Fix #405 incorrect role assignment resource

examples/uai_and_assign_role_on_subnet/main.tf

@@ -0,0 +1,41 @@
+resource "random_pet" "this" {}
+
+resource "azurerm_resource_group" "rg" {
+  location = var.location
+  name     = "${var.resource_group_name}-${random_pet.this.id}"
+}
+
+resource "azurerm_virtual_network" "vnet" {
+  address_space       = ["192.168.0.0/16"]
+  location            = var.location
+  name                = "vnet"
+  resource_group_name = azurerm_resource_group.rg.name
+}
+
+resource "azurerm_subnet" "subnet" {
+  address_prefixes     = ["192.168.0.0/24"]
+  name                 = "subnet"
+  resource_group_name  = azurerm_resource_group.rg.name
+  virtual_network_name = azurerm_virtual_network.vnet.name
+}
+
+resource "azurerm_user_assigned_identity" "main" {
+  location            = azurerm_resource_group.rg.location
+  name                = "uami-${var.kubernetes_cluster_name}"
+  resource_group_name = azurerm_resource_group.rg.name
+}
+
+module "aks" {
+  source = "../../"
+
+  cluster_name        = var.kubernetes_cluster_name
+  prefix              = var.kubernetes_cluster_name
+  resource_group_name = azurerm_resource_group.rg.name
+  identity_ids        = [azurerm_user_assigned_identity.main.id]
+  identity_type       = "UserAssigned"
+  vnet_subnet_id      = azurerm_subnet.subnet.id
+  rbac_aad            = false
+  network_contributor_role_assigned_subnet_ids = {
+    vnet_subnet = azurerm_subnet.subnet.id
+  }
+}

examples/uai_and_assign_role_on_subnet/providers.tf

@@ -0,0 +1,19 @@
+terraform {
+  required_version = ">=1.3"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.51, < 4.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "3.3.2"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "random" {}

examples/uai_and_assign_role_on_subnet/variables.tf

@@ -0,0 +1,11 @@
+variable "kubernetes_cluster_name" {
+  default = "myAks"
+}
+
+variable "location" {
+  default = "eastus"
+}
+
+variable "resource_group_name" {
+  default = "tfmod-aks"
+}

main.tf

@@ -764,16 +764,46 @@ resource "azurerm_role_assignment" "acr" {
   skip_service_principal_aad_check = true
 }
 
+# /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/acceptanceTestResourceGroup1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testIdentity
+data "azurerm_user_assigned_identity" "cluster_identity" {
+  count = (var.client_id == "" || var.client_secret == "") && var.identity_type == "UserAssigned" ? 1 : 0
+
+  name                = split("/", var.identity_ids[0])[8]
+  resource_group_name = split("/", var.identity_ids[0])[4]
+}
+
 # The AKS cluster identity has the Contributor role on the AKS second resource group (MC_myResourceGroup_myAKSCluster_eastus)
 # However when using a custom VNET, the AKS cluster identity needs the Network Contributor role on the VNET subnets
 # used by the system node pool and by any additional node pools.
 # https://learn.microsoft.com/en-us/azure/aks/configure-kubenet#prerequisites
 # https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni#prerequisites
 # https://github.com/Azure/terraform-azurerm-aks/issues/178
 resource "azurerm_role_assignment" "network_contributor" {
-  for_each = var.create_role_assignment_network_contributor ? local.subnet_ids : []
+  for_each = var.create_role_assignment_network_contributor && (var.client_id == "" || var.client_secret == "") ? local.subnet_ids : []
+
+  principal_id         = coalesce(try(data.azurerm_user_assigned_identity.cluster_identity[0].principal_id, azurerm_kubernetes_cluster.main.identity[0].principal_id), var.client_id)
+  scope                = each.value
+  role_definition_name = "Network Contributor"
+
+  lifecycle {
+    precondition {
+      condition     = length(var.network_contributor_role_assigned_subnet_ids) == 0
+      error_message = "Cannot set both of `var.create_role_assignment_network_contributor` and `var.network_contributor_role_assigned_subnet_ids`."
+    }
+  }
+}
 
-  principal_id         = azurerm_kubernetes_cluster.main.identity[0].principal_id
+resource "azurerm_role_assignment" "network_contributor_on_subnet" {
+  for_each = var.network_contributor_role_assigned_subnet_ids
+
+  principal_id         = coalesce(try(data.azurerm_user_assigned_identity.cluster_identity[0].principal_id, azurerm_kubernetes_cluster.main.identity[0].principal_id), var.client_id)
   scope                = each.value
   role_definition_name = "Network Contributor"
+
+  lifecycle {
+    precondition {
+      condition     = !var.create_role_assignment_network_contributor
+      error_message = "Cannot set both of `var.create_role_assignment_network_contributor` and `var.network_contributor_role_assigned_subnet_ids`."
+    }
+  }
 }

variables.tf

@@ -391,7 +391,7 @@ variable "cluster_name" {
 variable "create_role_assignment_network_contributor" {
   type        = bool
   default     = false
-  description = "Create a role assignment for the AKS Service Principal to be a Network Contributor on the subnets used for the AKS Cluster"
+  description = "(Deprecated) Create a role assignment for the AKS Service Principal to be a Network Contributor on the subnets used for the AKS Cluster"
   nullable    = false
 }
 
@@ -690,6 +690,13 @@ variable "net_profile_service_cidr" {
   description = "(Optional) The Network Range used by the Kubernetes service. Changing this forces a new resource to be created."
 }
 
+variable "network_contributor_role_assigned_subnet_ids" {
+  type        = map(string)
+  default     = {}
+  description = "Create role assignments for the AKS Service Principal to be a Network Contributor on the subnets used for the AKS Cluster, key should be static string, value should be subnet's id"
+  nullable    = false
+}
+
 variable "network_plugin" {
   type        = string
   default     = "kubenet"