From 654afe1c3a8b6b30cb12639371b6b9d36edb5825 Mon Sep 17 00:00:00 2001
From: Raphael Couto
Date: Sat, 17 Nov 2018 00:19:08 -0200
Subject: [PATCH 1/2] Enable RBAC without AAD

---
 azurerm/resource_arm_kubernetes_cluster.go | 36 +++++++++++++------
 .../resource_arm_kubernetes_cluster_test.go | 2 ++
 .../role-based-access-control/main.tf | 1 +
 .../docs/r/kubernetes_cluster.html.markdown | 4 ++-
 4 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/azurerm/resource_arm_kubernetes_cluster.go b/azurerm/resource_arm_kubernetes_cluster.go
index 90c496d31447..2eaa761f552e 100644
--- a/azurerm/resource_arm_kubernetes_cluster.go
+++ b/azurerm/resource_arm_kubernetes_cluster.go
@@ -315,12 +315,17 @@ func resourceArmKubernetesCluster() *schema.Resource {
 Type: schema.TypeList,
 Optional: true,
 ForceNew: true,
- MaxItems: 1,
+ MaxItems: 2,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
+ "enabled": {
+ Type: schema.TypeBool,
+ Required: true,
+ ForceNew: true,
+ },
 "azure_active_directory": {
 Type: schema.TypeList,
- Required: true,
+ Optional: true,
 ForceNew: true,
 MaxItems: 1,
 Elem: &schema.Resource{
@@ -450,8 +455,8 @@ func resourceArmKubernetesClusterCreateUpdate(d *schema.ResourceData, meta inter
 }
 rbacRaw := d.Get("role_based_access_control").([]interface{})
- azureADProfile := expandKubernetesClusterRoleBasedAccessControl(rbacRaw, tenantId)
- roleBasedAccessControlEnabled := azureADProfile != nil
+ roleBasedAccessControlEnabled, azureADProfile := expandKubernetesClusterRoleBasedAccessControl(rbacRaw, tenantId)
+ //roleBasedAccessControlEnabled := azureADProfile != nil
 parameters := containerservice.ManagedCluster{
 Name: &name,
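Review bot: `MaxItems: 2` on the `role_based_access_control` list looks wrong: `expandKubernetesClusterRoleBasedAccessControl` only reads `input[0]`, so a second block is accepted by the schema and then silently ignored, including its `enabled` value and any AAD settings it carries. The new nested `enabled` field does not change how many list items are meaningful, so the limit should stay `MaxItems: 1`. Because this block decides whether the cluster is created with authorization at all, configuration that is accepted but never applied is worth rejecting at plan time rather than discovering later. The schema definition starts and ends outside the hunk.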
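Review bot: The commented-out line `//roleBasedAccessControlEnabled := azureADProfile != nil` in the `@@ -450` hunk is dead code and should be deleted rather than kept next to the new two-value assignment; version control already records the old form. With this change `roleBasedAccessControlEnabled` now reflects the user's `enabled` flag instead of the presence of an AAD profile, so both values can now disagree (RBAC off with a populated `azureADProfile`), and this is the place where that combination reaches the request; see the note on the expand hunk for the check it needs. `resourceArmKubernetesClusterCreateUpdate` starts and ends outside the hunk.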
@@ -552,7 +557,7 @@ func resourceArmKubernetesClusterRead(d *schema.ResourceData, meta interface{})
 return fmt.Errorf("Error setting `network_profile`: %+v", err)
 }
- roleBasedAccessControl := flattenKubernetesClusterRoleBasedAccessControl(props.AadProfile, d)
+ roleBasedAccessControl := flattenKubernetesClusterRoleBasedAccessControl(props.EnableRBAC, props.AadProfile, d)
 if err := d.Set("role_based_access_control", roleBasedAccessControl); err != nil {
 return fmt.Errorf("Error setting `role_based_access_control`: %+v", err)
 }
@@ -914,14 +919,18 @@ func flattenKubernetesClusterNetworkProfile(profile *containerservice.NetworkPro
 return []interface{}{values}
 }
-func expandKubernetesClusterRoleBasedAccessControl(input []interface{}, providerTenantId string) *containerservice.ManagedClusterAADProfile {
+func expandKubernetesClusterRoleBasedAccessControl(input []interface{}, providerTenantId string) (bool, *containerservice.ManagedClusterAADProfile) {
 if len(input) == 0 {
- return nil
+ return false, nil
 }
 val := input[0].(map[string]interface{})
-
+ enabled := val["enabled"].(bool)
 azureADsRaw := val["azure_active_directory"].([]interface{})
+ if len(azureADsRaw) == 0 {
+ return enabled, nil
+ }
+
 azureAdRaw := azureADsRaw[0].(map[string]interface{})
 clientAppId := azureAdRaw["client_app_id"].(string)
@@ -933,7 +942,7 @@ func expandKubernetesClusterRoleBasedAccessControl(input []interface{}, provider
 tenantId = providerTenantId
 }
- return &containerservice.ManagedClusterAADProfile{
+ return enabled, &containerservice.ManagedClusterAADProfile{
 ClientAppID: utils.String(clientAppId),
 ServerAppID: utils.String(serverAppId),
 ServerAppSecret: utils.String(serverAppSecret),
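Review bot: When `enabled` is false but an `azure_active_directory` block is present, `expandKubernetesClusterRoleBasedAccessControl` still builds and returns the full AAD profile (the `return enabled, &containerservice.ManagedClusterAADProfile{` in the `@@ -933` hunk), so the caller in `@@ -450` receives RBAC disabled together with a populated profile; I can't tell from the hunk how the service treats that combination, but it is one the resource should not pass through silently. Since this function returns no error, the cleanest fix is an explicit check in `resourceArmKubernetesClusterCreateUpdate` before the request is built, e.g. `if !roleBasedAccessControlEnabled && azureADProfile != nil { return fmt.Errorf("`azure_active_directory` requires `role_based_access_control.enabled` to be true") }`, rather than dropping the profile here and leaving a perpetual diff. The new early return `if len(azureADsRaw) == 0 { return enabled, nil }` is the intended path for RBAC without AAD and reads fine. The function body continues past this hunk into `@@ -933`.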
@@ -941,9 +950,13 @@ func expandKubernetesClusterRoleBasedAccessControl(input []interface{}, provider
 }
 }
-func flattenKubernetesClusterRoleBasedAccessControl(input *containerservice.ManagedClusterAADProfile, d *schema.ResourceData) []interface{} {
+func flattenKubernetesClusterRoleBasedAccessControl(enabledRBAC *bool, input *containerservice.ManagedClusterAADProfile, d *schema.ResourceData) []interface{} {
 if input == nil {
- return []interface{}{}
+ return []interface{}{
+ map[string]interface{}{
+ "enabled": *enabledRBAC,
+ },
+ }
 }
 profile := make(map[string]interface{})
@@ -978,6 +991,7 @@ func flattenKubernetesClusterRoleBasedAccessControl(input *containerservice.Mana
 return []interface{}{
 map[string]interface{}{
+ "enabled": *enabledRBAC,
 "azure_active_directory": []interface{}{
 profile,
 },
diff --git a/azurerm/resource_arm_kubernetes_cluster_test.go b/azurerm/resource_arm_kubernetes_cluster_test.go
index 72126d040cc3..1f540b8b6dc1 100644
--- a/azurerm/resource_arm_kubernetes_cluster_test.go
+++ b/azurerm/resource_arm_kubernetes_cluster_test.go
@@ -122,6 +122,7 @@ func TestAccAzureRMKubernetesCluster_roleBasedAccessControl(t *testing.T) {
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMKubernetesClusterExists(resourceName),
 resource.TestCheckResourceAttr(resourceName, "role_based_access_control.#", "1"),
+ resource.TestCheckResourceAttr(resourceName, "role_based_access_control.0.enabled", "true"),
 resource.TestCheckResourceAttr(resourceName, "role_based_access_control.0.azure_active_directory.#", "1"),
 resource.TestCheckResourceAttrSet(resourceName, "role_based_access_control.0.azure_active_directory.0.client_app_id"),
 resource.TestCheckResourceAttrSet(resourceName, "role_based_access_control.0.azure_active_directory.0.server_app_id"),
@@ -596,6 +597,7 @@ resource "azurerm_kubernetes_cluster" "test" {
 }
 role_based_access_control {
+ enaled=true
 azure_active_directory {
 server_app_id = "%s"
 server_app_secret = "%s"
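Review bot: `*enabledRBAC` is dereferenced without a nil check in both return paths of `flattenKubernetesClusterRoleBasedAccessControl` (this hunk and `@@ -978`), and the Read path in `@@ -552` passes `props.EnableRBAC` straight from the API response; if the service omits that field for a cluster, Read panics and the provider crashes instead of reporting the cluster's state. Compute the value once at the top of the function with `enabled := enabledRBAC != nil && *enabledRBAC` and use `"enabled": enabled` in both maps, so a missing field reads as RBAC off rather than a crash. The single-key `map[string]interface{}` returned in the `input == nil` branch is the right shape now that `azure_active_directory` is Optional. The function body continues outside both hunks.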
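Review bot: The test changes in `@@ -122` and `@@ -596` only add `enabled` to the existing AAD-backed test, so the behaviour this patch introduces — `enabled = true` with no `azure_active_directory` block, and `enabled = false` — has no acceptance coverage. A second config containing just `role_based_access_control { enabled = true }` with a check that `role_based_access_control.0.azure_active_directory.#` is `0` would exercise the new `len(azureADsRaw) == 0` path in expand and the `input == nil` path in flatten, which is where the new nil handling lives. A third config with `enabled = false` would confirm that a cluster is actually created without RBAC and that state reflects it, since that is the setting with the largest authorization impact. Both test functions start and end outside the hunks.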
diff --git a/examples/kubernetes/role-based-access-control/main.tf b/examples/kubernetes/role-based-access-control/main.tf
index ca7128f6373c..223bcd77fe58 100644
--- a/examples/kubernetes/role-based-access-control/main.tf
+++ b/examples/kubernetes/role-based-access-control/main.tf
@@ -23,6 +23,7 @@ resource "azurerm_kubernetes_cluster" "test" {
 }
 role_based_access_control {
+ enabled = true
 azure_active_directory {
 # NOTE: in a Production environment these should be different values
 # but for the purposes of this example, this should be sufficient
diff --git a/website/docs/r/kubernetes_cluster.html.markdown b/website/docs/r/kubernetes_cluster.html.markdown
index 20f69d162095..181d90bbf002 100644
--- a/website/docs/r/kubernetes_cluster.html.markdown
+++ b/website/docs/r/kubernetes_cluster.html.markdown
@@ -167,7 +167,9 @@ A `oms_agent` block supports the following:
 A `role_based_access_control` block supports the following:
-* `azure_active_directory` - (Required) An `azure_active_directory` block. Changing this forces a new resource to be created.
+* `enabled` - (Required) Is RBAC enabled?. Changing this forces a new resource to be created.
+
+* `azure_active_directory` - (Optional) An `azure_active_directory` block. Changing this forces a new resource to be created.
 ---

From 34a8fc726720f70ee3c02efbe5ae5176202d8f76 Mon Sep 17 00:00:00 2001
From: Raphael Couto
Date: Tue, 4 Dec 2018 14:14:15 -0200
Subject: [PATCH 2/2] Fix typo

---
 azurerm/resource_arm_kubernetes_cluster_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/azurerm/resource_arm_kubernetes_cluster_test.go b/azurerm/resource_arm_kubernetes_cluster_test.go
index 1f540b8b6dc1..e5b77c103e8e 100644
--- a/azurerm/resource_arm_kubernetes_cluster_test.go
+++ b/azurerm/resource_arm_kubernetes_cluster_test.go
@@ -597,7 +597,7 @@ resource "azurerm_kubernetes_cluster" "test" {
 }
 role_based_access_control {
- enaled=true
+ enabled=true
 azure_active_directory {
 server_app_id = "%s"
 server_app_secret = "%s"