azurerm_kubernetes_cluster

Manages a Managed Kubernetes Cluster (also known as AKS / Azure Kubernetes Service)

Example Usage

This example provisions a basic Managed Kubernetes Cluster. Other examples of the azurerm_kubernetes_cluster resource can be found in the ./examples/kubernetes directory within the GitHub Repository.

An example of how to attach a specific Container Registry to a Managed Kubernetes Cluster can be found in the docs for azurerm_container_registry.

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    Environment = "Production"
  }
}

output "client_certificate" {
  value     = azurerm_kubernetes_cluster.example.kube_config[0].client_certificate
  sensitive = true
}

output "kube_config" {
  value = azurerm_kubernetes_cluster.example.kube_config_raw

  sensitive = true
}

Argument Reference

The following arguments are supported:

In addition, one of either identity or service_principal blocks must be specified.


resource "azurerm_resource_group" "example" {
  name     = "example"
  location = "West Europe"
}

resource "azurerm_private_dns_zone" "example" {
  name                = "privatelink.eastus2.azmk8s.io"
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_user_assigned_identity" "example" {
  name                = "aks-example-identity"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

resource "azurerm_role_assignment" "example" {
  scope                = azurerm_private_dns_zone.example.id
  role_definition_name = "Private DNS Zone Contributor"
  principal_id         = azurerm_user_assigned_identity.example.principal_id
}

resource "azurerm_kubernetes_cluster" "example" {
  name                    = "aksexamplewithprivatednszone1"
  location                = azurerm_resource_group.example.location
  resource_group_name     = azurerm_resource_group.example.name
  dns_prefix              = "aksexamplednsprefix1"
  private_cluster_enabled = true
  private_dns_zone_id     = azurerm_private_dns_zone.example.id

  # rest of configuration omitted for brevity

  depends_on = [
    azurerm_role_assignment.example,
  ]
}

An aci_connector_linux block supports the following:

resource "azurerm_subnet" "virtual" {

  #...

  delegation {
    name = "aciDelegation"
    service_delegation {
      name    = "Microsoft.ContainerInstance/containerGroups"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

An api_server_access_profile block supports the following:


An auto_scaler_profile block supports the following:


An azure_active_directory_role_based_access_control block supports the following:

When managed is set to true the following properties can be specified:


A confidential_computing block supports the following:


A monitor_metrics block supports the following:


A default_node_pool block supports the following:

If enable_auto_scaling is set to true, then the following fields can also be configured:


An identity block supports the following:


A key_management_service block supports the following:


A key_vault_secrets_provider block supports the following:


A kubelet_config block supports the following:


The kubelet_identity block supports the following:


A linux_os_config block supports the following:


A node_network_profile block supports the following:


An allowed_host_ports block supports the following:


A linux_profile block supports the following:


A maintenance_window block supports the following:


A maintenance_window_auto_upgrade block supports the following:


A maintenance_window_node_os block supports the following:


An allowed block supports the following:


A not_allowed block supports the following:


A microsoft_defender block supports the following:


A network_profile block supports the following:

Examples of how to use AKS with Advanced Networking can be found in the ./examples/kubernetes/ directory in the GitHub repository.

->Note: To configure dual-stack networking ip_versions should be set to ["IPv4", "IPv6"].

->Note: Dual-stack networking requires that the Preview Feature Microsoft.ContainerService/AKS-EnableDualStack is enabled and the Resource Provider is re-registered, see the documentation for more information.


A load_balancer_profile block supports the following:


A nat_gateway_profile block supports the following:


An oms_agent block supports the following:


An ingress_application_gateway block supports the following:


A service_mesh_profile block supports the following:


A service_principal block supports the following:


An ssh_key block supports the following:


A storage_profile block supports the following:


A sysctl_config block supports the following:


A web_app_routing block supports the following:


A windows_profile block supports the following:


A gmsa block supports the following:


A workload_autoscaler_profile block supports the following:


An http_proxy_config block supports the following:


An upgrade_settings block supports the following:

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:


The aci_connector_linux block exports the following:


The connector_identity block exports the following:


The kubelet_identity block exports the following:


A load_balancer_profile block exports the following:


A network_profile block exports the following:


A nat_gateway_profile block exports the following:


An identity block exports the following:


The kube_admin_config and kube_config blocks export the following:

provider "kubernetes" {
  host                   = azurerm_kubernetes_cluster.main.kube_config[0].host
  username               = azurerm_kubernetes_cluster.main.kube_config[0].username
  password               = azurerm_kubernetes_cluster.main.kube_config[0].password
  client_certificate     = base64decode(azurerm_kubernetes_cluster.main.kube_config[0].client_certificate)
  client_key             = base64decode(azurerm_kubernetes_cluster.main.kube_config[0].client_key)
  cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.main.kube_config[0].cluster_ca_certificate)
}
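The kube_config outputs above are marked sensitive = true, and the private DNS zone example enables private_cluster_enabled; both are easy to lose in a large configuration. The following added example (not part of the provider docs) scans a `terraform show -json <planfile>` document for azurerm_kubernetes_cluster resources and flags outputs that expose kube_config without the sensitive flag, clusters authenticating with service_principal rather than identity, and clusters whose API server is not private. The plan JSON is constructed inline and abbreviated to the fields the checks read.

```python
"""Scan a `terraform show -json` plan for azurerm_kubernetes_cluster hygiene issues."""
import json

# Attributes of azurerm_kubernetes_cluster that carry cluster credentials
KUBECONFIG_ATTRS = ("kube_config", "kube_config_raw", "kube_admin_config", "kube_admin_config_raw")

# Constructed, abbreviated plan JSON: one hardened cluster, one legacy cluster
SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_kubernetes_cluster.example", "type": "azurerm_kubernetes_cluster",
         "values": {"private_cluster_enabled": True, "identity": [{"type": "SystemAssigned"}],
                    "service_principal": []}},
        {"address": "azurerm_kubernetes_cluster.legacy", "type": "azurerm_kubernetes_cluster",
         "values": {"private_cluster_enabled": False, "identity": [],
                    "service_principal": [{"client_id": "00000000-0000-0000-0000-000000000000"}]}},
    ]}},
    "configuration": {"root_module": {"outputs": {
        "kube_config": {"sensitive": True, "expression": {"references": [
            "azurerm_kubernetes_cluster.example.kube_config_raw", "azurerm_kubernetes_cluster.example"]}},
        "debug_kubeconfig": {"expression": {"references": [
            "azurerm_kubernetes_cluster.legacy.kube_config_raw", "azurerm_kubernetes_cluster.legacy"]}},
    }}},
}


def scan_plan(plan: dict) -> list[str]:
    """Return one human-readable finding per issue found in the plan document."""
    findings = []
    # planned_values holds the resolved attribute values of every planned resource;
    # nested blocks (identity, service_principal) appear as lists of objects.
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res["type"] != "azurerm_kubernetes_cluster":
            continue
        addr, values = res["address"], res["values"]
        if values.get("service_principal") and not values.get("identity"):
            findings.append(f"{addr}: authenticates with service_principal (client secret) instead of identity")
        if values.get("private_cluster_enabled") is not True:
            findings.append(f"{addr}: API server is publicly reachable (private_cluster_enabled is not true)")
    # configuration.root_module.outputs keeps each output's expression references and sensitive flag
    for name, out in plan["configuration"]["root_module"].get("outputs", {}).items():
        refs = out.get("expression", {}).get("references", [])
        leaks = [r for r in refs
                 if r.startswith("azurerm_kubernetes_cluster.") and any(a in r for a in KUBECONFIG_ATTRS)]
        if leaks and not out.get("sensitive", False):
            findings.append(f"output.{name}: exposes {leaks[0]} without sensitive = true")
    return findings


if __name__ == "__main__":
    print(json.dumps(scan_plan(SAMPLE_PLAN), indent=2))
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and pass the parsed document to scan_plan; outputs that only reference the cluster's id or fqdn are not flagged.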

The ingress_application_gateway block exports the following:


The ingress_application_gateway_identity block exports the following:


The oms_agent block exports the following:


The oms_agent_identity block exports the following:


The key_vault_secrets_provider block exports the following:


The secret_identity block exports the following:


A web_app_routing block exports the following:


The web_app_routing_identity block exports the following:


A workload_autoscaler_profile block exports the following:


Timeouts

The timeouts block allows you to specify timeouts for certain actions:

Import

Managed Kubernetes Clusters can be imported using the resource id, e.g.

terraform import azurerm_kubernetes_cluster.cluster1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.ContainerService/managedClusters/cluster1