diff --git a/internal/services/containers/kubernetes_cluster_network_resource_test.go b/internal/services/containers/kubernetes_cluster_network_resource_test.go index f27b1d5a1051..04a178e2aef9 100644 --- a/internal/services/containers/kubernetes_cluster_network_resource_test.go +++ b/internal/services/containers/kubernetes_cluster_network_resource_test.go @@ -3486,7 +3486,7 @@ func (KubernetesClusterResource) publicNetworkAccess(data acceptance.TestData, e authorizedIPConfig := "" if !enabled { authorizedIPConfig = `api_server_access_profile { - authorized_ip_ranges = ["0.0.0.0/32"] + authorized_ip_ranges = ["0.0.0.0/0"] }` } return fmt.Sprintf(` diff --git a/internal/services/containers/kubernetes_cluster_resource.go b/internal/services/containers/kubernetes_cluster_resource.go index 99439fa8ea7c..f9193fbd9569 100644 --- a/internal/services/containers/kubernetes_cluster_resource.go +++ b/internal/services/containers/kubernetes_cluster_resource.go @@ -366,24 +366,13 @@ func resourceKubernetesCluster() *pluginsdk.Resource { }, }, - "monitor_metrics": { + "custom_ca_trust_certificates_base64": { Type: pluginsdk.TypeList, - MaxItems: 1, Optional: true, - Elem: &pluginsdk.Resource{ - Schema: map[string]*pluginsdk.Schema{ - "annotations_allowed": { - Type: pluginsdk.TypeString, - Optional: true, - ValidateFunc: validation.StringIsNotEmpty, - }, - - "labels_allowed": { - Type: pluginsdk.TypeString, - Optional: true, - ValidateFunc: validation.StringIsNotEmpty, - }, - }, + MaxItems: 10, + Elem: &pluginsdk.Schema{ + Type: pluginsdk.TypeString, + ValidateFunc: validation.StringIsBase64, }, }, 
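Review bot: In the `!enabled` branch of `publicNetworkAccess`, the fixture now sets `authorized_ip_ranges = ["0.0.0.0/0"]`, a CIDR that matches every IPv4 source, whereas the previous `0.0.0.0/32` matched only a single unroutable address. The configuration meant to exercise disabled public access therefore carries an allow-all API-server range, and anyone copying the fixture gets an unrestricted endpoint. If the API really requires `/0` here, add a comment in the fixture saying why, for example `# /0 required by the API when public access is off (link to the API reference)`; otherwise keep `/32`. The `public_network_access_enabled` note in website/docs/r/kubernetes_cluster.html.markdown makes the same substitution, but ties it to `true`, while this fixture applies it when `enabled` is false. The function body continues outside the hunk.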
@@ -919,6 +908,27 @@ func resourceKubernetesCluster() *pluginsdk.Resource { }, }, + "monitor_metrics": { + Type: pluginsdk.TypeList, + MaxItems: 1, + Optional: true, + Elem: &pluginsdk.Resource{ + Schema: map[string]*pluginsdk.Schema{ + "annotations_allowed": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringIsNotEmpty, + }, + + "labels_allowed": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringIsNotEmpty, + }, + }, + }, + }, + "node_os_channel_upgrade": { Type: pluginsdk.TypeString, Optional: true, @@ -1407,9 +1417,10 @@ func resourceKubernetesCluster() *pluginsdk.Resource { Required: true, ForceNew: true, }, + // This needs to become Required in 4.0 - omitting it isn't accepted by the API "admin_password": { Type: pluginsdk.TypeString, - Optional: true, + Required: true, Sensitive: true, ValidateFunc: validation.StringLenBetween(8, 123), }, @@ -1474,20 +1485,9 @@ func resourceKubernetesCluster() *pluginsdk.Resource { Optional: true, Default: false, }, - - "custom_ca_trust_certificates_base64": { - Type: pluginsdk.TypeList, - Optional: true, - MaxItems: 10, - Elem: &pluginsdk.Schema{ - Type: pluginsdk.TypeString, - ValidateFunc: validation.StringIsBase64, - }, - }, }, } - // CLEANUP: post-3.0 we should inline these? for k, v := range schemaKubernetesAddOns() { resource.Schema[k] = v } @@ -1521,6 +1521,12 @@ func resourceKubernetesCluster() *pluginsdk.Resource { "Overlay", }, false), } + resource.Schema["windows_profile"].Elem.(*pluginsdk.Resource).Schema["admin_password"] = &pluginsdk.Schema{ + Type: pluginsdk.TypeString, + Optional: true, + Sensitive: true, + ValidateFunc: validation.StringLenBetween(8, 123), + } } return resource diff --git a/website/docs/r/kubernetes_cluster.html.markdown b/website/docs/r/kubernetes_cluster.html.markdown index 64c681964fb6..dae708263e09 100644 --- a/website/docs/r/kubernetes_cluster.html.markdown +++ b/website/docs/r/kubernetes_cluster.html.markdown 
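Review bot: The added comment above `admin_password` says the field "needs to become Required in 4.0", but the same hunk already sets `Required: true`, so the comment no longer matches the schema directly below it. Reword it to state what is true now and where the exception lives, for example `// Required from 4.0 - the API rejects a missing password; see the Optional override near the end of this function`. The hunk sits inside `resourceKubernetesCluster`, whose body starts and ends outside it, and the condition guarding that override (the `@@ -1521` hunk) is not visible in the diff.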
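Review bot: The override in the `@@ -1521` hunk replaces the whole `admin_password` schema with a second literal, so `Sensitive: true` and the `StringLenBetween(8, 123)` validator now exist in two places and must be kept in step by hand. If the copy ever loses `Sensitive`, the Windows admin password would stop being redacted in plan output. Changing only the two flags on the existing entry avoids that: `pw := resource.Schema["windows_profile"].Elem.(*pluginsdk.Resource).Schema["admin_password"]`, then `pw.Required = false` and `pw.Optional = true`. The enclosing block opens before the hunk, so the condition under which this runs is not visible here.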
@@ -101,6 +101,8 @@ In addition, one of either `identity` or `service_principal` blocks must be spec * `confidential_computing` - (Optional) A `confidential_computing` block as defined below. For more details please [the documentation](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-overview) +* `custom_ca_trust_certificates_base64` - (Optional) A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the `custom_ca_trust_enabled` feature enabled. + * `disk_encryption_set_id` - (Optional) The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information [can be found in the documentation](https://docs.microsoft.com/azure/aks/azure-disk-customer-managed-keys). Changing this forces a new resource to be created. * `edge_zone` - (Optional) Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created. @@ -231,7 +233,7 @@ resource "azurerm_kubernetes_cluster" "example" { * `public_network_access_enabled` - (Optional) Whether public network access is allowed for this Kubernetes Cluster. Defaults to `true`. Changing this forces a new resource to be created. --> **Note:** When `public_network_access_enabled` is set to `true`, `0.0.0.0/32` must be added to `authorized_ip_ranges` in the `api_server_access_profile` block. +-> **Note:** When `public_network_access_enabled` is set to `true`, `0.0.0.0/0` must be added to `authorized_ip_ranges` in the `api_server_access_profile` block. * `role_based_access_control_enabled` - (Optional) Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to `true`. Changing this forces a new resource to be created. 
@@ -671,13 +673,13 @@ A `network_profile` block supports the following: ~> **Note:** When `ebpf_data_plane` is set to `cilium`, the `network_plugin` field can only be set to `azure`. -~> **Note:** When `ebpf_data_plane` is set to `cilium`, one of either `network_plugin_mode = "Overlay"` or `pod_subnet_id` must be specified. +~> **Note:** When `ebpf_data_plane` is set to `cilium`, one of either `network_plugin_mode = "overlay"` or `pod_subnet_id` must be specified. -> **Note:** This requires that the Preview Feature `Microsoft.ContainerService/CiliumDataplanePreview` is enabled and the Resource Provider is re-registered, see [the documentation](https://learn.microsoft.com/en-us/azure/aks/azure-cni-powered-by-cilium) for more information. -* `network_plugin_mode` - (Optional) Specifies the network plugin mode used for building the Kubernetes network. Possible value is `Overlay`. Changing this forces a new resource to be created. +* `network_plugin_mode` - (Optional) Specifies the network plugin mode used for building the Kubernetes network. Possible value is `overlay`. Changing this forces a new resource to be created. -~> **Note:** When `network_plugin_mode` is set to `Overlay`, the `network_plugin` field can only be set to `azure`. +~> **Note:** When `network_plugin_mode` is set to `overlay`, the `network_plugin` field can only be set to `azure`. * `outbound_type` - (Optional) The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are `loadBalancer`, `userDefinedRouting`, `managedNATGateway` and `userAssignedNATGateway`. Defaults to `loadBalancer`. Changing this forces a new resource to be created.