FrankS77

Reputation: 311

Cannot create a simple Azure AKS with Terraform anymore

I am not able to create an Azure Kubernetes Service using the following code:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.96.0"
    }
  }
}

resource "azurerm_resource_group" "aks-rg" {
  name     = "aks-rg"
  location = "West Europe"
}

resource "azurerm_kubernetes_cluster" "aks-1" {
  name                = "aks-1"
  location            = azurerm_resource_group.aks-rg.location
  resource_group_name = azurerm_resource_group.aks-rg.name
  dns_prefix          = "aks1"
  
  default_node_pool {
    name       = "nodepool1"
    node_count = 3
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    Environment = "Test"
  }
}

The following error occurs:

│ Error: creating Cluster: (Managed Cluster Name "aks-1" / Resource Group "aks-rg"): 
containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending 
request: StatusCode=400 -- Original Error: Code="RequestDisallowedByPolicy" Message=
"Provisioning of resource(s) for container service aks-1 in resource group aks-rg failed. Message: Resource 
'aks-nodepool1-58423643-vmss' was disallowed by policy. Policy identifiers: 
'[{\"policyAssignment\":{\"name\":\"Enforce automatic OS upgrade with app health checks 

What am I doing wrong? Do I need to manually create a VMSS first?

Thanks in advance!

Upvotes: 1

Views: 798

Answers (1)

Kombajn zbożowy

Reputation: 10703

Enforce automatic OS upgrade with app health checks is a built-in policy enforced on your subscription / resource group that denies creating a VMSS without automatic OS upgrade enabled.

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachineScaleSets"
      },
      {
        "field": "Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade",
        "notEquals": "True"
      },
      {
        "field": "Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade",
        "notEquals": "True"
      }
    ]
  },

I've seen others raising the same problem for the azurerm provider. But it can't be fixed at the provider level, as there is just no such parameter when adding a node pool to AKS (e.g. looking through the options of the Azure CLI).

You can only ask your admins to disable the policy or add an exemption for you.

Upvotes: 1
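The "Policy identifiers" block in a RequestDisallowedByPolicy error carries the exact assignment and definition ids an admin needs to grant an exemption, and the assignment id also tells you at which scope (management group, subscription or resource group) the deny was applied. The following is an added example, not code from the question or the answer: it parses such an error, classifies the assignment scope, and builds time-boxed Waiver exemption commands for the Azure CLI. The sample error is constructed from the one in the question; the subscription and definition GUIDs, the assignment resource name `enforce-auto-os-upgrade`, the ticket label and the `MC_aks-rg_aks-1_westeurope` node resource group name are assumptions made for illustration.

```python
import json
import re

# Constructed sample: the question's (truncated) error extended to a full
# "Policy identifiers" block. GUIDs and the assignment resource name are made up.
SAMPLE_ERROR = (
    'Error: creating Cluster: (Managed Cluster Name "aks-1" / Resource Group "aks-rg"): '
    'containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: '
    'StatusCode=400 -- Original Error: Code="RequestDisallowedByPolicy" Message='
    '"Provisioning of resource(s) for container service aks-1 in resource group aks-rg '
    "failed. Message: Resource 'aks-nodepool1-58423643-vmss' was disallowed by policy. "
    "Policy identifiers: '["
    '{\\"policyAssignment\\":{\\"name\\":\\"Enforce automatic OS upgrade with app health checks\\",'
    '\\"id\\":\\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/'
    'Microsoft.Authorization/policyAssignments/enforce-auto-os-upgrade\\"},'
    '\\"policyDefinition\\":{\\"name\\":\\"Enforce automatic OS upgrade with app health checks '
    'on virtual machine scale sets\\",'
    '\\"id\\":\\"/providers/Microsoft.Authorization/policyDefinitions/'
    '11111111-1111-1111-1111-111111111111\\"}}'
    "]'.\""
)

_ASSIGNMENT_SEP = r"/providers/Microsoft\.Authorization/policyAssignments/"


def policy_identifiers(error_text):
    """Return the list of {policyAssignment, policyDefinition} objects from the error.

    Azure escapes the JSON inside the message, so the \\" sequences are unescaped first.
    """
    m = re.search(r"Policy identifiers:\s*'(\[.*?\])'", error_text, re.DOTALL)
    if not m:
        raise ValueError("no 'Policy identifiers' block found in error text")
    return json.loads(m.group(1).replace('\\"', '"'))


def denied_resource(error_text):
    """Name of the resource the policy refused (here the node pool VMSS), or None."""
    m = re.search(r"Resource '([^']+)' was disallowed by policy", error_text)
    return m.group(1) if m else None


def assignment_scope(assignment_id):
    """Classify a policy assignment id by the scope it was assigned at.

    Returns (kind, scope_id) with kind one of managementGroup, subscription,
    resourceGroup or unknown. The scope is everything before the
    /providers/Microsoft.Authorization/policyAssignments/ segment.
    """
    parts = re.split(_ASSIGNMENT_SEP, assignment_id, flags=re.IGNORECASE)
    if len(parts) != 2:
        return "unknown", None
    scope = parts[0]
    if re.match(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", scope, re.I):
        return "managementGroup", scope
    if re.match(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", scope, re.I):
        return "resourceGroup", scope
    if re.match(r"^/subscriptions/[^/]+$", scope, re.I):
        return "subscription", scope
    return "unknown", scope


def exemption_commands(error_text, exemption_scope, expires_on, ticket):
    """Build one `az policy exemption create` command per assignment in the error.

    exemption_scope is the resource id the exemption should cover (assumed here to be
    the AKS node resource group); expires_on time-boxes the waiver; ticket is an
    assumed change-tracking reference recorded in the description.
    """
    cmds = []
    for ident in policy_identifiers(error_text):
        assignment = ident["policyAssignment"]
        kind, _ = assignment_scope(assignment["id"])
        short_name = assignment["id"].rsplit("/", 1)[-1]
        cmds.append(
            "az policy exemption create "
            f"--name aks-{ticket}-{short_name} "
            f"--policy-assignment {assignment['id']} "
            "--exemption-category Waiver "
            f"--scope {exemption_scope} "
            f"--expires-on {expires_on} "
            f"--description 'AKS node pool VMSS denied by {kind}-level assignment; see {ticket}'"
        )
    return cmds


if __name__ == "__main__":
    for ident in policy_identifiers(SAMPLE_ERROR):
        print(ident["policyAssignment"]["name"], assignment_scope(ident["policyAssignment"]["id"]))
    print(denied_resource(SAMPLE_ERROR))
    node_rg = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MC_aks-rg_aks-1_westeurope"
    for cmd in exemption_commands(SAMPLE_ERROR, node_rg, "2024-12-31T00:00:00Z", "SEC-1234"):
        print(cmd)
```

Two points matter when the admin picks the exemption scope. First, the denied VMSS is not created in `aks-rg` but in the cluster's node resource group (by default `MC_<resource group>_<cluster>_<location>`, overridable with `node_resource_group` on `azurerm_kubernetes_cluster`), so an exemption scoped only to `aks-rg` does not cover it. Second, a Waiver that expires (`--expires-on`) and is scoped no wider than that node resource group keeps the automatic-OS-upgrade control in force everywhere else, which is preferable to disabling the assignment for the whole subscription or management group.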
