From 5432839bc6c448d6f50e6ea4534d644f3710243d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20Esteban=20Borrag=C3=A1n?=
Date: Tue, 22 Oct 2024 10:34:21 +0200
Subject: [PATCH 1/8] Add conditional use balancer public ip and create role assignment on AKS module

---
modules/azure-aks/aks.tf | 2 +-
modules/azure-aks/data.tf | 1 +
modules/azure-aks/role_assignment.tf | 2 +-
modules/azure-aks/variables.tf | 13 ++++++-------
4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/modules/azure-aks/aks.tf b/modules/azure-aks/aks.tf
index 4a8f67c5..cbf3d280 100644
--- a/modules/azure-aks/aks.tf
+++ b/modules/azure-aks/aks.tf
@@ -31,7 +31,7 @@ module "aks" {
 key_vault_secrets_provider_enabled = var.key_vault_secrets_provider_enabled
 kubernetes_version = var.aks_kubernetes_version
 load_balancer_profile_enabled = var.load_balancer_profile_enabled
- load_balancer_profile_outbound_ip_address_ids = [data.azurerm_public_ip.aks_public_ip.id]
+ load_balancer_profile_outbound_ip_address_ids = var.load_balancer_profile_outbound_ip_address_enabled ? [data.azurerm_public_ip.aks_public_ip.id] : null
 load_balancer_sku = var.load_balancer_sku
 log_analytics_workspace_enabled = false
 network_contributor_role_assigned_subnet_ids = { aks_subnet = data.azurerm_subnet.aks_subnet.id }
diff --git a/modules/azure-aks/data.tf b/modules/azure-aks/data.tf
index db6ebedc..a8bb9879 100644
--- a/modules/azure-aks/data.tf
+++ b/modules/azure-aks/data.tf
@@ -8,6 +8,7 @@ data "azurerm_subnet" "aks_subnet" {
 
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/public_ip
 data "azurerm_public_ip" "aks_public_ip" {
+ count = var.load_balancer_profile_outbound_ip_address_enabled ? 1 : 0
 name = var.public_ip_name
 resource_group_name = var.resource_group_name
 }
diff --git a/modules/azure-aks/role_assignment.tf b/modules/azure-aks/role_assignment.tf
index 2dcfc8d8..a9c63402 100644
--- a/modules/azure-aks/role_assignment.tf
+++ b/modules/azure-aks/role_assignment.tf
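Review bot: Once `data.azurerm_public_ip.aks_public_ip` carries `count` (the data.tf hunk of this same commit), the unindexed `data.azurerm_public_ip.aks_public_ip.id` in the new `load_balancer_profile_outbound_ip_address_ids` line no longer validates, and the same bare reference is left in `scope` in the role_assignment.tf hunk and in outputs.tf, which this commit does not touch (the diffstat lists four files and the outputs.tf hunk of patch 3 still shows the bare `.id`). The splat form handles both states and keeps the null-when-disabled behaviour: `load_balancer_profile_outbound_ip_address_ids = var.load_balancer_profile_outbound_ip_address_enabled ? data.azurerm_public_ip.aks_public_ip[*].id : null`. The `module "aks"` block starts before this hunk, so whether it has its own `count` or `for_each` is not visible here.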
@@ -1,6 +1,6 @@
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 resource "azurerm_role_assignment" "role_assignment_network_contributor_over_public_ip_aks" {
- count = var.create_role_assignment_public_ip ? 1 : 0
+ count = var.load_balancer_profile_outbound_ip_address_enabled ? 1 : 0
 scope = data.azurerm_public_ip.aks_public_ip.id
 role_definition_name = "Network Contributor"
 principal_id = module.aks.cluster_identity.principal_id
diff --git a/modules/azure-aks/variables.tf b/modules/azure-aks/variables.tf
index 52ce226f..958e8b87 100644
--- a/modules/azure-aks/variables.tf
+++ b/modules/azure-aks/variables.tf
@@ -113,6 +113,12 @@ variable "load_balancer_sku" {
 default = "standard"
 }
 
+variable "load_balancer_profile_outbound_ip_address_enabled" {
+ description = "Boolean value to enable or not the load balancer profile outbound ip address"
+ type = bool
+ default = false
+}
+
 variable "node_os_channel_upgrade" {
 description = "The automatic node channel upgrade setting for the AKS cluster"
 default = "None"
@@ -268,10 +274,3 @@ variable "api_server_authorized_ip_ranges" {
 type = list(string)
 default = null
 }
-
-# Role assignment for public IP
-variable "create_role_assignment_public_ip" {
- description = "Boolean value to create a role assignment for the public IP"
- type = bool
- default = false
-}
From 1f1c25674c397c11787522fdc75171ca02fd4d63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20Esteban=20Borrag=C3=A1n?=
Date: Tue, 22 Oct 2024 10:41:12 +0200
Subject: [PATCH 2/8] Add conditional use balancer public ip and create role assignment on AKS module

---
modules/azure-aks/aks.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/azure-aks/aks.tf b/modules/azure-aks/aks.tf
index cbf3d280..29010067 100644
--- a/modules/azure-aks/aks.tf
+++ b/modules/azure-aks/aks.tf
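Review bot: Driving the Network Contributor assignment's `count` from `load_balancer_profile_outbound_ip_address_enabled` while the second variables.tf hunk deletes `create_role_assignment_public_ip` removes the option callers had to use the IP but manage that grant elsewhere, and any caller still passing the old variable now fails with an unsupported-argument error; a deprecation note or changelog entry is needed, or the old variable can be kept and OR-ed into the condition for one release. If the coupling is intended, the new variable's description in the first variables.tf hunk should say so, since `Boolean value to enable or not the load balancer profile outbound ip address` does not mention that enabling it also performs the public IP lookup and grants the cluster identity Network Contributor on that IP, e.g. `description = "Use the public IP named in public_ip_name as the AKS outbound IP; when true the IP is looked up and the cluster identity is granted Network Contributor scoped to that IP only"`. Scoping the grant to the single public IP rather than its resource group is the right least-privilege choice and worth keeping as the module evolves.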
@@ -31,7 +31,7 @@ module "aks" {
 key_vault_secrets_provider_enabled = var.key_vault_secrets_provider_enabled
 kubernetes_version = var.aks_kubernetes_version
 load_balancer_profile_enabled = var.load_balancer_profile_enabled
- load_balancer_profile_outbound_ip_address_ids = var.load_balancer_profile_outbound_ip_address_enabled ? [data.azurerm_public_ip.aks_public_ip.id] : null
+ load_balancer_profile_outbound_ip_address_ids = var.load_balancer_profile_outbound_ip_address_enabled ? [data.azurerm_public_ip.aks_public_ip[count.index].id] : null
 load_balancer_sku = var.load_balancer_sku
 log_analytics_workspace_enabled = false
 network_contributor_role_assigned_subnet_ids = { aks_subnet = data.azurerm_subnet.aks_subnet.id }
From f842609c8a94b56a72a9a1c9882d2b850a599b63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20Esteban=20Borrag=C3=A1n?=
Date: Tue, 22 Oct 2024 10:45:46 +0200
Subject: [PATCH 3/8] Add conditional use balancer public ip and create role assignment on AKS module

---
modules/azure-aks/outputs.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/azure-aks/outputs.tf b/modules/azure-aks/outputs.tf
index 201686d8..df435904 100644
--- a/modules/azure-aks/outputs.tf
+++ b/modules/azure-aks/outputs.tf
@@ -38,7 +38,7 @@ output "oidc_issuer_url" {
 }
 
 output "outbound_ip_address" {
- value = data.azurerm_public_ip.aks_public_ip.id
+ value = data.azurerm_public_ip.aks_public_ip[count.index].id
 }
 
 # Data section
From 1cce782fae2bf8dd8fbc83a919da09948b125580 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20Esteban=20Borrag=C3=A1n?=
Date: Tue, 22 Oct 2024 11:02:51 +0200
Subject: [PATCH 4/8] Add conditional use balancer public ip and create role assignment on AKS module

---
modules/azure-aks/outputs.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/azure-aks/outputs.tf b/modules/azure-aks/outputs.tf
index df435904..201686d8 100644
--- a/modules/azure-aks/outputs.tf
+++ b/modules/azure-aks/outputs.tf
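Review bot: `count.index` in the new `load_balancer_profile_outbound_ip_address_ids` line is only meaningful inside a block that itself declares `count`; the `module "aks"` header is outside this hunk, but nothing visible suggests it does, so this reference most likely fails validation rather than selecting the single data-source instance. The same `count.index` appears in the `output "outbound_ip_address"` hunk of patch 3, where it can never be valid because `output` blocks do not support `count`. In both places the splat over the counted data source is what is wanted: `var.load_balancer_profile_outbound_ip_address_enabled ? data.azurerm_public_ip.aks_public_ip[*].id : null` here, and `one(data.azurerm_public_ip.aks_public_ip[*].id)` in the output.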
@@ -38,7 +38,7 @@ output "oidc_issuer_url" {
 }
 
 output "outbound_ip_address" {
- value = data.azurerm_public_ip.aks_public_ip[count.index].id
+ value = data.azurerm_public_ip.aks_public_ip.id
 }
 
 # Data section
From 8ec8820de8dd952fef21e64c3d8debe56556adaf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20Esteban=20Borrag=C3=A1n?=
Date: Tue, 22 Oct 2024 11:04:17 +0200
Subject: [PATCH 5/8] Add conditional use balancer public ip and create role assignment on AKS module

---
modules/azure-aks/outputs.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/azure-aks/outputs.tf b/modules/azure-aks/outputs.tf
index 201686d8..7fa93875 100644
--- a/modules/azure-aks/outputs.tf
+++ b/modules/azure-aks/outputs.tf
@@ -38,7 +38,7 @@ output "oidc_issuer_url" {
 }
 
 output "outbound_ip_address" {
- value = data.azurerm_public_ip.aks_public_ip.id
+ value = data.azurerm_public_ip.aks_public_ip[0].id
 }
 
 # Data section
From 4508e607184f6655e96fa490f9c345695eb0c941 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20Esteban=20Borrag=C3=A1n?=
Date: Tue, 22 Oct 2024 11:05:27 +0200
Subject: [PATCH 6/8] Add conditional use balancer public ip and create role assignment on AKS module

---
modules/azure-aks/role_assignment.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/azure-aks/role_assignment.tf b/modules/azure-aks/role_assignment.tf
index a9c63402..fa21421c 100644
--- a/modules/azure-aks/role_assignment.tf
+++ b/modules/azure-aks/role_assignment.tf
@@ -1,7 +1,7 @@
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 resource "azurerm_role_assignment" "role_assignment_network_contributor_over_public_ip_aks" {
 count = var.load_balancer_profile_outbound_ip_address_enabled ? 1 : 0
- scope = data.azurerm_public_ip.aks_public_ip.id
+ scope = data.azurerm_public_ip.aks_public_ip[count.index].id
 role_definition_name = "Network Contributor"
 principal_id = module.aks.cluster_identity.principal_id
 }
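Review bot: In the patch 5 hunk, `data.azurerm_public_ip.aks_public_ip[0].id` in `output "outbound_ip_address"` raises an invalid-index error whenever `load_balancer_profile_outbound_ip_address_enabled` is false, because the data source then has zero instances, so the module cannot be applied in exactly the disabled configuration this series is introducing. `value = one(data.azurerm_public_ip.aks_public_ip[*].id)` yields the id when the IP is configured and null otherwise. While touching it, the output returns a resource id although its name says address; a `description = "Resource ID of the public IP used for AKS outbound traffic; null when disabled"` would make that explicit for callers.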
From 30c21ae3fd0b302c63e0c434f81241ea44de771a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20Esteban=20Borrag=C3=A1n?=
Date: Tue, 22 Oct 2024 11:07:31 +0200
Subject: [PATCH 7/8] Add conditional use balancer public ip and create role assignment on AKS module

---
modules/azure-aks/aks.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/azure-aks/aks.tf b/modules/azure-aks/aks.tf
index 29010067..648822a4 100644
--- a/modules/azure-aks/aks.tf
+++ b/modules/azure-aks/aks.tf
@@ -31,7 +31,7 @@ module "aks" {
 key_vault_secrets_provider_enabled = var.key_vault_secrets_provider_enabled
 kubernetes_version = var.aks_kubernetes_version
 load_balancer_profile_enabled = var.load_balancer_profile_enabled
- load_balancer_profile_outbound_ip_address_ids = var.load_balancer_profile_outbound_ip_address_enabled ? [data.azurerm_public_ip.aks_public_ip[count.index].id] : null
+ load_balancer_profile_outbound_ip_address_ids = var.load_balancer_profile_outbound_ip_address_enabled ? [for ip in data.azurerm_public_ip.aks_public_ip : ip.id] : null
 load_balancer_sku = var.load_balancer_sku
 log_analytics_workspace_enabled = false
 network_contributor_role_assigned_subnet_ids = { aks_subnet = data.azurerm_subnet.aks_subnet.id }
From 3ccae75f89017129fd469e3f77d0a7f04e71ca6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20Esteban=20Borrag=C3=A1n?=
Date: Wed, 27 Nov 2024 12:32:34 +0100
Subject: [PATCH 8/8] Test

---
modules/azure-aks/data.tf | 10 +++++++++-
modules/azure-aks/outputs.tf | 6 +++---
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/modules/azure-aks/data.tf b/modules/azure-aks/data.tf
index a8bb9879..d70fefdd 100644
--- a/modules/azure-aks/data.tf
+++ b/modules/azure-aks/data.tf
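Review bot: The for expression `[for ip in data.azurerm_public_ip.aks_public_ip : ip.id]` in the new line is the long form of the splat `data.azurerm_public_ip.aks_public_ip[*].id`, which is the idiomatic way to collect an attribute across a counted resource and reads as a single token. Both evaluate to an empty list when `count` is 0, so the surrounding ternary only matters if the wrapped module treats `[]` differently from `null`; if that is the reason it is kept, a one-line comment saying so would stop the next reader from simplifying it away, e.g. `# null rather than [] when disabled: keeps the wrapped module's outbound IP default — confirm against its variable definition`.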
@@ -6,9 +6,17 @@ data "azurerm_subnet" "aks_subnet" {
 resource_group_name = var.vnet_resource_group_name
 }
 
+# Interface
+
+# outbound_public_ips:
+# - id: # me pasas el id de la ip publica
+# or # me pasas el grupo de recursos y el nombre de la ip publica y yo me encargo de buscarla
+# - resource_group:
+# - name:
+
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/public_ip
 data "azurerm_public_ip" "aks_public_ip" {
- count = var.load_balancer_profile_outbound_ip_address_enabled ? 1 : 0
+ for_each = var.outbound_public_ips != null ? { for idx, ip in var.outbound_public_ips : idx => ip if lookup(ip, "id", null) != null } : {}
 name = var.public_ip_name
 resource_group_name = var.resource_group_name
 }
diff --git a/modules/azure-aks/outputs.tf b/modules/azure-aks/outputs.tf
index 7fa93875..278cd010 100644
--- a/modules/azure-aks/outputs.tf
+++ b/modules/azure-aks/outputs.tf
@@ -37,9 +37,9 @@ output "oidc_issuer_url" {
 value = module.aks.oidc_issuer_url
 }
 
-output "outbound_ip_address" {
- value = data.azurerm_public_ip.aks_public_ip[0].id
-}
+# output "outbound_ip_address" {
+# value = data.azurerm_public_ip.aks_public_ip[0].id
+# }
 
 # Data section
 output "subnet_id" {
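Review bot: The `for_each` filter keeps the entries whose `id` is set (`lookup(ip, "id", null) != null`), yet the interface comment just above says an `id` means the caller already has the public IP and a lookup is only needed when `resource_group` and `name` are supplied, so the condition reads inverted; and the block still resolves `var.public_ip_name` / `var.resource_group_name` instead of `each.value`, so every instance would look up the same IP whatever the list contains. `var.outbound_public_ips` is not declared in this commit (the diffstat lists only data.tf and outputs.tf), and the consumers in aks.tf and role_assignment.tf still treat the data source as a counted resource gated by `load_balancer_profile_outbound_ip_address_enabled`, so IPs passed by `id` would never reach the load balancer profile or receive the Network Contributor grant for the cluster identity — if the grant is meant to cover them, the role assignment needs its own `for_each` over the merged set of supplied and looked-up ids. The Spanish design note should become an English `description` on the new variable stating that each entry carries either `id` or `resource_group` plus `name`. Assuming a `list(object)` variable with those optional attributes, the data block would look like this:
```terraform
# Look up only the entries the caller did not supply an id for;
# entries that carry an id are used as-is by the consumers.
data "azurerm_public_ip" "aks_public_ip" {
  for_each = var.outbound_public_ips == null ? {} : {
    for idx, ip in var.outbound_public_ips : tostring(idx) => ip
    if lookup(ip, "id", null) == null
  }
  name                = each.value.name
  resource_group_name = each.value.resource_group
}
```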
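Review bot: Commenting out `output "outbound_ip_address"` silently drops a module output that downstream configurations may read, and leaves dead code in outputs.tf. Either delete the block and record the removal in the changelog, or keep the output alive against the new `for_each` data source, e.g. `value = { for k, ip in data.azurerm_public_ip.aks_public_ip : k => ip.id }` (a map keyed like the `for_each`; wrap in `values(...)` if callers expect a list). The commit title `Test` and the commented-out block suggest this is work in progress; if so, marking the series as a draft would keep the earlier patches reviewable on their own.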