From ab8451379781623a6c077bbdf4df82a92bf3c0fb Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Tue, 20 May 2025 10:46:21 -0400 Subject: [PATCH 01/10] feat(azure): standardize network defaults for AKS and VNet - Update AKS service_cidr to 10.0.0.0/16 and dns_service_ip to 10.0.0.10 - Simplify network config structure in AKS module - Fix test assertions for VNet address_space and subnet structure - Add context_id to network configuration tests - Update subnet object structure in VNet tests --- terraform/cluster/azure-aks/test.tftest.hcl | 20 ++++++++ terraform/cluster/azure-aks/variables.tf | 22 ++++++++- terraform/network/azure-vnet/test.tftest.hcl | 48 +++++++++++++------- 3 files changed, 72 insertions(+), 18 deletions(-) diff --git a/terraform/cluster/azure-aks/test.tftest.hcl b/terraform/cluster/azure-aks/test.tftest.hcl index 47c82b4c..bf18b2e1 100644 --- a/terraform/cluster/azure-aks/test.tftest.hcl +++ b/terraform/cluster/azure-aks/test.tftest.hcl @@ -218,3 +218,23 @@ run "config_file_created" { error_message = "Kubeconfig file should be generated when context path is provided" } } + +run "network_configuration" { + command = plan + + variables { + context_id = "test" + service_cidr = "10.0.0.0/16" + dns_service_ip = "10.0.0.10" + } + + assert { + condition = azurerm_kubernetes_cluster.main.network_profile[0].service_cidr == "10.0.0.0/16" + error_message = "Service CIDR should match input value" + } + + assert { + condition = azurerm_kubernetes_cluster.main.network_profile[0].dns_service_ip == "10.0.0.10" + error_message = "DNS service IP should match input value" + } +} diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf index f6895d8e..21756c10 100644 --- a/terraform/cluster/azure-aks/variables.tf +++ b/terraform/cluster/azure-aks/variables.tf @@ -72,7 +72,7 @@ variable "default_node_pool" { name = "system" vm_size = "Standard_D2s_v3" os_disk_type = "Managed" - max_pods = 30 + max_pods = 110 host_encryption_enabled = true min_count = 1 max_count = 3 @@ -100,7 +100,7 @@ variable "autoscaled_node_pool" { vm_size = "Standard_D2s_v3" mode = "User" os_disk_type = "Managed" - max_pods = 30 + max_pods = 110 host_encryption_enabled = true min_count = 1 max_count = 3 @@ -216,3 +216,21 @@ variable "tags" { type = map(string) default = {} } + +variable "temporary_name_for_rotation" { + description = "Temporary name for node pool rotation" + type = string + default = null +} + +variable "service_cidr" { + description = "The CIDR block for Kubernetes services" + type = string + default = "10.0.0.0/16" +} + +variable "dns_service_ip" { + description = "The IP address for the Kubernetes DNS service" + type = string + default = "10.0.0.10" +} diff --git a/terraform/network/azure-vnet/test.tftest.hcl b/terraform/network/azure-vnet/test.tftest.hcl index 7483ba0c..ed659301 100644 --- a/terraform/network/azure-vnet/test.tftest.hcl +++ b/terraform/network/azure-vnet/test.tftest.hcl @@ -21,23 +21,23 @@ run "minimal_configuration" { } assert { - condition = [for space in azurerm_virtual_network.main.address_space : space][0] == "10.20.0.0/16" - error_message = "VNet CIDR should default to '10.20.0.0/16'" + condition = [for space in azurerm_virtual_network.main.address_space : space][0] == "10.0.0.0/16" + error_message = "VNet CIDR should default to '10.0.0.0/16'" } assert { - condition = length(azurerm_subnet.public) == 1 - error_message = "One public subnet should be created by default" + condition = length(azurerm_subnet.public) == 3 + error_message = "Three public subnets should be created by default" } assert { - condition = length(azurerm_subnet.private) == 1 - error_message = "One private subnet should be created by default" + condition = length(azurerm_subnet.private) == 3 + error_message = "Three private subnets should be created by default" } assert { - condition = length(azurerm_subnet.isolated) == 1 - error_message = "One isolated subnet should be created by default" + condition = length(azurerm_subnet.isolated) == 3 + error_message = "Three isolated subnets should be created by default" } assert { @@ -58,9 +58,9 @@ run "full_configuration" { vnet_zones = 2 vnet_cidr = "10.30.0.0/16" vnet_subnets = { - public = ["10.30.1.0/24", "10.30.2.0/24"] - private = ["10.30.11.0/24", "10.30.12.0/24"] - isolated = ["10.30.21.0/24", "10.30.22.0/24"] + public = [{ name = "public-1", address_prefixes = ["10.30.1.0/24"] }, { name = "public-2", address_prefixes = ["10.30.2.0/24"] }] + private = [{ name = "private-1", address_prefixes = ["10.30.11.0/24"] }, { name = "private-2", address_prefixes = ["10.30.12.0/24"] }] + isolated = [{ name = "isolated-1", address_prefixes = ["10.30.21.0/24"] }, { name = "isolated-2", address_prefixes = ["10.30.22.0/24"] }] } context_id = "test" name = "custom" @@ -77,23 +77,23 @@ run "full_configuration" { } assert { - condition = [for space in azurerm_virtual_network.main.address_space : space][0] == "10.30.0.0/16" - error_message = "VNet CIDR should match input" + condition = tolist(azurerm_virtual_network.main.address_space)[0] == "10.30.0.0/16" + error_message = "VNet CIDR should match input value" } assert { condition = length(azurerm_subnet.public) == 2 - error_message = "Two public subnets should be created" + error_message = "Should create 2 public subnets" } assert { condition = length(azurerm_subnet.private) == 2 - error_message = "Two private subnets should be created" + error_message = "Should create 2 private subnets" } assert { condition = length(azurerm_subnet.isolated) == 2 - error_message = "Two isolated subnets should be created" + error_message = "Should create 2 isolated subnets" } assert { @@ -101,3 +101,19 @@ run "full_configuration" { error_message = "Two NAT Gateways should be created" } } + +# Tests NAT Gateway configuration +run "nat_gateway_configuration" { + command = plan + + variables { + context_id = "test" + name = "windsor-vnet" + enable_nat_gateway = false + } + + assert { + condition = length(azurerm_subnet_nat_gateway_association.private) == 0 + error_message = "No NAT Gateway associations should be created when disabled" + } +} From a2ddadf66af93b1c07a94cc2f6923b9030e72225 Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Tue, 20 May 2025 10:47:02 -0400 Subject: [PATCH 02/10] feat(azure): update docs and examples for network defaults - Update documentation for Azure AKS and VNet modules - Add Azure example context - Update Talos and Nginx configurations - Add AKS module README --- contexts/azure-example/blueprint.yaml | 93 ++++++++++++++++ .../terraform/backend/azurerm.tfvars | 29 +++++ .../terraform/cluster/azure-aks.tfvars | 103 ++++++++++++++++++ .../terraform/gitops/flux.tfvars | 32 ++++++ .../terraform/network/azure-vnet.tfvars | 24 ++++ contexts/local/blueprint.yaml | 6 - contexts/local/terraform/cluster/talos.tfvars | 6 +- docs/terraform/backend/azurerm.md | 12 +- docs/terraform/cluster/azure-aks.md | 32 +++++- docs/terraform/cluster/talos.md | 2 +- docs/terraform/network/azure-vnet.md | 9 +- .../ingress/base/nginx/helm-release.yaml | 2 +- terraform/cluster/azure-aks/README.md | 20 ++++ terraform/cluster/azure-aks/main.tf | 25 ++--- terraform/network/azure-vnet/main.tf | 14 +-- terraform/network/azure-vnet/variables.tf | 68 +++++++++--- 16 files changed, 419 insertions(+), 58 deletions(-) create mode 100644 contexts/azure-example/blueprint.yaml create mode 100644 contexts/azure-example/terraform/backend/azurerm.tfvars create mode 100644 contexts/azure-example/terraform/cluster/azure-aks.tfvars create mode 100644 contexts/azure-example/terraform/gitops/flux.tfvars create mode 100644 contexts/azure-example/terraform/network/azure-vnet.tfvars create mode 100644 terraform/cluster/azure-aks/README.md diff --git a/contexts/azure-example/blueprint.yaml b/contexts/azure-example/blueprint.yaml new file mode 100644 index 00000000..52e515f0 --- /dev/null +++ b/contexts/azure-example/blueprint.yaml @@ -0,0 +1,93 @@ +kind: Blueprint +apiVersion: blueprints.windsorcli.dev/v1alpha1 +metadata: + name: cloud + description: This blueprint outlines resources in the cloud context +repository: + url: "" + ref: + branch: main + secretName: flux-system +sources: +- name: core + url: github.com/windsorcli/core + ref: + branch: main +terraform: +- path: network/azure-vnet +- path: cluster/azure-aks +- path: gitops/flux + destroy: false +kustomize: +- name: telemetry-base + path: telemetry/base + source: core + components: + - prometheus + - prometheus/flux +- name: telemetry-resources + path: telemetry/resources + source: core + dependsOn: + - telemetry-base + components: + - prometheus + - prometheus/flux +- name: policy-base + path: policy/base + source: core + components: + - kyverno +- name: policy-resources + path: policy/resources + source: core + dependsOn: + - policy-base +- name: pki-base + path: pki/base + source: core + dependsOn: + - policy-resources + force: true + components: + - cert-manager + - trust-manager +- name: pki-resources + path: pki/resources + source: core + dependsOn: + - pki-base + force: true + components: + - private-issuer/ca + - public-issuer/selfsigned +- name: ingress-base + path: ingress/base + source: core + dependsOn: + - pki-resources + force: true + components: + - nginx + - nginx/flux-webhook + - nginx/web +- name: gitops + path: gitops/flux + source: core + dependsOn: + - ingress-base + force: true + components: + - webhook +- name: observability + path: observability + source: core + dependsOn: + - ingress-base + components: + - grafana + - grafana/ingress + - grafana/prometheus + - grafana/node + - grafana/kubernetes + - grafana/flux diff --git a/contexts/azure-example/terraform/backend/azurerm.tfvars b/contexts/azure-example/terraform/backend/azurerm.tfvars new file mode 100644 index 00000000..ef8b9ae2 --- /dev/null +++ b/contexts/azure-example/terraform/backend/azurerm.tfvars @@ -0,0 +1,29 @@ +// Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten. + +// Azure region where resources will be created +// location = "eastus2" + +// Name of the resource group where the storage account will be created +// resource_group_name = "" + +// Name of the storage account. If not provided, a default name will be generated +// storage_account_name = "" + +// Name of the blob container for Terraform state +// container_name = "" + +// Additional tags to apply to resources +// tags = { +// } + +// Enable customer managed key encryption +// enable_cmk = false + +// The ID of the Key Vault Key to use for CMK encryption +// key_vault_key_id = "" + +// Allow public access to the storage account +// allow_public_access = true + +// List of IP ranges to allow access to the storage account +// allowed_ip_ranges = [] diff --git a/contexts/azure-example/terraform/cluster/azure-aks.tfvars b/contexts/azure-example/terraform/cluster/azure-aks.tfvars new file mode 100644 index 00000000..c4dd44b8 --- /dev/null +++ b/contexts/azure-example/terraform/cluster/azure-aks.tfvars @@ -0,0 +1,103 @@ +# Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten. + +# Name of the resource +# name = "cluster" + +# Name of the resource group +# resource_group_name = null + +# Name of the AKS cluster +# cluster_name = null + +# Name on the VNET module +# vnet_module_name = "network" + +# ID of the subnet +# vnet_subnet_id = null + +# Region for the resources +# region = "eastus" + +# Version of Kubernetes to use +# kubernetes_version = "1.32" + +# Configuration for the default node pool +# default_node_pool = { +# host_encryption_enabled = true +# max_count = null +# max_pods = null +# min_count = null +# name = "system" +# node_count = null +# only_critical_addons_enabled = true +# os_disk_type = "Managed" +# vm_size = "Standard_D2s_v3" +# } + +# Configuration for the autoscaled node pool +# autoscaled_node_pool = { +# enabled = true +# host_encryption_enabled = true +# max_count = null +# max_pods = null +# min_count = null +# mode = "User" +# name = "autoscaled" +# os_disk_type = "Managed" +# vm_size = "Standard_D2s_v3" +# } + +# Whether to enable role-based access control for the AKS cluster +# role_based_access_control_enabled = true + +# Configuration for the AKS cluster's auto-scaler +# auto_scaler_profile = { +# balance_similar_node_groups = true +# max_graceful_termination_sec = null +# scale_down_delay_after_add = "10m" +# scale_down_delay_after_delete = "10s" +# scale_down_delay_after_failure = "3m" +# scale_down_unneeded = "10m" +# scale_down_unready = "20m" +# scale_down_utilization_threshold = "0.5" +# scan_interval = "10s" +# } + +# Configuration for the AKS cluster's workload autoscaler +# workload_autoscaler_profile = { +# keda_enabled = false +# vertical_pod_autoscaler_enabled = false +# } + +# The automatic upgrade channel for the AKS cluster +# automatic_upgrade_channel = "stable" + +# The SKU tier for the AKS cluster +# sku_tier = "Standard" + +# Whether to enable private cluster for the AKS cluster +# private_cluster_enabled = false + +# Whether to enable Azure Policy for the AKS cluster +# azure_policy_enabled = true + +# Whether to disable local accounts for the AKS cluster +# local_account_disabled = false + +# Whether to enable public network access for the AKS cluster +# public_network_access_enabled = true + +# The default action for the AKS cluster's network ACLs +# network_acls_default_action = "Allow" + +# The expiration date for the AKS cluster's key vault +# expiration_date = null + +# Additional user assigned identity IDs for the AKS cluster +# additional_cluster_identity_ids = [] + +# The number of days to retain the AKS cluster's key vault +# soft_delete_retention_days = null + +# Tags to apply to the resources +# tags = {} diff --git a/contexts/azure-example/terraform/gitops/flux.tfvars b/contexts/azure-example/terraform/gitops/flux.tfvars new file mode 100644 index 00000000..5d257471 --- /dev/null +++ b/contexts/azure-example/terraform/gitops/flux.tfvars @@ -0,0 +1,32 @@ +# Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten. +# Module source: github.com/windsorcli/core//terraform/gitops/flux?ref=aws-eks + +# The namespace in which Flux will be installed +# flux_namespace = "system-gitops" + +# The version of Flux Helm chart to install +# flux_helm_version = "2.15.0" + +# The version of Flux to install +# flux_version = "2.5.1" + +# The private key to use for SSH authentication +# ssh_private_key = "(sensitive)" + +# The public key to use for SSH authentication +# ssh_public_key = "(sensitive)" + +# The known hosts to use for SSH authentication +# ssh_known_hosts = "(sensitive)" + +# The name of the secret to store the git authentication details +# git_auth_secret = "flux-system" + +# The git user to use to authenticte with the git provider +# git_username = "git" + +# The git password or PAT used to authenticte with the git provider +# git_password = "(sensitive)" + +# The token to use for the webhook +# webhook_token = "(sensitive)" diff --git a/contexts/azure-example/terraform/network/azure-vnet.tfvars b/contexts/azure-example/terraform/network/azure-vnet.tfvars new file mode 100644 index 00000000..dd618088 --- /dev/null +++ b/contexts/azure-example/terraform/network/azure-vnet.tfvars @@ -0,0 +1,24 @@ +// Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten. +// Module source: github.com/windsorcli/core//terraform/network/azure-vnet?ref=main + +// Region for the resources +// region = "eastus" + +// Name of the resource group +// resource_group_name = null + +// Name of the VNET +// vnet_name = null + +// Number of availability zones to create +// vnet_zones = null + +// CIDR block for VNET +// vnet_cidr = "10.20.0.0/16" + +// Subnets to create in the VNET +// vnet_subnets = { +// data = [] +// private = [] +// public = [] +// } diff --git a/contexts/local/blueprint.yaml b/contexts/local/blueprint.yaml index 6a587856..55c8f82c 100644 --- a/contexts/local/blueprint.yaml +++ b/contexts/local/blueprint.yaml @@ -43,7 +43,6 @@ kustomize: path: csi dependsOn: - policy-resources - force: true components: - openebs - openebs/dynamic-localpv @@ -51,7 +50,6 @@ kustomize: path: ingress/base dependsOn: - pki-resources - force: true components: - nginx - nginx/nodeport @@ -62,7 +60,6 @@ kustomize: path: pki/base dependsOn: - policy-resources - force: true components: - cert-manager - trust-manager @@ -70,7 +67,6 @@ kustomize: path: pki/resources dependsOn: - pki-base - force: true components: - private-issuer/ca - public-issuer/selfsigned @@ -78,7 +74,6 @@ kustomize: path: dns dependsOn: - pki-base - force: true components: - coredns - coredns/etcd @@ -90,6 +85,5 @@ kustomize: path: gitops/flux dependsOn: - ingress-base - force: true components: - webhook diff --git a/contexts/local/terraform/cluster/talos.tfvars b/contexts/local/terraform/cluster/talos.tfvars index ab379b0a..79937124 100644 --- a/contexts/local/terraform/cluster/talos.tfvars +++ b/contexts/local/terraform/cluster/talos.tfvars @@ -5,7 +5,7 @@ # kubernetes_version = "1.33.1" # The talos version to deploy. -# talos_version = "1.10.1" +# talos_version = "1.10.2" # The name of the cluster. cluster_name = "talos" @@ -32,12 +32,16 @@ common_config_patches = < [azurerm](#requirement\_azurerm) | 4.28.0 | +| [azurerm](#requirement\_azurerm) | 4.29.0 | ## Providers | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | 4.28.0 | +| [azurerm](#provider\_azurerm) | 4.29.0 | | [local](#provider\_local) | 2.5.3 | ## Modules @@ -19,10 +19,10 @@ No modules. | Name | Type | |------|------| -| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.28.0/docs/resources/resource_group) | resource | -| [azurerm_storage_account.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.28.0/docs/resources/storage_account) | resource | -| [azurerm_storage_container.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.28.0/docs/resources/storage_container) | resource | -| [azurerm_user_assigned_identity.storage](https://registry.terraform.io/providers/hashicorp/azurerm/4.28.0/docs/resources/user_assigned_identity) | resource | +| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.29.0/docs/resources/resource_group) | resource | +| [azurerm_storage_account.