feat: Implement support for KMS arguments

[mkilchhofer]

Describe your changes

This implements Add Key Management Service (KMS) etcd encryption to an Azure Kubernetes Service (AKS) cluster.

Feature is not yet available in azurerm provider, but also opened a PR over there:

• azurerm_kubernetes_cluster - Support for KMS arguments hashicorp/terraform-provider-azurerm#19893

Issue number

-

Checklist before requesting a review

• The pr title can be used to describe what this pr did in CHANGELOG.md file
• I have executed pre-commit on my machine
• I have passed pr-check on my machine

Thanks for your cooperation!

[lonegunmanb]

Thanks @mkilchhofer for opening this pr and submitting a new resource pr to terraform-azurerm-provider's repo, I've left some comments on provider's pr, once the pr has been merged into the provider, we can continue the code review for this pr.

Btw the review comments for your provider's pr are my personal suggestions, there's no guarantee that your pr would be accepted by HashiCorp if you accepted my suggestion.

[lonegunmanb]

Since we could turn enabled to false meanwhile keeping this key_vault_kms, I would recommend the following toggle expression:

for_each = var.key_vault_kms_enabled != null ? ["key_vault_kms"] : []

[mkilchhofer]

refactored this anyways (source was the upstream implementation)

[mkilchhofer]

PR is now updated after the upstream provider PR got merged AND released ;-)

@lonegunmanb can you please review again?

[lonegunmanb]

Thanks @mkilchhofer for updating this pr, some issues need to be solved.

It would be nice if we could have an new example to demonstrate this new feature. We have already created a KeyValut in startup example, but for disk encryption key management for now, would you please estimate whether if we can make that KeyVault work for this new feature? We might need to update azurerm provider's restriction in providers.tf file in startup folder. Or we can just crate a new example folder to do so, your call.

Again, thanks for your contribution!

[mkilchhofer]

I cannot test the examples as we @swisspost have no subscriptions which allows usage of public IPs.
Can someone test that for us?

[zioproto]

@mkilchhofer I can do that ! thanks

[zioproto]

@mkilchhofer could you please run the pre-commit step on your local machine ?:

docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

You patched the example and you have duplicated definitions for identity_type and identity_ids. See the error:

Error: Attribute redefined
│
│   on examples/named_cluster/main.tf line 88, in module "aks_cluster_name":
│   88:   identity_type         = "UserAssigned"
│
│ The argument "identity_type" was already set at
│ examples/named_cluster/main.tf:66,3-16. Each argument may be set only once.
╵

╷
│ Error: Attribute redefined
│
│   on examples/named_cluster/main.tf line 89, in module "aks_cluster_name":
│   89:   identity_ids          = [azurerm_user_assigned_identity.test.id]
│
│ The argument "identity_ids" was already set at
│ examples/named_cluster/main.tf:65,3-15. Each argument may be set only once.

[zioproto]

Could you patch only the named_cluster example ?

We dont need to the KMS in the others, it would also require more work because the needed UserAssigned identity_type is not set in the others. Thanks

[zioproto]

commit 7012178 is now passing both pre-commit and pr-check steps.

@lonegunmanb could you please review and run the e2e tests ? thanks

[mkilchhofer]

@lonegunmanb can you trigger E2E again? 😇

[lonegunmanb]

Thanks @mkilchhofer for this update, we've met some issues when we ran the test.

We've added network_acl on the KeyVault to restrict the source IP which can access this Key Vault, but the Aks's public IP is unpredictable so the original code would meet a 403 error.

We need config the aks to access the KeyVault via private network as this document described.

[lonegunmanb]

We need the following line below line 31:

service_endpoints                              = ["Microsoft.KeyVault"]

[mkilchhofer]

Service endpoint is not needed (at least in our scenario). I think its only needed if some part inside the VNET wants to access the keyvault.

[lonegunmanb]

Thanks @mkilchhofer, LGTM! 🚀

[mkilchhofer]

Thanks alot for your patience with me 👍