SquareOps Technologies Your DevOps Partner for Accelerating cloud journey.
This module simplifies the deployment of AKS clusters, allowing users to quickly create and manage a production-grade Kubernetes cluster on Azure. The module is highly configurable, allowing users to customize various aspects of the AKS cluster, such as the Kubernetes version, worker node instance type, and number of worker nodes. Additionally, the module provides a set of outputs that can be used to configure other resources, such as the Kubernetes config file and the Azure CLI.
This module is ideal for users who want to quickly deploy an AKS cluster on Azure without the need for manual setup and configuration. It is also suitable for users who want to adopt best practices for security and scalability in their AKS deployments.
Setup SSH Keys for AKS nodes
- Generate SSH keys using Azure CLI:
az sshkey create --name "mySSHKey" --resource-group "myResourceGroup"The resulting output lists the new key files' paths:
Private key is saved to "/home/user/.ssh/7777777777_9999999".
Public key is saved to "/home/user/.ssh/7777777777_9999999.pub".- Create Azure Key Vault using Azure CLI:
az keyvault create --name MyKeyVault --resource-group MyResourceGroup --location "East US"- Set SSH public key in Key Vault using Azure CLI:
az keyvault secret set --vault-name "MyKeyVault" --name "mySSHKey" --file /home/user/.ssh/7777777777_9999999.pub- Update the Key Vault name and ID in the Terraform data variables:
Update the
example/complete/main.tffile with the following values for key vault:
data "azurerm_key_vault_secret" "ssh_key" {
name = "mySSHKey"
key_vault_id = "/subscriptions/{subscription-id}/resourceGroups/MyResourceGroup/providers/Microsoft.KeyVault/vaults/MyKeyVault"
}To get the value for key_vault_id use the following Azure CLI command:
az keyvault show --name "MyKeyVault" --query "id"data "azurerm_key_vault_secret" "ssh_key" {
name = "test-ssh-key"
key_vault_id = "/subscriptions/{subscription-id}/resourceGroups/prod-skaf-tfstate-rg/providers/Microsoft.KeyVault/vaults/test-ssh-key-skaf"
}
# There are two types of managed idetities "System assigned" & "UserAssigned". User-assigned managed identities can be used on multiple resources.
resource "azurerm_user_assigned_identity" "identity" {
name = "aksidentity"
resource_group_name = "AKS-resource-group"
location = "eastus"
}
module "aks_cluster" {
depends_on = [module.vnet, azurerm_user_assigned_identity.identity]
source = "squareops/aks/azurerm"
name = "aks-cluster"
environment = "prod"
kubernetes_version = "1.26.3"
create_resource_group = false # Enable if you want to a create resource group for AKS cluster.
existing_resource_group_name = "AKS-resource-group"
resource_group_location = "eastus"
user_assigned_identity_id = azurerm_user_assigned_identity.identity.id
principal_id = azurerm_user_assigned_identity.identity.principal_id
network_plugin = "azure"
net_profile_dns_service_ip = "192.168.0.10" # IP address within the Kubernetes service address range that will be used by cluster service discovery. Don't use the first IP address in your address range. The first address in your subnet range is used for the kubernetes.default.svc.cluster.local address.
net_profile_pod_cidr = "10.244.0.0/16" # For aks pods cidr, when choosen "azure" network plugin these value will be passed as null.
net_profile_docker_bridge_cidr = "172.17.0.1/16" # It's required to select a CIDR for the Docker bridge network address because otherwise Docker will pick a subnet automatically, which could conflict with other CIDRs. You must pick an address space that doesn't collide with the rest of the CIDRs on your networks, including the cluster's service CIDR and pod CIDR. Default of 172.17.0.1/16.
net_profile_service_cidr = "192.168.0.0/16" # This range shouldn't be used by any network element on or connected to this virtual network. Service address CIDR must be smaller than /12. You can reuse this range across different AKS clusters.
default_agent_pool_name = "infra"
default_agent_pool_count = "1"
default_agent_pool_size = "Standard_DS2_v2"
host_encryption_enabled = false
default_node_labels = { Addon-Services = "true" }
os_disk_size_gb = 30
auto_scaling_enabled = true
agents_min_count = 1
agents_max_count = 2
node_public_ip_enabled = false # If we want to create public nodes set this value "true"
agents_availability_zones = ["1", "2", "3"] # Does not applies to all regions please verify the availablity zones for the respective region.
