ingress_application_gateway AKS addon should export managed identity properties #11564

Closed
Flektoma opened this issue May 3, 2021 · 6 comments · Fixed by #11622

Flektoma commented May 3, 2021

Hi all.

Recently, a new version of the provider was released that finally allows installing the appgw ingress controller as an AKS addon via terraform. Sadly, compared to the az aks enable-addons -n AKS_NAME -g RG_NAME -a ingress-appgw --appgw-id APPGW_ID command, it does not configure access for the ingress controller addon to appgw objects.

What does it mean? When the addon is installed via terraform, a managed identity for the ingress appgw controller is created in the same resource group where the cluster exists, but no role is assigned to it. As a result, the ingress controller running in the cluster is not able to configure the appgw and is useless. Also, its properties are not exported to terraform code, thus I am unable to retrieve the identity ID and assign a role myself in terraform.
The only option I can see to make this addon work is assigning the role manually.

Suggestions:

  • export the identity properties of the managed identity that was created (similar to oms_agent_identity) so it can be referenced in terraform code and assigned some role
  • make the user_assigned_identity_id attribute optional for the addon_profile.ingress_application_gateway resource so it can be provided externally (probably more work)

Relevant code in az cli: https://github.com/Azure/azure-cli/blob/561240abe913d98d861453c29640501965614890/src/azure-cli/azure/cli/command_modules/acs/custom.py#L1737

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

terraform: v0.14.9
azurerm provider: v2.57.0

Affected Resource(s)

  • azurerm_kubernetes_cluster

Specifically its part:

    addon_profile {
      ingress_application_gateway {
        enabled    = true
        gateway_id = azurerm_application_gateway.ingress_appgw.id
      }
    }

Related to: #11376

@aristosvo
Collaborator

@Flektoma I'll see if I can file a PR for this, I'll keep you posted!

mcabrito commented May 7, 2021

I have the same problem.

@aristosvo
Collaborator

Almost there 😅

@mbfrahry mbfrahry added this to the v2.59.0 milestone May 7, 2021
@Flektoma
Author

@aristosvo Thank you for addressing this! :)

ghost commented May 14, 2021

This has been released in version 2.59.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.59.0"
}
# ... other configuration ...
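
Added example, not part of the original thread or the provider's own code: a Terraform fragment that uses the identity export requested in this issue to grant the addon's managed identity access to the gateway, scoped narrowly. It assumes the azurerm 2.x schema from 2.59.0 onward, where the export is named ingress_application_gateway_identity; the resource names azurerm_kubernetes_cluster.aks and azurerm_resource_group.appgw_rg are hypothetical, and the role choice (Contributor on the gateway, Reader on its resource group) is an assumption, not something the thread specifies.

```hcl
# Assumes these resources are declared elsewhere in the configuration:
#   azurerm_kubernetes_cluster.aks            (hypothetical name; has the
#                                              ingress_application_gateway addon enabled)
#   azurerm_application_gateway.ingress_appgw (name taken from the issue)
#   azurerm_resource_group.appgw_rg           (hypothetical name; holds the gateway)

locals {
  # Object ID of the managed identity the addon creates in the cluster's
  # node resource group. Exported by the provider since 2.59.0 (2.x schema).
  agic_principal_id = azurerm_kubernetes_cluster.aks.addon_profile[0].ingress_application_gateway[0].ingress_application_gateway_identity[0].object_id
}

# Write access limited to the one gateway the controller manages,
# rather than a resource group or the whole subscription.
resource "azurerm_role_assignment" "agic_appgw_contributor" {
  scope                = azurerm_application_gateway.ingress_appgw.id
  role_definition_name = "Contributor" # assumed role, see lead-in
  principal_id         = local.agic_principal_id
}

# Read-only access to the resource group containing the gateway.
resource "azurerm_role_assignment" "agic_rg_reader" {
  scope                = azurerm_resource_group.appgw_rg.id
  role_definition_name = "Reader" # assumed role, see lead-in
  principal_id         = local.agic_principal_id
}

# Exposed so the assignment can be audited outside Terraform.
output "agic_identity_object_id" {
  value = local.agic_principal_id
}
```

Keeping the Contributor scope on the gateway's own resource ID means a compromised ingress controller pod cannot modify other resources that share the gateway's resource group.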

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 14, 2021