feat(aks): Allow converting kubeconfig using kubelogin

terraform/cluster/azure-aks/main.tf

@@ -9,6 +9,10 @@ terraform {
       source  = "hashicorp/azurerm"
       version = "~> 4.55.0"
     }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.2"
+    }
   }
 }
 
@@ -540,9 +544,44 @@ resource "azurerm_role_assignment" "node_pool_disk_encryption_set_reader" {
   principal_id         = local.kubelet_object_id
 }
 
-resource "local_file" "kube_config" {
-  content  = azurerm_kubernetes_cluster.main.kube_config_raw
-  filename = local.kubeconfig_path
+#-----------------------------------------------------------------------------------------------------------------------
+# Kubeconfig
+#-----------------------------------------------------------------------------------------------------------------------
+
+# Write kubeconfig as generated by Azure (uses kubelogin with devicecode by default)
+# The kubeconfig already includes kubelogin in the exec block.
+resource "local_sensitive_file" "kubeconfig" {
+  count = local.kubeconfig_path != "" ? 1 : 0
+
+  content         = azurerm_kubernetes_cluster.main.kube_config_raw
+  filename        = local.kubeconfig_path
+  file_permission = "0600"
+
+  lifecycle {
+    ignore_changes = [content]
+  }
+}
+
+# Convert kubeconfig to specified login mode if kubelogin_mode is set
+# This runs after the kubeconfig file is created
+resource "null_resource" "convert_kubeconfig" {
+  count = local.kubeconfig_path != "" && var.kubelogin_mode != "" ? 1 : 0
+
+  provisioner "local-exec" {
+    command = "kubelogin convert-kubeconfig -l ${var.kubelogin_mode} --kubeconfig ${local.kubeconfig_path}"
+    environment = {
+      KUBECONFIG = local.kubeconfig_path
+    }
+  }
+
+  depends_on = [
+    local_sensitive_file.kubeconfig
+  ]
+
+  triggers = {
+    kubeconfig_content = azurerm_kubernetes_cluster.main.kube_config_raw
+    login_mode         = var.kubelogin_mode
+  }
 }
 
 # Automatically assign "Azure Kubernetes Service RBAC Cluster Admin" to the

terraform/cluster/azure-aks/test.tftest.hcl

@@ -170,6 +170,11 @@ run "minimal_configuration" {
     condition     = azurerm_kubernetes_cluster.main.image_cleaner_interval_hours == 48
     error_message = "Image Cleaner interval should default to 48 hours"
   }
+
+  assert {
+    condition     = length(null_resource.convert_kubeconfig) == 0
+    error_message = "convert_kubeconfig resource should not be created when kubelogin_mode is empty (default)"
+  }
 }
 
 # Tests a full configuration with all optional variables explicitly set,
@@ -221,6 +226,8 @@ run "full_configuration" {
     enable_volume_snapshots           = true
     image_cleaner_enabled             = true
     image_cleaner_interval_hours      = 24
+    context_path                      = "/tmp"
+    kubelogin_mode                    = "azurecli"
   }
 
   assert {
@@ -397,6 +404,16 @@ run "full_configuration" {
     condition     = azurerm_kubernetes_cluster.main.image_cleaner_interval_hours == 24
     error_message = "Image Cleaner interval should match input value"
   }
+
+  assert {
+    condition     = length(null_resource.convert_kubeconfig) == 1
+    error_message = "convert_kubeconfig resource should be created when kubelogin_mode is set"
+  }
+
+  assert {
+    condition     = null_resource.convert_kubeconfig[0].triggers.login_mode == "azurecli"
+    error_message = "convert_kubeconfig trigger should include login_mode set to azurecli"
+  }
 }
 
 # Tests the private cluster configuration, ensuring that enabling the private_cluster_enabled
@@ -431,7 +448,7 @@ run "config_file_created" {
   }
 
   assert {
-    condition     = length(local_file.kube_config) >= 1
+    condition     = length(local_sensitive_file.kubeconfig) >= 1
     error_message = "Kubeconfig file should be generated when context path is provided"
   }
 }

terraform/cluster/azure-aks/variables.tf

@@ -340,3 +340,23 @@ variable "image_cleaner_interval_hours" {
   default     = 48
 }
 
+variable "kubelogin_mode" {
+  description = "Login mode for kubelogin convert-kubeconfig. If set, converts the kubeconfig to use this login mode. Valid values: devicecode, interactive, spn, ropc, msi, azurecli, azd, workloadidentity, azurepipelines. Leave empty to skip conversion and use the default devicecode mode from Azure."
+  type        = string
+  default     = ""
+  validation {
+    condition = var.kubelogin_mode == "" || contains([
+      "devicecode",
+      "interactive",
+      "spn",
+      "ropc",
+      "msi",
+      "azurecli",
+      "azd",
+      "workloadidentity",
+      "azurepipelines"
+    ], var.kubelogin_mode)
+    error_message = "kubelogin_mode must be empty or one of: devicecode, interactive, spn, ropc, msi, azurecli, azd, workloadidentity, azurepipelines."
+  }
+}
+