Add role assignments for ingress application gateway and corresponding example

[lonegunmanb]

Describe your changes

This pr added azurerm_role_assignment resources so the existing application gateway could work immediately. It also added a working example.

This pr contains breaking change.

Issue number

#223

Checklist before requesting a review

• The pr title can be used to describe what this pr did in CHANGELOG.md file
• I have executed pre-commit on my machine
• I have passed pr-check on my machine

Thanks for your cooperation!

[github-actions]

Potential Breaking Changes in d1ea167:
[delete] "Variables.ingress_application_gateway_id.Name" from 'ingress_application_gateway_id' to ''

[github-actions]

Potential Breaking Changes in 2b1ff07:
[delete] "Variables.ingress_application_gateway_id.Name" from 'ingress_application_gateway_id' to ''

[github-actions]

Potential Breaking Changes in fb538b0:
[delete] "Variables.ingress_application_gateway_id.Name" from 'ingress_application_gateway_id' to ''

[lonegunmanb]

Hi @zioproto, would you please give this pr a review? Thanks!

[zioproto]

This PR fixes the roles assignments when the Application Gateway is created by user with an external to the module Terraform resource.

The scenario depicted in issue #223 is when we expect the AGIC controller running in the cluster to create the Application Gateway on behalf of the user.

I tried with the following config:

 ingress_application_gateway_enabled   = true
 ingress_application_gateway_subnet_id = module.network-westeurope.vnet_subnets[2]
 ingress_application_gateway_name = "aks-agw-westeurope"

And I still see in my kube-system namespace the Pod ingress-appgw-deployment-c5d78b4f8-6dgtx failing to create the Application Gateway

ingress-appgw-deployment-c5d78b4f8-6dgtx ingress-appgw-container I1123 09:54:13.013152       1 client.go:314] Deploying Gateway
ingress-appgw-deployment-c5d78b4f8-6dgtx ingress-appgw-container I1123 09:54:13.030598       1 client.go:321] Using resource group: MC_istio-aks-westeurope_westeurope-aks_westeurope
ingress-appgw-deployment-c5d78b4f8-6dgtx ingress-appgw-container I1123 09:54:13.030631       1 client.go:324] Starting ARM template deployment: aks-agw-westeurope
ingress-appgw-deployment-c5d78b4f8-6dgtx ingress-appgw-container F1123 09:54:44.072080       1 main.go:168] Failed in deploying Application GatewayCode="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details." Details=[{"code":"Conflict","message":"{\r\n  \"error\": {\r\n    \"code\": \"ApplicationGatewayInsufficientPermissionOnSubnet\",\r\n    \"message\": \"Client with object id d0ba9abb-427c-450b-9bfb-30689a03c3d4 does not have permission on the Virtual Network resource /subscriptions/9b70acd9-975f-44ba-bad6-255a2c8bda37/resourceGroups/istio-aks-westeurope/providers/Microsoft.Network/virtualNetworks/istio-aks-westeurope/subnets/user to perform action Microsoft.Network/virtualNetworks/subnets/join/action. For details on the required permissions, please visit https://aka.ms/agsubnetjoin.\",\r\n    \"details\": []\r\n  }\r\n}"}]

[zioproto]

Is using this output from the AKS module safe ?

The most reliable way to configure the Kubernetes provider is to ensure that the cluster itself and the Kubernetes provider resources can be managed with separate apply operations. Data-sources can be used to convey values between the two stages as needed.

https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs#stacking-with-managed-kubernetes-cluster-resources

Just double checking because we don't want to introduce random CI failures

[zioproto]

How this change about azurerm_log_analytics_workspace is related with the role assignments for ingress ? Should this go to a different PR ?

[zioproto]

I understand now you are moving this resource to a different file. You could do this cleanup in a different PR for readability.

[zioproto]

Is this a change in formatting that was applied automatically by terraform fmt ?

[zioproto]

Change in formatting, why ?

[zioproto]

This is used when the Application Gateway is created with a resource outside of the module.

This change is not related to the issue #223 linked in this PR, where it is the AGIC controller running in the AKS cluster that is in charge of creating the Application Gateway.

[zioproto]

The role assignments should be created if var.ingress_application_gateway_enabled = true

[zioproto]

In my testing scenario each nodepool has a dedicated subnet. I have a system and a user nodepool in a system and a user subnet:

https://github.com/zioproto/istio-aks-example/blob/main/multicluster-istio-on-aks/nodepools.tf
https://github.com/zioproto/istio-aks-example/blob/main/multicluster-istio-on-aks/network.tf#L8
https://github.com/zioproto/istio-aks-example/blob/main/multicluster-istio-on-aks/main.tf#L15

When the AGIC creates the Application Gateway I see the error ApplicationGatewayInsufficientPermissionOnSubnet.

ingress-appgw-deployment-c5d78b4f8-6dgtx ingress-appgw-container F1123 10:09:20.881644       1 main.go:168] Failed in deploying Application GatewayCode="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details." Details=[{"code":"Conflict","message":"{\r\n  \"error\": {\r\n    \"code\": \"ApplicationGatewayInsufficientPermissionOnSubnet\",\r\n    \"message\": \"Client with object id d0ba9abb-427c-450b-9bfb-30689a03c3d4 does not have permission on the Virtual Network resource /subscriptions/9b70acd9-975f-44ba-bad6-255a2c8bda37/resourceGroups/istio-aks-westeurope/providers/Microsoft.Network/virtualNetworks/istio-aks-westeurope/subnets/user to perform action Microsoft.Network/virtualNetworks/subnets/join/action. For details on the required permissions, please visit https://aka.ms/agsubnetjoin.\",\r\n    \"details\": []\r\n  }\r\n}"}]

The problem seems to be there only for the user subnet.

