refactor application gw related variables, merge them to one new vari…

…able

examples/application_gateway_ingress/main.tf

@@ -60,7 +60,7 @@ resource "azurerm_public_ip" "pip" {
 }
 
 resource "azurerm_application_gateway" "appgw" {
-  location = local.resource_group.location
+  location            = local.resource_group.location
   #checkov:skip=CKV_AZURE_120:We don't need the WAF for this simple example
   name                = "ingress"
   resource_group_name = local.resource_group.name
@@ -124,20 +124,20 @@ module "aks" {
   #checkov:skip=CKV_AZURE_141:We enable admin account here so we can provision K8s resources directly in this simple example
   source = "../.."
 
-  prefix                    = random_id.name.hex
-  resource_group_name       = local.resource_group.name
-  kubernetes_version        = "1.26" # don't specify the patch version!
-  automatic_channel_upgrade = "patch"
-  agents_availability_zones = ["1", "2"]
-  agents_count              = null
-  agents_max_count          = 2
-  agents_max_pods           = 100
-  agents_min_count          = 1
-  agents_pool_name          = "testnodepool"
+  prefix                       = random_id.name.hex
+  resource_group_name          = local.resource_group.name
+  kubernetes_version           = "1.26" # don't specify the patch version!
+  automatic_channel_upgrade    = "patch"
+  agents_availability_zones    = ["1", "2"]
+  agents_count                 = null
+  agents_max_count             = 2
+  agents_max_pods              = 100
+  agents_min_count             = 1
+  agents_pool_name             = "testnodepool"
   agents_pool_linux_os_configs = [
     {
       transparent_huge_page_enabled = "always"
-      sysctl_configs = [
+      sysctl_configs                = [
         {
           fs_aio_max_nr               = 65536
           fs_file_max                 = 100000
@@ -151,10 +151,11 @@ module "aks" {
   enable_auto_scaling                 = true
   enable_host_encryption              = true
   http_application_routing_enabled    = true
-  ingress_application_gateway_enabled = true
-  application_gateway_for_ingress = {
-    id        = azurerm_application_gateway.appgw.id
-    subnet_id = azurerm_subnet.appgw.id
+  application_gateway_for_ingress     = {
+    existing_gw = {
+      id        = azurerm_application_gateway.appgw.id
+      subnet_id = azurerm_subnet.appgw.id
+    }
   }
   local_account_disabled            = false
   log_analytics_workspace_enabled   = false
@@ -170,7 +171,7 @@ module "aks" {
   role_based_access_control_enabled = true
   sku_tier                          = "Standard"
   vnet_subnet_id                    = azurerm_subnet.test.id
-  depends_on = [
+  depends_on                        = [
     azurerm_subnet.test,
   ]
 }

examples/startup/main.tf

@@ -38,20 +38,20 @@ resource "azurerm_subnet" "test" {
 module "aks" {
   source = "../.."
 
-  prefix                    = random_id.name.hex
-  resource_group_name       = local.resource_group.name
-  kubernetes_version        = "1.26" # don't specify the patch version!
-  automatic_channel_upgrade = "patch"
-  agents_availability_zones = ["1", "2"]
-  agents_count              = null
-  agents_max_count          = 2
-  agents_max_pods           = 100
-  agents_min_count          = 1
-  agents_pool_name          = "testnodepool"
+  prefix                       = random_id.name.hex
+  resource_group_name          = local.resource_group.name
+  kubernetes_version           = "1.26" # don't specify the patch version!
+  automatic_channel_upgrade    = "patch"
+  agents_availability_zones    = ["1", "2"]
+  agents_count                 = null
+  agents_max_count             = 2
+  agents_max_pods              = 100
+  agents_min_count             = 1
+  agents_pool_name             = "testnodepool"
   agents_pool_linux_os_configs = [
     {
       transparent_huge_page_enabled = "always"
-      sysctl_configs = [
+      sysctl_configs                = [
         {
           fs_aio_max_nr               = 65536
           fs_file_max                 = 100000
@@ -60,24 +60,27 @@ module "aks" {
       ]
     }
   ]
-  agents_type          = "VirtualMachineScaleSets"
-  azure_policy_enabled = true
-  client_id            = var.client_id
-  client_secret        = var.client_secret
+  agents_type            = "VirtualMachineScaleSets"
+  azure_policy_enabled   = true
+  client_id              = var.client_id
+  client_secret          = var.client_secret
   confidential_computing = {
     sgx_quote_helper_enabled = true
   }
-  disk_encryption_set_id                  = azurerm_disk_encryption_set.des.id
-  enable_auto_scaling                     = true
-  enable_host_encryption                  = true
-  http_application_routing_enabled        = true
-  ingress_application_gateway_enabled     = true
-  ingress_application_gateway_name        = "${random_id.prefix.hex}-agw"
-  ingress_application_gateway_subnet_cidr = "10.52.1.0/24"
-  local_account_disabled                  = true
-  log_analytics_workspace_enabled         = true
-  cluster_log_analytics_workspace_name    = random_id.name.hex
-  maintenance_window = {
+  disk_encryption_set_id           = azurerm_disk_encryption_set.des.id
+  enable_auto_scaling              = true
+  enable_host_encryption           = true
+  http_application_routing_enabled = true
+  application_gateway_for_ingress  = {
+    new_gw = {
+      name        = "${random_id.prefix.hex}-agw"
+      subnet_cidr = "10.52.1.0/24"
+    }
+  }
+  local_account_disabled               = true
+  log_analytics_workspace_enabled      = true
+  cluster_log_analytics_workspace_name = random_id.name.hex
+  maintenance_window                   = {
     allowed = [
       {
         day   = "Sunday",

