
azurermKubernetesCluster

Manages a Managed Kubernetes Cluster (also known as AKS / Azure Kubernetes Service)

-> Note: Due to the fast-moving nature of AKS, we recommend using the latest version of the Azure Provider when using AKS - you can find the latest version of the Azure Provider here.

~> Note: All arguments including the client secret will be stored in the raw state as plain-text. Read more about sensitive data in state.

Example Usage

This example provisions a basic Managed Kubernetes Cluster. Other examples of the azurermKubernetesCluster resource can be found in the /examples/kubernetes directory within the GitHub Repository.

An example of how to attach a specific Container Registry to a Managed Kubernetes Cluster can be found in the docs for azurerm_container_registry.

import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*Property names follow the camelCase of the generated bindings; single-instance
blocks such as defaultNodePool and identity are objects rather than arrays.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermKubernetesClusterExample =
  new azurerm.kubernetesCluster.KubernetesCluster(this, "example_1", {
    defaultNodePool: {
      name: "default",
      nodeCount: 1,
      vmSize: "Standard_D2_v2",
    },
    dnsPrefix: "exampleaks1",
    identity: {
      type: "SystemAssigned",
    },
    location: azurermResourceGroupExample.location,
    name: "example-aks1",
    resourceGroupName: azurermResourceGroupExample.name,
    tags: {
      Environment: "Production",
    },
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKubernetesClusterExample.overrideLogicalId("example");
/*kubeConfig is a computed list attribute: index it with get(0) instead of
building a raw "${...}.0.client_certificate" interpolation string.*/
new cdktf.TerraformOutput(this, "client_certificate", {
  value: azurermKubernetesClusterExample.kubeConfig.get(0).clientCertificate,
  sensitive: true,
});
new cdktf.TerraformOutput(this, "kube_config", {
  value: azurermKubernetesClusterExample.kubeConfigRaw,
  sensitive: true,
});

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.

  • location - (Required) The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.

  • defaultNodePool - (Required) A defaultNodePool block as defined below.

  • dnsPrefix - (Optional) DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.

  • dnsPrefixPrivateCluster - (Optional) Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

-> Note: You must define either a dnsPrefix or a dnsPrefixPrivateCluster field.

In addition, one of either identity or servicePrincipal blocks must be specified.


  • aciConnectorLinux - (Optional) An aciConnectorLinux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.

  • automaticChannelUpgrade - (Optional) The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, nodeImage and stable. Omitting this field sets this value to none.

!> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

-> Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

  • apiServerAccessProfile - (Optional) An apiServerAccessProfile block as defined below.

  • autoScalerProfile - (Optional) An autoScalerProfile block as defined below.

  • azureActiveDirectoryRoleBasedAccessControl - (Optional) An azureActiveDirectoryRoleBasedAccessControl block as defined below.

-> Note: This requires that the Preview Feature microsoftContainerService/aksPrometheusAddonPreview is enabled, see the documentation for more information.

  • azurePolicyEnabled - (Optional) Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service.

  • confidentialComputing - (Optional) A confidentialComputing block as defined below. For more details please see the documentation.

  • diskEncryptionSetId - (Optional) The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.

  • edgeZone - (Optional) Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.

  • httpApplicationRoutingEnabled - (Optional) Should HTTP Application Routing be enabled?

-> Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

  • httpProxyConfig - (Optional) An httpProxyConfig block as defined below.

  • identity - (Optional) An identity block as defined below. One of either identity or servicePrincipal must be specified.

!> Note: A migration scenario from servicePrincipal to identity is supported. When upgrading servicePrincipal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured servicePrincipal until you upgrade your Node Pool.

  • imageCleanerEnabled - (Optional) Specifies whether Image Cleaner is enabled.

  • imageCleanerIntervalHours - (Optional) Specifies the interval in hours when images should be cleaned up. Defaults to 48.

-> Note: This requires that the Preview Feature microsoftContainerService/enableImageCleanerPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

  • ingressApplicationGateway - (Optional) An ingressApplicationGateway block as defined below.

  • keyManagementService - (Optional) A keyManagementService block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.

  • keyVaultSecretsProvider - (Optional) A keyVaultSecretsProvider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.

  • kubeletIdentity - (Optional) A kubeletIdentity block as defined below.

  • kubernetesVersion - (Optional) Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

-> Note: Upgrading your cluster may take up to 10 minutes per node.

  • linuxProfile - (Optional) A linuxProfile block as defined below.

  • localAccountDisabled - (Optional) If true local accounts will be disabled. See the documentation for more information.

-> Note: If localAccountDisabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

  • maintenanceWindow - (Optional) A maintenanceWindow block as defined below.

  • microsoftDefender - (Optional) A microsoftDefender block as defined below.

  • monitorMetrics - (Optional) Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitorMetrics block as defined below.

  • networkProfile - (Optional) A networkProfile block as defined below. Changing this forces a new resource to be created.

-> Note: If networkProfile is not defined, kubenet profile will be used by default.

  • nodeResourceGroup - (Optional) The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

-> Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

  • oidcIssuerEnabled - (Optional) Enable or Disable the OIDC issuer URL

  • omsAgent - (Optional) An omsAgent block as defined below.

  • openServiceMeshEnabled - (Optional) Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.

  • privateClusterEnabled - (Optional) Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.

  • privateDnsZoneId - (Optional) Either the ID of the Private DNS Zone which should be delegated to this Cluster, system to have AKS manage it, or none. With none you will need to bring your own DNS server and set up resolution; otherwise the cluster will have issues after provisioning. Changing this forces a new resource to be created.

  • privateClusterPublicFqdnEnabled - (Optional) Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

-> Note: If you use a BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) with the privateDnsZoneContributor role and access to this Private DNS Zone. If a userAssigned identity is used, the cluster should depend on the role assignment so that resources are destroyed in the correct order, as in this example:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*Property names follow the camelCase of the generated bindings.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example",
  }
);
const azurermUserAssignedIdentityExample =
  new azurerm.userAssignedIdentity.UserAssignedIdentity(this, "example_1", {
    location: azurermResourceGroupExample.location,
    name: "aks-example-identity",
    resourceGroupName: azurermResourceGroupExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermUserAssignedIdentityExample.overrideLogicalId("example");
const azurermPrivateDnsZoneExample = new azurerm.privateDnsZone.PrivateDnsZone(
  this,
  "example_2",
  {
    name: "privatelink.eastus2.azmk8s.io",
    resourceGroupName: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermPrivateDnsZoneExample.overrideLogicalId("example");
const azurermRoleAssignmentExample = new azurerm.roleAssignment.RoleAssignment(
  this,
  "example_3",
  {
    principalId: azurermUserAssignedIdentityExample.principalId,
    roleDefinitionName: "Private DNS Zone Contributor",
    scope: azurermPrivateDnsZoneExample.id,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermRoleAssignmentExample.overrideLogicalId("example");
const azurermKubernetesClusterExample =
  new azurerm.kubernetesCluster.KubernetesCluster(this, "example_4", {
    /*Explicit dependency: the role assignment exists before the cluster is
    created and is removed only after the cluster has been destroyed.*/
    dependsOn: [azurermRoleAssignmentExample],
    dnsPrefix: "aksexamplednsprefix1",
    location: azurermResourceGroupExample.location,
    name: "aksexamplewithprivatednszone1",
    privateClusterEnabled: true,
    privateDnsZoneId: azurermPrivateDnsZoneExample.id,
    resourceGroupName: azurermResourceGroupExample.name,
    /*The bindings require a default node pool, and a BYO DNS zone needs the
    user-assigned identity that holds the Private DNS Zone Contributor role.*/
    defaultNodePool: {
      name: "default",
      nodeCount: 1,
      vmSize: "Standard_D2_v2",
    },
    identity: {
      type: "UserAssigned",
      identityIds: [azurermUserAssignedIdentityExample.id],
    },
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKubernetesClusterExample.overrideLogicalId("example");

  • workloadAutoscalerProfile - (Optional) A workloadAutoscalerProfile block as defined below.

  • workloadIdentityEnabled - (Optional) Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

-> Note: To enable Azure AD Workload Identity oidcIssuerEnabled must be set to true.

-> Note: This requires that the Preview Feature microsoftContainerService/enableWorkloadIdentityPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

  • publicNetworkAccessEnabled - (Optional) Whether public network access is allowed for this Kubernetes Cluster. Defaults to true. Changing this forces a new resource to be created.

-> Note: When publicNetworkAccessEnabled is set to true, 0.0.0.0/32 must be added to authorizedIpRanges in the apiServerAccessProfile block.

  • roleBasedAccessControlEnabled - (Optional) Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.

  • runCommandEnabled - (Optional) Whether to enable run command for the cluster or not. Defaults to true.

  • servicePrincipal - (Optional) A servicePrincipal block as documented below. One of either identity or servicePrincipal must be specified.

!> Note: A migration scenario from servicePrincipal to identity is supported. When upgrading servicePrincipal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured servicePrincipal until you upgrade your Node Pool.

  • skuTier - (Optional) The SKU Tier that should be used for this Kubernetes Cluster. Possible values are free, paid and standard (which includes the Uptime SLA). Defaults to free.

  • storageProfile - (Optional) A storageProfile block as defined below.

  • tags - (Optional) A mapping of tags to assign to the resource.

  • webAppRouting - (Optional) A webAppRouting block as defined below.

  • windowsProfile - (Optional) A windowsProfile block as defined below.


An aciConnectorLinux block supports the following:

  • subnetName - (Required) The subnet name for the virtual nodes to run.

-> Note: At this time ACI Connectors are not supported in Azure China.

-> Note: AKS will add a delegation to the subnet named here. To prevent further runs from failing, make sure that the subnet you create for virtual nodes has a delegation, like so:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*Property names follow the camelCase of the generated bindings.*/
new azurerm.subnet.Subnet(this, "virtual", {
  /*The other required subnet arguments (name, resourceGroupName,
  virtualNetworkName, addressPrefixes) are not shown; only the delegation
  matters for virtual nodes.*/
  delegation: [
    {
      name: "aciDelegation",
      /*serviceDelegation is a single block, so an object rather than an array.*/
      serviceDelegation: {
        actions: ["Microsoft.Network/virtualNetworks/subnets/action"],
        name: "Microsoft.ContainerInstance/containerGroups",
      },
    },
  ],
});

An apiServerAccessProfile block supports the following:

  • authorizedIpRanges - (Optional) Set of authorized IP ranges to allow access to API server, e.g. ["198.51.100.0/24"].

  • subnetId - (Optional) The ID of the Subnet where the API server endpoint is delegated to.

  • vnetIntegrationEnabled - (Optional) Should API Server VNet Integration be enabled? For more details please visit Use API Server VNet Integration.

-> Note: This requires that the Preview Feature microsoftContainerService/enableApiServerVnetIntegrationPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.


An autoScalerProfile block supports the following:

  • balanceSimilarNodeGroups - (Optional) Detect similar node groups and balance the number of nodes between them. Defaults to false.

  • expander - (Optional) Expander to use. Possible values are leastWaste, priority, mostPods and random. Defaults to random.

  • maxGracefulTerminationSec - (Optional) Maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. Defaults to 600.

  • maxNodeProvisioningTime - (Optional) Maximum time the autoscaler waits for a node to be provisioned. Defaults to 15M.

  • maxUnreadyNodes - (Optional) Maximum Number of allowed unready nodes. Defaults to 3.

  • maxUnreadyPercentage - (Optional) Maximum percentage of unready nodes; the cluster autoscaler stops operating if this percentage is exceeded. Defaults to 45.

  • newPodScaleUpDelay - (Optional) For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. Defaults to 10S.

  • scaleDownDelayAfterAdd - (Optional) How long after the scale up of AKS nodes the scale down evaluation resumes. Defaults to 10M.

  • scaleDownDelayAfterDelete - (Optional) How long after node deletion that scale down evaluation resumes. Defaults to the value used for scanInterval.

  • scaleDownDelayAfterFailure - (Optional) How long after scale down failure that scale down evaluation resumes. Defaults to 3M.

  • scanInterval - (Optional) How often the AKS Cluster should be re-evaluated for scale up/down. Defaults to 10S.

  • scaleDownUnneeded - (Optional) How long a node should be unneeded before it is eligible for scale down. Defaults to 10M.

  • scaleDownUnready - (Optional) How long an unready node should be unneeded before it is eligible for scale down. Defaults to 20M.

  • scaleDownUtilizationThreshold - (Optional) Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. Defaults to 0.5.

  • emptyBulkDeleteMax - (Optional) Maximum number of empty nodes that can be deleted at the same time. Defaults to 10.

  • skipNodesWithLocalStorage - (Optional) If true cluster autoscaler will never delete nodes with pods with local storage, for example, EmptyDir or HostPath. Defaults to true.

  • skipNodesWithSystemPods - (Optional) If true cluster autoscaler will never delete nodes with pods from kube-system (except for DaemonSet or mirror pods). Defaults to true.


An azureActiveDirectoryRoleBasedAccessControl block supports the following:

  • managed - (Optional) Is the Azure Active Directory integration Managed, meaning that Azure will create/manage the Service Principal used for integration.

  • tenantId - (Optional) The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.

When managed is set to true the following properties can be specified:

  • adminGroupObjectIds - (Optional) A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster.

  • azureRbacEnabled - (Optional) Is Role Based Access Control based on Azure AD enabled?

When managed is set to false the following properties can be specified:

  • clientAppId - (Optional) The Client ID of an Azure Active Directory Application.

  • serverAppId - (Optional) The Server ID of an Azure Active Directory Application.

  • serverAppSecret - (Optional) The Server Secret of an Azure Active Directory Application.


A confidentialComputing block supports the following:

  • sgxQuoteHelperEnabled - (Required) Should the SGX quote helper be enabled?

A monitorMetrics block supports the following:

  • annotationsAllowed - (Optional) Specifies a comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric.

  • labelsAllowed - (Optional) Specifies a Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric.


A defaultNodePool block supports the following:

  • name - (Required) The name which should be used for the default Kubernetes Node Pool. Changing this forces a new resource to be created.

  • vmSize - (Required) The size of the Virtual Machine, such as standardDs2V2.

-> Note: Resizing the defaultNodePool Virtual Machine is done by cycling the system node pool of the cluster. temporaryNameForRotation must be specified when attempting a resize.

  • capacityReservationGroupId - (Optional) Specifies the ID of the Capacity Reservation Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.

  • customCaTrustEnabled - (Optional) Specifies whether to trust a Custom CA.

-> Note: This requires that the Preview Feature microsoftContainerService/customCaTrustPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

-> Note: This requires that the type is set to virtualMachineScaleSets.

-> Note: If you're using AutoScaling, you may wish to use Terraform's ignoreChanges functionality to ignore changes to the nodeCount field.

  • enableHostEncryption - (Optional) Should the nodes in the Default Node Pool have host encryption enabled? Changing this forces a new resource to be created.

  • enableNodePublicIp - (Optional) Should nodes in this Node Pool have a Public IP Address? Changing this forces a new resource to be created.

  • hostGroupId - (Optional) Specifies the ID of the Host Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.

  • kubeletConfig - (Optional) A kubeletConfig block as defined below. Changing this forces a new resource to be created.

  • linuxOsConfig - (Optional) A linuxOsConfig block as defined below. Changing this forces a new resource to be created.

  • fipsEnabled - (Optional) Should the nodes in this Node Pool have Federal Information Processing Standard enabled? Changing this forces a new resource to be created.

  • kubeletDiskType - (Optional) The type of disk used by kubelet. Possible values are os and temporary.

  • maxPods - (Optional) The maximum number of pods that can run on each agent. Changing this forces a new resource to be created.

  • messageOfTheDay - (Optional) A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It cannot be specified for Windows nodes and must be a static string (i.e. will be printed raw and not executed as a script). Changing this forces a new resource to be created.

  • nodeNetworkProfile - (Optional) A nodeNetworkProfile block as documented below.

  • nodePublicIpPrefixId - (Optional) Resource ID for the Public IP Addresses Prefix for the nodes in this Node Pool. enableNodePublicIp should be true. Changing this forces a new resource to be created.

  • nodeLabels - (Optional) A map of Kubernetes labels which should be applied to nodes in the Default Node Pool.

  • nodeTaints - (Optional) A list of the taints added to new nodes during node pool create and scale. Changing this forces a new resource to be created.

  • onlyCriticalAddonsEnabled - (Optional) Enabling this option will taint default node pool with criticalAddonsOnly=true:noSchedule taint. Changing this forces a new resource to be created.

  • orchestratorVersion - (Optional) Version of Kubernetes used for the Agents. If not specified, the default node pool will be created with the version specified by kubernetesVersion. If both are unspecified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

-> Note: This version must be supported by the Kubernetes Cluster - as such the version of Kubernetes used on the Cluster/Control Plane may need to be upgraded first.

  • osDiskSizeGb - (Optional) The size of the OS Disk which should be used for each agent in the Node Pool. Changing this forces a new resource to be created.

  • osDiskType - (Optional) The type of disk which should be used for the Operating System. Possible values are ephemeral and managed. Defaults to managed. Changing this forces a new resource to be created.

  • osSku - (Optional) Specifies the OS SKU used by the agent pool. Possible values include: ubuntu, cblMariner, mariner, windows2019, windows2022. If not specified, the default is ubuntu when OSType=Linux or windows2019 when OSType=Windows. The default Windows OS SKU will change to windows2022 once windows2019 is deprecated. Changing this forces a new resource to be created.

  • podSubnetId - (Optional) The ID of the Subnet where the pods in the default Node Pool should exist. Changing this forces a new resource to be created.

  • proximityPlacementGroupId - (Optional) The ID of the Proximity Placement Group. Changing this forces a new resource to be created.

  • scaleDownMode - (Optional) Specifies the autoscaling behaviour of the Kubernetes Cluster. Allowed values are delete and deallocate. Defaults to delete.

  • temporaryNameForRotation - (Optional) Specifies the name of the temporary node pool used to cycle the default node pool for VM resizing.

  • type - (Optional) The type of Node Pool which should be created. Possible values are availabilitySet and virtualMachineScaleSets. Defaults to virtualMachineScaleSets. Changing this forces a new resource to be created.

-> Note: When creating a cluster that supports multiple node pools, the cluster must use virtualMachineScaleSets. For more information on the limitations of clusters using multiple node pools see the documentation.

  • tags - (Optional) A mapping of tags to assign to the Node Pool.

~> At this time there's a bug in the AKS API where Tags for a Node Pool are not stored in the correct case - you may wish to use Terraform's ignoreChanges functionality to ignore changes to the casing until this is fixed in the AKS API.

  • ultraSsdEnabled - (Optional) Used to specify whether the UltraSSD is enabled in the Default Node Pool. Defaults to false. See the documentation for more information. Changing this forces a new resource to be created.

  • upgradeSettings - (Optional) An upgradeSettings block as documented below.

  • vnetSubnetId - (Optional) The ID of a Subnet where the Kubernetes Node Pool should exist. Changing this forces a new resource to be created.

~> Note: A Route Table must be configured on this Subnet.

If enableAutoScaling is set to true, then the following fields can also be configured:

  • maxCount - (Optional) The maximum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.

  • minCount - (Optional) The minimum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.

  • nodeCount - (Optional) The initial number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000 and between minCount and maxCount.

-> Note: If specified you may wish to use Terraform's ignoreChanges functionality to ignore changes to this field.

If enableAutoScaling is set to false, then the following fields can also be configured:

  • nodeCount - (Optional) The number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.

-> Note: If enableAutoScaling is set to false both minCount and maxCount fields need to be set to null or omitted from the configuration.

  • workloadRuntime - (Optional) Specifies the workload runtime used by the node pool. The only possible value is ociContainer.

  • zones - (Optional) Specifies a list of Availability Zones in which this Kubernetes Cluster should be located. Changing this forces a new Kubernetes Cluster to be created.

-> Note: This requires that the type is set to virtualMachineScaleSets and that loadBalancerSku is set to standard.


An identity block supports the following:

  • type - (Required) Specifies the type of Managed Service Identity that should be configured on this Kubernetes Cluster. Possible values are systemAssigned or userAssigned.

  • identityIds - (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Kubernetes Cluster.

~> Note: This is required when type is set to userAssigned.


A keyManagementService block supports the following:

  • keyVaultKeyId - (Required) Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When enabled is false, leave the field empty.

  • keyVaultNetworkAccess - (Optional) Network access of the key vault. The possible values are public and private. public means the key vault allows public access from all networks; private means the key vault disables public access and enables private link. The default value is public.


A keyVaultSecretsProvider block supports the following:

  • secretRotationEnabled - (Optional) Should the secret store CSI driver on the AKS cluster be enabled?

  • secretRotationInterval - (Optional) The interval to poll for secret rotation. This attribute is only set when secretRotation is true and defaults to 2M.

-> Note: To enable keyVaultSecretsProvider either secretRotationEnabled or secretRotationInterval must be specified.


A kubeletConfig block supports the following:

  • allowedUnsafeSysctls - (Optional) Specifies the allow list of unsafe sysctl commands or patterns (ending in *). Changing this forces a new resource to be created.

  • containerLogMaxLine - (Optional) Specifies the maximum number of container log files that can be present for a container. Must be at least 2. Changing this forces a new resource to be created.

  • containerLogMaxSizeMb - (Optional) Specifies the maximum size (e.g. 10MB) of container log file before it is rotated. Changing this forces a new resource to be created.

  • cpuCfsQuotaEnabled - (Optional) Is CPU CFS quota enforcement for containers enabled? Changing this forces a new resource to be created.

  • cpuCfsQuotaPeriod - (Optional) Specifies the CPU CFS quota period value. Changing this forces a new resource to be created.

  • cpuManagerPolicy - (Optional) Specifies the CPU Manager policy to use. Possible values are none and static. Changing this forces a new resource to be created.

  • imageGcHighThreshold - (Optional) Specifies the percent of disk usage above which image garbage collection is always run. Must be between 0 and 100. Changing this forces a new resource to be created.

  • imageGcLowThreshold - (Optional) Specifies the percent of disk usage lower than which image garbage collection is never run. Must be between 0 and 100. Changing this forces a new resource to be created.

  • podMaxPid - (Optional) Specifies the maximum number of processes per pod. Changing this forces a new resource to be created.

  • topologyManagerPolicy - (Optional) Specifies the Topology Manager policy to use. Possible values are none, bestEffort, restricted or singleNumaNode. Changing this forces a new resource to be created.


The kubeletIdentity block supports the following:

  • clientId - (Optional) The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

  • objectId - (Optional) The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

  • userAssignedIdentityId - (Optional) The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

-> Note: When kubeletIdentity is specified, the type field in the identity block must be set to userAssigned and identityIds must be set.


A linuxOsConfig block supports the following:

  • swapFileSizeMb - (Optional) Specifies the size of the swap file on each node in MB. Changing this forces a new resource to be created.

  • sysctlConfig - (Optional) A sysctlConfig block as defined below. Changing this forces a new resource to be created.

  • transparentHugePageDefrag - (Optional) Specifies the defrag configuration for Transparent Huge Page. Possible values are always, defer, defer+madvise, madvise and never. Changing this forces a new resource to be created.

  • transparentHugePageEnabled - (Optional) Specifies the Transparent Huge Page enabled configuration. Possible values are always, madvise and never. Changing this forces a new resource to be created.


A nodeNetworkProfile block supports the following:

  • nodePublicIpTags - (Optional) Specifies a mapping of tags to the instance-level public IPs. Changing this forces a new resource to be created.

-> Note: This requires that the Preview Feature microsoftContainerService/nodePublicIpTagsPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.


A linuxProfile block supports the following:

  • adminUsername - (Required) The Admin Username for the Cluster. Changing this forces a new resource to be created.

  • sshKey - (Required) An sshKey block. Only one is currently allowed. Changing this will update the key on all node pools. More information can be found in the documentation.


A maintenanceWindow block supports the following:

  • allowed - (Optional) One or more allowed blocks as defined below.

  • notAllowed - (Optional) One or more notAllowed blocks as defined below.


An allowed block supports the following:

  • day - (Required) A day in a week. Possible values are sunday, monday, tuesday, wednesday, thursday, friday and saturday.

  • hours - (Required) An array of hour slots in a day. For example, specifying 1 will allow maintenance from 1:00am to 2:00am. Specifying 1, 2 will allow maintenance from 1:00am to 3:00am. Possible values are between 0 and 23.


A notAllowed block supports the following:

  • end - (Required) The end of a time span, formatted as an RFC3339 string.

  • start - (Required) The start of a time span, formatted as an RFC3339 string.


A microsoftDefender block supports the following:

  • logAnalyticsWorkspaceId - (Required) Specifies the ID of the Log Analytics Workspace where the audit logs collected by Microsoft Defender should be sent to.

A networkProfile block supports the following:

  • networkPlugin - (Required) Network plugin to use for networking. Currently supported values are azure, kubenet and none. Changing this forces a new resource to be created.

-> Note: When networkPlugin is set to azure - the vnetSubnetId field in the defaultNodePool block must be set and podCidr must not be set.

  • networkMode - (Optional) Network mode to be used with Azure CNI. Possible values are bridge and transparent. Changing this forces a new resource to be created.

~> Note: networkMode can only be set to bridge for existing Kubernetes Clusters and cannot be used to provision new Clusters - this will be removed by Azure in the future.

~> Note: This property can only be set when networkPlugin is set to azure.

~> Note: When networkPolicy is set to azure, the networkPlugin field can only be set to azure.

  • dnsServiceIp - (Optional) IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created.

  • dockerBridgeCidr - (Optional) IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created.

-> Note: dockerBridgeCidr has been deprecated as the API no longer supports it and will be removed in version 4.0 of the provider.

  • ebpfDataPlane - (Optional) Specifies the eBPF data plane used for building the Kubernetes network. Possible value is cilium. Changing this forces a new resource to be created.

~> Note: When ebpfDataPlane is set to cilium, the networkPlugin field can only be set to azure.

~> Note: When ebpfDataPlane is set to cilium, one of either networkPluginMode = "overlay" or podSubnetId must be specified.

-> Note: This requires that the Preview Feature microsoftContainerService/ciliumDataplanePreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

  • networkPluginMode - (Optional) Specifies the network plugin mode used for building the Kubernetes network. Possible value is overlay. Changing this forces a new resource to be created.

~> Note: When networkPluginMode is set to overlay, the networkPlugin field can only be set to azure.

-> Note: This requires that the Preview Feature microsoftContainerService/azureOverlayPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

  • outboundType - (Optional) The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer, userDefinedRouting, managedNatGateway and userAssignedNatGateway. Defaults to loadBalancer. Changing this forces a new resource to be created.

  • podCidr - (Optional) The CIDR to use for pod IP addresses. This field can only be set when networkPlugin is set to kubenet. Changing this forces a new resource to be created.

  • podCidrs - (Optional) A list of CIDRs to use for pod IP addresses. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.

  • serviceCidr - (Optional) The Network Range used by the Kubernetes service. Changing this forces a new resource to be created.

  • serviceCidrs - (Optional) A list of CIDRs to use for Kubernetes services. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.

~> Note: This range should not be used by any network element on or connected to this VNet. Service address CIDR must be smaller than /12. dockerBridgeCidr, dnsServiceIp and serviceCidr should all be empty or all should be set.

Examples of how to use AKS with Advanced Networking can be found in the /examples/kubernetes/ directory in the GitHub repository.

  • ipVersions - (Optional) Specifies a list of IP versions the Kubernetes Cluster will use to assign IP addresses to its nodes and pods. Possible values are iPv4 and/or iPv6. iPv4 must always be specified. Changing this forces a new resource to be created.

-> Note: To configure dual-stack networking ipVersions should be set to ["iPv4", "iPv6"].

-> Note: Dual-stack networking requires that the Preview Feature microsoftContainerService/aksEnableDualStack is enabled and the Resource Provider is re-registered, see the documentation for more information.

  • loadBalancerSku - (Optional) Specifies the SKU of the Load Balancer used for this Kubernetes Cluster. Possible values are basic and standard. Defaults to standard. Changing this forces a new resource to be created.

  • loadBalancerProfile - (Optional) A loadBalancerProfile block as defined below. This can only be specified when loadBalancerSku is set to standard. Changing this forces a new resource to be created.

  • natGatewayProfile - (Optional) A natGatewayProfile block as defined below. This can only be specified when loadBalancerSku is set to standard and outboundType is set to managedNatGateway or userAssignedNatGateway. Changing this forces a new resource to be created.


A loadBalancerProfile block supports the following:

~> Note: The fields managedOutboundIpCount, outboundIpAddressIds and outboundIpPrefixIds are mutually exclusive. Note that when specifying outboundIpAddressIds (azurerm_public_ip) the SKU must be standard.

  • idleTimeoutInMinutes - (Optional) Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 120 inclusive. Defaults to 30.

  • managedOutboundIpCount - (Optional) Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.

  • managedOutboundIpv6Count - (Optional) The desired number of IPv6 outbound IPs created and managed by Azure for the cluster load balancer. Must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.

~> Note: managedOutboundIpv6Count requires dual-stack networking. To enable dual-stack networking the Preview Feature microsoftContainerService/aksEnableDualStack needs to be enabled and the Resource Provider re-registered, see the documentation for more information.

  • outboundIpAddressIds - (Optional) The ID of the Public IP Addresses which should be used for outbound communication for the cluster load balancer.

-> Note: Set outboundIpAddressIds to an empty slice [] in order to unlink it from the cluster. Unlinking outboundIpAddressIds will revert the load balancing for the cluster back to a managed one.

  • outboundIpPrefixIds - (Optional) The ID of the outbound Public IP Address Prefixes which should be used for the cluster load balancer.

-> Note: Set outboundIpPrefixIds to an empty slice [] in order to unlink it from the cluster. Unlinking outboundIpPrefixIds will revert the load balancing for the cluster back to a managed one.

  • outboundPortsAllocated - (Optional) Number of desired SNAT ports for each VM in the cluster's load balancer. Must be between 0 and 64000 inclusive. Defaults to 0.
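The networkProfile and loadBalancerProfile notes above describe a number of cross-field rules (Azure CNI needing a node-pool subnet, the Cilium and overlay prerequisites, the all-or-nothing dockerBridgeCidr/dnsServiceIp/serviceCidr trio, the mutually exclusive outbound IP sources). The following added example, which is not part of the provider docs or the azurerm provider itself, encodes those rules as a pre-plan lint over a plain TypeScript object so a bad cluster definition is caught before terraform apply; the interface and function names are assumptions made for this example, while the attribute names follow the page.

```typescript
// Pre-plan validation of the documented networkProfile / loadBalancerProfile
// constraints. Type and function names are assumptions for this example.
interface LoadBalancerProfile {
  idleTimeoutInMinutes?: number;
  managedOutboundIpCount?: number;
  managedOutboundIpv6Count?: number;
  outboundIpAddressIds?: string[];
  outboundIpPrefixIds?: string[];
  outboundPortsAllocated?: number;
}

interface NetworkProfile {
  networkPlugin: "azure" | "kubenet" | "none";
  networkPolicy?: string;
  networkMode?: "bridge" | "transparent";
  ebpfDataPlane?: "cilium";
  networkPluginMode?: "overlay";
  podSubnetId?: string;
  podCidr?: string;
  dnsServiceIp?: string;
  dockerBridgeCidr?: string;
  serviceCidr?: string;
  ipVersions?: Array<"iPv4" | "iPv6">;
  loadBalancerSku?: "basic" | "standard";
  loadBalancerProfile?: LoadBalancerProfile;
}

function inRange(name: string, v: number | undefined, lo: number, hi: number, errs: string[]): void {
  if (v !== undefined && (v < lo || v > hi)) errs.push(`${name} must be between ${lo} and ${hi} inclusive`);
}

// Returns every documented rule the block violates (an empty list means it passes).
function validateLoadBalancerProfile(lb: LoadBalancerProfile, dualStack: boolean): string[] {
  const errs: string[] = [];
  // managedOutboundIpCount, outboundIpAddressIds and outboundIpPrefixIds are mutually
  // exclusive. An empty slice [] is the documented way to unlink previously attached
  // IPs, so only a non-empty list counts as "specified" here.
  const sources = [
    lb.managedOutboundIpCount !== undefined,
    (lb.outboundIpAddressIds ?? []).length > 0,
    (lb.outboundIpPrefixIds ?? []).length > 0,
  ].filter(Boolean).length;
  if (sources > 1) errs.push("managedOutboundIpCount, outboundIpAddressIds and outboundIpPrefixIds are mutually exclusive");
  inRange("managedOutboundIpCount", lb.managedOutboundIpCount, 1, 100, errs);
  inRange("managedOutboundIpv6Count", lb.managedOutboundIpv6Count, 1, 100, errs);
  if (lb.managedOutboundIpv6Count !== undefined && !dualStack) errs.push("managedOutboundIpv6Count requires dual-stack networking (ipVersions containing iPv6)");
  inRange("idleTimeoutInMinutes", lb.idleTimeoutInMinutes, 4, 120, errs);
  inRange("outboundPortsAllocated", lb.outboundPortsAllocated, 0, 64000, errs);
  return errs;
}

// defaultNodePoolVnetSubnetId is the vnetSubnetId of the defaultNodePool block,
// passed in because the Azure CNI rule depends on it.
function validateNetworkProfile(p: NetworkProfile, defaultNodePoolVnetSubnetId?: string): string[] {
  const errs: string[] = [];
  const azureCni = p.networkPlugin === "azure";
  if (azureCni && !defaultNodePoolVnetSubnetId) errs.push("networkPlugin=azure requires vnetSubnetId on the defaultNodePool");
  if (p.podCidr && p.networkPlugin !== "kubenet") errs.push("podCidr can only be set when networkPlugin=kubenet");
  if (p.networkMode && !azureCni) errs.push("networkMode can only be set when networkPlugin=azure");
  if (p.networkPolicy === "azure" && !azureCni) errs.push("networkPolicy=azure requires networkPlugin=azure");
  if (p.networkPluginMode === "overlay" && !azureCni) errs.push("networkPluginMode=overlay requires networkPlugin=azure");
  if (p.ebpfDataPlane === "cilium") {
    if (!azureCni) errs.push("ebpfDataPlane=cilium requires networkPlugin=azure");
    if (p.networkPluginMode !== "overlay" && !p.podSubnetId) errs.push("ebpfDataPlane=cilium requires networkPluginMode=overlay or podSubnetId");
  }
  // dockerBridgeCidr, dnsServiceIp and serviceCidr must all be set or all be empty.
  const trio = [p.dockerBridgeCidr, p.dnsServiceIp, p.serviceCidr].filter((v) => !!v).length;
  if (trio !== 0 && trio !== 3) errs.push("dockerBridgeCidr, dnsServiceIp and serviceCidr must all be set or all be empty");
  // "smaller than /12" means the prefix length must be greater than 12.
  if (p.serviceCidr && !(Number(p.serviceCidr.split("/")[1]) > 12)) errs.push("serviceCidr must be smaller than /12");
  if (p.ipVersions && !p.ipVersions.includes("iPv4")) errs.push("ipVersions must always include iPv4");
  const sku = p.loadBalancerSku ?? "standard"; // standard is the documented default
  if (p.loadBalancerProfile) {
    if (sku !== "standard") errs.push("loadBalancerProfile can only be specified when loadBalancerSku=standard");
    errs.push(...validateLoadBalancerProfile(p.loadBalancerProfile, (p.ipVersions ?? []).includes("iPv6")));
  }
  return errs;
}

// Constructed sample definitions (not taken from the page): a sound Azure CNI
// overlay profile, and one that breaks several rules at once.
const goodProfile: NetworkProfile = {
  networkPlugin: "azure", networkPolicy: "azure", networkPluginMode: "overlay",
  serviceCidr: "10.0.0.0/16", dnsServiceIp: "10.0.0.10", dockerBridgeCidr: "172.17.0.1/16",
  loadBalancerSku: "standard", loadBalancerProfile: { managedOutboundIpCount: 2, idleTimeoutInMinutes: 30 },
};
const badProfile: NetworkProfile = {
  networkPlugin: "kubenet", networkPolicy: "azure", ebpfDataPlane: "cilium", serviceCidr: "10.0.0.0/8",
  loadBalancerProfile: { managedOutboundIpCount: 1, outboundIpPrefixIds: ["constructed-prefix-id"] },
};
console.log(validateNetworkProfile(goodProfile, "constructed-subnet-id")); // []
console.log(validateNetworkProfile(badProfile)); // six violations
```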

A natGatewayProfile block supports the following:

  • idleTimeoutInMinutes - (Optional) Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 120 inclusive. Defaults to 4.

  • managedOutboundIpCount - (Optional) Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.


An omsAgent block supports the following:

  • logAnalyticsWorkspaceId - (Required) The ID of the Log Analytics Workspace which the OMS Agent should send data to.

  • msiAuthForMonitoringEnabled - (Optional) Is managed identity authentication for monitoring enabled?


An ingressApplicationGateway block supports the following:

  • gatewayId - (Optional) The ID of the Application Gateway to integrate with the ingress controller of this Kubernetes Cluster. See this page for further details.

  • gatewayName - (Optional) The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.

  • subnetCidr - (Optional) The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.

  • subnetId - (Optional) The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.

-> Note: If specifying ingressApplicationGateway in conjunction with onlyCriticalAddonsEnabled, the AGIC pod will fail to start. A separate azurermKubernetesClusterNodePool is required to run the AGIC pod successfully. This is because AGIC is classed as a "non-critical addon".


A servicePrincipal block supports the following:

  • clientId - (Required) The Client ID for the Service Principal.

  • clientSecret - (Required) The Client Secret for the Service Principal.


A sshKey block supports the following:

  • keyData - (Required) The Public SSH Key used to access the cluster.

A storageProfile block supports the following:

  • blobDriverEnabled - (Optional) Is the Blob CSI driver enabled? Defaults to false.

  • diskDriverEnabled - (Optional) Is the Disk CSI driver enabled? Defaults to true.

  • diskDriverVersion - (Optional) Disk CSI Driver version to be used. Possible values are v1 and v2. Defaults to v1.

-> Note: azureDiskCsiDriverV2 is currently in Public Preview on an opt-in basis. To use it, the feature enableAzureDiskCsiDriverV2 for namespace microsoftContainerService must be requested.

  • fileDriverEnabled - (Optional) Is the File CSI driver enabled? Defaults to true.

  • snapshotControllerEnabled - (Optional) Is the Snapshot Controller enabled? Defaults to true.


A sysctlConfig block supports the following:

~> For more information, please refer to Linux Kernel Doc.

  • fsAioMaxNr - (Optional) The sysctl setting fs.aio-max-nr. Must be between 65536 and 6553500. Changing this forces a new resource to be created.

  • fsFileMax - (Optional) The sysctl setting fs.file-max. Must be between 8192 and 12000500. Changing this forces a new resource to be created.

  • fsInotifyMaxUserWatches - (Optional) The sysctl setting fs.inotify.max_user_watches. Must be between 781250 and 2097152. Changing this forces a new resource to be created.

  • fsNrOpen - (Optional) The sysctl setting fs.nr_open. Must be between 8192 and 20000500. Changing this forces a new resource to be created.

  • kernelThreadsMax - (Optional) The sysctl setting kernel.threads-max. Must be between 20 and 513785. Changing this forces a new resource to be created.

  • netCoreNetdevMaxBacklog - (Optional) The sysctl setting net.core.netdev_max_backlog. Must be between 1000 and 3240000. Changing this forces a new resource to be created.

  • netCoreOptmemMax - (Optional) The sysctl setting net.core.optmem_max. Must be between 20480 and 4194304. Changing this forces a new resource to be created.

  • netCoreRmemDefault - (Optional) The sysctl setting net.core.rmem_default. Must be between 212992 and 134217728. Changing this forces a new resource to be created.

  • netCoreRmemMax - (Optional) The sysctl setting net.core.rmem_max. Must be between 212992 and 134217728. Changing this forces a new resource to be created.

  • netCoreSomaxconn - (Optional) The sysctl setting net.core.somaxconn. Must be between 4096 and 3240000. Changing this forces a new resource to be created.

  • netCoreWmemDefault - (Optional) The sysctl setting net.core.wmem_default. Must be between 212992 and 134217728. Changing this forces a new resource to be created.

  • netCoreWmemMax - (Optional) The sysctl setting net.core.wmem_max. Must be between 212992 and 134217728. Changing this forces a new resource to be created.

  • netIpv4IpLocalPortRangeMax - (Optional) The sysctl setting net.ipv4.ip_local_port_range max value. Must be between 1024 and 60999. Changing this forces a new resource to be created.

  • netIpv4IpLocalPortRangeMin - (Optional) The sysctl setting net.ipv4.ip_local_port_range min value. Must be between 1024 and 60999. Changing this forces a new resource to be created.

  • netIpv4NeighDefaultGcThresh1 - (Optional) The sysctl setting net.ipv4.neigh.default.gc_thresh1. Must be between 128 and 80000. Changing this forces a new resource to be created.

  • netIpv4NeighDefaultGcThresh2 - (Optional) The sysctl setting net.ipv4.neigh.default.gc_thresh2. Must be between 512 and 90000. Changing this forces a new resource to be created.

  • netIpv4NeighDefaultGcThresh3 - (Optional) The sysctl setting net.ipv4.neigh.default.gc_thresh3. Must be between 1024 and 100000. Changing this forces a new resource to be created.

  • netIpv4TcpFinTimeout - (Optional) The sysctl setting net.ipv4.tcp_fin_timeout. Must be between 5 and 120. Changing this forces a new resource to be created.

  • netIpv4TcpKeepaliveIntvl - (Optional) The sysctl setting net.ipv4.tcp_keepalive_intvl. Must be between 10 and 75. Changing this forces a new resource to be created.

  • netIpv4TcpKeepaliveProbes - (Optional) The sysctl setting net.ipv4.tcp_keepalive_probes. Must be between 1 and 15. Changing this forces a new resource to be created.

  • netIpv4TcpKeepaliveTime - (Optional) The sysctl setting net.ipv4.tcp_keepalive_time. Must be between 30 and 432000. Changing this forces a new resource to be created.

  • netIpv4TcpMaxSynBacklog - (Optional) The sysctl setting net.ipv4.tcp_max_syn_backlog. Must be between 128 and 3240000. Changing this forces a new resource to be created.

  • netIpv4TcpMaxTwBuckets - (Optional) The sysctl setting net.ipv4.tcp_max_tw_buckets. Must be between 8000 and 1440000. Changing this forces a new resource to be created.

  • netIpv4TcpTwReuse - (Optional) The sysctl setting net.ipv4.tcp_tw_reuse. Changing this forces a new resource to be created.

  • netNetfilterNfConntrackBuckets - (Optional) The sysctl setting net.netfilter.nf_conntrack_buckets. Must be between 65536 and 147456. Changing this forces a new resource to be created.

  • netNetfilterNfConntrackMax - (Optional) The sysctl setting net.netfilter.nf_conntrack_max. Must be between 131072 and 1048576. Changing this forces a new resource to be created.

  • vmMaxMapCount - (Optional) The sysctl setting vm.max_map_count. Must be between 65530 and 262144. Changing this forces a new resource to be created.

  • vmSwappiness - (Optional) The sysctl setting vm.swappiness. Must be between 0 and 100. Changing this forces a new resource to be created.

  • vmVfsCachePressure - (Optional) The sysctl setting vm.vfs_cache_pressure. Must be between 0 and 100. Changing this forces a new resource to be created.


A webAppRouting block supports the following:

  • dnsZoneId - (Required) Specifies the ID of the DNS Zone in which DNS entries are created for applications deployed to the cluster when Web App Routing is enabled. For Bring-Your-Own DNS zones this property should be set to an empty string "".

A windowsProfile block supports the following:

  • adminUsername - (Required) The Admin Username for Windows VMs. Changing this forces a new resource to be created.

  • adminPassword - (Optional) The Admin Password for Windows VMs. Length must be between 14 and 123 characters.

  • license - (Optional) Specifies the type of on-premises license which should be used for Node Pool Windows Virtual Machines. At this time the only possible value is windowsServer.

  • gmsa - (Optional) A gmsa block as defined below.


A gmsa block supports the following:

  • dnsServer - (Required) Specifies the DNS server for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.

  • rootDomain - (Required) Specifies the root domain name for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.

-> Note: The properties dnsServer and rootDomain must both either be set or unset, i.e. empty.


A workloadAutoscalerProfile block supports the following:

  • kedaEnabled - (Optional) Specifies whether KEDA Autoscaler can be used for workloads.

-> Note: This requires that the Preview Feature microsoftContainerService/aksKedaPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

  • verticalPodAutoscalerEnabled - (Optional) Specifies whether Vertical Pod Autoscaler should be enabled.

-> Note: This requires that the Preview Feature microsoftContainerService/aksVpaPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.


An httpProxyConfig block supports the following:

  • httpProxy - (Optional) The proxy address to be used when communicating over HTTP. Changing this forces a new resource to be created.

  • httpsProxy - (Optional) The proxy address to be used when communicating over HTTPS. Changing this forces a new resource to be created.

  • noProxy - (Optional) The list of domains that will not use the proxy for communication. Changing this forces a new resource to be created.

-> Note: If you specify the vnetSubnetId field in the defaultNodePool block, be sure to include the Subnet CIDR in the noProxy list.

-> Note: You may wish to use Terraform's ignoreChanges functionality to ignore the changes to this field.

  • trustedCa - (Optional) The base64 encoded alternative CA certificate content in PEM format.

An upgradeSettings block supports the following:

  • maxSurge - (Required) The maximum number or percentage of nodes which will be added to the Node Pool size during an upgrade.

-> Note: If a percentage is provided, the number of surge nodes is calculated from the nodeCount value on the current cluster. Node surge can allow a cluster to have more nodes than maxCount during an upgrade. Ensure that your cluster has enough IP space during an upgrade.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The Kubernetes Managed Cluster ID.

  • fqdn - The FQDN of the Azure Kubernetes Managed Cluster.

  • privateFqdn - The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.

  • portalFqdn - The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.

  • kubeAdminConfig - A kubeAdminConfig block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.

  • kubeAdminConfigRaw - Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.

  • kubeConfig - A kubeConfig block as defined below.

  • kubeConfigRaw - Raw Kubernetes config to be used by kubectl and other compatible tools.

  • httpApplicationRoutingZoneName - The Zone Name of the HTTP Application Routing.

  • oidcIssuerUrl - The OIDC issuer URL that is associated with the cluster.

  • nodeResourceGroup - The auto-generated Resource Group which contains the resources for this Managed Kubernetes Cluster.

  • nodeResourceGroupId - The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.

  • networkProfile - A networkProfile block as defined below.

  • ingressApplicationGateway - An ingressApplicationGateway block as defined below.

  • omsAgent - An omsAgent block as defined below.

  • keyVaultSecretsProvider - A keyVaultSecretsProvider block as defined below.


The aciConnectorLinux block exports the following:

  • connectorIdentity - A connectorIdentity block is exported. The exported attributes are defined below.

The connectorIdentity block exports the following:

  • clientId - The Client ID of the user-defined Managed Identity used by the ACI Connector.

  • objectId - The Object ID of the user-defined Managed Identity used by the ACI Connector.

  • userAssignedIdentityId - The ID of the User Assigned Identity used by the ACI Connector.


A loadBalancerProfile block exports the following:

  • effectiveOutboundIps - The outcome (resource IDs) of the specified arguments.

A networkProfile block exports the following:

  • natGatewayProfile - A natGatewayProfile block as defined below.

A natGatewayProfile block exports the following:

  • effectiveOutboundIps - The outcome (resource IDs) of the specified arguments.

An identity block exports the following:

  • principalId - The Principal ID associated with this Managed Service Identity.

  • tenantId - The Tenant ID associated with this Managed Service Identity.


The kubeAdminConfig and kubeConfig blocks export the following:

  • clientKey - Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.

  • clientCertificate - Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.

  • clusterCaCertificate - Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.

  • host - The Kubernetes cluster server host.

  • username - A username used to authenticate to the Kubernetes cluster.

  • password - A password or token used to authenticate to the Kubernetes cluster.

-> Note: It's possible to use these credentials with the Kubernetes Provider like so:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as kubernetes from "./.gen/providers/kubernetes";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: kubernetes.
For a more precise conversion please use the --provider flag in convert.*/
new kubernetes.provider.KubernetesProvider(this, "kubernetes", {
  client_certificate:
    "${base64decode(azurerm_kubernetes_cluster.main.kube_config.0.client_certificate)}",
  client_key:
    "${base64decode(azurerm_kubernetes_cluster.main.kube_config.0.client_key)}",
  cluster_ca_certificate:
    "${base64decode(azurerm_kubernetes_cluster.main.kube_config.0.cluster_ca_certificate)}",
  host: "${azurerm_kubernetes_cluster.main.kube_config.0.host}",
  password: "${azurerm_kubernetes_cluster.main.kube_config.0.password}",
  username: "${azurerm_kubernetes_cluster.main.kube_config.0.username}",
});

The ingressApplicationGateway block exports the following:

  • effectiveGatewayId - The ID of the Application Gateway associated with the ingress controller deployed to this Kubernetes Cluster.

  • ingressApplicationGatewayIdentity - An ingressApplicationGatewayIdentity block is exported. The exported attributes are defined below.


The ingressApplicationGatewayIdentity block exports the following:

  • clientId - The Client ID of the user-defined Managed Identity used by the Application Gateway.

  • objectId - The Object ID of the user-defined Managed Identity used by the Application Gateway.

  • userAssignedIdentityId - The ID of the User Assigned Identity used by the Application Gateway.


The omsAgent block exports the following:

  • omsAgentIdentity - An omsAgentIdentity block is exported. The exported attributes are defined below.

The omsAgentIdentity block exports the following:

  • clientId - The Client ID of the user-defined Managed Identity used by the OMS Agents.

  • objectId - The Object ID of the user-defined Managed Identity used by the OMS Agents.

  • userAssignedIdentityId - The ID of the User Assigned Identity used by the OMS Agents.


The keyVaultSecretsProvider block exports the following:

  • secretIdentity - A secretIdentity block is exported. The exported attributes are defined below.

The secretIdentity block exports the following:

  • clientId - The Client ID of the user-defined Managed Identity used by the Secret Provider.

  • objectId - The Object ID of the user-defined Managed Identity used by the Secret Provider.

  • userAssignedIdentityId - The ID of the User Assigned Identity used by the Secret Provider.


A workloadAutoscalerProfile block exports the following:

  • verticalPodAutoscalerControlledValues - Which resources values should be controlled.

  • verticalPodAutoscalerUpdateMode - How the autoscaler applies changes to pod resources.


Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 90 minutes) Used when creating the Kubernetes Cluster.
  • update - (Defaults to 90 minutes) Used when updating the Kubernetes Cluster.
  • read - (Defaults to 5 minutes) Used when retrieving the Kubernetes Cluster.
  • delete - (Defaults to 90 minutes) Used when deleting the Kubernetes Cluster.

Import

Managed Kubernetes Clusters can be imported using the resourceId, e.g.

terraform import azurerm_kubernetes_cluster.cluster1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.ContainerService/managedClusters/cluster1