azurerm_kubernetes_cluster - add managed_cluster_identity s… (#5168)

Address #4506

azurerm/resource_arm_kubernetes_cluster.go

@@ -563,6 +563,34 @@ func resourceArmKubernetesCluster() *schema.Resource {
 				Computed:  true,
 				Sensitive: true,
 			},
+
+			"managed_cluster_identity": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				ForceNew: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"type": {
+							Type:     schema.TypeString,
+							Required: true,
+							ForceNew: true,
+							ValidateFunc: validation.StringInSlice([]string{
+								string(containerservice.None),
+								string(containerservice.SystemAssigned),
+							}, false),
+						},
+						"principal_id": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"tenant_id": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -643,6 +671,9 @@ func resourceArmKubernetesClusterCreate(d *schema.ResourceData, meta interface{}
 
 	enablePodSecurityPolicy := d.Get("enable_pod_security_policy").(bool)
 
+	managedClusterIdentityRaw := d.Get("managed_cluster_identity").([]interface{})
+	managedClusterIdentity := expandKubernetesClusterManagedClusterIdentity(managedClusterIdentityRaw)
+
 	parameters := containerservice.ManagedCluster{
 		Name:     &name,
 		Location: &location,
@@ -661,7 +692,8 @@ func resourceArmKubernetesClusterCreate(d *schema.ResourceData, meta interface{}
 			NodeResourceGroup:           utils.String(nodeResourceGroup),
 			EnablePodSecurityPolicy:     utils.Bool(enablePodSecurityPolicy),
 		},
-		Tags: tags.Expand(t),
+		Identity: managedClusterIdentity,
+		Tags:     tags.Expand(t),
 	}
 
 	future, err := client.CreateOrUpdate(ctx, resGroup, name, parameters)
@@ -795,6 +827,12 @@ func resourceArmKubernetesClusterUpdate(d *schema.ResourceData, meta interface{}
 		existing.ManagedClusterProperties.WindowsProfile = windowsProfile
 	}
 
+	if d.HasChange("managed_cluster_identity") {
+		updateCluster = true
+		managedClusterIdentityRaw := d.Get("managed_cluster_identity").([]interface{})
+		existing.Identity = expandKubernetesClusterManagedClusterIdentity(managedClusterIdentityRaw)
+	}
+
 	if updateCluster {
 		log.Printf("[DEBUG] Updating the Kubernetes Cluster %q (Resource Group %q)..", name, resourceGroup)
 		future, err := clusterClient.CreateOrUpdate(ctx, resourceGroup, name, existing)
@@ -977,6 +1015,10 @@ func resourceArmKubernetesClusterRead(d *schema.ResourceData, meta interface{})
 		}
 	}
 
+	if err := d.Set("managed_cluster_identity", flattenKubernetesClusterManagedClusterIdentity(resp.Identity)); err != nil {
+		return fmt.Errorf("Error setting `managed_cluster_identity`: %+v", err)
+	}
+
 	kubeConfigRaw, kubeConfig := flattenKubernetesClusterAccessProfile(profile)
 	d.Set("kube_config_raw", kubeConfigRaw)
 	if err := d.Set("kube_config", kubeConfig); err != nil {
@@ -1406,6 +1448,17 @@ func expandKubernetesClusterRoleBasedAccessControl(input []interface{}, provider
 	return rbacEnabled, aad
 }
 
+func expandKubernetesClusterManagedClusterIdentity(input []interface{}) *containerservice.ManagedClusterIdentity {
+	if len(input) == 0 || input[0] == nil {
+		return nil
+	}
+	values := input[0].(map[string]interface{})
+
+	return &containerservice.ManagedClusterIdentity{
+		Type: containerservice.ResourceIdentityType(values["type"].(string)),
+	}
+}
+
 func flattenKubernetesClusterRoleBasedAccessControl(input *containerservice.ManagedClusterProperties, d *schema.ResourceData) []interface{} {
 	rbacEnabled := false
 	if input.EnableRBAC != nil {
@@ -1532,3 +1585,25 @@ func flattenKubernetesClusterKubeConfigAAD(config kubernetes.KubeConfigAAD) []in
 		},
 	}
 }
+
+func flattenKubernetesClusterManagedClusterIdentity(input *containerservice.ManagedClusterIdentity) []interface{} {
+	if input == nil {
+		return []interface{}{}
+	}
+
+	identity := make(map[string]interface{})
+
+	identity["principal_id"] = ""
+	if input.PrincipalID != nil {
+		identity["principal_id"] = *input.PrincipalID
+	}
+
+	identity["tenant_id"] = ""
+	if input.TenantID != nil {
+		identity["tenant_id"] = *input.TenantID
+	}
+
+	identity["type"] = string(input.Type)
+
+	return []interface{}{identity}
+}

azurerm/resource_arm_kubernetes_cluster_other_test.go

@@ -323,6 +323,34 @@ func testAccAzureRMKubernetesCluster_windowsProfile(t *testing.T) {
 	})
 }
 
