diff --git a/.checkov_config.yaml b/.checkov_config.yaml
index eeccc4b0..7a922476 100644
--- a/.checkov_config.yaml
+++ b/.checkov_config.yaml
@@ -12,6 +12,7 @@ secrets-scan-file-type: []
 skip-check:
   - CKV_GHA_3
   - CKV_AZURE_5
+  - CKV_AZURE_6
   - CKV_AZURE_112
   - CKV_AZURE_115
   - CKV_AZURE_116
diff --git a/README.md b/README.md
index 700cc72c..e1be22fe 100644
--- a/README.md
+++ b/README.md
@@ -242,7 +242,6 @@ No modules.
 | [null_resource.kubernetes_version_keeper](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.pool_name_keeper](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [tls_private_key.ssh](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
-| [azurerm_log_analytics_workspace.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
 | [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 
 ## Inputs
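Review bot: Adding CKV_AZURE_6 to `skip-check` silences Checkov's "AKS API server has authorized IP ranges" check for the whole repository, not just for the one cluster resource whose attribute moved into the nested `api_server_access_profile` block in main.tf. If the suppression exists only because the scanner does not yet evaluate the nested block, the entry should carry a comment saying so and pointing at the replacement, e.g. `  - CKV_AZURE_6 # authorized ranges are now set via the dynamic api_server_access_profile block in main.tf`. A resource-level `#checkov:skip=CKV_AZURE_6:<reason>` annotation on the cluster resource would keep the check active for any other AKS resource added later; which form the team prefers is not decidable from this file.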
@@ -266,6 +265,7 @@ No modules.
 | [agents\_taints](#input\_agents\_taints) | (Optional) A list of the taints added to new nodes during node pool create and scale. Changing this forces a new resource to be created. | `list(string)` | `null` | no |
 | [agents\_type](#input\_agents\_type) | (Optional) The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets. | `string` | `"VirtualMachineScaleSets"` | no |
 | [api\_server\_authorized\_ip\_ranges](#input\_api\_server\_authorized\_ip\_ranges) | (Optional) The IP ranges to allow for incoming traffic to the server nodes. | `set(string)` | `null` | no |
+| [api\_server\_subnet\_id](#input\_api\_server\_subnet\_id) | (Optional) The ID of the Subnet where the API server endpoint is delegated to. | `string` | `null` | no |
 | [attached\_acr\_id\_map](#input\_attached\_acr\_id\_map) | Azure Container Registry ids that need an authentication mechanism with Azure Kubernetes Service (AKS). Map key must be static string as acr's name, the value is acr's resource id. Changing this forces some new resources to be created. | `map(string)` | `{}` | no |
 | [auto\_scaler\_profile\_balance\_similar\_node\_groups](#input\_auto\_scaler\_profile\_balance\_similar\_node\_groups) | Detect similar node groups and balance the number of nodes between them. Defaults to `false`. | `bool` | `false` | no |
 | [auto\_scaler\_profile\_empty\_bulk\_delete\_max](#input\_auto\_scaler\_profile\_empty\_bulk\_delete\_max) | Maximum number of empty nodes that can be deleted at the same time. Defaults to `10`. | `number` | `10` | no |
diff --git a/main.tf b/main.tf
index 51cfe3b1..4d248c0e 100644
--- a/main.tf
+++ b/main.tf
@@ -18,7 +18,6 @@ resource "azurerm_kubernetes_cluster" "main" {
   location = coalesce(var.location, data.azurerm_resource_group.main.location)
   name = coalesce(var.cluster_name, trim("${var.prefix}-aks", "-"))
   resource_group_name = data.azurerm_resource_group.main.name
-  api_server_authorized_ip_ranges = var.api_server_authorized_ip_ranges
   automatic_channel_upgrade = var.automatic_channel_upgrade
   azure_policy_enabled = var.azure_policy_enabled
   disk_encryption_set_id = var.disk_encryption_set_id
@@ -237,6 +236,14 @@ resource "azurerm_kubernetes_cluster" "main" {
       subnet_name = var.aci_connector_linux_subnet_name
     }
   }
+  dynamic "api_server_access_profile" {
+    for_each = var.api_server_authorized_ip_ranges != null || var.api_server_subnet_id != null ? ["api_server_access_profile"] : []
+
+    content {
+      authorized_ip_ranges = var.api_server_authorized_ip_ranges
+      subnet_id = var.api_server_subnet_id
+    }
+  }
   dynamic "auto_scaler_profile" {
     for_each = var.auto_scaler_profile_enabled ? ["default_auto_scaler_profile"] : []
 
@@ -374,9 +381,7 @@ resource "azurerm_kubernetes_cluster" "main" {
     service_cidr = var.net_profile_service_cidr
 
     dynamic "load_balancer_profile" {
-      for_each = var.load_balancer_profile_enabled && var.load_balancer_sku == "standard" ? [
-        "load_balancer_profile"
-      ] : []
+      for_each = var.load_balancer_profile_enabled && var.load_balancer_sku == "standard" ? ["load_balancer_profile"] : []
 
       content {
         idle_timeout_in_minutes = var.load_balancer_profile_idle_timeout_in_minutes
diff --git a/variables.tf b/variables.tf
index 40cd7f1f..c0fe1765 100644
--- a/variables.tf
+++ b/variables.tf
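Review bot: The new `dynamic "api_server_access_profile"` block in the second hunk is emitted only when at least one of the two inputs is non-null, so with both left at their `null` defaults the cluster gets no access profile at all and the API endpoint keeps the provider default, which on a public cluster means no source-IP restriction; that was also true of the removed top-level attribute, but it is now hidden behind a conditional and deserves a comment, e.g. `# Omitted when both inputs are null: the API server then keeps the provider default (no source IP restriction unless the cluster is private).`. The `for_each` condition also silently treats an empty set for `api_server_authorized_ip_ranges` as "configured", producing a block whose `authorized_ip_ranges` is empty; if that is intended it should be stated, otherwise the condition could test `length(...) > 0`. The nested block needs an azurerm provider version that supports `api_server_access_profile` and its `subnet_id`; the version constraint is not part of this diff, so it should be checked that it is bumped alongside this change. The enclosing `azurerm_kubernetes_cluster` resource starts and ends outside these hunks.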
@@ -204,6 +204,12 @@ variable "api_server_authorized_ip_ranges" {
   description = "(Optional) The IP ranges to allow for incoming traffic to the server nodes."
 }
 
+variable "api_server_subnet_id" {
+  type = string
+  default = null
+  description = "(Optional) The ID of the Subnet where the API server endpoint is delegated to."
+}
+
 variable "attached_acr_id_map" {
   type = map(string)
   default = {}
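Review bot: The description of the new `api_server_subnet_id` variable does not say that it is a full subnet resource ID, nor that it, together with `api_server_authorized_ip_ranges`, decides whether the `api_server_access_profile` block is rendered on the cluster in main.tf, which is the behaviour a caller needs to know before setting it. I would reword it to `description = "(Optional) The resource ID of the Subnet where the API server endpoint is delegated to. Setting this or api_server_authorized_ip_ranges creates the api_server_access_profile block on the cluster."`. The README input table appears to be generated from these descriptions, so it would need regenerating after the change.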