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.29.0/docs/resources/storage_account) | resource | +| [azurerm_storage_container.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.29.0/docs/resources/storage_container) | resource | +| [azurerm_user_assigned_identity.storage](https://registry.terraform.io/providers/hashicorp/azurerm/4.29.0/docs/resources/user_assigned_identity) | resource | | [local_file.backend_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | ## Inputs diff --git a/docs/terraform/cluster/azure-aks.md b/docs/terraform/cluster/azure-aks.md index e93853b7..42fda189 100644 --- a/docs/terraform/cluster/azure-aks.md +++ b/docs/terraform/cluster/azure-aks.md @@ -1,15 +1,36 @@ +# Azure AKS Module + +This module creates an Azure Kubernetes Service (AKS) cluster with configurable node pools, networking, and security settings. + +## Prerequisites + +The following features must be enabled in your Azure subscription before using this module: + +- EncryptionAtHost feature for Microsoft.Compute provider + ```bash + az feature register --namespace Microsoft.Compute --name EncryptionAtHost + az provider register --namespace Microsoft.Compute + ``` + +### Subscription Requirements + +This module requires a paid Azure subscription. Free tier subscriptions are not supported due to: +- Insufficient vCPU quotas +- Restricted VM sizes +- Limited node pool operations + ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >=1.8 | -| [azurerm](#requirement\_azurerm) | ~> 4.28.0 | +| [azurerm](#requirement\_azurerm) | ~> 4.29.0 | ## Providers | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | 4.28.0 | +| [azurerm](#provider\_azurerm) | 4.29.0 | | [local](#provider\_local) | 2.5.3 | | [random](#provider\_random) | 3.7.2 | | [time](#provider\_time) | 0.13.1 | @@ -50,12 +71,13 @@ No modules. | [additional\_cluster\_identity\_ids](#input\_additional\_cluster\_identity\_ids) | Additional user assigned identity IDs for the AKS cluster | `list(string)` | `[]` | no | | [auto\_scaler\_profile](#input\_auto\_scaler\_profile) | Configuration for the AKS cluster's auto-scaler | 
object({
    balance_similar_node_groups      = bool
    max_graceful_termination_sec     = number
    scale_down_delay_after_add       = string
    scale_down_delay_after_delete    = string
    scale_down_delay_after_failure   = string
    scan_interval                    = string
    scale_down_unneeded              = string
    scale_down_unready               = string
    scale_down_utilization_threshold = string
  })
| 
{
  "balance_similar_node_groups": true,
  "max_graceful_termination_sec": 600,
  "scale_down_delay_after_add": "10m",
  "scale_down_delay_after_delete": "10s",
  "scale_down_delay_after_failure": "3m",
  "scale_down_unneeded": "10m",
  "scale_down_unready": "20m",
  "scale_down_utilization_threshold": "0.5",
  "scan_interval": "10s"
}
| no | | [automatic\_upgrade\_channel](#input\_automatic\_upgrade\_channel) | The automatic upgrade channel for the AKS cluster | `string` | `"stable"` | no | -| [autoscaled\_node\_pool](#input\_autoscaled\_node\_pool) | Configuration for the autoscaled node pool | 
object({
    enabled                 = bool
    name                    = string
    vm_size                 = string
    mode                    = string
    os_disk_type            = string
    max_pods                = number
    host_encryption_enabled = bool
    min_count               = number
    max_count               = number
  })
| 
{
  "enabled": true,
  "host_encryption_enabled": true,
  "max_count": 3,
  "max_pods": 30,
  "min_count": 1,
  "mode": "User",
  "name": "autoscaled",
  "os_disk_type": "Managed",
  "vm_size": "Standard_D2s_v3"
}
| no | +| [autoscaled\_node\_pool](#input\_autoscaled\_node\_pool) | Configuration for the autoscaled node pool | 
object({
    enabled                 = bool
    name                    = string
    vm_size                 = string
    mode                    = string
    os_disk_type            = string
    max_pods                = number
    host_encryption_enabled = bool
    min_count               = number
    max_count               = number
  })
| 
{
  "enabled": true,
  "host_encryption_enabled": true,
  "max_count": 3,
  "max_pods": 110,
  "min_count": 1,
  "mode": "User",
  "name": "autoscaled",
  "os_disk_type": "Managed",
  "vm_size": "Standard_D2s_v3"
}
| no | | [azure\_policy\_enabled](#input\_azure\_policy\_enabled) | Whether to enable Azure Policy for the AKS cluster | `bool` | `true` | no | | [cluster\_name](#input\_cluster\_name) | Name of the AKS cluster | `string` | `null` | no | | [context\_id](#input\_context\_id) | Context ID for the resources | `string` | `null` | no | | [context\_path](#input\_context\_path) | The path to the context folder, where kubeconfig is stored | `string` | `""` | no | -| [default\_node\_pool](#input\_default\_node\_pool) | Configuration for the default node pool | 
object({
    name                         = string
    vm_size                      = string
    os_disk_type                 = string
    max_pods                     = number
    host_encryption_enabled      = bool
    min_count                    = number
    max_count                    = number
    node_count                   = number
    only_critical_addons_enabled = bool
  })
| 
{
  "host_encryption_enabled": true,
  "max_count": 3,
  "max_pods": 30,
  "min_count": 1,
  "name": "system",
  "node_count": 1,
  "only_critical_addons_enabled": true,
  "os_disk_type": "Managed",
  "vm_size": "Standard_D2s_v3"
}
| no | +| [default\_node\_pool](#input\_default\_node\_pool) | Configuration for the default node pool | 
object({
    name                         = string
    vm_size                      = string
    os_disk_type                 = string
    max_pods                     = number
    host_encryption_enabled      = bool
    min_count                    = number
    max_count                    = number
    node_count                   = number
    only_critical_addons_enabled = bool
  })
| 
{
  "host_encryption_enabled": true,
  "max_count": 3,
  "max_pods": 110,
  "min_count": 1,
  "name": "system",
  "node_count": 1,
  "only_critical_addons_enabled": true,
  "os_disk_type": "Managed",
  "vm_size": "Standard_D2s_v3"
}
| no | +| [dns\_service\_ip](#input\_dns\_service\_ip) | The IP address for the Kubernetes DNS service | `string` | `"10.0.0.10"` | no | | [expiration\_date](#input\_expiration\_date) | The expiration date for the AKS cluster's key vault | `string` | `null` | no | | [kubernetes\_version](#input\_kubernetes\_version) | Version of Kubernetes to use | `string` | `"1.32"` | no | | [local\_account\_disabled](#input\_local\_account\_disabled) | Whether to disable local accounts for the AKS cluster | `bool` | `false` | no | @@ -66,9 +88,11 @@ No modules. | [region](#input\_region) | Region for the resources | `string` | `"eastus"` | no | | [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group | `string` | `null` | no | | [role\_based\_access\_control\_enabled](#input\_role\_based\_access\_control\_enabled) | Whether to enable role-based access control for the AKS cluster | `bool` | `true` | no | +| [service\_cidr](#input\_service\_cidr) | The CIDR block for Kubernetes services | `string` | `"10.0.0.0/16"` | no | | [sku\_tier](#input\_sku\_tier) | The SKU tier for the AKS cluster | `string` | `"Standard"` | no | | [soft\_delete\_retention\_days](#input\_soft\_delete\_retention\_days) | The number of days to retain the AKS cluster's key vault | `number` | `7` | no | | [tags](#input\_tags) | Tags to apply to the resources | `map(string)` | `{}` | no | +| [temporary\_name\_for\_rotation](#input\_temporary\_name\_for\_rotation) | Temporary name for node pool rotation | `string` | `null` | no | | [vnet\_module\_name](#input\_vnet\_module\_name) | Name on the VNET module | `string` | `"network"` | no | | [vnet\_subnet\_id](#input\_vnet\_subnet\_id) | ID of the subnet | `string` | `null` | no | | [workload\_autoscaler\_profile](#input\_workload\_autoscaler\_profile) | Configuration for the AKS cluster's workload autoscaler | 
object({
    keda_enabled                    = bool
    vertical_pod_autoscaler_enabled = bool
  })
| 
{
  "keda_enabled": false,
  "vertical_pod_autoscaler_enabled": false
}
| no | diff --git a/docs/terraform/cluster/talos.md b/docs/terraform/cluster/talos.md index 9f4677f5..0a4e1810 100644 --- a/docs/terraform/cluster/talos.md +++ b/docs/terraform/cluster/talos.md @@ -44,7 +44,7 @@ | [controlplanes](#input\_controlplanes) | A list of machine configuration details for control planes. | 
list(object({
    hostname = optional(string)
    endpoint = string
    node     = string
    disk_selector = optional(object({
      busPath  = optional(string)
