Use UserAssigned Identity for AKS cluster (#1259)

go.mod

@@ -19,8 +19,9 @@ require (
 	github.com/pulumi/pulumi-azure-native-sdk/authorization/v2 v2.67.0
 	github.com/pulumi/pulumi-azure-native-sdk/compute/v2 v2.56.0
 	github.com/pulumi/pulumi-azure-native-sdk/containerservice/v2 v2.67.0
+	github.com/pulumi/pulumi-azure-native-sdk/managedidentity/v2 v2.73.1
 	github.com/pulumi/pulumi-azure-native-sdk/network/v2 v2.67.0
-	github.com/pulumi/pulumi-azure-native-sdk/v2 v2.67.0
+	github.com/pulumi/pulumi-azure-native-sdk/v2 v2.73.1
 	github.com/pulumi/pulumi-command/sdk v1.0.1
 	github.com/pulumi/pulumi-docker/sdk/v4 v4.5.5
 	github.com/pulumi/pulumi-eks/sdk/v2 v2.7.8
@@ -30,7 +31,7 @@ require (
 	github.com/pulumi/pulumi-libvirt/sdk v0.4.7
 	github.com/pulumi/pulumi-random/sdk/v4 v4.16.6
 	github.com/pulumi/pulumi-tls/sdk/v4 v4.11.1
-	github.com/pulumi/pulumi/sdk/v3 v3.137.0
+	github.com/pulumi/pulumi/sdk/v3 v3.140.0
 	github.com/pulumiverse/pulumi-time/sdk v0.1.0
 	github.com/samber/lo v1.47.0
 	github.com/stretchr/testify v1.9.0

go.sum

@@ -216,10 +216,12 @@ github.com/pulumi/pulumi-azure-native-sdk/compute/v2 v2.56.0 h1:MFOd6X9FPlixzriy
 github.com/pulumi/pulumi-azure-native-sdk/compute/v2 v2.56.0/go.mod h1:453Ff5wNscroYfq+zxME7Nbt7HdZv+dh0zLZwLyGBws=
 github.com/pulumi/pulumi-azure-native-sdk/containerservice/v2 v2.67.0 h1:jvruQQSO1ESk7APFQ3mAge7C9SWKU9nbBHrilcyeSGU=
 github.com/pulumi/pulumi-azure-native-sdk/containerservice/v2 v2.67.0/go.mod h1:d5nmekK1mrjM9Xo/JGGVlAs7mqqftBo3DmKji+1zbmw=
+github.com/pulumi/pulumi-azure-native-sdk/managedidentity/v2 v2.73.1 h1:rkNZDAik+qlIhbmFoa09ln/oJMXey5+olw8ShmljgXc=
+github.com/pulumi/pulumi-azure-native-sdk/managedidentity/v2 v2.73.1/go.mod h1:P/N/xG2lVxsHdspmKjH+d8d4ln+2arXBmOl3zhjWnnw=
 github.com/pulumi/pulumi-azure-native-sdk/network/v2 v2.67.0 h1:r26Xl6FdOJnbLs1ny9ekuRjFxAocZK8jS8SLrgXKEFE=
 github.com/pulumi/pulumi-azure-native-sdk/network/v2 v2.67.0/go.mod h1:8yXZtmHe2Zet5pb8gZ7D730d0VAm4kYUdwCj7sjhz6g=
-github.com/pulumi/pulumi-azure-native-sdk/v2 v2.67.0 h1:FgfXLypiQ/DKWRPQpyNaftXcGl5HVgA93msBZTQ6Ddk=
-github.com/pulumi/pulumi-azure-native-sdk/v2 v2.67.0/go.mod h1:0y4wJUCX1eA3ZSn0jJIRXtHeJA7qgbPfkrR9qvj+5D4=
+github.com/pulumi/pulumi-azure-native-sdk/v2 v2.73.1 h1:yzXxwwq3tHdtSOi5vjKmKXq7HyKvDaKulF53MFTMbh8=
+github.com/pulumi/pulumi-azure-native-sdk/v2 v2.73.1/go.mod h1:ChjIUNDNeN6jI33ZOivHUFqM6purDiLP01mghMGe1Fs=
 github.com/pulumi/pulumi-command/sdk v1.0.1 h1:ZuBSFT57nxg/fs8yBymUhKLkjJ6qmyN3gNvlY/idiN0=
 github.com/pulumi/pulumi-command/sdk v1.0.1/go.mod h1:C7sfdFbUIoXKoIASfXUbP/U9xnwPfxvz8dBpFodohlA=
 github.com/pulumi/pulumi-docker/sdk/v4 v4.5.5 h1:7OjAfgLz5PAy95ynbgPAlWls5WBe4I/QW/61TdPWRlQ=
@@ -238,8 +240,8 @@ github.com/pulumi/pulumi-random/sdk/v4 v4.16.6 h1:M9BSF13bQxj74C61nBTVITrsgT6oRR
 github.com/pulumi/pulumi-random/sdk/v4 v4.16.6/go.mod h1:l5ew7S/G1GspPLH9KeWXqxQ4ZmS2hh2sEMv3bW9M3yc=
 github.com/pulumi/pulumi-tls/sdk/v4 v4.11.1 h1:tXemWrzeVTqG8zq6hBdv1TdPFXjgZ+dob63a/6GlF1o=
 github.com/pulumi/pulumi-tls/sdk/v4 v4.11.1/go.mod h1:hODo3iEmmXDFOXqPK+V+vwI0a3Ww7BLjs5Tgamp86Ng=
-github.com/pulumi/pulumi/sdk/v3 v3.137.0 h1:bxhYpOY7Z4xt+VmezEpHuhjpOekkaMqOjzxFg/1OhCw=
-github.com/pulumi/pulumi/sdk/v3 v3.137.0/go.mod h1:PvKsX88co8XuwuPdzolMvew5lZV+4JmZfkeSjj7A6dI=
+github.com/pulumi/pulumi/sdk/v3 v3.140.0 h1:+Z/RBvdYg7tBNkBwk4p/FzlV7niBT3TbLAICq/Y0LDU=
+github.com/pulumi/pulumi/sdk/v3 v3.140.0/go.mod h1:PvKsX88co8XuwuPdzolMvew5lZV+4JmZfkeSjj7A6dI=
 github.com/pulumiverse/pulumi-time/sdk v0.1.0 h1:xfi9HKDgV+GgDxQ23oSv9KxC3DQqViGTcMrJICRgJv0=
 github.com/pulumiverse/pulumi-time/sdk v0.1.0/go.mod h1:NUa1zA74DF002WrM6iF111A6UjX9knPpXufVRvBwNyg=
 github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=

