Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using Terraform
Article
Azure Kubernetes Service (AKS) is a managed Kubernetes service that lets you quickly deploy and manage clusters. In this quickstart, you:
Deploy an AKS cluster using Terraform.
Run a sample multi-container application with a group of microservices and web front ends simulating a retail scenario.
Note
To get started with quickly provisioning an AKS cluster, this article includes steps to deploy a cluster with default settings for evaluation purposes only. Before deploying a production-ready cluster, we recommend that you familiarize yourself with our baseline reference architecture to consider how it aligns with your business requirements.
First, log into your Azure account and authenticate using one of the methods described in the following section.
Terraform only supports authenticating to Azure with the Azure CLI. Authenticating using Azure PowerShell isn't supported. Therefore, while you can use the Azure PowerShell module when doing your Terraform work, you first need to authenticate to Azure.
Create a file named variables.tf and insert the following code:
Terraform
variable"resource_group_location" {
type = string
default = "eastus"
description = "Location of the resource group."
}
variable"resource_group_name_prefix" {
type = string
default = "rg"
description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription."
}
variable"node_count" {
type = number
description = "The initial quantity of nodes for the node pool."
default = 3
}
variable"msi_id" {
type = string
description = "The Managed Service Identity ID. Set this value if you're running this example using Managed Identity as the authentication method."
default = null
}
variable"username" {
type = string
description = "The admin username for the new cluster."
default = "azureadmin"
}
Create a file named outputs.tf and insert the following code:
Terraform
output"resource_group_name" {
value = azurerm_resource_group.rg.name
}
output"kubernetes_cluster_name" {
value = azurerm_kubernetes_cluster.k8s.name
}
output"client_certificate" {
value = azurerm_kubernetes_cluster.k8s.kube_config[0].client_certificate
sensitive = true
}
output"client_key" {
value = azurerm_kubernetes_cluster.k8s.kube_config[0].client_key
sensitive = true
}
output"cluster_ca_certificate" {
value = azurerm_kubernetes_cluster.k8s.kube_config[0].cluster_ca_certificate
sensitive = true
}
output"cluster_password" {
value = azurerm_kubernetes_cluster.k8s.kube_config[0].password
sensitive = true
}
output"cluster_username" {
value = azurerm_kubernetes_cluster.k8s.kube_config[0].username
sensitive = true
}
output"host" {
value = azurerm_kubernetes_cluster.k8s.kube_config[0].host
sensitive = true
}
output"kube_config" {
value = azurerm_kubernetes_cluster.k8s.kube_config_raw
sensitive = true
}
Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources.
Console
terraform init -upgrade
Key points:
The -upgrade parameter upgrades the necessary provider plugins to the newest version that complies with the configuration's version constraints.
The terraform plan command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan. Using the -out parameter ensures that the plan you reviewed is exactly what is applied.
Apply a Terraform execution plan
Run terraform apply to apply the execution plan to your cloud infrastructure.
Console
terraform apply main.tfplan
Key points:
The example terraform apply command assumes you previously ran terraform plan -out main.tfplan.
If you specified a different filename for the -out parameter, use that same filename in the call to terraform apply.
If you didn't use the -out parameter, call terraform apply without any parameters.
Verify the results
Get the Azure resource group name using the following command.
Verify the previous command didn't add an ASCII EOT character using the following command.
Console
cat ./azurek8s
Key points:
If you see << EOT at the beginning and EOT at the end, remove these characters from the file. Otherwise, you may receive the following error message: error: error loading config file "./azurek8s": yaml: line 2: mapping values are not allowed in this context
Set an environment variable so kubectl can pick up the correct config using the following command.
Console
export KUBECONFIG=./azurek8s
Verify the health of the cluster using the kubectl get nodes command.
Console
kubectl get nodes
Key points:
When you created the AKS cluster, monitoring was enabled to capture health metrics for both the cluster nodes and pods. These health metrics are available in the Azure portal. For more information on container health monitoring, see Monitor Azure Kubernetes Service health.
Several key values classified as output when you applied the Terraform execution plan. For example, the host address, AKS cluster user name, and AKS cluster password are output.
Deploy the application
To deploy the application, you use a manifest file to create all the objects required to run the AKS Store application. A Kubernetes manifest file defines a cluster's desired state, such as which container images to run. The manifest includes the following Kubernetes deployments and services:
Store front: Web application for customers to view products and place orders.
Product service: Shows product information.
Order service: Places orders.
Rabbit MQ: Message queue for an order queue.
Note
We don't recommend running stateful containers, such as Rabbit MQ, without persistent storage for production. These are used here for simplicity, but we recommend using managed services, such as Azure CosmosDB or Azure Service Bus.
Create a file named aks-store-quickstart.yaml and copy in the following manifest:
If you create and save the YAML file locally, then you can upload the manifest file to your default directory in CloudShell by selecting the Upload/Download files button and selecting the file from your local file system.
