Make the Azure Key Vault public because private Key Vault requires preview API

zioproto · zioproto · commit 5e255660cb82 · 2024-11-05T10:50:17.000+01:00
Running Microsoft Terraform module AKS end to end tests I get this new error message I have never seen before from the ARM API: https://github.com/Azure/terraform-azurerm-aks/actions/runs/11665268834/job/32477571013?pr=598#step:3:6605 HTTP 400 "Vnet integration should be enabled when KeyVault network access is Private." I believe this is the root cause: https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption#prerequisites ( See yellow warning box) However Vnet Integration is still preview as far as I know. Terraform provider azurerm V4 will not support preview features. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/4.0-upgrade-guide#aks-migration-to-stable-api
diff --git a/examples/named_cluster/key_vault.tf b/examples/named_cluster/key_vault.tf
@@ -29,7 +29,7 @@ resource "azurerm_key_vault" "des_vault" {
 
   network_acls {
     bypass         = "AzureServices"
-    default_action = "Deny"
+    default_action = "Allow"
     ip_rules       = [local.public_ip]
   }
 }
diff --git a/examples/named_cluster/main.tf b/examples/named_cluster/main.tf
@@ -97,7 +97,7 @@ module "aks_cluster_name" {
   # KMS etcd encryption
   kms_enabled                  = true
   kms_key_vault_key_id         = azurerm_key_vault_key.kms.id
-  kms_key_vault_network_access = "Private"
+  kms_key_vault_network_access = "Public"
 
   depends_on = [
     azurerm_key_vault_access_policy.kms,

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ resource "azurerm_key_vault" "des_vault" {`
`29`	`29`
`30`	`30`	`network_acls {`
`31`	`31`	`bypass = "AzureServices"`
`32`		`- default_action = "Deny"`
	`32`	`+ default_action = "Allow"`
`33`	`33`	`ip_rules = [local.public_ip]`
`34`	`34`	`}`
`35`	`35`	`}`