Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Implement support for KMS arguments #288

Merged
merged 10 commits into from
Jan 29, 2023
Merged

feat: Implement support for KMS arguments #288

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
25c45a7
feat: Implement support for KMS arguments
mkilchhofer Jan 6, 2023
0d2123c
chore: Apply changes from code review
mkilchhofer Jan 23, 2023
eda1086
chore: Update examples with KMS
mkilchhofer Jan 23, 2023
2bb6f10
chore: Set azurerm minimal version to 3.40
mkilchhofer Jan 24, 2023
f61f35c
chore: Fix TF linter errors on named_cluster example
mkilchhofer Jan 24, 2023
7012178
chore: Fulfill checkov checks
mkilchhofer Jan 24, 2023
07f427e
fix: Fixup precondition check for UserAssigned identity type
mkilchhofer Jan 24, 2023
c4a8bb9
fix: Add depends_on for KV access policy in examples
mkilchhofer Jan 27, 2023
05c1b8e
chore: Use "Public" as default instead of null
mkilchhofer Jan 27, 2023
f13b78a
fix: Use private endpoint for vault connection
mkilchhofer Jan 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -321,6 +321,9 @@ No modules.
| <a name="input_ingress_application_gateway_subnet_cidr"></a> [ingress\_application\_gateway\_subnet\_cidr](#input\_ingress\_application\_gateway\_subnet\_cidr) | The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no |
| <a name="input_ingress_application_gateway_subnet_id"></a> [ingress\_application\_gateway\_subnet\_id](#input\_ingress\_application\_gateway\_subnet\_id) | The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no |
| <a name="input_key_vault_secrets_provider_enabled"></a> [key\_vault\_secrets\_provider\_enabled](#input\_key\_vault\_secrets\_provider\_enabled) | (Optional) Whether to use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster. For more details: https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver | `bool` | `false` | no |
| <a name="input_kms_enabled"></a> [kms\_enabled](#input\_kms\_enabled) | (Optional) Enable Azure KeyVault Key Management Service. | `bool` | `false` | no |
| <a name="input_kms_key_vault_key_id"></a> [kms\_key\_vault\_key\_id](#input\_kms\_key\_vault\_key\_id) | (Optional) Identifier of Azure Key Vault key. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. | `string` | `null` | no |
| <a name="input_kms_key_vault_network_access"></a> [kms\_key\_vault\_network\_access](#input\_kms\_key\_vault\_network\_access) | (Optional) Network Access of Azure Key Vault. Possible values are: `Private` and `Public`. If not set, defaults to type `Public`. | `string` | `null` | no |
| <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | Specify which Kubernetes release to use. The default used is the latest Kubernetes version available in the region | `string` | `null` | no |
| <a name="input_load_balancer_profile_enabled"></a> [load\_balancer\_profile\_enabled](#input\_load\_balancer\_profile\_enabled) | (Optional) Enable a load\_balancer\_profile block. This can only be used when load\_balancer\_sku is set to `standard`. | `bool` | `false` | no |
| <a name="input_load_balancer_profile_idle_timeout_in_minutes"></a> [load\_balancer\_profile\_idle\_timeout\_in\_minutes](#input\_load\_balancer\_profile\_idle\_timeout\_in\_minutes) | (Optional) Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between `4` and `120` inclusive. | `number` | `30` | no |
Expand Down
8 changes: 8 additions & 0 deletions main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -159,6 +159,14 @@ resource "azurerm_kubernetes_cluster" "main" {
subnet_id = var.ingress_application_gateway_subnet_id
}
}
dynamic "key_management_service" {
for_each = var.kms_enabled ? ["key_management_service"] : []
mkilchhofer marked this conversation as resolved.
Show resolved Hide resolved

content {
key_vault_key_id = var.kms_key_vault_key_id
key_vault_network_access = var.kms_key_vault_network_access
}
}
dynamic "key_vault_secrets_provider" {
for_each = var.key_vault_secrets_provider_enabled ? ["key_vault_secrets_provider"] : []

Expand Down
18 changes: 18 additions & 0 deletions variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -335,6 +335,24 @@ variable "key_vault_secrets_provider_enabled" {
nullable = false
}

variable "kms_enabled" {
type = bool
description = "(Optional) Enable Azure KeyVault Key Management Service."
default = false
mkilchhofer marked this conversation as resolved.
Show resolved Hide resolved
}

variable "kms_key_vault_key_id" {
type = string
description = "(Optional) Identifier of Azure Key Vault key. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier."
default = null
}

variable "kms_key_vault_network_access" {
type = string
description = "(Optional) Network Access of Azure Key Vault. Possible values are: `Private` and `Public`. If not set, defaults to type `Public`."
default = null
mkilchhofer marked this conversation as resolved.
Show resolved Hide resolved
}

variable "kubernetes_version" {
type = string
description = "Specify which Kubernetes release to use. The default used is the latest Kubernetes version available in the region"
Expand Down