---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
---

# azure_aks_cluster{% #azure_aks_cluster %}

## `aad_profile`{% #aad_profile %}

**Type**: `STRUCT`**Provider name**: `properties.aadProfile`**Description**: The Azure Active Directory configuration.

- `admin_group_object_i_ds`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `adminGroupObjectIDs`**Description**: The list of AAD group object IDs that will have admin role of the cluster.
- `client_app_id`**Type**: `STRING`**Provider name**: `clientAppID`**Description**: (DEPRECATED) The client AAD application ID. Learn more at [https://aka.ms/aks/aad-legacy](https://aka.ms/aks/aad-legacy).
- `enable_azure_rbac`**Type**: `BOOLEAN`**Provider name**: `enableAzureRBAC`**Description**: Whether to enable Azure RBAC for Kubernetes authorization.
- `managed`**Type**: `BOOLEAN`**Provider name**: `managed`**Description**: Whether to enable managed AAD.
- `server_app_id`**Type**: `STRING`**Provider name**: `serverAppID`**Description**: (DEPRECATED) The server AAD application ID. Learn more at [https://aka.ms/aks/aad-legacy](https://aka.ms/aks/aad-legacy).
- `server_app_secret`**Type**: `STRING`**Provider name**: `serverAppSecret`**Description**: (DEPRECATED) The server AAD application secret. Learn more at [https://aka.ms/aks/aad-legacy](https://aka.ms/aks/aad-legacy).
- `tenant_id`**Type**: `STRING`**Provider name**: `tenantID`**Description**: The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription.

## `agent_pool_profiles`{% #agent_pool_profiles %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `properties.agentPoolProfiles`**Description**: The agent pool properties.

