feat(aks): Added AKS outputs (#343)

* Added check to disabled pod identity * in aks added output for resource group * for workload identity added outputs for principal id * added more outputs for workload identity * added verbose to pod identity delete * added verbose to pod identity delete * minor fix * pre-commit fixs
pagopa · Sep 2, 2024 · 2334835 · 2334835
1 parent 61c239b
commit 2334835
Show file tree

Hide file tree

Showing 6 changed files with 58 additions and 20 deletions.
diff --git a/kubernetes_cluster/03_pod_identity_extension.tf b/kubernetes_cluster/03_pod_identity_extension.tf
@@ -27,22 +27,32 @@ resource "null_resource" "enable_pod_identity" {
     EOT
   }
 
-  # provisioner "local-exec" {
-  #   when    = destroy
-  #   command = <<EOT
-  #     if az extension list-available | grep aks-preview > /dev/null
-  #     then
-  #       az aks update \
-  #         -g ${self.triggers.resource_group_name} \
-  #         -n ${self.triggers.cluster_name} \
-  #         --disable-pod-identity \
-  #         --no-wait \
-  #         --yes
-  #     else
-  #       echo "addon: aks-preview not avaible"
-  #     fi
-  #   EOT
-  # }
+  provisioner "local-exec" {
+    when    = destroy
+    command = <<EOT
+      if az extension list-available | grep aks-preview > /dev/null
+      then
+        if [ $(az aks pod-identity list \
+                --resource-group ${self.triggers.resource_group_name} \
+                --name ${self.triggers.cluster_name} \
+                --query 'podIdentityProfile.userAssignedIdentities[].{name:name, state:provisioningState}' \
+                --output json | jq 'length') -eq 0 ]; then
+
+            echo "🔨 [INFO] No pod identity founds"
+            az aks update \
+              -g ${self.triggers.resource_group_name} \
+              -n ${self.triggers.cluster_name} \
+              --disable-pod-identity \
+              --no-wait \
+              --yes && echo "✅ Pod Identity feature disabled" || echo "⚠️ Impossible to disable pod identity"
+        else
+            echo "❌ There are pod identities, disable is not possible"
+        fi
+      else
+        echo "addon: aks-preview not avaible"
+      fi
+    EOT
+  }
 
   depends_on = [
     azurerm_kubernetes_cluster.this

diff --git a/kubernetes_cluster/10_outputs.tf b/kubernetes_cluster/10_outputs.tf
@@ -37,3 +37,8 @@ output "managed_resource_group_id" {
   value       = azurerm_kubernetes_cluster.this.node_resource_group_id
   description = "The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster."
 }
+
+output "aks_resource_group_name" {
+  value       = azurerm_kubernetes_cluster.this.resource_group_name
+  description = "AKS resource group name where the aks was installed"
+}
diff --git a/kubernetes_cluster/README.md b/kubernetes_cluster/README.md
@@ -761,6 +761,7 @@ No modules.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_aks_resource_group_name"></a> [aks\_resource\_group\_name](#output\_aks\_resource\_group\_name) | AKS resource group name where the aks was installed |
 | <a name="output_fqdn"></a> [fqdn](#output\_fqdn) | The FQDN of the Azure Kubernetes Managed Cluster. |
 | <a name="output_id"></a> [id](#output\_id) | n/a |
 | <a name="output_identity_principal_id"></a> [identity\_principal\_id](#output\_identity\_principal\_id) | The Principal ID associated with this Managed Service Identity. |

diff --git a/kubernetes_pod_identity/main.tf b/kubernetes_pod_identity/main.tf
@@ -34,12 +34,14 @@ resource "null_resource" "create_pod_identity" {
 
   provisioner "local-exec" {
     command = <<EOT
+      echo "🔨 start creation pod Identity"
       az aks pod-identity add \
         --resource-group ${self.triggers.resource_group} \
         --cluster-name ${self.triggers.cluster_name} \
         --namespace ${self.triggers.namespace} \
         --name ${self.triggers.name} \
-        --identity-resource-id ${self.triggers.identity_id}
+        --verbose \
+        --identity-resource-id ${self.triggers.identity_id} && echo "✅ podIdentity created" || echo "❌ Error during podIdentity creation"
 
       echo "✅ pod identity created"
 
