From 53e1b759e5ae5ad5ec87cc2b3577c76d57e5eb3b Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 14 Nov 2020 16:51:48 +0000
Subject: [PATCH] Added aad auth to AKS

---
 aks.tf | 25 ++++++++++++++++++-------
 locals.tf | 1 -
 outputs.tf | 8 +++++++-
 test/main.tf | 3 ++-
 test/outputs.tf | 9 +++++++--
 variables.tf | 7 +++++++
 versions.tf | 12 +++++++++++-
 7 files changed, 52 insertions(+), 13 deletions(-)

diff --git a/aks.tf b/aks.tf
index ceed43e..6394c80 100644
--- a/aks.tf
+++ b/aks.tf
@@ -4,6 +4,14 @@ resource "tls_private_key" "ssh" {
 rsa_bits = 4096
 }
 
+# NOTE: Requires "Azure Active Directory Graph" "Directory.ReadWrite.All" Application API permission
+resource "azuread_group" "aks_admins" {
+ count = var.aad_auth_enabled ? 1 : 0
+
+ name = "${var.name}-aks-administrators"
+ description = "${var.name} Kubernetes cluster administrators"
+}
+
 resource "azurerm_kubernetes_cluster" "aks" {
 name = var.name
 location = var.location
@@ -49,13 +57,16 @@ resource "azurerm_kubernetes_cluster" "aks" {
 role_based_access_control {
 enabled = true
 
- # TODO: Enable AAD auth: https://app.zenhub.com/workspaces/aks-nexus-velero-5e602702ee332f0fc76d35dd/issues/adamrushuk/aks-nexus-velero/105
- # azure_active_directory {
- # managed = true
- # admin_group_object_ids = [
- # data.azuread_group.aks.id
- # ]
- # }
+ # conditional dynamic block
+ dynamic "azure_active_directory" {
+ for_each = var.aad_auth_enabled ? [1] : []
+ content {
+ managed = true
+ admin_group_object_ids = [
+ azuread_group.aks_admins[0].id
+ ]
+ }
+ }
 }
 
 addon_profile {
diff --git a/locals.tf b/locals.tf
index da49644..bdec2da 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,4 +1,3 @@
-
 locals {
 # TODO: consider moving defaults to object var, as per: https://binx.io/blog/2020/01/02/module-parameter-defaults-with-the-terraform-object-type/
 default_agent_profile = {
diff --git a/outputs.tf b/outputs.tf
index a8bba0e..6eb26d8 100644
--- a/outputs.tf
+++ b/outputs.tf
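Review bot: The new `azuread_group` "aks_admins" is created with no `members` or `owners`, so after apply the only group granted cluster-admin through managed AAD (the second hunk in this file) is empty and no principal can sign in as admin until someone adds members outside Terraform. If the azuread 1.x provider's `members`/`owners` arguments are acceptable here, take the initial membership as an input, e.g. `members = var.aks_admin_object_ids` with a new `list(string)` variable defaulting to `[]`; otherwise document on the resource that membership is managed out of band. The NOTE on the first added line about `Directory.ReadWrite.All` is the key operational caveat and should also appear in the module README and in the `aad_auth_enabled` variable description, since that variable defaults to `true`.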
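Review bot: The comment `# conditional dynamic block` on the first added line of the second aks.tf hunk describes the syntax rather than the intent; `# Managed AAD integration, only when var.aad_auth_enabled; the [0] index matches the count on azuread_group.aks_admins` tells the reader why the hard-coded index is safe. With managed AAD on, the existing `kube_config` output will, as far as I recall the provider's behaviour, hold a kubeconfig that requires an AAD sign-in while admin credentials move to `kube_admin_config`, which the TODO in outputs.tf still defers, so callers lose scripted admin access once this ships unless that output is added in the same change. The enclosing `azurerm_kubernetes_cluster` resource begins and ends outside the hunk.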
@@ -1,6 +1,6 @@
 output "name" {
 description = "Name of the AKS cluster"
- value = azurerm_kubernetes_cluster.aks.node_resource_group
+ value = azurerm_kubernetes_cluster.aks.name
 }
 
 output "node_resource_group" {
@@ -25,4 +25,10 @@ output "kube_config" {
 sensitive = true
 }
 
+output "full_object" {
+ description = "Full AKS object"
+ value = azurerm_kubernetes_cluster.aks
+ sensitive = true
+}
+
 # TODO: add "kube_admin_config" and "kube_admin_config_raw" once Role Based Access Control with Azure Active Directory is enabled
diff --git a/test/main.tf b/test/main.tf
index ac1c37b..c4d91ea 100644
--- a/test/main.tf
+++ b/test/main.tf
@@ -1,6 +1,6 @@
 # Test AKS module
 provider "azurerm" {
- version = "2.35.0"
+ version = "2.36.0"
 features {}
 }
 
@@ -34,6 +34,7 @@ module "aks" {
 location = azurerm_resource_group.aks.location
 resource_group_name = azurerm_resource_group.aks.name
 name = local.name
+ aad_auth_enabled = true
 tags = local.tags
 
 # override defaults
diff --git a/test/outputs.tf b/test/outputs.tf
index 0f1a262..e5db70f 100644
--- a/test/outputs.tf
+++ b/test/outputs.tf
@@ -1,3 +1,8 @@
-output "aks" {
- value = module.aks
+output "aks_credentials_command" {
+ value = "az aks get-credentials --resource-group ${azurerm_resource_group.aks.name} --name ${module.aks.name} --overwrite-existing"
+}
+
+output "full_object" {
+ value = module.aks.full_object
+ sensitive = true
 }
diff --git a/variables.tf b/variables.tf
index 4d7c175..4141ad3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -22,6 +22,13 @@ variable "kubernetes_version" {
 default = "1.16.15"
 }
 
+# http://man.hubwiz.com/docset/Terraform.docset/Contents/Resources/Documents/docs/providers/azurerm/r/kubernetes_cluster.html#azure_active_directory
+variable "aad_auth_enabled" {
+ description = "Should AAD authentication be enabled"
+ type = bool
+ default = true
+}
+
 variable "sla_sku" {
 description = "Defines the SLA under which the managed master control plane of AKS is running"
 type = string
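Review bot: `full_object` in the second outputs.tf hunk exports the whole `azurerm_kubernetes_cluster.aks` resource, which includes `kube_config` (already output on its own above) and, with AAD enabled, the `kube_admin_config` attributes named in the TODO on the last context line; `sensitive = true` only redacts CLI output, the credentials still sit in plain text in this module's state and in the state of any root that re-exports the output, as test/outputs.tf now does. Export the specific attributes consumers need instead: add `kube_admin_config_raw` as its own `sensitive = true` output mirroring the existing `kube_config` one, as the TODO already plans, and drop the blanket object from both files. The `aks_credentials_command` output in test/outputs.tf is fine as it only composes resource names.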
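Review bot: `aad_auth_enabled` in the variables.tf hunk defaults to `true`, so every consumer of the module silently gains an `azuread_group` resource and needs the AAD Graph `Directory.ReadWrite.All` permission noted in aks.tf, none of which the one-line description mentions. Either default to `false` so the extra permission is opt-in, or state it: `description = "Enable managed AAD integration for the cluster. Creates an azuread_group for cluster admins, so the deploying identity needs the AAD Graph Directory.ReadWrite.All permission."`. Whether toggling the flag on an existing cluster is an in-place update or forces replacement is not visible here and is worth checking before the default is settled.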
diff --git a/versions.tf b/versions.tf
index af32a50..3b52b5c 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,10 +1,20 @@
 terraform {
 # versioning syntax: https://www.terraform.io/docs/configuration/version-constraints.html#version-constraint-syntax
 required_version = ">= 0.12"
+
+ # providers (pin all versions)
+ # versioning syntax: https://www.terraform.io/docs/configuration/modules.html#module-versions
+ # ~> 1.0 = 1.x
+ required_providers {
+ # https://github.com/terraform-providers/terraform-provider-azuread/releases
+ azuread = "~> 1.0"
+ random = "~> 2.2"
+ tls = "~> 2.1"
+ }
 }
 
 # https://github.com/terraform-providers/terraform-provider-azurerm/releases
 provider "azurerm" {
- version = "~> 2.12"
+ version = "~> 2.20"
 features {}
 }
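Review bot: The comment `# providers (pin all versions)` on the added lines is not quite accurate, because azurerm is still pinned through the `version` argument of the `provider "azurerm"` block below rather than in `required_providers`, so the module's constraints live in two places. Adding `azurerm = "~> 2.20"` next to `azuread`, `random` and `tls` makes one block declare every provider the module uses; the `version` argument inside provider blocks is also deprecated from Terraform 0.13 onward, so consolidating here avoids a warning later. Whether `~> 2.20` is a high enough floor for the `managed` AAD block used in aks.tf is not established on this page and is worth confirming against the azurerm releases page linked in the comment.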