feat: Support adding the managed identity to a security group

Also uses the new terraform module tools for validation with some fixes

Author: dploeger

README.md

@@ -25,13 +25,21 @@ All "System" mode pools must be able to reach all pods/subnets
 
 ## Requirements
 
-No requirements.
+The following requirements are needed by this module:
+
+- terraform (>=1.0.0)
+
+- azuread (>=2.41.0)
+
+- azurerm (>=3.63.0)
 
 ## Providers
 
 The following providers are used by this module:
 
-- azurerm
+- azuread (>=2.41.0)
+
+- azurerm (>=3.63.0)
 
 ## Modules
 
@@ -41,9 +49,11 @@ No modules.
 
 The following resources are used by this module:
 
+- [azuread_group_member.k8smember](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member) (resource)
 - [azurerm_kubernetes_cluster.k8s](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) (resource)
 - [azurerm_kubernetes_cluster_node_pool.additional](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster_node_pool) (resource)
 - [azurerm_public_ip.public-ip-outbound](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) (resource)
+- [azuread_group.ownersgroup](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) (data source)
 
 ## Required Inputs
 
@@ -125,6 +135,21 @@ Type: `string`
 
 The following input variables are optional (have default values):
 
+### add\_identity\_to\_group
+
+Description: The name of a group which is assigned to appropriate roles in the subscription to manage resources that are required by the AKS.  
+Setting this to a non empty string will add the AKS managed identity to this group.
+
+You need the following API permissions (with admin consent) on a service prinicpal to make this work:
+
+* Directory.Read.All
+* Group.Read.All
+* Group.ReadWrite.All
+
+Type: `string`
+
+Default: `""`
+
 ### availability\_zones
 
 Description: availability zones to spread the cluster nodes across, if omitted, only one avilability zone is used
@@ -258,53 +283,63 @@ The following outputs are exported:
 
 ### client\_certificate
 
-Description: n/a
+Description: The Kubernetes client certificate for a kubectl config
 
 ### client\_certificate\_admin
 
-Description: n/a
+Description: The Kubernetes client certificate for an admin access
 
 ### client\_key
 
-Description: n/a
+Description: The Kubernetes client private key for a kubectl config
 
 ### client\_key\_admin
 
-Description: n/a
+Description: The Kubernetes client private key for an admin access
 
 ### client\_token
 
-Description: n/a
+Description: A client token for accessing the Cluster using kubectl
 
 ### client\_token\_admin
 
-Description: n/a
+Description: A client token for accessing the Cluster using kubectl with an admin access
 
 ### cluster\_ca\_certificate
 
-Description: n/a
+Description: The Kubernetes cluster ca certificate for a kubectl config
 
 ### cluster\_id
 
-Description: n/a
+Description: The AKS cluster id
 
 ### cluster\_name
 
-Description: n/a
+Description: The AKS cluster name
 
 ### fqdn
 
-Description: n/a
+Description: The FQDN to the Kubernetes API server
 
 ### host
 
-Description: n/a
+Description: The Kubernetes API host for a kubectl config
+
+### managed\_identity\_object\_id
+
+Description: The object ID of the service principal of the managed identity of the AKS
 
 ### node\_resource\_group
 
-Description: n/a
+Description: The resource group the Kubernetes nodes were created in
 
 ### public\_outbound\_ips
 
-Description: n/a
-<!-- END_TF_DOCS -->
+Description: The outbound public IPs
+<!-- END_TF_DOCS -->
+
+## Development
+
+Use [the terraform module tools](https://github.com/dodevops/terraform-module-tools) to check and generate the documentation by running
+
+    docker run -v "$PWD":/terraform ghcr.io/dodevops/terraform-module-tools:latest

managed_identity.tf

@@ -0,0 +1,12 @@
+# Assign the k8s managed identity to a security group
+
+data "azuread_group" "ownersgroup" {
+  count        = var.add_identity_to_group == "" ? 0 : 1
+  display_name = var.add_identity_to_group
+}
+
+resource "azuread_group_member" "k8smember" {
+  count            = var.add_identity_to_group == "" ? 0 : 1
+  group_object_id  = data.azuread_group.ownersgroup[0].object_id
+  member_object_id = azurerm_kubernetes_cluster.k8s.identity[0].principal_id
+}

outputs.tf

@@ -1,51 +1,69 @@
 output "host" {
-  value = azurerm_kubernetes_cluster.k8s.kube_config[0].host
+  value       = azurerm_kubernetes_cluster.k8s.kube_config[0].host
+  description = "The Kubernetes API host for a kubectl config"
 }
 
 output "client_certificate" {
-  value = azurerm_kubernetes_cluster.k8s.kube_config[0].client_certificate
+  value       = azurerm_kubernetes_cluster.k8s.kube_config[0].client_certificate
+  description = "The Kubernetes client certificate for a kubectl config"
 }
 
