I am deploying AKS through terraform. It's working great, but I would like to also enable identity on the VMSS object in order to allow pod level managed identity access (mostly grab keys from key vaults).
I can manually do this by going to the auto-created VMSS object that Azure creates once launching the AKS cluster.
However, I do not see an option for this in the terraform resource.
Has anyone run into this and found a way to pull it off?
My deployment code is like this:
```hcl
resource "azurerm_kubernetes_cluster" "main" {
  name                = "myaks"
  location            = "centralus"
  resource_group_name = "myrg"
  dns_prefix          = "myaks"
  node_resource_group = "aksmanagedrg"

  default_node_pool {
    name            = "default"
    node_count      = 1
    vm_size         = "Standard_B2ms"
    vnet_subnet_id  = "myakssubnetid"
    os_disk_size_gb = 128
  }

  identity {
    type = "SystemAssigned"
  }

  addon_profile {
    aci_connector_linux {
      enabled = false
    }
    azure_policy {
      enabled = false
    }
    http_application_routing {
      enabled = false
    }
    kube_dashboard {
      enabled = true
    }
    oms_agent {
      enabled = false
    }
  }

  network_profile {
    network_plugin    = "azure"
    load_balancer_sku = "standard"
  }
}
```
Thanks!
It seems you're looking for the pod-managed identities in Azure Kubernetes Service. If so, then, unfortunately, Terraform does not seem to support configuring this property. When you follow the article above to configure the pod-managed identities, you can see the pod identity profile like this:
And there is no such option for you to configure it. Instead, you can run the Azure CLI from Terraform via the null_resource and the provisioner local-exec; here is an example:
```hcl
resource "null_resource" "aks_update" {
  provisioner "local-exec" {
    command = "az aks update --resource-group ${azurerm_resource_group.aks.name} --name ${azurerm_kubernetes_cluster.aks.name} --enable-pod-identity"
  }
}

resource "null_resource" "aks_add_poidentity" {
  provisioner "local-exec" {
    command = "az aks pod-identity add --resource-group ${azurerm_resource_group.aks.name} --cluster-name ${azurerm_kubernetes_cluster.aks.name} --namespace ${var.pod_identity_namespace} --name ${azurerm_user_assigned_identity.aks.name} --identity-resource-id ${azurerm_user_assigned_identity.aks.id}"
  }
}
```
This could be a way to enable the identity at the pod level for AKS.
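As an added example (not code from the question or the answer above), the same null_resource approach wired together with explicit ordering and a least-privilege Key Vault grant for the asker's use case; the resource names `azurerm_resource_group.aks`, `azurerm_kubernetes_cluster.aks`, `azurerm_key_vault.kv` and `var.pod_identity_namespace` are assumed to exist elsewhere in the configuration:

```hcl
# Added example, not from the original post. Assumes azurerm_resource_group.aks,
# azurerm_kubernetes_cluster.aks, azurerm_key_vault.kv and var.pod_identity_namespace.

resource "azurerm_user_assigned_identity" "aks" {
  name                = "myaks-pod-identity"
  location            = azurerm_resource_group.aks.location
  resource_group_name = azurerm_resource_group.aks.name
}

# The cluster's kubelet identity must be allowed to assign this identity to
# the nodes; scope the grant to the single identity, not the resource group.
resource "azurerm_role_assignment" "kubelet_mio" {
  scope                = azurerm_user_assigned_identity.aks.id
  role_definition_name = "Managed Identity Operator"
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}

# Pods only need to read secrets: grant the narrowest built-in role, scoped
# to the one vault (assumes the vault uses Azure RBAC authorization).
resource "azurerm_role_assignment" "pod_kv_secrets" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.aks.principal_id
}

resource "null_resource" "aks_update" {
  # Re-run the CLI step if the cluster is ever recreated.
  triggers = { cluster_id = azurerm_kubernetes_cluster.aks.id }

  provisioner "local-exec" {
    command = "az aks update --resource-group ${azurerm_resource_group.aks.name} --name ${azurerm_kubernetes_cluster.aks.name} --enable-pod-identity"
  }
}

resource "null_resource" "aks_add_podidentity" {
  triggers = { identity_id = azurerm_user_assigned_identity.aks.id }

  # Pod identity must be enabled and the kubelet grant must exist before the
  # identity is bound to the namespace; without depends_on these can race.
  depends_on = [null_resource.aks_update, azurerm_role_assignment.kubelet_mio]

  provisioner "local-exec" {
    command = "az aks pod-identity add --resource-group ${azurerm_resource_group.aks.name} --cluster-name ${azurerm_kubernetes_cluster.aks.name} --namespace ${var.pod_identity_namespace} --name ${azurerm_user_assigned_identity.aks.name} --identity-resource-id ${azurerm_user_assigned_identity.aks.id}"
  }
}
```

Because local-exec runs outside Terraform's state, `terraform plan` will not detect drift in the pod identity binding; verify it separately with `az aks pod-identity list`.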