place-labs / k8s-helm

Helm charts for PlaceOS on Kubernetes

Discuss: AKS: Switch from Service Principal to Managed Identity #61

Closed w-le closed 6 months ago

w-le commented 1 year ago

AKS: Switch from Service Principal to Managed Identity to avoid having to renew service principal creds every year.

Are there any major downsides? Should we switch or not? Should we support both options or just 1?

https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#update-an-aks-cluster-to-managed-identities

viv-4 commented 1 year ago

Managed Identity of type SystemIdentity appears to be the most appropriate.

Using this method, Terraform can create a managed identity for use with the deployed resources, which is then removed when the resources are.

It also requires fewer manual steps for deployment, as secrets don't need to be created and then copied by the deployer.

There do not appear to be any downsides compared to deploying a Service Principal manually; they are still used in the backend, so they can still be customised/restricted if ever required via Azure IAM. This resolves the issue of the manually deployed Service Principals expiring with time.

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/managed_service_identity#what-is-a-managed-identity

> "Azure AD then creates a service principal to represent the resource for role-based access control (RBAC) and access control (IAM). The lifecycle of a system-assigned identity is tied to the resource it is enabled for: it is created when the resource is created and it is automatically removed when the resource is deleted."

Branch (of k8s-terraform) created for testing managed identity deployment: https://github.com/place-labs/k8s-terraform/tree/feat/azure-managed-identity

Pull request: https://github.com/place-labs/k8s-terraform/pull/9
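The two ways of giving an AKS cluster its Azure identity in the `azurerm` provider, as an added example that is not code from the k8s-terraform branch or pull request above: the manually created service principal (a secret that expires and has to be renewed and redeployed) beside the system-assigned managed identity that Azure AD creates and removes with the cluster. Resource names, region, node size and the role assignment scope are placeholders; the `Network Contributor` assignment only illustrates that the generated identity is still a normal principal whose permissions can be restricted through Azure RBAC.

```hcl
# Added example, not the project's own Terraform. All names are placeholders.
data "azurerm_resource_group" "rg" {
  name = "placeos-rg" # placeholder
}

# BEFORE: service principal created by hand, with its credentials passed in
# as variables. The client secret has an expiry, so someone must renew it,
# copy it into the deployment and re-apply before it lapses.
variable "sp_client_id" {
  type      = string
  sensitive = true
}

variable "sp_client_secret" {
  type      = string
  sensitive = true
}

resource "azurerm_kubernetes_cluster" "with_sp" {
  name                = "placeos-aks-sp" # placeholder
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  dns_prefix          = "placeos-sp"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_DS2_v2" # placeholder
  }

  service_principal {
    client_id     = var.sp_client_id
    client_secret = var.sp_client_secret # expires; must be rotated by hand
  }
}

# AFTER: system-assigned managed identity. Azure AD creates the backing
# service principal itself and deletes it when the cluster is destroyed, so
# there is no secret to create, copy or rotate.
resource "azurerm_kubernetes_cluster" "with_msi" {
  name                = "placeos-aks" # placeholder
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  dns_prefix          = "placeos"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_DS2_v2" # placeholder
  }

  identity {
    type = "SystemAssigned"
  }
}

# The generated identity is still a principal in Azure AD, so its rights can
# be scoped with ordinary RBAC. Here the control-plane identity is limited to
# Network Contributor on its own resource group (illustrative scope/role).
resource "azurerm_role_assignment" "aks_network" {
  scope                = data.azurerm_resource_group.rg.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_kubernetes_cluster.with_msi.identity[0].principal_id
}

# Expose the principal ids so further IAM restrictions can target them.
output "aks_control_plane_principal_id" {
  value = azurerm_kubernetes_cluster.with_msi.identity[0].principal_id
}

output "aks_kubelet_principal_id" {
  value = azurerm_kubernetes_cluster.with_msi.kubelet_identity[0].object_id
}
```

In practice only one of the two cluster resources would exist in a real configuration; they are side by side here so the `service_principal` block and the `identity { type = "SystemAssigned" }` block can be compared directly. Note that AKS also creates a separate kubelet (node) identity, exposed through `kubelet_identity`, which is the one that needs rights such as pulling images; both ids are output above so role assignments can be kept as narrow as the deployment requires.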

viv-4 commented 6 months ago

Closed with https://github.com/place-labs/k8s-terraform/pull/9