Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

azurerm_kubernetes_cluster - add managed_cluster_identity support #5168

Merged
merged 6 commits into from
Dec 18, 2019
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
77 changes: 76 additions & 1 deletion azurerm/resource_arm_kubernetes_cluster.go
Original file line number Diff line number Diff line change
Expand Up @@ -560,6 +560,34 @@ func resourceArmKubernetesCluster() *schema.Resource {
Computed: true,
Sensitive: true,
},

"managed_cluster_identity": {
Type: schema.TypeList,
Optional: true,
MaxItems: 1,
ForceNew: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"type": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
ValidateFunc: validation.StringInSlice([]string{
string(containerservice.None),
string(containerservice.SystemAssigned),
}, false),
},
"principal_id": {
Type: schema.TypeString,
Computed: true,
},
"tenant_id": {
Type: schema.TypeString,
Computed: true,
},
},
},
},
},
}
}
Expand Down Expand Up @@ -640,6 +668,9 @@ func resourceArmKubernetesClusterCreate(d *schema.ResourceData, meta interface{}

enablePodSecurityPolicy := d.Get("enable_pod_security_policy").(bool)

managedClusterIdentityRaw := d.Get("managed_cluster_identity").([]interface{})
managedClusterIdentity := expandKubernetesClusterManagedClusterIdentity(managedClusterIdentityRaw)

parameters := containerservice.ManagedCluster{
Name: &name,
Location: &location,
Expand All @@ -658,7 +689,8 @@ func resourceArmKubernetesClusterCreate(d *schema.ResourceData, meta interface{}
NodeResourceGroup: utils.String(nodeResourceGroup),
EnablePodSecurityPolicy: utils.Bool(enablePodSecurityPolicy),
},
Tags: tags.Expand(t),
Identity: managedClusterIdentity,
Tags: tags.Expand(t),
}

future, err := client.CreateOrUpdate(ctx, resGroup, name, parameters)
Expand Down Expand Up @@ -792,6 +824,12 @@ func resourceArmKubernetesClusterUpdate(d *schema.ResourceData, meta interface{}
existing.ManagedClusterProperties.WindowsProfile = windowsProfile
}

if d.HasChange("managed_cluster_identity") {
updateCluster = true
managedClusterIdentityRaw := d.Get("managed_cluster_identity").([]interface{})
existing.Identity = expandKubernetesClusterManagedClusterIdentity(managedClusterIdentityRaw)
}

if updateCluster {
log.Printf("[DEBUG] Updating the Kubernetes Cluster %q (Resource Group %q)..", name, resourceGroup)
future, err := clusterClient.CreateOrUpdate(ctx, resourceGroup, name, existing)
Expand Down Expand Up @@ -974,6 +1012,10 @@ func resourceArmKubernetesClusterRead(d *schema.ResourceData, meta interface{})
}
}

if err := d.Set("managed_cluster_identity", flattenKubernetesClusterManagedClusterIdentity(resp.Identity)); err != nil {
return fmt.Errorf("Error setting `managed_cluster_identity`: %+v", err)
}

kubeConfigRaw, kubeConfig := flattenKubernetesClusterAccessProfile(profile)
d.Set("kube_config_raw", kubeConfigRaw)
if err := d.Set("kube_config", kubeConfig); err != nil {
Expand Down Expand Up @@ -1403,6 +1445,17 @@ func expandKubernetesClusterRoleBasedAccessControl(input []interface{}, provider
return rbacEnabled, aad
}

func expandKubernetesClusterManagedClusterIdentity(input []interface{}) *containerservice.ManagedClusterIdentity {
if len(input) == 0 || input[0] == nil {
return nil
}
values := input[0].(map[string]interface{})

return &containerservice.ManagedClusterIdentity{
Type: containerservice.ResourceIdentityType(values["type"].(string)),
}
}

func flattenKubernetesClusterRoleBasedAccessControl(input *containerservice.ManagedClusterProperties, d *schema.ResourceData) []interface{} {
rbacEnabled := false
if input.EnableRBAC != nil {
Expand Down Expand Up @@ -1529,3 +1582,25 @@ func flattenKubernetesClusterKubeConfigAAD(config kubernetes.KubeConfigAAD) []in
},
}
}

func flattenKubernetesClusterManagedClusterIdentity(input *containerservice.ManagedClusterIdentity) []interface{} {
if input == nil {
return []interface{}{}
}

identity := make(map[string]interface{})

identity["principal_id"] = ""
if input.PrincipalID != nil {
katbyte marked this conversation as resolved.
Show resolved Hide resolved
identity["principal_id"] = *input.PrincipalID
}

identity["tenant_id"] = ""
if input.TenantID != nil {
identity["tenant_id"] = *input.TenantID
}

identity["type"] = string(input.Type)

return []interface{}{identity}
}
60 changes: 60 additions & 0 deletions azurerm/resource_arm_kubernetes_cluster_other_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -323,6 +323,34 @@ func testAccAzureRMKubernetesCluster_windowsProfile(t *testing.T) {
})
}

func testAccAzureRMKubernetesCluster_managedClusterIdentiy(t *testing.T) {
resourceName := "azurerm_kubernetes_cluster.test"
ri := tf.AccRandTimeInt()
clientId := os.Getenv("ARM_CLIENT_ID")
clientSecret := os.Getenv("ARM_CLIENT_SECRET")
location := testLocation()

