From 5e255660cb828f64d9370b55bb69d6f72de95704 Mon Sep 17 00:00:00 2001
From: Saverio Proto
Date: Tue, 5 Nov 2024 10:49:51 +0100
Subject: [PATCH 1/2] Make the Azure Key Vault public because private Key Vault requires preview API Running Microsoft Terraform module AKS end to end tests I get this new error message I have never seen before from the ARM API: https://github.com/Azure/terraform-azurerm-aks/actions/runs/11665268834/job/32477571013?pr=598#step:3:6605 HTTP 400 "Vnet integration should be enabled when KeyVault network access is Private." I believe this is the root cause: https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption#prerequisites ( See yellow warning box) However Vnet Integration is still preview as far as I know. Terraform provider azurerm V4 will not support preview features. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/4.0-upgrade-guide#aks-migration-to-stable-api
---
 examples/named_cluster/key_vault.tf | 2 +-
 examples/named_cluster/main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/named_cluster/key_vault.tf b/examples/named_cluster/key_vault.tf
index 6462406d..db72e55f 100644
--- a/examples/named_cluster/key_vault.tf
+++ b/examples/named_cluster/key_vault.tf
@@ -29,7 +29,7 @@ resource "azurerm_key_vault" "des_vault" {
 network_acls {
 bypass = "AzureServices"
- default_action = "Deny"
+ default_action = "Allow"
 ip_rules = [local.public_ip]
 }
 }
diff --git a/examples/named_cluster/main.tf b/examples/named_cluster/main.tf
index 1c1659d8..d51a0211 100644
--- a/examples/named_cluster/main.tf
+++ b/examples/named_cluster/main.tf
@@ -97,7 +97,7 @@ module "aks_cluster_name" {
 # KMS etcd encryption
 kms_enabled = true
 kms_key_vault_key_id = azurerm_key_vault_key.kms.id
- kms_key_vault_network_access = "Private"
+ kms_key_vault_network_access = "Public"
 depends_on = [
 azurerm_key_vault_access_policy.kms,
From 1cd4e6c8ad53fbfe566fc41bc33c08640da5b2a7 Mon Sep 17 00:00:00 2001
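Review bot: In the `network_acls` block of `azurerm_key_vault.des_vault`, setting `default_action = "Allow"` opens the vault to every network, so the `ip_rules = [local.public_ip]` and `bypass = "AzureServices"` lines left beside it no longer restrict anything and read as if an allow-list were still in force. Because this is an example that users copy, the relaxation should be stated where it happens, e.g. `# "Allow" is a workaround: KMS with a "Private" vault needs VNet integration (preview); ip_rules has no effect while this is "Allow"`. The `main.tf` hunk has the same gap, and `kms_key_vault_network_access = "Public"` could carry `# "Public" until VNet integration is available in the stable API; restore "Private" together with default_action = "Deny"`. With both settings relaxed, protection of the etcd KMS key presumably rests on the vault's access policies alone (which vault holds `azurerm_key_vault_key.kms` is not visible here), so it is worth confirming those are scoped to the identities that need them. Both enclosing blocks extend outside the hunks.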
From: Saverio Proto
Date: Wed, 6 Nov 2024 10:12:38 +0100
Subject: [PATCH 2/2] Bump terraform-module-test-helper to v0.27.0
---
 test/go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/go.mod b/test/go.mod
index a914e5cc..a8afb8b3 100644
--- a/test/go.mod
+++ b/test/go.mod
@@ -5,7 +5,7 @@ go 1.22.0
 toolchain go1.22.5
 require (
- github.com/Azure/terraform-module-test-helper v0.26.0
+ github.com/Azure/terraform-module-test-helper v0.27.0
 github.com/gruntwork-io/terratest v0.47.1
 github.com/hashicorp/go-retryablehttp v0.7.7
 github.com/stretchr/testify v1.9.0