169163334 - Switches to SystemAssigned managed identity

The SystemAssigned managed identity requires a preview feature to be
enabled.

```
rgil@rem5:~/atst/terraform/providers/dev$ az feature list|grep MSIPreview
    "id": "/subscriptions/95934d54-980d-47cc-9bce-3a96bf9a2d1b/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/MSIPreview",
    "name": "Microsoft.ContainerService/MSIPreview",
rgil@rem5:~/atst/terraform/providers/dev$ az feature register --namespace Microsoft.ContainerService --name MSIPreview
Once the feature 'MSIPreview' is registered, invoking 'az provider register -n Microsoft.ContainerService' is required to get the change propagated
{
  "id": "/subscriptions/95934d54-980d-47cc-9bce-3a96bf9a2d1b/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/MSIPreview",
  "name": "Microsoft.ContainerService/MSIPreview",
  "properties": {
    "state": "Registering"
  },
  "type": "Microsoft.Features/providers/features"
}
rgil@rem5:~/atst/terraform/providers/dev$ az provider register -n Microsoft.ContainerService
rgil@rem5:~/atst/terraform/providers/dev$
```

This also binds the key vault access policy to the k8s managed
identity (system assigned).
This commit is contained in:
Rob Gil 2020-01-08 15:05:23 -05:00
parent c403dc557c
commit 623368b8dd
4 changed files with 13 additions and 6 deletions


@ -25,6 +25,9 @@ resource "azurerm_kubernetes_cluster" "k8s" {
min_count = var.min_count # FIXME: if auto_scaling disabled, set to 0
}
identity {
type = "SystemAssigned"
}
lifecycle {
ignore_changes = [
default_node_pool.0.node_count
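Review bot: The added `identity { type = "SystemAssigned" }` block depends on the MSIPreview feature registration that only the commit message records; an apply in a subscription where it is not registered will fail with no hint in the code. A comment above the block such as `# Requires the Microsoft.ContainerService/MSIPreview preview feature to be registered on the subscription` would keep that prerequisite next to the resource. Changing the identity type on an existing cluster likely forces replacement of the cluster in this provider version, which is worth confirming against the provider documentation before applying to an environment with live workloads. The enclosing azurerm_kubernetes_cluster resource starts and ends outside the hunk.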


@ -0,0 +1,3 @@
output "principal_id" {
value = azurerm_kubernetes_cluster.k8s.identity[0].principal_id
}
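Review bot: The new output carries no description, and the bare name `principal_id` does not say that the value is the principal of the cluster's system-assigned managed identity rather than of a service principal. Adding `description = "Principal ID of the k8s cluster's system-assigned managed identity"` inside the output block would make that explicit to whoever wires it into the key vault policy. Presumably this output is what feeds var.principal_id in the other provider, so it is the only link between the two modules.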


@ -22,19 +22,15 @@ resource "azurerm_key_vault" "keyvault" {
resource "azurerm_key_vault_access_policy" "keyvault" {
key_vault_id = azurerm_key_vault.keyvault.id
tenant_id = "b5ab0e1e-09f8-4258-afb7-fb17654bc5b3"
object_id = "ca8cfc48-9995-4973-a8cc-6c7f755e84de"
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = var.principal_id
key_permissions = [
"get",
"list",
"create",
]
secret_permissions = [
"get",
"list",
"set",
]
}
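Review bot: Now that `object_id = var.principal_id` binds this access policy to the cluster's managed identity, the unchanged key_permissions and secret_permissions lists grant that identity `create` on keys and `set` on secrets, so any pod that can use the node identity can write to the vault, not just read from it. If the cluster only needs to read secrets, trimming the lists to `"get"` and `"list"` keeps the cluster identity least-privileged; if writes are genuinely required, a comment on the policy saying which workload needs them would justify keeping them. The hunk header reports more old-side lines than are visible here, so part of the removed side of this resource may not be shown on the page.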


@ -22,3 +22,8 @@ variable "tenant_id" {
type = string
description = "The Tenant ID"
}
variable "principal_id" {
type = string
description = "The service principal_id of the k8s cluster"
}
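Review bot: The description of the new `principal_id` variable calls it "The service principal_id of the k8s cluster", but the value it receives is the principal ID of the cluster's system-assigned managed identity, which is a different kind of Azure AD principal; the wording will mislead anyone looking for a service principal to pass in. Changing it to `description = "Principal ID of the k8s cluster's system-assigned managed identity"` matches the output that produces the value.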