Reconciling azure terraform state with what is actually deployed in the sub

marosset · marosset · commit afb3b0b8a66c · 2025-08-28T14:21:52.000-07:00
Signed-off-by: Mark Rossetti &lt;marosset@microsoft.com&gt;
diff --git a/infra/azure/terraform/capz/capz-monitoring/main.tf b/infra/azure/terraform/capz/capz-monitoring/main.tf
@@ -26,13 +26,22 @@ variable "subscription_id" {
   type = string
 }
 
+locals {
+  # reproduce the previous pattern seen in state:
+  # "<first-10-of-rg>-<rg>-<first-6-of-subscription>"
+  computed_dns_prefix = format("%s-%s-%s",
+    substr(var.resource_group_name, 0, 10),
+    var.resource_group_name,
+    substr(var.subscription_id, 0, 6)
+  )
+}
+
 # Create the "capz-monitoring" resource group
 resource "azurerm_resource_group" "capz-monitoring" {
   location = var.location
   name     = var.resource_group_name
   tags = {
     DO-NOT-DELETE     = "contact capz"
-    creationTimestamp = timestamp()
   }
 }
 
@@ -50,7 +59,7 @@ resource "azurerm_role_assignment" "monitoring_reader" {
 }
 
 resource "azurerm_kubernetes_cluster" "capz-monitoring" {
-  dns_prefix            = var.resource_group_name
+  dns_prefix            = local.computed_dns_prefix
   location              = var.location
   name                  = var.resource_group_name
   resource_group_name   = var.resource_group_name
@@ -64,6 +73,8 @@ resource "azurerm_kubernetes_cluster" "capz-monitoring" {
   ]
   kubelet_identity {
     user_assigned_identity_id = azurerm_user_assigned_identity.capz_monitoring_user_identity.id
+    client_id                 = azurerm_user_assigned_identity.capz_monitoring_user_identity.client_id
+    object_id                 = azurerm_user_assigned_identity.capz_monitoring_user_identity.principal_id
   }
   identity {
     type                     = "UserAssigned"
@@ -72,8 +83,14 @@ resource "azurerm_kubernetes_cluster" "capz-monitoring" {
     ]
   }
   default_node_pool {
-    name       = "default"
+    name       = "nodepool1"
     node_count = 1
-    vm_size    = "Standard_Ds2_v2"
+    vm_size    = "Standard_DS2_v2"
+  }
+
+  lifecycle {
+    ignore_changes = [
+      "linux_profile",
+    ]
   }
 }
diff --git a/infra/azure/terraform/capz/cluster-api-gallery/main.tf b/infra/azure/terraform/capz/cluster-api-gallery/main.tf
@@ -62,6 +62,7 @@ resource "azurerm_user_assigned_identity" "pipelines_user_identity" {
   name                = "ado-pipeline-mi"
   resource_group_name = var.resource_group_name
   tags = {
+    DO-NOT-DELETE     = "UpstreamInfra"
     creationTimestamp = "2024-10-24T00:00:00Z"
   }
   depends_on = [
diff --git a/infra/azure/terraform/capz/main.tf b/infra/azure/terraform/capz/main.tf
@@ -140,8 +140,8 @@ module "role_assignments" {
 # Import Cluster API gallery module
 module "cluster_api_gallery" {
   source              = "./cluster-api-gallery"
-  resource_group_name = var.resource_group_name
-  location            = var.location
+  resource_group_name = "cluster-api-gallery"
+  location            = "northcentralus"
   depends_on          = [
     module.role_assignments
   ]
@@ -150,7 +150,7 @@ module "cluster_api_gallery" {
 # Import CAPZ monitoring module
 module "capz_monitoring" {
   source              = "./capz-monitoring"
-  resource_group_name = var.resource_group_name
+  resource_group_name = "capz-monitoring"
   location            = var.location
   subscription_id     = data.azurerm_client_config.current.subscription_id
 }
diff --git a/infra/azure/terraform/capz/role-assignments/main.tf b/infra/azure/terraform/capz/role-assignments/main.tf
@@ -37,19 +37,19 @@ data "azuread_service_principal" "az_service_principal" {
 }
 
 resource "azurerm_role_assignment" "rg_contributor" {
-  principal_id         = data.azuread_service_principal.az_service_principal.id
+  principal_id         = data.azuread_service_principal.az_service_principal.object_id
   role_definition_name = "Contributor"
   scope                = "/subscriptions/${var.subscription_id}"
 }
 
 resource "azurerm_role_assignment" "storage_blob_data_contributor" {
-  principal_id         = data.azuread_service_principal.az_service_principal.id
+  principal_id         = data.azuread_service_principal.az_service_principal.object_id
   role_definition_name = "Storage Blob Data Contributor"
   scope                = "/subscriptions/${var.subscription_id}"
 }
 