rbac_enabled = true
oidc_issuer_enabled = true
open_service_mesh_enabled = false # Add on for the open service mesh (istio)
private_cluster_enabled = false # AKS Cluster endpoint access, Disable for public access
sku_tier = "Free"
subnet_id = ["10.0.0.0/24", "10.0.0.1/24"]
admin_username = "azureuser" # node pool username
public_ssh_key = data.azurerm_key_vault_secret.ssh_key.value
agents_type = "VirtualMachineScaleSets" # Creates an Agent Pool backed by a Virtual Machine Scale Set.
net_profile_outbound_type = "loadBalancer" # The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer and userDefinedRouting. Defaults to loadBalancer.
log_analytics_workspace_sku = "PerGB2018" # refer https://azure.microsoft.com/pricing/details/monitor/ for log analytics pricing
log_analytics_solution_enabled = true # Log analytics solutions are typically software solutions with data visualization and insights tools.
control_plane_logs_scrape_enabled = true # Scrapes logs of the aks control plane
control_plane_monitor_name = format("%s-%s-aks-control-plane-logs-monitor", local.name, local.environment) # Control plane logs monitoring such as "kube-apiserver", "cloud-controller-manager", "kube-scheduler"
additional_tags = local.additional_tags
}
module "aks_managed_node_pool" {
depends_on = [module.aks_cluster]
source = "squareops/aks/azurerm//modules/managed_node_pools"
resource_group_name = "AKS-resource-group"
orchestrator_version = "1.26.3"
location = "eastus"
vnet_subnet_id = ["10.0.0.0/24", "10.0.0.1/24"]
kubernetes_cluster_id = module.aks_cluster.kubernetes_cluster_id
node_pools = {
app = {
vm_size = "Standard_DS2_v2"
auto_scaling_enabled = true
os_disk_size_gb = 50
os_disk_type = "Managed"
node_count = 1
min_count = 1
max_count = 2
availability_zones = ["1", "2", "3"]
enable_node_public_ip = false # if set to true node_public_ip_prefix_id is required
node_public_ip_prefix_id = ""
node_labels = { App-service = "true" }
node_taints = ["workload=example:NoSchedule"]
host_encryption_enabled = false
max_pods = 30
agents_tags = local.additional_tags
},
}
}Refer example for more details.
The required permissions to create resources from this module can be found here
| Name | Version |
|---|---|
| azurerm | ~> 3.0 |
| helm | >=2.6 |
| kubernetes | >=2.13.0 |
| Name | Version |
|---|---|
| azurerm | ~> 3.0 |
| null | n/a |
| random | n/a |
| Name | Source | Version |
|---|---|---|
| resource-group | ./modules/resource-group | n/a |
| Name | Type |
|---|---|
| azurerm_kubernetes_cluster.aks_cluster | resource |
| azurerm_log_analytics_solution.logs | resource |
| azurerm_log_analytics_workspace.logs | resource |
| azurerm_monitor_diagnostic_setting.control_plane | resource |
| azurerm_role_assignment.network_contributor | resource |
| null_resource.open_service_mesh_addon | resource |
| random_id.log_analytics_workspace_name_suffix | resource |
| azurerm_subscription.primary | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name | The name of the deployment or resource. (e.g., AKS cluster name, resource group name) | string |
"" |
no |
| host | The host or endpoint for the resource. | string |
"" |
no |
| client_certificate | The client certificate for authentication. | string |
"" |
no |
| client_key | The client key for authentication. | string |
"" |
no |
| cluster_ca_certificate | The CA certificate used by the cluster. | string |
"" |
no |
| environment | The environment in which the resources are deployed. | string |
"" |
no |
| resource_group_name | The name of the Azure resource group. | string |
"" |
no |
| user_assigned_identity_id | The ID of the user-assigned identity. | string |
"" |
no |
| resource_group_location | The location of the Azure resource group. | string |
"" |
no |
| create_resource_group | To create a new resource group. Value in existing_resource_group will be ignored if this is true. | bool |
false |
no |
| existing_resource_group_name | Name of existing resource group that has to be used. Leave empty if new resource group has to be created. | string |
"" |
no |
| tags | The tags to associate with your network and subnets and aks resources. | map(string) |
{ |
no |
| kubernetes_cluster_id | The ID of the Kubernetes cluster. | string |
"" |
no |
| client_id | The Azure Active Directory (AAD) client ID for authentication. | string |
"" |
no |
| client_secret | The Azure Active Directory (AAD) client secret for authentication. | string |
"" |
no |
| cluster_name | The name of the cluster for AAD configuration. | string |
"" |
no |
| kubernetes_version | The version of Kubernetes to use in the AKS cluster. | string |
"" |
