diff --git a/README.md b/README.md
index 051d05f4..a95dee3a 100644
--- a/README.md
+++ b/README.md
@@ -265,6 +265,7 @@ No modules.
| [azurerm_log_analytics_solution.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution) | resource |
| [azurerm_log_analytics_workspace.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource |
| [azurerm_role_assignment.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [tls_private_key.ssh](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
@@ -314,6 +315,7 @@ No modules.
| [client\_secret](#input\_client\_secret) | (Optional) The Client Secret (password) for the Service Principal used for the AKS deployment | `string` | `""` | no |
| [cluster\_log\_analytics\_workspace\_name](#input\_cluster\_log\_analytics\_workspace\_name) | (Optional) The name of the Analytics workspace | `string` | `null` | no |
| [cluster\_name](#input\_cluster\_name) | (Optional) The name for the AKS resources created in the specified Azure Resource Group. This variable overwrites the 'prefix' var (The 'prefix' var will still be applied to the dns\_prefix if it is set) | `string` | `null` | no |
+| [create\_role\_assignment\_network\_contributor](#input\_create\_role\_assignment\_network\_contributor) | Create a role assignment for the AKS Service Principal to be a Network Contributor on the subnets used for the AKS Cluster | `bool` | `false` | no |
| [disk\_encryption\_set\_id](#input\_disk\_encryption\_set\_id) | (Optional) The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information [can be found in the documentation](https://docs.microsoft.com/azure/aks/azure-disk-customer-managed-keys). Changing this forces a new resource to be created. | `string` | `null` | no |
| [enable\_auto\_scaling](#input\_enable\_auto\_scaling) | Enable node pool autoscaling | `bool` | `false` | no |
| [enable\_host\_encryption](#input\_enable\_host\_encryption) | Enable Host Encryption for default node pool. Encryption at host feature must be enabled on the subscription: https://docs.microsoft.com/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli | `bool` | `false` | no |
diff --git a/locals.tf b/locals.tf
index 6d8fb2ad..c3b154cb 100644
--- a/locals.tf
+++ b/locals.tf
@@ -29,4 +29,12 @@ locals {
name = var.log_analytics_workspace.name
}
) : null # Finally, the Log Analytics Workspace should be disabled.
+
+ subnet_ids = toset(flatten(concat([
+ for pool in var.node_pools : [
+ pool.vnet_subnet_id,
+ pool.pod_subnet_id
+ ]
+ ], [var.vnet_subnet_id])))
}
+
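Review bot: The new `subnet_ids` set will contain `null` whenever a pool leaves `pod_subnet_id` (or `vnet_subnet_id`) unset, or `var.vnet_subnet_id` is null, and a `for_each` over a set holding a null is rejected by Terraform at plan time, so the feature in main.tf would fail for exactly the common case of a pool without a dedicated pod subnet. Dropping the nulls before building the set avoids that, e.g. `subnet_ids = toset(compact(flatten(concat([...], [var.vnet_subnet_id]))))` (or a `[for id in ... : id if id != null]` filter if you prefer not to depend on `compact` removing nulls). It would also help to comment the local with the reason the ids are collected, e.g. `# Every subnet any node pool (system or additional) is placed in; used to scope the Network Contributor assignment.`. The enclosing `locals` block starts before this hunk.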
diff --git a/main.tf b/main.tf
index 8508d41d..4a20c4c7 100644
--- a/main.tf
+++ b/main.tf
@@ -558,3 +558,18 @@ resource "azurerm_role_assignment" "acr" {
role_definition_name = "AcrPull"
skip_service_principal_aad_check = true
}
+
+# The AKS cluster identity has the Contributor role on the AKS second resource group (MC_myResourceGroup_myAKSCluster_eastus)
+# However when using a custom VNET, the AKS cluster identity needs the Network Contributor role on the VNET subnets
+# used by the system node pool and by any additional node pools.
+# https://learn.microsoft.com/en-us/azure/aks/configure-kubenet#prerequisites
+# https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni#prerequisites
+# https://github.com/Azure/terraform-azurerm-aks/issues/178
+
+resource "azurerm_role_assignment" "network_contributor" {
+ for_each = var.create_role_assignment_network_contributor ? local.subnet_ids : []
+
+ principal_id = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id
+ scope = each.value
+ role_definition_name = "Network Contributor"
+}
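Review bot: The principal that receives Network Contributor on the subnets is `kubelet_identity[0].object_id`, but the comment above the resource, the variable description in variables.tf and the README row all say the cluster identity / service principal; these are different principals on AKS, and the linked prerequisites concern the identity the control plane uses for the cluster (`identity`/`service_principal`), not the kubelet (node) identity, so as written this may grant subnet write access to an identity that does not need it while leaving the one that does without it. Please either switch the principal (for managed-identity clusters `principal_id = azurerm_kubernetes_cluster.main.identity[0].principal_id`, with the service-principal case handled separately since that block is absent there) or, if the kubelet identity is intentional, correct the comment and the two descriptions so reviewers know which identity is being granted a subnet-wide role. Separately, the false branch of the `for_each` conditional is a plain `[]` while the true branch is a set; `toset([])` keeps both branches the same type and avoids a plan-time type error. Note too that this resource indexes `kubelet_identity[0]` unconditionally, which is worth confirming is always populated for the cluster configurations this module supports.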
diff --git a/variables.tf b/variables.tf
index 6e663317..28c97a0c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -374,6 +374,13 @@ variable "cluster_name" {
default = null
}
+variable "create_role_assignment_network_contributor" {
+ type = bool
+ description = "Create a role assignment for the AKS Service Principal to be a Network Contributor on the subnets used for the AKS Cluster"
+ nullable = false
+ default = false
+}
+
variable "disk_encryption_set_id" {
type = string
description = "(Optional) The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information [can be found in the documentation](https://docs.microsoft.com/azure/aks/azure-disk-customer-managed-keys). Changing this forces a new resource to be created."