diff --git a/Dockerfile b/Dockerfile
index 5131a64e..0a2591f1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-ARG TERRAFORM_VERSION=1.7.3
+ARG TERRAFORM_VERSION=1.8.2
 ARG AZURECLI_VERSION=2.59.0
 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform
diff --git a/README.md b/README.md
index 578668fc..49b415c9 100644
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ This project supports two options for running Terraform scripts:
 Access to an **Azure Subscription** and an [**Identity**](./docs/user/TerraformAzureAuthentication.md) with the *Contributor* role are required.
 #### Terraform Requirements:
-- [Terraform](https://www.terraform.io/downloads.html) - v1.7.3
+- [Terraform](https://www.terraform.io/downloads.html) - v1.8.2
 - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.28.7
 - [jq](https://stedolan.github.io/jq/) - v1.6
 - [Azure CLI](https://docs.microsoft.com/en-us/cli/azure) - (optional - useful as an alternative to the Azure Portal) - v2.59.0
diff --git a/container-structure-test.yaml b/container-structure-test.yaml
index 0ad03445..f513c3d8 100644
--- a/container-structure-test.yaml
+++ b/container-structure-test.yaml
@@ -17,7 +17,7 @@ commandTests:
 - name: "terraform version"
 command: "terraform"
 args: ["--version"]
- expectedOutput: ["Terraform v1.7.3"]
+ expectedOutput: ["Terraform v1.8.2"]
 - name: "python version"
 command: "python3"
 args: ["--version"]
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index 0347f1db..9b6d247a 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -8,6 +8,7 @@ Supported configuration variables are listed in the tables below. All variables
 - [Table of Contents](#table-of-contents)
 - [Required Variables](#required-variables)
 - [Azure Authentication](#azure-authentication)
+ - [Role Based Access Control](#role-based-access-control)
 - [Admin Access](#admin-access)
 - [Security](#security)
 - [Networking](#networking)
@@ -53,6 +54,20 @@ For details on how to retrieve that information, see [Azure Help Topics](./user/
 For recommendations on how to set these variables in your environment, see [Authenticating Terraform to Access Azure](./user/TerraformAzureAuthentication.md).
+## Role Based Access Control
+
+The ability to manage RBAC for Kubernetes resources from Azure gives you the choice to manage RBAC for the cluster resources either using Azure or native Kubernetes mechanisms. For details see [Azure role-based access control](https://docs.microsoft.com/en-us/azure/aks/concepts-identity#azure-rbac-for-kubernetes-authorization).
+
+Following are the possible ways to configure Authentication and Authorization in an AKS cluster:
+1. Authentication using local accounts with Kubernetes RBAC. This is traditionally used and current default, see details [here](https://learn.microsoft.com/en-us/azure/aks/concepts-identity#kubernetes-rbac)
+2. Microsoft Entra authentication with Kubernetes RBAC. See details [here](https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac)
+
+| Name | Description | Type | Default |
+| :--- | ---: | ---: | ---: |
+| rbac_aad_enabled | Enables Azure Active Directory integration with Kubernetes RBAC. | bool | false |
+| rbac_aad_admin_group_object_ids | A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster. | list(string) | null |
+| rbac_aad_tenant_id | (Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.| string | |
+
 ## Admin Access
 By default, the public endpoints of the Azure resources that are being created
diff --git a/docs/images/viya4-iac-azure-diag.png b/docs/images/viya4-iac-azure-diag.png
index cfa84d5f..1d020c67 100644
Binary files a/docs/images/viya4-iac-azure-diag.png and b/docs/images/viya4-iac-azure-diag.png differ
diff --git a/main.tf b/main.tf
index 37825c4c..28ee7a23 100644
--- a/main.tf
+++ b/main.tf
@@ -167,6 +167,9 @@ module "aks" {
 aks_uai_id = local.aks_uai_id
 client_id = var.client_id
 client_secret = var.client_secret
+ rbac_aad_tenant_id = var.rbac_aad_tenant_id
+ rbac_aad_enabled = var.rbac_aad_enabled
+ rbac_aad_admin_group_object_ids = var.rbac_aad_admin_group_object_ids
 aks_private_cluster = var.cluster_api_mode == "private" ? true : false
 depends_on = [module.vnet]
 }
diff --git a/modules/azure_aks/main.tf b/modules/azure_aks/main.tf
index dd6cbef8..c186b26b 100644
--- a/modules/azure_aks/main.tf
+++ b/modules/azure_aks/main.tf
@@ -52,6 +52,16 @@ resource "azurerm_kubernetes_cluster" "aks" {
 }
 }
+ dynamic "azure_active_directory_role_based_access_control" {
+ for_each = var.rbac_aad_enabled ? [1] : []
+ content {
+ managed = true
+ tenant_id = var.rbac_aad_tenant_id
+ admin_group_object_ids = var.rbac_aad_admin_group_object_ids
+ azure_rbac_enabled = false
+ }
+ }
+
 default_node_pool {
 name = "system"
 vm_size = var.aks_cluster_node_vm_size
diff --git a/modules/azure_aks/outputs.tf b/modules/azure_aks/outputs.tf
index a067abf9..10055557 100644
--- a/modules/azure_aks/outputs.tf
+++ b/modules/azure_aks/outputs.tf
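Review bot: The new dynamic block in modules/azure_aks/main.tf hard-codes `azure_rbac_enabled = false` and `managed = true` without a comment, while the CONFIG-VARS.md hunk in this same commit tells users they get "the choice ... either using Azure or native Kubernetes mechanisms", which this block does not offer; add `# Entra is used for authentication only; authorization stays with Kubernetes RBAC, so azure_rbac_enabled is deliberately false.` above the content block. When rbac_aad_enabled is true and rbac_aad_admin_group_object_ids is left at its null default, no Entra principal is cluster-admin and the only administrative path is the local admin credential that the outputs.tf hunks now expose, which quietly defeats the integration. A precondition on the resource turns that combination into a plan-time error; a variable validation cannot see another variable under the ">= 1.8.0" required_version this commit sets. The resource block starts and ends outside the hunk, so merge this into any lifecycle block it already has.
```hcl
  # … unchanged: azure_active_directory_role_based_access_control and default_node_pool blocks …
  lifecycle {
    precondition {
      condition     = !var.rbac_aad_enabled || try(length(var.rbac_aad_admin_group_object_ids), 0) > 0
      error_message = "rbac_aad_admin_group_object_ids must list at least one Entra group object ID when rbac_aad_enabled is true."
    }
  }
```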
@@ -2,15 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 output "client_key" {
- value = azurerm_kubernetes_cluster.aks.kube_config[0].client_key
+ value = var.rbac_aad_enabled ? azurerm_kubernetes_cluster.aks.kube_admin_config[0].client_key : azurerm_kubernetes_cluster.aks.kube_config[0].client_key
 }
 output "client_certificate" {
- value = azurerm_kubernetes_cluster.aks.kube_config[0].client_certificate
+ value = var.rbac_aad_enabled ? azurerm_kubernetes_cluster.aks.kube_admin_config[0].client_certificate : azurerm_kubernetes_cluster.aks.kube_config[0].client_certificate
 }
 output "cluster_ca_certificate" {
- value = azurerm_kubernetes_cluster.aks.kube_config[0].cluster_ca_certificate
+ value = var.rbac_aad_enabled ? azurerm_kubernetes_cluster.aks.kube_admin_config[0].cluster_ca_certificate : azurerm_kubernetes_cluster.aks.kube_config[0].cluster_ca_certificate
 }
 output "cluster_username" {
@@ -18,7 +18,7 @@ output "cluster_username" {
 }
 output "cluster_password" {
- value = azurerm_kubernetes_cluster.aks.kube_config[0].password
+ value = var.rbac_aad_enabled ? azurerm_kubernetes_cluster.aks.kube_admin_config[0].password : azurerm_kubernetes_cluster.aks.kube_config[0].password
 }
 output "kube_config" {
diff --git a/modules/azure_aks/variables.tf b/modules/azure_aks/variables.tf
index 60882508..c9a2f584 100644
--- a/modules/azure_aks/variables.tf
+++ b/modules/azure_aks/variables.tf
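Review bot: With rbac_aad_enabled set, client_key, client_certificate and cluster_ca_certificate here, and cluster_password in the second hunk of this file, all come from kube_admin_config, which is the cluster-local admin credential that bypasses Entra sign-in and the admin-group scoping this commit adds, so enabling the integration does not change the identity the project's tooling authenticates as. That may be deliberate (presumably kube_config no longer carries a client certificate once Entra is on), but the file should say so: `# With Entra enabled the automation still uses the local admin credential; kube_config would require an interactive Entra login.` above the first output. kube_admin_config is only populated while local accounts stay enabled, so if local_account_disabled were ever set on the cluster (not visible in this diff) each `[0]` index here fails instead of yielding an empty value. The output blocks as shown also carry no `sensitive = true` although client_key and password are secret material, so they are printed unredacted wherever the root module surfaces them.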
@@ -22,6 +22,24 @@ variable "aks_cluster_location" {
 default = "eastus"
 }
+variable "rbac_aad_enabled" {
+ type = bool
+ description = "Enables Azure Active Directory integration with Kubernetes RBAC."
+ default = false
+}
+
+variable "rbac_aad_admin_group_object_ids" {
+ type = list(string)
+ description = "A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster."
+ default = null
+}
+
+variable "rbac_aad_tenant_id" {
+ type = string
+ description = "(Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used."
+ default = null
+}
+
 variable "aks_cluster_sku_tier" {
 description = "The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free"
 type = string
diff --git a/variables.tf b/variables.tf
index dfbc8e17..445100fb 100644
--- a/variables.tf
+++ b/variables.tf
@@ -58,6 +58,25 @@ variable "location" {
 default = "eastus"
 }
+## Azure AD
+variable "rbac_aad_enabled" {
+ type = bool
+ description = "Enables Azure Active Directory integration with Kubernetes RBAC."
+ default = false
+}
+
+variable "rbac_aad_admin_group_object_ids" {
+ type = list(string)
+ description = "A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster."
+ default = null
+}
+
+variable "rbac_aad_tenant_id" {
+ type = string
+ description = "(Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used."
+ default = null
+}
+
 variable "aks_cluster_sku_tier" {
 description = "The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free"
 type = string
diff --git a/versions.tf b/versions.tf
index 3e1f5097..2c62cbbe 100644
--- a/versions.tf
+++ b/versions.tf
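Review bot: rbac_aad_admin_group_object_ids in modules/azure_aks/variables.tf accepts any list of strings, so a mistyped or non-GUID entry is only rejected by the Azure API partway through cluster creation; a validation block rejects it at plan time, and rbac_aad_tenant_id deserves the same format check when non-null. The identical definitions are repeated in the variables.tf hunk on this line and should carry the same validation so the root module fails before the module call. Keep the checks per-variable: under the ">= 1.8.0" required_version this commit sets, a validation block cannot reference rbac_aad_enabled, so requiring a non-empty list when the integration is on has to live in a precondition on the resource. The `## Azure AD` comment exists only in the root copy; adding it to the module copy keeps the two files aligned.
```hcl
variable "rbac_aad_admin_group_object_ids" {
  type        = list(string)
  description = "A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster."
  default     = null

  validation {
    # alltrue([]) is true, so a null/empty list still passes; emptiness is checked on the resource.
    condition = alltrue([
      for id in coalesce(var.rbac_aad_admin_group_object_ids, []) :
      can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", id))
    ])
    error_message = "Each entry in rbac_aad_admin_group_object_ids must be an Entra group object ID (GUID)."
  }
}
# … unchanged: rbac_aad_enabled and rbac_aad_tenant_id (same GUID regex applied to var.rbac_aad_tenant_id when it is not null) …
```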
@@ -3,7 +3,7 @@
 terraform {
- required_version = ">= 1.7.3"
+ required_version = ">= 1.8.0"
 required_providers {
 azurerm = {