1
votes

I am creating a terraform plan to set up some resources (among others an AKS cluster) in Azure. For the use of the cluster, I've created a service principal that is allowed the "acrpull" role with the docker registry (I did that using the innovationnorway/service-principal/azuread module, while for everything else I created my own stuff).

As my next step, I need to assign a "Network Contributor" role for this service principal on the resource group (which I also create) -> basically to replicate the assignment suggested here.

For that I am doing this

```hcl
resource "azurerm_role_assignment" "network_contributor" {
  scope                = module.resource_group.resource_group_id
  role_definition_name = "Network Contributor"
  principal_id         = module.service_principal.object_id
}
```

However, I am not seeing the expected results (e.g. the cluster being able to use a static IP created in my main resource group from the RG automatically created for the cluster).

Am I doing something wrong? I am not getting errors and the cluster is able to access the registry, for example.

Thanks!

Comments:

- When debugging things like this I find it useful to create one manually as you expect it to appear and then compare the one that's right with the one that terraform creates. You can easily compare the two using the "export template" option in Azure. – Liam
- Well, it's impossible to know, since it's using some random outputs from some modules, so how are we supposed to know why it doesn't work? – 4c74356b41
- Also make sure you're using the latest Azure provider. – Liam
- @Liam great idea to use the manual export, thanks. – Andrei Dascalu

1 Answer

1
votes

Seems that in this case the solution was to add a "depends_on" block to ensure it follows the SP.
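The fix from the answer written out against the question's resource, as an added example rather than the poster's own configuration; it assumes the `module.resource_group` and `module.service_principal` names from the question and Terraform 0.13 or later (module references inside `depends_on`):

```hcl
# Added example, not the original poster's code: the role assignment from the
# question plus the explicit dependency the answer describes.
resource "azurerm_role_assignment" "network_contributor" {
  # Keep the scope at the resource group, not the subscription: the cluster
  # only needs network rights where the static IP lives.
  scope                = module.resource_group.resource_group_id
  role_definition_name = "Network Contributor"
  principal_id         = module.service_principal.object_id

  # The reference to object_id above only ties this resource to that one
  # output. depends_on waits for the whole service principal module to finish
  # before the assignment is created (Terraform 0.13+ syntax assumed).
  depends_on = [module.service_principal]
}
```

After `terraform apply`, `az role assignment list --assignee <sp-object-id> --scope <resource-group-id>` should show the Network Contributor entry, which can also be compared with a manual assignment via the portal's export template as Liam suggested.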