From 623368b8dda5b8a2ffa4f6210e9704b69ed31194 Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Wed, 8 Jan 2020 15:05:23 -0500 Subject: [PATCH] 169163334 - Switches to SystemAssigned managed identity The SystemAssigned managed identity requires a preview feature to be enabled. ``` rgil@rem5:~/atst/terraform/providers/dev$ az feature list|grep MSIPreview "id": "/subscriptions/95934d54-980d-47cc-9bce-3a96bf9a2d1b/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/MSIPreview", "name": "Microsoft.ContainerService/MSIPreview", rgil@rem5:~/atst/terraform/providers/dev$ az feature register --namespace Microsoft.ContainerService --name MSIPreview Once the feature 'MSIPreview' is registered, invoking 'az provider register -n Microsoft.ContainerService' is required to get the change propagated { "id": "/subscriptions/95934d54-980d-47cc-9bce-3a96bf9a2d1b/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/MSIPreview", "name": "Microsoft.ContainerService/MSIPreview", "properties": { "state": "Registering" }, "type": "Microsoft.Features/providers/features" } rgil@rem5:~/atst/terraform/providers/dev$ az provider register -n Microsoft.ContainerService rgil@rem5:~/atst/terraform/providers/dev$ ``` This also now integrates the policy for keyvault with the k8s managed identity (system assigned).
---
 terraform/modules/k8s/main.tf | 3 +++
 terraform/modules/k8s/outputs.tf | 3 +++
 terraform/modules/keyvault/main.tf | 8 ++------
 terraform/modules/keyvault/variables.tf | 5 +++++
 4 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/terraform/modules/k8s/main.tf b/terraform/modules/k8s/main.tf
index 21ef4841..9eb7b68d 100644
--- a/terraform/modules/k8s/main.tf
+++ b/terraform/modules/k8s/main.tf
@@ -25,6 +25,9 @@ resource "azurerm_kubernetes_cluster" "k8s" {
 min_count = var.min_count # FIXME: if auto_scaling disabled, set to 0
 }
+ identity {
+ type = "SystemAssigned"
+ }
 lifecycle {
 ignore_changes = [
 default_node_pool.0.node_count
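Review bot: The new `identity { type = "SystemAssigned" }` block depends on a subscription-level prerequisite that is recorded only in the commit message (the `Microsoft.ContainerService/MSIPreview` feature and re-registering the provider), so the next person applying this module in a fresh subscription will hit an opaque API error with nothing in the code to point them at the cause. Add a comment above the block, e.g. `# Requires the Microsoft.ContainerService/MSIPreview feature to be registered on the subscription (az feature register ... then az provider register -n Microsoft.ContainerService).` The `azurerm_kubernetes_cluster` resource starts before this hunk and continues after it, so whether a `service_principal` block is still present alongside the identity cannot be seen here; it is worth checking that the two do not conflict for the provider version in use.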
diff --git a/terraform/modules/k8s/outputs.tf b/terraform/modules/k8s/outputs.tf
index e69de29b..a4ecf2a5 100644
--- a/terraform/modules/k8s/outputs.tf
+++ b/terraform/modules/k8s/outputs.tf
@@ -0,0 +1,3 @@
+output "principal_id" {
+ value = azurerm_kubernetes_cluster.k8s.identity[0].principal_id
+}
diff --git a/terraform/modules/keyvault/main.tf b/terraform/modules/keyvault/main.tf
index 53df7d85..51437c45 100644
--- a/terraform/modules/keyvault/main.tf
+++ b/terraform/modules/keyvault/main.tf
@@ -22,19 +22,15 @@ resource "azurerm_key_vault" "keyvault" {
 resource "azurerm_key_vault_access_policy" "keyvault" {
 key_vault_id = azurerm_key_vault.keyvault.id
- tenant_id = "b5ab0e1e-09f8-4258-afb7-fb17654bc5b3"
- object_id = "ca8cfc48-9995-4973-a8cc-6c7f755e84de"
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = var.principal_id
 key_permissions = [
 "get",
- "list",
- "create",
 ]
 secret_permissions = [
 "get",
- "list",
- "set",
 ]
 }
diff --git a/terraform/modules/keyvault/variables.tf b/terraform/modules/keyvault/variables.tf
index f6b7b429..2333d228 100644
--- a/terraform/modules/keyvault/variables.tf
+++ b/terraform/modules/keyvault/variables.tf
@@ -22,3 +22,8 @@ variable "tenant_id" {
 type = string
 description = "The Tenant ID"
 }
+
+variable "principal_id" {
+ type = string
+ description = "The service principal_id of the k8s cluster"
+}
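Review bot: `azurerm_kubernetes_cluster.k8s.identity[0].principal_id` is the principal of the cluster's own control-plane system-assigned identity, which is not the identity that pods on the nodes run under, so a Key Vault policy granted to it does not by itself let workloads read secrets — while it does hand the control-plane principal secret access it may not need. If the intent is workload access to the vault, the kubelet/node identity (exported as `kubelet_identity[0].object_id` in newer azurerm provider versions) or a pod-identity mechanism is the principal to export; confirm which one the keyvault module is meant to trust before wiring it through. Either way the output should say which identity it carries, e.g. `description = "Object ID of the AKS cluster's control-plane system-assigned managed identity"`.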
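Review bot: `tenant_id = data.azurerm_client_config.current.tenant_id` takes the tenant from whatever credentials happen to run Terraform, while the module already declares `var.tenant_id` (see the variables.tf hunk) and an access policy must name the same tenant as the vault it attaches to; if `azurerm_key_vault.keyvault` is built from `var.tenant_id`, the policy should use the same source, `tenant_id = var.tenant_id`, so the two cannot drift. The `data.azurerm_client_config.current` data source is not declared in this hunk, so confirm it exists elsewhere in the module. Cutting the permissions down to `get` is the right direction; if the cluster only ever reads secrets, the `key_permissions` list can be dropped entirely instead of being left at `get`.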
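Review bot: The description `"The service principal_id of the k8s cluster"` is misleading now that the cluster uses a system-assigned managed identity rather than a service principal, and `principal_id` here is the object ID of that identity; a caller who passes an app registration's client ID instead may end up with a policy that grants access to no real principal. Suggest `description = "Object (principal) ID of the AKS cluster's system-assigned managed identity that is granted read access to the Key Vault"`.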