hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for AKS application routing add-on Key Vault integration (GA) #24131

Open zioproto opened 11 months ago

zioproto commented 11 months ago

### Description

The Managed nginx Ingress with the application routing add-on has a Key Vault integration (GA).

Documentation page: https://learn.microsoft.com/en-us/azure/aks/app-routing-dns-ssl#enable-azure-key-vault-integration

Equivalent Azure CLI command:

```shell
az aks approuting update -g <ResourceGroupName> -n <ClusterName> --enable-kv --attach-kv ${KEYVAULTID}
```

### New or Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

### Potential Terraform Configuration

```hcl
web_app_routing {
  dns_zone_id = ""
  keyvault_id = azurerm_key_vault.main.id # proposed new argument, not in the provider today
}
```


### References

_No response_

zioproto commented 11 months ago

@ms-henglu @lonegunmanb

related to #18667

bartholomew-gander commented 5 months ago

Hi, I have found how the Azure CLI achieves this action. It basically creates the connection in two steps:

  1. It enables the key vault integration.
  2. It grants the proper identity access to the key vault separately.

See the sample below:

```hcl
resource "azurerm_kubernetes_cluster" "cluster" {
  # ... other cluster arguments omitted
  key_vault_secrets_provider { # This enables key vault integration
    secret_rotation_enabled = true
  }
}

data "azurerm_key_vault" "kv" {
  # ... key vault lookup arguments omitted
}

resource "azurerm_role_assignment" "role_for_kv" {
  scope                = data.azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User" # This is not a mistake, it's secrets not certificates
  principal_id         = azurerm_kubernetes_cluster.cluster.web_app_routing[0].web_app_routing_identity[0].object_id
}
```

After that, you can point your ingress to the key vault certificate in the annotation, e.g.:

```hcl
data "azurerm_key_vault_certificate" "cert" { # reference to your certificate
  name         = "<your_secret_name>"
  key_vault_id = data.azurerm_key_vault.kv.id
}

resource "kubernetes_ingress_v1" "ingress" {
  # ... other ingress arguments omitted
  metadata {
    annotations = {
      # value e.g. https://keyvault-name.vault.azure.net/certificates/yourcertificatename
      "kubernetes.azure.com/tls-cert-keyvault-uri" = data.azurerm_key_vault_certificate.cert.versionless_id
      # ...
    }
    # ...
  }
}
```

Cheers, Bartek
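The two steps above, plus the ingress annotation, combined into one complete configuration. This is an added example, not code from the provider or from either commenter. It assumes azurerm provider 3.x argument names (`web_app_routing.dns_zone_id`, `enable_rbac_authorization`), that `azurerm_resource_group.main`, `azurerm_dns_zone.main` and a Kubernetes Service named `web` already exist, and that a certificate named `web-tls` has already been imported into the vault; all resource names and the hostname are placeholders. The point a practitioner should take from it is the grant in step 2: the add-on identity gets the read-only `Key Vault Secrets User` role scoped to the single vault it needs, and the ingress is made to depend on that assignment so it is never created before the identity can read the certificate. One caveat the thread does not spell out: a role assignment only grants access when the vault uses RBAC authorization; on a vault still using the access-policy model it is ignored and an access policy with `Get` on secrets would be required instead.

```hcl
# Added example, not the provider's or the commenters' code. Names are placeholders.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "main" {
  name                = "kv-app-routing-example" # placeholder, must be globally unique
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # The role assignment below only takes effect with RBAC authorization;
  # with the legacy access-policy model it is silently ignored.
  enable_rbac_authorization = true
}

resource "azurerm_kubernetes_cluster" "main" {
  name                = "aks-app-routing-example" # placeholder
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  dns_prefix          = "aks-app-routing-example"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2s_v3"
  }

  identity {
    type = "SystemAssigned"
  }

  # Step 1: enable the managed nginx ingress (application routing add-on).
  # The provider exports the add-on's managed identity under
  # web_app_routing[0].web_app_routing_identity[0].
  web_app_routing {
    dns_zone_id = azurerm_dns_zone.main.id
  }
}

# Step 2: least-privilege grant. Read-only role, scoped to this one vault,
# assigned to the add-on identity rather than to the cluster or kubelet identity.
resource "azurerm_role_assignment" "app_routing_kv" {
  scope                = azurerm_key_vault.main.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_kubernetes_cluster.main.web_app_routing[0].web_app_routing_identity[0].object_id
}

# Certificate assumed to be already imported into the vault.
data "azurerm_key_vault_certificate" "web" {
  name         = "web-tls" # placeholder
  key_vault_id = azurerm_key_vault.main.id
}

resource "kubernetes_ingress_v1" "web" {
  metadata {
    name = "web"
    annotations = {
      # Versionless certificate URI; the add-on resolves it to the current version.
      "kubernetes.azure.com/tls-cert-keyvault-uri" = data.azurerm_key_vault_certificate.web.versionless_id
    }
  }

  spec {
    ingress_class_name = "webapprouting.kubernetes.azure.com"

    tls {
      hosts = ["web.example.com"] # placeholder hostname
      # The add-on syncs the certificate into a secret named keyvault-<ingress name>.
      secret_name = "keyvault-web"
    }

    rule {
      host = "web.example.com"
      http {
        path {
          path      = "/"
          path_type = "Prefix"
          backend {
            service {
              name = "web" # assumed existing Service
              port {
                number = 80
              }
            }
          }
        }
      }
    }
  }

  # Do not create the ingress until the add-on identity can read the vault.
  depends_on = [azurerm_role_assignment.app_routing_kv]
}
```

After `terraform apply`, the add-on should populate the `keyvault-web` secret in the ingress namespace; if it stays empty, the first things to check are whether the vault actually has RBAC authorization enabled and whether the role assignment landed on the add-on identity's object id rather than the cluster's system-assigned identity.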