 resource "azurerm_role_assignment" "acr_pull" {
-  principal_id         = data.azuread_service_principal.az_service_principal.id
+  principal_id         = data.azuread_service_principal.az_service_principal.object_id
   role_definition_name = "AcrPull"
   scope                = var.container_registry_scope
 }
@@ -71,15 +71,15 @@ resource "azurerm_role_definition" "custom_role" {
 }
 
 resource "azurerm_role_assignment" "sp_custom_role_assignment" {
-  principal_id         = data.azuread_service_principal.az_service_principal.id
+  principal_id         = data.azuread_service_principal.az_service_principal.object_id
   role_definition_name = azurerm_role_definition.custom_role.name
   scope                = "/subscriptions/${var.subscription_id}"
 }
 
 resource "azurerm_key_vault_access_policy" "access_policy_gmsa_sp" {
   key_vault_id = var.key_vault_id
   tenant_id    = data.azuread_service_principal.az_service_principal.application_tenant_id
-  object_id    = data.azuread_service_principal.az_service_principal.id
+  object_id    = data.azuread_service_principal.az_service_principal.object_id
   secret_permissions = [
     "Get",
     "Delete",

Original file line number	Diff line number	Diff line change
`@@ -26,13 +26,22 @@ variable "subscription_id" {`
`26`	`26`	`type = string`
`27`	`27`	`}`
`28`	`28`
	`29`	`+locals {`
	`30`	`+ # reproduce the previous pattern seen in state:`
	`31`	`+ # "<first-10-of-rg>-<rg>-<first-6-of-subscription>"`
	`32`	`+ computed_dns_prefix = format("%s-%s-%s",`
	`33`	`+ substr(var.resource_group_name, 0, 10),`
	`34`	`+ var.resource_group_name,`
	`35`	`+ substr(var.subscription_id, 0, 6)`
	`36`	`+ )`
	`37`	`+}`
	`38`	`+`
`29`	`39`	`# Create the "capz-monitoring" resource group`
`30`	`40`	`resource "azurerm_resource_group" "capz-monitoring" {`
`31`	`41`	`location = var.location`
`32`	`42`	`name = var.resource_group_name`
`33`	`43`	`tags = {`
`34`	`44`	`DO-NOT-DELETE = "contact capz"`
`35`		`- creationTimestamp = timestamp()`
`36`	`45`	`}`
`37`	`46`	`}`
`38`	`47`
`@@ -50,7 +59,7 @@ resource "azurerm_role_assignment" "monitoring_reader" {`
`50`	`59`	`}`
`51`	`60`
`52`	`61`	`resource "azurerm_kubernetes_cluster" "capz-monitoring" {`
`53`		`- dns_prefix = var.resource_group_name`
	`62`	`+ dns_prefix = local.computed_dns_prefix`
`54`	`63`	`location = var.location`
`55`	`64`	`name = var.resource_group_name`
`56`	`65`	`resource_group_name = var.resource_group_name`
`@@ -64,6 +73,8 @@ resource "azurerm_kubernetes_cluster" "capz-monitoring" {`
`64`	`73`	`]`
`65`	`74`	`kubelet_identity {`
`66`	`75`	`user_assigned_identity_id = azurerm_user_assigned_identity.capz_monitoring_user_identity.id`
	`76`	`+ client_id = azurerm_user_assigned_identity.capz_monitoring_user_identity.client_id`
	`77`	`+ object_id = azurerm_user_assigned_identity.capz_monitoring_user_identity.principal_id`
`67`	`78`	`}`
`68`	`79`	`identity {`
`69`	`80`	`type = "UserAssigned"`
`@@ -72,8 +83,14 @@ resource "azurerm_kubernetes_cluster" "capz-monitoring" {`
`72`	`83`	`]`
`73`	`84`	`}`
`74`	`85`	`default_node_pool {`
`75`		`- name = "default"`
	`86`	`+ name = "nodepool1"`
`76`	`87`	`node_count = 1`
`77`		`- vm_size = "Standard_Ds2_v2"`
	`88`	`+ vm_size = "Standard_DS2_v2"`
	`89`	`+ }`
	`90`	`+`
	`91`	`+ lifecycle {`
	`92`	`+ ignore_changes = [`
	`93`	`+ "linux_profile",`
	`94`	`+ ]`
`78`	`95`	`}`
`79`	`96`	`}`
Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,7 @@ resource "azurerm_user_assigned_identity" "pipelines_user_identity" {`
`62`	`62`	`name = "ado-pipeline-mi"`
`63`	`63`	`resource_group_name = var.resource_group_name`
`64`	`64`	`tags = {`
	`65`	`+ DO-NOT-DELETE = "UpstreamInfra"`
`65`	`66`	`creationTimestamp = "2024-10-24T00:00:00Z"`
`66`	`67`	`}`
`67`	`68`	`depends_on = [`