locals.tf

@@ -1,14 +1,15 @@
 locals {
+  ingress_application_gateway_enabled                             = var.application_gateway_for_ingress != null
   # Application Gateway ID: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/applicationGateways/myGateway1
-  application_gateway_for_ingress_id             = try(var.application_gateway_for_ingress.id, null)
-  application_gateway_resource_group_for_ingress = var.application_gateway_for_ingress == null ? null : local.application_gateway_segments_for_ingress[4]
-  application_gateway_segments_for_ingress       = var.application_gateway_for_ingress == null ? null : split("/", local.application_gateway_for_ingress_id)
-  application_gateway_subnet_resource_group_name = try(local.application_gateway_subnet_segments[4], null)
+  existing_application_gateway_for_ingress_id                     = try(var.application_gateway_for_ingress.existing_gw.id, null)
+  existing_application_gateway_resource_group_for_ingress         = try(var.application_gateway_for_ingress.existing_gw, null) == null ? null : local.existing_application_gateway_segments_for_ingress[4]
+  existing_application_gateway_segments_for_ingress               = try(var.application_gateway_for_ingress.existing_gw, null) == null ? null : split("/", local.existing_application_gateway_for_ingress_id)
+  existing_application_gateway_subnet_resource_group_name                  = try(local.existing_application_gateway_subnet_segments[4], null)
   # Subnet ID: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/virtualNetworks/myvnet1/subnets/mysubnet1
-  application_gateway_subnet_segments                    = try(split("/", var.application_gateway_for_ingress.subnet_id), [])
-  application_gateway_subnet_subscription_id_for_ingress = try(local.application_gateway_subnet_segments[2], null)
-  application_gateway_subnet_vnet_name                   = try(local.application_gateway_subnet_segments[8], null)
-  application_gateway_subscription_id_for_ingress        = var.application_gateway_for_ingress == null ? null : local.application_gateway_segments_for_ingress[2]
+  existing_application_gateway_subnet_segments                    = try(split("/", var.application_gateway_for_ingress.existing_gw.subnet_id), [])
+  existing_application_gateway_subnet_subscription_id_for_ingress = try(local.existing_application_gateway_subnet_segments[2], null)
+  existing_application_gateway_subnet_vnet_name                   = try(local.existing_application_gateway_subnet_segments[8], null)
+  existing_application_gateway_subscription_id_for_ingress        = try(var.application_gateway_for_ingress.new_gw, null) == null ? null : local.existing_application_gateway_segments_for_ingress[2]
   # Abstract if auto_scaler_profile_scale_down_delay_after_delete is not set or null we should use the scan_interval.
   auto_scaler_profile_scale_down_delay_after_delete = var.auto_scaler_profile_scale_down_delay_after_delete == null ? var.auto_scaler_profile_scan_interval : var.auto_scaler_profile_scale_down_delay_after_delete
   # automatic upgrades are either:

