AKS Private DNS Permissions error about terraform-azurerm-caf-enterprise-scale HOT 5 CLOSED

Hi I think this is the wrong repo - you want https://github.com/aztfmod/terraform-azurerm-caf

from terraform-azurerm-caf-enterprise-scale.

@matt-FFFFFF We are not using https://github.com/aztfmod/terraform-azurerm-caf

We use this terraform-azurerm-caf-enterprise-scale module to deploy the management group hierarchy, including the governance, policies, and access controls. The module also deploys private DNS zones in the connectivity subscription.

The issue is that whenever we provision a private AKS cluster or enable a private endpoint for any of the CORP landing zone subscription services, we are prompted to grant Private DNS Contributor permissions on the private DNS zones in the connectivity subscriptions.

from terraform-azurerm-caf-enterprise-scale.

This what we did in our code to get round it, use a data source to the actual aks private dns zone and then add a role assignment before creating aks cluster

For example:

data "azurerm_private_dns_zone" "azmk8s" {
  name                = local.dns.azk8s_dns_zone_name
  resource_group_name = local.dns.dns_rg_name
  provider            = azurerm.connectivity
}

resource "azurerm_role_assignment" "assign_identity_private_dns_contributor" {
  scope                = data.azurerm_private_dns_zone.azmk8s.id
  role_definition_name = "Private DNS Zone Contributor"
  principal_id         = azurerm_user_assigned_identity.managed_identity.principal_id
}

from terraform-azurerm-caf-enterprise-scale.

@anwarnk
Yes, this is how we solved it as well. However, granting AKS permissions over the private DNS zones in the connectivity subscription is not a good idea.

from terraform-azurerm-caf-enterprise-scale.

fixed by #919

from terraform-azurerm-caf-enterprise-scale.