https://github.com/meshcloud/terraform-aks-meshplatform



# AKS meshPlatform Module

Terraform module to integrate AKS as a meshPlatform into a meshStack instance. The output of this module is a set of Service Account credentials that need to be configured in meshStack as described in [meshcloud public docs](https://docs.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform.html).

## Prerequisites

To run this module, you need:

- Cluster admin permissions on the cluster
- [Terraform installed](https://learn.hashicorp.com/tutorials/terraform/install-cli)
- [kubectl installed](https://kubernetes.io/docs/tasks/tools/#kubectl)

To integrate an AKS cluster, you additionally need:

- An AKS cluster with [Azure AD enabled](https://learn.microsoft.com/en-us/azure/aks/managed-aad)
- [RBAC-based user access](https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac) integrated with the AKS cluster

## Usage

Below is an example of how to use this module in your Terraform configuration:

```terraform
module "aks_meshplatform" {
  source = "path/to/this/module"

  # Kubernetes namespace for the replicator and metering components
  namespace          = "meshcloud"
  metering_enabled   = true
  replicator_enabled = true

  # Scope of the service principal, usually the AKS subscription id
  scope                  = "your-aks-subscription-id"
  service_principal_name = "replicator-service-principal"
  create_password        = true

  # Key names follow the input type: issuer and access_subject
  workload_identity_federation = {
    issuer         = "https://issuer.example.com"
    access_subject = "subject-claim"
  }

  application_owners = ["user1@example.com", "user2@example.com"]
}
```

## Outputs
After applying the configuration, you can retrieve the following outputs using `terraform output`:

- **Replicator Service Principal Credentials**
```bash
terraform output replicator_service_principal
```

- **Replicator Service Principal Password**
```bash
terraform output replicator_service_principal_password
```

- **Metering Service Account Token**
```bash
terraform output metering_token
```

- **Replicator Service Account Token**
```bash
terraform output replicator_token
```

## Requirements

| Name | Version |
|------|---------|
| [azuread](#requirement\_azuread) | >=3.0.2 |
| [azurerm](#requirement\_azurerm) | >=4.26.0 |
| [kubernetes](#requirement\_kubernetes) | >=2.15.0 |
| [time](#requirement\_time) | 0.13.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| [meshcloud-service-account-meshfed-metering](#module\_meshcloud-service-account-meshfed-metering) | git::https://github.com/meshcloud/terraform-kubernetes-meshplatform.git//modules/meshcloud-service-account-meshfed-metering | v0.2.0 |
| [meshcloud-service-account-meshfed-replicator](#module\_meshcloud-service-account-meshfed-replicator) | git::https://github.com/meshcloud/terraform-kubernetes-meshplatform.git//modules/meshcloud-service-account-meshfed-replicator | v0.2.0 |
| [replicator\_service\_principal](#module\_replicator\_service\_principal) | ./modules/meshcloud-replicator-service-principal | n/a |

## Resources

| Name | Type |
|------|------|
| [kubernetes_namespace.meshcloud](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [application\_owners](#input\_application\_owners) | List of user principals that should be added as owners to the replicator service principal. | `list(string)` | `[]` | no |
| [create\_password](#input\_create\_password) | Create a password for the enterprise application. | `bool` | n/a | yes |
| [existing\_clusterrole\_name\_metering](#input\_existing\_clusterrole\_name\_metering) | Name of an existing ClusterRole to use for metering instead of creating a new one. If empty, a new ClusterRole will be created. | `string` | `""` | no |
| [existing\_clusterrole\_name\_replicator](#input\_existing\_clusterrole\_name\_replicator) | Name of an existing ClusterRole to use for replicator instead of creating a new one. If empty, a new ClusterRole will be created. | `string` | `""` | no |
| [kubernetes\_name\_suffix\_metering](#input\_kubernetes\_name\_suffix\_metering) | Suffix to append to ClusterRole and ClusterRoleBinding names to support multiple metering instances | `string` | `""` | no |
| [kubernetes\_name\_suffix\_replicator](#input\_kubernetes\_name\_suffix\_replicator) | Suffix to append to ClusterRole and ClusterRoleBinding names to support multiple replicator instances | `string` | `""` | no |
| [metering\_additional\_rules](#input\_metering\_additional\_rules) | n/a | `list(object({ api_groups = list(string), resources = list(string), verbs = list(string), resource_names = optional(list(string)), non_resource_urls = optional(list(string)) }))` | `[]` | no |
| [metering\_enabled](#input\_metering\_enabled) | n/a | `bool` | `true` | no |
| [namespace](#input\_namespace) | name of the namespace where the replicator and metering components should be deployed | `string` | `"meshcloud"` | no |
| [replicator\_additional\_rules](#input\_replicator\_additional\_rules) | n/a | `list(object({ api_groups = list(string), resources = list(string), verbs = list(string), resource_names = optional(list(string)), non_resource_urls = optional(list(string)) }))` | `[]` | no |
| [replicator\_enabled](#input\_replicator\_enabled) | n/a | `bool` | `true` | no |
| [scope](#input\_scope) | The scope of the service principal. The scope is usually the id of the aks subscription | `string` | n/a | yes |
| [service\_principal\_name](#input\_service\_principal\_name) | Display name of the replicator service principal. | `string` | n/a | yes |
| [workload\_identity\_federation](#input\_workload\_identity\_federation) | Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack. | `object({ issuer = string, access_subject = string })` | `null` | no |
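
The following configuration is an added example, not part of the module's own README. It uses workload identity federation in place of a password and passes narrowly scoped entries to `replicator_additional_rules` and `metering_additional_rules` in the object shape listed above. All values, including the rule contents and the `example-config` name, are constructed for illustration, and it assumes the module accepts `create_password = false` together with `workload_identity_federation`.

```terraform
module "aks_meshplatform" {
  source = "path/to/this/module"

  namespace              = "meshcloud"
  scope                  = "your-aks-subscription-id"
  service_principal_name = "replicator-service-principal"

  # Federated credential instead of a password for the service principal.
  # Assumption: create_password = false is accepted alongside federation.
  create_password = false
  workload_identity_federation = {
    issuer         = "https://issuer.example.com" # constructed value
    access_subject = "subject-claim"              # constructed value
  }

  # Extra replicator permission, narrowed to one named object with
  # resource_names rather than granted on every ConfigMap.
  replicator_additional_rules = [
    {
      api_groups     = [""] # core API group
      resources      = ["configmaps"]
      verbs          = ["get"]
      resource_names = ["example-config"] # constructed name
    }
  ]

  # Extra read-only permission for metering; optional fields are omitted.
  metering_additional_rules = [
    {
      api_groups = ["storage.k8s.io"]
      resources  = ["storageclasses"]
      verbs      = ["get", "list"]
    }
  ]
}
```

Each entry is added to a ClusterRole, so it applies cluster-wide; keeping `verbs` to the minimum and setting `resource_names` where possible limits what the service account token can reach.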

## Outputs

| Name | Description |
|------|-------------|
| [metering\_expose\_token](#output\_metering\_expose\_token) | n/a |
| [metering\_token](#output\_metering\_token) | # METERING |
| [replicator\_expose\_token](#output\_replicator\_expose\_token) | n/a |
| [replicator\_service\_principal](#output\_replicator\_service\_principal) | Replicator Service Principal. |
| [replicator\_service\_principal\_password](#output\_replicator\_service\_principal\_password) | Password for Replicator Service Principal. |
| [replicator\_token](#output\_replicator\_token) | n/a |