main.tf

@@ -330,13 +330,13 @@ resource "azurerm_kubernetes_cluster" "main" {
     }
   }
   dynamic "ingress_application_gateway" {
-    for_each = var.ingress_application_gateway_enabled ? ["ingress_application_gateway"] : []
+    for_each = local.ingress_application_gateway_enabled ? ["ingress_application_gateway"] : []
 
     content {
-      gateway_id   = try(var.application_gateway_for_ingress.id, null)
-      gateway_name = var.ingress_application_gateway_name
-      subnet_cidr  = var.ingress_application_gateway_subnet_cidr
-      subnet_id    = var.ingress_application_gateway_subnet_id
+      gateway_id   = try(var.application_gateway_for_ingress.existing_gw.id, null)
+      gateway_name = try(var.application_gateway_for_ingress.new_gw.name, null)
+      subnet_cidr  = try(var.application_gateway_for_ingress.new_gw.subnet_cidr, null)
+      subnet_id    = try(var.application_gateway_for_ingress.new_gw.subnet_id, null)
     }
   }
   dynamic "key_management_service" {
@@ -768,7 +768,7 @@ resource "azurerm_log_analytics_workspace" "main" {
     avm_git_org              = "Azure"
     avm_git_repo             = "terraform-azurerm-aks"
     avm_yor_trace            = "9bb3ab45-1155-4bea-bc68-6b7d9aa73fbc"
-  } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/), (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
+    } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/), (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
     avm_yor_name = "main"
   } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/))
 
@@ -809,7 +809,7 @@ resource "azurerm_log_analytics_solution" "main" {
     avm_git_org              = "Azure"
     avm_git_repo             = "terraform-azurerm-aks"
     avm_yor_trace            = "72af332c-2eac-4d8e-b895-bf85e31f0e23"
-  } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/), (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
+    } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/), (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
     avm_yor_name = "main"
   } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/))
 
@@ -877,8 +877,8 @@ data "azurerm_client_config" "this" {}
 data "azurerm_virtual_network" "application_gateway_vnet" {
   count = local.create_role_assignments_for_application_gateway ? 1 : 0
 
-  name                = local.application_gateway_subnet_vnet_name
-  resource_group_name = local.application_gateway_subnet_resource_group_name
+  name                = local.existing_application_gateway_subnet_vnet_name
+  resource_group_name = local.existing_application_gateway_subnet_resource_group_name
 }
 
 resource "azurerm_role_assignment" "application_gateway_vnet_network_contributor" {
@@ -890,7 +890,7 @@ resource "azurerm_role_assignment" "application_gateway_vnet_network_contributor
 
   lifecycle {
     precondition {
-      condition     = data.azurerm_client_config.this.subscription_id == local.application_gateway_subnet_subscription_id_for_ingress
+      condition     = data.azurerm_client_config.this.subscription_id == local.existing_application_gateway_subnet_subscription_id_for_ingress
       error_message = "Application Gateway's subnet must be in the same subscription, or `var.application_gateway_for_ingress.create_role_assignments` must be set to `false`."
     }
   }
@@ -900,12 +900,12 @@ resource "azurerm_role_assignment" "application_gateway_contributor" {
   count = local.create_role_assignments_for_application_gateway ? 1 : 0
 
   principal_id         = azurerm_kubernetes_cluster.main.ingress_application_gateway[0].ingress_application_gateway_identity[0].object_id
-  scope                = var.application_gateway_for_ingress.id
+  scope                = var.application_gateway_for_ingress.existing_gw.id
   role_definition_name = "Contributor"
 
   lifecycle {
     precondition {
-      condition     = data.azurerm_client_config.this.subscription_id == local.application_gateway_subscription_id_for_ingress
+      condition     = data.azurerm_client_config.this.subscription_id == local.existing_application_gateway_subscription_id_for_ingress
       error_message = "Application Gateway must be in the same subscription, or `var.application_gateway_for_ingress.create_role_assignments` must be set to `false`."
     }
   }
@@ -914,7 +914,7 @@ resource "azurerm_role_assignment" "application_gateway_contributor" {
 data "azurerm_resource_group" "ingress_appgw" {
   count = local.create_role_assignments_for_application_gateway ? 1 : 0
 
-  name = local.application_gateway_resource_group_for_ingress
+  name = local.existing_application_gateway_resource_group_for_ingress
 }
 
 resource "azurerm_role_assignment" "application_gateway_resource_group_reader" {