Add arguments to azure_active_directory_role_based_access_control block, turn rbac in test code on.

main.tf

@@ -123,6 +123,8 @@ resource "azurerm_kubernetes_cluster" "main" {
     content {
       managed                = true
       admin_group_object_ids = var.rbac_aad_admin_group_object_ids
+      azure_rbac_enabled     = var.rbac_aad_azure_rbac_enabled
+      tenant_id              = var.rbac_aad_tenant_id
     }
   }
 
@@ -133,6 +135,7 @@ resource "azurerm_kubernetes_cluster" "main" {
       client_app_id     = var.rbac_aad_client_app_id
       server_app_id     = var.rbac_aad_server_app_id
       server_app_secret = var.rbac_aad_server_app_secret
+      tenant_id         = var.rbac_aad_tenant_id
     }
   }
 

test/fixture/main.tf

@@ -31,28 +31,30 @@ resource "azurerm_user_assigned_identity" "test" {
 }
 
 module "aks" {
-  source                          = "../.."
-  prefix                          = "prefix-${random_id.prefix.hex}"
-  resource_group_name             = azurerm_resource_group.main.name
-  client_id                       = var.client_id
-  client_secret                   = var.client_secret
-  network_plugin                  = "azure"
-  vnet_subnet_id                  = azurerm_subnet.test.id
-  os_disk_size_gb                 = 60
-  enable_http_application_routing = true
-  enable_azure_policy             = true
-  enable_host_encryption          = true
-  enable_log_analytics_workspace  = true
-  sku_tier                        = "Paid"
-  private_cluster_enabled         = true
-  enable_auto_scaling             = true
-  agents_min_count                = 1
-  agents_max_count                = 2
-  agents_count                    = null
-  agents_max_pods                 = 100
-  agents_pool_name                = "testnodepool"
-  agents_availability_zones       = ["1", "2"]
-  agents_type                     = "VirtualMachineScaleSets"
+  source                           = "../.."
+  prefix                           = "prefix-${random_id.prefix.hex}"
+  resource_group_name              = azurerm_resource_group.main.name
+  client_id                        = var.client_id
+  client_secret                    = var.client_secret
+  network_plugin                   = "azure"
+  vnet_subnet_id                   = azurerm_subnet.test.id
+  os_disk_size_gb                  = 60
+  enable_http_application_routing  = true
+  enable_azure_policy              = true
+  enable_host_encryption           = true
+  enable_role_based_access_control = true
+  rbac_aad_managed                 = true
+  enable_log_analytics_workspace   = true
+  sku_tier                         = "Paid"
+  private_cluster_enabled          = true
+  enable_auto_scaling              = true
+  agents_min_count                 = 1
+  agents_max_count                 = 2
+  agents_count                     = null
+  agents_max_pods                  = 100
+  agents_pool_name                 = "testnodepool"
+  agents_availability_zones        = ["1", "2"]
+  agents_type                      = "VirtualMachineScaleSets"
 
   agents_labels = {
     "node1" : "label1"
@@ -75,20 +77,24 @@ module "aks" {
 }
 
 module "aks_without_monitor" {
-  source                         = "../.."
-  prefix                         = "prefix2-${random_id.prefix.hex}"
-  resource_group_name            = azurerm_resource_group.main.name
+  source                           = "../.."
+  prefix                           = "prefix2-${random_id.prefix.hex}"
+  resource_group_name              = azurerm_resource_group.main.name
+  enable_role_based_access_control = true
+  rbac_aad_managed                 = true
   #checkov:skip=CKV_AZURE_4:The logging is turn off for demo purpose. DO NOT DO THIS IN PRODUCTION ENVIRONMENT!
-  enable_log_analytics_workspace = false
-  net_profile_pod_cidr           = "10.1.0.0/16"
-  depends_on                     = [azurerm_resource_group.main]
+  enable_log_analytics_workspace   = false
+  net_profile_pod_cidr             = "10.1.0.0/16"
+  depends_on                       = [azurerm_resource_group.main]
 }
 
