Merge pull request #1376 from dod-ccpo/k8s-perms-for-load-balancers

Give the cluster perms to create load balancers.
2020-01-31 10:27:05 -05:00 · 2020-01-31 10:27:05 -05:00 · 62d8a89eb1
commit 62d8a89eb1
parent 36da6fff32 60fe6615c7
4 changed files with 18 additions and 2 deletions
--- a/terraform/modules/k8s/main.tf
+++ b/terraform/modules/k8s/main.tf
@ -81,3 +81,9 @@ resource "azurerm_monitor_diagnostic_setting" "k8s_diagnostic-1" {
    }
  }
 }
+
+resource "azurerm_role_assignment" "k8s_network_contrib" {
+  scope                = var.vnet_id
+  role_definition_name = "Network Contributor"
+  principal_id         = azurerm_kubernetes_cluster.k8s.identity[0].principal_id
+}
--- a/terraform/modules/k8s/variables.tf
+++ b/terraform/modules/k8s/variables.tf
@ -66,4 +66,9 @@ variable "client_secret" {
 variable "workspace_id" {
  description = "Log Analytics workspace for this resource to log to"
  type        = string
-}
+}
+
+variable "vnet_id" {
+  description = "The ID of the VNET that the AKS cluster app registration needs to provision load balancers in"
+  type        = string
+}
--- a/terraform/modules/vpc/outputs.tf
+++ b/terraform/modules/vpc/outputs.tf
@ -6,4 +6,8 @@ output "subnet_list" {
  value = {
    for k, id in azurerm_subnet.subnet : k => id
  }
-}
+}
+
+output "id" {
+  value = azurerm_virtual_network.vpc.id
+}
--- a/terraform/providers/dev/k8s.tf
+++ b/terraform/providers/dev/k8s.tf
@ -23,6 +23,7 @@ module "k8s" {
  client_id           = data.azurerm_key_vault_secret.k8s_client_id.value
  client_secret       = data.azurerm_key_vault_secret.k8s_client_secret.value
  workspace_id        = module.logs.workspace_id
+  vnet_id             = module.vpc.id
 }

 #module "main_lb" {