Added aad auth to AKS

aks.tf

@@ -4,6 +4,14 @@ resource "tls_private_key" "ssh" {
   rsa_bits  = 4096
 }
 
+# NOTE: Requires "Azure Active Directory Graph" "Directory.ReadWrite.All" Application API permission
+resource "azuread_group" "aks_admins" {
+  count = var.aad_auth_enabled ? 1 : 0
+
+  name        = "${var.name}-aks-administrators"
+  description = "${var.name} Kubernetes cluster administrators"
+}
+
 resource "azurerm_kubernetes_cluster" "aks" {
   name                = var.name
   location            = var.location
@@ -49,13 +57,16 @@ resource "azurerm_kubernetes_cluster" "aks" {
   role_based_access_control {
     enabled = true
 
-    # TODO: Enable AAD auth: https://app.zenhub.com/workspaces/aks-nexus-velero-5e602702ee332f0fc76d35dd/issues/adamrushuk/aks-nexus-velero/105
-    # azure_active_directory {
-    #   managed = true
-    #   admin_group_object_ids = [
-    #     data.azuread_group.aks.id
-    #   ]
-    # }
+    # conditional dynamic block
+    dynamic "azure_active_directory" {
+      for_each = var.aad_auth_enabled ? [1] : []
+      content {
+        managed = true
+        admin_group_object_ids = [
+          azuread_group.aks_admins[0].id
+        ]
+      }
+    }
   }
 
   addon_profile {

locals.tf

@@ -1,4 +1,3 @@
-
 locals {
   # TODO: consider moving defaults to object var, as per: https://binx.io/blog/2020/01/02/module-parameter-defaults-with-the-terraform-object-type/
   default_agent_profile = {

outputs.tf

@@ -1,6 +1,6 @@
 output "name" {
   description = "Name of the AKS cluster"
-  value       = azurerm_kubernetes_cluster.aks.node_resource_group
+  value       = azurerm_kubernetes_cluster.aks.name
 }
 
 output "node_resource_group" {
@@ -25,4 +25,10 @@ output "kube_config" {
   sensitive   = true
 }
 
+output "full_object" {
+  description = "Full AKS object"
+  value       = azurerm_kubernetes_cluster.aks
+  sensitive   = true
+}
+
 # TODO: add "kube_admin_config" and "kube_admin_config_raw" once Role Based Access Control with Azure Active Directory is enabled

test/main.tf

@@ -1,6 +1,6 @@
 # Test AKS module
 provider "azurerm" {
-  version = "2.35.0"
+  version = "2.36.0"
   features {}
 }
 
@@ -34,6 +34,7 @@ module "aks" {
   location            = azurerm_resource_group.aks.location
   resource_group_name = azurerm_resource_group.aks.name
   name                = local.name
+  aad_auth_enabled    = true
   tags                = local.tags
 
   # override defaults

test/outputs.tf

@@ -1,3 +1,8 @@
-output "aks" {
-  value = module.aks
+output "aks_credentials_command" {
+  value = "az aks get-credentials --resource-group ${azurerm_resource_group.aks.name} --name ${module.aks.name} --overwrite-existing"
+}
+
+output "full_object" {
+  value     = module.aks.full_object
+  sensitive = true
 }

variables.tf

@@ -22,6 +22,13 @@ variable "kubernetes_version" {
   default     = "1.16.15"
 }
 
+# http://man.hubwiz.com/docset/Terraform.docset/Contents/Resources/Documents/docs/providers/azurerm/r/kubernetes_cluster.html#azure_active_directory
+variable "aad_auth_enabled" {
+  description = "Should AAD authentication be enabled"
+  type        = bool
+  default     = true
+}
+
 variable "sla_sku" {
   description = "Defines the SLA under which the managed master control plane of AKS is running"
   type        = string

versions.tf

@@ -1,10 +1,20 @@
 terraform {
   # versioning syntax: https://www.terraform.io/docs/configuration/version-constraints.html#version-constraint-syntax
   required_version = ">= 0.12"
+
+  # providers (pin all versions)
+  # versioning syntax: https://www.terraform.io/docs/configuration/modules.html#module-versions
+  # ~> 1.0 = 1.x
+  required_providers {
+    # https://github.com/terraform-providers/terraform-provider-azuread/releases
+    azuread = "~> 1.0"
+    random  = "~> 2.2"
+    tls     = "~> 2.1"
+  }
 }
 
 # https://github.com/terraform-providers/terraform-provider-azurerm/releases
 provider "azurerm" {
-  version  = "~> 2.12"
+  version = "~> 2.20"
   features {}
 }