Azure AKS Terraform module

SquareOps Technologies Your DevOps Partner for Accelerating cloud journey.

This module simplifies the deployment of AKS clusters, allowing users to quickly create and manage a production-grade Kubernetes cluster on Azure. The module is highly configurable, allowing users to customize various aspects of the AKS cluster, such as the Kubernetes version, worker node instance type, and number of worker nodes. Additionally, the module provides a set of outputs that can be used to configure other resources, such as the Kubernetes config file and the Azure CLI.

This module is ideal for users who want to quickly deploy an AKS cluster on Azure without the need for manual setup and configuration. It is also suitable for users who want to adopt best practices for security and scalability in their AKS deployments.

Setup SSH Keys for AKS nodes

1. Generate SSH keys using Azure CLI:

az sshkey create --name "mySSHKey" --resource-group "myResourceGroup"

The resulting output lists the new key files' paths:

Private key is saved to "/home/user/.ssh/7777777777_9999999".
Public key is saved to "/home/user/.ssh/7777777777_9999999.pub".

2. Create Azure Key Vault using Azure CLI:

az keyvault create --name MyKeyVault --resource-group MyResourceGroup --location "East US"

3. Set SSH public key in Key Vault using Azure CLI:

az keyvault secret set --vault-name "MyKeyVault" --name "mySSHKey" --file /home/user/.ssh/7777777777_9999999.pub

4. Update the Key Vault name and ID in the Terraform data variables: Update the example/complete/main.tf file with the following values for key vault:

data "azurerm_key_vault_secret" "ssh_key" {
  name         = "mySSHKey"
  key_vault_id = "/subscriptions/{subscription-id}/resourceGroups/MyResourceGroup/providers/Microsoft.KeyVault/vaults/MyKeyVault"
}

Usage Example

data "azurerm_key_vault_secret" "ssh_key" {
  name         = "test-ssh-key"
  key_vault_id = "/subscriptions/{subscription-id}/resourceGroups/prod-skaf-tfstate-rg/providers/Microsoft.KeyVault/vaults/test-ssh-key-skaf"
}

# There are two types of managed idetities "System assigned" & "UserAssigned". User-assigned managed identities can be used on multiple resources.
resource "azurerm_user_assigned_identity" "identity" {
  name                = "aksidentity"
  resource_group_name = "AKS-resource-group"
  location            = "eastus"
}

module "aks_cluster" {
  depends_on = [module.vnet, azurerm_user_assigned_identity.identity]
  source     = "squareops/aks/azurerm"

  name                               = "aks-cluster"
  environment                        = "prod"
  kubernetes_version                 = "1.26.3"
  create_resource_group              = false  # Enable if you want to a create resource group for AKS cluster.
  existing_resource_group_name       = "AKS-resource-group"
  resource_group_location            = "eastus"
  user_assigned_identity_id          = azurerm_user_assigned_identity.identity.id
  principal_id                       = azurerm_user_assigned_identity.identity.principal_id
  network_plugin                     = "azure"
  net_profile_dns_service_ip         = "192.168.0.10" # IP address within the Kubernetes service address range that will be used by cluster service discovery. Don't use the first IP address in your address range. The first address in your subnet range is used for the kubernetes.default.svc.cluster.local address.
  net_profile_pod_cidr               = "10.244.0.0/16" # For aks pods cidr, when choosen "azure" network plugin these value will be passed as null.
  net_profile_docker_bridge_cidr     = "172.17.0.1/16" # It's required to select a CIDR for the Docker bridge network address because otherwise Docker will pick a subnet automatically, which could conflict with other CIDRs. You must pick an address space that doesn't collide with the rest of the CIDRs on your networks, including the cluster's service CIDR and pod CIDR. Default of 172.17.0.1/16.
  net_profile_service_cidr           = "192.168.0.0/16" # This range shouldn't be used by any network element on or connected to this virtual network. Service address CIDR must be smaller than /12. You can reuse this range across different AKS clusters.
  default_agent_pool_name            = "infra"
  default_agent_pool_count           = "1"
  default_agent_pool_size            = "Standard_DS2_v2"
  host_encryption_enabled            = false
  default_node_labels                = { Addon-Services = "true" }
  os_disk_size_gb                    = 30
  auto_scaling_enabled               = true
  agents_min_count                   = 1
  agents_max_count                   = 2
  node_public_ip_enabled             = false  # If we want to create public nodes set this value "true"
  agents_availability_zones          = ["1", "2", "3"] # Does not applies to all regions please verify the availablity zones for the respective region.
  rbac_enabled                       = true
  oidc_issuer_enabled                = true
  open_service_mesh_enabled          = false  # Add on for the open service mesh (istio)
  private_cluster_enabled            = false  # AKS Cluster endpoint access, Disable for public access
  sku_tier                           = "Free"
  subnet_id                          = ["10.0.0.0/24", "10.0.0.1/24"]
  admin_username                     = "azureuser"  # node pool username
  public_ssh_key                     = data.azurerm_key_vault_secret.ssh_key.value
  agents_type                        = "VirtualMachineScaleSets"  # Creates an Agent Pool backed by a Virtual Machine Scale Set.
  net_profile_outbound_type          = "loadBalancer"   # The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer and userDefinedRouting. Defaults to loadBalancer.
  log_analytics_workspace_sku        = "PerGB2018" # refer https://azure.microsoft.com/pricing/details/monitor/ for log analytics pricing
  log_analytics_solution_enabled     = true # Log analytics solutions are typically software solutions with data visualization and insights tools.
  control_plane_logs_scrape_enabled  = true # Scrapes logs of the aks control plane
  control_plane_monitor_name         = format("%s-%s-aks-control-plane-logs-monitor", local.name, local.environment) # Control plane logs monitoring such as "kube-apiserver", "cloud-controller-manager", "kube-scheduler"
  additional_tags                    = local.additional_tags
}