Deploy the application using the kubectl apply command and specify the name of your YAML manifest.
Console
kubectl apply -f aks-store-quickstart.yaml
The following example output shows the deployments and services:
Output
deployment.apps/rabbitmq created
service/rabbitmq created
deployment.apps/order-service created
service/order-service created
deployment.apps/product-service created
service/product-service created
deployment.apps/store-front created
service/store-front created
Test the application
When the application runs, a Kubernetes service exposes the application front end to the internet. This process can take a few minutes to complete.
Check the status of the deployed pods using the kubectl get pods command. Make all pods are Running before proceeding.
Console
kubectl get pods
Check for a public IP address for the store-front application. Monitor progress using the kubectl get service command with the --watch argument.
Azure CLI
kubectl get service store-front--watch
The EXTERNAL-IP output for the store-front service initially shows as pending:
Output
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
store-front LoadBalancer 10.0.100.10 <pending> 80:30025/TCP 4h4m
Once the EXTERNAL-IP address changes from pending to an actual public IP address, use CTRL-C to stop the kubectl watch process.
The following example output shows a valid public IP address assigned to the service:
Output
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
store-front LoadBalancer 10.0.100.10 20.62.159.19 80:30025/TCP 4h5m
Open a web browser to the external IP address of your service to see the Azure Store app in action.
Clean up resources
Delete AKS resources
When you no longer need the resources created via Terraform, do the following steps:
The terraform plan command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan. Using the -out parameter ensures that the plan you reviewed is exactly what is applied.
You can review the application code used in the Azure-Samples/aks-store-demo repo.
Clone the Azure Developer CLI template
The Azure Developer CLI allows you to quickly download samples from the Azure-Samples repository. In our quickstart, you download the aks-store-demo application. For more information on the general uses cases, see the azd overview.
Clone the AKS store demo template from the Azure-Samples repository using the azd init command with the --template parameter.
Azure Developer CLI
azd init --template Azure-Samples/aks-store-demo
Enter an environment name for your project that uses only alphanumeric characters and hyphens, such as aks-terraform-1.
Output
Enter a new environment name: aks-terraform-1
Sign in to your Azure Cloud account
The azd template contains all the code needed to create the services, but you need to sign in to your Azure account in order to host the application on AKS.
Sign in to your account using the azd auth login command.
Azure Developer CLI
azd auth login
Copy the device code that appears in the output and press enter to sign in.
Output
Start by copying the next code: XXXXXXXXX
Then press enter and continue to log in from your browser...
Important
If you're using an out-of-network virtual machine or GitHub Codespace, certain Azure security policies cause conflicts when used to sign in with azd auth login. If you run into an issue here, you can follow the azd auth workaround provided, which involves using a curl request to the localhost URL you were redirected to after running azd auth login.
Authenticate with your credentials on your organization's sign in page.
Confirm that it's you trying to connect from the Azure CLI.
Verify the message "Device code authentication completed. Logged in to Azure." appears in your original terminal.
Output
Waiting for you to complete authentication in the browser...
Device code authentication completed.
Logged in to Azure.
azd auth workaround
This workaround requires you to have the Azure CLI installed.
Open a terminal window and log in with the Azure CLI using the az login command with the --scope parameter set to https://graph.microsoft.com/.default.
Azure CLI
az login --scope https://graph.microsoft.com/.default
You should be redirected to an authentication page in a new tab to create a browser access token, as shown in the following example:
Copy the localhost URL of the webpage you received after attempting to sign in with azd auth login.
In a new terminal window, use the following curl request to log in. Make sure you replace the <localhost> placeholder with the localhost URL you copied in the previous step.
Console
curl <localhost>
A successful login outputs an HTML webpage, as shown in the following example:
Output
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="refresh" content="60;url=https://docs.microsoft.com/cli/azure/">
<title>Login successfully</title>
<style>
body {
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
}
code {
font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace;
display: inline-block;
background-color: rgb(242, 242, 242);
padding: 12px 16px;
margin: 8px 0px;
}
</style>
</head>
<body>
<h3>You have logged into Microsoft Azure!</h3>
<p>You can close this window, or we will redirect you to the <a href="https://docs.microsoft.com/cli/azure/">Azure CLI documentation</a> in 1 minute.</p>
<h3>Announcements</h3>
<p>[Windows only] Azure CLI is collecting feedback on using the <a href="https://learn.microsoft.com/windows/uwp/security/web-account-manager">Web Account Manager</a> (WAM) broker for the login experience.</p>
<p>You may opt-in to use WAM by running the following commands:</p>
<code>
az config set core.allow_broker=true<br>
az account clear<br>
az login
</code>
</body>
</html>
Close the current terminal and open the original terminal. You should see a JSON list of your subscriptions.