[zioproto]

Next steps:

• The application_gateway_for_ingress object should have Optional ID.
• The old variables ingress_application_gateway_enabled ingress_application_gateway_name ingress_application_gateway_subnet_cidr ingress_application_gateway_subnet_id will be removed and will go into the application_gateway_for_ingress object
• The role assignments will be created both in the scenario where the customer brings his own application gateway with an existing ID, and in the scenario where the customer only gives a name, and the application gateway is created by the AGIC Pod in the AKS control plane.

[github-actions]

Potential Breaking Changes in d5a2de4:
[delete] "Variables.ingress_application_gateway_subnet_cidr.Name" from 'ingress_application_gateway_subnet_cidr' to ''
[delete] "Variables.ingress_application_gateway_name.Name" from 'ingress_application_gateway_name' to ''
[delete] "Variables.ingress_application_gateway_enabled.Name" from 'ingress_application_gateway_enabled' to ''
[delete] "Variables.ingress_application_gateway_subnet_id.Name" from 'ingress_application_gateway_subnet_id' to ''
[delete] "Variables.ingress_application_gateway_id.Name" from 'ingress_application_gateway_id' to ''
[update] "Variables.maintenance_window.Type" from 'object({
allowed = optional(list(object({
day = string
hours = set(number)
})), []),
not_allowed = optional(list(object({
end = string
start = string
})), []),
})' to 'object({
allowed = optional(list(object({
day = string
hours = set(number)
})), [
]),
not_allowed = optional(list(object({
end = string
start = string
})), []),
})'

[github-actions]

Potential Breaking Changes in e388792:
[delete] "Variables.ingress_application_gateway_subnet_id.Name" from 'ingress_application_gateway_subnet_id' to ''
[delete] "Variables.ingress_application_gateway_name.Name" from 'ingress_application_gateway_name' to ''
[delete] "Variables.ingress_application_gateway_id.Name" from 'ingress_application_gateway_id' to ''
[delete] "Variables.ingress_application_gateway_subnet_cidr.Name" from 'ingress_application_gateway_subnet_cidr' to ''
[delete] "Variables.ingress_application_gateway_enabled.Name" from 'ingress_application_gateway_enabled' to ''
[update] "Variables.maintenance_window.Type" from 'object({
allowed = optional(list(object({
day = string
hours = set(number)
})), []),
not_allowed = optional(list(object({
end = string
start = string
})), []),
})' to 'object({
allowed = optional(list(object({
day = string
hours = set(number)
})), [
]),
not_allowed = optional(list(object({
end = string
start = string
})), []),
})'

[github-actions]

Potential Breaking Changes in b577a56:
[delete] "Variables.ingress_application_gateway_id.Name" from 'ingress_application_gateway_id' to ''
[delete] "Variables.ingress_application_gateway_subnet_id.Name" from 'ingress_application_gateway_subnet_id' to ''
[delete] "Variables.ingress_application_gateway_enabled.Name" from 'ingress_application_gateway_enabled' to ''
[delete] "Variables.ingress_application_gateway_name.Name" from 'ingress_application_gateway_name' to ''
[delete] "Variables.ingress_application_gateway_subnet_cidr.Name" from 'ingress_application_gateway_subnet_cidr' to ''
[update] "Variables.maintenance_window.Type" from 'object({
allowed = optional(list(object({
day = string
hours = set(number)
})), []),
not_allowed = optional(list(object({
end = string
start = string
})), []),
})' to 'object({
allowed = optional(list(object({
day = string
hours = set(number)
})), [
]),
not_allowed = optional(list(object({
end = string
start = string
})), []),
})'

[lonegunmanb]

Hi @zioproto would you please give this pr another review? Thanks!

[github-actions]

Potential Breaking Changes in 399ab35:
[delete] "Variables.ingress_application_gateway_enabled.Name" from 'ingress_application_gateway_enabled' to ''
[delete] "Variables.ingress_application_gateway_subnet_cidr.Name" from 'ingress_application_gateway_subnet_cidr' to ''
[delete] "Variables.ingress_application_gateway_subnet_id.Name" from 'ingress_application_gateway_subnet_id' to ''
[delete] "Variables.ingress_application_gateway_id.Name" from 'ingress_application_gateway_id' to ''
[delete] "Variables.ingress_application_gateway_name.Name" from 'ingress_application_gateway_name' to ''
[update] "Variables.maintenance_window.Type" from 'object({
allowed = optional(list(object({
day = string
hours = set(number)
})), []),
not_allowed = optional(list(object({
end = string
start = string
})), []),
})' to 'object({
allowed = optional(list(object({
day = string
hours = set(number)
})), [
]),
not_allowed = optional(list(object({
end = string
start = string
})), []),
})'