This repository has been archived by the owner on Sep 22, 2022. It is now read-only.

Merge pull request #1 from FairwindsOps/fix-admin-consent
Fix AAD privs in cluster module
bambash authored Feb 5, 2020
2 parents 5d505e9 + 600a0e2 commit 5315a72
Showing 2 changed files with 9 additions and 15 deletions.
4 changes: 2 additions & 2 deletions aks_cluster/README.md
@@ -1,5 +1,5 @@
# AKS Cluster
This module provisions an AKS cluster within Azure. By default, this module will provision three AAD Applications and tie the cluster to Azure Active Directory. A `clusteradmin` group is created in AAD, where AKS administrators can be added.
This module provisions an AKS cluster within Azure. By default, this module will provision three AAD Applications and tie the cluster to Azure Active Directory. A `clusteradmin` group is created in AAD, where AKS administrators can be added. If your AZ account does not have AAD privileges, Terraform will exit with an error. An AAD administrator will need to approve the API request, then Terraform can be run again.

## Requirements

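Review bot: the added README sentence says Terraform "will exit with an error" without AAD privileges but does not say which step fails or what the administrator is being asked to approve; name the step (the `az ad app permission admin-consent` call on the server application, run from the `grant_server_application_privs` resource in `aad.tf`) and state that re-running `terraform apply` after consent is granted is expected and safe, so the operator knows where to look and what to ask the AAD administrator for.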
@@ -8,7 +8,7 @@ This module provisions an AKS cluster within Azure. By default, this module will
- Logged into the Azure cli
- Azure resource group
- Azure virtual network and subnet
- Azure AAD Admin
- Azure AAD Admin Privilges

## Example Usage
```
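Review bot: typo on the changed requirements line: `Privilges` should be `Privileges`.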
20 changes: 7 additions & 13 deletions aks_cluster/aad.tf
@@ -116,7 +116,8 @@ resource "azuread_group" "aks-aad-clusteradmins" {
# We need to wait for service principals to propagate in Azure
resource "null_resource" "delay_after_sp_created" {
provisioner "local-exec" {
command = "sleep 60"
interpreter = ["bash", "-c"]
command = "sleep 60"
}
depends_on = [
azuread_service_principal.server_sp,
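Review bot: adding `interpreter = ["bash", "-c"]` to `delay_after_sp_created` (and to the other two `local-exec` provisioners in this file) makes bash a hard requirement for whoever runs the module, which the README Requirements list does not mention; add it next to the Azure CLI entry. The fixed `sleep 60` is also a guess at propagation time rather than a check: if the service principals take longer to appear, the admin-consent step that depends on this resource fails and needs another apply.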
@@ -128,15 +129,8 @@ resource "null_resource" "delay_after_sp_created" {
# Terraform does not provide a way to override Admin consent, we need to shell out to az cli
resource "null_resource" "grant_server_application_privs" {
provisioner "local-exec" {
command = "az ad app permission admin-consent --id ${azuread_application.ad_server_application.application_id}"
}
depends_on = [
null_resource.delay_after_sp_created
]
}
resource "null_resource" "grant_client_application_privs" {
provisioner "local-exec" {
command = "az ad app permission admin-consent --id ${azuread_application.ad_client_application.application_id}"
interpreter = ["bash", "-c"]
command = "GRANTS=$(az ad app permission list-grants --id ${azuread_application.ad_server_application.application_id}); if [[ $GRANTS == \"[]\" ]]; then az ad app permission admin-consent --id ${azuread_application.ad_server_application.application_id}; else true; fi"
}
depends_on = [
null_resource.delay_after_sp_created
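Review bot: the new `list-grants` check swallows failures: `GRANTS=$(...)` does not stop the script when `az ad app permission list-grants` exits non-zero, the empty output is not equal to `"[]"`, so control falls through to `else true` and the resource reports success without `admin-consent` ever running, which contradicts the README's promise of a visible error. Prefix the command with `set -euo pipefail;` and make the script exit non-zero when `list-grants` fails. The literal comparison against `"[]"` is also brittle because it depends on the CLI printing an empty array exactly that way; `az ad app permission list-grants --id ... --query 'length(@)' -o tsv` and a numeric test against `0` is more robust. Separately, this hunk deletes `grant_client_application_privs` outright, and neither the commit message nor a comment in the file says why the client application no longer needs consent; record that in the file or the PR description.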
@@ -146,10 +140,10 @@ resource "null_resource" "grant_client_application_privs" {
# Wait for privs to propagate
resource "null_resource" "consent_delay" {
provisioner "local-exec" {
command = "sleep 60"
interpreter = ["bash", "-c"]
command = "sleep 60"
}
depends_on = [
null_resource.grant_server_application_privs,
null_resource.grant_client_application_privs
null_resource.grant_server_application_privs
]
}
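Review bot: `consent_delay` still sleeps 60 seconds unconditionally, including on the re-run where `grant_server_application_privs` finds an existing grant and does nothing; fold the sleep into the `if` branch of the consent script so the wait only happens after a grant is actually issued, and `consent_delay` can be dropped along with the `depends_on` edit here.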
