Add support for azure-keyvault-secrets-provider AKS addon

[LP0101]

Resolves #12783

[djsly]

@katbyte / @tombuildsstuff up for review! if we can have that in this' week release that would be awesome!

[stephybun]

Thanks for this PR @LP0101. This is off to a good start! I've left a few comments and suggestions, once they're addressed we can look over this again 🙂 .

[nerddtvg]

Hi @LP0101, can you also make sure this supports exporting the managed identtiy information created?

Example:

      "azureKeyvaultSecretsProvider": {
        "enabled": true,
        "config": {
          "enableSecretRotation": "true"
        },
        "identity": {
          "resourceId": "/subscriptions/<subscription>/resourcegroups/MC_<resource_group>_<cluster_name>_<location>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/azurekeyvaultsecretsprovider-<cluster_name>",
          "clientId": "6510b307-edd9-44c8-bc4a-2e9b443a0d73",
          "objectId": "a5a771e1-4d59-4545-bb9c-352b7c6a01f6"
        }
      }

[LP0101]

Hey @nerddtvg

Good call, I totally forgot about that. Added it in the latest commit.

[nerddtvg]

Wow that was fast! Thank you!

[LP0101]

Any update on this PR? We would love to have it merged in this week's release.

[stephybun]

Looks like there is a test failure

------- Stdout: -------
=== RUN   TestAccKubernetesCluster_addonProfileAzureKeyvaultSecretsProvider
=== PAUSE TestAccKubernetesCluster_addonProfileAzureKeyvaultSecretsProvider
=== CONT  TestAccKubernetesCluster_addonProfileAzureKeyvaultSecretsProvider
testcase.go:110: Step 1/4 error: Error running pre-apply refresh: exit status 1
Error: Missing newline after argument
on terraform_plugin_test.tf line 35, in resource "azurerm_kubernetes_cluster" "test":
35:       rotation_interval       = 2m
An argument definition must end with a newline.
testing_new.go:63: Error retrieving state, there may be dangling resources: exit status 1
Error: Missing newline after argument
on terraform_plugin_test.tf line 35, in resource "azurerm_kubernetes_cluster" "test":
35:       rotation_interval       = 2m
An argument definition must end with a newline.
--- FAIL: TestAccKubernetesCluster_addonProfileAzureKeyvaultSecretsProvider (1.81s)
FAIL

[LP0101]

@stephybun acceptance tests are fixed now.

Looks like the golint failed due to a timeout :( Can someone with the ability to rerun checks restart it?

[stephybun]

Sorry I missed this one in the initial review, since this block is already called azure_keyvault_secrets_provider could we rename this to just identity

[LP0101]

Sure, I was just following the convention with the other addons, where we have ingress_application_gateway_identity and oms_agent_identity

[LP0101]

I think the convention might be there to prevent confusion?

Looking at the AKS module docs, it might get a bit confusing if there were multiple The identity block exports the following: sections, which I guess is why each identity has its own name?

[stephybun]

If the schemas for each identity block were different I would agree, but they're all identical so I don't really see an issue if they all point to the same block in the docs. To be sure I will clarify internally whether there is any other reason for that naming convention. If not it should be renamed and the other two properties will also need to be renamed and deprecated (in a separate PR).

[LP0101]

Could also be that the AKS cluster itself already exports an identity block, which does have a different schema from the addon identity blocks?

[nerddtvg]

I think it would add confusion with the AKS identity and kubelet_identity blocks like you said. Maybe something more generic for the addons (in a future PR) like addon_identity? It's always going to be the same with a user_assigned_managed_identity anyways.

[tombuildsstuff]

Yeah the background on this is each identity block currently has a distinct name because of how these are represented in the docs - as such I'd agree this probably should be secret_identity here.

To call out the comment above too, we'll be making the add-on blocks consistent with the rest of the provider where possible in a future release, that is, having the presence of the block mean enabled = true and the omission of the block meaning enabled = false. This is required since there's a tri-state in the Azure API currently which needs resolving (e.g. the block being omitted in the API, or enabled=false mean the same thing - and then there's enabled=true - but we need to consolidate these into Terraform.

[tombuildsstuff]

hey @LP0101

Thanks for this PR - I've taken a look through and left some comments in addition to the ones that @stephybun has left, if we can fix those up then this should otherwise be good to go 👍

Thanks!

[tombuildsstuff]

rather than exposing this field - we can take the presence of the parent block to mean enabled=true (and it's false if it's omitted)

[nerddtvg]

@tombuildsstuff, @stephybun asked a similar question earlier: #14308 (comment)

This wouldn't match with the other addon blocks which have their own enabled status. Plus I worry if we have existing clusters that have it manually enabled but the Terraform isn't updated, it may try to disable them on subsequent applies.

[nerddtvg]

I just saw your below comment about consistency with other blocks. I'm still worried how this will play out as more addons are created and manually applied during previews. I realize that with a diff or preview, we should catch these possible changes, but if it is being automated it may not be.

[tombuildsstuff]

Yeah the background on this is each identity block currently has a distinct name because of how these are represented in the docs - as such I'd agree this probably should be secret_identity here.

To call out the comment above too, we'll be making the add-on blocks consistent with the rest of the provider where possible in a future release, that is, having the presence of the block mean enabled = true and the omission of the block meaning enabled = false. This is required since there's a tri-state in the Azure API currently which needs resolving (e.g. the block being omitted in the API, or enabled=false mean the same thing - and then there's enabled=true - but we need to consolidate these into Terraform.

[tombuildsstuff]

this'll also want a default value set of false?

[LP0101]

I tried to match the provider's behaviour with what the CLI does. In that case, when disabling secret rotation (or just not enabling it), the field is completely omitted from the API response.

I can also set it to false, if that's preferable.

[tombuildsstuff]

this means this won't be unset in the API config (so will always have a value?)

[LP0101]

Hm, yeah. It does keep the secretRotationInterval value set in the API. However, that doesn't do anything without the enableSecretRotation flag being set to true.

[LP0101]

Fixed the docs and renamed the identity block. 👍

[stephybun]

Thanks for fixing up some of those suggestions @LP0101. There are a few finishing touches missing but once those are addressed this should be good to go!

[stephybun]

Resolved this last review comment and the tests are passing. Thanks for your patience @LP0101, LGTM! 🚀

[github-actions]

This functionality has been released in v2.89.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.