@robinmanuelthiel
Last active August 16, 2022 05:43
Terraform Setup AAD Pod Identity in AKS clusters with Managed Identity
# Key Vault that the pod-identity demo reads from.
# NOTE(review): no network_acls block is declared, so the vault keeps the
# provider's default network rules — confirm that is acceptable even for a test vault.
resource "azurerm_key_vault" "default" {
  name                = "rothietftestvault"
  sku_name            = "standard"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  location            = azurerm_resource_group.default.location
  resource_group_name = azurerm_resource_group.default.name
}
# Access policy for the principal running Terraform (needed so the
# test secret below can be written). Broader than the pod identity's
# policy on purpose: it manages the secret, the pod only reads it.
resource "azurerm_key_vault_access_policy" "current_user" {
  key_vault_id = azurerm_key_vault.default.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  secret_permissions = ["get", "list", "set", "delete"]
}
# Access policy for the user-assigned identity that AAD Pod Identity
# hands to the demo pod. Read-only on secrets (get/list) — least privilege
# for a consumer that never writes.
resource "azurerm_key_vault_access_policy" "aad_pod_identity" {
  key_vault_id = azurerm_key_vault.default.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_user_assigned_identity.aks_pod_identity.principal_id

  secret_permissions = ["get", "list"]
}
# Demo secret the pod reads back (the pod references it by name via
# TestSecretId). The literal value is written into Terraform state in
# clear text, so this pattern is only appropriate for throwaway test data.
resource "azurerm_key_vault_secret" "test_secret" {
  key_vault_id = azurerm_key_vault.default.id
  name         = "TestSecret"
  value        = "Hello from Terraform"
}
# Vault URI to paste into the demo pod's AzureKeyVaultUri env var.
output "key_vault_url" {
  description = "Azure KeyVault URI for the Demo Container"
  value       = azurerm_key_vault.default.vault_uri
}
# AzureIdentity: tells AAD Pod Identity which Azure managed identity exists.
# resourceID and clientID must be replaced with the Terraform outputs
# aad_pod_identity_resource_id / aad_pod_identity_client_id for your deployment.
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: demopodid
spec:
  # type 0 = user-assigned managed identity (aad-pod-identity AzureIdentity spec)
  type: 0
  resourceID: /subscriptions/0ec6dbb0-b89b-4bb3-9140-14e3d244e0ee/resourcegroups/tftest/providers/Microsoft.ManagedIdentity/userAssignedIdentities/rothietftestakspodidentity
  clientID: 4e6d803c-42f7-447d-bd76-5180adc2dbb6
---
# AzureIdentityBinding: pods carrying the label aadpodidbinding=<selector>
# are allowed to obtain tokens for the AzureIdentity named below.
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: demopodid-binding
spec:
  azureIdentity: demopodid
  # The value a pod must set in its aadpodidbinding label to use this identity.
  selector: demopodid
---
# Demo pod that reads TestSecret from the vault through the bound identity.
apiVersion: v1
kind: Pod
metadata:
  name: demo
  labels:
    # Must match the AzureIdentityBinding selector above, otherwise the
    # pod gets no identity and the Key Vault call fails.
    aadpodidbinding: demopodid
spec:
  containers:
    - name: azurekeyvaulttester
      # NOTE(review): image has no tag or digest, so the mutable default tag is
      # pulled each time it is scheduled — pin a tag or @sha256 digest for a
      # reproducible, reviewable deployment.
      image: robinmanuelthiel/azurekeyvaulttester
      env:
        # Same value the Terraform output key_vault_url reports for vault rothietftestvault.
        - name: AzureKeyVaultUri
          value: "https://rothietftestvault.vault.azure.net"
        - name: TestSecretId
          value: "TestSecret"
# AKS cluster. A system-assigned identity is used for the control plane;
# the kubelet identity AKS creates alongside it is what the role
# assignments below grant rights to (kubelet_identity[0]).
# NOTE(review): the API server is not restricted by authorized IP ranges
# here — fine for a test cluster, confirm before reusing this elsewhere.
resource "azurerm_kubernetes_cluster" "default" {
  name                = "rothietftestaks"
  dns_prefix          = "rothietftestaks"
  location            = azurerm_resource_group.default.location
  resource_group_name = azurerm_resource_group.default.name

