
I'm trying to create an AKS cluster that uses a static, pre-allocated public IP, using Terraform.

The relevant parts of the configuration:

# Pre-allocated static public IP that the AKS cluster below uses as its
# outbound (egress) address through the load balancer profile.
# The SKU is kept in step with the cluster's load_balancer_sku ("Standard").
#
# NOTE(review): this IP lives in *this* resource group, not in the AKS-managed
# node resource group. AKS only grants its cluster identity rights inside the
# node resource group, so whichever identity the cluster runs as must be given
# "Microsoft.Network/publicIPAddresses/join/action" on this resource (for
# example the built-in Network Contributor role scoped to the IP or to this
# resource group). Without it, every LoadBalancer Service the cloud controller
# reconciles fails with LinkedAuthorizationFailed when it touches the
# "kubernetes" load balancer that links this IP.
resource "azurerm_public_ip" "public_ip" {
  name                = "${local.resource_name_prefix}-PublicIp1"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  sku               = "Standard"
  allocation_method = "Static"

  tags = local.common_tags
}

# AKS cluster placed in a caller-managed subnet, with the static public IP
# above attached as the Standard load balancer's outbound address.
resource "azurerm_kubernetes_cluster" "aks" {
  name                = "${local.resource_name_prefix}-aks"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  # System node pool in the pre-defined application subnet.
  default_node_pool {
    name           = "system"
    vm_size        = "Standard_DS2_v2"
    vnet_subnet_id = azurerm_subnet.app_subnet.id

    upgrade_settings {
      # Surge budget during node upgrades; note the attribute is a string.
      max_surge = "30"
    }
  }

  # kubenet + bring-your-own subnet + bring-your-own outbound IP.
  # NOTE(review): kubenet attaches a route table to the subnet, so the cluster
  # identity typically needs Network Contributor on the subnet as well as
  # join rights on the public IP referenced below — confirm both assignments
  # exist before expecting LoadBalancer Services (e.g. istio-ingressgateway)
  # to reconcile.
  network_profile {
    network_plugin    = "kubenet"
    load_balancer_sku = "Standard"

    load_balancer_profile {
      outbound_ip_address_ids = [azurerm_public_ip.public_ip.id]
    }
  }

  # Kubernetes RBAC on. NOTE(review): this block form is the pre-3.0 azurerm
  # syntax (3.x uses role_based_access_control_enabled = true) — check against
  # the pinned provider version. Nothing in this block restricts API-server
  # access (no authorized IP ranges / private cluster); consider adding that
  # for a production cluster.
  role_based_access_control {
    enabled = true
  }

  # The cluster runs as this service principal; it is the identity whose
  # object id appears in LinkedAuthorizationFailed errors, and the one that
  # must be granted join on the public IP.
  # NOTE(review): client_secret is written to Terraform state in clear text —
  # mark var.password as sensitive and protect the state backend, or prefer
  # identity { type = "SystemAssigned" } to avoid handling a secret at all
  # (the role assignment above would then target the managed identity).
  service_principal {
    client_id     = var.appId
    client_secret = var.password
  }
}

The virtual network and subnets are also pre-defined (created outside this cluster resource).

Now, when installing Istio with `istioctl install`, creation of the `istio-ingressgateway` LoadBalancer Service fails with:

{
  "error": {
    "code": "LinkedAuthorizationFailed",
    "message": "The client 'xxxxx' with object id 'xxxx' has permission to perform action 'Microsoft.Network/loadBalancers/write' on scope '/subscriptions/xxxx/resourceGroups/xxx_rg/providers/Microsoft.Network/loadBalancers/kubernetes'; however, it does not have permission to perform action 'Microsoft.Network/publicIPAddresses/join/action' on the linked scope(s) '/subscriptions/xxx/resourceGroups/xxx-rg/providers/Microsoft.Network/publicIPAddresses/xxx-PublicIp1' or the linked scope(s) are invalid."
  }
}
