From 862a73bf82db9dbfabcb2e6effaab01a48d952cd Mon Sep 17 00:00:00 2001
From: Dave Curylo <dave@curylo.org>
Date: Tue, 6 Aug 2024 17:12:37 -0400
Subject: [PATCH] Managed Clusters (AKS): Default to use MSI.

---
 RELEASE_NOTES.md                                 |  1 +
 src/Farmer/Builders/Builders.ContainerService.fs |  2 +-
 src/Tests/ContainerService.fs                    | 16 +++++++++-------
 3 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index f6725774f..ef84faf50 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -3,6 +3,7 @@ Release Notes
 
 ## 1.9.1
 * Managed Clusters (AKS): Support for workload identity, OIDC issuer, image cleaner, and Defender.
+* Managed Clusters (AKS): Default to use MSI for the service principal profile to align with CLI and Portal.
 * User Assigned Identities: Support for `depends_on`.
 
 ## 1.9.0
diff --git a/src/Farmer/Builders/Builders.ContainerService.fs b/src/Farmer/Builders/Builders.ContainerService.fs
index aaa1f4f09..35636c10c 100644
--- a/src/Farmer/Builders/Builders.ContainerService.fs
+++ b/src/Farmer/Builders/Builders.ContainerService.fs
@@ -388,7 +388,7 @@ type AksBuilder() =
         NetworkProfile = None
         OidcIssuerProfile = None
         SecurityProfile = None
-        ServicePrincipalClientID = ""
+        ServicePrincipalClientID = "msi"
         WindowsProfileAdminUserName = None
     }
 
diff --git a/src/Tests/ContainerService.fs b/src/Tests/ContainerService.fs
index 3361796aa..dd60d4fe5 100644
--- a/src/Tests/ContainerService.fs
+++ b/src/Tests/ContainerService.fs
@@ -69,13 +69,15 @@ let tests =
 
             Expect.equal identity "None" "Basic cluster with client ID should have no identity assigned."
         }
-        test "Basic AKS cluster needs SP" {
-            Expect.throws
-                (fun _ ->
-                    let myAks = aks { name "aks-cluster" }
-                    let template = arm { add_resource myAks }
-                    template |> Writer.quickWrite "aks-cluster-should-fail")
-                "Error should be raised if there are no service principal settings."
+        test "Basic AKS cluster uses MSI" {
+            let myAks = aks { name "aks-cluster" }
+            let deployment = arm { add_resource myAks }
+            let jobj = deployment.Template |> Writer.toJson |> JToken.Parse
+
+            Expect.equal
+                (jobj.SelectToken "resources[?(@.name=='aks-cluster')].properties.servicePrincipalProfile.clientId")
+                (JValue "msi")
+                "Defaults to MSI when no service principal is set."
         }
         test "Simple AKS cluster" {
             let myAks = aks {