Support for az aks command invoke

[jkroepke]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

az aks command invoke is very useful for deploy something against a private AKS where terraforms runs outside of the internal network, e.g. Terraform cloud.

When you access a private AKS cluster, you must connect to the cluster from the cluster virtual network, from a peered network, or via a configured private endpoint. These approaches require configuring a VPN, Express Route, deploying a jumpbox within the cluster virtual network, or creating a private endpoint inside of another virtual network. You can also use command invoke to access private clusters without the need to configure a VPN or Express Route. command invoke allows you to remotely invoke commands, like kubectl and helm, on your private cluster through the Azure API without directly connecting to the cluster.

New or Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster_command_invoke

Potential Terraform Configuration

resource "azurerm_kubernetes_cluster_command_invoke" "this" {
  cluster_id     = azurerm_kubernetes_cluster.example.id
  command        = "kubectl get pods"
  files          = {"file.txt": "content"}

  token          = null
}

References

• https://learn.microsoft.com/en-us/azure/aks/command-invoke
• https://learn.microsoft.com/en-us/cli/azure/aks/command?view=azure-cli-latest
• https://learn.microsoft.com/en-us/rest/api/aks/managed-clusters/run-command?tabs=HTTP

Semi-functional example with azapi. azapi is not able to issue the token for AKS.

resource "azapi_resource_action" "runCommand" {
  type        = "Microsoft.ContainerService/managedClusters@2022-07-01"
  resource_id = data.azurerm_kubernetes_cluster.jok.id
  action      = "runCommand"

  response_export_values = ["*"]

  body = jsonencode({
    command      = "kubectl get pods",
    context      = ""
    clusterToken = var.clusterToken
  })
}

output "command_output" {
  value = jsondecode(azapi_resource_action.runCommand.output)
}

[jkroepke]

Is there an example to issue additional tokens?

I have to issue a token with scope 6dae42f8-4368-4678-94ff-3960e28e3630

[bscholtes1A]

+1 Support for az aks command invoke would be highly appreciated

[jkroepke]

A workaround: I wrote a own provider for that use-case: https://github.com/jkroepke/terraform-provider-azureakscommand