From 75bf76155fa685e1bfb6408697043ca9f8ebb395 Mon Sep 17 00:00:00 2001
From: "Menghua Chen (MSFT)" <111940661+Menghua1@users.noreply.github.com>
Date: Thu, 12 Dec 2024 06:59:20 +0800
Subject: [PATCH] fix: Update parameters to implement non-AAD integrated
 clusters in Kubernetes (#3828)

## Description
This PR introduces a conditional check for `aadProfile` configuration in
Kubernetes cluster settings. Adds a user-defined type for the
`aadProfile` parameter, and when the `aadProfile` parameter is empty, it
disables AAD (Azure Active Directory). Ensures that AAD integration is
completely skipped when not needed, optimizing resource usage and
configuration complexity.

Requested by the AZD team:
https://github.com/Azure/Azure-Verified-Modules/issues/261, to ensure
consistency with the functionality implemented in the
[aks-managed-cluster.bicep](https://github.com/Azure/azure-dev/blob/main/templates/common/infra/bicep/core/host/aks-managed-cluster.bicep#L81-L85)
file located in infra/core.

<!--
>Thank you for your contribution !
> Please include a summary of the change and which issue is fixed.
> Please also include the context.
> List any dependencies that are required for this change.

Fixes #123
Fixes #456
Closes #123
Closes #456
-->

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.container-service.managed-cluster](https://github.com/Menghua1/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml/badge.svg?branch=fix%2Fadd-aad-profile-conditional)](https://github.com/Menghua1/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

@rajeshkamal5050 for notification.
---
 .../managed-cluster/README.md                 | 281 ++++++++++++++++--
 .../managed-cluster/agent-pool/main.json      |   9 +-
 .../managed-cluster/main.bicep                |  66 ++--
 .../managed-cluster/main.json                 | 145 ++++-----
 .../maintenance-configurations/main.json      |   4 +-
 .../tests/e2e/automatic/main.test.bicep       |   4 +
 .../tests/e2e/azure/main.test.bicep           |   4 +
 .../tests/e2e/defaults/main.test.bicep        |   4 +
 .../tests/e2e/istio/main.test.bicep           |   4 +
 .../tests/e2e/kubenet/main.test.bicep         |   4 +
 .../tests/e2e/non-aad-cluster/main.test.bicep |  57 ++++
 .../tests/e2e/priv/main.test.bicep            |   4 +
 .../tests/e2e/waf-aligned/main.test.bicep     |   4 +
 13 files changed, 458 insertions(+), 132 deletions(-)
 create mode 100644 avm/res/container-service/managed-cluster/tests/e2e/non-aad-cluster/main.test.bicep

diff --git a/avm/res/container-service/managed-cluster/README.md b/avm/res/container-service/managed-cluster/README.md
index 8ff9e062da..df3ae5fcb5 100644
--- a/avm/res/container-service/managed-cluster/README.md
+++ b/avm/res/container-service/managed-cluster/README.md
@@ -37,8 +37,9 @@ The following section provides usage examples for the module, which were used to
 - [Using only defaults](#example-3-using-only-defaults)
 - [Using Istio Service Mesh add-on](#example-4-using-istio-service-mesh-add-on)
 - [Using Kubenet Network Plugin.](#example-5-using-kubenet-network-plugin)
-- [Using Private Cluster.](#example-6-using-private-cluster)
-- [WAF-aligned](#example-7-waf-aligned)
+- [Deploying Non-AAD Cluster](#example-6-deploying-non-aad-cluster)
+- [Using Private Cluster.](#example-7-using-private-cluster)
+- [WAF-aligned](#example-8-waf-aligned)
 
