diff --git a/.checkov_config.yaml b/.checkov_config.yaml index 76ef7797..eeccc4b0 100644 --- a/.checkov_config.yaml +++ b/.checkov_config.yaml @@ -11,9 +11,16 @@ quiet: true secrets-scan-file-type: [] skip-check: - CKV_GHA_3 + - CKV_AZURE_5 - CKV_AZURE_112 + - CKV_AZURE_115 + - CKV_AZURE_116 - CKV_AZURE_168 - CKV_AZURE_170 + - CKV_AZURE_139 + - CKV_AZURE_165 + - CKV_AZURE_166 + - CKV_AZURE_164 skip-framework: - dockerfile summary-position: top diff --git a/README.md b/README.md index d5bdc1ef..59490fa4 100644 --- a/README.md +++ b/README.md @@ -263,6 +263,7 @@ No modules. | [azurerm_kubernetes_cluster.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) | resource | | [azurerm_log_analytics_solution.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution) | resource | | [azurerm_log_analytics_workspace.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource | +| [azurerm_role_assignment.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | [tls_private_key.ssh](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | | [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | 
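Review bot: Seven new CKV_AZURE entries land in the repository-wide `skip-check` list with no recorded reason, so these suppressions apply to every resource in the module and will outlive whatever motivated them. They appear to have been added for the new `examples/with_acr` example (which sets `rbac_aad = false` and creates a Premium registry with no further hardening), but that cannot be confirmed from the config itself. Record the reason and scope next to each ID, e.g. `- CKV_AZURE_139 # <reason>; needed by examples/with_acr only`, or prefer resource-scoped inline suppressions (`#checkov:skip=CKV_AZURE_139:<reason>`) on the example resources so the module's own resources stay covered by the scan.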
@@ -284,6 +285,7 @@ No modules.
 | [agents\_tags](#input\_agents\_tags) | (Optional) A mapping of tags to assign to the Node Pool. | `map(string)` | `{}` | no |
 | [agents\_type](#input\_agents\_type) | (Optional) The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets. | `string` | `"VirtualMachineScaleSets"` | no |
 | [api\_server\_authorized\_ip\_ranges](#input\_api\_server\_authorized\_ip\_ranges) | (Optional) The IP ranges to allow for incoming traffic to the server nodes. | `set(string)` | `null` | no |
+| [attached\_acr\_id\_map](#input\_attached\_acr\_id\_map) | Azure Container Registry ids that need an authentication mechanism with Azure Kubernetes Service (AKS). Map key must be static string as acr's name, the value is acr's resource id. Changing this forces some new resources to be created. | `map(string)` | `{}` | no |
 | [auto\_scaler\_profile\_balance\_similar\_node\_groups](#input\_auto\_scaler\_profile\_balance\_similar\_node\_groups) | Detect similar node groups and balance the number of nodes between them. Defaults to `false`. | `bool` | `false` | no |
 | [auto\_scaler\_profile\_empty\_bulk\_delete\_max](#input\_auto\_scaler\_profile\_empty\_bulk\_delete\_max) | Maximum number of empty nodes that can be deleted at the same time. Defaults to `10`. | `number` | `10` | no |
 | [auto\_scaler\_profile\_enabled](#input\_auto\_scaler\_profile\_enabled) | Enable configuring the auto scaler profile | `bool` | `false` | no |
diff --git a/examples/with_acr/main.tf b/examples/with_acr/main.tf
new file mode 100644
index 00000000..7f64b0f2
--- /dev/null
+++ b/examples/with_acr/main.tf
@@ -0,0 +1,69 @@
+resource "random_id" "prefix" {
+ byte_length = 8
+}
+
+resource "azurerm_resource_group" "main" {
+ count = var.create_resource_group ? 1 : 0
+
+ location = var.location
+ name = coalesce(var.resource_group_name, "${random_id.prefix.hex}-rg")
+}
+
+locals {
+ resource_group = {
+ name = var.create_resource_group ? azurerm_resource_group.main[0].name : var.resource_group_name
+ location = var.location
+ }
+}
+
+resource "azurerm_virtual_network" "test" {
+ address_space = ["10.52.0.0/16"]
+ location = local.resource_group.location
+ name = "${random_id.prefix.hex}-vn"
+ resource_group_name = local.resource_group.name
+}
+
+resource "azurerm_subnet" "test" {
+ address_prefixes = ["10.52.0.0/24"]
+ name = "${random_id.prefix.hex}-sn"
+ resource_group_name = local.resource_group.name
+ virtual_network_name = azurerm_virtual_network.test.name
+ enforce_private_link_endpoint_network_policies = true
+}
+
+resource "random_string" "acr_suffix" {
+ length = 8
+ upper = false
+ numeric = true
+ special = false
+}
+
+resource "azurerm_container_registry" "example" {
+ location = local.resource_group.location
+ name = "aksacrtest${random_string.acr_suffix.result}"
+ resource_group_name = local.resource_group.name
+ sku = "Premium"
+
+ retention_policy {
+ days = 7
+ enabled = true
+ }
+}
+
+module "aks" {
+ source = "../.."
+
+ prefix = "prefix-${random_id.prefix.hex}"
+ resource_group_name = local.resource_group.name
+ kubernetes_version = "1.24" # don't specify the patch version!
+ automatic_channel_upgrade = "patch"
+ attached_acr_id_map = {
+ example = azurerm_container_registry.example.id
+ }
+ network_plugin = "azure"
+ network_policy = "azure"
+ os_disk_size_gb = 60
+ sku_tier = "Paid"
+ rbac_aad = false
+ vnet_subnet_id = azurerm_subnet.test.id
+}
\ No newline at end of file
diff --git a/examples/with_acr/outputs.tf b/examples/with_acr/outputs.tf
new file mode 100644
index 00000000..e69de29b
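Review bot: `rbac_aad = false` in the `module "aks"` block disables AAD-integrated RBAC in what will be copied as the reference example for ACR integration, and nothing says why; a one-line comment such as `rbac_aad = false # keeps the example self-contained; keep AAD RBAC enabled in real clusters` would stop the setting propagating by copy-paste. Likewise `enforce_private_link_endpoint_network_policies = true` on `azurerm_subnet.test` disables private-endpoint network policies, yet as far as I can see the example creates no private endpoint, so it looks carried over from another example; if it is not needed, drop it, and note that I believe azurerm 3.x already deprecates this argument in favor of `private_endpoint_network_policies_enabled`. The file also lacks a trailing newline.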
diff --git a/examples/with_acr/providers.tf b/examples/with_acr/providers.tf
new file mode 100644
index 00000000..02570a54
--- /dev/null
+++ b/examples/with_acr/providers.tf
@@ -0,0 +1,23 @@
+terraform {
+ required_version = ">=1.2"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">= 3.40, < 4.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "3.3.2"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false
+ }
+ }
+}
+
+provider "random" {}
\ No newline at end of file
diff --git a/examples/with_acr/variables.tf b/examples/with_acr/variables.tf
new file mode 100644
index 00000000..d9a1ed26
--- /dev/null
+++ b/examples/with_acr/variables.tf
@@ -0,0 +1,14 @@
+variable "create_resource_group" {
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "location" {
+ default = "eastus"
+}
+
+variable "resource_group_name" {
+ type = string
+ default = null
+}
\ No newline at end of file
diff --git a/main.tf b/main.tf
index bcb57717..07f57e1c 100644
--- a/main.tf
+++ b/main.tf
@@ -336,3 +336,12 @@ resource "azurerm_log_analytics_solution" "main" {
 publisher = "Microsoft"
 }
 }
+
+resource "azurerm_role_assignment" "acr" {
+ for_each = var.attached_acr_id_map
+
+ principal_id = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id
+ scope = each.value
+ role_definition_name = "AcrPull"
+ skip_service_principal_aad_check = true
+}
\ No newline at end of file
diff --git a/test/e2e/terraform_aks_test.go b/test/e2e/terraform_aks_test.go
index d07ef740..3698fea1 100644
--- a/test/e2e/terraform_aks_test.go
+++ b/test/e2e/terraform_aks_test.go
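Review bot: `variable "location"` in `examples/with_acr/variables.tf` declares neither `type` nor `description`, while its two siblings in the same file at least constrain the type; add `type = string` so a wrong value fails at plan time with a clear message rather than inside the provider.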
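Review bot: `azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id` in the new `azurerm_role_assignment.acr` resource indexes the kubelet identity unconditionally, so a cluster that exposes no kubelet identity combined with a non-empty `attached_acr_id_map` fails with an index error instead of a clear message; the cluster resource is outside this diff, so I cannot tell whether the module still allows a configuration without a managed identity, but if it does, a `lifecycle { precondition { ... } }` on this resource (Terraform 1.2+) or a `validation` on the variable should state the managed-identity requirement explicitly. `skip_service_principal_aad_check = true` also deserves a why-comment, e.g. `# the kubelet identity is created in the same apply; skip the AAD lookup so replication lag does not fail the assignment`. Granting only `AcrPull` at the scope of each registry id is the right least-privilege choice, and a short header comment saying so (`# Grants the cluster's kubelet identity pull-only access to each registry in var.attached_acr_id_map`) would make the intent explicit.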
@@ -88,3 +88,9 @@ func TestExamplesNamedCluster(t *testing.T) {
 assert.Regexp(t, regexp.MustCompile("/subscriptions/.+/resourceGroups/.+/providers/Microsoft.ManagedIdentity/userAssignedIdentities/.+"), identityIdsArray[0])
 })
 }
+
+func TestExamplesWithACR(t *testing.T) {
+ test_helper.RunE2ETest(t, "../../", "examples/with_acr", terraform.Options{
+ Upgrade: true,
+ }, nil)
+}
diff --git a/test/upgrade/upgrade_test.go b/test/upgrade/upgrade_test.go
index 5582693b..8b3e6413 100644
--- a/test/upgrade/upgrade_test.go
+++ b/test/upgrade/upgrade_test.go
@@ -74,3 +74,17 @@ func TestExampleUpgrade_named_cluster(t *testing.T) {
 Vars: vars,
 }, currentMajorVersion)
 }
+
+func TestExampleUpgrade_withACR(t *testing.T) {
+ currentRoot, err := test_helper.GetCurrentModuleRootPath()
+ if err != nil {
+ t.FailNow()
+ }
+ currentMajorVersion, err := test_helper.GetCurrentMajorVersionFromEnv()
+ if err != nil {
+ t.FailNow()
+ }
+ test_helper.ModuleUpgradeTest(t, "Azure", "terraform-azurerm-aks", "examples/with_acr", currentRoot, terraform.Options{
+ Upgrade: true,
+ }, currentMajorVersion)
+}
diff --git a/variables.tf b/variables.tf
index 2467808f..b0fd513e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -93,6 +93,13 @@ variable "api_server_authorized_ip_ranges" {
 default = null
 }
+variable "attached_acr_id_map" {
+ type = map(string)
+ description = "Azure Container Registry ids that need an authentication mechanism with Azure Kubernetes Service (AKS). Map key must be static string as acr's name, the value is acr's resource id. Changing this forces some new resources to be created."
+ default = {}
+ nullable = false
+}
+
 variable "auto_scaler_profile_balance_similar_node_groups" {
 description = "Detect similar node groups and balance the number of nodes between them. Defaults to `false`."
 type = bool
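Review bot: `TestExamplesWithACR` passes `nil` as the last argument to `test_helper.RunE2ETest`, so unlike `TestExamplesNamedCluster` above it only proves the example applies and destroys; nothing checks that the AcrPull assignment actually targets the example registry. Since `examples/with_acr/outputs.tf` is added empty in this same commit, there is nothing to assert against yet; exposing the registry id (`azurerm_container_registry.example.id`) and the assignment scope as example outputs, then asserting they match inside the callback the way the named-cluster test does, would give the test a real check. I am inferring the callback role of the last parameter from the sibling test's closure; confirm against the `RunE2ETest` signature.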
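Review bot: Both `if err != nil { t.FailNow() }` blocks in `TestExampleUpgrade_withACR` discard the error, so a failure from `GetCurrentModuleRootPath` or `GetCurrentMajorVersionFromEnv` leaves no diagnostic in the test log. Replace them with `t.Fatalf("getting module root path: %v", err)` and `t.Fatalf("reading current major version from env: %v", err)` respectively. The sibling `TestExampleUpgrade_named_cluster` starts outside the hunk, so I cannot tell whether it has the same pattern and should be fixed alongside.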
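Review bot: The values of `attached_acr_id_map` become the `scope` of an `AcrPull` role assignment unchanged (see the `azurerm_role_assignment.acr` hunk in `main.tf`), and nothing constrains them to registry ids, so a subscription or resource-group id passed by mistake silently grants the kubelet identity pull rights at that wider scope. A `validation` block that requires each value to look like a `Microsoft.ContainerRegistry/registries` resource id turns that mistake into a plan-time error. The description could also state that the principal being granted access is the cluster's kubelet identity, which is what a caller needs to know when deciding whether to use this variable.
```hcl
variable "attached_acr_id_map" {
  # … unchanged: type, description, default, nullable …

  validation {
    condition = alltrue([
      for id in values(var.attached_acr_id_map) :
      can(regex("(?i)^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\.ContainerRegistry/registries/[^/]+$", id))
    ])
    error_message = "Every value of attached_acr_id_map must be an Azure Container Registry resource id."
  }
}
```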