azurerm_kubernetes_cluster support for open_service_mesh (#13462)

Reworked from existing PR #11189 to address remaining comments.

Fixes #13434

internal/services/containers/kubernetes_addons.go

@@ -24,6 +24,7 @@ const (
 	httpApplicationRoutingKey    = "httpApplicationRouting"
 	omsAgentKey                  = "omsagent"
 	ingressApplicationGatewayKey = "ingressApplicationGateway"
+	openServiceMeshKey           = "openServiceMesh"
 )
 
 // The AKS API hard-codes which add-ons are supported in which environment
@@ -36,11 +37,13 @@ var unsupportedAddonsForEnvironment = map[string][]string{
 		aciConnectorKey,           // https://github.com/hashicorp/terraform-provider-azurerm/issues/5510
 		httpApplicationRoutingKey, // https://github.com/hashicorp/terraform-provider-azurerm/issues/5960
 		kubernetesDashboardKey,    // https://github.com/hashicorp/terraform-provider-azurerm/issues/7487
+		openServiceMeshKey,        // Preview features are not supported in Azure China
 	},
 	azure.USGovernmentCloud.Name: {
 		azurePolicyKey,            // https://github.com/hashicorp/terraform-provider-azurerm/issues/6702
 		httpApplicationRoutingKey, // https://github.com/hashicorp/terraform-provider-azurerm/issues/5960
 		kubernetesDashboardKey,    // https://github.com/hashicorp/terraform-provider-azurerm/issues/7136
+		openServiceMeshKey,        // Preview features are not supported in Azure Government
 	},
 }
 
@@ -218,6 +221,20 @@ func schemaKubernetesAddOnProfiles() *pluginsdk.Schema {
 						},
 					},
 				},
+
+				"open_service_mesh": {
+					Type:     pluginsdk.TypeList,
+					MaxItems: 1,
+					Optional: true,
+					Elem: &pluginsdk.Resource{
+						Schema: map[string]*pluginsdk.Schema{
+							"enabled": {
+								Type:     pluginsdk.TypeBool,
+								Required: true,
+							},
+						},
+					},
+				},
 			},
 		},
 	}
@@ -235,6 +252,7 @@ func expandKubernetesAddOnProfiles(input []interface{}, env azure.Environment) (
 		httpApplicationRoutingKey:    &disabled,
 		omsAgentKey:                  &disabled,
 		ingressApplicationGatewayKey: &disabled,
+		openServiceMeshKey:           &disabled,
 	}
 
 	if len(input) == 0 || input[0] == nil {
@@ -341,6 +359,18 @@ func expandKubernetesAddOnProfiles(input []interface{}, env azure.Environment) (
 		}
 	}
 
+	openServiceMesh := profile["open_service_mesh"].([]interface{})
+	if len(openServiceMesh) > 0 && openServiceMesh[0] != nil {
+		value := openServiceMesh[0].(map[string]interface{})
+		enabled := value["enabled"].(bool)
+
+		addonProfiles[openServiceMeshKey] = &containerservice.ManagedClusterAddonProfile{
+			Enabled: utils.Bool(enabled),
+			Config:  nil,
+		}
+
+	}
+
 	return filterUnsupportedKubernetesAddOns(addonProfiles, env)
 }
 
@@ -502,8 +532,20 @@ func flattenKubernetesAddOnProfiles(profile map[string]*containerservice.Managed
 		})
 	}
 
+	openServiceMeshes := make([]interface{}, 0)
+	if openServiceMesh := kubernetesAddonProfileLocate(profile, openServiceMeshKey); openServiceMesh != nil {
+		enabled := false
+		if enabledVal := openServiceMesh.Enabled; enabledVal != nil {
+			enabled = *enabledVal
+		}
+
+		openServiceMeshes = append(openServiceMeshes, map[string]interface{}{
+			"enabled": enabled,
+		})
+	}
+
 	// this is a UX hack, since if the top level block isn't defined everything should be turned off
-	if len(aciConnectors) == 0 && len(azurePolicies) == 0 && len(httpApplicationRoutes) == 0 && len(kubeDashboards) == 0 && len(omsAgents) == 0 && len(ingressApplicationGateways) == 0 {
+	if len(aciConnectors) == 0 && len(azurePolicies) == 0 && len(httpApplicationRoutes) == 0 && len(kubeDashboards) == 0 && len(omsAgents) == 0 && len(ingressApplicationGateways) == 0 && len(openServiceMeshes) == 0 {
 		return []interface{}{}
 	}
 
