Merge pull request #245 from aztfmod/HN-aks

Hn aks

application_gateways.tf

@@ -1,4 +1,4 @@
-module application_gateways {
+module "application_gateways" {
   source   = "./modules/networking/application_gateway"
   for_each = local.networking.application_gateways
 
@@ -16,19 +16,21 @@ module application_gateways {
   public_ip_addresses   = local.combined_objects_public_ip_addresses
   app_services          = local.combined_objects_app_services
   managed_identities    = local.combined_objects_managed_identities
+  keyvaults             = local.combined_objects_keyvaults
+  dns_zones             = local.combined_objects_dns_zones
   keyvault_certificates = module.keyvault_certificates
   application_gateway_applications = {
     for key, value in local.networking.application_gateway_applications : key => value
     if value.application_gateway_key == each.key
   }
 }
 
-output application_gateways {
+output "application_gateways" {
   value = module.application_gateways
 
 }
 
-output application_gateway_applications {
+output "application_gateway_applications" {
   value = local.networking.application_gateway_applications
 
 }

front_doors.tf

@@ -30,10 +30,14 @@ locals {
 #   "az ad sp create --id ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037"
 
 data "azuread_service_principal" "front_door" {
+  for_each = {
+    for key, value in local.networking.front_doors : key => value
+    if try(value.keyvault_key, null) != null
+  }
   application_id = local.front_door_application_id
 }
 
-module front_doors_keyvault_access_policy {
+module "front_doors_keyvault_access_policy" {
   source = "./modules/security/keyvault_access_policies"
   for_each = {
     for key, value in local.networking.front_doors : key => value
@@ -45,9 +49,9 @@ module front_doors_keyvault_access_policy {
 
   access_policies = {
     front_door_certificate = {
-      object_id               = data.azuread_service_principal.front_door.object_id
+      object_id               = data.azuread_service_principal.front_door[each.key].object_id
       certificate_permissions = ["Get"]
       secret_permissions      = ["Get"]
     }
   }
-}
+}

keyvault_certificate_requests.tf

@@ -8,10 +8,10 @@ module keyvault_certificate_requests {
   for_each   = local.security.keyvault_certificate_requests
 
   keyvault_id         = try(local.combined_objects_keyvaults[each.value.lz_key][each.value.keyvault_key].id, local.combined_objects_keyvaults[local.client_config.landingzone_key][each.value.keyvault_key].id)
-  certificate_issuers = var.security.keyvault_certificate_issuers
+  certificate_issuers = try(var.security.keyvault_certificate_issuers, {})
   settings            = each.value
 }
 
 output keyvault_certificate_requests {
   value = module.keyvault_certificate_requests
-}
+}

main.tf

@@ -42,4 +42,4 @@ resource "random_string" "alpha1" {
 data "azuread_service_principal" "logged_in_app" {
   count          = try(data.azurerm_client_config.current.object_id, null) == null ? 1 : 0
   application_id = data.azurerm_client_config.current.client_id
-}
+}

modules/compute/aks/aks.tf

@@ -39,9 +39,9 @@ resource "azurecaf_name" "rg_node" {
 
 resource "azurerm_kubernetes_cluster" "aks" {
 
-  name                = azurecaf_name.aks.result
-  location            = var.resource_group.location
-  resource_group_name = var.resource_group.name
+  name                    = azurecaf_name.aks.result
+  location                = var.resource_group.location
+  resource_group_name     = var.resource_group.name
 
   default_node_pool {
     name                  = var.settings.default_node_pool.name //azurecaf_name.default_node_pool.result
@@ -60,53 +60,53 @@ resource "azurerm_kubernetes_cluster" "aks" {
     tags                  = merge(try(var.settings.default_node_pool.tags, {}), local.tags)
   }
 