module "aks_managed_node_pool" {
  depends_on = [module.aks_cluster]
  source     = "squareops/aks/azurerm//modules/managed_node_pools"

  resource_group_name   = "AKS-resource-group"
  orchestrator_version  = "1.26.3"
  location              = "eastus"
  vnet_subnet_id        = ["10.0.0.0/24", "10.0.0.1/24"]
  kubernetes_cluster_id = module.aks_cluster.kubernetes_cluster_id
  node_pools = {
    app = {
      vm_size                  = "Standard_DS2_v2"
      auto_scaling_enabled     = true
      os_disk_size_gb          = 50
      os_disk_type             = "Managed"
      node_count               = 1
      min_count                = 1
      max_count                = 2
      availability_zones       = ["1", "2", "3"]
      enable_node_public_ip    = false # if set to true node_public_ip_prefix_id is required
      node_public_ip_prefix_id = ""
      node_labels              = { App-service = "true" }
      node_taints              = ["workload=example:NoSchedule"]
      host_encryption_enabled  = false
      max_pods                 = 30
      agents_tags              = local.additional_tags
    },
 }
}

Refer example for more details.

Permissions

The required permissions to create resources from this module can be found here

Requirements

Name	Version
azurerm	~> 3.0
helm	>=2.6
kubernetes	>=2.13.0

Providers

Name	Version
azurerm	~> 3.0
null	n/a
random	n/a

Modules

Name	Source	Version
resource-group	./modules/resource-group	n/a

Resources

Name	Type
azurerm_kubernetes_cluster.aks_cluster	resource
azurerm_log_analytics_solution.logs	resource
azurerm_log_analytics_workspace.logs	resource
azurerm_monitor_diagnostic_setting.control_plane	resource
azurerm_role_assignment.network_contributor	resource
null_resource.open_service_mesh_addon	resource
random_id.log_analytics_workspace_name_suffix	resource
azurerm_subscription.primary	data source

Inputs

Name	Description	Type	Default	Required
name	The name of the deployment or resource. (e.g., AKS cluster name, resource group name)	string	""	no
host	The host or endpoint for the resource.	string	""	no
client_certificate	The client certificate for authentication.	string	""	no
client_key	The client key for authentication.	string	""	no
cluster_ca_certificate	The CA certificate used by the cluster.	string	""	no
environment	The environment in which the resources are deployed.	string	""	no
resource_group_name	The name of the Azure resource group.	string	""	no
user_assigned_identity_id	The ID of the user-assigned identity.	string	""	no
resource_group_location	The location of the Azure resource group.	string	""	no
create_resource_group	To create a new resource group. Value in existing_resource_group will be ignored if this is true.	bool	false	no
existing_resource_group_name	Name of existing resource group that has to be used. Leave empty if new resource group has to be created.	string	""	no
tags	The tags to associate with your network and subnets and aks resources.	map(string)	{ "tag1": "", "tag2": "" }	no
kubernetes_cluster_id	The ID of the Kubernetes cluster.	string	""	no
client_id	The Azure Active Directory (AAD) client ID for authentication.	string	""	no
client_secret	The Azure Active Directory (AAD) client secret for authentication.	string	""	no
cluster_name	The name of the cluster for AAD configuration.	string	""	no
kubernetes_version	The version of Kubernetes to use in the AKS cluster.	string	""	no
admin_username	The username for the AKS cluster's admin user.	string	""	no
public_ssh_key	The public SSH key for the AKS cluster's admin user.	string	""	no
sku_tier	The SKU tier for the AKS cluster.	string	""	no
private_cluster_enabled	Indicates whether the AKS cluster is private or public.	bool	false	no
enable_http_application_routing	Enables or disables HTTP application routing.	bool	false	no
enable_kube_dashboard	Enables or disables the Kubernetes dashboard.	bool	false	no
balance_similar_node_groups	Indicates whether to balance similar node groups.	bool	true	no
oidc_issuer_enabled	Indicates whether to oidc issuer is enabled.	bool	true	no
max_graceful_termination_sec	The maximum time for graceful termination in seconds.	number	600	no
scale_down_delay_after_add	The delay duration after adding a node.	string	"10m"	no
scale_down_delay_after_delete	The delay duration after deleting a node.	string	"10s"	no
scale_down_delay_after_failure	The delay duration after a failure.	string	"3m"	no
scan_interval	The interval duration for scanning.	string	"10s"	no
scale_down_unneeded	The duration before scaling down unneeded nodes.	string	"10m"	no
scale_down_unready	The duration before scaling down unready nodes.	string	"20m"	no
scale_down_utilization_threshold	The utilization threshold for scaling down.	number	0.5	no
agents_pool_name	The names of the agent pools.	list(string)	[ "" ]	no
agents_count	The desired number of agents.	number	2	no
agents_min_count	The minimum number of agents.	number	1	no
agents_max_count	The maximum number of agents.	number	3	no
agents_size	The sizes of the agent pools.	list(string)	[ "" ]	no
node_taints	The taints for the nodes.	list(string)	[ "" ]	no
subnet_id	The IDs of the subnets.	list(string)	[ "" ]	no
os_disk_size_gb	The size of the OS disk in gigabytes.	number	20	no
auto_scaling_enabled	Enables or disables auto-scaling.	bool	false	no
node_public_ip_enabled	Indicates whether nodes have public IP addresses.	bool	true	no
agents_availability_zones	The availability zones for the agent pools.	list(string)	null	no
agents_type	The type of agents.	string	""	no
agents_max_pods	The maximum number of pods per agent.	number	50	no
network_plugin	The network plugin to use.	string	""	no
net_profile_dns_service_ip	The DNS service IP address.	string	""	no
net_profile_docker_bridge_cidr	The Docker bridge CIDR.	string	""	no
net_profile_outbound_type	The outbound type for the network profile.	string	""	no
net_profile_pod_cidr	The pod CIDR.	string	""	no
net_profile_service_cidr	The service CIDR.	string	""	no
node_pool	The configuration for the node pool.	any	{}	no
rbac_enabled	Indicates whether RBAC (Role-Based Access Control) is enabled.	bool	false	no
log_analytics_workspace_sku	Name of the log analytics workspace sku tier	string	"PerGB2018"	no
log_analytics_solution_enabled	Enable or disable log analytics solution	bool	true	no
log_analytics_solution_name	Name of the log analytics solution resource	string	""	no
control_plane_logs_scrape_enabled	Enable or disable control plane logs scraping	bool	true	no
control_plane_monitor_name	Name of the azure monitor diagostic setting resource which scraps logs of control plane logs monitoring such as kube-apiserver, cloud-controller-manager, kube-scheduler, kube-controller-manager etc.	string	""	no
additional_tags	Additional tags for best practices	any	{}	no
principal_id	AKS identity principal ID	string	""	no
node_labels_app	The node labels to be attached to be attached to the aks app node pool	map(string)	{}	no
node_labels_infra	The node labels to be attached to be attached to the aks infra node pool	map(string)	{}	no
auto_scaling_app_enabled	Whether to enable auto scaling for the app node pool	bool	true	no
agents_count_app	The initial number of agents for the app node pool	string	"1"	no
agents_min_count_app	The minimum number of agents for the app node pool	string	"1"	no
agents_max_count_app	The maximum number of agents for the app node pool	string	"3"	no
agents_availability_zones_app	The availability zones for the app node pool	list(string)	[ "1", "2" ]	no
auto_scaling_monitor_enabled	Whether to enable auto scaling for the monitor node pool	bool	true	no
agents_count_monitor	The initial number of agents for the monitor node pool	string	"1"	no
agents_min_count_monitor	The minimum number of agents for the monitor node pool	string	"1"	no
agents_max_count_monitor	The maximum number of agents for the monitor node pool	string	"3"	no
agents_availability_zones_monitor	The availability zones for the monitor node pool	list(string)	[ "1", "2" ]	no
node_labels_monitor	The labels for the monitor node pool	map(string)	{ "Monitor-Services": "true" }	no
auto_scaling_database_enabled	Whether to enable auto scaling for the database node pool	bool	true	no
agents_count_database	The initial number of agents for the database node pool	string	"1"	no
agents_min_count_database	The minimum number of agents for the database node pool	string	"1"	no
agents_max_count_database	The maximum number of agents for the database node pool	string	"3"	no
agents_availability_zones_database	The availability zones for the database node pool	list(string)	[ "1", "2" ]	no
node_labels_database	The labels for the database node pool	map(string)	{ "Database-Services": "true" }	no
default_agent_pool_name	The name of the default agent pool	string	"infra"	no
default_agent_pool_count	The number of agents in the default agent pool	string	"1"	no
default_agent_pool_size	The size of the default agent pool	string	"Standard_DS2_v2"	no
default_node_labels	The labels for the default agent pool	map(string)	{ "Infra-Services": "true" }	no
host_encryption_enabled	The enable the encryption of the hosts	bool	false	no
open_service_mesh_enabled	The enable the open service mesg (istio)	bool	true	no

