Give the cluster perms to create load balancers.

In order for the cluster app registration to create new load balancers,
it needs to have the Network Contributor role for the virtual network.
In the future, we should create a custom policy scoped to exactly the
permissions the cluster needs, per:

https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#prerequisites

terraform/modules/k8s/main.tf

@@ -81,3 +81,9 @@ resource "azurerm_monitor_diagnostic_setting" "k8s_diagnostic-1" {
     }
   }
 }
+
+resource "azurerm_role_assignment" "k8s_network_contrib" {
+  scope                = var.vnet_id
+  role_definition_name = "Network Contributor"
+  principal_id         = azurerm_kubernetes_cluster.k8s.identity[0].principal_id
+}

terraform/modules/k8s/variables.tf

@@ -66,4 +66,9 @@ variable "client_secret" {
 variable "workspace_id" {
   description = "Log Analytics workspace for this resource to log to"
   type        = string
-}
+}
+
+variable "vnet_id" {
+  description = "The ID of the VNET that the AKS cluster app registration needs to provision load balancers in"
+  type        = string
+}

terraform/modules/vpc/outputs.tf

@@ -6,4 +6,8 @@ output "subnet_list" {
   value = {
     for k, id in azurerm_subnet.subnet : k => id
   }
-}
+}
+
+output "id" {
+  value = azurerm_virtual_network.vpc.id
+}

terraform/providers/dev/k8s.tf

@@ -23,6 +23,7 @@ module "k8s" {
   client_id           = data.azurerm_key_vault_secret.k8s_client_id.value
   client_secret       = data.azurerm_key_vault_secret.k8s_client_secret.value
   workspace_id        = module.logs.workspace_id
+  vnet_id             = module.vpc.id
 }
 
 #module "main_lb" {