 ### Example 1: _Using only defaults and use AKS Automatic mode_
 
@@ -64,6 +65,10 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       }
     ]
     // Non-required parameters
+    aadProfile: {
+      aadProfileEnableAzureRBAC: true
+      aadProfileManaged: true
+    }
     autoNodeOsUpgradeProfileUpgradeChannel: 'NodeImage'
     disableLocalAccounts: true
     enableKeyvaultSecretsProvider: true
@@ -136,6 +141,12 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       ]
     },
     // Non-required parameters
+    "aadProfile": {
+      "value": {
+        "aadProfileEnableAzureRBAC": true,
+        "aadProfileManaged": true
+      }
+    },
     "autoNodeOsUpgradeProfileUpgradeChannel": {
       "value": "NodeImage"
     },
@@ -234,6 +245,10 @@ param primaryAgentPoolProfiles = [
   }
 ]
 // Non-required parameters
+param aadProfile = {
+  aadProfileEnableAzureRBAC: true
+  aadProfileManaged: true
+}
 param autoNodeOsUpgradeProfileUpgradeChannel = 'NodeImage'
 param disableLocalAccounts = true
 param enableKeyvaultSecretsProvider = true
@@ -318,6 +333,10 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       }
     ]
     // Non-required parameters
+    aadProfile: {
+      aadProfileEnableAzureRBAC: true
+      aadProfileManaged: true
+    }
     agentPools: [
       {
         availabilityZones: [
@@ -575,6 +594,12 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       ]
     },
     // Non-required parameters
+    "aadProfile": {
+      "value": {
+        "aadProfileEnableAzureRBAC": true,
+        "aadProfileManaged": true
+      }
+    },
     "agentPools": {
       "value": [
         {
@@ -886,6 +911,10 @@ param primaryAgentPoolProfiles = [
   }
 ]
 // Non-required parameters
+param aadProfile = {
+  aadProfileEnableAzureRBAC: true
+  aadProfileManaged: true
+}
 param agentPools = [
   {
     availabilityZones: [
@@ -1127,6 +1156,10 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       }
     ]
     // Non-required parameters
+    aadProfile: {
+      aadProfileEnableAzureRBAC: true
+      aadProfileManaged: true
+    }
     location: '<location>'
     managedIdentities: {
       systemAssigned: true
@@ -1162,6 +1195,12 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       ]
     },
     // Non-required parameters
+    "aadProfile": {
+      "value": {
+        "aadProfileEnableAzureRBAC": true,
+        "aadProfileManaged": true
+      }
+    },
     "location": {
       "value": "<location>"
     },
@@ -1195,6 +1234,10 @@ param primaryAgentPoolProfiles = [
   }
 ]
 // Non-required parameters
+param aadProfile = {
+  aadProfileEnableAzureRBAC: true
+  aadProfileManaged: true
+}
 param location = '<location>'
 param managedIdentities = {
   systemAssigned: true
@@ -1228,6 +1271,10 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       }
     ]
     // Non-required parameters
+    aadProfile: {
+      aadProfileEnableAzureRBAC: true
+      aadProfileManaged: true
+    }
     enableKeyvaultSecretsProvider: true
     enableSecretRotation: true
     istioServiceMeshCertificateAuthority: {
@@ -1277,6 +1324,12 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       ]
     },
     // Non-required parameters
+    "aadProfile": {
+      "value": {
+        "aadProfileEnableAzureRBAC": true,
+        "aadProfileManaged": true
+      }
+    },
     "enableKeyvaultSecretsProvider": {
       "value": true
     },
@@ -1336,6 +1389,10 @@ param primaryAgentPoolProfiles = [
   }
 ]
 // Non-required parameters
+param aadProfile = {
+  aadProfileEnableAzureRBAC: true
+  aadProfileManaged: true
+}
 param enableKeyvaultSecretsProvider = true
 param enableSecretRotation = true
 param istioServiceMeshCertificateAuthority = {
@@ -1396,6 +1453,10 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       }
     ]
     // Non-required parameters
+    aadProfile: {
+      aadProfileEnableAzureRBAC: true
+      aadProfileManaged: true
+    }
     agentPools: [
       {
         availabilityZones: [
@@ -1527,6 +1588,12 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       ]
     },
     // Non-required parameters
+    "aadProfile": {
+      "value": {
+        "aadProfileEnableAzureRBAC": true,
+        "aadProfileManaged": true
+      }
+    },
     "agentPools": {
       "value": [
         {
@@ -1666,6 +1733,10 @@ param primaryAgentPoolProfiles = [
   }
 ]
 // Non-required parameters
+param aadProfile = {
+  aadProfileEnableAzureRBAC: true
+  aadProfileManaged: true
+}
 param agentPools = [
   {
     availabilityZones: [
@@ -1758,7 +1829,118 @@ param tags = {
 </details>
 <p>
 
