Azure RBAC feature toggle for AKS #10441

Merged
merged 6 commits into from
Apr 28, 2021

aristosvo
Collaborator

@aristosvo aristosvo commented Feb 2, 2021

Fixes #8535

Acceptance Tests

  • Existing RBAC tests succeed:
--- PASS: TestAccKubernetesCluster_roleBasedAccessControl (584.95s)
--- PASS: TestAccKubernetesCluster_roleBasedAccessControlAADManaged (613.16s)
--- PASS: TestAccKubernetesCluster_roleBasedAccessControlAAD (668.37s)
--- PASS: TestAccKubernetesCluster_roleBasedAccessControlAADUpdateToManaged (754.84s)
--- PASS: TestAccKubernetesCluster_roleBasedAccessControlAADManagedChange (881.14s)
PASS
  • Specific test is passing after enabling Preview Feature
# Test fails without registering for the Preview Feature
❯ TF_ACC=1 go test -v ./azurerm/internal/services/containers/ -run=TestAccKubernetesCluster_roleBasedAccessControlAzure -timeout 180m -ldflags="-X=github.com/terraform-providers/terraform-provider-azurerm/version.ProviderVersion=acc"
=== RUN   TestAccKubernetesCluster_roleBasedAccessControlAzure
=== PAUSE TestAccKubernetesCluster_roleBasedAccessControlAzure
=== CONT  TestAccKubernetesCluster_roleBasedAccessControlAzure
    testing.go:684: Step 0 error: errors during apply:
        
        Error: creating Managed Kubernetes Cluster "acctestaks210202221714650343" (Resource Group "acctestRG-aks-210202221714650343"): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="aadProfile.enableAzureRBAC requires Microsoft.ContainerService/EnableAzureRBACPreview feature flag."
   
--- FAIL: TestAccKubernetesCluster_roleBasedAccessControlAzure (79.42s)
❯ az feature register --namespace "Microsoft.ContainerService" --name "EnableAzureRBACPreview"
❯ az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableAzureRBACPreview')].{Name:name,State:properties.state}"

# Wait until "Registered"
❯ az provider register --namespace Microsoft.ContainerService
❯ TF_ACC=1 go test -v ./azurerm/internal/services/containers/ -run=TestAccKubernetesCluster_roleBasedAccessControlAzure -timeout 180m -ldflags="-X=github.com/terraform-providers/terraform-provider-azurerm/version.ProviderVersion=acc"
=== RUN   TestAccKubernetesCluster_roleBasedAccessControlAzure
=== PAUSE TestAccKubernetesCluster_roleBasedAccessControlAzure
=== CONT  TestAccKubernetesCluster_roleBasedAccessControlAzure
--- PASS: TestAccKubernetesCluster_roleBasedAccessControlAzure (615.32s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/containers      616.643s
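
The register-then-wait sequence from the comment above, as an added example that is not part of the pull request or the provider's code. It polls with `az feature show` instead of the `az feature list` query; the function names, attempt limit and poll interval are assumptions.

```shell
#!/usr/bin/env bash
# Added example: block until a preview feature flag is "Registered", then
# refresh the resource provider registration so the flag takes effect.
# NAMESPACE and FEATURE are the values quoted in the PR description; the
# function names, attempt limit and interval are assumptions of this sketch.

NAMESPACE="Microsoft.ContainerService"
FEATURE="EnableAzureRBACPreview"

# Print the current registration state of the feature flag.
feature_state() {
  az feature show --namespace "$NAMESPACE" --name "$FEATURE" \
    --query "properties.state" -o tsv
}

# Poll until the flag is Registered.
# Returns 0 when registered, 1 on timeout, 2 on a CLI error or a state
# that will never progress to Registered (for example Unregistered).
wait_for_feature() {
  local max_attempts="${1:-60}" interval="${2:-30}" attempt=1 state
  while [ "$attempt" -le "$max_attempts" ]; do
    state="$(feature_state)" || return 2
    case "$state" in
      Registered) return 0 ;;
      NotRegistered|Pending|Registering) sleep "$interval" ;;
      *) echo "unexpected feature state: $state" >&2; return 2 ;;
    esac
    attempt=$((attempt + 1))
  done
  return 1
}

# Full sequence: request the flag, wait for it, re-register the provider.
enable_preview_feature() {
  az feature register --namespace "$NAMESPACE" --name "$FEATURE" \
    >/dev/null || return 2
  wait_for_feature "$@" || return $?
  az provider register --namespace "$NAMESPACE"
}

# Run only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  enable_preview_feature
fi
```

Failing fast on a timeout or an unexpected state keeps a CI job from starting the acceptance test against a subscription where the `400 BadRequest` shown above is guaranteed.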

@ghost ghost added the size/M label Feb 2, 2021
Aris van Ommeren added 2 commits February 2, 2021 22:25
@ghost ghost added the documentation label Feb 2, 2021
@aristosvo
Collaborator Author

@tombuildsstuff Is there a reason we don't want to merge this one?

Collaborator

@katbyte katbyte left a comment

Thanks @aristosvo - aside from one comment this looks good

@aristosvo aristosvo requested a review from katbyte April 20, 2021 22:23
Collaborator

@katbyte katbyte left a comment

Thanks @aristosvo - LGTM 👍

@katbyte katbyte added this to the v2.57.0 milestone Apr 28, 2021
@ghost ghost added size/L and removed size/M labels Apr 28, 2021
@ghost ghost added size/M and removed size/L labels Apr 28, 2021
@katbyte katbyte merged commit c378d95 into hashicorp:master Apr 28, 2021
katbyte added a commit that referenced this pull request Apr 28, 2021
alvintang pushed a commit to alvintang/terraform-provider-azurerm that referenced this pull request Apr 29, 2021
@ghost

ghost commented Apr 30, 2021

This has been released in version 2.57.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.57.0"
}
# ... other configuration ...

@harripaalanen

Azure RBAC is now GA (Azure/AKS#1786). If I set azure_rbac_enabled=true is it able to update the existing AKS resource or is new resource creation forced?

@aristosvo aristosvo deleted the azure_rbac_enabled-for-AKS branch May 25, 2021 10:29
@aristosvo
Collaborator Author

Azure RBAC is now GA (Azure/AKS#1786). If I set azure_rbac_enabled=true is it able to update the existing AKS resource or is new resource creation forced?

New resource creation is forced currently. Based on the docs, this should be updated, as after GA this is not necessary anymore.

@aristosvo
Collaborator Author

@harripaalanen FYI I checked whether I could loosen up that requirement, but it requires a Preview feature to be enabled:

updating Managed Kubernetes Cluster "acctestaks210526225032917802" (Resource Group "acctestRG-aks-210526225032917802"): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=0 
--
Original Error: Code="BadRequest" Message="aadProfile.enableAzureRBAC requires Microsoft.ContainerService/UpdateAzureRBACPreview feature flag."

For the time being I won't change it, and I'll keep an eye on it in the meantime.

@harripaalanen

@aristosvo I think they fixed it. It shouldn't require the preview feature anymore.

@aristosvo
Collaborator Author

@harripaalanen Fixed in #12029

@github-actions

github-actions bot commented Jul 2, 2021

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 2, 2021
Successfully merging this pull request may close these issues.

Support for AAD based RBAC on Azure Kubernetes