message\_of\_the\_day = (Optional) A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It cannot be specified for Windows nodes and must be a static string (i.e. will be printed raw and not executed as a script). Changing this forces a new resource to be created.
mode = (Optional) Should this Node Pool be used for System or User resources? Possible values are `System` and `User`. Defaults to `User`.
min\_count = (Optional) The minimum number of nodes which should exist within this Node Pool. Valid values are between `0` and `1000` and must be less than or equal to `max_count`.
node\_network\_profile = optional(object({
node\_public\_ip\_tags = (Optional) Specifies a mapping of tags to the instance-level public IPs. Changing this forces a new resource to be created.
}))
node\_labels = (Optional) A map of Kubernetes labels which should be applied to nodes in this Node Pool.
node\_public\_ip\_prefix\_id = (Optional) Resource ID for the Public IP Addresses Prefix for the nodes in this Node Pool. `enable_node_public_ip` should be `true`. Changing this forces a new resource to be created.
node\_taints = (Optional) A list of Kubernetes taints which should be applied to nodes in the agent pool (e.g `key=value:NoSchedule`). Changing this forces a new resource to be created.
orchestrator\_version = (Optional) Version of Kubernetes used for the Agents. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as `1.22` are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in [the documentation](https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli#alias-minor-version). This version must be supported by the Kubernetes Cluster - as such the version of Kubernetes used on the Cluster/Control Plane may need to be upgraded first.
os\_disk\_size\_gb = (Optional) The Agent Operating System disk size in GB. Changing this forces a new resource to be created.
os\_disk\_type = (Optional) The type of disk which should be used for the Operating System. Possible values are `Ephemeral` and `Managed`. Defaults to `Managed`. Changing this forces a new resource to be created.
os\_sku = (Optional) Specifies the OS SKU used by the agent pool. Possible values include: `Ubuntu`, `CBLMariner`, `Mariner`, `Windows2019`, `Windows2022`. If not specified, the default is `Ubuntu` if OSType=Linux or `Windows2019` if OSType=Windows. And the default Windows OSSKU will be changed to `Windows2022` after Windows2019 is deprecated. Changing this forces a new resource to be created.
os\_type = (Optional) The Operating System which should be used for this Node Pool. Changing this forces a new resource to be created. Possible values are `Linux` and `Windows`. Defaults to `Linux`.
pod\_subnet\_id = (Optional) The ID of the Subnet where the pods in the Node Pool should exist. Changing this forces a new resource to be created.
priority = (Optional) The Priority for Virtual Machines within the Virtual Machine Scale Set that powers this Node Pool. Possible values are `Regular` and `Spot`. Defaults to `Regular`. Changing this forces a new resource to be created.
proximity\_placement\_group\_id = (Optional) The ID of the Proximity Placement Group where the Virtual Machine Scale Set that powers this Node Pool will be placed. Changing this forces a new resource to be created. When setting `priority` to Spot - you must configure an `eviction_policy`, `spot_max_price` and add the applicable `node_labels` and `node_taints` [as per the Azure Documentation](https://docs.microsoft.com/azure/aks/spot-node-pool).
spot\_max\_price = (Optional) The maximum price you're willing to pay in USD per Virtual Machine. Valid values are `-1` (the current on-demand price for a Virtual Machine) or a positive value with up to five decimal places. Changing this forces a new resource to be created. This field can only be configured when `priority` is set to `Spot`.
scale\_down\_mode = (Optional) Specifies how the node pool should deal with scaled-down nodes. Allowed values are `Delete` and `Deallocate`. Defaults to `Delete`.
snapshot\_id = (Optional) The ID of the Snapshot which should be used to create this Node Pool. Changing this forces a new resource to be created.
ultra\_ssd\_enabled = (Optional) Used to specify whether the UltraSSD is enabled in the Node Pool. Defaults to `false`. See [the documentation](https://docs.microsoft.com/azure/aks/use-ultra-disks) for more information. Changing this forces a new resource to be created.
vnet\_subnet\_id = (Optional) The ID of the Subnet where this Node Pool should exist. Changing this forces a new resource to be created. A route table must be configured on this Subnet.
