start managing azure infra with terraform#8974

Open
upodroid wants to merge 1 commit into
kubernetes:mainfrom
upodroid:az-terraform

Conversation

@upodroid (Member)

This PR introduces a few changes:

  1. Adds a new Terraform layer called root that handles Entra ID and privileged resources such as subscriptions and management groups.
  2. Allows Atlantis to access Azure via WI.
  3. All prow CI runs in the same sub where our build cluster runs. This PR creates the scaffolding to move CI to its own subscription and allows it to run directly from our build cluster.

@k8s-ci-robot k8s-ci-robot added area/infra Infrastructure management, infrastructure design, code in infra/ area/infra/azure Issues or PRs related to Kubernetes Azure infrastructure area/prow Setting up or working with prow in general, prow.k8s.io, prow build clusters sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. labels Jan 20, 2026
@k8s-ci-robot k8s-ci-robot requested review from aojea and jbpratt January 20, 2026 21:04
@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: upodroid

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Jan 20, 2026
@k8s-infra-ci-robot (Contributor) commented Jan 20, 2026

Argo CD Diff Preview

Summary:

Total: 2 files changed

Modified (2):
± aks-prow-build (+16)
± atlantis (+21)
aks-prow-build (kubernetes/apps/prow.yaml)
@@ Application modified: aks-prow-build (kubernetes/apps/prow.yaml) @@
       }
     }
 kind: ConfigMap
 metadata:
   name: google-adc
   namespace: test-pods
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    azure.workload.identity/client-id: 333bb18b-207b-4abd-9ed0-e7e3834378b1
+  name: azure
+  namespace: test-pods
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    azure.workload.identity/client-id: f23f8fcc-855b-40fd-a41b-b329ccdb95a1
+  name: rg-cleanup
+  namespace: test-pods
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/boskos/pull/105
   name: dynamicresourcelifecycles.boskos.k8s.io
 spec:
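
Review bot: the two new ServiceAccounts (`azure` and `rg-cleanup` in `test-pods`) carry only an `azure.workload.identity/client-id` annotation, so nothing in this hunk records what each identity may do or which Azure-side federated credential trusts it. Add a short comment or README entry mapping each client-id to its Entra application and role assignments, and confirm the federated credential is pinned to exactly these namespace/ServiceAccount pairs, since any workload in `test-pods` that selects one of these ServiceAccounts obtains that identity. `rg-cleanup` in particular reads like a deletion identity and should be scoped to the CI subscription the PR description introduces rather than anything broader.
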
atlantis (kubernetes/apps/atlantis.yaml)
@@ Application modified: atlantis (kubernetes/apps/atlantis.yaml) @@
       - env:
         - name: AWS_ROLE_ARN
           value: arn:aws:iam::348685125169:role/atlantis
         - name: AWS_WEB_IDENTITY_TOKEN_FILE
           value: /var/run/secrets/aws-iam-token/serviceaccount/token
         - name: AWS_REGION
           value: us-east-2
+        - name: ARM_USE_AKS_WORKLOAD_IDENTITY
+          value: "true"
+        - name: ARM_SUBSCRIPTION_ID
+          value: 46678f10-4bbb-447e-98e8-d2829589f2d8
+        - name: AZURE_CLIENT_ID
+          value: 6fe87cee-6470-45d8-accc-57687193e504
+        - name: AZURE_FEDERATED_TOKEN_FILE
+          value: /var/run/secrets/azure-token/serviceaccount/token
+        - name: AZURE_TENANT_ID
+          value: d1aa7522-0959-442e-80ee-8c4f7fb4c184
         - name: ATLANTIS_CONFIG
           value: /config/atlantis.yaml
         - name: ATLANTIS_GH_TOKEN
           valueFrom:
             secretKeyRef:
               key: token
               name: atlantis-vcs
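
Review bot: these five variables configure the azurerm side of Atlantis for workload identity, but the plan output later in this thread fails with `unable to build authorizer: no Authorizer could be configured` for `provider "azuread"` at providers.tf line 59, so the azuread provider is not picking up the same credentials. Check that the azuread provider block in the root layer does not hard-code a different authentication method and that the pinned azuread provider version supports AKS workload identity; otherwise the root layer cannot plan at all. The subscription, client and tenant IDs here are non-secret identifiers, so exposing them as plain env values is fine; only the projected token file is sensitive.
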
@@ skipped 32 lines (41 -> 72) @@
             memory: 1Gi
         volumeMounts:
         - mountPath: /config
           name: config
         - mountPath: /var/run/secrets/aws-iam-token/serviceaccount
           name: aws-iam-token
           readOnly: true
+        - mountPath: /var/run/secrets/azure-token/serviceaccount
+          name: azure-token
+          readOnly: true
         - mountPath: /atlantis
           name: atlantis-data
       securityContext:
         fsGroup: 1000
       serviceAccountName: atlantis
       volumes:
       - configMap:
           name: atlantis-config-4mc949mdm2
         name: config
       - name: aws-iam-token
         projected:
           defaultMode: 420
           sources:
           - serviceAccountToken:
               audience: sts.amazonaws.com
+              expirationSeconds: 86400
+              path: token
+      - name: azure-token
+        projected:
+          defaultMode: 420
+          sources:
+          - serviceAccountToken:
+              audience: api://AzureADTokenExchange
               expirationSeconds: 86400
               path: token
   updateStrategy:
     rollingUpdate:
       partition: 0
     type: RollingUpdate
   volumeClaimTemplates:
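
Review bot: the new `azure-token` projected volume requests `expirationSeconds: 86400`, a 24-hour token, but the token is only presented at exchange time against the `api://AzureADTokenExchange` audience and the kubelet refreshes projected tokens on its own. A shorter lifetime shortens how long a copied token stays exchangeable, so consider lowering it (the same applies to the `aws-iam-token` source this hunk touches, which uses the same value). The read-only mount is right. Note the `expirationSeconds`/`path` lines shown as additions under `aws-iam-token` are a diff-alignment artifact of the new block; both sources end up with the same two fields.
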

Stats:
[Applications: 74], [Full Run: 1m34s], [Rendering: 1m29s], [Cluster: 0s], [Argo CD: 1s]

@upodroid (Member, Author)

atlantis plan

@upodroid (Member, Author)

atlantis plan

@upodroid (Member, Author)

atlantis plan

@upodroid upodroid removed the request for review from aojea January 20, 2026 22:15
@upodroid (Member, Author)

atlantis plan

@upodroid (Member, Author)

atlantis plan

@k8s-infra-ci-robot (Contributor)

Ran Plan for dir: infra/azure/terraform/root workspace: default

Plan Error

Show Output
running 'sh -c' '/usr/local/bin/terraform plan -input=false -refresh -out "/atlantis/repos/kubernetes/k8s.io/8974/default/infra/azure/terraform/root/default.tfplan"' in '/atlantis/repos/kubernetes/k8s.io/8974/default/infra/azure/terraform/root': exit status 1
Acquiring state lock. This may take a few moments...
module.role_assignments.data.modtm_module_source.telemetry[0]: Reading...
module.role_assignments.random_uuid.telemetry[0]: Refreshing state... [id=016e026a-dbc2-ff65-38c6-8554c6161445]
module.role_assignments.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.role_assignments.data.azurerm_role_definition.role_definitions_by_name["owner"]: Reading...
module.role_assignments.data.azurerm_client_config.telemetry[0]: Reading...
module.role_assignments.data.azurerm_client_config.current: Reading...
module.role_assignments.data.azurerm_role_definition.role_definitions_by_name["contributor"]: Reading...
module.role_assignments.data.azurerm_management_group.management_groups_by_id_or_display_name["root"]: Reading...
module.role_assignments.data.azurerm_role_definition.role_definitions_by_name["monitoring-reader"]: Reading...
module.role_assignments.data.azurerm_role_definition.role_definitions_by_name["reader"]: Reading...
module.role_assignments.data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD02ZmU4N2NlZS02NDcwLTQ1ZDgtYWNjYy01NzY4NzE5M2U1MDQ7b2JqZWN0SWQ9NDE4MDk0MTYtZTI4MC00OGUxLTgzNTQtODQ4M2FmMTkwZmJjO3N1YnNjcmlwdGlvbklkPTQ2Njc4ZjEwLTRiYmItNDQ3ZS05OGU4LWQyODI5NTg5ZjJkODt0ZW5hbnRJZD1kMWFhNzUyMi0wOTU5LTQ0MmUtODBlZS04YzRmN2ZiNGMxODQ=]
module.role_assignments.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD02ZmU4N2NlZS02NDcwLTQ1ZDgtYWNjYy01NzY4NzE5M2U1MDQ7b2JqZWN0SWQ9NDE4MDk0MTYtZTI4MC00OGUxLTgzNTQtODQ4M2FmMTkwZmJjO3N1YnNjcmlwdGlvbklkPTQ2Njc4ZjEwLTRiYmItNDQ3ZS05OGU4LWQyODI5NTg5ZjJkODt0ZW5hbnRJZD1kMWFhNzUyMi0wOTU5LTQ0MmUtODBlZS04YzRmN2ZiNGMxODQ=]
module.role_assignments.modtm_telemetry.telemetry[0]: Refreshing state... [id=af03c3da-3051-4ba2-b39b-f9d89929dbf6]
module.role_assignments.data.azurerm_role_definition.role_definitions_by_name["reader"]: Read complete after 0s [id=/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7]
module.role_assignments.data.azurerm_role_definition.role_definitions_by_name["contributor"]: Read complete after 0s [id=/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c]
module.role_assignments.data.azurerm_role_definition.role_definitions_by_name["owner"]: Read complete after 0s [id=/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635]
module.role_assignments.data.azurerm_role_definition.role_definitions_by_name["monitoring-reader"]: Read complete after 0s [id=/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05]
module.role_assignments.data.azurerm_management_group.management_groups_by_id_or_display_name["root"]: Read complete after 0s [id=/providers/Microsoft.Management/managementGroups/d1aa7522-0959-442e-80ee-8c4f7fb4c184]

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: unable to build authorizer: no Authorizer could be configured, please check your configuration
│ 
│   with provider["registry.terraform.io/hashicorp/azuread"],
│   on providers.tf line 59, in provider "azuread":
│   59: provider "azuread" {
│ 
╵
Releasing state lock. This may take a few moments...

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 20, 2026
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle rotten
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 20, 2026