-### Example 6: _Using Private Cluster._
+### Example 6: _Deploying Non-AAD Cluster_
+
+This instance deploys the module with a non-AAD integrated cluster.
+
+
+<details>
+
+<summary>via Bicep module</summary>
+
+```bicep
+module managedCluster 'br/public:avm/res/container-service/managed-cluster:<version>' = {
+  name: 'managedClusterDeployment'
+  params: {
+    // Required parameters
+    name: 'csnonaad001'
+    primaryAgentPoolProfiles: [
+      {
+        count: 3
+        mode: 'System'
+        name: 'systempool'
+        vmSize: 'Standard_DS2_v2'
+      }
+    ]
+    // Non-required parameters
+    aadProfile: '<aadProfile>'
+    disableLocalAccounts: false
+    location: '<location>'
+    managedIdentities: {
+      systemAssigned: true
+    }
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via JSON parameters file</summary>
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    // Required parameters
+    "name": {
+      "value": "csnonaad001"
+    },
+    "primaryAgentPoolProfiles": {
+      "value": [
+        {
+          "count": 3,
+          "mode": "System",
+          "name": "systempool",
+          "vmSize": "Standard_DS2_v2"
+        }
+      ]
+    },
+    // Non-required parameters
+    "aadProfile": {
+      "value": "<aadProfile>"
+    },
+    "disableLocalAccounts": {
+      "value": false
+    },
+    "location": {
+      "value": "<location>"
+    },
+    "managedIdentities": {
+      "value": {
+        "systemAssigned": true
+      }
+    }
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via Bicep parameters file</summary>
+
+```bicep-params
+using 'br/public:avm/res/container-service/managed-cluster:<version>'
+
+// Required parameters
+param name = 'csnonaad001'
+param primaryAgentPoolProfiles = [
+  {
+    count: 3
+    mode: 'System'
+    name: 'systempool'
+    vmSize: 'Standard_DS2_v2'
+  }
+]
+// Non-required parameters
+param aadProfile = '<aadProfile>'
+param disableLocalAccounts = false
+param location = '<location>'
+param managedIdentities = {
+  systemAssigned: true
+}
+```
+
+</details>
+<p>
+
+### Example 7: _Using Private Cluster._
 
 This instance deploys the module with a private cluster instance.
 
@@ -1796,6 +1978,10 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       }
     ]
     // Non-required parameters
+    aadProfile: {
+      aadProfileEnableAzureRBAC: true
+      aadProfileManaged: true
+    }
     agentPools: [
       {
         availabilityZones: [
@@ -1896,6 +2082,12 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       ]
     },
     // Non-required parameters
+    "aadProfile": {
+      "value": {
+        "aadProfileEnableAzureRBAC": true,
+        "aadProfileManaged": true
+      }
+    },
     "agentPools": {
       "value": [
         {
@@ -2008,6 +2200,10 @@ param primaryAgentPoolProfiles = [
   }
 ]
 // Non-required parameters
+param aadProfile = {
+  aadProfileEnableAzureRBAC: true
+  aadProfileManaged: true
+}
 param agentPools = [
   {
     availabilityZones: [
@@ -2068,7 +2264,7 @@ param skuTier = 'Standard'
 </details>
 <p>
 
-### Example 7: _WAF-aligned_
+### Example 8: _WAF-aligned_
 
 This instance deploys the module in alignment with the best-practices of the Well-Architected Framework.
 
@@ -2106,6 +2302,10 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       }
     ]
     // Non-required parameters
+    aadProfile: {
+      aadProfileEnableAzureRBAC: true
+      aadProfileManaged: true
+    }
     agentPools: [
       {
         availabilityZones: [
@@ -2280,6 +2480,12 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       ]
     },
     // Non-required parameters
+    "aadProfile": {
+      "value": {
+        "aadProfileEnableAzureRBAC": true,
+        "aadProfileManaged": true
+      }
+    },
     "agentPools": {
       "value": [
         {
@@ -2486,6 +2692,10 @@ param primaryAgentPoolProfiles = [
   }
 ]
 // Non-required parameters
+param aadProfile = {
+  aadProfileEnableAzureRBAC: true
+  aadProfileManaged: true
+}
 param agentPools = [
   {
     availabilityZones: [
@@ -2640,13 +2850,7 @@ param tags = {
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`aadProfileAdminGroupObjectIDs`](#parameter-aadprofileadmingroupobjectids) | array | Specifies the AAD group object IDs that will have admin role of the cluster. |
-| [`aadProfileClientAppID`](#parameter-aadprofileclientappid) | string | The client AAD application ID. |
-| [`aadProfileEnableAzureRBAC`](#parameter-aadprofileenableazurerbac) | bool | Specifies whether to enable Azure RBAC for Kubernetes authorization. |
-| [`aadProfileManaged`](#parameter-aadprofilemanaged) | bool | Specifies whether to enable managed AAD integration. |
-| [`aadProfileServerAppID`](#parameter-aadprofileserverappid) | string | The server AAD application ID. |
-| [`aadProfileServerAppSecret`](#parameter-aadprofileserverappsecret) | string | The server AAD application secret. |
-| [`aadProfileTenantId`](#parameter-aadprofiletenantid) | string | Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication. |
+| [`aadProfile`](#parameter-aadprofile) | object | Enable Azure Active Directory integration. |
 | [`aciConnectorLinuxEnabled`](#parameter-aciconnectorlinuxenabled) | bool | Specifies whether the aciConnectorLinux add-on is enabled or not. |
 | [`adminUsername`](#parameter-adminusername) | string | Specifies the administrator username of Linux virtual machines. |
 | [`agentPools`](#parameter-agentpools) | array | Define one or more secondary/additional agent pools. |
@@ -3140,57 +3344,78 @@ Specifies the resource ID of connected application gateway. Required if `ingress
 - Required: No
 - Type: string
 
