Azure customer managed resources: create user assigned identity for AKS

paulzhang97 · paulzhang97 · commit 28651989495a · 2024-07-29T09:12:09.000-05:00
diff --git a/customer-managed/azure/terraform/identities.tf b/customer-managed/azure/terraform/identities.tf
@@ -22,6 +22,12 @@ resource "azurerm_user_assigned_identity" "redpanda_cluster" {
   resource_group_name = azurerm_resource_group.iam.name
 }
 
+resource "azurerm_user_assigned_identity" "aks" {
+  location            = azurerm_resource_group.iam.location
+  name                = "${var.resource_name_prefix}${var.aks_identity_name}"
+  resource_group_name = azurerm_resource_group.iam.name
+}
+
 resource "azurerm_user_assigned_identity" "redpanda_console" {
   location            = azurerm_resource_group.iam.location
   name                = "${var.resource_name_prefix}${var.redpanda_console_identity_name}"
diff --git a/customer-managed/azure/terraform/role_assignments.tf b/customer-managed/azure/terraform/role_assignments.tf
@@ -56,18 +56,18 @@ resource "azurerm_role_assignment" "redpanda_agent_iam" {
   role_definition_id = azurerm_role_definition.redpanda_agent.role_definition_resource_id
 }
 
-resource "azurerm_role_assignment" "redpanda_cluster_network_contributor" {
+resource "azurerm_role_assignment" "aks_network_contributor" {
   count = local.create_role_assignment
 
   scope                = azurerm_resource_group.network.id
-  principal_id         = azurerm_user_assigned_identity.redpanda_cluster.principal_id
+  principal_id         = azurerm_user_assigned_identity.aks.principal_id
   role_definition_name = "Network Contributor"
 }
 
 resource "azurerm_role_assignment" "redpanda_private_link" {
   count = local.create_role_assignment
 
-  principal_id       = azurerm_user_assigned_identity.redpanda_cluster.principal_id
+  principal_id       = azurerm_user_assigned_identity.aks.principal_id
   scope              = azurerm_resource_group.redpanda.id
   role_definition_id = azurerm_role_definition.redpanda_private_link.role_definition_resource_id
 }
@@ -90,21 +90,6 @@ resource "azurerm_role_assignment" "redpanda_console" {
   role_definition_id = azurerm_role_definition.redpanda_console.role_definition_resource_id
 }
 
-# federated identity is done in TF provisioner.
-# resource "azurerm_federated_identity_credential" "redpanda_cluster" {
-#   count               = local.create_role_assignment
-#   name                = var.redpanda_cluster_workload_identity_name
-#   resource_group_name = azurerm_resource_group.redpanda.name
-#   audience            = ["api://AzureADTokenExchange"]
-#   ## We know the oidc issuer url only after AKS cluster is created.
-#   ## Check whether RP can come up if this resource is created during cluster creation.
-#   ## If yes, we will have to ask customer to apply when we have the oidc issuer url.
-#   ## In TF, issuer is required. But in AZ cli, it is optional in https://learn.microsoft.com/en-us/cli/azure/identity/federated-credential?view=azure-cli-latest
-#   issuer    = local.aks_oidc_issuer_url
-#   parent_id = azurerm_user_assigned_identity.redpanda_cluster.id
-#   subject   = "system:serviceaccount:${local.redpanda_operator_namespace}:${azurerm_user_assigned_identity.redpanda_cluster.name}"
-# }
-
 resource "azurerm_role_assignment" "cert_manager" {
   count = local.create_role_assignment
   # In TF provisioner, the scope is a DNS zone specific resource. We change it to RG here since DNS zone is not avaiable until cluster is being deployed.
diff --git a/customer-managed/azure/terraform/vars.customer_input.tf b/customer-managed/azure/terraform/vars.customer_input.tf
@@ -89,6 +89,14 @@ variable "redpanda_cluster_identity_name" {
   HELP
 }
 
+variable "aks_identity_name" {
+  type        = string
+  default     = "aks-uai"
+  description = <<-HELP
+    The name of user assigned identity for AKS.
+  HELP
+}
+
 variable "redpanda_console_identity_name" {
   type        = string
   default     = "console-uai"
