aks_cluster support federation_id

Author: Furkhat Kasymov Genii Uulu

castai/provider_test.go

@@ -88,8 +88,8 @@ func testAccPreCheck(t *testing.T) {
 	})
 }
 
-// ConfigCompose can be called to concatenate multiple strings to build test configurations
-func ConfigCompose(config ...string) string {
+// concatenateConfigs can be called to concatenate multiple strings to build test configurations
+func concatenateConfigs(config ...string) string {
 	var str strings.Builder
 	for _, conf := range config {
 		str.WriteString(conf)

castai/resource_aks_cluster.go

@@ -21,6 +21,7 @@ const (
 	FieldAKSClusterNodeResourceGroup = "node_resource_group"
 	FieldAKSClusterClientID          = "client_id"
 	FieldAKSClusterClientSecret      = "client_secret"
+	FieldAKSClusterFederationID      = "federation_id"
 	FieldAKSClusterTenantID          = "tenant_id"
 	FieldAKSHttpProxyConfig          = "http_proxy_config"
 	FieldAKSHttpProxyDestination     = "http_proxy"
@@ -84,10 +85,18 @@ func resourceAKSCluster() *schema.Resource {
 			},
 			FieldAKSClusterClientSecret: {
 				Type:             schema.TypeString,
-				Required:         true,
+				Optional:         true,
 				Sensitive:        true,
 				ValidateDiagFunc: validation.ToDiagFunc(validation.StringIsNotWhiteSpace),
 				Description:      "Azure AD application password that will be used by CAST AI.",
+				ExactlyOneOf:     []string{FieldAKSClusterClientSecret, FieldAKSClusterFederationID},
+			},
+			FieldAKSClusterFederationID: {
+				Type:             schema.TypeString,
+				Optional:         true,
+				ValidateDiagFunc: validation.ToDiagFunc(validation.StringIsNotWhiteSpace),
+				Description:      "Azure federation used by CAST AI for secretless auth via impersonation.",
+				ExactlyOneOf:     []string{FieldAKSClusterClientSecret, FieldAKSClusterFederationID},
 			},
 			FieldClusterToken: {
 				Type:        schema.TypeString,
@@ -256,13 +265,14 @@ func updateAKSClusterSettings(ctx context.Context, data *schema.ResourceData, cl
 	if !data.HasChanges(
 		FieldAKSClusterClientID,
 		FieldAKSClusterClientSecret,
-		FieldAKSClusterTenantID,
+		FieldAKSClusterFederationID,
 		FieldAKSClusterSubscriptionID,
-		FieldClusterCredentialsId,
+		FieldAKSClusterTenantID,
 		FieldAKSHttpProxyConfig,
 		FieldAKSHttpProxyDestination,
 		FieldAKSHttpsProxyDestination,
 		FieldAKSNoProxyDestinations,
+		FieldClusterCredentialsId,
 	) {
 		log.Printf("[INFO] Nothing to update in cluster setttings.")
 		return nil
@@ -275,9 +285,10 @@ func updateAKSClusterSettings(ctx context.Context, data *schema.ResourceData, cl
 	clientID := data.Get(FieldAKSClusterClientID).(string)
 	tenantID := data.Get(FieldAKSClusterTenantID).(string)
 	clientSecret := data.Get(FieldAKSClusterClientSecret).(string)
+	federationId := data.Get(FieldAKSClusterFederationID).(string)
 	subscriptionID := data.Get(FieldAKSClusterSubscriptionID).(string)
 
-	credentials, err := sdk.ToCloudCredentialsAzure(clientID, clientSecret, tenantID, subscriptionID)
+	credentials, err := sdk.ToCloudCredentialsAzure(clientID, clientSecret, federationId, tenantID, subscriptionID)
 	if err != nil {
 		return err
 	}

castai/resource_aks_cluster_test.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"os"
 	"testing"
 
 	"github.com/golang/mock/gomock"
@@ -414,7 +415,7 @@ func TestAKSClusterResourceUpdateContext(t *testing.T) {
 	})
 }
 