@@ -53,13 +55,13 @@ resource "null_resource" "create_pod_identity" {
   provisioner "local-exec" {
     when    = destroy
     command = <<EOT
+      echo "🔨 start destroy pod Identity"
       az aks pod-identity delete \
+        --verbose \
         --resource-group ${self.triggers.resource_group} \
         --cluster-name ${self.triggers.cluster_name} \
         --namespace ${self.triggers.namespace} \
-        --name ${self.triggers.name}
-
-      echo "✅ pod identity deleted"
+        --name ${self.triggers.name} && echo "✅ podIdentity deleted" || echo "❌ Error during podIdentity delete"
 
       az aks pod-identity list \
         --resource-group ${self.triggers.resource_group} \

diff --git a/kubernetes_workload_identity/README.md b/kubernetes_workload_identity/README.md
@@ -83,8 +83,12 @@ No modules.
 |------|-------------|
 | <a name="output_user_assigned_identity_client_id"></a> [user\_assigned\_identity\_client\_id](#output\_user\_assigned\_identity\_client\_id) | n/a |
 | <a name="output_user_assigned_identity_id"></a> [user\_assigned\_identity\_id](#output\_user\_assigned\_identity\_id) | n/a |
+| <a name="output_user_assigned_identity_name"></a> [user\_assigned\_identity\_name](#output\_user\_assigned\_identity\_name) | n/a |
+| <a name="output_user_assigned_identity_principal_id"></a> [user\_assigned\_identity\_principal\_id](#output\_user\_assigned\_identity\_principal\_id) | n/a |
+| <a name="output_user_assigned_identity_resource_group_name"></a> [user\_assigned\_identity\_resource\_group\_name](#output\_user\_assigned\_identity\_resource\_group\_name) | n/a |
 | <a name="output_workload_identity_client_id"></a> [workload\_identity\_client\_id](#output\_workload\_identity\_client\_id) | n/a |
 | <a name="output_workload_identity_client_id_secret_name"></a> [workload\_identity\_client\_id\_secret\_name](#output\_workload\_identity\_client\_id\_secret\_name) | n/a |
+| <a name="output_workload_identity_principal_id"></a> [workload\_identity\_principal\_id](#output\_workload\_identity\_principal\_id) | n/a |
 | <a name="output_workload_identity_service_account_name"></a> [workload\_identity\_service\_account\_name](#output\_workload\_identity\_service\_account\_name) | n/a |
 | <a name="output_workload_identity_service_account_namespace"></a> [workload\_identity\_service\_account\_namespace](#output\_workload\_identity\_service\_account\_namespace) | n/a |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/kubernetes_workload_identity/outputs.tf b/kubernetes_workload_identity/outputs.tf
@@ -2,6 +2,14 @@ output "user_assigned_identity_id" {
   value = azurerm_user_assigned_identity.this.id
 }
 
+output "user_assigned_identity_name" {
+  value = azurerm_user_assigned_identity.this.name
+}
+
+output "user_assigned_identity_resource_group_name" {
+  value = azurerm_user_assigned_identity.this.resource_group_name
+}
+
 output "user_assigned_identity_client_id" {
   value = azurerm_user_assigned_identity.this.client_id
 }
@@ -10,6 +18,14 @@ output "workload_identity_client_id" {
   value = azurerm_user_assigned_identity.this.client_id
 }
 
+output "user_assigned_identity_principal_id" {
+  value = azurerm_user_assigned_identity.this.principal_id
+}
+
+output "workload_identity_principal_id" {
+  value = azurerm_user_assigned_identity.this.principal_id
+}
+
 output "workload_identity_service_account_name" {
   value = try(kubernetes_service_account_v1.workload_identity_sa[0].metadata[0].name, null)
 }