Introduce variable rbac_aad

Author: zioproto

README.md

@@ -333,6 +333,7 @@ No modules.
 | <a name="input_private_cluster_public_fqdn_enabled"></a> [private\_cluster\_public\_fqdn\_enabled](#input\_private\_cluster\_public\_fqdn\_enabled)                           | (Optional) Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to `false`.                                                                                                                                                                                                                        | `bool`                                                                                                                                                                                                                     | `false`                     |    no    |
 | <a name="input_private_dns_zone_id"></a> [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id)                                                                             | (Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this or `None`. In case of `None` you will need to bring your own DNS server and set up resolving, otherwise cluster will have issues after provisioning. Changing this forces a new resource to be created. | `string`                                                                                                                                                                                                                   | `null`                      |    no    |
 | <a name="input_public_ssh_key"></a> [public\_ssh\_key](#input\_public\_ssh\_key)                                                                                              | A custom ssh key to control access to the AKS cluster. Changing this forces a new resource to be created.                                                                                                                                                                                                                        | `string`                                                                                                                                                                                                                   | `""`                        |    no    |
+| <a name="input_rbac_aad"></a> [rbac\_aad](#input\_rbac\_aad)                                                                                                                  | (Optional) Is Azure Active Directory ingration enabled?                                                                                                                                                                                                                                                                          | `bool`                                                                                                                                                                                                                     | `false`                     |    no    |
 | <a name="input_rbac_aad_admin_group_object_ids"></a> [rbac\_aad\_admin\_group\_object\_ids](#input\_rbac\_aad\_admin\_group\_object\_ids)                                     | Object ID of groups with admin access.                                                                                                                                                                                                                                                                                           | `list(string)`                                                                                                                                                                                                             | `null`                      |    no    |
 | <a name="input_rbac_aad_azure_rbac_enabled"></a> [rbac\_aad\_azure\_rbac\_enabled](#input\_rbac\_aad\_azure\_rbac\_enabled)                                                   | (Optional) Is Role Based Access Control based on Azure AD enabled?                                                                                                                                                                                                                                                               | `bool`                                                                                                                                                                                                                     | `null`                      |    no    |
 | <a name="input_rbac_aad_client_app_id"></a> [rbac\_aad\_client\_app\_id](#input\_rbac\_aad\_client\_app\_id)                                                                  | The Client ID of an Azure Active Directory Application.                                                                                                                                                                                                                                                                          | `string`                                                                                                                                                                                                                   | `null`                      |    no    |

examples/named_cluster/main.tf

@@ -74,6 +74,7 @@ module "aks_cluster_name" {
   }
   net_profile_pod_cidr              = "10.1.0.0/16"
   private_cluster_enabled           = true
+  rbac_aad                          = true
   rbac_aad_managed                  = true
   role_based_access_control_enabled = true
 }

examples/startup/main.tf

@@ -76,6 +76,7 @@ module "aks" {
   network_policy                    = "azure"
   os_disk_size_gb                   = 60
   private_cluster_enabled           = true
+  rbac_aad                          = true
   rbac_aad_managed                  = true
   role_based_access_control_enabled = true
   sku_tier                          = "Paid"
@@ -87,4 +88,4 @@ module "aks" {
   agents_tags = {
     "Agent" : "agentTag"
   }
-}
+}

examples/without_monitor/main.tf

@@ -43,6 +43,7 @@ module "aks_without_monitor" {
   log_analytics_workspace_enabled   = false
   net_profile_pod_cidr              = "10.1.0.0/16"
   private_cluster_enabled           = true
+  rbac_aad                          = true
   rbac_aad_managed                  = true
   role_based_access_control_enabled = true
 }

main.tf

@@ -95,7 +95,7 @@ resource "azurerm_kubernetes_cluster" "main" {
     }
   }
   dynamic "azure_active_directory_role_based_access_control" {
-    for_each = var.role_based_access_control_enabled && local.rbac_aad_azure_rbac_enabled && var.rbac_aad_managed ? ["rbac"] : []
+    for_each = var.rbac_aad && var.rbac_aad_managed ? ["rbac"] : []
 
     content {
       admin_group_object_ids = var.rbac_aad_admin_group_object_ids
@@ -105,7 +105,7 @@ resource "azurerm_kubernetes_cluster" "main" {
     }
   }
   dynamic "azure_active_directory_role_based_access_control" {
-    for_each = var.role_based_access_control_enabled && local.rbac_aad_azure_rbac_enabled && !var.rbac_aad_managed ? ["rbac"] : []
+    for_each = var.rbac_aad && !var.rbac_aad_managed ? ["rbac"] : []
 
     content {
       client_app_id     = var.rbac_aad_client_app_id

variables.tf

@@ -409,6 +409,13 @@ variable "public_ssh_key" {
   default     = ""
 }
 
+variable "rbac_aad" {
+  type        = bool
+  description = "(Optional) Is Azure Active Directory ingration enabled?"
+  default     = false
+  nullable    = false
+}
+
 variable "rbac_aad_admin_group_object_ids" {
   type        = list(string)
   description = "Object ID of groups with admin access."
@@ -501,4 +508,4 @@ variable "workload_identity_enabled" {
   description = "Enable or Disable Workload Identity. Defaults to false."
   type        = bool
   default     = false
-}
+}