Azure · lonegunmanb · Sep 30, 2022 · Sep 27, 2022 · Sep 28, 2022 · Sep 28, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,4 +20,4 @@ ENHANCEMENTS:
 
 * Add `aci_connector_linux` addon. [#230](https://github.com/Azure/terraform-azurerm-aks/pull/230)
 * Restrict Terraform Core version for example cod to `>= 1.2`. [#253](https://github.com/Azure/terraform-azurerm-aks/pull/253)
-* Adds support for Ultra Disks by enabling the option. [#245](https://github.com/Azure/terraform-azurerm-aks/pull/245)
+* Adds support for Ultra Disks by enabling the option. [#245](https://github.com/Azure/terraform-azurerm-aks/pull/245)
diff --git a/README.md b/README.md
@@ -305,13 +305,12 @@ No modules.
 | <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version)                                                                                    | Specify which Kubernetes release to use. The default used is the latest Kubernetes version available in the region                                                                                                                                                                                                               | `string`                                                              | `null`                      |    no    |
 | <a name="input_local_account_disabled"></a> [local\_account\_disabled](#input\_local\_account\_disabled)                                                                      | (Optional) - If `true` local accounts will be disabled. Defaults to `false`. See [the documentation](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts) for more information.                                                                                                                              | `bool`                                                                | `null`                      |    no    |
 | <a name="input_location"></a> [location](#input\_location)                                                                                                                    | Location of cluster, if not defined it will be read from the resource-group                                                                                                                                                                                                                                                      | `string`                                                              | `null`                      |    no    |
-| <a name="input_log_analytics_solution_id"></a> [log\_analytics\_solution\_id](#input\_log\_analytics\_solution\_id)                                                           | (Optional) Existing azurerm\_log\_analytics\_solution ID. Providing ID disables creation of azurerm\_log\_analytics\_solution.                                                                                                                                                                                                   | `string`                                                              | `null`                      |    no    |
 | <a name="input_log_analytics_workspace"></a> [log\_analytics\_workspace](#input\_log\_analytics\_workspace)                                                                   | (Optional) Existing azurerm\_log\_analytics\_workspace to attach azurerm\_log\_analytics\_solution. Providing the config disables creation of azurerm\_log\_analytics\_workspace.                                                                                                                                                | <pre>object({<br>    id   = string<br>    name = string<br>  })</pre> | `null`                      |    no    |
 | <a name="input_log_analytics_workspace_enabled"></a> [log\_analytics\_workspace\_enabled](#input\_log\_analytics\_workspace\_enabled)                                         | Enable the integration of azurerm\_log\_analytics\_workspace and azurerm\_log\_analytics\_solution: https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-onboard                                                                                                                                   | `bool`                                                                | `true`                      |    no    |
 | <a name="input_log_analytics_workspace_resource_group_name"></a> [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | (Optional) Resource group name to create azurerm\_log\_analytics\_solution.                                                                                                                                                                                                                                                      | `string`                                                              | `null`                      |    no    |
 | <a name="input_log_analytics_workspace_sku"></a> [log\_analytics\_workspace\_sku](#input\_log\_analytics\_workspace\_sku)                                                     | The SKU (pricing level) of the Log Analytics workspace. For new subscriptions the SKU should be set to PerGB2018                                                                                                                                                                                                                 | `string`                                                              | `"PerGB2018"`               |    no    |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days)                                                                       | The retention period for the logs in days                                                                                                                                                                                                                                                                                        | `number`                                                              | `30`                        |    no    |
-| <a name="input_microsoft_defender_enabled"></a> [microsoft\_defender\_enabled](#input\_microsoft\_defender\_enabled)                                                          | (Optional) Is Microsoft Defender on the cluster enabled?                                                                                                                                                                                                                                                                         | `bool`                                                                | `false`                     |    no    |
+| <a name="input_microsoft_defender_enabled"></a> [microsoft\_defender\_enabled](#input\_microsoft\_defender\_enabled)                                                          | (Optional) Is Microsoft Defender on the cluster enabled? Requires `var.log_analytics_workspace_enabled` to be `true` to set this variable to `true`.                                                                                                                                                                             | `bool`                                                                | `false`                     |    no    |
 | <a name="input_net_profile_dns_service_ip"></a> [net\_profile\_dns\_service\_ip](#input\_net\_profile\_dns\_service\_ip)                                                      | (Optional) IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created.                                                                                                                                                  | `string`                                                              | `null`                      |    no    |
 | <a name="input_net_profile_docker_bridge_cidr"></a> [net\_profile\_docker\_bridge\_cidr](#input\_net\_profile\_docker\_bridge\_cidr)                                          | (Optional) IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created.                                                                                                                                                                                       | `string`                                                              | `null`                      |    no    |
 | <a name="input_net_profile_outbound_type"></a> [net\_profile\_outbound\_type](#input\_net\_profile\_outbound\_type)                                                           | (Optional) The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer and userDefinedRouting. Defaults to loadBalancer.                                                                                                                                             | `string`                                                              | `"loadBalancer"`            |    no    |

