From 93f6e8440fcb4532732064bf0a5d7fc15744d0bb Mon Sep 17 00:00:00 2001
From: Steph
Date: Fri, 18 Mar 2022 10:37:08 +0100
Subject: [PATCH] mark kube_config and kube_admin_config as sensitive with env variable
---
 .../kubernetes_cluster_data_source.go | 82 +++++++++++++++++++
 .../kubernetes_cluster_data_source_test.go | 72 ++++++++++++++++
 .../docs/d/kubernetes_cluster.html.markdown | 4 +
 3 files changed, 158 insertions(+)
diff --git a/internal/services/containers/kubernetes_cluster_data_source.go b/internal/services/containers/kubernetes_cluster_data_source.go
index cb61dd51fe5c5..df61de3a863b9 100644
--- a/internal/services/containers/kubernetes_cluster_data_source.go
+++ b/internal/services/containers/kubernetes_cluster_data_source.go
@@ -877,6 +877,88 @@ func dataSourceKubernetesCluster() *pluginsdk.Resource {
 }
 }
 
+ if features.KubeConfigsAreSensitive() {
+ resource.Schema["kube_config"] = &pluginsdk.Schema{
+ Type: pluginsdk.TypeList,
+ Computed: true,
+ Sensitive: true,
+ Elem: &pluginsdk.Resource{
+ Schema: map[string]*pluginsdk.Schema{
+ "host": {
+ Type: pluginsdk.TypeString,
+ Computed: true,
+ Sensitive: true,
+ },
+ "username": {
+ Type: pluginsdk.TypeString,
+ Computed: true,
+ Sensitive: true,
+ },
+ "password": {
+ Type: pluginsdk.TypeString,
+ Computed: true,
+ Sensitive: true,
+ },
+ "client_certificate": {
+ Type: pluginsdk.TypeString,
+ Computed: true,
+ Sensitive: true,
+ },
+ "client_key": {
+ Type: pluginsdk.TypeString,
+ Computed: true,
+ Sensitive: true,
+ },
+ "cluster_ca_certificate": {
+ Type: pluginsdk.TypeString,
+ Computed: true,
+ Sensitive: true,
+ },
+ },
+ },
+ }
+
+ resource.Schema["kube_admin_config"] = &pluginsdk.Schema{
+ Type: pluginsdk.TypeList,
+ Computed: true,
+ Sensitive: true,
+ Elem: &pluginsdk.Resource{
+ Schema: map[string]*pluginsdk.Schema{
+ "host": {
+ Type: pluginsdk.TypeString,
+ Computed: true,
+ Sensitive: true,
+ },
+ "username": {
+ Type: pluginsdk.TypeString,
+ Computed: true,
+ Sensitive: true,
+ },
+ "password": {
+ Type: pluginsdk.TypeString,
+ Computed: true,
+ Sensitive: true,
+ },
+ "client_certificate": {
+ Type: pluginsdk.TypeString,
+ Computed: true,
+ Sensitive: true,
+ },
+ "client_key": {
+ Type: pluginsdk.TypeString,
+ Computed: true,
+ Sensitive: true,
+ },
+ "cluster_ca_certificate": {
+ Type: pluginsdk.TypeString,
+ Computed: true,
+ Sensitive: true,
+ },
+ },
+ },
+ }
+ }
+
 return resource
 }
 
diff --git a/internal/services/containers/kubernetes_cluster_data_source_test.go b/internal/services/containers/kubernetes_cluster_data_source_test.go
index 14b92d92ae741..c2ad80dd78a78 100644
--- a/internal/services/containers/kubernetes_cluster_data_source_test.go
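Review bot: The `kube_config` and `kube_admin_config` schemas in this hunk are two 39-line literals that differ only in the map key, and they presumably also repeat the non-sensitive definitions built earlier in `dataSourceKubernetesCluster` (outside the hunk), so a field added to one copy will silently drift from the others. A small helper taking a `sensitive bool` and called for both keys keeps the variants in step, and could serve the base definitions too if they carry the same six fields. The `if` also deserves a comment, because `Sensitive` only redacts plan/apply output while the values remain in plaintext in the state file: `// Sensitive only redacts CLI output; state still holds these values in plaintext.` `dataSourceKubernetesCluster` starts outside the hunk.
```go
// kubeConfigDataSourceSchema builds the block shared by kube_config and
// kube_admin_config; sensitive marks the list and every field Sensitive.
func kubeConfigDataSourceSchema(sensitive bool) *pluginsdk.Schema {
	fields := []string{"host", "username", "password", "client_certificate", "client_key", "cluster_ca_certificate"}
	elem := make(map[string]*pluginsdk.Schema, len(fields))
	for _, name := range fields {
		elem[name] = &pluginsdk.Schema{
			Type:      pluginsdk.TypeString,
			Computed:  true,
			Sensitive: sensitive,
		}
	}
	return &pluginsdk.Schema{
		Type:      pluginsdk.TypeList,
		Computed:  true,
		Sensitive: sensitive,
		Elem:      &pluginsdk.Resource{Schema: elem},
	}
}

	// … unchanged: rest of dataSourceKubernetesCluster …
	// Sensitive only redacts CLI output; state still holds these values in plaintext.
	if features.KubeConfigsAreSensitive() {
		resource.Schema["kube_config"] = kubeConfigDataSourceSchema(true)
		resource.Schema["kube_admin_config"] = kubeConfigDataSourceSchema(true)
	}
	return resource
```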
+++ b/internal/services/containers/kubernetes_cluster_data_source_test.go
@@ -39,6 +39,35 @@ func TestAccDataSourceKubernetesCluster_basic(t *testing.T) {
 })
 }
 
+func TestAccDataSourceKubernetesCluster_basicSensitive(t *testing.T) {
+ data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test")
+ r := KubernetesClusterDataSource{}
+
+ os.Setenv("ARM_AKS_KUBE_CONFIGS_SENSITIVE", "true")
+
+ data.DataSourceTest(t, []acceptance.TestStep{
+ {
+ Config: r.basicConfig(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).Key("kube_config.0.client_key").Exists(),
+ check.That(data.ResourceName).Key("kube_config.0.client_certificate").Exists(),
+ check.That(data.ResourceName).Key("kube_config.0.cluster_ca_certificate").Exists(),
+ check.That(data.ResourceName).Key("kube_config.0.host").Exists(),
+ check.That(data.ResourceName).Key("kube_config.0.username").Exists(),
+ check.That(data.ResourceName).Key("kube_config.0.password").Exists(),
+ check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("0"),
+ check.That(data.ResourceName).Key("kube_admin_config_raw").HasValue(""),
+ check.That(data.ResourceName).Key("kubelet_identity.0.object_id").Exists(),
+ check.That(data.ResourceName).Key("kubelet_identity.0.client_id").Exists(),
+ check.That(data.ResourceName).Key("kubelet_identity.0.user_assigned_identity_id").Exists(),
+ check.That(data.ResourceName).Key("identity.0.type").HasValue("SystemAssigned"),
+ check.That(data.ResourceName).Key("identity.0.principal_id").Exists(),
+ check.That(data.ResourceName).Key("identity.0.tenant_id").Exists(),
+ ),
+ },
+ })
+}
+
 func TestAccDataSourceKubernetesCluster_privateCluster(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test")
@@ -127,6 +156,49 @@ func TestAccDataSourceKubernetesCluster_roleBasedAccessControlAAD(t *testing.T)
 }
 }
 
+func TestAccDataSourceKubernetesCluster_roleBasedAccessControlAADSensitive(t *testing.T) {
+ data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test")
+ r := KubernetesClusterDataSource{}
+ clientId := os.Getenv("ARM_CLIENT_ID")
+ clientSecret := os.Getenv("ARM_CLIENT_SECRET")
+ tenantId := os.Getenv("ARM_TENANT_ID")
+
+ os.Setenv("ARM_AKS_KUBE_CONFIGS_SENSITIVE", "true")
+
+ if !features.ThreePointOhBeta() {
+ data.DataSourceTest(t, []acceptance.TestStep{
+ {
+ Config: r.roleBasedAccessControlAADConfig(data, clientId, clientSecret, tenantId),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).Key("role_based_access_control.#").HasValue("1"),
+ check.That(data.ResourceName).Key("role_based_access_control.0.enabled").HasValue("true"),
+ check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.#").HasValue("1"),
+ check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.0.client_app_id").Exists(),
+ check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.0.server_app_id").Exists(),
+ check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.0.tenant_id").Exists(),
+ check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("1"),
+ check.That(data.ResourceName).Key("kube_admin_config_raw").Exists(),
+ ),
+ },
+ })
+ } else {
+ data.DataSourceTest(t, []acceptance.TestStep{
+ {
+ Config: r.roleBasedAccessControlAADConfig(data, clientId, clientSecret, tenantId),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).Key("role_based_access_control_enabled").HasValue("true"),
+ check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.#").HasValue("1"),
+ check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.client_app_id").Exists(),
+ check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.server_app_id").Exists(),
+ check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.tenant_id").Exists(),
+ check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("1"),
+ check.That(data.ResourceName).Key("kube_admin_config_raw").Exists(),
+ ),
+ },
+ })
+ }
+}
+
 func TestAccDataSourceKubernetesCluster_localAccountDisabled(t *testing.T) {
 data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test")
 r := KubernetesClusterDataSource{}
diff --git a/website/docs/d/kubernetes_cluster.html.markdown b/website/docs/d/kubernetes_cluster.html.markdown
index fee0b922128d9..715e2b44cd90c 100644
--- a/website/docs/d/kubernetes_cluster.html.markdown
+++ b/website/docs/d/kubernetes_cluster.html.markdown
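Review bot: `os.Setenv("ARM_AKS_KUBE_CONFIGS_SENSITIVE", "true")` in `TestAccDataSourceKubernetesCluster_roleBasedAccessControlAADSensitive` is never restored, so the flag leaks into every test that runs later in the same process, including the non-sensitive variants; the same applies to `TestAccDataSourceKubernetesCluster_basicSensitive` in the previous hunk, whose tail appears to be cut off on this page. `t.Setenv("ARM_AKS_KUBE_CONFIGS_SENSITIVE", "true")` restores the prior value on cleanup (and refuses to run alongside `t.Parallel`, which is what you want here). Neither test actually checks that the attributes are marked sensitive — every assertion in both would pass with the flag off — so they exercise the schema but not the change. If `features.KubeConfigsAreSensitive()` is read when the provider schema is built rather than per step, setting the variable inside the test body may also come too late; confirm how `DataSourceTest` constructs the provider before relying on these tests.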
@@ -66,10 +66,14 @@ The following attributes are exported:
 * `kube_admin_config` - A `kube_admin_config` block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are not disabled.
 
+~> **NOTE:** To mark the whole of `kube_admin_config` as Sensitive in State, set the environment variable `ARM_AKS_KUBE_CONFIGS_SENSITIVE` to `true`. Any values from this block used in `outputs` will then also need to be marked as sensitive.
+
 * `kube_admin_config_raw` - Raw Kubernetes config for the admin account to be used by [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/) and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are not disabled.
 
 * `kube_config` - A `kube_config` block as defined below.
 
+~> **NOTE:** To mark the whole of `kube_config` as Sensitive in State, set the environment variable `ARM_AKS_KUBE_CONFIGS_SENSITIVE` to `true`. Any values from this block used in `outputs` will then also need to be marked as sensitive.
+
 * `kube_config_raw` - Base64 encoded Kubernetes configuration.
 
 * `kubernetes_version` - The version of Kubernetes used on the managed Kubernetes Cluster.