 module "aks_cluster_name" {
   source                               = "../.."
   cluster_name                         = "test-cluster"
   prefix                               = "prefix"
   resource_group_name                  = azurerm_resource_group.main.name
+  enable_role_based_access_control     = true
+  rbac_aad_managed                     = true
   enable_log_analytics_workspace       = true
   # Not necessary, just for demo purpose.
   admin_username                       = "azureuser"

test/fixture/outputs.tf

@@ -1,70 +1,76 @@
-output "test_aks_id" {
-  value = module.aks.aks_id
-}
-
-output "test_aks_without_monitor_id" {
-  value = module.aks_without_monitor.aks_id
-}
-
-output "test_aks_without_monitor_identity" {
-  value = module.aks_without_monitor.system_assigned_identity
-}
-
-output "test_admin_client_key" {
-  value = module.aks.admin_client_key
-}
-
-output "test_admin_client_certificate" {
-  value = module.aks.admin_client_certificate
-}
-
-output "test_admin_cluster_ca_certificate" {
-  value = module.aks.admin_client_certificate
-}
-
-output "test_admin_host" {
-  value = module.aks.admin_host
-}
-
-output "test_admin_username" {
-  value = module.aks.admin_username
-}
-
-output "test_admin_password" {
-  value = module.aks.admin_password
-}
-
-output "test_client_key" {
-  sensitive = true
-  value     = module.aks.client_key
-}
-
-output "test_client_certificate" {
-  sensitive = true
-  value     = module.aks.client_certificate
-}
-
-output "test_cluster_ca_certificate" {
-  sensitive = true
-  value     = module.aks.client_certificate
-}
-
-output "test_host" {
-  sensitive = true
-  value     = module.aks.host
-}
-
-output "test_username" {
-  sensitive = true
-  value     = module.aks.username
-}
-
-output "test_password" {
-  sensitive = true
-  value     = module.aks.password
-}
-
-output "test_kube_raw" {
-  sensitive = true
-  value     = module.aks.kube_config_raw
-}
+output "test_aks_id" {
+  value = module.aks.aks_id
+}
+
+output "test_aks_without_monitor_id" {
+  value = module.aks_without_monitor.aks_id
+}
+
+output "test_aks_without_monitor_identity" {
+  value = module.aks_without_monitor.system_assigned_identity
+}
+
+output "test_admin_client_key" {
+  sensitive = true
+  value     = module.aks.admin_client_key
+}
+
+output "test_admin_client_certificate" {
+  sensitive = true
+  value     = module.aks.admin_client_certificate
+}
+
+output "test_admin_cluster_ca_certificate" {
+  sensitive = true
+  value     = module.aks.admin_client_certificate
+}
+
+output "test_admin_host" {
+  sensitive = true
+  value     = module.aks.admin_host
+}
+
+output "test_admin_username" {
+  sensitive = true
+  value     = module.aks.admin_username
+}
+
+output "test_admin_password" {
+  sensitive = true
+  value     = module.aks.admin_password
+}
+
+output "test_client_key" {
+  sensitive = true
+  value     = module.aks.client_key
+}
+
+output "test_client_certificate" {
+  sensitive = true
+  value     = module.aks.client_certificate
+}
+
+output "test_cluster_ca_certificate" {
+  sensitive = true
+  value     = module.aks.client_certificate
+}
+
+output "test_host" {
+  sensitive = true
+  value     = module.aks.host
+}
+
+output "test_username" {
+  sensitive = true
+  value     = module.aks.username
+}
+
+output "test_password" {
+  sensitive = true
+  value     = module.aks.password
+}
+
+output "test_kube_raw" {
+  sensitive = true
+  value     = module.aks.kube_config_raw
+}

variables.tf

@@ -150,6 +150,18 @@ variable "rbac_aad_admin_group_object_ids" {
   default     = null
 }
 
+variable "rbac_aad_azure_rbac_enabled" {
+  description = "(Optional) Is Role Based Access Control based on Azure AD enabled?"
+  type        = bool
+  default     = null
+}
+
+variable "rbac_aad_tenant_id" {
+  description = "(Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used."
+  type        = string
+  default     = null
+}
+
 variable "rbac_aad_client_app_id" {
   description = "The Client ID of an Azure Active Directory Application."
   type        = string