no |
| admin_username | The username for the AKS cluster's admin user. | string |
"" |
no |
| public_ssh_key | The public SSH key for the AKS cluster's admin user. | string |
"" |
no |
| sku_tier | The SKU tier for the AKS cluster. | string |
"" |
no |
| private_cluster_enabled | Indicates whether the AKS cluster is private or public. | bool |
false |
no |
| enable_http_application_routing | Enables or disables HTTP application routing. | bool |
false |
no |
| enable_kube_dashboard | Enables or disables the Kubernetes dashboard. | bool |
false |
no |
| balance_similar_node_groups | Indicates whether to balance similar node groups. | bool |
true |
no |
| oidc_issuer_enabled | Indicates whether to oidc issuer is enabled. | bool |
true |
no |
| max_graceful_termination_sec | The maximum time for graceful termination in seconds. | number |
600 |
no |
| scale_down_delay_after_add | The delay duration after adding a node. | string |
"10m" |
no |
| scale_down_delay_after_delete | The delay duration after deleting a node. | string |
"10s" |
no |
| scale_down_delay_after_failure | The delay duration after a failure. | string |
"3m" |
no |
| scan_interval | The interval duration for scanning. | string |
"10s" |
no |
| scale_down_unneeded | The duration before scaling down unneeded nodes. | string |
"10m" |
no |
| scale_down_unready | The duration before scaling down unready nodes. | string |
"20m" |
no |
| scale_down_utilization_threshold | The utilization threshold for scaling down. | number |
0.5 |
no |
| agents_pool_name | The names of the agent pools. | list(string) |
[ |
no |
| agents_count | The desired number of agents. | number |
2 |
no |
| agents_min_count | The minimum number of agents. | number |
1 |
no |
| agents_max_count | The maximum number of agents. | number |
3 |
no |
| agents_size | The sizes of the agent pools. | list(string) |
[ |
no |
| node_taints | The taints for the nodes. | list(string) |
[ |
no |
| subnet_id | The IDs of the subnets. | list(string) |
[ |
no |
| os_disk_size_gb | The size of the OS disk in gigabytes. | number |
20 |
no |
| auto_scaling_enabled | Enables or disables auto-scaling. | bool |
false |
no |
| node_public_ip_enabled | Indicates whether nodes have public IP addresses. | bool |
true |
no |
| agents_availability_zones | The availability zones for the agent pools. | list(string) |
null |
no |
| agents_type | The type of agents. | string |
"" |
no |
| agents_max_pods | The maximum number of pods per agent. | number |
50 |
no |
| network_plugin | The network plugin to use. | string |
"" |
no |
| net_profile_dns_service_ip | The DNS service IP address. | string |
"" |
no |
| net_profile_docker_bridge_cidr | The Docker bridge CIDR. | string |
"" |
no |
| net_profile_outbound_type | The outbound type for the network profile. | string |
"" |
no |
| net_profile_pod_cidr | The pod CIDR. | string |
"" |
no |
| net_profile_service_cidr | The service CIDR. | string |
"" |
no |
| node_pool | The configuration for the node pool. | any |
{} |
no |
| rbac_enabled | Indicates whether RBAC (Role-Based Access Control) is enabled. | bool |
false |
no |
| log_analytics_workspace_sku | Name of the log analytics workspace sku tier | string |
"PerGB2018" |
no |
| log_analytics_solution_enabled | Enable or disable log analytics solution | bool |
true |
no |
| log_analytics_solution_name | Name of the log analytics solution resource | string |
"" |
no |
| control_plane_logs_scrape_enabled | Enable or disable control plane logs scraping | bool |
true |
no |
| control_plane_monitor_name | Name of the azure monitor diagostic setting resource which scraps logs of control plane logs monitoring such as kube-apiserver, cloud-controller-manager, kube-scheduler, kube-controller-manager etc. | string |
"" |
no |
| additional_tags | Additional tags for best practices | any |
{} |
no |
| principal_id | AKS identity principal ID | string |
"" |
no |
| node_labels_app | The node labels to be attached to be attached to the aks app node pool | map(string) |
{} |
no |
| node_labels_infra | The node labels to be attached to be attached to the aks infra node pool | map(string) |
{} |
no |
| auto_scaling_app_enabled | Whether to enable auto scaling for the app node pool | bool |
true |
no |
| agents_count_app | The initial number of agents for the app node pool | string |
"1" |
no |
| agents_min_count_app | The minimum number of agents for the app node pool | string |
"1" |
no |
| agents_max_count_app | The maximum number of agents for the app node pool | string |
"3" |
no |
| agents_availability_zones_app | The availability zones for the app node pool | list(string) |
