revert file refactor

main.tf

@@ -261,7 +261,9 @@ resource "azurerm_kubernetes_cluster" "main" {
     }
   }
   dynamic "api_server_access_profile" {
-    for_each = var.api_server_authorized_ip_ranges != null || var.api_server_subnet_id != null ? ["api_server_access_profile"] : []
+    for_each = var.api_server_authorized_ip_ranges != null || var.api_server_subnet_id != null ? [
+      "api_server_access_profile"
+    ] : []
 
     content {
       authorized_ip_ranges = var.api_server_authorized_ip_ranges
@@ -435,7 +437,9 @@ resource "azurerm_kubernetes_cluster" "main" {
     service_cidr        = var.net_profile_service_cidr
 
     dynamic "load_balancer_profile" {
-      for_each = var.load_balancer_profile_enabled && var.load_balancer_sku == "standard" ? ["load_balancer_profile"] : []
+      for_each = var.load_balancer_profile_enabled && var.load_balancer_sku == "standard" ? [
+        "load_balancer_profile"
+      ] : []
 
       content {
         idle_timeout_in_minutes     = var.load_balancer_profile_idle_timeout_in_minutes
@@ -749,10 +753,174 @@ resource "null_resource" "pool_name_keeper" {
   }
 }
 
+resource "azurerm_log_analytics_workspace" "main" {
+  count = local.create_analytics_workspace ? 1 : 0
+
+  location            = coalesce(var.location, data.azurerm_resource_group.main.location)
+  name                = coalesce(var.cluster_log_analytics_workspace_name, trim("${var.prefix}-workspace", "-"))
+  resource_group_name = coalesce(var.log_analytics_workspace_resource_group_name, var.resource_group_name)
+  retention_in_days   = var.log_retention_in_days
+  sku                 = var.log_analytics_workspace_sku
+  tags = merge(var.tags, (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
+    avm_git_commit           = "0ae8a663f1dc1dc474b14c10d9c94c77a3d1e234"
+    avm_git_file             = "main.tf"
+    avm_git_last_modified_at = "2023-06-05 02:21:33"
+    avm_git_org              = "Azure"
+    avm_git_repo             = "terraform-azurerm-aks"
+    avm_yor_trace            = "9bb3ab45-1155-4bea-bc68-6b7d9aa73fbc"
+  } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/), (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
+    avm_yor_name = "main"
+  } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/))
+
+  lifecycle {
+    precondition {
+      condition     = can(coalesce(var.cluster_log_analytics_workspace_name, var.prefix))
+      error_message = "You must set one of `var.cluster_log_analytics_workspace_name` and `var.prefix` to create `azurerm_log_analytics_workspace.main`."
+    }
+  }
+}
+
+locals {
+  azurerm_log_analytics_workspace_id                  = try(azurerm_log_analytics_workspace.main[0].id, null)
+  azurerm_log_analytics_workspace_location            = try(azurerm_log_analytics_workspace.main[0].location, null)
+  azurerm_log_analytics_workspace_name                = try(azurerm_log_analytics_workspace.main[0].name, null)
+  azurerm_log_analytics_workspace_resource_group_name = try(azurerm_log_analytics_workspace.main[0].resource_group_name, null)
+}
+
+data "azurerm_log_analytics_workspace" "main" {
+  count = local.query_datasource_for_log_analytics_workspace_location ? 1 : 0
+
+  name                = var.log_analytics_workspace.name
+  resource_group_name = local.log_analytics_workspace.resource_group_name
+}
+
+resource "azurerm_log_analytics_solution" "main" {
+  count = local.create_analytics_solution ? 1 : 0
+
+  location              = coalesce(local.log_analytics_workspace.location, try(data.azurerm_log_analytics_workspace.main[0].location, null))
+  resource_group_name   = local.log_analytics_workspace.resource_group_name
+  solution_name         = "ContainerInsights"
+  workspace_name        = local.log_analytics_workspace.name
+  workspace_resource_id = local.log_analytics_workspace.id
+  tags = merge(var.tags, (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
+    avm_git_commit           = "886c26d95843149cc2a58ae72edb31478faa2a8c"
+    avm_git_file             = "main.tf"
+    avm_git_last_modified_at = "2023-07-20 06:04:07"
+    avm_git_org              = "Azure"
+    avm_git_repo             = "terraform-azurerm-aks"
+    avm_yor_trace            = "72af332c-2eac-4d8e-b895-bf85e31f0e23"
+  } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/), (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
+    avm_yor_name = "main"
+  } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/))
+
+  plan {
+    product   = "OMSGallery/ContainerInsights"
+    publisher = "Microsoft"
+  }
+}
+
+resource "azurerm_role_assignment" "acr" {
+  for_each = var.attached_acr_id_map
+
+  principal_id                     = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id
+  scope                            = each.value
+  role_definition_name             = "AcrPull"
+  skip_service_principal_aad_check = true
+}
+
 # /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/acceptanceTestResourceGroup1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testIdentity
 data "azurerm_user_assigned_identity" "cluster_identity" {
   count = (var.client_id == "" || var.client_secret == "") && var.identity_type == "UserAssigned" ? 1 : 0
 