resources/azure/aks/cluster.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/pulumi/pulumi-azure-native-sdk/authorization/v2"
 	"github.com/pulumi/pulumi-azure-native-sdk/containerservice/v2"
+	"github.com/pulumi/pulumi-azure-native-sdk/managedidentity/v2"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
@@ -37,6 +38,37 @@ func NewCluster(e azure.Environment, name string, kataNodePoolEnabled bool, opts
 	}
 
 	opts = append(opts, e.WithProviders(config.ProviderAzure))
+
+	// create a user assigned identity to use for the cluster
+	identity, err := managedidentity.NewUserAssignedIdentity(e.Ctx(), "identity", &managedidentity.UserAssignedIdentityArgs{
+		ResourceGroupName: pulumi.String(e.DefaultResourceGroup()),
+	}, opts...)
+	if err != nil {
+		return nil, pulumi.StringOutput{}, err
+	}
+
+	// assign Network Contributor role to the identity
+	nwcontributorRoleAssignment, err := authorization.NewRoleAssignment(e.Ctx(), "role-assignment", &authorization.RoleAssignmentArgs{
+		PrincipalId:      identity.PrincipalId,
+		PrincipalType:    pulumi.String("ServicePrincipal"),
+		Scope:            pulumi.Sprintf("/subscriptions/%s", e.DefaultSubscriptionID()),
+		RoleDefinitionId: pulumi.Sprintf("/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", e.DefaultSubscriptionID()), // Network Contributor built-in role
+	}, opts...)
+	if err != nil {
+		return nil, pulumi.StringOutput{}, err
+	}
+
+	// assign ACR Pull role to the identity
+	acrPullRoleAssignment, err := authorization.NewRoleAssignment(e.Ctx(), "role-assignment-acr", &authorization.RoleAssignmentArgs{
+		PrincipalId:      identity.PrincipalId,
+		Scope:            pulumi.String(e.DefaultContainerRegistry()),
+		PrincipalType:    pulumi.String("ServicePrincipal"),
+		RoleDefinitionId: pulumi.Sprintf("/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", e.DefaultSubscriptionID()), // AcrPull built-in role
+	}, opts...)
+	if err != nil {
+		return nil, pulumi.StringOutput{}, err
+	}
+
 	cluster, err := containerservice.NewManagedCluster(e.Ctx(), e.Namer.ResourceName(name), &containerservice.ManagedClusterArgs{
 		ResourceName:      e.CommonNamer().DisplayName(math.MaxInt, pulumi.String(name)),
 		ResourceGroupName: pulumi.String(e.DefaultResourceGroup()),
@@ -63,22 +95,14 @@ func NewCluster(e azure.Environment, name string, kataNodePoolEnabled bool, opts
 		NetworkProfile: containerservice.ContainerServiceNetworkProfileArgs{
 			NetworkPlugin: pulumi.String(containerservice.NetworkPluginKubenet),
 		},
-		Identity: containerservice.ManagedClusterIdentityArgs{
-			Type: containerservice.ResourceIdentityTypeSystemAssigned,
+		Identity: &containerservice.ManagedClusterIdentityArgs{
+			Type: containerservice.ResourceIdentityTypeUserAssigned,
+			UserAssignedIdentities: pulumi.StringArray{
+				identity.ID(),
+			},
 		},
 		Tags: e.ResourcesTags(),
-	}, opts...)
-	if err != nil {
-		return nil, pulumi.StringOutput{}, err
-	}
-	_, err = authorization.NewRoleAssignment(e.Ctx(), e.Namer.ResourceName(name), &authorization.RoleAssignmentArgs{
-		PrincipalId: cluster.IdentityProfile.ApplyT(func(identity map[string]containerservice.UserAssignedIdentityResponse) string {
-			return *identity["kubeletidentity"].ObjectId
-		}).(pulumi.StringOutput),
-		PrincipalType:    pulumi.String("ServicePrincipal"),
-		Scope:            pulumi.String(e.DefaultContainerRegistry()),
-		RoleDefinitionId: pulumi.Sprintf("/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", e.DefaultSubscriptionID()), // AcrPull built-in role
-	}, e.WithProviders(config.ProviderAzure))
+	}, append(opts, pulumi.DependsOn([]pulumi.Resource{nwcontributorRoleAssignment, acrPullRoleAssignment}))...)
 	if err != nil {
 		return nil, pulumi.StringOutput{}, err
 	}