hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for predefined UAMI in AKS ingress AppGW #11753

Open swies0wl opened 3 years ago

swies0wl commented 3 years ago

Description

Requesting capability for fully declaring/creating an Application Gateway User Assigned Managed Identity for AKS Cluster consumption. The existing framework appears to create a System Assigned Managed Identity for the Application Gateway.

I want to declare/create the UAMI in TF and have this resource consumed by AKS. My predefined UAMI will already have the appropriate roles, as defined by https://docs.microsoft.com/en-us/azure/developer/terraform/create-k8s-cluster-with-aks-applicationgateway-ingress (azurerm_application_gateway.network.id - Contributor & azurerm_resource_group.rg.id - Reader), in terraform.

In this manner the AppGW (already in place) and SAMI (per this feature request) will already be created and there is no need for Azure to spin up the resources. This also ensures resource lifecycle is declared and tracked in terraform by design.

New or Affected Resource(s)

azurerm_kubernetes_cluster

Potential Terraform Configuration

```hcl
resource "azurerm_kubernetes_cluster" "cluster" {
  ...

  addon_profile {
    enable_application_gateway_ingress_controller {
      enabled    = true
      gateway_id = [appgw_id]
      identity   = [uami id]
    }
  }
}
```

References

xuzhang3 commented 3 years ago

@swies0wl You can try with application_gateway.identity to assign the UAMI.

Tbohunek commented 3 years ago

@swies0wl can you confirm you use "bring your own" Application Gateway? If so, the UAMI would indeed be part of its configuration. For AGIC then it doesn't matter whether the App GW uses UAMI or SAMI.

swies0wl commented 3 years ago

We are creating our own UAMI and reference this id in the application_gateway_identity configured within the azurerm_application_gateway. However, you cannot use this declarative in azurerm_kubernetes_cluster. At present azurerm_kubernetes_cluster creates a UAMI and expects the created one to update the appgw vs the one declaratively created.
In the above instance, when creating your own, you have to grant the same permission to the azurerm_kubernetes_cluster-appgw_ID in addition to an MIO role from the azurerm_kubernetes_cluster-appgw_ID on the declared app-gw UAMI. So in essence you create a useless ID if the cluster is creating one for you. I'd rather not have the cluster create an appgw_id; I declare my own and use the declared one.
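The role model the last two comments describe, written out as an added example (this is not code from the issue, the provider or the Microsoft doc linked above). It assumes the azurerm 3.x schema, that the "bring your own" Application Gateway and its predefined UAMI are already deployed by another configuration (which attaches the UAMI through the gateway's `identity` block, as suggested above), and that all names and the location are constructed placeholders. The AGIC add-on still creates its own identity, so both identities end up with the same two roles from the linked doc, and the add-on identity additionally needs Managed Identity Operator on the gateway's UAMI: exactly the duplication the feature request wants to avoid.

```hcl
# Added example (not from the issue or the provider): role assignments for a
# predefined gateway UAMI next to the identity the AGIC add-on creates itself.
# Assumes azurerm 3.x; names and location are constructed placeholders.
provider "azurerm" {
  features {}
}

data "azurerm_resource_group" "rg" {
  name = "rg-agic-example"
}

# Gateway and UAMI are "bring your own": owned elsewhere, so only read here.
data "azurerm_application_gateway" "network" {
  name                = "agw-example"
  resource_group_name = data.azurerm_resource_group.rg.name
}

data "azurerm_user_assigned_identity" "appgw" {
  name                = "id-appgw-example"
  resource_group_name = data.azurerm_resource_group.rg.name
}

resource "azurerm_kubernetes_cluster" "cluster" {
  name                = "aks-agic-example"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  dns_prefix          = "aks-agic-example"

  default_node_pool {
    name       = "system"
    node_count = 1
    vm_size    = "Standard_D2s_v3"
  }

  identity {
    type = "SystemAssigned"
  }

  # The add-on accepts only the gateway id; it creates its own AGIC identity
  # in the node resource group, which is what this issue asks to replace.
  ingress_application_gateway {
    gateway_id = data.azurerm_application_gateway.network.id
  }
}

locals {
  # Object id of the identity the add-on created (exported by the provider).
  agic_principal_id = azurerm_kubernetes_cluster.cluster.ingress_application_gateway[0].ingress_application_gateway_identity[0].object_id

  # Both identities currently need the same roles; keys must be static so
  # for_each can be planned before the cluster exists.
  principals = {
    appgw_uami = data.azurerm_user_assigned_identity.appgw.principal_id
    agic       = local.agic_principal_id
  }
}

# Contributor scoped to the gateway only (not the subscription).
resource "azurerm_role_assignment" "appgw_contributor" {
  for_each             = local.principals
  scope                = data.azurerm_application_gateway.network.id
  role_definition_name = "Contributor"
  principal_id         = each.value
}

# Reader on the resource group holding the gateway.
resource "azurerm_role_assignment" "rg_reader" {
  for_each             = local.principals
  scope                = data.azurerm_resource_group.rg.id
  role_definition_name = "Reader"
  principal_id         = each.value
}

# The "MIO role" from the comment above: the add-on identity may use the
# gateway's UAMI. Scoped to that single identity, not the whole group.
resource "azurerm_role_assignment" "agic_mio" {
  scope                = data.azurerm_user_assigned_identity.appgw.id
  role_definition_name = "Managed Identity Operator"
  principal_id         = local.agic_principal_id
}
```

Scoping every assignment to the individual gateway, resource group or identity keeps the blast radius of either identity small; if the requested `identity` argument were added to the add-on block, the `agic` entries and `agic_mio` assignment would disappear and only the predefined UAMI's two roles would remain.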
In the above instance, when creating your own, you have to grant the same permission to the azurerm_kubernetes_cluster-appgw_ID in addition to an MIO role from the azurerm_kubernetes_cluster-appgw_ID on the declared app-gw UAMI. so in essence you create a useless ID if the cluster is creating one for you. I'd rather not hav ethe cluster creap an appgw_id and i declare myown and use the decalred one.