diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index 56cd9f9a..f5f69438 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -61,10 +61,12 @@ The ability to manage RBAC for Kubernetes resources from Azure gives you the cho
 Following are the possible ways to configure Authentication and Authorization in an AKS cluster:
 1. Authentication using local accounts with Kubernetes RBAC. This is traditionally used and current default, see details [here](https://learn.microsoft.com/en-us/azure/aks/concepts-identity#kubernetes-rbac)
 2. Microsoft Entra authentication with Kubernetes RBAC. See details [here](https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac)
+3. Microsoft Entra authentication with Azure RBAC. See details [here](https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac)
 | Name | Description | Type | Default |
 | :--- | ---: | ---: | ---: |
 | rbac_aad_enabled | Enables Azure Active Directory integration with Kubernetes RBAC. | bool | false |
+| rbac_aad_azure_rbac_enabled | Enables Azure RBAC. If false, Kubernetes RBAC is used. Only relevant if rbac_aad_enabled is true. | bool | false |
 | rbac_aad_admin_group_object_ids | A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster. | list(string) | null |
 | rbac_aad_tenant_id | (Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.| string | |
diff --git a/main.tf b/main.tf
index 4f47ce6d..5c06ac8c 100644
--- a/main.tf
+++ b/main.tf
@@ -168,6 +168,7 @@ module "aks" {
 client_secret = var.client_secret
 rbac_aad_tenant_id = var.rbac_aad_tenant_id
 rbac_aad_enabled = var.rbac_aad_enabled
+rbac_aad_azure_rbac_enabled = var.rbac_aad_azure_rbac_enabled
 rbac_aad_admin_group_object_ids = var.rbac_aad_admin_group_object_ids
 aks_private_cluster = var.cluster_api_mode == "private" ? true : false
 depends_on = [module.vnet]
diff --git a/modules/azure_aks/main.tf b/modules/azure_aks/main.tf
index 744bab97..5369f78d 100644
--- a/modules/azure_aks/main.tf
+++ b/modules/azure_aks/main.tf
@@ -62,7 +62,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
 content {
 tenant_id = var.rbac_aad_tenant_id
 admin_group_object_ids = var.rbac_aad_admin_group_object_ids
-azure_rbac_enabled = false
+azure_rbac_enabled = var.rbac_aad_azure_rbac_enabled
 }
 }
diff --git a/modules/azure_aks/variables.tf b/modules/azure_aks/variables.tf
index 3580aed0..6b2c755b 100644
--- a/modules/azure_aks/variables.tf
+++ b/modules/azure_aks/variables.tf
@@ -24,7 +24,13 @@ variable "aks_cluster_location" {
 variable "rbac_aad_enabled" {
 type = bool
-description = "Enables Azure Active Directory integration with Kubernetes RBAC."
+description = "Enables Azure Active Directory integration with Kubernetes or Azure RBAC."
+default = false
+}
+
+variable "rbac_aad_azure_rbac_enabled" {
+type = bool
+description = "Enables Azure RBAC. If false, Kubernetes RBAC is used. Only relevant if rbac_aad_enabled is true."
 default = false
 }
@@ -40,6 +46,7 @@ variable "rbac_aad_tenant_id" {
 default = null
 }
+
 variable "aks_cluster_sku_tier" {
 description = "The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free"
 type = string
diff --git a/variables.tf b/variables.tf
index d8ccd296..cda32167 100644
--- a/variables.tf
+++ b/variables.tf
@@ -61,7 +61,13 @@ variable "location" {
 ## Azure AD
 variable "rbac_aad_enabled" {
 type = bool
-description = "Enables Azure Active Directory integration with Kubernetes RBAC."
+description = "Enables Azure Active Directory integration with Kubernetes or Azure RBAC."
+default = false
+}
+
+variable "rbac_aad_azure_rbac_enabled" {
+type = bool
+description = "Enables Azure RBAC. If false, Kubernetes RBAC is used. Only relevant if rbac_aad_enabled is true."
 default = false
 }
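Review bot: Nothing enforces the "only relevant if rbac_aad_enabled is true" caveat that the new variable descriptions state, so an operator who sets `rbac_aad_azure_rbac_enabled = true` while leaving `rbac_aad_enabled` at its default gets no plan-time signal and the cluster silently stays on local accounts with Kubernetes RBAC; the new `azure_rbac_enabled = var.rbac_aad_azure_rbac_enabled` line sits inside a `content` block whose `dynamic` header and the enclosing `azurerm_kubernetes_cluster` resource start outside this hunk, and from the surrounding lines it looks like that block is only rendered when AAD integration is on. The same gap applies to the `rbac_aad_azure_rbac_enabled` declarations in the modules/azure_aks/variables.tf and variables.tf hunks. A `lifecycle` precondition on the cluster resource (Terraform 1.2+, if the project's `required_version` allows it) makes the misconfiguration fail at plan time instead. It is also worth stating in the variable description that, as far as I recall of AKS behaviour, the groups in `admin_group_object_ids` on the line above keep cluster-admin through Kubernetes RBAC even when Azure RBAC is switched on, so enabling this flag does not by itself narrow that grant, e.g. `description = "Enables Azure RBAC. If false, Kubernetes RBAC is used. Only relevant if rbac_aad_enabled is true. Admin groups listed in rbac_aad_admin_group_object_ids retain cluster-admin either way."`.
```hcl
resource "azurerm_kubernetes_cluster" "aks" {
  # … unchanged: cluster arguments and the azure_active_directory_role_based_access_control dynamic block …

  lifecycle {
    precondition {
      condition     = !var.rbac_aad_azure_rbac_enabled || var.rbac_aad_enabled
      error_message = "rbac_aad_azure_rbac_enabled = true has no effect unless rbac_aad_enabled = true; set both or neither."
    }
  }
}
```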