feat: add ICF compatibility to AKS module

grubmeshi · Copilot · grubmeshi · commit 9baab2e333f4 · 2026-02-27T08:37:26.000+01:00
Add manage_meshstack_platform flag, quota_definitions,
documentation_url, support_url, landing_zone tags/quotas,
and infrastructure outputs.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/modules/aks/meshstack_integration.tf b/modules/aks/meshstack_integration.tf
@@ -1,3 +1,9 @@
+variable "manage_meshstack_platform" {
+  description = "Whether to create meshstack_platform and meshstack_landingzone resources. Set to false for infra-only deployments."
+  type    = bool
+  default = true
+}
+
 variable "aks" {
   description = "AKS cluster infrastructure and service principal configuration."
   type = object({
@@ -36,14 +42,17 @@ variable "aks" {
 }
 
 variable "meshstack_platform" {
-  description = "meshStack platform and landing zone registration."
+  description = "meshStack platform and landing zone registration. Required when manage_meshstack_platform is true."
+  default     = null
   type = object({
     owning_workspace_identifier = string
     platform_identifier         = string
     location_identifier         = optional(string, "global")
 
-    display_name = optional(string, "AKS Namespace")
-    description  = optional(string, "Azure Kubernetes Service (AKS). Create a k8s namespace in our AKS cluster.")
+    display_name      = optional(string, "AKS Namespace")
+    description       = optional(string, "Azure Kubernetes Service (AKS). Create a k8s namespace in our AKS cluster.")
+    documentation_url = optional(string)
+    support_url       = optional(string)
 
     disable_ssl_validation     = optional(bool, true)
     group_name_pattern         = optional(string, "aks-#{workspaceIdentifier}.#{projectIdentifier}-#{platformGroupAlias}")
@@ -52,12 +61,27 @@ variable "meshstack_platform" {
     send_azure_invitation_mail = optional(bool, false)
     redirect_url               = optional(string)
 
+    quota_definitions = optional(list(object({
+      quota_key               = string
+      label                   = string
+      description             = string
+      unit                    = string
+      max_value               = number
+      min_value               = number
+      auto_approval_threshold = number
+    })), [])
+
     landing_zone = optional(object({
       name                          = optional(string)
       display_name                  = optional(string, "AKS Default")
       description                   = optional(string, "Default AKS landing zone")
       automate_deletion_approval    = optional(bool, true)
       automate_deletion_replication = optional(bool, true)
+      tags                          = optional(map(list(string)), {})
+      quotas = optional(list(object({
+        key   = string
+        value = number
+      })), [])
       kubernetes_role_mappings = optional(list(object({
         platform_roles   = list(string)
         project_role_ref = object({ name = string })
@@ -84,10 +108,10 @@ terraform {
 }
 
 locals {
-  landing_zone_name = coalesce(
+  landing_zone_name = var.manage_meshstack_platform ? coalesce(
     var.meshstack_platform.landing_zone.name,
     "${var.meshstack_platform.platform_identifier}-default"
-  )
+  ) : null
 }
 
 module "aks_meshplatform" {
@@ -116,15 +140,19 @@ data "azuread_domains" "aad_domains" {
 }
 
 resource "meshstack_platform" "aks" {
+  count = var.manage_meshstack_platform ? 1 : 0
+
   metadata = {
     name               = var.meshstack_platform.platform_identifier
     owned_by_workspace = var.meshstack_platform.owning_workspace_identifier
   }
 
   spec = {
-    description  = var.meshstack_platform.description
-    display_name = var.meshstack_platform.display_name
-    endpoint     = var.aks.base_url
+    description       = var.meshstack_platform.description
+    display_name      = var.meshstack_platform.display_name
+    documentation_url = var.meshstack_platform.documentation_url
+    support_url       = var.meshstack_platform.support_url
+    endpoint          = var.aks.base_url
 
     location_ref = {
       name = var.meshstack_platform.location_identifier
@@ -179,20 +207,25 @@ resource "meshstack_platform" "aks" {
         }
       }
     }
+
+    quota_definitions = var.meshstack_platform.quota_definitions
   }
 }
 
 resource "meshstack_landingzone" "aks_default" {
+  count = var.manage_meshstack_platform ? 1 : 0
+
   metadata = {
     name               = local.landing_zone_name
     owned_by_workspace = var.meshstack_platform.owning_workspace_identifier
+    tags               = var.meshstack_platform.landing_zone.tags
   }
 
   spec = {
     description  = var.meshstack_platform.landing_zone.description
     display_name = var.meshstack_platform.landing_zone.display_name
 
-    platform_ref = meshstack_platform.aks.metadata
+    platform_ref = meshstack_platform.aks[0].metadata
 
     automate_deletion_approval    = var.meshstack_platform.landing_zone.automate_deletion_approval
     automate_deletion_replication = var.meshstack_platform.landing_zone.automate_deletion_replication
@@ -202,14 +235,40 @@ resource "meshstack_landingzone" "aks_default" {
         kubernetes_role_mappings = var.meshstack_platform.landing_zone.kubernetes_role_mappings
       }
     }
+
+    quotas = var.meshstack_platform.landing_zone.quotas
   }
 }
 
 output "aks" {
-  description = "AKS platform identifiers for use as var.aks in the starterkit."
-  value = {
-    full_platform_identifier     = "${meshstack_platform.aks.metadata.name}.${var.meshstack_platform.location_identifier}"
-    landing_zone_dev_identifier  = meshstack_landingzone.aks_default.metadata.name
-    landing_zone_prod_identifier = meshstack_landingzone.aks_default.metadata.name
-  }
+  description = "AKS platform identifiers for use as var.aks in the starterkit. Null when manage_meshstack_platform is false."
+  value = var.manage_meshstack_platform ? {
+    full_platform_identifier     = "${meshstack_platform.aks[0].metadata.name}.${var.meshstack_platform.location_identifier}"
+    landing_zone_dev_identifier  = meshstack_landingzone.aks_default[0].metadata.name
+    landing_zone_prod_identifier = meshstack_landingzone.aks_default[0].metadata.name
+  } : null
+}
+
+output "replicator_token" {
+  description = "Replicator service account token."
+  value       = module.aks_meshplatform.replicator_token
+  sensitive   = true
+}
+
+output "metering_token" {
+  description = "Metering service account token."
+  value       = module.aks_meshplatform.metering_token
+  sensitive   = true
+}
+
+output "replicator_service_principal" {
+  description = "Replicator Service Principal."
+  value       = module.aks_meshplatform.replicator_service_principal
+  sensitive   = true
+}
+
+output "replicator_service_principal_password" {
+  description = "Password for Replicator Service Principal."
+  value       = module.aks_meshplatform.replicator_service_principal_password
+  sensitive   = true
 }
