Enable RBAC without AAD

azurerm/resource_arm_kubernetes_cluster.go

@@ -315,12 +315,17 @@ func resourceArmKubernetesCluster() *schema.Resource {
 				Type:     schema.TypeList,
 				Optional: true,
 				ForceNew: true,
-				MaxItems: 1,
+				MaxItems: 2,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
+						"enabled": {
+							Type:     schema.TypeBool,
+							Required: true,
+							ForceNew: true,
+						},
 						"azure_active_directory": {
 							Type:     schema.TypeList,
-							Required: true,
+							Optional: true,
 							ForceNew: true,
 							MaxItems: 1,
 							Elem: &schema.Resource{
@@ -450,8 +455,8 @@ func resourceArmKubernetesClusterCreateUpdate(d *schema.ResourceData, meta inter
 	}
 
 	rbacRaw := d.Get("role_based_access_control").([]interface{})
-	azureADProfile := expandKubernetesClusterRoleBasedAccessControl(rbacRaw, tenantId)
-	roleBasedAccessControlEnabled := azureADProfile != nil
+	roleBasedAccessControlEnabled, azureADProfile := expandKubernetesClusterRoleBasedAccessControl(rbacRaw, tenantId)
+	//roleBasedAccessControlEnabled := azureADProfile != nil
 
 	parameters := containerservice.ManagedCluster{
 		Name:     &name,
@@ -552,7 +557,7 @@ func resourceArmKubernetesClusterRead(d *schema.ResourceData, meta interface{})
 			return fmt.Errorf("Error setting `network_profile`: %+v", err)
 		}
 
-		roleBasedAccessControl := flattenKubernetesClusterRoleBasedAccessControl(props.AadProfile, d)
+		roleBasedAccessControl := flattenKubernetesClusterRoleBasedAccessControl(props.EnableRBAC, props.AadProfile, d)
 		if err := d.Set("role_based_access_control", roleBasedAccessControl); err != nil {
 			return fmt.Errorf("Error setting `role_based_access_control`: %+v", err)
 		}
@@ -914,14 +919,18 @@ func flattenKubernetesClusterNetworkProfile(profile *containerservice.NetworkPro
 	return []interface{}{values}
 }
 
-func expandKubernetesClusterRoleBasedAccessControl(input []interface{}, providerTenantId string) *containerservice.ManagedClusterAADProfile {
+func expandKubernetesClusterRoleBasedAccessControl(input []interface{}, providerTenantId string) (bool, *containerservice.ManagedClusterAADProfile) {
 	if len(input) == 0 {
-		return nil
+		return false, nil
 	}
 
 	val := input[0].(map[string]interface{})
-
+	enabled := val["enabled"].(bool)
 	azureADsRaw := val["azure_active_directory"].([]interface{})
+	if len(azureADsRaw) == 0 {
+		return enabled, nil
+	}
+
 	azureAdRaw := azureADsRaw[0].(map[string]interface{})
 
 	clientAppId := azureAdRaw["client_app_id"].(string)
@@ -933,17 +942,21 @@ func expandKubernetesClusterRoleBasedAccessControl(input []interface{}, provider
 		tenantId = providerTenantId
 	}
 
-	return &containerservice.ManagedClusterAADProfile{
+	return enabled, &containerservice.ManagedClusterAADProfile{
 		ClientAppID:     utils.String(clientAppId),
 		ServerAppID:     utils.String(serverAppId),
 		ServerAppSecret: utils.String(serverAppSecret),
 		TenantID:        utils.String(tenantId),
 	}
 }
 
-func flattenKubernetesClusterRoleBasedAccessControl(input *containerservice.ManagedClusterAADProfile, d *schema.ResourceData) []interface{} {
+func flattenKubernetesClusterRoleBasedAccessControl(enabledRBAC *bool, input *containerservice.ManagedClusterAADProfile, d *schema.ResourceData) []interface{} {
 	if input == nil {
-		return []interface{}{}
+		return []interface{}{
+			map[string]interface{}{
+				"enabled": *enabledRBAC,
+			},
+		}
 	}
 
 	profile := make(map[string]interface{})
@@ -978,6 +991,7 @@ func flattenKubernetesClusterRoleBasedAccessControl(input *containerservice.Mana
 
 	return []interface{}{
 		map[string]interface{}{
+			"enabled": *enabledRBAC,
 			"azure_active_directory": []interface{}{
 				profile,
 			},

azurerm/resource_arm_kubernetes_cluster_test.go

@@ -122,6 +122,7 @@ func TestAccAzureRMKubernetesCluster_roleBasedAccessControl(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMKubernetesClusterExists(resourceName),
 					resource.TestCheckResourceAttr(resourceName, "role_based_access_control.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "role_based_access_control.0.enabled", "true"),
 					resource.TestCheckResourceAttr(resourceName, "role_based_access_control.0.azure_active_directory.#", "1"),
 					resource.TestCheckResourceAttrSet(resourceName, "role_based_access_control.0.azure_active_directory.0.client_app_id"),
 					resource.TestCheckResourceAttrSet(resourceName, "role_based_access_control.0.azure_active_directory.0.server_app_id"),
@@ -596,6 +597,7 @@ resource "azurerm_kubernetes_cluster" "test" {
   }
 
   role_based_access_control {
+		enabled=true
     azure_active_directory {
       server_app_id     = "%s"
       server_app_secret = "%s"

examples/kubernetes/role-based-access-control/main.tf

@@ -23,6 +23,7 @@ resource "azurerm_kubernetes_cluster" "test" {
   }
 
   role_based_access_control {
+    enabled = true
     azure_active_directory {
       # NOTE: in a Production environment these should be different values
       # but for the purposes of this example, this should be sufficient

website/docs/r/kubernetes_cluster.html.markdown

@@ -167,7 +167,9 @@ A `oms_agent` block supports the following:
 
 A `role_based_access_control` block supports the following:
 
-* `azure_active_directory` - (Required) An `azure_active_directory` block. Changing this forces a new resource to be created.
+* `enabled` - (Required) Is RBAC enabled?. Changing this forces a new resource to be created.
+
+* `azure_active_directory` - (Optional) An `azure_active_directory` block. Changing this forces a new resource to be created.
 
 ---