   name                = split("/", var.identity_ids[0])[8]
   resource_group_name = split("/", var.identity_ids[0])[4]
 }
+
+# The AKS cluster identity has the Contributor role on the AKS second resource group (MC_myResourceGroup_myAKSCluster_eastus)
+# However when using a custom VNET, the AKS cluster identity needs the Network Contributor role on the VNET subnets
+# used by the system node pool and by any additional node pools.
+# https://learn.microsoft.com/en-us/azure/aks/configure-kubenet#prerequisites
+# https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni#prerequisites
+# https://github.com/Azure/terraform-azurerm-aks/issues/178
+resource "azurerm_role_assignment" "network_contributor" {
+  for_each = var.create_role_assignment_network_contributor && (var.client_id == "" || var.client_secret == "") ? local.subnet_ids : []
+
+  principal_id         = coalesce(try(data.azurerm_user_assigned_identity.cluster_identity[0].principal_id, azurerm_kubernetes_cluster.main.identity[0].principal_id), var.client_id)
+  scope                = each.value
+  role_definition_name = "Network Contributor"
+
+  lifecycle {
+    precondition {
+      condition     = length(var.network_contributor_role_assigned_subnet_ids) == 0
+      error_message = "Cannot set both of `var.create_role_assignment_network_contributor` and `var.network_contributor_role_assigned_subnet_ids`."
+    }
+  }
+}
+
+resource "azurerm_role_assignment" "network_contributor_on_subnet" {
+  for_each = var.network_contributor_role_assigned_subnet_ids
+
+  principal_id         = coalesce(try(data.azurerm_user_assigned_identity.cluster_identity[0].principal_id, azurerm_kubernetes_cluster.main.identity[0].principal_id), var.client_id)
+  scope                = each.value
+  role_definition_name = "Network Contributor"
+
+  lifecycle {
+    precondition {
+      condition     = !var.create_role_assignment_network_contributor
+      error_message = "Cannot set both of `var.create_role_assignment_network_contributor` and `var.network_contributor_role_assigned_subnet_ids`."
+    }
+  }
+}
+
+data "azurerm_client_config" "this" {}
+
+data "azurerm_virtual_network" "application_gateway_vnet" {
+  count = local.create_role_assignments_for_application_gateway ? 1 : 0
+
+  name                = local.application_gateway_subnet_vnet_name
+  resource_group_name = local.application_gateway_subnet_resource_group_name
+}
+
+resource "azurerm_role_assignment" "application_gateway_vnet_network_contributor" {
+  count = local.create_role_assignments_for_application_gateway ? 1 : 0
+
+  principal_id         = azurerm_kubernetes_cluster.main.ingress_application_gateway[0].ingress_application_gateway_identity[0].object_id
+  scope                = data.azurerm_virtual_network.application_gateway_vnet[0].id
+  role_definition_name = "Network Contributor"
+
+  lifecycle {
+    precondition {
+      condition     = data.azurerm_client_config.this.subscription_id == local.application_gateway_subnet_subscription_id_for_ingress
+      error_message = "Application Gateway's subnet must be in the same subscription, or `var.application_gateway_for_ingress.create_role_assignments` must be set to `false`."
+    }
+  }
+}
+
+resource "azurerm_role_assignment" "application_gateway_contributor" {
+  count = local.create_role_assignments_for_application_gateway ? 1 : 0
+
+  principal_id         = azurerm_kubernetes_cluster.main.ingress_application_gateway[0].ingress_application_gateway_identity[0].object_id
+  scope                = var.application_gateway_for_ingress.id
+  role_definition_name = "Contributor"
+
+  lifecycle {
+    precondition {
+      condition     = data.azurerm_client_config.this.subscription_id == local.application_gateway_subscription_id_for_ingress
+      error_message = "Application Gateway must be in the same subscription, or `var.application_gateway_for_ingress.create_role_assignments` must be set to `false`."
+    }
+  }
+}
+
+data "azurerm_resource_group" "ingress_appgw" {
+  count = local.create_role_assignments_for_application_gateway ? 1 : 0
+
+  name = local.application_gateway_resource_group_for_ingress
+}
+
+resource "azurerm_role_assignment" "application_gateway_resource_group_reader" {
+  count = local.create_role_assignments_for_application_gateway ? 1 : 0
+
+  principal_id         = azurerm_kubernetes_cluster.main.ingress_application_gateway[0].ingress_application_gateway_identity[0].object_id
+  scope                = data.azurerm_resource_group.ingress_appgw[0].id
+  role_definition_name = "Reader"
+}