I have been testing out the Azure Verified Module for Azure Kubernetes Service that can be found in the Terraform Registry at https://registry.terraform.io/modules/Azure/avm-res-containerservice-managedcluster. This module came out in October 2024, so it's fairly new.

This module is suitable for enterprise-grade production environments, applies Microsoft best practices, and features RBAC and complex monitoring. It is also supported by Microsoft, so you can raise support requests through its GitHub repo. As of this writing, it is not generally available.
A common alternative is to use the azurerm module found at https://registry.terraform.io/modules/Azure/aks/azurerm/.

This is suitable for simpler, easier and faster deployments. It is not officially supported by Microsoft, only by the open source community, but it is widely used in organizations.
The AVM module provides a higher level of abstraction with better defaults, making it more suitable for enterprise deployments while simplifying compliance with Azure best practices.
One example scenario I have built deploys AKS, Azure Container Registry and a Log Analytics workspace. This includes a role assignment on the Azure Container Registry with the AcrPull role.

The following is my code, and you can build upon it.
For brevity, here are the core modules being called, but visit the link above for the full and latest code.

resource "azurerm_log_analytics_workspace" "this" {
  location            = azurerm_resource_group.this.location
  name                = module.naming.log_analytics_workspace.name
  resource_group_name = azurerm_resource_group.this.name
}

module "avm-res-containerservice-managedcluster" { # avm-res-containerservice-managedcluster
  # No version constraint is set here; pin one, as is done for the registry module below.
  source              = "Azure/avm-res-containerservice-managedcluster/azurerm" # Replaced to explicit source
  name                = module.naming.kubernetes_cluster.name
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location

  # Entra ID (Azure AD) integration with Azure RBAC for Kubernetes authorization
  azure_active_directory_role_based_access_control = {
    azure_rbac_enabled = true
    tenant_id          = data.azurerm_client_config.current.tenant_id
  }

  default_node_pool = {
    name       = "default"
    vm_size    = "Standard_DS2_v2"
    node_count = 3
    upgrade_settings = {
      max_surge = "10%" # This is the maximum number of nodes that can be added during an upgrade
    }
  }

  managed_identities = {
    system_assigned = true
  }

  # Send cluster diagnostics to the Log Analytics workspace
  diagnostic_settings = {
    to_la = {
      name                  = "to-la"
      workspace_resource_id = azurerm_log_analytics_workspace.this.id
    }
  }
}

module "avm-res-containerregistry-registry" {
  source                  = "Azure/avm-res-containerregistry-registry/azurerm"
  version                 = "0.4.0"
  name                    = module.naming.container_registry.name
  location                = azurerm_resource_group.this.location
  resource_group_name     = azurerm_resource_group.this.name
  sku                     = "Premium" # Basic, Standard, Premium
  zone_redundancy_enabled = false     # cost effective option

  managed_identities = {
    system_assigned = true
  }

  # Grant the cluster's kubelet identity pull-only access to the registry
  role_assignments = {
    role_01 = {
      principal_id               = module.avm-res-containerservice-managedcluster.kubelet_identity_id
      role_definition_id_or_name = "AcrPull"
    }
  }

  # Send registry diagnostics to the Log Analytics workspace
  diagnostic_settings = {
    to_la = {
      name                  = "to-la"
      workspace_resource_id = azurerm_log_analytics_workspace.this.id
    }
  }
}

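
A pre-apply check for this scenario, as an added example (not code from the original post or from the AVM project): it reads the JSON produced by `terraform show -json` on a saved plan and flags any role assignment other than AcrPull, and any cluster or registry whose module has no diagnostic setting pointing at Log Analytics. The sample plans are constructed, and it is an assumption that the modules create `azurerm_role_assignment` and `azurerm_monitor_diagnostic_setting` resources named `this` alongside their target resource.

```python
import json
ALLOWED_ROLES = {"AcrPull"}  # the only role the scenario grants
NEEDS_DIAGNOSTICS = {"azurerm_kubernetes_cluster", "azurerm_container_registry"}

def audit_plan(plan_json):
    """Return findings for `terraform show -json` output; empty list means pass."""
    changes = json.loads(plan_json).get("resource_changes", [])
    findings, logged_modules = [], set()
    for rc in changes:
        change = rc["change"]
        if change["actions"] == ["delete"]:
            continue  # resource will not exist afterwards
        after, unknown = change.get("after") or {}, change.get("after_unknown") or {}
        if rc["type"] == "azurerm_role_assignment":
            role = after.get("role_definition_name")
            if role not in ALLOWED_ROLES:
                findings.append(f"{rc['address']}: role {role!r} is not allow-listed")
        elif rc["type"] == "azurerm_monitor_diagnostic_setting":
            # The workspace ID is "known after apply" when the workspace is new.
            key = "log_analytics_workspace_id"
            if after.get(key) or unknown.get(key):
                logged_modules.add(rc.get("module_address"))
    for rc in changes:
        if (rc["type"] in NEEDS_DIAGNOSTICS and rc["change"]["actions"] != ["delete"]
                and rc.get("module_address") not in logged_modules):
            findings.append(f"{rc['address']}: no diagnostic setting to Log Analytics")
    return findings

def _rc(module, rtype, after=None, unknown=None):
    """Build one constructed resource_changes entry; resource name 'this' is assumed."""
    return {"address": f"{module}.{rtype}.this", "module_address": module,
            "type": rtype, "change": {"actions": ["create"], "after": after or {},
                                      "after_unknown": unknown or {}}}

# Constructed sample plans, not real Terraform output.
AKS = "module.avm-res-containerservice-managedcluster"
ACR = "module.avm-res-containerregistry-registry"
LA_UNKNOWN = {"log_analytics_workspace_id": True}
_COMMON = [_rc(AKS, "azurerm_kubernetes_cluster"),
           _rc(AKS, "azurerm_monitor_diagnostic_setting", unknown=LA_UNKNOWN),
           _rc(ACR, "azurerm_container_registry")]
GOOD_PLAN = json.dumps({"resource_changes": _COMMON + [
    _rc(ACR, "azurerm_monitor_diagnostic_setting", unknown=LA_UNKNOWN),
    _rc(ACR, "azurerm_role_assignment", {"role_definition_name": "AcrPull"})]})
BAD_PLAN = json.dumps({"resource_changes": _COMMON + [
    _rc(ACR, "azurerm_role_assignment", {"role_definition_name": "Contributor"})]})

if __name__ == "__main__":
    print(audit_plan(GOOD_PLAN), audit_plan(BAD_PLAN))
```

Role assignments that reference a role by definition ID rather than by name are also flagged, so the allow-list stays the single place where a broader grant has to be approved.
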
The result of the deployment in Azure Portal looks as follows.
Resource Group Resources

AKS Diagnostic settings to Log Analytics Resource

Azure Container Registry Diagnostic settings to the Log Analytics Workspace

Find Terraform AVM Resource Modules here
Where to go from here
If you are a beginner just testing and getting familiar with AKS, then I suggest going with https://registry.terraform.io/modules/Azure/aks/azurerm for its simplicity and smaller learning curve.
If you are more experienced with Terraform and working in more enterprise deployment scenarios with compliance and complex requirements such as private networking, then consider AVM: https://registry.terraform.io/modules/Azure/avm-res-containerservice-managedcluster
As I work with AVM modules, I really like the support available through raising GitHub Issues in their AVM repos for clarifying questions, errors and feedback. They may not get back to you quickly all the time, but someone from Microsoft will respond.
As Azure Verified Modules continue to be developed, I highly recommend getting familiar with these modules to be a more effective DevOps engineer overall.
Please follow my repo as I will add more deployment scenarios with more complexity in the coming months.