From 8407ad7a12286329803c2bf7d68b3387d0af0d9a Mon Sep 17 00:00:00 2001
From: Mike Klebolt
Date: Wed, 18 Oct 2023 14:10:54 -0500
Subject: [PATCH 1/5] Add ability to cycle nodepool for fips_enabled

---
 internal/services/containers/kubernetes_cluster_resource.go | 1 +
 website/docs/r/kubernetes_cluster.html.markdown | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/internal/services/containers/kubernetes_cluster_resource.go b/internal/services/containers/kubernetes_cluster_resource.go
index bae385f06196..e64009a4d105 100644
--- a/internal/services/containers/kubernetes_cluster_resource.go
+++ b/internal/services/containers/kubernetes_cluster_resource.go
@@ -2394,6 +2394,7 @@ func resourceKubernetesClusterUpdate(d *pluginsdk.ResourceData, meta interface{}
  "default_node_pool.0.name",
  "default_node_pool.0.enable_host_encryption",
  "default_node_pool.0.enable_node_public_ip",
+ "default_node_pool.0.fips_enabled",
  "default_node_pool.0.kubelet_config",
  "default_node_pool.0.linux_os_config",
  "default_node_pool.0.max_pods",
diff --git a/website/docs/r/kubernetes_cluster.html.markdown b/website/docs/r/kubernetes_cluster.html.markdown
index 5f8fe3c19014..f9563ef66d29 100644
--- a/website/docs/r/kubernetes_cluster.html.markdown
+++ b/website/docs/r/kubernetes_cluster.html.markdown
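Review bot: The new `"default_node_pool.0.fips_enabled"` entry only reaches the cycling path if `fips_enabled` is no longer `ForceNew` in the default node pool schema, and the diffstat for this patch shows only this file and the docs changing, so the schema (defined outside this hunk, possibly in another file) should be confirmed to drop `ForceNew` in the same change; otherwise a plan still proposes replacing the whole cluster before this list is consulted. The surrounding `resourceKubernetesClusterUpdate` body, including the code that consumes this list, lies outside the hunk. Since the docs changed in this same patch state that cycling the system node pool performs no cordon or drain, a comment on the list would help the next person adding an entry, e.g. `// changing any of these replaces the system node pool in place (no cordon/drain); keep in sync with the note in website/docs/r/kubernetes_cluster.html.markdown`.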
@@ -374,7 +374,7 @@ An `monitor_metrics` block supports the following:
 
 A `default_node_pool` block supports the following:
 
--> **Note:** Changing certain properties of the `default_node_pool` is done by cycling the system node pool of the cluster. When cycling the system node pool, it doesn't perform cordon and drain, and it will disrupt rescheduling pods currently running on the previous system node pool.`temporary_name_for_rotation` must be specified when changing any of the following properties: `enable_host_encryption`, `enable_node_public_ip`, `kubelet_config`, `linux_os_config`, `max_pods`, `node_taints`, `only_critical_addons_enabled`, `os_disk_size_gb`, `os_disk_type`, `os_sku`, `pod_subnet_id`, `snapshot_id`, `ultra_ssd_enabled`, `vnet_subnet_id`, `vm_size`, `zones`.
+-> **Note:** Changing certain properties of the `default_node_pool` is done by cycling the system node pool of the cluster. When cycling the system node pool, it doesn't perform cordon and drain, and it will disrupt rescheduling pods currently running on the previous system node pool.`temporary_name_for_rotation` must be specified when changing any of the following properties: `enable_host_encryption`, `enable_node_public_ip`, `fips_enabled`, `kubelet_config`, `linux_os_config`, `max_pods`, `node_taints`, `only_critical_addons_enabled`, `os_disk_size_gb`, `os_disk_type`, `os_sku`, `pod_subnet_id`, `snapshot_id`, `ultra_ssd_enabled`, `vnet_subnet_id`, `vm_size`, `zones`.
 
 * `name` - (Required) The name which should be used for the default Kubernetes Node Pool.
 
@@ -404,7 +404,7 @@ A `default_node_pool` block supports the following:
 
 * `linux_os_config` - (Optional) A `linux_os_config` block as defined below. `temporary_name_for_rotation` must be specified when changing this block.
 
-* `fips_enabled` - (Optional) Should the nodes in this Node Pool have Federal Information Processing Standard enabled? Changing this forces a new resource to be created.
+* `fips_enabled` - (Optional) Should the nodes in this Node Pool have Federal Information Processing Standard enabled? `temporary_name_for_rotation` must be specified when changing this block.
 
 * `kubelet_disk_type` - (Optional) The type of disk used by kubelet. Possible values are `OS` and `Temporary`.
 

From 9238f08e89c29a2260557d8eff5e9da1969a22c7 Mon Sep 17 00:00:00 2001
From: Mike Klebolt
Date: Thu, 19 Oct 2023 19:06:15 -0500
Subject: [PATCH 2/5] Add test

---
 ...ubernetes_cluster_scaling_resource_test.go | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/internal/services/containers/kubernetes_cluster_scaling_resource_test.go b/internal/services/containers/kubernetes_cluster_scaling_resource_test.go
index debd1d29ebdb..5a38414ab01e 100644
--- a/internal/services/containers/kubernetes_cluster_scaling_resource_test.go
+++ b/internal/services/containers/kubernetes_cluster_scaling_resource_test.go
@@ -196,6 +196,13 @@ func TestAccKubernetesCluster_cycleSystemNodePool(t *testing.T) {
  ),
  },
  data.ImportStep("default_node_pool.0.temporary_name_for_rotation"),
+ {
+ Config: r.enableFips(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep("default_node_pool.0.temporary_name_for_rotation"),
  })
 }
 
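Review bot: The `enableFips` configuration this new step applies (defined in the next hunk of this series) sets `fips_enabled = true` on `default_node_pool` without any `temporary_name_for_rotation`, while the documentation changed in patch 1 says that value must be specified whenever `fips_enabled` changes; if the update path enforces that as documented, the transition from the preceding step's config here, and the later `basic` to `enableFips` transition added in patch 5, would error out instead of exercising the node pool cycling. The `ImportStep` that ignores `default_node_pool.0.temporary_name_for_rotation` suggests the config was meant to carry it, e.g. `temporary_name_for_rotation = "temporarypool"` (constructed sample; use whatever the sibling cycle configs in this file use). The enclosing `TestAccKubernetesCluster_cycleSystemNodePool` begins before this hunk.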
@@ -711,6 +718,42 @@ resource "azurerm_kubernetes_cluster" "test" {
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger)
 }
 
+func (KubernetesClusterResource) enableFips(data acceptance.TestData) string {
+ return fmt.Sprintf(`
+ provider "azurerm" {
+ features {}
+ }
+
+ resource "azurerm_resource_group" "test" {
+ name = "acctestRG-aks-%d"
+ location = "%s"
+ }
+
+ resource "azurerm_kubernetes_cluster" "test" {
+ name = "acctestaks%d"
+ location = azurerm_resource_group.test.location
+ resource_group_name = azurerm_resource_group.test.name
+ dns_prefix = "acctestaks%d"
+
+ default_node_pool {
+ fips_enabled = true
+ name = "default"
+ node_count = 1
+ vm_size = "Standard_DS2_v2"
+ }
+
+ identity {
+ type = "SystemAssigned"
+ }
+
+ network_profile {
+ network_plugin = "kubenet"
+ load_balancer_sku = "standard"
+ }
+ }
+ `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger)
+}
+
 func (KubernetesClusterResource) updateOsDisk(data acceptance.TestData, osDiskType string, osDiskSize int) string {
  return fmt.Sprintf(`
 provider "azurerm" {
@@ -720,37 +720,37 @@ resource "azurerm_kubernetes_cluster" "test" {
 
 func (KubernetesClusterResource) enableFips(data acceptance.TestData) string {
  return fmt.Sprintf(`
- provider "azurerm" {
- features {}
- }
+provider "azurerm" {
+ features {}
+}
 
- resource "azurerm_resource_group" "test" {
- name = "acctestRG-aks-%d"
- location = "%s"
- }
+resource "azurerm_resource_group" "test" {
+ name = "acctestRG-aks-%d"
+ location = "%s"
+}
 
- resource "azurerm_kubernetes_cluster" "test" {
- name = "acctestaks%d"
- location = azurerm_resource_group.test.location
- resource_group_name = azurerm_resource_group.test.name
- dns_prefix = "acctestaks%d"
-
- default_node_pool {
- fips_enabled = true
- name = "default"
- node_count = 1
- vm_size = "Standard_DS2_v2"
- }
+resource "azurerm_kubernetes_cluster" "test" {
+ name = "acctestaks%d"
+ location = azurerm_resource_group.test.location
+ resource_group_name = azurerm_resource_group.test.name
+ dns_prefix = "acctestaks%d"
 
- identity {
- type = "SystemAssigned"
- }
+ default_node_pool {
+ fips_enabled = true
+ name = "default"
+ node_count = 1
+ vm_size = "Standard_DS2_v2"
+ }
 
- network_profile {
- network_plugin = "kubenet"
- load_balancer_sku = "standard"
- }
+ identity {
+ type = "SystemAssigned"
  }
+
+ network_profile {
+ network_plugin = "kubenet"
+ load_balancer_sku = "standard"
+ }
+}
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger)
 }
 

From aea272d2defd505b195e1669ba5a40a13e6cd0d6 Mon Sep 17 00:00:00 2001
From: Mike Klebolt
Date: Tue, 7 Nov 2023 12:31:09 -0600
Subject: [PATCH 4/5] add single enableFips test

---
 .../kubernetes_cluster_scaling_resource_test.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/internal/services/containers/kubernetes_cluster_scaling_resource_test.go b/internal/services/containers/kubernetes_cluster_scaling_resource_test.go
index 27ff14f8986b..64afc621c357 100644
--- a/internal/services/containers/kubernetes_cluster_scaling_resource_test.go
+++ b/internal/services/containers/kubernetes_cluster_scaling_resource_test.go
@@ -196,6 +196,14 @@ func TestAccKubernetesCluster_cycleSystemNodePool(t *testing.T) {
  ),
  },
  data.ImportStep("default_node_pool.0.temporary_name_for_rotation"),
+ })
+}
+
+func TestAccKubernetesCluster_cycleSystemNodePoolFipsEnabled(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test")
+ r := KubernetesClusterResource{}
+
+ data.ResourceTest(t, r, []acceptance.TestStep{
  {
  Config: r.enableFips(data),
  Check: acceptance.ComposeTestCheckFunc(

From af3ef107c84cf4ff8d8d1916e2eee27fc463366b Mon Sep 17 00:00:00 2001
From: Steph
Date: Wed, 8 Nov 2023 10:19:55 +0100
Subject: [PATCH 5/5] create basic cluster first to test update of fips_enabled on default node pool

---
 .../containers/kubernetes_cluster_scaling_resource_test.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/internal/services/containers/kubernetes_cluster_scaling_resource_test.go b/internal/services/containers/kubernetes_cluster_scaling_resource_test.go
index 64afc621c357..a2ce711d1326 100644
--- a/internal/services/containers/kubernetes_cluster_scaling_resource_test.go
+++ b/internal/services/containers/kubernetes_cluster_scaling_resource_test.go
@@ -204,6 +204,13 @@ func TestAccKubernetesCluster_cycleSystemNodePoolFipsEnabled(t *testing.T) {
  r := KubernetesClusterResource{}
 
  data.ResourceTest(t, r, []acceptance.TestStep{
+ {
+ Config: r.basic(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep(),
  {
  Config: r.enableFips(data),
  Check: acceptance.ComposeTestCheckFunc(