KUBE-1856: Expose EncryptionAtHost AKS setting in terraform. (#665)

* Add EncryptionAtHost field to nodeconfig

* Update docs

* Regenerate SDK

Author: Tsonov

castai/resource_node_configuration.go

@@ -48,6 +48,7 @@ const (
 	FieldNodeConfigurationAKSApplicationSecurityGroups = "application_security_groups"
 	FieldNodeConfigurationAKSPublicIP                  = "public_ip"
 	FieldNodeConfigurationAKSPodSubnetID               = "pod_subnet_id"
+	FieldNodeConfigurationAKSEncryptionAtHost          = "enable_encryption_at_host"
 )
 
 const (
@@ -491,6 +492,11 @@ func resourceNodeConfiguration() *schema.Resource {
 							Optional:    true,
 							Description: "ID of pod subnet to be used for provisioned nodes.",
 						},
+						FieldNodeConfigurationAKSEncryptionAtHost: {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Description: "Whether to enable encryption at host for provisioned nodes. See https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption#encryption-at-host---end-to-end-encryption-for-your-vm-data",
+						},
 					},
 				},
 			},
@@ -1190,6 +1196,10 @@ func toAKSSConfig(obj map[string]interface{}) *sdk.NodeconfigV1AKSConfig {
 		out.PodSubnetId = toPtr(v)
 	}
 
+	if v, ok := obj[FieldNodeConfigurationAKSEncryptionAtHost].(bool); ok {
+		out.EnableEncryptionAtHost = toPtr(v)
+	}
+
 	return out
 }
 
@@ -1386,6 +1396,10 @@ func flattenAKSConfig(config *sdk.NodeconfigV1AKSConfig) []map[string]interface{
 		m[FieldNodeConfigurationAKSPodSubnetID] = *v
 	}
 
+	if v := config.EnableEncryptionAtHost; v != nil {
+		m[FieldNodeConfigurationAKSEncryptionAtHost] = *v
+	}
+
 	return []map[string]interface{}{m}
 }
 

castai/resource_node_configuration_test.go

@@ -376,3 +376,55 @@ func Test_NodeConfiguration_UpdateContext(t *testing.T) {
 		})
 	}
 }
+
+func TestToAKSSConfig_EnableEncryptionAtHost(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    any
+		expected any
+	}{
+		{name: "true", input: true, expected: true},
+		{name: "false", input: false, expected: false},
+		{name: "nil", input: nil, expected: nil},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			out := toAKSSConfig(map[string]any{
+				FieldNodeConfigurationAKSEncryptionAtHost: tt.input,
+			})
+
+			if tt.expected == nil {
+				require.Nil(t, out.EnableEncryptionAtHost)
+			} else {
+				require.Equal(t, tt.expected, *out.EnableEncryptionAtHost)
+			}
+		})
+	}
+
+	t.Run("empty", func(t *testing.T) {
+		out := toAKSSConfig(map[string]any{})
+
+		require.Nil(t, out.EnableEncryptionAtHost)
+	})
+}
+
+func TestFlattenAKSConfig_EnableEncryptionAtHost(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    *bool
+		expected any
+	}{
+		{name: "true", input: toPtr(true), expected: true},
+		{name: "false", input: toPtr(false), expected: false},
+		{name: "nil", input: nil, expected: nil},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := flattenAKSConfig(&sdk.NodeconfigV1AKSConfig{
+				EnableEncryptionAtHost: tt.input,
+			})
+			require.Len(t, result, 1)
+			require.Equal(t, tt.expected, result[0][FieldNodeConfigurationAKSEncryptionAtHost])
+		})
+	}
+}