-func TestAccAKS_ResourceAKSCluster(t *testing.T) {
+func TestAccAKS_ResourceAKSCluster_SecretFlow(t *testing.T) {
 	rName := fmt.Sprintf("%v-aks-%v", ResourcePrefix, acctest.RandString(8))
 	resourceName := "castai_aks_cluster.test"
 	clusterName := "core-tf-acc"
@@ -452,7 +453,7 @@ func TestAccAKS_ResourceAKSCluster(t *testing.T) {
 }
 
 func testAccAKSClusterConfig(rName string, clusterName string, resourceGroupName, nodeResourceGroup string) string {
-	return ConfigCompose(testAccAzureConfig(rName, resourceGroupName, nodeResourceGroup), fmt.Sprintf(`
+	return concatenateConfigs(testAccAzureConfigUsingClientSecret(rName, resourceGroupName, nodeResourceGroup), fmt.Sprintf(`
 resource "castai_aks_cluster" "test" {
   name            = %[1]q
 
@@ -468,7 +469,52 @@ resource "castai_aks_cluster" "test" {
 `, clusterName, nodeResourceGroup))
 }
 
-func testAccAzureConfig(rName, rgName, ngName string) string {
+func TestAccAKS_ResourceAKSCluster_ImpersonationFlow(t *testing.T) {
+	const resourceName = "castai_aks_cluster.test"
+	const clusterName = "terraform-tests-december-2025"
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		ProviderFactories: providerFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureClusterWithFederationID(clusterName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", clusterName),
+					resource.TestCheckResourceAttrSet(resourceName, "credentials_id"),
+					resource.TestCheckResourceAttr(resourceName, "region", "westeurope"),
+					resource.TestCheckResourceAttrSet(resourceName, "cluster_token"),
+				),
+			},
+		},
+		ExternalProviders: map[string]resource.ExternalProvider{
+			"azurerm": {
+				Source: "hashicorp/azurerm",
+			},
+		},
+	})
+}
+
+func testAccAzureClusterWithFederationID(clusterName string) string {
+	subscriptionID := os.Getenv("ARM_SUBSCRIPTION_ID")
+	federationID := os.Getenv("AZURE_TF_ACCEPTANCE_TEST_FEDERATION_ID")
+	tenantID := os.Getenv("AZURE_TF_ACCEPTANCE_TEST_FEDERATION_TENANT_ID")
+	clientID := os.Getenv("AZURE_TF_ACCEPTANCE_TEST_FEDERATION_CLIENT_ID")
+
+	return fmt.Sprintf(`
+resource "castai_aks_cluster" "test" {
+  name = %[3]q
+
+  region              = "westeurope"
+  subscription_id     = %[1]q
+  tenant_id           = %[4]q
+  client_id           = %[5]q
+  federation_id       = %[2]q
+  node_resource_group = "%[3]s-ng"
+}
+`, subscriptionID, federationID, clusterName, tenantID, clientID)
+}
+
+func testAccAzureConfigUsingClientSecret(rName, rgName, ngName string) string {
 	return fmt.Sprintf(`
 provider "azurerm" {
   features {}

castai/resource_allocation_group_test.go

@@ -93,7 +93,7 @@ func allocationGroupWithAllClusterIds() string {
 		cluster_ids = []
 	}
 	`
-	return ConfigCompose(cfg)
+	return concatenateConfigs(cfg)
 }
 
 func allocationGroupConfig() string {
@@ -116,7 +116,7 @@ func allocationGroupConfig() string {
 	}
 	`
 
-	return ConfigCompose(cfg)
+	return concatenateConfigs(cfg)
 }
 
 func allocationGroupUpdatedConfig() string {
@@ -140,5 +140,5 @@ func allocationGroupUpdatedConfig() string {
 	}
 	`
 
-	return ConfigCompose(cfg)
+	return concatenateConfigs(cfg)
 }

castai/resource_autoscaler_test.go

@@ -1046,7 +1046,7 @@ func testAccAutoscalerConfig(rName, clusterName string, enabled bool, updated bo
 		delaySeconds = 300
 	}
 
-	return ConfigCompose(testAccEKSClusterConfig(rName, clusterName), fmt.Sprintf(`
+	return concatenateConfigs(testAccEKSClusterConfig(rName, clusterName), fmt.Sprintf(`
 resource "castai_autoscaler" "test" {
   cluster_id = castai_eks_cluster.test.id
 

castai/resource_edge_location_test.go

@@ -203,7 +203,7 @@ func testAccEdgeLocationAWSConfigWithParams(rName, clusterName, description stri
 	}
 	zonesConfig += "]"
 
