Support for user assigned identites for AKS

[flo-02-mu]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

azurerm_kubernetes_cluster currently supports SystemAssigned identities and service principals for AKS clusters. There is a new AKS preview feature that supports BYO identity: https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#bring-your-own-control-plane-mi-preview which is a prerequisit for BYO routing table without service principals.
In an enterprise context this closes the loop of deploying AKS in a VNET with UDRs without the hassle of dealing with a service principal (and its credentials).

New or Affected Resource(s)

• azurerm_kubernetes_cluster

Potential Terraform Configuration

resource "azurerm_user_assigned_identity" "aks_identity" {
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  name = "aks_identity"
}

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "UserAssigned"
    id = azurerm_user_assigned_identity.aks_identity.id
  }

  tags = {
    Environment = "Production"
  }

}

References

• [Feature Request] AKS support of BYO user-assigned-identity for Managed Identity support Azure/AKS#1591

[flo-02-mu]

I had a quick look at it. Initial dependency seems to be:

• github.com/Azure/azure-sdk-for-go/services/containerservice/mgmt/2020-06-01/containerservice
• which is included in azure-sdk-for-go >= 45.0.0

[tombuildsstuff]

@flo-02-mu just a heads up that unfortunately we're blocked from using v45 of the Azure SDK since it's broken (and it appears we'll be blocked from using v46 too) - so we're blocked from upgrading to that API version (by nature of being blocked upgrading to the SDK) at present

[JasonWhall]

@tombuildsstuff is there an upstream issue or azurerm issue that can be tracked/helped with if this is still blocked? It looks like a new SDK version was vendored recently that should allow this functionality to be added now?

[flo-02-mu]

I think the needed upgrade was released with #8411 in 2.29.0

[flo-02-mu]

@tombuildsstuff Since the api and sdk are upgraded: Could you please remove the two labels?

[jemag]

is it still the case that this is blocked..?

Also, I believe this is now GA and not preview: https://github.com/Azure/AKS/releases/tag/2020-11-30

[mpanthofer]

@jemag the docs mention as GA except for gov and China.
#7979

[ghost]

This has been released in version 2.44.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.44.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!