
Support for data Source: azurerm_kubernetes_cluster without cluster user #21708

Closed

Comments

@damienpontifex
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Wanting to use the data source `azurerm_kubernetes_cluster` to look up ARM-related properties without getting kube credentials.
Today, my service principal has Reader scope on the group with a Kubernetes cluster in it, but gets:

managedclusters.ManagedClustersClient#GetAccessProfile: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '' with object id '' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action' over scope '/subscriptions//resourceGroups//providers/Microsoft.ContainerService/managedClusters//accessProfiles/clusterUser' or the scope is invalid. If access was recently granted, please refresh your credentials."

If the account doesn't have cluster user permissions, but has read permissions to the resource, it should still retrieve the ARM properties without needing kube credentials to perform Kubernetes-based provider actions.

New or Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster (data source)

Potential Terraform Configuration

data "azurerm_kubernetes_cluster" "example" {
  name                = "myakscluster"
  resource_group_name = "my-example-resource-group"
  exclude_kube_log    = true  # default false to retain current behaviour
}

References

Location where cluster credentials are retrieved after the ARM lookup:

id := managedclusters.NewManagedClusterID(subscriptionId, d.Get("resource_group_name").(string), d.Get("name").(string))
resp, err := client.Get(ctx, id)
if err != nil {
	if response.WasNotFound(resp.HttpResponse) {
		return fmt.Errorf("%s was not found", id)
	}
	return fmt.Errorf("retrieving %s: %+v", id, err)
}
userCredentialsResp, err := client.ListClusterUserCredentials(ctx, id, managedclusters.ListClusterUserCredentialsOperationOptions{})
// only raise the error if it's not a limited permissions error, since this is the Data Source
if err != nil && !response.WasStatusCode(userCredentialsResp.HttpResponse, http.StatusForbidden) {
	return fmt.Errorf("retrieving User Credentials for %s: %+v", id, err)
}
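The permission-tolerant read the issue asks for, written out as an added Go example (this is not the provider's code and does not use the Azure SDK). The `clusterClient` interface, `fakeClient`, and every response value are constructed stand-ins for `managedclusters.ManagedClustersClient` so the logic runs offline; what it shows is the least-privilege split between the two ARM actions: a failure on `managedClusters/read` is fatal (with 404 reported distinctly), while a 403 on `accessProfiles/listCredential/action` leaves the kubeconfig empty and still returns the ARM properties, so a Reader-only principal never needs the Cluster User role just to read cluster metadata.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// clusterClient is a hypothetical stand-in for the SDK's ManagedClustersClient
// (added example, not the provider's code). Each call reports the HTTP status
// next to its payload so callers can tell a 404 from a 403.
type clusterClient interface {
	Get(name string) (props map[string]string, status int, err error)
	ListClusterUserCredentials(name string) (kubeconfig string, status int, err error)
}

// clusterLookup is what a permission-tolerant data source would expose:
// ARM properties always, kubeconfig only when listCredential was permitted.
type clusterLookup struct {
	Properties map[string]string
	KubeConfig string // empty when the credentials call returned 403
}

// readCluster applies the tolerant read pattern: any error on the ARM Get is
// fatal (404 reported distinctly), while a 403 on the credentials call means
// "this principal is Reader-only" and is not an error for a data source.
func readCluster(c clusterClient, name string) (*clusterLookup, error) {
	props, status, err := c.Get(name)
	if err != nil {
		if status == http.StatusNotFound {
			return nil, fmt.Errorf("cluster %q was not found", name)
		}
		return nil, fmt.Errorf("retrieving cluster %q: %w", name, err)
	}
	out := &clusterLookup{Properties: props}

	kube, status, err := c.ListClusterUserCredentials(name)
	if err != nil {
		if status == http.StatusForbidden {
			// Reader without the Cluster User role: keep ARM data, no kubeconfig.
			return out, nil
		}
		return nil, fmt.Errorf("retrieving user credentials for cluster %q: %w", name, err)
	}
	out.KubeConfig = kube
	return out, nil
}

// fakeClient simulates the responses a principal gets under different role
// assignments; all values are constructed for this example.
type fakeClient struct {
	canRead      bool
	canListCreds bool
}

func (f fakeClient) Get(name string) (map[string]string, int, error) {
	if !f.canRead {
		return nil, http.StatusForbidden, errors.New("AuthorizationFailed on managedClusters/read")
	}
	return map[string]string{
		"fqdn":              name + ".hcp.example.invalid",
		"kubernetesVersion": "1.26",
	}, http.StatusOK, nil
}

func (f fakeClient) ListClusterUserCredentials(name string) (string, int, error) {
	if !f.canListCreds {
		return "", http.StatusForbidden, errors.New("AuthorizationFailed on accessProfiles/listCredential/action")
	}
	return "apiVersion: v1\nkind: Config\n", http.StatusOK, nil
}

func main() {
	cases := []struct {
		label  string
		client fakeClient
	}{
		{"Reader only", fakeClient{canRead: true}},
		{"Reader + Cluster User", fakeClient{canRead: true, canListCreds: true}},
		{"no role on the cluster", fakeClient{}},
	}
	for _, tc := range cases {
		res, err := readCluster(tc.client, "myakscluster")
		if err != nil {
			fmt.Printf("%-24s error: %v\n", tc.label, err)
			continue
		}
		fmt.Printf("%-24s fqdn=%s kubeconfig-present=%t\n", tc.label, res.Properties["fqdn"], res.KubeConfig != "")
	}
}
```

The design point is that only the credentials call is tolerant: swallowing a 403 on the initial Get would silently return an empty lookup for a principal that cannot see the cluster at all, which is exactly the kind of failure a data source should surface rather than hide.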

@damienpontifex
Contributor Author

damienpontifex commented Jun 7, 2023

Actually, I believe this is a duplicate of / resolved by #21229.

Just had to update the provider to > 3.51 to get that change.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 25, 2024