bug fixes and new aks scenario

0-templates/01-config.tf

@@ -140,6 +140,8 @@ locals {
     ("AppServiceSubnet")              = { address_prefixes = ["10.11.13.0/24", ], address_prefixes_v6 = ["fd00:db8:11:13::/64", ], delegate = ["Microsoft.Web/serverFarms"] }
     ("GatewaySubnet")                 = { address_prefixes = ["10.11.16.0/24", ], address_prefixes_v6 = ["fd00:db8:11:16::/64", ], }
     ("TestSubnet")                    = { address_prefixes = ["10.11.17.0/24", ], address_prefixes_v6 = ["fd00:db8:11:17::/64", ], }
+    ("AksSubnet")                     = { address_prefixes = ["10.11.18.0/24", ], address_prefixes_v6 = ["fd00:db8:11:18::/64", ], }
+    ("AksPodSubnet")                  = { address_prefixes = ["10.11.20.0/22", ], address_prefixes_v6 = ["fd00:db8:11:20::/64", ], }
   }
   hub1_default_gw_main      = cidrhost(local.hub1_subnets["MainSubnet"].address_prefixes[0], 1)
   hub1_default_gw_untrust   = cidrhost(local.hub1_subnets["UntrustSubnet"].address_prefixes[0], 1)
@@ -199,6 +201,8 @@ locals {
     ("AppServiceSubnet")              = { address_prefixes = ["10.22.13.0/24", ], address_prefixes_v6 = ["fd00:db8:22:13::/64", ], delegate = ["Microsoft.Web/serverFarms"] }
     ("GatewaySubnet")                 = { address_prefixes = ["10.22.16.0/24", ], address_prefixes_v6 = ["fd00:db8:22:16::/64", ], }
     ("TestSubnet")                    = { address_prefixes = ["10.22.17.0/24", ], address_prefixes_v6 = ["fd00:db8:22:17::/64", ], }
+    ("AksSubnet")                     = { address_prefixes = ["10.22.18.0/24", ], address_prefixes_v6 = ["fd00:db8:22:18::/64", ], }
+    ("AksPodSubnet")                  = { address_prefixes = ["10.22.20.0/22", ], address_prefixes_v6 = ["fd00:db8:22:20::/64", ], }
   }
   hub2_default_gw_main      = cidrhost(local.hub2_subnets["MainSubnet"].address_prefixes[0], 1)
   hub2_default_gw_untrust   = cidrhost(local.hub2_subnets["UntrustSubnet"].address_prefixes[0], 1)
@@ -377,6 +381,8 @@ locals {
     ("AppServiceSubnet")         = { address_prefixes = ["10.1.8.0/24", ], address_prefixes_v6 = ["fd00:db8:1:8::/64", ], delegate = ["Microsoft.Web/serverFarms"] }
     ("GatewaySubnet")            = { address_prefixes = ["10.1.9.0/24", ], address_prefixes_v6 = ["fd00:db8:1:9::/64", ], }
     ("TestSubnet")               = { address_prefixes = ["10.1.10.0/24"], }
+    ("AksSubnet")                = { address_prefixes = ["10.1.11.0/24", ], address_prefixes_v6 = ["fd00:db8:1:11::/64", ], }
+    ("AksPodSubnet")             = { address_prefixes = ["10.1.12.0/22", ], address_prefixes_v6 = ["fd00:db8:1:12::/64", ], }
   }
   spoke1_vm_addr    = cidrhost(local.spoke1_subnets["MainSubnet"].address_prefixes[0], 5)
   spoke1_ilb_addr   = cidrhost(local.spoke1_subnets["LoadBalancerSubnet"].address_prefixes[0], 99)
@@ -413,6 +419,8 @@ locals {
     ("AppServiceSubnet")         = { address_prefixes = ["10.2.8.0/24", ], address_prefixes_v6 = ["fd00:db8:2:8::/64"], delegate = ["Microsoft.Web/serverFarms"] }
     ("GatewaySubnet")            = { address_prefixes = ["10.2.9.0/24", ], address_prefixes_v6 = ["fd00:db8:2:9::/64"], }
     ("TestSubnet")               = { address_prefixes = ["10.2.10.0/24"], }
+    ("AksSubnet")                = { address_prefixes = ["10.2.11.0/24", ], address_prefixes_v6 = ["fd00:db8:2:11::/64", ], }
+    ("AksPodSubnet")             = { address_prefixes = ["10.2.12.0/22", ], address_prefixes_v6 = ["fd00:db8:2:12::/64", ], }
   }
   spoke2_vm_addr    = cidrhost(local.spoke2_subnets["MainSubnet"].address_prefixes[0], 5)
   spoke2_ilb_addr   = cidrhost(local.spoke2_subnets["LoadBalancerSubnet"].address_prefixes[0], 99)
