Description
Hi team,
Per my understanding, the service API should create both the Kubernetes cluster and the Application Gateway when "ingressApplicationGateway.config.applicationGatewayName" is set. In practice, the Kubernetes cluster is created but the Application Gateway is not, and the service API does not return an error. The error is only visible in the activity log in the Azure Portal (copied below): it reports `ApplicationGatewayInsufficientPermissionOnSubnet`, i.e. the identity that provisions the Application Gateway lacks `Microsoft.Network/virtualNetworks/subnets/join/action` on the subnet passed in `subnetId`. It therefore appears that the service does not assign the required permission to the identity that deploys the Application Gateway before attempting to provision it, and that the failure is not surfaced through the API response. Could you take a look at this issue? Thanks.
Request Payload:
PUT https://management.azure.com/subscriptions/xx-xx-xx-xx-xx/resourceGroups/acctestRG-aks-test16/providers/Microsoft.ContainerService/managedClusters/acctestakstest16
{
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/xx-xx-xx-xx-xx/resourceGroups/acctestRG-aks-test16/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acctestuaitest16": {}
}
},
"location": "westeurope",
"properties": {
"addonProfiles": {
"ingressApplicationGateway": {
"config": {
"applicationGatewayName": "ingress-appgateway",
"subnetId": "/subscriptions/xx-xx-xx-xx-xx/resourceGroups/acctestRG-aks-test16/providers/Microsoft.Network/virtualNetworks/acctestvirtnettest16/subnets/acctestsubnettest16"
},
"enabled": true
}
},
"agentPoolProfiles": [
{
"count": 1,
"enableAutoScaling": false,
"enableCustomCATrust": false,
"enableEncryptionAtHost": false,
"enableFIPS": false,
"enableNodePublicIP": false,
"enableUltraSSD": false,
"kubeletDiskType": "",
"mode": "System",
"name": "default",
"nodeLabels": {},
"nodeTaints": [],
"osDiskType": "Managed",
"osType": "Linux",
"scaleDownMode": "Delete",
"tags": {},
"type": "VirtualMachineScaleSets",
"upgradeSettings": {},
"vmSize": "Standard_DS2_v2"
}
],
"apiServerAccessProfile": {
"authorizedIPRanges": [],
"disableRunCommand": false,
"enablePrivateCluster": false,
"enablePrivateClusterPublicFQDN": false
},
"autoUpgradeProfile": {
"upgradeChannel": "none"
},
"azureMonitorProfile": {
"metrics": {
"enabled": false
}
},
"disableLocalAccounts": false,
"dnsPrefix": "acctestakstest16",
"enableRBAC": true,
"kubernetesVersion": "",
"linuxProfile": {
"adminUsername": "acctestusertest16",
"ssh": {
"publicKeys": [
{
"keyData": "xxxx"
}
]
}
},
"networkProfile": {
"loadBalancerSku": "standard",
"networkMode": "",
"networkPlugin": "azure",
"networkPolicy": "",
"outboundType": "loadBalancer",
"podCidrs": [],
"serviceCidrs": []
},
"nodeResourceGroup": "",
"publicNetworkAccess": "Enabled",
"securityProfile": {
"imageCleaner": {
"enabled": false,
"intervalHours": 48
}
},
"servicePrincipalProfile": {
"clientId": "msi"
}
},
"sku": {
"name": "Base",
"tier": "Free"
},
"tags": {}
}
The error message from the activity log in the Azure Portal:
{
"operationName": {
"value": "Microsoft.Network/applicationGateways/write",
"localizedValue": "Create or Update Application Gateway"
},
"resourceGroupName": "MC_acctestRG-aks-test16_acctestakstest16_westeurope",
"resourceProviderName": {
"value": "Microsoft.Network",
"localizedValue": "Microsoft.Network"
},
"resourceType": {
"value": "Microsoft.Network/applicationGateways",
"localizedValue": "Microsoft.Network/applicationGateways"
},
"resourceId": "/subscriptions/xx-xx-xx-xx-xx/resourcegroups/MC_acctestRG-aks-test16_acctestakstest16_westeurope/providers/Microsoft.Network/applicationGateways/ingress-appgateway",
"status": {
"value": "Failed",
"localizedValue": "Failed"
},
"subStatus": {
"value": "Conflict",
"localizedValue": "Conflict (HTTP Status Code: 409)"
},
"properties": {
"statusCode": "Conflict",
"statusMessage": "{\"error\":{\"code\":\"ApplicationGatewayInsufficientPermissionOnSubnet\",\"message\":\"Client with object id xx-xx-xx-xx-xx does not have permission on the Virtual Network resource /subscriptions/xx-xx-xx-xx-xx/resourceGroups/acctestRG-aks-test16/providers/Microsoft.Network/virtualNetworks/acctestvirtnettest16/subnets/acctestsubnettest16 to perform action Microsoft.Network/virtualNetworks/subnets/join/action. For details on the required permissions, please visit https://aka.ms/agsubnetjoin.\",\"details\":[]}}"
}
}