Azure · sumanthreddy29 · Dec 1, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025
@@ -73,6 +73,16 @@ locals {
     ""
   )
 
+  aad_parameter = (
+    var.aks_aad_enabled == true ?
+    format(
+      "--enable-aad --enable-azure-rbac --aad-admin-group-object-ids %s --aad-tenant-id %s",
+      data.azurerm_client_config.current.object_id,
+      data.azurerm_client_config.current.tenant_id
+    )
+    : ""
+  )
+
   custom_configurations = (
     var.aks_cli_config.use_custom_configurations && var.aks_cli_custom_config_path != null ?
     format(
@@ -108,6 +118,7 @@ locals {
     local.subnet_id_parameter,
     local.managed_identity_parameter,
     local.api_server_vnet_integration_parameter,
+    local.aad_parameter,
   ], local.default_node_pool_parameters))
 
   aks_cli_destroy_command = join(" ", [
@@ -120,6 +131,8 @@ locals {
   ])
 }
 
+data "azurerm_client_config" "current" {}
+
 resource "azurerm_user_assigned_identity" "userassignedidentity" {
   count               = var.aks_cli_config.managed_identity_name == null ? 0 : 1
   location            = var.location

@@ -28,6 +28,12 @@ variable "aks_cli_custom_config_path" {
   default     = null
 }
 
+variable "aks_aad_enabled" {
+  description = "Indicates whether Azure Active Directory integration is enabled for AKS"
+  type        = bool
+  default     = false
+}
+
 variable "aks_cli_config" {
   type = object({
     role                              = string
@@ -59,7 +65,7 @@ variable "aks_cli_config" {
           value = string
         })), [])
     })), [])
-    optional_parameters = optional(list(object({  # Refer to https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-create(aks-preview) for available parameters
+    optional_parameters = optional(list(object({ # Refer to https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-create(aks-preview) for available parameters
       name  = string
       value = string
     })), [])

@@ -10,7 +10,7 @@ locals {
   aks_custom_headers                = lookup(var.json_input, "aks_custom_headers", [])
   k8s_machine_type                  = lookup(var.json_input, "k8s_machine_type", null)
   k8s_os_disk_type                  = lookup(var.json_input, "k8s_os_disk_type", null)
-  aks_aad_enabled                   = lookup(var.json_input, "aks_aad_enabled", "false")
+  aks_aad_enabled                   = lookup(var.json_input, "aks_aad_enabled", false)
   enable_apiserver_vnet_integration = lookup(var.json_input, "enable_apiserver_vnet_integration", false)
 
   tags = {
@@ -27,6 +27,7 @@ locals {
   aks_cli_custom_config_path = "${path.cwd}/../../../scenarios/${var.scenario_type}/${var.scenario_name}/config/aks_custom_config.json"
 
   all_subnets = merge([for network in var.network_config_list : module.virtual_network[network.role].subnets]...)
+  firewall_config_map = { for fw in var.firewall_config_list : fw.name => fw }
   updated_aks_config_list = length(var.aks_config_list) > 0 ? [
     for aks in var.aks_config_list : merge(
       aks,
@@ -75,8 +76,7 @@ module "virtual_network" {
   network_config      = each.value
   resource_group_name = local.run_id
   location            = local.region
-  public_ips          = module.public_ips.pip_ids
-  public_ip_addresses = module.public_ips.pip_addresses
+  public_ips          = module.public_ips.public_ips
   tags                = local.tags
 }
 
@@ -88,6 +88,22 @@ module "dns_zones" {
   tags                = local.tags
 }
 
+module "firewall" {
+  for_each = local.firewall_config_map
+
+  source              = "./firewall"
+  resource_group_name = local.run_id
+  location            = local.region
+  tags                = local.tags
+
+  firewall_config = merge(each.value, {
+    subnet_id            = local.all_subnets[each.value.subnet_name]
+    public_ip_address_id = module.public_ips.public_ips[each.value.public_ip_name].id
+  })
+
+  depends_on = [module.virtual_network]
+}
+
 module "aks" {
   for_each = local.aks_config_map
 
