Add network_profile and monitoring

README.md

@@ -25,7 +25,7 @@ The following requirements are needed by this module:
 
 - <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) (>= 1.3.0)
 
-- <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) (>= 3.71.0)
+- <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) (>= 3.86.0)
 
 - <a name="requirement_local"></a> [local](#requirement\_local) (2.4.1)
 
@@ -35,7 +35,7 @@ The following requirements are needed by this module:
 
 The following providers are used by this module:
 
-- <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) (>= 3.71.0)
+- <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) (>= 3.86.0)
 
 - <a name="provider_local"></a> [local](#provider\_local) (2.4.1)
 
@@ -48,14 +48,18 @@ The following resources are used by this module:
 - [azurerm_container_registry.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry) (resource)
 - [azurerm_kubernetes_cluster.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) (resource)
 - [azurerm_kubernetes_cluster_node_pool.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster_node_pool) (resource)
+- [azurerm_log_analytics_workspace.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) (resource)
+- [azurerm_log_analytics_workspace_table.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace_table) (resource)
 - [azurerm_management_lock.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock) (resource)
+- [azurerm_monitor_diagnostic_setting.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) (resource)
 - [azurerm_private_endpoint.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) (resource)
 - [azurerm_private_endpoint_application_security_group_association.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint_application_security_group_association) (resource)
 - [azurerm_resource_group_template_deployment.telemetry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_template_deployment) (resource)
 - [azurerm_role_assignment.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_role_assignment.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [random_id.telem](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) (resource)
 - [random_string.acr_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) (resource)
+- [azurerm_monitor_diagnostic_categories.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_diagnostic_categories) (data source)
 - [local_file.compute_provider](https://registry.terraform.io/providers/hashicorp/local/2.4.1/docs/data-sources/file) (data source)
 - [local_file.locations](https://registry.terraform.io/providers/hashicorp/local/2.4.1/docs/data-sources/file) (data source)
 
@@ -145,6 +149,14 @@ Type: `list(string)`
 
 Default: `null`
 
+### <a name="input_key_vault_secrets_provider_enabled"></a> [key\_vault\_secrets\_provider\_enabled](#input\_key\_vault\_secrets\_provider\_enabled)
+
+Description: (Optional) Whether to use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster. For more details: https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver
+
+Type: `bool`
+
+Default: `false`
+
 ### <a name="input_lock"></a> [lock](#input\_lock)
 
 Description: The lock level to apply. Default is `None`. Possible values are `None`, `CanNotDelete`, and `ReadOnly`.
@@ -160,6 +172,14 @@ object({
 
 Default: `{}`
 
+### <a name="input_log_analytics_workspace_id"></a> [log\_analytics\_workspace\_id](#input\_log\_analytics\_workspace\_id)
+
+Description: (Optional) The ID of the Log Analytics Workspace to use for the OMS agent.
+
+Type: `string`
+
+Default: `null`
+
 ### <a name="input_managed_identities"></a> [managed\_identities](#input\_managed\_identities)
 
 Description: Managed identities to be created for the resource.
@@ -175,6 +195,25 @@ object({
 
 Default: `{}`
 
+### <a name="input_monitor_metrics"></a> [monitor\_metrics](#input\_monitor\_metrics)
+
+Description: (Optional) Specifies a Prometheus add-on profile for the Kubernetes Cluster  
+object({  
+  annotations\_allowed = "(Optional) Specifies a comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric."  
+  labels\_allowed      = "(Optional) Specifies a Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric."
+})
+
+Type:
+
+```hcl
+object({
+    annotations_allowed = optional(string)
+    labels_allowed      = optional(string)
+  })
+```
+
+Default: `null`
+
 ### <a name="input_node_pools"></a> [node\_pools](#input\_node\_pools)
 
 Description: A map of node pools that need to be created and attached on the Kubernetes cluster. The key of the map can be the name of the node pool, and the key must be static string. The value of the map is a `node_pool` block as defined below:  

locals.tf

@@ -59,4 +59,7 @@ locals {
       }
     ]
   ])
+}
+locals {
+  log_analytics_tables = ["AKSAudit", "AKSAuditAdmin", "AKSControlPlane"]
 }

main.tf

@@ -43,15 +43,13 @@ resource "azurerm_kubernetes_cluster" "this" {
   workload_identity_enabled         = true
 