      modalias = optional(string)
      model    = optional(string)
      name     = optional(string)
      serial   = optional(string)
      size     = optional(string)
      type     = optional(string)
      uuid     = optional(string)
      wwid     = optional(string)
    }))
    wipe_disk         = optional(bool, true)
    extra_kernel_args = optional(list(string), [])
    config_patches    = optional(string, "")
  }))
| `[]` | no | | [kubernetes\_version](#input\_kubernetes\_version) | The kubernetes version to deploy. | `string` | `"1.33.1"` | no | | [os\_type](#input\_os\_type) | The operating system type, must be either 'unix' or 'windows' | `string` | `"unix"` | no | -| [talos\_version](#input\_talos\_version) | The talos version to deploy. | `string` | `"1.10.1"` | no | +| [talos\_version](#input\_talos\_version) | The talos version to deploy. | `string` | `"1.10.2"` | no | | [worker\_config\_patches](#input\_worker\_config\_patches) | A YAML string of worker config patches to apply. Can be an empty string or valid YAML. | `string` | `""` | no | | [workers](#input\_workers) | A list of machine configuration details | 
list(object({
    hostname = optional(string)
    endpoint = string
    node     = string
    disk_selector = optional(object({
      busPath  = optional(string)
      modalias = optional(string)
      model    = optional(string)
      name     = optional(string)
      serial   = optional(string)
      size     = optional(string)
      type     = optional(string)
      uuid     = optional(string)
      wwid     = optional(string)
    }))
    wipe_disk         = optional(bool, true)
    extra_kernel_args = optional(list(string), [])
    config_patches    = optional(string, "")
  }))
| `[]` | no | diff --git a/docs/terraform/network/azure-vnet.md b/docs/terraform/network/azure-vnet.md index e1025697..8dbe6e4e 100644 --- a/docs/terraform/network/azure-vnet.md +++ b/docs/terraform/network/azure-vnet.md @@ -3,13 +3,13 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >=1.8 | -| [azurerm](#requirement\_azurerm) | ~> 4.28.0 | +| [azurerm](#requirement\_azurerm) | ~> 4.29.0 | ## Providers | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | 4.28.0 | +| [azurerm](#provider\_azurerm) | 4.29.0 | ## Modules @@ -34,13 +34,14 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [context\_id](#input\_context\_id) | Context ID for the resources | `string` | `null` | no | +| [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Enable NAT Gateway for private subnets | `bool` | `true` | no | | [name](#input\_name) | Name of the resource | `string` | `"network"` | no | | [region](#input\_region) | Region for the resources | `string` | `"eastus"` | no | | [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group | `string` | `null` | no | | [tags](#input\_tags) | Tags to apply to the resources | `map(string)` | `{}` | no | -| [vnet\_cidr](#input\_vnet\_cidr) | CIDR block for VNET | `string` | `"10.20.0.0/16"` | no | +| [vnet\_cidr](#input\_vnet\_cidr) | CIDR block for the VNET | `string` | `"10.0.0.0/16"` | no | | [vnet\_name](#input\_vnet\_name) | Name of the VNET | `string` | `null` | no | -| [vnet\_subnets](#input\_vnet\_subnets) | Subnets to create in the VNET | `map(list(string))` | 
{
  "isolated": [],
  "private": [],
  "public": []
}
| no | +| [vnet\_subnets](#input\_vnet\_subnets) | Map of subnet configurations | 
map(list(object({
    name             = string
    address_prefixes = list(string)
  })))
| 
{
  "isolated": [
    {
      "address_prefixes": [
        "10.0.48.0/24"
      ],
      "name": "isolated-1"
    },
    {
      "address_prefixes": [
        "10.0.49.0/24"
      ],
      "name": "isolated-2"
    },
    {
      "address_prefixes": [
        "10.0.50.0/24"
      ],
      "name": "isolated-3"
    }
  ],
  "private": [
    {
      "address_prefixes": [
        "10.0.0.0/20"
      ],
      "name": "private-1"
    },
    {
      "address_prefixes": [
        "10.0.16.0/20"
      ],
      "name": "private-2"
    },
    {
      "address_prefixes": [
        "10.0.32.0/20"
      ],
      "name": "private-3"
    }
  ],
  "public": [
    {
      "address_prefixes": [
        "10.0.51.0/24"
      ],
      "name": "public-1"
    },
    {
      "address_prefixes": [
        "10.0.52.0/24"
      ],
      "name": "public-2"
    },
    {
      "address_prefixes": [
        "10.0.53.0/24"
      ],
      "name": "public-3"
    }
  ]
}
| no | | [vnet\_zones](#input\_vnet\_zones) | Number of availability zones to create | `number` | `1` | no | ## Outputs diff --git a/kustomize/ingress/base/nginx/helm-release.yaml b/kustomize/ingress/base/nginx/helm-release.yaml index 0f792cc6..ae5b3a88 100644 --- a/kustomize/ingress/base/nginx/helm-release.yaml +++ b/kustomize/ingress/base/nginx/helm-release.yaml @@ -12,7 +12,7 @@ spec: chart: ingress-nginx # renovate: datasource=helm depName=ingress-nginx package=ingress-nginx helmRepo=https://kubernetes.github.io/ingress-nginx version: 4.12.2 - sourceRef: + sourceRef: kind: HelmRepository name: ingress-nginx namespace: system-ingress diff --git a/terraform/cluster/azure-aks/README.md b/terraform/cluster/azure-aks/README.md new file mode 100644 index 00000000..59681b6b --- /dev/null +++ b/terraform/cluster/azure-aks/README.md @@ -0,0 +1,20 @@ +# Azure AKS Module + +This module creates an Azure Kubernetes Service (AKS) cluster with configurable node pools, networking, and security settings. + +## Prerequisites + +The following features must be enabled in your Azure subscription before using this module: + +- EncryptionAtHost feature for Microsoft.Compute provider + ```bash + az feature register --namespace Microsoft.Compute --name EncryptionAtHost + az provider register --namespace Microsoft.Compute + ``` + +### Subscription Requirements + +This module requires a paid Azure subscription. Free tier subscriptions are not supported due to: +- Insufficient vCPU quotas +- Restricted VM sizes +- Limited node pool operations diff --git a/terraform/cluster/azure-aks/main.tf b/terraform/cluster/azure-aks/main.tf index 688539d1..1866192b 100644 --- a/terraform/cluster/azure-aks/main.tf +++ b/terraform/cluster/azure-aks/main.tf @@ -247,10 +247,13 @@ resource "azurerm_kubernetes_cluster" "main" { orchestrator_version = var.kubernetes_version only_critical_addons_enabled = var.default_node_pool.only_critical_addons_enabled # checkov:skip=CKV_AZURE_226: we are using the managed disk type to reduce costs + os_disk_type = var.default_node_pool.os_disk_type host_encryption_enabled = var.default_node_pool.host_encryption_enabled # checkov:skip=CKV_AZURE_168: This is set in the variable by default to 50 - max_pods = var.default_node_pool.max_pods + + max_pods = var.default_node_pool.max_pods + temporary_name_for_rotation = "rotate" } auto_scaler_profile { @@ -271,8 +274,10 @@ resource "azurerm_kubernetes_cluster" "main" { } network_profile { - network_policy = "azure" network_plugin = "azure" + network_policy = "azure" + service_cidr = var.service_cidr + dns_service_ip = var.dns_service_ip } oms_agent { @@ -293,12 +298,6 @@ resource "azurerm_kubernetes_cluster" "main" { user_assigned_identity_id = azurerm_user_assigned_identity.cluster.id } - lifecycle { - ignore_changes = [ - default_node_pool[0].upgrade_settings, - workload_autoscaler_profile - ] - } tags = merge({ Name = local.cluster_name }, local.tags) @@ -318,14 +317,10 @@ resource "azurerm_kubernetes_cluster_node_pool" "autoscaled" { # checkov:skip=CKV_AZURE_226: We are using the managed disk type to reduce costs os_disk_type = var.autoscaled_node_pool.os_disk_type # checkov:skip=CKV_AZURE_168: This is set in the variable by default to 50 - max_pods = var.autoscaled_node_pool.max_pods - host_encryption_enabled = var.autoscaled_node_pool.host_encryption_enabled + max_pods = var.autoscaled_node_pool.max_pods + host_encryption_enabled = var.autoscaled_node_pool.host_encryption_enabled + temporary_name_for_rotation = "rotate" - lifecycle { - ignore_changes = [ - upgrade_settings - ] - } tags = merge({ Name = var.autoscaled_node_pool.name }, local.tags) diff --git a/terraform/network/azure-vnet/main.tf b/terraform/network/azure-vnet/main.tf index 79aae102..1cebe531 100644 --- a/terraform/network/azure-vnet/main.tf +++ b/terraform/network/azure-vnet/main.tf @@ -65,28 +65,28 @@ resource "azurerm_virtual_network" "main" { # Public subnets resource "azurerm_subnet" "public" { count = length(var.vnet_subnets["public"]) > 0 ? length(var.vnet_subnets["public"]) : var.vnet_zones - name = "public-${count.index + 1}-${var.context_id}" + name = length(var.vnet_subnets["public"]) > 0 ? "${var.vnet_subnets["public"][count.index].name}-${var.context_id}" : "public-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = length(var.vnet_subnets["public"]) > 0 ? [var.vnet_subnets["public"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.${count.index + 1}.0/24"] + address_prefixes = length(var.vnet_subnets["public"]) > 0 ? var.vnet_subnets["public"][count.index].address_prefixes : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.