Azure · lonegunmanb · Jul 11, 2022 · Jul 8, 2022
diff --git a/main.tf b/main.tf
@@ -22,6 +22,7 @@ resource "azurerm_kubernetes_cluster" "main" {
   sku_tier                = var.sku_tier
   private_cluster_enabled = var.private_cluster_enabled
   private_dns_zone_id     = var.private_dns_zone_id
+  local_account_disabled  = var.local_account_disabled
 
   dynamic "linux_profile" {
     for_each = var.admin_username == null ? [] : ["linux_profile"]

diff --git a/test/fixture/main.tf b/test/fixture/main.tf
@@ -72,6 +72,7 @@ module "aks" {
   net_profile_dns_service_ip     = "10.0.0.10"
   net_profile_docker_bridge_cidr = "170.10.0.1/16"
   net_profile_service_cidr       = "10.0.0.0/16"
+  local_account_disabled         = true
 
   depends_on = [azurerm_resource_group.main]
 }
@@ -85,6 +86,7 @@ module "aks_without_monitor" {
   #checkov:skip=CKV_AZURE_4:The logging is turn off for demo purpose. DO NOT DO THIS IN PRODUCTION ENVIRONMENT!
   enable_log_analytics_workspace   = false
   net_profile_pod_cidr             = "10.1.0.0/16"
+  local_account_disabled           = true
   depends_on                       = [azurerm_resource_group.main]
 }
 
@@ -101,6 +103,7 @@ module "aks_cluster_name" {
   cluster_log_analytics_workspace_name = "test-cluster"
   net_profile_pod_cidr                 = "10.1.0.0/16"
   identity_type                        = "UserAssigned"
+  local_account_disabled               = true
   identity_ids                         = [azurerm_user_assigned_identity.test.id]
   depends_on                           = [azurerm_resource_group.main]
 }
diff --git a/variables.tf b/variables.tf
@@ -419,3 +419,9 @@ variable "secret_rotation_interval" {
   default     = "2m"
   nullable    = false
 }
+
+variable "local_account_disabled" {
+  description = "(Optional) - If `true` local accounts will be disabled. Defaults to `false`. See [the documentation](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts) for more information."
+  type        = bool
+  default     = null
+}