diff --git a/internal/services/containers/kubernetes_addons.go b/internal/services/containers/kubernetes_addons.go
index 885fd8cfc562..59b6307c8a57 100644
--- a/internal/services/containers/kubernetes_addons.go
+++ b/internal/services/containers/kubernetes_addons.go
@@ -7,7 +7,6 @@ import (
 	"github.com/Azure/azure-sdk-for-go/services/preview/containerservice/mgmt/2022-01-02-preview/containerservice"
 	"github.com/Azure/go-autorest/autorest/azure"
 	commonValidate "github.com/hashicorp/terraform-provider-azurerm/helpers/validate"
-	"github.com/hashicorp/terraform-provider-azurerm/internal/features"
 	containerValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/containers/validate"
 	laparse "github.com/hashicorp/terraform-provider-azurerm/internal/services/loganalytics/parse"
 	logAnalyticsValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/loganalytics/validate"
@@ -22,7 +21,6 @@ const (
 	// note: the casing on these keys is important
 	aciConnectorKey = "aciConnectorLinux"
 	azurePolicyKey = "azurepolicy"
-	kubernetesDashboardKey = "kubeDashboard"
 	httpApplicationRoutingKey = "httpApplicationRouting"
 	omsAgentKey = "omsagent"
 	ingressApplicationGatewayKey = "ingressApplicationGateway"
@@ -45,296 +43,12 @@ var unsupportedAddonsForEnvironment = map[string][]string{ }, } -// CLEANUP: 3.0 - Remove this schema as it's deprecated -func schemaKubernetesAddOnProfiles() *pluginsdk.Schema { - //lintignore:XS003 - return &pluginsdk.Schema{ - Type: pluginsdk.TypeList, - MaxItems: 1, - Optional: true, - Computed: true, - ConflictsWith: []string{ - "aci_connector_linux", - "azure_policy_enabled", - "http_application_routing_enabled", - "oms_agent", - "ingress_application_gateway", - "open_service_mesh_enabled", - "key_vault_secrets_provider", - }, - Deprecated: "`addon_profile` block has been deprecated and will be removed in version 3.0 of the AzureRM Provider. All properties within the block will move to the top level.", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "aci_connector_linux": { - Type: pluginsdk.TypeList, - MaxItems: 1, - Optional: true, - Deprecated: "`addon_profile.0.aci_connector_linux` block has been deprecated in favour of the `aci_connector_linux` block and will be removed in version 3.0 of the AzureRM Provider.", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Required: true, - Deprecated: "`addon_profile.0.aci_connector_linux.0.enabled` has been deprecated and will be removed in version 3.0 of the AzureRM Provider.", - }, - - "subnet_name": { - Type: pluginsdk.TypeString, - Optional: true, - ValidateFunc: validation.StringIsNotEmpty, - Deprecated: "`addon_profile.0.aci_connector_linux.0.subnet_name` has been deprecated in favour of `aci_connector_linux.0.subnet_name` and will be removed in version 3.0 of the AzureRM Provider.", - }, - }, - }, - }, - - "azure_policy": { - Type: pluginsdk.TypeList, - MaxItems: 1, - Optional: true, - Deprecated: "`addon_profile.0.azure_policy` has been deprecated in favour of `azure_policy_enabled` and will be removed in version 3.0 of the AzureRM Provider.", - Elem: &pluginsdk.Resource{ - Schema: 
map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Required: true, - Deprecated: "`addon_profile.0.azure_policy.0.enabled` has been deprecated and will be removed in version 3.0 of the AzureRM Provider.", - }, - }, - }, - }, - - "kube_dashboard": { - Type: pluginsdk.TypeList, - MaxItems: 1, - Optional: true, - Deprecated: "`kube_dashboard` has been deprecated since it is no longer supported by Kubernetes versions 1.19 or above, this property will be removed in version 3.0 of the AzureRM Provider.", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Required: true, - }, - }, - }, - }, - - "http_application_routing": { - Type: pluginsdk.TypeList, - MaxItems: 1, - Optional: true, - Deprecated: "`addon_profile.0.http_application_routing` block has been deprecated in favour of the `http_application_routing_enabled` property and will be removed in version 3.0 of the AzureRM Provider.", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Required: true, - Deprecated: "`addon_profile.0.http_application_routing.0.enabled` has been deprecated and will be removed in version 3.0 of the AzureRM Provider.", - }, - "http_application_routing_zone_name": { - Type: pluginsdk.TypeString, - Computed: true, - Deprecated: "`addon_profile.0.http_application_routing.0.http_application_routing_zone_name` has been deprecated in favour of `http_application_routing_zone_name` and will be removed in version 3.0 of the AzureRM Provider.", - }, - }, - }, - }, - - "oms_agent": { - Type: pluginsdk.TypeList, - MaxItems: 1, - Optional: true, - Deprecated: "`addon_profile.0.oms_agent` block has been deprecated in favour of the `oms_agent` block and will be removed in version 3.0 of the AzureRM Provider.", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Required: true, - Deprecated: 
"`addon_profile.0.oms_agent.0.enabled` has been deprecated and will be removed in version 3.0 of the AzureRM Provider.", - }, - "log_analytics_workspace_id": { - Type: pluginsdk.TypeString, - Optional: true, - ValidateFunc: logAnalyticsValidate.LogAnalyticsWorkspaceID, - Deprecated: "`addon_profile.0.oms_agent.0.log_analytics_workspace_id` has been deprecated in favour of `oms_agent.0.log_analytics_workspace_id` and will be removed in version 3.0 of the AzureRM Provider.", - }, - "oms_agent_identity": { - Type: pluginsdk.TypeList, - Computed: true, - Deprecated: "`addon_profile.0.oms_agent.0.oms_agent_identity` has been deprecated in favour of `oms_agent.0.oms_agent_identity` and will be removed in version 3.0 of the AzureRM Provider.", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "client_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "object_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "user_assigned_identity_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - }, - }, - }, - }, - }, - }, - - "ingress_application_gateway": { - Type: pluginsdk.TypeList, - MaxItems: 1, - Optional: true, - Deprecated: "`addon_profile.0.ingress_application_gateway` block has been deprecated in favour of the `ingress_application_gateway` block and will be removed in version 3.0 of the AzureRM Provider.", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Required: true, - Deprecated: "`addon_profile.0.ingress_application_gateway.0.enabled` has been deprecated and will be removed in version 3.0 of the AzureRM Provider.", - }, - "gateway_id": { - Type: pluginsdk.TypeString, - Optional: true, - ConflictsWith: []string{"addon_profile.0.ingress_application_gateway.0.subnet_cidr", "addon_profile.0.ingress_application_gateway.0.subnet_id"}, - ValidateFunc: applicationGatewayValidate.ApplicationGatewayID, - Deprecated: 
"`addon_profile.0.ingress_application_gateway.0.gateway_id` has been deprecated in favour of `ingress_application_gateway.0.gateway_id` and will be removed in version 3.0 of the AzureRM Provider.", - }, - "gateway_name": { - Type: pluginsdk.TypeString, - Optional: true, - ValidateFunc: validation.StringIsNotEmpty, - Deprecated: "`addon_profile.0.ingress_application_gateway.0.gateway_name` has been deprecated in favour of `ingress_application_gateway.0.gateway_name` and will be removed in version 3.0 of the AzureRM Provider.", - }, - "subnet_cidr": { - Type: pluginsdk.TypeString, - Optional: true, - ConflictsWith: []string{"addon_profile.0.ingress_application_gateway.0.gateway_id", "addon_profile.0.ingress_application_gateway.0.subnet_id"}, - ValidateFunc: commonValidate.CIDR, - Deprecated: "`addon_profile.0.ingress_application_gateway.0.subnet_cidr` has been deprecated in favour of `ingress_application_gateway.0.subnet_cidr` and will be removed in version 3.0 of the AzureRM Provider.", - }, - "subnet_id": { - Type: pluginsdk.TypeString, - Optional: true, - ConflictsWith: []string{"addon_profile.0.ingress_application_gateway.0.gateway_id", "addon_profile.0.ingress_application_gateway.0.subnet_cidr"}, - ValidateFunc: subnetValidate.SubnetID, - Deprecated: "`addon_profile.0.ingress_application_gateway.0.subnet_id` has been deprecated in favour of `ingress_application_gateway.0.subnet_id` and will be removed in version 3.0 of the AzureRM Provider.", - }, - "effective_gateway_id": { - Type: pluginsdk.TypeString, - Computed: true, - Deprecated: "`addon_profile.0.ingress_application_gateway.0.effective_gateway_id` has been deprecated in favour of `ingress_application_gateway.0.effective_gateway_id` and will be removed in version 3.0 of the AzureRM Provider.", - }, - "ingress_application_gateway_identity": { - Type: pluginsdk.TypeList, - Computed: true, - Deprecated: "`addon_profile.0.ingress_application_gateway.0.ingress_application_gateway_identity` has been deprecated 
in favour of `ingress_application_gateway.0.ingress_application_gateway_identity` and will be removed in version 3.0 of the AzureRM Provider.", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "client_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "object_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "user_assigned_identity_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - }, - }, - }, - }, - }, - }, - - "open_service_mesh": { - Type: pluginsdk.TypeList, - MaxItems: 1, - Optional: true, - Deprecated: "`addon_profile.0.open_service_mesh` has been deprecated in favour of `open_service_mesh_enabled` and will be removed in version 3.0 of the AzureRM Provider.", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Required: true, - Deprecated: "`addon_profile.0.open_service_mesh.0.enabled` has been deprecated and will be removed in version 3.0 of the AzureRM Provider.", - }, - }, - }, - }, - - "azure_keyvault_secrets_provider": { - Type: pluginsdk.TypeList, - MaxItems: 1, - Optional: true, - Deprecated: "`addon_profile.0.azure_keyvault_secrets_provider` block has been deprecated in favour of the `key_vault_secrets_provider` block and will be removed in version 3.0 of the AzureRM Provider.", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Required: true, - Deprecated: "`addon_profile.0.azure_keyvault_secrets_provider.0.enabled` has been deprecated and will be removed in version 3.0 of the AzureRM Provider.", - }, - "secret_rotation_enabled": { - Type: pluginsdk.TypeBool, - Default: false, - Optional: true, - Deprecated: "`addon_profile.0.azure_keyvault_secrets_provider.0.secret_rotation_enabled` has been deprecated in favour of `key_vault_secrets_provider.0.secret_rotation_enabled` and will be removed in version 3.0 of the AzureRM Provider.", - }, - "secret_rotation_interval": { - 
Type: pluginsdk.TypeString, - Optional: true, - Default: "2m", - ValidateFunc: containerValidate.Duration, - Deprecated: "`addon_profile.0.azure_keyvault_secrets_provider.0.secret_rotation_interval` has been deprecated in favour of `key_vault_secrets_provider.0.secret_rotation_interval` and will be removed in version 3.0 of the AzureRM Provider.", - }, - "secret_identity": { - Type: pluginsdk.TypeList, - Computed: true, - Deprecated: "`addon_profile.0.azure_keyvault_secrets_provider.0.secret_identity` has been deprecated in favour of `key_vault_secrets_provider.0.secret_identity` and will be removed in version 3.0 of the AzureRM Provider.", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "client_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "object_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "user_assigned_identity_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - }, - }, - }, - }, - }, - }, - }, - }, - } -} - func schemaKubernetesAddOns() map[string]*pluginsdk.Schema { out := map[string]*pluginsdk.Schema{ "aci_connector_linux": { Type: pluginsdk.TypeList, MaxItems: 1, Optional: true, - Computed: !features.ThreePointOhBeta(), - ConflictsWith: func() []string { - if !features.ThreePointOhBeta() { - return []string{"addon_profile"} - } - return []string{} - }(), Elem: &pluginsdk.Resource{ Schema: map[string]*pluginsdk.Schema{ "subnet_name": { 
@@ -348,24 +62,10 @@ func schemaKubernetesAddOns() map[string]*pluginsdk.Schema { "azure_policy_enabled": { Type: pluginsdk.TypeBool, Optional: true, - Computed: !features.ThreePointOhBeta(), - ConflictsWith: func() []string { - if !features.ThreePointOhBeta() { - return []string{"addon_profile"} - } - return []string{} - }(), }, "http_application_routing_enabled": { Type: pluginsdk.TypeBool, Optional: true, - Computed: !features.ThreePointOhBeta(), - ConflictsWith: func() []string { - if !features.ThreePointOhBeta() { - return []string{"addon_profile"} - } - return []string{} - }(), }, "http_application_routing_zone_name": { Type: pluginsdk.TypeString, @@ -375,7 +75,6 @@ func schemaKubernetesAddOns() map[string]*pluginsdk.Schema { Type: pluginsdk.TypeList, MaxItems: 1, Optional: true, - Computed: !features.ThreePointOhBeta(), Elem: &pluginsdk.Resource{ Schema: map[string]*pluginsdk.Schema{ "log_analytics_workspace_id": { @@ -405,24 +104,11 @@ func schemaKubernetesAddOns() map[string]*pluginsdk.Schema { }, }, }, - ConflictsWith: func() []string { - if !features.ThreePointOhBeta() { - return []string{"addon_profile"} - } - return []string{} - }(), }, "ingress_application_gateway": { Type: pluginsdk.TypeList, MaxItems: 1, Optional: true, - Computed: !features.ThreePointOhBeta(), - ConflictsWith: func() []string { - if !features.ThreePointOhBeta() { - return []string{"addon_profile"} - } - return []string{} - }(), Elem: &pluginsdk.Resource{ Schema: map[string]*pluginsdk.Schema{ "gateway_id": { 
@@ -502,25 +188,11 @@ func schemaKubernetesAddOns() map[string]*pluginsdk.Schema { "open_service_mesh_enabled": { Type: pluginsdk.TypeBool, Optional: true, - Computed: !features.ThreePointOhBeta(), - ConflictsWith: func() []string { - if !features.ThreePointOhBeta() { - return []string{"addon_profile"} - } - return []string{} - }(), }, "key_vault_secrets_provider": { Type: pluginsdk.TypeList, MaxItems: 1, Optional: true, - Computed: !features.ThreePointOhBeta(), - ConflictsWith: func() []string { - if !features.ThreePointOhBeta() { - return []string{"addon_profile"} - } - return []string{} - }(), Elem: &pluginsdk.Resource{ Schema: map[string]*pluginsdk.Schema{ "secret_rotation_enabled": { 
@@ -567,167 +239,9 @@ func schemaKubernetesAddOns() map[string]*pluginsdk.Schema { }, } - if !features.ThreePointOhBeta() { - out["addon_profile"] = schemaKubernetesAddOnProfiles() - } - return out } -// CLEANUP: 3.0 - Remove this function -func expandKubernetesAddOnProfiles(input []interface{}, env azure.Environment) (*map[string]*containerservice.ManagedClusterAddonProfile, error) { - disabled := containerservice.ManagedClusterAddonProfile{ - Enabled: utils.Bool(false), - } - - profiles := map[string]*containerservice.ManagedClusterAddonProfile{ - aciConnectorKey: &disabled, - azurePolicyKey: &disabled, - kubernetesDashboardKey: &disabled, - httpApplicationRoutingKey: &disabled, - omsAgentKey: &disabled, - ingressApplicationGatewayKey: &disabled, - openServiceMeshKey: &disabled, - azureKeyvaultSecretsProviderKey: &disabled, - } - - if len(input) == 0 || input[0] == nil { - return filterUnsupportedKubernetesAddOns(profiles, env) - } - - profile := input[0].(map[string]interface{}) - addonProfiles := map[string]*containerservice.ManagedClusterAddonProfile{} - - httpApplicationRouting := profile["http_application_routing"].([]interface{}) - if len(httpApplicationRouting) > 0 && httpApplicationRouting[0] != nil { - value := httpApplicationRouting[0].(map[string]interface{}) - enabled := value["enabled"].(bool) - addonProfiles[httpApplicationRoutingKey] = &containerservice.ManagedClusterAddonProfile{ - Enabled: utils.Bool(enabled), - } - } - - omsAgent := profile["oms_agent"].([]interface{}) - if len(omsAgent) > 0 && omsAgent[0] != nil { - value := omsAgent[0].(map[string]interface{}) - config := make(map[string]*string) - enabled := value["enabled"].(bool) - - if workspaceID, ok := value["log_analytics_workspace_id"]; ok && workspaceID != "" { - lawid, err := laparse.LogAnalyticsWorkspaceID(workspaceID.(string)) - if err != nil { - return nil, fmt.Errorf("parsing Log Analytics Workspace ID: %+v", err) - } - config["logAnalyticsWorkspaceResourceID"] = 
utils.String(lawid.ID()) - } - - addonProfiles[omsAgentKey] = &containerservice.ManagedClusterAddonProfile{ - Enabled: utils.Bool(enabled), - Config: config, - } - } - - aciConnector := profile["aci_connector_linux"].([]interface{}) - if len(aciConnector) > 0 && aciConnector[0] != nil { - value := aciConnector[0].(map[string]interface{}) - config := make(map[string]*string) - enabled := value["enabled"].(bool) - - if subnetName, ok := value["subnet_name"]; ok && subnetName != "" { - config["SubnetName"] = utils.String(subnetName.(string)) - } - - addonProfiles[aciConnectorKey] = &containerservice.ManagedClusterAddonProfile{ - Enabled: utils.Bool(enabled), - Config: config, - } - } - - kubeDashboard := profile["kube_dashboard"].([]interface{}) - if len(kubeDashboard) > 0 && kubeDashboard[0] != nil { - value := kubeDashboard[0].(map[string]interface{}) - enabled := value["enabled"].(bool) - - addonProfiles[kubernetesDashboardKey] = &containerservice.ManagedClusterAddonProfile{ - Enabled: utils.Bool(enabled), - Config: nil, - } - } - - azurePolicy := profile["azure_policy"].([]interface{}) - if len(azurePolicy) > 0 && azurePolicy[0] != nil { - value := azurePolicy[0].(map[string]interface{}) - enabled := value["enabled"].(bool) - - addonProfiles[azurePolicyKey] = &containerservice.ManagedClusterAddonProfile{ - Enabled: utils.Bool(enabled), - Config: map[string]*string{ - "version": utils.String("v2"), - }, - } - } - - ingressApplicationGateway := profile["ingress_application_gateway"].([]interface{}) - if len(ingressApplicationGateway) > 0 && ingressApplicationGateway[0] != nil { - value := ingressApplicationGateway[0].(map[string]interface{}) - config := make(map[string]*string) - enabled := value["enabled"].(bool) - - if gatewayId, ok := value["gateway_id"]; ok && gatewayId != "" { - config["applicationGatewayId"] = utils.String(gatewayId.(string)) - } - - if gatewayName, ok := value["gateway_name"]; ok && gatewayName != "" { - config["applicationGatewayName"] = 
utils.String(gatewayName.(string)) - } - - if subnetCIDR, ok := value["subnet_cidr"]; ok && subnetCIDR != "" { - config["subnetCIDR"] = utils.String(subnetCIDR.(string)) - } - - if subnetId, ok := value["subnet_id"]; ok && subnetId != "" { - config["subnetId"] = utils.String(subnetId.(string)) - } - - addonProfiles[ingressApplicationGatewayKey] = &containerservice.ManagedClusterAddonProfile{ - Enabled: utils.Bool(enabled), - Config: config, - } - } - - openServiceMesh := profile["open_service_mesh"].([]interface{}) - if len(openServiceMesh) > 0 && openServiceMesh[0] != nil { - value := openServiceMesh[0].(map[string]interface{}) - enabled := value["enabled"].(bool) - - addonProfiles[openServiceMeshKey] = &containerservice.ManagedClusterAddonProfile{ - Enabled: utils.Bool(enabled), - Config: nil, - } - } - - azureKeyvaultSecretsProvider := profile["azure_keyvault_secrets_provider"].([]interface{}) - if len(azureKeyvaultSecretsProvider) > 0 && azureKeyvaultSecretsProvider[0] != nil { - value := azureKeyvaultSecretsProvider[0].(map[string]interface{}) - config := make(map[string]*string) - enabled := value["enabled"].(bool) - - enableSecretRotation := "false" - if value["secret_rotation_enabled"].(bool) { - enableSecretRotation = "true" - } - config["enableSecretRotation"] = utils.String(enableSecretRotation) - config["rotationPollInterval"] = utils.String(value["secret_rotation_interval"].(string)) - - addonProfiles[azureKeyvaultSecretsProviderKey] = &containerservice.ManagedClusterAddonProfile{ - Enabled: utils.Bool(enabled), - Config: config, - } - } - - return filterUnsupportedKubernetesAddOns(addonProfiles, env) -} - func expandKubernetesAddOns(d *pluginsdk.ResourceData, input map[string]interface{}, env azure.Environment) (*map[string]*containerservice.ManagedClusterAddonProfile, error) { disabled := containerservice.ManagedClusterAddonProfile{ Enabled: utils.Bool(false), 
@@ -874,192 +388,6 @@ func filterUnsupportedKubernetesAddOns(input map[string]*containerservice.Manage return &output, nil } -// CLEANUP: 3.0 - Remove this function -func flattenKubernetesAddOnProfiles(profile map[string]*containerservice.ManagedClusterAddonProfile) []interface{} { - aciConnectors := make([]interface{}, 0) - if aciConnector := kubernetesAddonProfileLocate(profile, aciConnectorKey); aciConnector != nil { - enabled := false - if enabledVal := aciConnector.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - subnetName := "" - if v := aciConnector.Config["SubnetName"]; v != nil { - subnetName = *v - } - - aciConnectors = append(aciConnectors, map[string]interface{}{ - "enabled": enabled, - "subnet_name": subnetName, - }) - } - - azurePolicies := make([]interface{}, 0) - if azurePolicy := kubernetesAddonProfileLocate(profile, azurePolicyKey); azurePolicy != nil { - enabled := false - if enabledVal := azurePolicy.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - azurePolicies = append(azurePolicies, map[string]interface{}{ - "enabled": enabled, - }) - } - - httpApplicationRoutes := make([]interface{}, 0) - if httpApplicationRouting := kubernetesAddonProfileLocate(profile, httpApplicationRoutingKey); httpApplicationRouting != nil { - enabled := false - if enabledVal := httpApplicationRouting.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - zoneName := "" - if v := kubernetesAddonProfilelocateInConfig(httpApplicationRouting.Config, "HTTPApplicationRoutingZoneName"); v != nil { - zoneName = *v - } - - httpApplicationRoutes = append(httpApplicationRoutes, map[string]interface{}{ - "enabled": enabled, - "http_application_routing_zone_name": zoneName, - }) - } - - kubeDashboards := make([]interface{}, 0) - if kubeDashboard := kubernetesAddonProfileLocate(profile, kubernetesDashboardKey); kubeDashboard != nil { - enabled := false - if enabledVal := kubeDashboard.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - 
kubeDashboards = append(kubeDashboards, map[string]interface{}{ - "enabled": enabled, - }) - } - - omsAgents := make([]interface{}, 0) - if omsAgent := kubernetesAddonProfileLocate(profile, omsAgentKey); omsAgent != nil { - enabled := false - if enabledVal := omsAgent.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - workspaceID := "" - if v := kubernetesAddonProfilelocateInConfig(omsAgent.Config, "logAnalyticsWorkspaceResourceID"); v != nil { - if lawid, err := laparse.LogAnalyticsWorkspaceID(*v); err == nil { - workspaceID = lawid.ID() - } - } - - omsagentIdentity := flattenKubernetesClusterAddOnIdentityProfile(omsAgent.Identity) - - omsAgents = append(omsAgents, map[string]interface{}{ - "enabled": enabled, - "log_analytics_workspace_id": workspaceID, - "oms_agent_identity": omsagentIdentity, - }) - } - - ingressApplicationGateways := make([]interface{}, 0) - if ingressApplicationGateway := kubernetesAddonProfileLocate(profile, ingressApplicationGatewayKey); ingressApplicationGateway != nil { - enabled := false - if enabledVal := ingressApplicationGateway.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - gatewayId := "" - if v := kubernetesAddonProfilelocateInConfig(ingressApplicationGateway.Config, "applicationGatewayId"); v != nil { - gatewayId = *v - } - - gatewayName := "" - if v := kubernetesAddonProfilelocateInConfig(ingressApplicationGateway.Config, "applicationGatewayName"); v != nil { - gatewayName = *v - } - - effectiveGatewayId := "" - if v := kubernetesAddonProfilelocateInConfig(ingressApplicationGateway.Config, "effectiveApplicationGatewayId"); v != nil { - effectiveGatewayId = *v - } - - subnetCIDR := "" - if v := kubernetesAddonProfilelocateInConfig(ingressApplicationGateway.Config, "subnetCIDR"); v != nil { - subnetCIDR = *v - } - - subnetId := "" - if v := kubernetesAddonProfilelocateInConfig(ingressApplicationGateway.Config, "subnetId"); v != nil { - subnetId = *v - } - - ingressApplicationGatewayIdentity := 
flattenKubernetesClusterAddOnIdentityProfile(ingressApplicationGateway.Identity) - - ingressApplicationGateways = append(ingressApplicationGateways, map[string]interface{}{ - "enabled": enabled, - "gateway_id": gatewayId, - "gateway_name": gatewayName, - "effective_gateway_id": effectiveGatewayId, - "subnet_cidr": subnetCIDR, - "subnet_id": subnetId, - "ingress_application_gateway_identity": ingressApplicationGatewayIdentity, - }) - } - - openServiceMeshes := make([]interface{}, 0) - if openServiceMesh := kubernetesAddonProfileLocate(profile, openServiceMeshKey); openServiceMesh != nil { - enabled := false - if enabledVal := openServiceMesh.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - openServiceMeshes = append(openServiceMeshes, map[string]interface{}{ - "enabled": enabled, - }) - } - - azureKeyvaultSecretsProviders := make([]interface{}, 0) - if azureKeyvaultSecretsProvider := kubernetesAddonProfileLocate(profile, azureKeyvaultSecretsProviderKey); azureKeyvaultSecretsProvider != nil { - enabled := false - if enabledVal := azureKeyvaultSecretsProvider.Enabled; enabledVal != nil { - enabled = *enabledVal - } - enableSecretRotation := false - if v := kubernetesAddonProfilelocateInConfig(azureKeyvaultSecretsProvider.Config, "enableSecretRotation"); v != nil && *v != "false" { - enableSecretRotation = true - } - rotationPollInterval := "" - if v := kubernetesAddonProfilelocateInConfig(azureKeyvaultSecretsProvider.Config, "rotationPollInterval"); v != nil { - rotationPollInterval = *v - } - - azureKeyvaultSecretsProviderIdentity := flattenKubernetesClusterAddOnIdentityProfile(azureKeyvaultSecretsProvider.Identity) - - azureKeyvaultSecretsProviders = append(azureKeyvaultSecretsProviders, map[string]interface{}{ - "enabled": enabled, - "secret_rotation_enabled": enableSecretRotation, - "secret_rotation_interval": rotationPollInterval, - "secret_identity": azureKeyvaultSecretsProviderIdentity, - }) - } - - // this is a UX hack, since if the top level block 
isn't defined everything should be turned off - if len(aciConnectors) == 0 && len(azurePolicies) == 0 && len(httpApplicationRoutes) == 0 && len(kubeDashboards) == 0 && len(omsAgents) == 0 && len(ingressApplicationGateways) == 0 && len(openServiceMeshes) == 0 && len(azureKeyvaultSecretsProviders) == 0 { - return []interface{}{} - } - - return []interface{}{ - map[string]interface{}{ - "aci_connector_linux": aciConnectors, - "azure_policy": azurePolicies, - "http_application_routing": httpApplicationRoutes, - "kube_dashboard": kubeDashboards, - "oms_agent": omsAgents, - "ingress_application_gateway": ingressApplicationGateways, - "open_service_mesh": openServiceMeshes, - "azure_keyvault_secrets_provider": azureKeyvaultSecretsProviders, - }, - } -} - func flattenKubernetesAddOns(profile map[string]*containerservice.ManagedClusterAddonProfile) map[string]interface{} { aciConnectors := make([]interface{}, 0) if aciConnector := kubernetesAddonProfileLocate(profile, aciConnectorKey); aciConnector != nil { diff --git a/internal/services/containers/kubernetes_cluster_addons_resource_test.go b/internal/services/containers/kubernetes_cluster_addons_resource_test.go index 79c5af6531ca..cd2b4b3db1c1 100644 --- a/internal/services/containers/kubernetes_cluster_addons_resource_test.go +++ b/internal/services/containers/kubernetes_cluster_addons_resource_test.go @@ -6,7 +6,6 @@ import ( "github.com/hashicorp/terraform-provider-azurerm/internal/acceptance" "github.com/hashicorp/terraform-provider-azurerm/internal/acceptance/check" - "github.com/hashicorp/terraform-provider-azurerm/internal/features" ) var addOnAppGatewaySubnetCIDR string = "10.241.0.0/16" // AKS will use 10.240.0.0/16 for the aks subnet so use 10.241.0.0/16 for the app gateway subnet 
@@ -73,28 +72,22 @@ func TestAccKubernetesCluster_addonProfileAzurePolicy(t *testing.T) { }) } -func TestAccKubernetesCluster_addonProfileKubeDashboard(t *testing.T) { - if features.ThreePointOhBeta() { - t.Skip("This functionality is not applicable in 3.0 mode") - } - +func TestAccKubernetesCluster_addonProfileOMS(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test") r := KubernetesClusterResource{} data.ResourceTest(t, r, []acceptance.TestStep{ { - Config: r.addonProfileKubeDashboardConfig(data), + Config: r.addonProfileOMSConfig(data), Check: acceptance.ComposeTestCheckFunc( check.That(data.ResourceName).ExistsInAzure(r), - check.That(data.ResourceName).Key("addon_profile.0.kube_dashboard.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.kube_dashboard.0.enabled").HasValue("false"), ), }, data.ImportStep(), }) } -func TestAccKubernetesCluster_addonProfileOMS(t *testing.T) { +func TestAccKubernetesCluster_addonProfileOMSToggle(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test") r := KubernetesClusterResource{} 
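Review bot: `TestAccKubernetesCluster_addonProfileOMS` now keeps only the `ExistsInAzure` check after the two `kube_dashboard` `Key(...)` assertions were dropped, so the test no longer verifies the addon it is named for. Adding `check.That(data.ResourceName).Key("oms_agent.#").HasValue("1"),` next to the existing check would pin that the `oms_agent` block is actually applied; the disabled step added in the next hunk has the same gap, where `HasValue("0")` would confirm the toggle took effect. With the `kube_dashboard` checks and the `kubernetesDashboardKey` constant both gone, nothing in the diff shows whether `expandKubernetesAddOns` (outside these hunks) still sends an explicit disabled profile for that addon; if that default was dropped, it is worth confirming AKS no longer honours the key, since the provider forcing the dashboard off is a behaviour operators have relied on.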
@@ -106,71 +99,23 @@ func TestAccKubernetesCluster_addonProfileOMS(t *testing.T) { ), }, data.ImportStep(), + { + Config: r.addonProfileOMSDisabledConfig(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.addonProfileOMSConfig(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), }) } -func TestAccKubernetesCluster_addonProfileOMSToggle(t *testing.T) { - data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test") - r := KubernetesClusterResource{} - - if !features.ThreePointOhBeta() { - data.ResourceTest(t, r, []acceptance.TestStep{ - { - Config: r.addonProfileOMSConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).ExistsInAzure(r), - ), - }, - data.ImportStep(), - { - Config: r.addonProfileOMSDisabledConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).ExistsInAzure(r), - ), - }, - data.ImportStep(), - { - Config: r.addonProfileOMSScaleWithoutBlockConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).ExistsInAzure(r), - ), - }, - data.ImportStep(), - { - Config: r.addonProfileOMSConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).ExistsInAzure(r), - ), - }, - data.ImportStep(), - }) - } else { - data.ResourceTest(t, r, []acceptance.TestStep{ - { - Config: r.addonProfileOMSConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).ExistsInAzure(r), - ), - }, - data.ImportStep(), - { - Config: r.addonProfileOMSDisabledConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).ExistsInAzure(r), - ), - }, - data.ImportStep(), - { - Config: r.addonProfileOMSConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).ExistsInAzure(r), - ), - }, - data.ImportStep(), - 
}) - } -} - func TestAccKubernetesCluster_addonProfileRoutingToggle(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test") r := KubernetesClusterResource{} @@ -276,7 +221,7 @@ func TestAccKubernetesCluster_addonProfileAzureKeyVaultSecretsProvider(t *testin data.ResourceTest(t, r, []acceptance.TestStep{ { // Enable AzureKeyvaultSecretsProvider - Config: r.addonProfileAzureKeyVaultSecretsProviderConfig(data, true, true, "2m"), + Config: r.addonProfileAzureKeyVaultSecretsProviderConfig(data, true, "2m"), Check: acceptance.ComposeTestCheckFunc( check.That(data.ResourceName).ExistsInAzure(r), ), @@ -284,7 +229,7 @@ func TestAccKubernetesCluster_addonProfileAzureKeyVaultSecretsProvider(t *testin data.ImportStep(), { // Disable AzureKeyvaultSecretsProvider - Config: r.addonProfileAzureKeyVaultSecretsProviderConfig(data, false, false, "2m"), + Config: r.addonProfileAzureKeyVaultSecretsProviderConfig(data, false, "2m"), Check: acceptance.ComposeTestCheckFunc( check.That(data.ResourceName).ExistsInAzure(r), ), @@ -294,8 +239,7 @@ func TestAccKubernetesCluster_addonProfileAzureKeyVaultSecretsProvider(t *testin } func (KubernetesClusterResource) addonProfileAciConnectorLinuxConfig(data acceptance.TestData) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` + return fmt.Sprintf(` provider "azurerm" { features {} } @@ -356,11 +300,8 @@ resource "azurerm_kubernetes_cluster" "test" { vnet_subnet_id = azurerm_subnet.test.id } - addon_profile { - aci_connector_linux { - enabled = true - subnet_name = azurerm_subnet.test-aci.name - } + aci_connector_linux { + subnet_name = azurerm_subnet.test-aci.name } identity { 
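Review bot: The rebuilt `TestAccKubernetesCluster_addonProfileOMSToggle` drops the `addonProfileOMSScaleWithoutBlockConfig` step that the removed non-3.0 branch ran between the disabled and re-enabled configs, so the scale-without-block scenario is no longer exercised and that config helper is probably unreferenced now (its definition is outside this diff). Either keep the step in the new sequence or delete the helper so the test file does not carry dead config. The enclosing function starts in the previous hunk.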
@@ -372,7 +313,9 @@ resource "azurerm_kubernetes_cluster" "test" { } } `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger) - } +} + +func (KubernetesClusterResource) addonProfileAciConnectorLinuxDisabledConfig(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { features {} @@ -397,22 +340,6 @@ resource "azurerm_subnet" "test" { address_prefixes = ["172.0.2.0/24"] } -resource "azurerm_subnet" "test-aci" { - name = "acctestsubnet-aci%d" - resource_group_name = azurerm_resource_group.test.name - virtual_network_name = azurerm_virtual_network.test.name - address_prefixes = ["172.0.3.0/24"] - - delegation { - name = "aciDelegation" - - service_delegation { - name = "Microsoft.ContainerInstance/containerGroups" - actions = ["Microsoft.Network/virtualNetworks/subnets/action"] - } - } -} - resource "azurerm_kubernetes_cluster" "test" { name = "acctestaks%d" location = azurerm_resource_group.test.location @@ -421,7 +348,6 @@ resource "azurerm_kubernetes_cluster" "test" { linux_profile { admin_username = "acctestuser%d" - ssh_key { key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" } @@ -434,10 +360,6 @@ resource "azurerm_kubernetes_cluster" "test" { vnet_subnet_id = azurerm_subnet.test.id } - aci_connector_linux { - subnet_name = azurerm_subnet.test-aci.name - } - identity { type = "SystemAssigned" } 
@@ -446,12 +368,11 @@ resource "azurerm_kubernetes_cluster" "test" { network_plugin = "azure" } } -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger) +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger) } -func (KubernetesClusterResource) addonProfileAciConnectorLinuxDisabledConfig(data acceptance.TestData) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` +func (KubernetesClusterResource) addonProfileAzurePolicyConfig(data acceptance.TestData, enabled bool) string { + return fmt.Sprintf(` provider "azurerm" { features {} } @@ -461,20 +382,6 @@ resource "azurerm_resource_group" "test" { location = "%s" } -resource "azurerm_virtual_network" "test" { - name = "acctestvirtnet%d" - address_space = ["172.0.0.0/16"] - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name -} - -resource "azurerm_subnet" "test" { - name = "acctestsubnet%d" - resource_group_name = azurerm_resource_group.test.name - virtual_network_name = azurerm_virtual_network.test.name - address_prefixes = ["172.0.2.0/24"] -} - resource "azurerm_kubernetes_cluster" "test" { name = "acctestaks%d" location = azurerm_resource_group.test.location 
@@ -490,28 +397,21 @@ resource "azurerm_kubernetes_cluster" "test" { } default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - vnet_subnet_id = azurerm_subnet.test.id + name = "default" + node_count = 1 + vm_size = "Standard_DS2_v2" } - addon_profile { - aci_connector_linux { - enabled = false - } - } + azure_policy_enabled = %t identity { type = "SystemAssigned" } - - network_profile { - network_plugin = "azure" - } } -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger) - } +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, enabled) +} + +func (KubernetesClusterResource) addonProfileOMSConfig(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { features {} @@ -522,18 +422,24 @@ resource "azurerm_resource_group" "test" { location = "%s" } -resource "azurerm_virtual_network" "test" { - name = "acctestvirtnet%d" - address_space = ["172.0.0.0/16"] +resource "azurerm_log_analytics_workspace" "test" { + name = "acctest-%d" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name + sku = "PerGB2018" } -resource "azurerm_subnet" "test" { - name = "acctestsubnet%d" - resource_group_name = azurerm_resource_group.test.name - virtual_network_name = azurerm_virtual_network.test.name - address_prefixes = ["172.0.2.0/24"] +resource "azurerm_log_analytics_solution" "test" { + solution_name = "ContainerInsights" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + workspace_resource_id = azurerm_log_analytics_workspace.test.id + workspace_name = azurerm_log_analytics_workspace.test.name + + plan { + publisher = "Microsoft" + product = "OMSGallery/ContainerInsights" + } } resource "azurerm_kubernetes_cluster" "test" { 
@@ -544,32 +450,31 @@ resource "azurerm_kubernetes_cluster" "test" { linux_profile { admin_username = "acctestuser%d" + ssh_key { key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" } } default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - vnet_subnet_id = azurerm_subnet.test.id + name = "default" + node_count = 1 + vm_size = "Standard_DS2_v2" } - identity { - type = "SystemAssigned" + oms_agent { + log_analytics_workspace_id = azurerm_log_analytics_workspace.test.id } - network_profile { - network_plugin = "azure" + identity { + type = "SystemAssigned" } } -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger) +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger) } -func (KubernetesClusterResource) addonProfileAzurePolicyConfig(data acceptance.TestData, enabled bool) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` +func (KubernetesClusterResource) addonProfileOMSDisabledConfig(data acceptance.TestData) string { + return fmt.Sprintf(` provider "azurerm" { features {} } 
@@ -599,18 +504,14 @@ resource "azurerm_kubernetes_cluster" "test" { vm_size = "Standard_DS2_v2" } - addon_profile { - azure_policy { - enabled = %t - } - } - identity { type = "SystemAssigned" } } -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, enabled) - } +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) +} + +func (KubernetesClusterResource) addonProfileRoutingConfig(data acceptance.TestData, enabled bool) string { return fmt.Sprintf(` provider "azurerm" { features {} @@ -641,7 +542,7 @@ resource "azurerm_kubernetes_cluster" "test" { vm_size = "Standard_DS2_v2" } - azure_policy_enabled = %t + http_application_routing_enabled = %t identity { type = "SystemAssigned" @@ -650,10 +551,8 @@ resource "azurerm_kubernetes_cluster" "test" { `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, enabled) } -// CLEANUP: 3.0 - Remove this test since Kube Dashboard will be removed along with Kubernetes version 1.19 -func (KubernetesClusterResource) addonProfileKubeDashboardConfig(data acceptance.TestData) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` +func (KubernetesClusterResource) addonProfileIngressApplicationGatewayAppGatewayConfig(data acceptance.TestData) string { + return fmt.Sprintf(` provider "azurerm" { features {} } 
@@ -663,6 +562,82 @@ resource "azurerm_resource_group" "test" { location = "%s" } +resource "azurerm_virtual_network" "test" { + name = "acctestvirtnet%d" + address_space = ["172.0.0.0/16"] + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name +} + +resource "azurerm_subnet" "test" { + name = "acctestsubnet%d" + resource_group_name = azurerm_resource_group.test.name + virtual_network_name = azurerm_virtual_network.test.name + address_prefixes = ["172.0.2.0/24"] +} + +resource "azurerm_public_ip" "test" { + name = "acctestpublicip%d" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location + sku = "Standard" + allocation_method = "Static" +} + +resource "azurerm_application_gateway" "test" { + name = "acctestappgw%d" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location + + sku { + name = "Standard_v2" + tier = "Standard_v2" + capacity = 2 + } + + gateway_ip_configuration { + name = "gwipcfg" + subnet_id = azurerm_subnet.test.id + } + + frontend_port { + name = "frontendport" + port = 80 + } + + frontend_ip_configuration { + name = "frontendipcfg" + public_ip_address_id = azurerm_public_ip.test.id + } + + backend_address_pool { + name = "backendaddresspool" + } + + backend_http_settings { + name = "backendhttpsettings" + cookie_based_affinity = "Disabled" + port = 80 + protocol = "Http" + request_timeout = 60 + } + + http_listener { + name = "httplistener" + frontend_ip_configuration_name = "frontendipcfg" + frontend_port_name = "frontendport" + protocol = "Http" + } + + request_routing_rule { + name = "requestroutingrule" + rule_type = "Basic" + http_listener_name = "httplistener" + backend_address_pool_name = "backendaddresspool" + backend_http_settings_name = "backendhttpsettings" + } +} + resource "azurerm_kubernetes_cluster" "test" { name = "acctestaks%d" location = azurerm_resource_group.test.location 
@@ -683,18 +658,18 @@ resource "azurerm_kubernetes_cluster" "test" { vm_size = "Standard_DS2_v2" } - addon_profile { - kube_dashboard { - enabled = false - } + ingress_application_gateway { + gateway_id = azurerm_application_gateway.test.id } identity { type = "SystemAssigned" } } -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) - } +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger) +} + +func (KubernetesClusterResource) addonProfileIngressApplicationGatewaySubnetCIDRConfig(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { features {} @@ -725,16 +700,20 @@ resource "azurerm_kubernetes_cluster" "test" { vm_size = "Standard_DS2_v2" } + ingress_application_gateway { + gateway_name = "acctestgwn%d" + subnet_cidr = "%s" + } + identity { type = "SystemAssigned" } } -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, addOnAppGatewaySubnetCIDR) } -func (KubernetesClusterResource) addonProfileOMSConfig(data acceptance.TestData) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` +func (KubernetesClusterResource) addonProfileIngressApplicationGatewayDisabledConfig(data acceptance.TestData) string { + return fmt.Sprintf(` provider "azurerm" { features {} } 
@@ -744,760 +723,14 @@ resource "azurerm_resource_group" "test" { location = "%s" } -resource "azurerm_log_analytics_workspace" "test" { - name = "acctest-%d" +resource "azurerm_kubernetes_cluster" "test" { + name = "acctestaks%d" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name - sku = "PerGB2018" -} + dns_prefix = "acctestaks%d" -resource "azurerm_log_analytics_solution" "test" { - solution_name = "ContainerInsights" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - workspace_resource_id = azurerm_log_analytics_workspace.test.id - workspace_name = azurerm_log_analytics_workspace.test.name - - plan { - publisher = "Microsoft" - product = "OMSGallery/ContainerInsights" - } -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - addon_profile { - oms_agent { - enabled = true - log_analytics_workspace_id = azurerm_log_analytics_workspace.test.id - } - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger) - } - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource 
"azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_log_analytics_workspace" "test" { - name = "acctest-%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - sku = "PerGB2018" -} - -resource "azurerm_log_analytics_solution" "test" { - solution_name = "ContainerInsights" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - workspace_resource_id = azurerm_log_analytics_workspace.test.id - workspace_name = azurerm_log_analytics_workspace.test.name - - plan { - publisher = "Microsoft" - product = "OMSGallery/ContainerInsights" - } -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - oms_agent { - log_analytics_workspace_id = azurerm_log_analytics_workspace.test.id - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger) -} - -func (KubernetesClusterResource) addonProfileOMSDisabledConfig(data acceptance.TestData) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource 
"azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - addon_profile { - oms_agent { - enabled = false - } - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) - } - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = 
"default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) -} - -// CLEANUP: 3.0 - Remove this since OMS Agent can only be disabled by omitting the config -func (KubernetesClusterResource) addonProfileOMSScaleWithoutBlockConfig(data acceptance.TestData) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 2 - vm_size = "Standard_DS2_v2" - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) - } - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - 
ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 2 - vm_size = "Standard_DS2_v2" - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) -} - -func (KubernetesClusterResource) addonProfileRoutingConfig(data acceptance.TestData, enabled bool) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - addon_profile { - http_application_routing { - enabled = %t - } - kube_dashboard { - enabled = false - } - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, 
data.RandomInteger, data.RandomInteger, data.RandomInteger, enabled) - } - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - http_application_routing_enabled = %t - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, enabled) -} - -func (KubernetesClusterResource) addonProfileIngressApplicationGatewayAppGatewayConfig(data acceptance.TestData) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_virtual_network" "test" { - name = "acctestvirtnet%d" - address_space = ["172.0.0.0/16"] - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name -} - -resource "azurerm_subnet" "test" { - name = "acctestsubnet%d" - resource_group_name = azurerm_resource_group.test.name - virtual_network_name = azurerm_virtual_network.test.name - address_prefixes = ["172.0.2.0/24"] -} - 
-resource "azurerm_public_ip" "test" { - name = "acctestpublicip%d" - resource_group_name = azurerm_resource_group.test.name - location = azurerm_resource_group.test.location - sku = "Standard" - allocation_method = "Static" -} - -resource "azurerm_application_gateway" "test" { - name = "acctestappgw%d" - resource_group_name = azurerm_resource_group.test.name - location = azurerm_resource_group.test.location - - sku { - name = "Standard_V2" - tier = "Standard_V2" - capacity = 2 - } - - gateway_ip_configuration { - name = "gwipcfg" - subnet_id = azurerm_subnet.test.id - } - - frontend_port { - name = "frontendport" - port = 80 - } - - frontend_ip_configuration { - name = "frontendipcfg" - public_ip_address_id = azurerm_public_ip.test.id - } - - backend_address_pool { - name = "backendaddresspool" - } - - backend_http_settings { - name = "backendhttpsettings" - cookie_based_affinity = "Disabled" - port = 80 - protocol = "Http" - request_timeout = 60 - } - - http_listener { - name = "httplistener" - frontend_ip_configuration_name = "frontendipcfg" - frontend_port_name = "frontendport" - protocol = "Http" - } - - request_routing_rule { - name = "requestroutingrule" - rule_type = "Basic" - http_listener_name = "httplistener" - backend_address_pool_name = "backendaddresspool" - backend_http_settings_name = "backendhttpsettings" - } -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - addon_profile { - ingress_application_gateway { - enabled = true - gateway_id = azurerm_application_gateway.test.id - } - kube_dashboard { - enabled = false - } - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger) - } - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_virtual_network" "test" { - name = "acctestvirtnet%d" - address_space = ["172.0.0.0/16"] - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name -} - -resource "azurerm_subnet" "test" { - name = "acctestsubnet%d" - resource_group_name = azurerm_resource_group.test.name - virtual_network_name = azurerm_virtual_network.test.name - address_prefixes = ["172.0.2.0/24"] -} - -resource "azurerm_public_ip" "test" { - name = "acctestpublicip%d" - resource_group_name = azurerm_resource_group.test.name - location = azurerm_resource_group.test.location - sku = "Standard" - allocation_method = "Static" -} - -resource "azurerm_application_gateway" "test" { - name = "acctestappgw%d" - resource_group_name = azurerm_resource_group.test.name - location = azurerm_resource_group.test.location - - sku { - name = "Standard_v2" - tier = "Standard_v2" - capacity = 2 - } - - 
gateway_ip_configuration { - name = "gwipcfg" - subnet_id = azurerm_subnet.test.id - } - - frontend_port { - name = "frontendport" - port = 80 - } - - frontend_ip_configuration { - name = "frontendipcfg" - public_ip_address_id = azurerm_public_ip.test.id - } - - backend_address_pool { - name = "backendaddresspool" - } - - backend_http_settings { - name = "backendhttpsettings" - cookie_based_affinity = "Disabled" - port = 80 - protocol = "Http" - request_timeout = 60 - } - - http_listener { - name = "httplistener" - frontend_ip_configuration_name = "frontendipcfg" - frontend_port_name = "frontendport" - protocol = "Http" - } - - request_routing_rule { - name = "requestroutingrule" - rule_type = "Basic" - http_listener_name = "httplistener" - backend_address_pool_name = "backendaddresspool" - backend_http_settings_name = "backendhttpsettings" - } -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - ingress_application_gateway { - gateway_id = azurerm_application_gateway.test.id - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger) -} - -func 
(KubernetesClusterResource) addonProfileIngressApplicationGatewaySubnetCIDRConfig(data acceptance.TestData) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - addon_profile { - ingress_application_gateway { - enabled = true - gateway_name = "acctestgwn%d" - subnet_cidr = "%s" - } - kube_dashboard { - enabled = false - } - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, addOnAppGatewaySubnetCIDR) - } - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - ingress_application_gateway { - gateway_name = "acctestgwn%d" - subnet_cidr = "%s" - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, addOnAppGatewaySubnetCIDR) -} - -func (KubernetesClusterResource) addonProfileIngressApplicationGatewayDisabledConfig(data acceptance.TestData) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - addon_profile { - ingress_application_gateway { - enabled = false - } - kube_dashboard { - 
enabled = false - } - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) - } - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" + linux_profile { + admin_username = "acctestuser%d" ssh_key { key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" 
@@ -1518,68 +751,6 @@ resource "azurerm_kubernetes_cluster" "test" { } func (KubernetesClusterResource) addonProfileIngressApplicationGatewaySubnetIdConfig(data acceptance.TestData) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_virtual_network" "test" { - name = "acctestvirtnet%d" - address_space = ["172.0.0.0/16"] - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name -} - -resource "azurerm_subnet" "test" { - name = "acctestsubnet%d" - resource_group_name = azurerm_resource_group.test.name - virtual_network_name = azurerm_virtual_network.test.name - address_prefixes = ["172.0.2.0/24"] -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - addon_profile { - ingress_application_gateway { - enabled = true - gateway_name = "acctestgwn%d" - subnet_id = azurerm_subnet.test.id - } - kube_dashboard { - enabled = false - } - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, 
data.RandomInteger, data.RandomInteger) - } return fmt.Sprintf(` provider "azurerm" { features {} @@ -1637,49 +808,6 @@ resource "azurerm_kubernetes_cluster" "test" { } func (KubernetesClusterResource) addonProfileOpenServiceMeshConfig(data acceptance.TestData, enabled bool) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - addon_profile { - open_service_mesh { - enabled = %t - } - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, enabled) - } return fmt.Sprintf(` provider "azurerm" { features {} 
@@ -1719,52 +847,7 @@ resource "azurerm_kubernetes_cluster" "test" { `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, enabled) } -func (KubernetesClusterResource) addonProfileAzureKeyVaultSecretsProviderConfig(data acceptance.TestData, enabled bool, secretRotation bool, rotationInterval string) string { - if !features.ThreePointOhBeta() { - return fmt.Sprintf(` -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-aks-%d" - location = "%s" -} - -resource "azurerm_kubernetes_cluster" "test" { - name = "acctestaks%d" - location = azurerm_resource_group.test.location - resource_group_name = azurerm_resource_group.test.name - dns_prefix = "acctestaks%d" - - linux_profile { - admin_username = "acctestuser%d" - - ssh_key { - key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld" - } - } - - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_DS2_v2" - } - - addon_profile { - azure_keyvault_secrets_provider { - enabled = %t - secret_rotation_enabled = %t - secret_rotation_interval = "%s" - } - } - - identity { - type = "SystemAssigned" - } -} -`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, enabled, secretRotation, rotationInterval) - } +func (KubernetesClusterResource) addonProfileAzureKeyVaultSecretsProviderConfig(data acceptance.TestData, secretRotation bool, rotationInterval string) string { return fmt.Sprintf(` provider "azurerm" { features {} 
diff --git a/internal/services/containers/kubernetes_cluster_data_source.go b/internal/services/containers/kubernetes_cluster_data_source.go
index 23e67f49df29..0677947cdac7 100644
--- a/internal/services/containers/kubernetes_cluster_data_source.go
+++ b/internal/services/containers/kubernetes_cluster_data_source.go
@@ -333,6 +333,19 @@ func dataSourceKubernetesCluster() *pluginsdk.Resource {
 Computed: true,
 },
 
+ "microsoft_defender": {
+ Type: pluginsdk.TypeList,
+ Computed: true,
+ Elem: &pluginsdk.Resource{
+ Schema: map[string]*pluginsdk.Schema{
+ "log_analytics_workspace_id": {
+ Type: pluginsdk.TypeString,
+ Computed: true,
+ },
+ },
+ },
+ },
+
 "oms_agent": {
 Type: pluginsdk.TypeList,
 Computed: true,
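Review bot: The new `microsoft_defender` block carries no `enabled` attribute, so an empty list is the only signal that Defender is off on the cluster, and no documentation change for the data source is visible in this chunk. The data source docs should describe the block and state that it is empty when Microsoft Defender is not enabled, and a line comment on the schema entry, `// microsoft_defender is only populated when Defender is enabled on the cluster`, would make that contract visible here too. dataSourceKubernetesCluster continues outside the hunk.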
@@ -620,254 +633,6 @@ func dataSourceKubernetesCluster() *pluginsdk.Resource { }, } - if !features.ThreePointOhBeta() { - resource.Schema["addon_profile"] = &pluginsdk.Schema{ - Type: pluginsdk.TypeList, - Computed: true, - Deprecated: "`addon_profile` is deprecated in favour of the properties `https_application_routing_enabled`, `azure_policy_enabled`, `open_service_mesh_enabled` and the blocks `oms_agent`, `ingress_application_gateway` and `key_vault_secrets_provider` and will be removed in version 3.0 of the AzureRM Provider", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "http_application_routing": { - Type: pluginsdk.TypeList, - Computed: true, - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Computed: true, - }, - "http_application_routing_zone_name": { - Type: pluginsdk.TypeString, - Computed: true, - }, - }, - }, - }, - - "oms_agent": { - Type: pluginsdk.TypeList, - Computed: true, - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Computed: true, - }, - "log_analytics_workspace_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "oms_agent_identity": { - Type: pluginsdk.TypeList, - Computed: true, - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "client_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "object_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "user_assigned_identity_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - }, - }, - }, - }, - }, - }, - - "kube_dashboard": { - Type: pluginsdk.TypeList, - Computed: true, - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Computed: true, - }, - }, - }, - }, - - "azure_policy": { - Type: pluginsdk.TypeList, - Computed: true, - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: 
pluginsdk.TypeBool, - Computed: true, - }, - }, - }, - }, - - "ingress_application_gateway": { - Type: pluginsdk.TypeList, - Computed: true, - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Computed: true, - }, - "gateway_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "effective_gateway_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "subnet_cidr": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "subnet_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "ingress_application_gateway_identity": { - Type: pluginsdk.TypeList, - Computed: true, - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "client_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "object_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "user_assigned_identity_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - }, - }, - }, - }, - }, - }, - - "open_service_mesh": { - Type: pluginsdk.TypeList, - Computed: true, - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Computed: true, - }, - }, - }, - }, - "azure_keyvault_secrets_provider": { - Type: pluginsdk.TypeList, - Computed: true, - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Computed: true, - }, - "secret_rotation_enabled": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "secret_rotation_interval": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "secret_identity": { - Type: pluginsdk.TypeList, - Computed: true, - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "client_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "object_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - "user_assigned_identity_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - }, - }, - }, - }, - }, - }, - }, - 
}, - } - - resource.Schema["role_based_access_control"] = &pluginsdk.Schema{ - Type: pluginsdk.TypeList, - Computed: true, - Deprecated: "`role_based_access_control` is deprecated in favour of the property `role_based_access_control_enabled` and the block `azure_active_directory_role_based_access_control` and will be removed in version 3.0 of the AzureRM Provider.", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Computed: true, - }, - "azure_active_directory": { - Type: pluginsdk.TypeList, - Computed: true, - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "admin_group_object_ids": { - Type: pluginsdk.TypeList, - Computed: true, - Elem: &pluginsdk.Schema{ - Type: pluginsdk.TypeString, - }, - }, - - "client_app_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - - "managed": { - Type: pluginsdk.TypeBool, - Computed: true, - }, - - "server_app_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - - "tenant_id": { - Type: pluginsdk.TypeString, - Computed: true, - }, - }, - }, - }, - }, - }, - } - - resource.Schema["private_link_enabled"] = &pluginsdk.Schema{ - Type: pluginsdk.TypeBool, - Computed: true, - Deprecated: "`private_link_enabled` is deprecated in favour of `private_cluster_enabled` and will be removed in version 3.0 of the AzureRM Provider", - } - } - return resource } 
@@ -921,13 +686,6 @@ func dataSourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{}
 d.Set("private_cluster_enabled", accessProfile.EnablePrivateCluster)
 }
 
- if !features.ThreePointOhBeta() {
- addonProfiles := flattenKubernetesClusterDataSourceAddonProfiles(props.AddonProfiles)
- if err := d.Set("addon_profile", addonProfiles); err != nil {
- return fmt.Errorf("setting `addon_profile`: %+v", err)
- }
- }
-
 addOns := flattenKubernetesClusterDataSourceAddOns(props.AddonProfiles)
 d.Set("aci_connector_linux", addOns["aci_connector_linux"])
 d.Set("azure_policy_enabled", addOns["azure_policy_enabled"].(bool))
@@ -990,18 +748,16 @@ func dataSourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{}
 }
 d.Set("role_based_access_control_enabled", rbacEnabled)
 
+ microsoftDefender := flattenKubernetesClusterDataSourceMicrosoftDefender(props.SecurityProfile)
+ if err := d.Set("microsoft_defender", microsoftDefender); err != nil {
+ return fmt.Errorf("setting `microsoft_defender`: %+v", err)
+ }
+
 aadRbac := flattenKubernetesClusterDataSourceAzureActiveDirectoryRoleBasedAccessControl(props)
 if err := d.Set("azure_active_directory_role_based_access_control", aadRbac); err != nil {
 return fmt.Errorf("setting `azure_active_directory_role_based_access_control`: %+v", err)
 }
 
- if !features.ThreePointOhBeta() {
- roleBasedAccessControl := flattenKubernetesClusterDataSourceRoleBasedAccessControl(props)
- if err := d.Set("role_based_access_control", roleBasedAccessControl); err != nil {
- return fmt.Errorf("setting `role_based_access_control`: %+v", err)
- }
- }
-
 servicePrincipal := flattenKubernetesClusterDataSourceServicePrincipalProfile(props.ServicePrincipalProfile)
 if err := d.Set("service_principal", servicePrincipal); err != nil {
 return fmt.Errorf("setting `service_principal`: %+v", err)
@@ -1043,53 +799,6 @@ func dataSourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{} return tags.FlattenAndSet(d, resp.Tags) } -func flattenKubernetesClusterDataSourceRoleBasedAccessControl(input *containerservice.ManagedClusterProperties) []interface{} { - rbacEnabled := false - if input.EnableRBAC != nil { - rbacEnabled = *input.EnableRBAC - } - - results := make([]interface{}, 0) - if profile := input.AadProfile; profile != nil { - adminGroupObjectIds := utils.FlattenStringSlice(profile.AdminGroupObjectIDs) - - clientAppId := "" - if profile.ClientAppID != nil { - clientAppId = *profile.ClientAppID - } - - managed := false - if profile.Managed != nil { - managed = *profile.Managed - } - - serverAppId := "" - if profile.ServerAppID != nil { - serverAppId = *profile.ServerAppID - } - - tenantId := "" - if profile.TenantID != nil { - tenantId = *profile.TenantID - } - - results = append(results, map[string]interface{}{ - "admin_group_object_ids": adminGroupObjectIds, - "client_app_id": clientAppId, - "managed": managed, - "server_app_id": serverAppId, - "tenant_id": tenantId, - }) - } - - return []interface{}{ - map[string]interface{}{ - "enabled": rbacEnabled, - "azure_active_directory": results, - }, - } -} - func flattenKubernetesClusterDataSourceAccessProfile(profile containerservice.ManagedClusterAccessProfile) (*string, []interface{}) { if profile.AccessProfile == nil { return nil, []interface{}{} 
@@ -1258,209 +967,6 @@ func flattenKubernetesClusterDataSourceAddOns(profile map[string]*containerservi } } -func flattenKubernetesClusterDataSourceAddonProfiles(profile map[string]*containerservice.ManagedClusterAddonProfile) interface{} { - values := make(map[string]interface{}) - - routes := make([]interface{}, 0) - if httpApplicationRouting := kubernetesAddonProfileLocate(profile, httpApplicationRoutingKey); httpApplicationRouting != nil { - enabled := false - if enabledVal := httpApplicationRouting.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - zoneName := "" - if v := kubernetesAddonProfilelocateInConfig(httpApplicationRouting.Config, "HTTPApplicationRoutingZoneName"); v != nil { - zoneName = *v - } - - output := map[string]interface{}{ - "enabled": enabled, - "http_application_routing_zone_name": zoneName, - } - routes = append(routes, output) - } - values["http_application_routing"] = routes - - agents := make([]interface{}, 0) - if omsAgent := kubernetesAddonProfileLocate(profile, omsAgentKey); omsAgent != nil { - enabled := false - if enabledVal := omsAgent.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - workspaceID := "" - if v := kubernetesAddonProfilelocateInConfig(omsAgent.Config, "logAnalyticsWorkspaceResourceID"); v != nil { - workspaceID = *v - } - - omsagentIdentity, err := flattenKubernetesClusterDataSourceAddOnIdentityProfile(omsAgent.Identity) - if err != nil { - return err - } - output := map[string]interface{}{ - "enabled": enabled, - "log_analytics_workspace_id": workspaceID, - "oms_agent_identity": omsagentIdentity, - } - agents = append(agents, output) - } - values["oms_agent"] = agents - - kubeDashboards := make([]interface{}, 0) - if kubeDashboard := kubernetesAddonProfileLocate(profile, kubernetesDashboardKey); kubeDashboard != nil { - enabled := false - if enabledVal := kubeDashboard.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - output := map[string]interface{}{ - "enabled": enabled, - } - 
kubeDashboards = append(kubeDashboards, output) - } - values["kube_dashboard"] = kubeDashboards - - azurePolicies := make([]interface{}, 0) - if azurePolicy := kubernetesAddonProfileLocate(profile, azurePolicyKey); azurePolicy != nil { - enabled := false - if enabledVal := azurePolicy.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - output := map[string]interface{}{ - "enabled": enabled, - } - azurePolicies = append(azurePolicies, output) - } - values["azure_policy"] = azurePolicies - - ingressApplicationGateways := make([]interface{}, 0) - if ingressApplicationGateway := kubernetesAddonProfileLocate(profile, ingressApplicationGatewayKey); ingressApplicationGateway != nil { - enabled := false - if enabledVal := ingressApplicationGateway.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - gatewayId := "" - if v := kubernetesAddonProfilelocateInConfig(ingressApplicationGateway.Config, "applicationGatewayId"); v != nil { - gatewayId = *v - } - - effectiveGatewayId := "" - if v := kubernetesAddonProfilelocateInConfig(ingressApplicationGateway.Config, "effectiveApplicationGatewayId"); v != nil { - effectiveGatewayId = *v - } - - subnetCIDR := "" - if v := kubernetesAddonProfilelocateInConfig(ingressApplicationGateway.Config, "subnetCIDR"); v != nil { - subnetCIDR = *v - } - - subnetId := "" - if v := kubernetesAddonProfilelocateInConfig(ingressApplicationGateway.Config, "subnetId"); v != nil { - subnetId = *v - } - - ingressApplicationGatewayIdentity, err := flattenKubernetesClusterDataSourceAddOnIdentityProfile(ingressApplicationGateway.Identity) - if err != nil { - return err - } - - output := map[string]interface{}{ - "enabled": enabled, - "gateway_id": gatewayId, - "effective_gateway_id": effectiveGatewayId, - "subnet_cidr": subnetCIDR, - "subnet_id": subnetId, - "ingress_application_gateway_identity": ingressApplicationGatewayIdentity, - } - ingressApplicationGateways = append(ingressApplicationGateways, output) - } - 
values["ingress_application_gateway"] = ingressApplicationGateways - - openServiceMeshes := make([]interface{}, 0) - if openServiceMesh := kubernetesAddonProfileLocate(profile, openServiceMeshKey); openServiceMesh != nil { - enabled := false - if enabledVal := openServiceMesh.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - output := map[string]interface{}{ - "enabled": enabled, - } - openServiceMeshes = append(openServiceMeshes, output) - } - values["open_service_mesh"] = openServiceMeshes - - azureKeyvaultSecretsProviders := make([]interface{}, 0) - if azureKeyvaultSecretsProvider := kubernetesAddonProfileLocate(profile, azureKeyvaultSecretsProviderKey); azureKeyvaultSecretsProvider != nil { - enabled := false - if enabledVal := azureKeyvaultSecretsProvider.Enabled; enabledVal != nil { - enabled = *enabledVal - } - - enableSecretRotation := "false" - if v := kubernetesAddonProfilelocateInConfig(azureKeyvaultSecretsProvider.Config, "enableSecretRotation"); v == utils.String("true") { - enableSecretRotation = *v - } - - rotationPollInterval := "" - if v := kubernetesAddonProfilelocateInConfig(azureKeyvaultSecretsProvider.Config, "rotationPollInterval"); v != nil { - rotationPollInterval = *v - } - - azureKeyvaultSecretsProviderIdentity, err := flattenKubernetesClusterDataSourceAddOnIdentityProfile(azureKeyvaultSecretsProvider.Identity) - if err != nil { - return err - } - - output := map[string]interface{}{ - "enabled": enabled, - "secret_rotation_enabled": enableSecretRotation, - "secret_rotation_interval": rotationPollInterval, - "secret_identity": azureKeyvaultSecretsProviderIdentity, - } - azureKeyvaultSecretsProviders = append(azureKeyvaultSecretsProviders, output) - } - values["azure_keyvault_secrets_provider"] = azureKeyvaultSecretsProviders - - return []interface{}{values} -} - -func flattenKubernetesClusterDataSourceAddOnIdentityProfile(profile *containerservice.ManagedClusterAddonProfileIdentity) ([]interface{}, error) { - if profile == nil { 
- return []interface{}{}, nil - } - - identity := make([]interface{}, 0) - clientID := "" - if clientid := profile.ClientID; clientid != nil { - clientID = *clientid - } - - objectID := "" - if objectid := profile.ObjectID; objectid != nil { - objectID = *objectid - } - - userAssignedIdentityID := "" - if resourceid := profile.ResourceID; resourceid != nil { - parsedId, err := msiparse.UserAssignedIdentityIDInsensitively(*resourceid) - if err != nil { - return nil, err - } - userAssignedIdentityID = parsedId.ID() - } - - identity = append(identity, map[string]interface{}{ - "client_id": clientID, - "object_id": objectID, - "user_assigned_identity_id": userAssignedIdentityID, - }) - - return identity, nil -} - func flattenKubernetesClusterDataSourceAgentPoolProfiles(input *[]containerservice.ManagedClusterAgentPoolProfile) []interface{} { agentPoolProfiles := make([]interface{}, 0) @@ -1799,3 +1305,20 @@ func flattenClusterDataSourceIdentity(input *containerservice.ManagedClusterIden return identity.FlattenSystemOrUserAssignedMap(transform) } + +func flattenKubernetesClusterDataSourceMicrosoftDefender(input *containerservice.ManagedClusterSecurityProfile) []interface{} { + if input == nil || input.AzureDefender == nil || (input.AzureDefender.Enabled != nil && !*input.AzureDefender.Enabled) { + return []interface{}{} + } + + logAnalyticsWorkspace := "" + if v := input.AzureDefender.LogAnalyticsWorkspaceResourceID; v != nil { + logAnalyticsWorkspace = *v + } + + return []interface{}{ + map[string]interface{}{ + "log_analytics_workspace_id": logAnalyticsWorkspace, + }, + } +} diff --git a/internal/services/containers/kubernetes_cluster_data_source_test.go b/internal/services/containers/kubernetes_cluster_data_source_test.go index 9b875cd5fd60..e2f61aa74d4b 100644 --- a/internal/services/containers/kubernetes_cluster_data_source_test.go +++ b/internal/services/containers/kubernetes_cluster_data_source_test.go 
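Review bot: In flattenKubernetesClusterDataSourceMicrosoftDefender a nil `input.AzureDefender.Enabled` passes the guard, so the data source reports a populated `microsoft_defender` block as if Defender were on, because the condition only rejects an explicit false. Unless the API guarantees that field is always set, a security setting should not be reported as enabled without a positive value; change the guard to `if input == nil || input.AzureDefender == nil || input.AzureDefender.Enabled == nil || !*input.AzureDefender.Enabled {`. The function also has no doc comment; `// flattenKubernetesClusterDataSourceMicrosoftDefender returns one block when Microsoft Defender is enabled on the cluster and an empty list otherwise.` would pin the contract the schema relies on, since the block has no separate enabled attribute.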
@@ -7,7 +7,6 @@ import ( "github.com/hashicorp/terraform-provider-azurerm/internal/acceptance" "github.com/hashicorp/terraform-provider-azurerm/internal/acceptance/check" - "github.com/hashicorp/terraform-provider-azurerm/internal/features" ) type KubernetesClusterDataSource struct{} 
@@ -58,32 +57,17 @@ func TestAccDataSourceKubernetesCluster_roleBasedAccessControl(t *testing.T) {
 data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test")
 r := KubernetesClusterDataSource{}
 
- if !features.ThreePointOhBeta() {
- data.DataSourceTest(t, []acceptance.TestStep{
- {
- Config: r.roleBasedAccessControlConfig(data),
- Check: acceptance.ComposeTestCheckFunc(
- check.That(data.ResourceName).Key("role_based_access_control.#").HasValue("1"),
- check.That(data.ResourceName).Key("role_based_access_control.0.enabled").HasValue("true"),
- check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.#").HasValue("0"),
- check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("0"),
- check.That(data.ResourceName).Key("kube_admin_config_raw").HasValue(""),
- ),
- },
- })
- } else {
- data.DataSourceTest(t, []acceptance.TestStep{
- {
- Config: r.roleBasedAccessControlConfig(data),
- Check: acceptance.ComposeTestCheckFunc(
- check.That(data.ResourceName).Key("role_based_access_control_enabled").HasValue("true"),
- check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.#").HasValue("0"),
- check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("0"),
- check.That(data.ResourceName).Key("kube_admin_config_raw").HasValue(""),
- ),
- },
- })
- }
+ data.DataSourceTest(t, []acceptance.TestStep{
+ {
+ Config: r.roleBasedAccessControlConfig(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).Key("role_based_access_control_enabled").HasValue("true"),
+ check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.#").HasValue("0"),
+ check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("0"),
+ check.That(data.ResourceName).Key("kube_admin_config_raw").HasValue(""),
+ ),
+ },
+ })
 }
 
 func TestAccDataSourceKubernetesCluster_roleBasedAccessControlAAD(t *testing.T) {
@@ -93,38 +77,20 @@ func TestAccDataSourceKubernetesCluster_roleBasedAccessControlAAD(t *testing.T) clientSecret := os.Getenv("ARM_CLIENT_SECRET") tenantId := os.Getenv("ARM_TENANT_ID") - if !features.ThreePointOhBeta() { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.roleBasedAccessControlAADConfig(data, clientId, clientSecret, tenantId), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("role_based_access_control.#").HasValue("1"), - check.That(data.ResourceName).Key("role_based_access_control.0.enabled").HasValue("true"), - check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.#").HasValue("1"), - check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.0.client_app_id").Exists(), - check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.0.server_app_id").Exists(), - check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.0.tenant_id").Exists(), - check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("1"), - check.That(data.ResourceName).Key("kube_admin_config_raw").Exists(), - ), - }, - }) - } else { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.roleBasedAccessControlAADConfig(data, clientId, clientSecret, tenantId), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("role_based_access_control_enabled").HasValue("true"), - check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.#").HasValue("1"), - check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.client_app_id").Exists(), - check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.server_app_id").Exists(), - check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.tenant_id").Exists(), - check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("1"), - 
check.That(data.ResourceName).Key("kube_admin_config_raw").Exists(), - ), - }, - }) - } + data.DataSourceTest(t, []acceptance.TestStep{ + { + Config: r.roleBasedAccessControlAADConfig(data, clientId, clientSecret, tenantId), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).Key("role_based_access_control_enabled").HasValue("true"), + check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.#").HasValue("1"), + check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.client_app_id").Exists(), + check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.server_app_id").Exists(), + check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.tenant_id").Exists(), + check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("1"), + check.That(data.ResourceName).Key("kube_admin_config_raw").Exists(), + ), + }, + }) } func TestAccDataSourceKubernetesCluster_localAccountDisabled(t *testing.T) { 
@@ -132,39 +98,20 @@ func TestAccDataSourceKubernetesCluster_localAccountDisabled(t *testing.T) { r := KubernetesClusterDataSource{} clientData := data.Client() - if !features.ThreePointOhBeta() { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.localAccountDisabled(data, clientData.TenantID), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("role_based_access_control.#").HasValue("1"), - check.That(data.ResourceName).Key("role_based_access_control.0.enabled").HasValue("true"), - check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.#").HasValue("1"), - check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.0.managed").HasValue("true"), - check.That(data.ResourceName).Key("kube_config.#").HasValue("1"), - check.That(data.ResourceName).Key("kube_config_raw").Exists(), - check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("0"), - check.That(data.ResourceName).Key("kube_admin_config_raw").HasValue(""), - ), - }, - }) - } else { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.localAccountDisabled(data, clientData.TenantID), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("role_based_access_control_enabled").HasValue("true"), - check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.#").HasValue("1"), - check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.managed").HasValue("true"), - check.That(data.ResourceName).Key("kube_config.#").HasValue("1"), - check.That(data.ResourceName).Key("kube_config_raw").Exists(), - check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("0"), - check.That(data.ResourceName).Key("kube_admin_config_raw").HasValue(""), - ), - }, - }) - } - + data.DataSourceTest(t, []acceptance.TestStep{ + { + Config: r.localAccountDisabled(data, clientData.TenantID), + Check: acceptance.ComposeTestCheckFunc( + 
check.That(data.ResourceName).Key("role_based_access_control_enabled").HasValue("true"), + check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.#").HasValue("1"), + check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.managed").HasValue("true"), + check.That(data.ResourceName).Key("kube_config.#").HasValue("1"), + check.That(data.ResourceName).Key("kube_config_raw").Exists(), + check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("0"), + check.That(data.ResourceName).Key("kube_admin_config_raw").HasValue(""), + ), + }, + }) } func TestAccDataSourceKubernetesCluster_internalNetwork(t *testing.T) { 
@@ -345,52 +292,15 @@ func TestAccDataSourceKubernetesCluster_addOnProfileOMS(t *testing.T) { data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test") r := KubernetesClusterDataSource{} - if !features.ThreePointOhBeta() { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileOMSConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("addon_profile.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.oms_agent.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.oms_agent.0.enabled").HasValue("true"), - check.That(data.ResourceName).Key("addon_profile.0.oms_agent.0.log_analytics_workspace_id").Exists(), - check.That(data.ResourceName).Key("addon_profile.0.oms_agent.0.oms_agent_identity.0.client_id").Exists(), - check.That(data.ResourceName).Key("addon_profile.0.oms_agent.0.oms_agent_identity.0.object_id").Exists(), - check.That(data.ResourceName).Key("addon_profile.0.oms_agent.0.oms_agent_identity.0.user_assigned_identity_id").Exists(), - ), - }, - }) - } else { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileOMSConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("oms_agent.#").HasValue("1"), - check.That(data.ResourceName).Key("oms_agent.0.log_analytics_workspace_id").Exists(), - check.That(data.ResourceName).Key("oms_agent.0.oms_agent_identity.0.client_id").Exists(), - check.That(data.ResourceName).Key("oms_agent.0.oms_agent_identity.0.object_id").Exists(), - check.That(data.ResourceName).Key("oms_agent.0.oms_agent_identity.0.user_assigned_identity_id").Exists(), - ), - }, - }) - } -} - -func TestAccDataSourceKubernetesCluster_addOnProfileKubeDashboard(t *testing.T) { - data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test") - r := KubernetesClusterDataSource{} - - if features.ThreePointOhBeta() { - t.Skip("This functionality is not applicable in 3.0 mode") - 
} - data.DataSourceTest(t, []acceptance.TestStep{ { - Config: r.addOnProfileKubeDashboardConfig(data), + Config: r.addOnProfileOMSConfig(data), Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("addon_profile.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.kube_dashboard.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.kube_dashboard.0.enabled").HasValue("false"), + check.That(data.ResourceName).Key("oms_agent.#").HasValue("1"), + check.That(data.ResourceName).Key("oms_agent.0.log_analytics_workspace_id").Exists(), + check.That(data.ResourceName).Key("oms_agent.0.oms_agent_identity.0.client_id").Exists(), + check.That(data.ResourceName).Key("oms_agent.0.oms_agent_identity.0.object_id").Exists(), + check.That(data.ResourceName).Key("oms_agent.0.oms_agent_identity.0.user_assigned_identity_id").Exists(), ), }, }) 
@@ -400,217 +310,113 @@ func TestAccDataSourceKubernetesCluster_addOnProfileAzurePolicy(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test") r := KubernetesClusterDataSource{} - if !features.ThreePointOhBeta() { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileAzurePolicyConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("addon_profile.0.azure_policy.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.azure_policy.0.enabled").HasValue("true"), - ), - }, - }) - } else { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileAzurePolicyConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("azure_policy_enabled").HasValue("true"), - ), - }, - }) - } + data.DataSourceTest(t, []acceptance.TestStep{ + { + Config: r.addOnProfileAzurePolicyConfig(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).Key("azure_policy_enabled").HasValue("true"), + ), + }, + }) } func TestAccDataSourceKubernetesCluster_addOnProfileRouting(t *testing.T) { data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test") r := KubernetesClusterDataSource{} - if !features.ThreePointOhBeta() { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileRoutingConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("addon_profile.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.http_application_routing.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.http_application_routing.0.enabled").HasValue("true"), - check.That(data.ResourceName).Key("addon_profile.0.http_application_routing.0.http_application_routing_zone_name").Exists(), - ), - }, - }) - } else { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileRoutingConfig(data), - Check: 
acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("http_application_routing_enabled").HasValue("true"), - check.That(data.ResourceName).Key("http_application_routing_zone_name").Exists(), - ), - }, - }) - } + data.DataSourceTest(t, []acceptance.TestStep{ + { + Config: r.addOnProfileRoutingConfig(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).Key("http_application_routing_enabled").HasValue("true"), + check.That(data.ResourceName).Key("http_application_routing_zone_name").Exists(), + ), + }, + }) } func TestAccDataSourceKubernetesCluster_addOnProfileIngressApplicationGatewayAppGateway(t *testing.T) { data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test") r := KubernetesClusterDataSource{} - if !features.ThreePointOhBeta() { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileIngressApplicationGatewayAppGatewayConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("addon_profile.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.enabled").HasValue("true"), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.effective_gateway_id").MatchesOtherKey( - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.gateway_id"), - ), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.subnet_cidr").IsEmpty(), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.subnet_id").IsEmpty(), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.ingress_application_gateway_identity.0.client_id").Exists(), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.ingress_application_gateway_identity.0.object_id").Exists(), - 
check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.ingress_application_gateway_identity.0.user_assigned_identity_id").Exists(), - ), - }, - }) - } else { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileIngressApplicationGatewayAppGatewayConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("ingress_application_gateway.#").HasValue("1"), - check.That(data.ResourceName).Key("ingress_application_gateway.0.effective_gateway_id").MatchesOtherKey( - check.That(data.ResourceName).Key("ingress_application_gateway.0.gateway_id"), - ), - check.That(data.ResourceName).Key("ingress_application_gateway.0.subnet_cidr").IsEmpty(), - check.That(data.ResourceName).Key("ingress_application_gateway.0.subnet_id").IsEmpty(), - check.That(data.ResourceName).Key("ingress_application_gateway.0.ingress_application_gateway_identity.0.client_id").Exists(), - check.That(data.ResourceName).Key("ingress_application_gateway.0.ingress_application_gateway_identity.0.object_id").Exists(), - check.That(data.ResourceName).Key("ingress_application_gateway.0.ingress_application_gateway_identity.0.user_assigned_identity_id").Exists(), + data.DataSourceTest(t, []acceptance.TestStep{ + { + Config: r.addOnProfileIngressApplicationGatewayAppGatewayConfig(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).Key("ingress_application_gateway.#").HasValue("1"), + check.That(data.ResourceName).Key("ingress_application_gateway.0.effective_gateway_id").MatchesOtherKey( + check.That(data.ResourceName).Key("ingress_application_gateway.0.gateway_id"), ), - }, - }) - } + check.That(data.ResourceName).Key("ingress_application_gateway.0.subnet_cidr").IsEmpty(), + check.That(data.ResourceName).Key("ingress_application_gateway.0.subnet_id").IsEmpty(), + check.That(data.ResourceName).Key("ingress_application_gateway.0.ingress_application_gateway_identity.0.client_id").Exists(), + 
check.That(data.ResourceName).Key("ingress_application_gateway.0.ingress_application_gateway_identity.0.object_id").Exists(), + check.That(data.ResourceName).Key("ingress_application_gateway.0.ingress_application_gateway_identity.0.user_assigned_identity_id").Exists(), + ), + }, + }) } func TestAccDataSourceKubernetesCluster_addOnProfileIngressApplicationGatewaySubnetCIDR(t *testing.T) { data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test") r := KubernetesClusterDataSource{} - if !features.ThreePointOhBeta() { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileIngressApplicationGatewaySubnetCIDRConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("addon_profile.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.enabled").HasValue("true"), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.gateway_id").IsEmpty(), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.subnet_cidr").HasValue(addOnAppGatewaySubnetCIDR), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.subnet_id").IsEmpty(), - ), - }, - }) - } else { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileIngressApplicationGatewaySubnetCIDRConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("ingress_application_gateway.#").HasValue("1"), - check.That(data.ResourceName).Key("ingress_application_gateway.0.gateway_id").IsEmpty(), - check.That(data.ResourceName).Key("ingress_application_gateway.0.subnet_cidr").HasValue(addOnAppGatewaySubnetCIDR), - check.That(data.ResourceName).Key("ingress_application_gateway.0.subnet_id").IsEmpty(), - ), - }, - }) - } + data.DataSourceTest(t, []acceptance.TestStep{ + { + Config: 
r.addOnProfileIngressApplicationGatewaySubnetCIDRConfig(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).Key("ingress_application_gateway.#").HasValue("1"), + check.That(data.ResourceName).Key("ingress_application_gateway.0.gateway_id").IsEmpty(), + check.That(data.ResourceName).Key("ingress_application_gateway.0.subnet_cidr").HasValue(addOnAppGatewaySubnetCIDR), + check.That(data.ResourceName).Key("ingress_application_gateway.0.subnet_id").IsEmpty(), + ), + }, + }) } func TestAccDataSourceKubernetesCluster_addOnProfileIngressApplicationGatewaySubnetId(t *testing.T) { data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test") r := KubernetesClusterDataSource{} - if !features.ThreePointOhBeta() { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileIngressApplicationGatewaySubnetIdConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("addon_profile.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.enabled").HasValue("true"), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.gateway_id").IsEmpty(), - check.That(data.ResourceName).Key("addon_profile.0.ingress_application_gateway.0.subnet_cidr").IsEmpty(), - ), - }, - }) - } else { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileIngressApplicationGatewaySubnetIdConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("ingress_application_gateway.#").HasValue("1"), - check.That(data.ResourceName).Key("ingress_application_gateway.0.gateway_id").IsEmpty(), - check.That(data.ResourceName).Key("ingress_application_gateway.0.subnet_cidr").IsEmpty(), - ), - }, - }) - } + data.DataSourceTest(t, []acceptance.TestStep{ + { + Config: 
r.addOnProfileIngressApplicationGatewaySubnetIdConfig(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).Key("ingress_application_gateway.#").HasValue("1"), + check.That(data.ResourceName).Key("ingress_application_gateway.0.gateway_id").IsEmpty(), + check.That(data.ResourceName).Key("ingress_application_gateway.0.subnet_cidr").IsEmpty(), + ), + }, + }) } func TestAccDataSourceKubernetesCluster_addOnProfileOpenServiceMesh(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test") r := KubernetesClusterDataSource{} - if !features.ThreePointOhBeta() { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileOpenServiceMeshConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("addon_profile.0.open_service_mesh.#").HasValue("1"), - check.That(data.ResourceName).Key("addon_profile.0.open_service_mesh.0.enabled").HasValue("true"), - ), - }, - }) - } else { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileOpenServiceMeshConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("open_service_mesh_enabled").HasValue("true"), - ), - }, - }) - } + data.DataSourceTest(t, []acceptance.TestStep{ + { + Config: r.addOnProfileOpenServiceMeshConfig(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).Key("open_service_mesh_enabled").HasValue("true"), + ), + }, + }) } func TestAccDataSourceKubernetesCluster_addOnProfileAzureKeyvaultSecretsProvider(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test") r := KubernetesClusterDataSource{} - if !features.ThreePointOhBeta() { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileAzureKeyvaultSecretsProviderConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("addon_profile.0.azure_keyvault_secrets_provider.#").HasValue("1"), - 
check.That(data.ResourceName).Key("addon_profile.0.azure_keyvault_secrets_provider.0.enabled").HasValue("true"), - check.That(data.ResourceName).Key("addon_profile.0.azure_keyvault_secrets_provider.0.secret_rotation_enabled").HasValue("true"), - check.That(data.ResourceName).Key("addon_profile.0.azure_keyvault_secrets_provider.0.secret_rotation_interval").HasValue("2m"), - ), - }, - }) - } else { - data.DataSourceTest(t, []acceptance.TestStep{ - { - Config: r.addOnProfileAzureKeyvaultSecretsProviderConfig(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).Key("key_vault_secrets_provider.0.secret_rotation_enabled").HasValue("true"), - check.That(data.ResourceName).Key("key_vault_secrets_provider.0.secret_rotation_interval").HasValue("2m"), - ), - }, - }) - } + data.DataSourceTest(t, []acceptance.TestStep{ + { + Config: r.addOnProfileAzureKeyvaultSecretsProviderConfig(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).Key("key_vault_secrets_provider.0.secret_rotation_enabled").HasValue("true"), + check.That(data.ResourceName).Key("key_vault_secrets_provider.0.secret_rotation_interval").HasValue("2m"), + ), + }, + }) } func TestAccDataSourceKubernetesCluster_autoscalingNoAvailabilityZones(t *testing.T) { @@ -707,6 +513,20 @@ func TestAccDataSourceKubernetesCluster_oidcIssuerDisabled(t *testing.T) { }) } +func TestAccDataSourceKubernetesCluster_microsoftDefender(t *testing.T) { + data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test") + r := KubernetesClusterDataSource{} + + data.DataSourceTest(t, []acceptance.TestStep{ + { + Config: r.microsoftDefender(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).Key("microsoft_defender.0.log_analytics_workspace_id").Exists(), + ), + }, + }) +} + func (KubernetesClusterDataSource) basicConfig(data acceptance.TestData) string { return fmt.Sprintf(` %s 
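Review bot: `TestAccDataSourceKubernetesCluster_microsoftDefender` only asserts that `microsoft_defender.0.log_analytics_workspace_id` exists, so a data source that flattened a wrong or stale workspace ID would still pass. The ingress gateway tests in this same file already use `MatchesOtherKey` to pin one attribute to another, and the same pattern pins the value to the workspace the config actually created: `check.That(data.ResourceName).Key("microsoft_defender.0.log_analytics_workspace_id").MatchesOtherKey(check.That("azurerm_log_analytics_workspace.test").Key("id")),`. `check.That` takes the string address (`data.ResourceName` is one), but if the helper cannot be pointed at the workspace resource for some reason, at least add `check.That(data.ResourceName).Key("microsoft_defender.#").HasValue("1"),` so the block's presence is pinned rather than a single nested key.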
@@ -861,17 +681,6 @@ data "azurerm_kubernetes_cluster" "test" { `, KubernetesClusterResource{}.addonProfileOMSConfig(data)) } -func (KubernetesClusterDataSource) addOnProfileKubeDashboardConfig(data acceptance.TestData) string { - return fmt.Sprintf(` -%s - -data "azurerm_kubernetes_cluster" "test" { - name = azurerm_kubernetes_cluster.test.name - resource_group_name = azurerm_kubernetes_cluster.test.resource_group_name -} -`, KubernetesClusterResource{}.addonProfileKubeDashboardConfig(data)) -} - func (KubernetesClusterDataSource) addOnProfileAzurePolicyConfig(data acceptance.TestData) string { return fmt.Sprintf(` %s @@ -946,7 +755,7 @@ data "azurerm_kubernetes_cluster" "test" { name = azurerm_kubernetes_cluster.test.name resource_group_name = azurerm_kubernetes_cluster.test.resource_group_name } -`, KubernetesClusterResource{}.addonProfileAzureKeyVaultSecretsProviderConfig(data, true, true, "2m")) +`, KubernetesClusterResource{}.addonProfileAzureKeyVaultSecretsProviderConfig(data, true, "2m")) } func (KubernetesClusterDataSource) autoScalingNoAvailabilityZonesConfig(data acceptance.TestData) string { @@ -996,10 +805,19 @@ data "azurerm_kubernetes_cluster" "test" { func (KubernetesClusterDataSource) oidcIssuer(data acceptance.TestData, enabled bool) string { return fmt.Sprintf(` %s - data "azurerm_kubernetes_cluster" "test" { name = azurerm_kubernetes_cluster.test.name resource_group_name = azurerm_kubernetes_cluster.test.resource_group_name } `, KubernetesClusterResource{}.oidcIssuer(data, enabled)) } + +func (KubernetesClusterDataSource) microsoftDefender(data acceptance.TestData) string { + return fmt.Sprintf(` +%s +data "azurerm_kubernetes_cluster" "test" { + name = azurerm_kubernetes_cluster.test.name + resource_group_name = azurerm_kubernetes_cluster.test.resource_group_name +} +`, KubernetesClusterResource{}.microsoftDefender(data)) +} 
diff --git a/internal/services/containers/kubernetes_cluster_other_resource_test.go b/internal/services/containers/kubernetes_cluster_other_resource_test.go index 8526ae30de98..4abdd58e2edc 100644 --- a/internal/services/containers/kubernetes_cluster_other_resource_test.go +++ b/internal/services/containers/kubernetes_cluster_other_resource_test.go @@ -576,6 +576,28 @@ func TestAccKubernetesCluster_osSku(t *testing.T) { }) } +func TestAccKubernetesCluster_microsoftDefender(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test") + r := KubernetesClusterResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.microsoftDefender(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.microsoftDefenderDisabled(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + }) +} + func TestAccKubernetesCluster_oidcIssuer(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test") r := KubernetesClusterResource{} @@ -1852,21 +1874,25 @@ func (KubernetesClusterResource) osSku(data acceptance.TestData) string { provider "azurerm" { features {} } + resource "azurerm_resource_group" "test" { name = "acctestRG-aks-%d" location = "%s" } + resource "azurerm_kubernetes_cluster" "test" { name = "acctestaks%d" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name dns_prefix = "acctestaks%d" + default_node_pool { name = "default" node_count = 1 vm_size = "Standard_D2s_v3" os_sku = "Ubuntu" } + identity { type = "SystemAssigned" } 
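Review bot: Both steps of `TestAccKubernetesCluster_microsoftDefender` check only `ExistsInAzure(r)`, so the test keeps passing as long as the cluster exists, regardless of whether the first apply turned Defender on or the second apply turned it off. The post-apply empty-plan check would surface an undisabled Defender only if Read faithfully flattens it back, which this hunk cannot show; explicit state assertions make the intent visible and do not depend on that. Next to `ExistsInAzure(r)` in the first step add `check.That(data.ResourceName).Key("microsoft_defender.#").HasValue("1"),` and `check.That(data.ResourceName).Key("microsoft_defender.0.log_analytics_workspace_id").Exists(),`, and in the `microsoftDefenderDisabled` step add `check.That(data.ResourceName).Key("microsoft_defender.#").HasValue("0"),`.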
@@ -1901,3 +1927,72 @@ resource "azurerm_kubernetes_cluster" "test" { } `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, enabled) } + +func (KubernetesClusterResource) microsoftDefender(data acceptance.TestData) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} +resource "azurerm_resource_group" "test" { + name = "acctestRG-aks-%d" + location = "%s" +} +resource "azurerm_log_analytics_workspace" "test" { + name = "acctest-%d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + sku = "PerGB2018" +} +resource "azurerm_kubernetes_cluster" "test" { + name = "acctestaks%d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + dns_prefix = "acctestaks%d" + role_based_access_control_enabled = true + default_node_pool { + name = "default" + node_count = 1 + vm_size = "Standard_DS2_v2" + } + identity { + type = "SystemAssigned" + } + microsoft_defender { + log_analytics_workspace_id = azurerm_log_analytics_workspace.test.id + } +} +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) +} + +func (KubernetesClusterResource) microsoftDefenderDisabled(data acceptance.TestData) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} +resource "azurerm_resource_group" "test" { + name = "acctestRG-aks-%d" + location = "%s" +} +resource "azurerm_log_analytics_workspace" "test" { + name = "acctest-%d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + sku = "PerGB2018" +} +resource "azurerm_kubernetes_cluster" "test" { + name = "acctestaks%d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + dns_prefix = "acctestaks%d" + role_based_access_control_enabled = true + default_node_pool { + name = "default" + node_count = 1 + vm_size = 
"Standard_DS2_v2" + } + identity { + type = "SystemAssigned" + } +} +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) +} diff --git a/internal/services/containers/kubernetes_cluster_resource.go b/internal/services/containers/kubernetes_cluster_resource.go index 7f9e3c44c076..f86f4f04ebef 100644 --- a/internal/services/containers/kubernetes_cluster_resource.go +++ b/internal/services/containers/kubernetes_cluster_resource.go @@ -17,12 +17,12 @@ import ( "github.com/hashicorp/terraform-provider-azurerm/helpers/tf" "github.com/hashicorp/terraform-provider-azurerm/helpers/validate" "github.com/hashicorp/terraform-provider-azurerm/internal/clients" - "github.com/hashicorp/terraform-provider-azurerm/internal/features" computeValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/compute/validate" "github.com/hashicorp/terraform-provider-azurerm/internal/services/containers/kubernetes" "github.com/hashicorp/terraform-provider-azurerm/internal/services/containers/migration" "github.com/hashicorp/terraform-provider-azurerm/internal/services/containers/parse" containerValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/containers/validate" + logAnalyticsValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/loganalytics/validate" msiparse "github.com/hashicorp/terraform-provider-azurerm/internal/services/msi/parse" msivalidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/msi/validate" privateDnsValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/privatedns/validate" 
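Review bot: `microsoftDefender` and `microsoftDefenderDisabled` duplicate roughly thirty lines of HCL that differ only by the presence of the `microsoft_defender` block, while the adjacent `oidcIssuer(data, enabled bool)` shows the file's existing pattern of one config with a toggle. Folding them into `microsoftDefender(data acceptance.TestData, enabled bool)` guarantees the two steps of the enable→disable test differ only in that block, which is the property the test relies on, and removes the risk of the two copies drifting apart (the `vm_size` here already differs from the `Standard_D2s_v3` used by `osSku`). Callers become `r.microsoftDefender(data, true)` / `r.microsoftDefender(data, false)`, including the data-source wrapper in `kubernetes_cluster_data_source_test.go`. A sketch follows; the HCL body is as in the hunk.
```go
func (KubernetesClusterResource) microsoftDefender(data acceptance.TestData, enabled bool) string {
	defenderBlock := ""
	if enabled {
		defenderBlock = `
  microsoft_defender {
    log_analytics_workspace_id = azurerm_log_analytics_workspace.test.id
  }`
	}
	return fmt.Sprintf(`
# … unchanged: provider, resource group, log analytics workspace, cluster attributes, default_node_pool …
  identity {
    type = "SystemAssigned"
  }
%s
}
`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, defenderBlock)
}
```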
@@ -253,13 +253,7 @@ func resourceKubernetesCluster() *pluginsdk.Resource { RequiredWith: []string{ "kubelet_identity.0.object_id", "kubelet_identity.0.user_assigned_identity_id", - func() string { - if !features.ThreePointOhBeta() { - return "identity.0.user_assigned_identity_id" - } - - return "identity.0.identity_ids" - }(), + "identity.0.identity_ids", }, ValidateFunc: validation.StringIsNotEmpty, }, @@ -271,13 +265,7 @@ func resourceKubernetesCluster() *pluginsdk.Resource { RequiredWith: []string{ "kubelet_identity.0.client_id", "kubelet_identity.0.user_assigned_identity_id", - func() string { - if !features.ThreePointOhBeta() { - return "identity.0.user_assigned_identity_id" - } - - return "identity.0.identity_ids" - }(), + "identity.0.identity_ids", }, ValidateFunc: validation.StringIsNotEmpty, }, @@ -289,13 +277,7 @@ func resourceKubernetesCluster() *pluginsdk.Resource { RequiredWith: []string{ "kubelet_identity.0.client_id", "kubelet_identity.0.object_id", - func() string { - if !features.ThreePointOhBeta() { - return "identity.0.user_assigned_identity_id" - } - - return "identity.0.identity_ids" - }(), + "identity.0.identity_ids", }, ValidateFunc: msivalidate.UserAssignedIdentityID, }, @@ -406,6 +388,21 @@ func resourceKubernetesCluster() *pluginsdk.Resource { }, }, + "microsoft_defender": { + Type: pluginsdk.TypeList, + Optional: true, + MaxItems: 1, + Elem: &pluginsdk.Resource{ + Schema: map[string]*pluginsdk.Schema{ + "log_analytics_workspace_id": { + Type: pluginsdk.TypeString, + Required: true, + ValidateFunc: logAnalyticsValidate.LogAnalyticsWorkspaceID, + }, + }, + }, + }, + "network_profile": { Type: pluginsdk.TypeList, Optional: true, @@ -490,7 +487,7 @@ func resourceKubernetesCluster() *pluginsdk.Resource { ValidateFunc: validation.StringInSlice([]string{ string(containerservice.LoadBalancerSkuBasic), string(containerservice.LoadBalancerSkuStandard), - }, !features.ThreePointOhBeta()), + }, false), }, "outbound_type": { 
@@ -646,13 +643,6 @@ func resourceKubernetesCluster() *pluginsdk.Resource { Type: pluginsdk.TypeBool, Optional: true, ForceNew: true, - Computed: !features.ThreePointOhBeta(), - ConflictsWith: func() []string { - if !features.ThreePointOhBeta() { - return []string{"private_link_enabled"} - } - return []string{} - }(), }, "private_cluster_public_fqdn_enabled": { @@ -682,35 +672,17 @@ func resourceKubernetesCluster() *pluginsdk.Resource { ForceNew: true, }, - "role_based_access_control_enabled": func() *schema.Schema { - if !features.ThreePointOhBeta() { - return &schema.Schema{ - Type: pluginsdk.TypeBool, - Optional: true, - Computed: true, - ForceNew: true, - ConflictsWith: []string{"role_based_access_control"}, - } - } - return &schema.Schema{ - Type: pluginsdk.TypeBool, - Optional: true, - Default: true, - ForceNew: true, - } - }(), + "role_based_access_control_enabled": { + Type: pluginsdk.TypeBool, + Optional: true, + Default: true, + ForceNew: true, + }, "azure_active_directory_role_based_access_control": { Type: pluginsdk.TypeList, Optional: true, MaxItems: 1, - Computed: !features.ThreePointOhBeta(), - ConflictsWith: func() []string { - if !features.ThreePointOhBeta() { - return []string{"role_based_access_control"} - } - return []string{} - }(), Elem: &pluginsdk.Resource{ Schema: map[string]*pluginsdk.Schema{ "client_app_id": { 
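Review bot: `role_based_access_control_enabled` moves from `Computed: true` to `Default: true` while keeping `ForceNew: true`, so an existing cluster whose API value is `false` and whose configuration never set the attribute will plan a destroy/recreate on the first apply after upgrading. Defaulting RBAC to on is the right secure default, but a silent ForceNew on an inherited cluster is destructive, so the field should carry a why-comment and the 3.0 upgrade guide should tell users to set `role_based_access_control_enabled = false` explicitly before upgrading if they need to keep such a cluster: `// Default changed from Computed in 3.0: clusters with RBAC disabled must set this explicitly or they will be recreated.` The same hunk drops `Computed` from `azure_active_directory_role_based_access_control`, so a config that omits that block will now diff against whatever Read flattens from the service; whether Read still writes that block is outside this hunk and worth confirming. `resourceKubernetesCluster` continues outside the hunk.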
@@ -1004,119 +976,6 @@ func resourceKubernetesCluster() *pluginsdk.Resource { resource.Schema[k] = v } - if !features.ThreePointOhBeta() { - resource.Schema["private_link_enabled"] = &pluginsdk.Schema{ - Type: pluginsdk.TypeBool, - Optional: true, - ForceNew: true, - Computed: true, - ConflictsWith: []string{"private_cluster_enabled"}, - Deprecated: "`private_link_enabled` is deprecated in favour of `private_cluster_enabled` and will be removed in version 3.0 of the AzureRM Provider", - } - - resource.Schema["role_based_access_control"] = &pluginsdk.Schema{ - Type: pluginsdk.TypeList, - Optional: true, - Computed: true, - MaxItems: 1, - ConflictsWith: []string{"role_based_access_control_enabled", "azure_active_directory_role_based_access_control"}, - Deprecated: "`role_based_access_control` is deprecated in favour of the properties `role_based_access_control_enabled` and `azure_active_directory_role_based_access_control` and will be removed in version 3.0 of the AzureRM provider", - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "enabled": { - Type: pluginsdk.TypeBool, - Required: true, - ForceNew: true, - }, - "azure_active_directory": { - Type: pluginsdk.TypeList, - Optional: true, - MaxItems: 1, - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "client_app_id": { - Type: pluginsdk.TypeString, - Optional: true, - ValidateFunc: validation.IsUUID, - AtLeastOneOf: []string{ - "role_based_access_control.0.azure_active_directory.0.client_app_id", "role_based_access_control.0.azure_active_directory.0.server_app_id", - "role_based_access_control.0.azure_active_directory.0.server_app_secret", "role_based_access_control.0.azure_active_directory.0.tenant_id", - "role_based_access_control.0.azure_active_directory.0.managed", "role_based_access_control.0.azure_active_directory.0.admin_group_object_ids", - }, - }, - - "server_app_id": { - Type: pluginsdk.TypeString, - Optional: true, - ValidateFunc: validation.IsUUID, - AtLeastOneOf: 
[]string{ - "role_based_access_control.0.azure_active_directory.0.client_app_id", "role_based_access_control.0.azure_active_directory.0.server_app_id", - "role_based_access_control.0.azure_active_directory.0.server_app_secret", "role_based_access_control.0.azure_active_directory.0.tenant_id", - "role_based_access_control.0.azure_active_directory.0.managed", "role_based_access_control.0.azure_active_directory.0.admin_group_object_ids", - }, - }, - - "server_app_secret": { - Type: pluginsdk.TypeString, - Optional: true, - Sensitive: true, - ValidateFunc: validation.StringIsNotEmpty, - AtLeastOneOf: []string{ - "role_based_access_control.0.azure_active_directory.0.client_app_id", "role_based_access_control.0.azure_active_directory.0.server_app_id", - "role_based_access_control.0.azure_active_directory.0.server_app_secret", "role_based_access_control.0.azure_active_directory.0.tenant_id", - "role_based_access_control.0.azure_active_directory.0.managed", "role_based_access_control.0.azure_active_directory.0.admin_group_object_ids", - }, - }, - - "tenant_id": { - Type: pluginsdk.TypeString, - Optional: true, - Computed: true, - // OrEmpty since this can be sourced from the client config if it's not specified - ValidateFunc: validation.Any(validation.IsUUID, validation.StringIsEmpty), - AtLeastOneOf: []string{ - "role_based_access_control.0.azure_active_directory.0.client_app_id", "role_based_access_control.0.azure_active_directory.0.server_app_id", - "role_based_access_control.0.azure_active_directory.0.server_app_secret", "role_based_access_control.0.azure_active_directory.0.tenant_id", - "role_based_access_control.0.azure_active_directory.0.managed", "role_based_access_control.0.azure_active_directory.0.admin_group_object_ids", - }, - }, - - "managed": { - Type: pluginsdk.TypeBool, - Optional: true, - AtLeastOneOf: []string{ - "role_based_access_control.0.azure_active_directory.0.client_app_id", "role_based_access_control.0.azure_active_directory.0.server_app_id", - 
"role_based_access_control.0.azure_active_directory.0.server_app_secret", "role_based_access_control.0.azure_active_directory.0.tenant_id", - "role_based_access_control.0.azure_active_directory.0.managed", "role_based_access_control.0.azure_active_directory.0.admin_group_object_ids", - }, - }, - - "azure_rbac_enabled": { - Type: pluginsdk.TypeBool, - Optional: true, - }, - - "admin_group_object_ids": { - Type: pluginsdk.TypeSet, - Optional: true, - ConfigMode: pluginsdk.SchemaConfigModeAttr, - Elem: &pluginsdk.Schema{ - Type: pluginsdk.TypeString, - ValidateFunc: validation.IsUUID, - }, - AtLeastOneOf: []string{ - "role_based_access_control.0.azure_active_directory.0.client_app_id", "role_based_access_control.0.azure_active_directory.0.server_app_id", - "role_based_access_control.0.azure_active_directory.0.server_app_secret", "role_based_access_control.0.azure_active_directory.0.tenant_id", - "role_based_access_control.0.azure_active_directory.0.managed", "role_based_access_control.0.azure_active_directory.0.admin_group_object_ids", - }, - }, - }, - }, - }, - }, - }, - } - } return resource } @@ -1167,17 +1026,6 @@ func resourceKubernetesClusterCreate(d *pluginsdk.ResourceData, meta interface{} return err } - if !features.ThreePointOhBeta() { - // nolint staticcheck - if v, ok := d.GetOkExists("addon_profile"); ok { - addonProfilesRaw := v.([]interface{}) - addonProfiles, err = expandKubernetesAddOnProfiles(addonProfilesRaw, env) - if err != nil { - return err - } - } - } - networkProfileRaw := d.Get("network_profile").([]interface{}) networkProfile, err := expandKubernetesClusterNetworkProfile(networkProfileRaw) if err != nil { 
@@ -1196,15 +1044,6 @@ func resourceKubernetesClusterCreate(d *pluginsdk.ResourceData, meta interface{} } } - if !features.ThreePointOhBeta() { - if v, ok := d.GetOk("role_based_access_control"); ok { - rbacEnabled, azureADProfile, err = expandKubernetesClusterRoleBasedAccessControl(v.([]interface{}), tenantId) - if err != nil { - return err - } - } - } - t := d.Get("tags").(map[string]interface{}) windowsProfileRaw := d.Get("windows_profile").([]interface{}) @@ -1214,11 +1053,6 @@ func resourceKubernetesClusterCreate(d *pluginsdk.ResourceData, meta interface{} apiServerAuthorizedIPRanges := utils.ExpandStringSlice(apiServerAuthorizedIPRangesRaw) enablePrivateCluster := false - if !features.ThreePointOhBeta() { - if v, ok := d.GetOk("private_link_enabled"); ok { - enablePrivateCluster = v.(bool) - } - } if v, ok := d.GetOk("private_cluster_enabled"); ok { enablePrivateCluster = v.(bool) } @@ -1236,7 +1070,7 @@ func resourceKubernetesClusterCreate(d *pluginsdk.ResourceData, meta interface{} nodeResourceGroup := d.Get("node_resource_group").(string) if d.Get("enable_pod_security_policy").(bool) { - return fmt.Errorf("The AKS API has removed support for this field on 2020-10-15 and is no longer possible to configure this the Pod Security Policy - as such you'll need to set `enable_pod_security_policy` to `false`") + return fmt.Errorf("the AKS API has removed support for this field on 2020-10-15 and is no longer possible to configure this the Pod Security Policy - as such you'll need to set `enable_pod_security_policy` to `false`") } autoScalerProfileRaw := d.Get("auto_scaler_profile").([]interface{}) 
@@ -1257,6 +1091,9 @@ func resourceKubernetesClusterCreate(d *pluginsdk.ResourceData, meta interface{} publicNetworkAccess = containerservice.PublicNetworkAccessDisabled } + microsoftDefenderRaw := d.Get("microsoft_defender").([]interface{}) + microsoftDefender := expandKubernetesClusterMicrosoftDefender(d, microsoftDefenderRaw) + parameters := containerservice.ManagedCluster{ Name: utils.String(id.ManagedClusterName), Location: utils.String(location), @@ -1281,6 +1118,7 @@ func resourceKubernetesClusterCreate(d *pluginsdk.ResourceData, meta interface{} DisableLocalAccounts: utils.Bool(d.Get("local_account_disabled").(bool)), HTTPProxyConfig: httpProxyConfig, OidcIssuerProfile: oidcIssuerProfile, + SecurityProfile: microsoftDefender, }, Tags: tags.Expand(t), } 
@@ -1440,48 +1278,6 @@ func resourceKubernetesClusterUpdate(d *pluginsdk.ResourceData, meta interface{} updateCluster := false // RBAC profile updates need to be handled atomically before any call to createUpdate as a diff there will create a PropertyChangeNotAllowed error - if !features.ThreePointOhBeta() { - if d.HasChange("role_based_access_control") { - props := existing.ManagedClusterProperties - // check if we can determine current EnableRBAC state - don't do anything destructive if we can't be sure - if props.EnableRBAC == nil { - return fmt.Errorf("updating %s: RBAC Enabled was nil", *id) - } - rbacRaw := d.Get("role_based_access_control").([]interface{}) - tenantId := meta.(*clients.Client).Account.TenantId - rbacEnabled, azureADProfile, err := expandKubernetesClusterRoleBasedAccessControl(rbacRaw, tenantId) - if err != nil { - return err - } - - // changing rbacEnabled must still force cluster recreation - if *props.EnableRBAC == rbacEnabled { - props.AadProfile = azureADProfile - props.EnableRBAC = utils.Bool(rbacEnabled) - - // Reset AAD profile is only possible if not managed - if props.AadProfile != nil && (props.AadProfile.Managed == nil || !*props.AadProfile.Managed) { - log.Printf("[DEBUG] Updating the RBAC AAD profile") - future, err := clusterClient.ResetAADProfile(ctx, id.ResourceGroup, id.ManagedClusterName, *props.AadProfile) - if err != nil { - return fmt.Errorf("updating Managed Kubernetes Cluster AAD Profile for %s: %+v", *id, err) - } - - if err = future.WaitForCompletionRef(ctx, clusterClient.Client); err != nil { - return fmt.Errorf("waiting for update of RBAC AAD profile of %s: %+v", *id, err) - } - } - } else { - updateCluster = true - } - - if props.AadProfile != nil && props.AadProfile.Managed != nil && *props.AadProfile.Managed { - existing.ManagedClusterProperties.AadProfile = azureADProfile - updateCluster = true - } - } - } - if d.HasChange("role_based_access_control_enabled") { props := existing.ManagedClusterProperties // check 
if we can determine current EnableRBAC state - don't do anything destructive if we can't be sure @@ -1536,28 +1332,11 @@ func resourceKubernetesClusterUpdate(d *pluginsdk.ResourceData, meta interface{} existing.ManagedClusterProperties.AddonProfiles = *addonProfiles } - if !features.ThreePointOhBeta() { - if d.HasChange("addon_profile") { - updateCluster = true - addOnProfilesRaw := d.Get("addon_profile").([]interface{}) - addonProfiles, err := expandKubernetesAddOnProfiles(addOnProfilesRaw, env) - if err != nil { - return err - } - existing.ManagedClusterProperties.AddonProfiles = *addonProfiles - } - } - if d.HasChange("api_server_authorized_ip_ranges") { updateCluster = true apiServerAuthorizedIPRangesRaw := d.Get("api_server_authorized_ip_ranges").(*pluginsdk.Set).List() enablePrivateCluster := false - if !features.ThreePointOhBeta() { - if v, ok := d.GetOk("private_link_enabled"); ok { - enablePrivateCluster = v.(bool) - } - } if v, ok := d.GetOk("private_cluster_enabled"); ok { enablePrivateCluster = v.(bool) } 
@@ -1772,7 +1551,20 @@ func resourceKubernetesClusterUpdate(d *pluginsdk.ResourceData, meta interface{} existing.ManagedClusterProperties.OidcIssuerProfile = oidcIssuerProfile } + if d.HasChanges("microsoft_defender") { + updateCluster = true + microsoftDefenderRaw := d.Get("microsoft_defender").([]interface{}) + microsoftDefender := expandKubernetesClusterMicrosoftDefender(d, microsoftDefenderRaw) + existing.ManagedClusterProperties.SecurityProfile = microsoftDefender + } + if updateCluster { + // If Defender was explicitly disabled in a prior update then we should strip security profile from the request + // body to prevent errors in cases where Defender is disabled for the entire subscription + if !d.HasChanges("microsoft_defender") && len(d.Get("microsoft_defender").([]interface{})) == 0 { + existing.ManagedClusterProperties.SecurityProfile = nil + } + log.Printf("[DEBUG] Updating %s..", *id) future, err := clusterClient.CreateOrUpdate(ctx, id.ResourceGroup, id.ManagedClusterName, existing) if err != nil { @@ -1924,9 +1716,6 @@ func resourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{}) return fmt.Errorf("setting `api_server_authorized_ip_ranges`: %+v", err) } - if !features.ThreePointOhBeta() { - d.Set("private_link_enabled", accessProfile.EnablePrivateCluster) - } d.Set("private_cluster_enabled", accessProfile.EnablePrivateCluster) d.Set("private_cluster_public_fqdn_enabled", accessProfile.EnablePrivateClusterPublicFQDN) switch { 
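Review bot: Both new calls use `d.HasChanges("microsoft_defender")` for a single key, while the rest of this function uses `d.HasChange(...)` (e.g. `d.HasChange("api_server_authorized_ip_ranges")` in the hunk above); `d.HasChange("microsoft_defender")` in both places keeps the style consistent. The comment above the strip-out condition also describes a narrower case than the condition implements: it fires whenever the config has no `microsoft_defender` block and there is no diff, not only after an explicit disable, so wording such as `// No microsoft_defender block in config and no diff: omit the security profile from the PUT rather than echo back what GET returned, which errors when Defender is disabled for the whole subscription` would match the code. Setting the whole `SecurityProfile` to nil also drops any other fields GET returned on that profile, if the SDK type carries any beyond `AzureDefender` — worth confirming. resourceKubernetesClusterUpdate continues outside the hunk.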
@@ -1949,13 +1738,6 @@ func resourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{}) d.Set("open_service_mesh_enabled", addOns["open_service_mesh_enabled"].(bool)) d.Set("key_vault_secrets_provider", addOns["key_vault_secrets_provider"]) - if !features.ThreePointOhBeta() { - addonProfiles := flattenKubernetesAddOnProfiles(props.AddonProfiles) - if err := d.Set("addon_profile", addonProfiles); err != nil { - return fmt.Errorf("setting `addon_profile`: %+v", err) - } - } - autoScalerProfile, err := flattenKubernetesClusterAutoScalerProfile(props.AutoScalerProfile) if err != nil { return err @@ -1990,13 +1772,6 @@ func resourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{}) return fmt.Errorf("setting `network_profile`: %+v", err) } - if !features.ThreePointOhBeta() { - roleBasedAccessControl := flattenKubernetesClusterRoleBasedAccessControl(props, d) - if err := d.Set("role_based_access_control", roleBasedAccessControl); err != nil { - return fmt.Errorf("setting `role_based_access_control`: %+v", err) - } - } - rbacEnabled := true if props.EnableRBAC != nil { rbacEnabled = *props.EnableRBAC @@ -2037,6 +1812,11 @@ func resourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{}) d.Set("oidc_issuer_enabled", oidcIssuerEnabled) d.Set("oidc_issuer_url", oidcIssuerUrl) + microsoftDefender := flattenKubernetesClusterMicrosoftDefender(props.SecurityProfile) + if err := d.Set("microsoft_defender", microsoftDefender); err != nil { + return fmt.Errorf("setting `microsoft_defender`: %+v", err) + } + // adminProfile is only available for RBAC enabled clusters with AAD and local account is not disabled if props.AadProfile != nil && (props.DisableLocalAccounts == nil || !*props.DisableLocalAccounts) { adminProfile, err := client.GetAccessProfile(ctx, id.ResourceGroup, id.ManagedClusterName, "clusterAdmin") 
@@ -2594,71 +2374,6 @@ func flattenKubernetesClusterNetworkProfile(profile *containerservice.NetworkPro } } -func expandKubernetesClusterRoleBasedAccessControl(input []interface{}, providerTenantId string) (bool, *containerservice.ManagedClusterAADProfile, error) { - if len(input) == 0 { - return false, nil, nil - } - - val := input[0].(map[string]interface{}) - - rbacEnabled := val["enabled"].(bool) - azureADsRaw := val["azure_active_directory"].([]interface{}) - - var aad *containerservice.ManagedClusterAADProfile - - if len(azureADsRaw) > 0 { - azureAdRaw := azureADsRaw[0].(map[string]interface{}) - - clientAppId := azureAdRaw["client_app_id"].(string) - serverAppId := azureAdRaw["server_app_id"].(string) - serverAppSecret := azureAdRaw["server_app_secret"].(string) - tenantId := azureAdRaw["tenant_id"].(string) - managed := azureAdRaw["managed"].(bool) - azureRbacEnabled := azureAdRaw["azure_rbac_enabled"].(bool) - adminGroupObjectIdsRaw := azureAdRaw["admin_group_object_ids"].(*pluginsdk.Set).List() - adminGroupObjectIds := utils.ExpandStringSlice(adminGroupObjectIdsRaw) - - if tenantId == "" { - tenantId = providerTenantId - } - - if managed { - aad = &containerservice.ManagedClusterAADProfile{ - TenantID: utils.String(tenantId), - Managed: utils.Bool(managed), - AdminGroupObjectIDs: adminGroupObjectIds, - EnableAzureRBAC: utils.Bool(azureRbacEnabled), - } - - if clientAppId != "" || serverAppId != "" || serverAppSecret != "" { - return false, nil, fmt.Errorf("Can't specify client_app_id or server_app_id or server_app_secret when using managed aad rbac (managed = true)") - } - } else { - aad = &containerservice.ManagedClusterAADProfile{ - ClientAppID: utils.String(clientAppId), - ServerAppID: utils.String(serverAppId), - ServerAppSecret: utils.String(serverAppSecret), - TenantID: utils.String(tenantId), - Managed: utils.Bool(managed), - } - - if len(*adminGroupObjectIds) > 0 { - return false, nil, fmt.Errorf("Can't specify admin_group_object_ids when using 
managed aad rbac (managed = false)") - } - - if clientAppId == "" || serverAppId == "" || serverAppSecret == "" { - return false, nil, fmt.Errorf("You must specify client_app_id and server_app_id and server_app_secret when using managed aad rbac (managed = false)") - } - - if azureRbacEnabled { - return false, nil, fmt.Errorf("You must enable Managed AAD before Azure RBAC can be enabled") - } - } - } - - return rbacEnabled, aad, nil -} - func expandKubernetesClusterAzureActiveDirectoryRoleBasedAccessControl(input []interface{}, providerTenantId string) (*containerservice.ManagedClusterAADProfile, error) { if len(input) == 0 { return nil, nil 
@@ -2737,77 +2452,6 @@ func expandKubernetesClusterManagedClusterIdentity(input []interface{}) (*contai return &out, nil } -func flattenKubernetesClusterRoleBasedAccessControl(input *containerservice.ManagedClusterProperties, d *pluginsdk.ResourceData) []interface{} { - rbacEnabled := false - if input.EnableRBAC != nil { - rbacEnabled = *input.EnableRBAC - } - - results := make([]interface{}, 0) - if profile := input.AadProfile; profile != nil { - adminGroupObjectIds := utils.FlattenStringSlice(profile.AdminGroupObjectIDs) - - clientAppId := "" - if profile.ClientAppID != nil { - clientAppId = *profile.ClientAppID - } - - managed := false - if profile.Managed != nil { - managed = *profile.Managed - } - - azureRbacEnabled := false - if profile.EnableAzureRBAC != nil { - azureRbacEnabled = *profile.EnableAzureRBAC - } - - serverAppId := "" - if profile.ServerAppID != nil { - serverAppId = *profile.ServerAppID - } - - serverAppSecret := "" - // since input.ServerAppSecret isn't returned we're pulling this out of the existing state (which won't work for Imports) - // role_based_access_control.0.azure_active_directory.0.server_app_secret - if existing, ok := d.GetOk("role_based_access_control"); ok { - rbacRawVals := existing.([]interface{}) - if len(rbacRawVals) > 0 { - rbacRawVal := rbacRawVals[0].(map[string]interface{}) - if azureADVals, ok := rbacRawVal["azure_active_directory"].([]interface{}); ok && len(azureADVals) > 0 { - azureADVal := azureADVals[0].(map[string]interface{}) - v := azureADVal["server_app_secret"] - if v != nil { - serverAppSecret = v.(string) - } - } - } - } - - tenantId := "" - if profile.TenantID != nil { - tenantId = *profile.TenantID - } - - results = append(results, map[string]interface{}{ - "admin_group_object_ids": pluginsdk.NewSet(pluginsdk.HashString, adminGroupObjectIds), - "client_app_id": clientAppId, - "managed": managed, - "server_app_id": serverAppId, - "server_app_secret": serverAppSecret, - "tenant_id": tenantId, - 
"azure_rbac_enabled": azureRbacEnabled, - }) - } - - return []interface{}{ - map[string]interface{}{ - "enabled": rbacEnabled, - "azure_active_directory": results, - }, - } -} - func flattenKubernetesClusterAzureActiveDirectoryRoleBasedAccessControl(input *containerservice.ManagedClusterProperties, d *pluginsdk.ResourceData) []interface{} { results := make([]interface{}, 0) if profile := input.AadProfile; profile != nil { @@ -3278,3 +2922,40 @@ func flattenKubernetesClusterHttpProxyConfig(props *containerservice.ManagedClus "trusted_ca": trustedCa, }) } + +func expandKubernetesClusterMicrosoftDefender(d *pluginsdk.ResourceData, input []interface{}) *containerservice.ManagedClusterSecurityProfile { + if (len(input) == 0 || input[0] == nil) && d.HasChange("microsoft_defender") { + return &containerservice.ManagedClusterSecurityProfile{ + AzureDefender: &containerservice.ManagedClusterSecurityProfileAzureDefender{ + Enabled: utils.Bool(false), + }, + } + } else if len(input) == 0 || input[0] == nil { + return nil + } + + config := input[0].(map[string]interface{}) + return &containerservice.ManagedClusterSecurityProfile{ + AzureDefender: &containerservice.ManagedClusterSecurityProfileAzureDefender{ + Enabled: utils.Bool(true), + LogAnalyticsWorkspaceResourceID: utils.String(config["log_analytics_workspace_id"].(string)), + }, + } +} + +func flattenKubernetesClusterMicrosoftDefender(input *containerservice.ManagedClusterSecurityProfile) []interface{} { + if input == nil || input.AzureDefender == nil || (input.AzureDefender.Enabled != nil && !*input.AzureDefender.Enabled) { + return []interface{}{} + } + + logAnalyticsWorkspace := "" + if v := input.AzureDefender.LogAnalyticsWorkspaceResourceID; v != nil { + logAnalyticsWorkspace = *v + } + + return []interface{}{ + map[string]interface{}{ + "log_analytics_workspace_id": logAnalyticsWorkspace, + }, + } +} 
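Review bot: Neither new function has a doc comment, and `expandKubernetesClusterMicrosoftDefender` has two distinct "no block" outcomes that depend on `d.HasChange`; the comment should state that an absent block yields nil (profile left untouched on the request) unless the block was just removed, in which case an explicit `Enabled: false` profile is returned so Defender is switched off on the cluster — a maintainer needs to know that dropping the block from config deactivates Defender on the next apply. In `flattenKubernetesClusterMicrosoftDefender`, a profile whose `Enabled` is nil is flattened as a block, possibly with an empty `log_analytics_workspace_id`, which the docs hunk marks Required; if the API can return `AzureDefender` with `Enabled` unset, decide that case explicitly (e.g. `if input == nil || input.AzureDefender == nil || input.AzureDefender.Enabled == nil || !*input.AzureDefender.Enabled {`) rather than falling through to a block — worth confirming against the API. The unchecked `config["log_analytics_workspace_id"].(string)` matches the file's existing expand style.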
diff --git a/website/docs/d/kubernetes_cluster.html.markdown b/website/docs/d/kubernetes_cluster.html.markdown index 06d69f84baee..e40f494bb43a 100644 --- a/website/docs/d/kubernetes_cluster.html.markdown +++ b/website/docs/d/kubernetes_cluster.html.markdown @@ -78,6 +78,8 @@ The following attributes are exported: * `location` - The Azure Region in which the managed Kubernetes Cluster exists. +* `microsoft_defender` - A `microsoft_defender` block as defined below. + * `oidc_issuer_enabled` - Whether or not the OIDC feature is enabled or disabled. * `oidc_issuer_url` - The OIDC issuer URL that is associated with the cluster. @@ -221,6 +223,12 @@ A `linux_profile` block exports the following: --- +A `microsoft_defender` block exports the following: + +* `log_analytics_workspace_id` - The ID of the Log Analytics Workspace which Microsoft Defender uses to send audit logs to. + +--- + A `windows_profile` block exports the following: * `admin_username` - The username associated with the administrator account of the Windows VMs. diff --git a/website/docs/r/kubernetes_cluster.html.markdown b/website/docs/r/kubernetes_cluster.html.markdown index 37008bfdbf71..458e4f03a764 100644 --- a/website/docs/r/kubernetes_cluster.html.markdown +++ b/website/docs/r/kubernetes_cluster.html.markdown 
@@ -126,10 +126,14 @@ In addition, one of either `identity` or `service_principal` blocks must be spec * `local_account_disabled` - (Optional) - If `true` local accounts will be disabled. Defaults to `false`. See [the documentation](https://docs.microsoft.com/en-us/azure/aks/managed-aad#disable-local-accounts) for more information. --> **NOTE:** If `local_account_disabled` is set to `true`, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See [the documentation](https://docs.microsoft.com/en-us/azure/aks/managed-aad#azure-ad-authentication-overview) for more information. +-> **Note:** If `local_account_disabled` is set to `true`, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See [the documentation](https://docs.microsoft.com/en-us/azure/aks/managed-aad#azure-ad-authentication-overview) for more information. * `maintenance_window` - (Optional) A `maintenance_window` block as defined below. +* `microsoft_defender` - (Optional) A `microsoft_defender` block as defined below. + +-> **Note:** This requires that the Preview Feature `Microsoft.ContainerService/AKS-AzureDefender` is enabled, see [the documentation](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-aks) for more information. + * `network_profile` - (Optional) A `network_profile` block as defined below. -> **Note:** If `network_profile` is not defined, `kubenet` profile will be used by default. 
@@ -463,6 +467,12 @@ A `maintenance_window` block supports the following: --- +A `microsoft_defender` block supports the following: + +* `log_analytics_workspace_id` - (Required) Specifies the ID of the Log Analytics Workspace where the audit logs collected by Microsoft Defender should be sent to. + +--- + An `allowed` block exports the following: * `day` - (Required) A day in a week. Possible values are `Sunday`, `Monday`, `Tuesday`, `Wednesday`, `Thursday`, `Friday` and `Saturday`.