[November 20 Webinar] Detecting & Correcting Infrastructure Drift

➡️ Register Now

Azure

How to Provision Azure AKS Cluster Using Terraform

154.terraform aks

What is AKS?

Azure Kubernetes Service (AKS) is a managed container orchestration service provided by Microsoft Azure. It simplifies the overall provisioning and management of your Kubernetes cluster, and it works seamlessly with other Microsoft Azure services

Why should you use Terraform with AKS?

As for every other infrastructure resource, using Terraform for managing AKS makes the most sense as It allows for version-controlled definitions of AKS clusters and their resources, facilitating team collaboration and change tracking. 

Terraform’s declarative configuration simplifies cloud environment management, and its ecosystem integration streamlines workflows across Azure services.  By automating AKS deployments with Terraform, teams can efficiently manage cluster configurations, scale resources on-demand, and apply updates or rollbacks with minimal downtime, enhancing operational efficiency and reliability.

Prerequisites for provisioning AKS cluster in Terraform

How to create an AKS cluster with Terraform

1. Create the main.tf file

Create a file called main.tf and paste the below:

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "3.40.0"
    }
  }
}

provider "azurerm" {
   features {}
}

module "aks_example_named_cluster" {
  source  = "Azure/aks/azurerm//examples/named_cluster"
  version = "6.2.0"
}

2. Set up Azure

Login to Azure from the command line:

Select your subscription:

3. Run Terraform

Run through the usual Terraform workflow commands from the same directory as your main.tf file is in:

terraform init terraform aks
terraform apply terraform aks

Your AKS cluster will be created!

terraform aks cluster

4. Explore the Azure portal

Jump into the Azure portal, and you should see a resource group with a randomly created name containing seven resources, as shown below:

terraform aks azure portal
  • Most Azure environments will probably want to hook into and reuse an existing key vault, log analytics workspace, and virtual network for example.
  • You will also likely have a defined naming format you should adhere to rather than the randomly created names for the key vault, managed identity, and virtual network shown above.
  • You might also want to amend the outputs so you can use the values in other parts of your Terraform configuration.
  • You might want to tailor the deployment to adhere to specific policies to harden and secure your AKS deployment.

Diving into the Terraform AKS module

The source code on GitHub for the module is linked from the Terraform registry page.

On the README page, the available inputs and outputs are listed, which, when set, allow you to customize your deployment. These are also listed on the Terraform registry page, as with all modules.

The providers used by the module are listed on the dependencies tab. These are downloaded and installed automatically upon terraform init.

To adhere to recommended security settings when deploying an AKS cluster, the module sets some recommended defaults from the Azure policies section at Bridgecrew by Prisma Cloud, such as ensuring AKS uses a disk encryption set. You can check out their recommendations for your cluster here.

AKS Terraform registry module custom configuration example

To show how to use the Registry module with some custom values, we will run through an example configuration.

On the Terraform registry page, you will notice there are two required inputs, prefix and resource_group_name. These will need to be defined.

I’ll add a prefix of “test” and import a resource group I previously created called “aks-test-rg”.

terraform aks resource group
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "3.40.0"
    }
  }
}

provider "azurerm" {
   features {}
}

module "aks_example_named_cluster" {
  source              = "Azure/aks/azurerm/"
  version             = "6.2.0"
  prefix              = "test"
  resource_group_name = "aks-test-rg"
}

From the available optional values, I will set the admin_usernameto “testaksadmin”.

terraform aks admin username

I will turn on the Azure Policy Addon:

terraform aks Azure Policy Addon

I will link my AKS cluster to my previously created log analytics workspace by setting cluster_log_analytics_workspace_name to “test-aks-law”.

terraform aks Azure Policy Addon
terraform aks workspace name

I will set the cluster name to adhere with my naming convention by setting cluster_name to “jr-test-aks”.

terraform aks cluster name
terraform aks ingress name

I will define the locationof my cluster as “uksouth”.

terraform aks cluster location

I will set the log_retention_in_days to “365” days:

terraform aks cluster retention

My code now looks like this:

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "3.40.0"
    }
  }
}

provider "azurerm" {
   features {}
}

module "aks_example_named_cluster" {
  source                               = "Azure/aks/azurerm"
  version                              = "6.2.0"
  prefix                               = "test"
  resource_group_name                  = "aks-test-rg"
  admin_username                       = "testaksadmin"
  azure_policy_enabled                 = true
  cluster_log_analytics_workspace_name = "test-aks-law"
  cluster_name                         = "jr-test-aks"
  location                             = "uksouth"
  log_retention_in_days                = "365"
}

Run terraform init (make sure you have the latest Terraform version! by typing terraform version to avoid unexpected errors!)

terraform init provider terraform aks
terraform plan terraform aks
terraform destroy terraform aks

Key points

Don’t forget to take a look at how Spacelift helps you manage the complexities and compliance challenges of using Terraform. It brings with it a GitOps flow, so your infrastructure repository is synced with your Terraform Stacks, and pull requests show you a preview of what they’re planning to change. It also has an extensive selection of policies, which lets you automate compliance checks and build complex multi-stack workflows. You may also check how initialization policies work with Spacelift.

Note: New versions of Terraform are placed under the BUSL license, but everything created before version 1.5.x stays open-source. OpenTofu is an open-source version of Terraform that expands on Terraform’s existing concepts and offerings. It is a viable alternative to HashiCorp’s Terraform, being forked from Terraform version 1.5.6.

Manage Terraform Better and Faster

If you are struggling with Terraform automation and management, check out Spacelift. It helps you manage Terraform state, build more complex workflows, and adds several must-have capabilities for end-to-end infrastructure management.

Start free trial

The Practitioner’s Guide to Scaling Infrastructure as Code

Transform your IaC management to scale

securely, efficiently, and productively

into the future.

ebook global banner
Share your data and download the guide