-### Parameter: `aadProfileAdminGroupObjectIDs`
+### Parameter: `aadProfile`
 
-Specifies the AAD group object IDs that will have admin role of the cluster.
+Enable Azure Active Directory integration.
 
 - Required: No
-- Type: array
+- Type: object
 
-### Parameter: `aadProfileClientAppID`
+**Required parameters**
 
-The client AAD application ID.
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`aadProfileEnableAzureRBAC`](#parameter-aadprofileaadprofileenableazurerbac) | bool | Specifies whether to enable Azure RBAC for Kubernetes authorization. |
+| [`aadProfileManaged`](#parameter-aadprofileaadprofilemanaged) | bool | Specifies whether to enable managed AAD integration. |
 
-- Required: No
-- Type: string
+**Optional parameters**
 
-### Parameter: `aadProfileEnableAzureRBAC`
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`aadProfileAdminGroupObjectIDs`](#parameter-aadprofileaadprofileadmingroupobjectids) | array | Specifies the AAD group object IDs that will have admin role of the cluster. |
+| [`aadProfileClientAppID`](#parameter-aadprofileaadprofileclientappid) | string | The client AAD application ID. |
+| [`aadProfileServerAppID`](#parameter-aadprofileaadprofileserverappid) | string | The server AAD application ID. |
+| [`aadProfileServerAppSecret`](#parameter-aadprofileaadprofileserverappsecret) | string | The server AAD application secret. |
+| [`aadProfileTenantId`](#parameter-aadprofileaadprofiletenantid) | string | Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication. |
+
+### Parameter: `aadProfile.aadProfileEnableAzureRBAC`
 
 Specifies whether to enable Azure RBAC for Kubernetes authorization.
 
-- Required: No
+- Required: Yes
 - Type: bool
-- Default: `[parameters('enableRBAC')]`
 
-### Parameter: `aadProfileManaged`
+### Parameter: `aadProfile.aadProfileManaged`
 
 Specifies whether to enable managed AAD integration.
 
-- Required: No
+- Required: Yes
 - Type: bool
-- Default: `True`
 
-### Parameter: `aadProfileServerAppID`
+### Parameter: `aadProfile.aadProfileAdminGroupObjectIDs`
+
+Specifies the AAD group object IDs that will have admin role of the cluster.
+
+- Required: No
+- Type: array
+
+### Parameter: `aadProfile.aadProfileClientAppID`
+
+The client AAD application ID.
+
+- Required: No
+- Type: string
+
+### Parameter: `aadProfile.aadProfileServerAppID`
 
 The server AAD application ID.
 
 - Required: No
 - Type: string
 
-### Parameter: `aadProfileServerAppSecret`
+### Parameter: `aadProfile.aadProfileServerAppSecret`
 
 The server AAD application secret.
 
 - Required: No
 - Type: string
 
-### Parameter: `aadProfileTenantId`
+### Parameter: `aadProfile.aadProfileTenantId`
 
 Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication.
 