-	return ConfigCompose(testOmniClusterConfig(clusterName), fmt.Sprintf(`
+	return concatenateConfigs(testOmniClusterConfig(clusterName), fmt.Sprintf(`
 resource "castai_edge_location" "test" {
   organization_id = %[5]q
   cluster_id      = castai_omni_cluster.test.id
@@ -292,7 +292,7 @@ func testAccEdgeLocationGCPConfigWithParams(rName, clusterName, description stri
 		networkTagsConfig += fmt.Sprintf("%q", tag)
 	}
 
-	return ConfigCompose(testOmniClusterConfig(clusterName), fmt.Sprintf(`
+	return concatenateConfigs(testOmniClusterConfig(clusterName), fmt.Sprintf(`
 resource "castai_edge_location" "test" {
   organization_id = %[6]q
   cluster_id      = castai_omni_cluster.test.id
@@ -337,7 +337,7 @@ func testAccEdgeLocationOCIConfigWithParams(rName, description, ociCredentials s
 	organizationID := testAccGetOrganizationID()
 	clusterName := "test-oci-cluster"
 
-	return ConfigCompose(testOmniClusterConfig(clusterName), fmt.Sprintf(`
+	return concatenateConfigs(testOmniClusterConfig(clusterName), fmt.Sprintf(`
 resource "castai_edge_location" "test" {
   organization_id = %[3]q
   cluster_id      = castai_omni_cluster.test.id

castai/resource_node_configuration_aks_test.go

@@ -73,7 +73,7 @@ func TestAccAKS_ResourceNodeConfiguration(t *testing.T) {
 }
 
 func testAccAKSNodeConfigurationConfig(rName, clusterName, rgName, ngName string) string {
-	return ConfigCompose(testAccAKSClusterConfig(rName, clusterName, rgName, ngName), fmt.Sprintf(`
+	return concatenateConfigs(testAccAKSClusterConfig(rName, clusterName, rgName, ngName), fmt.Sprintf(`
 resource "castai_node_configuration" "test" {
   name   		    = %[1]q
   cluster_id        = castai_aks_cluster.test.id
@@ -97,7 +97,7 @@ resource "castai_node_configuration_default" "test" {
 }
 
 func testAccAKSNodeConfigurationUpdated(rName, clusterName, rgName, ngName string) string {
-	return ConfigCompose(testAccAKSClusterConfig(rName, clusterName, rgName, ngName), fmt.Sprintf(`
+	return concatenateConfigs(testAccAKSClusterConfig(rName, clusterName, rgName, ngName), fmt.Sprintf(`
 resource "castai_node_configuration" "test" {
   name   		    = %[2]q
   cluster_id        = castai_aks_cluster.test.id

castai/resource_node_configuration_eks_test.go

@@ -102,7 +102,7 @@ func TestAccEKS_ResourceNodeConfiguration(t *testing.T) {
 }
 
 func testAccEKSNodeConfigurationConfig(rName, clusterName string) string {
-	return ConfigCompose(testAccEKSClusterConfig(rName, clusterName), fmt.Sprintf(`
+	return concatenateConfigs(testAccEKSClusterConfig(rName, clusterName), fmt.Sprintf(`
 variable "init_script" {
   type = string
   default = <<EOF
@@ -159,7 +159,7 @@ resource "castai_node_configuration_default" "test" {
 }
 
 func testAccEKSNodeConfigurationUpdated(rName, clusterName string) string {
-	return ConfigCompose(testAccEKSClusterConfig(rName, clusterName), fmt.Sprintf(`
+	return concatenateConfigs(testAccEKSClusterConfig(rName, clusterName), fmt.Sprintf(`
 resource "castai_node_configuration" "test" {
   name   		    = %[1]q
   cluster_id        = castai_eks_cluster.test.id
@@ -186,7 +186,7 @@ resource "castai_node_configuration" "test" {
 }
 
 func testAccEKSClusterConfig(rName string, clusterName string) string {
-	return ConfigCompose(testAccAWSConfig(rName), fmt.Sprintf(`
+	return concatenateConfigs(testAccAWSConfig(rName), fmt.Sprintf(`
 resource "castai_eks_clusterid" "test" {
   account_id   = data.aws_caller_identity.current.account_id
   region       = "eu-central-1"

castai/resource_node_configuration_gke_test.go

@@ -150,7 +150,7 @@ func testAccGKENodeConfigurationConfigWithMaxPodsFormula(rName, clusterName, pro
 }
 
