fix: WAF Test for AKS Module - `avm/res/container-service/managed-cluster` (Azure#1534)

## Description

Update Test deployments to match WAF rule set
- Add default value for `autoUpgradeProfileUpgradeChannel`
- Change the minimum agent count up to `3`

## Pipeline Reference

| Pipeline |
| -------- |
| [![avm.res.container-service.managed-cluster](https://github.com/JPEasier/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml/badge.svg?branch=users%2Fjpeasier%2Favm-aks)](https://github.com/JPEasier/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml) |

## Type of Change

<!-- Use the check-boxes [x] on the options that are relevant. -->

- [x] Azure Verified Module updates:
- [x] Bugfix containing backwards compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [x] The bug was found by the module author, and no one has opened an
issue to report it yet.
  

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

---------

Co-authored-by: Alexander Sehr <[email protected]>
JPEasier and AlexanderSehr authored Apr 9, 2024
1 parent df99b77 commit 7e12e0a
Showing 5 changed files with 61 additions and 21 deletions.
42 changes: 30 additions & 12 deletions avm/res/container-service/managed-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -562,7 +562,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
name: 'csmin001'
primaryAgentPoolProfile: [
{
count: 1
count: 3
mode: 'System'
name: 'systempool'
vmSize: 'Standard_DS2_v2'
Expand Down Expand Up @@ -596,7 +596,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
"primaryAgentPoolProfile": {
"value": [
{
"count": 1,
"count": 3,
"mode": "System",
"name": "systempool",
"vmSize": "Standard_DS2_v2"
Expand Down Expand Up @@ -1149,7 +1149,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 1
minCount: 3
mode: 'System'
name: 'systempool'
osDiskSizeGB: 0
Expand All @@ -1166,11 +1166,11 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
availabilityZones: [
'3'
]
count: 2
count: 3
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 1
minCount: 3
minPods: 2
mode: 'User'
name: 'userpool1'
Expand All @@ -1191,11 +1191,11 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
availabilityZones: [
'3'
]
count: 2
count: 3
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 1
minCount: 3
minPods: 2
mode: 'User'
name: 'userpool2'
Expand Down Expand Up @@ -1293,7 +1293,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
"enableAutoScaling": true,
"maxCount": 3,
"maxPods": 50,
"minCount": 1,
"minCount": 3,
"mode": "System",
"name": "systempool",
"osDiskSizeGB": 0,
Expand All @@ -1312,11 +1312,11 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
"availabilityZones": [
"3"
],
"count": 2,
"count": 3,
"enableAutoScaling": true,
"maxCount": 3,
"maxPods": 50,
"minCount": 1,
"minCount": 3,
"minPods": 2,
"mode": "User",
"name": "userpool1",
Expand All @@ -1337,11 +1337,11 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
"availabilityZones": [
"3"
],
"count": 2,
"count": 3,
"enableAutoScaling": true,
"maxCount": 3,
"maxPods": 50,
"minCount": 1,
"minCount": 3,
"minPods": 2,
"mode": "User",
"name": "userpool2",
Expand Down Expand Up @@ -1559,6 +1559,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
| [`podIdentityProfileUserAssignedIdentities`](#parameter-podidentityprofileuserassignedidentities) | array | The pod identities to use in the cluster. |
| [`podIdentityProfileUserAssignedIdentityExceptions`](#parameter-podidentityprofileuserassignedidentityexceptions) | array | The pod identity exceptions to allow. |
| [`privateDNSZone`](#parameter-privatednszone) | string | Private DNS Zone configuration. Set to 'system' and AKS will create a private DNS zone in the node resource group. Set to '' to disable private DNS Zone creation and use public DNS. Supply the resource ID here of an existing Private DNS zone to use an existing zone. |
| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Allow or deny public network access for AKS. |
| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
| [`serviceCidr`](#parameter-servicecidr) | string | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. |
| [`skuTier`](#parameter-skutier) | string | Tier of a managed cluster SKU. |
Expand Down Expand Up @@ -2210,6 +2211,7 @@ Auto-upgrade channel on the AKS cluster.

- Required: No
- Type: string
- Default: `'stable'`
- Allowed:
```Bicep
[
Expand Down Expand Up @@ -3056,6 +3058,22 @@ Private DNS Zone configuration. Set to 'system' and AKS will create a private DN
- Required: No
- Type: string

### Parameter: `publicNetworkAccess`

Allow or deny public network access for AKS.

- Required: No
- Type: string
- Default: `'Disabled'`
- Allowed:
```Bicep
[
'Disabled'
'Enabled'
'SecuredByPerimeter'
]
```

### Parameter: `roleAssignments`

Array of role assignments to create.
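Review bot: the new `publicNetworkAccess` parameter defaults to `'Disabled'`, which changes the effective behaviour for every existing consumer who does not set it (the main.json hunk further down shows the property was not sent before this change), so it sits awkwardly next to the "backwards compatible bug fix, MINOR not bumped" box ticked in the description; either default to `'Enabled'` (or leave it nullable) so existing deployments are unchanged and let the WAF-aligned tests pass `'Disabled'` explicitly, or bump MINOR and call the new default out. The description "Allow or deny public network access for AKS." also under-describes the allowed set, since `'SecuredByPerimeter'` is neither allow nor deny; wording that mentions the network security perimeter option would help readers of the generated table above.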
Expand Down
11 changes: 10 additions & 1 deletion avm/res/container-service/managed-cluster/main.bicep
Expand Up @@ -126,6 +126,14 @@ param authorizedIPRanges array?
@description('Optional. Whether to disable run command for the cluster or not.')
param disableRunCommand bool = false

@description('Optional. Allow or deny public network access for AKS.')
@allowed([
'Enabled'
'Disabled'
'SecuredByPerimeter'
])
param publicNetworkAccess string = 'Disabled'

@description('Optional. Specifies whether to create the cluster as a private cluster or not.')
param enablePrivateCluster bool = false

Expand Down Expand Up @@ -263,7 +271,7 @@ param autoScalerProfileSkipNodesWithSystemPods string = 'true'
'stable'
])
@description('Optional. Auto-upgrade channel on the AKS cluster.')
param autoUpgradeProfileUpgradeChannel string?
param autoUpgradeProfileUpgradeChannel string = 'stable'

@description('Optional. Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing.')
param podIdentityProfileAllowNetworkPluginKubenet bool = false
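Review bot: changing `param autoUpgradeProfileUpgradeChannel string?` to `= 'stable'` means consumers who left the parameter unset now get the `'stable'` channel where they previously passed no value, which is a behaviour change rather than a pure bug fix; at minimum extend the description to "Optional. Auto-upgrade channel on the AKS cluster. Defaults to `stable`." and mention it in the release notes, or bump MINOR as the checklist would otherwise require.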
Expand Down Expand Up @@ -615,6 +623,7 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-07-02-p
}
: null
}
publicNetworkAccess: publicNetworkAccess
aadProfile: {
clientAppID: aadProfileClientAppID
serverAppID: aadProfileServerAppID
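Review bot: `publicNetworkAccess: publicNetworkAccess` is passed straight through on the `2023-07-02-preview` API version shown in the hunk header; before merging, confirm that this API version accepts all three values in the `@allowed` list (in particular `'SecuredByPerimeter'`), since a value the resource provider rejects would only surface at deployment time, not at Bicep compile time.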
Expand Down
17 changes: 15 additions & 2 deletions avm/res/container-service/managed-cluster/main.json
Expand Up @@ -6,7 +6,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "1556415774507310743"
"templateHash": "4896491646814133286"
},
"name": "Azure Kubernetes Service (AKS) Managed Clusters",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",
Expand Down Expand Up @@ -912,6 +912,18 @@
"description": "Optional. Whether to disable run command for the cluster or not."
}
},
"publicNetworkAccess": {
"type": "string",
"defaultValue": "Disabled",
"allowedValues": [
"Enabled",
"Disabled",
"SecuredByPerimeter"
],
"metadata": {
"description": "Optional. Allow or deny public network access for AKS."
}
},
"enablePrivateCluster": {
"type": "bool",
"defaultValue": false,
Expand Down Expand Up @@ -1179,7 +1191,7 @@
},
"autoUpgradeProfileUpgradeChannel": {
"type": "string",
"nullable": true,
"defaultValue": "stable",
"allowedValues": [
"node-image",
"none",
Expand Down Expand Up @@ -1563,6 +1575,7 @@
"loadBalancerSku": "[parameters('loadBalancerSku')]",
"loadBalancerProfile": "[if(not(equals(parameters('managedOutboundIPCount'), 0)), createObject('managedOutboundIPs', createObject('count', parameters('managedOutboundIPCount')), 'effectiveOutboundIPs', createArray()), null())]"
},
"publicNetworkAccess": "[parameters('publicNetworkAccess')]",
"aadProfile": {
"clientAppID": "[parameters('aadProfileClientAppID')]",
"serverAppID": "[parameters('aadProfileServerAppID')]",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ module testDeployment '../../../main.bicep' = [
primaryAgentPoolProfile: [
{
name: 'systempool'
count: 1
count: 3
vmSize: 'Standard_DS2_v2'
mode: 'System'
}
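Review bot: `count: 3` on the system pool meets the three-node minimum, but the pool object in this hunk (`name`, `count`, `vmSize`, `mode`) sets no `availabilityZones`, so nothing guarantees the three nodes land in different zones; if the WAF rule being targeted is about zonal resilience rather than node count alone, add `availabilityZones` here as the max test does.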
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ module testDeployment '../../../main.bicep' = [
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 1
minCount: 3
mode: 'System'
name: 'systempool'
osDiskSizeGB: 0
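Review bot: `minCount: 3` now equals `maxCount: 3` while `enableAutoScaling: true`, so the cluster autoscaler has no range to work with on `systempool`; either raise `maxCount` above the new minimum or set `enableAutoScaling: false` and rely on the fixed count. The README and main.json hunks above are regenerated from this test, so fixing it here fixes them too.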
Expand All @@ -96,11 +96,11 @@ module testDeployment '../../../main.bicep' = [
availabilityZones: [
'3'
]
count: 2
count: 3
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 1
minCount: 3
minPods: 2
mode: 'User'
name: 'userpool1'
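Review bot: same `minCount`/`maxCount` collapse as on the system pool (`3`/`3` with autoscaling enabled), and `availabilityZones: ['3']` pins all nodes to a single zone, so raising `count` to `3` adds no zone redundancy for `userpool1`; list each zone the pool should span if zonal spread is the WAF requirement, otherwise the higher count only adds cost.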
Expand All @@ -121,11 +121,11 @@ module testDeployment '../../../main.bicep' = [
availabilityZones: [
'3'
]
count: 2
count: 3
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 1
minCount: 3
minPods: 2
mode: 'User'
name: 'userpool2'
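Review bot: `userpool2` has the same two issues as `userpool1` in the hunk above: `minCount: 3` equals `maxCount: 3` with `enableAutoScaling: true`, and `availabilityZones: ['3']` keeps all three nodes in one zone; apply whatever fix is chosen there to both pools.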
Expand Down