 - Required: No
 - Type: string
-- Default: `[subscription().tenantId]`
 
 ### Parameter: `aciConnectorLinuxEnabled`
 
diff --git a/avm/res/container-service/managed-cluster/agent-pool/main.json b/avm/res/container-service/managed-cluster/agent-pool/main.json
index 11965a3fab..8fc50cd76e 100644
--- a/avm/res/container-service/managed-cluster/agent-pool/main.json
+++ b/avm/res/container-service/managed-cluster/agent-pool/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.31.34.60546",
-      "templateHash": "13504241837980660061"
+      "version": "0.31.92.45157",
+      "templateHash": "10548754747426289718"
     },
     "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools",
     "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.",
@@ -355,7 +355,10 @@
         "vmSize": "[parameters('vmSize')]",
         "vnetSubnetID": "[parameters('vnetSubnetResourceId')]",
         "workloadRuntime": "[parameters('workloadRuntime')]"
-      }
+      },
+      "dependsOn": [
+        "managedCluster"
+      ]
     }
   },
   "outputs": {
diff --git a/avm/res/container-service/managed-cluster/main.bicep b/avm/res/container-service/managed-cluster/main.bicep
index 3aecff5f78..fcba83df2b 100644
--- a/avm/res/container-service/managed-cluster/main.bicep
+++ b/avm/res/container-service/managed-cluster/main.bicep
@@ -101,34 +101,15 @@ param adminUsername string = 'azureuser'
 @description('Optional. Specifies the SSH RSA public key string for the Linux nodes.')
 param sshPublicKey string?
 
+@description('Optional. Enable Azure Active Directory integration.')
+param aadProfile aadProfileType?
+
 @description('Conditional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster.')
 param aksServicePrincipalProfile object?
 
-@description('Optional. The client AAD application ID.')
-param aadProfileClientAppID string?
-
-@description('Optional. The server AAD application ID.')
-param aadProfileServerAppID string?
-
-@description('Optional. The server AAD application secret.')
-#disable-next-line secure-secrets-in-params // Not a secret
-param aadProfileServerAppSecret string?
-
-@description('Optional. Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication.')
-param aadProfileTenantId string = subscription().tenantId
-
-@description('Optional. Specifies the AAD group object IDs that will have admin role of the cluster.')
-param aadProfileAdminGroupObjectIDs string[]?
-
-@description('Optional. Specifies whether to enable managed AAD integration.')
-param aadProfileManaged bool = true
-
 @description('Optional. Whether to enable Kubernetes Role-Based Access Control.')
 param enableRBAC bool = true
 
-@description('Optional. Specifies whether to enable Azure RBAC for Kubernetes authorization.')
-param aadProfileEnableAzureRBAC bool = enableRBAC
-
 @description('Optional. If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled.')
 param disableLocalAccounts bool = true
 
@@ -739,15 +720,15 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-03-02-p
       }
     }
     publicNetworkAccess: publicNetworkAccess
-    aadProfile: {
-      clientAppID: aadProfileClientAppID
-      serverAppID: aadProfileServerAppID
-      serverAppSecret: aadProfileServerAppSecret
-      managed: aadProfileManaged
-      enableAzureRBAC: aadProfileEnableAzureRBAC
-      adminGroupObjectIDs: aadProfileAdminGroupObjectIDs
-      tenantID: aadProfileTenantId
-    }
+    aadProfile: !empty(aadProfile) ? {
+      clientAppID: aadProfile.?aadProfileClientAppID
+      serverAppID: aadProfile.?aadProfileServerAppID
+      serverAppSecret: aadProfile.?aadProfileServerAppSecret
+      managed: aadProfile.?aadProfileManaged
+      enableAzureRBAC: aadProfile.?aadProfileEnableAzureRBAC
+      adminGroupObjectIDs: aadProfile.?aadProfileAdminGroupObjectIDs
+      tenantID: aadProfile.?aadProfileTenantId
+    } : null
     autoScalerProfile: {
       'balance-similar-node-groups': toLower(string(autoScalerProfileBalanceSimilarNodeGroups))
       expander: autoScalerProfileExpander
@@ -1356,3 +1337,26 @@ type istioServiceMeshCertificateAuthorityType = {
   @description('Required. Root certificate object name in Azure Key Vault.')
   rootCertObjectName: string
 }?
+
+type aadProfileType = {
+  @description('Optional. The client AAD application ID.')
+  aadProfileClientAppID: string?
+
+  @description('Optional. The server AAD application ID.')
+  aadProfileServerAppID: string?
+
+  @description('Optional. The server AAD application secret.')
+  aadProfileServerAppSecret: string?
+
+  @description('Required. Specifies whether to enable managed AAD integration.')
+  aadProfileManaged: bool
+
+  @description('Required. Specifies whether to enable Azure RBAC for Kubernetes authorization.')
+  aadProfileEnableAzureRBAC: bool
+
+  @description('Optional. Specifies the AAD group object IDs that will have admin role of the cluster.')
+  aadProfileAdminGroupObjectIDs: string[]?
+
+  @description('Optional. Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication.')
+  aadProfileTenantId: string?
+}?
diff --git a/avm/res/container-service/managed-cluster/main.json b/avm/res/container-service/managed-cluster/main.json
index 3f20739576..d6ea3b92b7 100644
--- a/avm/res/container-service/managed-cluster/main.json
+++ b/avm/res/container-service/managed-cluster/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.31.34.60546",
-      "templateHash": "178765084464759811"
+      "version": "0.31.92.45157",
+      "templateHash": "10108574510278935914"
     },
     "name": "Azure Kubernetes Service (AKS) Managed Clusters",
     "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",
@@ -745,6 +745,62 @@
         }
       },
       "nullable": true
+    },
+    "aadProfileType": {
+      "type": "object",
+      "properties": {
+        "aadProfileClientAppID": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The client AAD application ID."
+          }
+        },
+        "aadProfileServerAppID": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The server AAD application ID."
+          }
+        },
+        "aadProfileServerAppSecret": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The server AAD application secret."
+          }
+        },
+        "aadProfileManaged": {
+          "type": "bool",
+          "metadata": {
+            "description": "Required. Specifies whether to enable managed AAD integration."
+          }
+        },
+        "aadProfileEnableAzureRBAC": {
+          "type": "bool",
+          "metadata": {
+            "description": "Required. Specifies whether to enable Azure RBAC for Kubernetes authorization."
+          }
+        },
+        "aadProfileAdminGroupObjectIDs": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specifies the AAD group object IDs that will have admin role of the cluster."
+          }
+        },
+        "aadProfileTenantId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication."
+          }
+        }
+      },
+      "nullable": true
     }
   },
   "parameters": {
@@ -926,56 +982,18 @@
         "description": "Optional. Specifies the SSH RSA public key string for the Linux nodes."
       }
     },
-    "aksServicePrincipalProfile": {
-      "type": "object",
+    "aadProfile": {
+      "$ref": "#/definitions/aadProfileType",
       "nullable": true,
       "metadata": {
-        "description": "Conditional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster."
+        "description": "Optional. Enable Azure Active Directory integration."
       }
     },
-    "aadProfileClientAppID": {
-      "type": "string",
-      "nullable": true,
-      "metadata": {
-        "description": "Optional. The client AAD application ID."
-      }
-    },
-    "aadProfileServerAppID": {
-      "type": "string",
-      "nullable": true,
-      "metadata": {
-        "description": "Optional. The server AAD application ID."
-      }
-    },
-    "aadProfileServerAppSecret": {
-      "type": "string",
-      "nullable": true,
-      "metadata": {
-        "description": "Optional. The server AAD application secret."
-      }
-    },
-    "aadProfileTenantId": {
-      "type": "string",
-      "defaultValue": "[subscription().tenantId]",
-      "metadata": {
-        "description": "Optional. Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication."
-      }
-    },
-    "aadProfileAdminGroupObjectIDs": {
-      "type": "array",
-      "items": {
