New Resource - azurerm_kubernetes_cluster_pod_identity

[njuCZ]

fix #9885

Based on work by @feliperoveran #10206

Support enabling ad-pod-identity, creating pod identities, and pod exceptions.

through doc https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity and discussion from thread #10206, and creating pod identity needs role assignment first, it's better to make a seperate resource

to test this resource, you must enable the feature Microsoft.ContainerService/EnablePodIdentityPreview in your subscription.
you could do this through azure cli

az feature register --namespace Microsoft.ContainerService --name EnablePodIdentityPreview

poll until the status is registered by

az feature list | grep -C 5 "EnablePodIdentityPreview"

then execute

az provider register -n Microsoft.ContainerService

[magodo]

@njuCZ Thanks for this PR!
I've taken a look through and left some comments inline, but this is mostly looking good to me 👍

[magodo]

Is this redundent given both properties are Required?

[magodo]

Can we add a comment above this line for this special handling, mentioning issue: hashicorp/terraform-plugin-sdk#588?

[magodo]

Persumably this only exists when your containing block has a Map (see: hashicorp/terraform-plugin-sdk#588). Therefore, it is safe to remove these lines here.

[magodo]

Can we add a comment above this line for this special handling, mentioning issue: hashicorp/terraform-plugin-sdk#588?

[magodo]

Thank you @njuCZ, LGTM 👍

[tiwood]

@magodo Any chance this can be added in the next version?

[piotr-muzyka]

@magodo Any chance this can be added in the next version?

+1, also waiting for this to be implemented.

[magodo]

@njuCZ Could you please resolve the conflicts?

[njuCZ]

@magodo have rebased the code and fix all conflicts.

[magodo]

@njuCZ Thank you! The tests are passing.

[tombuildsstuff]

@magodo @njuCZ unfortunately we're going to need to revert this, since this should not be a separate resource - but needs to instead be inlined within the azurerm_kubernetes_cluster resource

[njuCZ]

@tombuildsstuff May I ask why it should not be a separate resource? and setting pod identity needs a role assignment first.

[tombuildsstuff]

@njuCZ firstly this feature (V1) is deprecated and will be removed by AKS in favour of V2 as detailed in the document above - so supporting this functionality for a couple of months to remove it is debatable.

Secondly - since this is a User Assigned Identity that's a Managed Identity - the Managed Identity can have be created and have it's Role Assignment created prior to the cluster creation (or change) - this means (for example) during deletion, the Role Assignment will be removed once the Cluster has been deleted, not beforehand which could cause Pods to fail during runtime.

Whilst arguably there's some minor usability benefits to splitting this out, the runtime trade-off and where only a single Pod Security Policy can be configured) - this makes more sense as a separate resource.

As such I think the larger question at this point is should we support this functionality, given it's in Preview and is scheduled to be replaced by a new version the near future (which presumably has a different schema):

The feature described in this document, pod-managed identities (preview), will be replaced with pod-managed identities V2 (preview)

[jrxs-cg]

@tombuildsstuff Your point about this feature being preview and scheduled for deprecation in favor of v2 makes sense and is a decision that you and the other maintainers will need to make. But I'm having trouble following your other arguments around why this should not be a separate resource.

this means (for example) during deletion, the Role Assignment will be removed once the Cluster has been deleted, not beforehand which could cause Pods to fail during runtime.

Isn't deletion of the identities after the cluster is deleted desirable? Why are we concerned about pods failing after the cluster has been deleted? There won't be any more pods at that point.

Whilst arguably there's some minor usability benefits to splitting this out, the runtime trade-off and where only a single Pod Security Policy can be configured) - this makes more sense as a separate resource.

I'm having trouble parsing this at all... it sounds like you're arguing in favor of it being a separate resource.

Regardless of whether this particular PR is accepted due to the v1 vs v2 issue, these design decisions will likely apply to the future v2 implementation as well.

In any case, since this was reverted can we reopen #9885 please?

[github-actions]

This functionality has been released in v2.64.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.