This is the repository for our Azure Kubernetes Service (AKS) Terraform module.
The following requirements are needed by this module:
```hcl
#trivy:ignore:avd-azu-0041
module "kubernetes" {
  source  = "fortytwoservices/aks/azurerm"
  version = "3.5.0"

  name                = "demo-prod-westeu"
  resource_group_name = azurerm_resource_group.demo.name
  location            = azurerm_resource_group.demo.location

  tags = {
    environment = "production"
  }
}
```

```hcl
#trivy:ignore:avd-azu-0041
module "kubernetes" {
  source  = "fortytwoservices/aks/azurerm"
  version = "3.5.0"

  name                = "demo-prod-westeu"
  resource_group_name = azurerm_resource_group.demo.name
  location            = azurerm_resource_group.demo.location

  service_principal = {
    client_id     = "00000000-0000-0000-0000-000000000000"
    client_secret = "client_secret_value"
  }

  automatic_bump_kubernetes_version = {
    enabled         = true
    version_prefix  = "1.23"
    include_preview = false
  }

  additional_node_pools = [
    { name = "pool1" },
    { name = "pool2" }
  ]

  tags = {
    environment = "production"
  }
}
```
The following providers are used by this module:
- azurerm (>= 4.0.0)
The following resources are used by this module:
- azurerm_kubernetes_cluster.main (resource)
- azurerm_kubernetes_cluster_node_pool.additional (resource)
- azurerm_log_analytics_workspace.main (resource)
- azurerm_kubernetes_service_versions.current (data source)
The following input variables are required:
Description: The location where all resources will be created
Type: string
Description: The name of the managed Kubernetes cluster.
Type: string
Description: Name of the resource group to create the resources in
Type: string
The following input variables are optional (have default values):
Description: (Optional) Used to fill the azure_active_directory_role_based_access_control block for the Kubernetes cluster.
If nothing is specified, managed AAD RBAC will be enabled.
If managed is set to true, the admin_group_object_ids properties can be specified to a group that will have admin access to the cluster.
Type:

```hcl
object({
  tenant_id              = optional(string)
  admin_group_object_ids = optional(list(string))
  azure_rbac_enabled     = optional(bool, true)
})
```

Default:

```json
{
  "admin_group_object_ids": null,
  "azure_rbac_enabled": true
}
```
Description: (Optional) A list of additional node pools to add to the Kubernetes cluster.
Each node pool can have the following properties:
name - (Required) The name of the node pool.
node_count - (optional) The number of nodes in the node pool, defaults to 1.
vm_size - (optional) The size of the virtual machines to use for the node pool, defaults to the same as the default node pool.
Type:

```hcl
list(object({
  name                 = string
  mode                 = optional(string)
  orchestrator_version = optional(string)
  os_type              = optional(string)
  os_sku               = optional(string)
  node_labels          = optional(map(string))
  node_count           = optional(number)
  auto_scaling_enabled = optional(bool, false)
  min_count            = optional(number)
  max_count            = optional(number)
  vm_size              = optional(string)
  os_disk_size_gb      = optional(number)
  os_disk_type         = optional(string)
  vnet_subnet_id       = optional(string)
  pod_subnet_id        = optional(string)
  max_pods             = optional(number)
  zones                = optional(list(string))
  scale_down_mode      = optional(string)
  ultra_ssd_enabled    = optional(bool)
  kubelet_disk_type    = optional(string)
  node_taints          = optional(list(string))
  tags                 = optional(map(string))
  priority             = optional(string)
  spot_max_price       = optional(string)
  eviction_policy      = optional(string)
  linux_os_config = optional(object({
    swap_file_size_mb             = optional(number)
    transparent_huge_page_enabled = optional(bool)
    transparent_huge_page_defrag  = optional(string)
    sysctl_config = optional(object({
      vm_max_map_count = optional(number)
    }))
  }))
  upgrade_settings = optional(object({
    max_surge = optional(string)
  }))
}))
```

Default: `[]`
Description: n/a
Type:

```hcl
object({
  authorized_ip_ranges = optional(list(string))
})
```

Default: `null`
Description: (Optional) A list of authorized IP ranges to access the Kubernetes API server
Type: list(string)
Default: null
Description: The auto scaler profile for the Kubernetes cluster.
Type:

```hcl
object({
  balance_similar_node_groups      = optional(bool)
  expander                         = optional(string)
  max_graceful_termination_sec     = optional(number)
  max_node_provisioning_time       = optional(string)
  max_unready_nodes                = optional(number)
  new_pod_scale_up_delay           = optional(string)
  scale_down_delay_after_add       = optional(string)
  scale_down_delay_after_delete    = optional(string)
  scale_down_delay_after_failure   = optional(string)
  scale_down_unneeded              = optional(string)
  scale_down_unready               = optional(string)
  scale_down_utilization_threshold = optional(string)
  empty_bulk_delete_max            = optional(number)
  skip_nodes_with_local_storage    = optional(bool)
  skip_nodes_with_system_pods      = optional(bool)
})
```

Default: `null`
Description: Automatically bump the Kubernetes version to the latest available version
Type:

```hcl
object({
  enabled         = bool
  version_prefix  = string
  include_preview = bool
})
```

Default:

```json
{
  "enabled": false,
  "include_preview": false,
  "version_prefix": "1.23"
}
```
Description: (Optional) The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.
Type: string
Default: null
Description: (Optional) Enable or disable Azure Monitor for the cluster. Defaults to true.
If neither azure_monitor.log_analytics_workspace_id nor default_log_analytics_workspace_id is specified, a new Log Analytics Workspace will be created with the same name as the AKS cluster and in the same resource group.
Type:

```hcl
object({
  enabled                         = optional(bool, true)
  log_analytics_workspace_id      = optional(string, null)
  msi_auth_for_monitoring_enabled = optional(bool, false)
})
```

Default:

```json
{
  "enabled": true,
  "log_analytics_workspace_id": null,
  "msi_auth_for_monitoring_enabled": false
}
```
Description: Enable or disable Azure Policy for the cluster. Defaults to true.
Type: bool
Default: true
Description: (Optional) The id of the Log Analytics Workspace to use as default for Defender and Azure Monitor.
Each of these services can be configured to use a different Log Analytics Workspace, which will override this setting.
If neither this nor the service-specific variable is specified, and the services are enabled, a new Log Analytics Workspace will be created.
Type: string
Default: null
Description: (Optional) The default node pool for the Kubernetes cluster.
If not specified, the default node pool will have one Standard_D2s_v4 node.
Type:

```hcl
object({
  name    = string
  vm_size = string
  # Autoscale or manual scaling
  node_count           = optional(number)
  auto_scaling_enabled = optional(bool)
  autoscale = optional(object({
    min_count = number
    max_count = number
  }))
  # Optional settings
  max_pods                      = optional(number)
  capacity_reservation_group_id = optional(string)
  host_encryption_enabled       = optional(bool)
  node_public_ip_enabled        = optional(bool)
  fips_enabled                  = optional(bool)
  kubelet_disk_type             = optional(string)
  node_public_ip_prefix_id      = optional(string)
  node_labels                   = optional(map(string))
  only_critical_addons_enabled  = optional(bool)
  orchestrator_version          = optional(string)
  os_disk_size_gb               = optional(number)
  os_disk_type                  = optional(string)
  os_sku                        = optional(string)
  pod_subnet_id                 = optional(string)
  scale_down_mode               = optional(string)
  type                          = optional(string)
  tags                          = optional(map(string))
  ultra_ssd_enabled             = optional(bool)
  zones                         = optional(list(string))
  kubelet_config = optional(object({
    cpu_manager_policy        = optional(string)
    cpu_cfs_quota_enabled     = optional(bool)
    cpu_cfs_quota_period      = optional(string)
    image_gc_high_threshold   = optional(number)
    image_gc_low_threshold    = optional(number)
    topology_manager_policy   = optional(string)
    allowed_unsafe_sysctls    = optional(list(string))
    container_log_max_size_mb = optional(number)
    container_log_max_line    = optional(number)
    pod_max_pid               = optional(number)
  }))
  linux_os_config = optional(object({
    # sysctl will not be implemented until someone needs it
    swap_file_size_mb             = optional(number)
    transparent_huge_page_enabled = optional(bool)
    transparent_huge_page_defrag  = optional(string)
  }))
  upgrade_settings = optional(object({
    max_surge = optional(string)
  }))
})
```

Default:

```json
{
  "name": "default",
  "node_count": 1,
  "vm_size": "Standard_D2s_v4"
}
```
Description: (Optional) The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
Type: string
Default: null
Description: (Optional) The identity block for the Kubernetes cluster.
If not specified, the identity will be of type SystemAssigned.
Type:

```hcl
object({
  type         = string
  identity_ids = optional(list(string))
})
```

Default:

```json
{
  "identity_ids": null,
  "type": "SystemAssigned"
}
```
Description: (Optional) Enable or disable Image Cleaner for the cluster. Defaults to false.
Type: bool
Default: false
Description: (Optional) Specifies the interval in hours when images should be cleaned up. Defaults to 48.
Type: number
Default: 48
Description: Values used for deployment of the ingress application gateway
Type:

```hcl
object({
  gateway_id   = optional(string)
  gateway_name = optional(string)
  subnet_cidr  = optional(string)
  subnet_id    = optional(string)
})
```

Default: `null`
Description: (Optional) Enable or disable Azure Key Vault Secret Providers for the cluster. Defaults to false.
Type:

```hcl
object({
  enabled                  = optional(bool, false)
  secret_rotation_enabled  = optional(bool, false)
  secret_rotation_interval = optional(string, null)
})
```

Default: `{}`
Description: (Optional) Enable Azure Key Vault Key Management Service.
Type: bool
Default: false
Description: (Optional) Identifier of Azure Key Vault key. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier.
Type: string
Default: null
Description: (Optional) Network Access of Azure Key Vault. Possible values are: 'Private' and 'Public'. The default value is 'Private'.
Type: string
Default: "Private"
Description: n/a
Type:

```hcl
object({
  client_id                 = optional(string)
  object_id                 = optional(string)
  user_assigned_identity_id = optional(string)
})
```

Default:

```json
{
  "client_id": null,
  "object_id": null,
  "user_assigned_identity_id": null
}
```
Description: Kubernetes version to use for the cluster
Type: string
Default: null
Description: (Optional) Enable or disable local account for the cluster. Defaults to true.
Type: bool
Default: true
Description: (Optional) Maintenance windows allowed and not allowed configuration of the managed cluster.
Type:

```hcl
object({
  allowed = optional(list(object({
    day   = string
    hours = set(number)
  })), [])
  not_allowed = optional(list(object({
    end   = string
    start = string
  })), [])
})
```

Default: `null`
Description: (Optional) Maintenance window for auto upgrade of the managed AKS cluster.
Type:

```hcl
object({
  day_of_month = optional(number)
  day_of_week  = optional(string)
  duration     = number
  frequency    = string
  interval     = number
  start_date   = optional(string)
  start_time   = optional(string)
  utc_offset   = optional(string)
  week_index   = optional(string)
  not_allowed = optional(set(object({
    end   = string
    start = string
  })))
})
```

Default: `null`
Description: (Optional) Maintenance window for auto upgrade of the managed AKS cluster nodes OS.
Type:

```hcl
object({
  day_of_month = optional(number)
  day_of_week  = optional(string)
  duration     = number
  frequency    = string
  interval     = number
  start_date   = optional(string)
  start_time   = optional(string)
  utc_offset   = optional(string)
  week_index   = optional(string)
  not_allowed = optional(set(object({
    end   = string
    start = string
  })))
})
```

Default: `null`
Description: (Optional) Enable or disable Microsoft Defender (Security profile) for the cluster. Defaults to false.
If neither microsoft_defender.log_analytics_workspace_id nor default_log_analytics_workspace_id is specified, a new Log Analytics Workspace will be created with the same name as the AKS cluster and in the same resource group.
Type:

```hcl
object({
  enabled                    = optional(bool, false)
  log_analytics_workspace_id = optional(string, null)
})
```

Default:

```json
{
  "enabled": false,
  "log_analytics_workspace_id": null
}
```
Description: (Optional) The network profile block for the Kubernetes cluster.
If not specified, the network profile will be of type Azure.
Type:

```hcl
object({
  network_plugin      = string
  network_data_plane  = optional(string)
  network_plugin_mode = optional(string)
  network_policy      = optional(string)
  network_mode        = optional(string)
  vnet_subnet_id      = optional(string)
  load_balancer_sku   = optional(string)
  outbound_type       = optional(string)
  dns_service_ip      = optional(string)
  service_cidr        = optional(string)
  service_cidrs       = optional(list(string))
  pod_cidr            = optional(string)
  pod_cidrs           = optional(list(string))
  ip_versions         = optional(list(string))
})
```

Default:

```json
{
  "network_plugin": "azure"
}
```
Description: (Optional) The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None. Defaults to NodeImage.
Type: string
Default: "NodeImage"
Description: (Optional) Enable or disable private cluster for the cluster. Defaults to false.
Type: bool
Default: false
Description: (Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
Type: string
Default: null
Description: (Optional) Enable or disable Run Command for the cluster. Defaults to false.
Type: bool
Default: false
Description: (Optional) The service principal block for the Kubernetes cluster.
Do not specify this block if you have already defined the identity block, or if you want to use the SystemAssigned identity.
Type:

```hcl
object({
  client_id     = string
  client_secret = string
})
```

Default: `null`
Description: (Optional) The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, and Standard (which includes the Uptime SLA). Defaults to Free.
Type: string
Default: "Free"
Description: (Optional) The storage profile block for the Kubernetes cluster.
Type:

```hcl
object({
  blob_driver_enabled         = optional(bool)
  disk_driver_enabled         = optional(bool)
  file_driver_enabled         = optional(bool)
  snapshot_controller_enabled = optional(bool)
})
```

Default: `null`
Description: (Optional) A mapping of tags to assign to the resources
Type: map(string)
Default: {}
Description: (Optional) Enable or disable workload identity for the cluster. Enabling this also sets oidc_issuer_enabled to true.
Type: bool
Default: null
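Several of the defaults above are permissive on purpose (public API server with no authorized IP ranges, local accounts enabled, Microsoft Defender and Run Command off, private cluster off). As an added example that is not part of the module's own code, the following plan check reads `terraform show -json` output and flags an `azurerm_kubernetes_cluster` left at those settings. It assumes the azurerm provider's attribute names on that resource (`private_cluster_enabled`, `local_account_disabled`, `run_command_enabled`, `api_server_access_profile`, `microsoft_defender`, `azure_active_directory_role_based_access_control`) and feeds itself a constructed plan excerpt rather than real module output.

```python
import json

# Constructed excerpt in the shape of `terraform show -json plan.out`
# (resource_changes[].change.after). Not real output from this module.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [{
        "address": "module.kubernetes.azurerm_kubernetes_cluster.main",
        "type": "azurerm_kubernetes_cluster",
        "change": {"actions": ["create"], "after": {
            "private_cluster_enabled": False,
            "local_account_disabled": False,
            "run_command_enabled": False,
            "api_server_access_profile": [],   # nested blocks appear as lists
            "microsoft_defender": [],
            "azure_active_directory_role_based_access_control": [
                {"azure_rbac_enabled": True}
            ],
        }},
    }]
})


def check_cluster(after: dict) -> list[str]:
    """Return findings for one azurerm_kubernetes_cluster 'after' state."""
    findings = []
    if not after.get("private_cluster_enabled"):
        findings.append("API server is public (private_cluster_enabled=false)")
        # Authorized IP ranges only matter while the endpoint is public.
        profiles = after.get("api_server_access_profile") or []
        ranges = profiles[0].get("authorized_ip_ranges") if profiles else None
        if not ranges:
            findings.append("public API server has no authorized_ip_ranges")
    if not after.get("local_account_disabled"):
        findings.append("local (non-AAD) cluster accounts are enabled")
    if after.get("run_command_enabled"):
        findings.append("Run Command is enabled")
    if not (after.get("microsoft_defender") or []):
        findings.append("Microsoft Defender profile is not configured")
    rbac = after.get("azure_active_directory_role_based_access_control") or []
    if not rbac or not rbac[0].get("azure_rbac_enabled"):
        findings.append("Azure RBAC for Kubernetes authorization is not enabled")
    return findings


def audit_plan(plan_json: str) -> dict[str, list[str]]:
    """Map each planned azurerm_kubernetes_cluster address to its findings."""
    plan = json.loads(plan_json)
    results = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_kubernetes_cluster":
            continue
        after = rc.get("change", {}).get("after") or {}
        results[rc["address"]] = check_cluster(after)
    return results


if __name__ == "__main__":
    for addr, found in audit_plan(SAMPLE_PLAN).items():
        print(addr, *(found or ["ok"]), sep="\n  ")
```

Run it as `terraform show -json plan.out | python3 check_aks_plan.py` after replacing `SAMPLE_PLAN` with `sys.stdin.read()`; a non-empty findings list is the signal to tighten the module inputs before applying.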
The following outputs are exported:
Description: The AZ CLI command to get credentials from your new cluster.
Description: The Kubernetes Managed Cluster ID.
Description: Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
Description: Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.
Description: Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
Description: The Kubernetes cluster server host.
Description: Block of the parameters from the Managed Service Identity.
Description: The raw kube admin config, used with kubectl and other tools.
Description: The raw kubelet identity. Used for Azure role assignments.
Description: The OIDC issuer URL that is associated with the cluster.
Description: Block of the parameters from the Key Vault Secrets Provider.
No modules.