Build and configure AKS on Azure using Terraform

Creating a user for your Azure account

subscription_id, tenant_id, client_id, and client_secret.
  • The top red mark is your storage_account_name
  • In the middle you have your container_name
  • The last one you have your key (file name)

Starting Terraform locally

terraform init \
-backend-config "container_name=<your folder inside Azure Blob Storage>" \
-backend-config "storage_account_name=<your Azure Storage Name>" \
-backend-config "key=<file name to be stored>" \
-backend-config "subscription_id=<subscription ID of your account>" \
-backend-config "client_id=<your username>" \
-backend-config "client_secret=<your password>" \
-backend-config "tenant_id=<tenant id>" \
-backend-config "resource_group_name=<resource group name to find your Blob Storage>"

Planning your deploy — Terraform plan

terraform plan \
-var 'client_id=<client_id>' \
-var 'client_secret=<secret_id>' \
-var 'subscription_id=<subscription_id>' \
-var 'tenant_id=<tenant_id>' \
-var 'timestamp=<timestamp>' \
-var 'acr_reader_user_client_id=<User client ID to read ACR>' \
-var 'acr_reader_user_secret_key=<User secret to read ACR>' \
-var-file="<your additional vars file name. Suggestion: rootVars-dev.tfvars>" \
-out tfout.log
  • TIMESTAMP — this is the timestamp of when you are running this terraform plan. It is intended to help with the blue/green deployment strategy. The timestamp is a simple string that will be added to the end of your resource group name. The resource group name will have the following format: “fixedRadical-environment-timestamp”. You can check how it’s built on file tf_infrastructure/modules/common/
  • ACR_READER_USER_CLIENT_ID — This is the client_id used by your Kubernetes to go and read the ACR (Azure Container Registry) to retrieve your docker images for deployment. You should use a new one with fewer privileges than the main client_id we’re using.
  • ACR_READER_USER_SECRET_KEY — This is the client secret (password) of the above client_id.
  • -VAR-FILE — Terraform allows us to add variables in a file instead of on the command line like we’ve been using. Do not store sensitive information inside this file. You have an example on tf_infrastructure/rootVars-dev.tfvars file
  • TFOUT.LOG — This is the name of the file to which Terraform will store the plan to achieve your Terraform configuration

Deploying the infrastructure — Terraform apply

terraform apply tfout.log

Configuring kubectl to work connected to AKS

az aks get-credentials --name $(terraform output aks_name) --resource-group $(terraform output resource_group_name)

Applying our configuration to Kubernetes

1. PROFILE=dev
2. kubectl apply -f k8s_deployment-dev.yaml
3. kubectl apply -f


  1. Kubernetes will grab our PROFILE=dev environment variable and pass on to Spring Boot.
  2. The path where Kubernetes will pull our images from using ACR credentials.
  3. Liveness probe teaches Kubernetes how to understand if that container is running or not.
  4. NodeSelector tells Kubernetes in which node pool (using the node_labels we highlighted above) where the Pods should be run.

Configure K8S

kubectl apply -f k8s_deployment-dev.yaml
  • The services (example below) use the ClusterIP strategy. It will tell Kubernetes to create an internal Load Balancer to balance requests to your pods. The port tells which port receives requests and the targetPort tells which port in the service will handle requests. More info here.
  • Ingress strategy is the most important part:
  1. nginx is the class for your ingress strategy. It uses nginx implementation to load balance requests internally.
  2. /$1$2$3 is what Kubernetes should forward as the request URL to our pods. $1 means (api/company) highlighted in item 5. $2 means (/|$) and $3 means (.*)
  3. /$1/swagger-ui.html this is the default app root for our Pods
  4. Redirect from www — true — self-explanatory
  5. Path is the URL structure to pass on as variables to item 2
  • To add TLS yo our Kubernetes you have to generate your certificate and past key and crt on the highlighted areas below on base64 format. An example on Linux is like first image below. When adding the info to the file remember to past it as a single row without spaces, line breaks or others. Second image shows where to put the crt and key respectivelly.

Apply nginx Load Balancer

kubectl apply -f

Testing our Kubernetes deployment

kubectl get ingress --watch



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Guilherme Sesterheim

Guilherme Sesterheim

Sharing experiences on IT subjects. Working for AWS. DevOps, Kubernetes, Microservices, Terraform, Ansible, and Java