This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 42%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHP%3C/text%3E%3C/svg%3E)
Is it possible to make ARM template deployment for "Microsoft.ContainerService/managedClusters" to be entirely idempotent when azureKeyvaultSecretsProvider and/or azurepolicy addonProfiles are being enabled?
If I run template once, it works perfectly well. If I run that second time, I need to wait 10 minutes to get response even there is zero need to change anything. I know when azureKeyvaultSecretsProvider or azurepolicy are enabled, it will create automatically managed identity and assigns it for the VMSS. Can't be prevented. Because of that it isn't possible to assign into addonProfile identity block, just read its output. That would be fine, if it wouldn't change cluster into updating mode when redeploying the same template and no further changes can be made during that.
Few screenshots to illustrate how Activity Log is showing when deployment starts and its outcome (hidden changes are just cluster/nodepool state changes). It does remove identity from keyvault secrets provider and then exactly the same comes back.
Currently running deployments for this from Crossplane with ResourceGroupTemplateDeployment (resources.azure.upbound.io/v1beta1) resource, which is using TF SDK and AzureRM's azurerm_resource_group_template_deployment resource in the background. But exactly the same behavior can be experienced with raw ARM template only.
Any suggestions how to resolve this would be highly appreciated.
Actual ARM template with masked GUIDs:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"outputs": {
"clusterFqdn": {
"type": "string",
"value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', 'aks-hpixpspoke01-aks')).fqdn]"
},
"id": {
"type": "string",
"value": "[resourceId('Microsoft.ContainerService/managedClusters', 'aks-hpixpspoke01-aks')]"
},
"oidcIssuerUrl": {
"type": "string",
"value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', 'aks-hpixpspoke01-aks')).oidcIssuerProfile.issuerUrl]"
}
},
"parameters": {},
"resources": [
{
"apiVersion": "2024-06-02-preview",
"identity": {
"UserAssignedIdentities": {
"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hpixpspoke01-aks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-aks-hpixpspoke01-aks-ctrlplane": {}
},
"type": "UserAssigned"
},
"location": "westeurope",
"name": "aks-hpixpspoke01-aks",
"properties": {
"aadProfile": {
"adminGroupObjectIDs": [
"00000000-0000-0000-0000-000000000000"
],
"enableAzureRbac": true,
"managed": true,
"tenantID": "00000000-0000-0000-0000-000000000000"
},
"addonProfiles": {
"azureKeyvaultSecretsProvider": {
"config": {
"enableSecretRotation": "true",
"rotationPollInterval": "2m"
},
"enabled": true
},
"azurepolicy": {
"enabled": false
}
},
"agentPoolProfiles": [
{
"availabilityZones": [
"1",
"2",
"3"
],
"count": 1,
"enableAutoScaling": true,
"enableFIPS": false,
"enableNodePublicIP": false,
"kubeletDiskType": "OS",
"maxCount": 2,
"maxPods": 110,
"minCount": 1,
"mode": "System",
"name": "nodepool1",
"osDiskSizeGB": 0,
"osDiskType": "Managed",
"osSKU": "AzureLinux",
"osType": "Linux",
"type": "VirtualMachineScaleSets",
"vmSize": "Standard_D2as_v4",
"vnetSubnetID": "[resourceId('rg-hpixpspoke01-default', 'Microsoft.Network/virtualNetworks/subnets', 'vnet-hpixpspoke01', 'aks-system')]"
}
],
"autoScalerProfile": {
"balance-similar-node-groups": "false",
"daemonset-eviction-for-occupied-nodes": true,
"max-node-provision-time": "15m",
"scale-down-delay-after-add": "10m",
"skip-nodes-with-local-storage": "false"
},
"autoUpgradeProfile": {
"nodeOSUpgradeChannel": "NodeImage",
"upgradeChannel": "patch"
},
"disableLocalAccounts": true,
"dnsPrefix": "hpixpspoke01-aks",
"enableRBAC": true,
"identityProfile": {
"kubeletidentity": {
"clientId": "00000000-0000-0000-0000-000000000000",
"objectId": "00000000-0000-0000-0000-000000000000",
"resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hpixpspoke01-aks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-aks-hpixpspoke01-aks-kubelet"
}
},
"kubernetesVersion": "1.30",
"networkProfile": {
