hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for az aks command invoke #22639

Open jkroepke opened 1 year ago

jkroepke commented 1 year ago

Description

az aks command invoke is very useful for deploying something against a private AKS where Terraform runs outside of the internal network, e.g. Terraform Cloud.

When you access a private AKS cluster, you must connect to the cluster from the cluster virtual network, from a peered network, or via a configured private endpoint. These approaches require configuring a VPN, Express Route, deploying a jumpbox within the cluster virtual network, or creating a private endpoint inside of another virtual network. You can also use command invoke to access private clusters without the need to configure a VPN or Express Route. command invoke allows you to remotely invoke commands, like kubectl and helm, on your private cluster through the Azure API without directly connecting to the cluster.

New or Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster_command_invoke

Potential Terraform Configuration

resource "azurerm_kubernetes_cluster_command_invoke" "this" {
  cluster_id     = azurerm_kubernetes_cluster.example.id
  command        = "kubectl get pods"
  files          = {"file.txt": "content"}

  token          = null
}

References

Semi-functional example with azapi. azapi is not able to issue the token for AKS.

resource "azapi_resource_action" "runCommand" {
  type        = "Microsoft.ContainerService/managedClusters@2022-07-01"
  resource_id = data.azurerm_kubernetes_cluster.jok.id
  action      = "runCommand"

  response_export_values = ["*"]

  body = jsonencode({
    command      = "kubectl get pods",
    context      = ""
    clusterToken = var.clusterToken
  })
}

output "command_output" {
  value = jsondecode(azapi_resource_action.runCommand.output)
}

jkroepke commented 1 year ago

Is there an example to issue additional tokens?

I have to issue a token with scope 6dae42f8-4368-4678-94ff-3960e28e3630
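
One way to obtain that token and pass it to the runCommand action, as an added example that is not part of the original thread or of either provider's code. It assumes the Azure CLI is installed and logged in where Terraform runs, the azapi 1.x `jsonencode` body syntax used above, and a hypothetical `var.cluster_id` input.

```hcl
terraform {
  required_providers {
    azapi    = { source = "Azure/azapi" }
    external = { source = "hashicorp/external" }
  }
}

# Hypothetical input: resource ID of the private AKS cluster.
variable "cluster_id" {
  type = string
}

# Assumption: `az` is on PATH and already authenticated.
# The external data source requires a flat JSON object of strings on stdout;
# the --query projection yields {"token": "<access token>"}.
data "external" "aks_token" {
  program = [
    "az", "account", "get-access-token",
    "--resource", "6dae42f8-4368-4678-94ff-3960e28e3630", # scope quoted in the comment above
    "--query", "{token: accessToken}",
    "--output", "json",
  ]
}

resource "azapi_resource_action" "run_command" {
  type        = "Microsoft.ContainerService/managedClusters@2022-07-01"
  resource_id = var.cluster_id
  action      = "runCommand"

  response_export_values = ["*"]

  body = jsonencode({
    command      = "kubectl get pods"
    context      = ""
    clusterToken = data.external.aks_token.result.token
  })
}

# Command output can include cluster data, so keep it out of plan/apply logs.
output "command_output" {
  value     = jsondecode(azapi_resource_action.run_command.output)
  sensitive = true
}
```

The data source result and the request body are both written to Terraform state, so the bearer token is readable there for its lifetime; restrict access to the state backend accordingly.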

bscholtes1A commented 1 year ago

+1 Support for az aks command invoke would be highly appreciated

jkroepke commented 8 months ago

A workaround: I wrote my own provider for that use case: https://github.com/jkroepke/terraform-provider-azureakscommand