Azure Role Assignment - AKS to ACR - Terraform
I am using the Terraform code below to create a resource group and an AKS cluster, and I am trying to allow the AKS cluster to use an existing ACR in the same subscription, referenced with a data {} block. It works fine without the role assignment block, but when I use it I keep getting the following error:
Error: Invalid index
on main.tf line 40, in resource "azurerm_role_assignment" "aks_to_acr_role":
40: principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
|----------------
| azurerm_kubernetes_cluster.aks.kubelet_identity is empty list of object
The given key does not identify an element in this collection value.
I have looked at Stack Exchange, the Microsoft Azure docs, Terraform issues and many blog posts, and honestly I have no idea at this point what is going wrong. Any suggestions would be greatly appreciated.
resource "azurerm_resource_group" "rg" {
  name     = var.resource_group_name
  location = var.location
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = var.cluster_name
  kubernetes_version  = var.kubernetes_version
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = var.cluster_name

  default_node_pool {
    name                = "system"
    node_count          = var.system_node_count
    vm_size             = "Standard_B2ms"
    type                = "VirtualMachineScaleSets"
    availability_zones  = [1, 2, 3]
    enable_auto_scaling = false
  }

  # Cluster authenticates with a service principal; no identity {} block is set.
  service_principal {
    client_id     = var.appId
    client_secret = var.password
  }
}

data "azurerm_container_registry" "acr_name" {
  name                = "xxxxx"
  resource_group_name = "xxxxx"
}

resource "azurerm_role_assignment" "aks_to_acr_role" {
  scope                            = data.azurerm_container_registry.acr_name.id
  role_definition_name             = "AcrPull"
  # kubelet_identity is an empty list for a service_principal cluster, hence the error.
  principal_id                     = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
  skip_service_principal_aad_check = true
}
The ACR name and RG name are xxxxx for privacy reasons.
When a Service Principal is used as the identity of the Kubernetes cluster, kubelet_identity will be empty because you did not define an identity block when creating the AKS cluster. The identity block conflicts with the service_principal block, so they cannot be used together.
Solution:
You can use an identity of type SystemAssigned instead of a Service Principal; then you do not need to configure the kubelet_identity block, it will be provisioned automatically, and you can use azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id successfully. So your code will look like this:
provider "azurerm" {
  features {}
}

data "azurerm_resource_group" "rg" {
  name = "ansumantest"
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "ansumantestaks"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  dns_prefix          = "ansumantestaks-dns"

  default_node_pool {
    name                = "system"
    node_count          = 1
    vm_size             = "Standard_B2ms"
    type                = "VirtualMachineScaleSets"
    availability_zones  = [1, 2, 3]
    enable_auto_scaling = false
  }

  # A system-assigned managed identity populates kubelet_identity automatically.
  identity {
    type = "SystemAssigned"
  }
}

data "azurerm_container_registry" "acr_name" {
  name                = "ansumantestacr"
  resource_group_name = data.azurerm_resource_group.rg.name
}

resource "azurerm_role_assignment" "aks_to_acr_role" {
  scope                            = data.azurerm_container_registry.acr_name.id
  role_definition_name             = "AcrPull"
  principal_id                     = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
  skip_service_principal_aad_check = true
}
Output:
If you only want to use a service principal rather than an identity, then you must use the service principal's object ID in the role assignment, since AKS is also using that same service principal. The code with the service_principal block will look like this:
provider "azurerm" {
  features {}
}

provider "azuread" {}

# Service Principal which is being used by AKS.
data "azuread_service_principal" "akssp" {
  display_name = "aksspansuman"
}

data "azurerm_resource_group" "rg" {
  name = "ansumantest"
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "ansumantestaks"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  dns_prefix          = "ansumantestaks-dns"

  default_node_pool {
    name                = "system"
    node_count          = 1
    vm_size             = "Standard_B2ms"
    type                = "VirtualMachineScaleSets"
    availability_zones  = [1, 2, 3]
    enable_auto_scaling = false
  }

  service_principal {
    client_id     = data.azuread_service_principal.akssp.application_id
    client_secret = "e997Q~xxxxxxxx"
  }
}

data "azurerm_container_registry" "acr_name" {
  name                = "ansumantestacr"
  resource_group_name = data.azurerm_resource_group.rg.name
}

resource "azurerm_role_assignment" "aks_to_acr_role" {
  scope                            = data.azurerm_container_registry.acr_name.id
  role_definition_name             = "AcrPull"
  # The same service principal the cluster runs as pulls the images.
  principal_id                     = data.azuread_service_principal.akssp.object_id
  skip_service_principal_aad_check = true
}
Output:
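The answer turns on two facts a reviewer of this configuration wants to verify before apply: which principal the cluster actually runs as (managed identity versus service principal), and that AcrPull is granted on the registry itself rather than on a wider scope. The script below is an added example, not part of the original question or answer and not an azurerm provider feature: it audits a `terraform show -json tfplan` document for exactly those two points. The plan document embedded in it is constructed to mirror the SystemAssigned variant above, plus one deliberately over-broad AcrPull assignment; the resource address `azurerm_role_assignment.rg_wide_pull` and the subscription and principal GUIDs are placeholders.

```python
import json

# Resource-ID fragment that identifies an Azure Container Registry scope.
ACR_SCOPE_MARKER = "/providers/microsoft.containerregistry/registries/"

# Constructed sample of `terraform show -json tfplan` output (not a real plan):
# the answer's SystemAssigned cluster, its AcrPull assignment scoped to the
# registry, and one deliberately over-broad AcrPull assignment on the resource group.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "azurerm_kubernetes_cluster.aks",
            "type": "azurerm_kubernetes_cluster",
            "change": {
                "actions": ["create"],
                "after": {"name": "ansumantestaks",
                          "identity": [{"type": "SystemAssigned"}],
                          "service_principal": []},
                # kubelet_identity is assigned by Azure, so it is unknown at plan time.
                "after_unknown": {"kubelet_identity": True},
            },
        },
        {
            "address": "azurerm_role_assignment.aks_to_acr_role",
            "type": "azurerm_role_assignment",
            "change": {
                "actions": ["create"],
                "after": {"scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                   "/resourceGroups/ansumantest/providers"
                                   "/Microsoft.ContainerRegistry/registries/ansumantestacr",
                          "role_definition_name": "AcrPull"},
                "after_unknown": {"principal_id": True},
            },
        },
        {
            "address": "azurerm_role_assignment.rg_wide_pull",  # placeholder name
            "type": "azurerm_role_assignment",
            "change": {
                "actions": ["create"],
                "after": {"scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                   "/resourceGroups/ansumantest",
                          "role_definition_name": "AcrPull",
                          "principal_id": "11111111-1111-1111-1111-111111111111"},
                "after_unknown": {},
            },
        },
    ],
})


def identity_mode(cluster_after):
    """Classify how the cluster authenticates to Azure, as the answer distinguishes."""
    if cluster_after.get("identity"):
        return "managed"            # identity {} block: kubelet_identity will be populated
    if cluster_after.get("service_principal"):
        return "service_principal"  # kubelet_identity stays an empty list
    return "unknown"


def audit_plan(plan_json):
    """Return a list of (resource address, finding) tuples for the plan document."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        addr = rc["address"]
        if not after and not unknown:
            continue  # destroyed resources carry no post-apply configuration

        if rc["type"] == "azurerm_kubernetes_cluster":
            mode = identity_mode(after)
            if mode == "service_principal":
                findings.append((addr, "service_principal cluster: kubelet_identity is empty, "
                                       "grant AcrPull to the service principal object_id"))
            elif mode == "unknown":
                findings.append((addr, "cluster declares neither identity nor service_principal"))

        elif rc["type"] == "azurerm_role_assignment":
            role = after.get("role_definition_name", "")
            scope = after.get("scope", "")
            # Least privilege: pull rights belong on the one registry, not the RG or subscription.
            if role == "AcrPull" and not unknown.get("scope") and ACR_SCOPE_MARKER not in scope.lower():
                findings.append((addr, "AcrPull scoped above the registry: " + scope))
            # A computed principal_id (e.g. kubelet_identity[0].object_id) is fine; a missing one is not.
            if after.get("principal_id") is None and not unknown.get("principal_id"):
                findings.append((addr, "principal_id is neither set nor computed"))
    return findings


if __name__ == "__main__":
    for address, message in audit_plan(SAMPLE_PLAN):
        print(f"{address}: {message}")
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and pass the file contents to `audit_plan`. On the sample it reports only the resource-group-wide AcrPull grant; the registry-scoped assignment whose principal_id is still unknown at plan time is accepted, which is the expected state for the SystemAssigned variant in the answer.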