${count.index + 1}.0/24"] } # Private subnets resource "azurerm_subnet" "private" { count = length(var.vnet_subnets["private"]) > 0 ? length(var.vnet_subnets["private"]) : var.vnet_zones - name = "private-${count.index + 1}-${var.context_id}" + name = length(var.vnet_subnets["private"]) > 0 ? "${var.vnet_subnets["private"][count.index].name}-${var.context_id}" : "private-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = length(var.vnet_subnets["private"]) > 0 ? [var.vnet_subnets["private"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.1${count.index + 1}.0/24"] + address_prefixes = length(var.vnet_subnets["private"]) > 0 ? var.vnet_subnets["private"][count.index].address_prefixes : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.1${count.index + 1}.0/24"] } # Isolated subnets resource "azurerm_subnet" "isolated" { count = length(var.vnet_subnets["isolated"]) > 0 ? length(var.vnet_subnets["isolated"]) : var.vnet_zones - name = "isolated-${count.index + 1}-${var.context_id}" + name = length(var.vnet_subnets["isolated"]) > 0 ? "${var.vnet_subnets["isolated"][count.index].name}-${var.context_id}" : "isolated-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = length(var.vnet_subnets["isolated"]) > 0 ? [var.vnet_subnets["isolated"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.2${count.index + 1}.0/24"] + address_prefixes = length(var.vnet_subnets["isolated"]) > 0 ? var.vnet_subnets["isolated"][count.index].address_prefixes : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.2${count.index + 1}.0/24"] } #----------------------------------------------------------------------------------------------------------------------- @@ -127,7 +127,7 @@ resource "azurerm_nat_gateway_public_ip_association" "main" { # Associate NAT Gateway with private subnet resource "azurerm_subnet_nat_gateway_association" "private" { - count = var.vnet_zones + count = var.enable_nat_gateway ? var.vnet_zones : 0 subnet_id = azurerm_subnet.private[count.index].id nat_gateway_id = azurerm_nat_gateway.main[count.index].id } diff --git a/terraform/network/azure-vnet/variables.tf b/terraform/network/azure-vnet/variables.tf index a23ab8ab..b0d4ead8 100644 --- a/terraform/network/azure-vnet/variables.tf +++ b/terraform/network/azure-vnet/variables.tf @@ -1,4 +1,3 @@ - # Variables variable "context_id" { description = "Context ID for the resources" @@ -31,23 +30,60 @@ variable "vnet_name" { } variable "vnet_cidr" { - description = "CIDR block for VNET" + description = "CIDR block for the VNET" type = string - default = "10.20.0.0/16" + default = "10.0.0.0/16" } variable "vnet_subnets" { - description = "Subnets to create in the VNET" - type = map(list(string)) - # example: { - # public = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"] - # private = ["10.20.11.0/24", "10.20.12.0/24", "10.20.13.0/24"] - # isolated = ["10.20.21.0/24", "10.20.22.0/24", "10.20.23.0/24"] - # } + description = "Map of subnet configurations" + type = map(list(object({ + name = string + address_prefixes = list(string) + }))) default = { - public = [] - private = [] - isolated = [] + private = [ + { + name = "private-1" + address_prefixes = ["10.0.0.0/20"] # 10.0.0.0 - 10.0.15.255 + }, + { + name = "private-2" + address_prefixes = ["10.0.16.0/20"] # 10.0.16.0 - 10.0.31.255 + }, + { + name = "private-3" + address_prefixes = ["10.0.32.0/20"] # 10.0.32.0 - 10.0.47.255 + } + ] + isolated = [ + { + name = "isolated-1" + address_prefixes = ["10.0.48.0/24"] # 10.0.48.0 - 10.0.48.255 + }, + { + name = "isolated-2" + address_prefixes = ["10.0.49.0/24"] # 10.0.49.0 - 10.0.49.255 + }, + { + name = "isolated-3" + address_prefixes = ["10.0.50.0/24"] # 10.0.50.0 - 10.0.50.255 + } + ] + public = [ + { + name = "public-1" + address_prefixes = ["10.0.51.0/24"] # 10.0.51.0 - 10.0.51.255 + }, + { + name = "public-2" + address_prefixes = ["10.0.52.0/24"] # 10.0.52.0 - 10.0.52.255 + }, + { + name = "public-3" + address_prefixes = ["10.0.53.0/24"] # 10.0.53.0 - 10.0.53.255 + } + ] } } @@ -58,6 +94,12 @@ variable "vnet_zones" { default = 1 } +variable "enable_nat_gateway" { + description = "Enable NAT Gateway for private subnets" + type = bool + default = true +} + variable "tags" { description = "Tags to apply to the resources" type = map(string) From b27c5bd259a267465932f28a63a7d09fec3c61c4 Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Tue, 20 May 2025 14:16:49 -0400 Subject: [PATCH 03/10] Revert to previous variable style --- docs/terraform/cluster/azure-aks.md | 5 +- docs/terraform/network/azure-vnet.md | 2 +- terraform/backend/azurerm/test.tftest.hcl | 3 ++ terraform/backend/azurerm/variables.tf | 4 ++ terraform/cluster/azure-aks/variables.tf | 14 +++-- terraform/network/azure-vnet/main.tf | 12 ++--- terraform/network/azure-vnet/test.tftest.hcl | 19 +++++-- terraform/network/azure-vnet/variables.tf | 56 ++++++-------------- 8 files changed, 58 insertions(+), 57 deletions(-) diff --git a/docs/terraform/cluster/azure-aks.md b/docs/terraform/cluster/azure-aks.md index 42fda189..e2a21f02 100644 --- a/docs/terraform/cluster/azure-aks.md +++ b/docs/terraform/cluster/azure-aks.md @@ -77,7 +77,8 @@ No modules. | [context\_id](#input\_context\_id) | Context ID for the resources | `string` | `null` | no | | [context\_path](#input\_context\_path) | The path to the context folder, where kubeconfig is stored | `string` | `""` | no | | [default\_node\_pool](#input\_default\_node\_pool) | Configuration for the default node pool | 
object({
    name                         = string
    vm_size                      = string
    os_disk_type                 = string
    max_pods                     = number
    host_encryption_enabled      = bool
    min_count                    = number
    max_count                    = number
    node_count                   = number
    only_critical_addons_enabled = bool
  })
| 
{
  "host_encryption_enabled": true,
  "max_count": 3,
  "max_pods": 110,
  "min_count": 1,
  "name": "system",
  "node_count": 1,
  "only_critical_addons_enabled": true,
  "os_disk_type": "Managed",
  "vm_size": "Standard_D2s_v3"
}
| no | -| [dns\_service\_ip](#input\_dns\_service\_ip) | The IP address for the Kubernetes DNS service | `string` | `"10.0.0.10"` | no | +| [dns\_service\_ip](#input\_dns\_service\_ip) | IP address for Kubernetes DNS service | `string` | `"10.96.0.10"` | no | +| [endpoint\_private\_access](#input\_endpoint\_private\_access) | Whether to enable private access to the Kubernetes API server | `bool` | `false` | no | | [expiration\_date](#input\_expiration\_date) | The expiration date for the AKS cluster's key vault | `string` | `null` | no | | [kubernetes\_version](#input\_kubernetes\_version) | Version of Kubernetes to use | `string` | `"1.32"` | no | | [local\_account\_disabled](#input\_local\_account\_disabled) | Whether to disable local accounts for the AKS cluster | `bool` | `false` | no | @@ -88,7 +89,7 @@ No modules. | [region](#input\_region) | Region for the resources | `string` | `"eastus"` | no | | [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group | `string` | `null` | no | | [role\_based\_access\_control\_enabled](#input\_role\_based\_access\_control\_enabled) | Whether to enable role-based access control for the AKS cluster | `bool` | `true` | no | -| [service\_cidr](#input\_service\_cidr) | The CIDR block for Kubernetes services | `string` | `"10.0.0.0/16"` | no | +| [service\_cidr](#input\_service\_cidr) | CIDR block for Kubernetes services | `string` | `"10.96.0.0/16"` | no | | [sku\_tier](#input\_sku\_tier) | The SKU tier for the AKS cluster | `string` | `"Standard"` | no | | [soft\_delete\_retention\_days](#input\_soft\_delete\_retention\_days) | The number of days to retain the AKS cluster's key vault | `number` | `7` | no | | [tags](#input\_tags) | Tags to apply to the resources | `map(string)` | `{}` | no | diff --git a/docs/terraform/network/azure-vnet.md b/docs/terraform/network/azure-vnet.md index 8dbe6e4e..7f591a3b 100644 --- a/docs/terraform/network/azure-vnet.md +++ b/docs/terraform/network/azure-vnet.md @@ -41,7 +41,7 @@ No modules. | [tags](#input\_tags) | Tags to apply to the resources | `map(string)` | `{}` | no | | [vnet\_cidr](#input\_vnet\_cidr) | CIDR block for the VNET | `string` | `"10.0.0.0/16"` | no | | [vnet\_name](#input\_vnet\_name) | Name of the VNET | `string` | `null` | no | -| [vnet\_subnets](#input\_vnet\_subnets) | Map of subnet configurations | 
map(list(object({
    name             = string
    address_prefixes = list(string)
  })))
| 
{
  "isolated": [
    {
      "address_prefixes": [
        "10.0.48.0/24"
      ],
      "name": "isolated-1"
    },
    {
      "address_prefixes": [
        "10.0.49.0/24"
      ],
      "name": "isolated-2"
    },
    {
      "address_prefixes": [
        "10.0.50.0/24"
      ],
      "name": "isolated-3"
    }
  ],
  "private": [
    {
