Use the actual cluster identity for the role assignment

Azure · Sep 23, 2024 · 46a794c · 46a794c
1 parent 48593d0
commit 46a794c
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -62,6 +62,7 @@ The following resources are used by this module:
 - [random_uuid.telemetry](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) (resource)
 - [azurerm_client_config.telemetry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) (data source)
 - [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) (data source)
+- [azurerm_user_assigned_identity.cluster_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) (data source)
 - [local_file.compute_provider](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) (data source)
 - [local_file.locations](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) (data source)
 - [modtm_module_source.telemetry](https://registry.terraform.io/providers/Azure/modtm/latest/docs/data-sources/module_source) (data source)

diff --git a/main.tf b/main.tf
@@ -35,10 +35,15 @@ data "azurerm_resource_group" "this" {
   name = var.resource_group_name
 }
 
+data "azurerm_user_assigned_identity" "cluster_identity" {
+  name                = split("/", one(azurerm_kubernetes_cluster.this.identity[0].identity_ids))[8]
+  resource_group_name = data.azurerm_resource_group.this.name
+}
+
 resource "azurerm_role_assignment" "network_contributor_on_resource_group" {
   #  Use the principal_id from the user assigned identity if it exists, otherwise use the principal_id from the AKS cluster
   #  reference https://github.com/Azure/terraform-azurerm-aks/blob/decb533e2785f965673698b0ac9949faca963f68/role_assignments.tf#L27
-  principal_id         = azurerm_kubernetes_cluster.this.identity[0].principal_id
+  principal_id         = data.azurerm_user_assigned_identity.cluster_identity.principal_id
   scope                = data.azurerm_resource_group.this.id
   role_definition_name = "Network Contributor"
 }