Commit

feat: Add support for managed identity authentication in OMS agent configuration (#4360)

## Description

- Added a new parameter omsAgentUseAADAuth to specify whether the OMS
agent should use managed identity authentication. Documentation:

https://learn.microsoft.com/en-us/azure/azure-monitor/containers/kubernetes-monitoring-enable?tabs=arm#enable-container-insights

https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/scripts/onboarding/aks/onboarding-msi-bicep/existingClusterOnboarding.bicep

- Updated the omsagent configuration to include the useAADAuth property
if the new parameter is set to true.

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|          |

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [ ] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->
PeterBrun authored Feb 7, 2025
1 parent ffa7a7b commit 40cd90e
Showing 5 changed files with 36 additions and 11 deletions.
10 changes: 10 additions & 0 deletions avm/res/container-service/managed-cluster/README.md
@@ -2785,6 +2785,7 @@ param tags = {
| [`nodeResourceGroup`](#parameter-noderesourcegroup) | string | Name of the resource group containing agent pool nodes. |
| [`nodeResourceGroupProfile`](#parameter-noderesourcegroupprofile) | object | The node resource group configuration profile. |
| [`omsAgentEnabled`](#parameter-omsagentenabled) | bool | Specifies whether the OMS agent is enabled. |
| [`omsAgentUseAADAuth`](#parameter-omsagentuseaadauth) | bool | Specifies whether the OMS agent is using managed identity authentication. |
| [`openServiceMeshEnabled`](#parameter-openservicemeshenabled) | bool | Specifies whether the openServiceMesh add-on is enabled or not. |
| [`outboundType`](#parameter-outboundtype) | string | Specifies outbound (egress) routing method. |
| [`podCidr`](#parameter-podcidr) | string | Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used. |
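Review bot: the description "Specifies whether the OMS agent is using managed identity authentication" reads oddly for a boolean that switches a mode; "Specifies whether the OMS agent uses managed identity (Microsoft Entra ID) authentication" matches the parameter name `omsAgentUseAADAuth` better. The same sentence is repeated in the `@description` in main.bicep and in `metadata.description` in main.json, so all three copies should change together (the README is generated from the Bicep, so fixing the `@description` and re-running `Set-AVMModule` is enough).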
@@ -4757,6 +4758,15 @@ Specifies whether the OMS agent is enabled.
- Default: `True`
- MinValue: 24

### Parameter: `omsAgentUseAADAuth`

Specifies whether the OMS agent is using managed identity authentication.

- Required: No
- Type: bool
- Default: `False`
- MinValue: 24

### Parameter: `openServiceMeshEnabled`

Specifies whether the openServiceMesh add-on is enabled or not.
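Review bot: `- MinValue: 24` on a `bool` parameter is meaningless, both in the existing `omsAgentEnabled` block shown as context and in the new `omsAgentUseAADAuth` block. It looks like a README generator artifact rather than something this PR introduced, but since the new block copies it, please confirm against the current `Set-AVMModule` output before merge rather than hand-editing the README; if the generator still emits it, it is worth a separate issue.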
@@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.33.13.18514",
"templateHash": "3772142304849625200"
"version": "0.33.93.31351",
"templateHash": "3323013309772683046"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool."
8 changes: 8 additions & 0 deletions avm/res/container-service/managed-cluster/main.bicep
@@ -344,6 +344,9 @@ param diagnosticSettings diagnosticSettingFullType[]?
@description('Optional. Specifies whether the OMS agent is enabled.')
param omsAgentEnabled bool = true

@description('Optional. Specifies whether the OMS agent is using managed identity authentication.')
param omsAgentUseAADAuth bool = false

@description('Optional. Resource ID of the monitoring log analytics workspace.')
param monitoringWorkspaceResourceId string?

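Review bot: adding a public parameter is a backwards-compatible feature update, yet the "Feature update ... bumped the MINOR version in `version.json`" box in the PR template is unchecked and `version.json` is not among the 5 changed files; please confirm the version bump is handled as the AVM contribution guide requires. Separately, the `@description` should state that this flag only has an effect when `omsAgentEnabled` is true and `monitoringWorkspaceResourceId` is set, since the `config` block that consumes it is guarded by exactly that condition, and it should link the managed identity onboarding documentation from the PR description so callers know which other resources that onboarding path expects; this module only sets the add-on flag.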
@@ -657,6 +660,11 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-09-02-p
config: omsAgentEnabled && !empty(monitoringWorkspaceResourceId)
? {
logAnalyticsWorkspaceResourceID: monitoringWorkspaceResourceId!
...(omsAgentUseAADAuth
? {
useAADAuth: 'true'
}
: {})
}
: null
}
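Review bot: `useAADAuth: 'true'` as a string rather than a boolean is correct here, because the AKS add-on `config` object is a string-to-string map, but sitting next to a `bool` parameter it looks like a typo and deserves a one-line comment saying so. Also note that when `omsAgentUseAADAuth` is false the key is omitted entirely rather than emitted as `useAADAuth: 'false'`, so `false` is "express no opinion" rather than an explicit opt-out; say that in the parameter description so callers do not assume passing `false` forces legacy authentication. The `monitoringWorkspaceResourceId!` non-null assertion is fine as it is guarded by the `!empty(...)` check on the same condition.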
21 changes: 14 additions & 7 deletions avm/res/container-service/managed-cluster/main.json
@@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.33.13.18514",
"templateHash": "12618640856903207312"
"version": "0.33.93.31351",
"templateHash": "5916819919470014658"
},
"name": "Azure Kubernetes Service (AKS) Managed Clusters",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster."
@@ -1478,6 +1478,13 @@
"description": "Optional. Specifies whether the OMS agent is enabled."
}
},
"omsAgentUseAADAuth": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "Optional. Specifies whether the OMS agent is using managed identity authentication."
}
},
"monitoringWorkspaceResourceId": {
"type": "string",
"nullable": true,
@@ -1738,7 +1745,7 @@
},
"omsagent": {
"enabled": "[and(parameters('omsAgentEnabled'), not(empty(parameters('monitoringWorkspaceResourceId'))))]",
"config": "[if(and(parameters('omsAgentEnabled'), not(empty(parameters('monitoringWorkspaceResourceId')))), createObject('logAnalyticsWorkspaceResourceID', parameters('monitoringWorkspaceResourceId')), null())]"
"config": "[if(and(parameters('omsAgentEnabled'), not(empty(parameters('monitoringWorkspaceResourceId')))), shallowMerge(createArray(createObject('logAnalyticsWorkspaceResourceID', parameters('monitoringWorkspaceResourceId')), if(parameters('omsAgentUseAADAuth'), createObject('useAADAuth', 'true'), createObject()))), null())]"
},
"aciConnectorLinux": {
"enabled": "[parameters('aciConnectorLinuxEnabled')]"
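Review bot: the "pipelines / checks run clean and green" checklist item is still unchecked, so the regenerated `shallowMerge(createArray(...))` form of the `config` expression has not yet been validated by a deployment; this is the one line that actually changes cluster behaviour, so please run the module test pipeline with `omsAgentUseAADAuth` set to both `true` and `false` before merge and confirm the resulting `addonProfiles.omsagent.config` matches the hand-written Bicep in main.bicep in each case.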
@@ -1984,8 +1991,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.33.13.18514",
"templateHash": "8370238557121472803"
"version": "0.33.93.31351",
"templateHash": "17573192747850353863"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations."
@@ -2180,8 +2187,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.33.13.18514",
"templateHash": "3772142304849625200"
"version": "0.33.93.31351",
"templateHash": "3323013309772683046"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool."
@@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.33.13.18514",
"templateHash": "8370238557121472803"
"version": "0.33.93.31351",
"templateHash": "17573192747850353863"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations."

0 comments on commit 40cd90e