In this article, we will show how to create an AKS cluster on Azure using Terraform with just four lines of code!
The simplest way to provision an AKS cluster using Terraform is to call the official azurermregistry module. This way, you can create a group with just four lines of code (assuming you accept all the defaults)!
A module is simply a collection of .tf configuration files that define multiple related resources, coded in such a way that the code can be reused. These files are held in a folder.
The Terraform registry has a huge collection of ready-to-use modules, saving you time and effort when it comes to coding for common tasks, e.g., instead of defining code for creating a VM in Azure, you could call the Azure VM module from the public registry.
There are downsides to using registry modules, rather than creating and maintaining your own module or alternatively creating the individual resources in your Terraform code. It can be considered less flexible to use public modules as you don’t have direct control over the module code. In an enterprise scenario, using modules created by the enterprise is generally the preferred approach because of this. However, they are a good option for testing, and well-maintained public modules can still be a great option for production scenarios.
To try it out, we will use the ‘named_cluster’ submodule example provided on the registry page of the public AKS module.
- Create a file called
main.tfand paste the below:
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.40.0"
}
}
}
provider "azurerm" {
features {}
}
module "aks_example_named_cluster" {
source = "Azure/aks/azurerm//examples/named_cluster"
version = "6.2.0"
}- Login to Azure from the command line:
az login
- Select your subscription:
az account set -subscriptionid <id>
- Run through the usual Terraform workflow commands from the same directory as your main.tf file is in:
terraform init
terraform planterraform apply
Your AKS cluster will be created!
Jump into the Azure portal, and you should see a resource group with a randomly created name containing seven resources, as shown below:
We can see that the module has not just created the AKS cluster itself but also the supporting services required by the AKS cluster for secure operation, including a disk encryption set, key vault, log analytics workspace, container insights solution, and managed identity. It also created the virtual network the AKS cluster is attached to.
For test purposes to quickly spin up an AKS cluster, this is clearly awesome. However, in the real world, you’re going to want to tailor the deployment a little to work in your environment.
- Most Azure environments will probably want to hook into and reuse an existing key vault, log analytics workspace, and virtual network for example.
- You will also likely have a defined naming format you should adhere to rather than the randomly created names for the key vault, managed identity, and virtual network shown above.
- You might also want to amend the outputs so you can use the values in other parts of your Terraform configuration.
- You might want to tailor the deployment to adhere to specific policies to harden and secure your AKS deployment.
To get an idea of how much configuration effort you save using a registry module, check out the official Microsoft documentation showing how to create an AKS cluster with Terraform.
Note that there is much more configuration required, but once created, you have more flexibility and control over the code. You also have more code to maintain!
Let’s dive into the registry module source code to look at the defaults and explore the available options.
The source code on GitHub for the module is linked from the Terraform registry page.
On the README page, the available inputs and outputs are listed, which, when set, allow you to customize your deployment. These are also listed on the Terraform registry page, as with all modules.
The providers used by the module are listed on the dependencies tab. These are downloaded and installed automatically upon terraform init.
To adhere to recommended security settings when deploying an AKS cluster, the module sets some recommended defaults from the Azure policies section at Bridgecrew by Prisma Cloud, such as ensuring AKS uses a disk encryption set. You can check out their recommendations for your cluster here.
To show how to use the Registry module with some custom values, we will run through an example configuration.
On the Terraform registry page, you will notice there are two required inputs, prefix and resource_group_name. These will need to be defined.
I’ll add a prefix of “test” and import a resource group I previously created called “aks-test-rg”.
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.40.0"
}
}
}
provider "azurerm" {
features {}
}
module "aks_example_named_cluster" {
source = "Azure/aks/azurerm/"
version = "6.2.0"
prefix = "test"
resource_group_name = "aks-test-rg"
}From the available optional values, I will set the admin_usernameto “testaksadmin”.
I will turn on the Azure Policy Addon:
I will link my AKS cluster to my previously created log analytics workspace by setting cluster_log_analytics_workspace_name to “test-aks-law”.
I will set the cluster name to adhere with my naming convention by setting cluster_name to “jr-test-aks”.
I will define the locationof my cluster as “uksouth”.
I will set the log_retention_in_days to “365” days:
My code now looks like this:
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.40.0"
}
}
}
provider "azurerm" {
features {}
}
module "aks_example_named_cluster" {
source = "Azure/aks/azurerm"
version = "6.2.0"
prefix = "test"
resource_group_name = "aks-test-rg"
admin_username = "testaksadmin"
azure_policy_enabled = true
cluster_log_analytics_workspace_name = "test-aks-law"
cluster_name = "jr-test-aks"
location = "uksouth"
log_retention_in_days = "365"
}Run terraform init (make sure you have the latest Terraform version! by typing terraform version to avoid unexpected errors!)
terraform plan
Take a look at the resources the module will create. For example, it includes an SSH private key to support your deployment!
terraform apply
Of course, there are many more options and outputs to explore, enabling you to tailor your AKS deployment to your requirements.
Don’t forget to clean up!
terraform destroy
Using the official azurerm AKS Terraform public registry module is the fastest and arguably easiest way to create a Kubernetes cluster on Azure. You can customize your deployment as required by adding inputs and outputs to your configuration, as shown in the example above.
However, for full control and flexibility, creating and maintaining your own AKS module or configuration may be preferable as you have full control over the code.
Don’t forget to take a look at how Spacelift helps you manage the complexities and compliance challenges of using Terraform. It brings with it a GitOps flow, so your infrastructure repository is synced with your Terraform Stacks, and pull requests show you a preview of what they’re planning to change. It also has an extensive selection of policies, which lets you automate compliance checks and build complex multi-stack workflows. You may also check how initialization policies work with Spacelift.
Thanks for reading!
Manage Terraform Better and Faster
If you are struggling with Terraform automation and management, check out Spacelift. It helps you manage Terraform state, build more complex workflows, and adds several must-have capabilities for end-to-end infrastructure management.
