diff --git a/internal/services/containers/kubernetes_cluster_data_source.go b/internal/services/containers/kubernetes_cluster_data_source.go index d00429ac2259..84c4f0fa1b73 100644 --- a/internal/services/containers/kubernetes_cluster_data_source.go +++ b/internal/services/containers/kubernetes_cluster_data_source.go @@ -688,15 +688,14 @@ func dataSourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{} return fmt.Errorf("retrieving %s: %+v", id, err) } - profileId := managedclusters.NewAccessProfileID(subscriptionId, d.Get("resource_group_name").(string), d.Get("name").(string), "clusterUser") - profile, err := client.GetAccessProfile(ctx, profileId) + credentials, err := client.ListClusterUserCredentials(ctx, id, managedclusters.ListClusterUserCredentialsOperationOptions{}) if err != nil { - return fmt.Errorf("retrieving Access Profile for %s: %+v", id, err) + return fmt.Errorf("retrieving User Credentials for %s: %+v", id, err) } - if profile.Model == nil { - return fmt.Errorf("retrieving Access Profile for %s: payload is empty", id) + if credentials.Model == nil { + return fmt.Errorf("retrieving User Credentials for %s: payload is empty", id) } - profileModel := profile.Model + credentialsModel := credentials.Model d.SetId(id.ID()) if model := resp.Model; model != nil { @@ -822,14 +821,13 @@ func dataSourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{} // adminProfile is only available for RBAC enabled clusters with AAD and without local accounts disabled if props.AadProfile != nil && (props.DisableLocalAccounts == nil || !*props.DisableLocalAccounts) { - profileId := managedclusters.NewAccessProfileID(subscriptionId, id.ResourceGroupName, id.ManagedClusterName, "clusterAdmin") - adminProfile, err := client.GetAccessProfile(ctx, profileId) + adminCredentials, err := client.ListClusterAdminCredentials(ctx, id, managedclusters.ListClusterAdminCredentialsOperationOptions{}) if err != nil { - return fmt.Errorf("retrieving Admin Access Profile for %s: %+v", id, err) + return fmt.Errorf("retrieving Admin Credentials for %s: %+v", id, err) } - if adminProfileModel := adminProfile.Model; adminProfileModel != nil { - adminKubeConfigRaw, adminKubeConfig := flattenKubernetesClusterAccessProfile(*adminProfileModel) + if adminCredentialModel := adminCredentials.Model; adminCredentialModel != nil { + adminKubeConfigRaw, adminKubeConfig := flattenKubernetesClusterCredentials(*adminCredentialModel, "clusterAdmin") d.Set("kube_admin_config_raw", adminKubeConfigRaw) if err := d.Set("kube_admin_config", adminKubeConfig); err != nil { return fmt.Errorf("setting `kube_admin_config`: %+v", err) @@ -850,7 +848,7 @@ func dataSourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{} return fmt.Errorf("setting `identity`: %+v", err) } - kubeConfigRaw, kubeConfig := flattenKubernetesClusterDataSourceAccessProfile(*profileModel) + kubeConfigRaw, kubeConfig := flattenKubernetesClusterCredentials(*credentialsModel, "clusterUser") d.Set("kube_config_raw", kubeConfigRaw) if err := d.Set("kube_config", kubeConfig); err != nil { return fmt.Errorf("setting `kube_config`: %+v", err) @@ -926,36 +924,41 @@ func flattenKubernetesClusterDataSourceStorageProfile(input *managedclusters.Man return storageProfile } -func flattenKubernetesClusterDataSourceAccessProfile(profile managedclusters.ManagedClusterAccessProfile) (*string, []interface{}) { - if profile.Properties == nil { +func flattenKubernetesClusterCredentials(model managedclusters.CredentialResults, configName string) (*string, []interface{}) { + if model.Kubeconfigs == nil || len(*model.Kubeconfigs) < 1 { return nil, []interface{}{} } - if kubeConfigRaw := profile.Properties.KubeConfig; kubeConfigRaw != nil { - rawConfig := *kubeConfigRaw - if base64IsEncoded(*kubeConfigRaw) { - rawConfig = base64Decode(*kubeConfigRaw) + for _, c := range *model.Kubeconfigs { + if c.Name == nil || *c.Name != configName { + continue } + if kubeConfigRaw := c.Value; kubeConfigRaw != nil { + rawConfig := *kubeConfigRaw + if base64IsEncoded(*kubeConfigRaw) { + rawConfig = base64Decode(*kubeConfigRaw) + } - var flattenedKubeConfig []interface{} + var flattenedKubeConfig []interface{} - if strings.Contains(rawConfig, "apiserver-id:") || strings.Contains(rawConfig, "exec") { - kubeConfigAAD, err := kubernetes.ParseKubeConfigAAD(rawConfig) - if err != nil { - return utils.String(rawConfig), []interface{}{} - } + if strings.Contains(rawConfig, "apiserver-id:") || strings.Contains(rawConfig, "exec") { + kubeConfigAAD, err := kubernetes.ParseKubeConfigAAD(rawConfig) + if err != nil { + return utils.String(rawConfig), []interface{}{} + } - flattenedKubeConfig = flattenKubernetesClusterDataSourceKubeConfigAAD(*kubeConfigAAD) - } else { - kubeConfig, err := kubernetes.ParseKubeConfig(rawConfig) - if err != nil { - return utils.String(rawConfig), []interface{}{} + flattenedKubeConfig = flattenKubernetesClusterDataSourceKubeConfigAAD(*kubeConfigAAD) + } else { + kubeConfig, err := kubernetes.ParseKubeConfig(rawConfig) + if err != nil { + return utils.String(rawConfig), []interface{}{} + } + + flattenedKubeConfig = flattenKubernetesClusterDataSourceKubeConfig(*kubeConfig) } - flattenedKubeConfig = flattenKubernetesClusterDataSourceKubeConfig(*kubeConfig) + return utils.String(rawConfig), flattenedKubeConfig } - - return utils.String(rawConfig), flattenedKubeConfig } return nil, []interface{}{} diff --git a/internal/services/containers/kubernetes_cluster_resource.go b/internal/services/containers/kubernetes_cluster_resource.go index 6ec69221d02b..6e510b443e18 100644 --- a/internal/services/containers/kubernetes_cluster_resource.go +++ b/internal/services/containers/kubernetes_cluster_resource.go @@ -28,7 +28,6 @@ import ( "github.com/hashicorp/terraform-provider-azurerm/internal/clients" "github.com/hashicorp/terraform-provider-azurerm/internal/features" computeValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/compute/validate" - "github.com/hashicorp/terraform-provider-azurerm/internal/services/containers/kubernetes" "github.com/hashicorp/terraform-provider-azurerm/internal/services/containers/migration" containerValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/containers/validate" keyVaultClient "github.com/hashicorp/terraform-provider-azurerm/internal/services/keyvault/client" @@ -2145,10 +2144,12 @@ func resourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{}) return fmt.Errorf("retrieving %s: no payload delivered", *id) } - accessProfileId := managedclusters.NewAccessProfileID(id.SubscriptionId, id.ResourceGroupName, id.ManagedClusterName, "clusterUser") - profile, err := client.GetAccessProfile(ctx, accessProfileId) + credentials, err := client.ListClusterUserCredentials(ctx, *id, managedclusters.ListClusterUserCredentialsOperationOptions{}) if err != nil { - return fmt.Errorf("retrieving Access Profile for %s: %+v", *id, err) + return fmt.Errorf("retrieving User Credentials for %s: %+v", id, err) + } + if credentials.Model == nil { + return fmt.Errorf("retrieving User Credentials for %s: payload is empty", id) } d.Set("name", id.ManagedClusterName) @@ -2365,16 +2366,14 @@ func resourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{}) // adminProfile is only available for RBAC enabled clusters with AAD and local account is not disabled if props.AadProfile != nil && (props.DisableLocalAccounts == nil || !