From 7c11c6715672cad9ec8f7e4245e9f1dbe39a903e Mon Sep 17 00:00:00 2001
From: Zim Kalinowski
Date: Mon, 29 Oct 2018 14:36:38 +0800
Subject: [PATCH] adding enable_rbac option in aks (#47730)
* adding enable_rbac option in aks
* fixes
* addressed comments
---
 .../modules/cloud/azure/azure_rm_aks.py | 21 +++++++++++++++++--
 .../targets/azure_rm_aks/tasks/main.yml | 2 ++
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/lib/ansible/modules/cloud/azure/azure_rm_aks.py b/lib/ansible/modules/cloud/azure/azure_rm_aks.py
index 27c0b68869..886fd5c4e5 100644
--- a/lib/ansible/modules/cloud/azure/azure_rm_aks.py
+++ b/lib/ansible/modules/cloud/azure/azure_rm_aks.py
@@ -89,6 +89,13 @@ options:
 description:
 - The secret password associated with the service principal.
 required: true
+ enable_rbac:
+ description:
+ - Enable RBAC.
+ - Existing non-RBAC enabled AKS clusters cannot currently be updated for RBAC use.
+ type: bool
+ default: no
+ version_added: 2.8
 extends_documentation_fragment:
 - azure
@@ -248,7 +255,8 @@ def create_aks_dict(aks):
 agent_pool_profiles=create_agent_pool_profiles_dict(
 aks.agent_pool_profiles),
 type=aks.type,
- kube_config=aks.kube_config
+ kube_config=aks.kube_config,
+ enable_rbac=aks.enable_rbac
 )
@@ -361,6 +369,10 @@ class AzureRMManagedCluster(AzureRMModuleBase):
 type='dict',
 options=service_principal_spec
 ),
+ enable_rbac=dict(
+ type='bool',
+ default=False
+ )
 )
 self.resource_group = None
@@ -373,6 +385,7 @@ class AzureRMManagedCluster(AzureRMModuleBase):
 self.linux_profile = None
 self.agent_pool_profiles = None
 self.service_principal = None
+ self.enable_rbac = False
 required_if = [
 ('state', 'present', [
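Review bot: `default=False` in the `enable_rbac` argument spec (hunk `@@ -361,6 +369,10 @@`, mirrored by `default: no` in the option docs) means a cluster created through this module without the option comes up with Kubernetes RBAC disabled, and the docs in this same patch say that cannot be changed afterwards. Since the flag controls authorization inside the cluster, the secure choice should be explicit: either default to `True`, or keep the default and add a description line such as `- When disabled, Kubernetes role-based authorization is not enforced; set to C(yes) for new clusters.` The argument spec and the class body continue outside these hunks, so whether a changed default would affect other callers is not visible here.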
@@ -455,6 +468,9 @@ class AzureRMManagedCluster(AzureRMModuleBase):
 if response['kubernetes_version'] != self.kubernetes_version:
 to_be_updated = True
+ if response['enable_rbac'] != self.enable_rbac:
+ to_be_updated = True
+
 for profile_result in response['agent_pool_profiles']:
 matched = False
 for profile_self in self.agent_pool_profiles:
@@ -520,7 +536,8 @@ class AzureRMManagedCluster(AzureRMModuleBase):
 tags=self.tags,
 service_principal_profile=service_principal_profile,
 agent_pool_profiles=agentpools,
- linux_profile=create_linux_profile_instance(self.linux_profile)
+ linux_profile=create_linux_profile_instance(self.linux_profile),
+ enable_rbac=self.enable_rbac
 )
 # self.log("service_principal_profile : {0}".format(parameters.service_principal_profile))
diff --git a/test/integration/targets/azure_rm_aks/tasks/main.yml b/test/integration/targets/azure_rm_aks/tasks/main.yml
index 5a38045d54..806e38200b 100644
--- a/test/integration/targets/azure_rm_aks/tasks/main.yml
+++ b/test/integration/targets/azure_rm_aks/tasks/main.yml
@@ -45,6 +45,7 @@
 - name: default
 count: 1
 vm_size: Standard_DS1_v2
+ enable_rbac: yes
 register: output
 - name: Assert the AKS instance is well created
@@ -81,6 +82,7 @@
 - name: default
 count: 1
 vm_size: Standard_DS1_v2
+ enable_rbac: yes
 register: output
 - name: Assert idempotent
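Review bot: The new `response['enable_rbac'] != self.enable_rbac` comparison (hunk `@@ -455,6 +468,9 @@`) sets `to_be_updated` for a change that the option docs in this same patch describe as unsupported on existing clusters. A playbook that omits `enable_rbac` (so `False`) and runs against an existing RBAC-enabled cluster would now request an update that tries to switch RBAC off. If the service returns no value for the field, `None != False` would also report a change on every run; this is inferred, as `create_aks_dict` passes `aks.enable_rbac` through unchanged. I would fail early instead of updating: `if bool(response['enable_rbac']) != self.enable_rbac: self.fail("enable_rbac cannot be changed on an existing AKS cluster")`. The enclosing method starts and ends outside the hunk.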