Terraform-provider-azurerm: Support for user assigned identities for AKS

Created on 2 Aug 2020 · 7 Comments · Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

azurerm_kubernetes_cluster currently supports SystemAssigned identities and service principals for AKS clusters. There is a new AKS preview feature that supports BYO identity: https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#bring-your-own-control-plane-mi-preview, which is a prerequisite for a BYO routing table without service principals.
In an enterprise context this closes the loop of deploying AKS in a VNET with UDRs without the hassle of dealing with a service principal (and its credentials).

New or Affected Resource(s)

  • azurerm_kubernetes_cluster

Potential Terraform Configuration

resource "azurerm_user_assigned_identity" "aks_identity" {
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  name = "aks_identity"
}

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "UserAssigned"
    id   = azurerm_user_assigned_identity.aks_identity.id
  }

  tags = {
    Environment = "Production"
  }
}

References

Labels: enhancement, preview, sdk/requires-newer-api-version, sdk/requires-upgrade, service/kubernetes-cluster
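The following is an added example (not part of this issue or of the provider's own test fixtures) showing the use case from the description end to end: a BYO control-plane identity for an AKS cluster in a VNET with a user-defined route, with the identity's permissions scoped to the route table and node subnet only. It assumes azurerm_resource_group.example, azurerm_subnet.aks and azurerm_route_table.aks are defined elsewhere, and it uses the `id` attribute in the identity block exactly as proposed above, which may not match what the provider eventually shipped.

```hcl
# Added example, not from the issue: BYO control-plane identity for AKS in a
# VNET with a user-defined route. Assumed to exist: azurerm_resource_group.example,
# azurerm_subnet.aks, azurerm_route_table.aks. The identity block uses the `id`
# attribute as proposed above, which may differ from what the provider shipped.

resource "azurerm_user_assigned_identity" "aks_identity" {
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  name                = "aks-control-plane-identity"
}

# Least privilege: grant Network Contributor only on the route table and the
# node subnet, not Contributor on the whole resource group.
resource "azurerm_role_assignment" "route_table" {
  scope                = azurerm_route_table.aks.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_user_assigned_identity.aks_identity.principal_id
}

resource "azurerm_role_assignment" "subnet" {
  scope                = azurerm_subnet.aks.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_user_assigned_identity.aks_identity.principal_id
}

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name           = "default"
    node_count     = 1
    vm_size        = "Standard_D2_v2"
    vnet_subnet_id = azurerm_subnet.aks.id
  }

  identity {
    type = "UserAssigned"
    id   = azurerm_user_assigned_identity.aks_identity.id
  }
  # Egress follows the UDR, so AKS does not create an outbound public load balancer.
  network_profile {
    network_plugin = "azure"
    outbound_type  = "userDefinedRouting"
  }

  # Role assignments must exist before the control plane tries to program routes.
  depends_on = [azurerm_role_assignment.route_table, azurerm_role_assignment.subnet]
}
```

Without the scoped role assignments the cluster create fails when the control plane cannot write to the route table, so that error is the check that the identity is wired up correctly.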

All 7 comments

I had a quick look at it. Initial dependency seems to be:

  • github.com/Azure/azure-sdk-for-go/services/containerservice/mgmt/2020-06-01/containerservice
  • which is included in azure-sdk-for-go >= 45.0.0

@flo-02-mu just a heads up that unfortunately we're blocked from using v45 of the Azure SDK since it's broken (and it appears we'll be blocked from using v46 too) - so we're blocked from upgrading to that API version (by nature of being blocked upgrading to the SDK) at present

@tombuildsstuff is there an upstream issue or azurerm issue that can be tracked/helped with if this is still blocked? It looks like a new SDK version was vendored recently that should allow this functionality to be added now?

I think the needed upgrade was released with https://github.com/terraform-providers/terraform-provider-azurerm/pull/8411 in 2.29.0

@tombuildsstuff Since the api and sdk are upgraded: Could you please remove the two labels?

is it still the case that this is blocked..?

Also, I believe this is now GA and not preview: https://github.com/Azure/AKS/releases/tag/2020-11-30

@jemag the docs mention it as GA except for gov and China.
https://github.com/terraform-providers/terraform-provider-azurerm/issues/7979
