Terraform module to create a Managed Kubernetes Cluster.
- Azure Resource Naming Convention
- AKS SSH Keys
- ACI Connector for AKS
- Ingress Application Gateway
- Requirements
- Providers
- Modules
- Resources
- Inputs
- Outputs
## Azure Resource Naming Convention

Resource names should clearly indicate their type, workload, environment, and region. Using a consistent naming convention ensures clarity, uniformity, and easy identification across all repositories.

```
<resource_prefix>-<app_or_project>-<environment>-<region>-<optional_unique_suffix>
```

Component | Description | Example |
---|---|---|
resource_prefix | Short abbreviation for the resource type. | rg (Resource Group) |
app_or_project | Identifier for the application or project. | qoh |
environment | Environment where the resource is deployed (prod, dev, test, etc.). | prod |
region | Azure region where the resource resides (e.g., cus for centralus). | cus |
optional_unique_suffix | Optional unique string for ensuring name uniqueness, often random or incremental. | abcd, a42n |
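As an added example (not part of this module), the convention can be enforced at plan time with Terraform variable validation and composed once in `locals`, so every resource in a root module derives its name from the same components. The variable names, the prefix abbreviations other than `rg`, and the use of the `random` provider for the optional suffix are assumptions:

```hcl
# Added example, not part of the module. Variable names, the prefix
# abbreviations other than rg, and the use of the random provider are assumed.

variable "app_or_project" {
  type        = string
  description = "Identifier for the application or project, e.g. qoh."
  validation {
    condition     = can(regex("^[a-z0-9]{2,10}$", var.app_or_project))
    error_message = "app_or_project must be 2-10 lowercase letters or digits."
  }
}

variable "environment" {
  type        = string
  description = "Environment where the resource is deployed."
  validation {
    condition     = contains(["prod", "dev", "test"], var.environment)
    error_message = "environment must be one of prod, dev or test."
  }
}

variable "region" {
  type        = string
  description = "Short Azure region code, e.g. cus for centralus."
  default     = "cus"
}

# Optional unique suffix, generated once and then kept stable in state.
resource "random_string" "suffix" {
  length  = 4
  lower   = true
  upper   = false
  special = false
}

locals {
  # qoh-prod-cus
  base_name = "${var.app_or_project}-${var.environment}-${var.region}"

  names = {
    resource_group = "rg-${local.base_name}"   # rg-qoh-prod-cus
    aks_cluster    = "aks-${local.base_name}"  # aks-qoh-prod-cus (assumed prefix)
    virtual_net    = "vnet-${local.base_name}" # vnet-qoh-prod-cus (assumed prefix)
    # Globally unique names carry the suffix, e.g. kv-qoh-prod-cus-a42n
    key_vault = "kv-${local.base_name}-${random_string.suffix.result}"
  }
}
```

Because the suffix is a managed resource, `terraform plan` will not silently rename resources on every run, and a wrong `environment` value is rejected before anything is created.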
## AKS SSH Keys

To create and configure SSH keys for accessing the AKS cluster:

- Create the directory for storing SSH keys:

  ```shell
  mkdir -p $HOME/.ssh/VeeraBhadraDevOps
  ```

- Generate the SSH key pair:

  ```shell
  ssh-keygen \
    -m PEM \
    -t rsa \
    -b 4096 \
    -C "VeeraBhadraDevOps@LAPTOP-XXXXXXX" \
    -f ~/.ssh/VeeraBhadraDevOps/VeeraBhadraDevOps_id_rsa \
    -N "mypassphrase"
  ```

- Verify the keys are created:

  ```shell
  ls -lrt $HOME/.ssh/VeeraBhadraDevOps
  ```
## ACI Connector for AKS

To configure the AKS virtual node subnet with delegation for ACI (Azure Container Instances):

- Add a delegation to the subnet to ensure AKS works with ACI properly and to prevent future issues:

  ```hcl
  resource "azurerm_subnet" "virtual" {
    # Add your other subnet configurations here

    delegation {
      name = "aciDelegation"
      service_delegation {
        name    = "Microsoft.ContainerInstance/containerGroups"
        actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
      }
    }
  }
  ```
## Ingress Application Gateway

If using an Application Gateway as an ingress controller, ensure the following configuration:

- The Application Gateway is deployed inside a Virtual Network. The users (and Service Principals) operating the Application Gateway must have the `Microsoft.Network/virtualNetworks/subnets/join/action` permission on the Virtual Network or Subnet. For more details, please refer to Virtual Network Permissions.
- When using `ingress_application_gateway`, at least one of the following parameters must be specified: `gateway_id`, `subnet_id`, or `subnet_cidr`.

Note:

- If using `ingress_application_gateway` in conjunction with the `only_critical_addons_enabled` option, the AGIC (Azure Application Gateway Ingress Controller) pod will fail to start. In this case, create a separate `azurerm_kubernetes_cluster_node_pool` to run the AGIC pod successfully, as AGIC is classified as a "non-critical addon."
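The following root module, added here as an example and not part of the module itself, ties the AKS SSH Keys, ACI Connector and Ingress Application Gateway sections together: an ACI-delegated virtual node subnet wired to `aci_connector_linux`, an `ingress_application_gateway` block that satisfies the "at least one of `gateway_id`, `subnet_id`, `subnet_cidr`" rule with `subnet_cidr`, a `default_node_pool` with `only_critical_addons_enabled` plus a separate `kubernetes_cluster_node_pool` where the non-critical AGIC pod can run, and a `linux_profile` that reads the public half of the key pair generated above. The module `source` path, the VNet layout, the resource names and the group object id are assumptions, as are the attribute names inside the `any`-typed block inputs, which are assumed to mirror the corresponding `azurerm_kubernetes_cluster` and `azurerm_kubernetes_cluster_node_pool` arguments:

```hcl
# Added example, not the module's own code. Assumed: the module source path,
# the VNet layout and names, and that the any-typed block inputs use the same
# attribute names as the azurerm_kubernetes_cluster(_node_pool) resources.

resource "azurerm_resource_group" "aks" {
  name     = "rg-qoh-prod-cus"
  location = "centralus"
}

resource "azurerm_virtual_network" "aks" {
  name                = "vnet-qoh-prod-cus"
  location            = azurerm_resource_group.aks.location
  resource_group_name = azurerm_resource_group.aks.name
  address_space       = ["10.10.0.0/16"]
}

# Subnet for the AKS node pools.
resource "azurerm_subnet" "nodes" {
  name                 = "snet-aks-nodes"
  resource_group_name  = azurerm_resource_group.aks.name
  virtual_network_name = azurerm_virtual_network.aks.name
  address_prefixes     = ["10.10.0.0/22"]
}

# Virtual node subnet, delegated to ACI as described in the ACI Connector section.
resource "azurerm_subnet" "virtual" {
  name                 = "snet-aks-virtual"
  resource_group_name  = azurerm_resource_group.aks.name
  virtual_network_name = azurerm_virtual_network.aks.name
  address_prefixes     = ["10.10.5.0/24"]

  delegation {
    name = "aciDelegation"
    service_delegation {
      name    = "Microsoft.ContainerInstance/containerGroups"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

module "aks" {
  source = "./modules/aks" # assumed path to this module

  name                = "aks-qoh-prod-cus"
  location            = azurerm_resource_group.aks.location
  resource_group_name = azurerm_resource_group.aks.name
  nodepool_subnet_id  = azurerm_subnet.nodes.id # assumed to be applied to the node pools
  sku_tier            = "Standard"

  # Reduce the control-plane exposure: private API endpoint, no local accounts,
  # Entra ID RBAC, and workload identity instead of long-lived node credentials.
  private_cluster_enabled           = true
  local_account_disabled            = true
  role_based_access_control_enabled = true
  oidc_issuer_enabled               = true
  workload_identity_enabled         = true
  identity                          = { type = "SystemAssigned" }
  azure_active_directory_role_based_access_control = {
    azure_rbac_enabled     = true
    admin_group_object_ids = ["00000000-0000-0000-0000-000000000000"] # placeholder
  }

  # System pool limited to critical add-ons: AGIC is non-critical and will not start here.
  default_node_pool = {
    name                         = "system"
    vm_size                      = "Standard_D4s_v5"
    node_count                   = 3
    only_critical_addons_enabled = true
  }

  # Separate user pool on which the AGIC pod can be scheduled.
  kubernetes_cluster_node_pool = {
    user = {
      vm_size    = "Standard_D4s_v5"
      node_count = 2
      mode       = "User"
    }
  }

  # AGIC needs at least one of gateway_id, subnet_id or subnet_cidr; with
  # subnet_cidr the add-on creates the gateway subnet inside the node VNet.
  ingress_application_gateway = {
    gateway_name = "agw-qoh-prod-cus"
    subnet_cidr  = "10.10.4.0/24"
  }

  # Virtual nodes on the ACI-delegated subnet.
  aci_connector_linux = { subnet_name = azurerm_subnet.virtual.name }

  # Public half of the key pair from the AKS SSH Keys section; pathexpand() is
  # needed because file() does not expand "~" on its own.
  linux_profile = {
    admin_username = "azureuser"
    ssh_key = {
      key_data = file(pathexpand("~/.ssh/VeeraBhadraDevOps/VeeraBhadraDevOps_id_rsa.pub"))
    }
  }
}
```

Only the `.pub` file is read into state; the private key and its passphrase never enter Terraform. The identity that operates the Application Gateway still needs `Microsoft.Network/virtualNetworks/subnets/join/action` on the VNet, which this example does not grant because the module exposes no output for that identity.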
## Requirements

Name | Version |
---|---|
terraform | >=0.13 |
azuread | >=3.0.2 |
azurerm | >=4.0.0 |
## Providers

Name | Version |
---|---|
azurerm | >=4.0.0 |
## Modules

No modules.
## Resources

Name | Type |
---|---|
azurerm_kubernetes_cluster.kubernetes_cluster | resource |
azurerm_kubernetes_cluster_extension.aks_extension | resource |
azurerm_kubernetes_cluster_node_pool.kubernetes_cluster_node_pool | resource |
azurerm_client_config.current | data source |
azurerm_kubernetes_service_versions.current | data source |
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
aci_connector_linux | (Optional) An aci_connector_linux block | any | {} | no |
aks_extension | AKS Extension | any | {} | no |
api_server_access_profile | (Optional) An api_server_access_profile block | any | {} | no |
auto_scaler_profile | (Optional) An auto_scaler_profile block | any | {} | no |
automatic_upgrade_channel | (Optional) The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none. | string | null | no |
azure_active_directory_role_based_access_control | (Optional) An azure_active_directory_role_based_access_control block | any | {} | no |
azure_policy_enabled | (Optional) Should the Azure Policy Add-On be enabled? | bool | null | no |
confidential_computing | (Optional) A confidential_computing block | any | {} | no |
cost_analysis_enabled | (Optional) Should cost analysis be enabled for this Kubernetes Cluster? Defaults to false. The sku_tier must be set to Standard or Premium to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. | bool | false | no |
default_node_pool | (Required) A default_node_pool block | any | n/a | yes |
disk_encryption_set_id | (Optional) The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created. | string | null | no |
dns_prefix_private_cluster | (Optional) Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created. | string | null | no |
edge_zone | (Optional) Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created. | string | null | no |
http_application_routing_enabled | (Optional) Should HTTP Application Routing be enabled? | bool | null | no |
http_proxy_config | (Optional) An http_proxy_config block | any | {} | no |
identity | (Optional) An identity block | any | {} | no |
image_cleaner_enabled | (Optional) Specifies whether Image Cleaner is enabled. | bool | null | no |
image_cleaner_interval_hours | (Optional) Specifies the interval in hours when images should be cleaned up. Defaults to 48. | number | 48 | no |
ingress_application_gateway | (Optional) An ingress_application_gateway block | any | {} | no |
key_management_service | (Optional) A key_management_service block | any | {} | no |
key_vault_secrets_provider | (Optional) A key_vault_secrets_provider block | any | {} | no |
kubelet_identity | (Optional) A kubelet_identity block | any | {} | no |
kubernetes_cluster_node_pool | One or more kubernetes_cluster_node_pool blocks | map | {} | no |
linux_profile | (Optional) A linux_profile block | any | {} | no |
local_account_disabled | (Optional) If true, local accounts will be disabled. | bool | null | no |
location | (Required) The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created. | string | n/a | yes |
maintenance_window | (Optional) A maintenance_window block | any | {} | no |
maintenance_window_auto_upgrade | (Optional) A maintenance_window_auto_upgrade block | any | {} | no |
maintenance_window_node_os | (Optional) A maintenance_window_node_os block | any | {} | no |
microsoft_defender | (Optional) A microsoft_defender block | any | {} | no |
monitor_metrics | (Optional) A monitor_metrics block | any | {} | no |
name | (Required) The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created. | string | n/a | yes |
network_profile | (Optional) A network_profile block | any | {} | no |
node_os_upgrade_channel | (Optional) The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None. | string | "NodeImage" | no |
node_resource_group | (Optional) The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created. | string | null | no |
nodepool_subnet_id | AKS Nodepool Subnet ID | string | null | no |
oidc_issuer_enabled | (Optional) Enable or Disable the OIDC issuer URL | bool | null | no |
oms_agent | (Optional) An oms_agent block | any | {} | no |
open_service_mesh_enabled | (Optional) Is Open Service Mesh enabled? | bool | null | no |
private_cluster_enabled | (Optional) Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created. | bool | false | no |
private_cluster_public_fqdn_enabled | (Optional) Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false. | bool | false | no |
private_dns_zone_id | (Optional) Either the ID of the Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this, or None. In the case of None you will need to bring your own DNS server and set up resolving; otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created. | string | null | no |
resource_group_name | (Required) Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created. | string | n/a | yes |
role_based_access_control_enabled | (Optional) Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created. | bool | true | no |
run_command_enabled | (Optional) Whether to enable run command for the cluster or not. Defaults to true. | bool | true | no |
service_mesh_profile | (Optional) A service_mesh_profile block | any | {} | no |
service_principal | (Optional) A service_principal block | any | {} | no |
sku_tier | (Optional) The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free. | string | null | no |
storage_profile | (Optional) A storage_profile block | any | {} | no |
support_plan | (Optional) Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial. | string | "KubernetesOfficial" | no |
tags | (Optional) A mapping of tags to assign to the resource. | map(any) | {} | no |
web_app_routing | (Optional) A web_app_routing block | any | {} | no |
windows_profile | (Optional) A windows_profile block | any | {} | no |
workload_autoscaler_profile | (Optional) A workload_autoscaler_profile block | any | {} | no |
workload_identity_enabled | (Optional) Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false. | bool | false | no |
## Outputs

Name | Description |
---|---|
default_version | The N-1 minor non-preview version and latest patch. |
id | n/a |
kubernetes_cluster_node_pool | AKS Node Pool |
latest_version | The most recent version available. If include_preview == false, this is the most recent non-preview version available. |
name | Azure Kubernetes Cluster |
versions | The list of all supported versions. |