Description
Is your feature request related to a problem? Please describe.
I would like to create my own application gateway for containers using IaC and use the AKS Managed Addon "application-load-balancer" for deploying the Helm Chart.
At the moment this addon also creates an identity which shouldn't be modified.
Optional: Set the appropriate GitHub label(s) to indicate the AKS feature or area your feature request relates to.
I cannot do that

Describe the solution you'd like
I would like to use my own user assigned managed identity, because my application gateway for containers and my vnet are both in different resource groups than the aks infrastructure resource group.
Describe alternatives you've considered
Creating the role assignments to the identity created by the addon myself.
```hcl
# Look up the identity the "application-load-balancer" add-on created in the
# cluster's infrastructure (node) resource group.
data "azurerm_user_assigned_identity" "alb_addon" {
  name                = "applicationloadbalancer-${local.cluster_name}"
  resource_group_name = local.cluster_infrastructure_resource_group_name
}

# Let the add-on identity manage networking in the (separate) VNet resource group.
resource "azurerm_role_assignment" "alb_addon_network_contributor" {
  principal_id         = data.azurerm_user_assigned_identity.alb_addon.principal_id
  role_definition_name = "Network Contributor"
  scope                = var.cluster_config.network.vnet_resource_id
}

# Let the add-on identity configure the Application Gateway for Containers.
resource "azurerm_role_assignment" "alb_addon_appgw_configuration_manager" {
  principal_id         = data.azurerm_user_assigned_identity.alb_addon.principal_id
  role_definition_name = "AppGw for Containers Configuration Manager"
  scope                = module.gateway.resource_id
}
```

I would not like to do this because:
A: "It is unsupported to modify the identity or namespace when provisioning integration with the add-on. If you wish to customize your deployment, consider deployment with helm."
B: The node infrastructure resource group shouldn't be configured.
Additional context
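As an added example (not code from the issue or the AKS project): a shell check that the add-on identity holds exactly the two role assignments the Terraform above grants and nothing else, so that privilege drift on an identity that must stay unmodified is caught. `ALB_PRINCIPAL_ID`, `VNET_ID` and `AGC_ID` are assumed placeholders you supply; `az role assignment list` is the real CLI command.

```shell
#!/usr/bin/env bash
# Added example, not from the issue or the AKS project. Compares the role
# assignments the add-on's managed identity actually holds with the two the
# Terraform above intends, and reports any extra or missing assignment.
# Assumes a logged-in `az` CLI; ALB_PRINCIPAL_ID, VNET_ID and AGC_ID are
# placeholders you set before running.

# Expected assignments as "<role>TAB<scope>" lines (the two roles from the issue).
expected_assignments() {
  printf 'Network Contributor\t%s\n' "$VNET_ID"
  printf 'AppGw for Containers Configuration Manager\t%s\n' "$AGC_ID"
}

# Actual assignments for the principal, in the same "<role>TAB<scope>" shape.
actual_assignments() {
  az role assignment list --assignee "$1" --all \
    --query "[].[roleDefinitionName, scope]" -o tsv
}

# Line-by-line set comparison: prints MISSING/UNEXPECTED lines and returns 1
# when the lists differ, 0 when the identity holds exactly what is expected.
compare_assignments() {
  local expected="$1" actual="$2" line rc=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if ! printf '%s\n' "$actual" | grep -qFx -- "$line"; then
      echo "MISSING: $line"; rc=1
    fi
  done <<EOF
$expected
EOF
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if ! printf '%s\n' "$expected" | grep -qFx -- "$line"; then
      echo "UNEXPECTED: $line"; rc=1
    fi
  done <<EOF
$actual
EOF
  return "$rc"
}

# Only talks to Azure when the placeholder is set, so the functions above can
# also be exercised offline with constructed input.
if [ -n "${ALB_PRINCIPAL_ID:-}" ]; then
  compare_assignments "$(expected_assignments)" "$(actual_assignments "$ALB_PRINCIPAL_ID")"
fi
```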