- `availability_zones`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `properties.availabilityZones`**Description**: The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'.
- `capacity_reservation_group_id`**Type**: `STRING`**Provider name**: `properties.capacityReservationGroupID`**Description**: AKS will associate the specified agent pool with the Capacity Reservation Group.
- `count`**Type**: `INT32`**Provider name**: `properties.count`**Description**: Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1.
- `creation_data`**Type**: `STRUCT`**Provider name**: `properties.creationData`**Description**: CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot.
  - `source_resource_id`**Type**: `STRING`**Provider name**: `sourceResourceId`**Description**: This is the ARM ID of the source object to be used to create the target object.
- `current_orchestrator_version`**Type**: `STRING`**Provider name**: `properties.currentOrchestratorVersion`**Description**: If orchestratorVersion is a fully specified version <major.minor.patch>, this field will be exactly equal to it. If orchestratorVersion is <major.minor>, this field will contain the full <major.minor.patch> version being used.
- `e_tag`**Type**: `STRING`**Provider name**: `properties.eTag`**Description**: Unique read-only string used to implement optimistic concurrency. The eTag value will change when the resource is updated. Specify an if-match or if-none-match header with the eTag value for a subsequent request to enable optimistic concurrency per the normal etag convention.
- `enable_auto_scaling`**Type**: `BOOLEAN`**Provider name**: `properties.enableAutoScaling`**Description**: Whether to enable auto-scaler
- `enable_encryption_at_host`**Type**: `BOOLEAN`**Provider name**: `properties.enableEncryptionAtHost`**Description**: This is only supported on certain VM sizes and in certain Azure regions. For more information, see: [https://docs.microsoft.com/azure/aks/enable-host-encryption](https://docs.microsoft.com/azure/aks/enable-host-encryption)
- `enable_fips`**Type**: `BOOLEAN`**Provider name**: `properties.enableFIPS`**Description**: See [Add a FIPS-enabled node pool](https://docs.microsoft.com/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details.
- `enable_node_public_ip`**Type**: `BOOLEAN`**Provider name**: `properties.enableNodePublicIP`**Description**: Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see [assigning a public IP per node](https://docs.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). The default is false.
- `enable_ultra_ssd`**Type**: `BOOLEAN`**Provider name**: `properties.enableUltraSSD`**Description**: Whether to enable UltraSSD
- `gpu_instance_profile`**Type**: `STRING`**Provider name**: `properties.gpuInstanceProfile`**Description**: GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU.
- `gpu_profile`**Type**: `STRUCT`**Provider name**: `properties.gpuProfile`**Description**: GPU settings for the Agent Pool.
  - `driver`**Type**: `STRING`**Provider name**: `driver`**Description**: Whether to install GPU drivers. When it's not specified, default is Install.
- `host_group_id`**Type**: `STRING`**Provider name**: `properties.hostGroupID`**Description**: This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see [Azure dedicated hosts](https://docs.microsoft.com/azure/virtual-machines/dedicated-hosts).
- `kubelet_config`**Type**: `STRUCT`**Provider name**: `properties.kubeletConfig`**Description**: The Kubelet configuration on the agent pool nodes.
  - `allowed_unsafe_sysctls`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `allowedUnsafeSysctls`**Description**: Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in `*`).
  - `container_log_max_files`**Type**: `INT32`**Provider name**: `containerLogMaxFiles`**Description**: The maximum number of container log files that can be present for a container. The number must be ≥ 2.
  - `container_log_max_size_mb`**Type**: `INT32`**Provider name**: `containerLogMaxSizeMB`**Description**: The maximum size (e.g. 10Mi) of container log file before it is rotated.
  - `cpu_cfs_quota`**Type**: `BOOLEAN`**Provider name**: `cpuCfsQuota`**Description**: The default is true.
  - `cpu_cfs_quota_period`**Type**: `STRING`**Provider name**: `cpuCfsQuotaPeriod`**Description**: The default is '100ms'. Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'.
  - `cpu_manager_policy`**Type**: `STRING`**Provider name**: `cpuManagerPolicy`**Description**: The default is 'none'. See [Kubernetes CPU management policies](https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#cpu-management-policies) for more information. Allowed values are 'none' and 'static'.
  - `fail_swap_on`**Type**: `BOOLEAN`**Provider name**: `failSwapOn`**Description**: If set to true it will make the Kubelet fail to start if swap is enabled on the node.
  - `image_gc_high_threshold`**Type**: `INT32`**Provider name**: `imageGcHighThreshold`**Description**: To disable image garbage collection, set to 100. The default is 85%.
  - `image_gc_low_threshold`**Type**: `INT32`**Provider name**: `imageGcLowThreshold`**Description**: This cannot be set higher than imageGcHighThreshold. The default is 80%.
  - `pod_max_pids`**Type**: `INT32`**Provider name**: `podMaxPids`**Description**: The maximum number of processes per pod.
  - `topology_manager_policy`**Type**: `STRING`**Provider name**: `topologyManagerPolicy`**Description**: For more information see [Kubernetes Topology Manager](https://kubernetes.io/docs/tasks/administer-cluster/topology-manager). The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'.
- `kubelet_disk_type`**Type**: `STRING`**Provider name**: `properties.kubeletDiskType`
- `linux_os_config`**Type**: `STRUCT`**Provider name**: `properties.linuxOSConfig`**Description**: The OS configuration of Linux agent nodes.
  - `swap_file_size_mb`**Type**: `INT32`**Provider name**: `swapFileSizeMB`**Description**: The size in MB of a swap file that will be created on each node.
  - `sysctls`**Type**: `STRUCT`**Provider name**: `sysctls`**Description**: Sysctl settings for Linux agent nodes.
    - `fs_aio_max_nr`**Type**: `INT32`**Provider name**: `fsAioMaxNr`**Description**: Sysctl setting fs.aio-max-nr.
    - `fs_file_max`**Type**: `INT32`**Provider name**: `fsFileMax`**Description**: Sysctl setting fs.file-max.
    - `fs_inotify_max_user_watches`**Type**: `INT32`**Provider name**: `fsInotifyMaxUserWatches`**Description**: Sysctl setting fs.inotify.max_user_watches.
    - `fs_nr_open`**Type**: `INT32`**Provider name**: `fsNrOpen`**Description**: Sysctl setting fs.nr_open.
    - `kernel_threads_max`**Type**: `INT32`**Provider name**: `kernelThreadsMax`**Description**: Sysctl setting kernel.threads-max.
    - `net_core_netdev_max_backlog`**Type**: `INT32`**Provider name**: `netCoreNetdevMaxBacklog`**Description**: Sysctl setting net.core.netdev_max_backlog.
    - `net_core_optmem_max`**Type**: `INT32`**Provider name**: `netCoreOptmemMax`**Description**: Sysctl setting net.core.optmem_max.
    - `net_core_rmem_default`**Type**: `INT32`**Provider name**: `netCoreRmemDefault`**Description**: Sysctl setting net.core.rmem_default.
    - `net_core_rmem_max`**Type**: `INT32`**Provider name**: `netCoreRmemMax`**Description**: Sysctl setting net.core.rmem_max.
    - `net_core_somaxconn`**Type**: `INT32`**Provider name**: `netCoreSomaxconn`**Description**: Sysctl setting net.core.somaxconn.
    - `net_core_wmem_default`**Type**: `INT32`**Provider name**: `netCoreWmemDefault`**Description**: Sysctl setting net.core.wmem_default.
    - `net_core_wmem_max`**Type**: `INT32`**Provider name**: `netCoreWmemMax`**Description**: Sysctl setting net.core.wmem_max.
    - `net_ipv4_ip_local_port_range`**Type**: `STRING`**Provider name**: `netIpv4IpLocalPortRange`**Description**: Sysctl setting net.ipv4.ip_local_port_range.
    - `net_ipv4_neigh_default_gc_thresh1`**Type**: `INT32`**Provider name**: `netIpv4NeighDefaultGcThresh1`**Description**: Sysctl setting net.ipv4.neigh.default.gc_thresh1.
    - `net_ipv4_neigh_default_gc_thresh2`**Type**: `INT32`**Provider name**: `netIpv4NeighDefaultGcThresh2`**Description**: Sysctl setting net.ipv4.neigh.default.gc_thresh2.
    - `net_ipv4_neigh_default_gc_thresh3`**Type**: `INT32`**Provider name**: `netIpv4NeighDefaultGcThresh3`**Description**: Sysctl setting net.ipv4.neigh.default.gc_thresh3.
    - `net_ipv4_tcp_fin_timeout`**Type**: `INT32`**Provider name**: `netIpv4TcpFinTimeout`**Description**: Sysctl setting net.ipv4.tcp_fin_timeout.
    - `net_ipv4_tcp_keepalive_probes`**Type**: `INT32`**Provider name**: `netIpv4TcpKeepaliveProbes`**Description**: Sysctl setting net.ipv4.tcp_keepalive_probes.
    - `net_ipv4_tcp_keepalive_time`**Type**: `INT32`**Provider name**: `netIpv4TcpKeepaliveTime`**Description**: Sysctl setting net.ipv4.tcp_keepalive_time.
    - `net_ipv4_tcp_max_syn_backlog`**Type**: `INT32`**Provider name**: `netIpv4TcpMaxSynBacklog`**Description**: Sysctl setting net.ipv4.tcp_max_syn_backlog.
