From 4b38f677e2ac26cda7a9012e09fae24a63c44ff6 Mon Sep 17 00:00:00 2001
From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
Date: Mon, 8 Dec 2025 11:12:39 -0500
Subject: [PATCH 1/8] feat(aks): Leverage OIDC roles for kubelet and workloads

* Enable oidc issuer and workload identity
* Use system-assigned managed identities
* Add required disk manager role (breaks cluster otherwise)

Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
---
 terraform/cluster/azure-aks/main.tf | 81 ++++++++++++++++-----
 terraform/cluster/azure-aks/test.tftest.hcl | 41 +++++------
 terraform/cluster/azure-aks/variables.tf | 28 ++-----
 3 files changed, 89 insertions(+), 61 deletions(-)

diff --git a/terraform/cluster/azure-aks/main.tf b/terraform/cluster/azure-aks/main.tf
index cc729630a..e23bdb700 100644
--- a/terraform/cluster/azure-aks/main.tf
+++ b/terraform/cluster/azure-aks/main.tf
@@ -55,9 +55,16 @@ data "azurerm_subnet" "private" {
 #-----------------------------------------------------------------------------------------------------------------------
 locals {
-  kubeconfig_path = "${var.context_path}/.kube/config"
-  rg_name = var.resource_group_name == null ? "${var.name}-${var.context_id}" : var.resource_group_name
-  cluster_name = var.cluster_name == null ? "${var.name}-${var.context_id}" : var.cluster_name
+  kubeconfig_path = "${var.context_path}/.kube/config"
+  rg_name = var.resource_group_name == null ? "${var.name}-${var.context_id}" : var.resource_group_name
+  cluster_name = var.cluster_name == null ? "${var.name}-${var.context_id}" : var.cluster_name
+  node_resource_group_name = split("/", azurerm_kubernetes_cluster.main.node_resource_group_id)[4]
+  node_pool_names = concat(
+    [var.default_node_pool.name],
+    var.autoscaled_node_pool.enabled ? [var.autoscaled_node_pool.name] : []
+  )
+  # Safely access kubelet identity (may not be available during plan in tests)
+  kubelet_object_id = try(azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id, "00000000-0000-0000-0000-000000000000")
   tags = merge({
     WindsorContextID = var.context_id
   }, var.tags)
@@ -274,6 +281,9 @@ resource "azurerm_kubernetes_cluster" "main" {
     vertical_pod_autoscaler_enabled = var.workload_autoscaler_profile.vertical_pod_autoscaler_enabled
   }
+  oidc_issuer_enabled = var.oidc_issuer_enabled
+  workload_identity_enabled = var.workload_identity_enabled
+
   network_profile {
     network_plugin = "azure"
     network_policy = "cilium"
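Review bot: `kubelet_object_id` in the new locals falls back to the all-zero GUID when `kubelet_identity[0].object_id` cannot be read, and that local is what `azurerm_role_assignment.kubelet_vmss_disk_manager`, added later in this commit, passes as `principal_id`; if the fallback is ever taken at apply time the assignment targets a placeholder principal instead of the kubelet identity, and the failure surfaces as an API error or a cluster that cannot attach disks rather than a clear plan error. In a plan-only test the attribute should be unknown rather than an error, so the `try()` does not appear to buy anything there; prefer the direct reference `kubelet_object_id = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id` and let a missing kubelet identity fail loudly. `node_resource_group_name` and `node_pool_names` are not referenced by any hunk in this series; if nothing outside it uses them they are dead locals.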
@@ -281,22 +291,11 @@ resource "azurerm_kubernetes_cluster" "main" {
     dns_service_ip = var.dns_service_ip
   }
-  oms_agent {
-    log_analytics_workspace_id = azurerm_log_analytics_workspace.aks_logs.id
-  }
-
+  # Use system-assigned managed identity (Microsoft default and best practice)
+  # AKS automatically creates Contributor role on node RG for control plane
+  # AKS automatically creates Virtual Machine Contributor role on node RG for kubelet
   identity {
-    type = length(var.user_assigned_identity_ids) > 0 ? "UserAssigned" : "SystemAssigned"
-    identity_ids = var.user_assigned_identity_ids
-  }
-
-  dynamic "kubelet_identity" {
-    for_each = var.kubelet_user_assigned_identity_id != null ? [1] : []
-    content {
-      client_id = var.kubelet_client_id
-      object_id = var.kubelet_object_id
-      user_assigned_identity_id = var.kubelet_user_assigned_identity_id
-    }
+    type = "SystemAssigned"
   }
   tags = merge({
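Review bot: The `oms_agent` block pointing at `azurerm_log_analytics_workspace.aks_logs.id` is removed in this hunk, but neither the commit message nor the new comments mention it; as far as this series shows the workspace is still created and nothing else wires cluster logs to it, so the identity change carries an undocumented monitoring regression. Either keep the block or state in a comment why it was dropped and where logs now go, e.g. `# oms_agent intentionally omitted: container logs are shipped by <resource or module — fill in>`. The three new comment lines assert what AKS creates automatically on the node resource group; that is platform behaviour the module does not enforce, so phrase it as an expectation (`# AKS is expected to create ...`) so a reader does not take it as something this code guarantees. The enclosing resource block starts and ends outside this hunk.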
@@ -330,6 +329,52 @@ resource "azurerm_kubernetes_cluster_node_pool" "autoscaled" {
   }, local.tags)
 }
+# AKS automatically creates Virtual Machine Contributor role assignment on node resource group for the kubelet identity.
+# However, disk attachment operations require additional permissions beyond Virtual Machine Contributor.
+# Create a custom role with minimal permissions for VMSS disk operations.
+resource "azurerm_role_definition" "aks_kubelet_vmss_disk_manager" {
+  name = "AKS Kubelet VMSS Disk Manager - ${var.context_id}"
+  scope = azurerm_kubernetes_cluster.main.node_resource_group_id
+  description = "Minimal permissions for AKS kubelet identity to manage VMSS disk attachments"
+
+  permissions {
+    actions = concat(
+      [
+        # VMSS virtual machine operations for disk attachment (REQUIRED)
+        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
+        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
+        # Core disk operations (REQUIRED for basic disk attachment)
+        "Microsoft.Compute/disks/read",
+        "Microsoft.Compute/disks/write",
+        "Microsoft.Compute/disks/delete",
+        "Microsoft.Compute/disks/beginGetAccess/action",
+        "Microsoft.Compute/disks/endGetAccess/action",
+        # Location/operation queries (may be needed for operation status checks)
+        "Microsoft.Compute/locations/DiskOperations/read",
+        "Microsoft.Compute/locations/vmSizes/read",
+        "Microsoft.Compute/locations/operations/read"
+      ],
+      var.enable_volume_snapshots ? [
+        # Snapshot operations (only included if volume snapshots are enabled)
+        "Microsoft.Compute/snapshots/read",
+        "Microsoft.Compute/snapshots/write",
+        "Microsoft.Compute/snapshots/delete"
+      ] : []
+    )
+    not_actions = []
+  }
+
+  assignable_scopes = [
+    azurerm_kubernetes_cluster.main.node_resource_group_id
+  ]
+}
+
+resource "azurerm_role_assignment" "kubelet_vmss_disk_manager" {
+  scope = azurerm_kubernetes_cluster.main.node_resource_group_id
+  role_definition_id = azurerm_role_definition.aks_kubelet_vmss_disk_manager.role_definition_resource_id
+  principal_id = local.kubelet_object_id
+}
+
 resource "local_file" "kube_config" {
   content = azurerm_kubernetes_cluster.main.kube_config_raw
   filename = local.kubeconfig_path
diff --git a/terraform/cluster/azure-aks/test.tftest.hcl b/terraform/cluster/azure-aks/test.tftest.hcl
index 3a3a6885e..cc3c38ce1 100644
--- a/terraform/cluster/azure-aks/test.tftest.hcl
+++ b/terraform/cluster/azure-aks/test.tftest.hcl
@@ -84,6 +84,16 @@ run "minimal_configuration" {
     condition = azurerm_kubernetes_cluster.main.identity[0].type == "SystemAssigned"
     error_message = "Cluster should use system-assigned identity by default"
   }
+
+  assert {
+    condition = azurerm_kubernetes_cluster.main.oidc_issuer_enabled == true
+    error_message = "OIDC issuer should be enabled by default"
+  }
+
+  assert {
+    condition = azurerm_kubernetes_cluster.main.workload_identity_enabled == true
+    error_message = "Workload Identity should be enabled by default"
+  }
 }
 # Tests a full configuration with all optional variables explicitly set,
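Review bot: `Microsoft.Compute/disks/beginGetAccess/action` and `Microsoft.Compute/disks/endGetAccess/action` sit under the comment `Core disk operations (REQUIRED for basic disk attachment)`, but those two actions grant and revoke export (SAS) access to a disk's contents, which attaching and detaching a disk to a VMSS instance does not require; unless the CSI driver path in use actually exercises them, drop them, and otherwise move them under their own comment naming the operation that needs them so the `Minimal permissions` claim in `description` holds. The `# Location/operation queries (may be needed ...)` comment admits those three reads are speculative; verify them against the driver's actual calls and either remove the hedge or the actions. `not_actions = []` is the default and can be omitted. The role assignment's `principal_id` inherits the zero-GUID fallback raised on the locals hunk above.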
@@ -97,13 +107,8 @@ run "full_configuration" {
     cluster_name = "test-cluster"
     resource_group_name = "test-rg"
     kubernetes_version = "1.32"
-    user_assigned_identity_ids = [
-      "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity-1",
-      "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity-2"
-    ]
-    kubelet_client_id = "test-client-id"
-    kubelet_object_id = "test-object-id"
-    kubelet_user_assigned_identity_id = "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity-1"
+    oidc_issuer_enabled = true
+    workload_identity_enabled = true
     default_node_pool = {
       name = "system"
       vm_size = "Standard_D2s_v3"
@@ -208,28 +213,18 @@ run "full_configuration" {
   }
   assert {
-    condition = azurerm_kubernetes_cluster.main.identity[0].type == "UserAssigned"
-    error_message = "Cluster should use user-assigned identity when IDs are provided"
-  }
-
-  assert {
-    condition = length(azurerm_kubernetes_cluster.main.identity[0].identity_ids) == 2
-    error_message = "Cluster should have 2 user-assigned identity IDs"
-  }
-
-  assert {
-    condition = azurerm_kubernetes_cluster.main.kubelet_identity[0].client_id == "test-client-id"
-    error_message = "Kubelet client ID should match input"
+    condition = azurerm_kubernetes_cluster.main.identity[0].type == "SystemAssigned"
+    error_message = "Cluster should use system-assigned identity"
   }
   assert {
-    condition = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id == "test-object-id"
-    error_message = "Kubelet object ID should match input"
+    condition = azurerm_kubernetes_cluster.main.oidc_issuer_enabled == true
+    error_message = "OIDC issuer should be enabled"
   }
   assert {
-    condition = azurerm_kubernetes_cluster.main.kubelet_identity[0].user_assigned_identity_id == "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity-1"
-    error_message = "Kubelet user-assigned identity ID should match input"
+    condition = azurerm_kubernetes_cluster.main.workload_identity_enabled == true
+    error_message = "Workload Identity should be enabled"
   }
 }
diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf
index 44e0a5947..a2f149115 100644
--- a/terraform/cluster/azure-aks/variables.tf
+++ b/terraform/cluster/azure-aks/variables.tf
@@ -205,12 +205,6 @@ variable "expiration_date" {
   default = null
 }
-variable "user_assigned_identity_ids" {
-  type = list(string)
-  description = "User assigned identity IDs for the AKS cluster. If provided, the cluster will use only user-assigned identities."
-  default = []
-}
-
 variable "soft_delete_retention_days" {
   type = number
   description = "The number of days to retain the AKS cluster's key vault"
@@ -241,20 +235,14 @@ variable "endpoint_private_access" {
   default = false
 }
-variable "kubelet_client_id" {
-  description = "Client ID of the user-assigned identity to use for the kubelet. If not provided, the cluster will use the system-assigned identity."
-  type = string
-  default = null
-}
-
-variable "kubelet_object_id" {
-  description = "Object ID of the user-assigned identity to use for the kubelet. If not provided, the cluster will use the system-assigned identity."
-  type = string
-  default = null
+variable "oidc_issuer_enabled" {
+  description = "Enable OIDC issuer for the AKS cluster"
+  type = bool
+  default = true
 }
-variable "kubelet_user_assigned_identity_id" {
-  description = "Resource ID of the user-assigned identity to use for the kubelet. If not provided, the cluster will use the system-assigned identity."
-  type = string
-  default = null
+variable "workload_identity_enabled" {
+  description = "Enable Workload Identity for the AKS cluster"
+  type = bool
+  default = true
 }
From 3be405255d884bc73ee3846165f68b1983f1c67f Mon Sep 17 00:00:00 2001
From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
Date: Mon, 8 Dec 2025 11:20:44 -0500
Subject: [PATCH 2/8] fmt

Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
---
 terraform/cluster/azure-aks/test.tftest.hcl | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/terraform/cluster/azure-aks/test.tftest.hcl b/terraform/cluster/azure-aks/test.tftest.hcl
index cc3c38ce1..ebbe0a5da 100644
--- a/terraform/cluster/azure-aks/test.tftest.hcl
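Review bot: The description of `workload_identity_enabled` does not state that it depends on `oidc_issuer_enabled`; a caller setting `workload_identity_enabled = true` with `oidc_issuer_enabled = false` only finds out from the provider or the API, and no test in this series covers that pair. Document the coupling where the caller reads it, `description = "Enable Workload Identity for the AKS cluster. Requires oidc_issuer_enabled = true."`, and consider a `lifecycle { precondition }` on the cluster resource so the mismatch is rejected at plan time. Removing `user_assigned_identity_ids` and the three `kubelet_*` variables is a breaking change for any caller that sets them; the commit message should say so, and whether switching an existing cluster from `UserAssigned` to `SystemAssigned` is an in-place update or a replacement should be stated from a real plan rather than assumed.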
+++ b/terraform/cluster/azure-aks/test.tftest.hcl
@@ -102,12 +102,12 @@ run "full_configuration" {
   command = plan
   variables {
-    context_id = "test"
-    name = "windsor-aks"
-    cluster_name = "test-cluster"
-    resource_group_name = "test-rg"
-    kubernetes_version = "1.32"
-    oidc_issuer_enabled = true
+    context_id = "test"
+    name = "windsor-aks"
+    cluster_name = "test-cluster"
+    resource_group_name = "test-rg"
+    kubernetes_version = "1.32"
+    oidc_issuer_enabled = true
     workload_identity_enabled = true
     default_node_pool = {
       name = "system"
From b4abe4ee48ad31100d5a5ecba65b2533a33bc3c7 Mon Sep 17 00:00:00 2001
From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
Date: Mon, 8 Dec 2025 12:00:40 -0500
Subject: [PATCH 3/8] Add enable_volume_snapshots var

Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
---
 terraform/cluster/azure-aks/test.tftest.hcl | 54 +++++++++++++++++++++
 terraform/cluster/azure-aks/variables.tf | 6 +++
 2 files changed, 60 insertions(+)

diff --git a/terraform/cluster/azure-aks/test.tftest.hcl b/terraform/cluster/azure-aks/test.tftest.hcl
index ebbe0a5da..ae6a90080 100644
--- a/terraform/cluster/azure-aks/test.tftest.hcl
+++ b/terraform/cluster/azure-aks/test.tftest.hcl
@@ -94,6 +94,16 @@ run "minimal_configuration" {
     condition = azurerm_kubernetes_cluster.main.workload_identity_enabled == true
     error_message = "Workload Identity should be enabled by default"
   }
+
+  assert {
+    condition = contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/read")
+    error_message = "Snapshot permissions should be included when enable_volume_snapshots is true (default)"
+  }
+
+  assert {
+    condition = contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/write")
+    error_message = "Snapshot write permissions should be included when enable_volume_snapshots is true (default)"
+  }
 }
 # Tests a full configuration with all optional variables explicitly set,
@@ -135,6 +145,7 @@ run "full_configuration" {
     private_cluster_enabled = false
     azure_policy_enabled = true
     local_account_disabled = false
+    enable_volume_snapshots = true
   }
   assert {
@@ -226,6 +237,16 @@ run "full_configuration" {
     condition = azurerm_kubernetes_cluster.main.workload_identity_enabled == true
     error_message = "Workload Identity should be enabled"
   }
+
+  assert {
+    condition = contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/read")
+    error_message = "Snapshot permissions should be included when enable_volume_snapshots is true"
+  }
+
+  assert {
+    condition = contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/write")
+    error_message = "Snapshot write permissions should be included when enable_volume_snapshots is true"
+  }
 }
 # Tests the private cluster configuration, ensuring that enabling the private_cluster_enabled
@@ -295,3 +316,36 @@ run "multiple_invalid_inputs" {
     kubernetes_version = "v1.32"
   }
 }
+
+# Tests that when enable_volume_snapshots is false, snapshot permissions are not included in the role definition.
+# This verifies the conditional logic that excludes snapshot operations when volume snapshots are disabled.
+run "volume_snapshots_disabled" {
+  command = plan
+
+  variables {
+    context_id = "test"
+    name = "windsor-aks"
+    kubernetes_version = "1.32"
+    enable_volume_snapshots = false
+  }
+
+  assert {
+    condition = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/read")
+    error_message = "Snapshot read permissions should not be included when enable_volume_snapshots is false"
+  }
+
+  assert {
+    condition = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/write")
+    error_message = "Snapshot write permissions should not be included when enable_volume_snapshots is false"
+  }
+
+  assert {
+    condition = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/delete")
+    error_message = "Snapshot delete permissions should not be included when enable_volume_snapshots is false"
+  }
+
+  assert {
+    condition = contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/disks/read")
+    error_message = "Core disk permissions should still be included when enable_volume_snapshots is false"
+  }
+}
diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf
index a2f149115..ae6203aaa 100644
--- a/terraform/cluster/azure-aks/variables.tf
+++ b/terraform/cluster/azure-aks/variables.tf
@@ -235,6 +235,12 @@ variable "endpoint_private_access" {
   default = false
 }
+variable "enable_volume_snapshots" {
+  description = "Enable volume snapshot permissions for the kubelet identity. Set to false to use minimal permissions if volume snapshots are not needed."
+  type = bool
+  default = true
+}
+
 variable "oidc_issuer_enabled" {
   description = "Enable OIDC issuer for the AKS cluster"
   type = bool
From cdb8a483d1654da1e0df979e85145b99b1a0005e Mon Sep 17 00:00:00 2001
From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
Date: Mon, 8 Dec 2025 12:02:56 -0500
Subject: [PATCH 4/8] fmt

Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
---
 terraform/cluster/azure-aks/test.tftest.hcl | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/terraform/cluster/azure-aks/test.tftest.hcl b/terraform/cluster/azure-aks/test.tftest.hcl
index ae6a90080..5c02fa529 100644
--- a/terraform/cluster/azure-aks/test.tftest.hcl
+++ b/terraform/cluster/azure-aks/test.tftest.hcl
@@ -145,7 +145,7 @@ run "full_configuration" {
     private_cluster_enabled = false
     azure_policy_enabled = true
     local_account_disabled = false
-    enable_volume_snapshots = true
+    enable_volume_snapshots = true
   }
   assert {
@@ -323,9 +323,9 @@ run "volume_snapshots_disabled" {
   command = plan
   variables {
-    context_id = "test"
-    name = "windsor-aks"
-    kubernetes_version = "1.32"
+    context_id = "test"
+    name = "windsor-aks"
+    kubernetes_version = "1.32"
     enable_volume_snapshots = false
   }
From 34841d26925f7b5e30a8c10baadfa8981b91d10f Mon Sep 17 00:00:00 2001
From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
Date: Mon, 8 Dec 2025 12:03:34 -0500
Subject: [PATCH 5/8] checkov

Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
---
 terraform/cluster/azure-aks/main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/terraform/cluster/azure-aks/main.tf b/terraform/cluster/azure-aks/main.tf
index e23bdb700..ae3f9525b 100644
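Review bot: `enable_volume_snapshots` defaults to `true`, so the wider permission set (snapshot read, write and delete on the node resource group) is granted to every cluster unless a caller opts out, while the description itself presents `false` as the minimal-permission choice; an opt-in default (`default = false`) is the least-privilege option, and the `full_configuration` run already sets the variable explicitly. Flipping the default would require the two `minimal_configuration` assertions added in this commit to assert the absence of the snapshot actions instead. If the default must stay `true` for compatibility, say so in the description, e.g. `Defaults to true so existing clusters keep snapshot support; set to false for the minimal role.`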
--- a/terraform/cluster/azure-aks/main.tf
+++ b/terraform/cluster/azure-aks/main.tf
@@ -228,6 +228,7 @@ resource "azurerm_kubernetes_cluster" "main" {
   resource_group_name = azurerm_resource_group.aks.name
   dns_prefix = local.cluster_name
   # checkov:skip=CKV_AZURE_339: Kubernetes version is populated from the cloud provider's stable version via Renovate.
+  # checkov:skip=CKV_AZURE_4: Log Analytics workspace is created but diagnostic settings are configured separately or via alternative monitoring solutions
   kubernetes_version = var.kubernetes_version
   role_based_access_control_enabled = var.role_based_access_control_enabled
   automatic_upgrade_channel = var.automatic_upgrade_channel
From aadeba73100df534b49a241719aa528c3818fd00 Mon Sep 17 00:00:00 2001
From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
Date: Mon, 8 Dec 2025 12:26:39 -0500
Subject: [PATCH 6/8] chore: Cleanup and adding misc. vars

* Removes unnecessary `repostiroy` block from blueprint
* Adds upgrade settings so they don't impact terraform state diff
* Parameterize image cleaner

Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
---
 contexts/_template/blueprint.yaml | 5 --
 terraform/backend/azurerm/.terraform.lock.hcl | 26 ++++-----
 terraform/backend/s3/.terraform.lock.hcl | 26 ++++-----
 terraform/cluster/aws-eks/.terraform.lock.hcl | 27 ++++-----
 .../aws-eks/additions/.terraform.lock.hcl | 2 +
 .../cluster/azure-aks/.terraform.lock.hcl | 26 ++++-----
 terraform/cluster/azure-aks/main.tf | 15 ++++-
 terraform/cluster/azure-aks/variables.tf | 13 +++++
 .../talos/modules/machine/.terraform.lock.hcl | 58 +++++++++----------
 9 files changed, 110 insertions(+), 88 deletions(-)

diff --git a/contexts/_template/blueprint.yaml b/contexts/_template/blueprint.yaml
index 6c6089c26..939e011b8 100644
--- a/contexts/_template/blueprint.yaml
+++ b/contexts/_template/blueprint.yaml
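Review bot: The new `checkov:skip=CKV_AZURE_4` justification ("diagnostic settings are configured separately or via alternative monitoring solutions") names no resource, so a reader cannot verify it; earlier in this series the `oms_agent` block that referenced `azurerm_log_analytics_workspace.aks_logs` was removed and nothing visible in the series replaces it. A skip comment should point at the concrete thing that satisfies the control, e.g. `# checkov:skip=CKV_AZURE_4: cluster logs are shipped by <resource or module — fill in>`, or the finding should be fixed by restoring the `oms_agent` block rather than suppressed. The enclosing resource block starts and ends outside this hunk.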
@@ -3,11 +3,6 @@ apiVersion: blueprints.windsorcli.dev/v1alpha1
 metadata:
   name: template
   description: Base blueprint template for core services
-repository:
-  url: ""
-  ref:
-    branch: main
-  secretName: flux-system
 sources: []
 terraform: []
 kustomize: []
diff --git a/terraform/backend/azurerm/.terraform.lock.hcl b/terraform/backend/azurerm/.terraform.lock.hcl
index c9c50e70a..66c65fdaf 100644
--- a/terraform/backend/azurerm/.terraform.lock.hcl
+++ b/terraform/backend/azurerm/.terraform.lock.hcl
@@ -32,20 +32,20 @@ provider "registry.terraform.io/hashicorp/azurerm" { } provider "registry.terraform.io/hashicorp/local" { - version = "2.5.3" + version = "2.6.1" hashes = [ - "h1:MCzg+hs1/ZQ32u56VzJMWP9ONRQPAAqAjuHuzbyshvI=", - "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927", - "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e", - "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b", + "h1:DbiR/D2CPigzCGweYIyJH0N0x04oyI5xiZ9wSW/s3kQ=", + "zh:10050d08f416de42a857e4b6f76809aae63ea4ec6f5c852a126a915dede814b4", + "zh:2df2a3ebe9830d4759c59b51702e209fe053f47453cb4688f43c063bac8746b7", + "zh:2e759568bcc38c86ca0e43701d34cf29945736fdc8e429c5b287ddc2703c7b18", + "zh:6a62a34e48500ab4aea778e355e162ebde03260b7a9eb9edc7e534c84fbca4c6", + "zh:74373728ba32a1d5450a3a88ac45624579e32755b086cd4e51e88d9aca240ef6", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf", - "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d", - "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09", - "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f", - "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1", - "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6", - "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47", - "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82", + "zh:8dddae588971a996f622e7589cd8b9da7834c744ac12bfb59c97fa77ded95255", + "zh:946f82f66353bb97aefa8d95c4ca86db227f9b7c50b82415289ac47e4e74d08d", + "zh:e9a5c09e6f35e510acf15b666fd0b34a30164cecdcd81ce7cda0f4b2dade8d91", + "zh:eafe5b873ef42b32feb2f969c38ff8652507e695620cbaf03b9db714bee52249", + "zh:ec146289fa27650c9d433bb5c7847379180c0b7a323b1b94e6e7ad5d2a7dbe71", + "zh:fc882c35ce05631d76c0973b35adde26980778fc81d9da81a2fade2b9d73423b", ] } 
diff --git a/terraform/backend/s3/.terraform.lock.hcl b/terraform/backend/s3/.terraform.lock.hcl index 5c3242452..326ee52f3 100644 --- a/terraform/backend/s3/.terraform.lock.hcl +++ b/terraform/backend/s3/.terraform.lock.hcl 
@@ -38,20 +38,20 @@ provider "registry.terraform.io/hashicorp/aws" { } provider "registry.terraform.io/hashicorp/local" { - version = "2.5.3" + version = "2.6.1" hashes = [ - "h1:MCzg+hs1/ZQ32u56VzJMWP9ONRQPAAqAjuHuzbyshvI=", - "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927", - "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e", - "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b", + "h1:DbiR/D2CPigzCGweYIyJH0N0x04oyI5xiZ9wSW/s3kQ=", + "zh:10050d08f416de42a857e4b6f76809aae63ea4ec6f5c852a126a915dede814b4", + "zh:2df2a3ebe9830d4759c59b51702e209fe053f47453cb4688f43c063bac8746b7", + "zh:2e759568bcc38c86ca0e43701d34cf29945736fdc8e429c5b287ddc2703c7b18", + "zh:6a62a34e48500ab4aea778e355e162ebde03260b7a9eb9edc7e534c84fbca4c6", + "zh:74373728ba32a1d5450a3a88ac45624579e32755b086cd4e51e88d9aca240ef6", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf", - "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d", - "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09", - "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f", - "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1", - "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6", - "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47", - "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82", + "zh:8dddae588971a996f622e7589cd8b9da7834c744ac12bfb59c97fa77ded95255", + "zh:946f82f66353bb97aefa8d95c4ca86db227f9b7c50b82415289ac47e4e74d08d", + "zh:e9a5c09e6f35e510acf15b666fd0b34a30164cecdcd81ce7cda0f4b2dade8d91", + "zh:eafe5b873ef42b32feb2f969c38ff8652507e695620cbaf03b9db714bee52249", + "zh:ec146289fa27650c9d433bb5c7847379180c0b7a323b1b94e6e7ad5d2a7dbe71", + "zh:fc882c35ce05631d76c0973b35adde26980778fc81d9da81a2fade2b9d73423b", ] } 
diff --git a/terraform/cluster/aws-eks/.terraform.lock.hcl b/terraform/cluster/aws-eks/.terraform.lock.hcl index dc46df27a..1b8fdf93f 100644 --- a/terraform/cluster/aws-eks/.terraform.lock.hcl +++ b/terraform/cluster/aws-eks/.terraform.lock.hcl @@ -14,6 +14,7 @@ provider "registry.terraform.io/hashicorp/aws" { "h1:QAcpv9yoqEtVaBVyQ3hHsTc558AchV5/8lfAGoqmUkA=", "h1:QJEljz77aB459tng0v+5xIdV6mkmCM4RZO6ztk3pOEA=", "h1:RB3r7K1PgJ6S3J0l4u5/nB7G/inM2goPWY+QHesxuGo=", + "h1:RO/wwMYOIpQpC7Jum3tHSi3SS7+XWEuhEHgHlYwBTao=", "h1:UT4pxGbPuANnxyCeDn5/Ybr476EkyxcsYsU+q0iYt/Q=", "h1:Uv/PPkYgnjKcsesOVWiTHaY/1R5/OgH1UYnXvtu0K58=", "h1:XuB0R/84+T3iEUVh5EHBQ+P+FdmgrC9DxQ0BmaNttS0=", 
@@ -38,21 +39,21 @@ provider "registry.terraform.io/hashicorp/aws" { } provider "registry.terraform.io/hashicorp/local" { - version = "2.5.3" + version = "2.6.1" hashes = [ - "h1:MCzg+hs1/ZQ32u56VzJMWP9ONRQPAAqAjuHuzbyshvI=", - "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927", - "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e", - "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b", + "h1:DbiR/D2CPigzCGweYIyJH0N0x04oyI5xiZ9wSW/s3kQ=", + "zh:10050d08f416de42a857e4b6f76809aae63ea4ec6f5c852a126a915dede814b4", + "zh:2df2a3ebe9830d4759c59b51702e209fe053f47453cb4688f43c063bac8746b7", + "zh:2e759568bcc38c86ca0e43701d34cf29945736fdc8e429c5b287ddc2703c7b18", + "zh:6a62a34e48500ab4aea778e355e162ebde03260b7a9eb9edc7e534c84fbca4c6", + "zh:74373728ba32a1d5450a3a88ac45624579e32755b086cd4e51e88d9aca240ef6", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf", - "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d", - "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09", - "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f", - "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1", - "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6", - "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47", - "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82", + "zh:8dddae588971a996f622e7589cd8b9da7834c744ac12bfb59c97fa77ded95255", + "zh:946f82f66353bb97aefa8d95c4ca86db227f9b7c50b82415289ac47e4e74d08d", + "zh:e9a5c09e6f35e510acf15b666fd0b34a30164cecdcd81ce7cda0f4b2dade8d91", + "zh:eafe5b873ef42b32feb2f969c38ff8652507e695620cbaf03b9db714bee52249", + "zh:ec146289fa27650c9d433bb5c7847379180c0b7a323b1b94e6e7ad5d2a7dbe71", + "zh:fc882c35ce05631d76c0973b35adde26980778fc81d9da81a2fade2b9d73423b", ] } 
diff --git a/terraform/cluster/aws-eks/additions/.terraform.lock.hcl b/terraform/cluster/aws-eks/additions/.terraform.lock.hcl index 1b9a05ce3..88a7739c8 100644 --- a/terraform/cluster/aws-eks/additions/.terraform.lock.hcl +++ b/terraform/cluster/aws-eks/additions/.terraform.lock.hcl @@ -8,6 +8,7 @@ provider "registry.terraform.io/hashicorp/aws" { "h1:+hGrZFOwhO5Wa60cy9tntT0qkBf81rHJIF2ErJ5JkQg=", "h1:0XEc9eHELD/BtPNybqkzzaS3bYp2HSv9LwAfaGyCpOU=", "h1:4/MVfJTHXMUw0znz+eTdWdScMZkLiMZ0IkY4wPzx5Bc=", + "h1:4XyaPG5JbJjn2hgVS9PWkX0+Kz3+R+wnVLjoAGSkkOM=", "h1:5Y+OtKRotuCIjbVW6rYrGIU1u8+zK5zyvar9t7L6aqc=", "h1:67vo1NVFcVzi0BcCd7uEOc5thGm22JE7xb7ph/XwUxI=", "h1:PQ3jzG6VNrfS35adtrBeLnVTnJef3f2t5SUV7XNikgo=", @@ -18,6 +19,7 @@ provider "registry.terraform.io/hashicorp/aws" { "h1:Uv/PPkYgnjKcsesOVWiTHaY/1R5/OgH1UYnXvtu0K58=", "h1:XuB0R/84+T3iEUVh5EHBQ+P+FdmgrC9DxQ0BmaNttS0=", "h1:p/zt5FRJNZg6oqJmh+ZCMx/Fn7kjefz1sCdbZaarunw=", + "h1:qOZVo7KQ4bnlUn3kAzzmUNtJgGD5ffCCEgQxle30xFU=", "h1:v9FRXpj8ZndNpDmiJX3mDwGvGw8WMCatv/7vlp50U2E=", "zh:0f9621f719ec2051eabb94ca59aa4f13574487fbc1517b183293431c9d388e38", "zh:2ffbedb2e3afcd82da8bfc540bd74e9611527bdafd00d6d1885f62e7d13bac74", diff --git a/terraform/cluster/azure-aks/.terraform.lock.hcl b/terraform/cluster/azure-aks/.terraform.lock.hcl index ae51b1537..84e7aa022 100644 --- a/terraform/cluster/azure-aks/.terraform.lock.hcl +++ b/terraform/cluster/azure-aks/.terraform.lock.hcl 
@@ -32,21 +32,21 @@ provider "registry.terraform.io/hashicorp/azurerm" { } provider "registry.terraform.io/hashicorp/local" { - version = "2.5.3" + version = "2.6.1" hashes = [ - "h1:MCzg+hs1/ZQ32u56VzJMWP9ONRQPAAqAjuHuzbyshvI=", - "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927", - "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e", - "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b", + "h1:DbiR/D2CPigzCGweYIyJH0N0x04oyI5xiZ9wSW/s3kQ=", + "zh:10050d08f416de42a857e4b6f76809aae63ea4ec6f5c852a126a915dede814b4", + "zh:2df2a3ebe9830d4759c59b51702e209fe053f47453cb4688f43c063bac8746b7", + "zh:2e759568bcc38c86ca0e43701d34cf29945736fdc8e429c5b287ddc2703c7b18", + "zh:6a62a34e48500ab4aea778e355e162ebde03260b7a9eb9edc7e534c84fbca4c6", + "zh:74373728ba32a1d5450a3a88ac45624579e32755b086cd4e51e88d9aca240ef6", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf", - "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d", - "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09", - "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f", - "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1", - "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6", - "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47", - "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82", + "zh:8dddae588971a996f622e7589cd8b9da7834c744ac12bfb59c97fa77ded95255", + "zh:946f82f66353bb97aefa8d95c4ca86db227f9b7c50b82415289ac47e4e74d08d", + "zh:e9a5c09e6f35e510acf15b666fd0b34a30164cecdcd81ce7cda0f4b2dade8d91", + "zh:eafe5b873ef42b32feb2f969c38ff8652507e695620cbaf03b9db714bee52249", + "zh:ec146289fa27650c9d433bb5c7847379180c0b7a323b1b94e6e7ad5d2a7dbe71", + "zh:fc882c35ce05631d76c0973b35adde26980778fc81d9da81a2fade2b9d73423b", ] } 
diff --git a/terraform/cluster/azure-aks/main.tf b/terraform/cluster/azure-aks/main.tf
index ae3f9525b..617b4a39a 100644
--- a/terraform/cluster/azure-aks/main.tf
+++ b/terraform/cluster/azure-aks/main.tf
@@ -263,6 +263,15 @@ resource "azurerm_kubernetes_cluster" "main" {
     # checkov:skip=CKV_AZURE_168: This is set in the variable by default to 50
     max_pods = var.default_node_pool.max_pods
     temporary_name_for_rotation = "rotate"
+
+    dynamic "upgrade_settings" {
+      for_each = var.default_node_pool.upgrade_settings != null ? [var.default_node_pool.upgrade_settings] : []
+      content {
+        drain_timeout_in_minutes = upgrade_settings.value.drain_timeout_in_minutes
+        max_surge = upgrade_settings.value.max_surge
+        node_soak_duration_in_minutes = upgrade_settings.value.node_soak_duration_in_minutes
+      }
+    }
   }
   auto_scaler_profile {
@@ -282,8 +291,10 @@ resource "azurerm_kubernetes_cluster" "main" {
     vertical_pod_autoscaler_enabled = var.workload_autoscaler_profile.vertical_pod_autoscaler_enabled
   }
-  oidc_issuer_enabled = var.oidc_issuer_enabled
-  workload_identity_enabled = var.workload_identity_enabled
+  oidc_issuer_enabled = var.oidc_issuer_enabled
+  workload_identity_enabled = var.workload_identity_enabled
+  image_cleaner_enabled = var.image_cleaner_enabled
+  image_cleaner_interval_hours = var.image_cleaner_interval_hours
   network_profile {
     network_plugin = "azure"
diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf
index ae6203aaa..c2c8684e3 100644
--- a/terraform/cluster/azure-aks/variables.tf
+++ b/terraform/cluster/azure-aks/variables.tf
@@ -252,3 +252,16 @@ variable "workload_identity_enabled" {
   type = bool
   default = true
 }
+
+variable "image_cleaner_enabled" {
+  description = "Enable Image Cleaner for the AKS cluster"
+  type = bool
+  default = true
+}
+
+variable "image_cleaner_interval_hours" {
+  description = "Interval in hours for Image Cleaner to run"
+  type = number
+  default = 48
+}
+
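Review bot: The new `dynamic "upgrade_settings"` block reads `var.default_node_pool.upgrade_settings`, but the `variables.tf` hunk in this commit only adds `image_cleaner_enabled` and `image_cleaner_interval_hours`; unless the `default_node_pool` object type already declares an `upgrade_settings` attribute (not visible here), the `!= null` check fails at plan time with an unsupported-attribute error, and no test in this series sets the attribute to exercise the block. The type should gain an `optional(object({...}))` attribute with the three fields read here (`drain_timeout_in_minutes`, `max_surge`, `node_soak_duration_in_minutes`) in the same commit, so the module is self-consistent at every revision. The `azurerm_kubernetes_cluster_node_pool.autoscaled` resource gets no matching block, so the state-diff noise the commit message describes may persist for the autoscaled pool. `image_cleaner_interval_hours` has no `validation` block bounding it; a range check with the provider's documented limits would turn an API rejection into a plan-time error. The enclosing `default_node_pool` block starts outside this hunk.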
diff --git a/terraform/cluster/talos/modules/machine/.terraform.lock.hcl b/terraform/cluster/talos/modules/machine/.terraform.lock.hcl index 2418f3804..8f21e4bf9 100644 --- a/terraform/cluster/talos/modules/machine/.terraform.lock.hcl +++ b/terraform/cluster/talos/modules/machine/.terraform.lock.hcl 
@@ -2,21 +2,21 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/local" {
- version = "2.5.3"
+ version = "2.6.1"
 hashes = [
- "h1:MCzg+hs1/ZQ32u56VzJMWP9ONRQPAAqAjuHuzbyshvI=",
- "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927",
- "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e",
- "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b",
+ "h1:DbiR/D2CPigzCGweYIyJH0N0x04oyI5xiZ9wSW/s3kQ=",
+ "zh:10050d08f416de42a857e4b6f76809aae63ea4ec6f5c852a126a915dede814b4",
+ "zh:2df2a3ebe9830d4759c59b51702e209fe053f47453cb4688f43c063bac8746b7",
+ "zh:2e759568bcc38c86ca0e43701d34cf29945736fdc8e429c5b287ddc2703c7b18",
+ "zh:6a62a34e48500ab4aea778e355e162ebde03260b7a9eb9edc7e534c84fbca4c6",
+ "zh:74373728ba32a1d5450a3a88ac45624579e32755b086cd4e51e88d9aca240ef6",
 "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
- "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf",
- "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d",
- "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09",
- "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f",
- "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1",
- "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6",
- "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47",
- "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82",
+ "zh:8dddae588971a996f622e7589cd8b9da7834c744ac12bfb59c97fa77ded95255",
+ "zh:946f82f66353bb97aefa8d95c4ca86db227f9b7c50b82415289ac47e4e74d08d",
+ "zh:e9a5c09e6f35e510acf15b666fd0b34a30164cecdcd81ce7cda0f4b2dade8d91",
+ "zh:eafe5b873ef42b32feb2f969c38ff8652507e695620cbaf03b9db714bee52249",
+ "zh:ec146289fa27650c9d433bb5c7847379180c0b7a323b1b94e6e7ad5d2a7dbe71",
+ "zh:fc882c35ce05631d76c0973b35adde26980778fc81d9da81a2fade2b9d73423b",
 ]
 }
 
@@ -40,23 +40,23 @@ provider "registry.terraform.io/hashicorp/null" {
 }
 
 provider "registry.terraform.io/siderolabs/talos" {
- version = "0.8.0"
+ version = "0.9.0"
 hashes = [
- "h1:5Ik5stEr3alQjCwSs+hU7poVoa+CZh/Z2IH3MtiyHf4=",
- "zh:0273010292fc4faa8c9c4c1f406a5c962a494f931fb2570ce880dc19af04342c",
- "zh:0785a8cdb72c917da99ab8795cf5312ecfcf73fd06d9d9893e25867ca1af136f",
+ "h1:50TaymX/KnjXcURmpKsVd7JUyLRrMDNXMHFgqzSe88U=",
 "zh:0fa82a384b25a58b65523e0ea4768fa1212b1f5cfc0c9379d31162454fedcc9d",
- "zh:3936387665b16ab7e9ac08e1b25f1c65fdc1f8be54e6fb7dd4fa414bf1dfa261",
- "zh:46ebd13aee6b5fa5abdcadb5e641125b69e9c48014d4625057e7bd5dc4d0a283",
- "zh:5aabeb7c8f4dfcc8696aa4c6278043611e11f27dec42c3c0e090a495767bc274",
- "zh:5f7acfe13775c29250f1cc37eddfc6cf7ee7e4cc58097f66ef6dc3dbe723fad8",
- "zh:6170c27dce21ac47561755646b5fd821d14590fe503c100d73caaa5a34cba5a9",
- "zh:7adc17bfb63a5ea7ce04785eb5374c0342ab8b5017538ecf77a3312feb3d4d6a",
- "zh:944cd1a1fe3333bd97482b5b82e97b363b8b977d72e9b44f8e04c6e8d272a527",
- "zh:a1e6c8e628847a583f6426d8d56be18e5da086630db9cb531c49f0fbf6db4ea4",
- "zh:c920fff2336819ffffb81597bf3cf7d3b20cd07b0419a3dd20c62f2aed9696ac",
- "zh:cfc260e85c3c88605b7705cdb2aefdd07f9b933bd98e26497f27c928a1232673",
- "zh:d1927de9116cd9dbcdb1f550058e651c28c3b7dea58cae83feb79ddb69dbcb4c",
- "zh:e9e11260645c35dc97b20a45b014ea279945ad4e09bc4f4fd898b32689c529e1",
+ "zh:249ab08b810bb96ef7c35354a12622907df7cbda59c83ff314ee85e8b851128d",
+ "zh:4f284c21f0cb4b7012fdb231ebba4803e5c389f7ea380fb5958ebfa6b822d055",
+ "zh:6049f8d06bc92ab1a46d56c2b37799e6a1b7ce3c61905acf8f0c2009942be8ac",
+ "zh:7de5f0a6429c6856ade3c7e59d5041a7fe8e0010aea14a2074e91f8a526283ce",
+ "zh:9760420cf5feec0550556664962bc6f1af45115b9ea5bcbf47aa9bffd3dd4ac2",
+ "zh:9860272a9fbcea65393c478dc579ad2677a44338de24677702ce699a027801aa",
+ "zh:a60311a8bf267b18dcf1c8250f45e371b51c6aef086e037a3f9496602f190187",
+ "zh:b74c119b2a964cae8d17b5b5f14c8eecf44708e3817c1f65ac89b813856aed98",
+ "zh:bc33e14650052c246ac2e6492a0a24755d4e8d27cb7259e3996f07b0537f2c77",
+ "zh:c4bc2c65b3dcef2508c14dbbfc18937c5ede11670c02a644cbc28c83a57de92b",
+ "zh:c98bf4809220568d76ea2db232a88a60c29fd90d4c9e2f8c8a68cf91ceed066a",
+ "zh:de0179ee9c55bf36d3474049ceac3a105ed7bc1fb9c4787d4076c4b15d268b66",
+ "zh:e99e019d950131c2c4259c1cbca1d072cb813bdfdbbbf9359f5901d6b7542a0d",
+ "zh:feb941cc673692c6858f96590f3ca082683a62aa2d2842b9bfffcd327eb840d3",
 ]
 }
From be89412c825e81154fc3c62bc361f991866a75ee Mon Sep 17 00:00:00 2001
From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
Date: Mon, 8 Dec 2025 12:30:01 -0500
Subject: [PATCH 7/8] Fix tests

Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
---
 terraform/cluster/azure-aks/test.tftest.hcl | 22 +++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/terraform/cluster/azure-aks/test.tftest.hcl b/terraform/cluster/azure-aks/test.tftest.hcl
index 5c02fa529..4b92c7ef3 100644
--- a/terraform/cluster/azure-aks/test.tftest.hcl
+++ b/terraform/cluster/azure-aks/test.tftest.hcl
@@ -104,6 +104,16 @@ run "minimal_configuration" {
 condition = contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/write")
 error_message = "Snapshot write permissions should be included when enable_volume_snapshots is true (default)"
 }
+
+ assert {
+ condition = azurerm_kubernetes_cluster.main.image_cleaner_enabled == true
+ error_message = "Image Cleaner should be enabled by default"
+ }
+
+ assert {
+ condition = azurerm_kubernetes_cluster.main.image_cleaner_interval_hours == 48
+ error_message = "Image Cleaner interval should default to 48 hours"
+ }
 }
 
 # Tests a full configuration with all optional variables explicitly set,
@@ -146,6 +156,8 @@ run "full_configuration" {
 azure_policy_enabled = true
 local_account_disabled = false
 enable_volume_snapshots = true
+ image_cleaner_enabled = true
+ image_cleaner_interval_hours = 24
 }
 
 assert {
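Review bot: In the `full_configuration` run (hunk @@ -146), `image_cleaner_enabled = true` is the same value as the variable's default, so the matching assert added in the @@ -247 hunk of this file (next line of the patch) passes whether or not the variable is actually wired to `azurerm_kubernetes_cluster.main`; only the `24` interval exercises the plumbing. Use a non-default value there, e.g. `image_cleaner_enabled = false` with `condition = azurerm_kubernetes_cluster.main.image_cleaner_enabled == false` (assuming the provider accepts an interval with the cleaner disabled), or add a separate run for the disabled case so a regression that drops the attribute from main.tf is caught. The `run` blocks both begin before their hunks.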
@@ -247,6 +259,16 @@ run "full_configuration" {
 condition = contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/write")
 error_message = "Snapshot write permissions should be included when enable_volume_snapshots is true"
 }
+
+ assert {
+ condition = azurerm_kubernetes_cluster.main.image_cleaner_enabled == true
+ error_message = "Image Cleaner should be enabled"
+ }
+
+ assert {
+ condition = azurerm_kubernetes_cluster.main.image_cleaner_interval_hours == 24
+ error_message = "Image Cleaner interval should match input value"
+ }
 }
 
 # Tests the private cluster configuration, ensuring that enabling the private_cluster_enabled
From 3b377fdf073069bc66883bc013f6ec79be6c8793 Mon Sep 17 00:00:00 2001
From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
Date: Mon, 8 Dec 2025 12:32:37 -0500
Subject: [PATCH 8/8] fmt, msc

Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
---
 terraform/cluster/azure-aks/test.tftest.hcl | 4 ++--
 terraform/cluster/azure-aks/variables.tf | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/terraform/cluster/azure-aks/test.tftest.hcl b/terraform/cluster/azure-aks/test.tftest.hcl
index 4b92c7ef3..049e7ece7 100644
--- a/terraform/cluster/azure-aks/test.tftest.hcl
+++ b/terraform/cluster/azure-aks/test.tftest.hcl
@@ -156,8 +156,8 @@ run "full_configuration" {
 azure_policy_enabled = true
 local_account_disabled = false
 enable_volume_snapshots = true
- image_cleaner_enabled = true
- image_cleaner_interval_hours = 24
+ image_cleaner_enabled = true
+ image_cleaner_interval_hours = 24
 }
 
 assert {
diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf
index c2c8684e3..aec3e4e99 100644
--- a/terraform/cluster/azure-aks/variables.tf
+++ b/terraform/cluster/azure-aks/variables.tf
@@ -73,6 +73,11 @@ variable "default_node_pool" {
 max_count = number
 node_count = number
 only_critical_addons_enabled = bool
+ upgrade_settings = optional(object({
+ drain_timeout_in_minutes = number
+ max_surge = string
+ node_soak_duration_in_minutes = number
+ }))
 })
 default = {
 name = "system"
@@ -84,6 +89,11 @@ variable "default_node_pool" {
 max_count = 3
 node_count = 1
 only_critical_addons_enabled = true
+ upgrade_settings = {
+ drain_timeout_in_minutes = 30
+ max_surge = "10%"
+ node_soak_duration_in_minutes = 10
+ }
 }
 }
 
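Review bot: The new `upgrade_settings` attribute (hunk @@ -73) wraps the object in `optional()` but none of its three fields are optional, so a caller that overrides `default_node_pool` must either supply all of `drain_timeout_in_minutes`, `max_surge` and `node_soak_duration_in_minutes` or receive `null` and silently lose the drain/surge/soak protection the default in hunk @@ -84 provides, because the `dynamic` block in main.tf then emits nothing. Consider `optional(object({ ... }), { drain_timeout_in_minutes = 30, max_surge = "10%", node_soak_duration_in_minutes = 10 })` so the same defaults apply to overrides, or mark the fields `optional()` individually. The numeric bounds are also unchecked; AKS accepts a bounded range for each (I believe 1–1440 minutes for the drain timeout and 0–30 for the soak duration — confirm against the API reference), so a `validation` block would reject bad values at plan time rather than at apply. The `variable "default_node_pool"` block begins before the hunk and its description is not visible here.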