terraform: fix security rule reconciliation on Azure

[elchead]

Context

In #3257, the migration to defining the network security rules as separate resources was started.
Unfortunately, the concurrent usage of inline and security rule resources causes problems (see https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group). Terraform cannot resolve which declarative state of the rules should be applied if both inline and resources exist, thus making it a concurrency race which resource overwrites the others.

This bug was first observed as part of the weekly Azure TDX Terraform provider test, but it did indeed also fail during the release test with the CLI (https://github.com/edgelesssys/constellation/actions/runs/11402745527/job/31778136903).
The observed behavior was that the Kube API server was not reachable anymore, because the network security rule was missing.
This bug applies also to Azure SEV-SNP, but since the bug is a concurrency race, its manifestation is not deterministic. In fact, the correct behavior happened to occur during the release test on SEV-SNP (https://github.com/edgelesssys/constellation/actions/runs/11402745527/job/31778136329#step:19:874).

The problem can occur on any cluster on Azure and every terraform apply could cause this bug.

Proposed change(s)

By leaving the inline security rules block of the network security group empty, this resource does not reconcile the rules.
Thus, the solution is to fully migrate to separate resources for the security rules.

I propose to do a patch release where users from 2.18 are required to upgrade to 2.19.1 directly.

• remove the inline network security rules on Azure

Additional info

I tested setting up a new cluster with this change and subsequent applies didn’t result in any terraform diff as expected.
The cluster remained reachable.

Upgrade test from v2.18.0 -> v2.19.1
✅ Azure TDX
✅ Azure SEV-SNP

For upgrades from v2.18.0 on Azure, the old security rules are orphaned and should be manually cleaned up by the user:

#!/bin/bash
name="<insert>"  # the name provided in the config
id="<insert>"    # the cluster id

rules=(
  "kubernetes"
  "bootstrapper"
  "verify"
  "recovery"
  "join"
  "debugd"
  "konnectivity"
)

for rule in "${rules[@]}"; do
  echo "Deleting rule: $rule"
  az network nsg rule delete \
    --resource-group "$name-rg" \
    --nsg-name "$name-$id" \
    --name "$rule"
done

echo "All specified rules have been deleted."

Checklist

• Run the E2E tests that are relevant to this PR's changes
• Update docs
• Add labels (e.g., for changelog category)
• Is PR title adequate for changelog?
• Link to Milestone

[netlify]

✅ Deploy Preview for constellation-docs ready!

Name	Link
🔨 Latest commit	e31af63
🔍 Latest deploy log	https://app.netlify.com/sites/constellation-docs/deploys/6723ac5a6150500008359a35
😎 Deploy Preview	https://deploy-preview-3454--constellation-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[elchead]

@3u13r I understand that your intention for the dangling konnectivity rule in #3257 was to enforce that the other rules are deleted, but this should not be necessary afais. Or do you see any issue?

[3u13r]

I understand that your intention for the dangling konnectivity rule in #3257 was to enforce that the other rules are deleted, but this should not be necessary afais. Or do you see any issue?

No, if the posted CI runs succeeds this solution is cleaner in general and is likely to cause less problems in the future.

[elchead]

I'm not sure where the best place for the migration script would be (see Additional Information in the description).

[elchead]

the old code was broken because an empty string "" as substitution for a flag breaks the flag parsing

[elchead]

Furthermore, the upgrade CLI (with potentially simulated patch version) should be used. Previously, the target embedded its own CLI that was always tagged with vNEXT-pre. This doesn't work for simulating a patch upgrade.

[3u13r]

This doesn't work for simulating a patch upgrade.

I thought the idea of simulatedTargetVersion is supposed to solve this problem. If we only use the build CLI to migrate the config, I don't thing simulatedTargetVersion works as intended. We should either fix this or remove it.

Also if we pass the cli path as a flag, then this should be the flow of this e2e test and we remove the cli dependency of the test in bazel. What I'd prefer though is to just also use the simulatedTargetVersion here and remove the flag again.

[elchead]

I decided to keep the explicit cli passing, such that the identical CLI is used for "config migrate" and the rest of the upgrade workflow

[elchead]

a flag should take precedence over ENV

[3u13r]

If you are not already on it, changing PR from draft to open is a good point to actually merge the fixup commits and present a neat commit history.

[3u13r]

We should also document the not necessarily required but at least recommended migration steps in docs/docs/reference/migration.md

[3u13r]

This doesn't work for simulating a patch upgrade.

I thought the idea of simulatedTargetVersion is supposed to solve this problem. If we only use the build CLI to migrate the config, I don't thing simulatedTargetVersion works as intended. We should either fix this or remove it.

Also if we pass the cli path as a flag, then this should be the flow of this e2e test and we remove the cli dependency of the test in bazel. What I'd prefer though is to just also use the simulatedTargetVersion here and remove the flag again.

[elchead]

As discussed with @3u13r, we decided to build the target CLI inside the upgrade job itself, because separating this created several consistency issues for the simulated patch version scenario
The main reason being that the upgrade tool itself didn't have the patched version, but referred to its own embedded version to determine some target versions.

Moreover, the extra job didn't save any time because the CLI is built inside the bazel upgrade target too.

[elchead]

I'd recommend to not make this optional, because we could not change the security rule name back and remove the priority offset in Terraform otherwise.

[elchead]

Once approved, I will backport this to the v2.19 docs

[3u13r]

LGTM

[3u13r]

I don't think we currently enforce any rules regarding * vs -. They seem to be interchangeable. Did your linter change this, or do you have a reason for this preference? I know that docs currently favor * (i.e. are used more). I think we can revert this for now to not have the last commit that changed the line updated and revisit this discussion later.

[thomasten]

We agreed on markdownlint, which (unfortunately) picks the character of the topmost list item on the page. So if you wanted to keep the diff small but still use the linter, you would replace the first item with - in this case.

[elchead]

Upgrade test passed again: https://github.com/edgelesssys/constellation/actions/runs/11615051562