From 3f848acc9f360669ac96c22c3bd2bbb89b166819 Mon Sep 17 00:00:00 2001
From: Saverio Proto
Date: Thu, 16 Mar 2023 14:03:58 +0100
Subject: [PATCH] Create a role assignment for the AKS Service Principal to be a Network Contributor on the subnets used for the AKS Cluster

---
 README.md | 2 ++
 locals.tf | 8 ++++++++
 main.tf | 15 +++++++++++++++
 variables.tf | 7 +++++++
 4 files changed, 32 insertions(+)

diff --git a/README.md b/README.md
index 051d05f4..a95dee3a 100644
--- a/README.md
+++ b/README.md
@@ -265,6 +265,7 @@ No modules.
 | [azurerm_log_analytics_solution.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution) | resource |
 | [azurerm_log_analytics_workspace.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource |
 | [azurerm_role_assignment.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [tls_private_key.ssh](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 | [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
@@ -314,6 +315,7 @@ No modules.
 | [client\_secret](#input\_client\_secret) | (Optional) The Client Secret (password) for the Service Principal used for the AKS deployment | `string` | `""` | no |
 | [cluster\_log\_analytics\_workspace\_name](#input\_cluster\_log\_analytics\_workspace\_name) | (Optional) The name of the Analytics workspace | `string` | `null` | no |
 | [cluster\_name](#input\_cluster\_name) | (Optional) The name for the AKS resources created in the specified Azure Resource Group. This variable overwrites the 'prefix' var (The 'prefix' var will still be applied to the dns\_prefix if it is set) | `string` | `null` | no |
+| [create\_role\_assignment\_network\_contributor](#input\_create\_role\_assignment\_network\_contributor) | Create a role assignment for the AKS Service Principal to be a Network Contributor on the subnets used for the AKS Cluster | `bool` | `false` | no |
 | [disk\_encryption\_set\_id](#input\_disk\_encryption\_set\_id) | (Optional) The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information [can be found in the documentation](https://docs.microsoft.com/azure/aks/azure-disk-customer-managed-keys). Changing this forces a new resource to be created. | `string` | `null` | no |
 | [enable\_auto\_scaling](#input\_enable\_auto\_scaling) | Enable node pool autoscaling | `bool` | `false` | no |
 | [enable\_host\_encryption](#input\_enable\_host\_encryption) | Enable Host Encryption for default node pool. Encryption at host feature must be enabled on the subscription: https://docs.microsoft.com/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli | `bool` | `false` | no |
diff --git a/locals.tf b/locals.tf
index 6d8fb2ad..c3b154cb 100644
--- a/locals.tf
+++ b/locals.tf
@@ -29,4 +29,12 @@ locals {
 name = var.log_analytics_workspace.name
 }
 ) : null # Finally, the Log Analytics Workspace should be disabled.
+
+ subnet_ids = toset(flatten(concat([
+ for pool in var.node_pools : [
+ pool.vnet_subnet_id,
+ pool.pod_subnet_id
+ ]
+ ], [var.vnet_subnet_id])))
 }
+
diff --git a/main.tf b/main.tf
index 8508d41d..4a20c4c7 100644
--- a/main.tf
+++ b/main.tf
@@ -558,3 +558,18 @@ resource "azurerm_role_assignment" "acr" {
 role_definition_name = "AcrPull"
 skip_service_principal_aad_check = true
 }
+
+# The AKS cluster identity has the Contributor role on the AKS second resource group (MC_myResourceGroup_myAKSCluster_eastus)
+# However when using a custom VNET, the AKS cluster identity needs the Network Contributor role on the VNET subnets
+# used by the system node pool and by any additional node pools.
+# https://learn.microsoft.com/en-us/azure/aks/configure-kubenet#prerequisites
+# https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni#prerequisites
+# https://github.com/Azure/terraform-azurerm-aks/issues/178
+
+resource "azurerm_role_assignment" "network_contributor" {
+ for_each = var.create_role_assignment_network_contributor ? local.subnet_ids : []
+
+ principal_id = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id
+ scope = each.value
+ role_definition_name = "Network Contributor"
+}
diff --git a/variables.tf b/variables.tf
index 6e663317..28c97a0c 100644
--- a/variables.tf
+++ b/variables.tf
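Review bot: `subnet_ids` keeps `null` elements whenever a pool has no `pod_subnet_id` (or `vnet_subnet_id`) or `var.vnet_subnet_id` is unset, because `toset(flatten(...))` does not drop nulls; a set containing null is rejected as a `for_each` value in `azurerm_role_assignment.network_contributor`, and a null `scope` would be rejected anyway, so enabling the flag on a cluster that does not use pod subnets would fail at plan time. Filtering inside the comprehension avoids that: `subnet_ids = toset([for id in flatten(concat([for pool in var.node_pools : [pool.vnet_subnet_id, pool.pod_subnet_id]], [var.vnet_subnet_id])) : id if id != null])`. Whether those attributes are optional is not visible in this hunk; if they are required, the filter is still a cheap guard. The `locals` block starts before the hunk.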
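Review bot: `principal_id = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id` grants Network Contributor to the kubelet (node pool) identity, whereas the linked kubenet/CNI prerequisites and the comment above the resource refer to the cluster (control-plane) identity, which is the one that joins nodes and pod IPs to the subnet; the kubelet identity is the one that needs AcrPull, as the `acr` assignment above already does. For a managed-identity cluster that is `principal_id = azurerm_kubernetes_cluster.main.identity[0].principal_id`; when the cluster is configured with a service principal instead (the README lists `client_secret`), the `identity` block is absent and the SP object id is not exported by the cluster resource, so the resource needs either a separate input for that principal or a guard that disables it in that mode. Consider `toset([])` rather than `[]` in the `for_each` conditional so both branches share the set type, and `skip_service_principal_aad_check = true` to match the `acr` assignment, since the identity may have been created in the same apply.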
@@ -374,6 +374,13 @@ variable "cluster_name" {
 default = null
 }
+variable "create_role_assignment_network_contributor" {
+ type = bool
+ description = "Create a role assignment for the AKS Service Principal to be a Network Contributor on the subnets used for the AKS Cluster"
+ nullable = false
+ default = false
+}
+
 variable "disk_encryption_set_id" {
 type = string
 description = "(Optional) The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information [can be found in the documentation](https://docs.microsoft.com/azure/aks/azure-disk-customer-managed-keys). Changing this forces a new resource to be created."