Outputs

Name	Description
cluster_name	Cluster Name
default_ng_rg_name	Default Node Group Resource Group Name
kubernetes_cluster_id	kubernetes cluster id
host	host
client_certificate	client_certificate
client_key	client_key
cluster_ca_certificate	cluster_ca_certificate

Contribution & Issue Reporting

To report an issue with a project:

1. Check the repository's issue tracker on GitHub
2. Search to see if the issue has already been reported
3. If you can't find an answer to your question in the documentation or issue tracker, you can ask a question by creating a new issue. Be sure to provide enough context and details so others can understand your problem.

License

Apache License, Version 2.0, January 2004 (http://www.apache.org/licenses/).

Support Us

To support a GitHub project by liking it, you can follow these steps:

1. Visit the repository: Navigate to the GitHub repository.

2. Click the "Star" button: On the repository page, you'll see a "Star" button in the upper right corner. Clicking on it will star the repository, indicating your support for the project.

3. Optionally, you can also leave a comment on the repository or open an issue to give feedback or suggest changes.

Starring a repository on GitHub is a simple way to show your support and appreciation for the project. It also helps to increase the visibility of the project and make it more discoverable to others.

Who we are

We believe that the key to success in the digital age is the ability to deliver value quickly and reliably. That’s why we offer a comprehensive range of DevOps & Cloud services designed to help your organization optimize its systems & Processes for speed and agility.

1. We are an AWS Advanced consulting partner which reflects our deep expertise in AWS Cloud and helping 100+ clients over the last 4 years.
2. Expertise in Kubernetes and overall container solution helps companies expedite their journey by 10X.
3. Infrastructure Automation is a key component to the success of our Clients and our Expertise helps deliver the same in the shortest time.
4. DevSecOps as a service to implement security within the overall DevOps process and helping companies deploy securely and at speed.
5. Platform engineering which supports scalable,Cost efficient infrastructure that supports rapid development, testing, and deployment.
6. 24*7 SRE service to help you Monitor the state of your infrastructure and eradicate any issue within the SLA.

We provide support on all of our projects, no matter how small or large they may be.

To find more information about our company, visit squareops.com, follow us on Linkedin, or fill out a job application. If you have any questions or would like assistance with your cloud strategy and implementation, please don't hesitate to contact us.