 output "client_key" {
-  value = azurerm_kubernetes_cluster.k8s.kube_config[0].client_key
+  value       = azurerm_kubernetes_cluster.k8s.kube_config[0].client_key
+  description = "The Kubernetes client private key for a kubectl config"
 }
 
 output "cluster_ca_certificate" {
-  value = azurerm_kubernetes_cluster.k8s.kube_config[0].cluster_ca_certificate
+  value       = azurerm_kubernetes_cluster.k8s.kube_config[0].cluster_ca_certificate
+  description = "The Kubernetes cluster ca certificate for a kubectl config"
 }
 
 output "fqdn" {
-  value = azurerm_kubernetes_cluster.k8s.fqdn
+  value       = azurerm_kubernetes_cluster.k8s.fqdn
+  description = "The FQDN to the Kubernetes API server"
 }
 
 output "node_resource_group" {
-  value = azurerm_kubernetes_cluster.k8s.node_resource_group
+  value       = azurerm_kubernetes_cluster.k8s.node_resource_group
+  description = "The resource group the Kubernetes nodes were created in"
 }
 
 output "cluster_name" {
-  value = azurerm_kubernetes_cluster.k8s.name
+  value       = azurerm_kubernetes_cluster.k8s.name
+  description = "The AKS cluster name"
 }
 
 output "cluster_id" {
-  value = azurerm_kubernetes_cluster.k8s.id
+  value       = azurerm_kubernetes_cluster.k8s.id
+  description = "The AKS cluster id"
 }
 
 output "client_certificate_admin" {
-  value = length(azurerm_kubernetes_cluster.k8s.kube_admin_config) > 0 ? azurerm_kubernetes_cluster.k8s.kube_admin_config[0].client_certificate : azurerm_kubernetes_cluster.k8s.kube_config[0].client_certificate
+  value       = length(azurerm_kubernetes_cluster.k8s.kube_admin_config) > 0 ? azurerm_kubernetes_cluster.k8s.kube_admin_config[0].client_certificate : azurerm_kubernetes_cluster.k8s.kube_config[0].client_certificate
+  description = "The Kubernetes client certificate for an admin access"
 }
 
 output "client_key_admin" {
-  value = length(azurerm_kubernetes_cluster.k8s.kube_admin_config) > 0 ? azurerm_kubernetes_cluster.k8s.kube_admin_config[0].client_key : azurerm_kubernetes_cluster.k8s.kube_config[0].client_key
+  value       = length(azurerm_kubernetes_cluster.k8s.kube_admin_config) > 0 ? azurerm_kubernetes_cluster.k8s.kube_admin_config[0].client_key : azurerm_kubernetes_cluster.k8s.kube_config[0].client_key
+  description = "The Kubernetes client private key for an admin access"
 }
 
 output "client_token" {
-  value = azurerm_kubernetes_cluster.k8s.kube_config[0].password
+  value       = azurerm_kubernetes_cluster.k8s.kube_config[0].password
+  description = "A client token for accessing the Cluster using kubectl"
 }
 
 output "client_token_admin" {
-  value = length(azurerm_kubernetes_cluster.k8s.kube_admin_config) > 0 ? azurerm_kubernetes_cluster.k8s.kube_admin_config[0].password : ""
+  value       = length(azurerm_kubernetes_cluster.k8s.kube_admin_config) > 0 ? azurerm_kubernetes_cluster.k8s.kube_admin_config[0].password : ""
+  description = "A client token for accessing the Cluster using kubectl with an admin access"
 }
 
 output "public_outbound_ips" {
-  value = ["${azurerm_public_ip.public-ip-outbound.*.ip_address}"]
+  value       = [azurerm_public_ip.public-ip-outbound[*].ip_address]
+  description = "The outbound public IPs"
+}
+
+output "managed_identity_object_id" {
+  value       = azurerm_kubernetes_cluster.k8s.identity[0].principal_id
+  description = "The object ID of the service principal of the managed identity of the AKS"
 }

terraform.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_version = ">=1.0.0"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=3.63.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = ">=2.41.0"
+    }
+  }
+}

vars.tf

@@ -96,6 +96,7 @@ variable "node_pools" {
 }
 
 variable "load_balancer_sku" {
+  type        = string
   description = "The SKU for the used Load Balancer"
   default     = "basic"
 }
@@ -165,3 +166,18 @@ variable "api_server_ip_ranges" {
   type        = list(string)
   description = "The IP ranges to allow for incoming traffic to the server nodes. To disable the limitation, set an empty list as value."
 }
+
+variable "add_identity_to_group" {
+  type        = string
+  default     = ""
+  description = <<-EOF
+    The name of a group which is assigned to appropriate roles in the subscription to manage resources that are required by the AKS.
+    Setting this to a non empty string will add the AKS managed identity to this group.
+
+    You need the following API permissions (with admin consent) on a service prinicpal to make this work:
+
+    * Directory.Read.All
+    * Group.Read.All
+    * Group.ReadWrite.All
+  EOF
+}