    - `net_ipv4_tcp_max_tw_buckets`**Type**: `INT32`**Provider name**: `netIpv4TcpMaxTwBuckets`**Description**: Sysctl setting net.ipv4.tcp_max_tw_buckets.
    - `net_ipv4_tcp_tw_reuse`**Type**: `BOOLEAN`**Provider name**: `netIpv4TcpTwReuse`**Description**: Sysctl setting net.ipv4.tcp_tw_reuse.
    - `net_ipv4_tcpkeepalive_intvl`**Type**: `INT32`**Provider name**: `netIpv4TcpkeepaliveIntvl`**Description**: Sysctl setting net.ipv4.tcp_keepalive_intvl.
    - `net_netfilter_nf_conntrack_buckets`**Type**: `INT32`**Provider name**: `netNetfilterNfConntrackBuckets`**Description**: Sysctl setting net.netfilter.nf_conntrack_buckets.
    - `net_netfilter_nf_conntrack_max`**Type**: `INT32`**Provider name**: `netNetfilterNfConntrackMax`**Description**: Sysctl setting net.netfilter.nf_conntrack_max.
    - `vm_max_map_count`**Type**: `INT32`**Provider name**: `vmMaxMapCount`**Description**: Sysctl setting vm.max_map_count.
    - `vm_swappiness`**Type**: `INT32`**Provider name**: `vmSwappiness`**Description**: Sysctl setting vm.swappiness.
    - `vm_vfs_cache_pressure`**Type**: `INT32`**Provider name**: `vmVfsCachePressure`**Description**: Sysctl setting vm.vfs_cache_pressure.
  - `transparent_huge_page_defrag`**Type**: `STRING`**Provider name**: `transparentHugePageDefrag`**Description**: Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see [Transparent Hugepages](https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html#admin-guide-transhuge).
  - `transparent_huge_page_enabled`**Type**: `STRING`**Provider name**: `transparentHugePageEnabled`**Description**: Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see [Transparent Hugepages](https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html#admin-guide-transhuge).
- `max_count`**Type**: `INT32`**Provider name**: `properties.maxCount`**Description**: The maximum number of nodes for auto-scaling
- `max_pods`**Type**: `INT32`**Provider name**: `properties.maxPods`**Description**: The maximum number of pods that can run on a node.
- `message_of_the_day`**Type**: `STRING`**Provider name**: `properties.messageOfTheDay`**Description**: A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script).
- `min_count`**Type**: `INT32`**Provider name**: `properties.minCount`**Description**: The minimum number of nodes for auto-scaling
- `mode`**Type**: `STRING`**Provider name**: `properties.mode`
- `name`**Type**: `STRING`**Provider name**: `name`**Description**: Windows agent pool names must be 6 characters or less.
- `network_profile`**Type**: `STRUCT`**Provider name**: `properties.networkProfile`**Description**: Network-related settings of an agent pool.
  - `allowed_host_ports`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `allowedHostPorts`**Description**: The port ranges that are allowed to access. The specified ranges are allowed to overlap.
    - `port_end`**Type**: `INT32`**Provider name**: `portEnd`**Description**: The maximum port that is included in the range. It should be in the range 1 to 65535 and be greater than or equal to portStart.
    - `port_start`**Type**: `INT32`**Provider name**: `portStart`**Description**: The minimum port that is included in the range. It should be in the range 1 to 65535 and be less than or equal to portEnd.
    - `protocol`**Type**: `STRING`**Provider name**: `protocol`**Description**: The network protocol of the port.
  - `application_security_groups`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `applicationSecurityGroups`**Description**: The IDs of the application security groups that the agent pool will be associated with when created.
  - `node_public_ip_tags`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `nodePublicIPTags`**Description**: IPTags of instance-level public IPs.
    - `ip_tag_type`**Type**: `STRING`**Provider name**: `ipTagType`**Description**: The IP tag type. Example: RoutingPreference.
    - `tag`**Type**: `STRING`**Provider name**: `tag`**Description**: The value of the IP tag associated with the public IP. Example: Internet.
- `node_image_version`**Type**: `STRING`**Provider name**: `properties.nodeImageVersion`**Description**: The version of node image
- `node_public_ip_prefix_id`**Type**: `STRING`**Provider name**: `properties.nodePublicIPPrefixID`**Description**: This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName}
- `node_taints`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `properties.nodeTaints`**Description**: The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule.
- `orchestrator_version`**Type**: `STRING`**Provider name**: `properties.orchestratorVersion`**Description**: Both patch version <major.minor.patch> (e.g. 1.20.13) and <major.minor> (e.g. 1.20) are supported. When <major.minor> is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same <major.minor> once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see [upgrading a node pool](https://docs.microsoft.com/azure/aks/use-multiple-node-pools#upgrade-a-node-pool).
- `os_disk_size_gb`**Type**: `INT32`**Provider name**: `properties.osDiskSizeGB`
- `os_disk_type`**Type**: `STRING`**Provider name**: `properties.osDiskType`
- `os_sku`**Type**: `STRING`**Provider name**: `properties.osSKU`
- `os_type`**Type**: `STRING`**Provider name**: `properties.osType`
- `pod_subnet_id`**Type**: `STRING`**Provider name**: `properties.podSubnetID`**Description**: If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}
- `power_state`**Type**: `STRUCT`**Provider name**: `properties.powerState`**Description**: When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and its provisioning state is Succeeded.
  - `code`**Type**: `STRING`**Provider name**: `code`**Description**: Tells whether the cluster is Running or Stopped
- `provisioning_state`**Type**: `STRING`**Provider name**: `properties.provisioningState`**Description**: The current deployment or provisioning state.
- `proximity_placement_group_id`**Type**: `STRING`**Provider name**: `properties.proximityPlacementGroupID`**Description**: The ID for Proximity Placement Group.
- `scale_down_mode`**Type**: `STRING`**Provider name**: `properties.scaleDownMode`**Description**: This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete.
- `scale_set_eviction_policy`**Type**: `STRING`**Provider name**: `properties.scaleSetEvictionPolicy`**Description**: This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'.
- `scale_set_priority`**Type**: `STRING`**Provider name**: `properties.scaleSetPriority`**Description**: The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'.
- `security_profile`**Type**: `STRUCT`**Provider name**: `properties.securityProfile`**Description**: The security settings of an agent pool.
  - `enable_secure_boot`**Type**: `BOOLEAN`**Provider name**: `enableSecureBoot`**Description**: Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false.
  - `enable_vtpm`**Type**: `BOOLEAN`**Provider name**: `enableVTPM`**Description**: vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false.
- `spot_max_price`**Type**: `DOUBLE`**Provider name**: `properties.spotMaxPrice`**Description**: Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see [spot VMs pricing](https://docs.microsoft.com/azure/virtual-machines/spot-vms#pricing)
- `type`**Type**: `STRING`**Provider name**: `properties.type`
- `upgrade_settings`**Type**: `STRUCT`**Provider name**: `properties.upgradeSettings`**Description**: Settings for upgrading the agentpool
  - `drain_timeout_in_minutes`**Type**: `INT32`**Provider name**: `drainTimeoutInMinutes`**Description**: The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes.
  - `max_surge`**Type**: `STRING`**Provider name**: `maxSurge`**Description**: This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 10%. For more information, including best practices, see: [https://docs.microsoft.com/azure/aks/upgrade-cluster#customize-node-surge-upgrade](https://docs.microsoft.com/azure/aks/upgrade-cluster#customize-node-surge-upgrade)
  - `node_soak_duration_in_minutes`**Type**: `INT32`**Provider name**: `nodeSoakDurationInMinutes`**Description**: The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to next node. If not specified, the default is 0 minutes.
- `vm_size`**Type**: `STRING`**Provider name**: `properties.vmSize`**Description**: VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: [https://docs.microsoft.com/azure/aks/quotas-skus-regions](https://docs.microsoft.com/azure/aks/quotas-skus-regions)
- `vnet_subnet_id`**Type**: `STRING`**Provider name**: `properties.vnetSubnetID`**Description**: If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}
- `windows_profile`**Type**: `STRUCT`**Provider name**: `properties.windowsProfile`**Description**: The Windows agent pool's specific profile.
  - `disable_outbound_nat`**Type**: `BOOLEAN`**Provider name**: `disableOutboundNat`**Description**: The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled.
- `workload_runtime`**Type**: `STRING`**Provider name**: `properties.workloadRuntime`