Copy the id field of the subscription you want to use.
To deploy the application, you use the azd up command to create all the objects required to run the AKS Store application.
An azure.yaml file defines a cluster's desired state, such as which container images to fetch and includes the following Kubernetes deployments and services:
Store front: Web application for customers to view products and place orders.
Product service: Shows product information.
Order service: Places orders.
Rabbit MQ: Message queue for an order queue.
Note
We don't recommend running stateful containers, such as Rabbit MQ, without persistent storage for production. These are used here for simplicity, but we recommend using managed services, such as Azure Cosmos DB or Azure Service Bus.
Deploy application resources
The azd template for this quickstart creates a new resource group with an AKS cluster and an Azure Key Vault. The key vault stores client secrets and runs the services in the pets namespace.
Create all the application resources using the azd up command.
Azure Developer CLI
azd up
azd up runs all the hooks inside of the azd-hooks folder to preregister, provision, and deploy the application services.
Customize hooks to add custom code into the azd workflow stages. For more information, see the azd hooks reference.
Select an Azure subscription for your billing usage.
Output
? Select an Azure Subscription to use: [Use arrows to move, type to filter]
> 1. My Azure Subscription (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
Select a region to deploy your application to.
Output
Select an Azure location to use: [Use arrows to move, type to filter]
1. (South America) Brazil Southeast (brazilsoutheast)
2. (US) Central US (centralus)
3. (US) East US (eastus)
> 43. (US) East US 2 (eastus2)
4. (US) East US STG (eastusstg)
5. (US) North Central US (northcentralus)
6. (US) South Central US (southcentralus)
azd automatically runs the preprovision and postprovision hooks to create the resources for your application. This process can take a few minutes to complete. Once complete, you should see an output similar to the following example:
Output
SUCCESS: Your workflow to provision and deploy to Azure completed in 9 minutes 40 seconds.
Generate Terraform plans
Within your Azure Developer template, the /infra/terraform folder contains all the code used to generate the Terraform plan.
Terraform deploys and runs commands using terraform apply as part of azd's provisioning step. Once complete, you should see an output similar to the following example:
Output
Plan: 5 to add, 0 to change, 0 to destroy.
...
Saved the plan to: /workspaces/aks-store-demo/.azure/aks-terraform-azd/infra/terraform/main.tfplan
Test the application
When the application runs, a Kubernetes service exposes the application front end to the internet. This process can take a few minutes to complete.
Set your namespace as the demo namespace pets using the kubectl set-context command.
Check the status of the deployed pods using the kubectl get pods command. Make sure all pods are Running before proceeding.
Console
kubectl get pods
Check for a public IP address for the store-front application and monitor progress using the kubectl get service command with the --watch argument.
Console
kubectl get service store-front --watch
The EXTERNAL-IP output for the store-front service initially shows as pending:
Output
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
store-front LoadBalancer 10.0.100.10 <pending> 80:30025/TCP 4h4m
Once the EXTERNAL-IP address changes from pending to an actual public IP address, use CTRL-C to stop the kubectl watch process.
The following sample output shows a valid public IP address assigned to the service:
Output
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
store-front LoadBalancer 10.0.100.10 20.62.159.19 80:30025/TCP 4h5m
Open a web browser to the external IP address of your service to see the Azure Store app in action.
Delete the cluster
Once you're finished with the quickstart, clean up unnecessary resources to avoid Azure charges.
Delete all the resources created in the quickstart using the azd down command.
Azure Developer CLI
azd down
Confirm your decision to remove all used resources from your subscription by typing y and pressing Enter.
Output
? Total resources to delete: 14, are you sure you want to continue? (y/N)
Allow purge to reuse the quickstart variables if applicable by typing y and pressing Enter.
Output
[Warning]: These resources have soft delete enabled allowing them to be recovered for a period or time after deletion. During this period, their names can't be reused. In the future, you can use the argument --purge to skip this confirmation.
In this quickstart, you deployed a Kubernetes cluster and then deployed a simple multi-container application to it. This sample application is for demo purposes only and doesn't represent all the best practices for Kubernetes applications. For guidance on creating full solutions with AKS for production, see AKS solution guidance.
To learn more about AKS and walk through a complete code-to-deployment example, continue to the Kubernetes cluster tutorial.
Note: The author created this article with assistance from AI. Learn more
Collaborate with us on GitHub
The source for this content can be found on GitHub, where you can also create and review issues and pull requests. For more information, see our contributor guide.
Azure Kubernetes Service feedback
Azure Kubernetes Service is an open source project. Select a link to provide feedback:
Welcome to this interactive skills validation experience. Completing this module helps prepare you for the Deploy and manage containers with Azure Kubernetes Service assessment.
Build end-to-end solutions in Microsoft Azure to create Azure Functions, implement and manage web apps, develop solutions utilizing Azure storage, and more.