Merged
7 changes: 0 additions & 7 deletions README.md
Expand Up @@ -286,10 +286,8 @@ No modules.
| <a name="input_agents_proximity_placement_group_id"></a> [agents\_proximity\_placement\_group\_id](#input\_agents\_proximity\_placement\_group\_id) | (Optional) The ID of the Proximity Placement Group of the default Azure AKS agentpool (nodepool). Changing this forces a new resource to be created. | `string` | `null` | no |
| <a name="input_agents_size"></a> [agents\_size](#input\_agents\_size) | The default virtual machine size for the Kubernetes agents. Changing this without specifying `var.temporary_name_for_rotation` forces a new resource to be created. | `string` | `"Standard_D2s_v3"` | no |
| <a name="input_agents_tags"></a> [agents\_tags](#input\_agents\_tags) | (Optional) A mapping of tags to assign to the Node Pool. | `map(string)` | `{}` | no |
| <a name="input_agents_taints"></a> [agents\_taints](#input\_agents\_taints) | DEPRECATED, (Optional) A list of the taints added to new nodes during node pool create and scale. Changing this forces a new resource to be created. | `list(string)` | `null` | no |
| <a name="input_agents_type"></a> [agents\_type](#input\_agents\_type) | (Optional) The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets. | `string` | `"VirtualMachineScaleSets"` | no |
| <a name="input_api_server_authorized_ip_ranges"></a> [api\_server\_authorized\_ip\_ranges](#input\_api\_server\_authorized\_ip\_ranges) | (Optional) The IP ranges to allow for incoming traffic to the server nodes. | `set(string)` | `null` | no |
| <a name="input_api_server_subnet_id"></a> [api\_server\_subnet\_id](#input\_api\_server\_subnet\_id) | DEPRECATED, (Optional) The ID of the Subnet where the API server endpoint is delegated to. | `string` | `null` | no |
| <a name="input_attached_acr_id_map"></a> [attached\_acr\_id\_map](#input\_attached\_acr\_id\_map) | Azure Container Registry ids that need an authentication mechanism with Azure Kubernetes Service (AKS). Map key must be static string as acr's name, the value is acr's resource id. Changing this forces some new resources to be created. | `map(string)` | `{}` | no |
| <a name="input_auto_scaler_profile_balance_similar_node_groups"></a> [auto\_scaler\_profile\_balance\_similar\_node\_groups](#input\_auto\_scaler\_profile\_balance\_similar\_node\_groups) | Detect similar node groups and balance the number of nodes between them. Defaults to `false`. | `bool` | `false` | no |
| <a name="input_auto_scaler_profile_empty_bulk_delete_max"></a> [auto\_scaler\_profile\_empty\_bulk\_delete\_max](#input\_auto\_scaler\_profile\_empty\_bulk\_delete\_max) | Maximum number of empty nodes that can be deleted at the same time. Defaults to `10`. | `number` | `10` | no |
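Review bot: the `agents_taints` and `api_server_subnet_id` rows are dropped here, but both were still accepted inputs (only marked DEPRECATED in their descriptions), so any configuration that sets them will now fail with an unsupported-argument error at plan time instead of getting a warning; please record this as a breaking change in the release notes together with the deletion of `deprecated_variables.tf`. While this table is being touched: the surviving `api_server_authorized_ip_ranges` row says the ranges allow traffic "to the server nodes", but they feed `api_server_access_profile.authorized_ip_ranges` in `main.tf`, i.e. they restrict access to the API server endpoint, not to nodes.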
Expand Down Expand Up @@ -404,17 +402,12 @@ No modules.
| <a name="input_os_sku"></a> [os\_sku](#input\_os\_sku) | (Optional) Specifies the OS SKU used by the agent pool. Possible values include: `Ubuntu`, `CBLMariner`, `Mariner`, `Windows2019`, `Windows2022`. If not specified, the default is `Ubuntu` if OSType=Linux or `Windows2019` if OSType=Windows. And the default Windows OSSKU will be changed to `Windows2022` after Windows2019 is deprecated. Changing this forces a new resource to be created. | `string` | `null` | no |
| <a name="input_pod_subnet_id"></a> [pod\_subnet\_id](#input\_pod\_subnet\_id) | (Optional) The ID of the Subnet where the pods in the default Node Pool should exist. Changing this forces a new resource to be created. | `string` | `null` | no |
| <a name="input_prefix"></a> [prefix](#input\_prefix) | (Optional) The prefix for the resources created in the specified Azure Resource Group. Omitting this variable requires both `var.cluster_log_analytics_workspace_name` and `var.cluster_name` have been set. Only one of `var.prefix,var.dns_prefix_private_cluster` can be specified. | `string` | `""` | no |
| <a name="input_private_cluster_enabled"></a> [private\_cluster\_enabled](#input\_private\_cluster\_enabled) | If true cluster API server will be exposed only on internal IP address and available only in cluster vnet. | `bool` | `false` | no |
| <a name="input_private_cluster_public_fqdn_enabled"></a> [private\_cluster\_public\_fqdn\_enabled](#input\_private\_cluster\_public\_fqdn\_enabled) | (Optional) Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to `false`. | `bool` | `false` | no |
| <a name="input_private_dns_zone_id"></a> [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id) | (Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this or `None`. In case of `None` you will need to bring your own DNS server and set up resolving, otherwise cluster will have issues after provisioning. Changing this forces a new resource to be created. | `string` | `null` | no |
| <a name="input_public_ssh_key"></a> [public\_ssh\_key](#input\_public\_ssh\_key) | A custom ssh key to control access to the AKS cluster. Changing this forces a new resource to be created. | `string` | `""` | no |
| <a name="input_rbac_aad"></a> [rbac\_aad](#input\_rbac\_aad) | (Optional) Is Azure Active Directory integration enabled? | `bool` | `true` | no |
| <a name="input_rbac_aad_admin_group_object_ids"></a> [rbac\_aad\_admin\_group\_object\_ids](#input\_rbac\_aad\_admin\_group\_object\_ids) | Object ID of groups with admin access. | `list(string)` | `null` | no |
| <a name="input_rbac_aad_azure_rbac_enabled"></a> [rbac\_aad\_azure\_rbac\_enabled](#input\_rbac\_aad\_azure\_rbac\_enabled) | (Optional) Is Role Based Access Control based on Azure AD enabled? | `bool` | `null` | no |
| <a name="input_rbac_aad_client_app_id"></a> [rbac\_aad\_client\_app\_id](#input\_rbac\_aad\_client\_app\_id) | DEPRECATED, The Client ID of an Azure Active Directory Application. | `string` | `null` | no |
| <a name="input_rbac_aad_managed"></a> [rbac\_aad\_managed](#input\_rbac\_aad\_managed) | Is the Azure Active Directory integration Managed, meaning that Azure will create/manage the Service Principal used for integration. | `bool` | `false` | no |
| <a name="input_rbac_aad_server_app_id"></a> [rbac\_aad\_server\_app\_id](#input\_rbac\_aad\_server\_app\_id) | DEPRECATED, The Server ID of an Azure Active Directory Application. | `string` | `null` | no |
| <a name="input_rbac_aad_server_app_secret"></a> [rbac\_aad\_server\_app\_secret](#input\_rbac\_aad\_server\_app\_secret) | DEPRECATED, The Server Secret of an Azure Active Directory Application. | `string` | `null` | no |
| <a name="input_rbac_aad_tenant_id"></a> [rbac\_aad\_tenant\_id](#input\_rbac\_aad\_tenant\_id) | (Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used. | `string` | `null` | no |
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The existing resource group name to use | `string` | n/a | yes |
| <a name="input_role_based_access_control_enabled"></a> [role\_based\_access\_control\_enabled](#input\_role\_based\_access\_control\_enabled) | Enable Role Based Access Control. | `bool` | `false` | no |
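Review bot: `private_cluster_enabled` is removed from the inputs table even though, unlike every other row removed in this PR, it never carried the DEPRECATED marker, while `private_cluster_public_fqdn_enabled` and `private_dns_zone_id` (which only mean anything for a private API server) are kept. If the intent is to drop private-cluster support, those two rows need the same treatment and a breaking-change note; if not, the row should stay and the matching removal in `main.tf` should be reverted.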
31 changes: 0 additions & 31 deletions deprecated_variables.tf

This file was deleted.

4 changes: 1 addition & 3 deletions examples/application_gateway_ingress/main.tf
Expand Up @@ -181,10 +181,8 @@ module "aks" {
network_plugin = "azure"
network_policy = "azure"
os_disk_size_gb = 60
private_cluster_enabled = false
rbac_aad = true
rbac_aad_managed = true
role_based_access_control_enabled = true
rbac_aad = true
sku_tier = "Standard"
vnet_subnet_id = var.bring_your_own_vnet ? azurerm_subnet.test[0].id : null
depends_on = [
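Review bot: `rbac_aad = true` is deleted and then re-added one line lower, below `role_based_access_control_enabled = true`, which is pure churn and breaks the alphabetical ordering the rest of the block follows; either leave it where it was or drop it entirely, since the variable defaults to `true` in `variables.tf`. Removing `private_cluster_enabled = false` is harmless here because it matched the default, but the example then no longer states explicitly that its API server is public.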
2 changes: 1 addition & 1 deletion examples/multiple_node_pools/main.tf
Expand Up @@ -49,8 +49,8 @@ module "aks" {
resource_group_name = local.resource_group.name
location = local.resource_group.location
os_disk_size_gb = 60
rbac_aad = true
sku_tier = "Standard"
rbac_aad = false
vnet_subnet_id = azurerm_subnet.test.id
node_pools = local.nodes
kubernetes_version = var.kubernetes_version
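Review bot: this flips the example from `rbac_aad = true` to `rbac_aad = false`, so the cluster is now created without Azure AD integration, and the new line lands after `sku_tier`, out of the alphabetical order the block uses. Nothing in the diff explains why AAD is being switched off for this example; if it is only to avoid needing admin group object IDs in CI, say so in a comment (the way `without_monitor/main.tf` does with its `#checkov:skip` line) so that readers do not copy the setting into real deployments.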
2 changes: 0 additions & 2 deletions examples/named_cluster/main.tf
Expand Up @@ -89,9 +89,7 @@ module "aks_cluster_name" {
not_allowed = []
}
net_profile_pod_cidr = "10.1.0.0/16"
private_cluster_enabled = true
rbac_aad = true
rbac_aad_managed = true
role_based_access_control_enabled = true

# KMS etcd encryption
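Review bot: dropping `private_cluster_enabled = true` turns this example's cluster from a private to a public API server (the provider default is `false`), and because that attribute forces replacement, anyone who has applied this example will get a destroy-and-recreate on the next run. The `rbac_aad` and `rbac_aad_managed` deletions are fine (`rbac_aad` defaults to `true` and `rbac_aad_managed` no longer exists), but the private-cluster change needs to be called out, or the input restored in `main.tf`.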
2 changes: 0 additions & 2 deletions examples/startup/main.tf
Expand Up @@ -104,9 +104,7 @@ module "aks" {
network_policy = "azure"
node_os_channel_upgrade = "NodeImage"
os_disk_size_gb = 60
private_cluster_enabled = true
rbac_aad = true
rbac_aad_managed = true
role_based_access_control_enabled = true
sku_tier = "Standard"
vnet_subnet_id = azurerm_subnet.test.id
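Review bot: same concern as in `named_cluster`: removing `private_cluster_enabled = true` makes this a public cluster, and `startup` is the example that `TestExamplesStartup` in `test/e2e/terraform_aks_test.go` drives, so after this PR the e2e suite no longer provisions a private cluster anywhere. If private clusters remain a supported configuration, keep at least one example under test that sets the option.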
4 changes: 0 additions & 4 deletions examples/startup/outputs.tf
Expand Up @@ -51,10 +51,6 @@ output "test_cluster_portal_fqdn" {
value = module.aks.cluster_portal_fqdn
}

output "test_cluster_private_fqdn" {
value = module.aks.cluster_private_fqdn
}

output "test_host" {
sensitive = true
value = module.aks.host
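Review bot: `test_cluster_private_fqdn` is deleted rather than kept; if `module.aks.cluster_private_fqdn` is still an output of the module it would simply be empty for a public cluster, so removing the output here and its assertion in `terraform_aks_test.go` reads as working around the example going public rather than as a deliberate interface change. If `cluster_private_fqdn` is also being removed from the module's `outputs.tf`, that change belongs in this PR and in the changelog.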
1 change: 0 additions & 1 deletion examples/uai_and_assign_role_on_subnet/main.tf
Expand Up @@ -35,7 +35,6 @@ module "aks" {
identity_ids = [azurerm_user_assigned_identity.main.id]
identity_type = "UserAssigned"
vnet_subnet_id = azurerm_subnet.subnet.id
rbac_aad = false
network_contributor_role_assigned_subnet_ids = {
vnet_subnet = azurerm_subnet.subnet.id
}
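Review bot: removing `rbac_aad = false` makes this example pick up the default `rbac_aad = true`, but the Azure AD block in `main.tf` is gated on `var.role_based_access_control_enabled` as well, which this example does not set in the visible lines, and the precondition that used to reject `rbac_aad = true` without RBAC is deleted in this same PR. The example therefore silently ends up with no AAD integration; either add `role_based_access_control_enabled = true` here or keep the explicit `false` so the intent is visible.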
2 changes: 1 addition & 1 deletion examples/with_acr/main.tf
Expand Up @@ -58,7 +58,7 @@ module "aks" {
network_plugin = "azure"
network_policy = "azure"
os_disk_size_gb = 60
sku_tier = "Standard"
rbac_aad = false
sku_tier = "Standard"
vnet_subnet_id = azurerm_subnet.test.id
}
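Review bot: `rbac_aad = false` is inserted after `sku_tier` instead of before it (the rest of the block is alphabetical), and, as in `multiple_node_pools`, it switches the example to a cluster without Azure AD integration with no comment saying why. Examples get copied verbatim, so a one-line justification next to the setting would stop it from being taken as a recommended configuration.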
4 changes: 3 additions & 1 deletion examples/without_monitor/disk_encryption_set.tf
Expand Up @@ -8,13 +8,15 @@ resource "random_string" "key_vault_prefix" {
}

module "public_ip" {
count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0

source = "lonegunmanb/public-ip/lonegunmanb"
version = "0.1.0"
}

locals {
# We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? module.public_ip.public_ip : var.key_vault_firewall_bypass_ip_cidr
public_ip = try(module.public_ip[0].public_ip, var.key_vault_firewall_bypass_ip_cidr)
}

resource "azurerm_key_vault" "des_vault" {
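Review bot: `try(module.public_ip[0].public_ip, var.key_vault_firewall_bypass_ip_cidr)` fixes the indexing problem, but `try` also swallows every other failure in the first expression (a renamed output, an error inside the public-ip module) and falls back to the variable, which is `null` in exactly the case where the module was supposed to supply the address, so the Key Vault firewall rule would receive a null instead of a clear error. A conditional with the index, `var.key_vault_firewall_bypass_ip_cidr != null ? var.key_vault_firewall_bypass_ip_cidr : module.public_ip[0].public_ip`, keeps the fallback explicit and only surfaces errors from the branch that is taken. The comment on the line above still explains why `coalesce` was avoided; it should now explain the `count` plus fallback arrangement instead.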
3 changes: 0 additions & 3 deletions examples/without_monitor/main.tf
Expand Up @@ -47,9 +47,6 @@ module "aks_without_monitor" {
#checkov:skip=CKV_AZURE_4:The logging is turn off for demo purpose. DO NOT DO THIS IN PRODUCTION ENVIRONMENT!
log_analytics_workspace_enabled = false
net_profile_pod_cidr = "10.1.0.0/16"
private_cluster_enabled = true
rbac_aad = true
rbac_aad_managed = true
role_based_access_control_enabled = true
web_app_routing = {
dns_zone_ids = [azurerm_dns_zone.aks_web_app_routing.id]
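Review bot: dropping `private_cluster_enabled = true` makes this example's API server public, so together with the `log_analytics_workspace_enabled = false` above, which already carries a loud `#checkov:skip` warning, the example now demonstrates a cluster with neither logging nor a private control plane, and checkov's private-cluster check will start flagging it if the examples are scanned. If the public endpoint is intentional, give it the same explicit skip-and-warning comment; if not, the removal of the input from the root `main.tf` is the real problem.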
28 changes: 2 additions & 26 deletions main.tf
Expand Up @@ -26,7 +26,6 @@ resource "azurerm_kubernetes_cluster" "main" {
node_resource_group = var.node_resource_group
oidc_issuer_enabled = var.oidc_issuer_enabled
open_service_mesh_enabled = var.open_service_mesh_enabled
private_cluster_enabled = var.private_cluster_enabled
private_cluster_public_fqdn_enabled = var.private_cluster_public_fqdn_enabled
private_dns_zone_id = var.private_dns_zone_id
role_based_access_control_enabled = var.role_based_access_control_enabled
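Review bot: removing `private_cluster_enabled = var.private_cluster_enabled` from the resource is the breaking, security-relevant part of this PR and needs its own justification: the provider default is `false` and the attribute forces replacement, so every existing caller with `private_cluster_enabled = true` will have their private cluster destroyed and rebuilt with a public API server when they upgrade. The neighbouring `private_cluster_public_fqdn_enabled` and `private_dns_zone_id` arguments are kept even though they only apply to a private cluster. If the goal is to fix the value, set it explicitly rather than relying on the provider default; if the variable is meant to stay, restore this line.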
Expand All @@ -51,7 +50,6 @@ resource "azurerm_kubernetes_cluster" "main" {
min_count = null
node_count = var.agents_count
node_labels = var.agents_labels
node_taints = var.agents_taints
only_critical_addons_enabled = var.only_critical_addons_enabled
orchestrator_version = var.orchestrator_version
os_disk_size_gb = var.os_disk_size_gb
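Review bot: `node_taints = var.agents_taints` is removed from the default node pool without a replacement, and the README row being deleted says changing it forces a new resource, so callers who set `agents_taints` will get a cluster replacement rather than an in-place diff on upgrade. There is no `moved`-style migration for an attribute, so the changelog should at minimum tell them to move those taints to a non-default pool before upgrading; `only_critical_addons_enabled` stays as the supported way to keep system pods alone on the default pool.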
Expand Down Expand Up @@ -172,7 +170,6 @@ resource "azurerm_kubernetes_cluster" "main" {
max_pods = var.agents_max_pods
min_count = var.agents_min_count
node_labels = var.agents_labels
node_taints = var.agents_taints
only_critical_addons_enabled = var.only_critical_addons_enabled
orchestrator_version = var.orchestrator_version
os_disk_size_gb = var.os_disk_size_gb
Expand Down Expand Up @@ -269,13 +266,12 @@ resource "azurerm_kubernetes_cluster" "main" {
}
}
dynamic "api_server_access_profile" {
for_each = var.api_server_authorized_ip_ranges != null || var.api_server_subnet_id != null ? [
for_each = var.api_server_authorized_ip_ranges != null ? [
"api_server_access_profile"
] : []

content {
authorized_ip_ranges = var.api_server_authorized_ip_ranges
subnet_id = var.api_server_subnet_id
}
}
dynamic "auto_scaler_profile" {
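Review bot: with `subnet_id` gone, `authorized_ip_ranges` is the only thing left in this block that limits who can reach the API server, and `private_cluster_enabled` is removed from the resource in this same file, so a `validation` on `var.api_server_authorized_ip_ranges` is now worth adding: reject `0.0.0.0/0` (which makes the allow-list meaningless) and require CIDR notation, so that a mis-set value fails at plan time instead of quietly leaving the endpoint open.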
Expand All @@ -302,7 +298,7 @@ resource "azurerm_kubernetes_cluster" "main" {
}
}
dynamic "azure_active_directory_role_based_access_control" {
for_each = var.role_based_access_control_enabled && var.rbac_aad && var.rbac_aad_managed ? ["rbac"] : []
for_each = var.role_based_access_control_enabled && var.rbac_aad ? ["rbac"] : []

content {
admin_group_object_ids = var.rbac_aad_admin_group_object_ids
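Review bot: now that the block is always the managed variant, note that `admin_group_object_ids` and `azure_rbac_enabled` both default to `null` (per the README rows for `rbac_aad_admin_group_object_ids` and `rbac_aad_azure_rbac_enabled`), so a caller who enables the block with the defaults gets Azure AD authentication but no AAD group with cluster-admin and no Azure RBAC, leaving the local `--admin` credentials as the only administrative path. A precondition requiring either a non-empty admin group list or `rbac_aad_azure_rbac_enabled = true` whenever this block is created would catch that at plan time.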
Expand All @@ -311,17 +307,6 @@ resource "azurerm_kubernetes_cluster" "main" {
tenant_id = var.rbac_aad_tenant_id
}
}
dynamic "azure_active_directory_role_based_access_control" {
for_each = var.role_based_access_control_enabled && var.rbac_aad && !var.rbac_aad_managed ? ["rbac"] : []

content {
client_app_id = var.rbac_aad_client_app_id
managed = false
server_app_id = var.rbac_aad_server_app_id
server_app_secret = var.rbac_aad_server_app_secret
tenant_id = var.rbac_aad_tenant_id
}
}
dynamic "confidential_computing" {
for_each = var.confidential_computing == null ? [] : [var.confidential_computing]
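Review bot: deleting the unmanaged block also removes the only place `rbac_aad_server_app_secret` was passed to the provider, but the value will remain in existing state files until the next apply rewrites them; the upgrade notes should tell callers who used the legacy integration to retire the server application credential after upgrading rather than assume it has disappeared with the variable.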

Expand Down Expand Up @@ -574,7 +559,6 @@ resource "azurerm_kubernetes_cluster" "main" {
http_application_routing_enabled,
http_proxy_config[0].no_proxy,
kubernetes_version,
public_network_access_enabled,
# we might have a random suffix in cluster's name so we have to ignore it here, but we've traced user supplied cluster name by `null_resource.kubernetes_cluster_name_keeper` so when the name is changed we'll recreate this resource.
name,
]
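Review bot: why is `public_network_access_enabled` dropped from `ignore_changes`? Nothing else in this PR touches that attribute. If it was listed to suppress provider-side drift, removing it may reintroduce a perpetual diff for existing clusters; if the provider constraint has moved on so the attribute no longer exists, the PR description should say so, since a stale entry here would otherwise be an error rather than a no-op.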
Expand Down Expand Up @@ -607,10 +591,6 @@ resource "azurerm_kubernetes_cluster" "main" {
condition = local.automatic_channel_upgrade_check
error_message = "Either disable automatic upgrades, or specify `kubernetes_version` or `orchestrator_version` only up to the minor version when using `automatic_channel_upgrade=patch`. You don't need to specify `kubernetes_version` at all when using `automatic_channel_upgrade=stable|rapid|node-image`, where `orchestrator_version` always must be set to `null`."
}
precondition {
condition = var.role_based_access_control_enabled || !var.rbac_aad
error_message = "Enabling Azure Active Directory integration requires that `role_based_access_control_enabled` be set to true."
}
precondition {
condition = !(var.kms_enabled && var.identity_type != "UserAssigned")
error_message = "KMS etcd encryption doesn't work with system-assigned managed identity."
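Review bot: with this precondition gone, `rbac_aad = true` combined with `role_based_access_control_enabled = false`, which is exactly what the two defaults in `variables.tf` and the README give, no longer fails; it silently produces a cluster with neither Kubernetes RBAC nor Azure AD integration, because the AAD block is gated on both flags. That is the case the check existed for. If it is being removed because the defaults contradict it, fix the defaults (for example default `role_based_access_control_enabled` to `true`) rather than dropping the guard.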
Expand Down Expand Up @@ -660,10 +640,6 @@ resource "azurerm_kubernetes_cluster" "main" {
condition = var.prefix == null || var.dns_prefix_private_cluster == null
error_message = "Only one of `var.prefix,var.dns_prefix_private_cluster` can be specified."
}
precondition {
condition = var.dns_prefix_private_cluster == null || var.private_cluster_enabled
error_message = "When `dns_prefix_private_cluster` is set, `private_cluster_enabled` must be set to `true`."
}
precondition {
condition = var.dns_prefix_private_cluster == null || var.identity_type == "UserAssigned" || var.client_id != ""
error_message = "A user assigned identity or a service principal must be used when using a custom private dns zone"
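Review bot: this removes the check tying `dns_prefix_private_cluster` to `private_cluster_enabled`, yet the following precondition still talks about "a custom private dns zone", and the provider documents `dns_prefix_private_cluster` as an option for private clusters only. A caller who sets it against what is now a public cluster by default will get the rejection from the Azure API at apply time instead of a plan-time error; keep a plan-time check in whatever form private clusters survive after this PR.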
1 change: 0 additions & 1 deletion test/e2e/terraform_aks_test.go
Expand Up @@ -35,7 +35,6 @@ func TestExamplesStartup(t *testing.T) {
assert.True(t, ok)
assert.Regexp(t, regexp.MustCompile("/subscriptions/.+/resourceGroups/.+/providers/Microsoft.ContainerService/managedClusters/.+"), aksId)
assertOutputNotEmpty(t, output, "test_cluster_portal_fqdn")
assertOutputNotEmpty(t, output, "test_cluster_private_fqdn")
})
}
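Review bot: with this assertion deleted, nothing in the e2e suite verifies that a private endpoint is ever provisioned; if private clusters remain supported by the module, add a test that asserts the private FQDN output is non-empty for a private example instead of removing the only such check.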

9 changes: 1 addition & 8 deletions v4/main_override.tf
Expand Up @@ -229,21 +229,14 @@ resource "azurerm_kubernetes_cluster" "main" {
}
}
dynamic "azure_active_directory_role_based_access_control" {
for_each = var.role_based_access_control_enabled && var.rbac_aad && var.rbac_aad_managed ? ["rbac"] : []
for_each = var.role_based_access_control_enabled ? ["rbac"] : []

content {
admin_group_object_ids = var.rbac_aad_admin_group_object_ids
azure_rbac_enabled = var.rbac_aad_azure_rbac_enabled
tenant_id = var.rbac_aad_tenant_id
}
}
dynamic "azure_active_directory_role_based_access_control" {
for_each = var.role_based_access_control_enabled && var.rbac_aad && !var.rbac_aad_managed ? ["rbac"] : []

content {
tenant_id = var.rbac_aad_tenant_id
}
}
network_profile {
network_plugin = var.network_plugin
dns_service_ip = var.net_profile_dns_service_ip
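Review bot: the gate here drops `var.rbac_aad` and keeps only `var.role_based_access_control_enabled`, whereas the root `main.tf` in this same PR gates the block on `role_based_access_control_enabled && rbac_aad`. Under the v4 override, `rbac_aad = false` (which `examples/with_acr` and `examples/multiple_node_pools` now set) is ignored and Azure AD integration is configured anyway, so the two code paths produce different clusters for identical inputs; align this condition with the root file.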
19 changes: 3 additions & 16 deletions variables.tf
Expand Up @@ -1356,12 +1356,6 @@ variable "prefix" {
description = "(Optional) The prefix for the resources created in the specified Azure Resource Group. Omitting this variable requires both `var.cluster_log_analytics_workspace_name` and `var.cluster_name` have been set. Only one of `var.prefix,var.dns_prefix_private_cluster` can be specified."
}

variable "private_cluster_enabled" {
type = bool
default = false
description = "If true cluster API server will be exposed only on internal IP address and available only in cluster vnet."
}

variable "private_cluster_public_fqdn_enabled" {
type = bool
default = false
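Review bot: `private_cluster_enabled` is deleted outright although, unlike the inputs that lived in `deprecated_variables.tf`, it never went through a deprecation cycle and its description gives no hint it is going away; given that losing it means a replacement for every existing private cluster, this needs either a deprecation release first or an explicit breaking-change entry.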
Expand All @@ -1380,13 +1374,6 @@ variable "public_ssh_key" {
description = "A custom ssh key to control access to the AKS cluster. Changing this forces a new resource to be created."
}

variable "rbac_aad" {
type = bool
default = true
description = "(Optional) Is Azure Active Directory integration enabled?"
nullable = false
}

variable "rbac_aad_admin_group_object_ids" {
type = list(string)
default = null
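Review bot: `rbac_aad` is deleted here only to be re-added a few lines lower with an identical definition, which adds noise to the diff and to blame history for no functional reason; keep the variable where it is and delete only `rbac_aad_managed`.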
Expand All @@ -1399,10 +1386,10 @@ variable "rbac_aad_azure_rbac_enabled" {
description = "(Optional) Is Role Based Access Control based on Azure AD enabled?"
}

variable "rbac_aad_managed" {
variable "rbac_aad" {
type = bool
default = false
description = "Is the Azure Active Directory integration Managed, meaning that Azure will create/manage the Service Principal used for integration."
default = true
description = "(Optional) Is Azure Active Directory integration enabled?"
nullable = false
}
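Review bot: the re-added `rbac_aad` block now sits after `rbac_aad_azure_rbac_enabled`, out of alphabetical order, and its description should state the dependency the deleted precondition used to enforce, for example "Only takes effect when `role_based_access_control_enabled` is `true`"; otherwise the default `true` suggests Azure AD integration is on when, with the default `role_based_access_control_enabled = false`, it is not.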
