Reputation: 5
I am stuck. Please check the azurerm version which I used.
How can I integrate Azure Key Vault with AKS? If I add it under the addon profile, it throws an error that it is not recognized.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.75.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "=2.6.0"
    }
  }
}

provider "azurerm" {
  features {}
}
My AKS module:
resource "azurerm_kubernetes_cluster" "aks" {
  name                = local.aks_name
  location            = local.location
  resource_group_name = local.rg_name
  dns_prefix          = local.dns_prefix
  node_resource_group = "${local.rg_name}-AKS-BackEnd"
  kubernetes_version  = "1.26.0"

  # Note: azurerm requires either an identity {} or a service_principal {}
  # block on this resource; that block is not included in the post.

  default_node_pool {
    name            = "linux"
    node_count      = local.linux_node_count
    vm_size         = local.linux_vm_size
    os_disk_size_gb = local.linux_os_disk_size_gb
    type            = "VirtualMachineScaleSets"
    vnet_subnet_id  = local.subnet_id
    max_pods        = 250
    tags = merge(
      var.additional_aks_tags,
      var.additional_tags,
      {
        location = var.location
      },
    )
  }

  linux_profile {
    admin_username = local.vm_user_name
    ssh_key {
      key_data = tls_private_key.ssh.public_key_openssh
    }
  }

  network_profile {
    network_plugin     = "azure"
    service_cidr       = "10.30.0.0/16"
    docker_bridge_cidr = "172.17.0.1/16"
    dns_service_ip     = "10.30.0.10"
    network_mode       = "transparent"
  }

  # azurerm 2.x syntax: add-ons are configured under addon_profile.
  addon_profile {
    ingress_application_gateway {
      enabled      = true
      gateway_name = var.appgw_name
      subnet_id    = var.appgw_subnet_id
    }
    oms_agent {
      enabled                    = true
      log_analytics_workspace_id = azurerm_log_analytics_workspace.aks.id
    }
    http_application_routing {
      enabled = false
    }
  }
}
How do I make the add-on for Key Vault?
My Key Vault module:
resource "azurerm_key_vault" "key_vault" {
  name                        = local.kv_name
  location                    = local.location
  resource_group_name         = local.rg_name
  enabled_for_disk_encryption = true
  tenant_id                   = local.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = "standard"

  access_policy {
    tenant_id = local.tenant_id
    object_id = local.aks_sp_object_id # Service Account created for AKS
    key_permissions = [
      "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
    ]
    secret_permissions = [
      "get", "list", "delete", "recover", "backup", "restore", "set",
    ]
    certificate_permissions = [
      "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
      "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers",
    ]
  }

  tags = merge(
    var.additional_kv_tags,
    var.additional_tags,
    {
      location = var.location
    },
  )

  lifecycle {
    ignore_changes = [
      access_policy
    ]
  }
}
I already used the following before, as per a suggestion:
  key_vault_secrets_provider {
    secret_rotation_enabled = true
  }
But it failed, saying the block is not a valid argument.
Request you to please help me on this.
Thanks
Upvotes: 1
Views: 1026
Reputation: 10871
I have created a Kubernetes cluster.
Code:
resource "azurerm_kubernetes_cluster" "example" {
  name                = "kavexkcluster"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  dns_prefix          = "kavaexampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    Environment = "Production"
  }
}
Checked the add-ons list for my managed AKS cluster through the CLI, where "azure-keyvault-secrets-provider" is shown as disabled. It means that for the latest versions of the Terraform provider, the secrets provider needs to be enabled.
Command:
az aks addon show -g myrg -n kavexkcluster -a azure-keyvault-secrets-provider
Response:
Addon "azure-keyvault-secrets-provider" is not enabled in this cluster.
Check the following code, adding a key_vault_secrets_provider block with secret rotation enabled.
Main.tf:
Added key_vault_secrets_provider:
resource "azurerm_kubernetes_cluster" "example" {
  name                = "kavexkcluster"
  location            = data.azurerm_resource_group.example.location
  ...
  key_vault_secrets_provider {
    secret_rotation_enabled = true
  }

  default_node_pool {
    ...
  }
  ...
}
Checked for the add-on using the CLI:
az aks addon show -g myrg -n kavexkcluster -a azure-keyvault-secrets-provider
{
  "api_key": "azureKeyvaultSecretsProvider",
  "config": {
    "enableSecretRotation": "true",
    "rotationPollInterval": "2m"
  },
  "identity": {
    "clientId": "xx8",
    "objectId": "xxx6364c3",
    "resourceId": "/subscriptions/xx/resourcegroups/MC_xx_kavexkcluster_eastus/providers/Microsoft.ManagedIdentity/userAssignedIdentities/azurekeyvaultsecretsprovider-kavexkcluster"
  },
  "name": "azure-keyvault-secrets-provider"
}
The Azure Key Vault secrets provider add-on is enabled.
Upvotes: 0
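Enabling the add-on is only the first half of the integration. The CLI output above shows that AKS creates its own user-assigned identity (azurekeyvaultsecretsprovider-<cluster>) for the CSI driver; it is that identity, not the cluster's service principal from the question's access_policy, that reads secrets at mount time, so it needs read access on the vault and a SecretProviderClass must point the driver at it. The configuration below is an added example, not code from either post. It assumes azurerm 3.x (where key_vault_secrets_provider is a top-level block; under the 2.75.0 pinned in the question, add-ons live under addon_profile), the hashicorp/kubernetes provider, and hypothetical resource names (rg-aks-kv-example, aks-kv-example, kv-aks-example-0001, the secret db-password). It grants the add-on identity only the built-in "Key Vault Secrets User" role, scoped to the single vault, instead of the broad key, secret and certificate access policy in the question.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumption: 3.x, where key_vault_secrets_provider is top-level
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.20"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-aks-kv-example" # hypothetical
  location = "eastus"
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-kv-example" # hypothetical
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "akskvexample"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  # Enables the Azure Key Vault Provider for the Secrets Store CSI Driver.
  # AKS creates a user-assigned identity for the driver in the node resource
  # group and exports its ids under key_vault_secrets_provider[0].secret_identity.
  key_vault_secrets_provider {
    secret_rotation_enabled  = true
    secret_rotation_interval = "2m"
  }
}

resource "azurerm_key_vault" "kv" {
  name                       = "kv-aks-example-0001" # hypothetical; must be globally unique
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
  # Azure RBAC instead of access policies: the grant below is a role
  # assignment scoped to this vault only, and it is not masked by
  # lifecycle { ignore_changes = [access_policy] }.
  enable_rbac_authorization = true
}

# Least privilege: the CSI driver identity only needs to read secret values.
resource "azurerm_role_assignment" "csi_reads_secrets" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_kubernetes_cluster.aks.key_vault_secrets_provider[0].secret_identity[0].object_id
}

provider "kubernetes" {
  host                   = azurerm_kubernetes_cluster.aks.kube_config[0].host
  client_certificate     = base64decode(azurerm_kubernetes_cluster.aks.kube_config[0].client_certificate)
  client_key             = base64decode(azurerm_kubernetes_cluster.aks.kube_config[0].client_key)
  cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.aks.kube_config[0].cluster_ca_certificate)
}

# Tells the CSI driver which vault and which object to mount, authenticating
# as the add-on's user-assigned identity (the clientId shown by `az aks addon show`).
resource "kubernetes_manifest" "spc" {
  manifest = {
    apiVersion = "secrets-store.csi.x-k8s.io/v1"
    kind       = "SecretProviderClass"
    metadata = {
      name      = "azure-kv-example" # hypothetical
      namespace = "default"
    }
    spec = {
      provider = "azure"
      parameters = {
        usePodIdentity         = "false"
        useVMManagedIdentity   = "true"
        userAssignedIdentityID = azurerm_kubernetes_cluster.aks.key_vault_secrets_provider[0].secret_identity[0].client_id
        keyvaultName           = azurerm_key_vault.kv.name
        tenantId               = data.azurerm_client_config.current.tenant_id
        objects                = <<-EOT
          array:
            - |
              objectName: db-password   # hypothetical secret name
              objectType: secret
        EOT
      }
    }
  }
  depends_on = [azurerm_role_assignment.csi_reads_secrets]
}
```

Two practical caveats: kubernetes_manifest needs the cluster API reachable at plan time, so on a fresh subscription apply the Azure resources first (for example with -target=azurerm_kubernetes_cluster.aks) and the manifest in a second run; and a pod only sees the secret once it mounts a csi volume whose volumeAttributes.secretProviderClass names this SecretProviderClass, so after apply, a failing mount with a 403 from Key Vault almost always means the role assignment has not yet propagated or was scoped to the wrong identity.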