-        "type": "string"
-      },
+    "aksServicePrincipalProfile": {
+      "type": "object",
       "nullable": true,
       "metadata": {
-        "description": "Optional. Specifies the AAD group object IDs that will have admin role of the cluster."
-      }
-    },
-    "aadProfileManaged": {
-      "type": "bool",
-      "defaultValue": true,
-      "metadata": {
-        "description": "Optional. Specifies whether to enable managed AAD integration."
+        "description": "Conditional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster."
       }
     },
     "enableRBAC": {
@@ -985,13 +1003,6 @@
         "description": "Optional. Whether to enable Kubernetes Role-Based Access Control."
       }
     },
-    "aadProfileEnableAzureRBAC": {
-      "type": "bool",
-      "defaultValue": "[parameters('enableRBAC')]",
-      "metadata": {
-        "description": "Optional. Specifies whether to enable Azure RBAC for Kubernetes authorization."
-      }
-    },
     "disableLocalAccounts": {
       "type": "bool",
       "defaultValue": true,
@@ -1678,7 +1689,10 @@
       "apiVersion": "2023-02-01",
       "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]",
       "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]",
-      "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]"
+      "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]",
+      "dependsOn": [
+        "cMKKeyVault"
+      ]
     },
     "avmTelemetry": {
       "condition": "[parameters('enableTelemetry')]",
@@ -1803,15 +1817,7 @@
           }
         },
         "publicNetworkAccess": "[parameters('publicNetworkAccess')]",
-        "aadProfile": {
-          "clientAppID": "[parameters('aadProfileClientAppID')]",
-          "serverAppID": "[parameters('aadProfileServerAppID')]",
-          "serverAppSecret": "[parameters('aadProfileServerAppSecret')]",
-          "managed": "[parameters('aadProfileManaged')]",
-          "enableAzureRBAC": "[parameters('aadProfileEnableAzureRBAC')]",
-          "adminGroupObjectIDs": "[parameters('aadProfileAdminGroupObjectIDs')]",
-          "tenantID": "[parameters('aadProfileTenantId')]"
-        },
+        "aadProfile": "[if(not(empty(parameters('aadProfile'))), createObject('clientAppID', tryGet(parameters('aadProfile'), 'aadProfileClientAppID'), 'serverAppID', tryGet(parameters('aadProfile'), 'aadProfileServerAppID'), 'serverAppSecret', tryGet(parameters('aadProfile'), 'aadProfileServerAppSecret'), 'managed', tryGet(parameters('aadProfile'), 'aadProfileManaged'), 'enableAzureRBAC', tryGet(parameters('aadProfile'), 'aadProfileEnableAzureRBAC'), 'adminGroupObjectIDs', tryGet(parameters('aadProfile'), 'aadProfileAdminGroupObjectIDs'), 'tenantID', tryGet(parameters('aadProfile'), 'aadProfileTenantId')), null())]",
         "autoScalerProfile": {
           "balance-similar-node-groups": "[toLower(string(parameters('autoScalerProfileBalanceSimilarNodeGroups')))]",
           "expander": "[parameters('autoScalerProfileExpander')]",
@@ -2005,8 +2011,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.31.34.60546",
-              "templateHash": "3191846535289543816"
+              "version": "0.31.92.45157",
+              "templateHash": "17300977997310482979"
             },
             "name": "Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations",
             "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations.",
@@ -2202,8 +2208,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.31.34.60546",
-              "templateHash": "13504241837980660061"
+              "version": "0.31.92.45157",
+              "templateHash": "10548754747426289718"
             },
             "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools",
             "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.",
@@ -2552,7 +2558,10 @@
                 "vmSize": "[parameters('vmSize')]",
                 "vnetSubnetID": "[parameters('vnetSubnetResourceId')]",
                 "workloadRuntime": "[parameters('workloadRuntime')]"
-              }
+              },
+              "dependsOn": [
+                "managedCluster"
+              ]
             }
           },
           "outputs": {
diff --git a/avm/res/container-service/managed-cluster/maintenance-configurations/main.json b/avm/res/container-service/managed-cluster/maintenance-configurations/main.json
index 64b5e4c229..0ce7a6ebea 100644
--- a/avm/res/container-service/managed-cluster/maintenance-configurations/main.json
+++ b/avm/res/container-service/managed-cluster/maintenance-configurations/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.31.34.60546",
-      "templateHash": "3191846535289543816"
+      "version": "0.31.92.45157",
+      "templateHash": "17300977997310482979"
     },
     "name": "Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations",
     "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations.",
diff --git a/avm/res/container-service/managed-cluster/tests/e2e/automatic/main.test.bicep b/avm/res/container-service/managed-cluster/tests/e2e/automatic/main.test.bicep
index 1e45f1c1bf..ae07f983d5 100644
--- a/avm/res/container-service/managed-cluster/tests/e2e/automatic/main.test.bicep
+++ b/avm/res/container-service/managed-cluster/tests/e2e/automatic/main.test.bicep
@@ -45,6 +45,10 @@ module testDeployment '../../../main.bicep' = [
       enableSecretRotation: true
       kedaAddon: true
       kubernetesVersion: '1.28'
+      aadProfile: {
+        aadProfileEnableAzureRBAC: true
