
I am using the Terraform code below to create a resource group and an AKS cluster, and I am trying to allow the AKS cluster to use an existing ACR in the same subscription via a data {} reference. Without the role assignment block it works fine, but as soon as I add it I keep getting the following error

Error: Invalid index

  on main.tf line 40, in resource "azurerm_role_assignment" "aks_to_acr_role":
  40:   principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
    |----------------
    | azurerm_kubernetes_cluster.aks.kubelet_identity is empty list of object

The given key does not identify an element in this collection value.

I have looked through Stack Exchange, the Microsoft Azure docs, Terraform issues and a lot of blog posts, and honestly I have no idea what is wrong at this point. Any suggestions would be greatly appreciated.

    resource "azurerm_resource_group" "rg" {
      name     = var.resource_group_name
      location = var.location
    }

    resource "azurerm_kubernetes_cluster" "aks" {
      name                = var.cluster_name
      kubernetes_version  = var.kubernetes_version
      location            = var.location
      resource_group_name = azurerm_resource_group.rg.name
      dns_prefix          = var.cluster_name

      default_node_pool {
        name                = "system"
        node_count          = var.system_node_count
        vm_size             = "Standard_B2ms"
        type                = "VirtualMachineScaleSets"
        availability_zones  = [1, 2, 3]
        enable_auto_scaling = false
      }

      service_principal {
        client_id     = var.appId
        client_secret = var.password
      }
    }

    data "azurerm_container_registry" "acr_name" {
      name                = "xxxxx"
      resource_group_name = "xxxxx"
    }

    resource "azurerm_role_assignment" "aks_to_acr_role" {
      scope                            = data.azurerm_container_registry.acr_name.id
      role_definition_name             = "AcrPull"
      principal_id                     = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
      skip_service_principal_aad_check = true
    }

The ACR name and RG name are xxxxx for privacy reasons.


1 Answer


When a Service Principal is used as the identity for the Kubernetes cluster, the kubelet_identity field will be empty, because you have not defined an identity block while creating the AKS cluster. The identity block conflicts with the service_principal block, so they cannot be used together.

Solutions:

  1. You can use an identity of type SystemAssigned instead of a Service Principal. Then you do not have to configure the kubelet_identity block; it will be provisioned automatically and you can use azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id successfully. So your code will look like this:

    provider "azurerm" {
      features {}
    }

    data "azurerm_resource_group" "rg" {
      name = "ansumantest"
    }

    resource "azurerm_kubernetes_cluster" "aks" {
      name                = "ansumantestaks"
      location            = data.azurerm_resource_group.rg.location
      resource_group_name = data.azurerm_resource_group.rg.name
      dns_prefix          = "ansumantestaks-dns"

      default_node_pool {
        name                = "system"
        node_count          = 1
        vm_size             = "Standard_B2ms"
        type                = "VirtualMachineScaleSets"
        availability_zones  = [1, 2, 3]
        enable_auto_scaling = false
      }

      identity {
        type = "SystemAssigned"
      }
    }

    data "azurerm_container_registry" "acr_name" {
      name                = "ansumantestacr"
      resource_group_name = data.azurerm_resource_group.rg.name
    }

    resource "azurerm_role_assignment" "aks_to_acr_role" {
      scope                            = data.azurerm_container_registry.acr_name.id
      role_definition_name             = "AcrPull"
      principal_id                     = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
      skip_service_principal_aad_check = true
    }


    Output: (screenshots not reproduced)


  2. If you want to use only the Service Principal rather than an identity, then you have to use the Service Principal's object ID in the role assignment, since AKS is using that same Service Principal. The code with the service_principal block will look like this:

    provider "azurerm" {
      features {}
    }

    provider "azuread" {}

    # Service Principal which is being used by AKS.
    data "azuread_service_principal" "akssp" {
      display_name = "aksspansuman"
    }

    data "azurerm_resource_group" "rg" {
      name = "ansumantest"
    }

    resource "azurerm_kubernetes_cluster" "aks" {
      name                = "ansumantestaks"
      location            = data.azurerm_resource_group.rg.location
      resource_group_name = data.azurerm_resource_group.rg.name
      dns_prefix          = "ansumantestaks-dns"

      default_node_pool {
        name                = "system"
        node_count          = 1
        vm_size             = "Standard_B2ms"
        type                = "VirtualMachineScaleSets"
        availability_zones  = [1, 2, 3]
        enable_auto_scaling = false
      }

      service_principal {
        client_id     = data.azuread_service_principal.akssp.application_id
        client_secret = "e997Q~xxxxxxxx"
      }
    }

    data "azurerm_container_registry" "acr_name" {
      name                = "ansumantestacr"
      resource_group_name = data.azurerm_resource_group.rg.name
    }

    resource "azurerm_role_assignment" "aks_to_acr_role" {
      scope                            = data.azurerm_container_registry.acr_name.id
      role_definition_name             = "AcrPull"
      principal_id                     = data.azuread_service_principal.akssp.object_id
      skip_service_principal_aad_check = true
    }


    Output: (screenshots not reproduced)

answered 2021-11-11T05:55:56.413
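As an added example (not code from the question or the answer above), the SystemAssigned variant from solution 1 with a lifecycle precondition that reports an empty kubelet_identity explicitly instead of failing with the "Invalid index" error; the names my-rg, my-aks and my-acr are placeholders, and preconditions require Terraform 1.2 or later.

```hcl
# Added example, not the question's or the answer's code: solution 1 (SystemAssigned)
# plus a lifecycle precondition that reports an empty kubelet_identity clearly
# instead of the "Invalid index" error. my-rg / my-aks / my-acr are placeholders.

data "azurerm_resource_group" "rg" {
  name = "my-rg"
}

data "azurerm_container_registry" "acr" {
  name                = "my-acr"
  resource_group_name = data.azurerm_resource_group.rg.name
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "my-aks"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  dns_prefix          = "my-aks-dns"

  default_node_pool {
    name       = "system"
    node_count = 1
    vm_size    = "Standard_B2ms"
  }

  # Managed identity instead of service_principal: no client secret to store,
  # and AKS provisions the kubelet identity that the role assignment needs.
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_role_assignment" "aks_to_acr_role" {
  # Scope is the single registry, not the resource group or subscription.
  scope                            = data.azurerm_container_registry.acr.id
  role_definition_name             = "AcrPull"
  principal_id                     = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
  skip_service_principal_aad_check = true

  # Checked before principal_id is evaluated (Terraform >= 1.2), so a cluster
  # configured with service_principal fails with this message, not "Invalid index".
  lifecycle {
    precondition {
      condition     = length(azurerm_kubernetes_cluster.aks.kubelet_identity) > 0
      error_message = "AKS cluster has no kubelet identity: use identity { type = \"SystemAssigned\" } instead of service_principal."
    }
  }
}
```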