- Fork this repo
- Create a new Azure Entra Application and with Federated credentials assigned to your repo.
- Create the following GH Actions secrets:
azure_client_id: The Application (client) ID of the Azure AD Application.azure_tenant_id: The Directory (tenant) ID of the Azure AD Application.azure_subscription_id: The Subscription ID of the Azure Subscription.
- Be sure to give the Azure Entra Application you created permissions to the Azure Subscription you are going to use.
- Create a storage account and update the main.tf backend configuration with the storage account name and container name.
- Be sure to give the Azure Entra Application you created permissions to the Storage Account you are going to use with the Storage Blob Data Contributor role and Storage Account Key Operator Service Role role.
❗ The pre-commit hooks are only running on staged files.
To set up pre-commit hooks for terraform files, run the following commands:
brew install pre-commit
pre-commit installIf you want to uninstall the pre-commit hooks, run the following command:
pre-commit uninstallThere are 2 feature flags located in the main variable.tf file that can be used to enable/disable features.
- Enable Bastion
- Enable AKS
The terraform workflow, will create the amongst others, an AKS cluster with VNetIntegration.
Now the AKS cluster has a public IP but the communication between the API server and the nodes are private.
Next let's see how we can turn off the public IP and use a bastion host to access the cluster. Following the guide at: https://learn.microsoft.com/en-US/azure/aks/api-server-vnet-integration#enable-or-disable-private-cluster-mode-on-an-existing-cluster-with-api-server-vnet-integration
- AKS Networking Update - John Savill's Technical Training
- Terraform provider
- Azure Kubernetes Service with VNet Integration doc
- Azure Kubernetes Service with VNet Integration - bring your own VNet doc
