Makes linux_profile dynamic and NO linux_profile block by default. All existing cluster need to assign admin_username(which default value is azureuser) explicitly OR THE CLUSTER WILL BE REPLACED!

Author: lonegunmanb

main.tf

@@ -22,12 +22,15 @@ resource "azurerm_kubernetes_cluster" "main" {
   sku_tier                = var.sku_tier
   private_cluster_enabled = var.private_cluster_enabled
 
-  linux_profile {
-    admin_username = var.admin_username
+  dynamic "linux_profile" {
+    for_each = var.admin_username == null ? [] : ["linux_profile"]
+    content {
+      admin_username = var.admin_username
 
-    ssh_key {
-      # remove any new lines using the replace interpolation function
-      key_data = replace(coalesce(var.public_ssh_key, tls_private_key.ssh.public_key_openssh), "\n", "")
+      ssh_key {
+        # remove any new lines using the replace interpolation function
+        key_data = replace(coalesce(var.public_ssh_key, tls_private_key.ssh.public_key_openssh), "\n", "")
+      }
     }
   }
 

outputs.tf

@@ -132,11 +132,11 @@ output "open_service_mesh_enabled" {
 
 output "generated_cluster_public_ssh_key" {
   description = "The cluster will use this generated public key as ssh key when `var.public_ssh_key` is empty or null."
-  value       = var.public_ssh_key == "" || var.public_ssh_key == null ? tls_private_key.ssh.public_key_openssh : null
+  value       = try(azurerm_kubernetes_cluster.main.linux_profile[0], null) != null ? (var.public_ssh_key == "" || var.public_ssh_key == null ? tls_private_key.ssh.public_key_openssh : null) : null
 }
 
 output "generated_cluster_private_ssh_key" {
   description = "The cluster will use this generated private key as ssh key when `var.public_ssh_key` is empty or null."
   sensitive   = true
-  value       = var.public_ssh_key == "" || var.public_ssh_key == null ? tls_private_key.ssh.private_key_pem : null
+  value       = try(azurerm_kubernetes_cluster.main.linux_profile[0], null) != null ? (var.public_ssh_key == "" || var.public_ssh_key == null ? tls_private_key.ssh.private_key_pem : null) : null
 }

test/fixture/main.tf

@@ -88,6 +88,8 @@ module "aks_cluster_name" {
   prefix                               = "prefix"
   resource_group_name                  = azurerm_resource_group.main.name
   enable_log_analytics_workspace       = true
+  # Not necessary, just for demo purpose.
+  admin_username                       = "azureuser"
   cluster_log_analytics_workspace_name = "test-cluster"
   net_profile_pod_cidr                 = "10.1.0.0/16"
   identity_type                        = "UserAssigned"

variables.tf

@@ -39,8 +39,8 @@ variable "client_secret" {
 }
 
 variable "admin_username" {
-  default     = "azureuser"
-  description = "The username of the local administrator to be created on the Kubernetes cluster"
+  default     = null
+  description = "The username of the local administrator to be created on the Kubernetes cluster. Set this variable to `null` to turn off the cluster's `linux_profile`. Changing this forces a new resource to be created."
   type        = string
 }
 
@@ -69,7 +69,7 @@ variable "agents_count" {
 }
 
 variable "public_ssh_key" {
-  description = "A custom ssh key to control access to the AKS cluster"
+  description = "A custom ssh key to control access to the AKS cluster. Changing this forces a new resource to be created."
   type        = string
   default     = ""
 }