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testCheckAzureRMKubernetesClusterDestroy,
Steps: []resource.TestStep{
{
Config: testAccAzureRMKubernetesCluster_managedClusterIdentityConfig(ri, clientId, clientSecret, location),
Check: resource.ComposeTestCheckFunc(
testCheckAzureRMKubernetesClusterExists(resourceName),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"service_principal.0.client_secret"},
},
},
})
}

func testAccAzureRMKubernetesCluster_basicAvailabilitySetConfig(rInt int, clientId string, clientSecret string, location string) string {
return fmt.Sprintf(`
resource "azurerm_resource_group" "test" {
Expand Down Expand Up @@ -642,3 +670,35 @@ resource "azurerm_kubernetes_cluster" "test" {
}
`, rInt, location, rInt, rInt, rInt, clientId, clientSecret)
}

func testAccAzureRMKubernetesCluster_managedClusterIdentityConfig(rInt int, clientId string, clientSecret string, location string) string {
return fmt.Sprintf(`
resource "azurerm_resource_group" "test" {
name = "acctestRG-%d"
location = "%s"
}

resource "azurerm_kubernetes_cluster" "test" {
name = "acctestaks%d"
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
dns_prefix = "acctestaks%d"

default_node_pool {
name = "default"
node_count = 1
type = "AvailabilitySet"
vm_size = "Standard_DS2_v2"
}

service_principal {
client_id = "%s"
client_secret = "%s"
}

managed_cluster_identity {
type = "SystemAssigned"
}
}
`, rInt, location, rInt, rInt, clientId, clientSecret)
}
19 changes: 10 additions & 9 deletions azurerm/resource_arm_kubernetes_cluster_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -70,15 +70,16 @@ func TestAccAzureRMKubernetes_all(t *testing.T) {
"windowsAndLinux": testAccAzureRMKubernetesClusterNodePool_windowsAndLinux,
},
"other": {
"basicAvailabilitySet": testAccAzureRMKubernetesCluster_basicAvailabilitySet,
"basicVMSS": testAccAzureRMKubernetesCluster_basicVMSS,
"requiresImport": testAccAzureRMKubernetesCluster_requiresImport,
"linuxProfile": testAccAzureRMKubernetesCluster_linuxProfile,
"nodeTaints": testAccAzureRMKubernetesCluster_nodeTaints,
"nodeResourceGroup": testAccAzureRMKubernetesCluster_nodeResourceGroup,
"upgradeConfig": testAccAzureRMKubernetesCluster_upgrade,
"tags": testAccAzureRMKubernetesCluster_tags,
"windowsProfile": testAccAzureRMKubernetesCluster_windowsProfile,
"basicAvailabilitySet": testAccAzureRMKubernetesCluster_basicAvailabilitySet,
"basicVMSS": testAccAzureRMKubernetesCluster_basicVMSS,
"requiresImport": testAccAzureRMKubernetesCluster_requiresImport,
"linuxProfile": testAccAzureRMKubernetesCluster_linuxProfile,
"nodeTaints": testAccAzureRMKubernetesCluster_nodeTaints,
"nodeResourceGroup": testAccAzureRMKubernetesCluster_nodeResourceGroup,
"upgradeConfig": testAccAzureRMKubernetesCluster_upgrade,
"tags": testAccAzureRMKubernetesCluster_tags,
"windowsProfile": testAccAzureRMKubernetesCluster_windowsProfile,
"managedClusterIdentity": testAccAzureRMKubernetesCluster_managedClusterIdentiy,
},
"scaling": {
"addAgent": testAccAzureRMKubernetesCluster_addAgent,
Expand Down
18 changes: 17 additions & 1 deletion website/docs/r/kubernetes_cluster.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,8 @@ resource "azurerm_subnet" "virtual" {

* `linux_profile` - (Optional) A `linux_profile` block as defined below.

* `managed_cluster_identity` - (Optional) A `managed_cluster_identity` block as defined below. Changing this forces a new resource to be created.

* `network_profile` - (Optional) A `network_profile` block as defined below.

-> **NOTE:** If `network_profile` is not defined, `kubenet` profile will be used by default.
Expand Down Expand Up @@ -281,6 +283,12 @@ A `linux_profile` block supports the following:

---

A `managed_cluster_identity` block supports the following:

* `type` - The type of identity used for the managed cluster. Valid values are `SystemAssigned` or `None`.

---

A `network_profile` block supports the following:

* `network_plugin` - (Required) Network plugin to use for networking. Currently supported values are `azure` and `kubenet`. Changing this forces a new resource to be created.
Expand Down Expand Up @@ -370,7 +378,7 @@ A `http_application_routing` block exports the following:

---

The `kube_admin_config` and `kube_config` blocks export the following::
The `kube_admin_config` and `kube_config` blocks export the following:

* `client_key` - Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.

Expand All @@ -397,6 +405,14 @@ provider "kubernetes" {
}
```

---

The `managed_cluster_identity` block exports the following:

* `principal_id` - The principal id of the system assigned identity which is used by master components.

* `tenant_id` - The tenant id of the system assigned identity which is used by master components.

## Import

Managed Kubernetes Clusters can be imported using the `resource id`, e.g.
Expand Down