From fd2a715f3bf4eb3858b368a04a6fba386d3d3166 Mon Sep 17 00:00:00 2001
From: Hernan Dominguez
Date: Thu, 15 May 2025 01:32:11 +0200
Subject: [PATCH 1/2] Fixes AKS pvc attachment issues

---
 terraform/cluster/azure-aks/main.tf | 36 +++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/terraform/cluster/azure-aks/main.tf b/terraform/cluster/azure-aks/main.tf
index 06fc9a81..0bde4a19 100644
--- a/terraform/cluster/azure-aks/main.tf
+++ b/terraform/cluster/azure-aks/main.tf
@@ -268,6 +268,12 @@ resource "azurerm_kubernetes_cluster" "main" {
 )
 }
 
+ kubelet_identity {
+ client_id = azurerm_user_assigned_identity.cluster.client_id
+ object_id = azurerm_user_assigned_identity.cluster.principal_id
+ user_assigned_identity_id = azurerm_user_assigned_identity.cluster.id
+ }
+
 lifecycle {
 ignore_changes = [
 default_node_pool[0].upgrade_settings,
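Review bot: The kubelet_identity block binds the node identity to `azurerm_user_assigned_identity.cluster`, which the role assignments in the following hunk treat as the control-plane identity as well (it is granted Managed Identity Operator on itself), so every right given to the cluster identity — Virtual Machine Contributor and Network Contributor on the resource group, key-vault crypto access — is also held by the credential that workloads on the nodes can reach through the instance metadata endpoint unless that path is restricted. A dedicated, least-privilege identity for the kubelet would keep node-level exposure separate from control-plane permissions; if sharing is intentional, say so in a comment such as `# kubelet and control plane deliberately share this identity; keep its RBAC scope minimal`. Nothing orders `azurerm_kubernetes_cluster.main` after the Managed Identity Operator assignment, so a fresh apply can try to create the cluster before that assignment exists; a `depends_on = [azurerm_role_assignment.control_plane_managed_identity_operator_on_kubelet]` on the cluster resource avoids that race. The `azurerm_kubernetes_cluster.main` resource starts and ends outside this hunk.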
@@ -304,3 +310,33 @@ resource "local_file" "kube_config" {
 content = azurerm_kubernetes_cluster.main.kube_config_raw
 filename = local.kubeconfig_path
 }
+
+resource "azurerm_role_assignment" "aks_vmss_contributor" {
+ scope = azurerm_resource_group.aks.id
+ role_definition_name = "Virtual Machine Contributor"
+ principal_id = azurerm_user_assigned_identity.cluster.principal_id
+}
+
+resource "azurerm_role_assignment" "azurerm_disk_encryption_set_key_vault_access" {
+ scope = azurerm_key_vault.key_vault.id
+ role_definition_name = "Key Vault Crypto Service Encryption User"
+ principal_id = azurerm_user_assigned_identity.cluster.principal_id
+}
+
+resource "azurerm_role_assignment" "aks_network_contributor" {
+ scope = azurerm_resource_group.aks.id
+ role_definition_name = "Network Contributor"
+ principal_id = azurerm_user_assigned_identity.cluster.principal_id
+}
+
+resource "azurerm_role_assignment" "des_reader" {
+ scope = azurerm_disk_encryption_set.main.id
+ role_definition_name = "Reader"
+ principal_id = azurerm_user_assigned_identity.cluster.principal_id
+}
+
+resource "azurerm_role_assignment" "control_plane_managed_identity_operator_on_kubelet" {
+ scope = azurerm_user_assigned_identity.cluster.id
+ role_definition_name = "Managed Identity Operator"
+ principal_id = azurerm_user_assigned_identity.cluster.principal_id
+}

From bac6b5f9c33e199788d6a48129d02186b246530e Mon Sep 17 00:00:00 2001
From: Hernan Dominguez
Date: Thu, 15 May 2025 09:59:26 +0200
Subject: [PATCH 2/2] Fixes docs

---
 docs/terraform/cluster/azure-aks.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs/terraform/cluster/azure-aks.md b/docs/terraform/cluster/azure-aks.md
index 715b1a45..4f8db885 100644
--- a/docs/terraform/cluster/azure-aks.md
+++ b/docs/terraform/cluster/azure-aks.md
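Review bot: `aks_vmss_contributor` and `aks_network_contributor` are scoped to all of `azurerm_resource_group.aks`, which is wider than disk attachment needs; attach operations act on the node VMSS, so the node resource group or the scale set is the tighter scope, and if that resource group also contains the key vault, disk encryption set or log analytics workspace named in the docs hunk, those resources inherit Virtual Machine Contributor and Network Contributor from the cluster identity. `azurerm_disk_encryption_set_key_vault_access` grants `Key Vault Crypto Service Encryption User` on the vault to the cluster identity; that data-plane role is only honored when the vault uses the RBAC permission model rather than access policies, and the wrap/unwrap grant for customer-managed keys normally belongs to the disk encryption set's own identity, so confirm this identity is the one the DES actually uses. `control_plane_managed_identity_operator_on_kubelet` grants the identity Managed Identity Operator on itself, which only reads as intended if control plane and kubelet share one identity; a comment such as `# control plane and kubelet share this identity; the self-assignment satisfies the AKS kubelet-identity precheck` would make that explicit.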
@@ -31,6 +31,11 @@ No modules.
 | [azurerm_kubernetes_cluster_node_pool.autoscaled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster_node_pool) | resource |
 | [azurerm_log_analytics_workspace.aks_logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource |
 | [azurerm_resource_group.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_role_assignment.aks_network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.aks_vmss_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.azurerm_disk_encryption_set_key_vault_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.control_plane_managed_identity_operator_on_kubelet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.des_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_user_assigned_identity.cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
 | [local_file.kube_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [random_string.key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |