diff --git a/caf_solution/add-ons/aks_secure_baseline_v2/aks-pod-identity-assignment.tf b/caf_solution/add-ons/aks_secure_baseline_v2/aks-pod-identity-assignment.tf index eab82971..ed6818de 100644 --- a/caf_solution/add-ons/aks_secure_baseline_v2/aks-pod-identity-assignment.tf +++ b/caf_solution/add-ons/aks_secure_baseline_v2/aks-pod-identity-assignment.tf @@ -1,67 +1,67 @@ -# Get the details of the node pool's resource group created by AKS -data "azurerm_resource_group" "noderg" { - for_each = var.aks_clusters - name = local.remote.aks_clusters[each.value.lz_key][each.value.key].node_resource_group -} +# # Get the details of the node pool's resource group created by AKS +# data "azurerm_resource_group" "noderg" { +# for_each = var.aks_clusters +# name = local.remote.aks_clusters[each.value.lz_key][each.value.key].node_resource_group +# } -# -# Set permissions to the kubelet and cluster identity -# -resource "azurerm_role_assignment" "kubelet_noderg_miop" { - for_each = var.aks_clusters +# # +# # Set permissions to the kubelet and cluster identity +# # +# resource "azurerm_role_assignment" "kubelet_noderg_miop" { +# for_each = var.aks_clusters - scope = data.azurerm_resource_group.noderg[each.key].id - role_definition_name = "Managed Identity Operator" - principal_id = local.remote.aks_clusters[each.value.lz_key][each.value.key].kubelet_identity[0].object_id -} +# scope = data.azurerm_resource_group.noderg[each.key].id +# role_definition_name = "Managed Identity Operator" +# principal_id = local.remote.aks_clusters[each.value.lz_key][each.value.key].kubelet_identity[0].object_id +# } -resource "azurerm_role_assignment" "kubelet_noderg_vmcontrib" { - for_each = var.aks_clusters +# resource "azurerm_role_assignment" "kubelet_noderg_vmcontrib" { +# for_each = var.aks_clusters - scope = data.azurerm_resource_group.noderg[each.key].id - role_definition_name = "Virtual Machine Contributor" - principal_id = local.remote.aks_clusters[each.value.lz_key][each.value.key].kubelet_identity[0].object_id -} +# scope = data.azurerm_resource_group.noderg[each.key].id +# role_definition_name = "Virtual Machine Contributor" +# principal_id = local.remote.aks_clusters[each.value.lz_key][each.value.key].kubelet_identity[0].object_id +# } -# Separate subnet -resource "azurerm_role_assignment" "kubelet_subnets_networkcontrib" { - for_each = lookup(var.vnets[var.aks_cluster_vnet_key],"subnet_keys",{vnet=true}) +# # Separate subnet +# resource "azurerm_role_assignment" "kubelet_subnets_networkcontrib" { +# for_each = lookup(var.vnets[var.aks_cluster_vnet_key],"subnet_keys",{vnet=true}) - scope = try(each.value==true, false) ? local.remote.vnets[var.vnets[var.aks_cluster_vnet_key].lz_key][var.vnets[var.aks_cluster_vnet_key].key].id : local.remote.vnets[var.vnets[var.aks_cluster_vnet_key].lz_key][var.vnets[var.aks_cluster_vnet_key].key].subnets[each.value].id - role_definition_name = "Network Contributor" - principal_id = local.remote.aks_clusters[var.aks_clusters[var.aks_cluster_key].lz_key][var.aks_cluster_key].identity[0].principal_id -} - -# # Whole vnet -# resource "azurerm_role_assignment" "kubelet_vnet_networkcontrib" { -# for_each = lookup(var.vnets[var.aks_cluster_vnet_key],"subnet_keys",null) == null ? var.vnets : {} - -# scope = local.remote.vnets[var.vnets[var.aks_cluster_vnet_key].lz_key][var.vnets[var.aks_cluster_vnet_key].key].id +# scope = try(each.value==true, false) ? local.remote.vnets[var.vnets[var.aks_cluster_vnet_key].lz_key][var.vnets[var.aks_cluster_vnet_key].key].id : local.remote.vnets[var.vnets[var.aks_cluster_vnet_key].lz_key][var.vnets[var.aks_cluster_vnet_key].key].subnets[each.value].id # role_definition_name = "Network Contributor" # principal_id = local.remote.aks_clusters[var.aks_clusters[var.aks_cluster_key].lz_key][var.aks_cluster_key].identity[0].principal_id # } -resource "azurerm_role_assignment" "kubelet_user_msi" { - for_each = local.msi_to_grant_permissions +# # # Whole vnet +# # resource "azurerm_role_assignment" "kubelet_vnet_networkcontrib" { +# # for_each = lookup(var.vnets[var.aks_cluster_vnet_key],"subnet_keys",null) == null ? var.vnets : {} - scope = each.value.id - role_definition_name = "Managed Identity Operator" - principal_id = local.remote.aks_clusters[var.aks_clusters[var.aks_cluster_key].lz_key][var.aks_cluster_key].kubelet_identity[0].object_id -} +# # scope = local.remote.vnets[var.vnets[var.aks_cluster_vnet_key].lz_key][var.vnets[var.aks_cluster_vnet_key].key].id +# # role_definition_name = "Network Contributor" +# # principal_id = local.remote.aks_clusters[var.aks_clusters[var.aks_cluster_key].lz_key][var.aks_cluster_key].identity[0].principal_id +# # } -locals { - msi_to_grant_permissions = { - for msi in flatten( - [ - for key, value in var.managed_identities : [ - for msi_key in value.msi_keys : { - key = key - msi_key = msi_key - id = local.remote.managed_identities[value.lz_key][msi_key].id - } - ] - ] - ) : format("%s-%s", msi.key, msi.msi_key) => msi - } -} +# resource "azurerm_role_assignment" "kubelet_user_msi" { +# for_each = local.msi_to_grant_permissions + +# scope = each.value.id +# role_definition_name = "Managed Identity Operator" +# principal_id = local.remote.aks_clusters[var.aks_clusters[var.aks_cluster_key].lz_key][var.aks_cluster_key].kubelet_identity[0].object_id +# } + +# locals { +# msi_to_grant_permissions = { +# for msi in flatten( +# [ +# for key, value in var.managed_identities : [ +# for msi_key in value.msi_keys : { +# key = key +# msi_key = msi_key +# id = local.remote.managed_identities[value.lz_key][msi_key].id +# } +# ] +# ] +# ) : format("%s-%s", msi.key, msi.msi_key) => msi +# } +# }