+func testAccAzureRMKubernetesCluster_managedClusterIdentiy(t *testing.T) {
+	resourceName := "azurerm_kubernetes_cluster.test"
+	ri := tf.AccRandTimeInt()
+	clientId := os.Getenv("ARM_CLIENT_ID")
+	clientSecret := os.Getenv("ARM_CLIENT_SECRET")
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMKubernetesClusterDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMKubernetesCluster_managedClusterIdentityConfig(ri, clientId, clientSecret, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKubernetesClusterExists(resourceName),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"service_principal.0.client_secret"},
+			},
+		},
+	})
+}
+
 func testAccAzureRMKubernetesCluster_basicAvailabilitySetConfig(rInt int, clientId string, clientSecret string, location string) string {
 	return fmt.Sprintf(`
 resource "azurerm_resource_group" "test" {
@@ -642,3 +670,35 @@ resource "azurerm_kubernetes_cluster" "test" {
 }
 `, rInt, location, rInt, rInt, rInt, clientId, clientSecret)
 }
+
+func testAccAzureRMKubernetesCluster_managedClusterIdentityConfig(rInt int, clientId string, clientSecret string, location string) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_kubernetes_cluster" "test" {
+  name                = "acctestaks%d"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  dns_prefix          = "acctestaks%d"
+
+  default_node_pool {
+    name       = "default"
+    node_count = 1
+  	type       = "AvailabilitySet"
+    vm_size    = "Standard_DS2_v2"
+  }
+
+  service_principal {
+    client_id     = "%s"
+    client_secret = "%s"
+  }
+
+  managed_cluster_identity {
+    type = "SystemAssigned"
+  }
+}
+`, rInt, location, rInt, rInt, clientId, clientSecret)
+}

azurerm/resource_arm_kubernetes_cluster_test.go

@@ -70,15 +70,16 @@ func TestAccAzureRMKubernetes_all(t *testing.T) {
 			"windowsAndLinux":                testAccAzureRMKubernetesClusterNodePool_windowsAndLinux,
 		},
 		"other": {
-			"basicAvailabilitySet": testAccAzureRMKubernetesCluster_basicAvailabilitySet,
-			"basicVMSS":            testAccAzureRMKubernetesCluster_basicVMSS,
-			"requiresImport":       testAccAzureRMKubernetesCluster_requiresImport,
-			"linuxProfile":         testAccAzureRMKubernetesCluster_linuxProfile,
-			"nodeTaints":           testAccAzureRMKubernetesCluster_nodeTaints,
-			"nodeResourceGroup":    testAccAzureRMKubernetesCluster_nodeResourceGroup,
-			"upgradeConfig":        testAccAzureRMKubernetesCluster_upgrade,
-			"tags":                 testAccAzureRMKubernetesCluster_tags,
-			"windowsProfile":       testAccAzureRMKubernetesCluster_windowsProfile,
+			"basicAvailabilitySet":   testAccAzureRMKubernetesCluster_basicAvailabilitySet,
+			"basicVMSS":              testAccAzureRMKubernetesCluster_basicVMSS,
+			"requiresImport":         testAccAzureRMKubernetesCluster_requiresImport,
+			"linuxProfile":           testAccAzureRMKubernetesCluster_linuxProfile,
+			"nodeTaints":             testAccAzureRMKubernetesCluster_nodeTaints,
+			"nodeResourceGroup":      testAccAzureRMKubernetesCluster_nodeResourceGroup,
+			"upgradeConfig":          testAccAzureRMKubernetesCluster_upgrade,
+			"tags":                   testAccAzureRMKubernetesCluster_tags,
+			"windowsProfile":         testAccAzureRMKubernetesCluster_windowsProfile,
+			"managedClusterIdentity": testAccAzureRMKubernetesCluster_managedClusterIdentiy,
 		},
 		"scaling": {
 			"addAgent":                         testAccAzureRMKubernetesCluster_addAgent,

website/docs/r/kubernetes_cluster.html.markdown

@@ -122,6 +122,8 @@ resource "azurerm_subnet" "virtual" {
 
 * `linux_profile` - (Optional) A `linux_profile` block as defined below.
 
+* `managed_cluster_identity` - (Optional) A `managed_cluster_identity` block as defined below. Changing this forces a new resource to be created.
+
 * `network_profile` - (Optional) A `network_profile` block as defined below.
 
 -> **NOTE:** If `network_profile` is not defined, `kubenet` profile will be used by default.
@@ -283,6 +285,12 @@ A `linux_profile` block supports the following:
 
 ---
 
+A `managed_cluster_identity` block supports the following:
+
+* `type` - The type of identity used for the managed cluster. Valid values are `SystemAssigned` or `None`. 
+
+---
+
 A `network_profile` block supports the following:
 
 * `network_plugin` - (Required) Network plugin to use for networking. Currently supported values are `azure` and `kubenet`. Changing this forces a new resource to be created.
@@ -372,7 +380,7 @@ A `http_application_routing` block exports the following:
 
 ---
 
-The `kube_admin_config` and `kube_config` blocks export the following::
+The `kube_admin_config` and `kube_config` blocks export the following:
 
 * `client_key` - Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.
 
@@ -399,6 +407,14 @@ provider "kubernetes" {
 }
 ```
 
+---
+
+The `managed_cluster_identity` block exports the following: 
+
+* `principal_id` - The principal id of the system assigned identity which is used by master components.
+
+* `tenant_id` - The tenant id of the system assigned identity which is used by master components.
+
 ## Import
 
 Managed Kubernetes Clusters can be imported using the `resource id`, e.g.