## `api_server_access_profile`{% #api_server_access_profile %}

**Type**: `STRUCT`**Provider name**: `properties.apiServerAccessProfile`**Description**: The access profile for managed cluster API server.

- `authorized_ip_ranges`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `authorizedIPRanges`**Description**: IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see [API server authorized IP ranges](https://docs.microsoft.com/azure/aks/api-server-authorized-ip-ranges).
- `disable_run_command`**Type**: `BOOLEAN`**Provider name**: `disableRunCommand`**Description**: Whether to disable run command for the cluster or not.
- `enable_private_cluster`**Type**: `BOOLEAN`**Provider name**: `enablePrivateCluster`**Description**: For more details, see [Creating a private AKS cluster](https://docs.microsoft.com/azure/aks/private-clusters).
- `enable_private_cluster_public_fqdn`**Type**: `BOOLEAN`**Provider name**: `enablePrivateClusterPublicFQDN`**Description**: Whether to create additional public FQDN for private cluster or not.
- `private_dns_zone`**Type**: `STRING`**Provider name**: `privateDNSZone`**Description**: The default is System. For more details see [configure private DNS zone](https://docs.microsoft.com/azure/aks/private-clusters#configure-private-dns-zone). Allowed values are 'system' and 'none'.

## `auto_scaler_profile`{% #auto_scaler_profile %}

**Type**: `STRUCT`**Provider name**: `properties.autoScalerProfile`**Description**: Parameters to be applied to the cluster-autoscaler when enabled

- `balance-similar-node-groups`**Type**: `STRING`**Provider name**: `balance-similar-node-groups`**Description**: Valid values are 'true' and 'false'
- `daemonset-eviction-for-empty-nodes`**Type**: `BOOLEAN`**Provider name**: `daemonset-eviction-for-empty-nodes`**Description**: If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted.
- `daemonset-eviction-for-occupied-nodes`**Type**: `BOOLEAN`**Provider name**: `daemonset-eviction-for-occupied-nodes`**Description**: If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted.
- `expander`**Type**: `STRING`**Provider name**: `expander`**Description**: If not specified, the default is 'random'. See [expanders](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#what-are-expanders) for more information.
- `ignore-daemonsets-utilization`**Type**: `BOOLEAN`**Provider name**: `ignore-daemonsets-utilization`**Description**: If set to true, the resources used by daemonset will be taken into account when making scaling down decisions.
- `max-empty-bulk-delete`**Type**: `STRING`**Provider name**: `max-empty-bulk-delete`**Description**: The default is 10.
- `max-graceful-termination-sec`**Type**: `STRING`**Provider name**: `max-graceful-termination-sec`**Description**: The default is 600.
- `max-node-provision-time`**Type**: `STRING`**Provider name**: `max-node-provision-time`**Description**: The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
- `max-total-unready-percentage`**Type**: `STRING`**Provider name**: `max-total-unready-percentage`**Description**: The default is 45. The maximum is 100 and the minimum is 0.
- `new-pod-scale-up-delay`**Type**: `STRING`**Provider name**: `new-pod-scale-up-delay`**Description**: For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc).
- `ok-total-unready-count`**Type**: `STRING`**Provider name**: `ok-total-unready-count`**Description**: This must be an integer. The default is 3.
- `scale-down-delay-after-add`**Type**: `STRING`**Provider name**: `scale-down-delay-after-add`**Description**: The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
- `scale-down-delay-after-delete`**Type**: `STRING`**Provider name**: `scale-down-delay-after-delete`**Description**: The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
- `scale-down-delay-after-failure`**Type**: `STRING`**Provider name**: `scale-down-delay-after-failure`**Description**: The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
- `scale-down-unneeded-time`**Type**: `STRING`**Provider name**: `scale-down-unneeded-time`**Description**: The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
- `scale-down-unready-time`**Type**: `STRING`**Provider name**: `scale-down-unready-time`**Description**: The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
- `scale-down-utilization-threshold`**Type**: `STRING`**Provider name**: `scale-down-utilization-threshold`**Description**: The default is '0.5'.
- `scan-interval`**Type**: `STRING`**Provider name**: `scan-interval`**Description**: The default is '10'. Values must be an integer number of seconds.
- `skip-nodes-with-local-storage`**Type**: `STRING`**Provider name**: `skip-nodes-with-local-storage`**Description**: The default is true.
- `skip-nodes-with-system-pods`**Type**: `STRING`**Provider name**: `skip-nodes-with-system-pods`**Description**: The default is true.

## `auto_upgrade_profile`{% #auto_upgrade_profile %}

**Type**: `STRUCT`**Provider name**: `properties.autoUpgradeProfile`**Description**: The auto upgrade configuration.

- `node_os_upgrade_channel`**Type**: `STRING`**Provider name**: `nodeOSUpgradeChannel`**Description**: Manner in which the OS on your nodes is updated. The default is NodeImage.
- `upgrade_channel`**Type**: `STRING`**Provider name**: `upgradeChannel`**Description**: For more information see [setting the AKS cluster auto-upgrade channel](https://docs.microsoft.com/azure/aks/upgrade-cluster#set-auto-upgrade-channel).

## `azure_monitor_profile`{% #azure_monitor_profile %}

**Type**: `STRUCT`**Provider name**: `properties.azureMonitorProfile`

- `metrics`**Type**: `STRUCT`**Provider name**: `metrics`
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable or disable the Azure Managed Prometheus addon for Prometheus monitoring. See aka.ms/AzureManagedPrometheus-aks-enable for details on enabling and disabling.
  - `kube_state_metrics`**Type**: `STRUCT`**Provider name**: `kubeStateMetrics`
    - `metric_annotations_allow_list`**Type**: `STRING`**Provider name**: `metricAnnotationsAllowList`**Description**: Comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric (Example: 'namespaces=[kubernetes.io/team,…],pods=[kubernetes.io/team],…'). By default the metric contains only resource name and namespace labels.
    - `metric_labels_allowlist`**Type**: `STRING`**Provider name**: `metricLabelsAllowlist`**Description**: Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric (Example: 'namespaces=[k8s-label-1,k8s-label-n,…],pods=[app],…'). By default the metric contains only resource name and namespace labels.

## `azure_portal_fqdn`{% #azure_portal_fqdn %}

**Type**: `STRING`**Provider name**: `properties.azurePortalFQDN`**Description**: The Azure Portal requires certain Cross-Origin Resource Sharing (CORS) headers to be sent in some responses, which Kubernetes APIServer doesn't handle by default. This special FQDN supports CORS, allowing the Azure Portal to function properly.

## `bootstrap_profile`{% #bootstrap_profile %}

**Type**: `STRUCT`**Provider name**: `properties.bootstrapProfile`**Description**: Profile of the cluster bootstrap configuration.

- `artifact_source`**Type**: `STRING`**Provider name**: `artifactSource`**Description**: The source where the artifacts are downloaded from.
- `container_registry_id`**Type**: `STRING`**Provider name**: `containerRegistryId`**Description**: The resource Id of Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy.

## `current_kubernetes_version`{% #current_kubernetes_version %}

**Type**: `STRING`**Provider name**: `properties.currentKubernetesVersion`**Description**: If kubernetesVersion was a fully specified version `<major.minor.patch>`, this field will be exactly equal to it. If kubernetesVersion was `<major.minor>`, this field will contain the full `<major.minor.patch>` version being used.

## `disable_local_accounts`{% #disable_local_accounts %}

**Type**: `BOOLEAN`**Provider name**: `properties.disableLocalAccounts`**Description**: If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see [disable local accounts](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts-preview).

## `disk_encryption_set_id`{% #disk_encryption_set_id %}

**Type**: `STRING`**Provider name**: `properties.diskEncryptionSetID`**Description**: This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}'

## `dns_prefix`{% #dns_prefix %}

**Type**: `STRING`**Provider name**: `properties.dnsPrefix`**Description**: This cannot be updated once the Managed Cluster has been created.

## `e_tag`{% #e_tag %}

**Type**: `STRING`**Provider name**: `eTag`**Description**: Unique read-only string used to implement optimistic concurrency. The eTag value will change when the resource is updated. Specify an if-match or if-none-match header with the eTag value for a subsequent request to enable optimistic concurrency per the normal etag convention.