"dnsServiceIP": "10.222.0.10",
"ipFamilies": [
"IPv4"
],
"kubeProxyConfig": {
"enabled": false,
"ipvsConfig": {
"scheduler": "LeastConnection",
"tcpFinTimeoutSeconds": 120,
"tcpTimeoutSeconds": 900,
"udpTimeoutSeconds": 300
},
"mode": "IPVS"
},
"loadBalancerSku": "standard",
"networkPlugin": "none",
"networkPolicy": "none",
"outboundType": "loadBalancer",
"podCidr": "10.223.0.0/16",
"podCidrs": [
"10.223.0.0/16"
],
"serviceCidr": "10.222.0.0/24",
"serviceCidrs": [
"10.222.0.0/24"
]
},
"oidcIssuerProfile": {
"enabled": true
},
"publicNetworkAccess": "Enabled",
"securityProfile": {
"workloadIdentity": {
"enabled": true
}
},
"servicePrincipalProfile": {
"clientId": "msi"
},
"storageProfile": {
"diskCSIDriver": {
"enabled": true
},
"fileCSIDriver": {
"enabled": true
},
"snapshotController": {
"enabled": true
}
},
"supportPlan": "KubernetesOfficial",
"upgradeSettings": {
"overrideSettings": {}
}
},
"sku": {
"name": "Base",
"tier": "Standard"
},
"type": "Microsoft.ContainerService/managedClusters"
}
],
"variables": {}
}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 35%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi Hannu Piki,
Welcome to the Microsoft Q&A Platform. Thank you for posting your query here. We are looking into it and will get back to you soon.
Thank you.
Hi Hannu Piki,
Based upon your query When deploying "Microsoft.ContainerService/managedClusters" with the azureKeyvaultSecretsProvider and/or azurepolicy addonProfiles enabled, achieving idempotency can be difficult. The creation of a managed identity and its assignment to the VMSS may cause the cluster to enter an updating state, which prevents further modifications during that time.
The removal and re-creation of the identity by the Key Vault secrets provider can also result in unnecessary updates. The issue arises when you redeploy the same template even if no changes have been made, the cluster still enters an updating state. This occurs because the managed identity creation and its assignment to the VMSS are triggered again, even if they already exist.
This behavior may be due to the fact that managed identity creation and assignment are not idempotent. When you redeploy the template, Azure attempts to recreate the managed identity and reassign it to the VMSS, initiating the update process.
A potential workaround is to use a separate deployment for creating and assigning the managed identity. This allows you to manage the identity lifecycle independently of the cluster deployment. For the Key Vault secrets provider, consider using a conditional deployment, where the provider is only deployed if it does not already exist.
If the information is helpful, please consider by clicking the "Upvote" on the post.
Thank you
Thank you for the reply @Srinud
I would gladly create everything with managed identities I do assign myself, but I fail to find documentation how to do that with Key Vault and Azure Policy profiles. Even documentation is saying "It's not supported to prevent creation of the identity" in here: https://zcusa.951200.xyz/en-us/azure/aks/csi-secrets-store-driver.
Hi Hannu Piki,
Thank you for providing the update on this progress.
Please refer the below link it might be helpful to you.
https://zcusa.951200.xyz/en-us/azure/governance/policy/concepts/policy-for-kubernetes
If the information is helpful, please consider by clicking the "Upvote" on the post.
Hi Hannu Piki,
Hope you are doing well.
Just checking to see if you had a chance to see my response to your question. If you have any further queries, do let us know.
If the information is helpful, please consider by clicking the "Upvote" on the post.
Thank you.
None of these did resolve the issue as identity is being automatically being created anyway. I was able to make Terraform in the end recognize with resource_group_template_deployment the changes by changing output types from string to String (due to one bug), so now instead of 10 minutes it takes seconds to figure out the actual state.
Hi Hannu Piki,
Thanks for the update.
I hope your issue is resolved with terraform. Please let us know if you have any quires.