From 4b4c873c8245de847ca5ad01a9573fe091e6ada2 Mon Sep 17 00:00:00 2001
From: Adam Power
Date: Tue, 31 Mar 2020 15:28:25 +0100
Subject: [PATCH] Adding Azure VM read permission to PKS workers

This permission seems to be required for provisioning PersistentVolumes when using a StorageClass that uses Azure managed disks. This feature only became available in Azure v1.7.2, so it's possible our old testing only included the old StorageClass configuration. If this permission is missing from the k8s workers, Pods will not be able to mount PersistentVolumes, and an error will appear in the k8s events saying that the worker VM "does not have authorization to perform action 'Microsoft.Compute/virtualMachines/read'" on the disk.
---
 azure/iam.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/azure/iam.tf b/azure/iam.tf
index 9cf2820..d899df6 100644
--- a/azure/iam.tf
+++ b/azure/iam.tf
@@ -27,6 +27,7 @@ resource "azurerm_role_definition" "pks-worker" {
 permissions {
 actions = [
 "Microsoft.Storage/storageAccounts/*",
+ "Microsoft.Compute/virtualMachines/read",
 ]
 not_actions = []
 }
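Review bot: The added `"Microsoft.Compute/virtualMachines/read"` action has no comment saying why a worker identity needs it, so a later least-privilege review of this role has only the commit message to go on. I would add a line above it such as `# Needed to mount PersistentVolumes backed by Azure managed disks (managed-disk StorageClass)`. The scope at which `pks-worker` is defined and assigned is outside the hunk. It is worth confirming that it is limited to the resource group holding the cluster's VMs, because a VM read granted at a wider scope would presumably let every worker read the configuration of unrelated machines. The resource block starts before the hunk and continues past it.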