 func testAccGKENodeConfigurationConfigWithGKEConfig(rName, clusterName, projectID, gkeParams string) string {
-	return ConfigCompose(testAccGKEClusterConfig(rName, clusterName, projectID), fmt.Sprintf(`
+	return concatenateConfigs(testAccGKEClusterConfig(rName, clusterName, projectID), fmt.Sprintf(`
 resource "castai_node_configuration" "test" {
   name   		    = %[1]q
   cluster_id        = castai_gke_cluster.test.id
@@ -174,7 +174,7 @@ resource "castai_node_configuration_default" "test" {
 }
 
 func testAccGKENodeConfigurationUpdated(rName, clusterName, projectID string) string {
-	return ConfigCompose(testAccGKEClusterConfig(rName, clusterName, projectID), fmt.Sprintf(`
+	return concatenateConfigs(testAccGKEClusterConfig(rName, clusterName, projectID), fmt.Sprintf(`
 resource "castai_node_configuration" "test" {
   name   		    = %[1]q
   cluster_id        = castai_gke_cluster.test.id
@@ -213,7 +213,7 @@ resource "castai_node_configuration" "test" {
 `, rName))
 }
 func testAccGKEClusterConfig(rName string, clusterName string, projectID string) string {
-	return ConfigCompose(testAccGCPConfig(rName, clusterName, projectID), fmt.Sprintf(`
+	return concatenateConfigs(testAccGCPConfig(rName, clusterName, projectID), fmt.Sprintf(`
 resource "castai_gke_cluster" "test" {
   project_id                 = %[1]q
   location                   = "us-central1-c" 

castai/resource_node_template_test.go

@@ -383,17 +383,17 @@ func Test_flattenPriceAdjustmentConfiguration(t *testing.T) {
 			name: "configuration with adjustments",
 			input: &sdk.NodetemplatesV1PriceAdjustmentConfiguration{
 				InstanceTypeAdjustments: &map[string]string{
-					"r7a.xlarge":  "1.0",
-					"r7i.xlarge":  "1.20",
-					"c6a.xlarge":  "0.90",
+					"r7a.xlarge": "1.0",
+					"r7i.xlarge": "1.20",
+					"c6a.xlarge": "0.90",
 				},
 			},
 			want: []map[string]any{
 				{
 					FieldNodeTemplateInstanceTypeAdjustments: map[string]string{
-						"r7a.xlarge":  "1.0",
-						"r7i.xlarge":  "1.20",
-						"c6a.xlarge":  "0.90",
+						"r7a.xlarge": "1.0",
+						"r7i.xlarge": "1.20",
+						"c6a.xlarge": "0.90",
 					},
 				},
 			},
@@ -898,7 +898,7 @@ func TestAccEKS_ResourceNodeTemplate_basic(t *testing.T) {
 }
 
 func testAccNodeTemplateConfig(rName, clusterName string) string {
-	return ConfigCompose(testAccEKSClusterConfig(rName, clusterName), testAccNodeConfig(rName), testAccEdgeLocationsConfig(rName, clusterName), fmt.Sprintf(`
+	return concatenateConfigs(testAccEKSClusterConfig(rName, clusterName), testAccNodeConfig(rName), testAccEdgeLocationsConfig(rName, clusterName), fmt.Sprintf(`
 		resource "castai_node_template" "test" {
 			cluster_id        = castai_eks_cluster.test.id
 			name = %[1]q
@@ -1054,7 +1054,7 @@ resource "castai_edge_location" "test_2" {
 }
 
 func testNodeTemplateUpdated(rName, clusterName string) string {
-	return ConfigCompose(testAccEKSClusterConfig(rName, clusterName), testAccNodeConfig(rName), testAccEdgeLocationsConfig(rName, clusterName), fmt.Sprintf(`
+	return concatenateConfigs(testAccEKSClusterConfig(rName, clusterName), testAccNodeConfig(rName), testAccEdgeLocationsConfig(rName, clusterName), fmt.Sprintf(`
 		resource "castai_node_template" "test" {
 			cluster_id        = castai_eks_cluster.test.id
 			name = %[1]q
@@ -1170,7 +1170,7 @@ func testAccCheckNodeTemplateDestroy(templateName string) func(s *terraform.Stat
 }
 
 func testAccNodeConfig(rName string) string {
-	return ConfigCompose(fmt.Sprintf(`
+	return concatenateConfigs(fmt.Sprintf(`
 data "aws_subnets" "cost" {
 	tags = {
 		Name = "*cost-terraform-cluster/SubnetPublic*"