   default_node_pool {
-    name                = "agentpool"
-    vm_size             = "Standard_D4d_v5"
-    enable_auto_scaling = true
-    # autoscaler profile setting on the old module use the configuration
+    name                   = "agentpool"
+    vm_size                = "Standard_D4d_v5"
+    enable_auto_scaling    = true
     enable_host_encryption = true
-    max_count              = 5
+    max_count              = 9
     max_pods               = 110
-    min_count              = 2
-    node_count             = 5
+    min_count              = 3
     os_sku                 = "Ubuntu"
     tags                   = merge(var.tags, var.agents_tags)
     zones                  = try([for zone in local.regions_by_name_or_display_name[var.location].zones : zone], null)
@@ -69,6 +67,101 @@ resource "azurerm_kubernetes_cluster" "this" {
   key_vault_secrets_provider {
     secret_rotation_enabled = true
   }
+  dynamic "monitor_metrics" {
+
+    for_each = var.monitor_metrics != null ? [var.monitor_metrics] : []
+
+    content {
+      annotations_allowed = var.monitor_metrics.annotations_allowed
+      labels_allowed      = var.monitor_metrics.labels_allowed
+    }
+  }
+  network_profile {
+    network_plugin      = "azure"
+    load_balancer_sku   = "standard"
+    network_plugin_mode = "overlay"
+    network_policy      = "calico"
+    outbound_type       = "managedNATGateway"
+  }
+  oms_agent {
+    log_analytics_workspace_id      = azurerm_log_analytics_workspace.this.id
+    msi_auth_for_monitoring_enabled = true
+  }
+}
+
+data "azurerm_monitor_diagnostic_categories" "aks" {
+  resource_id = azurerm_kubernetes_cluster.this.id
+}
+
+resource "azurerm_log_analytics_workspace" "this" {
+  location            = var.location
+  name                = "${var.name}-aks"
+  resource_group_name = var.resource_group_name
+  sku                 = "PerGB2018"
+  tags                = var.tags
+}
+
+resource "azurerm_log_analytics_workspace_table" "this" {
+  for_each = toset(local.log_analytics_tables)
+
+  name         = each.value
+  workspace_id = azurerm_log_analytics_workspace.this.id
+  plan         = "Basic"
+}
+
+resource "azurerm_monitor_diagnostic_setting" "aks" {
+  name                           = "${var.name}-aks"
+  target_resource_id             = azurerm_kubernetes_cluster.this.id
+  log_analytics_destination_type = "Dedicated"
+  log_analytics_workspace_id     = azurerm_log_analytics_workspace.this.id
+
+  # Kubernetes API Server
+  enabled_log {
+    category = "kube-apiserver"
+  }
+  # Kubernetes Audit
+  enabled_log {
+    category = "kube-audit"
+  }
+  # Kubernetes Audit Admin Logs
+  enabled_log {
+    category = "kube-audit-admin"
+  }
+  # Kubernetes Controller Manager
+  enabled_log {
+    category = "kube-controller-manager"
+  }
+  # Kubernetes Scheduler
+  enabled_log {
+    category = "kube-scheduler"
+  }
+  #Kubernetes Cluster Autoscaler
+  enabled_log {
+    category = "cluster-autoscaler"
+  }
+  #Kubernetes Cloud Controller Manager
+  enabled_log {
+    category = "cloud-controller-manager"
+  }
+  #guard
+  enabled_log {
+    category = "guard"
+  }
+  #csi-azuredisk-controller
+  enabled_log {
+    category = "csi-azuredisk-controller"
+  }
+  #csi-azurefile-controller
+  enabled_log {
+    category = "csi-azurefile-controller"
+  }
+  #csi-snapshot-controller
+  enabled_log {
+    category = "csi-snapshot-controller"
+  }
+  metric {
+    category = "AllMetrics"
+  }
 }
 
 # required AVM resources interfaces
@@ -118,4 +211,4 @@ data "local_file" "compute_provider" {
 
 data "local_file" "locations" {
   filename = "${path.module}/data/locations.json"
-}
+}

terraform.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.71.0"
+      version = ">= 3.86.0"
     }
     local = {
       source  = "hashicorp/local"

variables.tf

@@ -71,6 +71,13 @@ variable "identity_ids" {
   description = "(Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Kubernetes Cluster."
 }
 
+variable "key_vault_secrets_provider_enabled" {
+  type        = bool
+  default     = false
+  description = "(Optional) Whether to use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster. For more details: https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver"
+  nullable    = false
+}
+
 variable "lock" {
   type = object({
     name = optional(string, null)
@@ -86,6 +93,12 @@ variable "lock" {
   }
 }
 
+variable "log_analytics_workspace_id" {
+  type        = string
+  default     = null
+  description = "(Optional) The ID of the Log Analytics Workspace to use for the OMS agent."
+}
+
 # tflint-ignore: terraform_unused_declarations
 variable "managed_identities" {
   type = object({
@@ -96,6 +109,21 @@ variable "managed_identities" {
   description = "Managed identities to be created for the resource."
 }
 
+variable "monitor_metrics" {
+  type = object({
+    annotations_allowed = optional(string)
+    labels_allowed      = optional(string)
+  })
+  default     = null
+  description = <<-EOT
+  (Optional) Specifies a Prometheus add-on profile for the Kubernetes Cluster
+  object({
+    annotations_allowed = "(Optional) Specifies a comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric."
+    labels_allowed      = "(Optional) Specifies a Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric."
+  })
+EOT
+}
+
 variable "node_pools" {
   type = map(object({
     name    = string