• Fork this repo
• Create a new Azure Entra Application and with Federated credentials assigned to your repo.
• Create the following GH Actions secrets:
  • azure_client_id: The Application (client) ID of the Azure AD Application.
  • azure_tenant_id: The Directory (tenant) ID of the Azure AD Application.
  • azure_subscription_id: The Subscription ID of the Azure Subscription.
• Be sure to give the Azure Entra Application you created permissions to the Azure Subscription you are going to use.
• Create a storage account and update the main.tf backend configuration with the storage account name and container name.
• Be sure to give the Azure Entra Application you created permissions to the Storage Account you are going to use with the Storage Blob Data Contributor role and Storage Account Key Operator Service Role role.

❗ The pre-commit hooks are only running on staged files.

To set up pre-commit hooks for terraform files, run the following commands:

brew install pre-commit
pre-commit install

If you want to uninstall the pre-commit hooks, run the following command:

pre-commit uninstall

There are 2 feature flags located in the main variable.tf file that can be used to enable/disable features.

• Enable Bastion
• Enable AKS

ℹ️ Az cli preview: Be sure to install the az cli preview version to be able to use the az aks update command.

The terraform workflow, will create the amongst others, an AKS cluster with VNetIntegration.

If you wanted you can turn on and off the public IP. A bastion host is used to access a private cluster. Following the guide at: https://learn.microsoft.com/en-US/azure/aks/api-server-vnet-integration#enable-or-disable-private-cluster-mode-on-an-existing-cluster-with-api-server-vnet-integration.

For the jump-host this repo creates a Linux VM with the Azure AD SSH Login for Linux extension installed. This enables us to login using our Azure AD credentials, e.g.,

az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "AAD"

• AKS Networking Update - John Savill's Technical Training
• Terraform provider
• Azure Kubernetes Service with VNet Integration doc
• Azure Kubernetes Service with VNet Integration - bring your own VNet doc

• It is not possible to enable K8s API server whitelist when using VNet integration and private cluster.
• Due to an Azure Bastion limitation it is not possible to RDP or SSH using Azure AD login through the portal. You have to use the AZ CLI command like the example above.