azurekubernetesterraformazure-aksterraform-provider-azure

Terraform AKS in VNET An argument named "user_assigned_identity_id" is not expected here


I want to create a cluster inside a VNET so that I can later connect it to on-premises resources. I get the following error:

│ Error: Unsupported argument │ │ on main.tf line 130, in resource "azurerm_kubernetes_cluster" "aks": │ 130: user_assigned_identity_id = azurerm_user_assigned_identity.identity.id │ │ An argument named "user_assigned_identity_id" is not expected here.

My main.tf:

`

# Existing resource group that every resource in this file is placed in.
# It is only read here (data source), never created or destroyed.
data "azurerm_resource_group" "aks-rg" {
  name = var.resource_group_name
}

# Allows the cluster's kubelet identity to pull images from the registry.
# The grant is scoped to the single ACR and uses the built-in AcrPull role,
# so image pulls rely on Azure RBAC rather than registry admin credentials.
resource "azurerm_role_assignment" "role_acrpull" {
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity.0.object_id
  role_definition_name = "AcrPull"
  scope                = azurerm_container_registry.acr.id
  #skip_service_principal_aad_check = true
}

# Container registry the cluster pulls from. admin_enabled = false keeps the
# shared admin user disabled, so the only pull path is the RBAC grant in
# azurerm_role_assignment.role_acrpull.
resource "azurerm_container_registry" "acr" {
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  location            = var.location
  name                = var.acr_name
  admin_enabled       = false
  sku                 = "Standard"
}

# NSG declared for the public network. Nothing in this file associates it
# with a subnet (there is no azurerm_subnet_network_security_group_association)
# and it carries no rules, so as written it enforces nothing.
resource "azurerm_network_security_group" "pusg" {
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  location            = var.location
  name                = "Public_Security_Group"
}

# Virtual network that holds the node, inner and firewall subnets.
# NOTE(review): the two custom DNS servers sit in 10.19.0.0/24, which no
# subnet in this file defines. If no resolver actually answers at those
# addresses, nodes cannot resolve names and cluster creation would stall.
resource "azurerm_virtual_network" "puvnet" {
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  location            = var.location
  name                = "Public_VNET"

  address_space = ["10.19.0.0/16"]
  dns_servers   = ["10.19.0.4", "10.19.0.5"]
}

# Subnet the AKS system node pool is placed in (see default_node_pool.vnet_subnet_id);
# it is the only subnet bound to the firewall route table below.
resource "azurerm_subnet" "osubnet" {
  resource_group_name  = data.azurerm_resource_group.aks-rg.name
  virtual_network_name = azurerm_virtual_network.puvnet.name
  name                 = "Outer_Subnet"
  address_prefixes     = ["10.19.1.0/24"]
}

# Second subnet. Nothing else in this file references it, and it has no
# route table association, so traffic from it does not pass the firewall.
resource "azurerm_subnet" "isubnet" {
  resource_group_name  = data.azurerm_resource_group.aks-rg.name
  virtual_network_name = azurerm_virtual_network.puvnet.name
  name                 = "Inner_Subnet"
  address_prefixes     = ["10.19.2.0/24"]
}

# Dedicated subnet for Azure Firewall; the service requires the subnet to be
# named exactly "AzureFirewallSubnet".
resource "azurerm_subnet" "firewall_subnet" {
  resource_group_name  = data.azurerm_resource_group.aks-rg.name
  virtual_network_name = azurerm_virtual_network.puvnet.name
  name                 = "AzureFirewallSubnet"
  address_prefixes     = ["10.19.3.0/24"]
}

# User-assigned managed identity used as the cluster's control-plane identity.
resource "azurerm_user_assigned_identity" "identity" {
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  location            = var.location
  name                = "identityh"
}

# Grants the cluster identity Network Contributor over the whole resource
# group. That is broader than the VNET/subnet the cluster uses, but with
# userDefinedRouting the identity also needs rights on the route table, which
# lives in the same group. NOTE(review): narrowing the scope to the subnet and
# the route table individually would keep least privilege; verify before changing.
resource "azurerm_role_assignment" "networkRole" {
  principal_id         = azurerm_user_assigned_identity.identity.principal_id
  role_definition_name = "Network Contributor"
  scope                = data.azurerm_resource_group.aks-rg.id
}

# Route table that carries the default route toward the firewall.
resource "azurerm_route_table" "routeTable" {
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  location            = var.location
  name                = "rt-FWall"
}

