
I am not able to create an Azure Kubernetes Service using the following code:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.96.0"
    }
  }
}

resource "azurerm_resource_group" "aks-rg" {
  name     = "aks-rg"
  location = "West Europe"
}

resource "azurerm_kubernetes_cluster" "aks-1" {
  name                = "aks-1"
  location            = azurerm_resource_group.aks-rg.location
  resource_group_name = azurerm_resource_group.aks-rg.name
  dns_prefix          = "aks1"
  
  default_node_pool {
    name       = "nodepool1"
    node_count = 3
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    Environment = "Test"
  }
}

The following error occurs:

│ Error: creating Cluster: (Managed Cluster Name "aks-1" / Resource Group "aks-rg"): 
containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending 
request: StatusCode=400 -- Original Error: Code="RequestDisallowedByPolicy" Message=
"Provisioning of resource(s) for container service aks-1 in resource group aks-rg failed. Message: Resource 
'aks-nodepool1-58423643-vmss' was disallowed by policy. Policy identifiers: 
'[{\"policyAssignment\":{\"name\":\"Enforce automatic OS upgrade with app health checks 

What am I doing wrong? Do I need to manually create a VMSS first?

Thanks in advance!

1 Answer

"Enforce automatic OS upgrade with app health checks" is a built-in policy enforced on your subscription / resource group that denies creating a VMSS without automatic OS upgrade enabled.

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachineScaleSets"
      },
      {
        "field": "Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade",
        "notEquals": "True"
      },
      {
        "field": "Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade",
        "notEquals": "True"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

I've seen others raising the same problem for the azurerm provider. But it can't be fixed at the provider level, as there is just no such parameter when adding a node pool to AKS (e.g. looking through the options of the Azure CLI).

You can only ask your admins to disable the policy or add an exemption for you.
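To see exactly why the AKS-created scale set trips this rule, the following is an added example (not code from the question or the answer) that re-implements just the subset of Azure Policy semantics the quoted rule uses: `allOf`, `field`, `equals` and `notEquals`, with the VMSS property aliases resolved as dotted paths under `properties`. The three sample resources are constructed for the example; the AKS node pool VMSS is assumed to come back from AKS with `upgradePolicy.mode = "Manual"` and no `automaticOSUpgradePolicy` at all, which is the case the rule is designed to catch. The point worth noticing is that a property the ARM request never sets is treated as not equal to "True", so the denial does not depend on AKS setting anything wrong; it only depends on AKS not exposing that VMSS setting.

```python
"""Evaluate the quoted Azure Policy rule against sample VMSS resources.

Added example, not code from the page. Only the policy operators the rule
needs are implemented (allOf, field, equals, notEquals). Sample resources
below are constructed, not captured from Azure.
"""

# The policyRule from the answer, with the deny effect the answer describes.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachineScaleSets"},
            {
                "field": "Microsoft.Compute/VirtualMachineScaleSets/"
                         "upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade",
                "notEquals": "True",
            },
            {
                "field": "Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade",
                "notEquals": "True",
            },
        ]
    },
    "then": {"effect": "deny"},
}

VMSS_ALIAS_PREFIX = "Microsoft.Compute/VirtualMachineScaleSets/"


def resolve_field(resource, field):
    """Map a policy field alias onto the resource JSON.

    "type" is top-level; "Microsoft.Compute/VirtualMachineScaleSets/<path>"
    resolves to properties.<path>. A property the request never set resolves
    to None (assumption: this mirrors Azure Policy treating it as absent).
    """
    if field.lower() == "type":
        return resource.get("type")
    if field.lower().startswith(VMSS_ALIAS_PREFIX.lower()):
        node = resource.get("properties", {})
        for part in field[len(VMSS_ALIAS_PREFIX):].split("."):
            if not isinstance(node, dict) or part not in node:
                return None
            node = node[part]
        return node
    raise ValueError(f"unsupported alias in this example: {field}")


def normalize(value):
    """Azure Policy compares strings case-insensitively; booleans become 'true'/'false'."""
    if value is None:
        return None
    if isinstance(value, bool):
        return str(value).lower()
    return str(value).lower()


def evaluate_condition(cond, resource):
    actual = normalize(resolve_field(resource, cond["field"]))
    if "equals" in cond:
        return actual == normalize(cond["equals"])
    if "notEquals" in cond:
        # An absent property is "not equal" to anything, so the condition holds.
        return actual != normalize(cond["notEquals"])
    raise ValueError(f"unsupported operator in this example: {cond}")


def evaluate(rule, resource):
    """Return the effect ('deny') when the rule matches, otherwise 'allow'."""
    if_block = rule["if"]
    conditions = if_block.get("allOf", [if_block])
    matched = all(evaluate_condition(c, resource) for c in conditions)
    return rule["then"]["effect"] if matched else "allow"


# Constructed resources. Names reuse the ones from the question for readability.
AKS_NODEPOOL_VMSS = {
    "type": "Microsoft.Compute/virtualMachineScaleSets",
    "name": "aks-nodepool1-58423643-vmss",
    "properties": {"upgradePolicy": {"mode": "Manual"}},  # assumed AKS default
}
COMPLIANT_VMSS = {
    "type": "Microsoft.Compute/virtualMachineScaleSets",
    "name": "hand-built-vmss",
    "properties": {"upgradePolicy": {
        "mode": "Automatic",
        "automaticOSUpgradePolicy": {"enableAutomaticOSUpgrade": True},
    }},
}
LEGACY_COMPLIANT_VMSS = {
    "type": "Microsoft.Compute/virtualMachineScaleSets",
    "name": "legacy-vmss",
    "properties": {"upgradePolicy": {"automaticOSUpgrade": True}},
}
AKS_CLUSTER = {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-1"}


def check_all():
    """Evaluate every sample resource; returns {name: effect}."""
    samples = [AKS_NODEPOOL_VMSS, COMPLIANT_VMSS, LEGACY_COMPLIANT_VMSS, AKS_CLUSTER]
    return {r["name"]: evaluate(POLICY_RULE, r) for r in samples}


if __name__ == "__main__":
    for name, effect in check_all().items():
        print(f"{name}: {effect}")
```

Because the `allOf` needs all three conditions, either automatic OS upgrade property set to true would satisfy the policy, but AKS sets neither and exposes neither. That is why the only remaining routes are the ones the answer names: a policy exemption (for example `az policy exemption create` scoped as narrowly as possible, ideally to the cluster's node resource group rather than the whole subscription) or disabling the assignment. Treat the exemption as an accepted risk to record: it removes the OS-upgrade control for those scale sets, and node OS patching for them then has to be covered by AKS node-image upgrades rather than by the VMSS feature the policy checks.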

1 Comment

Thanks! Unfortunately, it seems to be the only option at the moment. It works.