upgrade\_settings = optional(object({
max\_surge = string
}))
windows\_profile = optional(object({
outbound\_nat\_enabled = optional(bool, true)
}))
workload\_runtime = (Optional) Used to specify the workload runtime. Allowed values are `OCIContainer` and `WasmWasi`. WebAssembly System Interface node pools are in Public Preview - more information and details on how to opt into the preview can be found in [this article](https://docs.microsoft.com/azure/aks/use-wasi-node-pools)
zones = (Optional) Specifies a list of Availability Zones in which this Kubernetes Cluster Node Pool should be located. Changing this forces a new Kubernetes Cluster Node Pool to be created.
})) | 
map(object({
    name                          = string
    node_count                    = optional(number)
    tags                          = optional(map(string))
    vm_size                       = string
    host_group_id                 = optional(string)
    capacity_reservation_group_id = optional(string)
    custom_ca_trust_enabled       = optional(bool)
    enable_auto_scaling           = optional(bool)
    enable_host_encryption        = optional(bool)
    enable_node_public_ip         = optional(bool)
    eviction_policy               = optional(string)
    kubelet_config = optional(object({
      cpu_manager_policy        = optional(string)
      cpu_cfs_quota_enabled     = optional(bool)
      cpu_cfs_quota_period      = optional(string)
      image_gc_high_threshold   = optional(number)
      image_gc_low_threshold    = optional(number)
      topology_manager_policy   = optional(string)
      allowed_unsafe_sysctls    = optional(set(string))
      container_log_max_size_mb = optional(number)
      container_log_max_files   = optional(number)
      pod_max_pid               = optional(number)
    }))
    linux_os_config = optional(object({
      sysctl_config = optional(object({
        fs_aio_max_nr                      = optional(number)
        fs_file_max                        = optional(number)
        fs_inotify_max_user_watches        = optional(number)
        fs_nr_open                         = optional(number)
        kernel_threads_max                 = optional(number)
        net_core_netdev_max_backlog        = optional(number)
        net_core_optmem_max                = optional(number)
        net_core_rmem_default              = optional(number)
        net_core_rmem_max                  = optional(number)
        net_core_somaxconn                 = optional(number)
        net_core_wmem_default              = optional(number)
        net_core_wmem_max                  = optional(number)
        net_ipv4_ip_local_port_range_min   = optional(number)
        net_ipv4_ip_local_port_range_max   = optional(number)
        net_ipv4_neigh_default_gc_thresh1  = optional(number)
        net_ipv4_neigh_default_gc_thresh2  = optional(number)
        net_ipv4_neigh_default_gc_thresh3  = optional(number)
        net_ipv4_tcp_fin_timeout           = optional(number)
        net_ipv4_tcp_keepalive_intvl       = optional(number)
        net_ipv4_tcp_keepalive_probes      = optional(number)
        net_ipv4_tcp_keepalive_time        = optional(number)
        net_ipv4_tcp_max_syn_backlog       = optional(number)
        net_ipv4_tcp_max_tw_buckets        = optional(number)
        net_ipv4_tcp_tw_reuse              = optional(bool)
        net_netfilter_nf_conntrack_buckets = optional(number)
        net_netfilter_nf_conntrack_max     = optional(number)
        vm_max_map_count                   = optional(number)
        vm_swappiness                      = optional(number)
        vm_vfs_cache_pressure              = optional(number)
      }))
      transparent_huge_page_enabled = optional(string)
      transparent_huge_page_defrag  = optional(string)
      swap_file_size_mb             = optional(number)
    }))
    fips_enabled       = optional(bool)
    kubelet_disk_type  = optional(string)
