Azure / terraform-azurerm-aks

Terraform Module for deploying an AKS cluster
MIT License

Support for node_network_profile #524

Open RelaxingLoki475 opened 8 months ago

RelaxingLoki475 commented 8 months ago

Is there an existing issue for this?

Description

Have the ability to manage node_network_profile to set application_security_group_ids in order to improve NSG management.

New or Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Potential Terraform Configuration

No response

References

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#node_network_profile

zioproto commented 8 months ago

Documentation reference: https://learn.microsoft.com/en-us/azure/aks/use-node-public-ips#use-public-ip-tags-on-node-public-ips-preview

jramacpr commented 1 month ago

I face the same issue when trying to attach an ASG to the node pool of the AKS cluster. Though Terraform provides an option to include the ASG inside the node network profile, it seems it does not work as expected.

  default_node_pool {
    name                   = var.agents_pool_name
    node_count             = var.agents_count
    vm_size                = var.agents_size
    vnet_subnet_id         = data.azurerm_subnet.subnet.id
    auto_scaling_enabled   = var.enable_auto_scaling
    max_count              = var.max_count
    min_count              = var.min_count
    node_public_ip_enabled = var.enable_node_public_ip
    max_pods               = var.agents_max_pods

    node_network_profile {
      application_security_group_ids = [data.azurerm_application_security_group.vm_asg.id]
    }

    upgrade_settings {
      max_surge = "10%"
    }
  }

After applying this, the default node pool's VM scale set has no ASGs associated with it. Any manual association of the ASG gets reverted to the original state (the state from the Terraform config, which sees no ASGs to be attached to the VM scale set). So as a result, attaching the ASG via the node network profile is currently not working as expected.

zioproto commented 1 month ago

@jramacpr I understand you are trying to pass the id of an application security group into the default_node_pool block.

Could you confirm whether you are using the module Azure/terraform-azurerm-aks or the azurerm_kubernetes_cluster resource directly?

In the module it seems this feature is implemented only for the additional node pools but not for the default node pool:

https://github.com/Azure/terraform-azurerm-aks/blob/495d0abe77443f686fb763186f93b7c10252019e/extra_node_pool.tf#L117

jramacpr commented 1 month ago

@zioproto I am using azurerm_kubernetes_cluster, and as per the documentation it says a node_network_profile block supports the following:

application_security_group_ids - (Optional) A list of Application Security Group IDs which should be associated with this Node Pool.

zioproto commented 1 month ago

@jramacpr I opened PR #598 because it seems the module did not support node_network_profile in the default pool.

However, if you are consuming the resource azurerm_kubernetes_cluster directly you should open an issue at https://github.com/hashicorp/terraform-provider-azurerm/issues because this could be an issue with the upstream provider.

What version of the HashiCorp azurerm provider are you using in your project?

thanks
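For readers landing on this thread, the following is an added example (not code from the issue, the module, or the provider docs) of what the feature is for: putting the AKS node NICs into an Application Security Group so NSG rules can target "the AKS nodes" instead of a subnet CIDR that changes as the scale set grows. It uses the azurerm_kubernetes_cluster resource directly, sets node_network_profile on both the default pool and an azurerm_kubernetes_cluster_node_pool, and then consumes the ASG as the source of an NSG rule. Resource group, subnet, NSG, SKU and CIDR values are placeholders assumed to exist elsewhere in the configuration.

```hcl
# Added example, not part of the original thread or module.
# Assumes azurerm_resource_group.rg, azurerm_subnet.nodes and
# azurerm_network_security_group.db are defined elsewhere.

resource "azurerm_application_security_group" "aks_nodes" {
  name                = "asg-aks-nodes" # placeholder name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-example" # placeholder name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "aks-example"

  default_node_pool {
    name           = "system"
    vm_size        = "Standard_D2s_v3"
    node_count     = 2
    vnet_subnet_id = azurerm_subnet.nodes.id

    # The attribute this issue is about: tag the default pool's NICs
    # with the ASG so NSG rules can reference them by membership.
    node_network_profile {
      application_security_group_ids = [azurerm_application_security_group.aks_nodes.id]
    }
  }

  identity {
    type = "SystemAssigned"
  }
}

# Same setting on an additional pool, so every node in the cluster is a member.
resource "azurerm_kubernetes_cluster_node_pool" "user" {
  name                  = "user"
  kubernetes_cluster_id = azurerm_kubernetes_cluster.aks.id
  vm_size               = "Standard_D2s_v3"
  node_count            = 2
  vnet_subnet_id        = azurerm_subnet.nodes.id

  node_network_profile {
    application_security_group_ids = [azurerm_application_security_group.aks_nodes.id]
  }
}

# Inbound rule on the database NSG: only NICs in the ASG may reach Postgres.
# No node CIDR is hard-coded, so scale-out and VMSS re-IPing need no rule change.
resource "azurerm_network_security_rule" "db_from_aks_nodes" {
  name                                  = "allow-postgres-from-aks-nodes"
  priority                              = 200
  direction                             = "Inbound"
  access                                = "Allow"
  protocol                              = "Tcp"
  source_port_range                     = "*"
  destination_port_range                = "5432"
  source_application_security_group_ids = [azurerm_application_security_group.aks_nodes.id]
  destination_address_prefix            = "10.20.0.0/24" # placeholder db subnet
  resource_group_name                   = azurerm_resource_group.rg.name
  network_security_group_name           = azurerm_network_security_group.db.name
}
```

Given what jramacpr reports above for the default pool, do not assume the association landed: after apply, list the VMSS in the cluster's node resource group (the `node_resource_group` attribute of azurerm_kubernetes_cluster) and inspect `az vmss show -g <node_resource_group> -n <vmss_name> --query "virtualMachineProfile.networkProfile.networkInterfaceConfigurations[].ipConfigurations[].applicationSecurityGroups[].id"`. An empty result means the NSG rule above admits nothing from the nodes, which fails closed but is worth catching before relying on it.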