aks-private-cluster.tf
# Custom private DNS zone for the AKS API server. The zone is owned by this
# workload's resource group but gets linked (further down) to the centralized
# DNS solution VNET, so the hub resolver can answer the private cluster FQDN.
resource "azurerm_private_dns_zone" "aks-dns" {
  resource_group_name = azurerm_resource_group.rg.name
  name                = var.custom-dns-subdomain-zone-name
}
# Read-only lookup of the hub VNET that hosts the centralized DNS solution.
# It lives in a different subscription, hence the aliased provider; nothing
# in that subscription is mutated by this data source.
data "azurerm_virtual_network" "central_dns_vnet" {
  provider            = azurerm.centralized-dns-subscription
  resource_group_name = var.central_dns_vnet_rg
  name                = var.central_dns_vnet
}
# Attach the cluster's private zone to the hub VNET so hub-side resolvers can
# serve it. Auto-registration is deliberately off: hub VMs must not write
# their own hostnames into this zone; the only writer is the AKS control
# plane, via the "Private DNS Zone Contributor" assignment on the zone.
resource "azurerm_private_dns_zone_virtual_network_link" "hublink" {
  name                  = "hublink"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.aks-dns.name
  virtual_network_id    = data.azurerm_virtual_network.central_dns_vnet.id
  registration_enabled  = false
}
# Let the cluster's user-assigned identity publish the API-server record into
# the custom zone. Scope is the single zone resource, which is the narrowest
# scope that works for a BYO private DNS zone.
resource "azurerm_role_assignment" "aks-to-dnszone" {
  principal_id         = azurerm_user_assigned_identity.uaid1.principal_id
  role_definition_name = "Private DNS Zone Contributor"
  scope                = azurerm_private_dns_zone.aks-dns.id
}
# Let the cluster identity attach nodes and load balancers to the spoke VNET.
# NOTE(review): "Network Contributor" is granted on the entire spoke VNET here;
# if only the AKS node subnet (azurerm_subnet.spoke_akscni) needs it, scoping
# the assignment to that subnet id would be tighter — confirm against what the
# cluster actually provisions before narrowing.
resource "azurerm_role_assignment" "aks-to-vnet" {
  principal_id         = azurerm_user_assigned_identity.uaid1.principal_id
  role_definition_name = "Network Contributor"
  scope                = azurerm_virtual_network.spoke_vnet.id
}
# Private AKS cluster. The API server is reachable only through its private
# endpoint, whose record is published into the custom zone above; no public
# FQDN is exposed and all node egress is forced through the route table.
resource "azurerm_kubernetes_cluster" "akscluster" {
  name                = local.cluster_name
  location            = local.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "aks"

  # Private control plane with a bring-your-own DNS zone; public FQDN off.
  private_cluster_enabled             = true
  private_cluster_public_fqdn_enabled = false
  private_dns_zone_id                 = azurerm_private_dns_zone.aks-dns.id

  # Kubernetes RBAC is enabled, but this block sets neither an Azure AD
  # integration block nor local_account_disabled, so the local cluster-admin
  # credential stays retrievable. NOTE(review): if the intent is that every
  # operator authenticates through Entra ID, add
  # azure_active_directory_role_based_access_control and set
  # local_account_disabled — confirm with the cluster owners.
  role_based_access_control_enabled = true

  # User-assigned identity: its role assignments (zone + VNET) are created
  # before the cluster and listed in depends_on below.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.uaid1.id]
  }

  default_node_pool {
    name            = "defaultpool"
    type            = "VirtualMachineScaleSets"
    vm_size         = "Standard_B2as_v2"
    node_count      = 2
    os_disk_size_gb = 30
    zones           = [1, 2, 3]
    vnet_subnet_id  = azurerm_subnet.spoke_akscni.id
  }

  network_profile {
    network_plugin = "azure"
    # userDefinedRouting: egress goes via the associated route table (firewall)
    # rather than a cluster-managed public IP / load balancer outbound rule.
    outbound_type  = "userDefinedRouting"
    service_cidr   = "192.168.100.0/24"
    dns_service_ip = "192.168.100.10"
    # NOTE(review): docker_bridge_cidr is deprecated in newer azurerm provider
    # releases; kept as-is here for parity — confirm the provider version
    # pinned for this module before removing it.
    docker_bridge_cidr = "172.17.0.1/16"
  }

  depends_on = [
    # AKS validates that the node subnet already has a route table attached
    azurerm_subnet_route_table_association.FWRouteAssoc,
    # zone and VNET permissions must exist before the control plane
    # publishes its DNS record and joins the subnet
    azurerm_role_assignment.aks-to-vnet,
    azurerm_role_assignment.aks-to-dnszone,
    # hub connectivity must be up so the private endpoint is reachable
    azurerm_virtual_hub_connection.hubconnection
  ]

  lifecycle {
    # Changes to the default node pool made outside Terraform are not
    # reverted on apply. NOTE(review): this also masks drift in vm_size,
    # node_count and vnet_subnet_id, so out-of-band changes to those go
    # unnoticed by plan — keep this in mind when reviewing node-pool posture.
    ignore_changes = [default_node_pool]
  }
}