terraform-azurerm-caf-enterprise-scale
AKS Private DNS Permissions error
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
We're getting a permission issue similar to this one (AKS Private DNS) while creating the AKS private cluster. We enable the private DNS zone and assign the private DNS zone ID as below.
private_cluster_enabled = true
private_dns_zone_id = data.azurerm_private_dns_zone.azmk8s.id
However, upon running the Terraform code to create the private cluster, we get the customPrivateDNSZoneMissingPermission error, as shown below.
Service principal or user-assigned identity must be given permission to read and write to custom private dns zone /subscriptions/{sub-id}/resourceGroups/rg-dns-connectivity/providers/Microsoft.Network/privateDnsZones/privatelink.westeurope.azmk8s.io. Check access result not allowed for action Microsoft.Network/privateDnsZones/write
One way to solve this is to assign the "Private DNS Contributor" permissions to the AKS user-assigned identity, but that doesn't seem to be a good solution following the hub-spoke approach, as in this case, we will be allowing landing zone corp subscriptions services to get permissions over the private DNS zones in the connectivity subscription.
Another way I am thinking of solving this is to delegate the private DNS zones to the landing zone subscriptions, but the CAF module doesn't have any such feature to enable this.
Following the CAF best practices, any suggestions or help for solving this issue would be appreciated.
Hi, I think this is the wrong repo - you want https://github.com/aztfmod/terraform-azurerm-caf
@matt-FFFFFF We are not using https://github.com/aztfmod/terraform-azurerm-caf
We use this terraform-azurerm-caf-enterprise-scale module to deploy the management group hierarchy, including the governance, policies, and access controls. The module also deploys private DNS zones in the connectivity subscription.
The issue is that whenever we provision a private AKS cluster or enable a private endpoint for any of the CORP landing zone subscription services, we are prompted to grant Private DNS Contributor permissions on the private DNS zones in the connectivity subscriptions.
This is what we did in our code to get round it: use a data source for the actual AKS private DNS zone and then add a role assignment before creating the AKS cluster.
For example:
# Read the existing zone from the connectivity subscription (aliased provider)
# instead of creating a new one in the landing zone.
data "azurerm_private_dns_zone" "azmk8s" {
  name                = local.dns.azk8s_dns_zone_name
  resource_group_name = local.dns.dns_rg_name
  provider            = azurerm.connectivity
}

# Grant the AKS control-plane identity write access scoped to that one zone only.
resource "azurerm_role_assignment" "assign_identity_private_dns_contributor" {
  scope                = data.azurerm_private_dns_zone.azmk8s.id
  role_definition_name = "Private DNS Zone Contributor"
  principal_id         = azurerm_user_assigned_identity.managed_identity.principal_id
}
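As an added example, not code from this thread or from the CAF enterprise-scale module, the same workaround wired into a complete cluster definition so that the scope of the grant and the dependency order are explicit. The provider aliases, resource and variable names, the zone and resource group names (taken from the error message above), the 60-second propagation wait and the node-pool sizing are all assumptions for illustration:

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    time    = { source = "hashicorp/time" }
  }
}

# Default provider: the corp landing zone subscription that owns the cluster.
provider "azurerm" {
  features {}
}

# Aliased provider for the connectivity subscription, which owns the private DNS
# zones deployed by the CAF module. The subscription id variable is assumed.
provider "azurerm" {
  alias           = "connectivity"
  subscription_id = var.connectivity_subscription_id
  features {}
}

variable "connectivity_subscription_id" { type = string }

resource "azurerm_resource_group" "aks" {
  name     = "rg-aks-corp" # assumed name
  location = "westeurope"
}

# Control-plane identity for AKS. This is the principal that has to write the
# API server A record into the custom zone, so it is the one that gets the grant.
resource "azurerm_user_assigned_identity" "aks" {
  name                = "id-aks-corp"
  resource_group_name = azurerm_resource_group.aks.name
  location            = azurerm_resource_group.aks.location
}

# Look up the existing zone in the connectivity subscription; never create it here.
data "azurerm_private_dns_zone" "azmk8s" {
  provider            = azurerm.connectivity
  name                = "privatelink.westeurope.azmk8s.io"
  resource_group_name = "rg-dns-connectivity"
}

# Least privilege: scope the built-in role to the single zone, not the resource
# group or the subscription, so the landing zone identity can touch nothing else.
resource "azurerm_role_assignment" "aks_private_dns" {
  scope                = data.azurerm_private_dns_zone.azmk8s.id
  role_definition_name = "Private DNS Zone Contributor"
  principal_id         = azurerm_user_assigned_identity.aks.principal_id
  principal_type       = "ServicePrincipal" # skips the directory lookup on a brand-new identity
}

# Role assignments are eventually consistent; give them time before AKS runs its
# permission check. The duration is an assumption, tune it for your tenant.
resource "time_sleep" "rbac_propagation" {
  depends_on      = [azurerm_role_assignment.aks_private_dns]
  create_duration = "60s"
}

resource "azurerm_kubernetes_cluster" "this" {
  name                = "aks-corp-01"
  location            = azurerm_resource_group.aks.location
  resource_group_name = azurerm_resource_group.aks.name
  dns_prefix          = "aks-corp-01"

  private_cluster_enabled = true
  private_dns_zone_id     = data.azurerm_private_dns_zone.azmk8s.id

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.aks.id]
  }

  default_node_pool {
    name       = "system"
    vm_size    = "Standard_D4s_v5"
    node_count = 1
  }

  # Explicit ordering: the grant (and the wait) must finish before the cluster is
  # created, otherwise the customPrivateDNSZoneMissingPermission check fails.
  depends_on = [time_sleep.rbac_propagation]
}
```

Two things to check before adopting this. First, whichever principal runs `terraform apply` needs `Microsoft.Authorization/roleAssignments/write` at the zone scope (Owner or User Access Administrator on that zone), which is itself a cross-subscription privilege; if the landing zone pipeline should not hold that, put `provider = azurerm.connectivity` on the `azurerm_role_assignment` and let the platform side apply it. Second, the grant lands only on the control-plane identity, which pods in the cluster cannot use, so the blast radius is the API server's own record management on that one zone rather than "the landing zone" at large.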
@anwarnk Yes, this is how we solved it as well. However, granting AKS permissions over the private DNS zones in the connectivity subscription is not a good idea.