  # Single small node is enough to run MIC/NMI plus the demo pod.
  default_node_pool {
    name       = "default"
    vm_size    = "Standard_DS2_v2"
    node_count = 1
  }

  identity {
    type = "SystemAssigned"
  }

  # Kubernetes RBAC on, so the aad-pod-identity CRDs/controllers run under proper roles.
  role_based_access_control {
    enabled = true
  }
}
# User-assigned identity that AAD Pod Identity assigns to the demo pod.
# Its id/client_id are exported as outputs for the AzureIdentity manifest.
resource "azurerm_user_assigned_identity" "aks_pod_identity" {
  name                = "rothietftestakspodidentity"
  location            = azurerm_resource_group.default.location
  resource_group_name = azurerm_resource_group.default.name
}
# Role assignments for the kubelet identity, following
# https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.role-assignment.md
#
# Managed Identity Operator, scoped to the single pod identity only, so the
# cluster can assign that identity (and nothing else) to its nodes.
resource "azurerm_role_assignment" "aks_identity_operator" {
  principal_id         = azurerm_kubernetes_cluster.default.kubelet_identity[0].object_id
  role_definition_name = "Managed Identity Operator"
  scope                = azurerm_user_assigned_identity.aks_pod_identity.id
}
# Virtual Machine Contributor on the AKS-managed node resource group.
# NOTE(review): this is a broad role over every VM/VMSS in that group;
# the linked README is the reference for the minimum set — confirm it is
# still required for the aad-pod-identity version you install.
resource "azurerm_role_assignment" "aks_vm_contributor" {
  principal_id         = azurerm_kubernetes_cluster.default.kubelet_identity[0].object_id
  role_definition_name = "Virtual Machine Contributor"
  scope                = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourcegroups/${azurerm_kubernetes_cluster.default.node_resource_group}"
}
# Paste into spec.resourceID of the AzureIdentity manifest.
output "aad_pod_identity_resource_id" {
  description = "Resource ID for the Managed Identity for AAD Pod Identity"
  value       = azurerm_user_assigned_identity.aks_pod_identity.id
}
# Paste into spec.clientID of the AzureIdentity manifest.
output "aad_pod_identity_client_id" {
  description = "Client ID for the Managed Identity for AAD Pod Identity"
  value       = azurerm_user_assigned_identity.aks_pod_identity.client_id
}
# AzureRM provider, pinned to an exact version so the argument names used in
# these files (e.g. role_based_access_control) keep resolving the same way.
provider "azurerm" {
  features {}

  version = "=2.8.0"
}
# Identity Terraform is running as; supplies tenant_id, object_id and
# subscription_id to the vault policy and role-assignment scopes.
data "azurerm_client_config" "current" {
}
# Resource group that holds every resource in this setup.
resource "azurerm_resource_group" "default" {
  location = "westeurope"
  name     = "tftest"
}
@robinmanuelthiel
Author

Instructions

  1. To set up AAD Pod Identity in AKS with Terraform, only main.tf and aadpodidentity-setup.tf are needed.

  2. To test the setup, I have created a little Key Vault Demo, where the Key Vault store is only accessible from the AAD Pod Identity. To test this, include the aadpodidentity-keyvault-demo.tf.

  3. Once complete, log into the cluster and install the AAD Pod identity Helm Chart

    helm repo add aad-pod-identity https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts
    helm install aad-pod-identity aad-pod-identity/aad-pod-identity
  4. Adjust resourceID and clientID in the aadpodidentity-keyvault-demo.yaml file (use the Outputs from Terraform)

  5. Install the Demo App

    kubectl apply -f aadpodidentity-keyvault-demo.yaml
  6. After a few seconds, check the pod's output

    kubectl logs demo

    You should see

    You secret 'TestSecret' value is: Hello from Terraform
    ...
