Rename var.system_assigned_identity to cluster_identity, add vali…

…dation and precondition for identity-related variables. Bump Terraform required version to 1.2.0 since we've used precondition.
Azure · Jul 13, 2022 · 5b0feb6 · 5b0feb6
1 parent da2918f
commit 5b0feb6
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 4 deletions.
diff --git a/main.tf b/main.tf
@@ -170,8 +170,19 @@ resource "azurerm_kubernetes_cluster" "main" {
   oidc_issuer_enabled = var.oidc_issuer_enabled
 
   tags = var.tags
-}
 
+  lifecycle {
+    precondition {
+      condition     = (var.client_id != "" && var.client_secret != "") || (var.identity_type != "")
+      error_message = "Either `client_id` and `client_secret` or `identity_type` must be set."
+    }
+    precondition {
+      # Why don't use var.identity_ids != null && length(var.identity_ids)>0 ? Because bool expression in Terraform is not short circuit so even var.identity_ids is null Terraform will still invoke length function with null and cause error. https://github.com/hashicorp/terraform/issues/24128
+      condition     = (var.client_id != "" && var.client_secret != "") || (var.identity_type == "SystemAssigned") || (var.identity_ids == null ? false :length(var.identity_ids) > 0)
+      error_message = "If use identity and `UserAssigned` or `SystemAssigned, UserAssigned` is set, an `identity_ids` must be set as well."
+    }
+  }
+}
 
 resource "azurerm_log_analytics_workspace" "main" {
   count               = var.enable_log_analytics_workspace && var.log_analytics_workspace == null ? 1 : 0

diff --git a/outputs.tf b/outputs.tf
@@ -54,7 +54,7 @@ output "http_application_routing_zone_name" {
   value = azurerm_kubernetes_cluster.main.http_application_routing_zone_name != null ? azurerm_kubernetes_cluster.main.http_application_routing_zone_name : ""
 }
 
-output "system_assigned_identity" {
+output "cluster_identity" {
   value = azurerm_kubernetes_cluster.main.identity
 }
 

diff --git a/variables.tf b/variables.tf
@@ -30,12 +30,14 @@ variable "client_id" {
   description = "(Optional) The Client ID (appId) for the Service Principal used for the AKS deployment"
   type        = string
   default     = ""
+  nullable    = false
 }
 
 variable "client_secret" {
   description = "(Optional) The Client Secret (password) for the Service Principal used for the AKS deployment"
   type        = string
   default     = ""
+  nullable    = false
 }
 
 variable "api_server_authorized_ip_ranges" {
@@ -364,9 +366,14 @@ variable "ingress_application_gateway_subnet_id" {
 }
 
 variable "identity_type" {
-  description = "(Optional) The type of identity used for the managed cluster. Conflict with `client_id` and `client_secret`. Possible values are `SystemAssigned` and `UserAssigned`. If `UserAssigned` is set, a `user_assigned_identity_id` must be set as well."
+  description = "(Optional) The type of identity used for the managed cluster. Conflict with `client_id` and `client_secret`. Possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`(to enable both). If `UserAssigned` or `SystemAssigned, UserAssigned` is set, an `identity_ids` must be set as well."
   type        = string
   default     = "SystemAssigned"
+
+  validation {
+    condition     = var.identity_type == "SystemAssigned" || var.identity_type == "UserAssigned" || var.identity_type == "SystemAssigned, UserAssigned"
+    error_message = "`identity_type`'s possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`(to enable both)."
+  }
 }
 
 variable "identity_ids" {

diff --git a/versions.tf b/versions.tf
@@ -7,5 +7,5 @@ terraform {
     }
   }
 
-  required_version = ">= 1.1.0"
+  required_version = ">= 1.2"
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,5 +7,5 @@ terraform { @@
         }
       }
-      required_version = ">= 1.1.0"
+      required_version = ">= 1.2"
     }