[ |
no |
| auto_scaling_monitor_enabled | Whether to enable auto scaling for the monitor node pool | bool |
true |
no |
| agents_count_monitor | The initial number of agents for the monitor node pool | string |
"1" |
no |
| agents_min_count_monitor | The minimum number of agents for the monitor node pool | string |
"1" |
no |
| agents_max_count_monitor | The maximum number of agents for the monitor node pool | string |
"3" |
no |
| agents_availability_zones_monitor | The availability zones for the monitor node pool | list(string) |
[ |
no |
| node_labels_monitor | The labels for the monitor node pool | map(string) |
{ |
no |
| auto_scaling_database_enabled | Whether to enable auto scaling for the database node pool | bool |
true |
no |
| agents_count_database | The initial number of agents for the database node pool | string |
"1" |
no |
| agents_min_count_database | The minimum number of agents for the database node pool | string |
"1" |
no |
| agents_max_count_database | The maximum number of agents for the database node pool | string |
"3" |
no |
| agents_availability_zones_database | The availability zones for the database node pool | list(string) |
[ |
no |
| node_labels_database | The labels for the database node pool | map(string) |
{ |
no |
| default_agent_pool_name | The name of the default agent pool | string |
"infra" |
no |
| default_agent_pool_count | The number of agents in the default agent pool | string |
"1" |
no |
| default_agent_pool_size | The size of the default agent pool | string |
"Standard_DS2_v2" |
no |
| default_node_labels | The labels for the default agent pool | map(string) |
{ |
no |
| host_encryption_enabled | The enable the encryption of the hosts | bool |
false |
no |
| open_service_mesh_enabled | The enable the open service mesg (istio) | bool |
true |
no |
| Name | Description |
|---|---|
| cluster_name | Cluster Name |
| default_ng_rg_name | Default Node Group Resource Group Name |
| kubernetes_cluster_id | kubernetes cluster id |
| host | host |
| client_certificate | client_certificate |
| client_key | client_key |
| cluster_ca_certificate | cluster_ca_certificate |
To report an issue with a project:
- Check the repository's issue tracker on GitHub
- Search to see if the issue has already been reported
- If you can't find an answer to your question in the documentation or issue tracker, you can ask a question by creating a new issue. Be sure to provide enough context and details so others can understand your problem.
Apache License, Version 2.0, January 2004 (http://www.apache.org/licenses/).
To support a GitHub project by liking it, you can follow these steps:
-
Visit the repository: Navigate to the GitHub repository.
-
Click the "Star" button: On the repository page, you'll see a "Star" button in the upper right corner. Clicking on it will star the repository, indicating your support for the project.
-
Optionally, you can also leave a comment on the repository or open an issue to give feedback or suggest changes.
Starring a repository on GitHub is a simple way to show your support and appreciation for the project. It also helps to increase the visibility of the project and make it more discoverable to others.
We believe that the key to success in the digital age is the ability to deliver value quickly and reliably. That’s why we offer a comprehensive range of DevOps & Cloud services designed to help your organization optimize its systems & Processes for speed and agility.
- We are an AWS Advanced consulting partner which reflects our deep expertise in AWS Cloud and helping 100+ clients over the last 4 years.
- Expertise in Kubernetes and overall container solution helps companies expedite their journey by 10X.
- Infrastructure Automation is a key component to the success of our Clients and our Expertise helps deliver the same in the shortest time.
- DevSecOps as a service to implement security within the overall DevOps process and helping companies deploy securely and at speed.
- Platform engineering which supports scalable,Cost efficient infrastructure that supports rapid development, testing, and deployment.
- 24*7 SRE service to help you Monitor the state of your infrastructure and eradicate any issue within the SLA.
We provide support on all of our projects, no matter how small or large they may be.
To find more information about our company, visit squareops.com, follow us on Linkedin, or fill out a job application. If you have any questions or would like assistance with your cloud strategy and implementation, please don't hesitate to contact us.