diff --git a/examples/kubernetes/monitoring-log-analytics/main.tf b/examples/kubernetes/monitoring-log-analytics/main.tf
index 75b80c351322..740d9225a68d 100644
--- a/examples/kubernetes/monitoring-log-analytics/main.tf
+++ b/examples/kubernetes/monitoring-log-analytics/main.tf
@@ -44,6 +44,7 @@ resource "azurerm_kubernetes_cluster" "example" {
 }
 
 oms_agent {
- log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
+ log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
+ msi_auth_for_monitoring_enabled = true
 }
 }
diff --git a/internal/services/containers/kubernetes_addons.go b/internal/services/containers/kubernetes_addons.go
index 7c8fb75bf87a..89c151446312 100644
--- a/internal/services/containers/kubernetes_addons.go
+++ b/internal/services/containers/kubernetes_addons.go
@@ -115,6 +115,10 @@ func schemaKubernetesAddOns() map[string]*pluginsdk.Schema {
 Required: true,
 ValidateFunc: workspaces.ValidateWorkspaceID,
 },
+ "msi_auth_for_monitoring_enabled": {
+ Type: pluginsdk.TypeBool,
+ Optional: true,
+ },
 "oms_agent_identity": {
 Type: pluginsdk.TypeList,
 Computed: true,
@@ -318,6 +322,10 @@ func expandKubernetesAddOns(d *pluginsdk.ResourceData, input map[string]interfac
 config["logAnalyticsWorkspaceResourceID"] = lawid.ID()
 }
 
+ if useAADAuth, ok := value["msi_auth_for_monitoring_enabled"].(bool); ok {
+ config["useAADAuth"] = fmt.Sprintf("%t", useAADAuth)
+ }
+
 addonProfiles[omsAgentKey] = managedclusters.ManagedClusterAddonProfile{
 Enabled: true,
 Config: &config,
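Review bot: The new `"msi_auth_for_monitoring_enabled"` schema entry carries neither a `Default` nor a `Description`, so nothing in the schema says what the flag switches on, and a plan against an imported cluster that already has AAD auth enabled will show an unexplained change to `false`. Adding `Default: false,` makes the implicit value explicit, and `Description: "Whether the monitoring agent authenticates with the cluster's managed identity (AAD)",` records the security-relevant meaning next to the definition. The documentation hunks further down say only "Is managed identity authentication for monitoring enabled?"; they should also state that the attribute is optional, defaults to `false`, and — as the acceptance fixture in this diff suggests — is used together with an `identity` block on the cluster.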
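Review bot: The `.(bool)` assertion on `value["msi_auth_for_monitoring_enabled"]` presumably also succeeds for the SDK's zero value, so `useAADAuth` is written into the addon config as `"false"` on every apply, including for configurations that never mention the attribute; for a cluster on which AAD auth was enabled outside Terraform that silently moves the agent back to the non-identity path on the next apply, which deserves a changelog or upgrade note if it is intended. `fmt.Sprintf("%t", useAADAuth)` is better spelled `strconv.FormatBool(useAADAuth)`, since reflective formatting adds nothing here (import `strconv` if the file does not already). expandKubernetesAddOns begins before and continues past this hunk.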
@@ -489,17 +497,24 @@ func flattenKubernetesAddOns(profile map[string]managedclusters.ManagedClusterAd
 omsAgent := kubernetesAddonProfileLocate(profile, omsAgentKey)
 if enabled := omsAgent.Enabled; enabled {
 workspaceID := ""
+ useAADAuth := false
+
 if v := kubernetesAddonProfilelocateInConfig(omsAgent.Config, "logAnalyticsWorkspaceResourceID"); v != "" {
 if lawid, err := workspaces.ParseWorkspaceID(v); err == nil {
 workspaceID = lawid.ID()
 }
 }
 
+ if v := kubernetesAddonProfilelocateInConfig(omsAgent.Config, "useAADAuth"); v != "false" && v != "" {
+ useAADAuth = true
+ }
+
 omsAgentIdentity := flattenKubernetesClusterAddOnIdentityProfile(omsAgent.Identity)
 
 omsAgents = append(omsAgents, map[string]interface{}{
- "log_analytics_workspace_id": workspaceID,
- "oms_agent_identity": omsAgentIdentity,
+ "log_analytics_workspace_id": workspaceID,
+ "msi_auth_for_monitoring_enabled": useAADAuth,
+ "oms_agent_identity": omsAgentIdentity,
 })
 }
 
diff --git a/internal/services/containers/kubernetes_cluster_addons_resource_test.go b/internal/services/containers/kubernetes_cluster_addons_resource_test.go
index 6356739d12a8..3610ca3f6d76 100644
--- a/internal/services/containers/kubernetes_cluster_addons_resource_test.go
+++ b/internal/services/containers/kubernetes_cluster_addons_resource_test.go
@@ -87,6 +87,21 @@ func TestAccKubernetesCluster_addonProfileOMS(t *testing.T) {
 })
 }
 
+func TestAccKubernetesCluster_addonProfileOMSWithMSI(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test")
+ r := KubernetesClusterResource{}
+
+ data.ResourceTest(t, r, []acceptance.TestStep{
+ {
+ Config: r.addonProfileOMSConfigWithMSI(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep(),
+ })
+}
+
 func TestAccKubernetesCluster_addonProfileOMSToggle(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test")
 r := KubernetesClusterResource{}
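Review bot: `v != "false" && v != ""` treats every non-empty value other than the exact lowercase string `false` as enabled, so if the service ever echoes `False`, `0` or something unexpected back, state would report AAD auth as on when it is not — a misleading answer on a setting that governs how the agent authenticates. Parsing the value instead, `if b, err := strconv.ParseBool(v); err == nil { useAADAuth = b }` inside a `v != ""` guard (`strconv` would need importing), reflects what Azure actually returned and leaves the flag `false` for anything unparseable. The identical check appears in the kubernetes_cluster_data_source.go hunk below and should change the same way. flattenKubernetesAddOns starts before and ends after this hunk.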
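Review bot: TestAccKubernetesCluster_addonProfileOMSWithMSI asserts only `ExistsInAzure`, so it passes even if `useAADAuth` were never sent or never read back; only the following `ImportStep` implicitly compares the attribute. Adding `check.That(data.ResourceName).Key("oms_agent.0.msi_auth_for_monitoring_enabled").HasValue("true"),` beside the `ExistsInAzure` check pins the round trip explicitly, and a second step that sets the value back to `false` would cover the direction the expand path now always writes.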
@@ -509,6 +524,69 @@ resource "azurerm_kubernetes_cluster" "test" {
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger)
 }
 
+func (KubernetesClusterResource) addonProfileOMSConfigWithMSI(data acceptance.TestData) string {
+ return fmt.Sprintf(`
+provider "azurerm" {
+ features {}
+}
+
+resource "azurerm_resource_group" "test" {
+ name = "acctestRG-aks-%d"
+ location = "%s"
+}
+
+resource "azurerm_log_analytics_workspace" "test" {
+ name = "acctest-%d"
+ location = azurerm_resource_group.test.location
+ resource_group_name = azurerm_resource_group.test.name
+ sku = "PerGB2018"
+}
+
+resource "azurerm_log_analytics_solution" "test" {
+ solution_name = "ContainerInsights"
+ location = azurerm_resource_group.test.location
+ resource_group_name = azurerm_resource_group.test.name
+ workspace_resource_id = azurerm_log_analytics_workspace.test.id
+ workspace_name = azurerm_log_analytics_workspace.test.name
+
+ plan {
+ publisher = "Microsoft"
+ product = "OMSGallery/ContainerInsights"
+ }
+}
+
+resource "azurerm_kubernetes_cluster" "test" {
+ name = "acctestaks%d"
+ location = azurerm_resource_group.test.location
+ resource_group_name = azurerm_resource_group.test.name
+ dns_prefix = "acctestaks%d"
+
+ linux_profile {
+ admin_username = "acctestuser%d"
+
+ ssh_key {
+ key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqaZoyiz1qbdOQ8xEf6uEu1cCwYowo5FHtsBhqLoDnnp7KUTEBN+L2NxRIfQ781rxV6Iq5jSav6b2Q8z5KiseOlvKA/RF2wqU0UPYqQviQhLmW6THTpmrv/YkUCuzxDpsH7DUDhZcwySLKVVe0Qm3+5N2Ta6UYH3lsDf9R9wTP2K/+vAnflKebuypNlmocIvakFWoZda18FOmsOoIVXQ8HWFNCuw9ZCunMSN62QGamCe3dL5cXlkgHYv7ekJE15IA9aOJcM7e90oeTqo+7HTcWfdu0qQqPWY5ujyMw/llas8tsXY85LFqRnr3gJ02bAscjc477+X+j/gkpFoN1QEmt terraform@demo.tld"
+ }
+ }
+
+ default_node_pool {
+ name = "default"
+ node_count = 1
+ vm_size = "Standard_DS2_v2"
+ }
+
+ oms_agent {
+ log_analytics_workspace_id = azurerm_log_analytics_workspace.test.id
+ msi_auth_for_monitoring_enabled = true
+ }
+
+ identity {
+ type = "SystemAssigned"
+ }
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger)
+}
+
 func (KubernetesClusterResource) addonProfileOMSDisabledConfig(data acceptance.TestData) string {
 return fmt.Sprintf(`
 provider "azurerm" {
diff --git a/internal/services/containers/kubernetes_cluster_data_source.go b/internal/services/containers/kubernetes_cluster_data_source.go
index b55a7ff29412..50429bee4f65 100644
--- a/internal/services/containers/kubernetes_cluster_data_source.go
+++ b/internal/services/containers/kubernetes_cluster_data_source.go
@@ -983,17 +983,24 @@ func flattenKubernetesClusterDataSourceAddOns(profile map[string]managedclusters
 omsAgent := kubernetesAddonProfileLocate(profile, omsAgentKey)
 if enabled := omsAgent.Enabled; enabled {
 workspaceID := ""
+ useAADAuth := false
+
 if v := kubernetesAddonProfilelocateInConfig(omsAgent.Config, "logAnalyticsWorkspaceResourceID"); v != "" {
 if lawid, err := workspaces.ParseWorkspaceID(v); err == nil {
 workspaceID = lawid.ID()
 }
 }
 
+ if v := kubernetesAddonProfilelocateInConfig(omsAgent.Config, "useAADAuth"); v != "false" && v != "" {
+ useAADAuth = true
+ }
+
 omsAgentIdentity := flattenKubernetesClusterAddOnIdentityProfile(omsAgent.Identity)
 
 omsAgents = append(omsAgents, map[string]interface{}{
- "log_analytics_workspace_id": workspaceID,
- "oms_agent_identity": omsAgentIdentity,
+ "log_analytics_workspace_id": workspaceID,
+ "msi_auth_for_monitoring_enabled": useAADAuth,
+ "oms_agent_identity": omsAgentIdentity,
 })
 }
 
diff --git a/website/docs/d/kubernetes_cluster.html.markdown b/website/docs/d/kubernetes_cluster.html.markdown
index 97031973b07e..42f5f85fb578 100644
--- a/website/docs/d/kubernetes_cluster.html.markdown
+++ b/website/docs/d/kubernetes_cluster.html.markdown
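Review bot: addonProfileOMSConfigWithMSI appears to repeat the OMS fixture defined just above it wholesale (resource group, workspace, solution and cluster template) with a single attribute added; that sibling is not fully visible here, but if the text is otherwise identical, one template with a `%t` placeholder for `msi_auth_for_monitoring_enabled`, or a small helper taking the value, would keep the two from drifting apart. Either way a one-line doc comment on the function, `// addonProfileOMSConfigWithMSI is the OMS addon fixture with managed-identity auth for the monitoring agent enabled.`, would tell a reader the intended difference without diffing the two templates.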
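Review bot: The data source flatten now emits a `"msi_auth_for_monitoring_enabled"` key, but no hunk in this diff touches the data source's `oms_agent` schema; unless that block is built from the shared `schemaKubernetesAddOns` (not visible here), setting `oms_agent` with an unknown key will fail at read time, so the data source schema should gain a `Computed` `TypeBool` entry in the same change. The `v != "false" && v != ""` test has the same over-broad reading raised on the kubernetes_addons.go hunk and should be fixed in both places together. flattenKubernetesClusterDataSourceAddOns starts before and continues after this hunk.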
@@ -269,6 +269,8 @@ An `oms_agent` block exports the following:
 
 * `log_analytics_workspace_id` - The ID of the Log Analytics Workspace to which the OMS Agent should send data.
 
+* `msi_auth_for_monitoring_enabled` - Is managed identity authentication for monitoring enabled?
+
 * `oms_agent_identity` - An `oms_agent_identity` block as defined below.
 
 ---
diff --git a/website/docs/r/kubernetes_cluster.html.markdown b/website/docs/r/kubernetes_cluster.html.markdown
index 79dbae9e4600..17e38fd66d86 100644
--- a/website/docs/r/kubernetes_cluster.html.markdown
+++ b/website/docs/r/kubernetes_cluster.html.markdown
@@ -682,6 +682,8 @@ An `oms_agent` block supports the following:
 
 * `log_analytics_workspace_id` - (Required) The ID of the Log Analytics Workspace which the OMS Agent should send data to.
 
+* `msi_auth_for_monitoring_enabled` - Is managed identity authentication for monitoring enabled?
+
 ---
 
 An `ingress_application_gateway` block supports the following: