
v4 removed private vnet integration for API server in azurerm_kubernetes_cluster

Open LiamLeane opened this issue 4 months ago • 5 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues


Terraform Version

Tofu 1.8.2

AzureRM Provider Version

4.4.0

Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Terraform Configuration Files

resource "azurerm_kubernetes_cluster" "k8s" {
  api_server_access_profile {
    subnet_id                = var.api_server_subnet_id # Does not exist
    vnet_integration_enabled = true # Does not exist
  }
}

Debug Output/Panic Output

│ Error: Unsupported argument
│ 
│   on ..\..\k8.tf line 118, in resource "azurerm_kubernetes_cluster" "k8s":
│  118:     subnet_id                = var.api_server_subnet_id
│ 
│ An argument named "subnet_id" is not expected here.
╵
╷
│ Error: Unsupported argument
│ 
│   on ..\..\k8.tf line 119, in resource "azurerm_kubernetes_cluster" "k8s":
│  119:     vnet_integration_enabled = true
│ 
│ An argument named "vnet_integration_enabled" is not expected here.

Expected Behaviour

Can vnet integrate API server

Actual Behaviour

Can't integrate API server.

I understand why this occurred with the migration to the stable API. However, this specific case should have been exempted, as API vnet integration is required for key_management_service.key_vault_network_access = "Private", which is required for every security & compliance standard that exists.

Unless egress is using a user-defined resource, the IP that will originate the KMS calls will not be known until after the cluster is created, which requires an unsafe azurerm_key_vault configuration with a default allow rule. Having public internet access enabled to AKV at all is inherently unsafe, but this compounds that problem.

As it currently stands, this resource is not usable in professional cloud settings (it is currently entirely unusable in gov cloud, as it won't meet 800-53), and azapi or ARM/bicep has to be used in its place.

Steps to Reproduce

No response

Important Factoids

No response

References

No response

LiamLeane, Oct 12 '24 23:10
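As an added example, not code from the issue or from the provider, here are the two Key Vault postures the report contrasts, written in HCL. The first is the publicly reachable vault with the default-allow firewall the author says v4 forces; the second is the private vault that key_vault_network_access = "Private" expects, which only works when the API server's KMS calls originate inside the VNet. Resource names, the var.* inputs and the PLACEHOLDER suffixes are assumptions.

```hcl
# Posture the report says v4 forces: public endpoint kept and firewall defaulting
# to Allow, because the API server's KMS source IP is unknown before the cluster exists.
resource "azurerm_key_vault" "kms_public" {
  name                          = "kv-kms-public-PLACEHOLDER"
  location                      = var.location
  resource_group_name           = var.resource_group_name
  tenant_id                     = var.tenant_id
  sku_name                      = "standard"
  public_network_access_enabled = true
  network_acls {
    bypass         = "AzureServices"
    default_action = "Allow" # the "default allow rule" the report calls unsafe
  }
}

# Private posture: no public endpoint, Deny by default, reached only via a private endpoint.
resource "azurerm_key_vault" "kms_private" {
  name                          = "kv-kms-private-PLACEHOLDER"
  location                      = var.location
  resource_group_name           = var.resource_group_name
  tenant_id                     = var.tenant_id
  sku_name                      = "standard"
  public_network_access_enabled = false
  network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
  }
}

resource "azurerm_private_endpoint" "kms_private" {
  name                = "pe-kv-kms-PLACEHOLDER"
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.private_endpoint_subnet_id # placeholder subnet in the AKS VNet
  private_service_connection {
    name                           = "kv-kms"
    private_connection_resource_id = azurerm_key_vault.kms_private.id
    is_manual_connection           = false
    subresource_names              = ["vault"]
  }
}
# "Private" here only works if the API server's KMS traffic originates inside the
# VNet, which is what the removed api_server_access_profile arguments provided.
resource "azurerm_kubernetes_cluster" "k8s" {
  # other required cluster arguments omitted
  key_management_service {
    key_vault_key_id         = var.kms_key_id # placeholder key stored in kms_private
    key_vault_network_access = "Private"
  }
}
```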