@@ -449,6 +457,8 @@ locals {
     ("AppServiceSubnet")         = { address_prefixes = ["10.3.8.0/24", ], address_prefixes_v6 = ["fd00:db8:3:8::/64"], delegate = ["Microsoft.Web/serverFarms"] }
     ("GatewaySubnet")            = { address_prefixes = ["10.3.9.0/24", ], address_prefixes_v6 = ["fd00:db8:3:9::/64"], }
     ("TestSubnet")               = { address_prefixes = ["10.3.10.0/24", ], address_prefixes_v6 = ["fd00:db8:3:10::/64"], use_azapi = [true], default_outbound_access = [false] }
+    ("AksSubnet")                = { address_prefixes = ["10.3.11.0/24", ], address_prefixes_v6 = ["fd00:db8:3:11::/64", ], }
+    ("AksPodSubnet")             = { address_prefixes = ["10.3.12.0/22", ], address_prefixes_v6 = ["fd00:db8:3:12::/64", ], }
   }
   spoke3_vm_addr    = cidrhost(local.spoke3_subnets["MainSubnet"].address_prefixes[0], 5)
   spoke3_ilb_addr   = cidrhost(local.spoke3_subnets["LoadBalancerSubnet"].address_prefixes[0], 99)
@@ -485,6 +495,8 @@ locals {
     ("AppServiceSubnet")         = { address_prefixes = ["10.4.8.0/24", ], address_prefixes_v6 = ["fd00:db8:4:8::/64"], delegate = ["Microsoft.Web/serverFarms"] }
     ("GatewaySubnet")            = { address_prefixes = ["10.4.9.0/24", ], address_prefixes_v6 = ["fd00:db8:4:9::/64"], }
     ("TestSubnet")               = { address_prefixes = ["10.4.10.0/24"], }
+    ("AksSubnet")                = { address_prefixes = ["10.4.11.0/24", ], address_prefixes_v6 = ["fd00:db8:4:11::/64", ], }
+    ("AksPodSubnet")             = { address_prefixes = ["10.4.12.0/22", ], address_prefixes_v6 = ["fd00:db8:4:12::/64", ], }
   }
   spoke4_vm_addr    = cidrhost(local.spoke4_subnets["MainSubnet"].address_prefixes[0], 5)
   spoke4_ilb_addr   = cidrhost(local.spoke4_subnets["LoadBalancerSubnet"].address_prefixes[0], 99)
@@ -521,6 +533,8 @@ locals {
     ("AppServiceSubnet")         = { address_prefixes = ["10.5.8.0/24", ], address_prefixes_v6 = ["fd00:db8:5:8::/64"], delegate = ["Microsoft.Web/serverFarms"] }
     ("GatewaySubnet")            = { address_prefixes = ["10.5.9.0/24", ], address_prefixes_v6 = ["fd00:db8:5:9::/64"], }
     ("TestSubnet")               = { address_prefixes = ["10.5.10.0/24"], }
+    ("AksSubnet")                = { address_prefixes = ["10.5.11.0/24", ], address_prefixes_v6 = ["fd00:db8:5:11::/64", ], }
+    ("AksPodSubnet")             = { address_prefixes = ["10.5.12.0/22", ], address_prefixes_v6 = ["fd00:db8:5:12::/64", ], }
   }
   spoke5_vm_addr    = cidrhost(local.spoke5_subnets["MainSubnet"].address_prefixes[0], 5)
   spoke5_ilb_addr   = cidrhost(local.spoke5_subnets["LoadBalancerSubnet"].address_prefixes[0], 99)
@@ -557,6 +571,8 @@ locals {
     ("AppServiceSubnet")         = { address_prefixes = ["10.6.8.0/24", ], address_prefixes_v6 = ["fd00:db8:6:8::/64"], delegate = ["Microsoft.Web/serverFarms"] }
     ("GatewaySubnet")            = { address_prefixes = ["10.6.9.0/24", ], address_prefixes_v6 = ["fd00:db8:6:9::/64"], }
     ("TestSubnet")               = { address_prefixes = ["10.6.10.0/24", ], address_prefixes_v6 = ["fd00:db8:6:10::/64"], use_azapi = [true], default_outbound_access = [false] }
+    ("AksSubnet")                = { address_prefixes = ["10.6.11.0/24", ], address_prefixes_v6 = ["fd00:db8:6:11::/64", ], }
+    ("AksPodSubnet")             = { address_prefixes = ["10.6.12.0/22", ], address_prefixes_v6 = ["fd00:db8:6:12::/64", ], }
   }
   spoke6_vm_addr    = cidrhost(local.spoke6_subnets["MainSubnet"].address_prefixes[0], 5)
   spoke6_ilb_addr   = cidrhost(local.spoke6_subnets["LoadBalancerSubnet"].address_prefixes[0], 99)

