Merge pull request #15 from kpshjk/default_node_pool_upgrade_settings_max_surge

feat: pool upgrade settings, separate rbac_enabled for azure_active_directory_role_based_access_control, node_count as output parameter

Author: timdeluxe

README.md

@@ -124,6 +124,15 @@ Type: `string`
 
 The following input variables are optional (have default values):
 
+### ad\_rbac\_enabled
+
+Description: Defines RBAC for block azure\_active\_directory\_role\_based\_access\_control explicitly if set.  
+Else RBAC for block azure\_active\_directory\_role\_based\_access\_control is set by "rbac\_enabled"
+
+Type: `bool`
+
+Default: `null`
+
 ### api\_server\_ip\_ranges
 
 Description: The IP ranges to allow for incoming traffic to the server nodes. To disable the limitation, set an empty list as value (default).
@@ -132,7 +141,7 @@ Type: `list(string)`
 
 Default: `[]`
 
-### auto\_scaling\_enable
+### auto\_scaling\_enabled
 
 Description: Enable auto-scaling of node pool
 
@@ -156,7 +165,7 @@ Type: `string`
 
 Default: `"1"`
 
-### automatic\_channel\_upgrade
+### automatic\_upgrade\_channel
 
 Description: Values:  
 none, patch, stable, rapid, node-image  
@@ -190,6 +199,24 @@ Type: `string`
 
 Default: `"default"`
 
+### default\_node\_pool\_upgrade\_settings\_enabled
+
+Description: Values:  
+false, true
+
+Type: `bool`
+
+Default: `false`
+
+### default\_node\_pool\_upgrade\_settings\_max\_surge
+
+Description: Example: "10%"  
+see https://learn.microsoft.com/en-us/azure/aks/upgrade-aks-cluster?tabs=azure-cli#customize-node-surge-upgrade
+
+Type: `string`
+
+Default: `"10%"`
+
 ### dns\_prefix
 
 Description: DNS-Prefix to use. Defaults to cluster name
@@ -206,6 +233,22 @@ Type: `number`
 
 Default: `5`
 
+### image\_cleaner\_enabled
+
+Description: Azure default settings
+
+Type: `bool`
+
+Default: `false`
+
+### image\_cleaner\_interval\_hours
+
+Description: Azure default settings
+
+Type: `number`
+
+Default: `48`
+
 ### load\_balancer\_sku
 
 Description: The SKU for the used Load Balancer
@@ -418,6 +461,10 @@ Description: The Kubernetes API host for a kubectl config
 
 Description: The object ID of the service principal of the managed identity of the AKS
 
+### node\_count
+
+Description: n/a
+
 ### node\_resource\_group
 
 Description: The resource group the Kubernetes nodes were created in

main.tf

@@ -8,10 +8,13 @@
  */
 
 locals {
-  cluster_name                                     = "${lower(var.project)}${lower(var.stage)}k8s"
+  cluster_name = "${lower(var.project)}${lower(var.stage)}k8s"
   has_automatic_channel_upgrade_maintenance_window = var.automatic_upgrade_channel != "none" ? [
     var.automatic_upgrade_channel
   ] : []
+  has_default_node_pool_upgrade_settings = var.default_node_pool_upgrade_settings_enabled == true ? [
+    var.default_node_pool_upgrade_settings_enabled
+  ] : []
 }
 
 # Log analytics required for OMS Agent result processing - usually other logging solutions are used. Hence the affected tfsec rule is
@@ -61,6 +64,12 @@ resource "azurerm_kubernetes_cluster" "k8s" {
     auto_scaling_enabled        = var.auto_scaling_enabled
     min_count                   = var.auto_scaling_min_node_count
     max_count                   = var.auto_scaling_max_node_count
+    dynamic "upgrade_settings" {
+      for_each = local.has_default_node_pool_upgrade_settings
+      content {
+        max_surge = var.default_node_pool_upgrade_settings_max_surge
+      }
+    }
   }
 
   dynamic "api_server_access_profile" {
@@ -77,7 +86,7 @@ resource "azurerm_kubernetes_cluster" "k8s" {
   role_based_access_control_enabled = var.rbac_enabled
   azure_active_directory_role_based_access_control {
     admin_group_object_ids = var.rbac_managed_admin_groups
-    azure_rbac_enabled     = var.rbac_enabled
+    azure_rbac_enabled     = var.ad_rbac_enabled != null ? var.ad_rbac_enabled : var.rbac_enabled
   }
 
   network_profile {

outputs.tf

@@ -66,4 +66,8 @@ output "public_outbound_ips" {
 output "managed_identity_object_id" {
   value       = azurerm_kubernetes_cluster.k8s.identity[0].principal_id
   description = "The object ID of the service principal of the managed identity of the AKS"
-}
+}
+
+output "node_count" {
+  value = var.node_count
+}

vars.tf

@@ -62,6 +62,15 @@ variable "rbac_enabled" {
   default     = true
 }
 
+variable "ad_rbac_enabled" {
+  type        = bool
+  description = <<-EOF
+    Defines RBAC for block azure_active_directory_role_based_access_control explicitly if set.
+    Else RBAC for block azure_active_directory_role_based_access_control is set by "rbac_enabled"
+  EOF
+  default     = null
+}
+
 variable "rbac_managed_admin_groups" {
   type        = list(string)
   description = "The group IDs that have admin access to the cluster. Have to be specified if rbac_enabled is true"
@@ -133,6 +142,10 @@ variable "availability_zones" {
 variable "temporary_name_for_rotation" {
   type        = string
   description = "Specifies the name of the temporary node pool used to cycle the default node pool for VM resizing."
+  validation {
+    condition     = var.temporary_name_for_rotation != null
+    error_message = "The temporary_name_for_rotation value must not be null"
+  }
   default     = "rotationtmp"
 }
 
@@ -270,3 +283,21 @@ variable "maintenance_window_auto_upgrade_utc_offset" {
     see https://learn.microsoft.com/en-us/azure/aks/planned-maintenance#creating-a-maintenance-window
   EOF
 }
+
+variable "default_node_pool_upgrade_settings_enabled" {
+  type        = bool
+  default     = false
+  description = <<-EOF
+    If true, an upgrade_settings block will be added to default_node_pool.
+  EOF
+}
+
+variable "default_node_pool_upgrade_settings_max_surge" {
+  type        = string
+  default     = "10%"
+  description = <<-EOF
+    max_surge is a required parameter for an upgrade_settings block
+    Example: "10%"
+    see https://learn.microsoft.com/en-us/azure/aks/upgrade-aks-cluster?tabs=azure-cli#customize-node-surge-upgrade
+  EOF
+}