@@ -515,6 +557,7 @@ func flattenKubernetesAddOnProfiles(profile map[string]*containerservice.Managed
 			"kube_dashboard":              kubeDashboards,
 			"oms_agent":                   omsAgents,
 			"ingress_application_gateway": ingressApplicationGateways,
+			"open_service_mesh":           openServiceMeshes,
 		},
 	}
 }

internal/services/containers/kubernetes_cluster_addons_resource_test.go

@@ -19,6 +19,7 @@ var kubernetesAddOnTests = map[string]func(t *testing.T){
 	"addonProfileAppGatewayAppGatewayId":    testAccKubernetesCluster_addonProfileIngressApplicationGateway_appGatewayId,
 	"addonProfileAppGatewaySubnetCIDR":      testAccKubernetesCluster_addonProfileIngressApplicationGateway_subnetCIDR,
 	"addonProfileAppGatewaySubnetID":        testAccKubernetesCluster_addonProfileIngressApplicationGateway_subnetId,
+	"addonProfileOpenServiceMesh":           testAccKubernetesCluster_addonProfileOpenServiceMesh,
 }
 
 var addOnAppGatewaySubnetCIDR string = "10.241.0.0/16" // AKS will use 10.240.0.0/16 for the aks subnet so use 10.241.0.0/16 for the app gateway subnet
@@ -341,6 +342,39 @@ func testAccKubernetesCluster_addonProfileIngressApplicationGateway_subnetId(t *
 	})
 }
 
+func TestAccKubernetesCluster_addonProfileOpenServiceMesh(t *testing.T) {
+	checkIfShouldRunTestsIndividually(t)
+	testAccKubernetesCluster_addonProfileOpenServiceMesh(t)
+}
+
+func testAccKubernetesCluster_addonProfileOpenServiceMesh(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test")
+	r := KubernetesClusterResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			// Enable OSM
+			Config: r.addonProfileOpenServiceMeshConfig(data, true),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("addon_profile.0.open_service_mesh.#").HasValue("1"),
+				check.That(data.ResourceName).Key("addon_profile.0.open_service_mesh.0.enabled").HasValue("true"),
+			),
+		},
+		data.ImportStep(),
+		{
+			// Disable OSM
+			Config: r.addonProfileOpenServiceMeshConfig(data, false),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("addon_profile.0.open_service_mesh.#").HasValue("1"),
+				check.That(data.ResourceName).Key("addon_profile.0.open_service_mesh.0.enabled").HasValue("false"),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func (KubernetesClusterResource) addonProfileAciConnectorLinuxConfig(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {
@@ -1095,3 +1129,47 @@ resource "azurerm_kubernetes_cluster" "test" {
 }
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger)
 }
+
+func (KubernetesClusterResource) addonProfileOpenServiceMeshConfig(data acceptance.TestData, enabled bool) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-aks-%d"
+  location = "%s"
+}
+
+resource "azurerm_kubernetes_cluster" "test" {
+  name                = "acctestaks%d"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  dns_prefix          = "acctestaks%d"
+
+  linux_profile {
+    admin_username = "acctestuser%d"
+
+    ssh_key {
+      key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt [email protected]"
+    }
+  }
+
+  default_node_pool {
+    name       = "default"
+    node_count = 1
+    vm_size    = "Standard_DS2_v2"
+  }
+
+  addon_profile {
+    open_service_mesh {
+      enabled = %t
+    }
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, enabled)
+}

internal/services/containers/kubernetes_cluster_data_source.go

@@ -167,6 +167,19 @@ func dataSourceKubernetesCluster() *pluginsdk.Resource {
 								},
 							},
 						},
+
+						"open_service_mesh": {
+							Type:     pluginsdk.TypeList,
+							Computed: true,
+							Elem: &pluginsdk.Resource{
+								Schema: map[string]*pluginsdk.Schema{
+									"enabled": {
+										Type:     pluginsdk.TypeBool,
+										Computed: true,
+									},
+								},
+							},
+						},
 					},
 				},
 			},
@@ -925,6 +938,20 @@ func flattenKubernetesClusterDataSourceAddonProfiles(profile map[string]*contain
 	}
 	values["ingress_application_gateway"] = ingressApplicationGateways
 
+	openServiceMeshes := make([]interface{}, 0)
+	if openServiceMesh := kubernetesAddonProfileLocate(profile, openServiceMeshKey); openServiceMesh != nil {
+		enabled := false
+		if enabledVal := openServiceMesh.Enabled; enabledVal != nil {
+			enabled = *enabledVal
+		}
+
+		output := map[string]interface{}{
+			"enabled": enabled,
+		}
+		openServiceMeshes = append(openServiceMeshes, output)
+	}
+	values["open_service_mesh"] = openServiceMeshes
+
 	return []interface{}{values}
 }
 