      "address_prefixes": [
        "10.0.0.0/20"
      ],
      "name": "private-1"
    },
    {
      "address_prefixes": [
        "10.0.16.0/20"
      ],
      "name": "private-2"
    },
    {
      "address_prefixes": [
        "10.0.32.0/20"
      ],
      "name": "private-3"
    }
  ],
  "public": [
    {
      "address_prefixes": [
        "10.0.51.0/24"
      ],
      "name": "public-1"
    },
    {
      "address_prefixes": [
        "10.0.52.0/24"
      ],
      "name": "public-2"
    },
    {
      "address_prefixes": [
        "10.0.53.0/24"
      ],
      "name": "public-3"
    }
  ]
}
| no | +| [vnet\_subnets](#input\_vnet\_subnets) | Subnets to create in the VNET | `map(list(string))` | 
{
  "isolated": [
    "10.0.48.0/24",
    "10.0.49.0/24",
    "10.0.50.0/24"
  ],
  "private": [
    "10.0.0.0/20",
    "10.0.16.0/20",
    "10.0.32.0/20"
  ],
  "public": [
    "10.0.51.0/24",
    "10.0.52.0/24",
    "10.0.53.0/24"
  ]
}
| no | | [vnet\_zones](#input\_vnet\_zones) | Number of availability zones to create | `number` | `1` | no | ## Outputs diff --git a/terraform/backend/azurerm/test.tftest.hcl b/terraform/backend/azurerm/test.tftest.hcl index 030dbfee..d3e3f728 100644 --- a/terraform/backend/azurerm/test.tftest.hcl +++ b/terraform/backend/azurerm/test.tftest.hcl @@ -11,6 +11,7 @@ run "minimal_configuration" { variables { context_id = "test" location = "eastus2" + container_name = "tfstate-test" } assert { @@ -115,6 +116,7 @@ run "backend_config_generation" { context_id = "test" location = "eastus2" context_path = "test" + container_name = "tfstate-test" } assert { @@ -142,6 +144,7 @@ run "backend_config_without_context_path" { context_id = "test-nopath" location = "eastus2" context_path = "" + container_name = "tfstate-test-nopath" } assert { diff --git a/terraform/backend/azurerm/variables.tf b/terraform/backend/azurerm/variables.tf index 68c3b560..767d64fd 100644 --- a/terraform/backend/azurerm/variables.tf +++ b/terraform/backend/azurerm/variables.tf @@ -11,6 +11,10 @@ variable "context_path" { variable "context_id" { description = "Context ID for the resources" type = string + validation { + condition = var.context_id != null && var.context_id != "" + error_message = "context_id must be provided and cannot be empty." + } } #--------------------------------------------------------------------------------------------------- diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf index 21756c10..712c7513 100644 --- a/terraform/cluster/azure-aks/variables.tf +++ b/terraform/cluster/azure-aks/variables.tf @@ -224,13 +224,19 @@ variable "temporary_name_for_rotation" { } variable "service_cidr" { - description = "The CIDR block for Kubernetes services" + description = "CIDR block for Kubernetes services" type = string - default = "10.0.0.0/16" + default = "10.96.0.0/16" } variable "dns_service_ip" { - description = "The IP address for the Kubernetes DNS service" + description = "IP address for Kubernetes DNS service" type = string - default = "10.0.0.10" + default = "10.96.0.10" +} + +variable "endpoint_private_access" { + description = "Whether to enable private access to the Kubernetes API server" + type = bool + default = false } diff --git a/terraform/network/azure-vnet/main.tf b/terraform/network/azure-vnet/main.tf index 1cebe531..1574de77 100644 --- a/terraform/network/azure-vnet/main.tf +++ b/terraform/network/azure-vnet/main.tf @@ -65,28 +65,28 @@ resource "azurerm_virtual_network" "main" { # Public subnets resource "azurerm_subnet" "public" { count = length(var.vnet_subnets["public"]) > 0 ? length(var.vnet_subnets["public"]) : var.vnet_zones - name = length(var.vnet_subnets["public"]) > 0 ? "${var.vnet_subnets["public"][count.index].name}-${var.context_id}" : "public-${count.index + 1}-${var.context_id}" + name = length(var.vnet_subnets["public"]) > 0 ? "public-${count.index + 1}-${var.context_id}" : "public-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = length(var.vnet_subnets["public"]) > 0 ? var.vnet_subnets["public"][count.index].address_prefixes : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.${count.index + 1}.0/24"] + address_prefixes = length(var.vnet_subnets["public"]) > 0 ? [var.vnet_subnets["public"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.${count.index + 1}.0/24"] } # Private subnets resource "azurerm_subnet" "private" { count = length(var.vnet_subnets["private"]) > 0 ? length(var.vnet_subnets["private"]) : var.vnet_zones - name = length(var.vnet_subnets["private"]) > 0 ? "${var.vnet_subnets["private"][count.index].name}-${var.context_id}" : "private-${count.index + 1}-${var.context_id}" + name = length(var.vnet_subnets["private"]) > 0 ? "private-${count.index + 1}-${var.context_id}" : "private-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = length(var.vnet_subnets["private"]) > 0 ? var.vnet_subnets["private"][count.index].address_prefixes : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.1${count.index + 1}.0/24"] + address_prefixes = length(var.vnet_subnets["private"]) > 0 ? [var.vnet_subnets["private"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.1${count.index + 1}.0/24"] } # Isolated subnets resource "azurerm_subnet" "isolated" { count = length(var.vnet_subnets["isolated"]) > 0 ? length(var.vnet_subnets["isolated"]) : var.vnet_zones - name = length(var.vnet_subnets["isolated"]) > 0 ? "${var.vnet_subnets["isolated"][count.index].name}-${var.context_id}" : "isolated-${count.index + 1}-${var.context_id}" + name = length(var.vnet_subnets["isolated"]) > 0 ? "isolated-${count.index + 1}-${var.context_id}" : "isolated-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = length(var.vnet_subnets["isolated"]) > 0 ? var.vnet_subnets["isolated"][count.index].address_prefixes : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.2${count.index + 1}.0/24"] + address_prefixes = length(var.vnet_subnets["isolated"]) > 0 ? [var.vnet_subnets["isolated"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.2${count.index + 1}.0/24"] } #----------------------------------------------------------------------------------------------------------------------- diff --git a/terraform/network/azure-vnet/test.tftest.hcl b/terraform/network/azure-vnet/test.tftest.hcl index ed659301..d85dd5dd 100644 --- a/terraform/network/azure-vnet/test.tftest.hcl +++ b/terraform/network/azure-vnet/test.tftest.hcl @@ -58,9 +58,9 @@ run "full_configuration" { vnet_zones = 2 vnet_cidr = "10.30.0.0/16" vnet_subnets = { - public = [{ name = "public-1", address_prefixes = ["10.30.1.0/24"] }, { name = "public-2", address_prefixes = ["10.30.2.0/24"] }] - private = [{ name = "private-1", address_prefixes = ["10.30.11.0/24"] }, { name = "private-2", address_prefixes = ["10.30.12.0/24"] }] - isolated = [{ name = "isolated-1", address_prefixes = ["10.30.21.0/24"] }, { name = "isolated-2", address_prefixes = ["10.30.22.0/24"] }] + public = ["10.30.1.0/24", "10.30.2.0/24"] + private = ["10.30.11.0/24", "10.30.12.0/24"] + isolated = ["10.30.21.0/24", "10.30.22.0/24"] } context_id = "test" name = "custom" @@ -117,3 +117,16 @@ run "nat_gateway_configuration" { error_message = "No NAT Gateway associations should be created when disabled" } } + +# Tests validation rules for required variables +run "multiple_invalid_inputs" { + command = plan + + expect_failures = [ + var.context_id, + ] + + variables { + name = "windsor-vnet" + } +} diff --git a/terraform/network/azure-vnet/variables.tf b/terraform/network/azure-vnet/variables.tf index b0d4ead8..508ba5d4 100644 --- a/terraform/network/azure-vnet/variables.tf +++ b/terraform/network/azure-vnet/variables.tf @@ -3,6 +3,10 @@ variable "context_id" { description = "Context ID for the resources" type = string default = null + validation { + condition = var.context_id != null && var.context_id != "" + error_message = "context_id must be provided and cannot be empty." + } } variable "region" { @@ -36,53 +40,23 @@ variable "vnet_cidr" { } variable "vnet_subnets" { - description = "Map of subnet configurations" - type = map(list(object({ - name = string - address_prefixes = list(string) - }))) + description = "Subnets to create in the VNET" + type = map(list(string)) default = { private = [ - { - name = "private-1" - address_prefixes = ["10.0.0.0/20"] # 10.0.0.0 - 10.0.15.255 - }, - { - name = "private-2" - address_prefixes = ["10.0.16.0/20"] # 10.0.16.0 - 10.0.31.255 - }, - { - name = "private-3" - address_prefixes = ["10.0.32.0/20"] # 10.0.32.0 - 10.0.47.255 - } + "10.0.0.0/20", # 10.0.0.0 - 10.0.15.255 + "10.0.16.0/20", # 10.0.16.0 - 10.0.31.255 + "10.0.32.0/20" # 10.0.32.0 - 10.0.47.255 ] isolated = [ - { - name = "isolated-1" - address_prefixes = ["10.0.48.0/24"] # 10.0.48.0 - 10.0.48.255 - }, - { - name = "isolated-2" - address_prefixes = ["10.0.49.0/24"] # 10.0.49.0 - 10.0.49.255 - }, - { - name = "isolated-3" - address_prefixes = ["10.0.50.0/24"] # 10.0.50.0 - 10.0.50.255 - } + "10.0.48.0/24", # 10.0.48.0 - 10.0.48.255 + "10.0.49.0/24", # 10.0.49.0 - 10.0.49.255 + "10.0.50.0/24" # 10.0.50.0 - 10.0.50.255 ] public = [ - { - name = "public-1" - address_prefixes = ["10.0.51.0/24"] # 10.0.51.0 - 10.0.51.255 - }, - { - name = "public-2" - address_prefixes = ["10.0.52.0/24"] # 10.0.52.0 - 10.0.52.255 - }, - { - name = "public-3" - address_prefixes = ["10.0.53.0/24"] # 10.0.53.0 - 10.0.53.255 - } + "10.0.51.0/24", # 10.0.51.0 - 10.0.51.255 + "10.0.52.0/24", # 10.0.52.0 - 10.0.52.255 + "10.0.53.0/24" # 10.0.53.0 - 10.0.53.255 ] } } From 19b5ecfe4621b4ec7a8ac6afc51ea91f964aa8ef Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Tue, 20 May 2025 14:29:47 -0400 Subject: [PATCH 04/10] Remove extra checks and enhance tests --- terraform/network/azure-vnet/main.tf | 18 ++++++------- terraform/network/azure-vnet/test.tftest.hcl | 27 ++++++++++++++++---- terraform/network/azure-vnet/variables.tf | 14 ++++++++++ 3 files changed, 45 insertions(+), 14 deletions(-) diff --git a/terraform/network/azure-vnet/main.tf b/terraform/network/azure-vnet/main.tf index 1574de77..527024db 100644 --- a/terraform/network/azure-vnet/main.tf +++ b/terraform/network/azure-vnet/main.tf @@ -64,29 +64,29 @@ resource "azurerm_virtual_network" "main" { # Public subnets resource "azurerm_subnet" "public" { - count = length(var.vnet_subnets["public"]) > 0 ? length(var.vnet_subnets["public"]) : var.vnet_zones - name = length(var.vnet_subnets["public"]) > 0 ? "public-${count.index + 1}-${var.context_id}" : "public-${count.index + 1}-${var.context_id}" + count = length(var.vnet_subnets["public"]) + name = "public-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = length(var.vnet_subnets["public"]) > 0 ? [var.vnet_subnets["public"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.${count.index + 1}.0/24"] + address_prefixes = [var.vnet_subnets["public"][count.index]] } # Private subnets resource "azurerm_subnet" "private" { - count = length(var.vnet_subnets["private"]) > 0 ? length(var.vnet_subnets["private"]) : var.vnet_zones - name = length(var.vnet_subnets["private"]) > 0 ? "private-${count.index + 1}-${var.context_id}" : "private-${count.index + 1}-${var.context_id}" + count = length(var.vnet_subnets["private"]) + name = "private-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = length(var.vnet_subnets["private"]) > 0 ? [var.vnet_subnets["private"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.1${count.index + 1}.0/24"] + address_prefixes = [var.vnet_subnets["private"][count.index]] } # Isolated subnets resource "azurerm_subnet" "isolated" { - count = length(var.vnet_subnets["isolated"]) > 0 ? length(var.vnet_subnets["isolated"]) : var.vnet_zones - name = length(var.vnet_subnets["isolated"]) > 0 ? "isolated-${count.index + 1}-${var.context_id}" : "isolated-${count.index + 1}-${var.context_id}" + count = length(var.vnet_subnets["isolated"]) + name = "isolated-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = length(var.vnet_subnets["isolated"]) > 0 ? [var.vnet_subnets["isolated"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.2${count.index + 1}.0/24"] + address_prefixes = [var.vnet_subnets["isolated"][count.index]] } #----------------------------------------------------------------------------------------------------------------------- diff --git a/terraform/network/azure-vnet/test.tftest.hcl b/terraform/network/azure-vnet/test.tftest.hcl index d85dd5dd..a1acb7dd 100644 --- a/terraform/network/azure-vnet/test.tftest.hcl +++ b/terraform/network/azure-vnet/test.tftest.hcl @@ -122,11 +122,28 @@ run "nat_gateway_configuration" { run "multiple_invalid_inputs" { command = plan - expect_failures = [ - var.context_id, - ] - variables { - name = "windsor-vnet" + context_id = "test" + vnet_subnets = { + private = [ + "10.0.0.0/20", + "invalid-cidr", + "10.0.32.0/20" + ] + isolated = [ + "10.0.48.0/24", + "10.0.49.0/24", + "10.0.50.0/24" + ] + public = [ + "10.0.51.0/24", + "10.0.52.0/24", + "10.0.53.0/24" + ] + } } + + expect_failures = [ + var.vnet_subnets, + ] } diff --git a/terraform/network/azure-vnet/variables.tf b/terraform/network/azure-vnet/variables.tf index 508ba5d4..c6ad8eba 100644 --- a/terraform/network/azure-vnet/variables.tf +++ b/terraform/network/azure-vnet/variables.tf @@ -59,6 +59,20 @@ variable "vnet_subnets" { "10.0.53.0/24" # 10.0.53.0 - 10.0.53.255 ] } + validation { + condition = alltrue([for subnet in var.vnet_subnets["private"] : can(cidrhost(subnet, 0))]) + error_message = "Each private subnet must be a valid CIDR block" + } + + validation { + condition = alltrue([for subnet in var.vnet_subnets["isolated"] : can(cidrhost(subnet, 0))]) + error_message = "Each isolated subnet must be a valid CIDR block" + } + + validation { + condition = alltrue([for subnet in var.vnet_subnets["public"] : can(cidrhost(subnet, 0))]) + error_message = "Each public subnet must be a valid CIDR block" + } } # Only used if vnet_subnets is not defined From d5959058b3bef7f1592e5dd4da75f0c65022a68a Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Tue, 20 May 2025 14:34:06 -0400 Subject: [PATCH 05/10] Remove unused variable --- terraform/cluster/azure-aks/variables.tf | 6 ------ 1 file changed, 6 deletions(-) diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf index 712c7513..dde63e97 100644 --- a/terraform/cluster/azure-aks/variables.tf +++ b/terraform/cluster/azure-aks/variables.tf @@ -217,12 +217,6 @@ variable "tags" { default = {} } -variable "temporary_name_for_rotation" { - description = "Temporary name for node pool rotation" - type = string - default = null -} - variable "service_cidr" { description = "CIDR block for Kubernetes services" type = string From 49d44d0e172b39896a804c3e502438d915a4871c Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Tue, 20 May 2025 14:34:16 -0400 Subject: [PATCH 06/10] docs --- docs/terraform/cluster/azure-aks.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/terraform/cluster/azure-aks.md b/docs/terraform/cluster/azure-aks.md index e2a21f02..c7f949ab 100644 --- a/docs/terraform/cluster/azure-aks.md +++ b/docs/terraform/cluster/azure-aks.md @@ -93,7 +93,6 @@ No modules. | [sku\_tier](#input\_sku\_tier) | The SKU tier for the AKS cluster | `string` | `"Standard"` | no | | [soft\_delete\_retention\_days](#input\_soft\_delete\_retention\_days) | The number of days to retain the AKS cluster's key vault | `number` | `7` | no | | [tags](#input\_tags) | Tags to apply to the resources | `map(string)` | `{}` | no | -| [temporary\_name\_for\_rotation](#input\_temporary\_name\_for\_rotation) | Temporary name for node pool rotation | `string` | `null` | no | | [vnet\_module\_name](#input\_vnet\_module\_name) | Name on the VNET module | `string` | `"network"` | no | | [vnet\_subnet\_id](#input\_vnet\_subnet\_id) | ID of the subnet | `string` | `null` | no | | [workload\_autoscaler\_profile](#input\_workload\_autoscaler\_profile) | Configuration for the AKS cluster's workload autoscaler | 
object({
    keda_enabled                    = bool
    vertical_pod_autoscaler_enabled = bool
  })
| 
{
  "keda_enabled": false,
  "vertical_pod_autoscaler_enabled": false
}
| no | From a68b0a6720a2af46297ea9e79fd67c3c93ac20a0 Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Tue, 20 May 2025 14:44:31 -0400 Subject: [PATCH 07/10] use implicit network config --- terraform/network/azure-vnet/main.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/network/azure-vnet/main.tf b/terraform/network/azure-vnet/main.tf index 527024db..df719b31 100644 --- a/terraform/network/azure-vnet/main.tf +++ b/terraform/network/azure-vnet/main.tf @@ -64,29 +64,29 @@ resource "azurerm_virtual_network" "main" { # Public subnets resource "azurerm_subnet" "public" { - count = length(var.vnet_subnets["public"]) + count = length(var.vnet_subnets["public"]) > 0 ? length(var.vnet_subnets["public"]) : var.vnet_zones name = "public-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = [var.vnet_subnets["public"][count.index]] + address_prefixes = length(var.vnet_subnets["public"]) > 0 ? [var.vnet_subnets["public"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.${51 + count.index}.0/24"] } # Private subnets resource "azurerm_subnet" "private" { - count = length(var.vnet_subnets["private"]) + count = length(var.vnet_subnets["private"]) > 0 ? length(var.vnet_subnets["private"]) : var.vnet_zones name = "private-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = [var.vnet_subnets["private"][count.index]] + address_prefixes = length(var.vnet_subnets["private"]) > 0 ? [var.vnet_subnets["private"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.${count.index * 16}.0/20"] } # Isolated subnets resource "azurerm_subnet" "isolated" { - count = length(var.vnet_subnets["isolated"]) + count = length(var.vnet_subnets["isolated"]) > 0 ? length(var.vnet_subnets["isolated"]) : var.vnet_zones name = "isolated-${count.index + 1}-${var.context_id}" resource_group_name = azurerm_resource_group.main.name virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = [var.vnet_subnets["isolated"][count.index]] + address_prefixes = length(var.vnet_subnets["isolated"]) > 0 ? [var.vnet_subnets["isolated"][count.index]] : ["${join(".", slice(split(".", var.vnet_cidr), 0, 2))}.