This module sets up everything needed to run a Haven-compliant Kubernetes cluster in Azure: networking, DNS, AKS and Workload Identity configuration.
Requirements:

| Name | Version |
|---|---|
| terraform | ~> 1.11 |
| azurerm | ~> 4.58 |

Providers:

| Name | Version |
|---|---|
| azurerm | 4.58.0 |

No modules.

Resources:

| Name | Type |
|---|---|
| azurerm_kubernetes_cluster.default | resource |
| azurerm_kubernetes_cluster_node_pool.userpool | resource |
| azurerm_log_analytics_workspace.default | resource |
| azurerm_monitor_diagnostic_setting.aks_audit_logs | resource |
| azurerm_public_ip.egress_ipv4 | resource |
| azurerm_public_ip.ingress_ipv4 | resource |
| azurerm_role_assignment.aks_identity_network_contributor | resource |
| azurerm_role_assignment.aks_identity_private_dns_zone_contributor | resource |
| azurerm_subnet.default | resource |
| azurerm_user_assigned_identity.aks_identity | resource |
| azurerm_virtual_network.default | resource |
| azurerm_virtual_network_peering.default | resource |
| azurerm_subnet.existing | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aks_additional_node_pools | (Optional) Map of additional node pools to create for the AKS cluster. | map(object({ | {} | no |
| aks_audit_categories | (Optional) List of audit categories to enable for the AKS cluster. This is recommended for security compliance. | list(string) | [ | no |
| aks_authorized_ip_ranges | (Optional) List of authorized IP ranges for API server access. For security compliance, specify your organization's IP ranges. | list(string) | [ | no |
| aks_azure_active_directory_role_based_access_control | (Optional) Azure Active Directory integration for RBAC. Required when local_account_disabled is true. | object({ | null | no |
| aks_default_node_pool | (Required) Configuration for the default node pool in the AKS cluster. | object({ | n/a | yes |
| automatic_upgrade_channel | (Optional) The automatic upgrade channel for the AKS cluster. | string | "patch" | no |
| azure_policy_enabled | (Optional) Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service. Defaults to true. | bool | true | no |
| disk_encryption_set_id | (Optional) The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. | string | null | no |
| dns_prefix | (Optional) The DNS prefix for the AKS cluster. This will be used to create the DNS records. | string | null | no |
| enable_audit_logs | (Optional) Enable audit logs for security compliance. This is recommended for production clusters. | bool | true | no |
| existing_log_analytics_workspace_id | (Optional) ID of an existing Log Analytics workspace to use for AKS monitoring. If not provided, a new workspace will be created. | string | null | no |
| image_cleaner_enabled | (Optional) Enable the image cleaner to remove unused images from the AKS cluster. | bool | true | no |
| image_cleaner_interval_hours | (Optional) Interval in hours for the image cleaner to run. | number | 48 | no |
| key_vault_secrets_provider | (Optional) Key Vault Secrets Provider configuration for enhanced secret management. | object({ | { | no |
| kubernetes_version | (Required) The Kubernetes version to use for the AKS cluster. | string | n/a | yes |
| loadbalancer_ips | (Optional) The loadbalancer IP address(es) of the public ingress controller. If not provided, an azurerm_public_ip will be created. | list(string) | [] | no |
| local_account_disabled | (Optional) Disable local accounts for security compliance. This is recommended. | bool | false | no |
| location | (Required) Azure region where resources will be created. | string | n/a | yes |
| log_analytics_destination_type | (Optional) Possible values are AzureDiagnostics and Dedicated. When set to Dedicated, logs sent to a Log Analytics workspace will go into resource-specific tables instead of the legacy AzureDiagnostics table. | string | "Dedicated" | no |
| microsoft_defender_enabled | (Optional) Enable Microsoft Defender for Containers. | bool | false | no |
| name | (Required) The name of the AKS cluster. | string | n/a | yes |
| network_profile | (Optional) Network configuration for the AKS cluster. To use Azure CNI powered by Cilium, set network_data_plane to 'cilium', network_policy to 'cilium', and either network_plugin_mode to 'overlay' or configure pod_subnet_id on the default node pool. | object({ | { | no |
| oidc_issuer_enabled | (Optional) Enable the OIDC issuer for the AKS cluster. | bool | true | no |
| private_cluster_enabled | (Optional) Enable private cluster mode for the AKS cluster. | bool | false | no |
| private_dns_zone_id | (Optional) ID of the private DNS zone to use for the AKS cluster. Required if private_cluster_enabled is true. | string | null | no |
| resource_group_name | (Required) Name of the resource group where resources will be created. | string | n/a | yes |
| role_based_access_control_enabled | (Optional) Enable role-based access control (RBAC) for the AKS cluster. This is recommended for security compliance. | bool | true | no |
| sku_tier | (Optional) The SKU tier for the AKS cluster. Standard is recommended for production Haven clusters. | string | "Standard" | no |
| storage_profile | (Optional) Storage profile configuration for the AKS cluster. | object({ | { | no |
| tags | (Optional) A map of tags to assign to all resources. | map(string) | { | no |
| virtual_network | (Required) Virtual network configuration for the AKS cluster. If is_existing is true, id must be provided. | object({ | n/a | yes |
| workload_autoscaler_profile | (Optional) Workload autoscaler profile for the AKS cluster. | object({ | { | no |
| workload_identity_enabled | (Optional) Enable workload identity for the AKS cluster. | bool | true | no |
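A module call that sets the security-relevant inputs from the table above, as an added example that is not taken from the module's own examples directory. The scalar input names and defaults come from the table; the field names inside the object-typed inputs (aks_default_node_pool, virtual_network, aks_azure_active_directory_role_based_access_control) are assumptions because their schemas are truncated in this README, and the source path, IP range, tenant and group IDs are placeholders.

```hcl
# Added example, not the module's own code. Field names marked ASSUMED are
# guesses; verify them against the module's variables.tf before use.
module "aks" {
  source = "../"  # placeholder path to this module

  name                = "haven-prod"
  location            = "westeurope"
  resource_group_name = "rg-haven-prod"
  kubernetes_version  = "1.31"  # placeholder; pick a version AKS currently supports

  # These already default to the secure value; stated explicitly so a
  # reviewer sees them without reading variables.tf.
  role_based_access_control_enabled = true
  oidc_issuer_enabled               = true
  workload_identity_enabled         = true
  enable_audit_logs                 = true
  azure_policy_enabled              = true
  sku_tier                          = "Standard"

  # These default to false and are worth turning on for a Haven cluster.
  local_account_disabled     = true  # requires the AAD RBAC block below
  microsoft_defender_enabled = true

  # The default is an empty list, which leaves a public API server reachable
  # from any source address. Restrict it to the organisation's egress ranges.
  # (A private cluster via private_cluster_enabled plus private_dns_zone_id
  # is the alternative; AKS does not combine it with authorized IP ranges.)
  aks_authorized_ip_ranges = ["203.0.113.0/24"]  # placeholder documentation range

  # Required once local_account_disabled = true. Field names ASSUMED.
  aks_azure_active_directory_role_based_access_control = {
    tenant_id              = "00000000-0000-0000-0000-000000000000"   # placeholder
    admin_group_object_ids = ["11111111-1111-1111-1111-111111111111"] # placeholder
    azure_rbac_enabled     = true
  }

  # Field names ASSUMED.
  aks_default_node_pool = {
    name       = "system"
    vm_size    = "Standard_D4s_v5"
    node_count = 3
  }

  # is_existing and id are documented in the table; any address-space
  # fields the object also needs are ASSUMED absent here.
  virtual_network = {
    is_existing = false
    id          = null
  }

  tags = { environment = "prod" }
}
```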
Outputs:

| Name | Description |
|---|---|
| cluster_name | Name of the AKS cluster |
| cluster_oidc_issuer_url | OIDC issuer URL of the AKS cluster, used to federate Workload Identity credentials |
| kubeconfig_raw | Raw kubeconfig for the AKS cluster |
| kubelet_identity | The kubelet identity of the AKS cluster used for pulling container images |
| load_balancer_ips | IP address(es) of the public ingress load balancer |
| subnet_id | ID of the subnet the AKS cluster is deployed into |
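How the cluster_oidc_issuer_url output is consumed to give a workload an Azure identity without a stored secret, as an added example that is not part of the module. It assumes the module was instantiated as module "aks" with oidc_issuer_enabled and workload_identity_enabled left at their default of true, that a kubernetes provider is configured against the cluster, and uses placeholder names and a placeholder Key Vault scope.

```hcl
# Added example, not the module's own code. Assumes module "aks" from this
# README and a configured kubernetes provider; names and scopes are placeholders.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-haven-app"
  location            = "westeurope"
  resource_group_name = "rg-haven-prod"
}

# Trust exactly one ServiceAccount: the subject pins namespace and name, the
# issuer is the cluster's OIDC endpoint from the module output, and the
# audience is the fixed Entra token-exchange value.
resource "azurerm_federated_identity_credential" "app" {
  name                = "fic-haven-app"
  resource_group_name = azurerm_user_assigned_identity.app.resource_group_name
  parent_id           = azurerm_user_assigned_identity.app.id
  issuer              = module.aks.cluster_oidc_issuer_url
  subject             = "system:serviceaccount:app-ns:app-sa"
  audience            = ["api://AzureADTokenExchange"]
}

# Least privilege: grant only the role the workload needs, at the narrowest
# scope. The scope below is a placeholder.
resource "azurerm_role_assignment" "app_kv" {
  scope                = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<kv>"
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}

# Cluster side: the ServiceAccount named in the subject above, annotated with
# the identity's client ID. Pods must also carry the label
# azure.workload.identity/use = "true" for the token to be projected.
resource "kubernetes_service_account_v1" "app" {
  metadata {
    name      = "app-sa"
    namespace = "app-ns"
    annotations = {
      "azure.workload.identity/client-id" = azurerm_user_assigned_identity.app.client_id
    }
  }
}
```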
This module includes comprehensive examples to help you get started:
- minimal: A complete AKS cluster with all infrastructure created by the module
- existing-infrastructure: AKS cluster using existing VNet, DNS, and Log Analytics workspace
See the CONTRIBUTING.md file for detailed usage instructions and best practices.
This module includes a comprehensive integration test suite that validates both examples:

```bash
# Test the minimal example
cd examples && ./integration-test.sh minimal

# Test the existing-infrastructure example
cd examples && ./integration-test.sh existing-infrastructure

# Test all examples
cd examples && ./integration-test.sh all

# Dry run (no actual deployment)
DRY_RUN=true ./integration-test.sh all

# Skip infrastructure destruction (for debugging)
SKIP_DESTROY=true ./integration-test.sh minimal

# CI/CD mode (no colors, structured output)
CI_MODE=true ./integration-test.sh all
```

The integration test suite:
- Validates Terraform configuration and formatting
- Deploys the complete infrastructure
- Tests AKS cluster connectivity and basic operations
- Validates monitoring integration
- Tests DNS configuration (if applicable)
- Generates GitLab CI-compatible JUnit XML reports
- Automatically destroys infrastructure after testing

After running tests, you'll find detailed reports in the test-results/ directory:
- integration-test-report.xml - JUnit XML report for CI/CD integration
- integration-test.log - Detailed execution log
- summary.txt - Human-readable test summary