From ca1d26cc672434d7c6ddff3917737fd8e72548a5 Mon Sep 17 00:00:00 2001
From: dandds
Date: Thu, 30 Jan 2020 16:28:02 -0500
Subject: [PATCH] Give the cluster perms to create load balancers.

In order for the cluster app registration to create new load balancers, it needs to have the Network Contributor role for the virtual network. In the future, we should create a custom policy scoped to exactly the permissions the cluster needs, per: https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#prerequisites
---
terraform/modules/k8s/main.tf | 6 ++++++
terraform/modules/k8s/variables.tf | 7 ++++++-
terraform/modules/vpc/outputs.tf | 6 +++++-
terraform/providers/dev/k8s.tf | 1 +
4 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/terraform/modules/k8s/main.tf b/terraform/modules/k8s/main.tf
index 8ecbb4cd..1d46fc4c 100644
--- a/terraform/modules/k8s/main.tf
+++ b/terraform/modules/k8s/main.tf
@@ -81,3 +81,9 @@ resource "azurerm_monitor_diagnostic_setting" "k8s_diagnostic-1" {
 }
 }
 }
+
+resource "azurerm_role_assignment" "k8s_network_contrib" {
+ scope = var.vnet_id
+ role_definition_name = "Network Contributor"
+ principal_id = azurerm_kubernetes_cluster.k8s.identity[0].principal_id
+}
diff --git a/terraform/modules/k8s/variables.tf b/terraform/modules/k8s/variables.tf
index 79bac3de..1445bdae 100644
--- a/terraform/modules/k8s/variables.tf
+++ b/terraform/modules/k8s/variables.tf
@@ -66,4 +66,9 @@ variable "client_secret" {
 variable "workspace_id" {
 description = "Log Analytics workspace for this resource to log to"
 type = string
-}
\ No newline at end of file
+}
+
+variable "vnet_id" {
+ description = "The ID of the VNET that the AKS cluster app registration needs to provision load balancers in"
+ type = string
+}
diff --git a/terraform/modules/vpc/outputs.tf b/terraform/modules/vpc/outputs.tf
index baa32935..b1f0fe38 100644
--- a/terraform/modules/vpc/outputs.tf
+++ b/terraform/modules/vpc/outputs.tf
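Review bot: The `azurerm_role_assignment` in the main.tf hunk grants Network Contributor over the entire VNet, which the commit message itself describes as wider than the cluster needs, yet nothing in the code records that intent or the planned follow-up, so it is likely to be forgotten; add a comment above the resource such as `# Network Contributor on the whole VNet is broader than AKS needs to create load balancers; replace with a custom role scoped to the required permissions (see the AKS Azure CNI prerequisites).` Separately, `principal_id` is read from `identity[0]`, while the module is fed `client_id`/`client_secret` and the new `vnet_id` description refers to the cluster "app registration"; if the cluster resource (outside this hunk) is configured with a service principal rather than a managed identity, `identity` may be empty and the `[0]` index would fail at plan time, in which case the service principal's object id is the principal to assign. Worth confirming against the cluster definition before merging.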
@@ -6,4 +6,8 @@ output "subnet_list" {
 value = {
 for k, id in azurerm_subnet.subnet : k => id
 }
-}
\ No newline at end of file
+}
+
+output "id" {
+ value = azurerm_virtual_network.vpc.id
+}
diff --git a/terraform/providers/dev/k8s.tf b/terraform/providers/dev/k8s.tf
index fe3dac18..33cbabe4 100644
--- a/terraform/providers/dev/k8s.tf
+++ b/terraform/providers/dev/k8s.tf
@@ -23,6 +23,7 @@ module "k8s" {
 client_id = data.azurerm_key_vault_secret.k8s_client_id.value
 client_secret = data.azurerm_key_vault_secret.k8s_client_secret.value
 workspace_id = module.logs.workspace_id
+ vnet_id = module.vpc.id
 }
 
 #module "main_lb" {
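Review bot: The new `output "id"` in the vpc outputs hunk has no `description`, so consumers of the module get no indication of what it exposes; add `description = "ID of the virtual network"` inside the block. The name `id` also reads as generic once referenced as `module.vpc.id` in providers/dev/k8s.tf — `vnet_id` would match the variable it feeds, though renaming it means changing that reference in the same change.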