terraform: azure node groups (#1955)

* init

* migration working

* make tf variables with default value optional in go through ptr type

* fix CI build

* pr feedback

* add azure targets tf

* skip migration for empty targets

* make instance_count optional

* change role naming to dashed + add validation

* make node_group.zones optional

* Update cli/internal/terraform/terraform/azure/main.tf

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>

* malte feedback

---------

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>

cli/internal/terraform/terraform/azure/main.tf

@@ -221,58 +221,46 @@ resource "azurerm_network_security_group" "security_group" {
   }
 }
 
-module "scale_set_control_plane" {
-  source = "./modules/scale_set"
-
-  name            = "${local.name}-control-plane"
-  instance_count  = var.control_plane_count
-  state_disk_size = var.state_disk_size
-  state_disk_type = var.state_disk_type
-  resource_group  = var.resource_group
-  location        = var.location
-  instance_type   = var.instance_type
-  confidential_vm = var.confidential_vm
-  secure_boot     = var.secure_boot
+module "scale_set_group" {
+  source          = "./modules/scale_set"
+  for_each        = var.node_groups
+  base_name       = local.name
+  node_group_name = each.key
+  role            = each.value.role
+  zones           = each.value.zones
   tags = merge(
     local.tags,
-    { constellation-role = "control-plane" },
     { constellation-init-secret-hash = local.initSecretHash },
     { constellation-maa-url = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" },
   )
-  image_id                  = var.image_id
+
+  instance_count            = each.value.instance_count
+  state_disk_size           = each.value.disk_size
+  state_disk_type           = each.value.disk_type
+  location                  = var.location
+  instance_type             = each.value.instance_type
+  confidential_vm           = var.confidential_vm
+  secure_boot               = var.secure_boot
+  resource_group            = var.resource_group
   user_assigned_identity    = var.user_assigned_identity
+  image_id                  = var.image_id
   network_security_group_id = azurerm_network_security_group.security_group.id
   subnet_id                 = azurerm_subnet.node_subnet.id
-  backend_address_pool_ids = [
+  backend_address_pool_ids = each.value.role == "control-plane" ? [
     azurerm_lb_backend_address_pool.all.id,
     module.loadbalancer_backend_control_plane.backendpool_id
-  ]
-}
-
-module "scale_set_worker" {
-  source = "./modules/scale_set"
-
-  name            = "${local.name}-worker"
-  instance_count  = var.worker_count
-  state_disk_size = var.state_disk_size
-  state_disk_type = var.state_disk_type
-  resource_group  = var.resource_group
-  location        = var.location
-  instance_type   = var.instance_type
-  confidential_vm = var.confidential_vm
-  secure_boot     = var.secure_boot
-  tags = merge(
-    local.tags,
-    { constellation-role = "worker" },
-    { constellation-init-secret-hash = local.initSecretHash },
-    { constellation-maa-url = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" },
-  )
-  image_id                  = var.image_id
-  user_assigned_identity    = var.user_assigned_identity
-  network_security_group_id = azurerm_network_security_group.security_group.id
-  subnet_id                 = azurerm_subnet.node_subnet.id
-  backend_address_pool_ids = [
+    ] : [
     azurerm_lb_backend_address_pool.all.id,
-    module.loadbalancer_backend_worker.backendpool_id,
+    module.loadbalancer_backend_worker.backendpool_id
   ]
 }
+
+moved {
+  from = module.scale_set_control_plane
+  to   = module.scale_set_group["control_plane_default"]
+}
+
+moved {
+  from = module.scale_set_worker
+  to   = module.scale_set_group["worker_default"]
+}

cli/internal/terraform/terraform/azure/modules/scale_set/main.tf

@@ -11,6 +11,19 @@ terraform {
   }
 }
 
+locals {
+  tags = merge(
+    var.tags,
+    { constellation-role = var.role },
+    { constellation-node-group = var.node_group_name },
+  )
+  group_uid = random_id.uid.hex
+  name      = "${var.base_name}-${var.role}${local.group_uid}"
+}
+
+resource "random_id" "uid" {
+  byte_length = 4
+}
 resource "random_password" "password" {
   length      = 16
   min_lower   = 1
@@ -20,7 +33,7 @@ resource "random_password" "password" {
 }
 
