adrianstrat
commented
1 year ago Currently when you spin up an AKS cluster through the portal or through terraform it automatically creates a storage account along with other resources. Some of the resource you have the ability to modify indirectly through the AKS configuration however currently the Storage Account used for CSI storage is not customizable ( https://learn.microsoft.com/en-us/azure/aks/azure-files-csi ) . For an enterprise deployment there are certain features we would want to have control over including:
- Whether or not the storage account is publicly accessible
- Whether the storage account is deployed with a private endpoint
- What encryption key is used for the storage account
- What Soft Delete policy is set on the storage account
At minimum I'd expect these settings to be exposed through the AKS deployment or alternatively if this is too difficult having the option to opt for Azure to not create a Storage Account for the AKS would be suitable and then the actual SA resource creation could be manual and configured as required.
microsoft-github-policy-service[bot]
Is your feature request related to a problem? Please describe. There's an interest in managing (prior to the deployment) the default Storage Account (SA) created in the MC_ Resource Group via Terraform. This will help the customer set the behavior in the SA such as enabling private link, setting soft delete retention policies and using a customer managed key for encryption.
Describe the solution you'd like Adding the capability to the AKS ARM APIs by using the current resources from Storage for example.
Describe alternatives you've considered As of now, creating every resource individually is the only workaround which makes the deployment harder to track.
Additional context N/A