AKS: Use managed identities instead of service principals by default

kbst · Mar 13, 2021 · 3e9ffb7 · 3e9ffb7
1 parent c6ce5bb
commit 3e9ffb7
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 25 deletions.
diff --git a/azurerm/_modules/aks/main.tf b/azurerm/_modules/aks/main.tf
@@ -27,24 +27,38 @@ resource "azurerm_kubernetes_cluster" "current" {
 
     vm_size         = var.default_node_pool_vm_size
     os_disk_size_gb = var.default_node_pool_os_disk_size_gb
-    
+
     vnet_subnet_id = var.network_plugin == "azure" ? azurerm_subnet.current[0].id : null
     max_pods       = var.max_pods
   }
 
   network_profile {
-    network_plugin      = var.network_plugin
-    network_policy      = var.network_policy
+    network_plugin = var.network_plugin
+    network_policy = var.network_policy
+
+    docker_bridge_cidr = "172.17.0.1/16"
+    service_cidr       = var.service_cidr
+    dns_service_ip     = var.dns_service_ip
+    pod_cidr           = var.network_plugin == "azure" ? null : var.pod_cidr
+  }
+
+  dynamic "identity" {
+    for_each = var.disable_managed_identities == true ? toset([]) : toset([1])
 
-    docker_bridge_cidr  = "172.17.0.1/16"
-    service_cidr        = var.service_cidr
-    dns_service_ip      = var.dns_service_ip
-    pod_cidr            = var.network_plugin == "azure" ? null : var.pod_cidr
+    content {
+      type = var.user_assigned_identity_id == null ? "SystemAssigned" : "UserAssigned"
+
+      user_assigned_identity_id = var.user_assigned_identity_id
+    }
   }
 
-  service_principal {
-    client_id     = azuread_application.current.application_id
-    client_secret = azuread_service_principal_password.current.value
+  dynamic "service_principal" {
+    for_each = var.disable_managed_identities == true ? toset([1]) : toset([])
+
+    content {
+      client_id     = azuread_application.current[0].application_id
+      client_secret = azuread_service_principal_password.current[0].value
+    }
   }
 
   addon_profile {

diff --git a/azurerm/_modules/aks/service_principal.tf b/azurerm/_modules/aks/service_principal.tf
@@ -1,18 +1,26 @@
 resource "azuread_application" "current" {
+  count = var.disable_managed_identities == true ? 1 : 0
+
   display_name = var.metadata_name
 }
 
 resource "azuread_service_principal" "current" {
-  application_id = azuread_application.current.application_id
+  count = var.disable_managed_identities == true ? 1 : 0
+
+  application_id = azuread_application.current[0].application_id
 }
 
 resource "random_string" "password" {
+  count = var.disable_managed_identities == true ? 1 : 0
+
   length  = 64
   special = true
 }
 
 resource "azuread_service_principal_password" "current" {
-  service_principal_id = azuread_service_principal.current.id
-  value                = random_string.password.result
+  count = var.disable_managed_identities == true ? 1 : 0
+
+  service_principal_id = azuread_service_principal.current[0].id
+  value                = random_string.password[0].result
   end_date_relative    = var.service_principal_end_date_relative
 }
diff --git a/azurerm/_modules/aks/variables.tf b/azurerm/_modules/aks/variables.tf
@@ -136,3 +136,15 @@ variable "service_principal_end_date_relative" {
   type        = string
   description = "Relative time in hours for which the service principal password is valid. Defaults to 1 year."
 }
+
+variable "disable_managed_identities" {
+  type        = bool
+  description = "Keep using legacy service principal instead of new managed identities."
+  default     = false
+}
+
+variable "user_assigned_identity_id" {
+  type        = string
+  description = "ID of the UserAssigned identity to use."
+  default     = null
+}
diff --git a/azurerm/cluster/configuration.tf b/azurerm/cluster/configuration.tf
@@ -17,9 +17,9 @@ locals {
 
   dns_prefix = lookup(local.cfg, "dns_prefix", "api")
 
-  vnet_address_space        = split(",", lookup(local.cfg, "vnet_address_space", "10.0.0.0/8"))
-  subnet_address_prefixes   = split(",", lookup(local.cfg, "subnet_address_prefixes", "10.1.0.0/16"))
-  subnet_service_endpoints  = split(",", lookup(local.cfg, "subnet_service_endpoints", ""))
+  vnet_address_space       = split(",", lookup(local.cfg, "vnet_address_space", "10.0.0.0/8"))
+  subnet_address_prefixes  = split(",", lookup(local.cfg, "subnet_address_prefixes", "10.1.0.0/16"))
+  subnet_service_endpoints = split(",", lookup(local.cfg, "subnet_service_endpoints", ""))
 
   network_plugin = lookup(local.cfg, "network_plugin", "kubenet")
   network_policy = lookup(local.cfg, "network_policy", "calico")
@@ -46,4 +46,7 @@ locals {
   disable_default_ingress = lookup(local.cfg, "disable_default_ingress", false)
 
   service_principal_end_date_relative = lookup(local.cfg, "service_principal_end_date_relative", "8766h")
+
+  disable_managed_identities = lookup(local.cfg, "disable_managed_identities", false)
+  user_assigned_identity_id  = lookup(local.cfg, "user_assigned_identity_id", null)
 }
diff --git a/azurerm/cluster/main.tf b/azurerm/cluster/main.tf
@@ -27,16 +27,16 @@ module "cluster" {
 
   dns_prefix = local.dns_prefix
 
-  vnet_address_space        = local.vnet_address_space
-  subnet_address_prefixes   = local.subnet_address_prefixes
-  subnet_service_endpoints  = local.subnet_service_endpoints
+  vnet_address_space       = local.vnet_address_space
+  subnet_address_prefixes  = local.subnet_address_prefixes
+  subnet_service_endpoints = local.subnet_service_endpoints
 
-  network_plugin            = local.network_plugin
-  network_policy            = local.network_policy
-  service_cidr              = local.service_cidr
-  dns_service_ip            = local.dns_service_ip
-  pod_cidr                  = local.pod_cidr
-  max_pods                  = local.max_pods
+  network_plugin = local.network_plugin
+  network_policy = local.network_policy
+  service_cidr   = local.service_cidr
+  dns_service_ip = local.dns_service_ip
+  pod_cidr       = local.pod_cidr
+  max_pods       = local.max_pods
 
   default_node_pool_name = local.default_node_pool_name
   default_node_pool_type = local.default_node_pool_type
@@ -54,4 +54,7 @@ module "cluster" {
   disable_default_ingress = local.disable_default_ingress
 
   service_principal_end_date_relative = local.service_principal_end_date_relative
+
+  disable_managed_identities = local.disable_managed_identities
+  user_assigned_identity_id  = local.user_assigned_identity_id
 }