Terraform module to integrate AKS as a meshPlatform into a meshStack instance. The output of this module is a set of Service Account credentials that need to be configured in meshStack as described in meshcloud public docs.
To run this module, you need:
- Cluster admin permissions on the cluster
- Terraform installed
- kubectl installed
To integrate an AKS cluster, you additionally need:
- An AKS cluster with Azure AD enabled
- RBAC-based user access integrated with the AKS cluster
Below is an example of how to use this module in your Terraform configuration:
```hcl
module "aks_meshplatform" {
  source = "path/to/this/module"

  # Namespace for the replicator and metering components
  namespace          = "meshcloud"
  metering_enabled   = true
  replicator_enabled = true

  # Usually the ID of the AKS subscription
  scope                  = "your-aks-subscription-id"
  service_principal_name = "replicator-service-principal"
  create_password        = true

  # Optional: settings for workload identity federation
  workload_identity_federation = {
    issuer         = "https://issuer.example.com"
    access_subject = "subject-claim"
  }

  application_owners = ["user1@example.com", "user2@example.com"]
}
```
After applying the configuration, you can retrieve the following outputs using `terraform output`:
- Replicator Service Principal Credentials: `terraform output replicator_service_principal`
- Replicator Service Principal Password: `terraform output replicator_service_principal_password`
- Metering Service Account Token: `terraform output metering_token`
- Replicator Service Account Token: `terraform output replicator_token`
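A check to run on the result of `terraform output -json` before these outputs reach a CI log, as an added example that is not part of this module: it reports credential outputs that are not flagged sensitive and masks their values for logging. The sample JSON is constructed, and the function names are hypothetical.

```python
import json

# Output names from this README that hold credentials, a password or tokens.
CREDENTIAL_OUTPUTS = (
    "replicator_service_principal",
    "replicator_service_principal_password",
    "metering_token",
    "replicator_token",
)


def audit_outputs(doc):
    """Return credential outputs that hold a value but are not flagged sensitive."""
    findings = []
    for name in CREDENTIAL_OUTPUTS:
        entry = doc.get(name)
        if entry is None or entry.get("value") is None:
            continue  # output absent or unset, nothing to leak
        if not entry.get("sensitive", False):
            findings.append(name)
    return findings


def redact(doc):
    """Return a copy of the outputs that is safe to log: credential values masked."""
    safe = {}
    for name, entry in doc.items():
        entry = dict(entry)  # shallow copy so the caller's data stays untouched
        if name in CREDENTIAL_OUTPUTS and entry.get("value") is not None:
            entry["value"] = "<redacted>"
        safe[name] = entry
    return safe


# Constructed sample in the shape printed by `terraform output -json`; values are
# placeholders, and the password output is left out to exercise the absent case.
SAMPLE = json.loads("""
{
  "metering_token": {"sensitive": true, "type": "string", "value": "constructed-token-a"},
  "replicator_token": {"sensitive": false, "type": "string", "value": "constructed-token-b"},
  "replicator_service_principal": {"sensitive": false, "type": ["object", {"id": "string"}], "value": {"id": "constructed-id"}}
}
""")

if __name__ == "__main__":
    print("not flagged sensitive:", audit_outputs(SAMPLE))
    print(json.dumps(redact(SAMPLE), indent=2))
```
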
Name | Version |
---|---|
azuread | >=3.0.2 |
azurerm | >=4.26.0 |
kubernetes | >=2.15.0 |
time | 0.13.0 |
Name | Source | Version |
---|---|---|
meshcloud-service-account-meshfed-metering | git::https://github.com/meshcloud/terraform-kubernetes-meshplatform.git//modules/meshcloud-service-account-meshfed-metering | v0.1.0 |
meshcloud-service-account-meshfed-replicator | git::https://github.com/meshcloud/terraform-kubernetes-meshplatform.git//modules/meshcloud-service-account-meshfed-replicator | v0.1.0 |
replicator_service_principal | ./modules/meshcloud-replicator-service-principal | n/a |
Name | Type |
---|---|
kubernetes_namespace.meshcloud | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
application_owners | List of user principals that should be added as owners to the replicator service principal. | list(string) | [] | no |
create_password | Create a password for the enterprise application. | bool | n/a | yes |
metering_additional_rules | n/a | list(object({ | [] | no |
metering_enabled | n/a | bool | true | no |
namespace | Name of the namespace where the replicator and metering components should be deployed. | string | "meshcloud" | no |
replicator_additional_rules | n/a | list(object({ | [] | no |
replicator_enabled | n/a | bool | true | no |
scope | The scope of the service principal. The scope is usually the ID of the AKS subscription. | string | n/a | yes |
service_principal_name | Display name of the replicator service principal. | string | n/a | yes |
workload_identity_federation | Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack. | object({ issuer = string, access_subject = string }) | null | no |
Name | Description |
---|---|
metering_expose_token | n/a |
metering_token | Metering Service Account Token. |
replicator_expose_token | n/a |
replicator_service_principal | Replicator Service Principal. |
replicator_service_principal_password | Password for Replicator Service Principal. |
replicator_token | n/a |