data.azurerm_kubernetes_cluster do not get kube_config from AAD enabled v1.24 cluster #17182

@torumakabe

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.2

AzureRM Provider Version

3.9.0

Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Terraform Configuration Files

data "azurerm_kubernetes_cluster" "default" {
  depends_on          = [module.aks] # refresh cluster state before reading
  name                = module.aks.aks_cluster_name
  resource_group_name = module.aks.resource_group_name
}

provider "kubernetes" {
  host                   = data.azurerm_kubernetes_cluster.default.kube_config.0.host
  cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)

  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "kubelogin"
    args = [
      "get-token",
      "--login",
      "azurecli",
      "--server-id",
      "6dae42f8-4368-4678-94ff-3960e28e3630"
    ]
  }
}

Debug Output/Panic Output

data.azurerm_kubernetes_cluster.default: Read complete after 0s [id=/subscriptions/my-sub-id/resourceGroups/rg-aks-playground-blue-dev/providers/Microsoft.ContainerService/managedClusters/my-cluster]
╷
│ Error: Invalid index
│
│   on main.tf line 35, in provider "kubernetes":
│   35:   host                   = data.azurerm_kubernetes_cluster.default.kube_config.0.host
│     ├────────────────
│     │ data.azurerm_kubernetes_cluster.default.kube_config has a sensitive value
│
│ The given key does not identify an element in this collection value.
╵
╷
│ Error: Invalid index
│
│   on main.tf line 36, in provider "kubernetes":
│   36:   cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)
│     ├────────────────
│     │ data.azurerm_kubernetes_cluster.default.kube_config has a sensitive value
│
│ The given key does not identify an element in this collection value.
╵

Expected Behaviour

Get kube_config properly.

Actual Behaviour

I checked kube_config in tf state. It was empty.

"kube_config": [],

The cause is probably this week's release of AKS. It released Kubernetes version 1.24 and changed the kube_config format for AAD-enabled clusters.

So, I confirmed the difference in kube_config between 1.23.5 and 1.24.0. Certainly, users.user has changed.

[1.23.5]

  user:
    auth-provider:
      config:
        apiserver-id: [my-server-id]
        client-id: [my-client-id]
        config-mode: "1"
        environment: AzurePublicCloud
        tenant-id: [my-tenant-id]
      name: azure

[1.24.0]

  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - --environment
      - AzurePublicCloud
      - --server-id
      - [my-server-id]
      - --client-id
      - [my-client-id]
      - --tenant-id
      - [my-tenant-id]
      - --login
      - devicecode
      command: kubelogin
      env: null

In the current implementation, it seems that it is judged by "apiserver-id", so I think that kube_config cannot be obtained correctly.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response
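
The two `user` layouts compared in the issue, handled by one reader. This is an added example, not part of the original issue and not the provider's code; it assumes the kubeconfig user entry has been rendered as JSON (Go's standard library has no YAML parser), and `kubeUser`, `aadSettings`, `parseAADUser` and the sample IDs are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// kubeUser models only the kubeconfig "user" fields shown in the issue.
type kubeUser struct {
	AuthProvider struct {
		Config map[string]string `json:"config"`
	} `json:"auth-provider"`
	Exec struct {
		Command string   `json:"command"`
		Args    []string `json:"args"`
	} `json:"exec"`
}

type aadSettings struct{ ServerID, ClientID, TenantID string } // hypothetical result type

// Constructed samples: JSON renderings of the two layouts, with placeholder IDs.
const legacyUser = `{"auth-provider":{"name":"azure","config":{"apiserver-id":"srv-id","client-id":"cli-id","tenant-id":"ten-id","config-mode":"1","environment":"AzurePublicCloud"}}}`
const execUser = `{"exec":{"apiVersion":"client.authentication.k8s.io/v1beta1","command":"kubelogin","env":null,"args":["get-token","--environment","AzurePublicCloud","--server-id","srv-id","--client-id","cli-id","--tenant-id","ten-id","--login","devicecode"]}}`

// parseAADUser reads the AAD IDs from either layout and returns an error when neither is present.
func parseAADUser(raw string) (s aadSettings, err error) {
	var u kubeUser
	if err = json.Unmarshal([]byte(raw), &u); err != nil {
		return s, err
	}
	if c := u.AuthProvider.Config; c["apiserver-id"] != "" { // 1.23.5 layout
		return aadSettings{c["apiserver-id"], c["client-id"], c["tenant-id"]}, nil
	}
	flags := map[string]string{} // 1.24.0 layout: kubelogin args as "--name", "value" pairs
	for i, a := 0, u.Exec.Args; u.Exec.Command == "kubelogin" && i+1 < len(a); i++ {
		if strings.HasPrefix(a[i], "--") {
			flags[a[i]] = a[i+1]
		}
	}
	if flags["--server-id"] == "" {
		return s, fmt.Errorf("user entry has no recognised AAD settings")
	}
	return aadSettings{flags["--server-id"], flags["--client-id"], flags["--tenant-id"]}, nil
}

func main() {
	fmt.Println(parseAADUser(legacyUser))
	fmt.Println(parseAADUser(execUser))
}
```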