-  dns_prefix = try(var.settings.dns_prefix, random_string.prefix.result)
+  dns_prefix              = try(var.settings.dns_prefix, random_string.prefix.result)
 
   dynamic "addon_profile" {
-    for_each = try(var.settings.addon_profile, {})
-
+    for_each = lookup(var.settings, "addon_profile", null) == null ? [] : [1]
+    
     content {
       dynamic "aci_connector_linux" {
         for_each = try(var.settings.addon_profile.aci_connector_linux[*], {})
-
+        
         content {
           enabled     = aci_connector_linux.value.enabled
           subnet_name = aci_connector_linux.value.subnet_name
         }
       }
-
+      
       dynamic "azure_policy" {
         for_each = try(var.settings.addon_profile.azure_policy[*], {})
-
+        
         content {
-          enabled = azure_policy.value.enabled
+          enabled     = azure_policy.value.enabled
         }
       }
 
       dynamic "http_application_routing" {
         for_each = try(var.settings.addon_profile.http_application_routing[*], {})
-
+        
         content {
-          enabled = http_application_routing.value.enabled
+          enabled     = http_application_routing.value.enabled
         }
       }
 
       dynamic "kube_dashboard" {
-        for_each = try(var.settings.addon_profile.kube_dashboard[*], {})
-
+        for_each = try(var.settings.addon_profile.kube_dashboard[*], [{enabled = false}])
+        
         content {
-          enabled = kube_dashboard.value.enabled
+          enabled     = kube_dashboard.value.enabled
         }
       }
 
       dynamic "oms_agent" {
         for_each = try(var.settings.addon_profile.oms_agent[*], {})
-
+        
         content {
-          enabled                    = oms_agent.value.enabled
-          log_analytics_workspace_id = try(oms_agent.value.log_analytics_workspace_id, try(var.diagnostics.log_analytics[oms_agent.value.log_analytics_key].id, null))
+          enabled                       = oms_agent.value.enabled
+          log_analytics_workspace_id    = try(oms_agent.value.log_analytics_workspace_id, try(var.diagnostics.log_analytics[oms_agent.value.log_analytics_key].id,null))
           dynamic "oms_agent_identity" {
-            for_each = try(oms_agent.value.oms_agent_identity[*], {})
+            for_each = try(oms_agent.value.oms_agent_identity[*],{})
 
             content {
               client_id                 = oms_agent_identity.value.client_id
@@ -119,28 +119,28 @@ resource "azurerm_kubernetes_cluster" "aks" {
     }
   }
 
-  api_server_authorized_ip_ranges = try(var.settings.api_server_authorized_ip_ranges, null)
+  api_server_authorized_ip_ranges = try(var.settings.api_server_authorized_ip_ranges,null)
 
   dynamic "auto_scaler_profile" {
     for_each = try(var.settings.auto_scaler_profile[*], {})
-
+    
     content {
-      balance_similar_node_groups      = try(auto_scaler_profile.value.balance_similar_node_groups, null)
-      max_graceful_termination_sec     = try(auto_scaler_profile.value.max_graceful_termination_sec, null)
-      scale_down_delay_after_add       = try(auto_scaler_profile.value.scale_down_delay_after_add, null)
-      scale_down_delay_after_delete    = try(auto_scaler_profile.value.scale_down_delay_after_delete, null)
-      scale_down_delay_after_failure   = try(auto_scaler_profile.value.scale_down_delay_after_failure, null)
-      scan_interval                    = try(auto_scaler_profile.value.scan_interval, null)
-      scale_down_unneeded              = try(auto_scaler_profile.value.scale_down_unneeded, null)
-      scale_down_unready               = try(auto_scaler_profile.value.scale_down_unready, null)
-      scale_down_utilization_threshold = try(auto_scaler_profile.value.scale_down_utilization_threshold, null)
+      balance_similar_node_groups           = try(auto_scaler_profile.value.balance_similar_node_groups,null)
+      max_graceful_termination_sec          = try(auto_scaler_profile.value.max_graceful_termination_sec,null)
+      scale_down_delay_after_add            = try(auto_scaler_profile.value.scale_down_delay_after_add,null)
+      scale_down_delay_after_delete         = try(auto_scaler_profile.value.scale_down_delay_after_delete,null)
+      scale_down_delay_after_failure        = try(auto_scaler_profile.value.scale_down_delay_after_failure,null)
+      scan_interval                         = try(auto_scaler_profile.value.scan_interval,null)
+      scale_down_unneeded                   = try(auto_scaler_profile.value.scale_down_unneeded,null)
+      scale_down_unready                    = try(auto_scaler_profile.value.scale_down_unready,null)
+      scale_down_utilization_threshold      = try(auto_scaler_profile.value.scale_down_utilization_threshold,null)
     }
   }
 
