Comments (5)
Hi, I think this is the wrong repo - you want https://github.com/aztfmod/terraform-azurerm-caf
from terraform-azurerm-caf-enterprise-scale.
@matt-FFFFFF We are not using https://github.com/aztfmod/terraform-azurerm-caf
We use this terraform-azurerm-caf-enterprise-scale module to deploy the management group hierarchy, including the governance, policies, and access controls. The module also deploys private DNS zones in the connectivity subscription.
The issue is that whenever we provision a private AKS cluster or enable a private endpoint for any of the CORP landing zone subscription services, we are prompted to grant Private DNS Contributor permissions on the private DNS zones in the connectivity subscriptions.
This is what we did in our code to get round it: use a data source to the actual AKS private DNS zone and then add a role assignment before creating the AKS cluster.
For example:
data "azurerm_private_dns_zone" "azmk8s" {
  name                = local.dns.azk8s_dns_zone_name
  resource_group_name = local.dns.dns_rg_name
  provider            = azurerm.connectivity
}
resource "azurerm_role_assignment" "assign_identity_private_dns_contributor" {
  scope                = data.azurerm_private_dns_zone.azmk8s.id
  role_definition_name = "Private DNS Zone Contributor"
  principal_id         = azurerm_user_assigned_identity.managed_identity.principal_id
}
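The workaround above, carried through to the cluster resource, as an added example that is not part of the thread or of the terraform-azurerm-caf-enterprise-scale module. It assumes a provider alias `azurerm.connectivity` that targets the connectivity subscription, the AKS-managed default VNet (no bring-your-own subnet), and placeholder zone, resource group, region and name values; the point it shows is that the role assignment is scoped to the single zone and is ordered before the cluster with `depends_on`, because Terraform cannot infer that the cluster needs the assignment to exist when it writes its API server record.

```hcl
# Added example (not from the issue thread or the module). Placeholder values
# are marked; the provider alias azurerm.connectivity is assumed to exist.

data "azurerm_private_dns_zone" "aks" {
  provider            = azurerm.connectivity
  name                = "privatelink.westeurope.azmk8s.io" # placeholder region
  resource_group_name = "rg-connectivity-dns"              # placeholder
}

resource "azurerm_user_assigned_identity" "aks" {
  name                = "id-aks-example"  # placeholder
  location            = "westeurope"      # placeholder
  resource_group_name = "rg-aks-example"  # placeholder
}

# Scope is the one zone the cluster writes to, not the zone resource group or
# the connectivity subscription, so the identity gets no wider DNS rights.
resource "azurerm_role_assignment" "aks_private_dns" {
  scope                = data.azurerm_private_dns_zone.aks.id
  role_definition_name = "Private DNS Zone Contributor"
  principal_id         = azurerm_user_assigned_identity.aks.principal_id
}

resource "azurerm_kubernetes_cluster" "example" {
  name                    = "aks-example"    # placeholder
  location                = "westeurope"     # placeholder
  resource_group_name     = "rg-aks-example" # placeholder
  dns_prefix              = "aksexample"
  private_cluster_enabled = true
  private_dns_zone_id     = data.azurerm_private_dns_zone.aks.id

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.aks.id]
  }

  default_node_pool {
    name       = "system"
    node_count = 1
    vm_size    = "Standard_D2s_v3"
  }

  # The role assignment must be in place before the cluster is created;
  # nothing in the cluster arguments references it, so state the ordering.
  depends_on = [azurerm_role_assignment.aks_private_dns]
}
```

When reviewing such an assignment, check the `scope` in the plan output: it should be the `/privateDnsZones/<zone>` resource id, never the resource group or subscription id, and the principal should be the cluster's own user-assigned identity rather than a shared one, so that removing the cluster removes the only holder of the permission.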
@anwarnk
Yes, this is how we solved it as well. However, granting AKS permissions over the private DNS zones in the connectivity subscription is not a good idea.
fixed by #919