    max_count          = optional(number)
    max_pods           = optional(number)
    message_of_the_day = optional(string)
    mode               = optional(string, "User")
    min_count          = optional(number)
    node_network_profile = optional(object({
      node_public_ip_tags = optional(map(string))
    }))
    node_labels                  = optional(map(string))
    node_public_ip_prefix_id     = optional(string)
    node_taints                  = optional(list(string))
    orchestrator_version         = optional(string)
    os_disk_size_gb              = optional(number)
    os_disk_type                 = optional(string, "Managed")
    os_sku                       = optional(string)
    os_type                      = optional(string, "Linux")
    pod_subnet_id                = optional(string)
    priority                     = optional(string, "Regular")
    proximity_placement_group_id = optional(string)
    spot_max_price               = optional(number)
    scale_down_mode              = optional(string, "Delete")
    snapshot_id                  = optional(string)
    ultra_ssd_enabled            = optional(bool)
    vnet_subnet_id               = optional(string)
    upgrade_settings = optional(object({
      max_surge = string
    }))
    windows_profile = optional(object({
      outbound_nat_enabled = optional(bool, true)
    }))
    workload_runtime = optional(string)
    zones            = optional(set(string))
  }))
| `{}` | no | | [node\_resource\_group](#input\_node\_resource\_group) | The auto-generated Resource Group which contains the resources for this Managed Kubernetes Cluster. Changing this forces a new resource to be created. | `string` | `null` | no | | [oidc\_issuer\_enabled](#input\_oidc\_issuer\_enabled) | Enable or Disable the OIDC issuer URL. Defaults to false. | `bool` | `false` | no | diff --git a/main.tf b/main.tf index 8f97b7cd..2e80d24b 100644 --- a/main.tf +++ b/main.tf @@ -27,6 +27,7 @@ resource "azurerm_kubernetes_cluster" "main" { image_cleaner_interval_hours = var.image_cleaner_interval_hours kubernetes_version = var.kubernetes_version local_account_disabled = var.local_account_disabled + node_os_channel_upgrade = var.node_os_channel_upgrade node_resource_group = var.node_resource_group oidc_issuer_enabled = var.oidc_issuer_enabled open_service_mesh_enabled = var.open_service_mesh_enabled @@ -37,16 +38,20 @@ resource "azurerm_kubernetes_cluster" "main" { role_based_access_control_enabled = var.role_based_access_control_enabled run_command_enabled = var.run_command_enabled sku_tier = var.sku_tier - tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /**/ { - avm_git_commit = "99803f7459dec967a852f846498cad2583564533" - avm_git_file = "main.tf" - avm_git_last_modified_at = "2023-11-02 07:48:26" - avm_git_org = "Azure" - avm_git_repo = "terraform-azurerm-aks" - avm_yor_trace = "859d38b1-860e-4ce2-ad14-6c7da0ddd3bf" - } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /**/), (/**/ (var.tracing_tags_enabled ? { for k, v in /**/ { - avm_yor_name = "main" - } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /**/)) + tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { + for k, v in /**/ { + avm_git_commit = "99803f7459dec967a852f846498cad2583564533" + avm_git_file = "main.tf" + avm_git_last_modified_at = "2023-11-02 07:48:26" + avm_git_org = "Azure" + avm_git_repo = "terraform-azurerm-aks" + avm_yor_trace = "859d38b1-860e-4ce2-ad14-6c7da0ddd3bf" + } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v + } : {}) /**/), (/**/ (var.tracing_tags_enabled ? { + for k, v in /**/ { + avm_yor_name = "main" + } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v + } : {}) /**/)) workload_identity_enabled = var.workload_identity_enabled dynamic "default_node_pool" { @@ -260,7 +265,9 @@ resource "azurerm_kubernetes_cluster" "main" { } } dynamic "api_server_access_profile" { - for_each = var.api_server_authorized_ip_ranges != null || var.api_server_subnet_id != null ? ["api_server_access_profile"] : [] + for_each = var.api_server_authorized_ip_ranges != null || var.api_server_subnet_id != null ? [ + "api_server_access_profile" + ] : [] content { authorized_ip_ranges = var.api_server_authorized_ip_ranges @@ -434,7 +441,9 @@ resource "azurerm_kubernetes_cluster" "main" { service_cidr = var.net_profile_service_cidr dynamic "load_balancer_profile" { - for_each = var.load_balancer_profile_enabled && var.load_balancer_sku == "standard" ? ["load_balancer_profile"] : [] + for_each = var.load_balancer_profile_enabled && var.load_balancer_sku == "standard" ? [ + "load_balancer_profile" + ] : [] content { idle_timeout_in_minutes = var.load_balancer_profile_idle_timeout_in_minutes @@ -600,16 +609,20 @@ resource "azurerm_kubernetes_cluster_node_pool" "node_pool" { scale_down_mode = each.value.scale_down_mode snapshot_id = each.value.snapshot_id spot_max_price = each.value.spot_max_price - tags = merge(each.value.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /**/ { - avm_git_commit = "bc0c9fab9ee53296a64c7a682d2ed7e0726c6547" - avm_git_file = "main.tf" - avm_git_last_modified_at = "2023-05-04 05:02:32" - avm_git_org = "Azure" - avm_git_repo = "terraform-azurerm-aks" - avm_yor_trace = "ebb72772-ec89-44c3-ba73-8a84d7cc9c47" - } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /**/), (/**/ (var.tracing_tags_enabled ? { for k, v in /**/ { - avm_yor_name = "node_pool" - } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /**/)) + tags = merge(each.value.tags, (/**/ (var.tracing_tags_enabled ? { + for k, v in /**/ { + avm_git_commit = "bc0c9fab9ee53296a64c7a682d2ed7e0726c6547" + avm_git_file = "main.tf" + avm_git_last_modified_at = "2023-05-04 05:02:32" + avm_git_org = "Azure" + avm_git_repo = "terraform-azurerm-aks" + avm_yor_trace = "ebb72772-ec89-44c3-ba73-8a84d7cc9c47" + } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v + } : {}) /**/), (/**/ (var.tracing_tags_enabled ? { + for k, v in /**/ { + avm_yor_name = "node_pool" + } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v + } : {}) /**/)) ultra_ssd_enabled = each.value.ultra_ssd_enabled vnet_subnet_id = each.value.vnet_subnet_id workload_runtime = each.value.workload_runtime @@ -744,16 +757,20 @@ resource "azurerm_log_analytics_workspace" "main" { resource_group_name = coalesce(var.log_analytics_workspace_resource_group_name, var.resource_group_name) retention_in_days = var.log_retention_in_days sku = var.log_analytics_workspace_sku - tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /**/ { - avm_git_commit = "0ae8a663f1dc1dc474b14c10d9c94c77a3d1e234" - avm_git_file = "main.tf" - avm_git_last_modified_at = "2023-06-05 02:21:33" - avm_git_org = "Azure" - avm_git_repo = "terraform-azurerm-aks" - avm_yor_trace = "aad634ac-2ab7-4b34-b61e-fc9f1afe402a" - } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /**/), (/**/ (var.tracing_tags_enabled ? { for k, v in /**/ { - avm_yor_name = "main" - } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /**/)) + tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { + for k, v in /**/ { + avm_git_commit = "0ae8a663f1dc1dc474b14c10d9c94c77a3d1e234" + avm_git_file = "main.tf" + avm_git_last_modified_at = "2023-06-05 02:21:33" + avm_git_org = "Azure" + avm_git_repo = "terraform-azurerm-aks" + avm_yor_trace = "aad634ac-2ab7-4b34-b61e-fc9f1afe402a" + } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v + } : {}) /**/), (/**/ (var.tracing_tags_enabled ? { + for k, v in /**/ { + avm_yor_name = "main" + } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v + } : {}) /**/)) lifecycle { precondition { @@ -785,16 +802,20 @@ resource "azurerm_log_analytics_solution" "main" { solution_name = "ContainerInsights" workspace_name = local.log_analytics_workspace.name workspace_resource_id = local.log_analytics_workspace.id - tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /**/ { - avm_git_commit = "886c26d95843149cc2a58ae72edb31478faa2a8c" - avm_git_file = "main.tf" - avm_git_last_modified_at = "2023-07-20 06:04:07" - avm_git_org = "Azure" - avm_git_repo = "terraform-azurerm-aks" - avm_yor_trace = "9c7b610a-6825-431f-a6b4-3a9c05309eca" - } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /**/), (/**/ (var.tracing_tags_enabled ? { for k, v in /**/ { - avm_yor_name = "main" - } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /**/)) + tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { + for k, v in /**/ { + avm_git_commit = "886c26d95843149cc2a58ae72edb31478faa2a8c" + avm_git_file = "main.tf" + avm_git_last_modified_at = "2023-07-20 06:04:07" + avm_git_org = "Azure" + avm_git_repo = "terraform-azurerm-aks" + avm_yor_trace = "9c7b610a-6825-431f-a6b4-3a9c05309eca" + } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v + } : {}) /**/), (/**/ (var.tracing_tags_enabled ? { + for k, v in /**/ { + avm_yor_name = "main" + } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v + } : {}) /**/)) plan { product = "OMSGallery/ContainerInsights" diff --git a/variables.tf b/variables.tf index 6b6babfa..f31c24b1 100644 --- a/variables.tf +++ b/variables.tf @@ -785,6 +785,12 @@ variable "network_policy" { description = " (Optional) Sets up network policy to be used with Azure CNI. Network policy allows us to control the traffic flow between pods. Currently supported values are calico and azure. Changing this forces a new resource to be created." } +variable "node_os_channel_upgrade" { + type = string + default = null + description = " (Optional) The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are `Unmanaged`, `SecurityPatch`, `NodeImage` and `None`." +} + variable "node_pools" { type = map(object({ name = string From aef241e6b3dde5c053bd239b0da194db1e98c442 Mon Sep 17 00:00:00 2001 From: zjhe Date: Mon, 13 Nov 2023 14:14:46 +0800 Subject: [PATCH 2/4] add node_os_channel_upgrade to example --- examples/startup/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/startup/main.tf b/examples/startup/main.tf index 8b6ce6ea..e72cb59c 100644 --- a/examples/startup/main.tf +++ b/examples/startup/main.tf @@ -102,6 +102,7 @@ module "aks" { net_profile_service_cidr = "10.0.0.0/16" network_plugin = "azure" network_policy = "azure" + node_os_channel_upgrade = "NodeImage" os_disk_size_gb = 60 private_cluster_enabled = true public_network_access_enabled = false From af8e8ffed7a79ac8f7dd648d3cdc8a097ffa3e44 Mon Sep 17 00:00:00 2001 From: zjhe Date: Mon, 13 Nov 2023 17:05:15 +0800 Subject: [PATCH 3/4] add extra precodition --- main.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/main.tf b/main.tf index 2e80d24b..6c8a7b6c 100644 --- a/main.tf +++ b/main.tf @@ -550,6 +550,10 @@ resource "azurerm_kubernetes_cluster" "main" { condition = can(coalesce(var.cluster_name, var.prefix)) error_message = "You must set one of `var.cluster_name` and `var.prefix` to create `azurerm_kubernetes_cluster.main`." } + precondition { + condition = var.automatic_channel_upgrade != "node-image" || var.node_os_channel_upgrade == "NodeImage" + error_message = "`node_os_channel_upgrade` must be set to `NodeImage` if `automatic_channel_upgrade` has been set to `node-image`." + } } } From b30b2281739e17b65440d51c77e51edacea4e4b3 Mon Sep 17 00:00:00 2001 From: zjhe Date: Mon, 13 Nov 2023 22:01:14 +0800 Subject: [PATCH 4/4] correct format issue --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 6c8a7b6c..e472b645 100644 --- a/main.tf +++ b/main.tf @@ -551,7 +551,7 @@ resource "azurerm_kubernetes_cluster" "main" { error_message = "You must set one of `var.cluster_name` and `var.prefix` to create `azurerm_kubernetes_cluster.main`." } precondition { - condition = var.automatic_channel_upgrade != "node-image" || var.node_os_channel_upgrade == "NodeImage" + condition = var.automatic_channel_upgrade != "node-image" || var.node_os_channel_upgrade == "NodeImage" error_message = "`node_os_channel_upgrade` must be set to `NodeImage` if `automatic_channel_upgrade` has been set to `node-image`." } }