internal/services/containers/kubernetes_cluster_data_source_test.go

@@ -33,6 +33,7 @@ var kubernetesDataSourceTests = map[string]func(t *testing.T){
 	"addOnProfileIngressApplicationGateewayAppGateway": testAccDataSourceKubernetesCluster_addOnProfileIngressApplicationGatewayAppGateway,
 	"addOnProfileIngressApplicationGateewaySubnetCIDR": testAccDataSourceKubernetesCluster_addOnProfileIngressApplicationGatewaySubnetCIDR,
 	"addOnProfileIngressApplicationGateewaySubnetId":   testAccDataSourceKubernetesCluster_addOnProfileIngressApplicationGatewaySubnetId,
+	"addOnProfileOpenServiceMesh":                      testAccDataSourceKubernetesCluster_addOnProfileOpenServiceMesh,
 	"autoscalingNoAvailabilityZones":                   testAccDataSourceKubernetesCluster_autoscalingNoAvailabilityZones,
 	"autoscalingWithAvailabilityZones":                 testAccDataSourceKubernetesCluster_autoscalingWithAvailabilityZones,
 	"nodeLabels":                                       testAccDataSourceKubernetesCluster_nodeLabels,
@@ -556,6 +557,26 @@ func testAccDataSourceKubernetesCluster_addOnProfileIngressApplicationGatewaySub
 	})
 }
 
+func TestAccDataSourceKubernetesCluster_addOnProfileOpenServiceMesh(t *testing.T) {
+	checkIfShouldRunTestsIndividually(t)
+	testAccDataSourceKubernetesCluster_addOnProfileOpenServiceMesh(t)
+}
+
+func testAccDataSourceKubernetesCluster_addOnProfileOpenServiceMesh(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test")
+	r := KubernetesClusterDataSource{}
+
+	data.DataSourceTest(t, []acceptance.TestStep{
+		{
+			Config: r.addOnProfileOpenServiceMeshConfig(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).Key("addon_profile.0.open_service_mesh.#").HasValue("1"),
+				check.That(data.ResourceName).Key("addon_profile.0.open_service_mesh.0.enabled").HasValue("true"),
+			),
+		},
+	})
+}
+
 func TestAccDataSourceKubernetesCluster_autoscalingNoAvailabilityZones(t *testing.T) {
 	checkIfShouldRunTestsIndividually(t)
 	testAccDataSourceKubernetesCluster_autoscalingNoAvailabilityZones(t)
@@ -864,6 +885,17 @@ data "azurerm_kubernetes_cluster" "test" {
 `, KubernetesClusterResource{}.addonProfileIngressApplicationGatewaySubnetIdConfig(data))
 }
 
+func (KubernetesClusterDataSource) addOnProfileOpenServiceMeshConfig(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+data "azurerm_kubernetes_cluster" "test" {
+  name                = azurerm_kubernetes_cluster.test.name
+  resource_group_name = azurerm_kubernetes_cluster.test.resource_group_name
+}
+`, KubernetesClusterResource{}.addonProfileOpenServiceMeshConfig(data, true))
+}
+
 func (KubernetesClusterDataSource) autoScalingNoAvailabilityZonesConfig(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %s

website/docs/d/kubernetes_cluster.html.markdown

@@ -100,6 +100,8 @@ A `addon_profile` block exports the following:
 
 * `ingress_application_gateway` - An `ingress_application_gateway` block.
 
+* `open_service_mesh` - An `open_service_mesh` block.
+
 ---
 
 A `agent_pool_profile` block exports the following:
@@ -290,6 +292,12 @@ The `ingress_application_gateway_identity` block exports the following:
 
 ---
 
+An `open_service_mesh` block supports the following:
+
+* `enabled` - Is Open Service Mesh enabled?
+
+---
+
 A `role_based_access_control` block exports the following:
 
 * `azure_active_directory` - A `azure_active_directory` block as documented above.

website/docs/r/kubernetes_cluster.html.markdown

@@ -231,6 +231,12 @@ A `addon_profile` block supports the following:
 
 * `ingress_application_gateway` - (Optional) An `ingress_application_gateway` block as defined below.
 
+* `open_service_mesh` - (Optional) An `open_service_mesh` block as defined below. For more details, please visit [Open Service Mesh for AKS](https://docs.microsoft.com/azure/aks/open-service-mesh-about).
+
+-> **NOTE.** At this time Open Service Mesh is not supported in Azure US government or Azure China.
+
+-> **NOTE.** Open Service Mesh is available on an opt-in preview basis. For more details about how to opt-in, please visit [Open Service Mesh for AKS](https://docs.microsoft.com/azure/aks/open-service-mesh-deploy-add-on#register-the-aks-openservicemesh-preview-feature)
+
 ---
 
 An `auto_scaler_profile` block supports the following:
@@ -564,6 +570,12 @@ An `ingress_application_gateway` block supports the following:
 
 ---
 
+An `open_service_mesh` block supports the following:
+
+* `enabled` - Is Open Service Mesh enabled?
+
+---
+
 A `role_based_access_control` block supports the following:
 
 * `azure_active_directory` - (Optional) An `azure_active_directory` block.