   disk_encryption_set_id = try(var.settings.disk_encryption_set_id, null)
 
   dynamic "identity" {
-    for_each = try(var.settings.identity[*], {})
+    for_each = try(var.settings.identity[*],{})
 
     content {
       type = identity.value.type
@@ -149,14 +149,14 @@ resource "azurerm_kubernetes_cluster" "aks" {
 
   # Enabled RBAC
   dynamic "role_based_access_control" {
-    for_each = try(var.settings.role_based_access_control[*], {})
+    for_each = try(var.settings.role_based_access_control[*],{})
 
     content {
       enabled = try(role_based_access_control.value.enabled, true)
-
+      
       dynamic "azure_active_directory" {
-        for_each = try(var.settings.role_based_access_control.azure_active_directory[*], {})
-
+        for_each = try(var.settings.role_based_access_control.azure_active_directory[*],{})
+        
         content {
           managed                = azure_active_directory.value.managed
           tenant_id              = try(azure_active_directory.value.tenant_id, null)
@@ -169,7 +169,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
     }
   }
 
-  kubernetes_version = try(var.settings.kubernetes_version, null)
+  kubernetes_version      = try(var.settings.kubernetes_version, null)
 
   # dynamic "linux_profile" {
   #   for_each = var.settings.linux_profile == null ? [] : [1]
@@ -179,21 +179,21 @@ resource "azurerm_kubernetes_cluster" "aks" {
   #     ssh_key         = try(var.settings.linux_profile.ssh_key,null)
   #   }
   # }
-
+  
   dynamic "network_profile" {
     for_each = try(var.settings.network_profile[*], {})
     content {
-      network_plugin     = try(network_profile.value.network_plugin, null)
-      network_mode       = try(network_profile.value.network_mode, null)
-      network_policy     = try(network_profile.value.network_policy, null)
-      dns_service_ip     = try(network_profile.value.dns_service_ip, null)
-      docker_bridge_cidr = try(network_profile.value.docker_bridge_cidr, null)
-      outbound_type      = try(network_profile.value.outbound_type, null)
-      pod_cidr           = try(network_profile.value.network_profile.pod_cidr, null)
-      service_cidr       = try(network_profile.value.network_profile.service_cidr, null)
-      load_balancer_sku  = try(network_profile.value.network_profile.load_balancer_sku, null)
-
-      dynamic "load_balancer_profile" {
+      network_plugin        = try(network_profile.value.network_plugin,null)
+      network_mode          = try(network_profile.value.network_mode, null)
+      network_policy        = try(network_profile.value.network_policy, null)
+      dns_service_ip        = try(network_profile.value.dns_service_ip, null)
+      docker_bridge_cidr    = try(network_profile.value.docker_bridge_cidr, null)
+      outbound_type         = try(network_profile.value.outbound_type, null)
+      pod_cidr              = try(network_profile.value.network_profile.pod_cidr, null)
+      service_cidr          = try(network_profile.value.network_profile.service_cidr, null)
+      load_balancer_sku     = try(network_profile.value.network_profile.load_balancer_sku, null)
+
+      dynamic "load_balancer_profile"{
         for_each = try(network_profile.value.load_balancer_profile[*], {})
         content {
           managed_outbound_ip_count = try(load_balancer_profile.value.managed_outbound_ip_count, null)