Merged
1 change: 1 addition & 0 deletions README.md
@@ -342,6 +342,7 @@ No modules.
| <a name="input_private_cluster_public_fqdn_enabled"></a> [private\_cluster\_public\_fqdn\_enabled](#input\_private\_cluster\_public\_fqdn\_enabled) | (Optional) Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to `false`. | `bool` | `false` | no |
| <a name="input_private_dns_zone_id"></a> [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id) | (Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this or `None`. In case of `None` you will need to bring your own DNS server and set up resolving, otherwise cluster will have issues after provisioning. Changing this forces a new resource to be created. | `string` | `null` | no |
| <a name="input_public_ssh_key"></a> [public\_ssh\_key](#input\_public\_ssh\_key) | A custom ssh key to control access to the AKS cluster. Changing this forces a new resource to be created. | `string` | `""` | no |
| <a name="input_rbac_aad"></a> [rbac\_aad](#input\_rbac\_aad) | (Optional) Is Azure Active Directory ingration enabled? | `bool` | `true` | no |
| <a name="input_rbac_aad_admin_group_object_ids"></a> [rbac\_aad\_admin\_group\_object\_ids](#input\_rbac\_aad\_admin\_group\_object\_ids) | Object ID of groups with admin access. | `list(string)` | `null` | no |
| <a name="input_rbac_aad_azure_rbac_enabled"></a> [rbac\_aad\_azure\_rbac\_enabled](#input\_rbac\_aad\_azure\_rbac\_enabled) | (Optional) Is Role Based Access Control based on Azure AD enabled? | `bool` | `null` | no |
| <a name="input_rbac_aad_client_app_id"></a> [rbac\_aad\_client\_app\_id](#input\_rbac\_aad\_client\_app\_id) | The Client ID of an Azure Active Directory Application. | `string` | `null` | no |
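Review bot: the description in the new `rbac_aad` row reads "ingration" (the same text appears in the `variables.tf` declaration added by this PR); correct it to "integration" so the generated docs do not carry the typo. The row should also state that `rbac_aad = true` now requires `role_based_access_control_enabled = true`, since this PR adds a `precondition` in `main.tf` enforcing exactly that and a reader of the README has no other way to learn about it.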
1 change: 1 addition & 0 deletions examples/named_cluster/main.tf
@@ -74,6 +74,7 @@ module "aks_cluster_name" {
}
net_profile_pod_cidr = "10.1.0.0/16"
private_cluster_enabled = true
rbac_aad = true
rbac_aad_managed = true
role_based_access_control_enabled = true
}
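Review bot: the three example clusters (this one, `examples/startup/main.tf` and `examples/without_monitor/main.tf`) all set `rbac_aad = true`, which is the declared default, so none of them exercises the new `false` path. Consider having one example set `rbac_aad = false` together with `role_based_access_control_enabled = true`, so the case where neither `azure_active_directory_role_based_access_control` block is rendered is covered by the example plans and the new `precondition` is shown passing in that configuration.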
1 change: 1 addition & 0 deletions examples/startup/main.tf
@@ -78,6 +78,7 @@ module "aks" {
network_policy = "azure"
os_disk_size_gb = 60
private_cluster_enabled = true
rbac_aad = true
rbac_aad_managed = true
role_based_access_control_enabled = true
sku_tier = "Paid"
1 change: 1 addition & 0 deletions examples/without_monitor/main.tf
@@ -43,6 +43,7 @@ module "aks_without_monitor" {
log_analytics_workspace_enabled = false
net_profile_pod_cidr = "10.1.0.0/16"
private_cluster_enabled = true
rbac_aad = true
rbac_aad_managed = true
role_based_access_control_enabled = true
}
8 changes: 6 additions & 2 deletions main.tf
@@ -98,7 +98,7 @@ resource "azurerm_kubernetes_cluster" "main" {
}
}
dynamic "azure_active_directory_role_based_access_control" {
for_each = var.role_based_access_control_enabled && var.rbac_aad_managed ? ["rbac"] : []
for_each = var.role_based_access_control_enabled && var.rbac_aad && var.rbac_aad_managed ? ["rbac"] : []

content {
admin_group_object_ids = var.rbac_aad_admin_group_object_ids
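Review bot: with `var.rbac_aad = false` and `var.role_based_access_control_enabled = true`, neither `azure_active_directory_role_based_access_control` dynamic block is rendered, so the cluster is created with Kubernetes RBAC and no Azure AD integration. Before this change `role_based_access_control_enabled = true` always rendered one of the two blocks, so this is a new combination that the module now supports; it deserves a sentence in the `rbac_aad` description and a changelog entry rather than being discoverable only from these two `for_each` expressions. Keeping `rbac_aad` as `nullable = false` is what makes the bare `&&` here safe.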
@@ -108,7 +108,7 @@ resource "azurerm_kubernetes_cluster" "main" {
}
}
dynamic "azure_active_directory_role_based_access_control" {
for_each = var.role_based_access_control_enabled && !var.rbac_aad_managed ? ["rbac"] : []
for_each = var.role_based_access_control_enabled && var.rbac_aad && !var.rbac_aad_managed ? ["rbac"] : []

content {
client_app_id = var.rbac_aad_client_app_id
@@ -256,6 +256,10 @@ resource "azurerm_kubernetes_cluster" "main" {
condition = local.automatic_channel_upgrade_check
error_message = "Either disable automatic upgrades, or only specify up to the minor version when using `automatic_channel_upgrade=patch` or don't specify `kubernetes_version` at all when using `automatic_channel_upgrade=stable|rapid|node-image`. With automatic upgrades `orchestrator_version` must be set to `null`."
}
precondition {
condition = var.role_based_access_control_enabled || !var.rbac_aad
error_message = "Enabling Azure Active Directory integration requires that `role_based_access_control_enabled` be set to true."
}
}
}
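Review bot: the condition `var.role_based_access_control_enabled || !var.rbac_aad` correctly encodes "`rbac_aad` implies `role_based_access_control_enabled`", but because `rbac_aad` defaults to `true`, an existing caller that sets `role_based_access_control_enabled = false` and is unaware of the new variable will now fail at plan time with this message even though they never asked for Azure AD integration. Either call this out as a breaking change in the release notes, or make the error message actionable by naming both remedies, e.g. "Set `rbac_aad = false` to disable Azure Active Directory integration, or set `role_based_access_control_enabled = true`." Placing the check as a resource `precondition` is the right choice, since it rejects the configuration during plan instead of after the API call.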

7 changes: 7 additions & 0 deletions variables.tf
@@ -472,6 +472,13 @@ variable "public_ssh_key" {
default = ""
}

variable "rbac_aad" {
type = bool
description = "(Optional) Is Azure Active Directory ingration enabled?"
default = true
nullable = false
}

variable "rbac_aad_admin_group_object_ids" {
type = list(string)
description = "Object ID of groups with admin access."
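Review bot: the description of `rbac_aad` should document how it interacts with the other RBAC inputs: it is only meaningful when `role_based_access_control_enabled = true` (enforced by the new `precondition` in `main.tf`), and when set to `false` with RBAC enabled the cluster keeps Kubernetes RBAC but no `azure_active_directory_role_based_access_control` block is configured. A one-question description does not tell a caller either of those things. `nullable = false` together with `default = true` is the right declaration here, as the variable is consumed directly in the `for_each` boolean expressions.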