@@ -117,4 +133,5 @@ module "aks-cli" {
   tags                       = local.tags
   subnets_map                = local.all_subnets
   aks_cli_custom_config_path = local.aks_cli_custom_config_path
+  aks_aad_enabled     = local.aks_aad_enabled
 }
@@ -1,4 +1,6 @@
 locals {
+  public_ip_ids       = { for name, ip in var.public_ips : name => ip.id }
+  public_ip_addresses = { for name, ip in var.public_ips : name => ip.ip_address }
   nsr_rules_map                = { for rule in var.network_config.nsr_rules : rule.name => rule }
   nat_gateway_associations_map = var.network_config.nat_gateway_associations == null ? {} : { for nat in var.network_config.nat_gateway_associations : nat.nat_gateway_name => nat }
   input_route_tables_map             = var.network_config.route_tables == null ? {} : { for rt in var.network_config.route_tables : rt.name => rt }
@@ -8,7 +10,6 @@ locals {
     for subnet in azurerm_virtual_network.vnet.subnet :
     split("/", subnet.id)[length(split("/", subnet.id)) - 1] => subnet
   }
-  firewalls_input = var.network_config.firewalls == null ? {} : { for fw in var.network_config.firewalls : fw.name => fw }
   network_security_group_name = var.network_config.network_security_group_name
   expanded_nic_association_map = flatten([
     for nic in var.network_config.nic_public_ip_associations : [
@@ -79,7 +80,7 @@ resource "azurerm_network_interface" "nic" {
     name                          = each.value.ip_configuration_name
     subnet_id                     = local.subnets_map[each.value.subnet_name].id
     private_ip_address_allocation = "Dynamic"
-    public_ip_address_id          = each.value.public_ip_name != null ? var.public_ips[each.value.public_ip_name] : null
+    public_ip_address_id          = each.value.public_ip_name != null ? local.public_ip_ids[each.value.public_ip_name] : null
   }
 }
 
@@ -113,22 +114,6 @@ module "nat_gateway" {
   tags                    = local.tags
 }
 
-module "firewall" {
-  source   = "./firewall"
-  for_each = local.firewalls_input
-
-  firewall_config = merge(each.value, {
-    subnet_id            = local.subnets_map[each.value.subnet_name].id
-    public_ip_address_id = var.public_ips[each.value.public_ip_name]
-  })
-
-  resource_group_name = var.resource_group_name
-  location            = var.location
-  tags                = local.tags
-
-  depends_on = [azurerm_virtual_network.vnet]
-}
-
 module "route_table" {
   source   = "./route-table"
   for_each = local.input_route_tables_map

@@ -9,13 +9,8 @@ variable "location" {
 }
 
 variable "public_ips" {
-  description = "Map of public IP names to IDs"
-  type        = map(string)
-}
-
-variable "public_ip_addresses" {
-  description = "Map of public IP names to IP addresses"
-  type        = map(string)
+  description = "Map of public IP names to their objects containing id and ip_address"
+  type        = map(any)
 }
 
 variable "accelerated_networking" {
@@ -64,64 +59,6 @@ variable "network_config" {
       public_ip_names  = list(string)
       subnet_names     = list(string)
     })))
-    firewalls = optional(list(object({
-      name                  = string
-      sku_name              = optional(string, "AZFW_VNet")
-      sku_tier              = optional(string, "Standard")
-      firewall_policy_id    = optional(string, null)
-      threat_intel_mode     = optional(string, "Alert")
-      dns_proxy_enabled     = optional(bool, false)
-      dns_servers           = optional(list(string), null)
-      subnet_name           = string
-      public_ip_name        = string
-      ip_configuration_name = optional(string, "firewall-ipconfig")
-      nat_rule_collections = optional(list(object({
-        name     = string
-        priority = number
-        action   = optional(string, "Dnat")
-        rules = list(object({
-          name                  = string
-          source_addresses      = optional(list(string), [])
-          source_ip_groups      = optional(list(string), [])
-          destination_ports     = list(string)
-          destination_addresses = list(string)
-          translated_address    = string
-          translated_port       = string
-          protocols             = list(string)
-        }))
-      })), [])
-      network_rule_collections = optional(list(object({
-        name     = string
-        priority = number
-        action   = string # "Allow" or "Deny"
-        rules = list(object({
-          name                  = string
-          source_addresses      = optional(list(string), [])
-          source_ip_groups      = optional(list(string), [])
-          destination_ports     = list(string)
-          destination_addresses = optional(list(string), [])
-          destination_fqdns     = optional(list(string), [])
-          destination_ip_groups = optional(list(string), [])
-          protocols             = list(string) # "TCP", "UDP", "ICMP", "Any"
-        }))
-      })), [])
-      application_rule_collections = optional(list(object({
-        name     = string
-        priority = number
-        action   = string # "Allow" or "Deny"
-        rules = list(object({
-          name             = string
-          source_addresses = optional(list(string), [])
-          source_ip_groups = optional(list(string), [])
-          target_fqdns     = optional(list(string), [])
-          fqdn_tags        = optional(list(string), [])
-          protocols = optional(list(object({
-            port = string
-            type = string # "Http" or "Https"
-          })), [])
-        }))
-      })), [])
-    })), [])
     route_tables = optional(list(object({
       name                          = string
       bgp_route_propagation_enabled = optional(bool, true)

@@ -1,8 +1,9 @@
-output "pip_ids" {
-  value = { for ip in azurerm_public_ip.pip : ip.name => ip.id }
-}
-
-output "pip_addresses" {
-  description = "Map of public IP names to their IP addresses"
-  value       = { for ip in azurerm_public_ip.pip : ip.name => ip.ip_address }
+output "public_ips" {
+  description = "Map of public IP names to their objects containing id and ip_address"
+  value = {
+    for ip in azurerm_public_ip.pip : ip.name => {
+      id         = ip.id
+      ip_address = ip.ip_address
+    }
+  }
 }