0-templates/04-spokes-region1.tf

@@ -27,8 +27,8 @@ module "spoke1" {
   enable_diagnostics                  = local.enable_diagnostics
   enable_ipv6                         = local.enable_ipv6
   log_analytics_workspace_name        = module.common.log_analytics_workspaces["region1"].name
-  network_watcher_name                = "NetworkWatcher_${local.region1}"
-  network_watcher_resource_group_name = "NetworkWatcherRG"
+  network_watcher_name                = local.enable_vnet_flow_logs ? "NetworkWatcher_${local.region1}" : null
+  network_watcher_resource_group_name = local.enable_vnet_flow_logs ? "NetworkWatcherRG" : null
 
   dns_zones_linked_to_vnet = [
     { name = module.common.private_dns_zones[local.region1_dns_zone].name, registration_enabled = true },
@@ -45,6 +45,7 @@ module "spoke1" {
     "PrivateEndpointSubnet"    = module.common.nsg_default["region1"].id
     "AppServiceSubnet"         = module.common.nsg_default["region1"].id
     "TestSubnet"               = module.common.nsg_main["region1"].id
+    "AksSubnet"                = module.common.nsg_main["region1"].id
   }
 
   config_vnet = {
@@ -113,8 +114,8 @@ module "spoke2" {
   enable_diagnostics                  = local.enable_diagnostics
   enable_ipv6                         = local.enable_ipv6
   log_analytics_workspace_name        = module.common.log_analytics_workspaces["region1"].name
-  network_watcher_name                = "NetworkWatcher_${local.region1}"
-  network_watcher_resource_group_name = "NetworkWatcherRG"
+  network_watcher_name                = local.enable_vnet_flow_logs ? "NetworkWatcher_${local.region1}" : null
+  network_watcher_resource_group_name = local.enable_vnet_flow_logs ? "NetworkWatcherRG" : null
 
   dns_zones_linked_to_vnet = [
     { name = module.common.private_dns_zones[local.region1_dns_zone].name, registration_enabled = true },
@@ -131,6 +132,7 @@ module "spoke2" {
     "PrivateEndpointSubnet"    = module.common.nsg_default["region1"].id
     "AppServiceSubnet"         = module.common.nsg_default["region1"].id
     "TestSubnet"               = module.common.nsg_main["region1"].id
+    "AksSubnet"                = module.common.nsg_main["region1"].id
   }
 
