如何使用 Terraform 在现有 VNET 中创建专用 AKS 群集
How to create a private AKS cluster in an existing VNET using Terraform
我正在尝试使用 Terraform 预配(provision)一个私有 AKS 集群,并希望把它接入我之前通过 Azure 门户创建的现有 VNET。
Azure 门户的创建向导中提供了"虚拟网络"选项,请参见下图。
但是,azurerm_kubernetes_cluster 上的 terraform 文档关于如何实现这一点的信息非常有限。
请在下方找到我的main.tf
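resource "azurerm_kubernetes_cluster" "kubernetes_cluster" {
  name                = var.cluster_name
  location            = var.location
  resource_group_name = var.resource_group_name
  # Required by the azurerm provider; the original excerpt omitted it.
  dns_prefix          = var.cluster_name

  # No public API-server endpoint; AKS creates a private endpoint for the
  # control plane inside the node subnet instead.
  private_cluster_enabled = true

  default_node_pool {
    name       = "default"
    node_count = var.node_count
    vm_size    = var.vm_size
    max_pods   = var.max_pods_count
    # This argument is what attaches the cluster to an existing VNET: the ID
    # of a subnet in that VNET (e.g. from a data "azurerm_subnet" lookup).
    # With the Azure CNI plugin every pod takes an IP from this subnet, so
    # size it for node_count * (max_pods + 1) addresses.
    vnet_subnet_id = var.subnet_id
  }

  # The Kubernetes dashboard add-on is deprecated on AKS and exposes a
  # cluster-admin web UI; keep it disabled (or drop this block entirely).
  kube_dashboard {
    enabled = false
  }

  network_profile {
    network_plugin = "azure"
  }

  # A cluster identity (or service principal) is required. For a
  # customer-managed subnet it must be granted Network Contributor on that
  # subnet before the cluster is created.
  identity {
    type = "SystemAssigned"
  }
}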
请注意,VNET和要创建的集群共享相同的位置和资源组。
如能指点如何用 Terraform 在现有 VNET 中预配私有 AKS 集群,将不胜感激。
我沿用了 GitHub 上的现有示例代码并做了几处修改:由于 VNET 已经存在,我改用 data 块(而不是 resource 块)读取现有 VNET 的信息;同时不再使用默认子网,而是为 AKS 节点单独创建了一个子网,并为防火墙另外创建了一个子网。
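terraform {
  required_version = ">= 0.14"

  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      # Pessimistic constraint: stay on the 2.x line. This configuration
      # uses 2.x-only arguments (identity.user_assigned_identity_id), and an
      # open-ended ">=" would let a fresh `terraform init` pull 3.x/4.x and
      # break the plan. Commit .terraform.lock.hcl to pin the exact version.
      version = "~> 2.50"
    }
  }
}

provider "azurerm" {
  features {}
}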
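# Local values shared by every resource below.
locals {
  environment             = "test"
  resource_group          = "AKS-test"
  resource_group_location = "East US"
  name_prefix             = "private-aks"
  # Both subnets are carved out of the existing VNET's 10.3.0.0/16 space.
  # They must not overlap each other, any existing subnet, or the cluster's
  # service_cidr (provider default 10.0.0.0/16).
  aks_node_prefix = ["10.3.1.0/24"]
  firewall_prefix = ["10.3.2.0/24"]
}

# Existing VNET (address space 10.3.0.0/16) created outside Terraform. It is
# read with a data source so Terraform never tries to create or destroy it.
# The resource group is taken from locals instead of being repeated literally.
data "azurerm_virtual_network" "base" {
  name                = "existing-vnet"
  resource_group_name = local.resource_group
}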
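# Node subnet. With Azure CNI every pod takes an IP here, so a /24 caps the
# cluster at roughly node_count * (max_pods + 1) addresses.
resource "azurerm_subnet" "aks" {
  name = "snet-${local.name_prefix}-${local.environment}"
  # A subnet lives in its VNET's resource group; derive it from the data
  # source rather than repeating the name.
  resource_group_name  = data.azurerm_virtual_network.base.resource_group_name
  virtual_network_name = data.azurerm_virtual_network.base.name
  address_prefixes     = local.aks_node_prefix
}

# Azure Firewall requires a subnet literally named "AzureFirewallSubnet"
# (minimum /26); do not rename it.
resource "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = data.azurerm_virtual_network.base.resource_group_name
  virtual_network_name = data.azurerm_virtual_network.base.name
  address_prefixes     = local.firewall_prefix
}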
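# Cluster control-plane identity. User-assigned so its principal ID exists
# before the cluster does and the role assignment can precede cluster creation.
resource "azurerm_user_assigned_identity" "base" {
  name                = "mi-${local.name_prefix}-${local.environment}"
  resource_group_name = local.resource_group
  # Keep it in the same region as the network resources it manages.
  location = data.azurerm_virtual_network.base.location
}

# Least-privilege grants. AKS needs Network Contributor on the node subnet
# (NICs, internal load balancers) and, because outbound_type is
# userDefinedRouting, on the route table attached to that subnet. Scoping to
# these two resources instead of the whole resource group also removes the
# hard-coded subscription ID. The resource is still referenced as a whole
# (azurerm_role_assignment.base) in depends_on.
resource "azurerm_role_assignment" "base" {
  for_each = {
    subnet      = azurerm_subnet.aks.id
    route_table = azurerm_route_table.base.id
  }

  scope                = each.value
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_user_assigned_identity.base.principal_id
}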
# Route table bound to the node subnet; forces all node egress through the firewall.
resource "azurerm_route_table" "base" {
  name                = format("rt-%s-%s", local.name_prefix, local.environment)
  location            = data.azurerm_virtual_network.base.location
  resource_group_name = local.resource_group
}

# Default route: 0.0.0.0/0 -> the firewall's private IP as a virtual appliance.
resource "azurerm_route" "base" {
  name                   = format("dg-%s", local.environment)
  resource_group_name    = local.resource_group
  route_table_name       = azurerm_route_table.base.name
  address_prefix         = "0.0.0.0/0"
  next_hop_type          = "VirtualAppliance"
  next_hop_in_ip_address = azurerm_firewall.base.ip_configuration[0].private_ip_address
}

# Attach the route table to the AKS node subnet.
resource "azurerm_subnet_route_table_association" "base" {
  subnet_id      = azurerm_subnet.aks.id
  route_table_id = azurerm_route_table.base.id
}
# Static Standard-SKU public IP used by the firewall for outbound SNAT.
resource "azurerm_public_ip" "base" {
  name                = "pip-firewall"
  resource_group_name = local.resource_group
  location            = data.azurerm_virtual_network.base.location
  sku                 = "Standard"
  allocation_method   = "Static"
}

# Egress firewall.
# NOTE(review): Azure Firewall denies all traffic until rules are added, so
# with outbound_type = "userDefinedRouting" the nodes cannot reach MCR, the
# Ubuntu/Microsoft update endpoints, etc. Add at least an application rule
# collection using the "AzureKubernetesService" FQDN tag plus network rules
# for NTP (UDP 123) and DNS before relying on this cluster; see the AKS
# "Control egress traffic" documentation for the required list.
resource "azurerm_firewall" "base" {
  name                = format("fw-%s-%s", local.name_prefix, local.environment)
  resource_group_name = local.resource_group
  location            = data.azurerm_virtual_network.base.location

  ip_configuration {
    name                 = format("ip-%s-%s", local.name_prefix, local.environment)
    subnet_id            = azurerm_subnet.firewall.id
    public_ip_address_id = azurerm_public_ip.base.id
  }
}
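# Private AKS cluster placed in the existing VNET through
# default_node_pool.vnet_subnet_id.
resource "azurerm_kubernetes_cluster" "base" {
  name = "${local.name_prefix}-${local.environment}"
  # The cluster must be in the VNET's region to use its subnet; derive it
  # from the data source instead of a separate literal.
  location            = data.azurerm_virtual_network.base.location
  resource_group_name = local.resource_group
  dns_prefix          = "dns-${local.name_prefix}-${local.environment}"

  # No public API-server endpoint; AKS creates a private endpoint in the node subnet.
  private_cluster_enabled = true

  network_profile {
    network_plugin = "azure"
    # Pod-to-pod traffic is unrestricted unless a policy engine is enabled;
    # turn one on so Kubernetes NetworkPolicy objects are enforced. This can
    # only be set at cluster creation.
    network_policy = "azure"
    # No public load balancer/NAT for egress: nodes use the subnet's route
    # table (0.0.0.0/0 -> firewall). AKS checks for a default route at create time.
    outbound_type = "userDefinedRouting"
  }

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
    # This is what places the nodes in the existing VNET.
    vnet_subnet_id = azurerm_subnet.aks.id
  }

  identity {
    type                      = "UserAssigned"
    user_assigned_identity_id = azurerm_user_assigned_identity.base.id
  }

  # The default route must exist and the identity must already hold Network
  # Contributor before the cluster is created. Azure RBAC propagation is
  # eventually consistent; if creation fails with an authorization error,
  # re-run the apply.
  depends_on = [
    azurerm_route.base,
    azurerm_role_assignment.base
  ]
}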
参考: Github
测试前:
对上面的代码执行 terraform plan:
应用代码后:
部署后:
我正在尝试使用 Terraform 预配(provision)一个私有 AKS 集群,并希望把它接入我之前通过 Azure 门户创建的现有 VNET。
Azure 门户的创建向导中提供了"虚拟网络"选项,请参见下图。
但是,azurerm_kubernetes_cluster 上的 terraform 文档关于如何实现这一点的信息非常有限。
请在下方找到我的main.tf
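resource "azurerm_kubernetes_cluster" "kubernetes_cluster" {
  name                = var.cluster_name
  location            = var.location
  resource_group_name = var.resource_group_name
  # Required by the azurerm provider; the original excerpt omitted it.
  dns_prefix          = var.cluster_name

  # No public API-server endpoint; AKS creates a private endpoint for the
  # control plane inside the node subnet instead.
  private_cluster_enabled = true

  default_node_pool {
    name       = "default"
    node_count = var.node_count
    vm_size    = var.vm_size
    max_pods   = var.max_pods_count
    # This argument is what attaches the cluster to an existing VNET: the ID
    # of a subnet in that VNET (e.g. from a data "azurerm_subnet" lookup).
    # With the Azure CNI plugin every pod takes an IP from this subnet, so
    # size it for node_count * (max_pods + 1) addresses.
    vnet_subnet_id = var.subnet_id
  }

  # The Kubernetes dashboard add-on is deprecated on AKS and exposes a
  # cluster-admin web UI; keep it disabled (or drop this block entirely).
  kube_dashboard {
    enabled = false
  }

  network_profile {
    network_plugin = "azure"
  }

  # A cluster identity (or service principal) is required. For a
  # customer-managed subnet it must be granted Network Contributor on that
  # subnet before the cluster is created.
  identity {
    type = "SystemAssigned"
  }
}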
请注意,VNET和要创建的集群共享相同的位置和资源组。
如能指点如何用 Terraform 在现有 VNET 中预配私有 AKS 集群,将不胜感激。
我沿用了 GitHub 上的现有示例代码并做了几处修改:由于 VNET 已经存在,我改用 data 块(而不是 resource 块)读取现有 VNET 的信息;同时不再使用默认子网,而是为 AKS 节点单独创建了一个子网,并为防火墙另外创建了一个子网。
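terraform {
  required_version = ">= 0.14"

  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      # Pessimistic constraint: stay on the 2.x line. This configuration
      # uses 2.x-only arguments (identity.user_assigned_identity_id), and an
      # open-ended ">=" would let a fresh `terraform init` pull 3.x/4.x and
      # break the plan. Commit .terraform.lock.hcl to pin the exact version.
      version = "~> 2.50"
    }
  }
}

provider "azurerm" {
  features {}
}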
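# Local values shared by every resource below.
locals {
  environment             = "test"
  resource_group          = "AKS-test"
  resource_group_location = "East US"
  name_prefix             = "private-aks"
  # Both subnets are carved out of the existing VNET's 10.3.0.0/16 space.
  # They must not overlap each other, any existing subnet, or the cluster's
  # service_cidr (provider default 10.0.0.0/16).
  aks_node_prefix = ["10.3.1.0/24"]
  firewall_prefix = ["10.3.2.0/24"]
}

# Existing VNET (address space 10.3.0.0/16) created outside Terraform. It is
# read with a data source so Terraform never tries to create or destroy it.
# The resource group is taken from locals instead of being repeated literally.
data "azurerm_virtual_network" "base" {
  name                = "existing-vnet"
  resource_group_name = local.resource_group
}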
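# Node subnet. With Azure CNI every pod takes an IP here, so a /24 caps the
# cluster at roughly node_count * (max_pods + 1) addresses.
resource "azurerm_subnet" "aks" {
  name = "snet-${local.name_prefix}-${local.environment}"
  # A subnet lives in its VNET's resource group; derive it from the data
  # source rather than repeating the name.
  resource_group_name  = data.azurerm_virtual_network.base.resource_group_name
  virtual_network_name = data.azurerm_virtual_network.base.name
  address_prefixes     = local.aks_node_prefix
}

# Azure Firewall requires a subnet literally named "AzureFirewallSubnet"
# (minimum /26); do not rename it.
resource "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = data.azurerm_virtual_network.base.resource_group_name
  virtual_network_name = data.azurerm_virtual_network.base.name
  address_prefixes     = local.firewall_prefix
}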
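# Cluster control-plane identity. User-assigned so its principal ID exists
# before the cluster does and the role assignment can precede cluster creation.
resource "azurerm_user_assigned_identity" "base" {
  name                = "mi-${local.name_prefix}-${local.environment}"
  resource_group_name = local.resource_group
  # Keep it in the same region as the network resources it manages.
  location = data.azurerm_virtual_network.base.location
}

# Least-privilege grants. AKS needs Network Contributor on the node subnet
# (NICs, internal load balancers) and, because outbound_type is
# userDefinedRouting, on the route table attached to that subnet. Scoping to
# these two resources instead of the whole resource group also removes the
# hard-coded subscription ID. The resource is still referenced as a whole
# (azurerm_role_assignment.base) in depends_on.
resource "azurerm_role_assignment" "base" {
  for_each = {
    subnet      = azurerm_subnet.aks.id
    route_table = azurerm_route_table.base.id
  }

  scope                = each.value
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_user_assigned_identity.base.principal_id
}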
# Route table bound to the node subnet; forces all node egress through the firewall.
resource "azurerm_route_table" "base" {
  name                = format("rt-%s-%s", local.name_prefix, local.environment)
  location            = data.azurerm_virtual_network.base.location
  resource_group_name = local.resource_group
}

# Default route: 0.0.0.0/0 -> the firewall's private IP as a virtual appliance.
resource "azurerm_route" "base" {
  name                   = format("dg-%s", local.environment)
  resource_group_name    = local.resource_group
  route_table_name       = azurerm_route_table.base.name
  address_prefix         = "0.0.0.0/0"
  next_hop_type          = "VirtualAppliance"
  next_hop_in_ip_address = azurerm_firewall.base.ip_configuration[0].private_ip_address
}

# Attach the route table to the AKS node subnet.
resource "azurerm_subnet_route_table_association" "base" {
  subnet_id      = azurerm_subnet.aks.id
  route_table_id = azurerm_route_table.base.id
}
# Static Standard-SKU public IP used by the firewall for outbound SNAT.
resource "azurerm_public_ip" "base" {
  name                = "pip-firewall"
  resource_group_name = local.resource_group
  location            = data.azurerm_virtual_network.base.location
  sku                 = "Standard"
  allocation_method   = "Static"
}

# Egress firewall.
# NOTE(review): Azure Firewall denies all traffic until rules are added, so
# with outbound_type = "userDefinedRouting" the nodes cannot reach MCR, the
# Ubuntu/Microsoft update endpoints, etc. Add at least an application rule
# collection using the "AzureKubernetesService" FQDN tag plus network rules
# for NTP (UDP 123) and DNS before relying on this cluster; see the AKS
# "Control egress traffic" documentation for the required list.
resource "azurerm_firewall" "base" {
  name                = format("fw-%s-%s", local.name_prefix, local.environment)
  resource_group_name = local.resource_group
  location            = data.azurerm_virtual_network.base.location

  ip_configuration {
    name                 = format("ip-%s-%s", local.name_prefix, local.environment)
    subnet_id            = azurerm_subnet.firewall.id
    public_ip_address_id = azurerm_public_ip.base.id
  }
}
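# Private AKS cluster placed in the existing VNET through
# default_node_pool.vnet_subnet_id.
resource "azurerm_kubernetes_cluster" "base" {
  name = "${local.name_prefix}-${local.environment}"
  # The cluster must be in the VNET's region to use its subnet; derive it
  # from the data source instead of a separate literal.
  location            = data.azurerm_virtual_network.base.location
  resource_group_name = local.resource_group
  dns_prefix          = "dns-${local.name_prefix}-${local.environment}"

  # No public API-server endpoint; AKS creates a private endpoint in the node subnet.
  private_cluster_enabled = true

  network_profile {
    network_plugin = "azure"
    # Pod-to-pod traffic is unrestricted unless a policy engine is enabled;
    # turn one on so Kubernetes NetworkPolicy objects are enforced. This can
    # only be set at cluster creation.
    network_policy = "azure"
    # No public load balancer/NAT for egress: nodes use the subnet's route
    # table (0.0.0.0/0 -> firewall). AKS checks for a default route at create time.
    outbound_type = "userDefinedRouting"
  }

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
    # This is what places the nodes in the existing VNET.
    vnet_subnet_id = azurerm_subnet.aks.id
  }

  identity {
    type                      = "UserAssigned"
    user_assigned_identity_id = azurerm_user_assigned_identity.base.id
  }

  # The default route must exist and the identity must already hold Network
  # Contributor before the cluster is created. Azure RBAC propagation is
  # eventually consistent; if creation fails with an authorization error,
  # re-run the apply.
  depends_on = [
    azurerm_route.base,
    azurerm_role_assignment.base
  ]
}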
参考: Github
测试前:
对上面的代码执行 terraform plan:
应用代码后:
部署后: