Can we use the AKS resource's attributes instead of using aks_msi_client_id_query.sh?

[jpflueger]

Topic: AKS module's output

Question: The aks_msi_client_id_query.sh script queries information that is already provided via the azurerm_kubernetes_cluster resource attributes. Would you accept a pull request that uses modifies the aks module to use those attributes and removes the dependency on the script?

Script -> Attribute Mapping	aks_msi_client_id_query.sh attribute	azurerm_kubernetes_cluster attribute	Comment
msi_client_id	identity.principal_id	The term "MSI" has been replaced by "Managed identity", would it be acceptable for a possible rename to avoid confusion?
kubelet_client_id	kubelet_identity.object_id	The name of this property suggests it is the kubelet's client id but in the current script it is actually the kubelet managed identity's object_id
kubelet_id	kubelet_identity.user_assigned_identity_id	In the script this field and kubelet_resource_id are mapped to the same value
kubelet_resource_id	kubelet_identity.user_assigned_identity_id	In the script this field and kubelet_id are mapped to the same value
node_resource_group	node_resource_group

Suggestion I would suggest that we just export the following attributes directly from the azurerm_kubernetes_cluster resource:

• node_resource_group
• kubelet_identity
• identity
• oms_agent_identity * this would be an addition to the current functionality but is necessary for a role assignment to support container insights

cc: @jmspring @andrebriggs

[jmspring]

Yes. The work that is in the repo we’ve been working on does away with the script. That code should be back ported to Bedrock.

Sent from my iPhone

On Sep 17, 2020, at 10:47 AM, Justin Pflueger notifications@github.com wrote:

 Topic: AKS module's output

Question: The aks_msi_client_id_query.sh script queries information that is already provided via the azurerm_kubernetes_cluster resource attributes. Would you accept a pull request that uses modifies the aks module to use those attributes and removes the dependency on the script?

Script -> Attribute Mapping

aks_msi_client_id_query.sh attribute azurerm_kubernetes_cluster attribute Comment msi_client_id identity.principal_id The term "MSI" has been replaced by "Managed identity", would it be acceptable for a possible rename to avoid confusion? kubelet_client_id kubelet_identity.object_id The name of this property suggests it is the kubelet's client id but in the current script it is actually the kubelet managed identity's object_id kubelet_id kubelet_identity.user_assigned_identity_id In the script this field and kubelet_resource_id are mapped to the same value kubelet_resource_id kubelet_identity.user_assigned_identity_id In the script this field and kubelet_id are mapped to the same value node_resource_group node_resource_group Suggestion I would suggest that we just export the following attributes directly from the azurerm_kubernetes_cluster resource:

node_resource_group kubelet_identity identity oms_agent_identity * this would be an addition to the current functionality but is necessary for a role assignment to support container insights cc: @jmspring @andrebriggs

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.