   config_vnet = {
@@ -199,8 +201,8 @@ module "spoke3" {
   enable_diagnostics                  = local.enable_diagnostics
   enable_ipv6                         = local.enable_ipv6
   log_analytics_workspace_name        = module.common.log_analytics_workspaces["region1"].name
-  network_watcher_name                = "NetworkWatcher_${local.region1}"
-  network_watcher_resource_group_name = "NetworkWatcherRG"
+  network_watcher_name                = local.enable_vnet_flow_logs ? "NetworkWatcher_${local.region1}" : null
+  network_watcher_resource_group_name = local.enable_vnet_flow_logs ? "NetworkWatcherRG" : null
 
   dns_zones_linked_to_vnet = [
     { name = module.common.private_dns_zones[local.region1_dns_zone].name, registration_enabled = true },
@@ -217,6 +219,7 @@ module "spoke3" {
     "PrivateEndpointSubnet"    = module.common.nsg_default["region1"].id
     "AppServiceSubnet"         = module.common.nsg_default["region1"].id
     "TestSubnet"               = module.common.nsg_main["region1"].id
+    "AksSubnet"                = module.common.nsg_main["region1"].id
   }
 
   config_vnet = {

0-templates/04-spokes-region2.tf

@@ -27,8 +27,8 @@ module "spoke4" {
   enable_diagnostics                  = local.enable_diagnostics
   enable_ipv6                         = local.enable_ipv6
   log_analytics_workspace_name        = module.common.log_analytics_workspaces["region2"].name
-  network_watcher_name                = "NetworkWatcher_${local.region2}"
-  network_watcher_resource_group_name = "NetworkWatcherRG"
+  network_watcher_name                = local.enable_vnet_flow_logs ? "NetworkWatcher_${local.region2}" : null
+  network_watcher_resource_group_name = local.enable_vnet_flow_logs ? "NetworkWatcherRG" : null
 
   dns_zones_linked_to_vnet = [
     { name = module.common.private_dns_zones[local.region2_dns_zone].name, registration_enabled = true },
@@ -45,6 +45,7 @@ module "spoke4" {
     "PrivateEndpointSubnet"    = module.common.nsg_default["region2"].id
     "AppServiceSubnet"         = module.common.nsg_default["region2"].id
     "TestSubnet"               = module.common.nsg_main["region2"].id
+    "AksSubnet"                = module.common.nsg_main["region2"].id
   }
 
   config_vnet = {
@@ -113,8 +114,8 @@ module "spoke5" {
   enable_diagnostics                  = local.enable_diagnostics
   enable_ipv6                         = local.enable_ipv6
   log_analytics_workspace_name        = module.common.log_analytics_workspaces["region2"].name
-  network_watcher_name                = "NetworkWatcher_${local.region2}"
-  network_watcher_resource_group_name = "NetworkWatcherRG"
+  network_watcher_name                = local.enable_vnet_flow_logs ? "NetworkWatcher_${local.region2}" : null
+  network_watcher_resource_group_name = local.enable_vnet_flow_logs ? "NetworkWatcherRG" : null
 
   dns_zones_linked_to_vnet = [
     { name = module.common.private_dns_zones[local.region2_dns_zone].name, registration_enabled = true },
@@ -131,6 +132,7 @@ module "spoke5" {
     "PrivateEndpointSubnet"    = module.common.nsg_default["region2"].id
     "AppServiceSubnet"         = module.common.nsg_default["region2"].id
     "TestSubnet"               = module.common.nsg_main["region2"].id
+    "AksSubnet"                = module.common.nsg_main["region2"].id
   }
 
