azurerm_kubernetes_cluster_extension: Missing resource provider registration #22462

Closed
1 task done
Felix-Franz opened this issue Jul 11, 2023 · 3 comments · Fixed by #22463

@Felix-Franz
Contributor

Felix-Franz commented Jul 11, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Terraform Version

1.4.6

AzureRM Provider Version

3.63.0

Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster_extension

Terraform Configuration Files

resource "azurerm_kubernetes_cluster_extension" "flux" {
  name           = "flux"
  cluster_id     = azurerm_kubernetes_cluster.main.id
  extension_type = "microsoft.flux"
}

Debug Output/Panic Output

│ Error: creating Extension (Subscription: "<hidden>"
│ Resource Group Name: "RG-M-AKS-felix-test"
│ Provider Name: "Microsoft.ContainerService"
│ Cluster Resource Name: "managedClusters"
│ Cluster Name: "felix-test"
│ Extension Name: "flux"): polling after Create: polling failed: the Azure API returned the following error:
│ 
│ Status: "Failed"
│ Code: "ExtensionOperationFailed"
│ Message: "The extension operation failed with the following error:  Request failed to https://management.azure.com/subscriptions/<hidden>/resourceGroups/RG-M-AKS-felix-test/providers/Microsoft.ContainerService/managedclusters/felix-test/extensionaddons/flux?api-version=2021-03-01. Error code: Forbidden. Reason: Forbidden.{\"error\":{\"code\":\"AuthorizationFailed\",\"message\":\"The client 'e64b1a2c-694a-4ff8-aead-a4cde0b5f231' with object id 'e64b1a2c-694a-4ff8-aead-a4cde0b5f231' does not have authorization to perform action 'Microsoft.ContainerService/managedclusters/extensionaddons/read' over scope '/subscriptions/<hidden>/resourceGroups/RG-M-AKS-felix-test/providers/Microsoft.ContainerService/managedclusters/felix-test/extensionaddons/flux' or the scope is invalid. If access was recently granted, please refresh your credentials.\"}}."
│ Activity Id: ""
│ 
│ ---
│ 
│ API Response:
│ 
│ ----[start]----
│ {"id":"/subscriptions/<hidden>/resourceGroups/RG-M-AKS-felix-test/providers/Microsoft.ContainerService/ManagedClusters/felix-test/providers/Microsoft.KubernetesConfiguration/extensions/flux/operations/d7c1f7d2-2fc6-4abc-ade3-dd527c05c511","name":"d7c1f7d2-2fc6-4abc-ade3-dd527c05c511","status":"Failed","error":{"code":"ExtensionOperationFailed","message":"The extension operation failed with the following error:  Request failed to https://management.azure.com/subscriptions/<hidden>/resourceGroups/RG-M-AKS-felix-test/providers/Microsoft.ContainerService/managedclusters/felix-test/extensionaddons/flux?api-version=2021-03-01. Error code: Forbidden. Reason: Forbidden.{\"error\":{\"code\":\"AuthorizationFailed\",\"message\":\"The client '<hidden>' with object id '<hidden>' does not have authorization to perform action 'Microsoft.ContainerService/managedclusters/extensionaddons/read' over scope '/subscriptions/<hidden>/resourceGroups/RG-M-AKS-felix-test/providers/Microsoft.ContainerService/managedclusters/felix-test/extensionaddons/flux' or the scope is invalid. If access was recently granted, please refresh your credentials.\"}}.","additionalInfo":[]}}
│ -----[end]-----
│ 
│ 
│   with module.debug.azurerm_kubernetes_cluster_extension.flux[0],
│   on ../gitops.tf line 67, in resource "azurerm_kubernetes_cluster_extension" "flux":
│   67: resource "azurerm_kubernetes_cluster_extension" "flux" {
│ 
│ creating Extension (Subscription: "<hidden>"
│ Resource Group Name: "RG-M-AKS-felix-test"
│ Provider Name: "Microsoft.ContainerService"
│ Cluster Resource Name: "managedClusters"
│ Cluster Name: "felix-test"
│ Extension Name: "flux"): polling after Create: polling failed: the Azure API returned the following error:
│ 
│ Status: "Failed"
│ Code: "ExtensionOperationFailed"
│ Message: "The extension operation failed with the following error:  Request failed to
│ https://management.azure.com/subscriptions/<hidden>/resourceGroups/RG-M-AKS-felix-test/providers/Microsoft.ContainerService/managedclusters/felix-test/extensionaddons/flux?api-version=2021-03-01.
│ Error code: Forbidden. Reason: Forbidden.{\"error\":{\"code\":\"AuthorizationFailed\",\"message\":\"The client '<hidden>' with object id '<hidden>' does not have
│ authorization to perform action 'Microsoft.ContainerService/managedclusters/extensionaddons/read' over scope
│ '/subscriptions/<hidden>/resourceGroups/RG-M-AKS-felix-test/providers/Microsoft.ContainerService/managedclusters/felix-test/extensionaddons/flux' or the scope is invalid. If access was
│ recently granted, please refresh your credentials.\"}}."
│ Activity Id: ""
│ 
│ ---
│ 
│ API Response:
│ 
│ ----[start]----
│ {"id":"/subscriptions/<hidden>/resourceGroups/RG-M-AKS-felix-test/providers/Microsoft.ContainerService/ManagedClusters/felix-test/providers/Microsoft.KubernetesConfiguration/extensions/flux/operations/d7c1f7d2-2fc6-4abc-ade3-dd527c05c511","name":"d7c1f7d2-2fc6-4abc-ade3-dd527c05c511","status":"Failed","error":{"code":"ExtensionOperationFailed","message":"The
│ extension operation failed with the following error:  Request failed to
│ https://management.azure.com/subscriptions/<hidden>/resourceGroups/RG-M-AKS-felix-test/providers/Microsoft.ContainerService/managedclusters/felix-test/extensionaddons/flux?api-version=2021-03-01.
│ Error code: Forbidden. Reason: Forbidden.{\"error\":{\"code\":\"AuthorizationFailed\",\"message\":\"The client 'e64b1a2c-694a-4ff8-aead-a4cde0b5f231' with object id 'e64b1a2c-694a-4ff8-aead-a4cde0b5f231' does not have
│ authorization to perform action 'Microsoft.ContainerService/managedclusters/extensionaddons/read' over scope
│ '/subscriptions/<hidden>/resourceGroups/RG-M-AKS-felix-test/providers/Microsoft.ContainerService/managedclusters/felix-test/extensionaddons/flux' or the scope is invalid. If access was
│ recently granted, please refresh your credentials.\"}}.","additionalInfo":[]}}
│ -----[end]-----

Expected Behaviour

The following Resource Providers should automatically be registered when using the resource:

  • Microsoft.Kubernetes
  • Microsoft.KubernetesConfiguration

Actual Behaviour

The resource providers stay unregistered

Steps to Reproduce

  1. unregister resource providers Microsoft.Kubernetes & Microsoft.KubernetesConfiguration (if already registered)
  2. run terraform apply with provided resource configuration
  3. ➡ error

Important Factoids

No response

References

No response

@jackofallops
Member

Hi @Felix-Franz - Just by way of update, we'll be reverting the auto-registration of these two providers in #22580. The "core" resource providers list is a best-effort attempt to set up the provider with the highly used RPs that the majority of users are likely to need. In adding these two new RPs we've discovered that a significant part of the community has been adversely impacted by this addition.
If you want or need to manage the registration of these providers within your Terraform configuration, you can use the azurerm_resource_provider_registration resource.

Thanks in advance for your understanding.
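
One way to apply the suggestion in the comment above, as an added example that is not part of the issue thread or the provider's own code. The resource label `aks_extension` and the `depends_on` wiring are assumptions; `azurerm_kubernetes_cluster.main` is taken from the reporter's configuration and is assumed to exist.

```hcl
# Added example. Registers the two resource providers named in the issue
# explicitly instead of relying on the provider's auto-registration list.
# The identity running Terraform must be allowed to perform the
# "<namespace>/register/action" operation on the subscription.
resource "azurerm_resource_provider_registration" "aks_extension" {
  for_each = toset([
    "Microsoft.Kubernetes",
    "Microsoft.KubernetesConfiguration",
  ])

  name = each.key
}

resource "azurerm_kubernetes_cluster_extension" "flux" {
  name           = "flux"
  cluster_id     = azurerm_kubernetes_cluster.main.id
  extension_type = "microsoft.flux"

  # The extension has no attribute reference to the registrations, so
  # Terraform cannot infer the ordering. Without this, the extension may be
  # created in parallel with (or before) the registrations.
  depends_on = [
    azurerm_resource_provider_registration.aks_extension,
  ]
}
```

Destroying an `azurerm_resource_provider_registration` resource unregisters that provider for the whole subscription, so keep these registrations in the configuration that owns subscription-level setup rather than in a per-cluster module.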

@Felix-Franz
Contributor Author

Too bad, then using azurerm_kubernetes_cluster_extension will be much more complicated for us.
We had no problems with the automatic provider registration in our Microsoft tenant so far.
Thanks a lot for informing me!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 23, 2024