fix: Update parameters to implement non-AAD integrated clusters in Kubernetes (Azure#3828)

## Description
This PR introduces a conditional check for `aadProfile` configuration in
Kubernetes cluster settings. Adds a user-defined type for the
`aadProfile` parameter, and when the `aadProfile` parameter is empty, it
disables AAD (Azure Active Directory). Ensures that AAD integration is
completely skipped when not needed, optimizing resource usage and
configuration complexity.

Requested by the AZD team:
Azure/Azure-Verified-Modules#261, to ensure
consistency with the functionality implemented in the
[aks-managed-cluster.bicep](https://github.com/Azure/azure-dev/blob/main/templates/common/infra/bicep/core/host/aks-managed-cluster.bicep#L81-L85)
file located in infra/core.

<!--
>Thank you for your contribution !
> Please include a summary of the change and which issue is fixed.
> Please also include the context.
> List any dependencies that are required for this change.

Fixes Azure#123
Fixes Azure#456
Closes Azure#123
Closes Azure#456
-->

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
| [![avm.res.container-service.managed-cluster](https://github.com/Menghua1/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml/badge.svg?branch=fix%2Fadd-aad-profile-conditional)](https://github.com/Menghua1/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml) |

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

@rajeshkamal5050 for notification.
Menghua1 authored Dec 11, 2024
1 parent b23659a commit 75bf761
Showing 13 changed files with 458 additions and 132 deletions.
281 changes: 253 additions & 28 deletions avm/res/container-service/managed-cluster/README.md


@@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.31.34.60546",
"templateHash": "13504241837980660061"
"version": "0.31.92.45157",
"templateHash": "10548754747426289718"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.",
@@ -355,7 +355,10 @@
"vmSize": "[parameters('vmSize')]",
"vnetSubnetID": "[parameters('vnetSubnetResourceId')]",
"workloadRuntime": "[parameters('workloadRuntime')]"
}
},
"dependsOn": [
"managedCluster"
]
}
},
"outputs": {
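Review bot: the only change to this nested agent-pool template besides the metadata bump is the explicit `"dependsOn": ["managedCluster"]` on the agent pool resource, and the identical block appears again inside main.json at the `@@ -2552,7 +2558,10 @@` hunk further down, with no edit to any agent-pool .bicep source in this diff. That points to regeneration with Bicep 0.31.92.45157 emitting a dependency the older 0.31.34.60546 compiler left implicit. It is harmless, but say so in the PR description so reviewers do not go looking for a source change that does not exist.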
66 changes: 35 additions & 31 deletions avm/res/container-service/managed-cluster/main.bicep
@@ -101,34 +101,15 @@ param adminUsername string = 'azureuser'
@description('Optional. Specifies the SSH RSA public key string for the Linux nodes.')
param sshPublicKey string?

@description('Optional. Enable Azure Active Directory integration.')
param aadProfile aadProfileType?

@description('Conditional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster.')
param aksServicePrincipalProfile object?

@description('Optional. The client AAD application ID.')
param aadProfileClientAppID string?

@description('Optional. The server AAD application ID.')
param aadProfileServerAppID string?

@description('Optional. The server AAD application secret.')
#disable-next-line secure-secrets-in-params // Not a secret
param aadProfileServerAppSecret string?

@description('Optional. Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication.')
param aadProfileTenantId string = subscription().tenantId

@description('Optional. Specifies the AAD group object IDs that will have admin role of the cluster.')
param aadProfileAdminGroupObjectIDs string[]?

@description('Optional. Specifies whether to enable managed AAD integration.')
param aadProfileManaged bool = true

@description('Optional. Whether to enable Kubernetes Role-Based Access Control.')
param enableRBAC bool = true

@description('Optional. Specifies whether to enable Azure RBAC for Kubernetes authorization.')
param aadProfileEnableAzureRBAC bool = enableRBAC

@description('Optional. If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled.')
param disableLocalAccounts bool = true

@@ -739,15 +720,15 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-03-02-p
}
}
publicNetworkAccess: publicNetworkAccess
aadProfile: {
clientAppID: aadProfileClientAppID
serverAppID: aadProfileServerAppID
serverAppSecret: aadProfileServerAppSecret
managed: aadProfileManaged
enableAzureRBAC: aadProfileEnableAzureRBAC
adminGroupObjectIDs: aadProfileAdminGroupObjectIDs
tenantID: aadProfileTenantId
}
aadProfile: !empty(aadProfile) ? {
clientAppID: aadProfile.?aadProfileClientAppID
serverAppID: aadProfile.?aadProfileServerAppID
serverAppSecret: aadProfile.?aadProfileServerAppSecret
managed: aadProfile.?aadProfileManaged
enableAzureRBAC: aadProfile.?aadProfileEnableAzureRBAC
adminGroupObjectIDs: aadProfile.?aadProfileAdminGroupObjectIDs
tenantID: aadProfile.?aadProfileTenantId
} : null
autoScalerProfile: {
'balance-similar-node-groups': toLower(string(autoScalerProfileBalanceSimilarNodeGroups))
expander: autoScalerProfileExpander
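Review bot: `tenantID: aadProfile.?aadProfileTenantId` silently drops the old `subscription().tenantId` default, so a caller who migrates to the new object and omits the tenant now sends null where the previous version sent the deploying subscription's tenant. If the intent is to keep that behaviour, write `tenantID: aadProfile.?aadProfileTenantId ?? subscription().tenantId`; if the intent is to rely on the service's own default, state that in the `aadProfileTenantId` description so the change is deliberate rather than accidental. The `!empty(aadProfile) ? { ... } : null` guard itself is the usual AVM pattern for a nullable object parameter and is correct; the `.?` accessors inside the already-guarded branch are redundant but harmless.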
@@ -1356,3 +1337,26 @@ type istioServiceMeshCertificateAuthorityType = {
@description('Required. Root certificate object name in Azure Key Vault.')
rootCertObjectName: string
}?

type aadProfileType = {
@description('Optional. The client AAD application ID.')
aadProfileClientAppID: string?

@description('Optional. The server AAD application ID.')
aadProfileServerAppID: string?

@description('Optional. The server AAD application secret.')
aadProfileServerAppSecret: string?

@description('Required. Specifies whether to enable managed AAD integration.')
aadProfileManaged: bool

@description('Required. Specifies whether to enable Azure RBAC for Kubernetes authorization.')
aadProfileEnableAzureRBAC: bool

@description('Optional. Specifies the AAD group object IDs that will have admin role of the cluster.')
aadProfileAdminGroupObjectIDs: string[]?

@description('Optional. Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication.')
aadProfileTenantId: string?
}?
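Review bot: `aadProfileServerAppSecret: string?` in this type carries no `@secure()` decorator, yet the parameter it replaces carried `#disable-next-line secure-secrets-in-params // Not a secret`, which the earlier hunk removes. Moving the value into a typed property drops the suppression without settling the question: a server application secret is credential material unless documented otherwise, so either decorate the property with `@secure()` or carry the "not a secret" reasoning into its description. Style point on the same type: every property repeats the `aadProfile` prefix, so call sites read `aadProfile.aadProfileManaged` and `aadProfile.aadProfileEnableAzureRBAC`; the other types in this file name properties by role (compare `rootCertObjectName` in `istioServiceMeshCertificateAuthorityType` directly above), and `managed`, `enableAzureRBAC`, `tenantId` would match both that convention and the resource property names they map to.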
145 changes: 77 additions & 68 deletions avm/res/container-service/managed-cluster/main.json
@@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.31.34.60546",
"templateHash": "178765084464759811"
"version": "0.31.92.45157",
"templateHash": "10108574510278935914"
},
"name": "Azure Kubernetes Service (AKS) Managed Clusters",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",
@@ -745,6 +745,62 @@
}
},
"nullable": true
},
"aadProfileType": {
"type": "object",
"properties": {
"aadProfileClientAppID": {
"type": "string",
"nullable": true,
"metadata": {
"description": "Optional. The client AAD application ID."
}
},
"aadProfileServerAppID": {
"type": "string",
"nullable": true,
"metadata": {
"description": "Optional. The server AAD application ID."
}
},
"aadProfileServerAppSecret": {
"type": "string",
"nullable": true,
"metadata": {
"description": "Optional. The server AAD application secret."
}
},
"aadProfileManaged": {
"type": "bool",
"metadata": {
"description": "Required. Specifies whether to enable managed AAD integration."
}
},
"aadProfileEnableAzureRBAC": {
"type": "bool",
"metadata": {
"description": "Required. Specifies whether to enable Azure RBAC for Kubernetes authorization."
}
},
"aadProfileAdminGroupObjectIDs": {
"type": "array",
"items": {
"type": "string"
},
"nullable": true,
"metadata": {
"description": "Optional. Specifies the AAD group object IDs that will have admin role of the cluster."
}
},
"aadProfileTenantId": {
"type": "string",
"nullable": true,
"metadata": {
"description": "Optional. Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication."
}
}
},
"nullable": true
}
},
"parameters": {
@@ -926,56 +982,18 @@
"description": "Optional. Specifies the SSH RSA public key string for the Linux nodes."
}
},
"aksServicePrincipalProfile": {
"type": "object",
"aadProfile": {
"$ref": "#/definitions/aadProfileType",
"nullable": true,
"metadata": {
"description": "Conditional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster."
"description": "Optional. Enable Azure Active Directory integration."
}
},
"aadProfileClientAppID": {
"type": "string",
"nullable": true,
"metadata": {
"description": "Optional. The client AAD application ID."
}
},
"aadProfileServerAppID": {
"type": "string",
"nullable": true,
"metadata": {
"description": "Optional. The server AAD application ID."
}
},
"aadProfileServerAppSecret": {
"type": "string",
"nullable": true,
"metadata": {
"description": "Optional. The server AAD application secret."
}
},
"aadProfileTenantId": {
"type": "string",
"defaultValue": "[subscription().tenantId]",
"metadata": {
"description": "Optional. Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication."
}
},
"aadProfileAdminGroupObjectIDs": {
"type": "array",
"items": {
"type": "string"
},
"aksServicePrincipalProfile": {
"type": "object",
"nullable": true,
"metadata": {
"description": "Optional. Specifies the AAD group object IDs that will have admin role of the cluster."
}
},
"aadProfileManaged": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Optional. Specifies whether to enable managed AAD integration."
"description": "Conditional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster."
}
},
"enableRBAC": {
@@ -985,13 +1003,6 @@
"description": "Optional. Whether to enable Kubernetes Role-Based Access Control."
}
},
"aadProfileEnableAzureRBAC": {
"type": "bool",
"defaultValue": "[parameters('enableRBAC')]",
"metadata": {
"description": "Optional. Specifies whether to enable Azure RBAC for Kubernetes authorization."
}
},
"disableLocalAccounts": {
"type": "bool",
"defaultValue": true,
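Review bot: deleting the `aadProfileEnableAzureRBAC` parameter also deletes its `"defaultValue": "[parameters('enableRBAC')]"`, so Azure RBAC for Kubernetes authorization is no longer coupled to `enableRBAC`; it is now a required boolean inside `aadProfile` that the caller sets independently. That is a defensible design, but the `enableRBAC` description in the unchanged context above still reads as the single RBAC switch for the cluster. Update it to say that Kubernetes RBAC and Azure RBAC are now configured separately, the latter via `aadProfile.aadProfileEnableAzureRBAC`, so a caller setting `enableRBAC: true` alone does not assume Azure RBAC came with it.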
@@ -1678,7 +1689,10 @@
"apiVersion": "2023-02-01",
"subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]",
"resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]",
"name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]"
"name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]",
"dependsOn": [
"cMKKeyVault"
]
},
"avmTelemetry": {
"condition": "[parameters('enableTelemetry')]",
@@ -1803,15 +1817,7 @@
}
},
"publicNetworkAccess": "[parameters('publicNetworkAccess')]",
"aadProfile": {
"clientAppID": "[parameters('aadProfileClientAppID')]",
"serverAppID": "[parameters('aadProfileServerAppID')]",
"serverAppSecret": "[parameters('aadProfileServerAppSecret')]",
"managed": "[parameters('aadProfileManaged')]",
"enableAzureRBAC": "[parameters('aadProfileEnableAzureRBAC')]",
"adminGroupObjectIDs": "[parameters('aadProfileAdminGroupObjectIDs')]",
"tenantID": "[parameters('aadProfileTenantId')]"
},
"aadProfile": "[if(not(empty(parameters('aadProfile'))), createObject('clientAppID', tryGet(parameters('aadProfile'), 'aadProfileClientAppID'), 'serverAppID', tryGet(parameters('aadProfile'), 'aadProfileServerAppID'), 'serverAppSecret', tryGet(parameters('aadProfile'), 'aadProfileServerAppSecret'), 'managed', tryGet(parameters('aadProfile'), 'aadProfileManaged'), 'enableAzureRBAC', tryGet(parameters('aadProfile'), 'aadProfileEnableAzureRBAC'), 'adminGroupObjectIDs', tryGet(parameters('aadProfile'), 'aadProfileAdminGroupObjectIDs'), 'tenantID', tryGet(parameters('aadProfile'), 'aadProfileTenantId')), null())]",
"autoScalerProfile": {
"balance-similar-node-groups": "[toLower(string(parameters('autoScalerProfileBalanceSimilarNodeGroups')))]",
"expander": "[parameters('autoScalerProfileExpander')]",
@@ -2005,8 +2011,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.31.34.60546",
"templateHash": "3191846535289543816"
"version": "0.31.92.45157",
"templateHash": "17300977997310482979"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations.",
@@ -2202,8 +2208,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.31.34.60546",
"templateHash": "13504241837980660061"
"version": "0.31.92.45157",
"templateHash": "10548754747426289718"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.",
@@ -2552,7 +2558,10 @@
"vmSize": "[parameters('vmSize')]",
"vnetSubnetID": "[parameters('vnetSubnetResourceId')]",
"workloadRuntime": "[parameters('workloadRuntime')]"
}
},
"dependsOn": [
"managedCluster"
]
}
},
"outputs": {
@@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.31.34.60546",
"templateHash": "3191846535289543816"
"version": "0.31.92.45157",
"templateHash": "17300977997310482979"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations.",
@@ -45,6 +45,10 @@ module testDeployment '../../../main.bicep' = [
enableSecretRotation: true
kedaAddon: true
kubernetesVersion: '1.28'
aadProfile: {
aadProfileEnableAzureRBAC: true
aadProfileManaged: true
}
maintenanceConfigurations: [
{
name: 'aksManagedAutoUpgradeSchedule'
@@ -76,6 +76,10 @@ module testDeployment '../../../main.bicep' = [
params: {
location: resourceLocation
name: '${namePrefix}${serviceShort}001'
aadProfile: {
aadProfileEnableAzureRBAC: true
aadProfileManaged: true
}
primaryAgentPoolProfiles: [
{
availabilityZones: [
@@ -50,6 +50,10 @@ module testDeployment '../../../main.bicep' = [
mode: 'System'
}
]
aadProfile: {
aadProfileEnableAzureRBAC: true
aadProfileManaged: true
}
}
}
]
@@ -52,6 +52,10 @@ module testDeployment '../../../main.bicep' = [
params: {
name: '${namePrefix}${serviceShort}001'
location: resourceLocation
aadProfile: {
aadProfileEnableAzureRBAC: true
aadProfileManaged: true
}
managedIdentities: {
systemAssigned: true
}
@@ -177,6 +177,10 @@ module testDeployment '../../../main.bicep' = [
Environment: 'Non-Prod'
Role: 'DeploymentValidation'
}
aadProfile: {
aadProfileEnableAzureRBAC: true
aadProfileManaged: true
}
}
dependsOn: [
nestedDependencies
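Review bot: all five test deployments in this diff add the same `aadProfile: { aadProfileEnableAzureRBAC: true, aadProfileManaged: true }` block, so no test exercises the path this PR exists to add, a cluster deployed with `aadProfile` omitted. A green pipeline badge therefore proves only that the managed-AAD branch still works. Leave at least one test (the defaults test is the natural candidate) without the block so the pipeline shows that the `null` branch of `aadProfile: !empty(aadProfile) ? { ... } : null` actually deploys, in particular together with the module's unchanged `disableLocalAccounts` default of true.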