feat: azure rbac
johanneswuerbach committed Feb 7, 2024
1 parent 4d22048 commit 449e947
Showing 2 changed files with 16 additions and 13 deletions.
4 changes: 2 additions & 2 deletions modules/base/README.md
Expand Up @@ -36,12 +36,12 @@ Module that provides the reference architecture.
| [azuread_application.main](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
| [azuread_group.cluster_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
| [azuread_group_member.cluster_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member) | resource |
| [azuread_group_member.humanitec_cluster_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member) | resource |
| [azuread_service_principal.humanitec](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
| [azuread_service_principal_password.humanitec](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password) | resource |
| [azurerm_public_ip.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
| [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azurerm_role_assignment.humanitec_cluster_user_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.humanitec_cluster_admin_permissions](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.humanitec_cluster_user](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [helm_release.ingress_nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [humanitec_resource_definition.k8s_cluster_driver](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource |
| [humanitec_resource_definition.k8s_namespace](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource |
25 changes: 14 additions & 11 deletions modules/base/main.tf
@@ -1,7 +1,3 @@
locals {
aks_cluster_user_role_name = "Azure Kubernetes Service Cluster User Role"
}

data "azuread_service_principal" "aks" {
# The ID of the managed "Azure Kubernetes Service AAD Server" application
# https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
Expand Down Expand Up @@ -36,9 +32,13 @@ module "azure_aks" {
resource_group_name = azurerm_resource_group.main.name
automatic_channel_upgrade = "stable"

local_account_disabled = true
local_account_disabled = true

# Configure as "Azure AD authentication with Azure RBAC"
# https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac
rbac_aad_managed = true
role_based_access_control_enabled = true
rbac_aad_azure_rbac_enabled = true
rbac_aad_admin_group_object_ids = [
azuread_group.cluster_admins.id
]
Expand Down Expand Up @@ -71,13 +71,16 @@ resource "azuread_service_principal_password" "humanitec" {
service_principal_id = azuread_service_principal.humanitec.id
}

resource "azurerm_role_assignment" "humanitec_cluster_user_role" {
scope = azurerm_resource_group.main.id
role_definition_name = local.aks_cluster_user_role_name
# Required to fetch AKS credentials
resource "azurerm_role_assignment" "humanitec_cluster_user" {
scope = module.azure_aks.aks_id
role_definition_name = "Azure Kubernetes Service Cluster User Role"
principal_id = azuread_service_principal.humanitec.id
}

resource "azuread_group_member" "humanitec_cluster_admin" {
group_object_id = azuread_group.cluster_admins.id
member_object_id = azuread_service_principal.humanitec.id
# Admin permissions for the entire cluster
resource "azurerm_role_assignment" "humanitec_cluster_admin_permissions" {
scope = module.azure_aks.aks_id
role_definition_name = "Azure Kubernetes Service RBAC Cluster Admin"
principal_id = azuread_service_principal.humanitec.id
}
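Review bot: The new `humanitec_cluster_admin_permissions` assignment grants "Azure Kubernetes Service RBAC Cluster Admin" at the scope of the whole cluster (`module.azure_aks.aks_id`), and the only justification recorded is `# Admin permissions for the entire cluster`; since this is the broadest built-in AKS data-plane role, the comment should state why the Humanitec service principal needs cluster-wide admin rather than a narrower role, e.g. `# Humanitec creates namespaces and workloads across the cluster, so a namespace-scoped role is not sufficient; revisit if that changes` (adjust to the actual reason). Note that members of `azuread_group.cluster_admins` still receive admin access through `rbac_aad_admin_group_object_ids` in the earlier hunk, so the role assignment is the only thing standing between the service principal and cluster admin now that its group membership is removed. Both assignments reference `azuread_service_principal.humanitec`, which appears to be created in the same apply; role assignments for a just-created principal can fail on AAD replication lag, so consider adding `skip_service_principal_aad_check = true` to each `azurerm_role_assignment` if that has not already been handled outside this hunk.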
