terraform-provider-azurerm: data.azurerm_kubernetes_cluster do not get kube_config from AAD enabled v1.24 cluster

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.2

AzureRM Provider Version

3.9.0

Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Terraform Configuration Files

data "azurerm_kubernetes_cluster" "default" {
  depends_on          = [module.aks] # refresh cluster state before reading
  name                = module.aks.aks_cluster_name
  resource_group_name = module.aks.resource_group_name
}

provider "kubernetes" {
  host                   = data.azurerm_kubernetes_cluster.default.kube_config.0.host
  cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)

  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "kubelogin"
    args = [
      "get-token",
      "--login",
      "azurecli",
      "--server-id",
      "6dae42f8-4368-4678-94ff-3960e28e3630"
    ]
  }
}

Debug Output/Panic Output

data.azurerm_kubernetes_cluster.default: Read complete after 0s [id=/subscriptions/my-sub-id/resourceGroups/rg-aks-playground-blue-dev/providers/Microsoft.ContainerService/managedClusters/my-cluster]
╷
│ Error: Invalid index
│
│   on main.tf line 35, in provider "kubernetes":
│   35:   host                   = data.azurerm_kubernetes_cluster.default.kube_config.0.host
│     ├────────────────
│     │ data.azurerm_kubernetes_cluster.default.kube_config has a sensitive value
│
│ The given key does not identify an element in this collection value.
╵
╷
│ Error: Invalid index
│
│   on main.tf line 36, in provider "kubernetes":
│   36:   cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)
│     ├────────────────
│     │ data.azurerm_kubernetes_cluster.default.kube_config has a sensitive value
│
│ The given key does not identify an element in this collection value.
╵

Expected Behaviour

Get kube_config properly.

Actual Behaviour

I checked kube_config in tf state. It was empty.

"kube_config": [],

The cause is probably this week's release of AKS. It released Kubernetes version 1.24 and changed the kube_config format for AAD-enabled clusters.

So, I confirmed the difference of kube_config between 1.23.5 and 1.24.0. Certainly, users.user has changed.

[1.23.5]

  user:
    auth-provider:
      config:
        apiserver-id: [my-server-id]
        client-id: [my-client-id]
        config-mode: "1"
        environment: AzurePublicCloud
        tenant-id: [my-tenant-id]
      name: azure

[1.24.0]

  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - --environment
      - AzurePublicCloud
      - --server-id
      - [my-server-id]
      - --client-id
      - [my-client-id]
      - --tenant-id
      - [my-tenant-id]
      - --login
      - devicecode
      command: kubelogin
      env: null

In the current implementation, it seems that it is judged by "apiserver-id", so I think that kube_config cannot be obtained correctly.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response
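
The issue above traces the empty kube_config to a reader that recognises only the `auth-provider` layout with its `apiserver-id` key. The following Go example is added for illustration (it is not the provider's code and not part of the original issue); it accepts both user layouts shown above and returns an error instead of an empty result when neither yields a server ID. The type and function names, the JSON form of the user entry, and the placeholder IDs are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AADSettings is the normalized result; Source records which layout matched.
type AADSettings struct{ ServerID, ClientID, TenantID, Source string }

// kubeUser mirrors only the two kubeconfig user layouts shown in the issue.
type kubeUser struct {
	AuthProvider *struct {
		Config map[string]string `json:"config"`
	} `json:"auth-provider"`
	Exec *struct {
		Command string   `json:"command"`
		Args    []string `json:"args"`
	} `json:"exec"`
}

// Constructed sample of the 1.24 layout with placeholder IDs (hypothetical values).
const execUser = `{"exec":{"command":"kubelogin","args":["get-token","--server-id","srv-0000","--client-id","cli-0000","--tenant-id","ten-0000","--login","devicecode"],"env":null}}`

// ParseAADUser reads one kubeconfig user entry (JSON form) in either layout.
func ParseAADUser(raw []byte) (AADSettings, error) {
	var u kubeUser
	if err := json.Unmarshal(raw, &u); err != nil {
		return AADSettings{}, err
	}
	var s AADSettings
	switch {
	case u.AuthProvider != nil: // pre-1.24: values are keyed by name
		c := u.AuthProvider.Config
		s = AADSettings{c["apiserver-id"], c["client-id"], c["tenant-id"], "auth-provider"}
	case u.Exec != nil && u.Exec.Command == "kubelogin": // 1.24: values are CLI flags
		f := map[string]string{}
		for a := u.Exec.Args; len(a) > 1; a = a[1:] {
			f[a[0]] = a[1] // index every adjacent pair; only "--flag" keys are read below
		}
		s = AADSettings{f["--server-id"], f["--client-id"], f["--tenant-id"], "exec"}
	}
	if s.ServerID == "" { // fail loudly rather than return an empty config
		return s, fmt.Errorf("no Azure AD server id in auth-provider or exec block")
	}
	return s, nil
}

func main() { fmt.Println(ParseAADUser([]byte(execUser))) }
```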

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 15
  • Comments: 21 (1 by maintainers)

Most upvoted comments

@mbfrahry Does this also fix the kube_config property on the azurerm_kubernetes_cluster resource? I cannot use the data provider immediately after creating an AKS cluster.

On Aug 25, 2022, at 5:38 PM, Matthew Frahry @.***> wrote:

Closed #17182 as completed via #18131.


At MetLife we are also experiencing a similar issue now that Kubernetes 1.24.0 and 1.24.3 have gone GA for AKS. Microsoft changed the cluster configuration format in 1.24 so that it requires the use of kubelogin, so I am not surprised that this is broken. However, our clients are going to need to be on the latest GA version of Kubernetes, so this has to be fixed ASAP.

Any update on this?

This functionality has been released in v3.20.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@DaleyKD Unfortunately I cannot answer your question. We are just now piloting Terraform and immediately ran into this issue. Kind of good timing actually since it will see what level of support we get from Hashicorp and Microsoft. We are investigating how to empower our developers to provision the infrastructure they need and not hurt themselves or others. Currently we have a separate engineering group that provisions infrastructure, you have to create tickets, etc. A long, painful process for everyone. Currently we use Azure DevOps pipelines and ARM templates. Blech.

@joberget format optional query parameter is for Azure CLI, so I don't think the option will solve the problem we are discussing.