ansible-collections / azure

Development area for Azure Collections
https://galaxy.ansible.com/azure/azcollection
GNU General Public License v3.0

Option in azure_rm_aks to set tags for agent_pool_profiles #1713

Open Ezopek opened 5 days ago

Ezopek commented 5 days ago
SUMMARY

Add an option for the agent_pools VMSS to inherit tags from the main azure_rm_aks object.

ISSUE TYPE
COMPONENT NAME

azure_rm_aks

ADDITIONAL INFORMATION

Hi, my company requires that every object created in Azure has specific tags when we deploy it. Right now, when I try to create an AKS cluster using azure_rm_aks, it ultimately fails with ResourceOperationFailure -> RequestDisallowedByPolicy and a message requesting the required tags on resource aks-master-69745823-vmss. Other objects created by AKS (like the new Resource Group or Load Balancer) do inherit those tags, but for some reason azure_rm_aks tries to create the agent_pools VMSS without providing them.

vars/main.yml:

az_default_tags:
  env: "{{ env }}"
  created-date: "{{ '%Y-%m-%d' | strftime }}"
  iac: ansible

aks_system_pools:
  - name: master
    enable_auto_scaling: false
    count: 1
    mode: System
    vm_size: Standard_B2s
    node_labels:
      master: ""
    os_type: Linux
    type: VirtualMachineScaleSets
    availability_zones:
      - 1
      - 2
      - 3
    vnet_subnet_id: "{{ subnets_4_id }}"

task/main.yml:

- name: Create AKS
  environment:
    HTTP_PROXY: "{{ http_proxy }}"
    HTTPS_PROXY: "{{ https_proxy }}"
    NO_PROXY: "{{ no_proxy }}"
    AZURE_SUBSCRIPTION_ID: "{{ az_subscription_id }}"
    AZURE_CLIENT_ID: "{{ az_client_id }}"
    AZURE_SECRET: "{{ az_client_secret }}"
    AZURE_TENANT: "{{ az_tenant_id }}"
  azure_rm_aks:
    name: "{{ aks_name }}"
    location: "{{ location }}"
    resource_group: "{{ resource_group }}"
    dns_prefix: "{{ aks_name }}"
    kubernetes_version: "{{ aks_version }}"
    linux_profile:
      admin_username: "{{ aks_host_admin_username }}"
      ssh_key: "{{ aks_ssh_key_public }}"
    agent_pool_profiles: "{{ aks_system_pools }}"
    enable_rbac: true
    tags: "{{ az_default_tags }}"

With configuration like that I get following error:

TASK [az-create-aks : Create AKS] ***************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => changed=false
  msg: |-
    Error creating the AKS instance: (RequestDisallowedByPolicy) Code="RequestDisallowedByPolicy" Message="Resource 'aks-master-69745823-vmss' was disallowed by policy. Reasons: 'Please add tag 'created-date' on resource with YYYY-MM-DD format','Please add tag 'created-date' on resource with  YYYY-MM-DD format','Please add tag 'iac' on resource'. See error details for policy resource IDs." Target="aks-master-69745823-vmss" [...]
Fred-sun commented 4 days ago

@Ezopek Thank you for submitting the problem, but I can manage the AKS resource your way, and the resource was created successfully. From your error, is it because the policy does not allow your subscription to manage this resource? Thank you!

Ezopek commented 4 days ago

@Fred-sun The AKS resource itself is created, but with the agent pool(s) failed. The error I posted is targeted at the deployment of the VMSS (VirtualMachineScaleSets) for the agent_pool - my company doesn't allow creating that resource since it doesn't have the required custom tags.

So yeah, as a workaround I could just handle this specific error and create the needed agent_pools later with azure_rm_aksagentpool with those tags. But it would be nice to have this done with just azure_rm_aks without errors, since the option is there (and it needs at least one system agent_pool).

To speak more plainly - I would like the VirtualMachineScaleSets created by azure_rm_aks for agent_pools to have the tags that we provide in the properties of azure_rm_aks, as at the moment they seem to be created without them. It is possible to do so via the Azure GUI.

Fred-sun commented 4 days ago

@Ezopek Currently the SDK does not support defining tags in this way, so it is not possible to do so for the time being. Thank you!

Ezopek commented 4 days ago

@Fred-sun I can see in the SDK documentation for azure-mgmt-containerservice > ManagedClustersOperations > begin_create_or_update > ManagedCluster object > ManagedClusterAgentPoolProfile object (used in the list for agent_pool_profiles) that there is an option for specifying tags.

Also, this is possible via the Terraform azurerm provider (https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#default_node_pool), the same as with the REST API (https://learn.microsoft.com/en-us/rest/api/aks/managed-clusters/create-or-update?view=rest-aks-2024-07-01&tabs=HTTP#managedclusteragentpoolprofile).

Ezopek commented 4 days ago

Actually, after some thought I might have overcomplicated this issue a little. All I actually want to achieve is to be able to set tags on agent_pool_profiles like this:

- name: Create AKS
  azure_rm_aks:
    name: "{{ aks_name }}"
    location: "{{ location }}"
    resource_group: "{{ resource_group }}"
    # [...]
    agent_pool_profiles:
      - name: master
        mode: System
        vm_size: Standard_B2s
        type: VirtualMachineScaleSets
        # [...]
        tags: # <-- this right now is not possible in ansible azure_rm_aks, yet it is via REST API, Terraform azurerm provider or Python Azure SDK
          some: custom
          tags: aks
    tags:
      some: custom
      tags: aks

Sorry for all the confusion with the "inheriting" stuff... At first I thought simply of copying tags from the main azure_rm_aks properties to agent_pool_profiles, but simply being able to set them manually will be good enough.
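
As an added example (not code from the azure collection or from the reporter), the following Python pre-flight check mirrors the situation in this issue: it merges cluster-level tags into each agent_pool_profiles entry (a pool's own tags win, matching the per-pool tags field of the REST API the reporter links to) and then emulates the two policy rules quoted in the RequestDisallowedByPolicy error, namely that 'created-date' must be present in YYYY-MM-DD format and that 'iac' must be present. The sample cluster tags and pool profile are constructed from the reporter's vars/main.yml; the exact policy wording, the merge precedence and the function names are assumptions for illustration. Running it with inherit=False reproduces the failure the reporter describes, with inherit=True the pool passes.

```python
"""Pre-flight tag check for AKS agent pools (added example, not project code).

Emulates the Azure Policy behaviour reported in the issue so that a playbook
author can catch missing VMSS tags before azure_rm_aks is even called.
"""
import re
from datetime import date

# Tag keys taken from the policy messages quoted in the issue.
REQUIRED_TAGS = ("created-date", "iac")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def merge_pool_tags(cluster_tags, agent_pool_profiles):
    """Return copies of the pool profiles with cluster tags applied.

    Pool-level 'tags' override cluster-level ones (assumed precedence; the
    REST API lets each ManagedClusterAgentPoolProfile carry its own tags).
    """
    merged = []
    for pool in agent_pool_profiles:
        pool_copy = dict(pool)
        tags = dict(cluster_tags)
        tags.update(pool.get("tags") or {})
        pool_copy["tags"] = tags
        merged.append(pool_copy)
    return merged


def policy_violations(pool):
    """Emulate the policy; return the reasons a pool's VMSS would be disallowed."""
    tags = pool.get("tags") or {}
    reasons = []
    for key in REQUIRED_TAGS:
        if key not in tags:
            reasons.append(f"Please add tag '{key}' on resource")
    created = tags.get("created-date")
    if created is not None:
        # Regex catches the wrong shape; fromisoformat catches e.g. month 13.
        valid = bool(DATE_RE.match(created))
        if valid:
            try:
                date.fromisoformat(created)
            except ValueError:
                valid = False
        if not valid:
            reasons.append(
                "Please add tag 'created-date' on resource with YYYY-MM-DD format"
            )
    return reasons


def check_cluster(cluster_tags, agent_pool_profiles, inherit=True):
    """Return {pool_name: [reasons]} for every pool the policy would reject.

    inherit=False models the current azure_rm_aks behaviour from the issue:
    the pools are submitted without the cluster tags and fail the policy.
    """
    pools = (
        merge_pool_tags(cluster_tags, agent_pool_profiles)
        if inherit
        else agent_pool_profiles
    )
    rejected = {}
    for pool in pools:
        reasons = policy_violations(pool)
        if reasons:
            rejected[pool["name"]] = reasons
    return rejected


# Constructed sample data mirroring the reporter's vars/main.yml.
CLUSTER_TAGS = {"env": "dev", "created-date": "2024-09-16", "iac": "ansible"}
SYSTEM_POOLS = [
    {
        "name": "master",
        "mode": "System",
        "vm_size": "Standard_B2s",
        "type": "VirtualMachineScaleSets",
        "count": 1,
    }
]

if __name__ == "__main__":
    print("without inheritance:", check_cluster(CLUSTER_TAGS, SYSTEM_POOLS, inherit=False))
    print("with inheritance:   ", check_cluster(CLUSTER_TAGS, SYSTEM_POOLS))
```

In a real module the output of merge_pool_tags is what would be handed to the SDK's ManagedClusterAgentPoolProfile tags field; the check here only tells you in advance which pools the policy will reject and why.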

Ezopek commented 21 hours ago

@Fred-sun can you look at it once again and verify the 'hold' label - the features for agent-pool tags are available in the Azure Python SDK - https://github.com/ansible-collections/azure/issues/1713#issuecomment-2351016095

Fred-sun commented 20 hours ago

@Ezopek You mean to add tags to the parameter 'agent_pool_profiles', right?

Fred-sun commented 19 hours ago

@Ezopek As created on the portal, a parameter 'tags_for_all_resources' should be required. The tag is used to inherit from the Kubernetes Service.

Fred-sun commented 17 hours ago

@Ezopek What you're asking for is something like #1713, adding tags to agent_pools?