   config_vnet = {
@@ -199,8 +201,8 @@ module "spoke6" {
   enable_diagnostics                  = local.enable_diagnostics
   enable_ipv6                         = local.enable_ipv6
   log_analytics_workspace_name        = module.common.log_analytics_workspaces["region2"].name
-  network_watcher_name                = "NetworkWatcher_${local.region2}"
-  network_watcher_resource_group_name = "NetworkWatcherRG"
+  network_watcher_name                = local.enable_vnet_flow_logs ? "NetworkWatcher_${local.region2}" : null
+  network_watcher_resource_group_name = local.enable_vnet_flow_logs ? "NetworkWatcherRG" : null
 
   dns_zones_linked_to_vnet = [
     { name = module.common.private_dns_zones[local.region2_dns_zone].name, registration_enabled = true },
@@ -217,6 +219,7 @@ module "spoke6" {
     "PrivateEndpointSubnet"    = module.common.nsg_default["region2"].id
     "AppServiceSubnet"         = module.common.nsg_default["region2"].id
     "TestSubnet"               = module.common.nsg_main["region2"].id
+    "AksSubnet"                = module.common.nsg_main["region2"].id
   }
 
   config_vnet = {

0-templates/05-hub1.tf

@@ -28,8 +28,8 @@ module "hub1" {
   enable_diagnostics                  = local.enable_diagnostics
   enable_ipv6                         = local.enable_ipv6
   log_analytics_workspace_name        = module.common.log_analytics_workspaces["region1"].name
-  network_watcher_name                = "NetworkWatcher_${local.region1}"
-  network_watcher_resource_group_name = "NetworkWatcherRG"
+  network_watcher_name                = local.enable_vnet_flow_logs ? "NetworkWatcher_${local.region1}" : null
+  network_watcher_resource_group_name = local.enable_vnet_flow_logs ? "NetworkWatcherRG" : null
   # flow_log_nsg_ids = [
   #   module.common.nsg_main["region1"].id,
   # ]

0-templates/05-hub2.tf

@@ -28,8 +28,8 @@ module "hub2" {
   enable_diagnostics                  = local.enable_diagnostics
   enable_ipv6                         = local.enable_ipv6
   log_analytics_workspace_name        = module.common.log_analytics_workspaces["region2"].name
-  network_watcher_name                = "NetworkWatcher_${local.region2}"
-  network_watcher_resource_group_name = "NetworkWatcherRG"
+  network_watcher_name                = local.enable_vnet_flow_logs ? "NetworkWatcher_${local.region2}" : null
+  network_watcher_resource_group_name = local.enable_vnet_flow_logs ? "NetworkWatcherRG" : null
   # flow_log_nsg_ids = [
   #   module.common.nsg_main["region2"].id,
   # ]

0-templates/hub-spoke/06-conn-hub1.tf

@@ -15,7 +15,7 @@ resource "azurerm_virtual_network_peering" "spoke1_to_hub1_peering" {
   remote_virtual_network_id    = module.hub1.vnet.id
   allow_virtual_network_access = true
   allow_forwarded_traffic      = true
-  use_remote_gateways          = true
+  use_remote_gateways          = local.hub1_features.config_s2s_vpngw.enable ? true : false
   depends_on = [
     module.spoke1,
     module.hub1,
@@ -44,6 +44,7 @@ resource "azurerm_virtual_network_peering" "hub1_to_spoke1_peering" {
 # main
 
 module "spoke1_udr_main" {
+  count          = local.hub1_features.config_firewall.enable ? 1 : 0
   source         = "../../modules/route-table"
   resource_group = azurerm_resource_group.rg.name
   prefix         = "${local.spoke1_prefix}main"
@@ -54,9 +55,9 @@ module "spoke1_udr_main" {
     address_prefix         = r.address_prefix
     next_hop_type          = length(try(r.next_hop_ip, "")) > 0 ? "VirtualAppliance" : "Internet"
     next_hop_in_ip_address = length(try(r.next_hop_ip, "")) > 0 ? r.next_hop_ip : null
-  }]
+  } if local.hub1_features.config_firewall.enable]
 
