Always use UserAssigned identity and monitor metrics

Azure · Mar 28, 2024 · 38bd719 · 38bd719
1 parent c37b56f
commit 38bd719
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 43 deletions.
diff --git a/README.md b/README.md
@@ -66,6 +66,7 @@ The following resources are used by this module:
 - [azurerm_resource_group_template_deployment.telemetry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_template_deployment) (resource)
 - [azurerm_role_assignment.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_role_assignment.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
+- [azurerm_user_assigned_identity.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) (resource)
 - [null_resource.kubernetes_version_keeper](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) (resource)
 - [random_id.telem](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) (resource)
 - [random_string.acr_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) (resource)

diff --git a/examples/default/README.md b/examples/default/README.md
@@ -49,12 +49,6 @@ resource "azurerm_resource_group" "this" {
   name     = module.naming.resource_group.name_unique
 }
 
-resource "azurerm_user_assigned_identity" "this" {
-  location            = azurerm_resource_group.this.location
-  name                = "uami-${var.kubernetes_cluster_name}"
-  resource_group_name = azurerm_resource_group.this.name
-}
-
 # This is the module call
 # Do not specify location here due to the randomization above.
 # Leaving location as `null` will cause the module to use the resource group location
@@ -66,7 +60,6 @@ module "test" {
   name                = module.naming.kubernetes_cluster.name_unique
   resource_group_name = azurerm_resource_group.this.name
   location            = "East US" # Hardcoded instead of using module.regions because The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.
-  identity_ids        = [azurerm_user_assigned_identity.this.id]
   pod_cidr            = "192.168.0.0/16"
   node_cidr           = "10.31.0.0/16"
 }
@@ -96,7 +89,6 @@ The following providers are used by this module:
 The following resources are used by this module:
 
 - [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
-- [azurerm_user_assigned_identity.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) (resource)
 - [random_integer.region_index](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) (resource)
 
 <!-- markdownlint-disable MD013 -->
@@ -118,14 +110,6 @@ Type: `bool`
 
 Default: `true`
 
-### <a name="input_kubernetes_cluster_name"></a> [kubernetes\_cluster\_name](#input\_kubernetes\_cluster\_name)
-
-Description: The name of the Kubernetes cluster.
-
-Type: `string`
-
-Default: `"myAks"`
-
 ## Outputs
 
 No outputs.

diff --git a/examples/default/main.tf b/examples/default/main.tf
@@ -43,12 +43,6 @@ resource "azurerm_resource_group" "this" {
   name     = module.naming.resource_group.name_unique
 }
 
-resource "azurerm_user_assigned_identity" "this" {
-  location            = azurerm_resource_group.this.location
-  name                = "uami-${var.kubernetes_cluster_name}"
-  resource_group_name = azurerm_resource_group.this.name
-}
-
 # This is the module call
 # Do not specify location here due to the randomization above.
 # Leaving location as `null` will cause the module to use the resource group location
@@ -60,7 +54,6 @@ module "test" {
   name                = module.naming.kubernetes_cluster.name_unique
   resource_group_name = azurerm_resource_group.this.name
   location            = "East US" # Hardcoded instead of using module.regions because The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.
-  identity_ids        = [azurerm_user_assigned_identity.this.id]
   pod_cidr            = "192.168.0.0/16"
   node_cidr           = "10.31.0.0/16"
 }
diff --git a/examples/default/variables.tf b/examples/default/variables.tf
@@ -7,9 +7,3 @@ For more information see <https://aka.ms/avm/telemetryinfo>.
 If it is set to false, then no telemetry will be collected.
 DESCRIPTION
 }
-
-variable "kubernetes_cluster_name" {
-  type        = string
-  default     = "myAks"
-  description = "The name of the Kubernetes cluster."
-}
diff --git a/locals.tf b/locals.tf
@@ -63,4 +63,8 @@ locals {
 }
 locals {
   log_analytics_tables = ["AKSAudit", "AKSAuditAdmin", "AKSControlPlane"]
+}
+
+locals {
+  identity_ids = var.identity_ids != null ? var.identity_ids : azurerm_user_assigned_identity.aks[*].id
 }
diff --git a/main.tf b/main.tf
@@ -25,6 +25,15 @@ resource "azurerm_role_assignment" "acr" {
   skip_service_principal_aad_check = true
 }
 
+resource "azurerm_user_assigned_identity" "aks" {
+  count = var.identity_ids != null ? 0 : 1
+
+  location            = var.location
+  name                = "uami-aks"
+  resource_group_name = var.resource_group_name
+  tags                = var.tags
+}
+
 resource "azurerm_kubernetes_cluster" "this" {
   location                          = var.location
   name                              = var.name
@@ -59,24 +68,16 @@ resource "azurerm_kubernetes_cluster" "this" {
   auto_scaler_profile {
     balance_similar_node_groups = true
   }
-  dynamic "identity" {
-    for_each = var.identity_ids != null ? [var.identity_ids] : []
-    content {
-      type         = "UserAssigned"
-      identity_ids = var.identity_ids
-    }
+  identity {
+    type         = "UserAssigned"
+    identity_ids = local.identity_ids
   }
   key_vault_secrets_provider {
     secret_rotation_enabled = true
   }
-  dynamic "monitor_metrics" {
-
-    for_each = var.monitor_metrics != null ? [var.monitor_metrics] : []
-
-    content {
-      annotations_allowed = var.monitor_metrics.annotations_allowed
-      labels_allowed      = var.monitor_metrics.labels_allowed
-    }
+  monitor_metrics {
+    annotations_allowed = try(var.monitor_metrics.annotations_allowed, null)
+    labels_allowed      = try(var.monitor_metrics.labels_allowed, null)
   }
   network_profile {
     network_plugin      = "azure"