Azure Active Directory RBAC enable/disable with new variable rbac_aad

Author: zioproto

README.md

@@ -342,6 +342,7 @@ No modules.
 | <a name="input_private_cluster_public_fqdn_enabled"></a> [private\_cluster\_public\_fqdn\_enabled](#input\_private\_cluster\_public\_fqdn\_enabled)                                               | (Optional) Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to `false`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | `bool`                                                                                                                                                                                                                     | `false`                     |    no    |
 | <a name="input_private_dns_zone_id"></a> [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id)                                                                                                 | (Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this or `None`. In case of `None` you will need to bring your own DNS server and set up resolving, otherwise cluster will have issues after provisioning. Changing this forces a new resource to be created.                                                                                                                                                                                                                                                                                                                                       | `string`                                                                                                                                                                                                                   | `null`                      |    no    |
 | <a name="input_public_ssh_key"></a> [public\_ssh\_key](#input\_public\_ssh\_key)                                                                                                                  | A custom ssh key to control access to the AKS cluster. Changing this forces a new resource to be created.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | `string`                                                                                                                                                                                                                   | `""`                        |    no    |
+| <a name="input_rbac_aad"></a> [rbac\_aad](#input\_rbac\_aad)                                                                                                                                      | (Optional) Is Azure Active Directory ingration enabled?                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | `bool`                                                                                                                                                                                                                     | `true`                      |    no    |
 | <a name="input_rbac_aad_admin_group_object_ids"></a> [rbac\_aad\_admin\_group\_object\_ids](#input\_rbac\_aad\_admin\_group\_object\_ids)                                                         | Object ID of groups with admin access.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | `list(string)`                                                                                                                                                                                                             | `null`                      |    no    |
 | <a name="input_rbac_aad_azure_rbac_enabled"></a> [rbac\_aad\_azure\_rbac\_enabled](#input\_rbac\_aad\_azure\_rbac\_enabled)                                                                       | (Optional) Is Role Based Access Control based on Azure AD enabled?                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | `bool`                                                                                                                                                                                                                     | `null`                      |    no    |
 | <a name="input_rbac_aad_client_app_id"></a> [rbac\_aad\_client\_app\_id](#input\_rbac\_aad\_client\_app\_id)                                                                                      | The Client ID of an Azure Active Directory Application.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | `string`                                                                                                                                                                                                                   | `null`                      |    no    |

examples/named_cluster/main.tf

@@ -74,6 +74,7 @@ module "aks_cluster_name" {
   }
   net_profile_pod_cidr              = "10.1.0.0/16"
   private_cluster_enabled           = true
+  rbac_aad                          = true
   rbac_aad_managed                  = true
   role_based_access_control_enabled = true
 }

examples/startup/main.tf

@@ -78,6 +78,7 @@ module "aks" {
   network_policy                    = "azure"
   os_disk_size_gb                   = 60
   private_cluster_enabled           = true
+  rbac_aad                          = true
   rbac_aad_managed                  = true
   role_based_access_control_enabled = true
   sku_tier                          = "Paid"

examples/without_monitor/main.tf

@@ -43,6 +43,7 @@ module "aks_without_monitor" {
   log_analytics_workspace_enabled   = false
   net_profile_pod_cidr              = "10.1.0.0/16"
   private_cluster_enabled           = true
+  rbac_aad                          = true
   rbac_aad_managed                  = true
   role_based_access_control_enabled = true
 }

main.tf

@@ -98,7 +98,7 @@ resource "azurerm_kubernetes_cluster" "main" {
     }
   }
   dynamic "azure_active_directory_role_based_access_control" {
-    for_each = var.role_based_access_control_enabled && var.rbac_aad_managed ? ["rbac"] : []
+    for_each = var.rbac_aad && var.rbac_aad_managed ? ["rbac"] : []
 
     content {
       admin_group_object_ids = var.rbac_aad_admin_group_object_ids
@@ -108,7 +108,7 @@ resource "azurerm_kubernetes_cluster" "main" {
     }
   }
   dynamic "azure_active_directory_role_based_access_control" {
-    for_each = var.role_based_access_control_enabled && !var.rbac_aad_managed ? ["rbac"] : []
+    for_each = var.rbac_aad && !var.rbac_aad_managed ? ["rbac"] : []
 
     content {
       client_app_id     = var.rbac_aad_client_app_id

variables.tf

@@ -472,6 +472,13 @@ variable "public_ssh_key" {
   default     = ""
 }
 
+variable "rbac_aad" {
+  type        = bool
+  description = "(Optional) Is Azure Active Directory ingration enabled?"
+  default     = true
+  nullable    = false
+}
+
 variable "rbac_aad_admin_group_object_ids" {
   type        = list(string)
   description = "Object ID of groups with admin access."