${48 + count.index}.0/24"] } #----------------------------------------------------------------------------------------------------------------------- From fb79ada6fc3fcbe9b2ab7324397f1671c2a7fedf Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Tue, 20 May 2025 14:51:32 -0400 Subject: [PATCH 08/10] Use vnet_zones default --- terraform/cluster/aws-eks/.terraform.lock.hcl | 1 + terraform/network/azure-vnet/test.tftest.hcl | 87 +++++++++++++++++-- terraform/network/azure-vnet/variables.tf | 21 +---- 3 files changed, 86 insertions(+), 23 deletions(-) diff --git a/terraform/cluster/aws-eks/.terraform.lock.hcl b/terraform/cluster/aws-eks/.terraform.lock.hcl index 0f3b090e..6bec0754 100644 --- a/terraform/cluster/aws-eks/.terraform.lock.hcl +++ b/terraform/cluster/aws-eks/.terraform.lock.hcl @@ -5,6 +5,7 @@ provider "registry.terraform.io/hashicorp/aws" { version = "5.97.0" constraints = "5.97.0" hashes = [ + "h1:+3RBrMkjHMTzLr62gPGI04yTihsPYDWOVr3DyUMAPr8=", "h1:rUDE0OgA+6IiEA+w0cPp3/QQNH4SpjFjYcQ6p7byKS4=", "zh:02790ad98b767d8f24d28e8be623f348bcb45590205708334d52de2fb14f5a95", "zh:088b4398a161e45762dc28784fcc41c4fa95bd6549cb708b82de577f2d39ffc7", diff --git a/terraform/network/azure-vnet/test.tftest.hcl b/terraform/network/azure-vnet/test.tftest.hcl index a1acb7dd..9963e589 100644 --- a/terraform/network/azure-vnet/test.tftest.hcl +++ b/terraform/network/azure-vnet/test.tftest.hcl @@ -26,18 +26,18 @@ run "minimal_configuration" { } assert { - condition = length(azurerm_subnet.public) == 3 - error_message = "Three public subnets should be created by default" + condition = length(azurerm_subnet.public) == 1 + error_message = "One public subnet should be created by default" } assert { - condition = length(azurerm_subnet.private) == 3 - error_message = "Three private subnets should be created by default" + condition = length(azurerm_subnet.private) == 1 + error_message = "One private subnet should be created by default" } assert { - condition = length(azurerm_subnet.isolated) == 3 - error_message = "Three isolated subnets should be created by default" + condition = length(azurerm_subnet.isolated) == 1 + error_message = "One isolated subnet should be created by default" } assert { @@ -118,6 +118,81 @@ run "nat_gateway_configuration" { } } +run "automatic_subnet_creation" { + command = plan + + variables { + context_id = "test" + name = "test-network" + vnet_zones = 3 + vnet_subnets = { + private = [] + isolated = [] + public = [] + } + } + + assert { + condition = length(azurerm_subnet.private) == 3 + error_message = "Should create 3 private subnets" + } + + assert { + condition = azurerm_subnet.private[0].address_prefixes[0] == "10.0.0.0/20" + error_message = "First private subnet should be 10.0.0.0/20" + } + + assert { + condition = azurerm_subnet.private[1].address_prefixes[0] == "10.0.16.0/20" + error_message = "Second private subnet should be 10.0.16.0/20" + } + + assert { + condition = azurerm_subnet.private[2].address_prefixes[0] == "10.0.32.0/20" + error_message = "Third private subnet should be 10.0.32.0/20" + } + + assert { + condition = length(azurerm_subnet.isolated) == 3 + error_message = "Should create 3 isolated subnets" + } + + assert { + condition = azurerm_subnet.isolated[0].address_prefixes[0] == "10.0.48.0/24" + error_message = "First isolated subnet should be 10.0.48.0/24" + } + + assert { + condition = azurerm_subnet.isolated[1].address_prefixes[0] == "10.0.49.0/24" + error_message = "Second isolated subnet should be 10.0.49.0/24" + } + + assert { + condition = azurerm_subnet.isolated[2].address_prefixes[0] == "10.0.50.0/24" + error_message = "Third isolated subnet should be 10.0.50.0/24" + } + + assert { + condition = length(azurerm_subnet.public) == 3 + error_message = "Should create 3 public subnets" + } + + assert { + condition = azurerm_subnet.public[0].address_prefixes[0] == "10.0.51.0/24" + error_message = "First public subnet should be 10.0.51.0/24" + } + + assert { + condition = azurerm_subnet.public[1].address_prefixes[0] == "10.0.52.0/24" + error_message = "Second public subnet should be 10.0.52.0/24" + } + + assert { + condition = azurerm_subnet.public[2].address_prefixes[0] == "10.0.53.0/24" + error_message = "Third public subnet should be 10.0.53.0/24" + } +} + # Tests validation rules for required variables run "multiple_invalid_inputs" { command = plan diff --git a/terraform/network/azure-vnet/variables.tf b/terraform/network/azure-vnet/variables.tf index c6ad8eba..f6c5a99a 100644 --- a/terraform/network/azure-vnet/variables.tf +++ b/terraform/network/azure-vnet/variables.tf @@ -43,21 +43,9 @@ variable "vnet_subnets" { description = "Subnets to create in the VNET" type = map(list(string)) default = { - private = [ - "10.0.0.0/20", # 10.0.0.0 - 10.0.15.255 - "10.0.16.0/20", # 10.0.16.0 - 10.0.31.255 - "10.0.32.0/20" # 10.0.32.0 - 10.0.47.255 - ] - isolated = [ - "10.0.48.0/24", # 10.0.48.0 - 10.0.48.255 - "10.0.49.0/24", # 10.0.49.0 - 10.0.49.255 - "10.0.50.0/24" # 10.0.50.0 - 10.0.50.255 - ] - public = [ - "10.0.51.0/24", # 10.0.51.0 - 10.0.51.255 - "10.0.52.0/24", # 10.0.52.0 - 10.0.52.255 - "10.0.53.0/24" # 10.0.53.0 - 10.0.53.255 - ] + private = [] + isolated = [] + public = [] } validation { condition = alltrue([for subnet in var.vnet_subnets["private"] : can(cidrhost(subnet, 0))]) @@ -75,9 +63,8 @@ variable "vnet_subnets" { } } -# Only used if vnet_subnets is not defined variable "vnet_zones" { - description = "Number of availability zones to create" + description = "Number of availability zones to create. Only used if vnet_subnets is not defined" type = number default = 1 } From 9cf4db3dd9e61261dff3b86fd88b3612dbe9785c Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Tue, 20 May 2025 14:51:41 -0400 Subject: [PATCH 09/10] docs --- docs/terraform/network/azure-vnet.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/terraform/network/azure-vnet.md b/docs/terraform/network/azure-vnet.md index 7f591a3b..00a81db1 100644 --- a/docs/terraform/network/azure-vnet.md +++ b/docs/terraform/network/azure-vnet.md @@ -41,8 +41,8 @@ No modules. | [tags](#input\_tags) | Tags to apply to the resources | `map(string)` | `{}` | no | | [vnet\_cidr](#input\_vnet\_cidr) | CIDR block for the VNET | `string` | `"10.0.0.0/16"` | no | | [vnet\_name](#input\_vnet\_name) | Name of the VNET | `string` | `null` | no | -| [vnet\_subnets](#input\_vnet\_subnets) | Subnets to create in the VNET | `map(list(string))` | 
{
  "isolated": [
    "10.0.48.0/24",
    "10.0.49.0/24",
    "10.0.50.0/24"
  ],
  "private": [
    "10.0.0.0/20",
    "10.0.16.0/20",
    "10.0.32.0/20"
  ],
  "public": [
    "10.0.51.0/24",
    "10.0.52.0/24",
    "10.0.53.0/24"
  ]
}
| no | -| [vnet\_zones](#input\_vnet\_zones) | Number of availability zones to create | `number` | `1` | no | +| [vnet\_subnets](#input\_vnet\_subnets) | Subnets to create in the VNET | `map(list(string))` | 
{
  "isolated": [],
  "private": [],
  "public": []
}
| no | +| [vnet\_zones](#input\_vnet\_zones) | Number of availability zones to create. Only used if vnet\_subnets is not defined | `number` | `1` | no | ## Outputs From 7c1e868551164c938d466bd33b7d5601b5fdfffe Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Tue, 20 May 2025 16:11:57 -0400 Subject: [PATCH 10/10] fmt --- terraform/backend/azurerm/test.tftest.hcl | 16 ++++++++-------- terraform/cluster/azure-aks/test.tftest.hcl | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/terraform/backend/azurerm/test.tftest.hcl b/terraform/backend/azurerm/test.tftest.hcl index d3e3f728..736890b8 100644 --- a/terraform/backend/azurerm/test.tftest.hcl +++ b/terraform/backend/azurerm/test.tftest.hcl @@ -9,8 +9,8 @@ run "minimal_configuration" { command = plan variables { - context_id = "test" - location = "eastus2" + context_id = "test" + location = "eastus2" container_name = "tfstate-test" } @@ -113,9 +113,9 @@ run "backend_config_generation" { command = plan variables { - context_id = "test" - location = "eastus2" - context_path = "test" + context_id = "test" + location = "eastus2" + context_path = "test" container_name = "tfstate-test" } @@ -141,9 +141,9 @@ run "backend_config_without_context_path" { command = plan variables { - context_id = "test-nopath" - location = "eastus2" - context_path = "" + context_id = "test-nopath" + location = "eastus2" + context_path = "" container_name = "tfstate-test-nopath" } diff --git a/terraform/cluster/azure-aks/test.tftest.hcl b/terraform/cluster/azure-aks/test.tftest.hcl index bf18b2e1..475bb70d 100644 --- a/terraform/cluster/azure-aks/test.tftest.hcl +++ b/terraform/cluster/azure-aks/test.tftest.hcl @@ -223,7 +223,7 @@ run "network_configuration" { command = plan variables { - context_id = "test" + context_id = "test" service_cidr = "10.0.0.0/16" dns_service_ip = "10.0.0.10" }