## `enable_pod_security_policy`{% #enable_pod_security_policy %}

**Type**: `BOOLEAN`**Provider name**: `properties.enablePodSecurityPolicy`**Description**: (DEPRECATED) Whether to enable Kubernetes pod security policy (preview). PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Learn more at [https://aka.ms/k8s/psp](https://aka.ms/k8s/psp) and [https://aka.ms/aks/psp](https://aka.ms/aks/psp).

## `enable_rbac`{% #enable_rbac %}

**Type**: `BOOLEAN`**Provider name**: `properties.enableRBAC`**Description**: Whether to enable Kubernetes Role-Based Access Control.

## `fqdn`{% #fqdn %}

**Type**: `STRING`**Provider name**: `properties.fqdn`**Description**: The FQDN of the master pool.

## `fqdn_subdomain`{% #fqdn_subdomain %}

**Type**: `STRING`**Provider name**: `properties.fqdnSubdomain`**Description**: This cannot be updated once the Managed Cluster has been created.

## `http_proxy_config`{% #http_proxy_config %}

**Type**: `STRUCT`**Provider name**: `properties.httpProxyConfig`**Description**: Configurations for provisioning the cluster with HTTP proxy servers.

- `http_proxy`**Type**: `STRING`**Provider name**: `httpProxy`**Description**: The HTTP proxy server endpoint to use.
- `https_proxy`**Type**: `STRING`**Provider name**: `httpsProxy`**Description**: The HTTPS proxy server endpoint to use.
- `no_proxy`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `noProxy`**Description**: The endpoints that should not go through proxy.
- `trusted_ca`**Type**: `STRING`**Provider name**: `trustedCa`**Description**: Alternative CA cert to use for connecting to proxy servers.

## `id`{% #id %}

**Type**: `STRING`**Provider name**: `id`**Description**: Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

## `identity`{% #identity %}

**Type**: `STRUCT`**Provider name**: `identity`**Description**: The identity of the managed cluster, if configured.

- `principal_id`**Type**: `STRING`**Provider name**: `principalId`**Description**: The principal id of the system assigned identity which is used by master components.
- `tenant_id`**Type**: `STRING`**Provider name**: `tenantId`**Description**: The tenant id of the system assigned identity which is used by master components.
- `type`**Type**: `STRING`**Provider name**: `type`**Description**: For more information see [use managed identities in AKS](https://docs.microsoft.com/azure/aks/use-managed-identity).

## `ingress_profile`{% #ingress_profile %}

**Type**: `STRUCT`**Provider name**: `properties.ingressProfile`**Description**: Ingress profile for the managed cluster.

- `web_app_routing`**Type**: `STRUCT`**Provider name**: `webAppRouting`**Description**: App Routing settings for the ingress profile. You can find an overview and onboarding guide for this feature at [https://learn.microsoft.com/en-us/azure/aks/app-routing?tabs=default%2Cdeploy-app-default](https://learn.microsoft.com/en-us/azure/aks/app-routing?tabs=default%2Cdeploy-app-default).
  - `dns_zone_resource_ids`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `dnsZoneResourceIds`**Description**: Resource IDs of the DNS zones to be associated with the Application Routing add-on. Used only when Application Routing add-on is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group.
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable the Application Routing add-on.
  - `identity`**Type**: `STRUCT`**Provider name**: `identity`**Description**: Managed identity of the Application Routing add-on. This is the identity that should be granted permissions, for example, to manage the associated Azure DNS resource and get certificates from Azure Key Vault. See [this overview of the add-on](https://learn.microsoft.com/en-us/azure/aks/web-app-routing?tabs=with-osm) for more instructions.
    - `client_id`**Type**: `STRING`**Provider name**: `clientId`**Description**: The client ID of the user assigned identity.
    - `object_id`**Type**: `STRING`**Provider name**: `objectId`**Description**: The object ID of the user assigned identity.
    - `resource_id`**Type**: `STRING`**Provider name**: `resourceId`**Description**: The resource ID of the user assigned identity.
  - `nginx`**Type**: `STRUCT`**Provider name**: `nginx`**Description**: Configuration for the default NginxIngressController. See more at [https://learn.microsoft.com/en-us/azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller](https://learn.microsoft.com/en-us/azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller).
    - `default_ingress_controller_type`**Type**: `STRING`**Provider name**: `defaultIngressControllerType`**Description**: Ingress type for the default NginxIngressController custom resource

## `kubernetes_version`{% #kubernetes_version %}

**Type**: `STRING`**Provider name**: `properties.kubernetesVersion`**Description**: Both patch version `<major.minor.patch>` (e.g. 1.20.13) and `<major.minor>` (e.g. 1.20) are supported. When `<major.minor>` is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same `<major.minor>` once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed; however, 1.14.x -> 1.16.x is not allowed. See [upgrading an AKS cluster](https://docs.microsoft.com/azure/aks/upgrade-cluster) for more details.

## `linux_profile`{% #linux_profile %}

**Type**: `STRUCT`**Provider name**: `properties.linuxProfile`**Description**: The profile for Linux VMs in the Managed Cluster.

- `admin_username`**Type**: `STRING`**Provider name**: `adminUsername`**Description**: The administrator username to use for Linux VMs.
- `ssh`**Type**: `STRUCT`**Provider name**: `ssh`**Description**: The SSH configuration for Linux-based VMs running on Azure.
  - `public_keys`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `publicKeys`**Description**: The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified.
    - `key_data`**Type**: `STRING`**Provider name**: `keyData`**Description**: Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers.

## `location`{% #location %}

**Type**: `STRING`**Provider name**: `location`**Description**: The geo-location where the resource lives

## `max_agent_pools`{% #max_agent_pools %}

**Type**: `INT64`**Provider name**: `properties.maxAgentPools`**Description**: The max number of agent pools for the managed cluster.

## `metrics_profile`{% #metrics_profile %}

**Type**: `STRUCT`**Provider name**: `properties.metricsProfile`**Description**: Optional cluster metrics configuration.

- `cost_analysis`**Type**: `STRUCT`**Provider name**: `costAnalysis`
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis.

