Azure · lonegunmanb · Jul 13, 2022 · Jun 22, 2022 · Jun 23, 2022 · zioproto
diff --git a/main.tf b/main.tf
@@ -152,8 +152,19 @@ resource "azurerm_kubernetes_cluster" "main" {
   oidc_issuer_enabled = var.oidc_issuer_enabled
 
   tags = var.tags
-}
 
+  lifecycle {
+    precondition {
+      condition     = (var.client_id != "" && var.client_secret != "") || (var.identity_type != "")
+      error_message = "Either `client_id` and `client_secret` or `identity_type` must be set."
+    }
+    precondition {
+      # Why don't use var.identity_ids != null && length(var.identity_ids)>0 ? Because bool expression in Terraform is not short circuit so even var.identity_ids is null Terraform will still invoke length function with null and cause error. https://github.com/hashicorp/terraform/issues/24128
+      condition     = (var.client_id != "" && var.client_secret != "") || (var.identity_type == "SystemAssigned") || (var.identity_ids == null ? false :length(var.identity_ids) > 0)
+      error_message = "If use identity and `UserAssigned` or `SystemAssigned, UserAssigned` is set, an `identity_ids` must be set as well."
+    }
+  }
+}
 
 resource "azurerm_log_analytics_workspace" "main" {
   count               = var.enable_log_analytics_workspace ? 1 : 0

diff --git a/outputs.tf b/outputs.tf
@@ -54,8 +54,8 @@ output "http_application_routing_zone_name" {
   value = azurerm_kubernetes_cluster.main.http_application_routing_zone_name != null ? azurerm_kubernetes_cluster.main.http_application_routing_zone_name : ""
 }
 
-output "system_assigned_identity" {
-  value = azurerm_kubernetes_cluster.main.identity
+output "cluster_identity" {
+  value = try(azurerm_kubernetes_cluster.main.identity[0], null)
 }
 
 output "kubelet_identity" {

diff --git a/test/fixture/outputs.tf b/test/fixture/outputs.tf
@@ -7,7 +7,7 @@ output "test_aks_without_monitor_id" {
 }
 
 output "test_aks_without_monitor_identity" {
-  value = module.aks_without_monitor.system_assigned_identity
+  value = module.aks_without_monitor.cluster_identity
 }
 
 output "test_admin_client_key" {

diff --git a/variables.tf b/variables.tf
@@ -30,12 +30,14 @@ variable "client_id" {
   description = "(Optional) The Client ID (appId) for the Service Principal used for the AKS deployment"
   type        = string
   default     = ""
+  nullable    = false
 }
 
 variable "client_secret" {
   description = "(Optional) The Client Secret (password) for the Service Principal used for the AKS deployment"
   type        = string
   default     = ""
+  nullable    = false
 }
 
 variable "admin_username" {
@@ -328,9 +330,14 @@ variable "ingress_application_gateway_subnet_id" {
 }
 
 variable "identity_type" {
-  description = "(Optional) The type of identity used for the managed cluster. Conflict with `client_id` and `client_secret`. Possible values are `SystemAssigned` and `UserAssigned`. If `UserAssigned` is set, a `user_assigned_identity_id` must be set as well."
+  description = "(Optional) The type of identity used for the managed cluster. Conflict with `client_id` and `client_secret`. Possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`(to enable both). If `UserAssigned` or `SystemAssigned, UserAssigned` is set, an `identity_ids` must be set as well."
   type        = string
   default     = "SystemAssigned"
+
+  validation {
+    condition     = var.identity_type == "SystemAssigned" || var.identity_type == "UserAssigned" || var.identity_type == "SystemAssigned, UserAssigned"
+    error_message = "`identity_type`'s possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`(to enable both)."
+  }
 }
 
 variable "identity_ids" {

diff --git a/versions.tf b/versions.tf
@@ -7,5 +7,5 @@ terraform {
     }
   }
 
-  required_version = ">= 1.1.0"
+  required_version = ">= 1.2"
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,5 +7,5 @@ terraform { @@
         }
       }
-      required_version = ">= 1.1.0"
+      required_version = ">= 1.2"
     }