# Default route (0.0.0.0/0) via the firewall's private IP. Every subnet bound
# to this table sends all egress through the firewall, which is what
# outbound_type = "userDefinedRouting" on the cluster relies on.
resource "azurerm_route" "route1" {
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  route_table_name    = azurerm_route_table.routeTable.name
  name                = "dg-route1"

  address_prefix         = "0.0.0.0/0"
  next_hop_type          = "VirtualAppliance"
  next_hop_in_ip_address = azurerm_firewall.firewall.ip_configuration.0.private_ip_address
}

# Binds the firewall route table to the node subnet only.
resource "azurerm_subnet_route_table_association" "base" {
  route_table_id = azurerm_route_table.routeTable.id
  subnet_id      = azurerm_subnet.osubnet.id
}

# Public IP attached to the firewall; with UDR egress this is the address the
# cluster's outbound traffic appears from. Azure Firewall needs a Standard,
# statically allocated IP.
resource "azurerm_public_ip" "firewall_public_ip" {
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  location            = var.location
  name                = "pip-firewall"

  sku               = "Standard"
  allocation_method = "Static"
}

# Azure Firewall that all node-subnet egress is routed through.
# NOTE(review): no azurerm_firewall_network_rule_collection or
# azurerm_firewall_application_rule_collection is defined in this file, so
# the firewall denies all egress. AKS nodes need outbound access to the
# control plane and Azure endpoints during provisioning; with everything
# blocked, creation can hang until Terraform gives up, which matches the
# symptom described in the question. Confirm the rules exist elsewhere.
resource "azurerm_firewall" "firewall" {
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  location            = var.location
  name                = "public_firewall"

  sku_tier = "Standard"
  sku_name = "AZFW_VNet"

  ip_configuration {
    name                 = "ipconfig"
    public_ip_address_id = azurerm_public_ip.firewall_public_ip.id
    subnet_id            = azurerm_subnet.firewall_subnet.id
  }
}

# AKS cluster placed in the Outer_Subnet with all egress forced through the
# firewall (userDefinedRouting) and a user-assigned control-plane identity.
# NOTE(review): the listing does not set any API-server access restriction
# (private_cluster_enabled or api_server_authorized_ip_ranges) nor AAD-backed
# RBAC (azure_active_directory_role_based_access_control, local_account_disabled);
# as written the API server is publicly reachable with local cluster accounts.
resource "azurerm_kubernetes_cluster" "aks" {
  name                = var.cluster_name
  kubernetes_version  = var.kubernetes_version
  location            = var.location
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  dns_prefix          = var.cluster_name

  # Azure CNI with UDR egress: outbound traffic follows the route table bound
  # to the node subnet, i.e. goes via the firewall.
  network_profile {
    network_plugin = "azure"
    outbound_type  = "userDefinedRouting"
  }

  default_node_pool {
    name                = "system"
    node_count          = var.system_node_count
    vm_size             = "Standard_DS2_v2"
    vnet_subnet_id = azurerm_subnet.osubnet.id
  }

  identity {
    type                      = "UserAssigned"
    # This is the line the provider rejects: the identity block has no
    # user_assigned_identity_id argument (see the error message above).
    user_assigned_identity_id = azurerm_user_assigned_identity.identity.id
  }
}

`

Region is Germany West Central. Kubernetes version 1.24.3, Azurerm 3.33, Terraform 1.3

I have tried several approaches I found on the internet, but none of them worked. In the best case, cluster creation takes too long and Terraform times out without creating the cluster.


Solution

  • That argument is not part of the identity block. The argument the identity block accepts is identity_ids [1]:

    # Same cluster as in the question; the only change is in the identity
    # block, which is placed first here. identity_ids takes a list of
    # user-assigned identity resource IDs.
    resource "azurerm_kubernetes_cluster" "aks" {
      resource_group_name = data.azurerm_resource_group.aks-rg.name
      location            = var.location
      name                = var.cluster_name
      dns_prefix          = var.cluster_name
      kubernetes_version  = var.kubernetes_version

      identity {
        type         = "UserAssigned"
        identity_ids = [azurerm_user_assigned_identity.identity.id]
      }

      # Azure CNI; egress follows the route table bound to the node subnet.
      network_profile {
        outbound_type  = "userDefinedRouting"
        network_plugin = "azure"
      }

      default_node_pool {
        vnet_subnet_id = azurerm_subnet.osubnet.id
        name           = "system"
        vm_size        = "Standard_DS2_v2"
        node_count     = var.system_node_count
      }
    }
    

    Note that the identity_ids argument is a list, hence the square brackets around the identity.


    [1] https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#identity_ids