## `name`{% #name %}

**Type**: `STRING`**Provider name**: `name`**Description**: The name of the resource

## `network_profile`{% #network_profile %}

**Type**: `STRUCT`**Provider name**: `properties.networkProfile`**Description**: The network configuration profile.

- `advanced_networking`**Type**: `STRUCT`**Provider name**: `advancedNetworking`
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Indicates the enablement of Advanced Networking functionalities of observability and security on AKS clusters. When this is set to true, all observability and security features will be set to enabled unless explicitly disabled. If not specified, the default is false.
  - `observability`**Type**: `STRUCT`**Provider name**: `observability`
    - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Indicates the enablement of Advanced Networking observability functionalities on clusters.
  - `security`**Type**: `STRUCT`**Provider name**: `security`
    - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: This feature allows users to configure network policy based on DNS (FQDN) names. It can be enabled only on Cilium-based clusters. If not specified, the default is false.
- `dns_service_ip`**Type**: `STRING`**Provider name**: `dnsServiceIP`**Description**: An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr.
- `ip_families`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `ipFamilies`**Description**: IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6.
- `load_balancer_profile`**Type**: `STRUCT`**Provider name**: `loadBalancerProfile`**Description**: Profile of the cluster load balancer.
  - `allocated_outbound_ports`**Type**: `INT32`**Provider name**: `allocatedOutboundPorts`**Description**: The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports.
  - `backend_pool_type`**Type**: `STRING`**Provider name**: `backendPoolType`**Description**: The type of the managed inbound Load Balancer BackendPool.
  - `effective_outbound_ips`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `effectiveOutboundIPs`**Description**: The effective outbound IP resources of the cluster load balancer.
    - `id`**Type**: `STRING`**Provider name**: `id`**Description**: The fully qualified Azure resource id.
  - `enable_multiple_standard_load_balancers`**Type**: `BOOLEAN`**Provider name**: `enableMultipleStandardLoadBalancers`**Description**: Enable multiple standard load balancers per AKS cluster or not.
  - `idle_timeout_in_minutes`**Type**: `INT32`**Provider name**: `idleTimeoutInMinutes`**Description**: Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes.
  - `managed_outbound_ips`**Type**: `STRUCT`**Provider name**: `managedOutboundIPs`**Description**: Desired managed outbound IPs for the cluster load balancer.
    - `count`**Type**: `INT32`**Provider name**: `count`**Description**: The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1.
    - `count_i_pv6`**Type**: `INT32`**Provider name**: `countIPv6`**Description**: The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.
  - `outbound_ip_prefixes`**Type**: `STRUCT`**Provider name**: `outboundIPPrefixes`**Description**: Desired outbound IP Prefix resources for the cluster load balancer.
    - `public_ip_prefixes`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `publicIPPrefixes`**Description**: A list of public IP prefix resources.
      - `id`**Type**: `STRING`**Provider name**: `id`**Description**: The fully qualified Azure resource id.
  - `outbound_ips`**Type**: `STRUCT`**Provider name**: `outboundIPs`**Description**: Desired outbound IP resources for the cluster load balancer.
    - `public_ips`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `publicIPs`**Description**: A list of public IP resources.
      - `id`**Type**: `STRING`**Provider name**: `id`**Description**: The fully qualified Azure resource id.
- `load_balancer_sku`**Type**: `STRING`**Provider name**: `loadBalancerSku`**Description**: The default is 'standard'. See [Azure Load Balancer SKUs](https://docs.microsoft.com/azure/load-balancer/skus) for more information about the differences between load balancer SKUs.
- `nat_gateway_profile`**Type**: `STRUCT`**Provider name**: `natGatewayProfile`**Description**: Profile of the cluster NAT gateway.
  - `effective_outbound_ips`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `effectiveOutboundIPs`**Description**: The effective outbound IP resources of the cluster NAT gateway.
    - `id`**Type**: `STRING`**Provider name**: `id`**Description**: The fully qualified Azure resource id.
  - `idle_timeout_in_minutes`**Type**: `INT32`**Provider name**: `idleTimeoutInMinutes`**Description**: Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes.
  - `managed_outbound_ip_profile`**Type**: `STRUCT`**Provider name**: `managedOutboundIPProfile`**Description**: Profile of the managed outbound IP resources of the cluster NAT gateway.
    - `count`**Type**: `INT32`**Provider name**: `count`**Description**: The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1.
- `network_dataplane`**Type**: `STRING`**Provider name**: `networkDataplane`**Description**: Network dataplane used in the Kubernetes cluster.
- `network_mode`**Type**: `STRING`**Provider name**: `networkMode`**Description**: This cannot be specified if networkPlugin is anything other than 'azure'.
- `network_plugin`**Type**: `STRING`**Provider name**: `networkPlugin`**Description**: Network plugin used for building the Kubernetes network.
- `network_plugin_mode`**Type**: `STRING`**Provider name**: `networkPluginMode`**Description**: The mode the network plugin should use.
- `network_policy`**Type**: `STRING`**Provider name**: `networkPolicy`**Description**: Network policy used for building the Kubernetes network.
- `outbound_type`**Type**: `STRING`**Provider name**: `outboundType`**Description**: This can only be set at cluster creation time and cannot be changed later. For more information see [egress outbound type](https://docs.microsoft.com/azure/aks/egress-outboundtype).
- `pod_cidr`**Type**: `STRING`**Provider name**: `podCidr`**Description**: A CIDR notation IP range from which to assign pod IPs when kubenet is used.
- `pod_cidrs`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `podCidrs`**Description**: One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking.
- `service_cidr`**Type**: `STRING`**Provider name**: `serviceCidr`**Description**: A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges.
- `service_cidrs`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `serviceCidrs`**Description**: One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. They must not overlap with any Subnet IP ranges.

## `node_resource_group`{% #node_resource_group %}

**Type**: `STRING`**Provider name**: `properties.nodeResourceGroup`**Description**: The name of the resource group containing agent pool nodes.

## `node_resource_group_profile`{% #node_resource_group_profile %}

**Type**: `STRUCT`**Provider name**: `properties.nodeResourceGroupProfile`**Description**: Profile of the node resource group configuration.

- `restriction_level`**Type**: `STRING`**Provider name**: `restrictionLevel`**Description**: The restriction level applied to the cluster's node resource group. If not specified, the default is 'Unrestricted'

## `oidc_issuer_profile`{% #oidc_issuer_profile %}

**Type**: `STRUCT`**Provider name**: `properties.oidcIssuerProfile`**Description**: The OIDC issuer profile of the Managed Cluster.

- `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether the OIDC issuer is enabled.
- `issuer_url`**Type**: `STRING`**Provider name**: `issuerURL`**Description**: The OIDC issuer url of the Managed Cluster.

## `pod_identity_profile`{% #pod_identity_profile %}

**Type**: `STRUCT`**Provider name**: `properties.podIdentityProfile`**Description**: See [use AAD pod identity](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity) for more details on AAD pod identity integration.

