Merge pull request #386 from sassoftware/staging

9.3.0 - May 17, 2024

Dockerfile

@@ -1,4 +1,4 @@
-ARG TERRAFORM_VERSION=1.7.3
+ARG TERRAFORM_VERSION=1.8.2
 ARG AZURECLI_VERSION=2.59.0
 
 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform

README.md

@@ -57,7 +57,7 @@ This project supports two options for running Terraform scripts:
 Access to an **Azure Subscription** and an [**Identity**](./docs/user/TerraformAzureAuthentication.md) with the *Contributor* role are required.
 
 #### Terraform Requirements:
-- [Terraform](https://www.terraform.io/downloads.html) - v1.7.3
+- [Terraform](https://www.terraform.io/downloads.html) - v1.8.2
 - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.28.7
 - [jq](https://stedolan.github.io/jq/) - v1.6
 - [Azure CLI](https://docs.microsoft.com/en-us/cli/azure) - (optional - useful as an alternative to the Azure Portal) - v2.59.0

container-structure-test.yaml

@@ -17,7 +17,7 @@ commandTests:
   - name: "terraform version"
     command: "terraform"
     args: ["--version"]
-    expectedOutput: ["Terraform v1.7.3"]
+    expectedOutput: ["Terraform v1.8.2"]
   - name: "python version"
     command: "python3"
     args: ["--version"]

docs/CONFIG-VARS.md

@@ -8,6 +8,7 @@ Supported configuration variables are listed in the tables below.  All variables
   - [Table of Contents](#table-of-contents)
   - [Required Variables](#required-variables)
     - [Azure Authentication](#azure-authentication)
+  - [Role Based Access Control](#role-based-access-control)
   - [Admin Access](#admin-access)
   - [Security](#security)
   - [Networking](#networking)
@@ -53,6 +54,20 @@ For details on how to retrieve that information, see [Azure Help Topics](./user/
 
 For recommendations on how to set these variables in your environment, see [Authenticating Terraform to Access Azure](./user/TerraformAzureAuthentication.md).
 
+## Role Based Access Control
+
+The ability to manage RBAC for Kubernetes resources from Azure gives you the choice to manage RBAC for the cluster resources either using Azure or native Kubernetes mechanisms. For details see [Azure role-based access control](https://docs.microsoft.com/en-us/azure/aks/concepts-identity#azure-rbac-for-kubernetes-authorization).
+
+Following are the possible ways to configure Authentication and Authorization in an AKS cluster:
+1. Authentication using local accounts with Kubernetes RBAC. This is traditionally used and current default, see details [here](https://learn.microsoft.com/en-us/azure/aks/concepts-identity#kubernetes-rbac)
+2. Microsoft Entra authentication with Kubernetes RBAC. See details [here](https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac)
+
+| Name | Description | Type | Default |
+| :--- | ---: | ---: | ---: |
+| rbac_aad_enabled | Enables Azure Active Directory integration with Kubernetes RBAC. | bool  | false |
+| rbac_aad_admin_group_object_ids | A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster. | list(string) | null |
+| rbac_aad_tenant_id | (Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.| string  | |
+
 ## Admin Access
 
 By default, the public endpoints of the Azure resources that are being created

main.tf

@@ -167,6 +167,9 @@ module "aks" {
   aks_uai_id                               = local.aks_uai_id
   client_id                                = var.client_id
   client_secret                            = var.client_secret
+  rbac_aad_tenant_id                       = var.rbac_aad_tenant_id
+  rbac_aad_enabled                         = var.rbac_aad_enabled
+  rbac_aad_admin_group_object_ids          = var.rbac_aad_admin_group_object_ids
   aks_private_cluster                      = var.cluster_api_mode == "private" ? true : false
   depends_on                               = [module.vnet]
 }

modules/azure_aks/main.tf

@@ -52,6 +52,16 @@ resource "azurerm_kubernetes_cluster" "aks" {
     }
   }
 
+  dynamic "azure_active_directory_role_based_access_control" {
+    for_each = var.rbac_aad_enabled ? [1] : []
+    content {
+      managed                 = true
+      tenant_id               = var.rbac_aad_tenant_id
+      admin_group_object_ids  = var.rbac_aad_admin_group_object_ids
+      azure_rbac_enabled      = false
+    }
+  }
+
   default_node_pool {
     name                   = "system"
     vm_size                = var.aks_cluster_node_vm_size

modules/azure_aks/outputs.tf

@@ -2,23 +2,23 @@
 # SPDX-License-Identifier: Apache-2.0
 
 output "client_key" {
-  value = azurerm_kubernetes_cluster.aks.kube_config[0].client_key
+  value = var.rbac_aad_enabled ? azurerm_kubernetes_cluster.aks.kube_admin_config[0].client_key : azurerm_kubernetes_cluster.aks.kube_config[0].client_key
 }
 
 output "client_certificate" {
-  value = azurerm_kubernetes_cluster.aks.kube_config[0].client_certificate
+  value = var.rbac_aad_enabled ? azurerm_kubernetes_cluster.aks.kube_admin_config[0].client_certificate : azurerm_kubernetes_cluster.aks.kube_config[0].client_certificate
 }
 
 output "cluster_ca_certificate" {
-  value = azurerm_kubernetes_cluster.aks.kube_config[0].cluster_ca_certificate
+  value = var.rbac_aad_enabled ? azurerm_kubernetes_cluster.aks.kube_admin_config[0].cluster_ca_certificate : azurerm_kubernetes_cluster.aks.kube_config[0].cluster_ca_certificate
 }
 
 output "cluster_username" {
   value = azurerm_kubernetes_cluster.aks.kube_config[0].username
 }
 
 output "cluster_password" {
-  value = azurerm_kubernetes_cluster.aks.kube_config[0].password
+  value = var.rbac_aad_enabled ? azurerm_kubernetes_cluster.aks.kube_admin_config[0].password : azurerm_kubernetes_cluster.aks.kube_config[0].password
 }
 
 output "kube_config" {

modules/azure_aks/variables.tf

@@ -22,6 +22,24 @@ variable "aks_cluster_location" {
   default     = "eastus"
 }
 
+variable "rbac_aad_enabled" {
+  type        = bool
+  description = "Enables Azure Active Directory integration with Kubernetes RBAC."
+  default     = false
+}
+
+variable "rbac_aad_admin_group_object_ids" {
+  type        = list(string)
+  description = "A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster."
+  default     = null
+}
+
+variable "rbac_aad_tenant_id" {
+  type        = string
+  description = "(Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used."
+  default     = null
+}
+
 variable "aks_cluster_sku_tier" {
   description = "The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free"
   type        = string

variables.tf

@@ -58,6 +58,25 @@ variable "location" {
   default     = "eastus"
 }
 
+## Azure AD
+variable "rbac_aad_enabled" {
+  type        = bool
+  description = "Enables Azure Active Directory integration with Kubernetes RBAC."
+  default     = false
+}
+
+variable "rbac_aad_admin_group_object_ids" {
+  type        = list(string)
+  description = "A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster."
+  default     = null
+}
+
+variable "rbac_aad_tenant_id" {
+  type        = string
+  description = "(Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used."
+  default     = null
+}
+
 variable "aks_cluster_sku_tier" {
   description = "The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free"
   type        = string

versions.tf

@@ -3,7 +3,7 @@
 
 terraform {
 
-  required_version = ">= 1.7.3"
+  required_version = ">= 1.8.0"
 
   required_providers {
     azurerm = {