feat: add new field federation_id to castai_aks_cluster resource (#621)

* aks_cluster support federation_id

* test federation_id on the same onboarding for faster execution

* use new sub

* generate sdk

* fix env var names

* fix order of steps so that federation_id tested explicitly before being starting NC tests

* datasource azure subnet for node config

* requires explicitly provide empty feature to azurerm provider

* fix node config resource name

* re generate sdk

* format code

* re-generate sdk

---------

Co-authored-by: Furkhat Kasymov Genii Uulu <furkhat@cast.ai>

Author: furkhat

.github/workflows/acceptance-tests.yml

@@ -66,5 +66,8 @@ jobs:
           SSO_CLIENT_SECRET: ${{ secrets.SSO_CLIENT_SECRET }}
           SSO_DOMAIN: ${{ secrets.SSO_DOMAIN }}
           ACCEPTANCE_TEST_ORGANIZATION_ID: ${{ vars.TF_ACCEPTANCE_TEST_ORGANIZATION_ID }}
+          AZURE_TF_ACCEPTANCE_TEST_FEDERATION_ID: ${{ secrets.AZURE_TF_ACCEPTANCE_TEST_FEDERATION_ID }}
+          AZURE_TF_ACCEPTANCE_TEST_FEDERATION_TENANT_ID: ${{ secrets.AZURE_TF_ACCEPTANCE_TEST_ARM_TENANT_ID_V2 }}
+          AZURE_TF_ACCEPTANCE_TEST_FEDERATION_CLIENT_ID: ${{ secrets.AZURE_TF_ACCEPTANCE_TEST_FEDERATION_CLIENT_ID }}
         run: make testacc-${{ matrix.cloud }}
 

castai/resource_aks_cluster.go

@@ -21,6 +21,7 @@ const (
 	FieldAKSClusterNodeResourceGroup = "node_resource_group"
 	FieldAKSClusterClientID          = "client_id"
 	FieldAKSClusterClientSecret      = "client_secret"
+	FieldAKSClusterFederationID      = "federation_id"
 	FieldAKSClusterTenantID          = "tenant_id"
 	FieldAKSHttpProxyConfig          = "http_proxy_config"
 	FieldAKSHttpProxyDestination     = "http_proxy"
@@ -84,10 +85,18 @@ func resourceAKSCluster() *schema.Resource {
 			},
 			FieldAKSClusterClientSecret: {
 				Type:             schema.TypeString,
-				Required:         true,
+				Optional:         true,
 				Sensitive:        true,
 				ValidateDiagFunc: validation.ToDiagFunc(validation.StringIsNotWhiteSpace),
 				Description:      "Azure AD application password that will be used by CAST AI.",
+				ExactlyOneOf:     []string{FieldAKSClusterClientSecret, FieldAKSClusterFederationID},
+			},
+			FieldAKSClusterFederationID: {
+				Type:             schema.TypeString,
+				Optional:         true,
+				ValidateDiagFunc: validation.ToDiagFunc(validation.StringIsNotWhiteSpace),
+				Description:      "Azure federation used by CAST AI for secretless auth via impersonation.",
+				ExactlyOneOf:     []string{FieldAKSClusterClientSecret, FieldAKSClusterFederationID},
 			},
 			FieldClusterToken: {
 				Type:        schema.TypeString,
@@ -256,13 +265,14 @@ func updateAKSClusterSettings(ctx context.Context, data *schema.ResourceData, cl
 	if !data.HasChanges(
 		FieldAKSClusterClientID,
 		FieldAKSClusterClientSecret,
-		FieldAKSClusterTenantID,
+		FieldAKSClusterFederationID,
 		FieldAKSClusterSubscriptionID,
-		FieldClusterCredentialsId,
+		FieldAKSClusterTenantID,
 		FieldAKSHttpProxyConfig,
 		FieldAKSHttpProxyDestination,
 		FieldAKSHttpsProxyDestination,
 		FieldAKSNoProxyDestinations,
+		FieldClusterCredentialsId,
 	) {
 		log.Printf("[INFO] Nothing to update in cluster setttings.")
 		return nil
@@ -275,9 +285,10 @@ func updateAKSClusterSettings(ctx context.Context, data *schema.ResourceData, cl
 	clientID := data.Get(FieldAKSClusterClientID).(string)
 	tenantID := data.Get(FieldAKSClusterTenantID).(string)
 	clientSecret := data.Get(FieldAKSClusterClientSecret).(string)
+	federationId := data.Get(FieldAKSClusterFederationID).(string)
 	subscriptionID := data.Get(FieldAKSClusterSubscriptionID).(string)
 