- `allow_network_plugin_kubenet`**Type**: `BOOLEAN`**Provider name**: `allowNetworkPluginKubenet`**Description**: Running in Kubenet is disabled by default due to the security-related nature of AAD Pod Identity and the risks of IP spoofing. See [using Kubenet network plugin with AAD Pod Identity](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity#using-kubenet-network-plugin-with-azure-active-directory-pod-managed-identities) for more information.
- `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether the pod identity addon is enabled.
- `user_assigned_identities`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `userAssignedIdentities`**Description**: The pod identities to use in the cluster.
  - `binding_selector`**Type**: `STRING`**Provider name**: `bindingSelector`**Description**: The binding selector to use for the AzureIdentityBinding resource.
  - `identity`**Type**: `STRUCT`**Provider name**: `identity`**Description**: The user assigned identity details.
    - `client_id`**Type**: `STRING`**Provider name**: `clientId`**Description**: The client ID of the user assigned identity.
    - `object_id`**Type**: `STRING`**Provider name**: `objectId`**Description**: The object ID of the user assigned identity.
    - `resource_id`**Type**: `STRING`**Provider name**: `resourceId`**Description**: The resource ID of the user assigned identity.
  - `name`**Type**: `STRING`**Provider name**: `name`**Description**: The name of the pod identity.
  - `namespace`**Type**: `STRING`**Provider name**: `namespace`**Description**: The namespace of the pod identity.
  - `provisioning_info`**Type**: `STRUCT`**Provider name**: `provisioningInfo`
    - `error`**Type**: `STRUCT`**Provider name**: `error`**Description**: Pod identity assignment error (if any).
  - `provisioning_state`**Type**: `STRING`**Provider name**: `provisioningState`**Description**: The current provisioning state of the pod identity.
- `user_assigned_identity_exceptions`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `userAssignedIdentityExceptions`**Description**: The pod identity exceptions to allow.
  - `name`**Type**: `STRING`**Provider name**: `name`**Description**: The name of the pod identity exception.
  - `namespace`**Type**: `STRING`**Provider name**: `namespace`**Description**: The namespace of the pod identity exception.

## `power_state`{% #power_state %}

**Type**: `STRUCT`**Provider name**: `properties.powerState`**Description**: The Power State of the cluster.

- `code`**Type**: `STRING`**Provider name**: `code`**Description**: Tells whether the cluster is Running or Stopped

## `private_fqdn`{% #private_fqdn %}

**Type**: `STRING`**Provider name**: `properties.privateFQDN`**Description**: The FQDN of private cluster.

## `private_link_resources`{% #private_link_resources %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `properties.privateLinkResources`**Description**: Private link resources associated with the cluster.

- `group_id`**Type**: `STRING`**Provider name**: `groupId`**Description**: The group ID of the resource.
- `id`**Type**: `STRING`**Provider name**: `id`**Description**: The ID of the private link resource.
- `name`**Type**: `STRING`**Provider name**: `name`**Description**: The name of the private link resource.
- `private_link_service_id`**Type**: `STRING`**Provider name**: `privateLinkServiceID`**Description**: The private link service ID of the resource. This field is exposed only to NRP internally.
- `required_members`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `requiredMembers`**Description**: The RequiredMembers of the resource
- `type`**Type**: `STRING`**Provider name**: `type`**Description**: The resource type.

## `provisioning_state`{% #provisioning_state %}

**Type**: `STRING`**Provider name**: `properties.provisioningState`**Description**: The current provisioning state.

## `public_network_access`{% #public_network_access %}

**Type**: `STRING`**Provider name**: `properties.publicNetworkAccess`**Description**: Allow or deny public network access for AKS

## `resource_group`{% #resource_group %}

**Type**: `STRING`

## `resource_uid`{% #resource_uid %}

**Type**: `STRING`**Provider name**: `properties.resourceUID`**Description**: The resourceUID uniquely identifies ManagedClusters that reuse ARM ResourceIds (i.e., a create, delete, create sequence).

## `security_profile`{% #security_profile %}

**Type**: `STRUCT`**Provider name**: `properties.securityProfile`**Description**: Security profile for the managed cluster.

- `azure_key_vault_kms`**Type**: `STRUCT`**Provider name**: `azureKeyVaultKms`**Description**: Azure Key Vault [key management service](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/) settings for the security profile.
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable Azure Key Vault key management service. The default is false.
  - `key_id`**Type**: `STRING`**Provider name**: `keyId`**Description**: Identifier of Azure Key Vault key. See [key identifier format](https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name) for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty.
  - `key_vault_network_access`**Type**: `STRING`**Provider name**: `keyVaultNetworkAccess`**Description**: Network access of key vault. The possible values are `Public` and `Private`. `Public` means the key vault allows public access from all networks. `Private` means the key vault disables public access and enables private link. The default value is `Public`.
  - `key_vault_resource_id`**Type**: `STRING`**Provider name**: `keyVaultResourceId`**Description**: Resource ID of key vault. When keyVaultNetworkAccess is `Private`, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is `Public`, leave the field empty.
- `custom_ca_trust_certificates`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `customCATrustCertificates`**Description**: A list of up to 10 base64 encoded CAs that will be added to the trust store on all nodes in the cluster. For more information see [Custom CA Trust Certificates](https://learn.microsoft.com/en-us/azure/aks/custom-certificate-authority).
- `defender`**Type**: `STRUCT`**Provider name**: `defender`**Description**: Microsoft Defender settings for the security profile.
  - `log_analytics_workspace_resource_id`**Type**: `STRING`**Provider name**: `logAnalyticsWorkspaceResourceId`**Description**: Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty.
  - `security_monitoring`**Type**: `STRUCT`**Provider name**: `securityMonitoring`**Description**: Microsoft Defender threat detection for Cloud settings for the security profile.
    - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable Defender threat detection
- `image_cleaner`**Type**: `STRUCT`**Provider name**: `imageCleaner`**Description**: Image Cleaner settings for the security profile.
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable Image Cleaner on AKS cluster.
  - `interval_hours`**Type**: `INT32`**Provider name**: `intervalHours`**Description**: Image Cleaner scanning interval in hours.
- `workload_identity`**Type**: `STRUCT`**Provider name**: `workloadIdentity`**Description**: Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See [https://aka.ms/aks/wi](https://aka.ms/aks/wi) for more details.
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable workload identity.

## `service_mesh_profile`{% #service_mesh_profile %}

**Type**: `STRUCT`**Provider name**: `properties.serviceMeshProfile`

- `istio`**Type**: `STRUCT`**Provider name**: `istio`
  - `certificate_authority`**Type**: `STRUCT`**Provider name**: `certificateAuthority`
    - `plugin`**Type**: `STRUCT`**Provider name**: `plugin`
      - `cert_chain_object_name`**Type**: `STRING`**Provider name**: `certChainObjectName`**Description**: Certificate chain object name in Azure Key Vault.
      - `cert_object_name`**Type**: `STRING`**Provider name**: `certObjectName`**Description**: Intermediate certificate object name in Azure Key Vault.
      - `key_object_name`**Type**: `STRING`**Provider name**: `keyObjectName`**Description**: Intermediate certificate private key object name in Azure Key Vault.
      - `key_vault_id`**Type**: `STRING`**Provider name**: `keyVaultId`**Description**: The resource ID of the Key Vault.
      - `root_cert_object_name`**Type**: `STRING`**Provider name**: `rootCertObjectName`**Description**: Root certificate object name in Azure Key Vault.
  - `components`**Type**: `STRUCT`**Provider name**: `components`
    - `egress_gateways`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `egressGateways`**Description**: Istio egress gateways.
      - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable the egress gateway.
    - `ingress_gateways`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `ingressGateways`**Description**: Istio ingress gateways.
      - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable the ingress gateway.
      - `mode`**Type**: `STRING`**Provider name**: `mode`**Description**: Mode of an ingress gateway.
  - `revisions`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `revisions`**Description**: The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: [https://learn.microsoft.com/en-us/azure/aks/istio-upgrade](https://learn.microsoft.com/en-us/azure/aks/istio-upgrade)
- `mode`**Type**: `STRING`**Provider name**: `mode`**Description**: Mode of the service mesh.

