add msi_auth_for_monitoring_enabled (Azure#446)

admincasper · skolobov · commit 8de23a7f5f6d · 2023-10-30T00:57:56.000+01:00
* add msi_auth_for_monitoring_enabled
diff --git a/README.md b/README.md
@@ -336,6 +336,7 @@ No modules.
 | <a name="input_maintenance_window_node_os"></a> [maintenance\_window\_node\_os](#input\_maintenance\_window\_node\_os) | - `day_of_month` -<br>- `day_of_week` - (Optional) The day of the week for the maintenance run. Options are `Monday`, `Tuesday`, `Wednesday`, `Thurday`, `Friday`, `Saturday` and `Sunday`. Required in combination with weekly frequency.<br>- `duration` - (Required) The duration of the window for maintenance to run in hours.<br>- `frequency` - (Required) Frequency of maintenance. Possible options are `Daily`, `Weekly`, `AbsoluteMonthly` and `RelativeMonthly`.<br>- `interval` - (Required) The interval for maintenance runs. Depending on the frequency this interval is week or month based.<br>- `start_date` - (Optional) The date on which the maintenance window begins to take effect.<br>- `start_time` - (Optional) The time for maintenance to begin, based on the timezone determined by `utc_offset`. Format is `HH:mm`.<br>- `utc_offset` - (Optional) Used to determine the timezone for cluster maintenance.<br>- `week_index` - (Optional) The week in the month used for the maintenance run. Options are `First`, `Second`, `Third`, `Fourth`, and `Last`.<br><br>---<br>`not_allowed` block supports the following:<br>- `end` - (Required) The end of a time span, formatted as an RFC3339 string.<br>- `start` - (Required) The start of a time span, formatted as an RFC3339 string. | <pre>object({<br>    day_of_month = optional(number)<br>    day_of_week  = optional(string)<br>    duration     = number<br>    frequency    = string<br>    interval     = number<br>    start_date   = optional(string)<br>    start_time   = optional(string)<br>    utc_offset   = optional(string)<br>    week_index   = optional(string)<br>    not_allowed = optional(set(object({<br>      end   = string<br>      start = string<br>    })))<br>  })</pre> | `null` | no |
 | <a name="input_microsoft_defender_enabled"></a> [microsoft\_defender\_enabled](#input\_microsoft\_defender\_enabled) | (Optional) Is Microsoft Defender on the cluster enabled? Requires `var.log_analytics_workspace_enabled` to be `true` to set this variable to `true`. | `bool` | `false` | no |
 | <a name="input_monitor_metrics"></a> [monitor\_metrics](#input\_monitor\_metrics) | (Optional) Specifies a Prometheus add-on profile for the Kubernetes Cluster<br>object({<br>  annotations\_allowed = "(Optional) Specifies a comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric."<br>  labels\_allowed      = "(Optional) Specifies a Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric."<br>}) | <pre>object({<br>    annotations_allowed = optional(string)<br>    labels_allowed      = optional(string)<br>  })</pre> | `null` | no |
+| <a name="input_msi_auth_for_monitoring_enabled"></a> [msi\_auth\_for\_monitoring\_enabled](#input\_msi\_auth\_for\_monitoring\_enabled) | (Optional) Is managed identity authentication for monitoring enabled? | `bool` | `null` | no |
 | <a name="input_net_profile_dns_service_ip"></a> [net\_profile\_dns\_service\_ip](#input\_net\_profile\_dns\_service\_ip) | (Optional) IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created. | `string` | `null` | no |
 | <a name="input_net_profile_outbound_type"></a> [net\_profile\_outbound\_type](#input\_net\_profile\_outbound\_type) | (Optional) The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer and userDefinedRouting. Defaults to loadBalancer. | `string` | `"loadBalancer"` | no |
 | <a name="input_net_profile_pod_cidr"></a> [net\_profile\_pod\_cidr](#input\_net\_profile\_pod\_cidr) | (Optional) The CIDR to use for pod IP addresses. This field can only be set when network\_plugin is set to kubenet. Changing this forces a new resource to be created. | `string` | `null` | no |
diff --git a/main.tf b/main.tf
@@ -445,7 +445,8 @@ resource "azurerm_kubernetes_cluster" "main" {
     for_each = var.log_analytics_workspace_enabled ? ["oms_agent"] : []
 
     content {
-      log_analytics_workspace_id = local.log_analytics_workspace.id
+      log_analytics_workspace_id      = local.log_analytics_workspace.id
+      msi_auth_for_monitoring_enabled = var.msi_auth_for_monitoring_enabled
     }
   }
   dynamic "service_principal" {
diff --git a/variables.tf b/variables.tf
@@ -689,6 +689,12 @@ variable "maintenance_window_node_os" {
 EOT
 }
 
+variable "msi_auth_for_monitoring_enabled" {
+  type        = bool
+  default     = null
+  description = "(Optional) Is managed identity authentication for monitoring enabled?"
+}
+
 variable "microsoft_defender_enabled" {
   type        = bool
   default     = false

Original file line number	Diff line number	Diff line change
`@@ -445,7 +445,8 @@ resource "azurerm_kubernetes_cluster" "main" {`
`445`	`445`	`for_each = var.log_analytics_workspace_enabled ? ["oms_agent"] : []`
`446`	`446`
`447`	`447`	`content {`
`448`		`- log_analytics_workspace_id = local.log_analytics_workspace.id`
	`448`	`+ log_analytics_workspace_id = local.log_analytics_workspace.id`
	`449`	`+ msi_auth_for_monitoring_enabled = var.msi_auth_for_monitoring_enabled`
`449`	`450`	`}`
`450`	`451`	`}`
`451`	`452`	`dynamic "service_principal" {`