-  bgp_route_propagation_enabled = false
+  bgp_route_propagation_enabled = local.hub1_features.config_firewall.enable ? false : true
 
   depends_on = [
     time_sleep.hub1,
@@ -79,7 +80,7 @@ resource "azurerm_virtual_network_peering" "spoke2_to_hub1_peering" {
   remote_virtual_network_id    = module.hub1.vnet.id
   allow_virtual_network_access = true
   allow_forwarded_traffic      = true
-  use_remote_gateways          = true
+  use_remote_gateways          = local.hub1_features.config_s2s_vpngw.enable ? true : false
   depends_on = [
     module.spoke2,
     module.hub1,
@@ -112,6 +113,7 @@ resource "azurerm_virtual_network_peering" "hub1_to_spoke2_peering" {
 # main
 
 module "spoke2_udr_main" {
+  count          = local.hub1_features.config_firewall.enable ? 1 : 0
   source         = "../../modules/route-table"
   resource_group = azurerm_resource_group.rg.name
   prefix         = "${local.spoke2_prefix}main"
@@ -122,9 +124,9 @@ module "spoke2_udr_main" {
     address_prefix         = r.address_prefix
     next_hop_type          = length(try(r.next_hop_ip, "")) > 0 ? "VirtualAppliance" : "Internet"
     next_hop_in_ip_address = length(try(r.next_hop_ip, "")) > 0 ? r.next_hop_ip : null
-  }]
+  } if local.hub1_features.config_firewall.enable]
 
-  bgp_route_propagation_enabled = false
+  bgp_route_propagation_enabled = local.hub1_features.config_firewall.enable ? false : true
 
   depends_on = [
     time_sleep.hub1,
@@ -141,6 +143,7 @@ module "spoke2_udr_main" {
 # gateway
 
 module "hub1_gateway_udr" {
+  count          = local.hub1_features.config_firewall.enable ? 1 : 0
   source         = "../../modules/route-table"
   resource_group = azurerm_resource_group.rg.name
   prefix         = "${local.hub1_prefix}gateway"
@@ -151,7 +154,7 @@ module "hub1_gateway_udr" {
     address_prefix         = r.address_prefix
     next_hop_type          = length(try(r.next_hop_ip, "")) > 0 ? "VirtualAppliance" : "Internet"
     next_hop_in_ip_address = length(try(r.next_hop_ip, "")) > 0 ? r.next_hop_ip : null
-  }]
+  } if local.hub1_features.config_firewall.enable]
 
   depends_on = [
     time_sleep.hub1,
@@ -161,6 +164,7 @@ module "hub1_gateway_udr" {
 # main
 
 module "hub1_udr_main" {
+  count          = local.hub1_features.config_firewall.enable ? 1 : 0
   source         = "../../modules/route-table"
   resource_group = azurerm_resource_group.rg.name
   prefix         = "${local.hub1_prefix}main"
@@ -171,9 +175,9 @@ module "hub1_udr_main" {
     address_prefix         = r.address_prefix
     next_hop_type          = length(try(r.next_hop_ip, "")) > 0 ? "VirtualAppliance" : "Internet"
     next_hop_in_ip_address = length(try(r.next_hop_ip, "")) > 0 ? r.next_hop_ip : null
-  }]
+  } if local.hub1_features.config_firewall.enable]
 
-  bgp_route_propagation_enabled = false
+  bgp_route_propagation_enabled = local.hub1_features.config_firewall.enable ? false : true
 
   depends_on = [
     time_sleep.hub1,
@@ -207,6 +211,7 @@ resource "azurerm_local_network_gateway" "hub1_branch1_lng" {
 # branch1
 
 resource "azurerm_virtual_network_gateway_connection" "hub1_branch1_lng" {
+  count                          = local.hub1_features.config_s2s_vpngw.enable ? 1 : 0
   resource_group_name            = azurerm_resource_group.rg.name
   name                           = "${local.hub1_prefix}branch1-lng-conn"
   location                       = local.hub1_location