*props.DisableLocalAccounts) { - accessProfileId := managedclusters.NewAccessProfileID(id.SubscriptionId, id.ResourceGroupName, id.ManagedClusterName, "clusterAdmin") - adminProfile, err := client.GetAccessProfile(ctx, accessProfileId) + adminCredentials, err := client.ListClusterAdminCredentials(ctx, *id, managedclusters.ListClusterAdminCredentialsOperationOptions{}) if err != nil { - return fmt.Errorf("retrieving Admin Access Profile for Managed Kubernetes Cluster %q (Resource Group %q): %+v", id.ManagedClusterName, id.ResourceGroupName, err) + return fmt.Errorf("retrieving Admin Credentials for %s: %+v", id, err) } - - if adminProfile.Model == nil { - return fmt.Errorf("retrieving Admin Access Profile for Managed Kubernetes Cluster %q (Resource Group %q): no payload found", id.ManagedClusterName, id.ResourceGroupName) + if adminCredentials.Model == nil { + return fmt.Errorf("retrieving Admin Credentials for Managed Kubernetes Cluster %q (Resource Group %q): no payload found", id.ManagedClusterName, id.ResourceGroupName) } - adminKubeConfigRaw, adminKubeConfig := flattenKubernetesClusterAccessProfile(*adminProfile.Model) + adminKubeConfigRaw, adminKubeConfig := flattenKubernetesClusterCredentials(*adminCredentials.Model, "clusterAdmin") d.Set("kube_admin_config_raw", adminKubeConfigRaw) if err := d.Set("kube_admin_config", adminKubeConfig); err != nil { return fmt.Errorf("setting `kube_admin_config`: %+v", err) @@ -2394,7 +2393,7 @@ func resourceKubernetesClusterRead(d *pluginsdk.ResourceData, meta interface{}) return fmt.Errorf("setting `identity`: %+v", err) } - kubeConfigRaw, kubeConfig := flattenKubernetesClusterAccessProfile(*profile.Model) + kubeConfigRaw, kubeConfig := flattenKubernetesClusterCredentials(*credentials.Model, "clusterUser") d.Set("kube_config_raw", kubeConfigRaw) if err := d.Set("kube_config", kubeConfig); err != nil { return fmt.Errorf("setting `kube_config`: %+v", err) @@ -2443,37 +2442,6 @@ func resourceKubernetesClusterDelete(d *pluginsdk.ResourceData, meta interface{} return nil } -func flattenKubernetesClusterAccessProfile(profile managedclusters.ManagedClusterAccessProfile) (*string, []interface{}) { - if accessProfile := profile.Properties; accessProfile != nil { - if kubeConfigRaw := accessProfile.KubeConfig; kubeConfigRaw != nil { - rawConfig := *kubeConfigRaw - if base64IsEncoded(*kubeConfigRaw) { - rawConfig = base64Decode(*kubeConfigRaw) - } - var flattenedKubeConfig []interface{} - - if strings.Contains(rawConfig, "apiserver-id:") || strings.Contains(rawConfig, "exec") { - kubeConfigAAD, err := kubernetes.ParseKubeConfigAAD(rawConfig) - if err != nil { - return utils.String(rawConfig), []interface{}{} - } - - flattenedKubeConfig = flattenKubernetesClusterKubeConfigAAD(*kubeConfigAAD) - } else { - kubeConfig, err := kubernetes.ParseKubeConfig(rawConfig) - if err != nil { - return utils.String(rawConfig), []interface{}{} - } - - flattenedKubeConfig = flattenKubernetesClusterKubeConfig(*kubeConfig) - } - - return utils.String(rawConfig), flattenedKubeConfig - } - } - return nil, []interface{}{} -} - func expandKubernetesClusterLinuxProfile(input []interface{}) *managedclusters.ContainerServiceLinuxProfile { if len(input) == 0 { return nil @@ -3333,41 +3301,6 @@ func flattenAzureRmKubernetesClusterServicePrincipalProfile(profile *managedclus } } -func flattenKubernetesClusterKubeConfig(config kubernetes.KubeConfig) []interface{} { - // we don't size-check these since they're validated in the Parse method - cluster := config.Clusters[0].Cluster - user := config.Users[0].User - name := config.Users[0].Name - - return []interface{}{ - map[string]interface{}{ - "client_certificate": user.ClientCertificteData, - "client_key": user.ClientKeyData, - "cluster_ca_certificate": cluster.ClusterAuthorityData, - "host": cluster.Server, - "password": user.Token, - "username": name, - }, - } -} - -func flattenKubernetesClusterKubeConfigAAD(config kubernetes.KubeConfigAAD) []interface{} { - // we don't size-check these since they're validated in the Parse method - cluster := config.Clusters[0].Cluster - name := config.Users[0].Name - - return []interface{}{ - map[string]interface{}{ - "client_certificate": "", - "client_key": "", - "cluster_ca_certificate": cluster.ClusterAuthorityData, - "host": cluster.Server, - "password": "", - "username": name, - }, - } -} - func flattenKubernetesClusterAutoScalerProfile(profile *managedclusters.ManagedClusterPropertiesAutoScalerProfile) ([]interface{}, error) { if profile == nil { return []interface{}{}, nil