ppanyukov · September 15, 2021 12:22
diff --git a/data_cluster_identity_hack.tf b/data_cluster_identity_hack.tf
 # This is a hack to obtain azurerm_user_assigned_identity data item from
 # the cluster.identity object. 
 # 
 # The reason we need this is depending on the kind of identity (SystemAssigned, 
 # UserAssigned) we have different fields in that object. In particular if we
 # have UserAssigned identity, the value of principal_id will be empty, and
 # we need to assign roles to it like Network Contributor.
 # 
 # To use:
 #   # Grab the cluster data item
 #   data "azurerm_kubernetes_cluster" "cluster" {
 #     name                = var.cluster_name
 #     resource_group_name = var.cluster_resource_group_name
 #   }
 # 
 #   # Use the module
 #   module "data_cluster_identity" {
 #     source  = "./modules/data_cluster_identity"
 #     cluster = data.azurerm_kubernetes_cluster.cluster
 #   }
 # 
 #   # The module will return output fields, with principal_id and tenant_id
 #   # populated.
 #   # - type
 #   # - user_assigned_identity_id
 #   # - principal_id
 #   # - tenant_id
 # 
 terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=2.40.0"
    }
  }
 }

 variable "cluster" {
  type = object({
    identity = list(object({
      type                      = string
      user_assigned_identity_id = string
      principal_id              = string
      tenant_id                 = string
    }))
  })
  description = "(Required) Reference to the cluster."
 }

 locals {
  identity = var.cluster.identity[0]

  is_identity_user_assigned = lower(local.identity.type) == lower("UserAssigned")

  identity_principal_id = local.is_identity_user_assigned ? data.azurerm_user_assigned_identity.cluster[0].principal_id : local.identity.principal_id
  identity_tenant_id    = local.is_identity_user_assigned ? data.azurerm_user_assigned_identity.cluster[0].tenant_id : local.identity.tenant_id
 }

 data "azurerm_user_assigned_identity" "cluster" {
  count               = local.is_identity_user_assigned ? 1 : 0
  name                = element((split("/", local.identity.user_assigned_identity_id)), 8)
  resource_group_name = element((split("/", local.identity.user_assigned_identity_id)), 4)
 }

 output "type" {
  value = local.identity.type
 }

 output "user_assigned_identity_id" {
  value = local.identity.user_assigned_identity_id
 }

 output "principal_id" {
  value = local.identity_principal_id
 }

 output "tenant_id" {
  value = local.identity_tenant_id
 }
	# This is a hack to obtain azurerm_user_assigned_identity data item from
	# the cluster.identity object.
	#
	# The reason we need this is depending on the kind of identity (SystemAssigned,
	# UserAssigned) we have different fields in that object. In particular if we
	# have UserAssigned identity, the value of principal_id will be empty, and
	# we need to assign roles to it like Network Contributor.
	#
	# To use:
	# # Grab the cluster data item
	# data "azurerm_kubernetes_cluster" "cluster" {
	# name = var.cluster_name
	# resource_group_name = var.cluster_resource_group_name
	# }
	#
	# # Use the module
	# module "data_cluster_identity" {
	# source = "./modules/data_cluster_identity"
	# cluster = data.azurerm_kubernetes_cluster.cluster
	# }
	#
	# # The module will return output fields, with principal_id and tenant_id
	# # populated.
	# # - type
	# # - user_assigned_identity_id
	# # - principal_id
	# # - tenant_id
	#
	terraform {
	required_providers {
	azurerm = {
	source = "hashicorp/azurerm"
	version = ">=2.40.0"
	}
	}
	}

	variable "cluster" {
	type = object({
	identity = list(object({
	type = string
	user_assigned_identity_id = string
	principal_id = string
	tenant_id = string
	}))
	})
	description = "(Required) Reference to the cluster."
	}

	locals {
	identity = var.cluster.identity[0]

	is_identity_user_assigned = lower(local.identity.type) == lower("UserAssigned")

	identity_principal_id = local.is_identity_user_assigned ? data.azurerm_user_assigned_identity.cluster[0].principal_id : local.identity.principal_id
	identity_tenant_id = local.is_identity_user_assigned ? data.azurerm_user_assigned_identity.cluster[0].tenant_id : local.identity.tenant_id
	}

	data "azurerm_user_assigned_identity" "cluster" {
	count = local.is_identity_user_assigned ? 1 : 0
	name = element((split("/", local.identity.user_assigned_identity_id)), 8)
	resource_group_name = element((split("/", local.identity.user_assigned_identity_id)), 4)
	}

	output "type" {
	value = local.identity.type
	}

	output "user_assigned_identity_id" {
	value = local.identity.user_assigned_identity_id
	}

	output "principal_id" {
	value = local.identity_principal_id
	}

	output "tenant_id" {
	value = local.identity_tenant_id
	}