Add Azure AAD object schema

nebari-dev · Dec 16, 2024 · 404eea3 · 404eea3
1 parent b42a903
commit 404eea3
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 0 deletions.
diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
@@ -90,6 +90,27 @@ class AzureNodeGroupInputVars(schema.Base):
     max_nodes: int
 
 
+class AzureRBAC(schema.Base):
+    """
+    Represents the configuration for Azure Active Directory Role-Based Access Control
+    (RBAC) integration in a Kubernetes cluster.
+
+    Attributes:
+        enabled (bool): Indicates whether Azure AD-based Role-Based Access Control is
+        enabled.
+        managed (bool): Specifies if the Azure AD integration is managed by Azure.
+            When set to True, Azure creates and manages the Service Principal used for
+            integration.
+        admin_group_object_ids (List[str]): A list of Object IDs of Azure AD groups assigned
+            administrative roles on the cluster. This property is only applicable when
+            `managed` is set to True.
+    """
+
+    enabled: bool
+    managed: bool
+    admin_group_object_ids: List[str]
+
+
 class AzureInputVars(schema.Base):
     name: str
     environment: str
@@ -105,6 +126,7 @@ class AzureInputVars(schema.Base):
     max_pods: Optional[int] = None
     network_profile: Optional[Dict[str, str]] = None
     workload_identity_enabled: bool = False
+    azure_rbac: Optional[AzureRBAC] = None
 
 
 class AWSAmiTypes(str, enum.Enum):
@@ -370,6 +392,7 @@ class AzureProvider(schema.Base):
     network_profile: Optional[Dict[str, str]] = None
     max_pods: Optional[int] = None
     workload_identity_enabled: bool = False
+    azure_rbac: Optional[AzureRBAC] = None
 
     @model_validator(mode="before")
     @classmethod
@@ -809,6 +832,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
                 network_profile=self.config.azure.network_profile,
                 max_pods=self.config.azure.max_pods,
                 workload_identity_enabled=self.config.azure.workload_identity_enabled,
+                azure_rbac=self.config.azure.azure_rbac,
             ).model_dump()
         elif self.config.provider == schema.ProviderEnum.aws:
             return AWSInputVars(

diff --git a/src/_nebari/stages/infrastructure/template/azure/main.tf b/src/_nebari/stages/infrastructure/template/azure/main.tf
@@ -43,4 +43,5 @@ module "kubernetes" {
   vnet_subnet_id            = var.vnet_subnet_id
   private_cluster_enabled   = var.private_cluster_enabled
   workload_identity_enabled = var.workload_identity_enabled
+  azure_rbac                = var.azure_rbac
 }
diff --git a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf
@@ -1,3 +1,7 @@
+data "azure_client_config" "current" {
+  count = var.azure_rbac.enabled ? 1 : 0
+}
+
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster
 resource "azurerm_kubernetes_cluster" "main" {
   name                = var.name
@@ -61,6 +65,15 @@ resource "azurerm_kubernetes_cluster" "main" {
     ]
   }
 
+  dynamic "azure_active_directory_role_based_access_control" {
+    for_each = var.azure_rbac.enabled ? [var.azure_rbac] : []
+    content {
+      azure_rbac_enabled     = var.azure_rbac.azure_rbac_enabled
+      admin_group_object_ids = var.azure_rbac.admin_group_object_ids
+      tenant_id              = data.azure_client_config.current[0].tenant_id
+      managed                = var.azure_rbac.managed
+    }
+  }
 }
 
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster_node_pool

diff --git a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf
@@ -76,3 +76,17 @@ variable "workload_identity_enabled" {
   type        = bool
   default     = false
 }
+
+variable "azure_rbac" {
+  description = "Azure Active Directory Role-Based Access Control (RBAC) integration in a Kubernetes cluster"
+  type = object({
+    enabled : bool
+    managed : bool
+    admin_group_object_ids : list(string)
+  })
+  default = {
+    enabled : false
+    managed : false
+    admin_group_object_ids : []
+  }
+}
diff --git a/src/_nebari/stages/infrastructure/template/azure/variables.tf b/src/_nebari/stages/infrastructure/template/azure/variables.tf
@@ -82,3 +82,17 @@ variable "workload_identity_enabled" {
   type        = bool
   default     = false
 }
+
+variable "azure_rbac" {
+  description = "Azure Active Directory Role-Based Access Control (RBAC) integration in a Kubernetes cluster"
+  type = object({
+    enabled : bool
+    managed : bool
+    admin_group_object_ids : list(string)
+  })
+  default = {
+    enabled : false
+    managed : false
+    admin_group_object_ids : []
+  }
+}