 resource "azurerm_linux_virtual_machine_scale_set" "scale_set" {
-  name                            = var.name
+  name                            = local.name
   resource_group_name             = var.resource_group
   location                        = var.location
   sku                             = var.instance_type
@@ -34,8 +47,8 @@ resource "azurerm_linux_virtual_machine_scale_set" "scale_set" {
   upgrade_mode                    = "Manual"
   secure_boot_enabled             = var.secure_boot
   source_image_id                 = var.image_id
-  tags                            = var.tags
-
+  tags                            = local.tags
+  zones                           = var.zones
   identity {
     type         = "UserAssigned"
     identity_ids = [var.user_assigned_identity]
@@ -81,6 +94,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "scale_set" {
 
   lifecycle {
     ignore_changes = [
+      name,            # required. Allow legacy scale sets to keep their old names
       instances,       # required. autoscaling modifies the instance count externally
       source_image_id, # required. update procedure modifies the image id externally
     ]

cli/internal/terraform/terraform/azure/modules/scale_set/variables.tf

@@ -1,7 +1,31 @@
-variable "name" {
+variable "base_name" {
   type        = string
-  default     = "constell"
-  description = "Base name of the cluster."
+  description = "Base name of the instance group."
+}
+
+variable "node_group_name" {
+  type        = string
+  description = "Constellation name for the node group (used for configuration and CSP-independent naming)."
+}
+
+variable "role" {
+  type        = string
+  description = "The role of the instance group."
+  validation {
+    condition     = contains(["control-plane", "worker"], var.role)
+    error_message = "The role has to be 'control-plane' or 'worker'."
+  }
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Tags to include in the scale_set."
+}
+
+variable "zones" {
+  type        = list(string)
+  description = "List of availability zones."
+  default     = null
 }
 
 variable "instance_count" {
@@ -61,11 +85,6 @@ variable "subnet_id" {
   description = "The ID of the subnet to use for the scale set."
 }
 
-variable "tags" {
-  type        = map(string)
-  description = "The tags to add to the scale set."
-}
-
 variable "confidential_vm" {
   type        = bool
   default     = true

cli/internal/terraform/terraform/azure/variables.tf

@@ -1,28 +1,22 @@
 variable "name" {
   type        = string
-  default     = "constell"
   description = "Base name of the cluster."
 }
 
-variable "control_plane_count" {
-  type        = number
-  description = "The number of control plane nodes to deploy."
-}
-
-variable "worker_count" {
-  type        = number
-  description = "The number of worker nodes to deploy."
-}
-
-variable "state_disk_size" {
-  type        = number
-  default     = 30
-  description = "The size of the state disk in GB."
-}
-
-variable "resource_group" {
-  type        = string
-  description = "The name of the Azure resource group to create the Constellation cluster in."
+variable "node_groups" {
+  type = map(object({
+    role           = string
+    instance_count = optional(number)
+    instance_type  = string
+    disk_size      = number
+    disk_type      = string
+    zones          = optional(list(string))
+  }))
+  description = "A map of node group names to node group configurations."
+  validation {
+    condition     = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"])
+    error_message = "The role has to be 'control-plane' or 'worker'."
+  }
 }
 
 variable "location" {
@@ -30,27 +24,23 @@ variable "location" {
   description = "The Azure location to deploy the cluster in."
 }
 
-variable "user_assigned_identity" {
-  type        = string
-  description = "The name of the user assigned identity to attache to the nodes of the cluster."
-}
-
-variable "instance_type" {
-  type        = string
-  description = "The Azure instance type to deploy."
-}
-
-variable "state_disk_type" {
-  type        = string
-  default     = "Premium_LRS"
-  description = "The type of the state disk."
-}
-
 variable "image_id" {
   type        = string
   description = "The image to use for the cluster nodes."
 }
 
+variable "create_maa" {
+  type        = bool
+  default     = false
+  description = "Whether to create a Microsoft Azure attestation provider."
+}
+
+variable "debug" {
+  type        = bool
+  default     = false
+  description = "Enable debug mode. This opens up a debugd port that can be used to deploy a custom bootstrapper."
+}
+
 variable "confidential_vm" {
   type        = bool
   default     = true
@@ -63,14 +53,11 @@ variable "secure_boot" {
   description = "Whether to deploy the cluster nodes with secure boot."
 }
 
-variable "create_maa" {
-  type        = bool
-  default     = false
-  description = "Whether to create a Microsoft Azure attestation provider."
+variable "resource_group" {
+  type        = string
+  description = "The name of the Azure resource group to create the Constellation cluster in."
 }
-
-variable "debug" {
-  type        = bool
-  default     = false
-  description = "Enable debug mode. This opens up a debugd port that can be used to deploy a custom bootstrapper."
+variable "user_assigned_identity" {
+  type        = string
+  description = "The name of the user assigned identity to attache to the nodes of the cluster."
 }