I am using terraform to create a role assignment to an aks cluster. However, the id of the aks cluster is not in the format of a UUID; it has some other format. Terraform is complaining that it needs a UUID format.
I am using terraform data to get an aks cluster:
data "azurerm_kubernetes_cluster" "akstest001" {
  name                = "akstest001"
  resource_group_name = "rgtest001"
}
Then I am trying to create a role assignment, that is using the akstest001 id:
resource "azuread_app_role_assignment" "aks_test_assignment" {
  app_role_id         = data.azurerm_role_definition.test_role.id
  principal_object_id = data.azuread_group.test_principal.id
  resource_object_id  = data.azurerm_kubernetes_cluster.akstest001.id
}
When I run terraform plan I can see in the logs that terraform is able to read the data from the cluster akstest001 with the following result. However, you can see that the id is not in UUID format:
[id=/subscriptions/a5fv567g-7fc0-3d2m-we11-jkl6qw35h46p/resourceGroups/rgtest001/providers/Microsoft.ContainerService/managedClusters/akstest001]
Terraform is complaining that the cluster id does not have the right format:
Error: Value must be a valid UUID
│
│   with module.active_directory.azuread_app_role_assignment.azuread_app_role_assignment,
│   on active_directory_module\role_assignments.tf line 25, in resource "azuread_app_role_assignment" "aks_test_assignment":
│   25: resource_object_id = data.azurerm_kubernetes_cluster.akstest001.id
When I go to the azure portal I can see in the akstest001 cluster that there is no id with the UUID format, I can only see the id in the format I mentioned above. How can I tell azure that I want the id of my cluster in a UUID format?
When you use the ID from the data object, it is the Azure ID of the resource (Resource ID), which equals /subscriptions/*/resourcegroups/*/providers/Microsoft.ContainerService/managedClusters/akstest001
The Terraform resource azuread_app_role_assignment, with the specific argument resource_object_id, needs the object ID of the service principal representing the resource.
I don't know what specific role assignment you want to do, but basically you need to choose the identity of the AKS, which in most cases is the kubelet identity:
resource "azuread_app_role_assignment" "aks_test_assignment" {
  app_role_id         = data.azurerm_role_definition.test_role.id
  principal_object_id = data.azuread_group.test_principal.id
  resource_object_id  = data.azurerm_kubernetes_cluster.akstest001.kubelet_identity[0].object_id
}
Sometimes it can be that you need the direct identity (SystemAssigned if you are not using UserAssigned) of the AKS:
resource "azuread_app_role_assignment" "aks_test_assignment" {
  app_role_id         = data.azurerm_role_definition.test_role.id
  principal_object_id = data.azuread_group.test_principal.id
  resource_object_id  = data.azurerm_kubernetes_cluster.akstest001.identity[0].principal_id
}
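The following is an added, self-contained example (not code from the question or the answer above) that puts the three IDs side by side and fails the plan with a clear message if a non-UUID value reaches resource_object_id. It reuses the names akstest001, rgtest001 and test_principal from the thread; var.app_role_id and the group's display_name are assumed placeholders. Note that app_role_id is also validated as a UUID by the azuread provider: it expects the id of an app role defined on the target application, so an azurerm_role_definition id (an ARM path) would trip the same "must be a valid UUID" check. The try() wrappers keep the plan readable on clusters that have no managed identity or kubelet identity yet.

```hcl
# Added example; names other than akstest001/rgtest001/test_principal are assumed.

provider "azurerm" {
  features {}
}

# Placeholder: the UUID of the app role from the target application's app_roles.
variable "app_role_id" {
  description = "App role UUID (placeholder value supplied by the caller)."
  type        = string
  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.app_role_id))
    error_message = "app_role_id must be a UUID, not an ARM resource ID such as /subscriptions/..."
  }
}

data "azurerm_kubernetes_cluster" "akstest001" {
  name                = "akstest001"
  resource_group_name = "rgtest001"
}

data "azuread_group" "test_principal" {
  display_name = "test_principal" # assumed group name
}

locals {
  uuid_re = "^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$"

  # ARM resource ID: a path, never a UUID. This is what Azure RBAC
  # (azurerm_role_assignment) scopes to; azuread_app_role_assignment rejects it.
  aks_resource_id = data.azurerm_kubernetes_cluster.akstest001.id

  # Object ID of the kubelet (node pool) managed identity; null if absent.
  aks_kubelet_object_id = try(data.azurerm_kubernetes_cluster.akstest001.kubelet_identity[0].object_id, null)

  # Principal ID of the cluster's own system- or user-assigned identity;
  # null when the cluster still runs on a service principal.
  aks_identity_principal_id = try(data.azurerm_kubernetes_cluster.akstest001.identity[0].principal_id, null)
}

resource "azuread_app_role_assignment" "aks_test_assignment" {
  app_role_id         = var.app_role_id
  principal_object_id = data.azuread_group.test_principal.object_id
  resource_object_id  = local.aks_kubelet_object_id

  lifecycle {
    # Fail at plan time with a message that names the mistake instead of the
    # generic provider error from the question.
    precondition {
      condition     = local.aks_kubelet_object_id != null && can(regex(local.uuid_re, local.aks_kubelet_object_id))
      error_message = "resource_object_id must be the object ID (UUID) of the identity behind the cluster, not the cluster's ARM resource ID."
    }
  }
}

# Shows all three values in plan/apply output so the difference is visible.
output "aks_ids" {
  value = {
    resource_id           = local.aks_resource_id
    kubelet_object_id     = local.aks_kubelet_object_id
    identity_principal_id = local.aks_identity_principal_id
  }
}
```

Run terraform plan -var app_role_id=<app-role-uuid> and compare the three entries of aks_ids: only the two UUID-shaped values are candidates for resource_object_id, and the precondition stops the run before the provider call if the kubelet identity is missing.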