This module manages an Azure Kubernetes Service (AKS) cluster. Besides the cluster itself it manages a configurable number of outbound public IPs.
Instantiate the module by calling it from Terraform like this:

```hcl
module "azure-k8s" {
  source  = "dodevops/kubernetes/azure"
  version = "<version>"
}
```
When using more than one node pool, the load balancer SKU "Basic" is not supported. It needs to be at least "Standard", see
All "System" mode pools must be able to reach all pods and subnets.
The following requirements are needed by this module:
- terraform (>=1.0.0)
- azuread (>=2.41.0)
- azurerm (>=3.63.0)
The following providers are used by this module:
- azuread (>=2.41.0)
- azurerm (>=3.63.0)
The following resources are used by this module:
- azuread_group_member.k8smember (resource)
- azurerm_kubernetes_cluster.k8s (resource)
- azurerm_kubernetes_cluster_node_pool.additional (resource)
- azurerm_public_ip.public-ip-outbound (resource)
- azurerm_role_assignment.aksacr (resource)
- azuread_group.ownersgroup (data source)
The following input variables are required:
Description: Version of kubernetes for the default node pool
Type: string
Description: Version of kubernetes of the control plane
Type: string
Description: Azure location to use
Type: string
Description: Number of Kubernetes cluster nodes to use
Type: string
Description: Three letter project key
Type: string
Description: The group IDs that have admin access to the cluster. They have to be specified if rbac_enabled is true.
Type: list(string)
Description: Azure Resource Group to use
Type: string
Description: Stage for this ip
Type: string
Description: ID of subnet to host the nodes, pods and services in.
Type: string
Description: Type of VM to use. Use az vm list-sizes --location to list all available sizes.
Type: string
The following input variables are optional (have default values):
Description: If set, explicitly defines RBAC for the azure_active_directory_role_based_access_control block.
Otherwise RBAC for the azure_active_directory_role_based_access_control block is derived from "rbac_enabled".
Type: bool
Default: null
Description: The IP ranges allowed for incoming traffic to the API server nodes. To disable the restriction, set an empty list (the default).
Type: list(string)
Default: []
Description: Enable auto-scaling of node pool
Type: bool
Default: false
Description: Enable auto-scaling of node pool
Type: string
Default: "1"
Description: Enable auto-scaling of node pool
Type: string
Default: "1"
Description: Values: none, patch, stable, rapid, node-image
Type: string
Default: "none"
Description: Availability zones to spread the cluster nodes across. If omitted, only one availability zone is used.
Type: list(number)
Default: []
Description: IDs of the azure container registries that the AKS should have pull access to
Type: list(string)
Default: []
Description: Name of the default node pool
Type: string
Default: "default"
Description: soak_duration_in_minutes is an optional parameter of an upgrade_settings block
Example: "30"
Type: number
Default: 0
Description: drain_timeout_in_minutes is an optional parameter of an upgrade_settings block
Example: "30"
Type: number
Default: 30
Description: If true, an upgrade_settings block will be added to default_node_pool.
Type: bool
Default: false
Description: max_surge is a required parameter of an upgrade_settings block
Example: "10%"
Type: string
Default: "10%"
Description: DNS-Prefix to use. Defaults to cluster name
Type: string
Default: "NONE"
Description: Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 120 inclusive.
Type: number
Default: 5
Description: Azure default settings
Type: bool
Default: false
Description: Azure default settings
Type: number
Default: 48
Description: The SKU for the used Load Balancer
Type: string
Default: "basic"
Description: see
Type: string
Default: "Monday"
Description: see
Type: string
Default: "4"
Description: Example: "04:00"
Type: string
Default: "04:00"
Description: Example: "+00:00"
Type: string
Default: "+00:00"
Description: The name of a group which is assigned the appropriate roles in the subscription to manage resources that are required by the AKS.
Setting this to a non-empty string will add the AKS managed identity to this group.
You need the following API permissions (with admin consent) on a service principal to make this work:
- Directory.Read.All
- Group.Read.All
- Group.ReadWrite.All
Type: string
Default: ""
Description: Number of pods allowed on each node (be aware that Kubernetes system pods are also counted)
Type: string
Default: "30"
Description: Network policy to use; currently only azure and calico are supported
Type: string
Default: "azure"
Description: Additional node pools to set up
Type: one entry per additional pool, each with the following attributes:
  vm_size : string,
  count : number,
  os_disk_size_gb : number,
  k8s_version : string,
  node_labels : map(string),
  max_pods : number,
  mode : string,
  taints : list(string),
  availability_zones : list(number)
Default: {}
Description: Disk size in GB
Type: string
Default: "30"
Description: Pre-allocated ports (AKS default: 0)
Type: number
Default: 0
Description: Enables RBAC on the cluster. If true, rbac_managed_admin_groups have to be specified.
Type: bool
Default: true
Type: string
Default: "Free"
Description: SSH public key to access the kubernetes node with
Type: string
Default: ""
Description: For a large number of outgoing connections, use this together with the maximum outbound_ports_allocated of 64000 to avoid network
bottlenecks. In that case it is recommended to set the count to at least 5 more than the number of Kubernetes nodes.
Type: number
Default: 0
Description: Map of tags for the resources
Type: map(any)
Default: {}
Description: Specifies the name of the temporary node pool used to cycle the default node pool for VM resizing.
Type: string
Default: "rotationtmp"
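The inputs above carry a few cross-variable constraints (Standard load balancer SKU with more than one node pool, admin groups when RBAC is enabled, the 4..120 idle timeout, the outbound IP count when outbound_ports_allocated is 64000, and the empty authorized IP range list that leaves the API server open). The following pre-apply checker is an added example and not part of the module; the keys of its settings dict are names chosen here for illustration, not the module's own variable names, except for rbac_enabled, rbac_managed_admin_groups and outbound_ports_allocated, which the README names.

```python
"""Pre-apply sanity checks for the constraints the README documents (added example)."""

MAX_OUTBOUND_PORTS = 64000          # per-node SNAT maximum the README refers to
IDLE_TIMEOUT_RANGE = (4, 120)       # allowed outbound idle timeout in minutes, inclusive
UPGRADE_CHANNELS = {"none", "patch", "stable", "rapid", "node-image"}


def check_settings(settings: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    total_pools = 1 + len(settings.get("node_pools", {}))  # default pool plus additional ones

    # More than one node pool needs at least the Standard load balancer SKU.
    if total_pools > 1 and settings.get("load_balancer_sku", "basic").lower() != "standard":
        findings.append("more than one node pool requires load balancer SKU 'Standard'")

    # With RBAC enabled, an empty admin group list leaves nobody able to administer the cluster.
    if settings.get("rbac_enabled", True) and not settings.get("rbac_managed_admin_groups"):
        findings.append("rbac_enabled is true but rbac_managed_admin_groups is empty")

    # An empty authorized range list (the default) disables the API server IP restriction.
    if not settings.get("api_server_authorized_ip_ranges"):
        findings.append("API server reachable from any IP: authorized IP range list is empty")

    lo, hi = IDLE_TIMEOUT_RANGE
    timeout = settings.get("outbound_idle_timeout_minutes", 5)
    if not lo <= timeout <= hi:
        findings.append(f"outbound idle timeout {timeout} is outside {lo}..{hi}")

    # At the maximum port allocation the README asks for node count + 5 outbound IPs.
    if settings.get("outbound_ports_allocated", 0) == MAX_OUTBOUND_PORTS:
        needed = settings.get("node_count", 0) + 5
        if settings.get("outbound_ip_count", 0) < needed:
            findings.append(f"outbound_ports_allocated is {MAX_OUTBOUND_PORTS}: need at least {needed} outbound IPs")

    channel = settings.get("automatic_upgrade_channel", "none")
    if channel not in UPGRADE_CHANNELS:
        findings.append(f"unknown upgrade channel {channel!r}")
    return findings


# Constructed sample: a two-pool cluster that keeps several README defaults (hypothetical values).
SAMPLE = {
    "node_count": 3,
    "node_pools": {"workers": {"mode": "User"}},
    "load_balancer_sku": "basic",
    "rbac_enabled": True,
    "rbac_managed_admin_groups": [],
    "api_server_authorized_ip_ranges": [],
    "outbound_idle_timeout_minutes": 5,
    "outbound_ports_allocated": 64000,
    "outbound_ip_count": 4,
    "automatic_upgrade_channel": "stable",
}
```

Running check_settings(SAMPLE) yields four findings (SKU, admin groups, open API server, too few outbound IPs); fixing those settings yields none.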
The following outputs are exported:
Description: The Kubernetes client certificate for a kubectl config
Description: The Kubernetes client certificate for admin access
Description: The Kubernetes client private key for a kubectl config
Description: The Kubernetes client private key for admin access
Description: A client token for accessing the cluster using kubectl
Description: A client token for accessing the cluster using kubectl with admin access
Description: The Kubernetes cluster CA certificate for a kubectl config
Description: The AKS cluster id
Description: The AKS cluster name
Description: The FQDN to the Kubernetes API server
Description: The Kubernetes API host for a kubectl config
Description: The object ID of the service principal of the managed identity of the AKS
Description: The resource group the Kubernetes nodes were created in
Description: The outbound public IPs
Use the terraform module tools to check and generate the documentation by running
docker run -v "$PWD":/terraform