-	credentials, err := sdk.ToCloudCredentialsAzure(clientID, clientSecret, tenantID, subscriptionID)
+	credentials, err := sdk.ToCloudCredentialsAzure(clientID, clientSecret, federationId, tenantID, subscriptionID)
 	if err != nil {
 		return err
 	}

castai/resource_aks_cluster_test.go

@@ -440,6 +440,15 @@ func TestAccAKS_ResourceAKSCluster(t *testing.T) {
 					resource.TestCheckResourceAttrSet(clusterResourceName, "cluster_token"),
 				),
 			},
+			{
+				Config: testAccAKSWithFederationIDConfig(clusterName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(clusterResourceName, "name", clusterName),
+					resource.TestCheckResourceAttrSet(clusterResourceName, "credentials_id"),
+					resource.TestCheckResourceAttr(clusterResourceName, "region", "westeurope"),
+					resource.TestCheckResourceAttrSet(clusterResourceName, "cluster_token"),
+				),
+			},
 			{
 				Config: testAccAKSNodeConfigurationConfig(rName, clusterName, resourceGroupName),
 				Check: resource.ComposeTestCheckFunc(
@@ -510,3 +519,23 @@ resource "castai_aks_cluster" "test" {
 
 `, clusterName, subscriptionID, tenantID, clientID, clientSecret)
 }
+
+func testAccAKSWithFederationIDConfig(clusterName string) string {
+	subscriptionID := os.Getenv("ARM_SUBSCRIPTION_ID")
+	federationID := os.Getenv("AZURE_TF_ACCEPTANCE_TEST_FEDERATION_ID")
+	tenantID := os.Getenv("AZURE_TF_ACCEPTANCE_TEST_FEDERATION_TENANT_ID")
+	clientID := os.Getenv("AZURE_TF_ACCEPTANCE_TEST_FEDERATION_CLIENT_ID")
+
+	return fmt.Sprintf(`
+resource "castai_aks_cluster" "test" {
+  name = %[3]q
+
+  region              = "westeurope"
+  subscription_id     = %[1]q
+  tenant_id           = %[4]q
+  client_id           = %[5]q
+  federation_id       = %[2]q
+  node_resource_group = "%[3]s-ng"
+}
+`, subscriptionID, federationID, clusterName, tenantID, clientID)
+}

castai/resource_node_configuration_aks_test.go

@@ -5,7 +5,7 @@ import (
 )
 
 func testAccAKSNodeConfigurationConfig(rName, clusterName, resourceGroupName string) string {
-	return ConfigCompose(testAccAKSWithClientSecretConfig(clusterName), fmt.Sprintf(`
+	return ConfigCompose(testAccAKSWithFederationIDConfig(clusterName), fmt.Sprintf(`
 provider "azurerm" {
 	features {}		
 }
@@ -38,7 +38,7 @@ resource "castai_node_configuration_default" "test" {
 }
 
 func testAccAKSNodeConfigurationUpdated(rName, clusterName, resourceGroupName string) string {
-	return ConfigCompose(testAccAKSWithClientSecretConfig(clusterName), fmt.Sprintf(`
+	return ConfigCompose(testAccAKSWithFederationIDConfig(clusterName), fmt.Sprintf(`
 provider "azurerm" {
 	features {}		
 }