azure - How to enable managed identity for the virtual machine scale set on a terraform kubernetes deploy

Question

I am deploying AKS through terraform. It's working great, but I would like to also enable identity on the VMSS object in order to allow pod level managed identity access (mostly grab keys from key vaults).

I can manually do this by going to the auto-created VMSS object that Azure creates once launching the AKS cluster.

However, I do not see an option for this in the terraform resource.

Has anyone ran into this and found a way to pull it off?

My deployment code is like this:

resource "azurerm_kubernetes_cluster" "main" {
  name                = "myaks"
  location            = "centralus"
  resource_group_name = "myrg"
  dns_prefix          = "myaks"

  node_resource_group = "aksmanagedrg"

  default_node_pool {
    name            = "default"
    node_count      = 1
    vm_size         = "Standard_B2ms"
    vnet_subnet_id  = "myakssubnetid"
    os_disk_size_gb = 128
  }

  identity {
    type = "SystemAssigned"
  }

  addon_profile {
    aci_connector_linux {
      enabled = false
    }

    azure_policy {
      enabled = false
    }

    http_application_routing {
      enabled = false
    }

    kube_dashboard {
      enabled = true
    }

    oms_agent {
      enabled = false
    }
  }

  network_profile {
    network_plugin = "azure"
    load_balancer_sku = "standard"
  }

}

Thanks!

question from:https://stackoverflow.com/questions/65944380/how-to-enable-managed-identity-for-the-virtual-machine-scale-set-on-a-terraform

Answer 1

It seems you're looking for the pod-managed identities in Azure Kubernetes Service. If so, then, unfortunately, Terraform seems does not support to configure the property. When you follow the article above to configure the pod-managed identities, then you can see the pod identity profile like this:

And there is no such option for you to configure it. But instead, you can run the Azure CLI in the Terraform via the null_resource and provisioner local-exec and here is an example:

resource "null_resource" "aks_update" {
  provisioner "local-exec" {
    command = "az aks update --resource-group ${azurerm_resource_group.aks.name} --name ${azurerm_kubernetes_cluster.aks.name} --enable-pod-identity"
  }
}

resource "null_resource" "aks_add_poidentity" {
  provisioner "local-exec" {
    command = "az aks pod-identity add --resource-group ${azurerm_resource_group.aks.name} --cluster-name ${azurerm_kubernetes_cluster.aks.name} --namespace ${var.pod_identity_namespace} --name ${azurerm_user_assigned_identity.aks.name} --identity-resource-id ${azurerm_user_assigned_identity.aks.id}"
  }
}

This could be a way to enable the identity in the pods level for the AKS.