Azure AKS Deploy
Overview
The Azure AKS Deploy template provisions a secure, scalable, and highly available environment for microservices applications on Microsoft Azure. The deployment automates the creation of the essential infrastructure components and produces a baseline setup that is compliant with the Center for Internet Security (CIS) benchmarks. The template is highly configurable, so users can tailor the deployment to meet specific requirements.
List of resources
- AKS
- Application gateways
- Container registry
- Key vault
- DNS zone
- Private DNS zones
- Private Endpoints
- Storage Account
- Log Analytics workspace
- Application Insights
- Virtual network
Cloud Architecture
© Copyright BOS Framework 2024
Input Parameters
Input Variables | Descriptions | Default Values | Type | Supported Values |
---|---|---|---|---|
sp_client_id | Service Principal Client ID, used for authentication in Azure. | abcde123-4567-890f-12ab-34cd56789ef0 | string | |
sp_tenant_id | Azure AD Tenant ID, the identity provider for the service principal. | 12345678-abcd-1234-ef12-123456789abc | string | |
sp_subscription_id | Azure Subscription ID, specifying the target subscription. | abcdefgh-1234-5678-90ab-cdef12345678 | string | |
sp_name | Name or identifier for the Service Principal | myserviceprincipal | string | |
sp_client_secret | The secret key associated with the Service Principal for authentication. | mysecretclientsecret123 | string | |
storage_use_azuread | Whether the AzureRM provider should use Azure AD to connect to the Storage Blob APIs, rather than the SharedKey from the Storage Account. | true | bool | true, false |
resource_group_name | The name of the Azure Resource Group where resources will be deployed. | myrg | string | |
resource_group_location | Azure region where the Resource Group will be created. | eastus | string | |
resourcegroup_lock | Whether to apply a resource group-level lock. | true | bool | true, false |
resourcegroup_lock_level | Level of the resource group lock if resourcegroup_lock is set to true. | CanNotDelete | string | CanNotDelete, ReadOnly |
tags_name | A map of tags to apply to Azure resources. | '{"Environment":"Dev","ProductName":"JohnDoe"}' | map(string) | |
enable_defender_plans | Enable or disable Azure defender plans for the subscription. | true | bool | true, false |
security_center_resource_types | List of resource types to be covered by Azure Security Center. | ["CloudPosture", "VirtualMachines", "AppServices", "SqlServers", "SqlServerVirtualMachines", "OpenSourceRelationalDatabases", "CosmosDbs", "StorageAccounts", "Containers", "KeyVaults", "Arm", "Api"] | list | ["CloudPosture", "VirtualMachines", "AppServices", "SqlServers", "SqlServerVirtualMachines", "OpenSourceRelationalDatabases", "CosmosDbs", "StorageAccounts", "Containers", "KeyVaults", "Arm", "Api"] |
security_center_resource_types_tier | The Azure Security Center tier to use for the specified resource types. | ["Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard"] | list | ["Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard"] |
auto_provision_log_analytics_agent | Whether to automatically provision the Log Analytics agent on VMs within the VNet. | Off | string | Off, On |
vnet_name | The name of the Virtual Network (VNet). | my-vnet | string | |
vnet_subnet1_aks_name | The name of the first subnet for AKS. | my-subnet-1 | string | |
vnet_subnet2_appgw_name | The name of the second subnet for Application Gateway. | my-subnet-2 | string | |
vnet_subnet3_services_name | The name of the third subnet for services. | my-subnet-3 | string | |
vnet_address_space | The address space for the Virtual Network. | ["10.11.0.0/16"] | list | |
vnet_dns_servers | The DNS server IP addresses for the Virtual Network. | [] | list | |
vnet_subnet1_aks_address_prefix | The address prefix for the first subnet for AKS. | ["10.11.8.0/21"] | list | |
vnet_subnet2_appgw_address_prefix | The address prefix for the second subnet for Application Gateway. | ["10.11.16.0/24"] | list | |
vnet_subnet3_services_address_prefix | The address prefix for the third subnet for services. | ["10.11.24.0/23"] | list | |
vnet_subnet4_firewall_address_prefix | The address prefix for the fourth subnet for the firewall. | ["10.11.32.0/26"] | list | |
vnet_firewall_enable | Whether to enable the Azure Firewall in the VNet. | false | bool | true, false |
vnet_firewall_public_ip_zones | List of public IP address zones for the Azure Firewall. | ["1", "2", "3"] | list | ["1", "2", "3"] |
vnet_firewall_zones | List of zones for the Azure Firewall. | ["1", "2", "3"] | list | ["1", "2", "3"] |
vnet_firewall_sku | The SKU for the Azure Firewall. | AZFW_VNet | string | AZFW_VNet, AZFW_Hub |
vnet_firewall_tier | The threat intelligence tier for the Azure Firewall. | Standard | string | Premium, Standard, Basic |
vnet_firewall_threat_intel_mode | The threat intelligence mode for the Azure Firewall. | Deny | string | Deny, Alert |
vnet_ddos_protection_plan_enable | Whether to enable DDoS protection for the VNet. | false | bool | true, false |
vnet_ddos_protection_plan_name | The name for the DDoS protection plan. | my-ddos-plan | string | |
vnet_subnet1_aks_service_endpoints | The list of service endpoints to associate with subnet1. | ["Microsoft.KeyVault", "Microsoft.Storage", "Microsoft.ContainerRegistry"] | list | ["Microsoft.KeyVault", "Microsoft.Storage", "Microsoft.ContainerRegistry"] |
vnet_subnet3_service_endpoints | The list of service endpoints to associate with subnet3. | ["Microsoft.KeyVault", "Microsoft.Storage", "Microsoft.ContainerRegistry"] | list | ["Microsoft.KeyVault", "Microsoft.Storage", "Microsoft.ContainerRegistry"] |
natgw_public_ip_prefix_name | Name of the Public IP Prefix for the NAT Gateway. | my-nat-pub-ip-prefix | string | |
natgw_public_ip_prefix_length | Prefix length (subnet mask) for the Public IP Prefix. | 29 | number | 28,29,30,31 |
natgw_public_ip_prefix_zones | Availability zones for the Public IP Prefix. | ["1"] | list | ["1", "2", "3"] |
natgw_public_ip_name | Name of the Public IP address for the NAT Gateway. | my-nat-pub-ip | string | |
natgw_public_ip_allocation_method | IP address allocation method for the Public IP. | Static | string | Dynamic, Static |
natgw_public_ip_sku | SKU (service tier) for the Public IP address. | Standard | string | Basic, Standard |
natgw_public_ip_zones | Availability zones for the Public IP address of the NAT Gateway. | ["1"] | list | ["1", "2", "3"] |
natgw_name | Name of the NAT Gateway. | my-nat-gateway | string | |
natgw_idle_timeout_in_minutes | Idle timeout in minutes for the NAT Gateway's outbound connections. | 4 | number | |
natgw_sku | SKU (service tier) for the NAT Gateway. | Standard | string | Basic, Standard |
natgw_zones | Availability zones for the NAT Gateway. | ["1"] | list | ["1", "2", "3"] |
network_watchername | Name of the Network Watcher resource. | NetworkWatcher_eastus | string | NetworkWatcher_region |
network_watcher_exists | Indicates whether the Network Watcher resource exists or not. | false | bool | true, false |
nsg_flow_logs_enable | Whether to enable Network Security Group (NSG) flow logs. | false | bool | true, false |
vnet_subnet1_aks_nsg_name | Name of the Network Security Group (NSG) for the first subnet used by AKS. | my-nsg-1 | string | |
vnet_subnet1_aks_nsg_rules | Rules defined for the Network Security Group (NSG) in the first subnet used by AKS. | {"rule1": {"name": "sn01-nsg-rule-01","priority": 1000,"direction": "Inbound","access": "Deny","protocol": "Tcp","source_port_range": "*","destination_port_range": "22","source_address_prefix": "*","destination_address_prefix": "*"},"rule2": {"name": "sn01-nsg-rule-02","priority": 2000,"direction": "Inbound","access": "Deny","protocol": "Tcp","source_port_range": "*","destination_port_range": "3389","source_address_prefix": "*","destination_address_prefix": "*"}} | map(json) | It should consist of name, priority, direction, access, protocol, source_port_range, destination_port_range, source_address_prefix and destination_address_prefix for each rule. |
vnet_subnet3_services_nsg_name | Name of the Network Security Group (NSG) for the third subnet used for services. | my-nsg-3 | string | |
vnet_subnet3_services_nsg_rules | Rules defined for the Network Security Group (NSG) in the third subnet used for services. | {"rule1": {"name": "sn03-nsg-rule-01","priority": 1000,"direction": "Inbound","access": "Deny","protocol": "Tcp","source_port_range": "*","destination_port_range": "22","source_address_prefix": "*","destination_address_prefix": "*"},"rule2": {"name": "sn03-nsg-rule-02","priority": 2000,"direction": "Inbound","access": "Deny","protocol": "Tcp","source_port_range": "*","destination_port_range": "3389","source_address_prefix": "*","destination_address_prefix": "*"}} | map(json) | It should consist of name, priority, direction, access, protocol, source_port_range, destination_port_range, source_address_prefix and destination_address_prefix for each rule. |
vnet_subnet1_aks_nsg_flow_log_name | Name of the flow log for the Network Security Group (NSG) in the first subnet used by AKS. | my-nsg-1-flow-log | string | |
vnet_subnet1_aks_nsg_flow_log_enabled | Whether flow logging is enabled for the Network Security Group (NSG) in the first subnet used by AKS. | true | bool | true, false |
vnet_subnet1_aks_nsg_flow_log_retention_enabled | Whether log retention is enabled for the flow log of the Network Security Group (NSG) in the first subnet used by AKS. | true | bool | true, false |
vnet_subnet1_aks_nsg_flow_log_retention_in_days | Number of days to retain flow log data for the Network Security Group (NSG) in the first subnet used by AKS. | 90 | number | |
vnet_subnet3_services_nsg_flow_log_name | Name of the flow log for the Network Security Group (NSG) in the third subnet used for services. | my-nsg-3-flow-log | string | |
vnet_subnet3_services_nsg_flow_log_enabled | Whether flow logging is enabled for the Network Security Group (NSG) in the third subnet used for services. | true | bool | true, false |
vnet_subnet3_services_nsg_flow_log_retention_enabled | Whether log retention is enabled for the flow log of the Network Security Group (NSG) in the third subnet used for services. | true | bool | true, false |
vnet_subnet3_services_nsg_flow_log_retention_in_days | Number of days to retain flow log data for the Network Security Group (NSG) in the third subnet used for services. | 90 | number | |
vnet_subnet1_aks_nsg_flow_log_traffic_analytics_enabled | Whether traffic analytics is enabled for the flow log of the Network Security Group (NSG) in the first subnet used by AKS. | true | bool | true, false |
vnet_subnet1_aks_nsg_flow_log_traffic_analytics_interval_in_minutes | Interval in minutes for traffic analytics for the flow log of the Network Security Group (NSG) in the first subnet used by AKS. | 60 | number | 10, 60 |
vnet_subnet3_services_nsg_flow_log_traffic_analytics_enabled | Whether traffic analytics is enabled for the flow log of the Network Security Group (NSG) in the third subnet used for services. | true | bool | true, false |
vnet_subnet3_services_nsg_flow_log_traffic_analytics_interval_in_minutes | Interval in minutes for traffic analytics for the flow log of the Network Security Group (NSG) in the third subnet used for services. | 60 | number | 10, 60 |
vnet_subnet1_aks_nsg_flow_log_version | Version of the flow log for the Network Security Group (NSG) in the first subnet used by AKS. | 2 | number | 1, 2 |
vnet_subnet3_services_nsg_flow_log_version | Version of the flow log for the Network Security Group (NSG) in the third subnet used for services. | 2 | number | 1, 2 |
vnet_diagnostic_log_enable | Whether to enable diagnostic logs for the Virtual Network (VNet). | true | bool | true, false |
vnet_diagnostic_log_name | Name of the diagnostic logs for the Virtual Network (VNet). | my-vnet-logs | string | |
vnet_diagnostic_log_category_group | Category of diagnostic logs to enable for the Virtual Network (VNet). | allLogs | string | allLogs |
require_vnet_peering | Whether to enable VNet peering. | false | bool | true, false |
vnet_peering_configs | Configuration of the VNet peering. | [{"new_vnet_name": "myexistingvnet","new_vnet_rg": "myexistingvnetrg","peering_name_1": "peer1to2","peering_name_2": "peer2to1","allow_gateway_transit": false,"allow_vnet_access": true,"allow_forwarded_traffic": true}] | map(json) | It should consist of new_vnet_name, new_vnet_rg, peering_name_1, peering_name_2, allow_gateway_transit, allow_vnet_access, allow_forwarded_traffic for each peering. |
private_dns_zone | Name of the Private DNS Zone to configure. | mywebsite.internal.com | string | |
private_dns_vnetlink_name | Name of the Private DNS Virtual Network Link. | my-vnet-link | string | |
public_dns_enable | Whether to create a Public DNS Zone. | true | bool | true, false |
public_dns_zone | Name of the public DNS zone for a Virtual Network. | mywebsite.com | string | |
acr_sku | The SKU (service tier) for the Azure Container Registry (ACR). | Premium | string | Basic, Standard, Premium |
acr_admin_enabled | Whether administrative user access is enabled for the ACR. | true | bool | true, false |
acr_name | Name of the Azure Container Registry (ACR). | mycontainerregistry | string | |
acr_zone_redundancy_enabled | Whether geo-replication (zone redundancy) is enabled for the ACR. | true | bool | true, false |
aks_role_definitionname | Name of the role definition to be assigned to the AKS service principal. | AcrPull | string | AcrPull |
aks_acr_skip_service_principal_aad_check | Whether to skip the Azure AD check for the AKS service principal. | true | bool | true, false |
acr_private_endpoint_name | Name of the Private Endpoint for the Azure Container Registry (ACR). | mycontainerregistry-pvep | string | |
acr_private_dns_zone | Name of the Private DNS Zone for the ACR Private Endpoint. | privatelink.azurecr.io | string | privatelink.azurecr.io |
acr_private_service_connection_name | Name of the Private Service Connection for the ACR. | mycontainerregistry-svc | string | |
acr_private_service_is_manual_connection | Whether the Private Service Connection is a manual connection. | false | bool | true, false |
acr_private_service_connection_subresource | Name of the Private Service Connection Subresource for the ACR. | ["registry"] | list | ["registry"] |
acr_private_dns_zone_group_name | Name of the Private DNS Zone Group for the ACR. | mycontainerregistry-dns-grp | string | |
acr_dns_vnet_link | Name of the DNS Virtual Network Link for the ACR. | mycontainerregistry-vnet-link | string | |
acr_public_network_access_enabled | Enable or disable public network access for the ACR. | true | bool | true, false |
acr_network_rule_bypass_option | Bypass option for network rules in the ACR | AzureServices | string | AzureServices, None |
acr_network_rule_set_default_action | Default action for network rules in the ACR | Deny | string | Allow, Deny |
acr_network_rule_set_ip_rule_action | Action for IP rules in the network rule set | Allow | string | Allow, Deny |
acr_network_rule_set_ip_rule_ip_range | IP range for IP rules in the network rule set. | ["45.127.59.60/32"] | list | |
acr_diagnostic_log_enable | Enable or disable diagnostic logs for the Azure Container Registry (ACR). | true | bool | true, false |
acr_diagnostic_log_name | Name of the diagnostic logs setting for the Azure Container Registry (ACR). | my-acr-logs | string | |
acr_diagnostic_log_archive_enable | Specifies whether archiving of diagnostic logs for an Azure Container Registry (ACR) is enabled | true | bool | true, false |
acr_diagnostic_diagnostic_log_destination_type | Specifies the type of destination for diagnostic logs generated by an Azure Container Registry (ACR). | Dedicated | string | AzureDiagnostics, Dedicated |
acr_diagnostic_log_category_group | Category of diagnostic logs to enable for the ACR. | audit | string | allLogs, audit |
key_vault_name | Name of the Azure Key Vault. | my-keyvault | string | |
keyvault_enabled_for_disk_encryption | Whether the Key Vault is enabled for disk encryption. | true | bool | true, false |
keyvault_soft_delete_retention_days | The number of days for soft delete retention for the Key Vault. | 7 | number | |
keyvault_sku | The SKU (service tier) for the Azure Key Vault. | standard | string | Standard, Premium |
key_vault_secret_expiration_date | Expiration date for a secret in the Key Vault. | "2024-12-31T11:59:59.000Z" | string | |
keyvault_private_endpoint_name | Name of the Private Endpoint for the Key Vault. | my-kv-pvep | string | |
keyvault_private_dns_zone | Name of the Private DNS Zone for the Key Vault Private Endpoint. | privatelink.vaultcore.azure.net | string | privatelink.vaultcore.azure.net |
keyvault_private_service_connection_name | Name of the Private Service Connection for the Key Vault. | my-kv-svc | string | |
keyvault_private_service_is_manual_connection | Whether the Private Service Connection is a manual connection. | false | bool | true, false |
keyvault_private_service_connection_subresource | Name of the Private Service Connection Subresource for the Key Vault. | ["Vault"] | list | ["Vault"] |
keyvault_private_dns_zone_group_name | Name of the Private DNS Zone Group for the Key Vault. | my-kv-pv-grp | string | |
keyvault_dns_vnet_link | Name of the DNS Virtual Network Link for the Key Vault. | my-pv-vnet-link | string | |
keyvault_purge_protection_enabled | Whether purge protection is enabled for the Key Vault. | true | bool | true, false |
keyvault_enable_rbac_authorization | Whether RBAC (Role-Based Access Control) authorization is enabled for the Key Vault. | true | bool | true, false |
keyvault_public_network_access_enabled | Enable or disable public network access for the Key Vault. | true | bool | true, false |
keyvault_network_acls_default_action | Default action for network access control lists (ACLs) in the Key Vault. | Deny | string | Allow, Deny |
keyvault_network_acls_bypass | Bypass option for network ACLs in the Key Vault. | AzureServices | string | AzureServices, None |
keyvault_network_acls_ip_rules | IP rules for network access control lists (ACLs) in the Key Vault. | ["45.127.59.60/32"] | list | |
key_vault_diagnostic_log_enable | Enable or disable diagnostic logs for the Azure Key Vault. | true | bool | true, false |
key_vault_diagnostic_log_name | Name of the diagnostic logs setting for the Azure Key Vault. | my-keyvault-logs | string | |
key_vault_diagnostic_log_archive_enable | Specifies whether archiving of diagnostic logs for an Azure Key Vault is enabled | true | bool | true, false |
key_vault_diagnostic_log_destination_type | Specifies the type of destination for diagnostic logs generated by an Azure Key Vault. | Dedicated | string | AzureDiagnostics, Dedicated |
key_vault_diagnostic_log_category_group | Category of diagnostic logs to enable for the Key Vault. | audit | string | allLogs, audit |
log_analytics_workspace_name | Name of the Log Analytics workspace. | my-log-analytics | string | |
log_analytics_workspace_sku | SKU (service tier) for the Log Analytics workspace. | PerGB2018 | string | Free, PerNode, Premium, Standard, Standalone, Unlimited, CapacityReservation, PerGB2018 |
log_retention_in_days | Number of days to retain log data in the Log Analytics workspace. | 30 | number | |
log_analytics_daily_quota_gb | Daily data ingestion quota in gigabytes for the Log Analytics workspace. | 3 | number | |
log_analytics_action_group_name | Name of the Action Group associated with the Log Analytics workspace. | mydailycapactiongrp | string | |
log_analytics_action_group_short_name | Short name or identifier for the Action Group. | mydailycapgrp | string | |
log_analytics_daily_cap_alert_emails | List of email addresses for recipients of daily capacity alerts. | ["user1@example.com"] | list | |
log_analytics_action_group_common_schema | Use a common schema for the Action Group. | true | bool | true, false |
log_analytics_daily_cap_alert_name | Name of the daily capacity alert in Log Analytics. | mydailycaplogalert | string | |
log_analytics_daily_cap_alert_evaluation_frequency | Frequency of evaluation for the daily capacity alert. | PT10M | string | |
log_analytics_daily_cap_alert_window_duration | Duration of the evaluation window for the daily capacity alert. | PT10M | string | |
log_analytics_daily_cap_alert_severity | Severity level for the daily capacity alert. | 2 | number | 1, 2, 3, 4 |
log_analytics_daily_cap_alert_auto_mitigation_enabled | Enable or disable automatic mitigation for the daily capacity alert. | false | bool | true, false |
log_analytics_daily_cap_alert_storage_enabled | Enable or disable alert data storage for the daily capacity alert. | false | bool | true, false |
log_analytics_daily_cap_alert_enabled | Enable or disable the daily capacity alert. | true | bool | true, false |
log_analytics_daily_cap_alert_query_time_range_override | Time range override for the daily capacity alert. | P1D | string | |
application_insights_name | Name of the Application Insights resource. | my-prv-app-insights | string | |
application_insights_application_type | Type or category of the Application Insights resource. | Node.JS | string | ios, java, MobileCenter, Node.JS, other, phone, store, web |
private_aks_name | Name of the private Azure Kubernetes Service (AKS) cluster. | my-prv-aks-cluster | string | |
private_aks_dns_prefix | DNS prefix for the private AKS cluster. | my-prv-aks-cluster-dns | string | |
private_aks_version | Version of Kubernetes to use for the private AKS cluster. | 1.27.3 | string | |
private_aks_nodepoolname | Name of the node pool in the private AKS cluster. | np01 | string | |
private_aks_nodepool_size | Size of nodes in the node pool of the private AKS cluster. | Standard_D4ds_v4 | string | |
private_aks_nodepool_enable_auto_scaling | Whether to enable auto-scaling for the node pool in the private AKS cluster. | true | bool | true, false |
private_aks_nodepool_max_count | Maximum number of nodes in the node pool when auto-scaling is enabled. | 2 | number | |
private_aks_nodepool_min_count | Minimum number of nodes in the node pool when auto-scaling is enabled. | 1 | number | |
private_aks_nodepool_os_disk_type | Type of OS disk for nodes in the node pool of the private AKS cluster. | Ephemeral | string | Ephemeral, Managed |
private_aks_nodepool_temp_name_for_rotation | Name of the temporary node pool used for node rotation. | tempnp01 | string | |
private_aks_default_nodepool_identity | Identity to be assigned to the default node pool in the private AKS cluster. | SystemAssigned | string | SystemAssigned |
private_aks_network_plugin | Network plugin to use for the private AKS cluster. | azure | string | azure, kubenet, none |
private_aks_dns_service_ip | IP address for the DNS service in the private AKS cluster. | 10.10.0.10 | string | |
private_aks_service_cidr | Address space for services in the private AKS cluster. | 10.10.0.0/16 | string | |
private_aks_azure_policy_enabled | Whether Azure Policy is enabled for the private AKS cluster. | true | bool | true, false |
private_aks_network_policy | Network policy mode for the private AKS cluster. | azure | string | calico, azure, cilium |
private_aks_sku_tier | Tier (service level) for the private AKS cluster. | Standard | string | Standard, Free |
private_aks_zones | Availability zones for the private AKS cluster. | ["1", "2", "3"] | list | ["1", "2", "3"] |
private_aks_api_server_access_profile_authorized_ip_ranges | Authorized IP ranges for accessing the private AKS API server. | ["45.127.59.60/32"] | list | |
private_aks_automatic_channel_upgrade | Whether to enable automatic channel upgrades for the private AKS cluster. | node-image | string | patch, rapid, node-image, stable |
private_aks_diagnostic_log_enable | Enable or disable diagnostic logs for the private AKS cluster. | true | bool | true, false |
private_aks_diagnostic_log_name | Name of the diagnostic logs setting for the private AKS cluster. | my-aks-logs | string | |
private_aks_log_archive_enable | Specifies whether archiving of diagnostic logs for private AKS cluster is enabled | true | bool | true, false |
private_aks_diagnostic_log_destination_type | Specifies the type of destination for diagnostic logs generated by private AKS cluster. | Dedicated | string | AzureDiagnostics, Dedicated |
private_aks_diagnostic_log_category_group | Category of diagnostic logs to enable for the private AKS cluster. | ["kube-audit", "kube-audit-admin", "kube-apiserver", "kube-controller-manager", "kube-scheduler"] | string | ["kube-audit", "kube-audit-admin", "kube-apiserver", "kube-controller-manager", "kube-scheduler", "csi-snapshot-controller", "csi-azurefile-controller", "csi-azuredisk-controller", "cluster-autoscaler", "cloud-controller-manager"] |
aks_services_allowed_port_policy_name | Name of the policy that allows specific ports in the AKS cluster. | AKS-Allowed-Ports-Policy | string | |
aks_services_allowed_port_policy_effect | Effect of the policy for allowing specific ports in the AKS cluster. | deny | string | Allow, Deny |
aks_services_allowed_ports | List of allowed ports in the AKS cluster. | ["443", "80"] | list | |
aks_services_allowed_port_policy_excludednamespaces | Namespaces to exclude from the port policy in the AKS cluster. | ["kube-system", "kube-node-lease", "kube-public", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system"] | list | |
aks_allowed_container_registries_policy_name | Name of the policy that allows specific container registries in the AKS cluster. | AKS-Allowed-Container_Registries-Policy | string | |
aks_allowed_container_registries_policy_effect | Effect of the policy for allowing specific container registries in the AKS cluster. | deny | string | Allow, Deny |
aks_allowed_container_registries_policy_excludednamespaces | Namespaces to exclude from the container registry policy in the AKS cluster. | ["kube-system", "kube-node-lease", "kube-public", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system"] | list | |
private_app_gateway_public_ip_name | Name of the public IP associated with the private Application Gateway. | my-ingress-appgw-pub-ip | string | |
private_app_gateway_public_ip_allocation_method | Allocation method for the public IP of the private Application Gateway. | Static | string | Dynamic, Static |
private_app_gateway_public_ip_sku | SKU (service tier) for the public IP of the private Application Gateway. | Standard | string | Basic, Standard |
private_app_gateway_public_ip_ddos_protection_mode | DDoS protection mode for the public IP of the private Application Gateway. | Disabled | string | Enabled, Disabled |
private_app_gateway_public_ip_zones | Availability zones for the public IP of the private Application Gateway. | ["1", "2", "3"] | list | ["1", "2", "3"] |
private_app_gateway_capacity | Capacity (instance count) for the private Application Gateway. | 2 | number | |
private_app_gateway_name | Name of the private Application Gateway. | my-ingress-appgw | string | |
private_app_gateway_sku | SKU (service tier) for the private Application Gateway. | WAF_v2 | string | Standard_Small, Standard_Medium, Standard_Large, Standard_v2, WAF_Medium, WAF_Large, WAF_v2 |
private_app_gateway_tier | Tier (performance level) for the private Application Gateway. | WAF_v2 | string | Standard, Standard_v2, WAF, WAF_v2 |
private_app_gateway_zones | Availability zones for the private Application Gateway. | ["1", "2", "3"] | list | ["1", "2", "3"] |
private_app_gateway_private_fe_address | Private IP address for the frontend of the private Application Gateway. | 10.11.16.10 | string | |
private_app_gateway_waf_enabled | Enable or disable Web Application Firewall (WAF) for the private Application Gateway. | true | bool | true, false |
private_app_gateway_waf_firewall_mode | Firewall mode for the WAF in the private Application Gateway. | Prevention | string | Detection, Prevention |
private_app_gateway_waf_rule_set_type | Type of WAF rule set for the private Application Gateway. | OWASP | string | OWASP, Microsoft_BotManagerRuleSet |
private_app_gateway_waf_rule_set_version | Version of the WAF rule set for the private Application Gateway. | 3.2 | string | 0.1, 1.0, 2.2.9, 3.0, 3.1, 3.2 |
private_app_gateway_ssl_policy_type | Specifies the type of SSL policy for the private Application Gateway. | Predefined | string | Predefined, Custom, CustomV2 |
private_app_gateway_ssl_policyname | Specifies the name of the SSL policy for the private Application Gateway. | AppGwSslPolicy20220101S | string | AppGwSslPolicy20150501, AppGwSslPolicy20220101, AppGwSslPolicy20220101S, AppGwSslPolicy20170401, AppGwSslPolicy20170401S |
private_app_gateway_diagnostic_log_enable | Enable or disable diagnostic logs for the private Application Gateway. | true | bool | true, false |
private_app_gateway_diagnostic_log_name | Name of the diagnostic logs setting for the private Application Gateway. | my-ingress-appgw-logs | string | |
private_app_gateway_log_archive_enable | Specifies whether archiving of diagnostic logs for private Application Gateway is enabled | true | bool | true, false |
private_app_gateway_diagnostic_log_destination_type | Specifies the type of destination for diagnostic logs generated by private Application Gateway. | Dedicated | string | AzureDiagnostics, Dedicated |
private_app_gateway_diagnostic_log_category_group | Category of diagnostic logs to enable for the private Application Gateway. | allLogs | string | allLogs |
require_main_public_app_gateway | Whether main public app gateway is required | true | bool | true, false |
main_public_app_gateway_public_ip_name | Name of the public IP associated with the main public Application Gateway. | my-main-app-gw-pub-ip | string | |
main_public_app_gateway_public_ip_allocation_method | Allocation method for the public IP of the main public Application Gateway. | Static | string | Dynamic, Static |
main_public_app_gateway_public_ip_sku | SKU (service tier) for the public IP of the main public Application Gateway. | Standard | string | Basic, Standard |
main_public_app_gateway_public_ip_ddos_protection_mode | DDoS protection mode for the public IP of the main public Application Gateway. | Disabled | string | Enabled, Disabled |
main_public_app_gateway_public_ip_zones | Availability zones for the public IP of the main public Application Gateway. | ["1", "2", "3"] | list | ["1", "2", "3"] |
main_public_app_gateway_capacity | Capacity (instance count) for the main public Application Gateway. | 2 | number | number |
main_public_app_gateway_name | Name of the main public Application Gateway. | my-main-app-gw | string | |
main_public_app_gateway_sku | SKU (service tier) for the main public Application Gateway. | WAF_v2 | string | Standard_Small, Standard_Medium, Standard_Large, Standard_v2, WAF_Medium, WAF_Large, WAF_v2 |
main_public_app_gateway_tier | Tier (performance level) for the main public Application Gateway. | WAF_v2 | string | Standard, Standard_v2, WAF, WAF_v2 |
main_public_app_gateway_zones | Availability zones for the main public Application Gateway. | ["1", "2", "3"] | list | ["1", "2", "3"] |
main_public_app_gateway_waf_enabled | Enable or disable Web Application Firewall (WAF) for the main public Application Gateway. | true | bool | true, false |
main_public_app_gateway_waf_firewall_mode | Firewall mode for the WAF in the main public Application Gateway. | Prevention | string | Detection, Prevention |
main_public_app_gateway_waf_rule_set_type | Type of WAF rule set for the main public Application Gateway. | OWASP | string | OWASP, Microsoft_BotManagerRuleSet |
main_public_app_gateway_waf_rule_set_version | Version of the WAF rule set for the main public Application Gateway. | 3.2 | string | 0.1, 1.0, 2.2.9, 3.0, 3.1, 3.2 |
main_public_app_gateway_ssl_policy_type | Specifies the type of SSL policy for the main public Application Gateway. | Predefined | string | Predefined, Custom, CustomV2 |
main_public_app_gateway_ssl_policyname | Specifies the name of the SSL policy for the main public Application Gateway. | AppGwSslPolicy20220101S | string | AppGwSslPolicy20150501, AppGwSslPolicy20220101, AppGwSslPolicy20220101S, AppGwSslPolicy20170401, AppGwSslPolicy20170401S |
main_public_app_gateway_diagnostic_log_enable | Enable or disable diagnostic logs for the main public Application Gateway. | true | bool | true, false |
main_public_app_gateway_diagnostic_log_name | Name of the diagnostic logs setting for the main public Application Gateway. | my-main-app-gw-logs | string | |
main_public_app_gateway_log_archive_enable | Specifies whether archiving of diagnostic logs for main public Application Gateway is enabled | true | bool | true, false |
main_public_app_gateway_diagnostic_log_destination_type | Specifies the type of destination for diagnostic logs generated by main public Application Gateway. | Dedicated | string | AzureDiagnostics, Dedicated |
main_public_app_gateway_diagnostic_log_category_group | Category of diagnostic logs to enable for the main public Application Gateway. | allLogs | string | allLogs |
storage_account_name | Name of the Azure Storage Account for nsg flow logs. | mynsglogsstorage | string | |
storage_account_tier | Tier for the Azure Storage Account for nsg flow logs. | Standard | string | Standard, Premium |
storage_account_kind | Kind of the Azure Storage Account for nsg flow logs. | StorageV2 | string | BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2 |
storage_account_replication_type | Replication type for the Azure Storage Account for nsg flow logs. | LRS | string | LRS, GRS, RAGRS, ZRS, GZRS, RAGZRS |
storage_account_access_tier | Access tier for the Azure Storage Account for nsg flow logs. | Hot | string | Hot, Cool |
storage_account_public_network_access_enabled | Enable or disable public network access for the Azure Storage Account for nsg flow logs. | true | bool | true, false |
storage_account_diagnostic_log_enable | Enable or disable diagnostic logs for the Azure Storage Account for nsg flow logs. | true | bool | true, false |
storage_account_diagnostic_log_name | Name of the diagnostic logs setting for the Azure Storage Account for nsg flow logs. | my-sa-logs | string | |
storage_account_diagnostic_log_archive_enable | Specifies whether archiving of diagnostic logs for Azure Storage Account is enabled for nsg flow logs. | true | bool | true, false |
storage_account_diagnostic_log_destination_type | Specifies the type of destination for diagnostic logs generated by Azure Storage Account for nsg flow logs. | Dedicated | string | AzureDiagnostics, Dedicated |
storage_account_diagnostic_log_category_group | Category of diagnostic logs to enable for the Azure Storage Account for nsg flow logs. | allLogs | string | allLogs |
storage_account_shared_access_key_enabled | Controls whether shared access keys are enabled for the storage account for nsg flow logs. | false | bool | true, false |
storage_account_allow_nested_items_to_be_public | Indicates whether nested items within containers can have public access | false | bool | true, false |
storage_account_enable_https_traffic_only | Enables HTTPS-only access to the storage account for nsg flow logs. | true | bool | true, false |
storage_account_infra_encryption_enabled | Enables infrastructure encryption for the storage account for nsg flow logs. | true | bool | true, false |
storage_account_min_tls_version | Specifies the minimum TLS version required for connections to the storage account for nsg flow logs. | TLS1_2 | string | TLS1_0, TLS1_1, TLS1_2 |
storage_account_uaid_name | Name of the user-assigned identity for storage account for nsg flow logs. | my-sa-uaid | string | |
storage_account_key_name | Name of the key for storage account user-assigned identity | my-sa-uaid-key | string | |
storage_account_key_type | Type of the key for nsg flow log storage account user-assigned identity | RSA | string | RSA |
storage_account_key_size | Size of the key for nsg flow log storage account user-assigned identity | 2048 | number | 2048, 3072, 4096 |
storage_account_key_opts | Options for the key for nsg flow log storage account user-assigned identity | ["unwrapKey", "wrapKey"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
storage_account_key_expire_after | Expiry duration for the key for nsg flow log storage account user-assigned identity | P24M | string | Duration in ISO 8601 format |
storage_account_key_rotation_time_before_expiry | Time before expiry to start key rotation for nsg flow log storage account identity | P22M | string | Duration in ISO 8601 format |
storage_account_key_notify_before_expiry | Time before expiry to notify for key rotation for nsg flow log storage account identity | P21M | string | Duration in ISO 8601 format |
storage_account_delete_retention_days | Specifies the number of days that the blob should be retained in nsg flow log storage account | 7 | number | 1-365 |
storage_account_container_delete_retention_days | Specifies the number of days that the container should be retained in nsg flow storage account | 7 | number | 1-365 |
storage_account_private_endpoint_enable | Enable or Disable private endpoint for nsg flow log storage account. | false | bool | true, false |
storage_account_private_endpoint_name | Name of the private endpoint for nsg flow log storage account. | my-sa-pvep | string | |
storage_account_private_service_connection_name | Name of the private service connection for nsg flow log storage account. | my-sa-svc | string | |
storage_account_private_service_is_manual_connection | Enable or disable manual private service connection for nsg flow log storage account. | false | bool | true, false |
storage_account_private_service_subresource | List of subresources for the private service connection. | ["blob"] | list(string) | ["blob"] |
storage_account_private_dns_zone | Private DNS zone for nsg flow log storage account. | privatelink.blob.cache.windows.net | string | privatelink.blob.cache.windows.net |
storage_account_private_dns_zone_vnet_link_name | Name of the VNet link for the private DNS zone. | my-sa-vnet-link | string | |
storage_account_private_dns_a_record_ttl | Time to live (TTL) for the private DNS A record in seconds. | 300 | number | |
security_center_contact_email_enable | Enable or disable security center contact email | false | bool | true, false |
security_center_contact_name | Name of the security center contact | user1contact | string | |
security_center_contact_email | Email address for security center contact | user1@example.com | string | |
security_center_alert_notifications | Enable or disable security center alert notifications | true | bool | true, false |
security_center_alerts_to_admins | Enable or disable sending security center alerts to admins | true | bool | true, false |
log_archive_enable | Enable or disable log archiving | true | bool | true, false |
log_archive_storage_account_name | Name of the storage account for log archiving | logarchivestorage | string | |
log_archive_storage_account_tier | Storage account tier for log archiving | Standard | string | Standard, Premium |
log_archive_storage_account_kind | Storage account kind for log archiving | StorageV2 | string | BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2 |
log_archive_storage_account_replication_type | Replication type for the log archiving storage account. | LRS | string | LRS, GRS, RAGRS, ZRS, GZRS, RAGZRS |
log_archive_storage_account_access_tier | Access tier for the log archiving storage account. | Cool | string | Hot, Cool |
log_archive_storage_account_public_network_access_enabled | Enable or disable public network access for the storage account for log archive. | true | bool | true, false |
log_archive_storage_account_versioning_enabled | Enable or disable versioning for the storage account used for log archive. | true | bool | true, false |
log_archive_storage_account_network_default_action | Default action for network traffic to log archive storage account | Deny | string | Deny, Allow |
log_archive_storage_account_network_ip_rules | List of IP addresses allowed to access the log archive storage account | ["45.127.59.60/32"] | list | |
log_archive_storage_account_network_bypass | List of network traffic types to bypass | ["AzureServices"] | list(string) | AzureServices, None |
log_archive_storage_account_shared_access_key_enabled | Whether shared access keys are enabled for the log archive storage account. | false | bool | true, false |
log_archive_storage_account_allow_nested_items_to_be_public | Whether nested items within the log archive storage account, such as blobs within containers, are allowed to be made public. | false | bool | true, false |
log_archive_storage_account_lifecycle_rule_name | Name of the lifecycle rule for log archiving storage account. | rule1 | string | |
log_archive_storage_account_lifecycle_rule_enabled | Enable or disable the lifecycle rule for log archiving storage account. | true | bool | true, false |
log_archive_storage_account_lifecycle_rule_blob_types | List of blob types to apply the lifecycle rule to | ["blockBlob", "appendBlob"] | list(string) | ["blockBlob", "appendBlob"] |
log_archive_storage_account_lifecycle_rule_delete_base_blob_after_days | Number of days to keep the base blob before deleting | 365 | number | |
log_archive_storage_account_lifecycle_rule_delete_snapshot_after_days | Number of days to keep the blob snapshot before deleting | 365 | number | |
log_archive_storage_account_lifecycle_rule_delete_version_after_days | Number of days to keep the blob version before deleting | 365 | number | |
log_archive_storage_account_enable_https_traffic_only | Enables HTTPS-only access to the log archive storage account. | true | bool | true, false |
log_archive_storage_account_infra_encryption_enabled | Enables infrastructure encryption for the log archive storage account. | true | bool | true, false |
log_archive_storage_account_min_tls_version | Specifies the minimum TLS version required for connections to the log archive storage account. | TLS1_2 | string | TLS1_0, TLS1_1, TLS1_2 |
log_archive_storage_account_uaid_name | Name of the user-assigned identity for log archive storage account. | my-log-archive-sa-uaid | string | |
log_archive_storage_account_key_name | Name of the key for log archive storage account user-assigned identity | my-log-archive-sa-uaid-key | string | |
log_archive_storage_account_key_type | Type of the key for log archive storage account user-assigned identity | RSA | string | RSA |
log_archive_storage_account_key_size | Size of the key for log archive storage account user-assigned identity | 2048 | number | 2048, 3072, 4096 |
log_archive_storage_account_key_opts | Options for the key for log archive storage account user-assigned identity | ["unwrapKey", "wrapKey"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
log_archive_storage_account_key_expire_after | Expiry duration for the key for log archive storage account user-assigned identity | P24M | string | Duration in ISO 8601 format |
log_archive_storage_account_key_rotation_time_before_expiry | Time before expiry to start key rotation for log archive storage account identity | P22M | string | Duration in ISO 8601 format |
log_archive_storage_account_key_notify_before_expiry | Time before expiry to notify for key rotation for log archive storage account identity | P21M | string | Duration in ISO 8601 format |
log_archive_storage_account_delete_retention_days | Specifies the number of days that the blob should be retained in log archive storage account | 7 | number | 1-365 |
log_archive_storage_account_container_delete_retention_days | Specifies the number of days that the container should be retained in log archive storage account | 7 | number | 1-365 |
log_archive_storage_account_private_endpoint_enable | Enable or Disable private endpoint for log archive storage account. | false | bool | true, false |
log_archive_storage_account_private_endpoint_name | Name of the private endpoint for log archive storage account. | my-log-archive-sa-pvep | string | |
log_archive_storage_account_private_service_connection_name | Name of the private service connection for log archive storage account. | my-log-archive-sa-svc | string | |
log_archive_storage_account_private_service_is_manual_connection | Enable or disable manual private service connection for log archive storage account. | false | bool | true, false |
log_archive_storage_account_private_service_subresource | List of subresources for the private service connection. | ["blob"] | list(string) | ["blob"] |
log_archive_storage_account_private_dns_zone | Private DNS zone for log archive storage account. | privatelink.blob.cache.windows.net | string | privatelink.blob.cache.windows.net |
log_archive_storage_account_private_dns_zone_vnet_link_name | Name of the VNet link for the private DNS zone. | my-log-archive-sa-vnet-link | string | |
log_archive_storage_account_private_dns_a_record_ttl | Time to live (TTL) for the private DNS A record in seconds. | 300 | number | |
storage_account_network_default_action | Default action for network traffic on a storage account | Deny | string | Deny, Allow |
storage_account_network_ip_rules | IP rules governing network access to a storage account | ["45.127.59.60/32"] | list | |
storage_account_network_bypass | Bypass rules for network traffic on a storage account | ["AzureServices"] | list(string) | AzureServices, None |
storage_account_key_expiration_date | Expiration date for the storage account key | "2024-12-31T11:59:59.000Z" | string | |
log_archive_storage_account_key_expiration_date | Expiration date for the storage account key used for log archival | "2024-12-31T11:59:59.000Z" | string | |
private_aks_nodepool_enable_host_encryption | Enable host encryption for a private AKS node pool | true | bool | true, false |
private_aks_cmk_encryption_enable | Enable Customer Managed Key (CMK) encryption for a private AKS | true | bool | true, false |
private_aks_key_name | Name of the key used for encryption in a private AKS environment | aks-encry-key | string | |
private_aks_key_type | Type of key used for encryption in a private AKS environment | RSA | string | RSA |
private_aks_key_size | Size of the key used for encryption in a private AKS environment | 2048 | number | 2048, 3072, 4096 |
private_aks_key_opts | Options associated with the key used for encryption in a private AKS environment | ["unwrapKey", "wrapKey"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
private_aks_key_expiration_date | Expiration date for the key used in a private AKS environment | "2024-12-31T11:59:59.000Z" | string | |
private_aks_key_rotation_time_before_expiry | Time before expiration when key rotation should begin in a private AKS environment | P22M | string | Duration in ISO 8601 format |
private_aks_key_expire_after | Time period after which the key in a private AKS environment should expire | P24M | string | Duration in ISO 8601 format |
private_aks_key_notify_before_expiry | Notification period before key expiration in a private AKS environment | P21M | string | Duration in ISO 8601 format |
acr_identity_type | Type of identity associated with an Azure Container Registry (ACR) | SystemAssigned, UserAssigned | string | SystemAssigned, UserAssigned |
acr_encryption_enable | Enable encryption for an Azure Container Registry (ACR) | true | bool | true, false |
acr_uaid_name | Name of the user-assigned identity associated with an ACR | test-acr-uaied | string | |
acr_key_name | Name of the key associated with an ACR | acr-encry-key | string | |
acr_key_type | Type of key associated with an ACR | RSA | string | RSA |
acr_key_size | Size of the key associated with an ACR | 2048 | number | 2048, 3072, 4096 |
acr_key_opts | Options associated with the key associated with an ACR | ["unwrapKey", "wrapKey"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
acr_key_expiration_date | Expiration date for the key associated with an ACR | "2024-12-31T11:59:59.000Z" | string | |
acr_key_rotation_time_before_expiry | Time before expiration when key rotation should begin for an ACR | P22M | string | Duration in ISO 8601 format |
acr_key_expire_after | Time period after which the key associated with an ACR should expire | P24M | string | Duration in ISO 8601 format |
acr_key_notify_before_expiry | Notification period before key expiration for an ACR | P21M | string | Duration in ISO 8601 format |
log_analytics_cmk_for_query_forced | Force the use of Customer Managed Key (CMK) for query in Log Analytics | true | bool | true, false |
private_aks_key_set_name | Name of the key set used for encryption in a private AKS environment | aks-key-set | string | |
private_aks_key_set_auto_rotation | Enable automatic rotation for the key set in a private AKS environment | true | bool | true, false |
private_aks_key_set_type | Type of key set used for encryption in a private AKS environment | EncryptionAtRestWithPlatformAndCustomerKeys | string | EncryptionAtRestWithPlatformAndCustomerKeys |
private_aks_key_set_identity_type | Type of identity associated with the key set in a private AKS environment | SystemAssigned | string | SystemAssigned |
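
Several inputs in the table above accept values weaker than their defaults (Detection mode, TLS1_0, shared access keys, default action Allow). The following is an added example, not part of the template: a pre-apply check that overlays your overrides on the page's defaults and reports weakened settings. The function names, the day approximation for ISO 8601 months, and the classification of the two older SSL policies are assumptions of this example.

```python
import re

STORAGE_PREFIXES = ("storage_account", "log_archive_storage_account")
KEY_PREFIXES = ("storage_account_key", "log_archive_storage_account_key",
                "private_aks_key", "acr_key")
GW = "main_public_app_gateway"
# Assumption of this example: these two predefined policies allow TLS 1.0/1.1.
WEAK_SSL_POLICIES = {"AppGwSslPolicy20150501", "AppGwSslPolicy20170401"}

# Baseline: the default values from the table for the inputs checked here.
PAGE_DEFAULTS = {
    f"{GW}_sku": "WAF_v2",
    f"{GW}_waf_enabled": True,
    f"{GW}_waf_firewall_mode": "Prevention",
    f"{GW}_ssl_policyname": "AppGwSslPolicy20220101S",
}
for _p in STORAGE_PREFIXES:
    PAGE_DEFAULTS.update({
        f"{_p}_min_tls_version": "TLS1_2",
        f"{_p}_shared_access_key_enabled": False,
        f"{_p}_public_network_access_enabled": True,
        f"{_p}_network_default_action": "Deny",
    })
for _k in KEY_PREFIXES:
    PAGE_DEFAULTS.update({f"{_k}_expire_after": "P24M",
                          f"{_k}_rotation_time_before_expiry": "P22M",
                          f"{_k}_notify_before_expiry": "P21M"})


def duration_days(text):
    """Approximate an ISO 8601 date duration (PnYnMnD) in days: Y=365, M=30."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?", text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    y, mo, d = (int(g or 0) for g in m.groups())
    return y * 365 + mo * 30 + d


def audit(overrides):
    """Return findings for the page defaults overlaid with `overrides`."""
    v = {**PAGE_DEFAULTS, **overrides}
    out = []
    if not v[f"{GW}_waf_enabled"] or not v[f"{GW}_sku"].startswith("WAF"):
        out.append(f"{GW}: WAF is off or the SKU is not a WAF SKU")
    elif v[f"{GW}_waf_firewall_mode"] != "Prevention":
        out.append(f"{GW}_waf_firewall_mode: Detection logs but does not block")
    if v[f"{GW}_ssl_policyname"] in WEAK_SSL_POLICIES:
        out.append(f"{GW}_ssl_policyname: policy permits TLS below 1.2")
    for p in STORAGE_PREFIXES:
        if v[f"{p}_min_tls_version"] != "TLS1_2":
            out.append(f"{p}_min_tls_version: below TLS1_2")
        if v[f"{p}_shared_access_key_enabled"]:
            out.append(f"{p}_shared_access_key_enabled: shared key auth is on")
        if (v[f"{p}_public_network_access_enabled"]
                and v[f"{p}_network_default_action"] != "Deny"):
            out.append(f"{p}: public endpoint open with default action Allow")
    for k in KEY_PREFIXES:  # sanity check: both lead times must fit in the lifetime
        expire = duration_days(v[f"{k}_expire_after"])
        for field in ("rotation_time_before_expiry", "notify_before_expiry"):
            if duration_days(v[f"{k}_{field}"]) >= expire:
                out.append(f"{k}_{field}: not shorter than {k}_expire_after")
    return out


if __name__ == "__main__":
    # Constructed overrides, for illustration only.
    for finding in audit({f"{GW}_waf_firewall_mode": "Detection",
                          "acr_key_notify_before_expiry": "P30M"}):
        print(finding)
```

With no overrides the check returns no findings, because the defaults shown in the table pass every rule it implements.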
Output parameters
Output Variable Name | Description |
---|---|
rg_name | The name of the Azure Resource Group. |
rg_location | The Azure region where the Resource Group is located. |
rg_id | The unique identifier (ID) of the Azure Resource Group. |
log_archive_storage_account_id | The ID of the storage account used for log archiving. |
virtual_network_id | The ID of the Azure Virtual Network. |
subnet1_aks_id | The ID of the first subnet used by the Azure Kubernetes Service (AKS). |
subnet2_appgw_id | The ID of the second subnet used for Application Gateway Ingress Controller (AGIC). |
subnet3_services_id | The ID of the third subnet used for services. |
subnet1_aks_address | The address prefix of the first subnet. |
subnet2_appgw_address | The address prefix of the second subnet for AGIC. |
subnet3_services_address | The address prefix of the third subnet for services. |
subnet4_firewall_address | The address prefix of the fourth subnet for the firewall. |
vnet_address | The CIDR of the Azure Virtual Network. |
natgw_public_ip | The public IP address of the Network Address Translation (NAT) gateway. |
natgw_public_ip_prefix | The public IP prefix of the NAT gateway. |
public_dns_zone_name | The name of the public DNS Zone. |
public_dns_zone_id | The ID of the public DNS Zone. |
keyvault_name | The name of the Azure Key Vault. |
keyvault_id | The ID of the Azure Key Vault. |
keyvault_private_endpoint_fqdn | The Fully Qualified Domain Name (FQDN) of the private endpoint for the Key Vault. |
tenant_id | The Azure Active Directory (AAD) tenant ID. |
subscription_id | The Azure subscription ID where resources are created. |
sp_client_id | The client ID of the Service Principal used to create resources. |
acr_username | The username for the Azure Container Registry (ACR). |
acr_login_server | The login server for the Azure Container Registry (ACR). |
acr_private_endpoint_fqdn | The Fully Qualified Domain Name (FQDN) of the private endpoint for the Azure Container Registry (ACR). |
private_aks_name | The name of the private Azure Kubernetes Service (AKS). |
private_appgw_fe_private_ip | The private IP address of the private Application Gateway used in AKS. |
private_appgw_fe_public_ip | The public IP address of the public Application Gateway used in AKS. |
log_analytics_id | The ID of the Azure Log Analytics resource used in AKS. |
log_analytics_workspace_id | The ID of the Azure Log Analytics workspace used in AKS. |
main_public_appgw_fe_public_ip | The public IP address of the main public Application Gateway. |
storage_account_name | The name of the Azure Storage Account. |
storage_account_id | The ID of the Azure Storage Account. |