## `service_principal_profile`{% #service_principal_profile %}

**Type**: `STRUCT`**Provider name**: `properties.servicePrincipalProfile`**Description**: Information about a service principal identity for the cluster to use for manipulating Azure APIs.

- `client_id`**Type**: `STRING`**Provider name**: `clientId`**Description**: The ID for the service principal.
- `secret`**Type**: `STRING`**Provider name**: `secret`**Description**: The secret password associated with the service principal in plain text.

## `sku`{% #sku %}

**Type**: `STRUCT`**Provider name**: `sku`**Description**: The managed cluster SKU.

- `name`**Type**: `STRING`**Provider name**: `name`**Description**: The name of a managed cluster SKU.
- `tier`**Type**: `STRING`**Provider name**: `tier`**Description**: If not specified, the default is 'Free'. See [AKS Pricing Tier](https://learn.microsoft.com/azure/aks/free-standard-pricing-tiers) for more details.

## `storage_profile`{% #storage_profile %}

**Type**: `STRUCT`**Provider name**: `properties.storageProfile`**Description**: Storage profile for the managed cluster.

- `blob_csi_driver`**Type**: `STRUCT`**Provider name**: `blobCSIDriver`**Description**: AzureBlob CSI Driver settings for the storage profile.
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable AzureBlob CSI Driver. The default value is false.
- `disk_csi_driver`**Type**: `STRUCT`**Provider name**: `diskCSIDriver`**Description**: AzureDisk CSI Driver settings for the storage profile.
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable AzureDisk CSI Driver. The default value is true.
- `file_csi_driver`**Type**: `STRUCT`**Provider name**: `fileCSIDriver`**Description**: AzureFile CSI Driver settings for the storage profile.
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable AzureFile CSI Driver. The default value is true.
- `snapshot_controller`**Type**: `STRUCT`**Provider name**: `snapshotController`**Description**: Snapshot Controller settings for the storage profile.
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable Snapshot Controller. The default value is true.

## `subscription_id`{% #subscription_id %}

**Type**: `STRING`

## `subscription_name`{% #subscription_name %}

**Type**: `STRING`

## `support_plan`{% #support_plan %}

**Type**: `STRING`**Provider name**: `properties.supportPlan`**Description**: The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'.

## `system_data`{% #system_data %}

**Type**: `STRUCT`**Provider name**: `systemData`**Description**: Azure Resource Manager metadata containing createdBy and modifiedBy information.

- `created_at`**Type**: `STRING`**Provider name**: `createdAt`**Description**: The timestamp of resource creation (UTC).
- `created_by`**Type**: `STRING`**Provider name**: `createdBy`**Description**: The identity that created the resource.
- `created_by_type`**Type**: `STRING`**Provider name**: `createdByType`**Description**: The type of identity that created the resource.
- `last_modified_at`**Type**: `STRING`**Provider name**: `lastModifiedAt`**Description**: The timestamp of resource last modification (UTC).
- `last_modified_by`**Type**: `STRING`**Provider name**: `lastModifiedBy`**Description**: The identity that last modified the resource.
- `last_modified_by_type`**Type**: `STRING`**Provider name**: `lastModifiedByType`**Description**: The type of identity that last modified the resource.

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `type`{% #type %}

**Type**: `STRING`**Provider name**: `type`**Description**: The type of the resource, for example "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts".

## `upgrade_settings`{% #upgrade_settings %}

**Type**: `STRUCT`**Provider name**: `properties.upgradeSettings`**Description**: Settings for upgrading a cluster.

- `override_settings`**Type**: `STRUCT`**Provider name**: `overrideSettings`**Description**: Settings for overrides.
  - `force_upgrade`**Type**: `BOOLEAN`**Provider name**: `forceUpgrade`**Description**: Whether to force upgrade the cluster. Note that this option instructs the upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution.
  - `until`**Type**: `STRING`**Provider name**: `until`**Description**: Until when the overrides are effective. Note that this only matches the start time of an upgrade, and the effectiveness won't change once an upgrade starts, even if the `until` expires as the upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect.

## `windows_profile`{% #windows_profile %}

**Type**: `STRUCT`**Provider name**: `properties.windowsProfile`**Description**: The profile for Windows VMs in the Managed Cluster.

- `admin_password`**Type**: `STRING`**Provider name**: `adminPassword`**Description**: Specifies the password of the administrator account. **Minimum-length:** 8 characters. **Max-length:** 123 characters. **Complexity requirements:** 3 out of 4 conditions below need to be fulfilled: has lower characters; has upper characters; has a digit; has a special character (regex match `[\W_]`). **Disallowed values:** "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!"
- `admin_username`**Type**: `STRING`**Provider name**: `adminUsername`**Description**: Specifies the name of the administrator account. **Restriction:** Cannot end in ".". **Disallowed values:** "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". **Minimum-length:** 1 character. **Max-length:** 20 characters.
- `enable_csi_proxy`**Type**: `BOOLEAN`**Provider name**: `enableCSIProxy`**Description**: For more details on CSI proxy, see the [CSI proxy GitHub repo](https://github.com/kubernetes-csi/csi-proxy).
- `gmsa_profile`**Type**: `STRUCT`**Provider name**: `gmsaProfile`**Description**: The Windows gMSA Profile in the Managed Cluster.
  - `dns_server`**Type**: `STRING`**Provider name**: `dnsServer`**Description**: Specifies the DNS server for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Specifies whether to enable Windows gMSA in the managed cluster.
  - `root_domain_name`**Type**: `STRING`**Provider name**: `rootDomainName`**Description**: Specifies the root domain name for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.
- `license_type`**Type**: `STRING`**Provider name**: `licenseType`**Description**: The license type to use for Windows VMs. See [Azure Hybrid User Benefits](https://azure.microsoft.com/pricing/hybrid-benefit/faq/) for more details.

## `workload_auto_scaler_profile`{% #workload_auto_scaler_profile %}

**Type**: `STRUCT`**Provider name**: `properties.workloadAutoScalerProfile`

- `keda`**Type**: `STRUCT`**Provider name**: `keda`
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable KEDA.
- `vertical_pod_autoscaler`**Type**: `STRUCT`**Provider name**: `verticalPodAutoscaler`
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether to enable VPA. Default value is false.
