Add Managed Service Identity (MSI) support to VM Scale Sets #1018
Conversation
…tually identical to recent MSI support for stand-alone VMs
| @@ -803,6 +835,22 @@ func resourceArmVirtualMachineScaleSetDelete(d *schema.ResourceData, meta interf | |||
| return nil | |||
| } | |||
|
|
|||
| func flattenAzureRmVirtualMachineScaleSetIdentity(identity *compute.VirtualMachineScaleSetIdentity) []interface{} { | |||
| log.Printf("[DEBUG] entered flattenAzureRmVirtualMachineScaleSetIdentity") | |||
There was a problem hiding this comment.
can we remove this debug line?
| log.Printf("[DEBUG] attempting to enable MSI") | ||
| scaleSetParams.Identity = expandAzureRmVirtualMachineScaleSetIdentity(d) | ||
| } else { | ||
| log.Printf("[DEBUG] MSI failed") |
There was a problem hiding this comment.
can we remove the unnecessary else statement here?
| @@ -639,6 +662,13 @@ func resourceArmVirtualMachineScaleSetCreate(d *schema.ResourceData, meta interf | |||
| Zones: zones, | |||
| } | |||
|
|
|||
| if _, ok := d.GetOk("identity"); ok { | |||
| log.Printf("[DEBUG] attempting to enable MSI") | |||
There was a problem hiding this comment.
could we remove this log message?
| type_handler_version = "1.0" | ||
| auto_upgrade_minor_version = true | ||
| settings = "{\"port\": 50342}" | ||
| protected_settings = "{}" |
There was a problem hiding this comment.
I may be wrong, but I think we can omit this if it's empty?
There was a problem hiding this comment.
Tested and removed both auto_upgrade_minor_version & protected_settings.
| @@ -270,6 +270,41 @@ The following arguments are supported: | |||
| * `tier` - (Optional) Specifies the tier of virtual machines in a scale set. Possible values, `standard` or `basic`. | |||
| * `capacity` - (Required) Specifies the number of virtual machines in the scale set. | |||
|
|
|||
| `identity` supports the following: | |||
|
|
|||
| * `type` - (Required) Specifies the identity type of the virtual machine. The only allowable value is `SystemAssigned`. To enable Managed Service Identity (MSI) on all machines in the scale set, an extension with the type "ManagedIdentityExtensionForWindows" or "ManagedIdentityExtensionForLinux" must also be added. The scale set's Service Principal ID (SPN) can be retrieved after the scale set has been created. | |||
There was a problem hiding this comment.
of the virtual machine -> of the virtual machine scale set
| @@ -37,6 +37,29 @@ func resourceArmVirtualMachineScaleSet() *schema.Resource { | |||
|
|
|||
| "zones": zonesSchema(), | |||
|
|
|||
| "identity": { | |||
There was a problem hiding this comment.
can we add an acceptance test covering this use-case?
- Removed debug logging statements and some related code - Removed superfluous lines from the example HCL - Copy edit to readme text - Added acceptance test
| @@ -270,6 +270,41 @@ The following arguments are supported: | |||
| * `tier` - (Optional) Specifies the tier of virtual machines in a scale set. Possible values, `standard` or `basic`. | |||
| * `capacity` - (Required) Specifies the number of virtual machines in the scale set. | |||
|
|
|||
| `identity` supports the following: | |||
|
|
|||
| * `type` - (Required) Specifies the identity type of the virtual machine. The only allowable value is `SystemAssigned`. To enable Managed Service Identity (MSI) on all machines in the scale set, an extension with the type "ManagedIdentityExtensionForWindows" or "ManagedIdentityExtensionForLinux" must also be added. The scale set's Service Principal ID (SPN) can be retrieved after the scale set has been created. | |||
| @@ -639,6 +662,13 @@ func resourceArmVirtualMachineScaleSetCreate(d *schema.ResourceData, meta interf | |||
| Zones: zones, | |||
| } | |||
|
|
|||
| if _, ok := d.GetOk("identity"); ok { | |||
| log.Printf("[DEBUG] attempting to enable MSI") | |||
| log.Printf("[DEBUG] attempting to enable MSI") | ||
| scaleSetParams.Identity = expandAzureRmVirtualMachineScaleSetIdentity(d) | ||
| } else { | ||
| log.Printf("[DEBUG] MSI failed") |
| type_handler_version = "1.0" | ||
| auto_upgrade_minor_version = true | ||
| settings = "{\"port\": 50342}" | ||
| protected_settings = "{}" |
There was a problem hiding this comment.
Tested and removed both auto_upgrade_minor_version & protected_settings.
|
All review comments addressed. Ready for round 2. :) |
| @@ -701,6 +728,8 @@ func resourceArmVirtualMachineScaleSetRead(d *schema.ResourceData, meta interfac | |||
| return fmt.Errorf("[DEBUG] Error setting Virtual Machine Scale Set Sku error: %#v", err) | |||
| } | |||
|
|
|||
| d.Set("identity", flattenAzureRmVirtualMachineScaleSetIdentity(resp.Identity)) | |||
There was a problem hiding this comment.
can we change this to:
if err := d.Set("identity", flattenAzureRmVirtualMachineScaleSetIdentity(resp.Identity)); err != nil {
return fmt.Error("Error flattening `identity`: %+v", err)
}
this allows any bugs (such as the schema not matching) to be caught
| Config: config, | ||
| Check: resource.ComposeTestCheckFunc( | ||
| testCheckAzureRMVirtualMachineScaleSetExists(resourceName), | ||
| testCheckAzureRMVirtualMachineScaleSetMSI(resourceName), |
There was a problem hiding this comment.
can we remove this function (which checks the API) in favour of checking the value stored in the state (which users will consume)? we can do this via:
resources.TestCheckResourceAttrSet(resourceName, "identity.0.principal_id"),
|
More good changes, Tom. Thx for the reviews. --Jeff |
|
@dawg89 just to let you know that the tests picked up a bug in the tests, so I've pushed a commit to fix this: 03a9c31 - I hope you don't mind :) |
|
All VM tests before the previous commit:
The final commit fixes the broken test:
This is now good to merge 👍 - thanks for this PR @dawg89 :) |
|
According to https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview, "MSI VM extension endpoint: http://localhost:50342/oauth2/token (to be deprecated)." Since the extension endpoint is being deprecated, will this provider be updated to support enabling MSI without the extension (see also https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/tutorial-linux-vm-access-arm)? |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
This builds on earlier work enabling MSI for VMs. Adds the identity attribute and principal_id property to the VM scale set resource.