Add run command enabled parameter to AKS cluster

internal/services/containers/kubernetes_cluster_resource.go

@@ -651,6 +651,12 @@ func resourceKubernetesCluster() *pluginsdk.Resource {
 				Default:  false,
 			},
 
+			"run_command_enabled": {
+				Type:     pluginsdk.TypeBool,
+				Optional: true,
+				Default:  true,
+			},
+
 			"private_dns_zone_id": {
 				Type:     pluginsdk.TypeString,
 				Optional: true,
@@ -1061,6 +1067,7 @@ func resourceKubernetesClusterCreate(d *pluginsdk.ResourceData, meta interface{}
 		EnablePrivateCluster:           &enablePrivateCluster,
 		AuthorizedIPRanges:             apiServerAuthorizedIPRanges,
 		EnablePrivateClusterPublicFQDN: utils.Bool(d.Get("private_cluster_public_fqdn_enabled").(bool)),
+		DisableRunCommand:              utils.Bool(!d.Get("run_command_enabled").(bool)),
 	}
 
 	nodeResourceGroup := d.Get("node_resource_group").(string)
@@ -1350,6 +1357,11 @@ func resourceKubernetesClusterUpdate(d *pluginsdk.ResourceData, meta interface{}
 		existing.ManagedClusterProperties.APIServerAccessProfile.EnablePrivateClusterPublicFQDN = utils.Bool(d.Get("private_cluster_public_fqdn_enabled").(bool))
 	}
 
+	if d.HasChange("run_command_enabled") {
+		updateCluster = true
+		existing.ManagedClusterProperties.APIServerAccessProfile.DisableRunCommand = utils.Bool(!d.Get("run_command_enabled").(bool))
+	}
+
 	if d.HasChange("auto_scaler_profile") {
 		updateCluster = true
 		autoScalerProfileRaw := d.Get("auto_scaler_profile").([]interface{})
@@ -1714,6 +1726,7 @@ func resourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{})
 
 			d.Set("private_cluster_enabled", accessProfile.EnablePrivateCluster)
 			d.Set("private_cluster_public_fqdn_enabled", accessProfile.EnablePrivateClusterPublicFQDN)
+			d.Set("run_command_enabled", !utils.BoolDefault(accessProfile.DisableRunCommand, false))
 			switch {
 			case accessProfile.PrivateDNSZone != nil && strings.EqualFold("System", *accessProfile.PrivateDNSZone):
 				d.Set("private_dns_zone_id", "System")

utils/pointer.go

@@ -23,3 +23,10 @@ func Float(input float64) *float64 {
 func String(input string) *string {
 	return &input
 }
+
+func BoolDefault(input *bool, d bool) bool {
+	if input == nil {
+		return d
+	}
+	return *input
+}

utils/pointer_test.go

@@ -0,0 +1,34 @@
+package utils
+
+import "testing"
+
+func TestBoolDefault(t *testing.T) {
+	cases := []struct {
+		Name    string
+		Input   *bool
+		Default bool
+		Output  bool
+	}{
+		{
+			Name:    "input true",
+			Input:   Bool(true),
+			Default: false,
+			Output:  true,
+		},
+		{
+			Name:    "input nil",
+			Input:   nil,
+			Default: true,
+			Output:  true,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.Name, func(t *testing.T) {
+			o := BoolDefault(tc.Input, tc.Default)
+			if tc.Output != o {
+				t.Fatalf("Expected BoolDefault to return '%v' for input '%v' and default '%v' (got '%v')", tc.Output, tc.Input, tc.Default, o)
+			}
+		})
+	}
+}

website/docs/r/kubernetes_cluster.html.markdown

@@ -206,7 +206,9 @@ resource "azurerm_kubernetes_cluster" "example" {
 
 * `role_based_access_control_enabled` (Optional) - Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to `true`. Changing this forces a new resource to be created.
 
-* `service_principal` - (Optional) A `service_principal` block as documented below. One of either `identity` or `service_principal` must be specified. 
+* `run_command_enabled` - (Optional) Whether to enable run command for the cluster or not. True by default.
+
+* `service_principal` - (Optional) A `service_principal` block as documented below. One of either `identity` or `service_principal` must be specified.
 
 !> **Note:** A migration scenario from `service_principal` to `identity` is supported. When upgrading `service_principal` to `identity`, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured `service_principal` until you upgrade your Node Pool.