diff --git a/main.tf b/main.tf
@@ -1,3 +1,27 @@
+locals {
+
+  # Abstract the decision whether to create an Analytics Workspace or not.
+  create_analytics_workspace = var.log_analytics_workspace_enabled && var.log_analytics_workspace == null
+
+  # Abstract the decision whether to use an Analytics Workspace supplied via vars, provision one ourselves or leave it null.
+  # This guarantees that local.log_analytics_workspace will contain a valid `id` and `name` IFF log_analytics_workspace_enabled
+  # is set to `true`.
+  log_analytics_workspace = var.log_analytics_workspace_enabled ? (
+    # The Log Analytics Workspace should be enabled:
+    var.log_analytics_workspace == null ? {
+      # `log_analytics_workspace_enabled` is `true` but `log_analytics_workspace` was not supplied.
+      # Create an `azurerm_log_analytics_workspace` resource and use that.
+      id   = azurerm_log_analytics_workspace.main[0].id
+      name = azurerm_log_analytics_workspace.main[0].name
+      } : {
+      # `log_analytics_workspace` is supplied. Let's use that.
+      id   = var.log_analytics_workspace.id
+      name = var.log_analytics_workspace.name
+    }
+  ) : null # Finally, the Log Analytics Workspace should be disabled.
+
+} # /end locals clause
+
 data "azurerm_resource_group" "main" {
   name = var.resource_group_name
 }
@@ -150,10 +174,11 @@ resource "azurerm_kubernetes_cluster" "main" {
     }
   }
   dynamic "microsoft_defender" {
+
     for_each = var.microsoft_defender_enabled ? ["microsoft_defender"] : []
 
     content {
-      log_analytics_workspace_id = coalesce(try(var.log_analytics_workspace.id, null), azurerm_log_analytics_workspace.main[0].id)
+      log_analytics_workspace_id = local.log_analytics_workspace.id
     }
   }
   network_profile {
@@ -169,7 +194,7 @@ resource "azurerm_kubernetes_cluster" "main" {
     for_each = var.log_analytics_workspace_enabled ? ["oms_agent"] : []
 
     content {
-      log_analytics_workspace_id = var.log_analytics_workspace == null ? azurerm_log_analytics_workspace.main[0].id : var.log_analytics_workspace.id
+      log_analytics_workspace_id = local.log_analytics_workspace.id
     }
   }
   dynamic "service_principal" {
@@ -191,11 +216,15 @@ resource "azurerm_kubernetes_cluster" "main" {
       condition     = (var.client_id != "" && var.client_secret != "") || (var.identity_type == "SystemAssigned") || (var.identity_ids == null ? false : length(var.identity_ids) > 0)
       error_message = "If use identity and `UserAssigned` or `SystemAssigned, UserAssigned` is set, an `identity_ids` must be set as well."
     }
+    precondition {
+      condition     = !var.microsoft_defender_enabled || var.log_analytics_workspace_enabled
+      error_message = "Enabling Microsoft Defender requires that `log_analytics_workspace_enabled` be set to true."
+    }
   }
 }
 
 resource "azurerm_log_analytics_workspace" "main" {
-  count = var.log_analytics_workspace_enabled && var.log_analytics_workspace == null ? 1 : 0
+  count = local.create_analytics_workspace ? 1 : 0
 
   location            = coalesce(var.location, data.azurerm_resource_group.main.location)
   name                = var.cluster_log_analytics_workspace_name == null ? "${var.prefix}-workspace" : var.cluster_log_analytics_workspace_name
@@ -206,13 +235,13 @@ resource "azurerm_log_analytics_workspace" "main" {
 }
 
 resource "azurerm_log_analytics_solution" "main" {
-  count = var.log_analytics_workspace_enabled && var.log_analytics_solution_id == null ? 1 : 0
+  count = local.create_analytics_workspace ? 1 : 0
 
   location              = coalesce(var.location, data.azurerm_resource_group.main.location)
   resource_group_name   = coalesce(var.log_analytics_workspace_resource_group_name, var.resource_group_name)
   solution_name         = "ContainerInsights"
-  workspace_name        = var.log_analytics_workspace != null ? var.log_analytics_workspace.name : azurerm_log_analytics_workspace.main[0].name
-  workspace_resource_id = var.log_analytics_workspace != null ? var.log_analytics_workspace.id : azurerm_log_analytics_workspace.main[0].id
+  workspace_name        = local.log_analytics_workspace.name
+  workspace_resource_id = local.log_analytics_workspace.id
   tags                  = var.tags
 
   plan {

diff --git a/variables.tf b/variables.tf
@@ -227,14 +227,6 @@ variable "location" {
   description = "Location of cluster, if not defined it will be read from the resource-group"
   default     = null
 }
-
-variable "log_analytics_solution_id" {
-  type        = string
-  description = "(Optional) Existing azurerm_log_analytics_solution ID. Providing ID disables creation of azurerm_log_analytics_solution."
-  default     = null
-  nullable    = true
-}
-
 variable "log_analytics_workspace" {
   type = object({
     id   = string
@@ -273,7 +265,7 @@ variable "log_retention_in_days" {
 
 variable "microsoft_defender_enabled" {
   type        = bool
-  description = "(Optional) Is Microsoft Defender on the cluster enabled?"
+  description = "(Optional) Is Microsoft Defender on the cluster enabled? Requires `var.log_analytics_workspace_enabled` to be `true` to set this variable to `true`."
   default     = false
   nullable    = false
 }