+        aadProfileManaged: true
+      }
       maintenanceConfigurations: [
         {
           name: 'aksManagedAutoUpgradeSchedule'
diff --git a/avm/res/container-service/managed-cluster/tests/e2e/azure/main.test.bicep b/avm/res/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
index d21dfdcb2d..2661197b64 100644
--- a/avm/res/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
+++ b/avm/res/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
@@ -76,6 +76,10 @@ module testDeployment '../../../main.bicep' = [
     params: {
       location: resourceLocation
       name: '${namePrefix}${serviceShort}001'
+      aadProfile: {
+        aadProfileEnableAzureRBAC: true
+        aadProfileManaged: true
+      }
       primaryAgentPoolProfiles: [
         {
           availabilityZones: [
diff --git a/avm/res/container-service/managed-cluster/tests/e2e/defaults/main.test.bicep b/avm/res/container-service/managed-cluster/tests/e2e/defaults/main.test.bicep
index 48b0faca8c..e102cf788a 100644
--- a/avm/res/container-service/managed-cluster/tests/e2e/defaults/main.test.bicep
+++ b/avm/res/container-service/managed-cluster/tests/e2e/defaults/main.test.bicep
@@ -50,6 +50,10 @@ module testDeployment '../../../main.bicep' = [
           mode: 'System'
         }
       ]
+      aadProfile: {
+        aadProfileEnableAzureRBAC: true
+        aadProfileManaged: true
+      }
     }
   }
 ]
diff --git a/avm/res/container-service/managed-cluster/tests/e2e/istio/main.test.bicep b/avm/res/container-service/managed-cluster/tests/e2e/istio/main.test.bicep
index 9753edb426..b84fd45cf9 100644
--- a/avm/res/container-service/managed-cluster/tests/e2e/istio/main.test.bicep
+++ b/avm/res/container-service/managed-cluster/tests/e2e/istio/main.test.bicep
@@ -52,6 +52,10 @@ module testDeployment '../../../main.bicep' = [
     params: {
       name: '${namePrefix}${serviceShort}001'
       location: resourceLocation
+      aadProfile: {
+        aadProfileEnableAzureRBAC: true
+        aadProfileManaged: true
+      }
       managedIdentities: {
         systemAssigned: true
       }
diff --git a/avm/res/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep b/avm/res/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep
index 03235dc22b..2c7ab3d445 100644
--- a/avm/res/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep
+++ b/avm/res/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep
@@ -177,6 +177,10 @@ module testDeployment '../../../main.bicep' = [
         Environment: 'Non-Prod'
         Role: 'DeploymentValidation'
       }
+      aadProfile: {
+        aadProfileEnableAzureRBAC: true
+        aadProfileManaged: true
+      }
     }
     dependsOn: [
       nestedDependencies
diff --git a/avm/res/container-service/managed-cluster/tests/e2e/non-aad-cluster/main.test.bicep b/avm/res/container-service/managed-cluster/tests/e2e/non-aad-cluster/main.test.bicep
new file mode 100644
index 0000000000..8ff8dea9d2
--- /dev/null
+++ b/avm/res/container-service/managed-cluster/tests/e2e/non-aad-cluster/main.test.bicep
@@ -0,0 +1,57 @@
+targetScope = 'subscription'
+
+metadata name = 'Deploying Non-AAD Cluster'
+metadata description = 'This instance deploys the module with a non-AAD integrated cluster.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-containerservice.managedclusters-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'csnonaad'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+  name: resourceGroupName
+  location: resourceLocation
+}
+
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+  for iteration in ['init', 'idem']: {
+    scope: resourceGroup
+    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    params: {
+      name: '${namePrefix}${serviceShort}001'
+      location: resourceLocation
+      managedIdentities: {
+        systemAssigned: true
+      }
+      primaryAgentPoolProfiles: [
+        {
+          name: 'systempool'
+          count: 3
+          vmSize: 'Standard_DS2_v2'
+          mode: 'System'
+        }
+      ]
+      aadProfile: null
+      disableLocalAccounts: false
+    }
+  }
+]
diff --git a/avm/res/container-service/managed-cluster/tests/e2e/priv/main.test.bicep b/avm/res/container-service/managed-cluster/tests/e2e/priv/main.test.bicep
index 555258a93b..4ec0952e53 100644
--- a/avm/res/container-service/managed-cluster/tests/e2e/priv/main.test.bicep
+++ b/avm/res/container-service/managed-cluster/tests/e2e/priv/main.test.bicep
@@ -55,6 +55,10 @@ module testDeployment '../../../main.bicep' = [
       name: '${namePrefix}${serviceShort}001'
       location: resourceLocation
       enablePrivateCluster: true
+      aadProfile: {
+        aadProfileEnableAzureRBAC: true
+        aadProfileManaged: true
+      }
       primaryAgentPoolProfiles: [
         {
           availabilityZones: [
diff --git a/avm/res/container-service/managed-cluster/tests/e2e/waf-aligned/main.test.bicep b/avm/res/container-service/managed-cluster/tests/e2e/waf-aligned/main.test.bicep
index 4b88dc1c87..91dc51b876 100644
--- a/avm/res/container-service/managed-cluster/tests/e2e/waf-aligned/main.test.bicep
+++ b/avm/res/container-service/managed-cluster/tests/e2e/waf-aligned/main.test.bicep
@@ -220,6 +220,10 @@ module testDeployment '../../../main.bicep' = [
         Environment: 'Non-Prod'
         Role: 'DeploymentValidation'
       }
+      aadProfile: {
+        aadProfileEnableAzureRBAC: true
+        aadProfileManaged: true
+      }
     }
     dependsOn: [
       nestedDependencies