Enable RBAC without AAD

[raphaelquati]

Implementation for #2345

[tombuildsstuff]

hi @raphaelquati

Thanks for this PR :)

During the investigation into RBAC recently it appeared that whilst you can enable/disable RBAC for AKS at this time it's tied to AzureAD. For this reason we've designed the block such that if/when additional methods are available for RBAC in the future that we can support them as nested items in the role_based_access_control block, by making the AzureAD block optional.

As such I believe we should be able to infer the value of the enable_rbac field and as such we should be able to not expose it - do you have a reference which shows that it's possible to Enable RBAC without Azure AD?

Thanks!

[joakimhellum]

To be clear: I completely agree on RBAC being related to Azure AD for user authentication, and we are currently re-deploying all our clusters to enable this. Also because it's in the security best practices .

However it is possible to only enable RBAC without Azure AD integration at the moment.

1. Using the Azure Portal we can in fact only enable RBAC and not the Azure AD integration:
   

2. Using Azure CLI then RBAC is enabled by default (and can be disabled with --disable-rbac). But to enable Azure AD integration you would need to set multiple optional parameters (--aad-client-app-id, --aad-server-app-id, --aad-server-app-secret and --aad-tenant-id).
   Reference: https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-create

So I think multiple users might have an issue with this update unless they upgrade their clusters to enable Azure AD integration.

[raphaelquati]

@tombuildsstuff,

I try to follow the same "block idea" of others blocks (like oms_agent and http_application_routing), with the "enabled" flag, instead of inferring the presence of block.

[timfpark]

it looks like you have a typo here: enaled -> enabled

[tombuildsstuff]

hey @raphaelquati

Thanks for this PR - apologies for the delayed review here, I'd reviewed this but not hit submit.

On the whole this PR looks pretty good - I've left a few comments inline which need to be fixed for us to merge this. Since we're trying to include this in the 1.20 release I'm going to make these changes and include this in a branch which fixes both #2345 and #2421 - so whilst I'd like to thank you for this contribution I'm going to close this in favour of a combined PR for those (I hope you don't mind!).

Thanks!

[tombuildsstuff]

there can only be a single block - so this can be flipped back to 1

[tombuildsstuff]

we can remove this line, since it's not being used

[tombuildsstuff]

there's a crash we should check here

[tombuildsstuff]

we still need to set the azure_active_directory block to an empty list, if it's not enabled (since then it'll show as a diff if necessary)

[tombuildsstuff]

there's a potential crash here which we can nil-check around

[tombuildsstuff]

it'd be good to ensure this is set to false for the basic configuration

[tombuildsstuff]

minor can we fix the formatting here?

[tombuildsstuff]

As discussed above - closing this in favour of #2495

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!